
A computer running Microsoft Windows Server 2008 is configured as a domain controller. The computer also supports other services, including the Dynamic Host Configuration Protocol (DHCP) service. You need to move the Active Directory database on the computer. You must minimize the impact on the other services running on the computer. What should you do first? (Each correct answer presents a complete solution. Choose two.)

* Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.
* Use Computer Manager to stop the Active Directory service.
* Run Ntdsutil to compact the database.
* Run Net stop to stop the Active Directory service.
* Restart the domain controller in Directory Services Restore Mode (DSRM).

Microsoft (70-640) TS: Windows Server 2008 Active Directory, Configuring * Demo Test * Question ID: flm9MS_70-640-029

Question 1 Explanation:

You should either use Computer Manager or the Net stop command to stop the Active Directory service. Windows Server 2008 supports restartable AD DS, which lets you perform some types of maintenance, including offline database compaction and movement, without affecting other services running on the computer.

You should not restart the domain controller in DSRM. This would allow you to compact the database, but it would also prevent users from accessing the other services supported on the computer.

You should not run Ntdsutil first. You need to first stop AD DS. Then you can use Ntdsutil to compact and then move the database.

You should not run Dcpromo to force removal of the AD DS role. There is no reason to remove the role. You can move the database without doing this.

Objective: Maintaining the Active Directory Environment

Sub-Objective: 5.2 Perform offline maintenance.

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. The network currently has only a single site. The company is preparing to open a branch office. You must ensure that administrators at the branch office can create, modify, and delete user accounts only for employees at the branch office. Administrators must be able to manage user accounts even if the link to the corporate office is unavailable. What should you do?

* Install a standard domain controller at the branch office. Create a global group named BranchAdmins. Create a domain local group named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
* Install a standard domain controller at the branch office. Create a global group named BranchAdmins. Create an organizational unit (OU) named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
* Install a read-only domain controller (RODC) at the branch office. Create a global group named BranchAdmins. Create an organizational unit (OU) named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
* Install a read-only domain controller (RODC) at the branch office. Create a global group named BranchAdmins. Create a domain local group named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

Question ID: rrMS_70-640-036

Question 2 Explanation:

You should perform the following steps:

* Install a standard domain controller at the branch office.
* Create a global group named BranchAdmins.
* Create an OU named BranchUsers.
* Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

You should install a standard domain controller at the branch office to allow administrators there to log on to it and manage accounts even if the link to the corporate office is unavailable.

You should create an OU named BranchUsers and use the Delegation of Control Wizard to delegate the Create, delete, and manage user accounts task to the BranchAdmins global group. You must delegate the permission to manage user accounts on the OU that will contain those user accounts.

You should not install an RODC at the branch office. An RODC cannot be used to make changes to user accounts. Therefore, administrators at the branch office would not be able to manage user accounts if the link to the corporate office was unavailable.

You should not create a domain local group named BranchUsers. You cannot delegate control to manage user accounts by delegating control for a group to which the accounts will belong. You must delegate control for the OU that will contain the user accounts to be managed.

Objective: Creating and Maintaining Active Directory Objects

Sub-Objective: 4.2 Maintain Active Directory accounts.

1999-2011 MeasureUp AssessTech is a registered trademark of MeasureUp

Your company has two locations: Chicago and Miami. The network is configured as a single Active Directory domain. You are planning to install Windows Server 2008 on a domain controller at each location. IP addresses will be assigned using a Dynamic Host Configuration Protocol (DHCP) server at each location. Your solution must meet the following requirements:

* Administrators in Chicago need to be able to create and modify Active Directory accounts.
* Administrators in Miami need to be able to update drivers on the domain controller in Miami, but should not be able to create or modify user accounts.
* Records in the Domain Name System (DNS) database must be kept up to date.
* Only Active Directory domain members can register with the DNS server.
* Name resolution traffic across the Wide Area Network (WAN) link should be minimized.

You need to plan the DNS configuration. What should you do? (Each correct answer presents part of the solution. Choose two.)

* Deploy a stub zone in Miami.
* Deploy an Active Directory-Integrated zone in Chicago.
* Deploy an Active Directory-Integrated zone in Miami.
* Deploy a primary read-only zone in Miami.
* Deploy a standard primary zone in Chicago.

Question ID: rrMS_70-640-001

Question 3 Explanation:

You should install an Active Directory-Integrated zone in Chicago. To support dynamic updates only by domain members, you must enable Secure Dynamic DNS (DDNS). Secure DDNS is only supported on Active Directory-Integrated zones.

You should also create a primary read-only zone on the domain controller in Miami. To prevent administrators in Miami from creating and modifying user accounts, you must install a read-only domain controller (RODC). An RODC supports primary read-only DNS zones. When a client needs to update a DNS record, the primary read-only DNS server refers the client to the writable DNS server on the writable domain controller.

You should not create a standard primary zone in Chicago. A standard primary zone does not support Secure DDNS.

You should not create an Active Directory-Integrated zone in Miami. The Miami office must have an RODC, not a writable domain controller, because the administrators in Miami should not be able to create and modify user accounts. An Active Directory-Integrated zone can only be created on a writable domain controller.

You should not create a stub zone in Miami. A stub zone contains only Name Server (NS) records. It does not resolve the names of other computers. Therefore, it would not reduce name resolution traffic across the WAN. You would use a stub zone to keep a parent zone up to date with the addresses of DNS servers in the child zones.

Objective: Configuring Domain Name System (DNS) for Active Directory

Sub-Objective: 1.1 Configure zones.


Your company's network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. Users are required to enroll for a User certificate using Web enrollment. Users are reporting that the response time is very slow when accessing servers that host financial data. Certificate authentication is required to access these servers. You discover that the network is extremely busy and network bandwidth is reaching capacity. You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network. What should you do?

* Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication interval.
* Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL).
* Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.
* Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except the User template.

Question ID: dhMS_70-640-019

Question 4 Explanation:

You should use the Certificate Authority snap-in to configure the CA to use a Delta CRL. Delta CRLs only replicate the new revocations to each CRL distribution point. Using a Delta CRL means a smaller file and, therefore, less network traffic.

You should not decrease the Certificate Revocation List publication interval. The publication interval determines the frequency that the CRL is published. By decreasing the interval, the CRL will be published more frequently and increase network traffic.

You should not deny users the Enroll permission on all templates except the User template. Denying users access to certificate templates increases security so you can control the types of certificates users can request. It does not, however, reduce network traffic.

You should not change the method used for certificate enrollment. Traffic will be generated when users first enroll for certificates. However, once users are issued a certificate, they do not need to generate an additional request. Changing the method used for certificate enrollment will not reduce network traffic on an ongoing basis.

Objective: Configuring Active Directory Certificate Services

Sub-Objective: 6.2 Configure CA server settings.

You have deployed Active Directory Federation Services (AD FS) in your organization. You need to configure another organization as a federated partner. Your organization is the resource partner in this partnership. You need to exchange partner values with the partner organization. You want to do this with as little administrative effort as possible. What should you do?

* Add your partner's domain as an Active Directory Domain Services (AD DS) Account store.
* Have the partner send its federation server's validation certificate.
* Export your trust policy files and send the resulting file to the partner administrator.
* Deploy an AD FS Proxy in the partner's perimeter network.

Question ID: flm9MS_70-640-030

Question 5 Explanation:

You should export your trust policy files and send the resulting file to the partner administrator. Your partner would then import the XML policy file. Your partner can use the same process to provide you with trust policy file information. You use the Add Partner Wizard to both export and import trust policy files. The trust policy files include all of the information needed, including Uniform Resource Identifiers (URIs), claim types, claim mappings, validation certificate, and so on.

You should not have the partner send its federation server's validation certificate. You would only need this if you were setting up the partnership manually. While this is possible, the process requires significantly more administrative effort.

You should not add your partner's domain as an Active Directory Domain Services (AD DS) Account store. This is used to add your organization's AD DS accounts to support user authentication to facilitate remote access by users from your network's domain.

You should not deploy an AD FS Proxy in the partner's perimeter network. An AD FS Proxy receives authentication requests and passes them on for authentication. You would deploy the AD FS Proxy in your own perimeter network.

Objective: Configuring Additional Active Directory Server Roles

Sub-Objective: 3.4 Configure Active Directory Federation Services (AD FS).


The network you manage has the five domains shown in the exhibit. Users in dev.eu.stayandsleep.com frequently access files on file servers in dev.corp.stayandsleep.com.

You need to optimize performance for users in dev.eu.stayandsleep.com when accessing files in dev.corp.stayandsleep.com. What should you do?

* Create a shortcut trust in which dev.corp.stayandsleep.com trusts dev.eu.stayandsleep.com.
* Create a two-way external trust between dev.eu.stayandsleep.com and dev.corp.stayandsleep.com.
* Create a shortcut trust in which dev.eu.stayandsleep.com trusts dev.corp.stayandsleep.com.
* Create a forest trust and enable selective authentication.

Question ID: rrMS_70-640-014

Question 6 Explanation:

You should create a shortcut trust in which dev.corp.stayandsleep.com trusts dev.eu.stayandsleep.com. A shortcut trust is used to shorten the authentication path when users in one child domain need frequent access to resources in another child domain. The trusting domain is the one in which the resources are located.

You should not create a shortcut trust in which dev.eu.stayandsleep.com trusts dev.corp.stayandsleep.com. The trusting domain is the one in which the resources are located.

You should not create a two-way external trust between dev.eu.stayandsleep.com and dev.corp.stayandsleep.com. An external trust is used to allow access to or from a Windows NT 4.0 domain or when you cannot use a forest trust. An external trust is not used between domains in the same forest.

You should not create a forest trust and enable selective authentication on it. A forest trust is used between two Active Directory forests, not within the same forest. Selective authentication is used to limit the access to specific users in different forests.

Objective: Configuring the Active Directory Infrastructure

Sub-Objective: 2.2 Configure trusts.
