Microsoft 70-640 Free Dumps Questions Online, Read and Test Now.
NEW QUESTION 1
Your network contains an Active Directory forest named contoso.com.
You need to identify the Password Setting object (PSO) applied to a user named User1.
Which cmdlet should you run?
- A. Get-AdFineGrainedPasswordPolicy
- B. Get-AdFineGrainedPasswordPolicySubject
- C. Get-AdUserResultantPasswordPolicy
- D. Get-AdDefaultDomainPasswordPolicy
Answer: C
NEW QUESTION 2
Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
- A. Configure the Block Inheritance setting on the R&D organizational unit.
- B. Configure the Enforce setting on the software deployment GPO.
- C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
- D. Configure the Block Inheritance setting on the Production organizational unit.
Answer: AC
Explanation:
Answer: Configure the Block Inheritance setting on the R&D organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx
Managing inheritance of Group Policy
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override."
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Security filtering using GPMC
Security filtering
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
Notes:
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.
Further information:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups
Active Directory
Shadow groups
In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
NEW QUESTION 3
Your network contains an Active Directory domain. The domain contains a domain
controller named DC1 that runs Windows Server 2008 R2 Service Pack 1 (SP1).
You need to implement a central store for domain policy templates.
What should you do?
To answer, select the source content that should be copied to the destination folder in the
answer area. 
Answer:
Explanation: 
NEW QUESTION 4
HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-only domain controller (RODC).
You accidentally delete the site link between the two sites.
You recreate the site link while you are connected to a domain controller in Seattle.
You need to replicate the change to the RODC in Montreal.
Which node in Active Directory Sites and Services should you use? To answer, select the appropriate node in the answer area.
Answer:
Explanation: 
NEW QUESTION 5
You need to force a domain controller to register all service location (SRV) resource records in DNS.
Which command should you run?
- A. ipconfig.exe /registerdns
- B. net.exe stop dnscache & net.exe start dnscache
- C. net.exe stop netlogon & net.exe start netlogon
- D. regsvr32.exe dnsrslvr.dll
Answer: C
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
NEW QUESTION 6
Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
- A. certreq.exe -retrieve
- B. certreq.exe -submit
- C. certutil.exe -getkey
- D. certutil.exe -pulse
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/
What does "certutil -pulse" command do?
Certutil -pulse will initiate autoenrollment requests.
It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7):
Right-click Certificates, point to All Tasks, click Automatically Enroll and Retrieve Certificates.
The command does require that:
- any autoenrollment GPO settings have already been applied to the target user or computer
- a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user
- the group membership is recognized in the user's token (they have logged on after the membership was added)
http://technet.microsoft.com/library/cc732443.aspx
Certutil
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.
Verbs
The following table describes the verbs that can be used with the certutil command.
pulse: Pulse auto enrollment events
NEW QUESTION 7
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
You need to create a snapshot of Active Directory.
What should you do?
- A. Run the Get-ADDomain cmdlet.
- B. Run the dsget.exe command.
- C. Run the ntdsutil.exe command.
- D. Run the ocsetup.exe command.
- E. Run the dsamain.exe command.
- F. Run the eventcreate.exe command.
- G. Create a Data Collector Set (DCS).
- H. Create custom views from Event Viewer.
- I. Configure subscriptions from Event Viewer.
- J. Import the Active Directory module for Windows PowerShell.
Answer: C
NEW QUESTION 8
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com. The contoso.com domain contains a domain controller
named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted.
What should you do?
- A. Create a primary zone on DC1 and store the zone in a zone file.
- B. On DC1 and DC2, configure inbound rules and outbound rules by using Windows Firewall with Advanced Security.
- C. Create a secondary zone on DC2 and select DC1 as the master.
- D. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com naming context.
- E. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com naming context.
- F. Create a secondary zone on DC1 and select DC2 as the master.
- G. Create a primary zone on DC1 and store the zone in a zone file.
- H. Configure DNSSEC for the zone.
- I. Create a secondary zone on DC2 and select DC1 as the master.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/ee649277.aspx
Zone transfers Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of the resource records, including DNSSEC resource records, are transferred from the primary server to the secondary servers with no additional setup requirements.
NEW QUESTION 9
Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives.
You need to apply desktop restrictions to the sales executives group.
You must not apply these desktop restrictions to the sales managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
What should you do next?
- A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
- B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.
- C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
- D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.
Answer: D
Explanation:
http://support.microsoft.com/kb/816100
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups.
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Best Practice: How to exclude individual users or computers from a Group Policy Object
One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.
Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission.
Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control as someone only needs to modify the group membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant them permission to the Group Policy Objects.
NEW QUESTION 10
Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains.
You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain.
What should you do?
- A. Decrease the replication interval for all Connection objects.
- B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
- C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
- D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc754538.aspx
Understanding When to Create a Shortcut Trust
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on. 
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.
NEW QUESTION 11
A corporate network includes an Active Directory Domain Services (AD DS) forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers.
A standard primary zone for dev.contoso.com is stored on a member server.
You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.
What should you do?
- A. On one domain controller, create a secondary zone.
- B. On the member server, create a secondary zone.
- C. On each domain controller, create a secondary zone.
- D. On one domain controller, create a conditional forwarder.
- E. Configure the conditional forwarder to replicate to all DNS servers in the domain.
Answer: C
NEW QUESTION 12
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
What should you do?
- A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
- B. Create an external trust from nwtraders.com to contoso.com.
- C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
- D. Create an external trust from contoso.com to nwtraders.com.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/hh311036.aspx
Using AD RMS trust
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.
NEW QUESTION 13
Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
- A. Run the adprep /domainprep command.
- B. Raise the forest functional level to Windows Server 2008.
- C. Raise the domain functional level to Windows Server 2008.
- D. Run the adprep /forestprep command.
Answer: AD
Explanation:
http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm
Prepare your Domain for the Windows Server 2008 R2 Domain Controller
Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP. ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.
What does ADPREP do?
ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:
- Updating the Active Directory schema
- Updating security descriptors
- Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
- Creating new objects, as needed
- Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?). Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website. If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor).
Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
- Enterprise Admins
- Schema Admins
- Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following command: adprep /forestprep
You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to
run it from a non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory Domain Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the
forest before you prepare any domains for a domain controller that runs Windows Server
2008 R2.
In the Command Prompt window, type the following command: adprep /domainprep
Process will take less than a second. 
ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also run the following command: adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed.
However, if you're planning to run Read Only Domain controllers (RODCs), you must also type the following command: adprep /rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. Process will complete in less than a second.
Allow the operation to complete, and then allow the changes to replicate throughout the
forest before you prepare any domains for a domain controller that runs Windows Server
2008 R2.
To verify that adprep /forestprep completed successfully please perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration, DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties. 
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK. 
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties. 
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK. 
NEW QUESTION 14
ABC.com has purchased laptop computers that will be used to connect to a wireless network.
You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks.
You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network.
What should you do to enforce the group policy wireless settings to the laptop computers?
- A. Execute gpupdate /target:computer command at the command prompt on laptop computers
- B. Execute Add a network command and leave the SSID (service set identifier) blank
- C. Execute gpupdate /boot command at the command prompt on laptop computers
- D. Connect each laptop computer to a wired network and log off the laptop computer and then login again.
- E. None of the above
Answer: D
NEW QUESTION 15
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group.
The users must be removed from the group when they log off of the client computers.
What should you do?
- A. Modify the Group Policy permissions.
- B. Enable block inheritance.
- C. Configure the link order.
- D. Enable loopback processing in merge mode.
- E. Enable loopback processing in replace mode.
- F. Configure WMI filtering.
- G. Configure Restricted Groups.
- H. Configure Group Policy Preferences.
- I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).
- J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).
Answer: H
Explanation:
http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
NEW QUESTION 16
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2.
You perform a full backup of the domain controllers every night by using Windows Server Backup.
You update a script in the SYSVOL folder.
You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script.
What should you do first?
- A. Run the Restore-ADObject cmdlet
- B. Restore the system state to its original location
- C. Restore the system state to an alternate location
- D. Attach the VHD file created by Windows Server Backup
Answer: D
Explanation:
http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx
Active Directory Backup and Restore in Windows Server 2008
NTBACKUP vs. Windows Server Backup
As an added bonus, Windows Server Backup stores its backup images in Microsoft Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file on it. (A note of caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardware configuration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backup as a physical-to-virtual migration tool.)
NEW QUESTION 17
Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains:
Fabrikam.com
Eu.fabrikam.com
Na.fabrikam.com
Eu.contoso.com
Na.contoso.com
You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users and Computers.
Which tool should you use?
- A. Active Directory Users and Computers
- B. Set-ADAccountControl
- C. Set-ADForest
- D. New-ADObject
Answer: C
NEW QUESTION 18
Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements.
Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7.
You need to configure your partner company's domain to use the approved set of administrative templates.
What should you do?
- A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy.
- B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
- C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
- D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on the partner company's emulator.
Answer: B
Explanation:
http://support.microsoft.com/kb/929841
How to create the Central Store for Group Policy Administrative Template files in Windows Vista
Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settings appear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markup language. In Windows Vista, Administrative Template files are divided into .admx files and language-specific .adml files that are available to Group Policy administrators.
Administrative Template file storage
In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased.
Windows Vista uses a Central Store to store Administrative Template files. In Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm files.
The Central Store
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.
To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies
Note: FQDN is a fully qualified domain name.
http://www.frickelsoft.net/blog/?p=31
How can I export local Group Policy settings made in gpedit.msc?
Mark Heitbrink, MVP for Group Policy... came up with a good solution on how you can “export” the Group Policy and Security... settings you made on a machine with the Local Group Policy Editor (gpedit.msc) to other machines pretty easily:
Normal settings can be copied like this:
1.) Open %systemroot%\system32\grouppolicy
Within this folder, there are two folders - “machine” and “user”. Copy these two folders to the “%systemroot%\system32\grouppolicy” folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.
Note: If you cannot see the “grouppolicy” folder on either the source or the target machine, be sure to have your explorer folder options set to “Show hidden files and folders”…
For security settings:
1.) Open MMC and add the Snapin “Security Templates”.
2.) Create your own customized template and save it as an “*.inf” file.
3.) Copy the file to the target machine and import it via command line tool “secedit”: secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf
Further information on secedit can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
If you’re building custom installations, you can pretty easily script the “overwriting” of the “machine”/“user” folders or the import via secedit by copying these files to a share and copy and execute them with a script.