Documente Academic
Documente Profesional
Documente Cultură
Version : V2.38
Build a foundation of knowledge which will be useful also after passing the exam.
Latest Version
We are constantly reviewing our products. New material is added and old material is revised. Free
updates are available for 90 days after the purchase. You should check your member zone at TestInside
1.Go to http://www.TestInside.com
3.The latest versions of all purchased products are downloadable from here. Just click the links.
Feedback
If you spot a possible improvement then please let us know. We always interested in improving product
quality.
Feedback should be send to sales(at)TestInside.com. You should include the following: Exam number,
Explanations
This product does not include explanations at the moment. If you are interested in providing explanations
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company network. Windows Server 2008 is run by all domain controllers that are configured as DNS
servers. A domain controller named DC01 has a standard primary zone for wiikigo.com. A domain controller
You have to make sure that the replication of the wiikigo.com zone is encrypted. You must not lose any
A. The zone transfer settings of the standard primary zone should be configured. The Master Servers lists
B. The interface that the DNS server listens on should be modified on both servers.
C. The primary zone should be converted into an Active Directory-integrated zone. The secondary zone
should be deleted.
D. The primary zone should be converted into an Active Directory-integrated stub zone. The secondary
Answer: C
2. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an organizational unit named
Production in your company. The Production organizational unit has a child organizational unit named R D.
After a GPO named Software Deployment is created by you, you link it to the Production organizational unit.
You create a shadow group for the R D organizational unit. You have to deploy an application to users in the
Production organizational unit. You also need to make sure that the application is not deployed to users in
the R D organizational unit. What are two possible ways to achieve this goal?
A. In order to achieve this goal, security filtering on the Software Deployment GPO should be configured to
B. In order to achieve this goal, the Enforce setting should be configured on the software deployment GPO.
C. In order to achieve this goal, the Block Inheritance setting should be configured on the R D
organizational unit.
organizational unit.
Answer: AC
3. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. You have a domain controller named
DC01. Windows Server 2008 is run by this domain controller. DC01 is configured as a DNS server for
wiikigo.com. You have the DNS Server server role installed on a member server which is named Server01
and then you create a standard secondary zone for wiikigo.com. DC01 is configured as the master server
for the zone. You have to make sure that Server01 receives zone updates from DC01. What action should
you perform?
A. The zone transfer settings for the wiikigo.com zone should be modified on DC01.
Answer: A
4. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There are two domain controllers named
DC01 and DC02 in your company. All domain and forest operations master roles are hosted by DC01.
Since you are the technical support, you are required to reinstall the operating system to rebuild DC01. In
addition, you are required to have all operations master roles rollbacked to their original state. A metadate
Which action should be performed to achieve the goal? (Choose three from the options below, and then put
A. 3->5->2
B. 3->6->1
C. 4->5->2
D. 4->6->1
Answer: A
5. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the
company. Not all domain controllers in the forest are configured as Global Catalog Servers. One root
domain and one child domain is contained in your domain structure. You modify the folder permissions on a
file server that is in the child domain. You find that some Access Control entries start with S-1-5-21 and that
no account name is listed. You have to list the account names. So what action should you perform?
A. The schema should be modified to enable replication of the friendlynames attribute to the Global
Catalog.
B. The RID master role in the child domain should be moved to a domain controller that holds the Global
Catalog.
C. The infrastructure master role in the child domain should be moved to a domain controller that does not
D. The RID master role in the child domain should be moved to a domain controller that does not hold the
Global Catalog.
Answer: C
6. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the
Each location has a child organizational unit named Sales. All the users and computers from the sales
department are contained in the Sales organizational unit. The offices in Paris, Huston, and Denver are
According to the company requirement, you have to install an application on all the computers in the sales
A. You should create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the
B. The slow link detection setting should be disabled in the Group Policy Object (GPO).
C. The slow link detection threshold setting should be configured to 1,544 Kbps (T1) in the Group Policy
Object (GPO).
D. You should create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.
Answer: AB
7. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. The company has an Active Directory
domain which is named ad.wiikigo.com. Luxware, Inc. has an Active Directory domain which is named
intranet.luxware.com. The transfer of internal DNS zone data outside the Luxware network is prevented by
Luxware security policy. According to the company requirement, you have to make sure that the Wiikkigo
users can resolve names from the intranet.luxware.com domain. So what action should you perform?
A. In order to make sure of this, conditional forwarding for the intranet.luxware.com domain should be
configured.
B. In order to make sure of this, a new stub zone should be created for the intranet.luxware.com domain.
C. In order to make sure of this, an Active Directoryintegrated zone should be created for the
intranet.luxware.com domain.
D. In order to make sure of this, a standard secondary zone should be created for the intranet.luxware.com
domain.
8. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. In your company, there is an Active
Directory domain named wiikigo.com. And there are two DNS servers named DNS01 and DNS02 on the
company network.
You can see the configuration of the DNS servers from the table below.
It is reported by the Domain users who are configured to utilize DNS02 as the preferred DNS server that
Since you are the technical report, you are required to have Internet name resolution enabled for all client
computers.
A. To achieve the goal, the Cache.dns file should be updated on DNS02. And then, conditional forwarding
B. To achieve the goal, the .(root) zone should be deleted from DNS02. And then, conditional forwarding
C. To achieve the goal, a copy of the .(root) zone should be created on DNS01.
D. To achieve the goal, the list of root hints servers should be updated on DNS02.
Answer: B
9. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in the
company. Only Windows Server 2003 domain controllers are contained in this forest. Now you receive an
order from the company, you have to prepare the Active Directory domain to install Windows Server 2008
Answer: BC
10. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain
named ad.wiikigo.com in your company. Two domain controllers named DC01 and DC02 are contained by
the domain. The DNS Server server role is installed by the two domain controllers. A new DNS server
named DNS01.wiikigo.com is installed on the perimeter network. DC01 is configured to forward all
unresolved name requests to DNS01.wiikigo.com. A problem occurred that the DNS forwarding option
cannot be used on DC02. Since you are the technical support, you are required to configure DNS
forwarding on the DC02 server to point to the DNS01.wiikigo.com server. Which action should be
Answer: AD
11. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a domain controller in your
company. Windows Server 2008 is run by the domain controller. In addition, the domain controller is
configured as a DNS server. According to the company requirements, you are required to have all inbound
DNS queries to the server recorded. Which action should be performed in the DNS Manager console?
A. In the DNS Manager console, event logging should be configured to log errors and warnings.
C. In the DNS Manager console, automatic testing for simple queries should be enabled.
D. In the DNS Manager console, automatic testing for recursive queries should be enabled.
Answer: B
12. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a server that runs Windows
Server 2008 in your company. The company configures Active Directory Certificate Services (AD CS) as a
stand-alone Certification Authority (CA) on the server. According to the company requirements, you are
required to audit modifications to the CA configuration settings and the CA security settings. To achieve the
goal, which tasks should be performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, auditing of successful and failed attempts should be enabled to write to files in the
%SYSTEM32%\CertLog directory.
B. To achieve the goal, the Audit object access setting should be enabled in the Local Security Policy for the
C. To achieve the goal, auditing in the Certification Authority snap-in should be configured.
D. To achieve the goal, auditing of successful and failed attempts should be enabled to modify permissions
Answer: BC
13. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Your network consists of an Active
Directory forest named contoso.com. All servers run Windows Server 2008. All domain controllers are
configured as DNS servers. The wiikigo.com DNS zone is stored in the ForestDnsZones Active Directory
application partition. You have a member server that contains a standard primary DNS zone for
dev.wiikigo.com. You have to make sure that all domain controllers can resolve names for dev.wiikigo.com.
A. The properties of the SOA record in the wiikigo.com zone should be modified.
Answer: C
14. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. The Active Directory Domain Services (AD
DS) role and the Active Directory Lightweight Directory Services (AD LDS) role are installed on a server
named DC01.An AD LDS instsance named LDS01 has its data stored on the C: drive.Since you are the
technical support, you are required to have the LDS01 instance relocated to the D: drive.
To achieve the goal, which actions should be performed to achieve the goal? (choose three options and put
1 The net stop ???Active Directory Domain Services??? command should be run.
6 The net start ???Active Directory Domain Services??? command should be run.
7 The Windows Backup tool should be utilized to back up and recover the LDS01 instance to the D: drive.
A. 2->3->6
B. 3->2->5
C. 7->3->4
D. 1->3->5
Answer: A
15. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There are two servers named S01 and
S02. Windows Server 2008 is run by the two servers. The company configures S01 as an Enterprise Root
technical support, you are required to configure S02 so as to have certificate revocation lists (CRLs) issued
for the enterprise root CA. to achieve the goal, which action should be performed? (Choose more than one.)
A. To achieve the goal, the Startup Type of the Certificate Propagation service should be set to Automatic.
C. To achieve the goal, the OCSP Response Signing certificate should be imported.
D. To achieve the goal, the S01 computer account should be added to the CertPublishers group.
Answer: BC
16. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. One of the domain controllers in a child
domain is being decommissioned. Since you are the technical support, you are required to move all domain
operations master roles within the child domain to a newly installed domain controller, and the newly
installed domain is in the same child domain. From the following five domain operations master roles, which
three should be moved to finish the task? (Choose more than one.)
A. To finish the task, Domain naming master should be moved to a newly installed domain controller.
B. To finish the task, RID master should be moved to a newly installed domain controller.
C. To finish the task, PDC emulator should be moved to a newly installed domain controller.
D. To finish the task, Schema master should be moved to a newly installed domain controller.
E. To finish the task, Infrastructure master should be moved to a newly installed domain controller.
Answer: BCE
17. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Now you receive an order from the
company management, you are asked to make sure that users who enter three successive invalid
passwords within 5 minutes are locked out for 5 minutes. So what should you do? (Choose more than one)
E. The Reset account lockout counter after setting should be set to 5 minutes.
F. The Account lockout threshold setting should be set to 3 invalid logon attempts.
Answer: BEF
18. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. And only Windows Server 2003 domain controllers are contained by an Active Directory forest.
Since you are the technical support, you are required to prepare the Active Directory domain so as to have
Windows Server 2008 domain controllers installed. Which actions should be performed to achieve the goal?
A. To achieve the goal, the forest functional level should be raised to Windows Server 2008.
B. To achieve the goal, the domain functional level should be raised to Windows Server 2008.
Answer: CD
19. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a head office and a branch office
in your company. A single-domain Active Directory forest is contained by your company. Two domain
controllers named DC01 and DC02 that run Windows Server 2008 are contained by the head office. And a
Windows Server 2008 read-only domain controller (RODC) named DC03 is contained by the branch office.
The DNS Server server role is held by all domain controllers which are configured as Active
Directory-integrated zones. Only secure updates are permitted by the DNS zones. You should enable
dynamic DNS updates on DC03. Which action should be performed to achieve the goal?
A. To achieve the goal, a custom application directory partition should be created on DC01. and then, the
C. To achieve the goal, the Dnscmd.exe /ZoneResetType command should be run on DC03.
D. To achieve the goal, Active Directory Domain Services on DC03 should be reinstalled as a writable
domain controller.
Answer: D
20. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. A new domain controller is installed in the domain. It is reported by a few users that the
domain cannot be logged on. According to the company requirements, the SRV records should be
A. On the new domain controller, the sc stop netlogon command should be run followed by the sc start
netlogon command.
B. On the new domain controller, the netsh interface reset command should be run.
C. On the new domain controller, the ipconfig /flushdns command should be run.
D. On the new domain controller, the dnscmd /EnlistDirectoryPartition command should be run.
Answer: A
21. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Now according to the company
requirement, you are decommissioning domain controllers that hold all forest-wide operations master roles.
According to the company requirement, all forest-wide operations master roles need to be transferred to
22. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. In the company, the default domain GPO
Microsoft SQL Server is installed on a computer named S01, and Windows Server 2008 is run by S01. A
Domain user rights are given to the SQLSer account. The SQL Server computer functions properly at the
beginning. However, it fails to run after several months. You find that the SQLSer user account is not locked
out.
Since you are the technical support, you are required to solve the problem of the server failure and stop the
What should be done to achieve the goal? (Choose more than one.)
A. To achieve the goal, the properties of the SQLSer account should be configured to User cannot change
password.
B. To achieve the goal, the local security policy on S01 should be configured to explicitly grant the SQLSer
C. To achieve the goal, the password of the SQLSer user account should be reset.
D. To achieve the goal, the local security policy on S01 should be configured to grant the Logon as a
E. To achieve the goal, the properties of the SQLSer account should be configured to Password never
expires.
Answer: CE
23. You work as a technology specialist in an international company named Wiikigo. Your major job is to
Directory infrastructure and maintaining Active Directory objects. There is a domain controller named DC01
that runs Windows Server 2008 in your company. And the company configures DC01 as a DNS server for
wiikigo.com. The DNS Server server role is installed on a member server named S01 and then a standard
secondary zone is created for wiikigo.com. DC01 is configured as the master server for the zone. You
should make sure that zone updates can be received by S01 from DC01. Which action should be
A. On DC01, the zone transfer settings for the wiikigo.com zone should be changed.
Answer: A
24. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a server in your company. And an
instance of Active Directory Lightweight Directory Services (AD LDS) is run by the server. According to the
company requirements, you should have new organizational units created in the AD LDS application
A. You should create the organizational units by utilizing the dsmod OU <OrganizationalUnitDN> command.
B. You should create the organizational units on the AD LDS application directory partition by utilizing the
C. You should create the organizational units on the AD LDS application directory partition by utilizing the
D. You should create the organizational units by utilizing the dsadd OU <OrganizationalUnitDN> command.
Answer: C
25. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
run by the server. The company configures both servers as DNS servers. Either Windows XP Service Pack
2 or Windows Vista Client is run by computers. There is a standard primary zone on the domain controller. A
secondary copy of the zone is hosted by the member server. According to the company requirements, you
should make sure that host (A) records in the DNS zone can only be permitted only by authenticated users.
Answer: B
26. Which of the following are required to create a domain controller successfully? (Choose all that apply.)
D. A DNS server
Answer: AB
27. You are hired as the network administrator in your company. All the servers in your company run
windows 2008. The network of your company consists of a single Active Directory domain. There are two
Active Directory-integrated zones named CO1.com and CO2.com in the domain. All domain controllers are
configures as DNS servers. The company has instructed you to make sure that a user is able to modify
records in Hi-tech es.com while preventing the user to modify the SOA record in CO2.com zone. What
A. Modify the permissions of CO1.com zone by accessing the DNS Manager Console
B. Configure the user permissions on CO1.com to include all the users and configure the user permissions
C. Modify the permission of CO2.com zone by accessing the DNS Manager Console
D. Modify the Domain Controllers organizational unit by accessing the Active Directory Users and
Answer: A
28. You are the administrator for a nationwide company with over 5,000 employees. Your main office has
approximately 4,500 employees, there are ten remote offices in the company. Each remote office has 50
users. Usually, you are not clear about the physical security at these offices. However, since there is a fairly
sizable amount of users at each office, you must provide them with directory services.
What is the BEST option to use for directory services when security is often an unknown?
Answer: B
29. Trey Research has recently acquired Litware, Inc. Because of regulatory issues related to data
replication, it is decided to configure a child domain in the forest for Litware users and computers. The Trey
Research forest currently contains only Windows Server 2008 domain controllers. The new domain will be
created by promoting a Windows Server 2008 domain controller, but you might need to use existing
Windows Server 2003 systems as domain controllers in the Litware domain. Which functional levels will be
appropriate to configure?
A. Windows Server 2008 forest functional level and Windows Server 2008 domain functional level for the
Litware domain
B. Windows Server 2008 forest functional level and Windows Server 2003 domain functional level for the
Litware domain
C. Windows Server 2003 forest functional level and Windows Server 2008 domain functional level for the
Litware domain
D. Windows Server 2003 forest functional level and Windows Server 2003 domain functional level for the
Litware domain
Answer: D
named server01 and server02 that runs Windows Server 2008. servers named Hi-tech A and Hi-tech B.
DNS servers are configured as shown in the table: Domain users are unable to connect to the Internet
website using Hi-tech B because it is configured as a preferred DNS server. You have to enable Internet
A. Delete the .(root) zone from Hi-tech B. Configure conditional forwarding on Hi-tech B.
Answer: A
31. You are logged on as Administrator to SERVER02, one of four domain controllers in the hi-tech.com
domain that run Server Core. You want to demote the domain controller. Which of the following is required?
Answer: A
32. Hi-tech .com has an Active Directory domain called es. Hi-tech .com. Hi-tech .com has a subsidiary
company named Woksworks Inc. Woksworks Inc. has an Active Directory domain called
intranet.woksworks.com. Since woksworks Inc. security policy doesn't allow the transfer of internal DNS
zone data outside the woksworks network, you have to make sure that Hi-tech .com users are able to
resolve names from intranet.woksworks.com domain. What should you do to achieve this task?
Answer: A
33. You are the administrator for a nationwide company with over 5,000 employees. Your director tells you
your company has just signed into a partnership with another organization, and that you will be responsible
for ensuring that authentication can occur between both organizations without the need for additional
sign-on accounts. Your boss mentions that the partner has a variety of Directory Services installed
Which of the following can Active Directory Federation Services NOT connect to?
Answer: B
34. SERVER02 is running Server Core. It is already configured with the AD DS role. You want to add Active
Directory Certificate Services (AD CS) to the server. What must you do?
Answer: D
35. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There are two Active Directory forests in
your company, and they are respectively named wiikigo.com and cosoto.com. Only domain controllers are
run by both forests, and Windows Server 2008 is run by the domain controller. The domain functional level
Windows Server 2003 Native mode. An external trust is configured between wiikigo.com and cosoto.com.
Since you are the technical support, you are required to enable the Kerberos AES encryption option. To
achieve the goal, which action should be performed to achieve the goal?
A. To achieve the goal, the forest functional level of cosoto.com should be raised to Windows Server 2008.
B. To achieve the goal, the domain functional level of cosoto.com should be raised to Windows Server
2008.
C. To achieve the goal, a new forest trust should be created and forest-wide authentication should be
enabled.
D. To achieve the goal, the forest functional level of wiikigo.com should be raised to Windows Server 2008.
Answer: B
36. Hi-tech .com has two Active Directory forests named Hi-tech.com and vervoks.com. The company
network has three DNS servers named Hi-tech A, Hi-tech B, and Hi-tech C. The DNS servers are
configured as shown in the table: All computers that belong to the vervoks.com domain have Hi-tech C
configured as the preferred DNS server. All other computers use Hi-tech A as the preferred DNS server.
Users from the acme.com domain are unable to connect to the servers that belong to the Hi-tech .com
domain. You need to ensure users in the acme.com domain are able to resolve all Hi-tech .com queries.
B. Configure conditional forwarding on Hi-tech A and Hi-tech B to forward vervoks.com queries to Hi-tech C.
D. Create a copy of the vervoks.com zone on the Hi-tech A server and the Hi-tech B server.
Answer: C
37. You are a support professional for Hi-tech, Ltd. The domain's administrators have distributed a custom
reset a user's password, you receive Access Denied errors. You are certain that you have been delegated
A. Close the custom console and open Server Manager. Use the Active Directory Users and Computers
B. Close the custom console and open a command prompt. Type dsa.msc.
C. Close the custom console, and then right-click the console and choose Run As Administrator. Type the
D. Close the custom console, and then right-click the console and open a command prompt. Use the
DSMOD USER command with the -p switch to change the user's password.
Answer: C
38. You are hired as the network administrator in your company. In your company there's a server named
Server01 that runs Windows Server 2008. You company has an Active Directory forest with single domain.
Server01 works as the Domain Controller with Active Directory Federation Services (AD FS) role installed.
Server01 is configured as a DNS server. You have to record all inbound DNS queries to server01.
A. In the DNS Manager Console Enable automatic testing for simple queries.
C. In the DNS Manager Console Configure event logging to log errors and warnings.
D. In the DNS Manager Console Enable automatic testing for recursive queries.
Answer: B
39. You are the administrator for a nationwide company with over 5,000 employees. Your main office has
approximately 4,500 employees, while your company's ten remote offices have 50 users each residing in
them. You are often unaware of the physical security in place at these offices. However, since there is a
fairly sizable amount of users at each office, you need to provide them with directory services. What is the
BEST option to use for directory services when security is often an unknown?
Answer: B
40. You have opened a command prompt, using Run As Administrator, with credentials in the Domain
Admins group. You use the Dsrm command to remove an OU that had been created accidentally by James,
a member of the Administrators group of the domain. You receive the response: Dsrm Failed: Access Is
A. You must launch the command prompt as a member of Administrators to perform Active Directory tasks.
Answer: D
41. You are hired as the network administrator in your company. All servers in your company run Windows
Server 2008. The company has a single Active Directory domain. Server01 and Server02 work as the
domain controllers with DNS server role installed. You plan to install a new DNS server named Server03 on
the perimeter network. Server01 is configured to forward all unresolved name requests to Server03. You
discover that the DNS forwarding option is unavailable on Server02. You need to configure DNS forwarding
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
Answer: BD
42. You want to enable your help desk to reset user passwords and unlock user accounts.
Which of the following tools can be used? (Choose all that apply.)
C. DSUTIL
Answer: ABD
43. You are hired as the network administrator in your company. Your company has an Active Directory
forest. All domain controllers run Windows Server 2008 and are configured as DNS servers. You have an
Active Directory-integrated zone for Hi-tech .com. You have a Unix-based DNS server. You need to
configure your Windows Server 2008 environment to allow zone transfers of the Hi-tech .com zone to the
Unix-based DNS server. What should you do in the DNS Manager console?
C. Disable recursion.
Answer: B
44. The Web development team has requested that you implement a new Web server in a DMZ that will be
used for presenting Web sites to customers. Which of the following is NOT a reason for using Windows
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows Server 2008.
D. Core Server uses fewer resources than a full installation of Windows Server 2008.
Answer: A
45. You are an administrator at a large university, and you have just been sent an Excel file containing
information about 2,000 students who will enter the school in two weeks.
You want to create user accounts for the new students with as little effort as possible.
Answer: C
46. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. Windows Server 2008 is run by all servers. An Enterprise Root certification authority (CA)
and an Enterprise Intermediate CA is used by your company. The Enterprise Intermediate CA certificate
expires. According to the company requirement, a new Enterprise Intermediate CA certificate needs to be
deployed to all computers in the domain. So What action should you perform?
A. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
B. The new certificate should be imported into the Intermediate Certification Store on the Enterprise Root
CA server.
C. The new certificate should be imported into the Intermediate Certification Store on the Enterprise
Intermediate CA server.
D. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
Answer: A
47. You are hired as the network administrator in your company. Your company network consists of a single
Active Directory domain. Ten domain controllers are present in the domain. All domain controllers run
Windows Server 2008 and are configured as DNS servers. You are instructed to create a new Active
Directory-integrated zone. You have to make sure that the new zone is only replicated to four of your
Answer: D
48. You are an administrator at a large university. Which command can be used to delete user accounts for
A. LDIFDE
B. Dsmod
C. DEL
D. CSVDE
Answer: A
49. You have a Windows Server 2003 R2 domain currently running in your organization. You would like to
install a read-only domain controller into your Directory Services structure, but you do not want to
completely upgrade your domain to Windows Server 2008 Directory Services just yet. What do you need to
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
D. An RODC cannot be added until the entire domain is a Windows Server 2008 Directory Services
domain.
Answer: C
50. Hi-tech .com has a single Active Directory domain called int. Hi-tech .com. You have installed domain
controllers with a DNS server role. The domain controllers run Windows Server 2008. Every computer in
the domain and non-domain members, register their DNS records dynamically. You want only the domain
members to register their DNS records dynamically. What should you do to configure int. Hi-tech .com?
51. You want to create a user object with Windows PowerShell. Which of the following must you do?
Answer: C
52. You are hired as the network administrator in your company. Your company has a network consisting of
an Active Directory forest named ebd.com. All servers have Windows Server 2008. All domain controllers
are configured as DNS servers. The ebd.com DNS zone is stored in ForestDnsZones Active directory
partition. A member server contains a standard primary DNS zone for eb.ebd.com. You need to make sure
that all domain controllers can resolve names for eb.ebd.com. What should you do to achieve this task?
Answer: A
53. You want to create a user object with a single command. Which of the following should you do?
Answer: D
54. You are hired as the network administrator in your company. In your company there's a server named
Server01 that runs Windows Server 2008. Server01 works as a Domain Controller is configured as DNS
server in a single Active Directory domain. The domain contains one Active Directory-integrated DNS zone.
A. Modify the TTL of the SOA record by accessing the zone properties
Answer: D
55. Which of the following Directory Services administration tools can be used in a Windows Server 2008
Answer: B
56. Which of the following lines of Windows PowerShell code are necessary to create a user object in the
People OU? (Choose all that apply. Each correct answer is a part of the solution.)
A. $objUser=$objOU.Create("user","CN=Jeff Ford")
B. $objUser.SetInfo()
C. $objUser=CreateObject("LDAP://CN=Jeff Ford,OU=People,DC=hi-tech,DC=com")
D. $objOU=[ADSI]"LDAP://OU=People,DC=hi-tech,DC=com"
Answer: ABD
57. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Since you are the technical support, you
Which four actions should you perform in sequence? (To answer, move the appropriate four actions from
the list of actions to the answer area and arrange them in the correct order.)
A. 6->1->2->4
B. 5->1->3->4
C. 6->4->3->1
D. 4->6->3->5
Answer: A
58. You are hired as the network administrator in your company. In your company there's a server named
Server01 that runs Windows Server 2008. Server01 is configured as DNS server and has 4 ctive
DirectoryCintegrated zones. For auditing purposes, you have to provide copies of the zone files of the DNS
server to the security audit group. What should you do to achieve this task?
Answer: C
59. You want to set the Office property of ten users in two different OUs. The users currently have the Office
property configured as Miammi. You recently discovered the typographic error and want to change it to
Miami. What can you do to make the change? (Choose all that apply.)
A. Select all ten users by holding the Ctrl key and opening the Properties dialog box.
Answer: C
60. You are hired as the network administrator in your company. In your company there are two servers
named Server01 and Server02 that run Windows Server 2008. Server01 works as a Domain Controller and
is configured as DNS server in a single Active Directory domain. Server02 is a member of the domain as
the standard secondary zone with DNS Server role installed.You configured Server01 as the master server
What should you do to make sure that Server02 receives zone updates from Server01?
Answer: B
61. BitLocker is a new technology that is available in Windows Server 2008 as well as Windows Vista.
B. BitLocker prevents someone from removing a hard drive from a system and reading it by installing it on
another system.
C. BitLocker prevents someone from loading another operating system onto the server and reading the
Answer: A
62. You want to move a user from the Paris OU to the Moscow OU. Which tools can you use? (Choose all
that apply.)
A. Move-Item
C. Dsmove
D. Redirusr.exe
63. Hi-tech .com has a main office and a branch office. All servers in both offices run Windows Server 2008.
The offices are connected through a MAN link. Hi-tech .com has an Active Directory domain that hosts a
single domain called maks. Hi-tech .com. There is a domain controller in the maks. Hi-tech .com domain
called Server01 . It is located in the main office. You have configured Server01 as a DNS server for maks.
Hi-tech .com DNS zone. It is configured as a standard primary zone. You are instructed to install a new
domain controller called Server02 in the branch office. After installing the domain controller, you install DNS
on Server02 . You want to ensure that the DNS service on Server02 can update records and resolve DNS
D. Configure a new stub zone on Server01 and set the forwarding option to Server02
Answer: C
64. A user reports that she is receiving a logon message that states, "Your account is configured to prevent
you from using the computer. Please try another computer." What should you do to enable her to log on to
the computer?
A. Click the Log On To button on the Account tab of her user account.
B. Click the Allowed To Join Domain button in the New Computer dialog box.
D. Give her the right to log on locally, using the local security policy of the computer
Answer: A
65. You are the administrator for a nationwide company that currently runs Windows Server 2008 DNS and
are reviewing the resource records in your Active Directory-integrated DNS zone. You notice there are
hostnames that do not meet your company's naming convention and verify that the computers are not
members of your Active Directory domain. What must you do to ensure these hosts cannot create records
Answer: B
66. Hi-tech .com has a single Active Directory domain. You have configured all domain controllers in the
network as DNS servers and they run Windows Server 2008. A domain controller named Server01 has a
standard Primary zone for Hi-tech .com and a domain controller named Server02 has a standard secondary
zone for Hi-tech .com. You have to make sure that the replication of the Hi-tech .com zone is encrypted so
you might not loose any zone data. What should you do to achieve this task?
B. Convert the primary zone into an active directory zone and delete the secondary zone
D. On the standard primary zone, configure zone transfer settings. After that modify the master servers lists
Answer: B
67. You are hired as the network administrator in your company. Your company has a main office and a
branch office that are configured as a single Active Directory forest. The functional level of the Active
Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the
main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the
branch office. Which two actions should you perform?(Choose two answers. Each answer is a part of the
complete solution.)
Answer: AB
68. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. And two domains are included by the Active Directory forest. Universal groups are included by
the forest. And members from each domain are included by the universal groups. There is a domain
controller named DC01 in the branch office. It is reported by users at the branch office that it takes quite
long time to log on. Since you are the technical support, you are required to reduce the amount of logon
time for the branch office users. Which action should be performed to achieve the goal?
A. To achieve the goal, the replication interval on the site link that connects the branch office to the
B. To achieve the goal, the replication interval on the site link that connects the branch office to the
D. To achieve the goal, DC01 should be configured as a bridgehead server for the branch office site.
Answer: C
69. A new project requires that users in your domain and in the domain of a partner organization have
access to a shared folder on your file server. Which type of group should you create to manage the access
Answer: B
70. Your domain includes a global distribution group named Company Update. It has been used to send
company news by e-mail to its members. You have decided to allow all members to contribute to the
newsletter by creating a shared folder on a file server. What must you do to allow group members access to
Answer: D
71. You are hired as the network administrator in your company. Your company has servers that run
Windows Server 2008. There are 2 domain controllers installed on the network. An Active Directory
database is installed on the D volume of a domain controller. You want to move the Active Directory
A. Open the Files option in the Ntdsutil utility and move the ntds.dit file to the new volume.
B. Move the ntds.dit file to the new volume using Copy Paste function in the Windows Power Shell.
C. Use XCOPY command on Windows Command prompt to move ntds.dit file to the new volume.
Answer: A
72. You are creating a new standard primary zone for the company you work for, Name Resolution
University, using the domain nru.corp. You create the zone through the DNS management console,and now
you want to view the corresponding DNS zone file, nru.corp.dns. Where do you need to look in order to find
this file?
A. You cannot view the zone file because it is stored in Active Directory.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if
Answer: B
73. Which of the following can be used to remove members from a group? (Choose all that apply.)
A. Remove-Item
B. Dsrm
D. LDIFDE
E. CSVDE
Answer: BCD
74. Hi-tech .com has a single Active Directory domain named ad. Hi-tech .com. Windows Server 2008 is
installed on all domain controllers. The domain functional level and forest functional level are set to
Windows 2000 native mode. You have to ensure the UPN suffix for Hi-tech .com is available for user
A. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to
Hi-tech .com.
C. Raise the Hi-tech .com domain functional level to Windows Server 2003 or Windows Server 2008.
D. Raise the Hi-tech .com forest functional level to Windows Server 2003 or Windows Server 2008.
Answer: B
75. You are using Dsmod to add a domain local group named GroupA to a global group named GroupB.
You are receiving errors. Which command will solve the problem so that you can then add GroupA to
A. Dsrm.exe
B. Dsmod.exe
C. Dsquery.exe
D. Dsget.exe
Answer: B
76. Hi-tech .com has a network consisting of a single Active Directory domain. All domain controllers run
Windows Server 2003. Hi-tech .com instructs you to upgrade all domain controllers to Windows Server
2008. After upgrading the domain controllers, you need to ensure that the ebsysvolume share replicates by
using DFS Replication (DFS-R). What should you do to achieve this task?
C. Run dcpromo/attend:attendfile.xml
Answer: D
77. You have removed WINS from your environment, but still have at least one legacy PC and application
that requires NetBIOS resolution. What solution can you use in place of WINS to address NetBIOS
resolution?
A. GlobalNames zones.
B. Reverse zones.
C. Dynamic updates.
Answer: A
78. Your management has asked you to produce a list of all users who belong to the Special Project group,
including those users belonging to groups nested into Special Project. Which of the following can you use?
A. Get-Members
B. Dsquery.exe
C. LDIFDE
D. Dsget.exe
Answer: D
79. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. Two domain controllers are contained in the company. They are respectively named DC01 and
DC02. DC01 holds the schema master role, while DC02 fails. You use the administrator account to log on to
Active Directory. You cannot transfer the schema master role. You have to make sure that DC2 holds the
C. You should register the Schmmgmt.dll and start the Active Directory Schema snap-in.
D. Utilize an account that is a member of the Schema Admins group to log off and log on again to Active
Answer: A
80. Your company is conducting a meeting for a special project. The data is particularly confidential. The
team is meeting in a conference room, and you have configured a folder on the conference room computer
that grants permission to the team members. You want to ensure that team members access the data only
while logged on to the computer in the conference room, not from other computers in the enterprise. What
Answer: D
81. Hi-tech.com has an Active Directory forest which runs Windows Server 2008. It has branch offices all
around the world. The forest includes finance organizational units for an office in the following locations:
New York
London
Amsterdam
Rome
Each location has a child organizational unit named finance. The finance organizational unit hosts all the
users and computers in the finance department. The offices in London and, Amsterdam and New York are
connected by T1 connections. However, the office in Rome is connected by a 128-Kbps ISDN connection.
Hi-tech .com has instructed you to install an application on all computers in the finance department. Which
two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the
complete solution)
A. Create a Group Policy Object (GPO) named accountingtree Install that assigns the application to the
B. Create a GPO named accounting tree install that assigns the application to each user in the
C. Change the slow link detection setting to 2,544 Kbps (T1) in the GPO
Answer: AC
82. You've just created a new zone in DNS on a Windows Server 2008-based computer. You check the
zone and notice that the only records in it are the SOA and NS RRs. Checking the configuration, you see
that the zone is configured to accept dynamic updates. What should you do next?
A. Manually add all RRs for the zone, including A, CNAME, PTR, and SRV records.
B. Manually add A records for all hosts that cannot use dynamic updating.
C. Manually add A RRs and PTR RRs for all hosts that will be using dynamic updating.
D. Manually initiate a zone transfer to replicate all the needed RR to the new zone.
Answer: B
83. You want to allow a user named Mike Danseglio to add and remove users from a group called Special
Answer: D
84. You are hired as the network administrator in your company. Your company has a single Active
Directory domain. The domain controllers run Windows Server 2003. You are instructed to upgrade all
domain controllers to Windows Server 2008. To accomplish this task, you have to configure the Active
Answer: D
85. Which of the following groups can shut down a domain controller? (Choose all that apply.)
A. Account Operators
B. Print Operators
C. Backup Operators
D. Server Operators
E. Interactive
Answer: BCD
86. Your company has offices in North America and Europe. It has an Active Directory forest with two
domains. You are assigned the task to reduce the time required to authenticate users from
labs.eul.hi-tech.com domain when they access resources on eng.na.hi-tech.com domain. What should you
Answer: A
87. You want to require all new computer accounts created when computers join the domain to be placed in
A. Dsmove
B. Move-Item
C. Netdom
D. Redircmp
Answer: D
88. You are hired as the network administrator in your company. Your company has an Active Directory
domain. Another administrator at the company attempts to log on to a computer that was offline for 12
weeks. While accessing the computer, administrator receives an error message that authentication has
failed. What should you do to ensure that the administrator can log on to the computer?
A. Disjoin the computer from the domain and rejoin it to the domain. Reset the computer account
B. Delete the computer account from the organizational unit and then add the account again
C. Execute the netsh command on the computer and set the machine options
D. Execute netsh trust/reset command and join the computer to the domain again.
Answer: A
89. A DNS server, Aspen, has been successfully resolving queries but with the wrong information. You use
the Monitoring function in the DNS Management Console for Aspen and test the simple and recursive
queries. Both work fine. What is the most likely cause of the problem?
A. Aspen is not authoritative for the zone in which the wrong information is being returned.
C. Some clients do not support dynamic updates, or manually entered RRs have errors.
D. The clients that received the wrong information do not support the OPT record type.
Answer: C
90. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. You have a computer which runs Windows
Server 2008. At present you are installing an application on this computer. During installation, the
application will need to install new attributes and classes to the Active Directory database. You have to
make sure that you are able to install the application. So what action should you perform?
A. You should use an account that has Server Operator rights to log on.
B. The functional level of the forest should be changed to Windows Server 2008.
C. You should use an account that has the Enterprise Administrator rights and the appropriate rights to log
Answer: D
91. You want to prevent nonadministrative users from joining computers to the domain. What should you
do?
C. Remove the Add Workstations To Domain user right from Authenticated Users.
D. On the domain, deny the Authenticated Users group the Create Computer Objects permission.
Answer: A
92. You are hired as the network administrator in your company. Your company has a main office and ten
branch offices. It has an Active Directory forest that hosts a single domain. Each office has one domain
controller and they are configured as an Active Directory site. All sites are connected with the
DEFAULTIPSITELINK object. You have to decrease the replication latency between the domain controllers.
Answer: C
93. You want to join a remote computer to the domain. Which command should you use?
A. Dsadd.exe
B. Netdom.exe
C. Dctest.exe
D. System.cpl
Answer: B
application to deploy on 200 computers. You are instructed to deploy the application on all 200 computers.
To install the application, you have to modify the registry on each target computer before installing the
You have to prepare the target computers for the application. What should you do to achieve this task?
A. Create a new Group Policy Object (GPO) and import the .adm file into it. Edit the GPO and link it to an
B. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target
computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
Answer: A
95. You have been tasked with designing a new Windows Server 2008 Active Directory forest. The network
is currently a combination of Windows 2000 Professional, Windows XP, Windows Vista, and Macintosh
clients. You want to reduce the administration of IP addresses. Which of the following services would you
A. DHCP
B. DNS
C. WINS
D. DDNS
Answer: A
96. Your manager has just asked you to create an account for DESKTOP234. Which of the following
A. CSVDE
B. LDIFDE
C. Dsadd
E. VBScript
Answer: C
97. You are hired as the network administrator in your company. The headquarters of your company is
located in New York. Now your company builds its branch in Washington. The branch office in Washington
is configured as a separate Active Directory site and has an Active Directory domain controller. You disable
an account that has administrative rights. You need to immediately replicate the disabled account
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. From the Active Directory Sites and Services console, select the existing connection objects and force
replication.
B. From the Active Directory Sites and Services console, configure all domain controllers as global catalog
servers.
Answer: AC
98. Your hardware vendor has just given you an Excel worksheet containing the asset tags of computers
that will be delivered next week. You want to create computer objects for the computers in advance. Your
naming convention specifies that computers' names are their asset tags. Which of the following tools can
A. CSVDE
B. LDIFDE
C. Dsadd
D. Windows PowerShell
E. VBScript
Answer: ADE
located in New York. The main office has an existing Active Directory site named Site1. Now your company
builds its branch in Washington. You are assigned to deploy and implement a new Active Directory site and
name Site2. To configure Active Directory replication between Site1 and Site2, you install a new domain
controller and create the site link between Site1 and Site2. What should you do next to achieve this task?
A. Use the Active Directory Sites and Services console to configure the new domain controller as a
B. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and
Site2.
C. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new
D. Use the Active Directory Sites and Services console to configure a new site link bridge object.
Answer: C
100. Your network contains a mix of Windows 2003 and Windows Server 2008. You have three domain
controllers running Windows Server 2003. Your file server, print server, and Exchange server are running
Windows 2000 Server. Your DNS, DHCP, and WINS servers are running Windows Server 2008. All of your
clients are running Windows XP Professional with Service Pack 2. All machines, other than the servers that
require a static IP address, are configured as DHCP clients with the default settings. Your DNS server has
following records will be registered in DNS automatically? (Choose all that apply.)
A. MX
B. Host (A)
C. SRV
D. PTR
Answer: BCD
101. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
sure that users are able to install approved application updates on their computers. What should you do?
A. A GPO should be created and it should be linked to the domain. The GPO should be configured to direct
the client computers to the Microsoft WSUS server for approved updates.
B. Automatic Updates through Control Panel should be set up on the client computers.
C. A GPO should be created and it should be linked to the Domain Controllers organizational unit. The GPO
site.
D. The Microsoft WSUS application should be installed on a server in the environment. The server should
be configured to search for new updates on the Internet. All required updates should
be approved.
Answer: AD
102. A server administrator reports Failed To Authenticate events in the event log of a file server. What
Answer: A
103. You are hired as the network administrator in your company. Your company has an Active Directory
domain. All servers in the Active Directory run Windows Server 2008. The domain runs Enterprise Root
certification authority (CA). You have to make sure that only administrators can sign code.
A. Change the local computer policy of the Enterprise Root CA to allow only administrators to manage
Trusted Publishers.
C. Change the security settings on the template to allow only the administrators to request code signing
D. Distribute the code signing template among the administrators and ask them to add it to the trust peer
certificates.
Answer: BC
104. A computer has permissions assigned to its account to support a system service. It also belongs to 15
groups. The computer is being replaced with new hardware. The new hardware has a new asset tag, and
your naming convention uses the asset tag as the computer name. What should you do? (Choose all that
Answer: CDE
105. You are hired as the network administrator in your company. The headquarters of your company is
located in New York. Now your company builds its branch in Washington. The branch office in Washington
is configured as a separate Active Directory site and has an Active Directory domain controller. You are
assigned to deploy and implement a new application which requires a local global Catalog server to support
at the branch office. Which tool should you use to configure the domain controller as a Global Catalog
server? (Each correct answer presents part of the solution. Choose two.)
Answer: AD
106. You have just installed a Windows Server 2008 domain controller in your environment. Which of the
A. Users
B. Computers
C. Built-in
D. Default Groups
Answer: C
107. Your enterprise recently created a child domain to support a research project in a remote location.
Computer accounts for researchers were moved to the new domain. When you open Active Directory Users
And Computers, the objects for those computers are displayed with a down-arrow icon. What is the most
Answer: C
108. You are hired as the network administrator in your company. Your company has a domain controller
that runs Windows Server 2008. It is configured as a DNS server. You have to record all inbound DNS
queries to the server. What should you configure in the DNS Manager Console?
Answer: D
109. Your organization has one Active Directory domain in the Active Directory forest. You are responsible
for creating accounts for all users in your domain. Your company just bought another company with 5000
user accounts, and you are required to create their new user accounts without using a third-party tool.
B. dsuseradd
C. adduser
D. adduser.ps
Answer: A
110. Litware, Inc., has three business units, each represented by an OU in the litwareinc.com domain. The
business unit administrators want the ability to manage Group Policy for the users and computers in their
OUs. Which actions do you perform to give the administrators the ability to manage Group Policy fully for
their business units? (Choose all that apply. Each correct answer is a part of the solution.)
A. Copy administrative templates from the central store to the PolicyDefinitions folder on the administrators'
B. Add business unit administrators to the Group Policy Creator Owners group.
domain.
D. Delegate Link GPOs permission to the each business unit's administrators in the
Answer: BD
111. You are hired as the network administrator in your company. Your company has a main office and 15
branch offices. An Active Directory site with one domain controller is installed in each office. Only domain
controllers in the main office are configured as Global Catalog servers. On the domain controllers in the
branch offices, you need to deactivate the Universal Group Membership Caching (UGMC) option. However,
A. Site
B. domain controllers
C. Forest
D. Connection object
Answer: A
112. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
contained by your network. And there is a domain controller and a member server that run Windows Server
2008 in the company. The company configures the two servers as DNS servers. Either Windows XP
Service Pack 2 or Windows Vista is run by client computers. There is a standard primary zone on the
domain controller. A secondary copy of the zone is hosted by the member server. According to the company
requirements, you should make sure that host (A) records in the DNS zone can only be updated by
authenticated users.
Answer: A
113. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in your company. Windows Server 2003 is run by all domain controllers. You have Windows Server 2008
installed on a server. Since you are the technical support, you are required to have the new server added as
a domain controller in your domain. To achieve the goal, which action should be performed first?
Answer: B
114. You are hired as the network administrator in your company. Your company has two active directory
Windows Server 2008 is running on the domain functional level on Eb1.com. The domain functional level of
Eb2.com is Windows Server 2003 Native mode. As per instructions, you configure an external trust
between Eb1.com and Eb2.com. To achieve this, you need to enable the Kerberos AES encryption option.
Answer: D
115. You are an administrator at Hi-tech, Ltd. The hi-tech.com domain has a child domain, es.hi-tech.com,
for the branch in Spain. Administrators of that domain have asked you to provide a Spanish-language
interface for Group Policy Management Editor. How can you provide Spanish-language versions of
administrative templates?
D. Install the Boot.wim file from the Windows Server 2008 CD on a domain controller in the child domain.
Answer: BD
116. You are hired as the network administrator in your company. Your company has an Active Directory
domain and two domain controllers named Server01 and Server02. The Server01 hosts the Schema
Master Role. Suddenly the Server01 fails. To rectify the problem, you log on to Active Directory using
administrator account. You are trying to transfer the Schema Master Operations role. But you fail. What
should you do to ensure that Server02 holds the Schema Master role?
A. Register Schemamt.dll on the Active Directory domain and start the Active Directory Schema snap-in
Answer: D
117. You are at a branch office of your company assisting a user on his PC. While assisting the user, you
receive a phone call from your boss who wants to know why all the users are required to change their
passwords the first time they log on? What would be the best way to answer his question?
A. It's a default Active Directory group and domain policy to enforce user passwords set by the
administrator.
D. This is just a check box for user account properties to force users to change the default passwords set
by the administrator at the time of the creation of their account. This then forces users to pick their own
password.
Answer: D
118. You are an administrator at Hi-tech, Ltd. At a recent conference, you had a conversation with
administrators at Fabrikam, Inc. You discussed a particularly successful set of configurations you have
deployed using a GPO. The Fabrikam administrators have asked you to copy the GPO to their domain.
A. Right-click the Hi-tech GPO and choose Save Report. Create a GPO in the Fabrikam domain, right-click
B. Right-click the Hi-tech GPO and choose Back Up. Right-click the Group Policy Objects container in the
C. Right-click the Hi-tech GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it,
D. Right-click the Hi-tech GPO and choose Back Up. Create a GPO in the Fabrikam domain, right-click it,
Answer: D
domain and two domain controllers named Server01 and Server02. The Server01 hosts the Schema
Master Role. Suddenly the Server01 fails. To rectify the problem, you log on to Active Directory using
administrator account. You are trying to transfer the Schema Master Operations role. But you fail. What
should you do to ensure that Server02 holds the Schema Master role?
A. Register Schemamt.dll on the Active Directory domain and start the Active Directory Schema snap-in
C. Join the Schema Administrators group and modify the Schema settings to save records on Server02
Answer: D
120. You want to deploy a GPO named Northwind Lockdown that applies configuration to all users at
Northwind Traders. However, you want to ensure that the settings do not apply to members of the Domain
Admins group. How can you achieve this goal? (Choose all that apply.)
A. Link the Northwind Lockdown GPO to the domain, and then right-click the domain and choose Block
Inheritance.
B. Link the Northwind Lockdown GPO to the domain, right-click the OU that contains the user accounts of
all users in the Domain Admins group, and choose Block Inheritance.
C. Link the Northwind Lockdown GPO to the domain, and then assign the Domain Admins group the Deny
D. Link the Northwind Lockdown GPO to the domain, and then configure security filtering so that the GPO
Answer: BC
121. Lisa works as a branch office administrator for your organization. She receives a call from her
manager, Dina, asking which of the following characteristics make up a strong password. Which one is
correct?
Answer: D
122. You want to create a standard lockdown desktop experience for users when they log on to computers
in your company's conference and training rooms. You have created a GPO called Public Computers
Configuration with desktop restrictions defined in the User Configuration node. What additional steps must
you take? (Choose all that apply. Each correct answer is a part of the solution.)
A. Enable the User Group Policy Loopback Processing Mode policy setting.
C. Select the Block Inheritance option on the OU containing conference and training room computers.
D. Link the GPO to the OU containing conference and training room computers
Answer: AD
123. You are hired as the network administrator in your company. Your company has an Active Directory
domain. For regular checkups, you log on to the domain controller and open Microsoft Management
Console (MMC). The Active Directory Schema snap-in is not available. What should you do to access the
A. Register Schmmgmt.dll
B. using a member account of the Schema Administrators group, log off and log on again
C. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller
Answer: A
124. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Since you are the technical support, you
are required to confirm whether Active Directory successfully copied between two domain controllers.
Answer: B
125. A user calls the help desk at your organization and reports problems that you suspect might be related
to changes that were recently made to Group Policy. You want to examine information regarding Group
Policy processing on her system. Which tools can you use to gather this information remotely? (Choose all
that apply.)
C. Gpupdate.exe
D. Gpresult.exe
E. Msconfig.exe
Answer: BD
126. You are hired as the network administrator in your company. Your company has instructed you to
decommission domain controllers that host all forest-wide operations master roles. Before you start taking
down these domain controllers, you want to transfer all forest-wide operation master roles to another
domain. Which two roles should you transfer to achieve this objective? (Choose two answers. Each answer
D. Schema master
E. PDC Master
Answer: AD
127. Which of the following options require administrative privileges to change the password?
Answer: B
128. You are the administrator at Hi-tech, Ltd. The hi-tech.com domain has five GPOs linked to the domain,
one of which configures the password-protected screen saver and screen saver timeout required by
corporate policy. Some users report that the screen saver is not launching after 10 minutes as expected.
B. Run Gpresult.exe-computer.
Answer: A
129. You are hired as the network administrator in your company. Your company has an Active Directory
domain and two domain controllers named Server01 and Server02 . The Server01 hosts the Schema
Master Role. Suddenly the Server01 fails. To rectify the problem, you log on to Active Directory using
administrator account. You are trying to transfer the Schema Master Operations role. But you fail. What
should you do to ensure that Server02 holds the Schema Master role?
A. Register Schemamt.dll on the Active Directory domain and start the Active Directory Schema snap-in
C. Join the Schema Administrators group and modify the Schema settings to save records on Server02
Answer: D
130. The hi-tech.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a
GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk
GPO includes a restricted groups policy for the HI-TECH\ Help Desk group that specifies This Group Is A
Member Of Administrators. The Sydney Support GPO includes a restricted groups policy for the
HI-TECH\Sydney Support group that specifies This Group Is A Member Of Administrators. A computer
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
Answer: ABCD
131. You are hired as the network administrator in your company. In your company there's a server named
server01 that runs Windows Server 2008. An instance of Active Directory Lightweight Directory Service (AD
LDS) runs on Server01. You have to create new organizational units in the AD LDS application directory
partition.
A. Create the organizational units on the AD LDS application directory partition by accessing the ADSI Edit
snap-in.
C. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS
Answer: A
132. You are attempting to describe the purpose of a template account to a co-worker. What should you tell
them?
D. A template account simplifies the creation of a large number of user accounts. In a template, you can
define all the account parameters you need to for your users. You can then use this template to create user
accounts by simply filling in the Name, Full Name and Description Password, and Confirm Password fields.
133. The hi-tech.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a
GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk
GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This
Group setting to be HI-TECH\Help Desk. The Sydney Support GPO includes a restricted groups policy for
the Administrators group that specifies the Members Of This Group setting to be HI-TECH\Sydney Support.
A computer named DESKTOP234 joins the domain in the Sydney OU. Which of the following accounts will
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
Answer: AC
134. You are hired as the network administrator in your company. Your company has a single Active
Directory domain. All the domain controllers run Windows Server 2003. You install Windows Server 2008
on a server. You need to ensure that the new server is added as a domain controller in the domain. What
Answer: B
135. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in your network. Windows Server 2008 is run by all domain controllers. The Audit account management
The logged changes must include the old and new values of any attributes. So what action should you
perform?
A. The Audit directory service access setting and directory service changes should be enabled from the
B. The Audit account management policy should be enabled in the Default Domain Controller Policy.
C. The Security settings of the Domain Controllers OU should be configured after running auditpol.exe.
D. The Audit directory service access setting should be enabled in the Default Domain policy after running
auditpol.exe.
Answer: C
136. The hi-tech.com domain contains a GPO named Corporate Help Desk, linked to the Clients OU, and a
GPO named Sydney Support linked to the Sydney OU within the Clients OU. The Corporate Help Desk
GPO includes a restricted groups policy for the Administrators group that specifies the Members Of This
Group setting to be HI-TECH\Help Desk. The Sydney Support GPO includes a restricted groups policy for
the HI-TECH \Sydney Support group that specifies This Group Is A Member Of Administrators. A computer
Which of the following accounts will be a member of the Administrators group on DESKTOP234? (Choose
A. Administrator
B. Domain Admins
C. Sydney Support
D. Help Desk
Answer: ACD
137. You are hired as the network administrator in your company. Your company network consists of a
single Active Directory domain. All domain controllers run Windows Server 2008. Some of the Lightweight
Directory Access Protocol (LDAP) clients are using the largest amount of CPU resources on a domain
A. Execute the Active Directory Diagnostics Data Collector Set a review the Active Directory report
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Answer: A
138. A large company has just merged with yours. This organization has recently converted its internal
network from IPv4 addressing to IPv6 to support a number of new network applications that required it. You
must now begin to plan for IPv6 support on your own internal network. You are creating training materials
for your junior networking staff. Which of the following features is built into IPv6 that was not required in
IPv4?
D. Loopback IP addressing
Answer: B
139. You want to deploy security settings to multiple servers by using Group Policy. The settings need to
apply the user rights that you have configured and validated on a server in your test environment. Which
D. Security Templates
Answer: B
140. You are hired as the network administrator in your company. Your company has an Active Directory
forest. You want to install an Enterprise certification authority (CA) on a stand-alone server. When you try to
add Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not
B. Add the Web server (IIS) role and the AD LDS role.
Answer: D
141. You want to deploy security settings to multiple servers by using Group Policy. The settings need to
configure services, firewall rules, and audit policies appropriate for servers in your enterprise that act as file
and print servers. Which tool would be the best choice for you to use?
D. Security Templates
Answer: C
142. You are hired as the network administrator in your company. You company has a server that's runs
Windows Server 2008. Active directory forest is configured at the functional level. To enable users to have a
database services on the server, you install Microsoft SQL server 2005 and implement Active Directory
Rights Management Service (AD RMS). While testing the server, you attempt to open the AD RMS
administration website. You receive an error message saying:" SQL Server does not exist or access is
denied".
You want to rectify this problem and open AD RMS administration website. Which two actions should you
perform to achieve this objective? (Select two answers. Each answer is the part of complete solution)
C. Delete the AD RMS instance and the SQL server and install it again.
Answer: BD
143. Your company, mycompany.com, is merging with the yourcompany.com company. The details of the
merger are not yet complete. You need to gain access to the resources in the yourcompany.com company
before the merger is completed. What type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
Answer: C
144. You created a security policy by using the Security Configuration Wizard. Now you want to deploy the
settings in that security policy to the servers in your Servers OU. Which of the following steps are required?
Answer: AD
145. You are hired as the network administrator in your company. The headquarters of your company is
located in New York. Now your company builds its branch in Washington. You are assigned to deploy and
implement a Read-only Domain Controller (RODC) at the branch office. You deploy a RODC that runs
You must make sure that the users at the branch office can log on to the domain using RODC, so what
D. Deploy and configure a Password Replication Policy on the RODC in the main office
Answer: A
146. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. A single domain is contained in this forest. The domain member server has an Active Directory
Federation Services (AD FS) server role installed. You have to configure AD FS to make sure that AD FS
tokens contain information from the Active Directory domain. So what action should you perform?
Answer: C
147. You want to deploy an application by using Group Policy to client computers in the headquarters and in
a branch office. The branch office is connected to the headquarters with a wide area network connection
that is 364 kbps. What steps must you take to deploy the software? (Choose two. Each correct answer is
A. Create a GPO that applies to all client computers in the headquarters and branch office. In the GPO,
create a software package in the User Configuration node that assigns the application.
B. Create a GPO that applies to all client computers in the headquarters and branch office. In the GPO,
create a software package in the Computer Configuration node that assigns the application.
C. In a GPO that applies to all computers, configure the slow link detection policy connection speed in the
D. In a GPO that applies to computers in the branch office, configure the slow link detection policy
E. In a GPO that applies to computers in the branch office, configure the slow link detection policy
Answer: BD
148. You are hired as the network administrator in your company. The headquarters of your company is
Directory forest in your company. All servers run Windows Server2008. Server01 and Server02 work as the
Domain Controller in the main office while Server03 works as a Windows Server 2008 read-only domain
controller (RODC) in the branch office. All domain controllers hold the DNS Server role and are configured
as Active Directory-integrated zones. The DNS zones only allow secure updates.
You must make sure to enable dynamic DNS updates on Server03. What should you do?
D. Create a custom application directory partition on DC1. Configure the partition to store Active
Directory-integrated zones.
Answer: C
149. You are hired as the network administrator in your company. All the servers in your company run
windows 2008. The network of your company consists of an Active Directory forest that contains one
domain. There is an Active Directory-integrated zone with two Active Directory sites in the domain. Each
site contains two domain controllers. All domain controllers are configures as DNS servers.
You are assigned to deploy and implement a new NS record to the zone. You have to make sure that all
domain controllers immediately receive the new NS record. What should you do to achieve this task?
D. Shutdown and then, restart the DNS server service from services snap-in
Answer: A
150. Your boss just informed you that your company will be participating in a joint venture with a partner
company. He is very concerned about the fact that a trust relationship needs to be established with the
partner company. He fears that an administrator in the other company might be able to masquerade as one
of your administrators and grant himself privileges to resources. You assure him that your network and its
resources can be protected from an elevated privilege attack. Along with the other security precautions that
A. The permissions set on the Security Account Manager (SAM) database will prevent the other
B. The SIDHistory attribute tracks all access from other domains. Their activities can be tracked in the
System Monitor.
C. The SIDHistory attribute from the partner's domain attaches the domain SID for identification. If an
account from the other domain tries to elevate its own or another user's privilege, the SID filtering removes
D. SID filtering tracks the domain of every user who accesses resources. The SIDHistory records this
information and reports the attempts to the Security log in the Event Viewer.
Answer: C
151. In your domain, the Employees OU contains all user accounts. Each site has an OU within which a
Sales OU contains accounts for the computers in the Sales department at that site. You want to deploy an
application so that it is available to all users in the organization's Sales departments. Which methods can
A. Create a GPO linked to the domain. Create a group containing all Sales users. Filter the GPO so that it
applies only to the group. In the GPO's User Configuration policies, create a software package that assigns
the application.
B. Create a GPO linked to each site's Sales OU. In the GPO's User Configuration policies, create a
C. Create a GPO linked to the domain. Create a group containing all Sales users. Filter the GPO so that it
applies only to the group. In the GPO's Computer Configuration policies, create a software package that
D. Create a GPO linked to each site?0100110010014301001100100154s Sales OU. In the GPO User
Configuration policies, create a software package that assigns the application. In the GPO's Computer
Answer: AD
152. You are hired as the network administrator in your company. Your company has an Active Directory
uses a custom application directory partition named ResData for data replication. The application is
installed on one member server in five sites. You need to configure the five member servers to receive the
ResData application directory partition for data replication. What should you do?
Answer: A
153. You are hired as the network administrator in your company. Your company network has an Active
Directory forest that contains one parent domain and one child domain. The child domain has two domain
controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the
parent domain. The child domain is scheduled to be decommissioned. You need to remove the child
domain from the Active Directory forest. What are two possible ways to achieve this goal? (Choose two
A. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory
B. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.
C. Delete the computer accounts for each domain controller in the child domain. Remove the trust
D. Run the Computer Management console to stop the Domain Controller service on both domain
Answer: AB
154. Your organization consists of ten branch offices. Within your Active Directory, an Employees OU is
divided into ten child OUs containing user accounts at each branch office. You want to deploy an application
to users at four branches. The application should be fully installed before the user opens the application for
the first time. Which steps should you take? (Choose four. Each correct answer is a part of the solution.)
D. Create a shadow group that includes the users in the four branches. Filter the software deployment GPO
E. Create a package in the User Configuration policies that assigns the application.
Answer: ACDE
a problem with the Active Directory. One of the administrators made an update to a user object and another
reported that he had not seen the changes appear on another DC. It was more than a week since the
change was made Robin checks the problem by making a change to another Active Directory object. Within
a few hours, the change appears on a few DCs, but not on all of them. Which of the following is a possible
Answer: A
156. You are hired as the network administrator in your company. In your company there's a server named
Server01 that runs Windows Server 2008. You company has an Active Directory forest with single domain.
Server01 works as the Domain Controller with Active Directory Federation Services (AD FS) role installed.
Some other applications are also hosted on its perimeter network. The organization wants single sign-on to
You are required to configure the AD FS trust policy to populate AD FS tokens with employee's information
Answer: B
157. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. A Windows Server 2008 is run by all servers. An Enterprise Root certificate authority (CA) is used
by your company. You have to make sure that revoked certificate information is highly available. So what
A. You should use a Group Policy Object (GPO) to publish the trusted certificate authorities list to the
domain.
B. You should use Network Load Balancing to implement an Online Certificate Status Protocol (OCSP)
responder.
C. You should create a new Group Policy Object (GPO) that allows users to trust peer certificates. The
D. You should use an Internet Security and Acceleration Server array to implement an Online Certificate
Answer: B
158. You are concerned that an individual is trying to gain access to computers by logging on with valid
domain user names and a variety of attempted passwords. Which audit policy should you configure and
Answer: D
159. You want to audit changes to attributes of user accounts used by administrators in your organization.
Answer: B
160. You are hired as the network administrator in your company. Your company has an Active Directory
domain which runs Windows Server 2008. A user attempts to log on to the domain from the client computer
using his account. He receives the following message: "This account has expired. Contact your
administrator to reactivate the account" What should you do to ensure that the user is able to log on to the
A. Open the properties of the user account and change the option to "Never Expire"
B. Open the properties of the user account and extend the Logon Hours setting
C. Open the properties of the user account and modify the default domain policy to decrease the duration of
account lockout.
D. Change the password option to never expire in the user account properties
Answer: A
161. Darien is a new member of the Web Services team at your company. He is going to be responsible for
running and testing scripts for an in-house homegrown application which requires a special application that
is deployed via Group Policy. The first time he logs on to the domain he does not receive the software
package. You verify that his user account is in the proper OU. What could be causing Darien not to receive
A. Security filtering has been enabled on the GPO and Darien is not a member of the proper group
B. WMI Filtering has been enabled on the GPO and Darien is not a member of the proper group
C. Darien must be a local administrator on his machine to download a GPO with a software package in it
D. Darien's user account has Block Inheritance configured on it and therefore he cannot download the
policy
162. Your organization includes 10 file servers, which have computer accounts in the Servers OU of your
domain. A GPO named Server Configuration is linked to the Servers OU. On five of the servers, a folder
called Confidential Data exists. You have hired a team of consultants to assist on a project, and you want to
ensure that those consultants cannot access the Confidential Data folder. You configure permissions on the
folder to prevent access by consultants, and you want to audit any attempt by consultants to open or
manipulate the folder. Which steps must you take? (Choose three.
A. Add audit entries to the Confidential Data folder to audit successful Full Control access.
C. Define the Audit Directory Service Access policy in the Server Configuration GPO.
D. Define the Audit Object Access policy in the Default Domain Controllers GPO.
E. Define the Audit Object Access policy in the Server Configuration GPO.
G. Add audit entries to the Confidential Data folder to audit failed Full Control access.
Answer: EFG
163. Hi-tech has an Active Directory forest with single domain. Some other applications are also hosted on
its perimeter network. The organization wants single sign-on to all applications hosted on perimeter network.
The company has a domain member server with Active Directory Federation Services (AD FS) role
installed.
You are required to configure the AD FS trust policy to populate AD FS tokens with employee's information
Answer: A
Accounts that contains all user accounts. Because you have configured service accounts with passwords
that never expire, you want to apply a password policy that requires passwords of at least 40 characters.
Which of the following steps should you perform? (Choose all that apply. Each correct answer is part of the
solution.)
A. Set the Minimum Password Length policy in the Default Domain Policy GPO.
Answer: CDE
165. As an administrator at You are hired as the network administrator in your company. Your company, you
have installed an Active Directory forest that has a single domain. You have installed an Active Directory
Federation services (AD FS) on the domain member server. What should you do to configure AD FS to
make sure that AD FS token contains information from the active directory domain?
Answer: A
166. SueyDog Enterprises will soon be deploying Microsoft Office Communicator into its environment. All of
its DCs are running Windows Server 2008. Their administrator, Matthew, is attempting to prepare for the
new product by creating a GPO and exploring the available settings. He creates a new policy and proceeds
to expand each section of the policy, looking for the section containing the Microsoft Office Communicator
settings. He can't seem to locate the settings for Microsoft Office Communicator. What should Matthew do
A. Download the appropriate .adm file and import it into the new GPO
D. Download the appropriate .adm file and place it in the Central Store
Answer: A
167. You want to configure account lockout policy so that a locked account will not be unlocked
automatically. Rather, you want to require an administrator to unlock the account. Which configuration
Answer: D
168. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. The company locates in three different places. An organizational unit and a child organizational
unit named Sales are included by each location. All users and computers of the sales department are
included by the Sales organizational unit. A Microsoft Office 2007 application should be deployed on all
computers within the three Sales organizational units. According to the company requirements, you should
make sure that the Office 2007 application can only be installed on the computers in the Sales
A. A Group Policy Object (GPO) named SalesAPP GPO. And then, the GPO should be configured to
publish the application to the user account. At last, the SalesAPP GPO should be linked to to the Sales
B. A Group Policy Object (GPO) named SalesAPP GPO. And then, the GPO should be configured to assign
the application to the computer account. At last, the SalesAPP GPO should be linked to to the Sales
C. A Group Policy Object (GPO) named SalesAPP GPO should be created. And then, the GPO should be
configured to assign the application to the computer account. At last, the SalesAPP GPO should be linked
D. A Group Policy Object (GPO) named SalesAPP GPO should be created. And then, the GPO should be
configured to assign the application to the user account. At last, the SalesAPP GPO should be linked to to
Answer: B
169. You are hired as the network administrator in your company. Your company has an Active Directory
forest. There is one main office and branch office in two different locations. Both of the locations have an
organizational unit. Hi-tech has instructed you to ensure that the branch office administrators are able to
create and apply GPOs only to their respective organizational unit. Which two actions should you perform
A. Add branch administrators for each organizational unit in the Managed By Tab settings.
B. Add the branch office administrators user accounts in the Group Policy Creator Owners Group
C. Execute the Delegation of Control Wizard and delegate the right to link GPOs for their branch
D. Execute the Delegation of Control Wizard and delegate the right to links GPOs for the domain to the
Answer: BC
170. As you evaluate the password settings objects in your domain, you discover a PSO named PSO1 with
a precedence value of 1 that is linked to a group named Help Desk. Another PSO, named PSO2,with a
precedence value of 99, is linked to a group named Support. Mike Danseglio is a member of both the Help
Desk and Support groups. You discover that two PSOs are linked directly to Mike.PSO3 has a precedence
value of 50, and PSO4 has a precedence value of 200. Which PSO is the resultant PSO for Mike?
A. PSO1
B. PSO2
C. PSO3
D. PSO4
Answer: C
domain running Windows Server 2008. The Finance OU (organizational unit) contains an OU for computers,
an OU for groups and an OU for users. As per company policy, you perform daily backups. Another
administrator mistakenly deletes the groups OU. You have to restore the Groups OU without affecting users
and computers in the Finance OU. What should you do to achieve this task?
Answer: A
172. You work for a large hospital. The main users in the hospital are nurses and doctors. Because they are
always on the go, you set up kiosk stations throughout the hospital for them to log on to and check Web
mail or access applications. The kiosks share one user logon and the nurses and doctors use their personal
accounts to gain access to resources via a browser interface which prompts them for credentials. One
morning a nurse logs onto a kiosk machine and is greeted by extremely offensive wallpaper. How would
you utilize Group Policy to prevent this from happening in the future?
A. Create a Group Policy and apply it to the nurses' user accounts. Disable Display Settings.
B. Create a Group Policy and apply it to the nurses' user accounts. Configure Loopback Processing in
Replace mode.
C. Create a Group Policy and apply it to the kiosk machines. Configure the wallpaper to the company logo
D. Create a Group Policy and apply it to the kiosk machines. Configure Loopback Processing in Replace
mode.
Answer: D
173. You want to obtain a log that will help you isolate the times of day that failed logons are causing a
A. Define the Audit Account Logon Events policy setting for Success events in the Default Domain Policy
GPO.
GPO.
C. Define the Audit Logon Events policy setting for Success events in the Default Domain Policy GPO.
D. Define the Audit Logon Events policy setting for Failure events in the Default Domain Policy GPO.
Answer: B
174. You are hired as the network administrator in your company. You are assigned to relocate the existing
user and computer objects in your company to different organizational units. What are two possible ways to
achieve this goal? (Each correct answer presents a complete solution. Choose two.)
Answer: AC
175. You want to keep track of when users log on to computers in the human resources department of
Adventure Works. Which of the following methods will enable you to obtain this information?
A. Configure the policy setting to audit successful account logon events in the Default Domain Controllers
GPO. Examine the event log of the first domain controller you installed in the domain.
B. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing user
accounts for employees in the human resources department. Examine the event logs of each computer in
C. Configure the policy setting to audit successful logon events in a GPO linked to the OU containing
computer accounts in the human resources department. Examine the event logs of each computer in the
D. Configure the policy setting to audit successful account logon events in a GPO linked to the OU
containing computer accounts in the human resources department. Examine the event logs of each domain
controller.
Answer: C
domain which runs Windows Server 2008. A user attempts to log on to the domain from the client computer
using his account. He receives the following message: "This account has expired. Contact your
What should you do to ensure that the user is able to log on to the domain using his account?
A. Open the properties of the user account and change the option to "Never Expire"
B. Open the properties of the user account and extend the Logon Hours setting
C. Open the properties of the user account and modify the default domain policy to decrease the duration of
account lockout.
D. Change the password option to never expire in the user account properties
Answer: A
177. The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every
computer in the company. You are the most senior administrator in the company and have full access to
every computer, and to Active Directory. Your company has a single domain and site. Which one of the
A. You configure a GPO at the domain level, and publish the application to all computers
B. You configure a GPO at the site level, and assign the application to all computers
C. You create a GPO with the required settings and link it into all OUs that have computer accounts in it.
Answer: D
178. Your domain consists of five domain controllers, one of which is running Windows Server 2008. All
other DCs are running Windows Server 2003. What must you do before installing a read-only domain
controller?
C. Run Dsmgmt.
179. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a head office and five branch
offices in the company. The offices are connected by WAN links. The company has an Active Directory
domain named wiikigo.com. Each branch office has a member server configured as a DNS server. All
According to the company requirement, the wiikigo.com zone needs to be configured to resolve client
queries for at least four days in the event that a WAN link fails. So what action should you perform?
A. The Refresh interval option for the wiikigo.com zone should be configured to 4 days.
B. The Minimum (default) TTL option for the wiikigo.com zone should be configured to 4 days.
C. The Expire after option for the wiikigo.com zone should be configured to 4 days.
D. The Retry interval option for the wiikigo.com zone should be configured to 4 days.
Answer: C
180. You are hired as the network administrator in your company. Your company has an Active Directory
forest. There is a main office and five branch offices. Each branch office has an organizational unit and a
child organizational unit called Accounts. The Accounts organizational unit contains all users and
computers of the accounts department. You are directed to install Peachtree application only on the
computers in the finance organizational unit. To install the application, you create a GPO named
A. Create a GPO to assign application to the user groups in the accounts organizational unit. Link the
B. Create a GPO and assign the application to each computer account. Link the FinanceApp GPO to the
C. Configure the GPO to assign the application to the computer account. Link the FinanceApp GPO to the
D. Configure the GPO to assign the application to the organizational unit. Link the FinanceApp GPO to the
181. During a recent burglary at a branch office of Tailspin Toys, the branch office RODC was stolen. Where
can you find out which users' credentials were stored on the RODC?
Answer: A
182. You are hired as the network administrator in your company. Your company has an Active Directory
forest containing eight linked GPOs. One of the eight GPOs publishes applications to user objects. One of
the user reports that the application is not available for installation. You have to identity whether the GPO is
Answer: D
183. Your company decided not to renew the license agreement for its contact management software. The
software is deployed on systems across many client computers in the company. A single GPO was
configured to install the software, and was linked into multiple places in the Active Directory hierarchy to
accommodate the various user groups that needed the program. You've gone into the GPO and removed
the published object for the software. Now, the object is gone from the GPO but the application is still
installed on the client computers. Which one of the following most likely explains what happened?
D. You deleted the software object from the GPO but forgot to select the uninstall options first
184. Next week, five users are relocating to one of the ten overseas branch offices of Litware, Inc. Each
branch office contains an RODC. You want to ensure that when the users log on for the first time in the
branch office, they do not experience problems authenticating over the WAN link to the data center. Which
A. Add the five users to the Allowed RODC Password Replication Group.
B. Add the five users to the Password Replication Policy tab of the branch office RODC.
C. Add the five users to the Log On Locally security policy of the Default Domain Controllers Policy GPO.
Answer: BD
185. You are hired as the network administrator in your company. Your company has a group of consultants.
All consultants belong to a global group named TempWorkers. You were advised to place three file servers
in a new organizational unit named Secureserv. These file servers contain confidential data located in
shared folders. After placing the file servers, you need to record any failed attempts made by the
consultants to access confidential data. Which of the following two actions should you perform to achieve
this task?
A. On each shared folder on the three file servers, add the TempWorkers global groups to the Auditing tab.
configure the Failed Full control setting in the Auditing Entry dialog box.
B. Create and link a new GPO to the SecureServ organizational unit. Configure the Deny access to this
computer from the network user rights setting for the TempWorkers global group.
C. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the
D. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit privilege use
E. Create and link a new GPO to the SecureServ organizational unit. Configure the Audit object access
Answer: AE
called subproduction. The organizational unit has a child organizational unit called Research.
You create a GPO named Software Deployment and link it to the Production organizational unit. You create
a shadow group for the Research organizational unit. You need to deploy an application to users in the
subproduction organizational unit. You also need to ensure that the application is not deployed to users in
the Research organizational unit. What are two possible ways to achieve this goal? (Choose two answers.
D. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the
Answer: CD
187. You are an administrator for Hi-tech, Ltd. Your organization has decided to move to Windows Server
2008 and, because of your past experience, you have decided to create a new server implementation
instead of upgrading your existing infrastructure. After the new infrastructure has been created, you will
move all data-accounts, directory settings, and more-to the new forest you will implement with Windows
Server 2008. You have been asked to create the initial forest structure. This forest includes a root domain, a
global child production domain, and a domain tree. The forest is named with a .net extension, and the
domain tree uses a .ms extension to differentiate it from the production forest. You successfully create the
forest root domain and the child domain, but when you come to the domain tree, you find that you cannot
A. You cannot create a domain tree with the Active Directory Domain Services Installation Wizard. You must
C. You must return to the Welcome page of the wizard to select the Advanced mode of the wizard.
D. The server you are using is not a member of the forest root domain.
Answer: C
applications failed. On some systems the application installed just fine, on others it only partially installed,
and on still others it failed very early in the process. You figured out what went wrong, and have modified
the MSI file. Which one of the following should you do to correct the problem?
B. You should delete and re-create the deployment object in group policy
D. You should begin manually troubleshooting the workstations that had problems
Answer: C
189. You are an administrator for Hi-tech, Ltd. Your organization has decided to move to Windows Server
2008 and, because of your past experience, you have decided to create a new server implementation
instead of upgrading your existing infrastructure. After the new infrastructure has been created, you will
move all data-accounts, directory settings, and more-to the new forest you will implement with Windows
Server 2008. You have been asked to create the initial forest structure. This forest includes a root domain, a
global child production domain, and a domain tree. The forest is named with a .net extension, and the
domain tree uses a .ms extension to differentiate it from the production forest. You successfully create the
forest root domain and the child domain, but when you come to the domain tree, you find that you cannot
create the delegation, no matter which options you try or which credentials you provide. What could be the
A. You must select the advanced mode of the wizard to create the delegation.
B. You must create a manual delegation before creating the domain tree.
C. You must tell the wizard to create the delegation during the creation of the domain tree and provide
appropriate credentials.
D. You must tell the wizard to omit the creation of the delegation during the creation of the domain tree.
E. You must create the delegation manually after the domain tree has been created.
Answer: BD
190. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
company network. Two domains are contained in this forest. All servers run Windows Server 2008. All
domain controllers are configured as DNS servers. You have a standard primary zone for dev.wiikigo.com
that is stored on a member server. You have to make sure that all domain controllers can resolve names
A. A conditional forwarder should be created on one domain controller. The conditional forwarder should be
C. A NS record for each domain controller should be created on the member server.
D. A conditional forwarder should be created on one domain controller. The conditional forwarder should be
Answer: D
191. You are hired as the network administrator in your company. Your company has an Active Directory
domain with an organizational unit called Sales. This organizational unit hosts two global security groups
named Sales directors and Sales executives. Hi-tech has instructed you to apply desktop restrictions to the
sales executives group. However, the desktop restrictions should not be applied to the Sales directors
group. You create a GPO named Desktop Lockdown and link it to the Sales organizational unit. What
A. Set the Deny Apply Group Policy permission for the Sales directors on the DesktopLockdown GPO
B. Set the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown GPO
C. Set the Allow Apply Group Policy permission for the Local domain users on DesktopLockdown GPO
D. Set the Allow Apply Group Policy permission for the Authenticated Users on DesktopLockdown GPO
Answer: A
192. You are an administrator at Trey Research. The Trey Research forest consists of three domains, each
of which includes two domain controllers running Windows Server 2003. You want to upgrade one of the
Answer: D
193. You work for a small accounting firm. Recently your boss, the owner of the company, read an article
about weaknesses in password security. He's asked that you require everyone in the company to change
his or her password every 30 days, and to have to use at least 12 different passwords per year. Which of
the following settings do you configure in the Default Domain Policy? (Select all that apply.)
Answer: AC
194. You are hired as the network administrator in your company. Your company has an Active Directory
forest that contains Windows Server 2008 domain controllers and DNS servers. All client computers run
Windows XP. You need to use your client computers to edit domain-based GPOs by using the ADMX files
that are stored in the ADMX central store. What should you do?
B. Create a folder on the Primary Domain Controller (PDC) emulator for the domain in the PolicyDefinitions
Answer: C
195. You are an administrator at Hi-tech, Ltd. The domain was built using Windows Server 2008 domain
controllers. You want to improve authentication at a remote site by promoting a member server at the site to
a read-only domain controller. There is no IT support at the site, so you want the site's manager to perform
the promotion. You do not want to give her administrative credentials in the domain. Which steps must you
Answer: BCD
196. You are working in a Windows Server 2008 PKI and going over various user profiles that are subject to
deletion due to company policy. The public keys for these users are stored under Documents and
and Settings\Administrator\Crypto\RSA. You possess copies of the public keys in the registry, and in Active
Directory. What effect will the deletion of the user profile have on the private key?
Answer: C
197. You are hired as the network administrator in your company. Your company has a network with a
single Active Directory domain. There are two domain controllers installed which run Windows Server 2008.
You have enabled the Audit account management policy and Audit directory services access settings for
the entire domain. You must ensure that the changes made to Active Directory objects are logged. The
changes logged must show the old and new values of any attribute. What should you do to achieve this
task?
A. Enable the Audit Directory services access setting and directory service changes by accessing Default
C. Execute auditpol.exe and configure the security settings of the domain controllers Organizational unit
Answer: C
198. You want to promote a server to act as a domain controller, but you are concerned about the
replication traffic that will occur during the promotion and its impact on the slow link between the server's
site and the data center where all other domain controllers are located, so you choose to promote the
server, using a backup of the directory from another domain controller. What must you do to create the
installation media?
C. Run Ntdsutil.exe in the IFM mode and use the Create Sysvol Full command.
D. Copy ntds.dit and SYSVOL from a domain controller to a location in the remote site.
Answer: C
199. You are hired as the network administrator in your company. Your company has an Active Directory
forest with a single domain. The domain has Windows Server 2008 at its functional level. You are instructed
to create a global distribution group and add users to it. After creating the group and adding users, you
create a shared folder on a Windows Server 2008 member server and place the global distribution group in
a domain local group that has access to the shared folder. What should you do to ensure that the users can
D. Modify the group type of the global distribution group to a security group
Answer: D
200. You are an administrator at Hi-tech, Ltd. The hi-tech.com domain consists of two sites. At the
headquarters, one domain controller, named SERVER01, is a GC server and performs all five operations
master roles. The second domain controller at the headquarters is named SERVER02. SERVER02 is not a
GC and performs no operations master roles. At the branch office, the domain controller is named
SERVER03, and it is a GC server. Which change to the operations master role placement must you make?
Answer: E
201. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. All consultants belong to a global group named TempWorkers. The TempWorkers group is
not nested in any other groups. You have the computer objects of three file servers moved to a new
organizational unit named SecureServers. These file servers contain only confidential data in shared
folders.
According to the company requirement, you have to prevent members of the TempWorkers group from
accessing the confidential data on the file servers. When you try to achieve this, you must make sure that
A. A new GPO should be created and it should be linked to the SecureServers organizational unit. The
Deny log on locally user right should be assigned to the TempWorkers global group.
B. A new GPO should be created and it should be linked to the domain. The Deny log on locally user right
C. A new GPO should be created and it should be linked to the domain. The Deny access to this computer
should be assigned from the network user right to the TempWorkers global group.
D. A new GPO should be created and it should be linked to the SecureServers organizational unit. The
Deny access to this computer should be assigned from the network user right to the TempWorkers global
group.
Answer: D
202. You are hired as the network administrator in your company. Your company network consists of a
create multiple password policies for users in your domain. What should you do?
A. From the ADSI Edit snap-in, create multiple Password Setting objects.
B. From the Group Policy Management snap-in, create multiple Group Policy objects.
Answer: A
203. You are an administrator at Hi-tech, Ltd. The forest consists of two domains, hi-tech.com and
You are going to decommission the windows.hi-tech.com domain and move all accounts into hi-tech.com.
You want to transfer all operations masters to SERVER01.hi-tech.com. Which operations masters do you
A. Infrastructure master
B. PDC emulator
C. RID master
D. Schema master
Answer: DE
204. You are browsing your company's e-commerce site using Internet Explorer 7 and have added a
number of products to the shopping cart. You notice that there is a padlock symbol in the browser. By right
clicking this symbol you will be able to view information concerning the site's:
A. Private Key.
B. Public Key.
C. Information Architecture.
D. Certificates.
Answer: D
205. You are hired as the network administrator in your company. Your company has an Active Directory
New York
London
Amsterdam
Rome
Each location has a child organizational unit named finance. The finance organizational unit hosts all the
users and computers in the finance department. The offices in London and, Amsterdam and New York are
connected by T1 connections. However, the office in Rome is connected by a 128-Kbps ISDN connection.
The company has instructed you to install an application on all computers in the finance department. Which
two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the
complete solution)
A. Create a Group Policy Object (GPO) named accountingtree Install that assigns the application to the
B. Create a GPO named accounting tree install that assigns the application to each user in the
C. Change the slow link detection setting to 2,544 Kbps (T1) in the GPO
Answer: AC
206. You are an administrator at Hi-tech, Ltd. The hi-tech.com domain has five domain controllers. You
want to move all domain operations masters to SERVER02.hi-tech.com. Which masters do you move?
A. Infrastructure master
B. PDC emulator
C. RID master
D. Schema master
Answer: ABC
Windows XP. Hi-tech .com has directed you to ensure that users are able to install approved application
updates on their computers. Which of the following two actions should you perform to achieve this task?
A. Create a GPO and link it to the domain. Configure the GPO to direct client computers to the Microsoft
B. In the environment, install the Microsoft WSUS application on a server and configure the server to
search for new updates on the internet. Configure it to approve all required updates.
D. Create a GPO and link it to the server. Configure the GPO to automatically search for updates on
Answer: AB
208. You are an administrator at Trey Research. Your domain consists of three domain controllers, two
running Windows Server 2008 and one running Windows Server 2003. The forest root domain has two
domain controllers, both running Windows Server 2003. You want to replicate SYSVOL in your domain,
using DFS-R. What steps must you take? (Choose all that apply. Each correct answer is part of the
solution.)
C. Upgrade your Windows Server 2003 domain controller to Windows Server 2008.
D. Configure the domain functional level of your domain to Windows Server 2008.
E. Configure the domain functional level of the forest root domain to Windows Server 2008.
Answer: CD
209. You are hired as the network administrator in your company. Your company has a network that
consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in
the network. You are instructed to capture all replication errors from all domain controllers to a central
Answer: B
210. You are the administrator of your company's Windows Server 2008-based network and are attempting
to enroll a smart card and configure it at an enrollment station. Which of the following certificates must be
A. A machine certificate.
B. An application certificate.
C. A user certificate.
Answer: C
211. You are hired as the network administrator in your company. Your company has file server located in
an organizational unit named Salaries. The files servers have salaries files in a folder named salaries. You
create a GPO. You have to track which employees access the salaries files on the file servers. What should
A. Enable AUDIT object access option. Link the GPO to the Salaries organizational unit. On the file servers,
B. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file
servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure
D. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On
the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: A
212. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
company. And a single domain is included by the Active Directory forest. An Active Directory Federation
Services (AD FS) server role is installed on the domain member server. Since you are the technical support,
information from the Active Directory domain is included by AD FS tokens. Which action should be
A. To achieve the goal, a new resource partner should be added and configured.
C. To achieve the goal, a new account store should be added and configured.
D. To achieve the goal, a new account partner should be added and configured.
Answer: C
213. You want to configure Active Directory so that replication of logon scripts is managed using DFS-R.
A. Dfsrmig.exe
B. Repadmin.exe
C. Dfsutil.exe
D. Dfscmd.exe
Answer: A
214. Two users, Dave and Dixine, wish to communicate privately. Dave and Dixine each own a key pair
consisting of a public key and a private key. A public key was used to encrypt a message and the
corresponding private key was used to decrypt. What is the major security issue with this scenario?
B. Information encrypted with a public key can be decrypted too easily with out the private key.
C. An attacker can intercept the data mid-stream, and replace the original signature with his or her own,
Answer: C
that runs Windows Server 2008. The server is a backup server with a single 500-GB hard disk and has
three partitions for the applications, operating system and data. As per company policy, you perform daily
backups of the server. The hard disk fails and you replace the hard disk with a new one of same capacity.
After restarting the computer on the installation media, you select repair your computer option. You want to
restore the operating system and all the other files. What should you do to achieve this task?
Answer: C
216. Client computers in a branch office are performing poorly during logon. You notice that the computers
report that their logon server is a domain controller in a remote site rather than the domain controller in the
branch office itself. Which of the following could cause this problem?
C. The branch office IP address range is not associated with the site.
Answer: C
217. You are hired as the network administrator in your company. Your company has a single Active
Directory domain and two domain controllers which run Windows Server 2008. Due to a problem, you need
to reset the Directory Services Recovery Mode (DSRM) password on one domain controller. What tool
B. Netsh
C. ntdsutil
218. You are responsible for performing backups on the DCs on your network. Your boss has requested
that you conduct system state backups to DVD. How do you accomplish this?
A. Run the Windows Server Backup Wizard, select System State Backup, and set your target to the DVD
drive
B. Run the Windows Server Backup Wizard, select a local drive as the target, and then copy the system
C. Run the wbadmin.exe command with the start systemstatebackup command and target it to the DVD
drive
D. Run the wbadmin.exe command with the start systemstatebackup command, set the target to a local
fixed drive, and then copy the system state backup to a DVD
Answer: D
219. You are hired as the network administrator in your company. Your company has an Active Directory
domain called ad. Hi-tech .com. There are two domain controllers on the network: Server01 and Server02.
Other administrators try to log on to the domain controllers but their logon attempts fail. You have to identify
the logon attempts on the domain controllers. What should you do to achieve this task?
Answer: B
220. You are adding a read-only domain controller to a branch office location. You want to ensure that
clients in the branch office are likely to authenticate with the RODC. What is required? (Choose all that
apply.)
A. A subnet object with the network prefix of the branch office IP address range
B. An account for the domain controller in the organizational unit for the site
Answer: ADE
221. You are the network administrator at your company. The Active Directory database file on one of your
DCs is corrupt. You decide to perform a nonauthoritative restore on the DC. You reboot the server into
DSRM and try to log on as the domain administrator but you cannot. You need to get this DC back up and
C. Change the domain administrator's password from another DC and then log on using the account with
Answer: D
222. As an administrator at You are hired as the network administrator in your company. Your company, you
create 200 new user accounts. The users are located in six different sites. The users report that when they
try to log on, they receive the following error message: "The username or password is incorrect" You
confirm that the user accounts exist and are enabled. You also confirm that the username and password
are correct too. You have to identity the cause of this failure. You also need to ensure that the new users are
able to log on using their accounts. What should you do to achieve this task?
A. Repadmin
B. Rsdiag
D. Rstools
Answer: A
223. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
Schema snap-in in the Microsoft Management Console (MMC). Since you are the technical support, you
are required to make sure that the Active Directory Schema snap-in is available.
A. To achieve the goal, you should connect to the schema master operations master and open the schema
B. To achieve the goal, you should have the Active Directory Lightweight Directory Services (AD LDS) role
D. To achieve the goal, you should utilize an account that is a member of the Schema Admins group to log
Answer: C
224. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a current Active Directory site
named S01. You have a new Active Directory site created and name it S02. Since you are the technical
support, you are required to configure Active Directory replication between S01 and S02. A new domain
controller is installed. And the site link between S01 and S02 is created. To achieve the goal, which action
A. To achieve the goal, the Active Directory Sites and Services console should be utilized to assign a new
IP subnet to S02. And then, the new domain controller object should be migrated to S02.
B. To achieve the goal, the Active Directory Sites and Services console should be utilized to configure the
C. To achieve the goal, the Active Directory Sites and Services console should be utilized to configure a
D. To achieve the goal, the Active Directory Sites and Services console should be utilized to decrease the
Answer: A
that the domain controller in the branch is able to authenticate users when it cannot contact a global catalog
C. Intersite replication
Answer: D
226. You are the domain administrator for your company. Your network consists of multiple DCs at multiple
sites. A DC at your local site is having problems with replicating. You need to know when this DC last
attempted to perform an inbound replication on the Active Directory partitions. How would you accomplish
this?
Answer: D
227. You are hired as the network administrator in your company. Hi-tech .com runs Window Server 2008
on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The
security policy at Hi-tech .com makes it necessary to examine revoked certificate information. You need to
make sure that the revoked certificate information is available at all times.
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet
228. You are hired as the network administrator in your company. Your company has a server that runs
Windows Server 2008. The Enterprise Root CA is also installed on the server. The Security policy prevents
port 443 and port 80 from being opened on domain controllers and on the issuing CA. You have to allow
users to request certificates from a web interface. To do that, you install AD CS role. What should you do
next?
A. Configure the Certification Authority Web Enrollment Role Service on a member server.
C. Configure the Certification Authority Web Enrollment Role Service on a domain controller.
Answer: A
229. You are the administrator at Hi-tech, Ltd. The Hi-tech forest consists of three domains, each with four
domain controllers. You are preparing to demote a domain controller in the forest root domain.You want to
be sure that you do not permanently destroy any Active Directory partitions. Which of the following Active
Directory partitions might exist only on that domain controller? (Choose all that apply.)
A. Schema
B. Configuration
C. Domain
Answer: DE
230. You are hired as the network administrator in your company. Your company has an Active Directory
domain. As an administrator, you plan to install the Active Directory Certificate Service (AD CS) role on a
member server running Windows Server 2008. You have to make sure that the Account Operators group is
Which of the following three actions should you perform to achieve this task?
A. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
C. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
Answer: ADF
231. You are hired as the network administrator in your company. Your company employs Windows Server
2008 Enterprise certificate authority (CA) to issue certificates. You're instructed to implement key archival.
C. Revoke the Enterprise subordinate CA and issue a user certificate to users of the encrypted files
D. Configure the automatic enrollement for the computers that store encrypted files
Answer: A
232. You are the domain administrator for your company. At your site you have a single DC that also acts as
an application server. From 10:00 a.m. to 4:00 p.m., users complain about slow logons to the network and
that accessing resources from this DC is incredibly slow during most of the workday. You log on to the DC,
pull up the Task Manager, and notice that a process called CustApp.exe is using just more than 90% of the
CPU cycles. The application must remain running during the day, but you also need to resolve the slow
logon issues. There is no money in the budget for additional hardware. What is the best way to handle this
situation?
A. Go into the Windows System Resource Manager on the DC, and create a new recurring calendar event
to start at 8:00 a.m. and end at 5:00 p.m. daily. Associate the event with the Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe and set the priority to Below
Normal.
C. Go into the Task Manager and into the Process tab. Find CustApp.exe and end the process.
Answer: A
233. You are hired as the network administrator in your company. Your company has a server that runs
Windows Server 2008. Primarily this server has certification services configured as a stand-alone
Certification Authority (CA). As per company policy, you are required to audit changes to the CA
configuration setting and the CA security settings. Which two actions should you perform to achieve this
task? (Choose two answers. Each answer is part of the complete solution)
B. Enable and configure the Audit object Access setting in the local security policy for the certification
services server
C. Configure the certification services server to log successful and failed attempts to change permissions
D. Open the Certification services snap-in and configure auditing for security settings
Answer: AB
234. You want to configure all the existing domain controllers in your forest as global catalog servers. Which
tools can you use to achieve this goal? (Choose all that apply.)
A. Dcpromo.exe
Answer: C
235. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Nine new employees are hired by your
company. The new employees should connect to the main office through a VPN connection. New user
accounts are created and the new employees are granted the Allow Read and Allow Execute permissions
to shared resources in the head office. Shared resources in the head office cannot be accessed by the new
employees. Since you are the technical support, you are required to make sure that users are enabled to
A. To achieve the goal, the new employees should be added to the Windows Authorization Access security
group.
B. To achieve the goal, the new employees should be granted the Allow Full control permission.
C. To achieve the goal, the new employees should be granted the Allow Access Dial-in permission.
D. To achieve the goal, the new employees should be added to the Remote Desktop Users security group.
Answer: C
236. The network infrastructure at Trey Research prevents direct IP connectivity between the data center
and a research ship at sea. What must you do to support replication between the data center and the ship?
B. Increase the cost of the Active Directory site link containing the headquarters and the ship.
D. Manually create a connection object between the domain controller on the ship and a domain controller
at the headquarters.
Answer: A
237. You are hired as the network administrator in your company. Your company has servers that run
Windows Server 2008. You administer 2 servers named SERVER01 and SERVER02. You have installed
the enterprise root certification authority (CA) on SERVER01 and Online Responder role service on
SERVER02. You want the SERVER01 to support the online responder. What should you do to configure
D. Create a conventional Group Policy Object (GPO) and import enterprise root CA certificate. Link the
GPO to SERVER01
Answer: A
238. You want to initiate replication manually between two domain controllers to verify that replication is
B. Repadmin.exe
C. Dcdiag.exe
Answer: AB
239. You are hired as the network administrator in your company. Your company runs Window Server 2008
on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The
security policy at Hi-tech.com makes it necessary to examine revoked certificate information. You need to
make sure that the revoked certificate information is available at all times.
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet
Answer: D
240. You want to raise the domain functional level of a domain in the hi-tech.com forest. Which tool can you
Answer: AD
241. You are an administrator of the hi-tech.com domain. You want to add a read-only domain controller to
a domain with one Windows Server 2003 domain controller and one Windows 2008 domain controller.
Answer: BDE
242. You have just finished upgrading all domain controllers in the hi-tech.com domain to Windows Server
2008. Domain controllers in the subsidiary.hi-tech.com domain will be upgraded in three months. You want
to configure fine-grained password policies for several groups of users in hi-tech.com. What must you do
first?
B. Run Dfsrmig.exe.
Answer: C
243. You are an administrator at Wingtip Toys, which has just acquired Tailspin Toys. You have created a
one-way outgoing trust to enable users in the tailspintoys.com domain to access resources that have been
moved into the wingtiptoys.com domain. Some users from tailspintoys.com are able to access the
resources successfully, but other users are reporting that they are unable to gain access to the resources.
You discover that the users having problems have worked for Tailspin Toys for eight or more years and that
their accounts were migrated from a Windows NT 4.0 domain. What must you do to enable them to gain
A. Create accounts in the wingtiptoys.com domain with the same user names and passwords as their
B. Rebuild the Windows NT 4.0 domain and upgrade a domain controller to Windows Server 2008.
Answer: CD
244. You are a systems administrator for hi-tech.com. You have been requested to compact the database
on one of the two DCs for the forest root domain. However, when you try to stop the AD DS service, you find
that you cannot stop it on the server you are working on. What could be the problem?
D. You must use the net stop command to stop the AD DS service.
Answer: B
245. You are a systems administrator at hi-tech.com. As you log on to a DC to perform maintenance, you
get the impression that server response is sluggish. You want to verify what is going on. Which tool should
A. Reliability Monitor
B. Event Viewer
C. Task Manager
D. Performance Monitor
Answer: ABCD
246. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
contained by your network. Windows Server 2003 is run by all domain controllers. All domain controllers are
upgraded to Windows Server 2008. Since you are the technical support, you are required to make sure that
Answer: B
247. You are hired as the network administrator in your company. Your company has an Active Directory
domain. As an administrator, you plan to install the Active Directory Certificate Service (AD CS) role on a
member server running Windows Server 2008. You have to make sure that the Account Operators group is
Which of the following three actions should you perform to achieve this task?
A. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
C. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
Answer: ADF
248. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. You have a domain controller that runs the
DHCP service. You need to perform an offline defragmentation of the Active Directory database on the
domain controller. You must achieve this goal without affecting the availability of the DHCP service. What
A. The Active Directory Domain Services service should be stopped. The Ntdsutil utility should be run.
B. The domain controller should be restarted in Directory Services Restore Mode. The Ntdsutil utility should
be run.
C. The Active Directory Domain Services service should be stopped. The Disk Defragmenter utility should
be run.
D. The domain controller should be restarted in Directory Services Restore Mode. The Disk Defragmenter
Answer: A
249. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. Windows Server 2008 is run by all servers. An Enterprise Root certification authority (CA) is run
by your company. You have to make sure that only administrators can sign code. So what should you do?
A. The security settings on the template should be modified to allow only administrators to request code
signing certificates.
B. The local computer policy of the Enterprise Root CA should be edited to allow only administrators to
D. The local computer policy of the Enterprise Root CA should be edited to allow users to trust peer
Answer: AC
250. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. An Enterprise Root certification authority (CA) is installed on a member server named S01.
Since you are the technical support, you are required to make sure that only the Security Manager is
enabled to revoke certificates which are provided by S01. Which action should be performed to achieve the
goal?
A. To achieve the goal, the Allow - Manage CA permission should be assigned to only the Security Manager
user account.
B. To achieve the goal, the Allow - Issue and Manage Certificates permission should be assigned to only
C. To achieve the goal, the Request Certificates permission should be removed from the Domain Users
D. To achieve the goal, the Request Certificates permission should be removed from the Authenticated
Users group.
Answer: B
251. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. And Windows Server 2008 is run by the Active Directory domain. An OU for Computers, an
OU for Groups, and an OU for Users are included by the Sales OU. Nightly backups are performed. The
Groups OU is deleted by an administrator. Since you are the technical support, you are required to restore
the Groups OU, and users and computers in the Sales OU should not be affected. Which action should be
Answer: D
252. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. An organizational unit and a child organizational unit named Sales are contained by each branch
office. All users and computers of the sales department are included by the Sales organizational unit. Since
you are the technical support, you are required to have a Microsoft Office 2007 application installed only on
the computers in the Sales organizational unit. A GPO named SApplication GPO should be created. Which
A. The GPO should be configured to assign the application to the computer account. And then, the
B. The GPO should be configured to assign the application to the user account. And then, the SApplication
C. The GPO should be configured to publish the application to the user account. And then, the SApplication
D. The GPO should be configured to assign the application to the computer account. And then, the
SApplication GPO should be linked to the Sales organizational unit in each location.
Answer: D
253. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. It is reported by a user in a branch office of
your company that he fails to join a computer to the domain. Since you are the technical support, you are
required to enable the user to join a single computer to the domain. In addition, you should make sure that
only rights which are necessary to finish the task should be given to the user. Which action should be
A. To achieve the goal, the user to the Server Operators group should be added in the Active Directory
domain.
B. To achieve the goal, the user the right should be granted to log on locally by utilizing a Group Policy
Object (GPO).
C. To achieve the goal, the computer account should be prestaged in the Active Directory domain.
D. To achieve the goal, the user to the Domain Administrators group should be added for one day.
Answer: C
254. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
contained by your network. And nine domain controllers are included by the domain. Windows Server 2008
is run by the domain controllers. In addition, the domain controllers are configured as DNS servers. A new
Active Directory-integrated zone will be created. According to the company requirements, you should make
sure that the new zone is only copied to four of your domain controllers. Which actions should be performed
first?
specified.
B. From the command prompt, dnscmd should be run and the /createdirectorypartition parameter should be
specified.
Answer: B
255. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a domain controller which runs
Windows Server 2008. The domain controller has the Windows Server Backup feature installed. You have
to use an existing backup file to perform a non-authoritative restore of the domain controller. So what action
A. The domain controller should be restarted in safe mode. Perform a critical volume restore by using the
WBADMIN command.
B. The domain controller should be restarted in safe mode. Perform a critical volume restore by using the
C. The domain controller should be restarted in Directory Services Restore Mode. Perform a critical volume
D. The domain controller should be restarted in Directory Services Restore Mode. Perform a critical volume
Answer: C
256. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a domain controller in the
company, and the DHCP service is run by the controller. Since you are the technical support, you are
required to have an offline defragmentation of the Active Directory database performed on the domain
controller. In addition, the availability of the DHCP service should not be affected during the process. Which
A. To achieve the goal, the Active Directory Domain Services service should be stopped. And then, the
B. To achieve the goal, the Active Directory Domain Services service should be stopped. And then, the Disk
C. To achieve the goal, the domain controller should be restarted in Directory Services Restore Mode. And
D. To achieve the goal, the domain controller should be restarted in Directory Services Restore Mode. And
Answer: A
257. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. You are in charge of two servers named
S01 and S02. Windows Server 2008 is run by both servers. S01 is configured as an enterprise root
certification authority (CA). You have the Online Responder role service installed on S02. You have to
configure S01 to support the Online Responder. So what action should you perform?
Answer: A
258. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. An Active Directory forest is included by
your network. And one domain named wiikigo.com is contained by the Active Directory forest. Windows
Server 2008 is run by all domain controllers. In addition, all domain controllers are configured as DNS
servers. There are two Active Directory-integrated zones: wiikigo.com and cosoto.com. According to the
company requirements, you should make sure that a user can change records in the wiikigo.com zone. The
A. From the Active Directory Users and Computers console, the Delegation of Control Wizard should be
run.
B. From the Active Directory Users and Computers console, the permissions of the Domain Controllers
C. From the DNS Manager console, the permissions of the wiikigo.com zone should be changed.
D. From the DNS Manager console, the permissions of the cosoto.com zone should be changed.
Answer: C
259. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a head office and three branch
offices in your company. The company configures each office as a separate Active Directory site, and the
Active Directory site has its own domain controller. An account that has administrative rights should be
disabled. Since you are the technical support, you are required to copy the disabled account information
instantly to all sites. To accomplish the task, which two of the following options should be performed?
A. To accomplish the task, the current connection objects and force replication should be chosen from the
B. To accomplish the task, all domain controllers should be configured as global catalog servers from the
C. To accomplish the task, Dsmod.exe should be utilized to configure all domain controllers as global
catalog servers.
D. To accomplish the task, Repadmin.exe should be utilized to force replication between the site connection
objects.
Answer: AD
260. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
contained by your network. Windows Server 2008 is run by all domain controllers. Since you are the
technical support, you are required to have all replication errors captured from all domain controllers to a
A. To achieve the goal, the Active Directory Diagnostics data collector set should be started.
B. To achieve the goal, Network Monitor should be installed and a new a new capture should be created.
D. To achieve the goal, the System Performance data collector set should be started.
Answer: C
261. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a head office and 40 branch
office in your company. Each branch office is configured as a separate Active Directory site which has a
dedicated read-only domain controller (RODC). An RODC server is stolen from one of the branch offices.
According to the company requirement, you have to identify the user accounts that were cached on the
Answer: C
262. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company network. User accounts for engineering department reside in an OU named Engineering.
According to the company requirement, you have to create a password policy for the engineering
department that is different from your domain password policy. So what action should you perform?
A. A domain local security group should be created and all the user accounts for the engineering
B. A new GPO should be created. The GPO should be linked to the Engineering OU.
C. A new GPO should be created. The GPO should be linked to the domain. Block policy inheritance on all
D. A global security group should be created and all the user accounts for the engineering department
should be added to the group. A new Password Policy Object (PSO) should be created and it should be
Answer: D
263. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. The company has offices that are located
in Asian and Europe. There is an Active Directory forest in this company. This forest contains three domains.
Now you receive an order from the company management. You are asked to cut down the time required to
authenticate users from the labs.eu.wiikigo.com domain when they access resources in the
A. The replication interval for the DEFAULTIPSITELINK site link should be decreased.
Answer: D
264. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain
named wiikigo.com in your company. There are two DNS servers named DNS01 and DNS02 in the
company network.
The table below shows the configuration of the DNS servers.Domain users, who are configured to use
DNS02 as the preferred DNS server, cannot connect to Internet Web sites. According to the company
you perform?
C. The .(root) zone should be deleted from DNS02. Conditional forwarding on DNS02 should be configured.
D. The Cache.dns file on DNS02 should be updated. Conditional forwarding on DNS01 should be
configured.
Answer: C
265. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company network. Windows Server 2008 is run by all domain controllers.
Auditing is configured to log changes made to the Managed By attribute on group objects in an
organizational unit named OU1. You have to log changes made to the Description attribute on all group
A. A new Group Policy object (GPO) should be created. The Audit account management policy setting
Answer: C
266. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company network. One domain is contained in this forest. Windows Server 2008 is run by all domain
controllers that are configured as DNS servers. You have an Active Directory-integrated zone and two
the zone. According to the company requirement, you have to make sure that all domain controllers
immediately receive the new NS record. So what action should you perform?
B. Increase the version number of the SOA record from the DNS Manager console.
Answer: A
267. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a server named S01 in the
company. S01 runs Windows Server 2008. S01 runs an instance of Active Directory Lightweight Directory
Services (AD LDS). You need to replicate the AD LDS instance on a test computer that is located on the
A. Run the Dsmgmt command on the test computer to create a naming context.
B. Run the Dsmgmt command on the test computer to create a new directory partition.
C. Run the AD LDS Setup wizard on the test computer to create and install a replica.
D. The repadmin /kcc <servername> command should be run on the test computer.
Answer: C
268. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. The company wants users to use a new
User Principal Name (UPN) to log on to Active Directory. You are asked to modify the UPN suffix for all user
269. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Since you are the technical support, you
are required to have all failed logon attempts on the domain controllers identified.
A. To achieve the goal, the Security tab should be viewed on the domain controller computer object.
Answer: B
270. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
included by your network. Windows Server 2008 is run by all domain controllers. Since you are the
technical support, you are required to reset the Directory Services Recovery Mode (DSRM) password on a
domain controller. From the following four tools, which one should be utilized to achieve the goal?
A. To achieve the goal, local Users and Groups snap-in should be utilized.
B. To achieve the goal, active Directory Users and Computers snap-in should be utilized.
Answer: D
271. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. And a single domain is included by the Active Directory forest. An Active Directory Federation
Services (AD FS) server role is installed on the domain member server. Since you are the technical support,
included by AD FS tokens contain. Which action should be performed to achieve the goal?
A. To achieve the goal, a new resource partner should be added and configured.
C. To achieve the goal, a new account store should be added and configured.
D. To achieve the goal, a new account partner should be added and configured.
Answer: C
272. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. The company intends to have the Active Directory Certificate Service (AD CS) server role
installed on a member server, and Windows Server 2008 is run by the server. Since you are the technical
support, you are required to make sure that members of the Account Operators group should be enabled to
have smartcard credentials issued. But they should not be enabled to have certificates revoked. To achieve
B. To achieve the goal, the AD CS server role should be installed and it should be configured as an
C. To achieve the goal, the AD CS server role should be installed and it should be configured as a
Standalone CA.
D. To achieve the goal, enrollment agents for the Smartcard logon certificate should be restricted to the
E. To achieve the goal, certificate managers for the Smartcard logon certificate should be restricted to the
Answer: BDF
273. You work as a technology specialist in an international company named Wiikigo. Your major job is to
Directory infrastructure and maintaining Active Directory objects. There is a head office and a branch office
in the company. The offices are connected by a WAN link. There is an Active Directory forest in the
company. A single domain named ad.wiikigo.com is contained in the forest. The ad.wiikigo.com domain
contains one domain controller named DC01 that is located in the head office. DC01 is configured as a
DNS server for the ad.wiikigo.com DNS zone. This zone is configured as a standard primary zone. You
install a new domain controller named DC02 in the branch office. You install DNS on DC02. You have to
make sure that the DNS service can update records and resolve DNS queries in the event that a WAN link
D. In order to make sure of this, a new stub zone named ad.wiikigo.com should be created on DC02.
Answer: C
274. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. An Active Directory Rights Management
Services (AD RMS) server is contained by your company. Windows Vista is run by the users' computers.
And the company configures an Active Directory domain at the Windows Server 2003 functional level.
According to the company requirements, you should configure AD RMS so as to make sure that the users
are enabled to protect their documents. Which action should be performed to achieve the goal?
A. To achieve the goal, an e-mail account should be created in Active Directory Domain Services (AD DS)
B. To achieve the goal, Active Directory domain should be upgraded to the functional level of Windows
Server 2008.
C. To achieve the goal, the AD RMS client 2.0 should be installed on each client computer.
D. To achieve the goal, the RMS service account should be added to the local administrators group on the
AD RMS server.
Answer: A
275. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain, and
Windows Server 2008 is run by the domain. You are required to implement a certification authority (CA)
Second, a certification authority (CA) server should integrate with Active Directory Domain Services
A. To achieve the goal, a certificate should be purchased from a third-party certification authority. And then,
the certificate should be imported into the computer store of the schema master.
B. To achieve the goal, the Active Directory Certificate Services server role should be installed and
C. To achieve the goal, the Active Directory Certificate Services server role should be installed and
D. To achieve the goal, a certificate should be purchased from a third-party certification authority. And then,
the Active Directory Certificate Services server role should be installed and configured as a Standalone
Subordinate CA.
Answer: C
276. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Since you are the technical support, you
are required to have a read-only domain controller (RODC) deployed, and Windows Server 2008 is run by
RODC. As you should choose a minimal forest functional level, which of the following should be utilized?
Answer: B
277. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There are file servers in your company,
and they are located in an organizational unit named PRoll. PRoll files are included by file servers which are
in a folder named PRoll. A GPO is created. Since you are the technical support, you are required to have
the employees who access the PRoll files on the file servers tracked.
A. The Audit process tracking option should be enabled. And then, the GPO should be linked to the PRoll
organizational unit. At last, Auditing for the Everyone group in the PRoll folder should be configured on the
file servers.
B. The Audit object access option should be enabled. And then, the GPO should be linked to the PRoll
organizational unit. At last, Auditing for the Everyone group in the PRoll folder should be configured on the
file servers.
C. The Audit object access option should be enabled. And then, the GPO should be linked to the domain. At
last, Auditing for the Authenticated Users group in the PRoll folder should be configured on the domain
controllers.
D. The Audit process tracking option should be enabled. And then, the GPO should be linked to the Domain
Controllers organizational unit. At last, Auditing for the Authenticated Users group in the PRoll folder should
Answer: B
278. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. You have a new domain controller installed in the domain. You receive report from twenty users
saying that they cannot log on to the domain. You have to reregister the SRV records. Which command
B. The sc stop netlogon command should be run followed by the sc start netlogon command.
Answer: B
279. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. In your company, there are three Active
Directory domains in a single forest. A new Active Directoryenabled application is installed. New user
attributes are added to the Active Directory schema by the application. You find that the Active Directory
replication traffic to the Global Catalogs has raised. Since you are the technical support, you are required to
stop the new attributes from being copied to the Global Catalog. The application functionality should not be
A. To achieve the goal, the new attributes in the Active Directory schema should be marked as defunct.
B. To achieve the goal, the properties in the Active Directory schema should be changed for the new
attributes.
C. To achieve the goal, the replication interval for the DEFAULTIPSITELINK object should be modified to
9990.
D. To achieve the goal, the cost for the DEFAULTIPSITELINK object should be modified to 9990.
Answer: B
280. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. The company intends to have an Enterprise certification authority (CA) installed on a dedicated
stand-alone server. When you try to have the Active Directory Certificate Services (AD CS) server role
added, you find that the Enterprise CA option cannot be accessed. You are required to have the AD CS
server role installed as an Enterprise CA. Which action should be performed to achieve the goal?
A. To achieve the goal, the Web Server server role and the AD CS server role should be added.
B. To achieve the goal, the Active Directory Lightweight Directory Services (AD LDS) server role should be
added.
Answer: D
281. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company network. Ten domain controllers are contained in the domain. Windows Server 2008 is run
by the domain controllers that are configured as DNS servers. You decide to create a new Active
Directory-integrated zone. You have to make sure that the new zone is only replicated to four of your
A. Run dnscmd and specify the /enlistdirectorypartition parameter from the command prompt.
B. Run dnscmd and specify the /createdirectorypartition parameter from the command prompt.
Answer: B
282. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a current Active Directory site
named S01. A new Active Directory site named S02 is created. Since you are the technical support, you are
required to configure Active Directory replication between S01 and S02. A new domain controller is installed.
The site link between S01 and S02 is created. To achieve the goal, which action should be performed next?
A. To achieve the goal, the Active Directory Sites and Services console should be utilized to reduce the site
B. The Active Directory Sites and Services console should be utilized to assign a new IP subnet to S02. And
C. The Active Directory Sites and Services console should be utilized to configure the new domain
D. To achieve the goal, the Active Directory Sites and Services console should be utilized to configure a
Answer: B
283. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There are two domain controllers in your
company, and both domain controllers are configured as internal DNS servers. You can see all zones on
the DNS servers are Active Directory-integrated zones. All dynamic updates are permitted by the zone. You
find a problem that there are multiple entries in the wiikigo.com zone
for the host names of computers that do not exist. Therefore, you plan to configure the wiikigo.com zone to
automatically move expired records. Which action should be performed to achieve the goal?
A. To achieve the goal, the default expiration interval should be increased on the wiikigo.com zone from the
B. To achieve the goal, only secure updates should be enabled on the wiikigo.com zone.
C. To achieve the goal, scavenging should be enabled and the refresh interval should be configured on the
wiikigo.com zone.
D. To achieve the goal, the default refresh interval should be reduced on the wiikigo.com zone from the
Answer: C
284. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Shared folders are used by your company.
Users are granted access to the shared folders by using domain local groups. Confidential data is
contained in one of the shared folders. You have to make sure that unauthorized users cannot access the
shared folder that contains confidential data. So what action should you perform?
A. The unauthorized users should be instructed to use the Guest account to log on. Configure the Deny Full
control permission on the shared folders that hold the confidential data for the Guest account.
B. Use the Dsmod utility to enable the Do not trust this computer for delegation property on all the
unauthorized users should be placed into the Deny DLG group. The Deny Full control permission should be
configured on the shared folder that holds the confidential data for the Deny DLG group.
D. A Global Group named Deny DLG should be created. The global group that contains the unauthorized
users should be placed into the Deny DLG group. The Allow Full control permission should be configured
on the shared folder that holds the confidential data for the Deny DLG group.
Answer: C
285. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. Three branch offices are contained by the company, and the branch offices are located in three
different places. An organizational unit is contained by each location. Since you are the technical support,
you are required to make sure that the branch office administrators are enabled to create and apply GPOs
only to their respective organizational units. Which actions should be performed to achieve the goal?
A. The Delegation of Control Wizard should be run and the right to link GPOs for the domain should be
B. The Delegation of Control Wizard should be run and the right to link GPOs for their branch organizational
C. The user accounts of the branch office administrators should be added to the Group Policy Creator
Owners Group.
D. The Managed By tab in each organizational unit should be changed to add the branch office
Answer: BC
286. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. And there is a two-tier PKI infrastructure which an offline root CA and an online issuing CA
company requirements, you are required to make sure that users can have
new certificates enrolled. Which action should be performed to achieve the goal?
A. The issuing CA certificate should be imported into the Intermediate Certification Authorities store on all
client workstations.
B. To achieve the goal, the Certificate Revocation List (CRL) should be renewed on the root CA. And then,
C. The Certificate Revocation List (CRL) should be renewed on the issuing CA. And then, the CRL should
D. The root CA certificate should be imported into the Trusted Root Certification Authorities store on all
client workstations.
Answer: B
287. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. In the company, there are servers that run Windows Server 2008 and client computers that run
Windows Vista. The domain uses a set of GPO administrative templates that have been approved to
support regulatory compliance requirements. There is an Active Directory forest that contains a single
domain in your partner company. The company has servers that run Windows Server 2008 and client
computers that run Windows Vista. According to the company requirement, your partner companys domain
needs to be configured to use the approved set of administrative templates. So what action should you
perform?
A. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web
site. The ADM files should be copied to the PolicyDefinitions folder on the partner companys PDC emulator.
B. You should back up the GPO to a file by using the Group Policy Management Console (GPMC) utility. In
C. The ADMX files should be copied from your companys PDC emulator to the PolicyDefinitions folder on
D. The ADML files should be copied from your companys PDC emulator to the PolicyDefinitions folder on
Answer: C
288. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a head office and 9 branch offices
in your company. An Active Directory site is contained by each branch office, and one domain controller is
included by the Active Directory site. The company configures only domain controllers in the head office as
Global Catalog servers. Since you are the technical support, you are required to disable the Universal
Group Membership Caching option on the domain controllers in the branch offices. As you should disable
the disable the Universal Group Membership Caching option, which level should you choose?
A. You should disable the Universal Group Membership Caching option at Connection object level.
B. You should disable the Universal Group Membership Caching option at Site level.
C. You should disable the Universal Group Membership Caching option at Server level.
D. You should disable the Universal Group Membership Caching option at Domain level.
Answer: B
289. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in your company network. The forest plays in the functional level of Windows Server 2008. According to the
company requirement, you have to create multiple password policies for users in your domain. So what
A. Multiple security policies should be created from the Security Configuration Wizard.
B. Multiple Group Policy objects should be created from the Group Policy Management snap-in.
C. Multiple class schema objects should be created from the Schema snap-in.
D. Multiple Password Setting objectss should be created from the ADSI Edit snap-in.
Answer: D
290. You work as a technology specialist in an international company named Wiikigo. Your major job is to
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
included by your network. The functional level of the forest is Windows Server 2008.
Since you are the technical support, you are required to have multiple password policies created for users
A. From the Group Policy Management snap-in, multiple Group Policy objects should be created.
B. From the Schema snap-in, multiple class schema objects should be created.
C. From the ADSI Edit snap-in, multiple Password Setting objects should be created.
D. From the Security Configuration Wizard, multiple security policies should be created.
Answer: C
291. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
named intranet.wiikigo.com in your company. Windows Server 2008 is run by all domain controllers. The
company configures the domain functional level and the forest functional level to Windows 2000 native
mode. Since you are the technical support, you are required to make sure that the UPN suffix for
wiikigo.com is available for user accounts. To achieve the goal, which action should be performed first?
A. To achieve the goal, the new UPN suffix should be added to the forest.
B. To achieve the goal, the Primary DNS Suffix option in the Default Domain Controllers Group Policy
C. To achieve the goal, the wiikigo.com forest functional level should be raised to Windows Server 2003 or
D. To achieve the goal, the wiikigo.com domain functional level should be raised to Windows Server 2003
Answer: A
292. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
Rights Management Services (AD RMS). Microsoft SQL Server 2005 is installed by you. When you try to
open the AD RMS administration Web site, you receive the following error message: "SQL Server does not
exist or access denied." You have to open the AD RMS administration Web site. So what should you do?
A. The Service Connection Point in Active Directory Domain Services (AD DS) should be deleted manually
Answer: BD
293. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. 200 new user accounts are created by you.
The users are located in six different sites. Now you receive report from new users. At the time that they
attempt to log on, they receive the following error message when they try to log on: "The username or
password is incorrect." You are sure that the user accounts exist and are enabled. You also confirm that the
user name and password information supplied are correct. You need to find out the cause of the failure.
Besides, you have to make sure that the new users are able to log on. Which utility should be run?
Answer: B
294. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. An organizational unit named Sales is contained in this domain. There are two global
managers and sales executives. You have to apply desktop restrictions to the sales executives group. You
must not apply these desktop restrictions to the sales managers group. After a GPO named
DesktopLockdown is created and linked to the Sales organizational unit. What action should you perform
next?
A. The Deny Apply Group Policy permission should be configured for Authenticated Users on the
DesktopLockdown GPO.
B. The Allow Apply Group Policy permission should be configured for Authenticated Users on the
DesktopLockdown GPO.
C. The Deny Apply Group Policy permission should be configured for the sales managers on the
DesktopLockdown GPO.
D. The Deny Apply Group Policy permission should be configured for the sales executives on the
DesktopLockdown GPO.
Answer: C
295. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in your company network. All domain controllers run Windows Server 2008. You have to reset the Directory
Services Recovery Mode (DSRM) password on a domain controller. What tool should be used?
Answer: A
296. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. A single Active Directory domain is
included by the network. Windows Server 2008 is run by all domain controllers. Since you are the technical
A. To achieve the goal, Network Monitor should be installed and a new a new capture should be created.
C. To achieve the goal, the System Performance data collector set should be started.
D. To achieve the goal, the Active Directory Diagnostics data collector set should be started.
Answer: B
297. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. You have a Windows Server 2008 which
has the Active Directory Certificate Services server role installed. Since it takes a long time for client
computers to download a certificate revocation list (CRL), you are asked to cut down the amount of time. So
C. The Issuing CA certificate should be imported into the Trusted Root Certification Authorities store on all
client workstations.
D. The Root CA certificate should be imported into the Trusted Root Certification Authorities store on all
client workstations.
Answer: B
298. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. All consultants are members of a global
group named TWorkers. Three file servers are placed in a new organizational unit named Safeservers.
Confidential data which is located in shared folders are included by the three file servers. Since you are the
technical support, you are required to record any unsuccessful attempts made by the consultants to
connect the confidential data. Which two actions should be performed to achieve the goal? (Choose more
than one.)
Auditing tab. And then, the Failed Full control setting should be configured in the Auditing Entry dialog box.
B. A new GPO should be created and linked to the Safeservers organizational unit. And then, the Audit
C. A new GPO should be created and linked to the Safeservers organizational unit. And then, the Audit
D. A new GPO should be created and linked to the Safeservers organizational unit. And then, the Deny
access to this computer from the network user rights setting should be configured for the TWorkers global
group.
E. On each shared folder on the three file servers, the three servers should be added to the Auditing tab.
And then, the Failed Full control setting should be configured in the Auditing Entry dialog box.
Answer: AC
299. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company network. Windows Server 2008 is run by all domain controllers that are configured as DNS
servers. You have an Active Directory-integrated zone for wiikigo.com. You have a UNIX-based DNS server.
Your Windows Server 2008 environment needs to be configured to allow zone transfers of the wiikigo.com
zone to the UNIX-based DNS server. What action should you perform in the DNS Manager console?
Answer: B
300. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an existing Active Directory site
named Site01. After you create a new Active Directory site, you name it Site02.
have to configure Active Directory replication between Site01 and Site02. After a new domain controller is
installed by you, the site link between Site01 and Site02 is created. What action should you perform next?
A. The new domain controller should be configured as a preferred bridgehead server for Site01 by using the
B. A new site link bridge object should be configured by using the Active Directory Sites and Services
console.
C. The site link cost between Site01 and Site02 should be decreased by using the Active Directory Sites
D. A new IP subnet should be assigned to Site02 by using the Active Directory Sites and Services console.
Answer: D
301. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. A user receives the following message when trying to log on to the domain from a client computer:
"This user account has expired. Ask your administrator to reactivate the account." So what action should
you perform?
A. The properties of the user account should be modified to set the password to never expire.
B. The default domain policy should be modified to decrease the account lockout duration.
C. The properties of the user account should be modified to set the account to never expire.
D. The properties of the user account should be modified to extend the Logon Hours setting.
Answer: C
302. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain and
an organizational unit in the company. The organizational unit is named Web. You configure and test new
security settings for Internet Information Service (IIS) servers on a server named IISServerA. You have to
A. The hisecws.inf file template should be imported into a GPO and the GP should be linked to the Web
organizational unit.
B. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf
C. Run secedit /configure /db webou.inf from the command prompt after running secedit /configure /db
D. Export the settings on IISServerA to create a security template. Import the security template into a GPO
Answer: D
303. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Recently, a new subsidiary company has
been purchased by your company, and the new company is located in Quebec. The French-language
version of the administrative templates should be utilized by the Active Directory administrators of the
subsidiary company. A folder is created on the PDC emulator for the subsidiary domain in the path
are required to make sure that the French-language version of the templates can be used. Which action
should be performed?
A. The ADMX files from the French local installation media for Windows Server 2008 should be replicated
B. The Conf.adm, System.adm, Wuau.adm, and Inetres.adm files should be downloaded from the Microsoft
Web site. And then, the ADM files should be replicated to the FR folder.
C. The ADML files from the French local installation media for Windows Server 2008 should be replicated to
D. The Install.WIM file from the French local installation media for Windows Server 2008 should be
Answer: C
304. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There are two Active Directory forests in
your company. And they are respectively named F01 and F02. The company configures the forest
functional level and the domain functional level of F01 to Windows Server 2008. In addition, the company
set the forest functional level of F02 to Windows 2000. What's more,the company sets the domain
functional levels in F02 to Windows Server 2003. Since you are the technical support, you are required to
create a transitive forest trust between F01 and F02. To achieve the goal, which action should be performed
first?
A. To achieve the goal, the domain controllers in F02 should be upgraded to Windows Server 2003.
B. To achieve the goal, the forest functional level of F02 should be raised to Windows Server 2003 Interim
mode.
C. To achieve the goal, the forest functional level of F02 should be raised to Windows Server 2003.
D. To achieve the goal, the domain controllers in F02 should be upgraded to Windows Server 2008.
Answer: C
305. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. And it runs at the functional level of Windows Server 2008. Active Directory Rights Management
Services (AD RMS) is implemented. Microsoft SQL Server 2005 is installed. When you try to open the AD
Since you are the technical support, you are required to open the AD RMS administration Web site. To
achieve the goal, which two actions should be performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, the Service Connection Point should be deleted manually in Active Directory
Answer: BD
306. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company network. All domain controllers run Windows Server 2008 is run by all domain controllers.
According to the company requirement, you have to identify the Lightweight Directory Access Protocol
(LDAP) clients that are using the largest amount of available CPU resources on a domain controller. So
A. The Active Directory Diagnostics Data Collector Set should be run. The Active Directory Diagnostics
D. The LAN Diagnostics Data Collector Set should be run. The LAN Diagnostics report should be reviewed.
Answer: A
307. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a Windows Server 2008
Enterprise Root CA in your company. Port 443 and port 80 is prevented from being opened on domain
controllers and on the issuing CA by security policy. Since you are the technical support, you are required to
permit users to have certificates requested from a Web interface. First, you have the Active Directory
Certificate Services (AD CS) server role installed. To achieve the goal, which action should be performed
next?
A. To achieve the goal, the Certification Authority Web Enrollment Role Service should be configured on a
member server.
B. To achieve the goal, the Certification Authority Web Enrollment Role Service should be configured on a
domain controller.
C. To achieve the goal, the Online Responder Role Service should be configured on a member server.
Answer: A
308. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain
named ad.wiikigo.com in your company. Two domain controllers named DC01 and DC02 are contained by
the domain. The DNS Server server role is installed by both domain controllers. A new DNS server named
DNS01.wiikigo.com is installed on the perimeter network. DC01 is configured to have all unresolved name
requests forwarded to DNS01.wiikigo.com. A problem occurs that the DNS forwarding option cannot be
accessed on DC02. Since you are the technical support, you are required to have DNS forwarding
configured on the DC02 server to point to the DNS01.wiikigo.com server. What should be done to achieve
Answer: AD
309. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a domain controller, and
Windows Server 2008 is run by the domain controller. The company installs the Windows Server Backup
feature on the domain controller. Since you are the technical support, you are required to utilize a current
backup file so as to perform a non-authoritative restore of the domain controller. Which action should be
A. The domain controller should be restarted in safe mode. And then, the Windows Server Backup snap-in
B. The domain controller should be restarted in safe mode. And then, the WBADMIN command should be
D. The domain controller should be restarted in Directory Services Restore Mode. And then, the Windows
Answer: C
310. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single-domain Active Directory
forest in your company. The functional level of the domain plays at the functional level of Windows Server
Place the global distribution group in a domain local group that has access to the shared folder.
According to the company requirement, you have to make sure that the users have access to the shared
A. The group type of the global distribution group should be changed to a security group.
B. The scope of the global distribution group should be changed to a Universal distribution group.
C. Raise the forest functional level should be raised to Windows Server 2008.
D. Add the global distribution group should be added to the Domain Administrators group.
Answer: A
311. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory forest in your
company. And multiple domain controllers are included by the Active Directory forest. Windows Server 2008
Since you are the technical support, you are required to recover a deleted organizational unit and its child
objects.
answer.)
1 The Ntdsutil utility should be utilized to mark the organizational unit as authoritative.
4 The system state data should be recovered to a date before the organizational unit was deleted.
A. 6->4->1->5
B. 3->4->1->5
C. 4->6->2->5
D. 1->4->5->6
Answer: A
312. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in
your company. Windows Server 2008 is run by all servers. An Enterprise Root certification authority (CA)
and an Enterprise Intermediate CA are utilized by your company. However, the Enterprise Intermediate CA
certificate expires. Therefore, you should have a new Enterprise Intermediate CA certificate deployed to all
computers in the domain. Which action should be performed to achieve the goal?
A. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
B. The new certificate should be imported into the Intermediate Certification Store in the Default Domain
C. The new certificate should be imported into the Intermediate Certification Store on the Enterprise Root
CA server.
D. The new certificate should be imported into the Intermediate Certification Store on the Enterprise
Intermediate CA server.
Answer: B
313. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a single Active Directory domain
in the company. Windows Server 2003 is run by all domain controllers. You have Windows Server 2008
installed on a server. The new server needs to be added as a domain controller in your domain. So what
Answer: B
314. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. In your company, a branch office that is
configured as a separate Active Directory site and has an Active Directory domain controller. The Active
Directory site needs a local Global Catalog server to support a new application. According to the company
requirement, the domain controller needs to be configured as a global Catalog server. Which tool should be
used?
Answer: A
315. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a head office and a branch office
level of the Active Directory forest is Windows Server 2003. Four Windows Server 2003 domain controllers
are contained in the main office. Since you are the technical support, you are required to make sure that
you should be enabled to deploy a read-only domain controller (RODC) at the branch office. To achieve the
goal, which actions should be performed to achieve the goal? (Choose more than one.)
A. To achieve the goal, a Windows Server 2008 domain controller should be deployed at the head office.
C. To achieve the goal, the functional level of the forest should be raised to Windows Server 2008.
D. To achieve the goal, the functional level of the domain should be raised to Windows Server 2008.
Answer: AB
316. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. An Active Directory forest is contained by
your network, and one domain is included by the Active Directory forest. Windows Server 2008 is run by all
domain controllers and the domain controllers are configured as DNS servers. There is an Active
Directory-integrated zone, and two Active Directory sites. Five domain controllers are included by each site.
A new NS record should be added to the zone. Therefore, you should make sure that the new NS record is
received instantly by all domain controllers. Which action should be performed to finish the task?
A. From the Services snap-in, the DNS Server service should be restarted.
C. From the DNS Manager console, the version number of the SOA record should be increased.
Answer: B
317. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. Complex passwords are required
according to the requirement of the company security policy. You have a comma delimited file named
import.csv that contains user account information. You need to use the import.csv file to create user
A. The userAccountControl attribute should be modified to disabled. The ldifde i f import.csv command
should be run. Set passwords for the imported user accounts by running the DSADD utility.
B. The userAccountControl attribute should be modified to disabled. The csvde i k f import.csv command
should be run. Set default passwords for the user accounts by running the DSMOD utility.
C. The userAccountControl attribute should be modified to accounts disabled. The csvde f import.csv
command should be run. set default passwords for the user accounts by running the DSMOD utility.
D. The userAccountControl attribute should be modified to disabled. The wscript import.csv command
should be run. Set default passwords for the imported user accounts by running the DSADD utility.
Answer: B
318. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is an Active Directory domain in the
company. A DNS server named DNS01 is contained by the head office. DNS01 is configured with Active
Directory-integrated DNS. A DNS server named DNS02 and a secondary copy of the zone file from DNS01
are included by the branch office. The company connects the two offices with an unreliable WAN link. A new
server is added to the head office. After the server has been added for ten minutes, it is reported by a user
from the branch office that the new server is unavailable. Since you are the technical support, you are
required to make sure that the user can get access to the new server. Which action should be performed to
C. To achieve the goal, the zone should be exported from DNS01 and imported to DNS02.
Answer: B
319. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
wiikigo.com is contained by your network. Windows Server 2008 is run by all servers. The company
configures all domain controllers as DNS servers. The company has the wiikigo.com DNS zone stored in
the ForestDnsZones Active Directory application partition. In addition, you have a member server and a
standard primary DNS zone for dev.wiikigo.com is included by the member server. According to the
company requirements, you are required to make sure that all domain controllers can have names resolved
A. To achieve the goal, the properties of the SOA record should be changed in the wiikigo.com zone.
D. To achieve the goal, a standard secondary zone should be created on a Global Catalog server.
Answer: C
320. You work as a technology specialist in an international company named Wiikigo. Your major job is to
configure Windows Server 2008 Active Directory. And you are experienced in configuring the Active
Directory infrastructure and maintaining Active Directory objects. There is a Windows Server 2008
Enterprise Root certification authority (CA). Members of the Account Operators group should be offered
with the ability to only manage Basic EFS certificates. The Account Operators group is granted the Issue
and Manage Certificates permission on the CA. To achieve the goal, which actions should be performed?
A. To achieve the goal, all unnecessary certificate templates that are assigned should be migrated to the
B. To achieve the goal, the Restrict Enrollment Agents option should be enabled on the CA.
C. To achieve the goal, the Restrict Certificate Managers option should be enabled on the CA.
D. To achieve the goal, the Basic EFS certificate template should be added for the Account Operators
group.
E. To achieve the goal, the Account Operators group the Manage CA permission should be granted on the
CA.
Answer: ACD
321.
Answer:
322.
Answer:
323.
Answer: