MCTS 70-640 Exam

FREE MCTS 70 640: Active Directory, Configuring Question and Answers

Active Directory forests with the names contoso.com and fabrikam.com exist within your organization.
Three DNS servers designated DNS1, DNS2, and DNS3, are part of the firm network. The configuration of the DNS servers is displayed in the following table.
DNS3 is set as the primary DNS server on each computer in the fabrikam.com domain. The preferred DNS server for the rest of the PCs is DNS1.
The servers for the contoso.com domain are inaccessible to users from the fabrikam.com domain.
You must make sure that any contoso.com queries may be answered by users of the fabrikam.com domain.
What ought you to do?

Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.

Create a copy of the _msdcs.contoso.com zone on the DNS3 server.

Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.

Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Correct! Wrong!

Explanation:
Recognizing Forwarders - An internal DNS server on a network that transmits DNS requests for external DNS names to external DNS servers is known as a forwarder. Utilizing conditional forwarders, you may also forward inquiries in accordance with particular domain names.
By configuring the other DNS servers on the network to forward requests that they are unable to locally resolve to the DNS server you have designated as a forwarder, you can designate one DNS server on a network as a forwarder. You may control name resolution for names outside of your network, such names on the Internet, and enhance name resolution effectiveness for the computers in your network by employing a forwarder.

The direction of external name inquiries with forwarders is shown in the accompanying figure.

desktop1.png in C: Documents and Settingsusernwz1

Forwarders with conditions: A DNS server that forwards DNS requests based on the DNS domain name in the request is known as a conditional forwarder. For instance, you can instruct a DNS server to route all requests for names ending in corp.contoso.com to either a single DNS server's IP address or to the IP addresses of several different DNS servers.

The Active Directory domain for your business is contoso.com. Two DNS servers, DNS1 and DNS2, are part of the firm network. The configuration of the DNS servers is displayed in the following table.

Users of the domain who have DNS2 set as their preferred DNS server are unable to access Internet websites.
All client PCs must have Internet name resolution enabled.
What ought you to do?

Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

Update the list of root hints servers on DNS2.

Create a copy of the .(root) zone on DNS1.

Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.

Correct! Wrong!

Explanation:
http://support.microsoft.com/kb/298148
How to Dispose of the Dot Zone (Root Zone)
When installing DNS on a Windows 2000 server without a connection to the Internet,
A root zone, commonly referred to as a dot zone, is generated along with the zone for the domain on the internet. The DNS and its clients may be unable to access the Internet due to this root zone. If a root zone exists, there are no other zones save those that are mentioned with DNS, and forwarders or root hint servers cannot be configured. You might need to get rid of the root zone because of these factors.

There is only one Active Directory domain in your network. Every domain controller is active Operating System 2008 R2. Both the Audit directory services access setting and the Audit account management policy setting are turned on for the entire domain. The ability to log changes to Active Directory objects must be present. The old and new values of any attributes must be included in the modifications that were logged.
What ought you to do?

Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.

Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.

Enable the Audit account management policy in the Default Domain Controller Policy.

Correct! Wrong!

Explanation:
When objects and their characteristics are changed, a new audit subcategory in Windows Server 2008 allows you to configure AD DS auditing to log both the old and new values.
The new audit policy subcategory Directory Service Changes enables the ability to audit changes to objects in AD DS. This manual offers guidance for putting this audit policy subcategory into practice.

There is only one Active Directory domain in your network. Every domain controller is active Operating System 2003.
The domain controllers are all upgraded to Windows Server 2008.
The Active Directory system has to be set up to accommodate the use of multiple password policies.
What should you do?

Create multiple Active Directory sites

On all domain controllers, run dcpromo /adv

Raise the functional level of the domain to Windows Server 2008

On one domain controller, run dcpromo /adv.

Correct! Wrong!

Explanation:
Step-by-Step Guide for the AD DS Fine-Grained Password and Account Lockout Policy This step-by-step manual outlines how to set up and implement specific password and account lockout policies for various user groups in Windows Server 2008 domains. There is only one password and account lockout policy that may be applied to all domain users in Microsoft Windows 2000 and Windows Server 2003 Active Directory domains. This policy is defined in the domain's Default Domain Policy. As a result, you had to either develop a password filter or set up numerous domains if you desired different password and account lockout settings for certain groups of users. Both choices were expensive for various reasons. Using fine-grained password policies in Windows Server 2008, you can specify various password policies and implement various account lockout and password restrictions for various groups of users inside a single domain.
Policies for account lockout and fine-grained passwords: Requirements and specific considerations
Domain functional level: Windows Server 2008 or a later version must be selected as the domain functional level.

There is an Active Directory domain for your business. The following warning appears when a user attempts to log on to the domain from a client computer: "This user account has expired. Ask your administrator to reactivate the account."
You must guarantee that the user can access the domain.
What ought you to do?

Modify the properties of the user account to set the account to never expire.

Modify the properties of the user account to extend the Logon Hours setting.

Modify the default domain policy to decrease the account lockout duration.

Modify the properties of the user account to set the password to never expire.

Correct! Wrong!

Explanation:
desktop1.png in C:Documents and Settingsusernwz1
Additional details:
http://technet.microsoft.com/en-us/library/dd145547.aspx
Account Tab in User Properties
Account closes down - establishes the user's account expiration policy. You have the following options to choose from:
If you want the specified account to never expire, use the Never option. For brand-new users, this choice is the default.
If you wish the user's account to expire on a specific date, choose End of and then choose a date.

You have two servers, Server1 and Server2, respectively. Windows Server 2008 is used by both servers. R2. Enterprise root certification authority (CA) configuration is set up on Server1.
On Server2, you set up the Online Responder role service.
Server1 must be set up to handle the Online Responder.
What ought you to do?

Configure the Certificate Revocation List Distribution Point extension.

Add the Server2 computer account to the CertPublishers group.

Configure the Authority Information Access (AIA) extension.

Import the enterprise root CA certificate.

Correct! Wrong!

Explanation:
Create a CA Setup for OCSP Responders

An online responder needs to have a current online certificate status in order to work effectively.
Certificate for the Protocol (OCSP)Response Signing. If you are using an OCSP responder that is not a Microsoft product, you additionally require this OCSP Response Signing certificate. The following actions are required when setting up a certification authority (CA) to support OCSP responder services:
1. Set up the OCSP Response Signing certificates' issuance properties and certificate templates.
2. Establish enrollment restrictions for all computers hosting Online Responders.
3. Enable the OCSP extension in issued certificates if the CA runs on Windows Server 2003.
4. Update the authority information access extension on the CA to include the Online Responder's or OCSP responder's location.
5. Activate the CA's OCSP Response Signing certificate template.

Intranet.contoso.com is the only Active Directory domain owned by your business. Windows Server 2008 R2 is used by all domain controllers. Windows is the domain functional level.
Windows 2000 is native and the forest functional level.
You must make sure that user accounts can use the UPN suffix for contoso.com.
What should you start with

Add the new UPN suffix to the forest.

Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com

Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.

Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.

Correct! Wrong!

Explanation:
http://support.microsoft.com/kb/243629 HOW TO: Add Forest UPN Suffixes

Adding a Forest to a UPN Suffix -
Active Directory Domains and Trusts should be open.
In the Tree window pane, right-click Active Directory Domains and Trusts, and then click Properties.
Enter the new UPN suffix you want to add to the forest on the UPN Suffixes page.
Click OK after selecting Add.
You can now choose the new UPN suffix to complete the user's logon name when adding users to the forest.

FREE MCTS 70 640: Active Directory, Configuring Question and Answers

There is only one Active Directory domain in your network. Every domain controller is active Operating System 2003. The domain controllers are all upgraded to Windows Server 2008. The Active Directory system has to be set up to accommodate the use of multiple password policies. What should you do?

Related Post

There is only one Active Directory domain in your network. Every domain controller is active Operating System 2003.
The domain controllers are all upgraded to Windows Server 2008.
The Active Directory system has to be set up to accommodate the use of multiple password policies.
What should you do?