Tuesday, August 2, 2016

[2016 NEW MICROSOFT 70-640 EXAM] MICROSOFT TS: WINDOWS SERVER 2008 ACTIVE DIRECTORY, CONFIGURING EXAM A PART 2 (21-40) VCE DUMPS FOR FREE DOWNLOAD WITH 100% PASS ENSURE

Do you want to pass the 70-640 Examsavior exam? What are the new questions of the latest 70-640 exam? Examsavior 70-640 VCE dumps and 70-640 PDF dumps will tell you all about the 70-640 Examsavior exam. Here are Examsavior's newest dumps, covering all newly added questions and answers, which will help you pass the 70-640 Examsavior exam. Hurry up and get the free exam from here!
NOW FREE DOWNLOAD
http://examsavior.com/70-414


QUESTION 21
Your company has an Active Directory domain that runs Windows Server 2008 R2.
The Sales OU contains an OU for Computers, an OU for Groups and an OU for Users.
You perform nightly backups. An administrator deletes the Groups OU.
You need to restore the Groups OU without affecting users and computers in the Sales OU.
What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform a non-authoritative restore of the Sales OU.
C. Perform an authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Groups OU.
Correct Answer: C
Explanation
Explanation/Reference:
Answer: Perform an authoritative restore of the Groups OU.
Explanation:
http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx
Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of
objects to its predeletion state at the time when it was backed up. For example, you might have to perform
an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a
large number of users. In most cases, there are two parts to the authoritative restore process: a
nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you
perform a nonauthoritative restore from backup only, the deleted OU is not restored because the
restored domain controller is updated after the restore process to the current status of its replication
partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative
restore from backup and before allowing replication to occur, you must perform an authoritative restore
procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the
replication process restore it to all the other domain controllers in the domain. After an authoritative
restore, you also restore group memberships, if necessary.
QUESTION 22
Your network consists of a single Active Directory domain.
The functional level of the forest is Windows Server 2008 R2.
You need to create multiple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multiple Group Policy objects.
B. From the Schema snap-in, create multiple class schema objects.
C. From the ADSI Edit snap-in, create multiple Password Setting objects.
D. From the Security Configuration Wizard, create multiple security policies.
Correct Answer: C
Explanation
Explanation/Reference:
Answer: From the ADSI Edit snap-in, create multiple Password Setting objects.
Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
..
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies
and apply different password restrictions and account lockout policies to different sets of users within a
single domain.
..
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the
Active Directory Domain Services (AD DS) schema:
Password Settings Container
Password Settings
The Password Settings Container (PSC) object class is created by default under the System container in
the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or
delete this container.

Steps to configure fine-grained password and account lockout policies
When the group structure of your organization is defined and implemented, you can configure and apply
fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained
password and account lockout policies involves the following steps:
Step 1: Create a PSO
Step 2: Apply PSOs to Users and Global Security Groups
Step 3: Manage a PSO
Step 4: View a Resultant PSO for a User or a Global Security Group
http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx
Step 1: Create a PSO
You can create Password Settings objects (PSOs):
Creating a PSO using the Active Directory module for Windows PowerShell
Creating a PSO using ADSI Edit
Creating a PSO using ldifde
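The four steps above, carried out with the Active Directory module for Windows PowerShell. This is an added example, not code from the page or from Microsoft's guide; the PSO name, its settings, the group name 'Tier0-Admins' and the user 'jdoe' are constructed for illustration and would be replaced with your own.

```powershell
Import-Module ActiveDirectory

# Step 1: create the PSO. All values here are constructed for the example; Precedence
# decides which PSO wins when several apply to a user (lower number wins).
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Step 2: apply the PSO to a global security group (users can be listed here as well).
# 'Tier0-Admins' is a hypothetical group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Tier0-Admins'

# Step 3: manage the PSO, e.g. tighten the lockout threshold and raise its priority,
# then list what it currently applies to.
Set-ADFineGrainedPasswordPolicy -Identity 'PSO-PrivilegedAccounts' -LockoutThreshold 3 -Precedence 5
Get-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts'

# Step 4: view the resultant PSO for a user. When no PSO applies, the cmdlet returns
# nothing, which means the Default Domain Policy password settings are in effect.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso } else { Get-ADDefaultDomainPasswordPolicy }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'   # 'jdoe' is a constructed user
```

Two points worth checking after creating PSOs: a PSO linked directly to a user always beats one linked through a group, regardless of precedence, and PSOs only take effect for global security groups, so membership in a domain-local or universal group does not pull a PSO in. Running the resultant check for a few accounts after each change is the quickest way to catch an unintended precedence outcome.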
QUESTION 23
You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.
You need to record all inbound DNS queries to the server.
What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Configure event logging to log errors and warnings.
D. Enable automatic testing for recursive queries.
Correct Answer: A
Explanation
Explanation/Reference:
Answer: Enable debug logging.
Explanation:
http://technet.microsoft.com/en-us/library/cc753579.aspx
DNS Tools
Event-monitoring utilities
The Windows Server 2008 family includes two options for monitoring DNS servers:
Default logging of DNS server event messages to the DNS server log.
DNS server event messages are separated and kept in their own system event log, the DNS server
log, which you can view using DNS Manager or Event Viewer.
The DNS server log contains events that are logged by the DNS Server service. For example, when
the DNS server starts or stops, a corresponding event message is written to this log. Most additional
critical DNS Server service events are also logged here, for example, when the server starts but
cannot locate initializing data and zones or boot information stored in the registry or (in some cases)
Active Directory Domain Services (AD DS).
You can use Event Viewer to view and monitor client-related DNS events. These events appear in the
System log, and they are written by the DNS Client service at any computers running Windows (all
versions).
Optional debug options for trace logging to a text file on the DNS server computer.
You can also use DNS Manager to selectively enable additional debug logging options for temporary
trace logging to a text-based file of DNS server activity. The file that is created and used for this
feature, Dns.log, is stored in the %systemroot%\System32\Dns folder.
http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspx
Using server debug logging options
The following DNS debug logging options are available:
Direction of packets
Send: Packets sent by the DNS server are logged in the DNS server log file.
Receive: Packets received by the DNS server are logged in the log file.

Further information:
http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
Select and enable debug logging options on the DNS server
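Enabling debug logging produces the Dns.log text file described above; the value of "record all inbound queries" comes from what you do with it afterwards. The following is an added example, not code from the page or from Microsoft, that parses the packet lines of a Dns.log written by a Windows Server 2008 R2 DNS server, keeps only received (inbound) queries, summarises the names clients asked for, and flags zone-transfer requests. The log lines embedded in the block are constructed for the example and follow the 2008 R2 packet-line layout; adjust the pattern if your server writes a different layout.

```powershell
# Constructed sample of Dns.log packet lines (Windows Server 2008 R2 layout):
# date time threadId PACKET context proto Rcv|Snd client xid [R] opcode [flags] qtype (len)label...(0)
$sampleLog = @'
8/2/2016 9:14:02 AM 0A1C PACKET  0000000003BA6F10 UDP Rcv 10.1.20.15      0004   Q [0001   D   NOERROR] A      (3)www(7)contoso(3)com(0)
8/2/2016 9:14:02 AM 0A1C PACKET  0000000003BA6F10 UDP Snd 10.1.20.15      0004 R Q [8081   DR  NOERROR] A      (3)www(7)contoso(3)com(0)
8/2/2016 9:14:05 AM 0A1C PACKET  0000000003BA7250 UDP Rcv 10.1.20.31      0005   Q [0001   D   NOERROR] AAAA   (4)mail(7)contoso(3)com(0)
8/2/2016 9:14:07 AM 0A1C PACKET  0000000003BA7250 TCP Rcv 10.1.20.31      0006   Q [0001   D   NOERROR] AXFR   (7)contoso(3)com(0)
8/2/2016 9:14:09 AM 0A1C PACKET  0000000003BA7810 UDP Rcv 10.1.20.15      0007   Q [0001   D   NOERROR] A      (3)www(7)contoso(3)com(0)
'@ -split "`r?`n"

function ConvertFrom-DnsDebugLog {
    # Turns each packet line into an object; header and event lines do not match and are skipped.
    param([string[]]$Lines)
    $pattern = '^(?<date>\S+ \S+ \S+) (?<tid>[0-9A-F]+) PACKET\s+(?<ctx>[0-9A-F]+) ' +
               '(?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+(?<xid>[0-9A-F]+)\s+' +
               '(?<resp>R)?\s*(?<op>[QNU]) \[(?<flags>[^\]]*)\] (?<qtype>\S+)\s+(?<qname>\S+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Time       = $Matches['date']
                Protocol   = $Matches['proto']
                Direction  = $Matches['dir']
                Client     = $Matches['ip']
                IsResponse = [bool]$Matches['resp']      # 'R' marks a response packet
                QueryType  = $Matches['qtype']
                # "(3)www(7)contoso(3)com(0)" -> "www.contoso.com"
                Name       = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')
            }
        }
    }
}

function Get-InboundQueries {
    # Inbound queries are packets the server received that are not responses.
    param([string[]]$Lines)
    ConvertFrom-DnsDebugLog -Lines $Lines |
        Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse }
}

# Most-queried names, one row per name.
Get-InboundQueries -Lines $sampleLog |
    Group-Object Name | Sort-Object Count -Descending |
    Select-Object Count, Name

# Zone-transfer requests (AXFR/IXFR) should only ever come from your own secondaries;
# anything else is worth an alert.
Get-InboundQueries -Lines $sampleLog |
    Where-Object { @('AXFR', 'IXFR') -contains $_.QueryType } |
    ForEach-Object { "Zone transfer request for $($_.Name) from $($_.Client) over $($_.Protocol)" }
```

On the sample this reports www.contoso.com twice and mail.contoso.com once, and prints one zone-transfer line for 10.1.20.31. For a real server, feed `Get-Content "$env:SystemRoot\System32\Dns\Dns.log"` to the functions; debug logging is meant for temporary tracing, so keep the log-file size limit in the Debug Logging tab set and turn the options off again once the capture is done.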
QUESTION 24
Your company has a main office and a branch office.
The company has a single-domain Active Directory forest.
The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2.
The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.
All domain controllers hold the DNS Server role and are configured as Active Directory-integrated
zones.
The DNS zones only allow secure updates.
You need to enable dynamic DNS updates on DC3.
What should you do?
A. Run the Dnscmd.exe /ZoneResetType command on DC3.
B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
C. Create a custom application directory partition on DC1. Configure the partition to store Active
Directory-integrated zones.
D. Run the Ntdsutil.exe > DS Behavior commands on DC3.
Correct Answer: B
Explanation
Explanation/Reference:
Answer: Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
Explanation:
http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNS
Appendix A: RODC Technical Reference Topics
DNS updates for clients that are located in an RODC site
When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain
Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as
their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when
it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows
Server 2008 or later and hosts the Active Directory–integrated zone, just as a secondary DNS server
handles updates for zones that are not Active Directory–integrated zones. After it receives the name of a
writable domain controller that runs Windows Server 2008 or later, the client is then responsible for
performing the DNS record registration against the writeable server. The RODC waits a certain amount of
time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory
Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation.
Note:
For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server
that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record.
That DNS server must register a name server (NS) resource record for the zone. The Windows Server
2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a
subset of the available DNS servers. If you followed those guidelines and you do not register at least one
writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS
server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server
2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication
of the DNS record update will be delayed until the next scheduled replication cycle.
Further information:
http://technet.microsoft.com/en-us/library/dd737255%28v=ws.10%29.aspx
Plan DNS Servers for Branch Office Environments
This topic describes best practices for installing Domain Name System (DNS) servers to support Active
Directory Domain Services (AD DS) in branch office environments.
As a best practice, use Active Directory–integrated DNS zones, which are hosted in the application
directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based
on the assumption that you are following this best practice.
In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so
that client computers in the branch office can still perform DNS lookups when the wide area network
(WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server
when you install AD DS, using Dcpromo.exe. Otherwise, you must use Dnscmd.exe to enlist the RODC in
the DNS application directory partitions that host Active Directory–integrated DNS zones.
Note: You also have to configure the DNS client’s setting for the RODC so that it points to itself as its
preferred DNS server.
To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at
least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which
client computers in the branch office are attempting to make DNS updates. The writeable Windows Server
2008 DNS server must register name server (NS) resource records for that zone.
By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers
that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is
because the updates replicate back to the RODCs in their respective branch offices by means of a
replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.
For example, suppose that you add a new member server in a branch office, Branch1, which includes an
RODC. The member server hosts an application that you want client computers in Branch1 to locate by
using a DNS query. When the member server attempts to register its host (A or AAAA) resource records
for its IP address to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or
Windows Server 2008 R2 DNS server that the RODC tracks in Branch1. If a writeable Windows Server
2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as
soon as possible from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1
can successfully locate the new member server by querying the RODC in Branch1 for its IP address.
If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can
still succeed against Windows Server 2003 DNS server if one is available but the updated record in the
DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can
delay client computers that use the RODC DNS server for name resolution from locating the new member
server.
QUESTION 25
Your company has an Active Directory domain named ad.contoso.com.
The domain has two domain controllers named DC1 and DC2.
Both domain controllers have the DNS server role installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network.
You configure DC1 to forward all unresolved name requests to DNS1.contoso.com.
You discover that the DNS forwarding option is unavailable on DC2.
You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com
server.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Clear the DNS cache on DC2.
B. Configure conditional forwarding on DC2.
C. Configure the Listen On address on DC2.
D. Delete the Root zone on DC2.
Correct Answer: BD
Explanation
Explanation/Reference:
Answer: Delete the Root zone on DC2.
Configure conditional forwarding on DC2.
Explanation:
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for
external DNS names to DNS servers outside that network. You can also configure your server to forward
queries according to specific domain names using conditional forwarders.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/
Deleting .root dns zone in 2008 DNS
Q: We have 2 domain controllers and .root zone is created in the DNS. Due to which the external name
resolution is not possible. I had tried to add conditional forwarders but i get an error saying that
conditional forwarders cannot be created on root DNS servers.
A 1: If you have a “root” zone created in your DNS, and you no longer want that configuration, you can just
simply delete that zone. There is no reason to have a root “.” zone hosted unless you want to make sure
that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name
resolution.
If you delete this zone, the DNS server will be able to use its root hints, or forwarders, to resolve queries for
zones it's not authoritative for.
A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access
while promoting the first DC. Just remove it, and the Forwarders option reappears.
Further information:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
http://technet.microsoft.com/en-us/library/cc731879%28v=ws.10%29.aspx
Reviewing DNS Concepts
Delegation
For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone
in the namespace. These paths are created by means of delegation. A delegation is a record in a parent
zone that lists a name server that is authoritative for the zone in the next level of the hierarchy.
Delegations make it possible for servers in one zone to refer clients to servers in other zones. The
following illustration shows one example of delegation.
The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to
a zone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root
server that, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone
tells the Com server that, to find the contoso.com zone, it must contact the Contoso server.
Note: A delegation uses two types of records. The name server (NS) resource record provides the name
of an authoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP
version 6 (IPv6) addresses of an authoritative server.
This system of zones and delegations creates a hierarchical tree that represents the DNS namespace.
Each zone represents a layer in the hierarchy, and each delegation represents a branch of the tree.
By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS
namespace. The root zone includes delegations that lead directly or indirectly to all other zones in the
hierarchy. Any server that can query the DNS root server can use the information in the delegations to find
any name in the namespace.
QUESTION 26
Your company has an organizational unit named Production.
The Production organizational unit has a child organizational unit named R&D.
You create a GPO named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit.
You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational
unit.
What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two.)
A. Configure the Block Inheritance setting on the R&D organizational unit.
B. Configure the Enforce setting on the software deployment GPO.
C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D
security group.
D. Configure the Block Inheritance setting on the Production organizational unit.
Correct Answer: AC
Explanation
Explanation/Reference:
Answer: Configure the Block Inheritance setting on the R&D organizational unit.
Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the
R&D security group.
Explanation:
http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx
Managing inheritance of Group Policy
..
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents
GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the
child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block
inheritance. For example, if you want to apply a single set of policies to an entire domain except for one
organizational unit, you can link the required GPOs at the domain level (from which all organizational units
inherit policies by default) and then block inheritance only on the organizational unit to which the policies
should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence over the settings of any child
object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent
container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are
overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting
settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not
enforced. In tools prior to GPMC, “enforced” was known as “No override.”
..
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using
security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Security filtering using GPMC
Security filtering
Security filtering is a way of refining which users and computers will receive and apply the settings in a
Group Policy object (GPO). Using security filtering, you can specify that only certain security principals
within a container where the GPO is linked apply the GPO. Security group filtering determines whether the
GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings
within a GPO.
..
Notes:
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to
sites, domains and organizational units. However, by using security filtering, you can narrow the scope
of a GPO so that it applies only to a single group, user, or computer.
..
The location of a security group in Active Directory is irrelevant to security group filtering and, more
generally, irrelevant to Group Policy processing.
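Both correct answers scripted, as an added example that is not from the page or from Microsoft's documentation. It uses the ActiveDirectory and GroupPolicy PowerShell modules; the domain contoso.com, the OU distinguished names, the shadow group name 'RD-ShadowGroup' and the GPO name are assumptions. Because `Set-GPPermission` only grants or removes permissions and cannot write a Deny entry, the Deny "Apply group policy" ACE is added to the GPO's Active Directory object directly.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Hypothetical names for this example.
$Domain    = 'contoso.com'
$RdOu      = 'OU=R&D,OU=Production,DC=contoso,DC=com'
$ShadowGrp = 'RD-ShadowGroup'
$GpoName   = 'Software Deployment'

# The question presupposes a shadow group for the R&D OU. A shadow group is only useful if it
# is kept in step with the OU, so mirror the OU's users into the group on every run.
function Sync-ShadowGroup {
    param([string]$OuDn, [string]$GroupName)
    $ouUsers = Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
               Select-Object -ExpandProperty DistinguishedName
    $members = Get-ADGroupMember -Identity $GroupName |
               Where-Object { $_.objectClass -eq 'user' } |
               Select-Object -ExpandProperty DistinguishedName
    $toAdd    = $ouUsers | Where-Object { $members -notcontains $_ }
    $toRemove = $members | Where-Object { $ouUsers -notcontains $_ }
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
}
Sync-ShadowGroup -OuDn $RdOu -GroupName $ShadowGrp

# Answer A: block inheritance on the R&D OU. Note this stops every non-enforced GPO linked
# at Production or the domain from reaching R&D, not just Software Deployment.
Set-GPInheritance -Target $RdOu -IsBlocked Yes -Domain $Domain | Out-Null

# Answer C: deny the shadow group the "Apply group policy" extended right on the GPO.
# This is what GPMC writes when you tick "Deny" for Apply group policy in Delegation/Advanced.
$gpo          = Get-GPO -Name $GpoName -Domain $Domain
$gpoAdPath    = "AD:\$($gpo.Path)"                       # the groupPolicyContainer object
$group        = Get-ADGroup -Identity $ShadowGrp
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939' # rightsGuid of "Apply Group Policy"

$acl  = Get-Acl -Path $gpoAdPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight)
$acl.AddAccessRule($rule)
Set-Acl -Path $gpoAdPath -AclObject $acl
```

Of the two, the security-filter deny is the narrower control: it affects one GPO and one group, and it follows the user wherever the GPO is linked, whereas block inheritance changes the whole policy picture for the R&D OU. Because group membership is evaluated at logon, users already signed in keep their existing token until they log off and on again, so allow for that before concluding the filter did not work.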
Further information:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups
Active Directory
Shadow groups
In Microsoft’s Active Directory, OUs do not confer access permissions, and objects placed within OUs are
not automatically assigned access privileges based on their containing OU. This is a design limitation
specific to Active Directory. Other competing directories such as Novell NDS are able to assign access
privileges through object placement within an OU.
Active Directory requires a separate step for an administrator to assign an object in an OU as a member of
a group also within that OU. Relying on OU location alone to determine access permissions is unreliable,
because the object may not have been assigned to the group object for that OU.
A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual
Basic script to automatically create and maintain a user group for each OU in their directory. The scripts
are run periodically to update the group to match the OU’s account membership, but are unable to
instantly update the security groups anytime the directory changes, as occurs in competing directories
where security is directly implemented into the directory itself. Such groups are known as Shadow
Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.
Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how
to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and
top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT
Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate
administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an
administrative boundary, the only true security boundary is the forest itself and an administrator of any
domain in the forest must be trusted across all domains in the forest.[6]
QUESTION 27
Your company has a branch office that is configured as a separate Active Directory site and has an
Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application.
You need to configure the domain controller as a Global Catalog server.
Which tool should you use?
A. The Server Manager console
B. The Active Directory Sites and Services console
C. The Dcpromo.exe utility
D. The Computer Management console
E. The Active Directory Domains and Trusts console
Correct Answer: B
Explanation
Explanation/Reference:
Answer: The Active Directory Sites and Services console
Explanation:
http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx
Configure a domain controller as a global catalog server
To configure a domain controller as a global catalog server
1. Open Active Directory Sites and Services.

Further information:
http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of
every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The
global catalog is stored on domain controllers that have been designated as global catalog servers and is
distributed through multimaster replication. Searches that are directed to the global catalog are faster
because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest
stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can
locate only the objects in its domain. Locating an object in a different domain would require the user or
application to provide the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know the
domain name. A global catalog server is a domain controller that, in addition to its full, writable domain
directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in
the forest. The additional domain directory partitions are partial because only a limited set of attributes is
included for each object. By including only the attributes that are most used for searching, every object in
every domain in even the largest forest can be represented in the database of a single global catalog
server.
Note: A global catalog server can also store a full, writable replica of an application directory partition, but
objects in application directory partitions are not replicated to the global catalog as partial, read-only
directory partitions.
The global catalog is built and updated automatically by the AD DS replication system. The attributes that
are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are
defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or
removing attributes that are stored in the global catalog.
In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of
all attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the
global catalog by replicating only the attributes that change.
In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not
store any partial replica. A global catalog server in a single-domain forest functions in the same manner as
a non-global-catalog server except for the processing of forest-wide searches.
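The Sites and Services check box the page refers to sets one bit on the domain controller's NTDS Settings object. The following added example (not from the page or from Microsoft) does the same with the Active Directory module and then checks when the DC starts advertising as a global catalog; 'DC3' is a constructed domain controller name.

```powershell
Import-Module ActiveDirectory

# Enabling the global catalog = setting bit 0x1 (NTDSDSA_OPT_IS_GC) on the "options" attribute
# of the DC's NTDS Settings object. This is exactly what the Sites and Services check box does.
function Enable-GlobalCatalog {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    $dc   = Get-ADDomainController -Identity $DomainController
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options           # $null (never set) becomes 0
    if ($opts -band 1) {
        Write-Verbose "$DomainController is already flagged as a global catalog server"
        return
    }
    # OR the bit in so that any other option bits already present are preserved.
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
}

function Test-GlobalCatalogReady {
    param([Parameter(Mandatory=$true)][string]$DomainController)
    # isGlobalCatalogReady on the DC's rootDSE becomes TRUE only after the partial replicas
    # have replicated in and the DC registers its GC SRV records; until then the new
    # application in the branch will still be referred to another GC.
    [bool]::Parse((Get-ADRootDSE -Server $DomainController).isGlobalCatalogReady)
}

Enable-GlobalCatalog -DomainController 'DC3'
Test-GlobalCatalogReady -DomainController 'DC3'
```

In a single-domain forest there are no partial replicas to pull, so readiness is almost immediate; in a multi-domain forest the interval depends on the site link schedule between the branch and a DC of each other domain, which is why the readiness check is separate from the enable step.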
QUESTION 28
Your company has a main office and three branch offices.
The company has an Active Directory forest that has a single domain.
Each office has one domain controller.
Each office is configured as an Active Directory site.
All sites are connected with the DEFAULTIPSITELINK object.
You need to decrease the replication latency between the domain controllers.
What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Correct Answer: B
Explanation
Explanation/Reference:
Answer: Decrease the replication interval for the DEFAULTIPSITELINK object.
Personal comment:
All sites are connected with the DEFAULTIPSITELINK object. <- this roughly translates into all sites are
connected with the first domain controller in the forest
So the topology is star shaped.
Thus, decreasing the cost between the connection objects will offer no benefit.
We know we have multiple sites linked and are using a DEFAULTIPSITELINK object.
Thus, the most plausible answer is to decrease the replication interval for DEFAULTIPSITELINK.
Explanation:
http://www.informit.com/articles/article.aspx?p=26866&seqNum=5
Understanding Active Directory, Part III
Replication
Active Directory replication between domain controllers is managed by the system administrator on a site-by-site
basis. As domain controllers are added, a replication path must be established. This is done by the
Knowledge Consistency Checker (KCC), coupled with Active Directory replication components. The KCC
is a dynamic process that runs on all domain controllers to create and modify the replication topology. If a
domain controller fails, the KCC automatically creates new paths to the remaining domain controllers.
Manual intervention with the KCC will also force a new path.
The Active Directory replaces PDCs and BDCs with multimaster replication services. Each domain
controller retains a copy of the entire directory for that particular domain. As changes are made in one
domain controller, the originator communicates these changes to the peer domain controllers. The
directory data itself is stored in the ntds.dit file.
Active Directory replication uses the Remote Procedure Call (RPC) over IP to conduct replication within a
site. Replication between sites can utilize either RPC or the Simple Mail Transfer Protocol (SMTP) for data
transmission. The default intersite replication protocol is RPC.
Intersite and Intrasite Replication
There are distinct differences in internal and intersite domain controller replication. In theory, the network
bandwidth within a site is sufficient to handle all network traffic associated with replication and other Active
Directory activities. By the definition of a site, the network must be reliable and fast. A change notification
process is initiated when modifications occur on a domain controller. The domain controller waits for a
configurable period (by default, five minutes) before it forwards a message to its replication partners.
During this interval, it continues to accept changes. Upon receiving a message, the partner domain
controllers copy the modification from the original domain controller. In the event that no changes were
noted during a configurable period (six hours, by default), a replication sequence ensures that all possible
modifications are communicated. Replication within a site involves the transmission of uncompressed
data.
NOTE
Security-related modifications are replicated within a site immediately. These changes include account
and individual user lockout policies, changes to password policies, changes to computer account
passwords, and modifications to the Local Security Authority (LSA).
Replication between sites assumes that there are network-connectivity problems, including insufficient
bandwidth, reliability, and increased cost. Therefore, the Active Directory permits the system to make
decisions on the type, frequency, and timing of intersite replication. All replication objects transmitted
between sites are compressed, which may reduce traffic by 10 to 25 percent, but because this is not
sufficient to guarantee proper replication, the system administrator has the responsibility of scheduling
intersite replication.
Replication Component Objects
Whereas the KCC represents the process elements associated with replication, the following comprise the
Active Directory object components:
Connection object. Domain controllers become replication “partners” when linked by a connection
object. This is represented by a one-way path between two domain controller server objects.
Connection objects are created by the KCC by default. They can also be manually created by the
system administrator.
NTDS settings object. The NTDS settings object is a container that is automatically created by the
Active Directory. It contains all of the connection objects, and is a child of the server object.
Server object. The Active Directory represents every computer as a computer object. The domain
controller is also represented by a computer object, plus a specially created server object. The server
object’s parent is the site object that defines its IP subnet. However, in the event that the domain
controller server object was created prior to site creation, it will be necessary to manually define the IP
subnet to properly assign the domain controller a site.
When it is necessary to link multiple sites, two additional objects are created to manage the replication
topology.
Site link. The site link object specifies a series of values (cost, interval, and schedule) that define the
connection between sites. The KCC uses these values to manage replication and to modify the
replication path if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used
by default until the system administrator intervenes. The cost value, ranging from 1 to 32767, is an
arbitrary, administrator-assigned estimate of the expense of transmitting data over the link, usually
derived from its bandwidth; lower-cost routes are preferred. The replication interval sets how often
replication occurs over the link while the schedule permits it: the minimum is 15 minutes, the maximum
is once a week (10080 minutes), and the default is three hours (180 minutes). The schedule establishes
the hours during which replication is allowed. Replication is permitted at any time by default, but the
system administrator may want to allow it only during off-peak network hours.
Site link bridges. The site link bridge object defines a set of links that communicate via the same
protocol. By default, all site links use the same protocol, and are transitive. Moreover, they belong to a
single site link bridge. No configuration is necessary to the site link bridge if the IP network is fully
routed. Otherwise, manual configuration may be necessary.
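The route selection that those cost values drive, as an added PowerShell example (not code from this page, from Microsoft, or from Windows): a least-cost search over a table of site links, which is the calculation the ISTG performs when it decides which remote site a bridgehead should pull from. The site names, the link set and the costs are constructed to mirror the Site A/B/C/D layout discussed later on this page, with a deliberately expensive direct B-C link added so that the cheaper route through Site A wins; none of them come from a real directory. PowerShell 3.0 or later is assumed for the `[pscustomobject]` syntax.

```powershell
# Added example: least-cost intersite route selection over site link costs.
# The links below are constructed for illustration; in a real forest they would be
# read from the Inter-Site Transports container (e.g. Get-ADReplicationSiteLink on
# a Windows Server 2012 or later AD module, an assumption about the environment).
$siteLinks = @(
    @{ Name = 'A-B'; Sites = @('SiteA', 'SiteB'); Cost = 100 },
    @{ Name = 'A-C'; Sites = @('SiteA', 'SiteC'); Cost = 100 },
    @{ Name = 'B-C'; Sites = @('SiteB', 'SiteC'); Cost = 300 },   # expensive direct link
    @{ Name = 'A-D'; Sites = @('SiteA', 'SiteD'); Cost = 500 }
)

function Get-CheapestSiteRoute {
    param([string]$From, [string]$To, [array]$Links)
    # Dijkstra over sites; a site link with N member sites connects every pair of them,
    # which is how transitive (bridged) links behave.
    $dist = @{ $From = 0 }
    $prev = @{}
    $visited = @{}
    $sites = $Links | ForEach-Object { $_.Sites } | Sort-Object -Unique
    foreach ($s in $sites) { if (-not $dist.ContainsKey($s)) { $dist[$s] = [int]::MaxValue } }

    while ($true) {
        # Pick the cheapest unvisited, reachable site.
        $current = $dist.Keys |
            Where-Object { -not $visited[$_] -and $dist[$_] -lt [int]::MaxValue } |
            Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $current) { break }
        $visited[$current] = $true
        foreach ($link in $Links | Where-Object { $_.Sites -contains $current }) {
            foreach ($n in $link.Sites | Where-Object { $_ -ne $current }) {
                $alt = $dist[$current] + $link.Cost
                if ($alt -lt $dist[$n]) {
                    $dist[$n] = $alt
                    $prev[$n] = @{ Site = $current; Link = $link.Name }
                }
            }
        }
    }

    # Walk back from the destination to list the sites and links the route uses.
    $path = @(); $hops = @(); $cursor = $To
    while ($cursor -ne $From) {
        if (-not $prev.ContainsKey($cursor)) { return $null }   # no site link path at all
        $path = ,$cursor + $path
        $hops = ,$prev[$cursor].Link + $hops
        $cursor = $prev[$cursor].Site
    }
    [pscustomobject]@{
        Route = (,$From + $path) -join ' -> '
        Links = $hops -join ','
        Cost  = $dist[$To]
    }
}

Get-CheapestSiteRoute -From 'SiteB' -To 'SiteC' -Links $siteLinks
Get-CheapestSiteRoute -From 'SiteB' -To 'SiteD' -Links $siteLinks
```

With these constructed costs the B-to-C query returns the route SiteB -> SiteA -> SiteC over links A-B,A-C at cost 200, beating the direct B-C link at 300, and the B-to-D query is forced through Site A at cost 600. The KCC only falls back to a more expensive route when the cheaper one is unusable, so the costs you assign are effectively the routing policy for directory data, including the password hashes and LSA secrets it carries.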
Further information:
http://technet.microsoft.com/en-us/library/cc775549%28v=ws.10%29.aspx
What Is Active Directory Replication Topology?
Updates to Active Directory objects are replicated between multiple domain controllers to
keep replicas of directory partitions synchronized. Multiple domains are common in large organizations, as
are multiple sites in disparate locations. In addition, domain controllers for the same domain are
commonly placed in more than one site.
Therefore, replication must often occur both within sites and between sites to keep domain and forest data
consistent among domain controllers that store the same directory partitions. Site objects can be
configured to include a set of subnets that provide local area network (LAN) network speeds. As such,
replication within sites generally occurs at high speeds between domain controllers that are on the same
network segment. Similarly, site link objects can be configured to represent the wide area network (WAN)
links that connect LANs. Replication between sites usually occurs over these WAN links, which might be
costly in terms of bandwidth. To accommodate the differences in distance and cost of replication within a
site and replication between sites, the intrasite replication topology is created to optimize speed, and the
intersite replication topology is created to minimize cost.
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain
controller and is responsible for creating the connections between domain controllers that collectively form
the replication topology. The KCC uses Active Directory data to determine where (from what source
domain controller to what destination domain controller) to create these connections.
..
The following diagram shows the interaction of these technologies with the replication topology, which is
indicated by the two-way connections between each set of domain controllers.
Replication Topology and Dependent Technologies
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx
How Active Directory Replication Topology Works
..
Replication Topology Physical Structure
The Active Directory replication topology can use many different components. Some components are
required and others are not required but are available for optimization. The following diagram illustrates
most replication topology components and their place in a sample Active Directory multisite and
multidomain forest. The depiction of the intersite topology that uses multiple bridgehead servers for each
domain assumes that at least one domain controller in each site is running at least Windows Server 2003.
All components of this diagram and their interactions are explained in detail later in this section.
Replication Topology Physical Structure
In the preceding diagram, all servers are domain controllers. They independently use global knowledge of
configuration data to generate one-way, inbound connection objects. The KCCs in a site collectively create an
intrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an
intersite topology. Within sites, one-way arrows indicate the inbound connections by which each domain
controller replicates changes from its partner in the ring. For intersite replication, one-way arrows represent
inbound connections that are created by the ISTG of each site from bridgehead servers (BH) for the same
domain (or from a global catalog server [GC] acting as a bridgehead if the domain is not present in the site)
in other sites that share a site link. Domains are indicated as D1, D2, D3, and D4.
Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a site
object in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way
replication can occur, and each WAN link is represented in Active Directory as a site link object. Site link
objects allow connections to be created between bridgehead servers in each site that is connected by the site
link. Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses
the RPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses
the SMTP protocol for the replication transport to replicate the configuration and schema directory partitions
and global catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to
replicate writable domain directory partitions, this transport is required because a TCP/IP connection is not
available between Site A and Site D.
This configuration is acceptable for replication because Site D does not host domain controllers for any
domains that must be replicated over the site link A-D. By default, site links A-B and A-C are transitive
(bridged), which means that replication of domain D2 is possible between Site B and Site C, although no site
link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the
routing preference for replication, which is based on the aggregated cost of available site links. The cost of a
direct connection between Site C and Site B is the sum of costs on site links A-B and A-C. For this reason,
replication between Site B and Site C is automatically routed through Site A to avoid the more expensive,
transitive route. Connections are created between Site B and Site C only if replication through Site A
becomes impossible due to network or bridgehead server conditions.
…
Control Replication Latency and Cost
Replication latency is inherent in a multimaster directory service. A period of replication latency begins
when a directory update occurs on an originating domain controller and ends when replication of the
change is received on the last domain controller in the forest that requires the change. Generally, the
latency that is inherent in a WAN link is relative to a combination of the speed of the connection and the
available bandwidth. Replication cost is an administrative value that can be used to indicate the latency that
is associated with different replication routes between sites. A lower-cost route is preferred by the ISTG
when generating the replication topology.
Site topology is the topology as represented by the physical network: the LANs and WANs that connect
domain controllers in a forest. The replication topology is built to use the site topology. The site topology is
represented in Active Directory by site objects and site link objects. These objects influence Active Directory
replication to achieve the best balance between replication speed and the cost of bandwidth utilization by
distinguishing between replication that occurs within a site and replication that must span sites. When the
KCC creates replication connections between domain controllers to generate the replication topology, it
creates more connections between domain controllers in the same site than between domain controllers in
different sites. The results are lower replication latency within a site and less replication bandwidth
utilization between sites.
Within sites, replication is optimized for speed as follows:
Connections between domain controllers in the same site are always arranged in a ring, with possible
additional connections to reduce latency.
Replication within a site is triggered by a change notification mechanism when an update occurs,
moderated by a short, configurable delay (because groups of updates frequently occur together).
Data is sent uncompressed, and thus without the processing overhead of data compression.
Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:
Replication data is compressed to minimize bandwidth consumption over WAN links.
Store-and-forward replication makes efficient use of WAN links: each update crosses an expensive link
only once.
Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.
The intersite topology is a layering of spanning trees (one intersite connection between any two sites for
each directory partition) and generally does not contain redundant connections.
…
Topology-Related Objects in Active Directory
Active Directory stores replication topology information in the configuration directory partition. Several
configuration objects define the components that are required by the KCC to establish and implement the
replication topology:
..
Site Link Objects
For a connection object to be created on a destination domain controller in one site that specifies a source
domain controller in another site, you must manually create a site link object (class siteLink) that connects
the two sites. Site link objects identify the transport protocol and scheduling required to replicate between
two or more sites. You can use Active Directory Sites and Services to create the site links. The KCC uses the
information stored in the properties of these site links to create the intersite topology connections.
A site link is associated with a network transport by creating the site link object in the appropriate transport
container (either IP or SMTP). All intersite domain replication must use IP site links. The Simple Mail
Transfer Protocol (SMTP) transport can be used for replication between sites that contain domain controllers
that do not host any common domain directory partition replicas.
Site Link Properties
A site link specifies the following:
Two or more sites that are permitted to replicate with each other.
An administrator-defined cost value associated with that replication path. The cost value controls the route
that replication takes, and thus the remote sites that are used as sources of replication information.
A schedule during which replication is permitted to occur.
An interval that determines how frequently replication occurs over this site link during the times when the
schedule allows replication.
Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named
DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports
container). This site link contains only one site, Default-First-Site-Name.
QUESTION 29
Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run
only domain controllers that run Windows Server 2008.
The domain functional level of contoso.com is Windows Server 2008. The domain functional level of
fabrikam.com is Windows Server 2003 Native mode.
You configure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encryption option.
What should you do?
A. Raise the forest functional level of fabrikam.com to Windows Server 2008.
B. Raise the domain functional level of fabrikam.com to Windows Server 2008.
C. Raise the forest functional level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentication.
Correct Answer: B
Explanation
Explanation/Reference:
Answer: Raise the domain functional level of fabrikam.com to Windows Server 2008.
Explanation:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest
capabilities. They also determine which Windows Server operating systems you can run on domain
controllers in the domain or forest. However, functional levels do not affect which operating systems you can
run on workstations and member servers that are joined to the domain or forest.
..
Features that are available at domain functional levels
..
Windows Server 2008
All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level,
and the following features are available:
..
* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for
TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the
domain password needs to be changed. (The password in question is that of the krbtgt account: an account's
AES keys are derived from its password only when the password is set while AES is available, so TGTs keep
using RC4 until the krbtgt password has been reset at the new level.)
…
Further information:
http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx
Kerberos Enhancements
..
Requirements
All Kerberos authentication requests involve three different parties: the client requesting a connection, the
server that will provide the requested data, and the Kerberos KDC that provides the keys that are used to
protect the various messages. This discussion focuses on how AES can be used to protect these Kerberos
authentication protocol messages and data structures that are exchanged among the three parties. Typically,
when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will
use AES. However, if one of the parties is an operating system running Windows 2000 Professional,
Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.
QUESTION 30
All consultants belong to a global group named TempWorkers. You place three file servers in a new
organizational unit named SecureServers. The three file servers contain confidential data located in shared
folders.
You need to record any failed attempts made by the consultants to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this
computer from the network user rights setting for the TempWorkers global group.
B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use
Failure audit policy setting.
C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access
Failure audit policy setting.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the
Failed Full control setting in the Auditing Entry dialog box.
E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
Correct Answer: CE
Explanation
Explanation/Reference:
Answer: On each shared folder on the three file servers, add the TempWorkers global group to the Auditing
tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access
Failure audit policy setting.
Explanation:
http://technet.microsoft.com/en-us/library/cc771070.aspx
Apply or Modify Auditing Policy Settings for a Local File or Folder
You can apply audit policies to individual files and folders on your computer by setting the permission type
to record successful access attempts or failed access attempts in the security log.
..
To apply or modify auditing policy settings for a local file or folder
1. Open Windows Explorer.
2. Right-click the file or folder that you want to audit, click Properties, and then click the Security tab.
3. Click Edit, and then click Advanced.
4. In the Advanced Security Settings for dialog box, click the Auditing tab.
..
7. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:
..
* To audit unsuccessful events, select the Failed check box.
..
…
http://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx
Audit object access
Description
This security setting determines whether to audit the event of a user accessing an object (for example, a
file, folder, registry key, printer, and so forth) that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the
event type at all. Success audits generate an audit entry when a user successfully accesses an object that has
an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to
access an object that has a SACL specified.
Further information:
Practically the same as J/Q5.
Reference: Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
Auditing Resource Access
Object access can be audited, although it is not one of the recommended settings. Auditing object access
can place a significant load on the servers, so it should only be enabled when it is specifically needed.
Auditing object access is a two-step process: Step one is enabling "Audit object access" and step two is
selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and
success events will be logged. The two options are as follows:
Audit object access failure enables you to see if users are attempting to access objects to which they have
no rights. This shows unauthorized attempts.
Audit object access success enables you to see usage patterns. This shows misuse of privilege.
After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and
printers.
Auditing Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the
property pages for those files or folders. Keep in mind that the more files and folders that are audited, the
more events that can be generated, which can increase administrative overhead and system resource
requirements. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the
following:
1. In Windows Explorer, right-click the file or folder to audit and select Properties.
2. Select the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
4. Click the Add button to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names
button to verify the name.
QUESTION 31
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is
configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Correct Answer: AB
Explanation
Explanation/Reference:
Answer: Import the enterprise root CA certificate. Import the OCSP Response Signing certificate.
Explanation:
Strictly, an Online Responder answers OCSP status requests rather than issuing CRLs itself. Its revocation
configuration is built from the CA certificate of the CA it answers for (which is also where it learns the CRL
distribution points it consumes), and it signs its responses with a certificate issued to the responder from the
OCSP Response Signing template.
Further information:
http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx
Online Responder Installation, Configuration, and Troubleshooting Guide
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation
lists (CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509
certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL)
and smart cards, are required to validate the status of the certificates used when performing authentication,
signing, or encryption operations. The certificate status and revocation checking is the process by which the
validity of certificates is verified based on two main categories: time and revocation status.
..
Although validating the revocation status of certificates can be performed in multiple ways, the common
mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses.
…
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx
Designing and Implementing a PKI: Part I Design and Planning
http://technet.microsoft.com/en-us/library/cc725937.aspx
Set Up an Online Responder
http://technet.microsoft.com/en-us/library/cc731099.aspx
Creating a Revocation Configuration
QUESTION 32
Your company has an Active Directory forest. The forest includes organizational units corresponding to the
following four locations:
London
Chicago
New York
Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains all the
users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is
connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the
GPO to each Sales organizational unit.
B. Disable the slow link detection setting in the Group Policy Object (GPO).
C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).
D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers.
Link the GPO to each Sales organizational unit.
Correct Answer: BD
Explanation
Explanation/Reference:
Answer: Disable the slow link detection setting in the Group Policy Object (GPO).
Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link
the GPO to each Sales organizational unit.
Explanation:
http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx
Specifying Group Policy for Slow Link Detection
Administrators can partially control which Group Policy extensions are processed over a slow link. By
default, when processing over a slow link, not all components of Group Policy are processed. Table 2.6
shows the default settings for processing Group Policy over slow links.

Administrators can use a Group Policy setting to define a slow link for the purposes of applying and
updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link.
http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx
Assigning and Publishing Software
..
Assigning software to computers
After you assign a software package to computers in a site, domain, or OU, the software is installed the
next time the computer restarts or the user logs on.
Further information:
http://technet.microsoft.com/en-us/library/cc978717.aspx
Group Policy slow link detection
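For QUESTION 29 above, the check a practitioner runs before and after raising the domain functional level, written here as an added PowerShell example (not code from this page or from Microsoft's documentation). It decodes msDS-SupportedEncryptionTypes into the Kerberos encryption types an account advertises, and reports the domain mode together with when the account's password was last set, because an account's AES keys are derived only when its password is set at a level where AES is available. It assumes the ActiveDirectory RSAT module, a domain-joined session and PowerShell 3.0 or later; the account name svc-backup is a hypothetical placeholder.

```powershell
# Added example (not part of the original page). Assumes the ActiveDirectory module
# and a domain-joined session; 'svc-backup' is a hypothetical account name.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypeFlags = [ordered]@{
    'DES_CBC_CRC'             = 0x01
    'DES_CBC_MD5'             = 0x02
    'RC4_HMAC'                = 0x04
    'AES128_CTS_HMAC_SHA1_96' = 0x08
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}

function ConvertFrom-EncTypeMask {
    # Returns the names of the encryption types set in the bitmask.
    # An unset attribute (null, read as 0) means the KDC treats the account as RC4-only.
    param([int]$Mask)
    if ($Mask -eq 0) { return @('NOT_SET (treated as RC4_HMAC)') }
    @($EncTypeFlags.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key })
}

function Test-KerberosAesReadiness {
    param([string]$Identity = 'svc-backup')
    $domain = Get-ADDomain
    # DomainMode is an enum; Windows2008Domain and higher can issue AES TGTs.
    $modeOk = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $acct = Get-ADUser -Identity $Identity -Properties 'msDS-SupportedEncryptionTypes', PasswordLastSet
    $mask = [int]$acct.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        DomainMode        = $domain.DomainMode
        AesCapableLevel   = $modeOk
        Account           = $acct.SamAccountName
        SupportedEncTypes = (ConvertFrom-EncTypeMask $mask) -join ','
        AdvertisesAes     = [bool]($mask -band 0x18)
        PasswordLastSet   = $acct.PasswordLastSet
    }
}

# Decode without touching a domain: 28 (0x1C) is the value Windows sets on domain
# controller computer accounts (RC4 + AES128 + AES256); 4 is RC4 only.
ConvertFrom-EncTypeMask 28
ConvertFrom-EncTypeMask 4
Test-KerberosAesReadiness
```

Read the result in two halves: AesCapableLevel tells you whether the KDC can issue AES tickets at all, and PasswordLastSet tells you whether this particular account's keys were generated after that point. For the KDC's own TGT keys the account that matters is krbtgt, which is what the "domain password needs to be changed" sentence in the explanation refers to. An account whose attribute is unset, or set to 4, will keep negotiating RC4 even in a Windows Server 2008 domain, which is the downgrade an attacker relies on when requesting RC4-encrypted service tickets to crack offline.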
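For QUESTION 30 above, the same two-step configuration in PowerShell, followed by the query an investigator runs against the events it produces. This is an added example, not code from this page or from the cited references; the group name, folder path and server name are assumptions. auditpol sets the local effective policy on the server being configured, which is what the GPO linked to SecureServers does centrally, and Set-Acl writes the SACL, which requires an elevated session holding SeSecurityPrivilege.

```powershell
# Added example (not part of the original page). Run elevated on each of the three
# file servers. Group, path and computer name below are assumptions.
$Group   = 'CONTOSO\TempWorkers'
$Folders = @('D:\Shares\Confidential')

# Step 1, the policy half: enable failure auditing for object access. With advanced
# audit policy the relevant subcategory for files and folders is "File System".
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# Step 2, the SACL half: add a Failure audit entry for Full Control that inherits
# to subfolders and files, matching "Failed / Full control" in the Auditing Entry dialog.
function Add-FailureAuditEntry {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Failure)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Read the SACL back so the change is verified rather than assumed.
    (Get-Acl -Path $Path -Audit).Audit | Where-Object { $_.IdentityReference -eq $Identity }
}
foreach ($f in $Folders) { Add-FailureAuditEntry -Path $f -Identity $Group }

# Step 3, what the auditor reads: a denied handle request is logged as event 4656 with
# the Audit Failure keyword (0x10000000000000). Pull the useful fields out of the XML.
function Get-FailedObjectAccess {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        Keywords  = 0x10000000000000
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessList
            Process = $d.ProcessName
        }
    }
}

Get-FailedObjectAccess | Sort-Object Time -Descending | Format-Table -AutoSize
```

Both halves are required: with the SACL in place but the policy off, nothing is written to the Security log, and with the policy on but no SACL, nothing is selected for auditing. Note that the SACL names the group and Windows evaluates group membership at logon, so a consultant's denied attempt is attributed to their own account in SubjectUserName, which is the field you pivot on in the investigation.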
QUESTION 33
Your company has a domain controller server that runs the Windows Server 2008 R2 operating
system.
The server is a backup server.
The server has a single 500-GB hard disk that has three partitions for the operating system,
applications, and data.
You perform daily backups of the server.
The hard disk fails.
You replace the hard disk with a new hard disk of the same capacity.
You restart the computer on the installation media.
You select the Repair your computer option.
You need to restore the operating system and all files.
What should you do?
A. Select the System Image Recovery option.
B. Run the Imagex utility at the command prompt.
C. Run the Wbadmin utility at the command prompt.
D. Run the Rollback utility at the command prompt.
Correct Answer: A
Explanation
Explanation/Reference:
!***
Old answer: Run the Wbadmin utility at the command prompt.
Answer: Select the System Image Recovery option.
Explanation:
http://technet.microsoft.com/en-us/library/cc755163.aspx
Recover the Operating System or Full Server
Applies To: Windows Server 2008 R2
You can recover your server operating system or full server by using Windows Recovery Environment and
a backup that you created earlier with Windows Server Backup.
You can access the recovery and troubleshooting tools in Windows Recovery Environment through the
System Recovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to
launch this wizard, use the Windows Setup disc or start/restart the computer, press F8, and then select
Repair Your Computer from the list of startup options.
..
To recover your operating system or full server using a backup created earlier and Windows Setup disc
1. Insert the Windows Setup disc that has the same architecture of the system that you are trying to
recover into the CD or DVD drive and start or restart the computer. If needed, press the required key to
boot from the disc. The Install Windows Wizard should appear.
2. In Install Windows, specify language settings, and then click Next.
3. Click Repair your computer.
4. Setup searches the hard disk drives for an existing Windows installation and then displays the results
in System Recovery Options. If you are recovering the operating system onto separate hardware, the
list should be empty (there should be no operating system on the computer). Click Next.
5. On the System Recovery Options page, click System Image Recovery. This opens the Re-image your
computer page.

http://technet.microsoft.com/en-us/magazine/dd767786.aspx
Use the Wbadmin Backup Command Line Utility in Windows Server 2008
Wbadmin is the command-line counterpart to Windows Server Backup. You use Wbadmin to manage all
aspects of backup configuration that you would otherwise manage in Windows Server Backup. This means
that you can typically use either tool to manage backup and recovery.
After you’ve installed the Backup Command-Line Tools feature, you can use Wbadmin to manage backup
and recovery. Wbadmin is located in the %SystemRoot%\System32\ directory. As this directory is in your
command path by default, you do not need to add this directory to your command path.
Further information:
http://technet.microsoft.com/en-us/library/cc754015%28v=ws.10%29.aspx
Wbadmin
Enables you to back up and restore your operating system, volumes, files, folders, and applications
from a command prompt.
Subcommands
Remarks
The wbadmin command replaces the ntbackup command that was released with previous versions of
Windows. You cannot recover backups that you created with ntbackup by using wbadmin. However, a
version of ntbackup is available as a download for Windows Server 2008, Windows Vista, Windows
Server 2008 R2, or Windows 7 users who want to recover backups that they created using ntbackup. This
downloadable version of ntbackup enables you to perform recoveries only of legacy backups, and it
cannot be used on computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2,
or Windows 7 to create new backups.
http://technet.microsoft.com/en-us/library/dd979562%28v=ws.10%29.aspx
Backup and Recovery Overview for Windows Server 2008 R2
Windows Server 2008 R2 contains features to help you create backups and, if needed, perform a recovery
of your operating system, applications, and data. By using these features appropriately and implementing
good operational practices, you can improve your organization’s ability to recover from damaged or lost
data, hardware failures, and disasters. For Windows Server 2008 R2, there are new features that expand
what you can back up, where you can store backups, and how you can perform recoveries.
..
This table summarizes the tools you can use to perform the following backup or recovery tasks for your
computers running Windows Server 2008 R2:
What is Windows Recovery Environment?
You can access the recovery and troubleshooting tools in Windows Recovery Environment through the
System Recovery Options dialog box in the Install Windows Wizard.
In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the
computer, press F8, and then select Repair Your Computer from the list of startup options.
Features in Windows Recovery Environment
The tools in Windows Recovery Environment include:
System Image Recovery. You can use this tool and a backup that you created earlier with Windows
Server Backup to restore your operating system or full server.
Windows Memory Diagnostic. You can use this tool (which is a memory diagnostic schedule) to check
your computer’s RAM. Doing this requires a restart. In addition, this tool requires a valid Windows
Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 installation to function.
Command Prompt. This opens a command prompt window with Administrator privileges that provides
full access to your file system and volumes. In addition, certain Wbadmin commands are only
available from this command window.
QUESTION 34
You need to remove the Active Directory Domain Services role from a domain controller named
DC1.
What should you do?
A. Run the netdom remove DC1 command.
B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.
C. Run the nltest /remove_server: DC1 command.
D. Reset the Domain Controller computer account by using the Active Directory Users and Computers
utility.
Correct Answer: B
Explanation
Explanation/Reference:
Answer: Run the Dcpromo utility. Remove the Active Directory Domain Services role.
Explanation:
http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx
Removing a Domain Controller from a Domain
..
To remove a domain controller by using the Windows interface
1. Click Start, click Run, type dcpromo, and then press ENTER.

Further information:
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the command
prompt.
Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is
available if you have the Active Directory Domain Services (AD DS) server role installed. It is also
available if you install the Active Directory Domain Services Tools that are part of the Remote Server
Administration Tools (RSAT).
Commands
Netdom remove
..
Removes a workstation or server from the domain.

http://technet.microsoft.com/en-us/library/cc731935%28v=ws.10%29.aspx
Nltest
Performs network administrative tasks.
Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is
available if you have the AD DS or the AD LDS server role installed. It is also available if you install the
Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
You can use nltest to:
Get a list of domain controllers
Force a remote shutdown
Query the status of trust
Test trust relationships and the state of domain controller replication in a Windows domain
Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers
Personal comment #1:
There is no /remove_server switch for the nltest command
Personal comment #2:
Resetting the Domain Controller’s computer account has nothing to do with this question
QUESTION 35
Your company has an Active Directory forest.
The company has branch offices in three locations.
Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs only to
their respective organizational units.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch
organizational units to the branch office administrators.
B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their
respective organizational units.
D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch
office administrators.
Correct Answer: AB
Explanation
Explanation/Reference:
Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their branch
organizational units to the branch office administrators.
Add the user accounts of the branch office administrators to the Group Policy Creator Owners
Group.
Explanation:
http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit
To delegate control of an organizational unit
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click
Administrative Tools and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
Where?
Active Directory Users and Computers\domain node\organizational unit
3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the
wizard.
http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx
Delegating Administration of Group Policy
Your Group Policy design will probably call for delegating certain Group Policy administrative tasks.
Determining to what degree to centralize or distribute administrative control of Group Policy is one of the
most important factors to consider when assessing the needs of your organization. In organizations that
use a centralized administration model, an IT group provides services, makes decisions, and sets
standards for the entire company. In organizations that use a distributed administration model, each
business unit manages its own IT group.
You can delegate the following Group Policy tasks:
Creating GPOs
Managing individual GPOs (for example, granting Edit or Read access to a GPO)
etc.

Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default,
only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM
can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative
group to be able to create GPOs, that user or group can be added to the Group Policy
Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects
container in GPMC to delegate creation of GPOs. When a non-administrator who is a member of the
Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and
can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator
Owners group cannot link GPOs to containers unless they have been separately delegated the right to do
so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives
the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner
members do not have permissions for GPOs that they do not create.
Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator
Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs.
Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default,
non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create
and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the
Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain
Admin or someone else who has been delegated permissions to link GPOs on a container can link the
GPO as appropriate.
Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or
user this permission:
Add the group or user to the Group Policy Creator Owners group. This was the only method
available prior to GPMC.
Explicitly grant the group or user permission to create GPOs. This method is newly available with
GPMC.
You can manage this permission by using the Delegation tab on the Group Policy objects container for a
given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain,
including the Group Policy Creator Owners group. From this tab, you can modify the membership of
existing groups that have this permission, or add new groups.
Because the Group Policy Creator Owners group is a domain global group, it cannot contain members
from outside the domain. Being able to grant users permissions to create GPOs without using Group
Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC,
this task cannot be delegated to members outside the domain.
If you require that users outside the domain have the ability to create GPOs, create a new domain local
group in the domain (for example, “GPCO – External”), grant that group GPO creation permissions in the
domain, and then add domain global groups from external domains to that group. For users and groups in
the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation
permissions.
Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation
permissions directly using the new method available in GPMC are identical in terms of permissions.
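The two separate rights described above (GPO creation via Group Policy Creator Owners, and link rights scoped to a single OU) can be granted and then audited from PowerShell. This is an added example, not code from the exam page or from Microsoft; it assumes the RSAT ActiveDirectory module is available, and the OU and group names are placeholders.

```powershell
# Added example, not code from the exam page or from Microsoft: delegate the two separate
# rights the text describes (create GPOs; link GPOs on one OU) and then audit where link
# rights exist. Assumes the RSAT ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$BranchOU     = 'OU=Branch1,DC=contoso,DC=com'   # placeholder branch OU
$BranchAdmins = 'Branch1-GPOAdmins'              # placeholder group of branch admins

# Right 1: GPO creation is a per-domain permission granted via Group Policy Creator Owners.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $BranchAdmins

# Right 2: linking is write access to gPLink and gPOptions on the container itself.
# Look the attribute GUIDs up in the schema instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$guidOf = @{}
foreach ($attr in 'gPLink', 'gPOptions') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $guidOf[$attr] = [guid]$schemaObj.schemaIDGUID
}
$sid = (Get-ADGroup -Identity $BranchAdmins).SID
$acl = Get-Acl -Path "AD:\$BranchOU"
foreach ($attr in 'gPLink', 'gPOptions') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guidOf[$attr],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$BranchOU" -AclObject $acl   # scoped to the branch OU only, never the domain root

# Audit: list every principal that can write gPLink at the domain root and on each OU.
# A branch group appearing at the domain root would be the over-delegation of answer D.
function Get-GpoLinkDelegation {
    param([string]$DistinguishedName)
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
            ($_.ObjectType -eq $guidOf['gPLink'] -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object @{ n = 'Container'; e = { $DistinguishedName } }, IdentityReference, IsInherited
}
$domainDN = (Get-ADDomain).DistinguishedName
$containers = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$containers | ForEach-Object { Get-GpoLinkDelegation -DistinguishedName $_ } | Format-Table -AutoSize
```

Entries with an empty ObjectType are full-object write grants (for example Domain Admins), so the audit lists them alongside the attribute-specific delegation.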
QUESTION 36
Your company has an Active Directory domain.
A user attempts to log on to the domain from a client computer and receives the following message:
“This user account has expired. Ask your administrator to reactivate the account.”
You need to ensure that the user is able to log on to the domain.
What should you do?
A. Modify the properties of the user account to set the account to never expire.
B. Modify the properties of the user account to extend the Logon Hours setting.
C. Modify the default domain policy to decrease the account lockout duration.
D. Modify the properties of the user account to set the password to never expire.
Correct Answer: A
Explanation
Explanation/Reference:
Answer: Modify the properties of the user account to set the account to never expire.
Explanation:
Further information:
http://technet.microsoft.com/en-us/library/dd145547.aspx
User Properties – Account Tab
Account expires
Sets the account expiration policy for this user. You can select between the following options:
Use Never to specify that the selected account will never expire. This option is the default for new
users.
Select End of and then select a date if you want to have the user’s account expire on a specified date.
QUESTION 37
You have an existing Active Directory site named Site1.
You create a new Active Directory site and name it Site2.
You need to configure Active Directory replication between Site1 and Site2.
You install a new domain controller.
You create the site link between Site1 and Site2.
What should you do next?
A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new
domain controller object to Site2.
B. Use the Active Directory Sites and Services console to configure a new site link bridge object.
C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and
Site2.
D. Use the Active Directory Sites and Services console to configure the new domain controller as a
preferred bridgehead server for Site1.
Correct Answer: A
Explanation
Explanation/Reference:
http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-Replication.htm
Inter-site Replication
The process of creating a custom site link has five basic steps:
1. Create the site link.
2. Configure the site link’s associated attributes.
3. Create site link bridges.
4. Configure connection objects. (This step is optional.)
5. Designate a preferred bridgehead server. (This step is optional)
http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspx
Replication between sites
QUESTION 38
Your company has an Active Directory forest.
Each branch office has an organizational unit and a child organizational unit named Sales.
The Sales organizational unit contains all users and computers of the sales department.
You need to install an Office 2007 application only on the computers in the Sales organizational
unit.
You create a GPO named SalesApp GPO.
What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the
Sales organizational unit in each location.
B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the
domain.
C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales
organizational unit in each location.
D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales
organizational unit in each location.
Correct Answer: A
Explanation
Explanation/Reference:
Almost the same as B/Q21
Self-explanatory.
QUESTION 39
Your network consists of an Active Directory forest that contains one domain.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You have an Active Directory-integrated zone.
You have two Active Directory sites.
Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx
Repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/
How to force replication of Domain Controllers
From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it is just a
good tool to check the status of replication between DCs.
Below is a command to replicate from a specified DC to all other DC’s.
Repadmin /syncall DC_name /APed
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished
names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that
you did it in one step, not many. And with the benefit of seeing immediate results on how the operations
are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
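The question asks for the new NS record to reach every domain controller; pushing replication is only half of that, the other half is checking each DC's own copy of the zone. The script below is an added example, not from the exam page or the cited blog; it assumes repadmin.exe is present (it is on any DC), the RSAT ActiveDirectory and DnsClient modules are available, and the zone and host names are placeholders.

```powershell
# Added example, not from the exam page or the cited blog: push replication from this DC
# with repadmin /syncall /APed, then confirm every DC in the domain serves the new NS record.
# Assumes repadmin.exe is on the path, the ActiveDirectory and DnsClient modules are
# available (Resolve-DnsName needs the latter), and the values below are placeholders.
Import-Module ActiveDirectory

$Zone      = 'contoso.com'        # placeholder: the AD-integrated zone
$NewNsHost = 'dc11.contoso.com'   # placeholder: the NS record just added
$SourceDc  = $env:COMPUTERNAME    # run on the DC where the record was added

# /A all partitions, /P push from this DC, /e cross sites, /d show DNs instead of GUIDs
$output = & repadmin.exe /syncall $SourceDc /APed 2>&1
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin returned $LASTEXITCODE"; $output }

# Each DC answers from its own copy of the AD-integrated zone, so query every DC directly.
function Test-NsRecordOnAllDcs {
    param([string]$ZoneName, [string]$ExpectedNsHost)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ns = Resolve-DnsName -Name $ZoneName -Type NS -Server $dc.HostName -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            HasNewNsRecord   = ($ns -contains $ExpectedNsHost)
        }
    }
}
$result = Test-NsRecordOnAllDcs -ZoneName $Zone -ExpectedNsHost $NewNsHost
$result | Format-Table -AutoSize
# Replication is still asynchronous after /syncall; re-run the check if any DC shows False.
```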
QUESTION 40
Your company has a single Active Directory domain named intranet.contoso.com.
All domain controllers run Windows Server 2008 R2.
The domain functional level is Windows 2000 native and the forest functional level is Windows
2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO)
to contoso.com.
Correct Answer: C
Explanation
Explanation/Reference:
http://support.microsoft.com/kb/243629
HOW TO: Add UPN Suffixes to a Forest
Adding a UPN Suffix to a Forest
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN suffix to complete the user’s logon
name.
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server