Configuring Baseline
QUESTION 1380
You have a System Center Configuration Manager 2007 environment. An application named App1.exe is
installed on client computers in a collection named Coll1. The App1.exe application is not functioning on
some of the client computers. You need to identify client computers in the Coll1 collection that have
improper security permissions on the App1.exe application. What should you do?
A. Configure the Software Inventory client agent to collect App1.exe.
B. Create a desired configuration baseline to confirm security permissions. Apply the baseline to the Coll1
collection.
C. Create a Microsoft Visual Basic (VB) script that confirms the Logon as a service rights on the client
computers.
D. Create a Microsoft Visual Basic (VB) script that confirms the Act as part of the operating system rights
on the client computers.
Correct Answer: B
QUESTION 1419
You have a System Center Configuration Manager 2007 environment. You need to be able to query
Configuration Manager 2007 to display registry values for a custom application for each client computer.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure hardware inventory.
B. Edit SMS_Def.MOF on each site to query for the registry values.
C. Edit the sitectrl.ct0 file at the central site to query for the registry values.
D. Configure and assign a desired configuration baseline at the central site.
Correct Answer: AB
QUESTION 1439
You have a System Center Configuration Manager 2007 environment. The Software Inventory client agent is
disabled. A software update changes the version of an operating system file on some computers in your
environment. You need to identify the computers that have the affected file. What should you do?
A. Create a software metering rule.
B. Create a configuration baseline, and apply it to the collection that includes all computers in your
environment.
C. Create a report for computers that have the affected file.
D. Create a configuration baseline for users that have the affected file.
Correct Answer: B
QUESTION 1446
You have a System Center Configuration Manager 2007 environment. You have a Configuration Manager
package named Package1 that is used to install an application named App1. You plan to deploy Microsoft
Windows Vista. You need to deploy App1 during the Windows Vista operating system deployment process.
What should you use?
A. a desired configuration baseline
B. a task sequence
C. a mandatory software advertisement
D. a software update deployment
Correct Answer: B

QUESTION 1448
You have a System Center Configuration Manager 2007 environment and a single Active Directory domain.
Some of the computers that you manage by using Configuration Manager 2007 are not members of the
domain. A new written corporate security policy prohibits client computers from having Remote Desktop
enabled. You need to identify all computers in your environment that have Remote Desktop enabled.
What should you do?
A. Use the Operations console to create a new report search.
B. Create a software metering rule to discover computers that are running Terminal Services.
C. Use a Group Policy object (GPO) to discover computers that have Remote Desktop enabled.
D. Create a configuration baseline, and apply it to the collection that includes all computers in your
environment.
Correct Answer: D

QUESTION 1370
You have a System Center Configuration Manager 2007 environment. A server named Server1 is located in
a remote office. Server1 has a polling interval of 1440 minutes. You create a mandatory software
advertisement to deploy an application to Server1. You need to install the application on Server1 prior to
the next polling interval. What should you do?
A. Create a PowerShell script that connects to Server1 and executes the TriggerSchedule method for the
Software Updates Deployment Evaluation Cycle action.
B. Create a PowerShell script that connects to Server1 and executes the TriggerSchedule method for the
Machine Policy Retrieval & Evaluation Cycle action.
C. Apply a desired configuration baseline to Server1 with a schedule interval of every five minutes.
D. Create a custom polling interval for the collection that contains Server1. Set the interval to every five
minutes.
Correct Answer: B

QUESTION 1395
You have a System Center Configuration Manager 2007 environment running in native mode. You deploy
software updates to Internet-based client computers. You deploy an application to an Active Directory global
group named Sales Team. Local computers used by members of the Sales Team group receive the
deployed application. Internet-based computers used by members of the Sales Team group do not receive
the deployed application. You need to ensure that the application is deployed to all computers that are used
by members of the Sales Team group. What should you do?
A. Connect the computers that are used by the members of the Sales Team group to the internal network.
B. Publish the management point to a public DNS server.
C. Publish the distribution points to a public DNS server.
D. Configure the Internet-facing distribution point to allow client computers to transfer content by using
BITS, HTTP and HTTPS.
Correct Answer: D

QUESTION 730
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.
The servers are configured as shown in the following table.
You plan to give users access to the file shares on Server2 by using DirectAccess.
You need to ensure that you can deploy DirectAccess on Server3.
What should you do?
A. Add a static IPv6 address to DC1.
B. Add a static IPv6 address to Server2.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade Server2 to Windows Server 2008 R2.
Correct Answer: C

What should you install on VPN1?
A. Windows Server Update Services (WSUS)
B. Network Policy Server (NPS)
C. Health Registration Authority (HRA)
D. Connection Manager Administration Kit (CMAK)
Correct Answer: B

QUESTION 1182
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.
The servers are configured as shown in the following table.
You plan to give users access to the file shares on Server2 by using DirectAccess.
You need to ensure that you can deploy DirectAccess on Server3.
What should you do?
A. Upgrade DC1 to Windows Server 2008 R2.
B. Add a static IPv6 address to DC1.
C. Add a static IPv6 address to Server2.
D. Upgrade Server2 to Windows Server 2008 R2.
Correct Answer: A
QUESTION 1317
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2.
Network Access Protection (NAP) is deployed on Server1. Server2 has the Routing and Remote Access
service (RRAS) role service installed.
You need to configure Server2 to use NAP VPN enforcement.
Which authentication method should you enable on Server2?
A. Encrypted authentication (CHAP)
B. Allow machine certificate authentication for IKEv2
C. Extensible authentication protocol (EAP)
D. Microsoft encrypted authentication version 2 (MS-CHAP v2)
Correct Answer: C

QUESTION 1793
You have a server that runs Windows Server 2003 Service Pack 2 (SP2).
You need to compare the current security settings of the server to a security template.
Which tool should you use?
A. Security Templates snap-in
B. Group Policy Management Console
C. Security Configuration and Analysis snap-in
D. Microsoft Baseline Security Analyzer (MBSA)
Correct Answer: C

QUESTION 1843
Your network contains a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 has IPSec enabled.
Several users report that they cannot connect to Server1.
You need to see how many IPSec connection attempts failed due to authentication failures.
What should you do?
A. From IP Security Monitor, view the Main Mode Statistics.
B. From Microsoft Baseline Security Analyzer, scan Server1.
C. From the Security event log, view the events from the IPSec source.
D. From System Monitor, add the IPSec V4 Driver : Active Security Associations counter.
Correct Answer: A

QUESTION 1896
You are the network administrator for Humongous Insurance. The network consists of a single Active
Directory domain named humongous.com. The domain contains Windows Server 2003 computers and
Windows XP Professional computers.
You configure several Group Policy objects (GPOs) to enforce the use of IPSec for certain types of
communication between specified computers.
A server named Server2 runs the Telnet service. A GPO is supposed to ensure that all Telnet connections
to Server2 are encrypted by using IPSec. However, when you monitor network traffic, you notice that
Telnet connections are not being encrypted.
You need to view all of the IPSec settings that are applied to Server2 by GPOs.
Which tool should you use?
A. the IP Security Policy Management console
B. the IP Security Monitor console
C. the Resultant Set of Policy console
D. Microsoft Baseline Security Analyzer (MBSA)
Correct Answer: C
QUESTION 1942
You have two stand-alone servers named Server1 and Server2. Both servers run Windows Server 2003
Service Pack 2 (SP2).
On Server1, you save the local security policy as a template.
You need to import the template to Server2.
What should you run on Server2?
A. the Security Templates snap-in
B. the Security Configuration Wizard
C. the Microsoft Baseline Security Analyzer
D. the Security Configuration and Analysis snap-in
Correct Answer: D
QUESTION 256
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run either Windows 2000 Professional
with Service Pack 4 or Windows XP Professional. You install Software Update Services (SUS) on a
computer named Server2. You create a Group Policy object (GPO) that configures all client computers to
receive their software updates from Server2. One week later, you run Microsoft Baseline Security Analyzer
(MBSA) on all client computers to find out whether all updates are being applied. You discover that all of
the Windows 2000 Professional client computers receive updates, but the Windows XP Professional client
computers do not receive updates. You verify that the GPO setting was applied on all Windows XP
Professional computers. You need to ensure that the Windows XP Professional client computers receive
their updates from Server2. What should you do?
A. Make all users of the Windows XP Professional client computers members of the Administrators local
group.
B. On all Windows XP Professional client computers, install Service Pack 1.
C. On all Windows XP Professional client computers, restart Automatic Updates.
D. On all Windows XP Professional client computers, delete the NoAutoUpdate value under
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU.
Correct Answer: B
QUESTION 304
You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 10 Windows Server 2003 computers and 1,000 Windows XP Professional
computers. All client computers are in the Clients organizational unit (OU). You create and link a Group
Policy object (GPO) named Clientconfig to the Clients OU. The written company security policy states that
all Windows XP Professional computers must have identical security settings for user rights assignment
and security options. You need to deploy these settings to all Windows XP Professional computers in the
domain. You need to accomplish this task with the minimum amount of administrative effort. What should
you do?
A. Run Microsoft Baseline Security Analyzer (MBSA) on a server and scan all computers in the domain.
B. Use the Local Security Policy console on each Windows XP Professional computer to apply the identical
security settings.
C. Create a logon script that runs the Gpupdate /target:computer command on all Windows XP
Professional computers in the domain.
D. Create a custom security template that contains the settings. Import the security template into the
Clientconfig GPO.
Correct Answer: D
QUESTION 1797
Your network contains an Active Directory domain.
You have a server named Server1.
You need to compare the current settings on Server1 to the settings in the Securews.inf security template.
Which tool should you use?
A. Security Configuration Wizard
B. Security Configuration and Analysis
C. Gpfixup
D. Gpresult
E. Security Templates
F. Dcgpofix
G. Group Policy Management Console (GPMC)
H. Gpupdate
I. Domain Controller Security Policy
J. Domain Security Policy
K. Resultant Set of Policy
L. Configure Your Server Wizard
Correct Answer: B
QUESTION 1820
Your network contains an Active Directory domain.
You plan to modify the security settings of the Default Domain Controllers Policy.
You need to create a backup of the policy.
Which tool should you use?
A. Security Templates
B. Dcgpofix
C. Domain Controller Security Policy
D. Gpfixup
E. Security Configuration and Analysis
F. Configure Your Server Wizard
G. Group Policy Management Console (GPMC)
H. Gpupdate
I. Domain Security Policy
J. Security Configuration Wizard
K. Gpresult
L. Resultant Set of Policy
Correct Answer: G

QUESTION 1852
Your network contains an Active Directory domain.
You need to restore the Default Domain Controllers Policy to the default settings.
Which tool should you use?
A. Security Configuration Wizard
B. Security Configuration and Analysis
C. Gpfixup
D. Gpresult
E. Security Templates
F. Dcgpofix
G. Group Policy Management Console (GPMC)
H. Gpupdate
I. Domain Controller Security Policy
J. Domain Security Policy
K. Resultant Set of Policy
L. Configure Your Server Wizard
Correct Answer: F
QUESTION 1859
Your network contains an Active Directory domain.
You have an organizational unit (OU) named Servers. The Servers OU contains 100 Computer Accounts.
You obtain a security template.
You need to apply the security template to only servers in the Servers OU. The solution must minimize the
amount of administrative effort.
Which tool should you use?
A. Security Configuration Wizard
B. Security Configuration and Analysis
C. Gpfixup
D. Gpresult
E. Security Templates
F. Dcgpofix
G. Group Policy Management Console (GPMC)
H. Gpupdate
I. Domain Controller Security Policy
J. Domain Security Policy
K. Resultant Set of Policy
L. Configure Your Server Wizard
Correct Answer: G
QUESTION 1866
Your network contains an Active Directory domain.
You need to restore the Default Domain Controllers Policy to the default settings.
Which tool should you use?
A. Security Configuration Wizard
B. Security Configuration and Analysis
C. Gpfixup
D. Gpresult
E. Security Templates
F. Dcgpofix
G. Group Policy Management Console (GPMC)
H. Gpupdate
I. Domain Controller Security Policy
J. Domain Security Policy
K. Resultant Set of Policy
L. Configure Your Server Wizard
Correct Answer: F
QUESTION 117
You are the network administrator for your company. All servers run Windows Server 2003. You configure
the security settings for all servers by using a security template named Corpsec.inf. After a recent security
breach on a member server named Server2, you notice that the security settings are no longer configured
as expected. You want to analyze all the security settings on Server2 that do not match the security settings
in the Corpsec.inf template. What should you do?
A. Import Corpsec.inf into the security settings on Server2 by using the Local Security Policy console.
B. Import Corpsec.inf into a new security database by using the Security Configuration and Analysis
console.
C. Run the dsquery.exe computer command.
D. Import Corpsec.inf into the security settings of the Default Domain Policy Group Policy object (GPO).
Correct Answer: B
QUESTION 227
You are the network administrator for the Boston office of Woodgrove Bank. The company network consists
of a single Active Directory domain named woodgrovebank.com. The Boston office contains 15 file servers
that contain confidential files. All the file servers run either Windows Server 2003 or Windows 2000 Server.
All the file servers are in the BostonFilePrint organizational unit (OU). The company's security department
sets a rule that specifies the size and retention settings for the Security event log of all file servers. The rule
also specifies that local administrators on servers cannot override the changes you make to the settings for
the Security event log. You need to define a method to modify the Security event log settings on each file
server in the Boston office in order to meet the stated requirements. What should you do?
A. Modify the local security policy on each file server. Define the size and retention settings for the Security
event log.
B. Create a security template on one of the file servers by using the Security Configuration and Analysis tool.
Define the size and retention settings for the Security event log in the template. Import the security
template into the local security policy of the other 14 file servers.
C. Use Event Viewer to modify the event log properties on each file server. Define the size and retention
settings for the Security event log.
D. Create a new Group Policy object (GPO) and link it to the BostonFilePrint OU. In the GPO, define the
size and retention settings for the Security event log.
Correct Answer: D

QUESTION 596
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.
You need to implement key archival.
What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Correct Answer: D

QUESTION 1547
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
You enable auditing for failed logon attempts on all domain controllers.
You need to ensure that a record of failed logon attempts is retained for 90 days on all domain controllers.
What should you do?
A. From the Security Templates snap in, open the hisecdc template. Modify the Retain System Log setting.
B. From the Security Templates snap in, open the securedc template. Modify the Retain Security Log setting.
C. Open the Default Domain Policy. Modify the Retain System Log setting.
D. Open the Default Domain Controller Policy. Modify the Retain Security Log setting.
Correct Answer: D
QUESTION 1609
You have a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). Server1 has a
scheduled task that runs Ntbackup.exe every night.
The scheduled task is configured to run by a user named BackupUser.
BackupUser is a member of the local Backup Operators group.
You apply a custom security template that modifies the user rights on Server1.
You discover that the scheduled backup job does not work anymore.
You use the Local Security Settings console to view the current user rights assignments.
The relevant output from the console is shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the scheduled backup job executes successfully on Server1.
Which user right should you assign to BackupUser?
A. Allow log on locally.
B. Log on as a service.
C. Log on as a batch job.
D. Act as part of the operating system.
Correct Answer: C
QUESTION 1775
Your network contains an Active Directory domain.
You receive a security policy that has an .xml file extension.
You need to view and edit the security policy.
Which tool should you use?
A. Security Configuration Wizard
B. Security Configuration and Analysis
C. Gpfixup
D. Gpresult
E. Security Templates
F. Dcgpofix
G. Group Policy Management Console (GPMC)
H. Gpupdate
I. Domain Controller Security Policy
J. Domain Security Policy
K. Resultant Set of Policy
L. Configure Your Server Wizard
Correct Answer: A
QUESTION 1523
Your network contains a file server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 is configured as shown in the following table.
You need to configure security to meet the following requirements:
Enable members of the Sales group to create, modify, and delete files and folders in the Sales folder.
Enable members of the Marketing group to create, modify, and delete files and folders in the Marketing
folder.
Prevent users from modifying permissions when they access the shared files.
What should you do?
A. Change the share permission on Userdata to Authenticated Users: Change.
B. Change the NTFS permission on Userdata to Authenticated Users: Modify.
C. Change the NTFS permission on Marketing to Marketing group: Write. Change the NTFS permission on
Sales to Sales group: Write.
D. Remove the Userdata share. Share Sales and assign the Sales Group group Full Control share
permission. Share Marketing and assign the Marketing Group group Full Control share permission.
Correct Answer: A
QUESTION 1524
Your network contains a file server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 is configured as shown in the following table.
A user named User1 belongs to the Helpdesk group and the Support group. You need to configure security
to meet the following requirements:
Prevent User1 from changing files and folders in the Apps share.
Allow User1 to open and run applications in the Apps share.
What should you do?
A. On the Apps share, assign User1 the Read share permission.
B. On the Apps folder, deny User1 the Write NTFS permission.
C. On the Apps folder, deny User1 the Modify NTFS permission.
D. On the Apps folder, assign User1 the Read & Execute NTFS permission.
Correct Answer: B
QUESTION 1541
Your network consists of a single Active Directory domain. The domain includes a group named SalesUsers.
You have a file server that runs Windows Server 2003 Service Pack 2 (SP2).
The server has a folder named CorpData.
You share the CorpData folder and assign the Domain Users group the Full Control share permission.
In the CorpData folder, you create a folder named Sales.
You need to configure security for the Sales folder to meet the following requirements:
Members of the SalesUsers group must be able to read, create, and modify all files and folders.
All other users must be able to view items in the folder.
What should you do?
A. On the Sales folder, block permission inheritance and remove permissions.
Assign the Allow Modify permission to the SalesUsers group.
B. On the Sales folder, block permission inheritance and copy permissions.
On the Sales folder, assign the Allow Modify permission to the SalesUsers group.
C. On the CorpData share, change the share permission for Domain Users to Read.
On the Sales folder, assign the Allow Modify permissions to the SalesUsers group.
D. On the CorpData folder, block permission inheritance and remove permissions.
In the Sales folder, assign the Allow Modify permissions to the SalesUsers group.
Correct Answer: B

QUESTION 1890
You are the network administrator for your company. The network consists of a single Active Directory
domain.
The domain contains an organizational unit (OU) named Webservers. The Webservers OU contains the
computer accounts of 12 Windows Server 2003 computers that function as intranet Web servers. A Group
Policy object (GPO) named WebserversPolicy is linked to the Webservers OU. The GPO is used to
configure various settings on the computers in the OU. A global group named WebserverAdmins is a
member of the Administrators local group on each intranet Web server.
You plan to install a security scanning application on each intranet Web server. The documentation for the
application states that it uses a service account, which must be able to modify the
HKEY_LOCAL_MACHINE\SYSTEM key in the registry of every computer on which the application is
installed.
You create the service account in the domain. The company's written security policy states that service
accounts must be assigned only the minimum rights and permissions that they require to function.
You need to configure the intranet Web servers so that they comply with the installation requirements of
the security scanning application. You also need to comply with the company's security policy. You want to
achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Add the service account to the WebserverAdmins global group.
B. Configure the required permissions as registry security settings in the WebserversPolicy GPO.
C. Run the regedit.exe command to add the required permissions to the registry of each intranet Web
server.
D. Run the explorer.exe command to modify NTFS permissions on the Systemroot\System32\Config\System
file. Assign the service account the Allow - Change permission.
E. Configure file system security settings in the WebserversPolicy GPO to modify NTFS permissions on
the Systemroot\System32\Config\System file. Assign the service account the Allow - Change
permission.
Correct Answer: B

QUESTION 1902
Your network consists of a single Active Directory domain. The remote access permission for all users is
set to Control access through Remote Access Policy.
You have a VPN server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). The current
configuration allows all authenticated users to establish VPN connections to Server1.
You create a global group named Group1.
You need to prevent all members of Group1 from establishing VPN connections to Server1.
What should you do?
A. From the local computer policy on Server1, modify the Account Policies settings.
B. From Active Directory Users and Computers, modify the Security settings of Group1.
C. From the Routing and Remote Access snap-in, create a new remote access policy.
D. From the Routing and Remote Access snap-in, open the properties of Server1 and modify the security
options.
Correct Answer: C
QUESTION 140
You are the network administrator for your company. The network consists
of a single Active Directory domain. The domain contains an organizational unit (OU) named Webservers.
The Webservers OU contains the computer accounts of 12 Windows Server 2003 computers that function
as intranet Web servers. A Group Policy object (GPO) named WebserversPolicy is linked to the
Webservers OU. The GPO is used to configure various settings on the computers in the OU. A global group
named WebserverAdmins is a member of the Administrators local group on each intranet Web server. You
plan to install a security scanning application on each intranet Web server. The documentation for the
application states that it uses a service account, which must be able to modify the
HKEY_LOCAL_MACHINE\SYSTEM key in the registry of every computer on which the application is
installed. You create the service account in the domain. The company's written security policy states that
service accounts must be assigned only the minimum rights and permissions that they require to function.
You need to configure the intranet Web servers so that they comply with the installation requirements of
the security scanning application. You also need to comply with the company's security policy. You want to
achieve this goal by using the minimum amount of administrative effort. What should you do?
A. Add the service account to the WebserverAdmins global group.
B. Configure the required permissions as registry security settings in the WebserversPolicy GPO.
C. Run the regedit.exe command to add the required permissions to the registry of each intranet Web
server.
D. Run the explorer.exe command to modify NTFS permissions on the Systemroot\System32\Config\System
file. Assign the service account the Allow - Change permission.
E. Configure file system security settings in the WebserversPolicy GPO to modify NTFS permissions on
the Systemroot\System32\Config\System file. Assign the service account the Allow - Change
permission.
Correct Answer: B
QUESTION 251
You are the network administrator for your company. The network consists
of a single Active Directory domain. The functional level of the domain is Windows Server 2003. All client
computers run Windows XP Professional. You are responsible for managing Group Policy objects (GPOs)
in the domain. A desktop support team administers client computers. The desktop support team's user
accounts are all members of a global group named Support. The Support global group belongs to the
Administrators local group on all client computers. On all client computers, the Administrators local group
also contains the domain user account of the user who is assigned to use that computer, so that the user
can install software. The security administrator creates a GPO named RegTools and links the GPO to the
root of the domain. He configures a software restriction policy in the GPO that uses hash rules to prevent
users from running registry editing tools. The policy applies to all user accounts in the domain. The desktop
support team reports that when they attempt to run registry editing tools, they receive the following error
message: "Windows cannot open this program because it has been prevented by a software restriction
policy. For more information, open Event Viewer or contact your system administrator." You need to ensure
that only the desktop support team can run registry editing tools. What should you do?
A. Configure the enforcement options of the software restriction policy so that the policy applies to all users
except local administrators.
B. Make all users members of the Power Users group instead of the Administrators group on their
computers.
C. Use file system security settings in the Default Domain Policy to modify the NTFS permissions for the
registry editing tools' executable files. Assign only the Support group the Allow - Read and Execute
permission for the files.
D. Use a startup script policy to ensure that the registry editing tools are moved to a folder named RegTools.
Assign only the Support group the Allow - Read and Execute permission for the RegTools folder.
E. Edit the permissions of the RegTools GPO by assigning the Support group the Deny - Apply group
policy permission.
F. Change the software restriction policy in the RegTools GPO to use a zone rule.
Correct Answer: E
QUESTION 417
You need to configure the security settings for the new app servers. Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Create a Group policy object (GPO) for the web servers.
B. Create a Group policy object (GPO) for the database servers.
C. Modify the Default Domain Policy.
D. Modify the Default Domain Controllers Policy.
Correct Answer: AB
QUESTION 481
Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD
CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the
%SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog
directory.
D. Enable the Audit Object Access setting in the Local Security Policy for the Active Directory Certificate
Services (AD CS) server.
Correct Answer: AD
QUESTION 485
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company
runs an Enterprise Root certification authority (CA).
You need to ensure that only Administrators can sign code.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Publish the Code Signing template.
B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and
allow only Administrators to apply the policy.
C. Edit the local computer policy of the Enterprise Root CA to allow only Administrators to manage
Trusted Publishers.
D. Modify the security settings on the template to allow only Administrators to request code signing
certificates.
Correct Answer: AD
QUESTION 672
Your network contains a server that has the SNMP Service installed.
You need to configure the SNMP security settings on the server.
Which tool should you use?
A. Local Security Policy
B. scw
C. secedit
D. Services console
Correct Answer: D
QUESTION 683
Your network contains multiple servers that run Windows Server 2008 R2. The servers have the Routing
and Remote Access Services (RRAS) role service installed. The servers are configured to support
Routing Information Protocol (RIP).
You need to prevent the server from receiving routes for the 10.0.0.0 network.
What should you do from the Routing and Remote Access console?
A. From the RIP properties page, modify the General settings.
B. From the RIP properties page, modify the Security settings.
C. From the RIP interface properties page, modify the Security settings.
D. From the RIP interface properties page, modify the Neighbors settings.
Correct Answer: C
QUESTION 807
You create a Password Settings object (PSO).
You need to apply the PSO to a domain user named User1.
What should you do?
A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).
Correct Answer: A
QUESTION 817
Your network consists of a single Active Directory domain. All domain controllers run Windows Server
2008 R2.
The Audit account management policy setting and Audit directory services access setting are enabled for
the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged changes
must include the old and new values of any attributes.
What should you do?
A. Enable the Audit Account Management policy in the Default Domain Controller Policy.
B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
C. Run auditpol.exe and then enable the Audit Directory Service Access setting in the Default
Domain policy.
D. From the Default Domain Controllers policy, enable the Audit Directory Service Access setting and
Audit Directory Service Changes setting.
Correct Answer: B
QUESTION 833
Your company has 10 servers that run Windows Server 2008 R2. The servers have Remote Desktop
Protocol (RDP) enabled for server administration.
RDP is configured to use default security settings. All administrators' computers run Windows 7.
You need to ensure the RDP connections are as secure as possible.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set the security layer for each server to the RDP Security Layer.
B. Configure the firewall on each server to block port 3389.
C. Acquire user certificates from the internal certification authority.
D. Configure each server to allow connections only to Remote Desktop client computers that use Network
Level Authentication.
Correct Answer: CD
QUESTION 904
You are the network administrator for your company. The network consists of a single Active Directory
domain.
The following table shows the types and quantities of Windows Server 2003 Web and database servers in
the domain.
Server type                           Quantity
Nonproduction test Web server         2
Nonproduction test database server    2
Production Web server                 10
Production database server            10
The computer accounts for the Web and database servers are located in the default Computers container.
The domain also includes many organizational units (OU) that contain other computer accounts.
Your company plans to use Group Policy objects (GPOs) to centrally apply security settings to the Web
and database server computers. The settings need to be applied as follows: Some security settings need
to apply to all Web and database servers. Some security settings need to apply to the nonproduction
servers only. Some security settings need to apply to the production servers only and must not be
overridden. Other security settings need to apply to specific server types only.
You need to create an organizational unit (OU) structure to support the GPO requirements. You want to
create as few GPOs and links as possible while using only the default security permissions for GPO links.
You also want to limit the number of GPO links to one link per GPO.
What should you do?
A. Create two top-level OUs named Web and Database under the domain. Create two child OUs named
Nonproduction and Production under both the Web OU and the Database OU.
B. Create two top-level OUs named Nonproduction and Production under the domain.
Create two child OUs named Web and Database under both the Nonproduction OU and the Production
OU.
C. Create a top-level OU named Servers under the domain. Create two child OUs named Web and
Database under the Servers OU. Create two child OUs named Nonproduction and Production under
both the Web OU and the Database OU.
D. Create a top-level OU named Servers under the domain. Create two child OUs named Nonproduction
and Production under the Servers OU. Create two child OUs named Web and Database under both the
Nonproduction OU and the Production OU.
Correct Answer: D
QUESTION 929
You are a network administrator for Fabrikam, Inc. The network consists of a single Active Directory
domain named fabrikam.com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. The company restricts all users so that they can use only authorized applications. All
domain users are authorized to use the Microsoft Office suite of applications. Members of a security
group named CRM Users are also authorized to use a customer relationship management (CRM) application.
You configure Group Policy objects (GPOs) as shown in the exhibit.
Exhibit
The Office Applications GPO has only the Microsoft Office applications listed as allowed applications. The
CRM Application GPO has only the CRM application listed as an allowed application. The CRM
Application GPO has security settings so that it applies only to members of the CRM Users security
group. Users who are members of the CRM Users security group report that they cannot run the CRM
application. You need to reconfigure the domain to meet the following requirements: All users must be
able to run the Microsoft Office applications. Members of the CRM Users security group must be able to
run the CRM application. All users must be prevented from running unauthorized software. Which two
actions should you take? (Each correct answer presents part of the solution. Choose two.)
A. Configure the Default Domain Policy GPO so that the CRM application is published to the members of
the CRM Users security group.
B. Disable the No Override setting for the CRM Application GPO. Leave the CRM Application GPO linked
to the domain.
C. Reorder the GPOs so that the CRM Application GPO is higher in the list than the Office Applications
GPO.
D. Create a new OU. Move the user accounts for all members of the CRM Users security group into this
OU. Link the CRM Application GPO to this OU. Enable the Block Policy inheritance setting for this OU.
Unlink the CRM Application GPO from the domain.
E. Add the Microsoft Office applications to the list of allowed applications in the CRM Application GPO.
Correct Answer: CE
QUESTION 931
You are the network administrator for Fabrikam, Inc. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. All
users have user accounts in an organizational unit (OU) named CompanyUsers. The CompanyUsers OU is
configured as shown in the Security Settings exhibit.
Exhibit
You discover that no Group Policy settings are being applied to most users when they log on to client
computers in the domain. When administrators log on, they receive the appropriate Group Policy settings.
You examine the event log on one of the client computers. You find the error message shown in the Event
Properties exhibit.
Exhibit
You need to correct the problem in the network so that Group Policy settings are applied for all users.
What should you do?
A. Assign the SYSTEM account the Allow - Full Control permission for child objects in the CompanyUsers
OU.
B. Assign the Authenticated Users group the Allow - Read, the Allow - Read All Properties, and the
Allow - List Contents permissions for the CompanyUsers OU.
C. Assign the Everyone group the Allow - Read and the Allow - Apply Group Policy permissions for the
Default Domain Controllers Policy Group Policy object (GPO).
D. Assign the Domain Users group the Allow - Full Control permission for the Default Domain Policy
Group Policy object (GPO).
Correct Answer: C
QUESTION 972
You are the network administrator for Consolidated Messenger. The network consists of a single Active
Directory forest that contains three domains named consolidatedmessenger.com,
child1.consolidatedmessenger.com, and child2.consolidatedmessenger.com. The functional level of the
forest is Windows Server 2003. Both child1.consolidatedmessenger.com and
child2.consolidatedmessenger.com contain employee user accounts, client computer accounts, and resource
server computer accounts. The domain named consolidatedmessenger.com contains only administrative user
accounts and computer accounts for two domain controllers. Each resource server computer provides a
single service of file server, print server, Web server, or database server.
Your company plans to use Group Policy objects (GPOs) to centrally apply security settings to resource
server computers. Some security settings need to apply to all resource servers and must not be
overridden. Other security settings need to apply to specific server roles only. You need to create an
organizational unit (OU) structure to support the GPO requirements. You want to create as few GPOs and
links as possible.
What should you do?
A. Create a top-level OU for each server role under the consolidatedmessenger.com domain. Create a
top-level OU named Servers under the child1.consolidatedmessenger.com domain. Create a top-level OU
named Servers under the child2.consolidatedmessenger.com domain.
B. Create a top-level OU named Servers under the child1.consolidatedmessenger.com domain. Create a
child OU for each server role under the Servers OU. Create a top-level OU named Servers under the
child2.consolidatedmessenger.com domain. Create a child OU for each server role under the Servers
OU.
C. Create a top-level OU named Servers under the consolidatedmessenger.com domain.
Create a child OU for each server role under the Servers OU.
D. Create a top-level OU for each server role under the child1.consolidatedmessenger.com domain.
Create a top-level OU for each server role under the child2.consolidatedmessenger.com domain.
Correct Answer: B
QUESTION 1000
You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain includes an organizational unit (OU) named Processing. There are 100 computer
accounts in the Processing OU. You create a Group Policy object (GPO) named NetworkSecurity and link
it to the domain.
You configure NetworkSecurity to enable security settings through the Computer Configuration section of
the Group Policy settings. You need to ensure that NetworkSecurity will apply only to the computers in the
Processing OU. You need to minimize the number of GPO links.
What should you do?
A. Link NetworkSecurity to the Processing OU. Disable the User Configuration section of
NetworkSecurity.
B. Link NetworkSecurity to the Processing OU. Remove the link from NetworkSecurity to the domain.
C. Modify the discretionary access control list (DACL) for NetworkSecurity to assign all computer
accounts in the Processing OU the Allow - Read and the Allow - Apply Group Policy permissions.
D. Modify the discretionary access control list (DACL) for NetworkSecurity to assign the Authenticated
Users group the Deny - Apply Group Policy permission and to assign all of the computer accounts in the
Processing OU the Allow - Read and the Allow - Apply Group Policy permissions.
Correct Answer: B
QUESTION 1045
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers that are not domain controllers are located in an organizational unit (OU) named
Servers. The security department is responsible for defining security requirements for servers. You are
responsible for configuring the company's servers. The security department provides you with security
settings that you must apply to new and existing servers that are not domain controllers. You configure a
Windows Server 2003 computer named Server1 with these settings. You need to apply the security
settings in compliance with the security department's requirements.
What should you do?
A. Export the security settings for Server1. Import the settings to a Group Policy object (GPO) linked to
the Servers OU.
B. Create a script by running the netsh dump command on Server1. Create a Group Policy object (GPO),
link the GPO to the Servers OU, and configure the GPO to apply the script as a startup script.
C. Configure Synchronization Manager on Server1 to perform a synchronization task daily.
D. Export the security settings for Server1. Configure File Replication service (FRS) to copy the .inf file to
the systemroot on each server.
Correct Answer: A
QUESTION 1125
Your network contains two standalone servers named Server1 and Server2 that have Active Directory
Lightweight Directory Services (AD LDS) installed.
Server1 has an AD LDS instance.
You need to ensure that you can replicate the instance from Server1 to Server2.
What should you do on both servers?
A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.
Correct Answer: C
QUESTION 1133
Your company has 10 servers that run Windows Server 2008 R2. The servers have Remote Desktop
Protocol (RDP) enabled for server administration. RDP is configured to use default security settings. All
administrators' computers run Windows 7.
You need to ensure the RDP connections are as secure as possible.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set the security layer for each server to the RDP Security Layer.
B. Configure the firewall on each server to block port 3389.
C. Acquire user certificates from the internal certification authority.
D. Configure each server to allow connections only to Remote Desktop client computers that use Network
Level Authentication.
Correct Answer: CD
QUESTION 1174
Your network contains a server that has the SNMP Service installed.
You need to configure the SNMP security settings on the server.
Which tool should you use?
A. Services console
B. Secedit
C. Scw
D. Local Security Policy
Correct Answer: A
QUESTION 1476
You have a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 has a folder named D:\data. The folder is shared as Data. You need to enable users to recover
files that are deleted from the Data shared folder.
What should you do on Server1?
A. From the D volume properties, modify the Shadow Copies settings.
B. From the Sharing and Security settings of D:\data, modify the Caching settings.
C. From the %systemroot%\system32\clients\twclient\x86 folder, install twcli32.msi.
D. From the Services snap in, modify the startup type of the Volume Shadow Copy Service (VSS).
Correct Answer: A
QUESTION 1521
You have a stand alone file server that runs Windows Server 2003 Service Pack 2 (SP2).
You create an account named Admin1 and add it to the Power Users group.
You attempt to log on to the server by using the Admin1 account and receive the following message:
The local policy of this system does not permit you to log on interactively.
You review the security settings as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the Admin1 account can log on to the console of the server.
What should you do?
Exhibit:
A. Add the Admin1 account to the Administrators group.
B. Add the Admin1 account to the Allow log on locally policy.
C. Remove the Admin1 account from the Users group.
D. Remove the Users group from the Deny log on locally policy.
Correct Answer: D
QUESTION 1537
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
All client computers run Windows XP Professional Service Pack 3 (SP3).
You have a user account named User1.
You need to identify which permissions User1 has on a file.
What should you do?
A. At a command prompt, run Net file.
B. At a command prompt, run Attrib.exe.
C. From the file properties, view the Summary settings.
D. From the file properties, view the Advanced Security settings.
Correct Answer: D
QUESTION 1538
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
All client computers run Windows XP Professional Service Pack 3 (SP3).
You have a file server that contains two volumes named C and D. Volume C contains a folder named
User1data.
User1 is the owner of all files in the User1data folder.
You copy the User1data folder to volume D.
You examine the ownership of the User1data folder on volume D and discover that your user account is
listed as the owner.
You need to ensure that User1 is the owner of the User1data folder on volume D.
What should you do?
A. Modify the Advanced Security settings for the User1data folder.
B. Modify the Advanced Attributes settings for the User1data folder.
C. Delete the User1data folder on volume D. From Windows Explorer, move the User1data folder from
volume C to volume D.
D. Delete the User1data folder on volume D. At the command prompt, use the Move command to move
the User1data folder from volume C to volume D.
Correct Answer: A

QUESTION 1914
Your network consists of a single Active Directory domain. The remote access permission for all users is
set to Control access through Remote Access Policy.
You have a VPN server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). The
current configuration allows all authenticated users to establish VPN connections to Server1.
You create a global group named Group1.
You need to prevent all members of Group1 from establishing VPN connections to Server1.
What should you do?
A. From the local computer policy on Server1, modify the Account Policies settings.
B. From Active Directory Users and Computers, modify the Security settings of Group1.
C. From the Routing and Remote Access snap-in, create a new remote access policy.
D. From the Routing and Remote Access snap-in, open the properties of Server1 and modify the security
options.
Correct Answer: C

QUESTION 1587
You have a server that runs Windows Server 2003 Service Pack 2 (SP2). The server contains one
volume.
You install Certificate Services.
You need to back up the Certificates Services database by using the minimum amount of storage space.
Which tool should you use?
A. Certification Authority snap in
B. Certificates snap in
C. Certificate Templates snap in
D. Windows Backup
Correct Answer: A
QUESTION 1754
Your network consists of a single Active Directory domain.
You install Windows Server 2003 Service Pack 2 (SP2) on a server named Server1.
You need to ensure that you can install Windows Server Update Services (WSUS) 3.0 on Server1.
What should you install on Server1?
A. Microsoft .NET Framework 2.0
B. Internet Information Services (IIS)
C. Active Directory Application Mode (ADAM)
D. Microsoft SQL Server Desktop Engine (MSDE)
E. Certificate Services
F. Universal Description, Discovery, and Integration (UDDI) Services
G. Distributed File System (DFS)
H. Latest version of the Automatic Updates client
Correct Answer: AB
QUESTION 179
You are the network administrator for your company. The network consists of a single Active Directory
domain that contains two domain controllers. The domain controllers run Windows Server 2003 and
Certificate Services. Each domain controller has a single mirrored hard disk that contains a single NTFS
volume. You are responsible for backing up all servers. Company requirements state that backups must
be performed only between the hours of 1:00 A.M. and 6:00 A.M. All servers share a single backup device.
Because a large amount of data must be backed up, you need to complete the required backups as
quickly as possible in order to complete the backups within the allotted time. You need to back up Active
Directory and Certificate Services on the two domain controllers. The backup must include only the
minimum amount of data necessary. Which action or actions should you perform? (Choose all that apply.)
A. Perform a backup of the System State by using the Backup utility.
B. Perform a shadow copy backup of the C:\Windows\Ntds folder by using the Backup utility.
C. Perform a shadow copy backup of the C:\Windows\Sysvol folder by using the Backup utility.
D. Perform a shadow copy backup of the C:\Windows\System32\Certsrv folder by using the Backup utility.
Correct Answer: A
QUESTION 276
You are the network administrator for your company. The network consists of a single Active Directory
domain that contains two domain controllers. The domain controllers run Windows Server 2003 and
Certificate Services. Each domain controller has a single mirrored hard disk that contains a single NTFS
volume. You are responsible for backing up all servers. Company requirements state that backups must
be performed only between the hours of 1:00 A.M. and 6:00 A.M. All servers share a single backup device.
Because a large amount of data must be backed up, you need to complete the required backups as
quickly as possible in order to complete the backups within the allotted time. You need to back up Active
Directory and Certificate Services on the two domain controllers. The backup must include only the
minimum amount of data necessary. Which action or actions should you perform? (Choose all that apply.)
A. Perform a backup of the System State by using the Backup utility.
B. Perform a shadow copy backup of the C:\Windows\Ntds folder by using the Backup utility.
C. Perform a shadow copy backup of the C:\Windows\Sysvol folder by using the Backup utility.
D. Perform a shadow copy backup of the C:\Windows\System32\Certsrv folder by using the Backup utility.
Correct Answer: A
QUESTION 472
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional
level of both forests is Windows Server 2008 R2.
Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the
contoso.com forest to allow users from both forests to automatically enroll user certificates.
You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com
certification authority (CA).
What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
QUESTION 473
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS)
role services installed:
Enterprise Root Certification Authority (CA)
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
You create a new certificate template. External users report that the new template is unavailable when
they request a new certificate.
You verify that all other templates are available to the external users.
You need to ensure that the external users can request certificates by using the new template.
What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe -dspublish.
D. Restart the Active Directory Certificate Services service.
Correct Answer: A
QUESTION 477
You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a
certification authority (CA) server that meets the following requirements:
Allows the certification authority to automatically issue certificates
Integrates with Active Directory Domain Services
What should you do?
A. Purchase a certificate from a third-party certification authority. Import the certificate into the computer
store of the schema master.
B. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory
Certificate Services server role as a Standalone Subordinate CA.
D. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
Correct Answer: D
QUESTION 478
Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA)
on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the
Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA.
What should you do first?
A. Add the DNS Server server role.
B. Join the server to the domain.
C. Add the Web Server (IIS) server role and the AD CS server role.
D. Add the Active Directory Lightweight Directory Services (AD LDS) server role.
Correct Answer: B
QUESTION 479
You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role
installed.
You need to minimize the amount of time it takes for client computers to download a certificate revocation
list (CRL).
What should you do?
A. Install and configure an Online Responder.
B. Install and configure an additional domain controller.
C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client
workstations.
D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client
workstations.
Correct Answer: A
QUESTION 480
You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and port 80
from being opened on domain controllers and on the issuing CA.
You need to allow users to request certificates from a Web interface. You install the Active Directory
Certificate Services (AD CS) server role.
What should you do next?
A. Configure the Online Responder role service on a member server.
B. Configure the Online Responder role service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.
Correct Answer: C

QUESTION 487
Your company has an Active Directory domain. You plan to install the Active Directory Certificate Services
(AD CS) server role on a member server that runs Windows Server 2008 R2.
You need to ensure that members of the Account Operators group are able to issue smartcard
credentials. They should not be able to revoke certificates.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose
three.)
A. Install the AD CS server role and configure it as an Enterprise Root CA.
B. Install the AD CS server role and configure it as a Standalone CA.
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
E. Create a Smartcard logon certificate.
F. Create an Enrollment Agent certificate.
Correct Answer: ACE
QUESTION 493
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone
root certification authority (CA).
On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an
Enterprise CA is disabled.
You need to install an Enterprise Subordinate CA on the server.
What should you use to log on to the new server?
A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain
Correct Answer: D
QUESTION 496
You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware
security module.
You need to back up Active Directory Certificate Services on the CA.
Which command should you run?
A. certutil.exe -backup
B. certutil.exe -backupDB
C. certutil.exe -backupKey
D. certutil.exe -store
Correct Answer: B
QUESTION 499

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008
Standard. The functional level of the domain is Windows Server 2003. You have a certification authority
(CA).
The relevant servers in the domain are configured as shown in the following table:
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate
Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.
Correct Answer: D
QUESTION 500
You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate
template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based on the
custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. In a Group Policy object (GPO), configure the Autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users
group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users
group.
Correct Answer: AD
QUESTION 552
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three
servers. The servers are configured as shown in the following table.
You need to ensure that users can manually enroll and renew their certificates by using the Certificate
Enrollment Web Service.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure the policy module setting.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy group policy setting.
D. Configure the delegation setting for the Certification Enrollment Web Service application pool account.
Correct Answer: BD
QUESTION 553
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member
server that runs Windows Server 2008 Standard.
You need to install an enterprise subordinate certification authority (CA) that supports private key archival.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services Certification Authority server role template check box.
Correct Answer: B
QUESTION 564
Your network contains an Active Directory forest named adatum.com.
You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.
What should you install before you create the AD RMS root cluster?
A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008
Correct Answer: E
QUESTION 594
Your network contains an Active Directory domain. The domain contains an enterprise certification
authority (CA) named Server1 and a server named Server2.
On Server2, you deploy Network Policy Server (NPS) and you configure a Network Access Protection
(NAP) enforcement policy for IPSec.
From the Health Registration Authority snap-in on Server2, you set the lifetime of health certificates to
four hours.
You discover that the validity period of the health certificates issued to client computers is one year.
You need to ensure that the health certificates are only valid for four hours.
What should you do?
A. Modify the Request Handling settings of the certificate template used for the health certificates.
B. Modify the Issuance Requirements settings of the certificate template used for the health certificates.
C. On Server1, run certutil.exe -setreg policy\editflags +editf_attributeenddate.
D. On Server1, run certutil.exe -setreg dbflags +dbflags_enablevolatilerequests.
Correct Answer: C
QUESTION 609
A company has an Active Directory forest. You plan to install an offline Enterprise root certification
authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is
attached to a hardware security module for private key storage.
You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise
CA option is not available.
You need to install the AD CS server role as an Enterprise CA on CA1.
What should you do first?
A. Add the DNS Server server role to CA1.
B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
D. Join CA1 to the domain.
Correct Answer: D
QUESTION 620
Your company has Active Directory Certificate Services (AD CS) and Network Access Protection (NAP)
deployed on the network.
You need to ensure that NAP policies are enforced on portable computers that use a wireless connection
to access the network.
What should you do?
A. Configure all access points to use 802.1X authentication.
B. Configure all portable computers to use MS-CHAP v2 authentication.
C. Use the Group Policy Management Console to access the wireless Group Policy settings, and enable
the Prevent connections to ad-hoc networks option.
D. Use the Group Policy Management Console to access the wireless Group Policy settings, and disable
the Prevent connections to infrastructure networks option.
Correct Answer: A

QUESTION 781
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server
2008 R2. All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event log entries
for Certificate Services.
Which snap-in should you use?
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management
Correct Answer: G
QUESTION 1140
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional
level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory
Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to
automatically enroll user certificates.
You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com
certification authority (CA).
What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Correct Answer: C
QUESTION 1141
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS)
role services installed:
-Enterprise root certification authority (CA)
-Certificate Enrollment Web Service
-Certificate Enrollment Policy Web Service
You create a new certificate template.
External users report that the new template is unavailable when they request a new certificate.
You verify that all other templates are available to the external users.
You need to ensure that the external users can request certificates by using the new template.
What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe dspublish.
D. Restart the Active Directory Certificate Services service.
Correct Answer: A
QUESTION 1302
Your network contains an Active Directory domain named Contoso.com. Contoso.com contains an
enterprise certification authority (CA) named CA1.
You enable Secure Socket Tunneling Protocol (SSTP) on a server named Server1.
A user named User1 attempts to establish an SSTP connection to Server1 and receives the following
error message: "Error 0x80092013: The revocation function was unable to check revocation because the
revocation server was offline."
You verify that all certificates services are online.
You need to ensure that User1 can connect to Server1 by using SSTP.
What should you do first?
A. Configure User1 for certificate auto enrollment.
B. Configure a pre-shared key for IPSec on User1's computer.
C. Add a certificate to Server1 that contains Server1.contoso.com as a Subject Alternative Name (SAN).
D. Publish the certificate revocation list distribution point (CDP) to a location that is accessible from the
Internet.
Correct Answer: D
QUESTION 543
Your network contains an Active Directory domain. The domain contains five domain controllers. A domain
controller named DC1 has the DHCP role and the file server role installed.
You need to move the Active Directory database on DC1 to an alternate location. The solution must
minimize impact on the network during the database move.
What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.
Correct Answer: D
QUESTION 544
Your company has a main office and a branch office.
The network contains an Active Directory forest. The forest contains three domains.
The branch office contains one domain controller named DC5. DC5 is configured as a global catalog
server, a DHCP server, and a file server.
You remove the global catalog from DC5.
You need to reduce the size of the Active Directory database on DC5. The solution must minimize the
impact on all users in the branch office.
What should you do first?
A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.
Correct Answer: D
QUESTION 674
You need to capture the HTTP traffic to and from a server every day between 09:00 and 10:00.
What should you do?
A. Create a scheduled task that runs the Netsh tool.
B. Create a scheduled task that runs the Nmcap tool.
C. From Network Monitor, configure the General options.
D. From Network Monitor, configure the Capture options.
Correct Answer: B
QUESTION 1251
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the
Remote Desktop Gateway (RD Gateway) role service installed.
You add the Domain Users group to a connection authorization policy named TS_CAP_01.
You need to ensure that only client computers that have Windows Firewall enabled can connect to
Remote Desktop resources through the RD Gateway.
What should you do?
A. From Remote Desktop Gateway Manager, modify the properties of the TS_RAP_01 resource
authorization policy.
B. From Remote Desktop Gateway Manager, modify the properties of the TS_CAP_01 connection
authorization policy.
C. From the Network Policy Server console, modify the properties of the TS_CAP_01 network policy.
D. From the Network Policy Server console, modify the properties of the TS GATEWAY AUTHORIZATION
POLICY connection request policy.
Correct Answer: C
QUESTION 1453
You have a System Center Configuration Manager 2007 environment. The site named S01 is located on
the intranet. S01 uses a server in the perimeter network to provide a management point to Internet-based
client computers. You need to configure the server roles in the perimeter network to communicate to the
S01 site. Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Configure the Network Access account on S01.
B. Configure S01 to use the site server's computer account to install site systems.
C. Configure the S01 site system property to allow only site server initiated data transfers from the site
system.
D. Configure a Site System Installation account on S01.
Correct Answer: CD
QUESTION 1647
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003.
You place computer accounts for servers in organizational units (OUs) that are organized by server roles.
You apply Group Policy objects (GPOs) to these servers at the OU level. You need to add a new server to
the domain.
You need to ensure that the appropriate GPOs are applied to this server.
What should you do?
A. Prestage a domain computer account for the new server in the appropriate OU. Join the server to the
domain by using the prestaged computer account.
B. On the new server, add the domain name for the Active Directory domain to the DNS suffix setting.
Join the server to the domain.
C. Assign a user account the Allow - Create permission for the appropriate OU. Join the new server to the
domain by using the user account.
D. Join the new server to the Active Directory domain. On the new server, run the gpupdate /force
command.
Correct Answer: A

QUESTION 247
You are the network administrator for your company. The company's main office is in Chicago, and it has
a branch office in Detroit. The network consists of a single Active Directory domain. Each office is
configured as an Active Directory site. The two offices are connected by a 128-Kbps connection. All
domain controllers run Windows Server 2003. All client computers run Windows XP Professional. All
network administrators are located in Chicago. Universal group membership caching is enabled. The
server roles and IP addresses for each site are shown in the following table.
Site | Server role | IP address
Chicago | DNS, global catalog, WINS, DHCP | 10.10.10.200
Detroit | DNS, domain controller, DHCP | 10.10.20.200
The network connection between Chicago and Detroit intermittently fails. Only the client computers in
Detroit have NetBIOS enabled. All client computers in both sites are configured using DHCP. The
significant DHCP scope options for Detroit are shown in the following table.
Scope option | Setting
WINS/NBNS Servers | 10.10.20.200
DNS Servers | 10.10.10.200, 10.10.20.200
Router | 10.10.20.1
You create a user account for a new employee in Detroit. The user reports that she cannot log on to the
domain. You confirm that you can log on by using your account and then by using the user's account.
You also confirm that all other users in Detroit can log on. You need to ensure that the user can
authenticate to the domain. What should you do?
A. Configure the user's user account to store passwords by using reversible encryption.
B. Configure the user's computer account to be trusted for delegation.
C. Force Active Directory replication to occur between Chicago and Detroit.
D. Change the Router setting in the DHCP scope options to 10.10.10.1.
Correct Answer: C

QUESTION 287
You are the network administrator for your company. The company has a main office in Chicago, and it
has a branch office in San Diego. The network consists of a single Active Directory domain. Each office
is configured as an Active Directory site. All domain controllers run Windows Server 2003. The network
connections from Chicago to San Diego intermittently fail. This is an existing condition that will be
resolved in the future. Your company acquires another company that has a main office in Denver. The
acquired company does not have branch offices. A Windows Server 2003 computer that is configured as
a domain controller is added to the Denver office. The client computers in all three sites run Windows
XP Professional and are configured using DHCP. The server and network configuration for the company
is shown in the following table.
Site | Server Roles | Server IP Address | Network Links To
Chicago | DNS, global catalog, WINS, DHCP | 10.10.10.200 | San Diego, Denver
San Diego | DNS, domain controller, WINS, DHCP | 10.10.20.200 | Chicago
Denver | Global catalog, DHCP | 10.10.30.200 | Chicago
The relevant DHCP scope options for Denver are shown in the following table.
Scope Option | Setting
WINS/NBNS Servers | 10.10.20.200
DNS Servers | 10.10.20.200
Router | 10.10.30.1
Users in Denver report that sometimes they cannot log on to the domain. They receive an error message
that states that a domain controller for their domain cannot be located. You need to ensure that users in
Denver can authenticate to the domain. What should you do?
A. Add a domain controller to the Denver site.
B. Change the DNS Servers setting in the DHCP scope options to include 10.10.10.200.
C. Change the Router setting in the DHCP scope options to include 10.10.30.200.
D. On the global catalog server in Denver, add a Hosts file entry for the domain controller in Chicago.
Correct Answer: B
QUESTION 703
Your network contains 200 servers that run Windows Server 2008 R2.
You need to archive the Security log for each server on a daily basis.
Which tool should you use?
A. netsh
B. secedit
C. wecutil
D. wevtutil
Correct Answer: D

QUESTION 255
You are the administrator of an Active Directory domain. All servers run Windows Server 2003. All client
computers run Windows XP Professional. An unauthorized file sharing application named Fileshare.exe is
being used on your network. The default installation directory for Fileshare.exe is C:\Program Files\File
Share\. You need to prevent all users from using the unauthorized file sharing application, even if they
rename the application. You create a new software restriction policy in the Default Domain Policy Group
Policy object (GPO). You now need to configure the software restriction policy. What should you do?
A. Create a new path rule for Fileshare.exe. Set the security level to Disallowed for the new rule.
B. Create a new hash rule for Fileshare.exe. Set the security level to Disallowed for the new rule.
C. Create a new path rule for C:\Program Files\File Share\. Set the security level to Disallowed for the
new rule.
D. Set the default security level to Disallowed for the software restriction policy.
Correct Answer: B
QUESTION 267
You are the network administrator for your company. The network consists of a single Active Directory
domain named contoso.com. The network contains two domain controllers and three member servers. All
servers run Windows Server 2003. Client computers run either Windows XP Professional or Windows
2000 Professional. The network contains a single DNS server. The DNS server fails. You install a new
member server that runs Windows Server 2003. You reassign the failed DNS server's IP address to the
new server. You install DNS on the server. You configure a new primary zone named contoso.com, and
you configure the zone to support dynamic updates. Users report that they cannot log on to the domain.
You review the DNS domain information. The information is shown in the exhibit. (Click the Exhibit
button.) You need to ensure that all users can log on to the domain. What should you do?
A. Restart the Net Logon service on the domain controllers.
B. Force a DNS registration on each of the member servers in the domain.
C. Install DNS on a domain controller. Create a zone named contoso.com. Configure the zone to be an
Active Directory-integrated zone and to support only secure updates.
D. For each of the domain controllers, create a host (A) resource record in the contoso.com domain.
Correct Answer: A
QUESTION 274
You are the network administrator for your company. The network consists of a single Active Directory
domain. Network servers run either Windows 2000 Server or Windows Server 2003. The network
includes six domain controllers named DC1 through DC6. DC1 through DC3 run Windows Server 2003,
and DC4 through DC6 run Windows 2000 Server. The company hires Andreas, a technical support
specialist, to assist you in managing DC1. Periodically, Andreas needs to configure settings on DC4 and
DC5. Andreas tries to open Active Directory Sites and Services from DC1. However, he cannot establish
a connection. How should you solve this problem?
A. Copy Adminpak.msi from the Windows 2000 Server CD-ROM to DC1.
B. Copy Adminpak.msi from the Windows Server 2003 CD-ROM to DC4.
C. Install Windows 2000 Server, Service Pack 3 or higher, on DC4.
D. Install the Support Tools from the Windows 2000 Server CD-ROM on DC1.
Correct Answer: C
QUESTION 276
You are the network administrator for your company. The network consists of a single Active Directory
domain that contains two domain controllers. The domain controllers run Windows Server 2003 and
Certificate Services. Each domain controller has a single mirrored hard disk that contains a single NTFS
volume. You are responsible for backing up all servers. Company requirements state that backups must
be performed only between the hours of 1:00 A.M. and 6:00 A.M. All servers share a single backup
device. Because a large amount of data must be backed up, you need to complete the required backups
as quickly as possible in order to complete the backups within the allotted time. You need to back up
Active Directory and Certificate Services on the two domain controllers. The backup must include only
the minimum amount of data necessary. Which action or actions should you perform? (Choose all that
apply.)
A. Perform a backup of the System State by using the Backup utility.
B. Perform a shadow copy backup of the C:\Windows\Ntds folder by using the Backup utility.
C. Perform a shadow copy backup of the C:\Windows\Sysvol folder by using the Backup utility.
D. Perform a shadow copy backup of the C:\Windows\System32\Certsrv folder by using the Backup utility.
Correct Answer: A
QUESTION 281
You are a network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. The company employs three database
administrators who administer seven database servers that run Windows Server 2003. The database
administrators occasionally restore a database server after a disaster. To restore a server, database
administrators need the rights required to perform the following tasks: Back up files and folders. Restore
files and folders. Restore the System State data. You need to assign the database administrators the
rights that they require to perform the specified tasks. For security reasons, you must not assign the
administrators more rights than they require to perform the tasks. What should you do?
A. Add the database administrators' user accounts to the Administrators group on each of the database
servers.
B. Add the database administrators' user accounts to the Power Users group on each of the database
servers.
C. Add the database administrators' user accounts to the Backup Operators group on each of the
database servers.
D. Add the database administrators' user accounts to the Backup Operators group on one of the domain
controllers.
E. Add the database administrators' user accounts to the Server Operators group on one of the domain
controllers.
Correct Answer: C
QUESTION 283
You are the network administrator for your company. The network consists of a single Active Directory
domain. The Active Directory domain contains two domain controllers named DC1 and DC2. During
routine monitoring of the domain controllers, you observe numerous errors in the system log. The errors
are similar to the one shown in the following dialog box. You need to resolve these errors on your domain
controllers as quickly as possible. What are two possible ways to achieve this goal? (Each correct answer
presents a complete solution. Choose two.)
A. Install the appropriate printer drivers on DC1 and DC2.
B. Modify the Default domain controller Group Policy object (GPO). Enable the Do not allow client printer
redirection policy.
C. Add the Domain Admins group to the built-in Print Operators group.
D. Add the Domain Users group to the built-in Print Operators group.
Correct Answer: AB
QUESTION 286
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. You enabled the Audit account logon events
policy and the Audit logon events policy on all domain controllers. You enabled both policies to audit for
both success and failure attempts. In addition, you enabled Audit logon events for all other computers in
the domain for both success and failure attempts. You suspect that an unauthorized user attempted to
discover the password for the domain administrator account by using a computer located in a public area
in the company's main office. You need to find out if your network has been compromised. What should
you do?
A. Examine the security log on the public computer.
B. Examine the security log on each domain controller.
C. Examine the system log on the public computer.
D. Examine the system log on the primary domain controller (PDC) emulator.
Correct Answer: B
QUESTION 290
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. The sales department recently hired 10 new
employees. User accounts for these employees were created in Active Directory. The manager of the
sales department sent you a list of the new users and asked you to add the user accounts to an existing
global group named SalesDept. You need to add the users to the SalesDept global group. What are two
possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Use the dsadd user command to add the user accounts to the SalesDept global group.
B. Use the dsmod group command to add the user accounts to the SalesDept global group.
C. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users,
and then select the Properties menu command.
D. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users,
and then select the Add to a group menu command.
Correct Answer: BD
QUESTION 291
You are a network administrator for Coho Vineyard. The network consists of a single Active Directory
domain named cohovineyard.com. All domain controllers run Windows Server 2003. One of the DNS
servers is named DNS1. On DNS1, the DNS zone named cohovineyard.com is configured as shown in
the exhibit. (Click the Exhibit button.) Another administrator reports that domain controllers take an
unacceptably long time to start and that some users cannot log on to the cohovineyard.com domain. You
need to ensure that domain controllers start as quickly as possible and that all users can log on to the
cohovineyard.com domain. You must achieve this goal while ensuring that updates to the
cohovineyard.com zone are as secure as possible. Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Change the zone type of the cohovineyard.com zone to an Active Directory-integrated zone.
B. Change the zone type of the cohovineyard.com zone to a stub zone.
C. Enable secure-only dynamic updates on the cohovineyard.com zone.
D. Implement an IPSec filter on DNS1 that allows DNS traffic from only domain members.
E. Configure a list of DNS servers that are allowed to transfer a copy of the cohovineyard.com zone.
Correct Answer: AC
QUESTION 299
You are a network administrator for your company. The network contains an Active Directory domain
named cohovineyard.com. The domain contains three domain controllers named DC1, DC2, and DC3. All
three domain controllers are configured as DNS servers. You monitor all three domain controllers. You
notice that DC3 is not processing user logon requests. You view DNS on DC1, as shown in the exhibit.
(Click the Exhibit button.) You must ensure that DC3 can process user logon requests. What should you
do on DC3?
A. Run the ipconfig /registerdns command.
B. Run the nslookup command, and then run the set type=srv command.
C. Restart the Net Logon service.
D. Restart the DNS Server service.
Correct Answer: C
QUESTION 306
You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 20 Windows Server 2003 member servers. You assign five support
engineers to perform limited management tasks on the servers. You add the engineers' user accounts to
a global security group named Support Engineers. The five support engineers will have the following
responsibilities: Stop and start printers, clear print jobs from the printer queues, and set permissions on
printers. Back up and restore all files on the servers. Make changes to TCP/IP settings. Create and delete
shared resources. You need to assign the support engineers the appropriate permissions to perform the
required tasks on the 20 member servers. Of which group should you make the Support Engineers group
a member?
A. the Administrators local group on one of the domain controllers
B. the Administrators local group on each of the servers
C. the Server Operators local group on a domain controller
D. the Power Users local group on each of the servers
E. the Backup Operators local group on a domain controller
F. the Backup Operators local group on each of the servers
Correct Answer: B
QUESTION 311
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003, and each one has a locally attached tape
device. You need to back up each domain controller. Your backup process must fulfill the following
requirements: System recovery must be possible in the event of server failure. The system configuration
and all current dynamic disk configurations must be backed up. Other data partitions do not need to be
backed up. What should you do?
A. Use the Backup utility to back up the system files and to create an Automated System Recovery (ASR)
disk.
B. Use the Backup utility to back up the contents of all mounted drives.
C. Use the Backup utility to back up only the System State data.
D. Use the Copy command to copy C:\windows and its subfolders to a shared folder on the network.
E. Use the Xcopy command to copy C:\windows and its subfolders to a shared folder on the network.
Correct Answer: A
QUESTION 313
You are the network administrator for your company. Your network consists of a single Active Directory
domain. All network servers run Windows Server 2003. Each domain controller contains one disk that is
configured with both the system partition and the boot partition. Every day, you use custom software to
perform a full backup of user profiles and user data. The custom backup software provides a bootable
floppy disk that includes the drivers for the backup media. Every Sunday, you run the Automated System
Recovery (ASR) wizard on your domain controllers in conjunction with removable backup media. Data is
backed up in a file named Backup1.bkf. One Monday morning, you install a new application on a domain
controller named DC1. When you restart DC1, you receive the following error message: "NTLDR is
missing. Press any key to restart." You need to bring DC1 back online as quickly as possible. What
should you do?
A. Restart DC1 by using the installation CD-ROM. Reinstall the operating system and restore the contents
of the latest full backup by using the Restore wizard. Restart DC1.
B. Restart DC1 by using the installation CD-ROM. Restore the contents of Backup1.bkf by using the ASR
disk. Restart DC1.
C. Restart DC1 by using the bootable floppy disk. Copy the contents of Backup1.bkf from the backup
media to C:\winnt. Restart DC1.
D. Restart DC1 by using the bootable floppy disk. Copy the contents of the ASR disk to C:\. Restart DC1.
Correct Answer: B
QUESTION 314
You are a network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. The company employs three database
administrators who administer seven database servers that run Windows Server 2003. The database
administrators occasionally restore a database server after a disaster. To restore a server, database
administrators need the rights required to perform the following tasks: Back up files and folders. Restore
files and folders. Restore the System State data. You need to assign the database administrators the
rights that they require to perform the specified tasks. For security reasons, you must not assign the
administrators more rights than they require to perform the tasks. What should you do?
A. Add the database administrators' user accounts to the Administrators group on each of the database
servers.
B. Add the database administrators' user accounts to the Power Users group on each of the database
servers.
C. Add the database administrators' user accounts to the Backup Operators group on each of the
database servers.
D. Add the database administrators' user accounts to the Backup Operators group on one of the domain
controllers.
E. Add the database administrators' user accounts to the Server Operators group on one of the domain
controllers.
Correct Answer: C
QUESTION 322
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. The sales department recently hired 10 new
employees. User accounts for these employees were created in Active Directory. The manager of the
sales department sent you a list of the new users and asked you to add the user accounts to an existing
global group named SalesDept. You need to add the users to the SalesDept global group. What are two
possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Use the dsadd user command to add the user accounts to the SalesDept global group.
B. Use the dsmod group command to add the user accounts to the SalesDept global group.
C. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users,
and then select the Properties menu command.
D. In Active Directory Users and Computers, select all 10 user accounts. Right-click the selected users,
and then select the Add to a group menu command.
Correct Answer: BD
QUESTION 348
You are designing the Active Directory infrastructure to meet the business and technical requirements.
You run ADSizer, and find that it provides a solution that contains only one domain controller for
Amsterdam. What should you do?
A. Place at least two domain controllers in Amsterdam.
B. Configure the domain controller as a bridgehead server.
C. Configure the domain controller as a global catalog server.
D. Distribute the users among sites in ADSizer and recalculate the number of domain controllers.
Correct Answer: A
QUESTION 366
You are designing the DNS infrastructure to meet the business and technical requirements.
What should you do?
A. Create an Active Directory-integrated zone on DC4. Set the replication scope to all DNS servers in the
domain.
B. Create an Active Directory-integrated zone on DC5. Set the replication scope to all DNS servers in the
forest.
C. Create an Active Directory-integrated zone on any domain controller in the forest root domain. Set the
replication scope to all domain controllers in the domain.
D. Create a standard primary zone on DC4.
E. Create a standard primary zone on any domain controller in the forest root domain.
Correct Answer: B
QUESTION 398
You are designing a strategy for installing Windows Server 2003 on the new domain controllers. Which
method should you use?
A. Unattended installation
B. Remote Installation Services (RIS)
C. Automated Deployment Services (ADS)
D. Microsoft Systems Management Server (SMS)
Correct Answer: A
QUESTION 434
You are designing a DNS implementation strategy to meet the business and technical requirements. What
should you do?
A. Configure a domain controller in each branch office to contain a secondary zone of the contoso.com
domain.
B. Configure the DNS Server service on a domain controller in each office. Configure an Active
Directory-integrated zone to replicate to all DNS servers.
C. Configure an Active Directory-integrated zone on a domain controller in Sydney. Configure this zone to
replicate to all domain controllers.
D. Configure a primary zone for blueyonderairlines.com on a domain controller in Sydney.
Configure a secondary zone on another DNS server in Sydney.
Correct Answer: B
QUESTION 437
You are designing a strategy to improve the performance and reliability of the domain controllers. What
should you do?
A. Create one RAID-5 volume.
B. Create two RAID-5 volumes.
C. Create one mirrored volume and two RAID-5 volumes.
D. Create two mirrored volumes and one RAID-5 volume.
Correct Answer: D
QUESTION 439
You are designing a strategy for migrating to the new environment. Which two factors from your current
environment will affect your migration strategy? (Each correct answer presents part of the solution.
Choose two.)
A. Trusts between domains
B. Number of BDCs in each domain
C. Users and resources in each domain
D. Current hardware for domain controllers
E. Current amount of replication traffic over WAN links
QUESTION 449
You are designing a DNS strategy to meet the business and technical requirements. What should you do?
A. Install the DNS Server service on all domain controllers. Create Active Directory-integrated zones.
Replicate the zones to all DNS servers in the forest.
B. Install the DNS Server service on all domain controllers. Create Active Directory-integrated zones.
Replicate the zones to all DNS servers in the domain.
C. Install the DNS Server service on all domain controllers. Create primary zones and secondary zones.
D. Create application partitions for the different zones on one domain controller. Configure replication to
occur on all DNS servers.
Correct Answer: B
QUESTION 462
You are designing the DNS topology to meet the business and technical requirements.
Which DNS structure should you use?
A. one primary zone
B. two primary zones
C. one Active Directory-integrated zone that has the replication scope set to all DNS servers in the forest.
D. two Active Directory-integrated zones that have the replication scopes set to all DNS servers in the
forest.
E. one Active Directory-integrated zone that has the replication scope set to all domain controllers in the
domain.
F. two Active Directory-integrated zones that have the replication scopes set to all domain controllers in
the domain.
Correct Answer: D
QUESTION 470
Your network contains an Active Directory forest named adatum.com. All domain controllers currently run
Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows
Server 2003.
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What should you do first?
A. Run adprep.exe
B. Raise the functional level of the domain to Windows Server 2008.
C. Raise the functional level of the forest to Windows Server 2008.
D. Deploy a writable domain controller that runs Windows Server 2008 R2.
Correct Answer: A
QUESTION 486
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company
uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
What should you do?
A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA
server.
C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers
group policy object.
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy
object.
Correct Answer: D
QUESTION 515
Your company has a main office and a branch office. The branch office contains a read-only domain
controller named RODC1.
You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent
Admin1 from logging on to other domain controllers.
What should you do?
A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.
Correct Answer: B
QUESTION 517
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2.
Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC).
You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between
Site1 and Site2 fails.
User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is
restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?
A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.
Correct Answer: D
QUESTION 522
Your network contains a single Active Directory domain. The domain contains five read-only domain
controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.

You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add
the new RODC to the domain. You want to achieve this goal by using the minimum amount of
administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. At the command prompt, run adprep.exe /rodcprep.
B. At the command prompt, run adprep.exe /forestprep.
C. At the command prompt, run adprep.exe /domainprep.
D. From Active Directory Domains and Trusts, raise the functional level of the domain.
E. From Active Directory Users and Computers, pre-stage the RODC computer account.
Correct Answer: BC
QUESTION 533
Your network contains an Active Directory domain that contains five domain controllers. You have a
management computer that runs Windows 7.
From the Windows 7 computer, you need to view all account logon failures that occur in the domain. The
information must be consolidated on one list.
Which command should you run on each domain controller?
A. wecutil.exe qc
B. wevtutil.exe gli
C. winrm.exe quickconfig
D. winrshost.exe
Correct Answer: C
QUESTION 534
You create a new Active Directory domain. The functional level of the domain is Windows Server 2008
R2. The domain contains five domain controllers.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. dfsrdiag
B. fsutil
C. ntdsutil
D. ntfrsutl
Correct Answer: A
QUESTION 535
You create a new Active Directory domain. The functional level of the domain is Windows Server 2003.
The domain contains five domain controllers that run Windows Server 2008 R2.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. dfsrdiag
B. fsutil
C. ntdsutil
D. ntfrsutl
Correct Answer: D
QUESTION 537
Your network contains a single Active Directory domain. The functional level of the forest is Windows
Server 2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run
Windows Server 2008. All domain controllers run Windows Server 2008 R2.
You need to ensure that you can enable the Active Directory Recycle Bin.
What should you do?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.
Correct Answer: A
QUESTION 538
Your network contains an Active Directory domain. The domain contains two domain controllers named
DC1 and DC2.
You perform a full backup of the domain controllers every night by using Windows Server Backup.
You update a script in the SYSVOL folder. You discover that the new script fails to run properly.
You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize
the amount of time required to restore the script.
What should you do first?
A. Run the Restore-ADObject cmdlet.
B. Restore the system state to its original location.
C. Restore the system state to an alternate location.
D. Attach the VHD file created by Windows Server Backup.
Correct Answer: D
QUESTION 541
Your network contains an Active Directory domain. The domain contains two Active Directory sites named
Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain
controllers named DC3 and DC4.
The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is
Windows Server 2003.
Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
At 07:00, an administrator deletes a user account while he is logged on to DC1.
You need to restore the deleted user account. You want to achieve this goal by using the minimum
amount of administrative effort.
What should you do?
A. On DC1, run the Restore-ADObject cmdlet.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active
Directory Domain Services.
D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active
Directory Domain Services.
Correct Answer: D
QUESTION 543
Your network contains an Active Directory domain. The domain contains five domain controllers. A domain
controller named DC1 has the DHCP role and the file server role installed.
You need to move the Active Directory database on DC1 to an alternate location. The solution must
minimize impact on the network during the database move.
What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.
Correct Answer: D
QUESTION 547
Your network consists of a single Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest
amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics
report.
Correct Answer: D
QUESTION 554
You need to compact an Active Directory database on a domain controller that runs Windows Server 2008
R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From ntdsutil, use the files option.
D. From ntdsutil, use the metadata cleanup option.
Correct Answer: C
QUESTION 559
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows
Server 2008 R2.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows
Server 2008.
From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).
What should you do first?
A. Restore the system state.
B. Raise the functional level of the forest.
C. Raise the functional level of the domain.
D. Modify the tombstone lifetime of the forest.
Correct Answer: A
QUESTION 560
As the Company administrator, you installed a read-only domain controller (RODC) server at a remote
location.
The remote location doesn't provide enough physical security for the server.
What should you do to allow administrative accounts to replicate authentication information to Read-Only
Domain Controllers?
A. Remove any administrative accounts from RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account
Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO
to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the
administrators on the Security tab for the GPO.
E. None of the above
Correct Answer: B
QUESTION 573
Your network consists of a single Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.
What tool should you use?

A. dsmod
B. ntdsutil
C. Local Users and Groups snap-in
D. Active Directory Users and Computers snap-in
Correct Answer: B
QUESTION 581
Your company has a main office and a branch office that are configured as a single Active Directory
forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows
Server 2003 domain controllers in the main office.
You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch
office.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep /rodcprep command.
Correct Answer: BD
QUESTION 586
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2.
Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and
Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must not
replicate other objects to the RODC.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Correct Answer: C
QUESTION 588
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable
domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain
controllers run Windows Server 2008 R2.
You need to install a new writable domain controller named DC3 in a remote site. The solution must
minimize the amount of replication traffic that occurs during the installation of Active Directory Domain
Services (AD DS) on DC3.
What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.
Correct Answer: D
QUESTION 590
Your network contains an Active Directory domain. The domain contains five sites. One of the sites
contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?
A. Repadmin
B. Dcdiag
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Adtest
Correct Answer: A
QUESTION 596
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.
You need to implement key archival.
What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Correct Answer: D
QUESTION 598
Company has servers on the main network that run Windows Server 2008. It also has two domain
controllers. Active Directory services are running on a domain controller named CKDC1.
You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.
What should you do to perform offline critical updates on CKDC1 without rebooting the server?
A. Start the Active Directory Domain Services on CKDC1
B. Disconnect from the network and start the Windows update feature
C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain
services after installing the updates.
D. Stop Active Directory domain services and install updates. Disconnect from the network and then
connect again.
E. None of the above
Correct Answer: C
QUESTION 601
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers.
Client computers run Windows XP and Windows Vista. All domain controllers are running Windows
Server 2008.
You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents,
spreadsheets and to provide user authentication.
What do you need to configure, in order to complete the deployment of AD RMS?
A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all
systems. Install AD RMS on domain controller Company _DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all
systems. Install AD RMS on domain controller Company _SRV5
E. None of the above
Correct Answer: D
QUESTION 615
Your company has a main office and a branch office. You discover that when you disable IPv4 on a
computer in the branch office, the computer authenticates by using a domain controller in the main office.
You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Correct Answer: B
QUESTION 632
Your company has deployed Network Access Protection (NAP) enforcement for VPNs.
You need to ensure that the health of all clients can be monitored and reported.
What should you do?
A. Create a Group Policy object (GPO) that enables Security Center and link the policy to the domain.
B. Create a Group Policy object (GPO) that enables Security Center and link the policy to the Domain
Controllers organizational unit (OU).
C. Create a Group Policy object (GPO) and set the Require Trusted Path For Credential Entry option to
Enabled. Link the policy to the domain.
D. Create a Group Policy object (GPO) and set the Require Trusted Path For Credential Entry option to
Enabled. Link the policy to the Domain Controllers organizational unit (OU).
Correct Answer: A
QUESTION 699
Your company has an Active Directory domain that has two domain controllers named DC1 and DC2.
You prepare both servers to support event subscriptions. On DC1, you create a new default subscription
for DC2.
You need to review system events for DC2.
Which event log should you select?
A. System log on DC1
B. Application log on DC2
C. Forwarded Events log on DC1
D. Forwarded Events log on DC2
Correct Answer: C
QUESTION 746
Your company has an Active Directory forest that contains client computers that run Windows Vista and
Windows XP.
You need to ensure that users are able to install approved application updates on their computers.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to
automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the
Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates
on the Internet. Approve all required updates.
Correct Answer: CD
QUESTION 747
Your network contains an Active Directory domain named contoso.com. You have a management
computer named Computer1 that runs Windows 7.
You need to forward the logon events of all the domain controllers in contoso.com to Computer1.
All new domain controllers must be dynamically added to the subscription.
What should you do?
A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO)
linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO)
linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication
certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit
(OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication
certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit
(OU).
Correct Answer: A
QUESTION 755
Your network consists of a single Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to capture all replication errors from all domain controllers to a central location.
What should you do?
A. Configure Event Log Subscriptions.
B. Start the System Performance data collector set.
C. Start the Active Directory Diagnostics data collector set.
D. Install Network Monitor and create a new capture.
Correct Answer: A
QUESTION 765
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to collect all of the Directory Services events from all of the domain controllers and store the
events in a single central computer.
What should you do?
A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.
Correct Answer: C
QUESTION 766
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to compact the Active Directory database.
What should you do?
A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.
Correct Answer: F

QUESTION 767
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per second.
What should you do?
A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.
Correct Answer: B
QUESTION 768
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to create a snapshot of Active Directory.
What should you do?
A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.
Correct Answer: F
QUESTION 769
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.
What should you do?
A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.
Correct Answer: J

QUESTION 791
Your company has a main office and a branch office. The company has a single-domain Active Directory
forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008
R2.
The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.
All domain controllers hold the DNS Server server role and are configured as Active Directory-integrated
zones. The DNS zones only allow secure updates.
You need to enable dynamic DNS updates on DC3.
What should you do?
A. Run the ntdsutil.exe DS Behavior command on DC3.
B. Run the dnscmd.exe /ZoneResetType command on DC3.
C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
D. Create a custom application directory partition on DC1. Configure the partition to store Active
Directory-integrated zones.
Correct Answer: C
QUESTION 793
Your company has a main office and a branch office. The network contains an Active Directory domain
named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone
and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only
domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are
configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.
Correct Answer: A
QUESTION 795
Your network contains a single Active Directory domain named contoso.com. The domain contains two
domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for
contoso.com. DC2 hosts a secondary zone for contoso.com.
On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept
secure dynamic updates only.
You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.
Which command should you run?
A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary
C. dnslint.exe /ql
D. repadmin.exe /syncall /force
Correct Answer: B
QUESTION 796
Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is
stored in Active Directory. All domain controllers run Windows Server 2008 R2.
You need to identify if all of the DNS records used for Active Directory replication are correctly registered.
What should you do?
A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.
Correct Answer: B
QUESTION 797
Your network contains a single Active Directory forest. The forest contains two domains named
contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following
table:
All domain controllers run Windows Server 2008 R2. All zones are configured as Active
Directory-integrated zones.
You need to ensure that contoso.com records are available on DC3.
Which command should you run?
A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
Correct Answer: B
QUESTION 798
Your company network has an Active Directory forest that has one parent domain and one child domain.
The child domain has two domain controllers that run Windows Server 2008.
All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled
to be decommissioned.
You need to remove the child domain from the Active Directory forest.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Run the Computer Management console to stop the Domain Controller service on both domain
controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust
relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory
domain services role.
D. Run the dcpromo tool that has individual answer files on each domain controller in the child domain.
Correct Answer: CD
QUESTION 805
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista.
You need to ensure that all client computers can apply Group Policy preferences.
What should you do?
A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).
Correct Answer: C
QUESTION 809
Your network contains an Active Directory domain. The domain contains several domain controllers. All
domain controllers run Windows Server 2008 R2.
You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows
Server 2008 R2 default settings.
What should you do?
A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.
Correct Answer: A
QUESTION 815
Your network consists of a single Active Directory domain. All domain controllers run Windows Server
2003.
You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol share
replicates by using DFS Replication (DFS-R).
What should you do?
A. From the command prompt, run netdom /reset.
B. From the command prompt, run dfsutil /addroot:sysvol.
C. Raise the functional level of the domain to Windows Server 2008 R2.
D. From the command prompt, run dcpromo /unattend:unattendfile.xml.
Correct Answer: C
QUESTION 816
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The
functional level of the domain is Windows Server 2003. All client computers run Windows 7. You install
Windows Server 2008 R2 on a server named Server1.
You need to perform an offline domain join of Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.
Correct Answer: AC
QUESTION 817
Your network consists of a single Active Directory domain. All domain controllers run Windows Server
2008 R2.
The Audit account management policy setting and Audit directory services access setting are enabled for
the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged changes
must include the old and new values of any attributes.
What should you do?
A. Enable the Audit Account Management policy in the Default Domain Controller Policy.
B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
C. Run auditpol.exe and then enable the Audit Directory Service Access setting in the Default Domain
policy.
D. From the Default Domain Controllers policy, enable the Audit Directory Service Access setting and
Audit Directory Service Changes setting.
Correct Answer: B

QUESTION 818
Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /forestprep command.
B. Run the adprep /domainprep command.
C. Raise the forest functional level to Windows Server 2008.
D. Raise the domain functional level to Windows Server 2008.
Correct Answer: AB
QUESTION 819
Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On the new server, run dcpromo /adv.
B. On the new server, run dcpromo /createdcaccount.
C. On a domain controller, run adprep /rodcprep.
D. On a domain controller, run adprep /forestprep.
Correct Answer: D
QUESTION 821
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2).
You need to audit user access to the administrative shares on the client computers.
What should you do?
A. Deploy a logon script that runs icacls.exe.
B. Deploy a logon script that runs auditpol.exe.
C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.
Correct Answer: B
QUESTION 823
Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers
and DNS servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that are
stored in the ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX
files to the PolicyDefinitions folder.
Correct Answer: B
QUESTION 824
Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional
level of the forest is Windows Server 2008.
You have a member server named Server1 that runs Windows Server 2008.
You need to ensure that you can add Server1 to contoso.com as a domain controller.
What should you run before you promote Server1?
A. dcpromo.exe /CreateDCAccount
B. dcpromo.exe /ReplicaOrNewDomain:replica
C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest
Correct Answer: C
QUESTION 826
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise
the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run
dfsrmig.exe.
Correct Answer: D
QUESTION 831
You remotely monitor several domain controllers.
You run winrm.exe quickconfig on each domain controller.
You need to create a WMI script query to retrieve information from the BIOS of each domain controller.
Which format should you use to write the query?
A. XrML
B. XML
C. WQL
D. HTML
Correct Answer: C
QUESTION 832
Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a
member server that is configured to collect all of the events that occur on the domain controllers.
You need to ensure that administrators are notified when a specific event occurs on any of the domain
controllers. You want to achieve the goal by using the minimum amount of effort.
What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.
Correct Answer: C
QUESTION 841
Your network contains an Active Directory domain. The functional level of the domain is Windows Server
2003. The domain contains five domain controllers that run Windows Server 2008 and five domain
controllers that run Windows Server 2008 R2.
You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).
What should you do first?
A. Run dfsrdiag.exe PollAD.
B. Run dfsrmig.exe /SetGlobalState 0.
C. Upgrade all domain controllers to Windows Server 2008 R2.
D. Raise the functional level of the domain to Windows Server 2008.
Correct Answer: D

QUESTION 862
Your network contains an Active Directory domain named contoso.com. The functional level of the domain
and the functional level of the forest are Windows Server 2003. All domain controllers run Windows
Server 2008.
You have a member server that runs Windows Server 2008 R2 named Server1. You install the Distributed
Scan Server role service on Server1. From the Scan Management console, you attempt to add a scan
process and you receive the following error.
You need to ensure that you can add a scan process.
What should you do?
A. Install the Fax Server role.
B. Install the Print Server role service.
C. Update the Active Directory schema.
D. Set the functional level of the forest to Windows Server 2008.
Correct Answer: C
QUESTION 872
Your company has a single Active Directory forest that has a domain in North America named
na.contoso.com and a domain in South America named sa.contoso.com. The client computers run Windows 7.
You need to configure the client computers in the North America office to improve the name resolution
response time for resources in the South America office.
What should you do?
A. Configure a new Group Policy object (GPO) that disables the Local-Link Multicast Name Resolution
feature. Apply the policy to all the client computers in the North America office.
B. Configure a new Group Policy object (GPO) that enables the Local-Link Multicast Name Resolution
feature. Apply the policy to all the client computers in the North America office.
C. Configure a new Group Policy object (GPO) that configures the DNS Suffix Search List option to
sa.contoso.com, na.contoso.com. Apply the policy to all the client computers in the North America
office.
D. Configure the priority value for the Service Location (SRV) records on each of the North America
domain controllers to 5.
Correct Answer: C
QUESTION 875
Your company has an Active Directory forest. All domain controllers run the DNS Server server role. The
company plans to decommission the WINS service.
You need to enable forest-wide single name resolution.
What should you do?
A. Enable WINS-R lookup in DNS.
B. Create Service Location (SRV) records for the single name resources.
C. Create an Active Directory-integrated zone named LegacyWINS. Create host (A) records for the single
name resources.
D. Create an Active Directory-integrated zone named GlobalNames. Create host (A) records for the single
name resources.
Correct Answer: D
QUESTION 879
Your company has a single Active Directory domain. The company has a main office and a branch office.
Both the offices have domain controllers that run Active Directory-integrated DNS zones. All client
computers are configured to use the local domain controllers for DNS resolution. The domain controllers
at the branch office location are configured as Read-Only Domain Controllers (RODC).
You change the IP address of an existing server named SRV2 in the main office. You need the branch
office DNS servers to reflect the change immediately.
What should you do?
A. Run the dnscmd /ZoneUpdateFromDs command on the branch office servers.
B. Run the dnscmd /ZoneUpdateFromDs command on a domain controller in the main office.
C. Change the domain controllers at the branch offices from RODCs to standard domain controllers.
D. Decrease the Minimum (default) TTL option to 15 minutes on the Start of Authority (SOA) record for the
zone.
Correct Answer: A
QUESTION 884
Your network contains an Active Directory forest named contoso.com. Contoso.com contains three domain
controllers that run Windows Server 2008 R2 and three domain controllers that run Windows Server 2003.
All domain controllers are configured as DNS servers.
You configure the contoso.com zone to use DNSSEC.
You need to ensure that the zone only replicates to DNS servers that support DNSSEC.
What should you do first?
A. Modify the Notify settings of the contoso.com zone.
B. Create an application directory partition.
C. Move the contoso.com zone to the ForestDnsZones application directory partition.
D. Add a server certificate to the Windows Server 2003 DNS servers.
Correct Answer: B
QUESTION 890
A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs:
HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer
accounts for the HR department reside in the HR Computers OU. All HR department employees belong to
a security group named HR Employees. All HR department computers belong to a security group named
HR PCs.
Company policy requires that passwords are a minimum of 6 characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords
are required to have at least 8 characters. The password length requirement should not change for
employees of any other department.
What should you do?
A. Modify the password policy in the GPO that is applied to the domain.
B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.
C. Create a fine-grained password policy and apply it to the security group named HR Employees.
D. Modify the password policy in the GPO that is applied to the domain controllers OU.
Correct Answer: C

QUESTION 892
Your network contains an Active Directory domain named contoso.com. The domain contains five domain
controllers.
You add a logoff script to an existing Group Policy object (GPO).
You need to verify that each domain controller successfully replicates the updated group policy.
Which two objects should you verify on each domain controller? (Each correct answer presents part of the
solution. Choose two.)
A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
Correct Answer: AD
QUESTION 895
You are the network administrator for Northwind Traders. The network consists of a single Active Directory
forest. The functional level of the forest is Windows Server 2003. The forest consists of a forest root
domain named northwindtraders.com and a child domain named child1.northwindtraders.com. The
child1.northwindtraders.com domain contains all of the user accounts for the network. Your company
acquires a company named Contoso, Ltd. The Contoso, Ltd., network consists of a single Active Directory
forest that contains a forest root domain named contoso.com and a child domain named child1.contoso.com.
All domain controllers run Windows 2000 Server. Both domains contain user accounts and resource servers.
The domains and existing trust relationships are shown in the exhibit.
Exhibit
You need to create the minimum number of trust relationships required for the users in the
child1.northwindtraders.com domain to access resources in both domains in the contoso.com forest.
What should you do?
A. Create a one-way trust relationship in which the northwindtraders.com domain trusts the contoso.com
domain.
B. Create a one-way trust relationship in which the contoso.com domain trusts the northwindtraders.com
domain.
C. Create a one-way trust relationship in which the child1.northwindtraders.com domain trusts the
contoso.com domain. Create a one-way trust relationship in which the child1.northwindtraders.com
domain trusts the child1.contoso.com domain.
D. Create a one-way trust relationship in which the contoso.com domain trusts the
child1.northwindtraders.com domain. Create a one-way trust relationship in which the
child1.contoso.com domain trusts the child1.northwindtraders.com domain.
Correct Answer: D
QUESTION 901
You are the network administrator for Proseware, Inc. The network consists of a single Active Directory
forest that contains one forest root domain named proseware.com and two child domains named
europe.proseware.com and usa.proseware.com. The functional level of the forest is Windows 2000 native.
The proseware.com domain contains a Windows 2000 Server domain controller named Server3 that is
running Service Pack 4 or later. You take Server3 offline. You also remove all references to Server3 from
the Configuration container in Active Directory. Five days later, you upgrade all remaining domain
controllers to Windows Server 2003. You then raise the functional level of the forest to Windows Server
2003. You need to integrate Server3 into the new Active Directory infrastructure. You want Server3 to be
an additional domain controller of the europe.proseware.com domain.
What should you do?
A. Upgrade Server3 to Windows Server 2003. Add the computer account for Server3 into the Computers
container of the europe.proseware.com domain.
B. Demote Server3 to a Windows 2000 member server by running the dcpromo /forceremoval command.
Upgrade Server3 to a Windows Server 2003 member server. Run the dcpromo command to promote
Server3 to be an additional domain controller of the europe.proseware.com domain.
C. Demote Server3 to a Windows 2000 member server by running the dcpromo /forceremoval command.
Add the computer account for Server3 into the Domain Controllers organizational unit (OU) of the
europe.proseware.com domain.
D. Upgrade Server3 to Windows Server 2003. Add the computer account for Server3 into the Domain
Controllers organizational unit (OU) of the europe.proseware.com domain.
Correct Answer: B
QUESTION 911
You are the network administrator for your company. The network consists of a single Active Directory
domain that contains four domain controllers. All servers run Windows Server 2003. All user accounts are
located in an organizational unit (OU) named CompanyUsers. A written company policy requires all users
to use strong passwords. User passwords must contain a mixture of letters, numbers, or special characters.
Passwords must be at least 10 characters long. Passwords must be changed at least every 60 days, and
the new password cannot be the same as the old one. To enforce this requirement, you create a Group
Policy object (GPO) named Password Policies and link the GPO to the CompanyUsers OU. The settings
in the Password Policy section of the Password Policies GPO are shown in the exhibit.
Exhibit
You discover that users are creating simple passwords that do not meet the complexity requirements. You
need to ensure that the company password requirements are enforced.
What should you do?
A. Link the Password Policies GPO to the Domain Controllers OU. Make it the first GPO in the list.
B. Configure the properties of the Password Policies GPO so that it cannot be overridden.
C. Delete the Password Policies GPO. Edit the Default Domain Policy GPO to include the settings from
the Password Policy section of the Password Policies GPO.
D. Delete the Password Policies GPO. Edit the Default Domain Controllers Policy GPO to include the
settings from the Password Policy section of the Password Policies GPO.
Correct Answer: C
QUESTION 913
You are the network administrator for Fourth Coffee. The network consists of a single Active Directory
forest that contains an empty root domain named fourthcoffee.com and a child domain named
research.fourthcoffee.com. You need to implement secure password protection for the accounts located in
the research.fourthcoffee.com domain.
What should you do?
A. Configure the Default Domain Policy Group Policy object (GPO) of the research.fourthcoffee.com
domain to enable the Passwords must meet complexity requirements policy.
B. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the
research.fourthcoffee.com domain to enable the Passwords must meet complexity requirements policy.
C. Configure the Default Domain Policy Group Policy object (GPO) of the fourthcoffee.com domain to
enable the Passwords must meet complexity requirements policy. Enable the No Override setting on the
GPO.
D. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the fourthcoffee.com
domain to enable the Passwords must meet complexity requirements policy. Enable the No Override
setting on the GPO.
Correct Answer: A
QUESTION 915
You are the network administrator for your company. The network consists of a single Active Directory
domain with two sites. The two sites are named Site1 and Site2. The company has two offices, and each
office is configured as one of the sites. All servers run Windows Server 2003. The two offices are
connected by a 256-Kbps leased line. In addition, Site1 and Site2 are connected by a site link. Site1 has
1,000 users, and Site2 has 15 users. There are no domain controllers in Site2. You create a Group Policy
object (GPO) to redirect the My Documents folder. You link the GPO to the domain. Users in Site1 have
their folders redirected successfully, but users in Site2 do not. You need to ensure that users in Site2 have
their folders redirected.
What should you do?
A. Combine Site1 and Site2 into a single site.
B. Enable loopback processing in Merge mode in the GPO.
C. Remove the link for the GPO from the domain. Link the GPO to Site1 and to Site2.
D. Create a new GPO that disables Group Policy slow link detection. Link the new GPO to Site2.
Correct Answer: D

QUESTION 917
You are the network administrator for your company. The network consists of a single Active Directory
domain with two sites. The two sites are named Site1 and Site2. All servers run Windows Server 2003.
The company has two offices, and each office is configured as one of the sites. A 256-Kbps leased line
connects the two offices. In addition, a site link connects the two sites. The site link is configured to
replicate during off-peak hours. There are domain controllers in both sites. Site1 contains all of the
operations master role holders. You plan to create Group Policy objects (GPOs) for each site. Some
GPOs will be used to resolve potential support issues for a specific site, and so you need to minimize any
delay in the propagation of GPOs. You need to ensure that GPOs are applied to users in the appropriate
site with minimal delay.
What should you do?
A. Configure the Group Policy Object Editor and Active Directory Users and Computers snap-ins to
connect to the infrastructure master.
B. Configure the Group Policy and Active Directory snap-ins to connect to a domain controller in the site
where the GPO must be applied.
C. Create a remote procedure call (RPC) connection object between the two sites.
D. Create a GPO that disables Group Policy slow link detection. Link the GPO to both sites.
Correct Answer: B
QUESTION 918
You are the network administrator for your company. The network consists of a single Active Directory
domain.
All servers run Windows Server 2003. One of the domain controllers is configured as an enterprise root
certification authority (CA). All client computers run Windows XP Professional. Your company uses IPSec
to secure communications between computers in your company and computers at other companies. These
IPSec connections require computer certificates. Your IPSec policies require every computer to be able to
make an IPSec connection when connecting to other computers. You need to configure the network so
that all computers can make IPSec connections.
What should you do?
A. In the computer settings section of the Default Domain Policy Group Policy object (GPO), configure the
domain members to always digitally encrypt or sign secure channel data.
B. Create a new automatic certificate request in the computer settings section of the Default Domain
Policy Group Policy object (GPO).
C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the Trusted
Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an intranet
Web page. Instruct users to install this certificate in their trusted certificate store the first time they need
to make an IPSec connection.
Correct Answer: C
QUESTION 921
You are the network administrator for Northwind Traders. The network consists of a single Active Directory
forest that contains one root domain and one child domain. The forest also contains three separate sites,
as shown in the Network Diagram exhibit.
Exhibit
The network is not fully routed and there is no direct physical connection between Site1 and Site3. Site
links are not bridged. You discover that the domain controllers for namerica.northwindtraders.com located
in Site1 have additional accounts that are not on the domain controllers for namerica.northwindtraders.com
located in Site3. You examine the directory service log in Event Viewer on a domain controller for
namerica.northwindtraders.com. You discover the error message shown in the Error Message exhibit.
Exhibit
You need to resolve the condition that is causing this error.
What should you do?
A. Add a domain controller for the namerica.northwindtraders.com domain to Site2.
B. Configure a site link bridge between the site links for Site1 and Site3.
C. Configure at least one domain controller in each site to be a global catalog server.
D. Create a site link between Site1 and Site3.
Correct Answer: B
QUESTION 922
You are the network administrator for your company. The network consists of a single Active Directory
domain with three sites named Site1, Site2, and Site3. The sites and site links are configured to use Site2
to connect Site1 and Site3. Each site contains three Windows Server 2003 domain controllers. A domain
controller in each site is configured as a preferred bridgehead server. All user and group accounts are
created in Site1. Several new users start work in Site2.
When they attempt to log on to the network, the logon fails. You confirm that the user accounts are
created and are visible in Site1 and Site2. You discover that the preferred IP bridgehead server in Site2
failed. You repair the server and confirm that replication is successful to Site2. You need to ensure that
the failure of a single domain controller in any site will not interfere with Active Directory replication
between sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Configure an IP site link between Site1 and Site3.
B. Configure two domain controllers in each site as preferred IP bridgehead servers.
C. Configure two domain controllers in each site as preferred SMTP bridgehead servers.
D. Configure each site to have no preferred bridgehead servers.
E. Configure an SMTP site link between each of the sites. Assign a cost of 200 to the SMTP site link.
Correct Answer: BD
QUESTION 925
You are the network administrator for Contoso Pharmaceuticals. The network consists of a single Active
Directory domain named contoso.com. The domain contains three Windows Server 2003 domain
controllers. A domain controller named DC2.contoso.com fails because of a hardware failure. You decide
not to rebuild the domain controller. However, because several applications refer to DC2.contoso.com by
its NetBIOS name, you need to provide a new domain controller that has the same name.
You install a new Windows Server 2003 computer and name it DC2. You attempt to promote the server to
a domain controller in the contoso.com domain. The promotion fails and you receive the following error
message.
You need to install a new domain controller named DC2 in the contoso.com domain.
What should you do?
A. Use the WINS administrative console to remove all WINS records for DC2.contoso.com.
B. Use the Ntdsutil utility to remove the metadata associated with the DC2.contoso.com domain controller
object from Active Directory.
C. Use Active Directory Users and Computers to remove the DC2.contoso.com domain controller
computer account from the contoso.com domain.
D. Use the DNS administrative console to remove all DNS records that refer to DC2.contoso.com.
Correct Answer: B
QUESTION 926
You are a network administrator for your company. The company has offices in Paris and New York. The
network consists of a single Active Directory domain that contains six domain controllers, as shown in the
exhibit.
Exhibit
What should you do?
A. Increase the replication interval of the site link connecting the two offices.
B. Decrease the replication interval of the site link connecting the two offices.
C. Configure Server1 and Server5 as preferred bridgehead servers.
D. Configure Server3 and Server4 as preferred bridgehead servers.
Correct Answer: D
QUESTION 927
You are the network administrator for the Baldwin Museum of Science. The network consists of a single
Active Directory forest that contains one domain named baldwinmuseumofscience.com. You need to
deploy a new domain named NA.baldwinmuseumofscience.com as a child domain of
baldwinmuseumofscience.com. You install a new stand-alone Windows Server 2003 computer named
DC1. You plan to make DC1 the first domain controller in the NA.baldwinmuseumofscience.com domain.
You configure DC1 with a static IP configuration.
You run the Active Directory Installation Wizard on DC1. The wizard prompts you for the network
credentials to use to join the NA.baldwinmuseumofscience.com domain to the forest. You enter the
appropriate credentials for an account in the baldwinmuseumofscience.com domain. You receive an error
message stating that a domain controller in the baldwinmuseumofscience.com domain cannot be located.
You need to be able to promote DC1 to a domain controller as the first domain controller of the child
domain in the existing forest.
What should you do?
A. Configure the client WINS settings on DC1 to use a WINS server that contains entries for the
baldwinmuseumofscience.com domain controllers.
B. Configure the client DNS settings on DC1 to use a DNS server that is authoritative for the
baldwinmuseumofscience.com domain.
C. Configure the DNS Server service on DC1 to have a zone for NA.baldwinmuseumofscience.com.
D. Configure DC1 to be a member server in the baldwinmuseumofscience.com domain.
Correct Answer: B
QUESTION 934
You are a network administrator for your company. The network consists of a single Active Directory
domain. The functional level of the domain is Windows Server 2003. All domain controllers run Windows
Server 2003. All domain controllers are fully backed up every Friday evening at 5:00 P.M. The Directory
Services object is configured to have the properties shown in the following table.

Directory Services object property    Setting
garbageCollPeriod                     15 hours
tombstoneLifetime                     5 days

On Monday morning, a network administrator deletes several domain user accounts. On Wednesday
evening at 5:00 P.M., one of the domain controllers fails. You plan to restore the directory database
domain controller from backup.
You need to ensure that Active Directory is not corrupted by the restoration process.
What should you do?
A. Increase the garbageCollPeriod setting by 5.
B. Decrease the garbageCollPeriod setting by 5.
C. Increase the tombstoneLifetime setting by 3.
D. Decrease the tombstoneLifetime setting by 3.
Correct Answer: C
QUESTION 937
You are a network administrator for your company. The company has offices in Paris and New York. The
network consists of a single Active Directory domain that contains six domain controllers, as shown in the
exhibit.
Exhibit
You notice that at regular intervals the CPU utilization on some of the file and print servers increases to
100 percent for a period of time. During this time, the servers become unresponsive to user requests. You
discover that this problem occurs during Active Directory replication.
You need to ensure that the file and print servers are responsive to user requests during Active Directory
replication.
What should you do?
A. Increase the replication interval of the site link connecting the two offices.
B. Decrease the replication interval of the site link connecting the two offices.
C. Configure Server1 and Server5 as preferred bridgehead servers.
D. Configure Server3 and Server4 as preferred bridgehead servers.
Correct Answer: D
QUESTION 939
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory
forest that contains a single domain named contoso.com. The network contains four Windows Server 2003
domain controllers. The DNS Server service is running on two Windows Server 2003 member servers in
the domain. You decide to create a new child domain named dev.contoso.com in the forest. You install
Windows Server 2003 on a new server. You join the server to the contoso.com domain. The first domain
controller installed in the contoso.com domain fails because of a hardware failure.
You find out that it will take several days to repair the domain controller. You decide to continue creating
the new child domain. You attempt to promote the member server to a domain controller in the
dev.contoso.com domain. The promotion of the domain controller fails. You receive the following error
message.
You need to resolve the error to create the new domain. What should you do?
A. Configure the DNS client settings on the new server to use the DNS server that is authoritative for the
contoso.com domain.
B. Configure the DNS server for the Contoso.com zone to have a zone named dev.contoso.com.
Configure the zone for dynamic updates.
C. Configure one of the other contoso.com domain controllers to hold all of the operations master roles.
D. Configure one of the existing domain controllers as a global catalog server.
Correct Answer: C
QUESTION 940
You are a network administrator for your company. The network consists of a single Active Directory
domain. The domain contains three sites named MainOffice, EastCoast, and WestCoast. Each site
contains four domain controllers and 100 client computers. One server in the EastCoast site is named
Server1.
All DNS servers contain Active Directory-integrated zones. Other administrators report that they cannot
connect to Server1 when attempting to perform Active Directory administration. They report they can
perform these tasks locally at Server1. You verify that Server1 is operational and that file and print
resources are accessible by using the host name. You need to ensure that administrators can perform
Active Directory administration on Server1 without requiring physical access to the server.
What should you do?
A. On Server1, force registration of DNS host (A) resource records.
B. On Server1, restart the Net Logon service.
C. Install DNS on Server1.
D. Configure Server1 as a local bridgehead server for the EastCoast site.
Correct Answer: B
QUESTION 946
You are the network administrator for Adventure Works. The network consists of a single Active Directory
forest that contains a forest root domain named adventure-works.com and a child domain named
child1.adventure-works.com. The functional level of the forest is Windows Server 2003. The company uses
universal groups to prevent temporary employees from accessing confidential information on computers
in the forest. The child1.adventure-works.com domain contains a Windows 2000 Server computer named
Server1. Server1 runs an application that makes frequent LDAP queries to the global catalog.
Server1 is located on a subnet associated with an Active Directory site named Site2 that has no global
catalog servers. Site2 is connected to another site by a WAN connection. You need to enable the
application on Server1 to run at high performance levels and to continue operating if a WAN connection
fails. You also need to minimize traffic over the WAN connection.
What should you do?
A. Enable universal group membership caching in Site2.
B. Configure at least one global catalog server in Site2.
C. Add the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry
on all domain controllers in Site2.
D. Remove Server1 from the child1.adventure-works.com domain and add it to a workgroup.
Correct Answer: B
QUESTION 948
You are the network administrator for your company. The network consists of a single Active Directory
forest that contains one domain. The functional level of the forest is Windows 2000, and the functional
level of the domain is Windows 2000 mixed. The domain contains four domain controllers named DC1, DC2,
DC3, and DC4. There are two sites in the forest. DC1 and DC2 are in one site. DC3 and DC4 are in the
other site. DC1 fails. You need to wait until the following week to restore DC1. While connected to DC3,
you perform a bulk import of user accounts and receive an error message stating that a number of the user
accounts could not be created. You need to ensure that the user accounts can be created.
What should you do?
A. Seize the PDC emulator role to DC3.
B. Seize the relative ID (RID) master role to DC3.
C. Create a replication object to connect DC3 to DC2.
D. Raise the functional level of the domain and the functional level of the forest to Windows Server 2003.
Correct Answer: B
QUESTION 958
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. One of the domain controllers is configured as an
enterprise root certification authority (CA). All client computers run Windows XP Professional.
Your company uses IPSec to secure communications between computers in your company and
computers at other companies. These IPSec connections require computer certificates. Your IPSec policies
require every computer to be able to make an IPSec connection when connecting to other computers. You
need to configure the network so that all computers can make IPSec connections.
What should you do?
A. In the computer settings section of the Default Domain Policy Group Policy object (GPO), configure the
domain members to always digitally encrypt or sign secure channel data.
B. Create a new automatic certificate request in the computer settings section of the Default Domain
Policy Group Policy object (GPO).
C. Obtain a new computer certificate from a public CA. Import a copy of this certificate into the Trusted
Root Certification Authorities section of the Default Domain Policy Group Policy object (GPO).
D. Issue a new computer certificate from your enterprise CA. Place a copy of this certificate on an intranet
Web page. Instruct users to install this certificate in their trusted certificate store the first time they need
to make an IPSec connection.
Correct Answer: C

QUESTION 960
You are the network administrator for Humongous Insurance. The network consists of a single Active
Directory domain named humongousinsurance.com. All servers run Windows Server 2003. All servers
that are not domain controllers are located in an organizational unit (OU) named Servers. All user accounts
are located in an OU named Accounts. The health insurance department has servers that store the medical
records of customers. These records servers contain information that must be closely monitored. A
non-Microsoft auditing tool is installed on the records servers to monitor that information.
Access to the auditing information is available only to a small number of local user accounts on each
record server. For legal reasons, the health insurance department needs to change its account lockout and
password settings for the local user accounts on records servers. You need to ensure that the records
servers adhere to the security requirements. You want to accomplish this task by using the minimum
amount of administrative effort.
What should you do?
A. Create a new domain under the humongousinsurance.com domain. Make the records servers
members of the new domain. Create a Group Policy object (GPO) that contains the account lockout and
password settings. Link the GPO to the new domain.
B. Create a new domain under the humongousinsurance.com domain. Make the health insurance user
accounts members of the new domain. Create a Group Policy object (GPO) that contains the account
lockout and password settings. Link the GPO to the new domain.
C. Create a new OU under the Servers OU. Make the records servers members of the new OU. Create a
Group Policy object (GPO) that contains the account lockout and password settings. Link the GPO to
the new OU.
D. Create a new OU under the Accounts OU. Make the health insurance user accounts members of the
new OU. Create a Group Policy object (GPO) that contains the account lockout and password settings.
Link the GPO to the new OU.
Correct Answer: C
QUESTION 963
You are the network administrator for your company. Your network consists of a single Active Directory
domain. The company has a main office and a branch office. The domain contains four domain
controllers. Two domain controllers are located in the main office, and two domain controllers are located
in the branch office. You create a Group Policy object (GPO) named WPSoft and link it to the domain. You
configure WPSoft to assign a word processing application to the User Configuration section of the GPO.
Users in the branch office report that the application is not available to use. Users in the main office
report that they can use the application. You need to ensure that the users at the branch office receive
the word processing application.
What should you do?
A. Synchronize the Netlogon shared folder on both domain controllers in the branch office.
B. Force replication between the domain controllers in the main office and the branch office.
C. Run the gpresult command on the client computers in the branch office.
D. Run the gpotool command on a client computer in the branch office.
Correct Answer: B
QUESTION 964
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. The
company has one office in New York and another office in Ottawa. Each office is configured as an Active
Directory site. Each site contains two domain controllers. The network is configured to display a legal
notice on the computer screens of all users before they log on to their client computers. At the request of
the legal department, you make changes to the wording of the notice by changing the settings in a Group
Policy object (GPO).
The GPO is linked to the domain. The legal department reports that not all users are receiving the new
notice. You discover that users in the Ottawa office receive the new notice, but users in the New York
office receive the old notice. The problem continues for several days. You need to ensure that the new
notice appears correctly on all computers in the network.
What should you do?
A. Create a new security group that contains the computer accounts for all computers in the New York
site. Grant permissions to this security group to read and apply the GPO.
B. Temporarily assign one of the domain controllers in the New York site to the Ottawa site. Wait 24 hours,
and then reassign the domain controller to the New York site.
C. Force replication of Active Directory between the two sites.
D. Log on to one of the domain controllers in the New York site, and seize the infrastructure master role.
Correct Answer: C
QUESTION 966
You are the network administrator for your company. The network consists of a single Active Directory
domain that contains two domain controllers. Both domain controllers run Windows Server 2003. All client
computers run Windows XP Professional. The only account in the Domain Admins security group is the
Administrator account in the domain. Each night, a full backup is made of the hard disks in each domain
controller.
You disable the local Administrator account in the Default Domain Policy Group Policy object (GPO). You
discover that you are no longer able to log on to either domain controller as the Administrator from the
domain. You need to ensure that you can log on to both domain controllers as the Administrator from the
domain.
What should you do?
A. Restart one domain controller in Safe Mode. Log on as Administrator. Create an account for a second
administrator. Restart the domain controller and use the new account to remove the restrictions on the
local Administrator accounts.
B. Restore the entire hard disk on one domain controller by using the last nightly backup before the
change was made. Restart the domain controller. Allow time for Active Directory replication to complete.
C. Restart one domain controller and use a Windows Server 2003 CD to run the Recovery Console. Stop
the GPC service. Restart the domain controller.
D. Restart one domain controller in Directory Services Restore Mode. Perform an authoritative restore
operation of the Domain Controllers OU in Active Directory from the last nightly backup before the
change was made. Restart the domain controller.
Correct Answer: D
QUESTION 970
You are the network administrator for your company. The network consists of a single Active Directory
forest. The forest consists of 19 Active Directory domains. Fifteen of the domains contain Windows Server
2003 domain controllers. The functional level of all the domains is Windows 2000 native.
The network also consists of a single Microsoft Exchange 2000 Server organization. You need to create
groups that can be used only to send e-mail messages to user accounts throughout the company. You
want to achieve this goal by using the minimum amount of replication traffic and minimizing the size of
the Active Directory database. You need to create a plan for creating e-mail groups for your company.
What should you do?
A. Create global distribution groups in each domain. Make the appropriate users from each domain
members of the global distribution group in the same domain. Create universal distribution groups.
Make the global distribution groups in each domain members of the universal distribution groups.
B. Create global security groups in each domain. Make the appropriate users from each domain members
of the security group in the same domain. Create universal security groups. Make the global security
groups in each domain members of the universal security groups.
C. Create universal distribution groups. Make the appropriate users from each domain members of a
universal distribution group.
D. Create universal security groups. Make the appropriate users from each domain members of a
universal security group.
Correct Answer: A
QUESTION 972
You are the network administrator for Consolidated Messenger. The network consists of a single Active
Directory forest that contains three domains named consolidatedmessenger.com,
child1.consolidatedmessenger.com, and child2.consolidatedmessenger.com. The functional level of the forest is
Windows Server 2003. Both child1.consolidatedmessenger.com and child2.consolidatedmessenger.com
contain employee user accounts, client computer accounts, and resource server computer accounts. The
domain named consolidatedmessenger.com contains only administrative user accounts and computer
accounts for two domain controllers. Each resource server computer provides a single service of file
server, print server, Web server, or database server.
Your company plans to use Group Policy objects (GPOs) to centrally apply security settings to resource
server computers. Some security settings need to apply to all resource servers and must not be
overridden. Other security settings need to apply to specific server roles only. You need to create an
organizational unit (OU) structure to support the GPO requirements. You want to create as few GPOs and
links as possible.
What should you do?
A. Create a top-level OU for each server role under the consolidatedmessenger.com domain. Create a
top-level OU named Servers under the child1.consolidatedmessenger.com domain. Create a top-level OU
named Servers under the child2.consolidatedmessenger.com domain.
B. Create a top-level OU named Servers under the child1.consolidatedmessenger.com domain. Create a
child OU for each server role under the Servers OU. Create a top-level OU named Servers under the
child2.consolidatedmessenger.com domain. Create a child OU for each server role under the Servers
OU.
C. Create a top-level OU named Servers under the consolidatedmessenger.com domain.
Create a child OU for each server role under the Servers OU.
D. Create a top-level OU for each server role under the child1.consolidatedmessenger.com domain.
Create a top-level OU for each server role under the child2.consolidatedmessenger.com domain.
Correct Answer: B
QUESTION 973
You are a network administrator for your company. The company consists of two subsidiaries named
Litware, Inc., and Contoso, Ltd. The network consists of a single Active Directory forest. The functional
level of the forest is Windows Server 2003. The forest contains a forest root domain named litwareinc.com
and an additional domain tree named contoso.com, which contains two child domains. All domain controllers
run Windows Server 2003. The Directory Services object is configured with the default property settings.
The forest contains 250,000 objects that are changed frequently. You need to be able to restore objects in
one of the child domains in the contoso.com domain tree from a three-month-old backup. You need to
make a change to a Directory Services property on a domain controller in one of the domains in order to
achieve this goal.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Run the netdom command on a domain controller in contoso.com.
B. Use the Ntdsutil utility on a domain controller in litwareinc.com.
C. Use the ADSIEdit utility on a domain controller in contoso.com.
D. Run the ldp command on a domain controller in litwareinc.com.
Correct Answer: CD
QUESTION 975
You are the network administrator for a company that has three offices. The offices are in Boston,
Chicago, and New York. All three offices are connected by leased lines as shown in the exhibit.
Exhibit
Your company is deploying a Windows Server 2003 forest. You create a single Active Directory domain.
You configure each office as a single site. You configure three domain controllers in NYSite. You create a
domain controller in each of the other sites. You create site links based on the network topology. Each
leased line is represented by a site link. Each site link connects only two sites. The cost and the schedule
for all site links is the same. The sites and site links are named as shown in the following table.
Users report that network requests between BosSite and ChiSite are taking much longer than they used
to take. You discover that replication traffic is using an unacceptably large percentage of the bandwidth
between BosSite and ChiSite.
You need to reduce replication traffic over the ChiBoston site link.
What should you do?
A. Create an SMTP-based connection object from a domain controller in NYSite to a domain controller in
BosSite.
B. Increase the cost for the ChiBoston site link.
C. Create a site link bridge that includes the NYBoston and NYChi site links.
D. Increase the replication interval for the NYBoston site link.
Correct Answer: B
QUESTION 981
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. All
servers that are not domain controllers have computer accounts in an organizational unit (OU) named
ApplicationServers.
Client computers have computer accounts in 15 OUs organized by department. All users have user
accounts in an OU named CompanyUsers. Your company wants all users to have Microsoft Word
available on their client computers. Your company does not want to install Word on domain controllers or
other servers. You need to configure the network to install the application as required, without affecting
any existing policies or settings.
What should you do?
A. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation
section of the computer settings. Link this GPO to the domain.
Configure the Domain Controllers OU and the ApplicationServers OU to block policy inheritance.
B. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation
section of the computer settings. Link this GPO to the domain.
Configure permissions on the GPO so that all server and domain controller accounts are denied the
permissions to read and apply the GPO.
C. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation
section of the user settings. Link this GPO to the domain. Configure the Domain Controllers OU and the
ApplicationServers OU to block policy inheritance.
D. Create a Group Policy object (GPO) configured with Microsoft Word listed in the software installation
section of the user settings. Link this GPO to the domain. Configure permissions on the GPO so that all
server and domain controller accounts are denied the permissions to read and apply the GPO.
Correct Answer: B
QUESTION 986
You are the network administrator for your company. The network consists of a single Active Directory
domain with three sites. There is a domain controller at each site. All servers run Windows Server 2003.
Each client computer runs either Windows 2000 Professional or Windows XP Professional. The IT staff is
organized into four groups. The IT staff works at the three different sites. The computers for the IT staff
must be configured by using scripts. The script or scripts must run differently based on which site the IT
staff user is logging on to and which of the four groups the IT staff user is a member of. You need to
ensure that the correct logon script is applied to the IT staff users based on group membership and site
location.
What should you do?
A. Create four Group Policy objects (GPOs). Create a script in each GPO that corresponds to one of the
four groups. Link the four new GPOs to all three sites. Grant each group permissions to apply only the
GPO that was created for the group.
B. Create a single script that performs the appropriate configuration based on the user's group
membership. Place the script in the Netlogon shared folders on the domain controllers.
C. Configure a Group Policy object (GPO) with a startup script that configures computers based on IT
staff group. Link the GPO to the three sites.
D. Create a script that configures the computers based on IT staff group membership and site. Create
and link a GPO to the Domain Controllers OU to run the script.
Correct Answer: A
QUESTION 990
You are the network administrator for your company. The network consists of a single Active Directory
domain with two sites. Each site contains two domain controllers. One domain controller in each site is a
global catalog server. You add a domain controller to each site. Each new domain controller has a faster
processor than the existing domain controllers. Your company requires Active Directory replication to flow
through the servers that have the most powerful CPUs in each site. You need to configure the intersite
replication to comply with the company's requirement for Active Directory replication.
What should you do?
A. Configure the new domain controllers as global catalog servers.
B. Configure the new domain controller in each site as a preferred bridgehead server for the IP transport.
C. Configure the new domain controller in each site as a preferred bridgehead server for the SMTP
transport.
D. Configure an additional IP site link between the two sites. Assign a lower site link cost to this site link
than the site link cost for the original site link.
Correct Answer: B
QUESTION 992
You are the network administrator for Alpine Ski House. The network consists of a single Active Directory
forest that contains five domains. The functional level of the forest is Windows 2000. You have not
configured any universal groups in the forest. One domain is a child domain named
child1.alpineskihouse.com that contains two domain controllers and 50 client computers. The functional
level of the domain is Windows Server 2003. The network includes an Active Directory site named Site1
that contains two domain controllers. Site1 represents a remote clinic, and the location changes every few
months. All of the computers in child1.alpineskihouse.com are located in the remote clinic. The single WAN
connection that connects the remote clinic to the main network is often saturated or unavailable. Site1 does
not include any global catalog servers. You create several new user accounts on the domain controllers
located in Site1. You need to ensure that users in the remote clinic can always quickly and successfully log
on to the domain.
What should you do?
A. Enable universal group membership caching in Site1.
B. Add the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry
on both domain controllers in Site1.
C. Add the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures key to the registry
on all global catalog servers in the forest.
D. Raise the functional level of the forest to Windows Server 2003.
Correct Answer: B
QUESTION 1006
You are a network administrator for Litware, Inc. The network consists of a single Active Directory forest
that contains two domains named litwareinc.com and dev.litwareinc.com. All domain controllers run
Windows Server 2003. The functional level of the forest is Windows Server 2003. Litware, Inc., acquires a
company named Graphic Design Institute. The Graphic Design Institute network consists of a single Active
Directory forest that contains a single domain named graphicdesigninstitute.com. All domain controllers run
Windows Server 2003. The functional level of the forest is Windows Server 2003. Users in the
litwareinc.com domain require access to file and print resources stored on a computer named
server1.graphicdesigninstitute.com.
Users in the graphicdesigninstitute.com domain require access to all computers in the litwareinc.com forest.
You must provide administrators with the ability to grant users access to the required resources.
What should you do?
A. Create a two-way forest trust relationship between the litwareinc.com domain and the
graphicdesigninstitute.com domain. In the litwareinc.com domain, enable forest-wide authentication for
the graphicdesigninstitute.com domain. In the graphicdesigninstitute.com domain, enable selective
authentication for the litwareinc.com domain.
B. Create a two-way external trust relationship between the litwareinc.com domain and the
graphicdesigninstitute.com domain.
C. Create a one-way forest trust relationship in which the graphicdesigninstitute.com domain trusts the
litwareinc.com domain. In the litwareinc.com domain, enable forest-wide authentication for the
graphicdesigninstitute.com domain.
D. Create a one-way external trust relationship in which the litwareinc.com domain trusts the
graphicdesigninstitute.com domain. Create a second incoming external trust relationship on the
graphicdesigninstitute.com domain. Specify that the trust relationship is between the dev.litwareinc.com
domain and the graphicdesigninstitute.com domain.
Correct Answer: A
QUESTION 1010
You are the network administrator for Contoso Pharmaceuticals. Your network consists of a single Active
Directory forest that contains three domains. The forest root domain is named contoso.com. The domain
contains two child domains named usa.contoso.com and europe.contoso.com. The functional level of the
forest is Windows Server 2003. Each domain contains two Windows Server 2003 domain controllers
named DC1 and DC2. DC1 in the contoso.com domain performs the following two operations master roles:
schema master and domain naming master. DC1 in each child domain performs the following three
operations master roles: PDC emulator master, relative ID (RID) master, and infrastructure master. DC1 in
each domain is also a global catalog server.
The user account for Nancy Buchanan in the europe.contoso.com domain is a member of the Medicine
Students security group. Because of a name change, the domain administrator of europe.contoso.com
changes the Last name field of Nancy's user account from Buchanan to Anderson. The domain
administrator of usa.contoso.com discovers that the user account for Nancy is still listed as Nancy
Buchanan. You need to ensure that the user account for Nancy Anderson is correctly listed in the Medicine
Students group.
What should you do?
A. Transfer the PDC emulator master role from DC1 to DC2 in each domain.
B. Transfer the infrastructure master role from DC1 to DC2 in each domain.
C. Transfer the RID master role from DC1 to DC2 in each domain.
D. Transfer the schema master role from DC1 to DC2 in the contoso.com domain.

Correct Answer: B
QUESTION 1014
You are the network administrator for the Baldwin Museum of Science. The network consists of a single
Active Directory forest. The forest functional level is Windows 2000. The forest consists of a forest root
domain named baldwinmuseumofscience.com and two child domains named
child1.baldwinmuseumofscience.com, and child2.baldwinmuseumofscience.com. The functional level of all
three domains is Windows 2000 native. All domain controllers in the forest run Windows 2000 Server. Your
user account that has administrative privileges is in the child1.baldwinmuseumofscience.com domain and is
a member of the following groups: Schema Admins, Domain Admins, and Domain Users. You need to
successfully run the adprep.exe /forestprep command.
What should you do?
A. Run the adprep.exe /forestprep command on the PDC emulator for the baldwinmuseumofscience.com
domain.
B. Restart the schema master in Directory Services Restore Mode and run the adprep.exe /forestprep
command.
C. Add your user account that has administrative privileges to the Enterprise Admins group. Run the
adprep.exe /forestprep command on the schema master.
D. Run the adprep.exe /domainprep command on the PDC emulator for the baldwinmuseumofscience.com
domain. Then run the adprep.exe /forestprep command on the schema master.
E. Run the adprep.exe /domainprep command on the infrastructure master in each domain. Then run the
adprep.exe /forestprep command on the schema master.
Correct Answer: C
QUESTION 1016
You are the network administrator for Contoso, Ltd. The network consists of an Active Directory domain
named contoso.com. The functional level of the domain is Windows Server 2003. Your company has a
main office and four branch offices, which are located in one country. Each office has a data center that
contains domain controllers and servers with a corresponding Active Directory site.
There is a central operations department in the main office that is responsible for administering all resource
servers and domain controllers in all locations. Each office has a local operations department that is
responsible for administering all client computers within the individual department's office only. The local
operations departments are also responsible for running backups on the servers in their data centers.
The computer accounts for all domain controllers are located in the default Domain Controllers
organizational unit (OU). The computer accounts for all other computers are located in the default
Computers container. You decide to use delegation of authority to meet the requirements for administration
of computer accounts. You need to create an OU structure for computer accounts to support the delegation
of authority requirements. You want to minimize the amount of administrative effort required to maintain the
environment.
What should you do?
A. Create a top-level OU under the contoso.com domain for each office. Move the computer accounts of all
computers in each office to the appropriate OU for that office.
B. Create a top-level OU named Corp_Computers under the contoso.com domain. Create a separate child
OU for each office and place the child OUs under Corp_Computers.
Move all of the client and resource server computer accounts located in each office to the appropriate
child OU for that office.
C. Create a top-level OU named Servers under the contoso.com domain. Move the computer accounts of
resource servers and domain controllers in all offices to the Servers OU. Create an OU named
Desktops under the contoso.com domain. Move the computer accounts of the client computers in all
offices to the Desktops OU.
D. Create a top-level OU named Servers under the contoso.com domain. Create a separate child OU for
each office under Servers. Move the computer accounts of all resource servers in each office to the
appropriate child OU for that office. Create an OU named Desktops under the contoso.com domain.
Create a separate child OU for each office under Desktops. Move the computer accounts of all client
computers in each office to the appropriate child OU for that office.
E. Create a top-level OU named Servers under the contoso.com domain. Create a separate child OU for
each office under Servers. Move the computer accounts of all resource servers and domain controllers
in each office to the appropriate child OU for that office.
Create a top-level OU named Desktops under the contoso.com domain. Create a separate child OU for
each office under Desktops. Move the computer accounts of all client computers in each office to the
appropriate child OU for that office.
Correct Answer: D
QUESTION 1017
You are a network administrator for your company. The network consists of two Active Directory domains.
All servers run Windows Server 2003. The company has offices in several cities as shown in the exhibit.
Exhibit
Each office is configured as an Active Directory site. There are global catalog servers in the Toronto and
Paris sites. You enable universal group membership caching for all other sites. Users in your company use
an application that is integrated with Active Directory. The application reads data from the global catalog.
Users report that during periods of peak activity, the application responds slowly. You need to improve the
response time of the application.
What should you do?
A. Disable universal group membership caching in the Chicago, New York, Bonn, and Rome sites.
B. Decrease the replication interval on the site links that connect the Chicago and New York sites to the
Toronto site, and on the site links that connect the Bonn and Rome sites to the Paris site.
C. Configure global catalog servers in the Chicago, New York, Bonn, and Rome sites.
D. Perform an offline defragmentation of the Active Directory database on the domain controllers in the
Toronto and Paris sites.
Correct Answer: C
QUESTION 1018
You are the network administrator for your company. The company consists of two subsidiaries named
Contoso, Ltd., and Fabrikam, Inc. The network consists of two Active Directory forests. The WAN
connections that connect some domain controllers are unreliable. The domain and trust configuration is
shown in the Network Diagram exhibit.
Exhibit
You create shared folders on Windows Server 2003 member servers in both forests. Some of the shared
folders are accessible to users from both forests. For each of the shared folders, you create a domain local
group. You add global groups from domains in either forest to the domain local group. The Fabrikam, Inc.,
division is sold to a different company. You delete the trust relationship between the two forests. You notice
that after the trust relationship is deleted, the membership lists for some of the domain local groups are no
longer accurate. When you view a membership list, it contains entries without user-friendly names. A
sample is shown in the Membership List exhibit.
Exhibit
You need to delete all the unknown groups from the membership list for the domain local groups. You want
to achieve this goal by using the minimum amount of administrative effort, and without modifying the access
to resources for users in the contoso.com forest.
What should you do?
A. Create new domain local groups. Add the required global groups from the contoso.com forest to the
domain local groups. Grant appropriate permissions to the domain local groups. Delete the original
domain local groups.
B. Re-create the trust relationship between contoso.com forest and the fabrikam.com forest. Delete all the
fabrikam.com global group accounts from the domain local group membership lists. Delete the trust
relationship between the two forests.
C. Verify all remaining trust relationships. Then delete the unknown accounts from the domain local groups.
D. Delete all the affected domain local groups. Re-create the groups. Add the appropriate global groups
from the contoso.com forest to the groups. Grant appropriate permissions to the domain local groups.
Correct Answer: C
QUESTION 1020
You are a network administrator for your company. The network consists of a single Active Directory
domain. The company has offices in 25 cities. Each office is configured as a single site. You are
responsible for one site that is configured as shown in the exhibit.
Exhibit
A. Create a new SMTP site link between your site and each of the other sites.
B. Configure one domain controller in your site as a global catalog server.
C. Configure both domain controllers in your site to use a fixed port when replicating.
D. Create a VPN between your site and the site at the main office.
Correct Answer: D
QUESTION 1021
You are the network administrator for your company. The network consists of a single Active Directory
domain with two sites named Site1 and Site2. Site1 contains two domain controllers. Site2 contains one
domain controller. Each site contains two member servers. All domain controllers are backed up every night.
Each of the domain controllers is installed with a similar hardware configuration, which includes a single
processor and a single hard disk. You create several user accounts on the domain controller in Site2. The
hard disk on that domain controller fails. You install a new hard disk on the domain controller and restore
the domain controller from the most recent backup tape. You notice that the new user accounts you created
on the domain controller do not appear. The only way that you can restore the user accounts is to recreate
them. You need to configure the domain controllers so that the loss of data in Active Directory is minimized
during a similar hard disk failure.
What should you do?
A. Configure an existing member server as an additional domain controller in Site2.
B. Install an additional hard disk in each domain controller. Move the Active Directory log files to the new
hard disk.
C. Install an additional hard disk in each domain controller. Move the Active Directory database file to the
new hard disk.
D. Configure a new site link between Site1 and Site2.
Correct Answer: A
QUESTION 1022
You are the network administrator for Lucerne Publishing. Lucerne Publishing has offices in New York,
Copenhagen, and Ankara. The network consists of a single Active Directory domain and three sites. The
sites are named NYSite, CopSite, and AnkSite. Lucerne Publishing is adding a new division at the New
York office for publishing fiction books.

You create a new organizational unit (OU) named Fiction for the fiction division. You add a new network
segment and subnet for the fiction division. You plan to place new Windows XP Professional computers for
the fiction division in the new subnet. You also plan to add a new domain controller to NYSite. You need to
ensure that users in the fiction division use the domain controllers in the New York office when logging on to
the network.
What should you do?
A. Decrease the metric for the default gateway on the new Windows XP Professional computers.
B. Create a new subnet object for the new subnet. Add the new subnet object to NYSite.
C. Configure the location attribute for the new Windows XP Professional computers to be NYSite.
D. Move the domain controller objects for the domain controllers in the New York office to the Fiction OU.
Correct Answer: B
QUESTION 1023
You are the network administrator for your company. The network consists of a single Active Directory
domain with three sites named Site1, Site2, and Site3. The sites and site links are configured to use Site2
to connect Site1 and Site3. Each site contains three Windows Server 2003 domain controllers. A domain
controller in each site is configured as a preferred bridgehead server. All user and group accounts are
created in Site1.
Several new users start work in Site2. When they attempt to log on to the network, the logon fails. You
confirm that the user accounts are created and are visible in Site1 and Site2. You discover that the
preferred IP bridgehead server in Site2 failed. You repair the server and confirm that replication is
successful to Site2. You need to ensure that the failure of a single domain controller in any site will not
interfere with Active Directory replication between sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Configure an IP site link between Site1 and Site3.
B. Configure two domain controllers in each site as preferred IP bridgehead servers.
C. Configure two domain controllers in each site as preferred SMTP bridgehead servers.
D. Configure each site to have no preferred bridgehead servers.
E. Configure an SMTP site link between each of the sites. Assign a cost of 200 to the SMTP site link.
Correct Answer: BD
QUESTION 1025
You work as the network administrator at Pass.com. Pass.com has its headquarters in Chicago and branch
offices in Dallas and Miami that are all connected via Wide Area Network (WAN) links. The Pass.com
network consists of a single Active Directory forest. All servers on the Pass.com network run Windows
Server 2003 and all client computers run Windows XP Professional. The exhibit below illustrates the
Pass.com network:
Each office is configured as a separate site.
1. The Chicago office has four domain controllers named Pass-DC01, Pass-DC02, Pass-DC03, and
Pass-DC04. Pass-DC01 and Pass-DC02 serve as global catalog servers. The Chicago office has 400
users.
2. The Dallas office has three domain controllers named Pass-DC05, Pass-DC06, and Pass-DC07.
Pass-DC06 serves as a global catalog server. The Dallas office has 250 users.
3. The Miami office has two domain controllers named Pass-DC08 and Pass-DC09.
The Miami office has 75 users.
The Pass.com helpdesk received numerous calls from the Miami office users complaining about
unacceptably slow authentication and logon performance when they try to log on to the company network.
The CIO gives you instruction to address the problem. You now need to reduce the logon times for the
Miami users. You need to accomplish this without increasing the Active Directory replication traffic over the
WAN links of the company.
What should you do?
A. You can increase the Active Directory replication traffic over WAN links by configuring Pass-DC08 as a
global catalog server.
B. In the Chicago office the universal group membership caching needs to be enabled in order to increase
the Active Directory replication traffic over WAN links.
C. Your best option would be to allow universal group membership caching in the Dallas office.
D. In order to increase the Active Directory replication traffic over WAN links you need to allow universal
group membership caching in the Miami office.
Correct Answer: D
QUESTION 1030
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest
that contains a single domain named contoso.com. The network contains four Windows Server 2003
domain controllers. The DNS Server service is running on two Windows Server 2003 member servers in
the domain. You decide to create a new child domain named dev.contoso.com in the forest. You install
Windows Server 2003 on a new server.
You join the server to the contoso.com domain. The first domain controller installed in the contoso.com
domain fails because of a hardware failure. You find out that it will take several days to repair the domain
controller. You decide to continue creating the new child domain. You attempt to promote the member
server to a domain controller in the dev.contoso.com domain. The promotion of the domain controller fails.
You receive the following error message.
You need to resolve the error to create the new domain.
What should you do?
A. Configure the DNS client settings on the new server to use the DNS server that is authoritative for the
contoso.com domain.
B. Configure the DNS server for the Contoso.com zone to have a zone named dev.contoso.com. Configure
the zone for dynamic updates.
C. Configure one of the other contoso.com domain controllers to hold all of the operations master roles.
D. Configure one of the existing domain controllers as a global catalog server.
Correct Answer: C
QUESTION 1033
You work as the network administrator at Pass.com. Pass.com has its headquarters in Chicago and a
branch office in Dallas. The network consists of two Active Directory domains and two sites. Each office
functions as a separate site. All servers on the Pass.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
Only two domain controllers are configured to function as global catalog servers in the Chicago office. The
Research department is located in the Dallas office. Members of the Research department have an
application that they use frequently. This application, though used in the Dallas office, often directs LDAP
queries of the global catalog server to TCP Port 3268.
The Research department users lodged a complaint regarding the application's slow responses. They need
the application to perform optimally. The CIO then gave you instruction to address the problem. You now
need to improve performance of this application and minimize the inter-site traffic that occurs across the
WAN link between the Chicago and Dallas offices.
What should you do?
A. In order to improve the performance of the application and to minimize the inter-site traffic across the
Wide Area Network link the value of the replication interval should be increased.
B. The domain controller in the Dallas office should be configured to host the global catalog.
C. You should enable universal group membership caching in the Dallas office.
D. To adhere to all the requirements the best option would be for you to decrease the value of the
replication interval.
Correct Answer: B
QUESTION 1034

You are a network administrator for your company. The network consists of a single Active Directory
domain and two Active Directory sites. The sites are named Site1 and Site2. Each site contains two
Windows Server 2003 domain controllers. All client computers on the network run Windows XP
Professional. Administrators in Site1 manage all user and group administration on the network. One of the
executives located in the office at Site2 requires access to a network shared folder named ExecutiveData.
This folder is located on a Windows Server 2003 member server in Site2. An administrator in Site1 adds the
executive to an Active Directory global group that has access to the ExecutiveData shared folder.
The executive restarts her computer and logs back on to the domain. One hour later, the executive still
cannot access the shared folder. Other users in the same group can access the shared folder. You need to
ensure that the executive has immediate access to the ExecutiveData shared folder.
What should you do?
A. Modify the NTFS permissions on the ExecutiveData shared folder on the Windows Server 2003
member server.
B. Configure one of the domain controllers in Site2 as a global catalog server.
C. Use Replication Monitor to force replication between domain controllers in the two sites.
D. Modify the share permissions on the ExecutiveData shared folder to give the user account explicit
permissions.
Correct Answer: C
QUESTION 1043
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. All client computers run Windows XP Professional. All
computer accounts for the client computers are located in an organizational unit (OU) named Workstations.
The company's written security policy states the following requirements: Users must be members of the
local Power Users group on all client computers. Users must not be members of the local Administrators
group on any client computer. Users must not have any administrative rights to member servers or domain
controllers in the domain. The Power Users group membership cannot be modified by members of the local
Administrators group on any client computer.
You need to provide automatic assignment of required group memberships for the users on the client
computers.
What should you do?
A. Create a logon script that adds the Domain Users group to the local Power Users group when the user
logs on. Link the logon script to the Workstations OU.
B. Create a startup script that adds the Domain Users group to the local Power Users group when the
client computer starts. Link the startup script to the Workstations OU.
C. Create a new Group Policy object (GPO) named GPO1. Configure the Restricted Groups option in
GPO1 to add the Domain Users group to the Power Users group. Link GPO1 to the Workstations OU.
D. Create a new Group Policy object (GPO) named GPO1. Configure the Restricted Groups option in
GPO1 to add the Domain Users group to the Power Users group. Link GPO1 to the domain.
Correct Answer: C
QUESTION 1045
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers that are not domain controllers are located in an organizational unit (OU) named
Servers. The security department is responsible for defining security requirements for servers. You are
responsible for configuring the company's servers. The security department provides you with security
settings that you must apply to new and existing servers that are not domain controllers. You configure a
Windows Server 2003 computer named Server1 with these settings. You need to apply the security settings
in compliance with the security department's requirements.
What should you do?

A. Export the security settings for Server1. Import the settings to a Group Policy object (GPO) linked to the
Servers OU.
B. Create a script by running the netsh dump command on Server1. Create a Group Policy object (GPO), link
the GPO to the Servers OU, and configure the GPO to apply the script as a startup script.
C. Configure Synchronization Manager on Server1 to perform a synchronization task daily.
D. Export the security settings for Server1. Configure File Replication service (FRS) to copy the .inf file to
the systemroot on each server.
Correct Answer: A
QUESTION 1048
You are the network administrator for your company. The network consists of a single Active Directory
domain.
The domain controllers are located in three Active Directory sites. The domain contains an organizational
unit (OU) named Marketing. The Marketing OU contains two child OUs named Sales and Research. You
need to disable the Windows Update service on all computers in the domain, with the exception of
computers in the Sales OU. You want to use the minimum number of Group Policy objects (GPOs).
What should you do?
A. Create a GPO and link it to the domain. Configure the GPO to disable Windows Update under the User
Configuration section of the GPO. On the Sales OU, enable the Block Policy inheritance setting.
B. Create a GPO and link it to the domain. Configure the GPO to disable Windows Update under the User
Configuration section of the GPO. Enable the No Override setting on the GPO.
C. Create a GPO and link it to all three Active Directory sites. Configure the GPO to disable Windows
Update under the User Configuration section of the GPO. On the Sales OU, enable the Block Policy
inheritance setting.
D. Create a GPO and link it to all three Active Directory sites. Configure the GPO to disable Windows
Update under the User Configuration section of the GPO. Enable the No Override setting on the GPO.
Correct Answer: A
QUESTION 1051
You work as the network administrator at Pass.com. The Pass.com network consists of an Active Directory
forest named Pass.com. The forest consists of two domains and two sites. These two sites are located in
Chicago, which is the headquarters, and in Dallas, which is the branch office, respectively. All servers on
the Pass.com network run Windows Server 2003 and all client computers run Windows XP Professional.
The Chicago office has ten domain controllers and the Dallas office has one domain controller. The Dallas
office is connected to the Chicago office via a reliable 56-Kbps link. However, the Dallas users complained
about slow response times when they attempt to log on to the network. You therefore received instruction
from the CIO to address the problem that the Dallas users are experiencing without incurring extra costs for
the company. You need to rectify the problem.
What should you do?
A. The Dallas office should get a global catalog server.
B. The Chicago office should have a global catalog server removed.
C. You should increase bandwidth to improve replication.
D. You should implement universal group membership caching.
Correct Answer: A
QUESTION 1053
You are the network administrator for City Power & Light. Your network consists of a single Active Directory
forest that contains a forest root domain named cpandl.com and one child domain named
miami.cpandl.com. All domain controllers run Windows 2000 Server. The miami.cpandl.com domain
contains one Windows Server 2003 member server named Server2. You attempt to promote Server2 to be
an additional domain controller of the miami.cpandl.com domain. The promotion fails and you receive the
error message shown in the exhibit.
Exhibit
You need to resolve the error in order to promote Server2 to be an additional domain controller of the
miami.cpandl.com domain.
Which two actions should you take? (Each correct answer presents part of the solution.
Choose two.)
A. Force replication between the schema master and the PDC emulator of only the cpandl.com domain.
B. Force replication between the schema master and the PDC emulator of the cpandl.com domain and the
miami.cpandl.com domain.
C. Run the adprep /forestprep command on the schema master of the cpandl.com domain.
D. Run the adprep /domainprep command on the infrastructure master of only the cpandl.com domain.
E. Run the adprep /domainprep command on the infrastructure masters of the cpandl.com domain and the
miami.cpandl.com domain.
Correct Answer: CE
QUESTION 1057
You are the network administrator for Contoso, Ltd. The network consists of a single Active Directory forest,
as shown in the exhibit.
Exhibit
A domain controller named dc1.corp.contoso.com runs Windows 2000 Server. All other domain controllers
run Windows Server 2003. Contoso, Ltd., is engaged in a joint venture with Litware, Inc. The network at
Litware, Inc., consists of a single Active Directory forest named litwareinc.com that contains one domain.
The functional level of the litwareinc.com forest is Windows Server 2003. You need to ensure that the users
at Contoso, Ltd., can log on to the litwareinc.com forest. You upgrade dc1.corp.contoso.com to Windows
Server 2003.
Which two additional courses of action should you take? (Each correct answer presents part of the solution.
Choose two.)
A. Raise the functional level of the corp.contoso.com domain and the east.corp.contoso.com domain to
Windows 2000 native. Raise the functional level of the contoso.com forest to Windows Server 2003.
B. Raise the functional level of the corp.contoso.com domain to Windows 2000 native.
Raise the functional level of the east.corp.contoso.com domain to Windows Server 2003.
Raise the functional level of the west.contoso.com domain to Windows Server 2003.
C. Create a one-way forest trust relationship in which the contoso.com forest trusts the litwareinc.com forest.
D. Create a one-way forest trust relationship in which the litwareinc.com forest trusts the contoso.com forest.
Correct Answer: AD
QUESTION 1060
You are a network administrator for Litware, Inc. The network consists of a single Active Directory forest
that contains two domains named litwareinc.com and dev.litwareinc.com. All domain controllers run
Windows Server 2003. The functional level of the forest is Windows Server 2003. Litware, Inc., acquires a
company named Graphic Design Institute.
The Graphic Design Institute network consists of a single Active Directory forest that contains a single
domain named graphicdesigninstitute.com. All domain controllers run Windows Server 2003. The functional
level of the forest is Windows Server 2003. Users in the litwareinc.com domain require access to file and
print resources stored on a computer named server1.graphicdesigninstitute.com.
Users in the graphicdesigninstitute.com domain require access to all computers in the litwareinc.com forest.
You must provide administrators with the ability to grant users access to the required resources. What
should you do?
A. Create a two-way forest trust relationship between the litwareinc.com domain and the
graphicdesigninstitute.com domain. In the litwareinc.com domain, enable forest-wide authentication for
the graphicdesigninstitute.com domain. In the graphicdesigninstitute.com domain, enable selective
authentication for the litwareinc.com domain.
B. Create a two-way external trust relationship between the litwareinc.com domain and the
graphicdesigninstitute.com domain.
C. Create a one-way forest trust relationship in which the graphicdesigninstitute.com domain trusts the
litwareinc.com domain. In the litwareinc.com domain, enable forest-wide authentication for the
graphicdesigninstitute.com domain.
D. Create a one-way external trust relationship in which the litwareinc.com domain trusts the
graphicdesigninstitute.com domain. Create a second incoming external trust relationship on the
graphicdesigninstitute.com domain. Specify that the trust relationship is between the dev.litwareinc.com
domain and the graphicdesigninstitute.com domain.
Correct Answer: A
QUESTION 1064
You are a network administrator for your company. The company consists of two subsidiaries named
LightCom, Inc., and Como, Ltd. The network consists of a single Active Directory forest. The functional level
of the forest is Windows Server 2003. The forest contains a forest root domain named LightCom Inc.com
and an additional domain tree named Como.com, which contains two child domains. All domain controllers
run Windows Server 2003. The Directory Services object is configured with the default property settings.
The forest contains 250,000 objects that are changed frequently. You need to be able to restore objects in
one of the child domains in the Como.com domain tree from a three-month-old backup. You need to make
a change to a Directory Services property on a domain controller in one of the domains in order to achieve
this goal.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Run the ldp command on a domain controller in LightCom Inc.com.
B. Use the Ntdsutil utility on a domain controller in LightCom Inc.com.
C. Use the ADSIEdit utility on a domain controller in Como.com.
D. Run the netdom command on a domain controller in Como.com.
Correct Answer: AC
QUESTION 1065
You are the network administrator for ThirdCup. The network consists of a single Active Directory forest that
contains an empty root domain named ThirdCup.com and a child domain named research.ThirdCup.com.
You need to implement secure password protection for the accounts located in the research.ThirdCup.com
domain.
What should you do?
A. Configure the Default Domain Policy Group Policy object (GPO) of the ThirdCup.com domain to enable
the Passwords must meet complexity requirements policy. Enable the No Override setting on the GPO.
B. Configure the Default Domain Controllers Policy Group Policy object (GPO) of the research.ThirdCup.com
domain to enable the Passwords must meet complexity requirements policy.
C. Configure the Default Domain Policy Group Policy object (GPO) of the research.ThirdCup.com domain
to enable the Passwords must meet complexity requirements policy.
D. None of the above
Correct Answer: C

QUESTION 1067
The help desk frequently processes group membership changes requested by department managers. Help
desk administrators report that changes made to group memberships are often lost and have to be recreated.
You discover that this problem is caused by replication conflicts that occur when a large number of
help desk requests are being processed in a short period of time. You upgrade all domain controllers to
Windows Server 2003.
Help desk administrators continue to report that work is often lost during times of peak activity. You need to
reduce the amount of work lost by help desk administrators. You want to accomplish this task by using the
minimum amount of administrative effort.
What should you do?
A. Ensure that all help desk administrators are connecting to the PDC emulator in their domain when they
perform updates to group memberships.
B. Raise the functional level of the domains and of the forests to Windows Server 2003.
C. Enable universal group membership caching on domain controllers used by the help desk
administrators.
D. Disable site link bridging for all site links in the forest.
Correct Answer: B
QUESTION 1068
You are the network administrator for Contoso Pharmaceuticals. Your network consists of a single Active
Directory forest that contains three domains. The forest root domain is named contoso.com. The domain
contains two child domains named usa.contoso.com and europe.contoso.com. The functional level of the
forest is Windows Server 2003. Each domain contains two Windows Server 2003 domain controllers
named DC1 and DC2. DC1 in the contoso.com domain performs the following two operations master roles:
schema master and domain naming master. DC1 in each child domain performs the following three
operations master roles: PDC emulator master, relative ID (RID) master, and infrastructure master. DC1 in
each domain is also a global catalog server. The user account for Nancy Buchanan in the
europe.contoso.com domain is a member of the Medicine Students security group. Because of a name
change, the domain administrator of europe.contoso.com changes the Last name field of Nancy's user
account from Buchanan to Anderson.
The domain administrator of usa.contoso.com discovers that the user account for Nancy is still listed as
Nancy Buchanan. You need to ensure that the user account for Nancy Anderson is correctly listed in the
Medicine Students group.
What should you do?
A. Transfer the PDC emulator master role from DC1 to DC2 in each domain.
B. Transfer the infrastructure master role from DC1 to DC2 in each domain.
C. Transfer the RID master role from DC1 to DC2 in each domain.
D. Transfer the schema master role from DC1 to DC2 in the contoso.com domain.
Correct Answer: B
QUESTION 1070
You are a network administrator for your company. The company has 25 offices in major cities throughout
the world. The network consists of a single Active Directory forest that contains five domains. All domain
controllers run Windows 2000 Server. Each domain contains user objects for five offices. The offices in
Paris and Toronto provide help desk services to 20,000 users in all domains. The help desk frequently
processes group membership changes requested by department managers. Help desk administrators report
that changes made to group memberships are often lost and have to be re-created. You discover that this
problem is caused by replication conflicts that occur when a large number of help desk requests are being
processed in a short period of time. You upgrade all domain controllers to Windows Server 2003. Help desk
administrators continue to report that work is often lost during times of peak activity. You need to reduce
the amount of work lost by help desk administrators. You want to accomplish this task by using the
minimum amount of administrative effort.
What should you do?
A. Ensure that all help desk administrators are connecting to the PDC emulator in their
domain when they perform updates to group memberships.
B. Raise the functional level of the domains and of the forests to Windows Server 2003.
C. Enable universal group membership caching on domain controllers used by the help
desk administrators.
D. Disable site link bridging for all site links in the forest.
Correct Answer: B
QUESTION 1103
Your network contains an Active Directory domain. The domain contains several domain controllers.
You need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?
A. Computer Management
B. Active Directory Users and Computers
C. Group Policy Management
D. Security Configuration Wizard
E. Active Directory Domains and Trusts
Correct Answer: B
QUESTION 1123
Your company has a main office and a branch office. The branch office contains a read-only domain
controller named RODC1.
You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent
Admin1 from logging on to other domain controllers.
What should you do?
A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.
Correct Answer: B
QUESTION 1124
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2.
Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC).
You add a user named User1 to the Allowed RODC Password Replication Group.
The WAN link between Site1 and Site2 fails.
User1 restarts his computer and reports that he is unable to log on to the domain.
The WAN link is restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?
A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.
Correct Answer: D
QUESTION 1209
Your network contains a single Active Directory domain. The domain contains five read-only domain
controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.
You plan to install a new RODC that runs Windows Server 2008 R2.

You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using
the minimum amount of administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From Active Directory Domains and Trusts, raise the functional level of the domain.
B. From Active Directory Users and Computers, pre-stage the RODC computer account.
C. At the command prompt, run adprep.exe /forestprep.
D. At the command prompt, run adprep.exe /rodcprep.
E. At the command prompt, run adprep.exe /domainprep.
Correct Answer: CE
QUESTION 1212
Your network contains an Active Directory forest named adatum.com. All domain controllers currently run
Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows
Server 2003.
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What should you do first?
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a writable domain controller that runs Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run adprep.exe.
Correct Answer: D
QUESTION 1259
Your network contains a Web server that runs Windows Server 2008 R2. You need to back up all Web site
content.
Which tool should you use?
A. Appcmd
B. Internet Information Services (IIS) Manager
C. Internet Information Services (IIS) 6.0 Manager
D. Wbadmin
Correct Answer: D
QUESTION 1309
Your network consists of an Active Directory forest that contains one domain. All domain controllers run
Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone.
You have two Active Directory sites. Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the Services snap-in, restart the DNS Server service.
C. From the command prompt, run repadmin /syncall.
D. From the DNS Manager console, increase the version number of the SOA record.
Correct Answer: C
QUESTION 1311
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008
R2 and are configured as DNS servers.
A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named
DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone
data.
What should you do?
A. On both servers, modify the interface that the DNS server listens on.
B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
C. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.
D. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the
secondary zone.
Correct Answer: B
QUESTION 1312
Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The
domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You plan to create a new Active Directory-integrated zone.
You need to ensure that the new zone is only replicated to four of your domain controllers.
What should you do first?
A. Create a new delegation in the ForestDnsZones application directory partition.
B. Create a new delegation in the DomainDnsZones application directory partition.
C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.
D. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.
Correct Answer: D
QUESTION 1322
Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run
Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional
level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to
contoso.com.
Correct Answer: C
QUESTION 1323
Your company, A. Datum Corporation, has a single Active Directory domain named intranet.adatum.com.
The domain has two domain controllers that run Windows Server 2008 R2 operating system.
The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic
updates setting configured to Secure only. A new corporate security policy requires that the
intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone
properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com
DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of
the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security
tab of the intranet.adatum.com DNS zone properties.
Correct Answer: AD
QUESTION 1324

Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.
Which two tasks should you perform?

(Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /forestprep command.
B. Run the adprep /domainprep command.
C. Raise the forest functional level to Windows Server 2008.
D. Raise the domain functional level to Windows Server 2008.
Correct Answer: AB
QUESTION 1492
Your network consists of a single domain. All domain controllers run Windows Server 2003 Service Pack 2
(SP2).
All client computers run Windows XP Professional Service Pack 3 (SP3).
You need to ensure that users' personal settings are the same when they log on to different client
computers in the domain.
What should you do?
A. From the properties of each user account, configure a profile path.
B. From the properties of each user account, configure a home folder path.
C. From the Default Domain Policy, configure a logon script that runs Loadstate.exe.
D. From the Default Domain Policy, configure a logon script that runs Scanstate.exe.
Correct Answer: A
QUESTION 1498
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003
Service Pack 2 (SP2).
You have an organizational unit (OU) that contains 1,000 computer accounts. You need to move the
computer accounts to a new OU.
Which tool should you use?
A. Active Directory Domains and Trusts
B. Active Directory Users and Computers
C. Csvde.exe
D. Dsmod.exe
Correct Answer: B
QUESTION 1501
Your network consists of an Active Directory forest that contains two domains named contoso.com and
Region1.contoso.com.
All servers in the network run Windows Server 2003 Service Pack 2 (SP2).
You attempt to create a universal security group and obtain the result shown in the exhibit. (Click the
Exhibit button.)
You need to ensure that you can create universal security groups in the contoso.com domain.
What should you do in the contoso.com domain?
Exhibit:
A. Modify the Default Domain Policy.
B. Modify the Default Domain Controllers Policy.
C. Raise the domain functional level of the contoso.com domain.
D. Add your user account to the Enterprise Administrators group.
Correct Answer: C
QUESTION 1505
Your network contains one Active Directory domain. All domain controllers run Windows Server 2003
Service Pack 2 (SP2).
You have a comma delimited file that contains information for 2,000 new employees. You need to create
2,000 new user accounts by using the information in the file. You must achieve this goal by using the
minimum amount of administrative effort.
Which tool should you use?
A. Csvde.exe
B. Dsmod.exe
C. ldifde.exe
D. Ntdsutil.exe
Correct Answer: A
QUESTION 1522
Your company has a main office and a branch office. Your network consists of a single Active Directory
domain.
All domain controllers are in the main office. The offices connect to one another by using a wide area
network (WAN) link.
The branch office has a computer named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
A domain user named User1 reports that he cannot log on to Server1 when the WAN link is unavailable. He
reports that he can log on to Server1 when the WAN link is available. You need to ensure that User1 can
log on to Server1 by using his domain account when the WAN link is unavailable.
What should you do?
A. Modify the Default Domain Policy.
B. Modify the Default Domain Controller Policy.
C. Add User1 to the Domain Admins group in the domain.
D. Add User1 to the local Administrators group on Server1.
Correct Answer: A
QUESTION 1547
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
You enable auditing for failed logon attempts on all domain controllers.
You need to ensure that a record of failed logon attempts is retained for 90 days on all domain controllers.
What should you do?
A. From the Security Templates snap-in, open the hisecdc template. Modify the Retain System Log setting.
B. From the Security Templates snap-in, open the securedc template. Modify the Retain Security Log setting.
C. Open the Default Domain Policy. Modify the Retain System Log setting.
D. Open the Default Domain Controller Policy. Modify the Retain Security Log setting.
Correct Answer: D
QUESTION 1548
Your network consists of a single Active Directory domain that contains two domain controllers.
Both domain controllers run Windows Server 2003 Service Pack 2 (SP2).
Auditing of successful account logon events is enabled on all computers in the domain. You need to identify
the last time a specific user logged on to the domain.
What should you do?

A. Examine the System Event Log on the user's computer.
B. Examine the System Event Log on both domain controllers.
C. Examine the Security Event Log on both domain controllers.
D. Examine the Application Event Log on the user's computer.
Correct Answer: C
QUESTION 1604
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
The domain contains two domain controllers named DC1 and DC2. DC1 is located in Montreal and DC2 is
located in Seattle.
Each domain controller has a dedicated hard disk that contains only the Active Directory database and log
files.
Each night, you back up the system state on all domain controllers.
On DC2, the hard disk that contains Active Directory fails.
You replace the failed hard disk on DC2.
You need to restore domain controller functionality on DC2.
The solution must minimize replication traffic between Montreal and Seattle.
What should you do on DC2?
A. Uninstall Active Directory and then reinstall Active Directory.
B. Start by using the Last Known Good Configuration.
C. Start in Directory Services Restore Mode and restore the NTDS.dit file.
D. Start in Directory Services Restore Mode and restore the system state.
Correct Answer: D
QUESTION 1648
You are the domain administrator for your company's Active Directory domain. All domain controllers run
Windows Server 2003.
The network consists of 10 offices located across South America. The organizational unit (OU) structure
consists of one top-level OU for each branch office.
Each top-level OU contains eight or more child OUs, one for each department.
User accounts are located in the appropriate departmental OU within the appropriate office OU.
For security purposes, you routinely disable user accounts for terminated employees.
As part of an internal audit, you need to create a list of all disabled user accounts.
You need to generate the list of disabled user accounts as quickly as possible.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. In Active Directory Users and Computers, create a new saved query.
B. Run the dsget user command.
C. Run the dsquery user command.
D. Run the netsh command.
Correct Answer: AD
QUESTION 1670
You are the network administrator for your company. The network consists of a single Active Directory
domain. All network servers run Windows Server 2003.
Some client computers run Windows 2000 Professional, and the rest run Windows XP Professional.
All user accounts in the sales department are located in the Sales organizational unit (OU).
To store roaming user profiles, you create a shared folder named Profiles on a member server named File1.
You assign the Allow - Full Control permission on the Profiles folder to the Everyone group.
Now you need to create roaming user profiles for the user accounts in the Sales OU.
What should you do?
A. Select all user accounts in the Sales OU.
Modify the account properties to specify \\File1\Profiles\%username% as the profile path.
B. Select all user accounts in the Sales OU.
Modify the account properties to specify \\File1\Profiles as the profile path.
C. Create a Group Policy object (GPO) and link it to the Sales OU.
In the User Configuration section of the GPO, configure Folder Redirection to use \\File1\Profiles.
D. Create a Group Policy object (GPO) and link it to the Domain Controllers OU.
In the User Configuration section of the GPO, configure Folder Redirection to use \\File1\Profiles.
Correct Answer: A
QUESTION 1673
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003.
All client computers run Windows XP Professional with default settings. Some users have portable
computers, and the rest have desktop computers.
You need to ensure that all users are authenticated by a domain controller when they log on.
How should you modify the local security policy?
A. Require authentication by a domain controller to unlock the client computer.
B. Cache zero interactive logons.
C. Cache 50 interactive logons.
D. Grant the Log on locally user right to the Users group.
Correct Answer: B
QUESTION 1674
You are the network administrator for your company's Active Directory domain.
The domain includes Windows Server 2003 domain controllers and Windows XP Professional client
computers.
A new administrator named Paul is hired to assist you in deploying Windows XP Professional to 100 new
computers.
Paul installs the operating system on a new computer named Client1. However, when Paul tries to log on to
the domain from Client1, he is unsuccessful.
The logon dialog box does not allow him to view and select the domain name. You need to ensure that Paul
can log on to the domain from Client1.
What should you do?
A. Enable the computer account for Client1.
B. Configure Client1 as a member of the domain.
C. Add Paul's user account to the Enterprise Admins group.
D. Add Paul's user account to the Server Operators group.
Correct Answer: C
QUESTION 1677
You are the network administrator for your company. Your network consists of a single Active Directory
domain. All network servers run Windows Server 2003.
Each domain controller contains one disk that is configured with both the system partition and the boot
partition.
Every day, you use custom software to perform a full backup of user profiles and user data.
The custom backup software provides a bootable floppy disk that includes the drivers for the backup
media.
Every Sunday, you run the Automated System Recovery (ASR) wizard on your domain controllers in
conjunction with removable backup media.
Data is backed up in a file named Backup1.bkf. One Monday morning, you install a new application on a
domain controller named DC1.
When you restart DC1, you receive the following error message:
"NTLDR is missing. Press any key to restart."
You need to bring DC1 back online as quickly as possible.
What should you do?

A. Restart DC1 by using the installation CD-ROM.
Reinstall the operating system and restore the contents of the latest full backup by using the Restore wizard.
Restart DC1.
B. Restart DC1 by using the installation CD-ROM.
Restore the contents of Backup1.bkf by using the ASR disk.
Restart DC1.
C. Restart DC1 by using the bootable floppy disk.
Copy the contents of Backup1.bkf from the backup media to C:\winnt.
Restart DC1.
D. Restart DC1 by using the bootable floppy disk.
Copy the contents of the ASR disk to C:\.
Restart DC1.
Correct Answer: B
QUESTION 1678
You are the network administrator for your company. The network consists of a single Active Directory
domain. All network servers run Windows Server 2003.
The domain contains three domain controllers: DC1, DC2, and DC3. Each one hosts user data.
DC1 experiences hard disk failure.
You need to temporarily restore the user data to DC2.
Which type of restoration should you perform?
A. Automated System Recovery (ASR)
B. normal
C. primary
D. authoritative
Correct Answer: B
QUESTION 1718
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
The domain contains two domain controllers named DC1 and DC2. DC1 is located in Montreal and DC2 is
located in Seattle.
Each domain controller has a dedicated hard disk that contains only the Active Directory database and log
files.
Each night, you back up the system state on all domain controllers.
On DC2, the hard disk that contains Active Directory fails.
You replace the failed hard disk on DC2.
You need to restore domain controller functionality on DC2.
The solution must minimize replication traffic between Montreal and Seattle.
What should you do on DC2?
A. Uninstall Active Directory and then reinstall Active Directory.
B. Start by using the Last Known Good Configuration.
C. Start in Directory Services Restore Mode and restore the NTDS.dit file.
D. Start in Directory Services Restore Mode and restore the system state.
Correct Answer: D
QUESTION 1727
Your company has a single domain named contoso.com. All servers run Windows Server 2003 Service
Pack 2 (SP2). All client computers run Windows XP Service Pack 3 (SP3).
All domain controllers are DNS servers. The contoso.com DNS zone is configured to allow only secure
updates.
The company has two DHCP servers named DHCP1 and DHCP2. All client computers are configured as
DHCP clients.
You configure the DHCP servers to always update host and pointer (PTR) records in DNS.

You need to ensure that both DHCP servers can update all host and PTR records for DHCP clients.
What should you do?
A. Add DHCP1 and DHCP2 to the DNSAdmins group in the contoso.com domain.
B. Add DHCP1 and DHCP2 to the DNSUpdateProxy group in the contoso.com domain.
C. Create a user account named DHCPUser in the contoso.com domain. Configure DHCP1 and DHCP2 to
use DHCPUser when updating DNS.
D. Create a user account named DHCPUser in the contoso.com domain. Add DHCPUser to the
DNSUpdateProxy group in the contoso.com domain.
Correct Answer: B
QUESTION 1787
Your network consists of a single Active Directory forest that contains two domains named contoso.com
and litwareinc.com.
All domain controllers for contoso.com are in an office located in Singapore. All domain controllers for
litwareinc.com are in an office located in Los Angeles.
There is a single 128-Kbps WAN link between the two offices.
All domain controllers run Windows Server 2003 Service Pack 2 (SP2) and are configured as DNS
servers. Each domain controller contains a standard DNS zone for its respective domain.
You need to ensure that users in the Singapore office can resolve IP addresses for servers in the Los
Angeles office. The solution must minimize replication traffic over the WAN link.
What should you do?
A. Create a shortcut trust between contoso.com and litwareinc.com.
B. Place a domain controller for litwareinc.com in the Singapore office.
C. On a domain controller in the Singapore office, create a secondary zone for the litwareinc.com domain.
D. On a domain controller in the Singapore office, create a conditional forwarder for the litwareinc.com
domain.
Correct Answer: D
QUESTION 1855
You are the administrator of an Active Directory domain. The network contains a Windows Server 2003
domain controller named Server1.
Users report that they experience intermittent delays when they log on to Server1. Administrators report
that replication attempts between Server1 and other domain controllers are occasionally delayed.
You need to verify the cause of the intermittent connection delays to Server1. You also need to find out
whether the problem is related to a hardware deficiency on Server1. You need to track these delays over
a period of one day.
What should you do first?
A. Run the netdiag /verbose command to perform a network diagnostic test on Server1.
B. Run the replmon command to view the Active Directory replication status on Server1.
C. Use Network Monitor to view the network traffic packet contents between Server1 and all other
computers.
D. Create a System Monitor counter to track the queue lengths on the network adapter on Server1.
Correct Answer: D
QUESTION 1887
Your network consists of a single Active Directory domain named contoso.com. All servers run Windows
Server 2003 Service Pack 2 (SP2).
The domain has two domain controllers named DC1 and DC2. Both domain controllers are DNS
servers. Windows Support Tools is installed on both domain controllers. The contoso.com DNS zone is
Active Directory-integrated.
You need to verify that the contoso.com zone has replicated between DC1 and DC2.
What should you do?
A. On DC1 and DC2, open Event Viewer and review the DNS server log.
B. On DC1, open the DNS snap-in. From the properties of the contoso.com zone, review the Zone
Transfer settings.
C. On DC1 and DC2, open the DNS snap-in. From the properties of the contoso.com zone, review the
Monitoring settings.
D. From Active Directory Replication Monitor, connect to DC1. Under the
DC=DomainDnsZones,DC=contoso,DC=com directory partition, review the status of Default-First-Site\DC2.
Correct Answer: D
QUESTION 1918
Your company has two offices.
The network consists of a single Active Directory domain. You have two domain controllers named DC2
and DC3.
All servers run Windows Server 2003 Service Pack 2 (SP2). The relevant portion of the network is
configured as shown in the exhibit. (Click the Exhibit button.)
You verify the IP configuration of Server1 as shown in the following Command Prompt window.
You need to ensure that Server1 can locate a domain controller if a single server fails.
Which IP configuration should you change on Server1?
Exhibit:
A. Add 10.10.0.2 as a DNS server.
B. Add 10.10.0.2 as a WINS server.
C. Add 10.11.0.20 as a WINS server.
D. Add a second network adapter that has an IP address of 10.10.0.20.
Correct Answer: B
QUESTION 1958
Your network consists of a single Active Directory domain that has three Active Directory sites. Each site
contains two Active Directory domain controllers. All domain controllers run Windows Server 2003 Service
Pack 2 (SP2). All domain controllers have Windows Support Tools installed.
You need to verify the replication status of Active Directory.
Which tool should you use?
A. Active Directory Sites and Services
B. Nltest.exe
C. Network Monitor
D. Replmon.exe
Correct Answer: D
QUESTION 95
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. All client computers run Windows XP
Professional with default settings. Some users have portable computers, and the rest have desktop
computers. You need to ensure that all users are authenticated by a domain controller when they log on.
How should you modify the local security policy?
A. Require authentication by a domain controller to unlock the client computer.
B. Cache zero interactive logons.
C. Cache 50 interactive logons.
D. Grant the Log on locally user right to the Users group.
Correct Answer: B
QUESTION 120
You are the network administrator for your company. The network consists of a single Active Directory
domain. The domain contains 20 Windows Server 2003 member servers. You assign five support
engineers to perform limited management tasks on the servers. You add the engineers' user accounts to
a global security group named Support Engineers. The five support engineers will have the following
responsibilities: Stop and start printers, clear print jobs from the printer queues, and set permissions on
printers. Back up and restore all files on the servers. Make changes to TCP/IP settings. Create and delete
shared resources. You need to assign the support engineers the appropriate permissions to perform the
required tasks on the 20 member servers. Of which group should you make the Support Engineers group
a member?
A. the Administrators local group on one of the domain controllers
B. the Administrators local group on each of the servers
C. the Server Operators local group on a domain controller
D. the Power Users local group on each of the servers
E. the Backup Operators local group on a domain controller
F. the Backup Operators local group on each of the servers
Correct Answer: B
QUESTION 127
You are the network administrator for Humongous Insurance. The network consists of a single Active
Directory domain. All servers run either Windows Server 2003 or Windows 2000 Server. All client
computers run either Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation
4.0. All the computers are members of the domain. All servers have static IP addresses, and all client
computers are assigned addresses by a DHCP server that runs Windows Server 2003. The DNS service
is installed on three Windows Server 2003 computers that are configured as domain controllers. Company
network management standards state that a DNS domain must be created for each department in the
company. A new department named Market Research has been organized.
You need to create a corresponding DNS zone named marketresearch.humongousinsurance.com. The
network management standards contain the following requirements. All computers must be registered in a
DNS zone. All DNS records must be kept up-to-date at all times, and any changes to the host name or IP
address must be updated on the DNS record. Only computers that have valid accounts in the domain
must be allowed to dynamically register records in the DNS zone. To reduce administrative effort, all
possible administrative tasks should be automated. You must configure the
marketresearch.humongousinsurance.com zone to meet these requirements. Which three actions should
you perform? (Each correct answer presents part of the solution. Choose three.)
A. Create a standard primary zone named marketresearch.humongousinsurance.com.
B. Create an Active Directory-integrated zone named marketresearch.humongousinsurance.com.
C. Configure the Dynamic updates setting on the marketresearch.humongousinsurance.com zone to be
Secure only.
D. Configure the Dynamic updates setting on the marketresearch.humongousinsurance.com zone to be
Secure and nonsecure.
E. Configure the Dynamic updates setting on the marketresearch.humongousinsurance.com zone to be
None.
F. Manually create and update DNS records for all hosts in the marketresearch.humongousinsurance.com
zone.
G. Configure the DHCP server to register client computers that have received IP configuration from the
DHCP server in the marketresearch.humongousinsurance.com zone.
Correct Answer: BCG
QUESTION 129
You are the network administrator for your company. The company includes two divisions: Contoso, Ltd.
and Fabrikam, Inc. The two divisions are in separate locations. The two locations are connected by a
WAN connection. The network consists of two single-domain Active Directory forests. The domain names
are contoso.com and fabrikam.com. All domain controllers run Windows Server 2003. All domain controllers
are configured as DNS servers. All computers in each domain are configured to use the local domain
controllers for DNS. Users in the contoso.com domain frequently need to access several Web servers in
the fabrikam.com domain. However, when the users attempt to connect, they receive an error message
stating that the servers cannot be located. You need to
ensure that users in the contoso.com domain can access the Web servers in the fabrikam.com domain.
Your solution must have a minimal effect on the current name resolution and should require minimal
administrative effort to maintain. What are two possible ways to achieve this goal? (Each correct answer
presents a complete solution. Choose two.)
A. On the DNS servers in the contoso.com domain, create a secondary zone for the fabrikam.com
domain. Configure one of the DNS servers in the fabrikam.com domain as the primary DNS server for
the zone.
B. Configure the DNS servers in the contoso.com domain with a primary zone for the fabrikam.com
domain. Create a host (A) resource record for each of the Web servers in the fabrikam.com domain.
C. On the DNS servers in the contoso.com domain, create an Active Directory-integrated stub zone for
the fabrikam.com domain. Configure one of the DNS servers in the fabrikam.com domain as the primary
DNS server for the zone.
D. Create a forwarder entry on the DNS servers in the contoso.com domain. Configure the servers to
forward all unresolved requests to a DNS server in the fabrikam.com domain.
Correct Answer: AC
QUESTION 135
You are the network administrator for Wingtip Toys. The network consists of a single Active Directory
domain named wingtiptoys.com. The Active Directory-integrated DNS zone named wingtiptoys.com is
replicated to all domain controllers. Only domain controllers have the DNS service installed. The network
management department requires all hosts in the manufacturing division to be registered in the DNS
namespace manufacturing.wingtiptoys.com. The manufacturing.wingtiptoys.com namespace does not
exist on any of the DNS servers. You need to add support for the manufacturing.wingtiptoys.com
namespace to all the existing DNS servers. To reduce administrative overhead, you want to find a solution
that will not require reconfiguration if DNS servers are added to the domain in the future. What should
you do?
A. Create a subdomain named manufacturing in the wingtiptoys.com zone.
B. Create a delegation named manufacturing in the wingtiptoys.com zone.
C. Create a stub zone for manufacturing.wingtiptoys.com.
D. Create a primary zone for manufacturing.wingtiptoys.com that is not Active Directory-integrated.
Correct Answer: A
QUESTION 139
You are the network administrator for Litware, Inc. The network consists of a single Active Directory forest
that contains four domains. Each domain has two domain controllers. All domain controllers are
configured as DNS servers. The network is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that the DNS zone for the research.litwareinc.com domain remains available in the
case of a single server failure. You also need to ensure that the zone supports only secure dynamic
updates. You want to achieve this goal by using the minimum amount of administrative effort. What
should you do?
A. Configure a primary zone for research.litwareinc.com on DC7. Create a secondary zone on DC8.
B. Configure a primary zone for research.litwareinc.com on DC8. Create a secondary zone on DC7.
C. Create an Active Directory partition and scope it for the domain controllers in the research domain.
Configure an Active Directory-integrated zone to replicate to the domain controllers that are scoped in
partition.
D. Create an Active Directory-integrated zone on the domain controllers in the research domain.
Configure the zone to replicate to all domain controllers in the domain.
Correct Answer: D
QUESTION 141
You are the network administrator for your company. The network consists of a single Active Directory
domain. All servers run Windows Server 2003. The domain contains two domain controllers named DC1
and DC2. You use a Windows XP Professional client computer named Client1. In Active Directory, the
domain administrator creates two new user accounts named NetAdmin1 and AdminUser1. The
NetAdmin1 account is a member of the Domain Admins global group. The AdminUser1 account is a
member of only the Users local group. You assign the AdminUser1 logon account the Allow log on locally
user right in the Default Domain Controller Group Policy object (GPO). A new written security policy
states that user accounts that are members of the Domain Admins global group should not be used to
log on to the console of a domain controller. It also states that administrative tasks should be performed
by using the Secondary Logon service. You now need to create a new computer account in Active
Directory, and you must comply with the new company security policy. What should you do?
A. Log on to DC1 by using the AdminUser1 user account. Run the dsa.msc command.
B. Log on to DC1 by using the NetAdmin1 user account. Run the dsa.msc command.
C. Log on to Client1 by using the AdminUser1 user account. Run the runas /user:netadmin1 dsa.msc
command.
D. Log on to Client1 by using the NetAdmin1 user account. Run the runas /user:adminuser1 dsa.msc
command.
Correct Answer: C
QUESTION 151
You are the network administrator for your company. The network consists of a single Active Directory
domain. All network servers run Windows Server 2003. Three member servers are configured as terminal
servers. All three host confidential data. Currently, all network users are full-time employees, and all
network users are allowed to log on to the terminal servers. Your company hires 25 temporary employees.
You create a user account for each one. You need to ensure that only full-time employees are allowed to
log on to the terminal servers. What should you do?
A. Modify the Default Domain Group Policy object (GPO). Configure a computer-level policy to prevent
the temporary employees from connecting to the terminal servers.
B. Modify the Default Domain Group Policy object (GPO). Enable the user-level Terminal Server setting
Sets rules for remote control of Terminal Services user sessions.
C. On the Terminal Services Profile tab of the user properties for each account, disable the option to log
on to terminal servers.
D. In the security policy for domain controllers, disable the computer-level Terminal Server setting Allow
users to connect remotely using the terminal server.
Correct Answer: C
QUESTION 152
You are the domain administrator for your company's Active Directory domain. The domain consists of
four domain controllers named DC1, DC2, DC3, and DC4. DC1 and DC2 run Windows 2000 Server and have
the latest service pack installed. DC3 and DC4 run Windows Server 2003. All client computers run
Windows XP Professional and have the latest service pack installed. You have a new client computer that
you plan to use to perform domain administration functions. You need to be able to manage Active
Directory users and computers remotely. What should you do?
A. Install the Windows Support Tools from the Windows Server 2003 installation CD on your client
computer.
B. Install the Adminpak.msi file from the Windows Server 2003 installation CD on your client computer.
C. Use the Help and Support Center tools on your client computer to connect to the domain controller that
you need to manage.
D. Use Computer Management on your client computer to connect to the domain controller that you need
to manage.
Correct Answer: B
QUESTION 168
You are the network administrator for your company's Active Directory domain. The domain includes
Windows Server 2003 domain controllers and Windows XP Professional client computers. A new
administrator named Paul is hired to assist you in deploying Windows XP Professional to 100 new
computers. Paul installs the operating system on a new computer named Client1. However, when Paul
tries to log on to the domain from Client1, he is unsuccessful. The logon dialog box does not allow him
to view
and select the domain name. You need to ensure that Paul can log on to the domain from Client1. What
should you do?
A. Enable the computer account for Client1.
B. Configure Client1 as a member of the domain.
C. Add Paul's user account to the Enterprise Admins group.
D. Add Paul's user account to the Server Operators group.
Correct Answer: C
QUESTION 169
You are the network administrator for your company. The network consists of a single Active Directory
domain. All five domain controllers run Windows Server 2003, and all client computers run Windows XP
Professional. The domain's audit policy ensures that all account logon events are audited. A temporary
employee named Peter uses a client computer named Client1. When Peter's temporary assignment
concludes, his employment is terminated. Now you need to learn the times and dates when Peter logged
on to the domain. You need to accomplish this goal by reviewing the minimum amount of information. What
should you do?
A. Log on to Client1 as a local Administrator. Use Event Viewer to view the local security log. Use the Find
option to list only the events for Peter's user account.
B. Log on to Client1 as a local Administrator. Use Event Viewer to view the local security log. Use the Find
option to list only the events for the Client1 computer account.
C. Use Event Viewer to view the security log on each domain controller. Use the Find option to list only
the events for Peter's user account.
D. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events
for Peter's user account.
E. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events
for the Client1 computer account.
Correct Answer: D
QUESTION 179
You are the network administrator for your company. The network consists of a single Active Directory
domain that contains two domain controllers. The domain controllers run Windows Server 2003 and
Certificate Services. Each domain controller has a single mirrored hard disk that contains a single NTFS
volume. You are responsible for backing up all servers. Company requirements state that backups must
be performed only between the hours of 1:00 A.M. and 6:00 A.M. All servers share a single backup device.
Because a large amount of data must be backed up, you need to complete the required backups as
quickly as possible in order to complete the backups within the allotted time. You need to back up Active
Directory and Certificate Services on the two domain controllers. The backup must include only the
minimum amount of data necessary. Which action or actions should you perform? (Choose all that apply.)
A. Perform a backup of the System State by using the Backup utility.
B. Perform a shadow copy backup of the C:\Windows\Ntds folder by using the Backup utility.
C. Perform a shadow copy backup of the C:\Windows\Sysvol folder by using the Backup utility.
D. Perform a shadow copy backup of the C:\Windows\System32\Certsrv folder by using the Backup utility.
Correct Answer: A
QUESTION 183
You are the network administrator for your company. The network contains 40 Windows Server 2003
computers in a single Active Directory domain. The functional level of the domain is Windows Server
2003. Four servers are configured as domain controllers. The information technology (IT) department has
positions for three trainee network administrators. When their training period is complete, the trainees
move to other roles, and new trainees are appointed. The trainee administrators are responsible for
backing up and restoring all servers. The company's written security policy states that each trainee must
have a unique user account. The trainees' domain user accounts are members of a global group named
TraineeAdmins. You need to ensure that trainees have the required rights to log on locally, to shut down,
and to back up and restore all servers. When new trainees are appointed, you need to assign their user
accounts the required rights. What should you do?
A. Add the TraineeAdmins group to the Power Users group on each server.
B. Add the TraineeAdmins group to the Server Operators group on a domain controller.
C. Add the TraineeAdmins group to the Backup Operators group on each server.
D. Add the TraineeAdmins group to the Backup Operators group on a domain controller.
Correct Answer: C
QUESTION 187
You are the network administrator for your company. The network consists of a single Active Directory
domain. All network servers run Windows Server 2003. Three member servers are configured as terminal
servers. All three host confidential data. Currently, all network users are full-time employees, and all
network users are allowed to log on to the terminal servers. Your company hires 25 temporary employees.
You create a user account for each one. You need to ensure that only full-time employees are allowed to
log on to the terminal servers. What should you do?
A. Modify the Default Domain Group Policy object (GPO). Configure a computer-level policy to prevent
the temporary employees from connecting to the terminal servers.
B. Modify the Default Domain Group Policy object (GPO). Enable the user-level Terminal Server setting
Sets rules for remote control of Terminal Services user sessions.
C. On the Terminal Services Profile tab of the user properties for each account, disable the option to log
on to terminal servers.
D. In the security policy for domain controllers, disable the computer-level Terminal Server setting Allow
users to connect remotely using the terminal server.
Correct Answer: C
QUESTION 189
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003. You enabled the Audit account logon events
policy and the Audit logon events policy on all domain controllers. You enabled both policies to audit for
both success and failure attempts. In addition, you enabled Audit logon events for all other computers in
the domain for both success and failure attempts. You suspect that an unauthorized user attempted to
discover the password for the domain administrator account by using a computer located in a public area
in the company's main office. You need to find out if your network has been compromised. What should
you do?
A. Examine the security log on the public computer.
B. Examine the security log on each domain controller.
C. Examine the system log on the public computer.
D. Examine the system log on the primary domain controller (PDC) emulator.
Correct Answer: B
QUESTION 190
You are the network administrator for your company. The network consists of a single Active Directory
domain. All five domain controllers run Windows Server 2003, and all client computers run Windows XP
Professional. The domain's audit policy ensures that all account logon events are audited. A temporary
employee named Peter uses a client computer named Client1. When Peter's temporary assignment
concludes, his employment is terminated. Now you need to learn the times and dates when Peter logged
on to the domain. You need to accomplish this goal by reviewing the minimum amount of information. What
should you do?
A. Log on to Client1 as a local Administrator. Use Event Viewer to view the local security log. Use the Find
option to list only the events for Peter's user account.
B. Log on to Client1 as a local Administrator. Use Event Viewer to view the local security log. Use the Find
option to list only the events for the Client1 computer account.
C. Use Event Viewer to view the security log on each domain controller. Use the Find option to list only
the events for Peter's user account.
D. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events
for Peter's user account.
E. Use Event Viewer to view the security log on each domain controller. Set a filter to list only the events
for the Client1 computer account.
Correct Answer: D
QUESTION 196
You are a network administrator for your company. The network contains an Active Directory domain
named cohovineyard.com. The domain contains three domain controllers named DC1, DC2, and DC3. All
three domain controllers are configured as DNS servers. You monitor all three domain controllers. You
notice that DC3 is not processing user logon requests. You view DNS on DC1, as shown in the exhibit.
(Click the Exhibit button.) You must ensure that DC3 can process user logon requests. What should you
do on DC3?
A. Run the ipconfig /registerdns command.
B. Run the nslookup command, and then run the set type=srv command.
C. Restart the Net Logon service.
D. Restart the DNS Server service.
Correct Answer: B
QUESTION 211
You are the network administrator for Litware, Inc. The network consists of a single Active Directory
domain named litwareinc.com. All servers run Windows Server 2003. All client computers run Windows XP
Professional. The litwareinc.com zone is configured as shown in the exhibit. (Click the Exhibit button.)
DC1 also hosts a DNS zone named litwareinc.internal. The domain controllers are configured as shown in
the following table.
Domain controller   Services and applications installed
DC1                 DNS, WINS
DC2                 DNS, DHCP
DC3                 WINS
You create a global group named LitwareDNS. You need to be able to assign the LitwareDNS
global group the necessary permissions to create and delete the child entries in the litwareinc.com zone.
What should you do first?
A. Change the litwareinc.internal zone to an Active Directory-integrated primary zone.
B. Change the litwareinc.internal zone to an Active Directory-integrated stub zone.
C. Change the litwareinc.com zone to an Active Directory-integrated primary zone.
D. Change the litwareinc.com zone to an Active Directory-integrated stub zone.
Correct Answer: C
QUESTION 212
You are the network administrator for The Phone Company. The network consists of a single Active
Directory domain. All servers run either Windows Server 2003 or Windows 2000 Server. All client
computers run either Windows 2000 Professional or Windows XP Professional. The DNS service is
installed on three Windows Server 2003 computers that are configured as domain controllers. The
company's network management standards state that a DNS domain must be created for each regional
division in the company. A new regional division named South America is added to the company. You
need to create a corresponding DNS zone named samerica.thephone-company.com. The network
management standards contain the following additional requirements. All hosts must be registered in DNS.
All DNS records must be kept up-to-date at all times, and any changes to the host name or IP address
must be updated on the DNS record. When hosts are removed from the network, the corresponding DNS
records must be deleted. To prevent problems caused by duplicate computer names, one host must not
be able to overwrite another host's entry in DNS. To reduce administrative effort, all possible
administrative tasks should be automated. To allow for different requirements between departments,
configuration changes should, where possible, be applied only to individual zones. You must configure
the samerica.thephone-company.com zone to meet the stated requirements. Which three actions
should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Create a primary zone named samerica.thephone-company.com, and ensure that the Store the zone in
Active Directory option is disabled.
B. Create a primary zone named samerica.thephone-company.com, and ensure that the Store the zone in
Active Directory option is enabled.
C. Enable automatic scavenging of stale resource records on all the DNS servers, and configure the
scavenging options on the samerica.thephone-company.com zone.
D. Configure the Expires after setting on the samerica.thephone-company.com zone to be 1 days.
E. Configure the Dynamic updates setting on the samerica.thephone-company.com zone to be Secure
only.
F. Configure the Dynamic updates setting on the samerica.thephone-company.com zone to be Secure
and nonsecure.
Correct Answer: BCE
QUESTION 213
You are the network administrator for Coho Vineyard. The network consists of a single Active Directory
domain named cohovineyard.com. All servers run Windows Server 2003. All client computers run either
Windows 2000 Professional or Windows XP Professional. Coho Vineyard has offices in San Francisco,
Los Angeles, and London. Each office contains three servers that are configured as domain controllers
and run the DNS Server service. All client computers and servers are configured to use a local DNS
server as the primary DNS server. You create a new primary zone named east.cohovineyard.com on a
server in London named DC1. You need to configure DNS servers in San Francisco and Los Angeles to
resolve queries for resources in east.cohovineyard.com. You must ensure that client computers can
update DNS data on the local DNS servers. You also need to minimize WAN network traffic relating to
DNS queries for resources in east.cohovineyard.com. What should you do?
A. On one DNS server in San Francisco and on one DNS server in Los Angeles, create a secondary zone
for east.cohovineyard.com. Configure the secondary zone to receive DNS data from the DNS server in
London.
B. On one DNS server in San Francisco and on one DNS server in Los Angeles, create a primary zone
for east.cohovineyard.com. Enable dynamic updates on both servers for the east.cohovineyard.com zone.
C. On DC1, configure the east.cohovineyard.com zone as an Active Directory-integrated zone. Enable
dynamic updates for the east.cohovineyard.com zone.
D. On each DNS server, create an Active Directory-integrated stub zone for east.cohovineyard.com.
Configure the stub zone to replicate DNS data from the DNS server in London.
Correct Answer: C
QUESTION 215
You are the network administrator for Woodgrove Bank. The network consists of an Active Directory forest
with two domains named woodgrovebank.com and europe.woodgrovebank.com. Both domains contain
Windows Server 2003 domain controllers and Windows 2000 Server domain controllers. DNS is installed
on all domain controllers. No other computers function as DNS servers. The DNS zones
woodgrovebank.com and europe.woodgrovebank.com are Active Directory-integrated zones. The
company's Web administrator asks you to create a new, separate DNS zone that will be used to register
host names for intranet Web sites. This zone must be replicated to all DNS servers in the company. The
new zone must be named intranet.woodgrovebank.com. You must create and configure the
intranet.woodgrovebank.com zone to fulfill these requirements. What should you do?
A. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the
woodgrovebank.com domain. Choose the replication scope To all domain controllers in the Active
Directory domain woodgrovebank.com.
B. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the
woodgrovebank.com domain. Choose the replication scope To all DNS servers in the Active Directory
domain woodgrovebank.com.
C. Create an Active Directory application partition named intranet.woodgrovebank.com. Set up an Active
Directory-integrated zone on one Windows Server 2003 domain controller in the woodgrovebank.com
domain. Specify the intranet.woodgrovebank.com application partition as the replication scope of the zone.
D. Set up an Active Directory-integrated zone on one Windows Server 2003 domain controller in the
woodgrovebank.com domain. Choose the replication scope To all DNS servers in the Active Directory
forest woodgrovebank.com. Set up a secondary zone on all Windows 2000 domain controllers in the
forest.
Correct Answer: D
QUESTION 219
You are the network administrator for your company. The network consists of two Active Directory forests.
Each forest contains a single domain. The domain names are contoso.com and fabrikam.com. All domain
controllers run Windows Server 2003. The domain controllers in each domain are configured as DNS
servers. The DNS servers are configured to forward all requests for host names on the Internet to a DNS
server located at the company's ISP. The relevant portion of the network is shown in the exhibit. (Click the
Exhibit button.) Users in the contoso.com domain report that they cannot connect to the intranet Web sites
in the fabrikam.com domain. When they try to connect to the Web sites, they receive the following error
message: "Cannot find server or DNS error." Users in the fabrikam.com domain can connect to the intranet
Web sites in the fabrikam.com domain. You need to ensure that users in the contoso.com domain can
connect to intranet Web sites in the fabrikam.com domain. You want to accomplish this goal by making the
minimum amount of changes to the current network configuration. What should you do?
A. On the DNS servers in the contoso.com domain, configure a conditional forwarder to one of the DNS
servers in the fabrikam.com domain.
B. On the DNS servers in the fabrikam.com domain, configure a conditional forwarder to one of the DNS
servers in the contoso.com domain.
C. On the DNS servers in the contoso.com domain, remove the forwarder configuration. Configure the
DNS servers to use root hints.
D. On the DNS servers in the contoso.com domain, change the forwarder configuration so that all requests
for host names are forwarded to the DNS servers in the fabrikam.com domain.
E. On the DNS servers in the fabrikam.com domain, configure a stub zone for the contoso.com domain.
Correct Answer: A
QUESTION 228
You are the network administrator for your company. Your network consists of a single Active Directory
domain. You manage a Terminal Server farm that includes five terminal servers and one Terminal Services
Licensing server named Server9. All servers run Windows 2000 Server. There are 2,500 users who log on
to the terminal servers to access a custom human resources (HR) application. You install Windows Server
2003 on a new server named Server10. Server10
is configured with all default settings enabled. You install Terminal Services and the HR application on
Server10. You instruct some users to access the HR application on Server10. Four months later, users
report that they can no longer establish Terminal Services sessions to Server10. You verify that users can
connect to the other terminal servers in your Terminal Server farm. You need to ensure that users can run
the HR application on all terminal servers on the network. What should you do?
A. On Server10, set the License Logging service to Automatic, and then start the service.
B. On Server10, install Terminal Services Licensing. Activate the Terminal Services Licensing server.
C. Install Windows Server 2003 on all domain controllers on the network.
D. Deactivate and activate Terminal Services Licensing on Server9.
Correct Answer: B
QUESTION 250
You are the network administrator for your company. The network consists of a single Active Directory
domain. All domain controllers run Windows Server 2003, and all client computers run Windows XP
Professional. The audit policy for the domain ensures that all account logon events are audited. Two client
computers, Client1 and Client2, are configured as kiosks in the lobby of the main office. Some users log on
to the domain by using these two computers. You need to use Event Viewer to review successful logon
attempts on these two computers only. You do not want to view any other auditing details. Which two actions
should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure a filter for the security log to list all successful account logon attempts.
B. Configure a filter for the security log to list all failed account logon attempts.
C. Create one new log view. Configure a filter to show all account logon and account logoff events.
D. Create two new log views. Configure a filter on one log view to show successful account logon events
only. Configure a filter on the other log view to show failed account logon events only.
E. Create two new log views. Configure a filter on one log view to show account logon events for Client1
only. Configure a filter on the other log to show account logon events for Client2 only.
Correct Answer: AE
QUESTION 570
Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Correct Answer: AD
QUESTION 1089
Your network contains an Active Directory domain named fabrikam.com. The domain contains a Web
server named Web1 that runs Windows Server 2008 R2.
You install the SMTP Server feature on Web1.
You need to verify whether you can establish an SMTP connection to Web1.
Which tool should you use?
A. Internet Information Services (IIS) 6.0 Manager
B. Internet Information Services (IIS) Manager
C. Telnet
D. Windows Firewall
Correct Answer: C
QUESTION 1091
Your network contains an Active Directory domain named fabrikam.com. The domain contains a Web
server named Web1 that runs Windows Server 2008 R2.
You install the FTP Server role service on Web1.
You need to manage the FTP server settings on Web1.
Which tool should you use?
A. Services
B. Internet Information Services (IIS) 6.0 Manager
C. FTP
D. Internet Information Services (IIS) Manager
Correct Answer: D
QUESTION 1104
Your network contains a Web server named Server1 that runs Windows Server 2008 R2. The network
contains two subnets named Subnet1 and Subnet2.
Server1 contains a Web site named Site1.
You need to prevent Server1 from responding to requests that originate from Subnet2.
Which feature should you configure from Internet Information Services (IIS) Manager?
A. Authentication
B. Connection Strings
C. Default Document
D. Error Pages
E. Feature Delegation
F. HTTP Redirect
G. HTTP Response Headers
H. IIS Manager Permissions
I. IP Address and Domain Restrictions
J. ISAPI and CGI Restrictions
K. ISAPI Filters
L. Management Service
M. Request Filtering
N. SSL Settings
O. Worker Processes
Correct Answer: I
QUESTION 1106
Your network contains an Active Directory domain named fabrikam.com. The domain contains a Web
server named Web1 that runs Windows Server 2008 R2.
You create three application pools named AppPool1, AppPool2, and AppPool3.
You need to recycle AppPool1 without affecting AppPool2 and AppPool3.
Which tool should you use?
A. Iisreset
B. Internet Information Services (IIS) 6.0 Manager
C. Internet Information Services (IIS) Manager
D. Services
Correct Answer: C
QUESTION 1121
Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Correct Answer: AD
QUESTION 1153
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
You manage a Web server named Server1 that runs Windows Server 2008 R2. Server1 hosts five Web sites.
You discover that the CPU utilization of Server1 is abnormally high.
You need to view the amount of CPU resources that each Web site is using.
Which tool should you use?
A. Component Services
B. Iisreset
C. Internet Information Services (IIS) Manager
D. Internet Information Services (IIS) 6.0 Manager
E. FTP
F. Local Security Policy
G. Performance Monitor
H. Security Configuration wizard (SCW)
I. Services
J. System Configuration
K. Telnet
L. Windows Firewall
Correct Answer: C
QUESTION 1154
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains a Web server named Server1 that runs Windows Server 2008 R2.
You need to ensure that Server1 only processes HTTP URLs that are shorter than 2,048 bytes.
Which feature should you configure from Internet Information Services (IIS) Manager?
A. Authentication
B. Authorization Rules
C. Connection Strings
D. Default Document
E. Error Pages
F. Feature Delegation
G. HTTP Redirect
H. HTTP Response Headers
I. IIS Manager Permissions
J. IP Address and Domain Restrictions
K. ISAPI and CGI Restrictions
L. ISAPI Filters
M. Management Service
N. Request Filtering
Correct Answer: N
QUESTION 1172
Your network contains a server that has the Remote Desktop Session Host (RD Session Host) role service
installed.
You need to ensure that the Remote Desktop sessions of administrators are more responsive than other
sessions when the server is under a heavy load.
What should you do?
A. From the RDP-Tcp properties, modify the Sessions settings.
B. Install and configure the RD Session Broker role service.
C. From the RDP-Tcp properties, modify the Client Settings.
D. Install and configure Windows System Resource Manager (WSRM).
Correct Answer: D
QUESTION 1226
You manage a Web server named Server1 that runs Windows Server 2008 R2. Server1 has five
application pools. You need to recycle one application pool without affecting the other application pools.
Which tool should you use?
A. Internet Information Services (IIS) Manager
B. Telnet
C. Windows Firewall
D. Performance Monitor
E. Ftp
F. Services
G. Internet Information Services (IIS) 6.0 Manager
H. Security Configuration Wizard (SCW)
I. Iisreset
J. Component Services
K. Local Security Policy
L. System Configuration
Correct Answer: A
QUESTION 1227
You manage a Web server named Server1 that runs Windows Server 2008 R2. Server1 has the FTP
Server role service installed.
You need to manage the FTP server settings on Server1.
Which tool should you use?
A. Services
B. Local Security Policy
C. Performance Monitor
D. Internet Information Services (IIS) Manager
E. Ftp
F. System Configuration
G. Iisreset
H. Component Services
I. Telnet
J. Windows Firewall
K. Security Configuration Wizard (SCW)
L. Internet Information Services (IIS) 6.0 Manager
Correct Answer: D
QUESTION 1228
Your network contains a Web server named Server1 that runs Windows Server 2008 R2. Server1 contains
a Web site named Site1. Site1 contains a Web page named Priv.aspx.
The Web page is stored on a FAT partition.
You need to ensure that only a user named User1 can access Priv.aspx. All other content on Site1 must be
accessible to everyone.
Which feature should you configure from Internet Information Services (IIS) Manager?
A. Authorization Rules
B. ISAPI and CGI Restrictions
C. Authentication
D. Connection Strings
E. IP Address and Domain Restrictions
F. HTTP Response Headers
G. Management Service
H. Error Pages
I. HTTP Redirect
J. ISAPI Filters
K. Worker Processes
L. Feature Delegation
M. Request Filtering
N. IIS Manager Permissions
O. SSL Settings
P. Default Document
Correct Answer: A
QUESTION 1232
Your network contains an Active Directory domain named fabrikam.com. The domain contains a Web
server named Web1 that runs Windows Server 2008 R2. Web1 contains three Web sites named Corp,
Sales, and Marketing.
You discover that the CPU utilization of Web1 is abnormally high.
You need to identify the amount of memory that each Web site is using.
Which tool should you use?
A. Component Services
B. Internet Information Services (IIS) Manager
C. System Configuration
D. Performance Monitor
Correct Answer: B
QUESTION 1253
Your network contains a Web server that runs Windows Server 2008 R2. The Web server has a Web site
named Web1. Web1 hosts several HTML Web pages located in the C:\inetpub\wwwroot folder.
Windows authentication is enabled for Web1.
You need to prevent some users from accessing one of the HTML Web pages.
What should you do?
A. From Windows Explorer, modify the NTFS permissions.
B. From Windows Explorer, modify the share permissions.
C. From Internet Information Services (IIS) Manager, modify the Authentication settings.
D. From Internet Information Services (IIS) Manager, modify the Request Filtering settings.
Correct Answer: A
QUESTION 1259
Your network contains a Web server that runs Windows Server 2008 R2. You need to back up all Web site
content.
Which tool should you use?
A. Appcmd
B. Internet Information Services (IIS) Manager
C. Internet Information Services (IIS) 6.0 Manager
D. Wbadmin
Correct Answer: D
QUESTION 1293
You manage a Web server named Server1 that runs Windows Server 2008 R2. Server1 has the SMTP
Server feature installed.
You need to manage the SMTP server settings.
Which tool should you use?
A. Telnet
B. Windows Firewall
C. System Configuration
D. Iisreset
E. Local Security Policy
F. Performance Monitor
G. Internet Information Services (IIS) Manager
H. Ftp
I. Component Services
J. Services
K. Security Configuration Wizard (SCW)
L. Internet Information Services (IIS) 6.0 Manager
Correct Answer: L
QUESTION 1294
You manage a Web server named Server1 that runs Windows Server 2008 R2. Server1 has the SMTP
Server feature installed.
You need to verify whether you can connect to Server1 over TCP port 25.
Which tool should you use?
A. Internet Information Services (IIS) Manager
B. Ftp
C. Performance Monitor
D. Windows Firewall
E. Local Security Policy
F. Telnet
G. Iisreset
H. System Configuration
I. Services
J. Component Services
K. Internet Information Services (IIS) 6.0 Manager
L. Security Configuration Wizard (SCW)
Correct Answer: F
QUESTION 1295
Your network contains a Web server named Server1 that runs Windows Server 2008 R2. Server1 has four
application pools.
You need to view a list of the CPU and memory resources used by each application pool.
Which feature should you configure from Internet Information Services (IIS) Manager?
A. IP Address and Domain Restrictions
B. Request Filtering
C. HTTP Response Headers
D. HTTP Redirect
E. SSL Settings
F. Feature Delegation
G. Error Pages
H. Worker Processes
I. Default Document
J. Authentication
K. Connection Strings
L. ISAPI Filters
M. Authorization Rules
N. IIS Manager Permissions
O. ISAPI and CGI Restrictions
P. Management Service
Correct Answer: H
QUESTION 1296
Your network contains a Web server named Server1 that runs Windows Server 2008 R2.
You need to ensure that when a user attempts to connect to a page on Server1 that does not exist, Server1
displays a custom page that contains a site map.
Which feature should you configure from Internet Information Services (IIS) Manager?
A. HTTP Response Headers
B. Worker Processes
C. Default Document
D. Error Pages
E. ISAPI and CGI Restrictions
F. Authentication
G. Management Service
H. Feature Delegation
I. IIS Manager Permissions
J. SSL Settings
K. Connection Strings
L. Request Filtering
M. Authorization Rules
N. ISAPI Filters
O. HTTP Redirect
P. IP Address and Domain Restrictions
Correct Answer: D
QUESTION 1298
Your network contains a Web server that runs Windows Server 2008 R2.
Remote management is configured for Internet Information Services (IIS).
From IIS Manager Permissions, you add a user to a Web site.
You need to prevent the user from using Internet Information Services (IIS) Manager to modify the
authorization rules of the Web site.
Which settings should you configure?
A. Authorization Rules
B. Feature Delegation
C. IIS Manager Permissions
D. IIS Manager Users
Correct Answer: B
QUESTION 1568
You have a Web server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 hosts 100 Web sites.
Each Web site uses a different application pool. You need to limit the network bandwidth for one of the Web
sites.
What should you do?
A. From Internet Information Services (IIS) Manager, modify the properties of the Web site.
B. From the Properties of the Local Area Connection, install QoS Packet Scheduler. From the Local
Security Policy, configure the QoS Packet Scheduler settings.
C. From the Local Security Policy, enable auditing for Object Access. From the System Properties, modify
the Performance settings.
D. From the Properties of the Local Area Connection, enable and configure Network Load Balancing.
Correct Answer: A
QUESTION 1754
Your network consists of a single Active Directory domain.
You install Windows Server 2003 Service Pack 2 (SP2) on a server named Server1.
You need to ensure that you can install Windows Server Update Services (WSUS) 3.0 on Server1.
What should you install on Server1?
A. Microsoft .NET Framework 2.0
B. Internet Information Services (IIS)
C. Active Directory Application Mode (ADAM)
D. Microsoft SQL Server Desktop Engine (MSDE)
E. Certificate Services
F. Universal Description, Discovery, and Integration (UDDI) Services
G. Distributed File System (DFS)
H. Latest version of the Automatic Updates client
Correct Answer: AB
QUESTION 1762
You have a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). Server1 is
configured as an FTP server.
You need to view all the FTP packets sent to Server1 for a period of one hour.
What should you do?
A. From System Monitor, add all counters for the Network object.
B. From Network Monitor, create a new capture and then create a display filter.
C. From the command prompt, run Ftp.exe d server1. Review the files in %systemdrive%\inetpub\ftproot\.
D. From Internet Information Services (IIS) Manager, enable and configure logging for the FTP site. Open
the FTP log.
QUESTION 1767
You have a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
You plan to install Windows Server Update Services 3.0 Service Pack 2 (WSUS SP2) on Server1.
You need to identify which software must be installed on Server1 before you can install WSUS 3.0 SP2.
Which software should you identify? (Choose all that apply.)
A. Microsoft .NET Framework 2.0
B. Internet Information Services (IIS)
C. Microsoft .NET Framework 1.1
D. Microsoft SQL Server 2008 R2
E. Microsoft ASP.NET
F. Microsoft Report Viewer 2008 Redistributable
G. Microsoft Management Console 3.0
H. Windows PowerShell 1.0
Correct Answer: ABFG
QUESTION 1768
You have a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). Server1 is
configured as an FTP server.
You need to view all the FTP packets sent to Server1 for a period of one hour.
What should you do?
A. From System Monitor, add all counters for the Network object.
B. From Network Monitor, create a new capture and then create a display filter.
C. From the command prompt, run Ftp.exe d server1. Review the files in %systemdrive%\inetpub\ftproot\.
D. From Internet Information Services (IIS) Manager, enable and configure logging for the FTP site. Open
the FTP log.
Correct Answer: B
QUESTION 1860
Your network contains a Web server named Web1 that runs Windows Server 2003 Service Pack 2 (SP2).
You need to monitor the amount of bandwidth used by all Web sites since the World Wide Web Publishing
Service last restarted.
What should you do?
A. From System Monitor, add a new counter.
B. From Network Monitor, create a new capture.
C. From Internet Information Services (IIS) Manager, view the performance settings of the Web Site node.
D. From Internet Information Services (IIS) Manager, enable logging for all web sites.
Correct Answer: A
QUESTION 1888
You have a Web server that runs Windows Server 2003 Service Pack 2 (SP2).
You need to collect the following information from the Web server:
- Unauthorized attempts to upload files
- Unsuccessful commands that try to run executables
You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. From Network Monitor, start a capture.
B. From the Performance snap-in, create a counter log.
C. From Internet Information Services (IIS) Manager, enable logging.
D. From Computer Management, modify the properties of the application log.
Correct Answer: C
QUESTION 1132
Your network contains one Active Directory domain. You have a member server named Server1 that runs
Windows Server 2008 R2. The server has the Routing and Remote Access Services role service installed.
You implement Network Access Protection (NAP) for the domain.
You need to configure the Point-to-Point Protocol (PPP) authentication method on Server1.
Which authentication method should you use?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Extensible Authentication Protocol (EAP)
C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
D. Password Authentication Protocol (PAP)
QUESTION 1179
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the
Routing and Remote Access service (RRAS) role service installed.
You need to view all inbound VPN packets. The solution must minimize the amount of data collected.
What should you do?
A. At the command prompt, run netsh.exe ras set tracing rasauth enabled.
B. From Network Monitor, create a capture filter.
C. From the Registry Editor, configure file tracing for RRAS.
D. From RRAS, create an inbound packet filter.
Correct Answer: B
QUESTION 1184
Your network contains an Active Directory forest. The forest contains the member servers configured as
shown in the following table.
All servers run Windows Server 2008 R2.
You deploy a new server named Server1.
You need to configure Server1 to provide central authentication for all dial-up connections and all VPN
connections.
What should you install on Server1?
A. Routing and Remote Access service (RRAS)
B. Active Directory Lightweight Directory Services (AD LDS)
C. Active Directory Federation Services (AD FS)
D. Network Policy Server (NPS)
Correct Answer: D
QUESTION 1185
Your network contains an Active Directory forest. The forest contains a member server named VPN1 that
runs Windows Server 2008 R2.
You need to configure VPN1 as a VPN server.
What should you install on VPN1?
A. Network Policy Server (NPS)
B. Simple TCP/IP Services
C. Routing and Remote Access service (RRAS)
D. Connection Manager Administration Kit (CMAK)
QUESTION 1276
Your network contains an Active Directory forest. The forest contains a member server named Server1 that
runs Windows Server 2008 R2.
You need to configure Server1 as a network address translation (NAT) server.
Which server role, role service, or feature should you install?
A. Windows System Resource Manager (WSRM)
B. Simple TCP/IP services Wireless LAN Service
C. Connection Manager Administration Kit (CMAK)
D. Routing and Remote Access service (RRAS)
E. Group Policy Management
F. File Server Resource Manager (FSRM)
G. Services for Network File System (NFS)
H. Network Load Balancing (NLB)
I. Windows Server Update Services (WSUS)
J. Health Registration Authority (HRA)
K. Network Policy Server (NPS)
L. Windows Internal Database
Correct Answer: D
QUESTION 1278
Your network contains an Active Directory domain. The domain contains several VPN servers that have the
Routing and Remote Access service (RRAS) role service installed.
You need to configure all of the VPN servers to use the same network policies.
The solution must ensure that any changes to the network policies automatically apply to all of the VPN
servers.
What should you configure on the VPN servers?
A. health policies
B. remediation server groups
C. system health validators (SHVs)
D. the Windows Authentication authentication provider
E. Group Policy preferences
F. the Windows Accounting accounting provider
G. IKEv2 client connections
H. the RADIUS Accounting accounting provider
I. the RADIUS Authentication authentication provider
J. connection request policies
Correct Answer: I
QUESTION 1280
Your network contains an Active Directory domain. The domain contains several VPN servers that have the
Routing and Remote Access service (RRAS) role service installed.
You need to collect information about the duration of the VPN connections. The information must be stored
in a central location.
What should you configure on the VPN servers?
A. the RADIUS Authentication authentication provider
B. system health validators (SHVs)
C. IKEv2 client connections
D. remediation server groups
E. the Windows Accounting accounting provider
F. the Windows Authentication authentication provider
G. health policies
H. Group Policy preferences
I. connection request policies
J. the RADIUS Accounting accounting provider
Correct Answer: J
QUESTION 1317
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2.
Network Access Protection (NAP) is deployed on Server1. Server2 has the Routing and Remote Access
service (RRAS) role service installed.
You need to configure Server2 to use NAP VPN enforcement.
Which authentication method should you enable on Server2?
A. Encrypted authentication (CHAP)
B. Allow machine certificate authentication for IKEv2
C. Extensible authentication protocol (EAP)
D. Microsoft encrypted authentication version 2 (MS-CHAP v2)
Correct Answer: C
QUESTION 1519
Your network consists of a single Active Directory Domain. You have a VPN server that runs Windows
Server 2003 Service Pack 2 (SP2).
On the VPN server, you create several remote access policies. You view the properties of an account as
shown in the exhibit. (Click the Exhibit button.)
You need to select the Control access through Remote Access Policy remote access permission for User1.
What should you do?
Exhibit:
A. Add User1 to the Remote Desktop Users group.
B. Enable RADIUS authentication on the VPN server.
C. Raise the functional level of the domain to Windows 2000 native.
D. Select the Store password using reversible encryption option for User1.
Correct Answer: C
QUESTION 1731
Your network contains a head office and one branch office. All servers run Windows Server 2003 Service
Pack 2 (SP2).
The network and IP configuration for each server are configured as shown in the exhibit. (Click the Exhibit
button.)
Server2 has the Routing and Remote Access service and the DNS Server service installed. Routing
Information Protocol (RIP v2) is enabled on Server2 and all internal routers.
Server1 is unable to connect to the Internet.
You need to ensure that Server1 can connect to the Internet.
What should you do?
Exhibit:
A. On Server1, configure the default gateway address as 10.10.11.1 and then run Netstat r.
B. On Server2, configure the preferred DNS server address as 10.10.11.111 and then restart the DNS
Server service.
C. On Server1, configure the default preferred DNS server address as 127.0.0.1 and then restart the DNS
Client service.
D. On Server2, remove the 10.10.11.1 default gateway address and then restart the Routing and Remote
Access service.
Correct Answer: D
QUESTION 1760
Your company consists of a single Active Directory domain that is configured in Windows 2000 native
mode. All servers run Windows Server 2003 Service Pack 2 (SP2).
You deploy a Routing and Remote Access server to provide VPN access to the network.
You need to ensure that only members of a group named Sales can access the network through the
VPN. The solution must minimize the administrative effort required to manage remote access.
What should you do?
A. Allow dial-in access for the user accounts of all Sales group members.
B. Deny dial-in access for the user accounts of all users except the Sales group members.
C. Create a remote access policy and assign the Allow - Remote Access permission. Add the
Windows-Groups condition and specify the Sales group.
D. Create a remote access policy and assign the Deny - Remote Access permission. Add the
Windows-Groups condition and specify all Active Directory groups except for Sales.
Correct Answer: C
QUESTION 1761
You have a server that runs Windows Server 2003 Service Pack 2 (SP2). Routing and Remote Access is
enabled and the server is configured as a remote access server.
You need to configure the server to support only the MS-CHAP v2 authentication protocol for remote
access authentication.
What should you do from the Routing and Remote Access snap-in?
A. Configure the port properties.
B. Create and configure a new demand-dial interface.
C. From the server's properties, modify the security options.
D. From the Connections to Microsoft Routing and Remote Access Server policy, add a new condition.
Correct Answer: C
QUESTION 1805
Your company has a main office and one branch office.
Your network consists of an Active Directory domain.
You have a remote access server in the main office named Server1. You have a remote access server in
the branch office named Server2.
Server2 has a demand-dial interface that connects to Server1. The demand-dial interface connects by
using a domain account named Ras1.
You need to prevent Server2 from establishing new demand-dial connections to the main office between
18:00 and 08:00.
What should you do?
A. Modify the dial-in properties of the Ras1 account.
B. Modify the dial-out hours on the demand-dial interface.
C. Modify the IP demand-dial filters on the demand-dial interface.
D. Enable Bandwidth Allocation Protocol (BAP) on Server2.
Correct Answer: B
QUESTION 1807
Your network contains two subnets.
You implement a new VPN server named VPN1 that runs Windows Server 2003 Service Pack 2 (SP2). The
relevant portion of the network is configured as shown in the exhibit. (Click the Exhibit button.)
VPN users report that they can connect to Server1, but they cannot connect to Server2.
From Subnet1, you verify that you can connect to Server2.
You need to ensure that VPN users can connect to Server2.
What should you do?
Exhibit:
A. Add a route on VPN1 and Router1.
B. Modify the default gateway on Server2.
C. Create a new remote access policy on VPN1.
D. Create a Connection Manager Administration Kit (CMAK) profile. Distribute the profile to all VPN users.
Correct Answer: A
QUESTION 1808
You have a VPN server named Server1 and a file server named Server2. Both servers run Windows Server
2003 Service Pack 2 (SP2).
VPN clients report that they cannot access shares on Server2 after connecting to Server1.
You confirm that VPN clients receive the appropriate IP configurations and that they have permissions to
the shared folders on Server2.
You need to ensure that VPN clients can access the shares on Server2 when they connect to the network
by using a VPN connection.
What should you do?
A. From the Routing and Remote Access snap-in on Server2, enable IP Routing.
B. From the Routing and Remote Access snap-in on Server2, enable Link Control Protocol (LCP)
extensions.
C. From Utility Manager on Server1, enable the Start automatically when I log on option.
D. In the local security policy on Server2, configure the Network Access: Shares that can be accessed
anonymously setting.
Correct Answer: A
QUESTION 1822
Your network consists of a single Active Directory domain and two network segments named Subnet1 and
Subnet2.
You deploy a server named Server1 that runs Routing and Remote Access. Server1 is configured as a
router between the two network segments.
You deploy a DHCP server on Subnet1. You configure a DHCP scope for each network segment.
Client computers that run Windows XP Professional Service Pack 3 (SP3) are deployed on both network
segments and are configured to receive IP configurations dynamically.
You discover that all client computers on Subnet2 have Automatic Private IP Addressing (APIPA)
addresses.
You need to ensure that all client computers on Subnet2 receive their IP configurations from the DHCP
server.
What should you do in Routing and Remote Access?
A. Disable IP Routing.
B. Create a static route.
C. Enable demand-dial routing.
D. Enable a DHCP Relay Agent.
Correct Answer: D
QUESTION 1839
You have a server that runs Windows Server 2003 Service Pack 2 (SP2). The server is configured as a
network address translation (NAT) router. The server has two network adapters and provides Internet
access for the network.
You need to prevent traffic on port 21 from being sent to the Internet. All other outbound traffic must be
allowed.
What should you do?
A. On the network adapter that is connected to the LAN, enable TCP/IP filtering.
B. On the network adapter that is connected to the Internet, enable TCP/IP filtering.
C. From the Routing and Remote Access snap-in, open the properties of the interface connected to the
Internet, select the Services and Ports tab, and define a new service.
D. From the Routing and Remote Access snap-in, open the properties of the interface connected to the
Internet, select the NAT/Basic Firewall tab, and define a new static packet filter.
Correct Answer: D
QUESTION 1848
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
You have a VPN server named Server1. You have an Internet Authentication Service (IAS) server named
Server2.
You need to ensure that all VPN connections to Server1 are authenticated by Server2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From the Internet Authentication Service snap-in on Server2, create a new RADIUS client.
B. From the Internet Authentication Service snap-in on Server2, create a new remote access policy.
C. From the Routing and Remote Access snap-in, configure Server1 to use RADIUS accounting.
D. From the Routing and Remote Access snap-in, configure Server1 to use RADIUS authentication.
Correct Answer: AD
QUESTION 1849
You have a server that runs Windows Server 2003 Service Pack 2 (SP2). The server has the Routing and
Remote Access service enabled and connects to the Internet by using a demand-dial connection.
From the Routing and Remote Access snap-in, you open the properties of the server and enable the Log
additional Routing and Remote Access information setting.
You need to review the log file for issues related to the demand-dial connection.
Which file should you review?
A. %systemroot%\debug\netsetup.log
B. %systemroot%\debug\oakley.log
C. %systemroot%\tracing\ipnathlp.log
D. %systemroot%\tracing\ppp.log
Correct Answer: D
QUESTION 1863
Your network consists of a single Active Directory domain. All servers run Windows Server 2003 Service
Pack 2 (SP2).
You have a VPN server named Server1. You have an Internet Authentication Service (IAS) server named
Server2.
You need to ensure that all VPN connections to Server1 are authenticated by Server2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From the Internet Authentication Service snap-in on Server2, create a new RADIUS client.
B. From the Internet Authentication Service snap-in on Server2, create a new remote access policy.
C. From the Routing and Remote Access snap-in, configure Server1 to use RADIUS accounting.
D. From the Routing and Remote Access snap-in, configure Server1 to use RADIUS authentication.
Correct Answer: AD
QUESTION 1901
You have a server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). Server1 is
configured as a VPN server.
You need to enable trace logging for all Routing and Remote Access components.
Which tool should you use?
A. Netdiag.exe
B. Netcap.exe
C. Netsh.exe
D. Tracert.exe
Correct Answer: C
QUESTION 1902
Your network consists of a single Active Directory domain. The remote access permission for all users is
set to Control access through Remote Access Policy.
You have a VPN server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2). The current
configuration allows all authenticated users to establish VPN connections to Server1.
You create a global group named Group1.
You need to prevent all members of Group1 from establishing VPN connections to Server1.
What should you do?
A. From the local computer policy on Server1, modify the Account Policies settings.
B. From Active Directory Users and Computers, modify the Security settings of Group1.
C. From the Routing and Remote Access snap-in, create a new remote access policy.
D. From the Routing and Remote Access snap-in, open the properties of Server1 and modify the security
options.
Correct Answer: C
QUESTION 1924
Your network contains a main office and one branch office. All servers run Windows Server 2003 Service
Pack 2 (SP2).
The network is configured as shown in the exhibit. (Click the Exhibit button.)
Server2 has the Routing and Remote Access service and the DNS Server service installed.
Server3 successfully connects to Internet hosts. Server1 is unable to connect to Internet hosts.
You need to ensure that you can connect to Internet hosts from Server1.
What should you do?
Exhibit:
A. On Server2, change the subnet mask to 255.255.0.0.
B. On Server1, change the subnet mask to 255.255.255.0.
C. On Server1, configure the default gateway address as 172.16.20.1.
D. On Server2, configure the default gateway address as 172.16.20.1.
QUESTION 1951
You have a multihomed server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 has Routing and Remote Access enabled. Server1 has two network connections named Local Area
Connection and Local Area Connection 2.
From the Routing and Remote Access snap-in, you add the Open Shortest Path First (OSPF) routing
protocol.
You need to enable OSPF for Local Area Connection.
What should you do?
A. Open Network Connections and select Local Area Connection. Open the Advanced menu and select
Advanced Settings.
B. Open Network Connections, right-click Local Area Connection, and then click Properties. Select Internet
Protocol (TCP/IP) and click Properties.
C. Open the Routing and Remote Access snap-in, expand Routing and Remote Access, expand Server1,
expand IP Routing, and then click OSPF. Right-click OSPF and then click New Interface.
D. Open the Routing and Remote Access snap-in, expand Routing and Remote Access, expand Server1,
expand IP Routing, and then click General. Right-click Local Area Connection and then click Properties.
Correct Answer: C
QUESTION 1952
You have a server that runs Windows Server 2003 Service Pack 2 (SP2). The server has the Routing and
Remote Access service enabled and is configured as a network address translation (NAT) router.
You need to view a list of the current sessions on the Routing and Remote Access server and the private
and public IP addresses and ports that are being used.
What should you do?
A. Run Nbtstat -S.
B. Run Netstat -ano.
C. From the Routing and Remote Access snap-in, right-click NAT/Basic Firewall and select Export List.
D. From the Routing and Remote Access snap-in, right-click the interface connected to the Internet and
click Show Mappings.
Correct Answer: D
QUESTION 1959
You have a server that runs Windows Server 2003 Service Pack 2 (SP2). The server is configured as a
router and provides access to the Internet.
You need to log all connections made to the server. The log must contain the IP address and the port used
to establish the connection.
What should you do?
A. Install Network Monitor Tools and create a new capture.
B. Install Connection Manager Administration Kit (CMAK) and create a new profile.
C. From Performance Logs and Alerts, create a trace log.
D. From Routing and Remote Access, modify the Remote Access Logging settings.
Correct Answer: A
QUESTION 1965
You have a multihomed server named Server1 that runs Windows Server 2003 Service Pack 2 (SP2).
Server1 has Routing and Remote Access enabled. Server1 has two network connections named Local Area
Connection and Local Area Connection 2.
From the Routing and Remote Access snap-in, you add the Open Shortest Path First (OSPF) routing
protocol.
You need to enable OSPF for Local Area Connection.
What should you do?
A. Open Network Connections and select Local Area Connection. Open the Advanced menu and select
Advanced Settings.
B. Open Network Connections, right-click Local Area Connection, and then click Properties. Select Internet
Protocol (TCP/IP) and click Properties.
C. Open the Routing and Remote Access snap-in, expand Routing and Remote Access, expand Server1,
expand IP Routing, and then click OSPF. Right-click OSPF and then click New Interface.
D. Open the Routing and Remote Access snap-in, expand Routing and Remote Access, expand Server1,
expand IP Routing, and then click General. Right-click Local Area Connection and then click Properties.
Correct Answer: C
QUESTION 177
You are the domain administrator for your company's Active Directory domain. All servers run Windows
Server 2003. All client computers run Windows XP Professional. A newly installed server was added to
your domain. You need to administer this server remotely from your client computer. You need to
configure the new server to ensure that it can be administered remotely.
What should you do?
A. Install Terminal Server Licensing. Restart the server.
B. Modify the system properties for the server. Enable Remote Desktop for the server by selecting the
Allow users to connect remotely to this system check box.
C. Start the Remote Access Connection Manager service, and then configure the service to start
automatically.
D. Modify your user account properties to enable you to connect to the terminal server.
Correct Answer: B
QUESTION 289
You are the network administrator for your company. The network consists of two Active Directory
domains in a single forest. The functional level of each domain is Windows 2000 mixed. Your engineering
department has 3,000 users. The engineering users are members of various global groups. The company
plans to open a new office where engineering users will test products. Engineering users will need to dial
in to the company network when they work at the new office. You need to ensure that all new user
accounts in the engineering department will have the appropriate group memberships. These accounts
must be allowed to connect to the network by using remote access permissions. You must achieve your
goal by using the minimum amount of administrative effort. First, you create a template account for
engineering users. Which two additional actions should you perform? (Each correct answer presents part
of the solution. Choose two.)
A. Modify the schema for the office and street attributes by selecting the Index this attribute in the Active
Directory check box.
B. Modify the schema for the group attribute by selecting the Index this attribute in the Active Directory
check box.
C. Manually add the Allow Access remote access permission to each new user account that you create.
D. Manually add the group membership information to each new user account that you create.
E. Add the group membership information to the template account.
F. Add the Allow Access remote access permission to the template account.
Correct Answer: CE
QUESTION 325
You are the network administrator for your company. The network consists of two Active Directory
domains in a single forest. The functional level of each domain is Windows 2000 mixed. Your engineering
department has 3,000 users. The engineering users are members of various global groups. The company
plans to open a new office where engineering users will test products. Engineering users will need to dial
in to the company network when they work at the new office. You need to ensure that all new user
accounts in the engineering department will have the appropriate group memberships. These accounts
must be allowed to connect to the network by using remote access permissions. You must achieve your
goal by using the minimum amount of administrative effort. First, you create a template account for
engineering users. Which two additional actions should you perform? (Each correct answer presents part
of the solution. Choose two.)
A. Modify the schema for the office and street attributes by selecting the Index this attribute in the Active
Directory check box.
B. Modify the schema for the group attribute by selecting the Index this attribute in the Active Directory
check box.
C. Manually add the Allow Access remote access permission to each new user account that you create.
D. Manually add the group membership information to each new user account that you create.
E. Add the group membership information to the template account.
F. Add the Allow Access remote access permission to the template account.
Correct Answer: CE
QUESTION 329
You are the network administrator for your company. All client computers run either Windows 2000
Professional or Windows XP Professional. Your company uses a custom application named App1. This
application was originally created to run on the Windows NT 4.0 operating system. Currently, App1 is
installed on all client computers. App1 runs under the user context and redirects temporary files to a
separate folder for each user. The user folder is created when the application starts, and it is deleted
when the application closes. Management decides to provide remote access to the network by using
Terminal Services. You must ensure that App1 will be accessible to users who log on to your terminal
servers. First, you successfully test App1 by running it directly on a Windows Server 2003 computer. Now
you need to set the initial configuration for your deployment of Terminal Services. What should you do?
A. Select Full security as the permission compatibility setting.
B. Select Relaxed security as the permission compatibility setting.
C. In user account settings, configure the remote control setting to interact with the session.
D. In user account settings, configure the remote control setting to view the session.
Correct Answer: B
QUESTION 358
You are designing a strategy for implementing Internet Authentication Service (IAS) to meet the business
and technical requirements.
What should you do?
A. Install IAS on VPN1, VPN2, and VPN3.
B. Install IAS on VPN1.
Configure VPN2 and VPN3 as RADIUS clients.
C. Install IAS on VPN1.
Configure VPN1, VPN2, and VPN3 as RADIUS clients.
D. Install IAS on DC1. Configure VPN2 and VPN3 as RADIUS clients. Create all remote access policies
on VPN1.
E. Install IAS on DC2.
Configure VPN2 and VPN3 as RADIUS clients.
Configure remote access logging on VPN1.
Correct Answer: C
QUESTION 380
You are designing a strategy to ensure that VPN users are able to access all internal resources. What
should you do?
A. Specify a static routing table entry on VPN1 for the Dallas network.
B. Specify a static routing table entry on VPN1 for the Seattle network.
C. Implement Internet Authentication Service (IAS) on VPN1.
D. Define a User Class option for Routing & Remote Access Clients on the DHCP Server.
QUESTION 406
You are designing a remote access strategy to meet the business and technical requirements. What
should you do?
A. Configure each server running Routing and Remote Access as a RADIUS Client.
B. Add a Remote Access policy to each server running Routing and Remote Access.
Configure the Access method as VPN access.
C. Add a Remote Access policy to each server running Routing and Remote Access.
Configure the Access method as dialup access.
D. Add a Remote Access policy to each server running Routing and Remote Access.
Configure the Access method as wireless access.
Correct Answer: A
QUESTION 420
You are designing a remote access strategy to meet the business & technical requirements.
Which authentication mechanism should you use?
A. MS-CHAP v2.
B. Internet Authentication service (IAS).
C. Multilink & Bandwidth Allocation Protocol (BAP).
D. Remote access policies on all servers running Routing & Remote Access.
Correct Answer: B
QUESTION 443
You are designing a security strategy for users who need remote access to the corporate network. What
should you do?
A. Configure Internet Authentication Service (IAS) for accounting.
B. Configure the server running Routing and Remote Access to support L2TP.
C. Configure the server running Routing and Remote Access to restrict dial-in traffic to the NewApp
servers only.
D. Create a separate account for remote access users. Configure these accounts to access the NewApp
server only.
Correct Answer: C
QUESTION 451
You are designing a strategy to provide Internet access to all users. What should you do?
A. Configure Internet Connection Sharing on all client computers.
B. Configure Automatic Private IP Addressing (APIPA) on all client computers.
C. Configure one server as a Routing and Remote Access VPN server.
D. Configure one server as a Routing and Remote Access NAT router.
Correct Answer: D
QUESTION 463
You are designing the security for dial-up remote access to meet the business and technical requirements.
Which two mechanisms should you use? Each correct answer presents part of the solution. Select two.
A. EAP-TLS authentication
B. MS-CHAP v2 authentication
C. a stand-alone certification server
D. an enterprise certification server
E. MPPE 56-bit encryption
Correct Answer: AD
QUESTION 465
You are designing a strategy to allow users to have remote access to internal resources. Which service or
services should you allow on the public interface of the NAT Server? Select all that apply.
A. HTTP
B. LDAP
C. POP3
D. SMTP
E. VPN Gateway
Correct Answer: B
QUESTION 616
Your network contains one Active Directory domain. You have a member server named Server1 that runs
Windows Server 2008 R2. The server has the Routing and Remote Access Services role service installed.
You implement Network Access Protection (NAP) for the domain.
You need to configure the Point-to-Point Protocol (PPP) authentication method on Server1.
Which authentication method should you use?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Extensible Authentication Protocol (EAP)
C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
D. Password Authentication Protocol (PAP)
Correct Answer: B
QUESTION 627
Your network contains a Network Policy Server (NPS) named NPS1. NPS1 is configured for remote
access account lockout.
A domain user named User1 has been locked out by NPS1.
You need to unlock the User1 user account on NPS1.
What should you use?
A. the Netsh tool
B. the Network Policy Server console
C. the Registry Editor
D. the Routing and Remote Access console
Correct Answer: C
QUESTION 633
Your company has deployed Network Access Protection (NAP). You configure secure wireless access to
the network by using 802.1X authentication from any access point.
You need to ensure that all client computers that access the network are evaluated by NAP.
What should you do?
A. Configure all access points as RADIUS clients to the Remediation Servers.
B. Configure all access points as RADIUS clients to the Network Policy Server (NPS).
C. Create a network policy that defines Remote Access Server as a network connection method.
D. Create a network policy that specifies EAP-TLS as the only available authentication method.
Correct Answer: B
QUESTION 634
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the
Remote Access Service role service installed. Server1 is configured as a VPN server.
You need to ensure that you can configure Server1 as a Network Address Translation (NAT) server.
What should you do first on Server1?
A. Enable IPv4 routing.
B. Enable IPv6 routing.
C. Add a new routing protocol.
D. Add the Routing role service.
Correct Answer: D
QUESTION 646
Your network contains a Routing and Remote Access server named RRAS1 and a DHCP server named
DHCP1. RRAS1 and DHCP1 are located in different subnets.
RRAS1 is configured to support VPN connections from the Internet.
DHCP1 has a scope that provides IP addresses for the VPN connections.
You need to ensure that VPN clients that connect to RRAS1 can receive IP addresses from DHCP1.
What should you do?
A. On DHCP1, configure a DHCP Relay Agent.
B. On DHCP1, install the Routing role service.
C. On RRAS1, configure a DHCP Relay Agent.
D. On RRAS1, install the Routing role service.
Correct Answer: C
QUESTION 664
Your network uses IPv4. You install a server that runs Windows Server 2008 R2 at a branch office. The
server is configured with two network interfaces.
You need to configure routing on the server at the branch office.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Install the Routing and Remote Access Services role service.
B. Run the netsh ras ip set access ALL command.
C. Run the netsh interface ipv4 enable command.
D. Enable the IPv4 Router Routing and Remote Access option.
Correct Answer: AD
QUESTION 681
Your network contains a server named Server1 that has the Routing role service installed. Server1 has
two network connections. One network connection connects to the internal network. The other network
connection connects to the Internet. All network connections connected to the internal network use private
IP addresses.
You install a Web server named Web1. Web1 hosts a secured Web site that only allows connections over
TCP port 8281. Web1 is connected to the internal network.
You need to ensure that the secure Web site can be accessed from the Internet.
What should you do from the Routing and Remote Access console?
A. Configure Routing Information Protocol (RIP), and then activate authentication on the RIP interface.
B. Configure Routing Information Protocol (RIP), and then configure the incoming packet protocol settings
on the RIP interface.
C. Configure Network Address Translation (NAT), and then add a new service to the NAT interface.
D. Configure Network Address Translation (NAT), and then enable the Secure Web Server (HTTPS)
service on the NAT interface.
Correct Answer: C
QUESTION 682
Your network contains the servers configured as shown in the following table.
Your company is assigned the public IP addresses from 131.107.0.1 to 131.107.0.31.
You need to ensure that Web1 is accessible from the Internet by using https://131.107.0.2.
What should you do from the Routing and Remote Access console?
A. From the Static Routes node, configure a static route.
B. From the server properties, configure SSL Certificate Binding.
C. From the NAT interface, add an address pool and a reservation.
D. From the NAT interface, configure the Secure Web Server (HTTPS) service.
Correct Answer: C
QUESTION 683
Your network contains multiple servers that run Windows Server 2008 R2. The servers have the Routing
and Remote Access Services (RRAS) role service installed. The servers are configured to support
Routing Information Protocol (RIP).
You need to prevent the server from receiving routes for the 10.0.0.0 network.
What should you do from the Routing and Remote Access console?
A. From the RIP properties page, modify the General settings.
B. From the RIP properties page, modify the Security settings.
C. From the RIP interface properties page, modify the Security settings.
D. From the RIP interface properties page, modify the Neighbors settings.
Correct Answer: C
QUESTION 685
Your network contains two servers named Server1 and Server2. Server1 and Server2 run the Server
Core installation of Windows Server 2008 R2.
You need to duplicate the Windows Firewall configurations from Server1 to Server2.
What should you use?
A. the Get-Item and the Set-Item cmdlets
B. the Get-Service and the Set-Service cmdlets
C. the netsh tool
D. the sconfig tool
Correct Answer: C
QUESTION 694
Your corporate network has a member server named RAS1 that runs Windows Server 2008 R2. You
configure RAS1 to use the Routing and Remote Access Services (RRAS). The company's remote access
policy allows members of the Domain Users group to dial in to RAS1. The company issues smart cards to
all employees.
You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection.
What should you do?
A. Install the Network Policy Server (NPS) server role on RAS1.
B. Create a remote access policy that requires users to authenticate by using SPAP.
C. Create a remote access policy that requires users to authenticate by using EAP-TLS.
D. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
Correct Answer: C
QUESTION 715
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the
Routing and Remote Access service (RRAS) role service installed.
You need to view all inbound VPN packets. The solution must minimize the amount of data collected.
What should you do?
A. From RRAS, create an inbound packet filter.
B. From Network Monitor, create a capture filter.
C. From the Registry Editor, configure File Tracing for RRAS.
D. At the command prompt, run netsh.exe ras set tracing rasauth enabled.
Correct Answer: B
QUESTION 723
Your network contains an Active Directory domain named contoso.com. An Administrator named Admin1
plans to install the Routing and Remote Access service (RRAS) role service on a server named Server1.
Admin1 is not a member of the Domain Admins group.
You need to ensure that Server1 can authenticate users from Active Directory by using Windows
authentication.
What should you do?
A. Add the computer account to the RAS and IAS Servers group.
B. Add the computer account for Server1 to the Windows Authorization Access Group.
C. Install the Network Policy Server (NPS) role service on a domain controller.
D. Install the Active Directory Lightweight Directory Services (AD LDS) role on Server1.
Correct Answer: A
QUESTION 744
Your network contains an Active Directory forest. The forest contains the member servers configured as
shown in the following table.
All servers run Windows Server 2008 R2.
You deploy a new server named Server1.
You need to configure Server1 to provide central authentication for all dial-up connections and all VPN
connections.
What should you install on Server1?
A. Active Directory Lightweight Directory Services (AD LDS)
B. Active Directory Federation Services (AD FS)
C. Network Policy Server (NPS)
D. Routing and Remote Access service (RRAS)
Correct Answer: C
QUESTION 759
Your network contains a server named Server1 that has the Routing and Remote Access service (RRAS)
role service installed.
Server1 provides access to the internal network by using Point-to-Point Tunneling Protocol (PPTP).
Static RRAS filters on the external interface of Server1 allow only PPTP. The IP address of the external
interface is 131.107.1.100.
You install the Web Server (IIS) role on Server1.
You need to ensure that users on the Internet can access a Web site on Server1 by using HTTP. The
solution must minimize the number of open ports on Server1.
Which two static RRAS filters should you configure on Server1? (Each correct answer presents part of the
solution. Choose two.)
A. An outbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Protocol: TCP (established)
Port: 80
B. An outbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any

Port: 80
C. An outbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Protocol: TCP
Port: Any
D. An inbound filter that has the following configurations:
Source network: Any
Destination network: 131.107.1.100/32
Protocol: TCP
Port: 80
E. An inbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Protocol: TCP
Port: Any
Correct Answer: AD
QUESTION 776
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. The domain contains several VPN servers that have
the Routing and Remote Access service (RRAS) role service installed.
You need to collect information about the duration of the VPN connections. The information must be
stored in a central location.
What should you configure on the VPN servers?
A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider
G. Remediation Server groups
H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections
Correct Answer: B
QUESTION 777
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory domain. The domain contains several VPN servers that have
the Routing and Remote Access service (RRAS) role service installed.
You need to configure all of the VPN servers to use the same network policies. The solution must ensure
that any changes to the network policies automatically apply to all of the VPN servers.
What should you configure on the VPN servers?
A. the Windows Accounting accounting provider
B. the RADIUS Accounting accounting provider
C. Connection Request policies
D. Health policies
E. the Windows Authentication authentication provider
F. the RADIUS Authentication authentication provider
G. Remediation Server groups
H. Group Policy preferences
I. System Health Validators (SHVs)
J. IKEv2 client connections
Correct Answer: F
QUESTION 786
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory forest. The forest contains a member server named Server1
that runs Windows Server 2008 R2.
You need to configure Server1 as a network address translation (NAT) server.
Which server role, role service, or feature should you install?
A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services
Correct Answer: B
QUESTION 787
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory forest. The forest contains a member server named Server1
that runs Windows Server 2008 R2.
You configure Server1 as a VPN server.
You need to ensure that only client computers that have up-to-date virus definitions can establish VPN
connections to Server1.
Which server role, role service, or feature should you install?
A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services
Correct Answer: G
QUESTION 788
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory forest. The forest contains a member server named Server1
that runs Windows Server 2008 R2.
You need to ensure that UNIX-based client computers can access shared folders on Server1.
Which server role, role service, or feature should you install?
A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services
Correct Answer: I
QUESTION 789
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory forest. The forest contains a member server named Server1
that runs Windows Server 2008 R2.
You need to create folder quotas on Server1.
Which server role, role service, or feature should you install?
A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services
Correct Answer: H
QUESTION 790
Note: This question is part of a series of questions that use the same set of answer choices. Each
answer choice may be used once, more than once, or not at all.
Your network contains an Active Directory forest. The forest contains a member server named Server1
that runs Windows Server 2008 R2.
You need to configure Server1 to provide central authentication of dial-up, VPN, and wireless connections
to the network.
Which server role, role service or feature should you install?
A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services
Correct Answer: G
QUESTION 1073
Your network contains an Active Directory domain named contoso.com.
An administrator named Admin1 plans to install the Routing and Remote Access service (RRAS) role
service on a server named Server1. Admin1's user account is not a member of the Domain Admins group.
You need to ensure that Server1 can authenticate users from Active Directory by using Windows
authentication.
What should you do?
A. Install the Active Directory Lightweight Directory Services (AD LDS) role on Server1.
B. Add the computer account for Server1 to the Windows Authorization Access Group.
C. Install the Network Policy Server (NPS) role service on a domain controller.
D. Add the computer account for Server1 to the RAS and IAS Servers group.
Correct Answer: D
QUESTION 1078
Your network contains an Active Directory forest. The forest contains a member server named Server1
that runs Windows Server 2008 R2.
You configure Server1 as a VPN server.
You need to ensure that only client computers that have up-to-date virus definitions can establish VPN
connections to Server1.
Which server role, role service, or feature should you install?
A. Windows System Resource Manager (WSRM)
B. Routing and Remote Access service (RRAS)
C. Connection Manager Administration Kit (CMAK)
D. File Server Resource Manager (FSRM)
E. Windows Server Update Services (WSUS)
F. Windows Internal Database
G. Services for Network File System (NFS)
H. Simple TCP/IP Services
I. Network Policy Server (NPS)
J. Health Registration Authority (HRA)
K. Group Policy Management
L. Wireless LAN Service
M. Network Load Balancing (NLB)
Correct Answer: I
QUESTION 1093
Your corporate network has a member server named RAS1 that runs Windows Server 2008 R2.
You configure RAS1 to use the Routing and Remote Access Services (RRAS).
The company's remote access policy allows members of the Domain Users group to dial in to RAS1. The
company issues smart cards to employees.
You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection.
What should you do?
A. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.
B. Create a remote access policy that requires users to authenticate by using SPAP.
C. Install the Network Policy Server (NPS) server role on RAS1.
D. Create a remote access policy that requires users to authenticate by using EAP-TLS.
Correct Answer: D
QUESTION 1132
Your network contains one Active Directory domain. You have a member server named Server1 that runs
Windows Server 2008 R2. The server has the Routing and Remote Access Services role service installed.
You implement Network Access Protection (NAP) for the domain.
You need to configure the Point-to-Point Protocol (PPP) authentication method on Server1.
Which authentication method should you use?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Extensible Authentication Protocol (EAP)
C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
D. Password Authentication Protocol (PAP)
Correct Answer: B
QUESTION 1179
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the
Routing and Remote Access service (RRAS) role service installed.
You need to view all inbound VPN packets. The solution must minimize the amount of data collected.
What should you do?
A. At the command prompt, run netsh.exe ras set tracing rasauth enabled.
B. From Network Monitor, create a capture filter.
C. From the Registry Editor, configure file tracing for RRAS.
D. From RRAS, create an inbound packet filter.
Correct Answer: B
QUESTION 1184
Your network contains an Active Directory forest. The forest contains the member servers configured as
shown in the following table.
All servers run Windows Server 2008 R2.
You deploy a new server named Server1.
You need to configure Server1 to provide central authentication for all dial-up connections and all VPN
connections.
What should you install on Server1?
A. Routing and Remote Access service (RRAS)
B. Active Directory Lightweight Directory Services (AD LDS)
C. Active Directory Federation Services (AD FS)
D. Network Policy Server (NPS)
Correct Answer: D
QUESTION 1185
Your network contains an Active Directory forest. The forest contains a member server named VPN1 that
runs Windows Server 2008 R2.
You need to configure VPN1 as a VPN server.
What should you install on VPN1?
A. Network Policy Server (NPS)
B. Simple TCP/IP Services
C. Routing and Remote Access service (RRAS)
D. Connection Manager Administration Kit (CMAK)
Correct Answer: C
QUESTION 1207
Your network contains an Active Directory forest. The forest contains two domains named contoso.com
and eu.contoso.com.
You install a Network Policy Server (NPS) named Server1 in the contoso.com domain.
You need to ensure that Server1 can read the dial-in properties of the user accounts in the
eu.contoso.com domain.
What should you do?
A. In the contoso.com domain, add Server1 to the RAS and IAS Servers group.
B. In the contoso.com domain, add Server1 to the Windows Authorization Access group.
C. In the eu.contoso.com domain, add Server1 to the RAS and IAS Servers group.
D. In the eu.contoso.com domain, add Server1 to the Windows Authorization Access group.
Correct Answer: C
