FREE MCTS 70 640: Active Directory, Configuring Question and Answers
There is an Active Directory domain for your business. The following warning appears when a user attempts to log on to the domain from a client computer: "This user account has expired. Ask your administrator to reactivate the account."
You must guarantee that the user can access the domain.
What should you do?
Explanation:
Additional details:
http://technet.microsoft.com/en-us/library/dd145547.aspx
Account Tab in User Properties
Account expires - Sets the user's account expiration policy. You have the following options to choose from:
Use Never if you want the specified account to never expire. For new users, this option is the default.
Select End of, and then select a date, if you want the user's account to expire on a specific date.
You have two servers, Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA).
On Server2, you install the Online Responder role service.
You need to configure Server1 to support the Online Responder.
What should you do?
Explanation:
Configure a CA to Support OCSP Responders
To work properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. If you are using an OCSP responder that is not a Microsoft product, you also need this OCSP Response Signing certificate.
The following actions are required when setting up a certification authority (CA) to support OCSP responder services:
1. Set up the OCSP Response Signing certificates' issuance properties and certificate templates.
2. Establish enrollment restrictions for all computers hosting Online Responders.
3. Enable the OCSP extension in issued certificates if the CA runs on Windows Server 2003.
4. Update the authority information access extension on the CA to include the Online Responder's or OCSP responder's location.
5. Activate the CA's OCSP Response Signing certificate template.
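Steps 4 and 5 can be scripted on the CA. The following is an added example, not part of the original explanation or of Microsoft's guide; the responder URL and the certificate path in the last comment are placeholders, and it assumes an elevated PowerShell session on Server1.

```powershell
# Added example: run elevated on the CA (Server1).
# Placeholder URL for the Online Responder hosted on Server2.
$ocspUrl = 'http://server2/ocsp'

# The active CA's settings live under CertSvc\Configuration\<CA name>.
$cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey = Join-Path $cfg (Get-ItemProperty $cfg).Active

# CACertPublicationURLs is a multi-string of "<flags>:<url>" entries.
# Flag 32 places the URL in the OCSP part of the authority information
# access (AIA) extension of certificates the CA issues.
$urls  = @((Get-ItemProperty $caKey).CACertPublicationURLs)
$entry = "32:$ocspUrl"
if ($urls -notcontains $entry) {
    Set-ItemProperty -Path $caKey -Name CACertPublicationURLs `
        -Value ([string[]]($urls + $entry))
}

# Step 5: make the OCSP Response Signing template available on this CA.
certutil -SetCATemplates +OCSPResponseSigning

# The AIA change applies only to certificates issued after the restart;
# certificates issued earlier do not carry the OCSP location.
Restart-Service certsvc

# Check: the list should now contain the "32:" entry.
(Get-ItemProperty $caKey).CACertPublicationURLs

# For a certificate issued afterwards (placeholder path), confirm that
# revocation checking reaches the responder:
# certutil -verify -urlfetch C:\temp\issued.cer
```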
Active Directory forests with the names contoso.com and fabrikam.com exist within your organization.
Three DNS servers, named DNS1, DNS2, and DNS3, are part of the company network. The configuration of the DNS servers is displayed in the following table.
DNS3 is set as the preferred DNS server on each computer in the fabrikam.com domain. The preferred DNS server for the rest of the computers is DNS1.
Users in the fabrikam.com domain cannot reach the servers in the contoso.com domain.
You must make sure that users in the fabrikam.com domain can resolve any queries for contoso.com.
What should you do?
Explanation:
Understanding Forwarders
A forwarder is a DNS server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to particular domain names by using conditional forwarders.
You designate a DNS server on a network as a forwarder by configuring the other DNS servers on the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can control name resolution for names outside of your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The direction of external name inquiries with forwarders is shown in the accompanying figure.
Conditional forwarders: A conditional forwarder is a DNS server that forwards DNS queries according to the DNS domain name in the query. For instance, you can configure a DNS server to forward all queries for names ending in corp.contoso.com to the IP address of a single DNS server or to the IP addresses of several DNS servers.
There is only one Active Directory domain in your network. All domain controllers run Windows Server 2003.
You upgrade all the domain controllers to Windows Server 2008.
You need to configure Active Directory to support the use of multiple password policies.
What should you do?
Explanation:
Step-by-Step Guide for the AD DS Fine-Grained Password and Account Lockout Policy
This step-by-step manual outlines how to set up and implement specific password and account lockout policies for various user groups in Windows Server 2008 domains.
There is only one password and account lockout policy that may be applied to all domain users in Microsoft Windows 2000 and Windows Server 2003 Active Directory domains. This policy is defined in the domain's Default Domain Policy. As a result, you had to either develop a password filter or set up numerous domains if you desired different password and account lockout settings for certain groups of users. Both choices were expensive for various reasons.
Using fine-grained password policies in Windows Server 2008, you can specify various password policies and implement various account lockout and password restrictions for various groups of users inside a single domain.
Policies for account lockout and fine-grained passwords: Requirements and specific considerations
Domain functional level: Windows Server 2008 or a later version must be selected as the domain functional level.
There is only one Active Directory domain in your network. All domain controllers run Windows Server 2008 R2. Both the Audit directory services access setting and the Audit account management policy setting are turned on for the entire domain.
You must make sure that changes to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.
What should you do?
Explanation:
In Windows Server 2008, a new audit subcategory allows you to configure AD DS auditing to log both the old and the new values when objects and their attributes are changed.
The new audit policy subcategory, Directory Service Changes, makes it possible to audit changes to objects in AD DS. This guide explains how to put this audit policy subcategory into practice.
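The script below enables the subcategory and then reads the resulting events back so that the old and new values appear side by side. It is an added example, not part of the original explanation or of Microsoft's guide; it assumes an elevated PowerShell session on a domain controller and relies on event ID 5136 and its standard field names.

```powershell
# Added example. Run elevated on a domain controller (PowerShell 2.0 or later).
# Turn on the Directory Service Changes subcategory for successful operations.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# A change is logged only when the object's SACL audits that write.
# Event 5136 is written once per value: one event for the value removed and
# one for the value added, both carrying the same OpCorrelationID.
$kind = @{ '%%14674' = 'new'; '%%14675' = 'old' }

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
    -MaxEvents 500 -ErrorAction SilentlyContinue
if (-not $events) { 'No 5136 events found.'; return }

# Flatten each event's named EventData fields into one row.
$rows = foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Who       = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Object    = $d.ObjectDN
        Attribute = $d.AttributeLDAPDisplayName
        Kind      = $kind[$d.OperationType]
        Value     = $d.AttributeValue
        OpId      = $d.OpCorrelationID
    }
}

# Pair the removed and added values of the same operation, object and attribute.
$rows | Group-Object OpId, Object, Attribute | ForEach-Object {
    $g = $_.Group
    New-Object PSObject -Property @{
        Time      = $g[0].Time
        Who       = $g[0].Who
        Object    = $g[0].Object
        Attribute = $g[0].Attribute
        OldValue  = @($g | Where-Object { $_.Kind -eq 'old' } | ForEach-Object { $_.Value }) -join '; '
        NewValue  = @($g | Where-Object { $_.Kind -eq 'new' } | ForEach-Object { $_.Value }) -join '; '
    }
} | Sort-Object Time | Format-List Time, Who, Object, Attribute, OldValue, NewValue
```

An attribute that was empty before the change produces only the "new" event, so OldValue is blank for it.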
The Active Directory domain for your business is contoso.com. Two DNS servers, DNS1 and DNS2, are part of the company network.
The configuration of the DNS servers is displayed in the following table.
Users of the domain who have DNS2 set as their preferred DNS server are unable to access Internet websites.
You must make sure that Internet name resolution works for all client computers.
What should you do?
Explanation:
http://support.microsoft.com/kb/298148
How to Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that has no connection to the Internet, a root zone, commonly referred to as a dot zone, is created along with the zone for the domain. This root zone may prevent the DNS server and its clients from accessing the Internet. If a root zone exists, there are no other zones except those that are listed in DNS, and forwarders or root hint servers cannot be configured. For these reasons, you might need to remove the root zone.
Your business has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. Windows 2000 native is the domain functional level and the forest functional level.
You must make sure that user accounts can use the UPN suffix for contoso.com.
What should you do first?
Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add Forest UPN Suffixes
Adding a UPN Suffix to a Forest
Open Active Directory Domains and Trusts.
In the Tree window pane, right-click Active Directory Domains and Trusts, and then click Properties.
On the UPN Suffixes page, enter the new UPN suffix that you want to add to the forest.
Click Add, and then click OK.
You can now choose the new UPN suffix to complete the user's logon name when adding users to the forest.