getcertified4sure.com

70-640 Exam

Tactics to 70 640 pdf



Proper study guides for Renewal Microsoft TS: Windows Server 2008 Active Directory. Configuring certified begins with Microsoft mcitp 70 640 preparation products which designed to deliver the High quality microsoft 70 640 questions by making you pass the mcitp 70 640 test at your first time. Try the free microsoft 70 640 demo right now.

Q101. Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. 

You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest. 

What should you use? 

A. the Dsquery tool 

B. the Export-CSV cmdlet 

C. the Get-ADUser cmdlet 

D. the Net.exe user command 

Answer:

Explanation: 

Explanations: 

https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx 

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7 

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/ 

Export-Csv 

Explanation: 

http://technet.microsoft.com/en-us/library/ee176825.aspx 

Saving Data as a Comma-Separated Values File 

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) 

file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, 

thiscommand uses Get-Process to grab information about all the processes running on the 

computer,then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt: 

Get-Process | Export-Csv c:\scripts\test.txt. 

Net User 

Explanation: 

http://technet.microsoft.com/en-us/library/cc771865.aspx 

Adds or modifies user accounts, or displays user account information. 

DSQUERY 

Explanation 1: 

http://technet.microsoft.com/en-us/library/cc754232.aspx 

Parameters 

{<StartNode> | forestroot | domainroot} 

Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify 

forestroot, AD DS searches by using the global catalog. 

-attr {<AttributeList> | *} 

Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name. 

Explanation 2: 

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b 

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the startnode, instead of forestroot what we need. 

Explanation 3: 

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/ 

List all last login times for all users, regardless of whether they are disabled. 

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName 

lastLogon>>c:\last_logon_for_all.txt 


Q102. You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2. 

You need to monitor the replication of the group policy template files. 

Which tool should you use? 

A. Dfsrdiag 

B. Fsutil 

C. Ntdsutil 

D. Ntfrsutl 

Answer:

Explanation: 

With domain functional level 2008 you have available dfs-r sysvol replication. So with 

DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level 

2003. 

With domain functional level 2003 you can only use Ntfrsutl. 


Q103. Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1. 

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers. 

What should you do? 

A. Run ntdsutil.exe and use the Roles option. 

B. Run dsmgmt.exe and use the Local Roles option. 

C. From Active Directory Sites and Services, modify the NTDS Site Settings. 

D. From Active Directory Users and Computers, add the user to the Server Operators group. 

Answer:

Explanation: http://technet.microsoft.com/en-us/library/cc732301.aspx Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and 

for adding a user to that role. 

To configure Administrator Role Separation for an RODC 

1. Click Start, click Run, type cmd, and then press ENTER. 

2. At the command prompt, type dsmgmt.exe, and then press ENTER. 

3. At the DSMGMT prompt, type local roles, and then press ENTER. 


Q104. Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering. 

You need to create a password policy for the engineering department that is different from your domain password policy. 

What should you do? 

A. Create a new GPO. Link the GPO to the Engineering OU. 

B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU. 

C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group. 

D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard. 

Answer:

Explanation: 

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175b Complex Password Policy on an OU 

Q: Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user. A1: I beleive you are referering to PSC and PSO. The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container. PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Groups offer better flexibility for managing various sets of users than OUs. For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008. Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects. For more info, please see below article: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide A2: Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/A3: In addition, for fine grated password policy ; you need DLF 2008 and you can apply that policy on a single user and only global security group. 

Find the step by step info. http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ Tutorial: How to setup Default and Fine Grain Password Policy One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your user per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU…. but it doesn’t. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008 however this can only be set based on a security group membership and you still need to use the very un-user-friendly ADSI edit tool to make the changes to the policy. Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The Good news is setting the default password policy for a domain is really easy. The Bad news is that setting a fine grain password policy is really hard. How to set a Default Domain Password Policy 

Step 1 Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”). 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: I have elected to create a new GPO at the top of the domain in this case as I always 

try to avoid modifying the “Default Domain Policy”, see Explanations below. 

Explanation: 

http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx 

TechNet: Linking GPOs 

If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. 

http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx 

TechNet: Establishing Group Policy Operational Guidelines 

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. 

Step 2 

Edit the “Domain Password Policy” GPO and go to Computer Configurations>Policies>Windows 

Settings>Security Settings>Account Policy>Password Policy and configured the password policies settings to the configuration you desire. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 3 

Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order. 

TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Done… told you it was easy…. 

Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPO’s apply to objects. As you can see in the image below the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linking to the “Domain Controllers” OU configuration the same setting. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout- policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx) 

How to set a Fine Grain Password Policy 

Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password polices for the users in your environment was to have separate domains… OUCH! 

Pre-Requisites/Restrictions 

You domain must be Windows Server 2008 Native Mode, this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selection the “Raise domain functional level” on the top of the domain in Active Directory Users and Computers. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Explanation http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies The domain functional level must be Windows Server 2008. The other restriction with this option is that you can only apply FGPP to users object or 

users in global security groups (not computers). Explanation http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies Fine-grained password policies apply only to user objects … and global security groups. TIP: If you setup an “Automatic Shadow Group 

(http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/)” you can apply these password policies to users automatically to 

any users located in an OU. 

Creating a Password Setting Object (PSO) 

Step 1 Under Administrator Tools Open ADSI Edit and connect it to a domain and domain controller you want to setup the new password policy. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).\ 

Step 2 Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 3 

Right click on “CN=Password Settings Container” and then click on “New” then “Object. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 4 

Click on “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 5 

Type the name of the PSO in the “Value” field and then click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”. 

Step 6 

Type in a number that will be the Precedence for this Password Policy then click “Next”. 

Note: This is used if a users has multiple Password Settings Object (PSO) applied to them. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 7 

Type “FALSE” in the value field and click “Next” 

Note: You should almost never use “TRUE” for this setting. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 8 

Type “24” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 9 

Type “TRUE” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 10 

Type “5” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 11 

Type “1:00:00:00” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 12 

Type “42:00:00:00” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 13 

Type “10” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 14 

Type “0:00:30:00” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 15 

Type “0:00:33:00” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 16 

Click “Finish” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

You have now created the Password Settings Object (PSO) and you can close the 

ADSIEdit tool. 

Now to apply the PSO to a users or group… 

Step 17 

Open Active Directory Users and Computers and navigate to “System > Password Settings 

Container” 

Note: Advanced Mode needs to be enabled. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 18 

Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 19 

Click “Add Windows Accounts….” button. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 20 

Select the user or group you want to apply this PSO and click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 21 

Click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 22 

Click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

And your are done… (told you it was hard). 

Fine Grain Password Policies as you can see are very difficult to setup and manage so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or extra complicated password then at least it give you away to do this without having to spin up another domain. 


Q105. Your network contains a single Active Directory domain. 

You need to create an Active Directory Domain Services snapshot. 

What should you do? 

A. Use the Ldp tool. 

B. Use the NTDSUtil tool. 

C. Use the Wbadmin tool. 

D. From Windows Server Backup, perform a full backup. 

Answer:

Explanation: http://technet.microsoft.com/en-us/library/cc753609.aspx To create an AD DS or AD LDS snapshot 

1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group. 

2. Click Start, right-click Command Prompt, and then click Run as administrator. 

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 

4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil 

5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot 

6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds 

7. At the snapshot prompt, type the following command, and then press ENTER: create 


Q106. Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server. The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server. 

The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer on the installation media. You select the Repair your computer option. 

You need to restore the operating system and all files. 

What should you do? 

A. Select the System Image Recovery option. 

B. Run the Imagex utility at the command prompt. 

C. Run the Wbadmin utility at the command prompt. 

D. Run the Rollback utility at the command prompt. 

Answer:

Explanation: 

Old Answer: Run the Wbadmin utility at the command prompt. Answer: Select the System Image Recovery option. 

http://technet.microsoft.com/en-us/library/cc755163.aspx Recover the Operating System or Full Server Applies To: Windows Server 2008 R2 You can recover your server operating system or full server by using Windows Recovery Environment and a backup that you created earlier with Windows Server Backup. You can access the recovery and troubleshooting tools in Windows Recovery Environment through the System Recovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the computer, press F8, and then select Repair Your Computer from the list of startup options. 

To recover your operating system or full server using a backup created earlier and Windows Setup disc 

1. Insert the Windows Setup disc that has the same architecture of the system that you are trying to recover into the CD or DVD drive and start or restart the computer. If needed, press the required key to boot from the disc. The Install Windows Wizard should appear. 

2. In Install Windows, specify language settings, and then click Next. 

3. Click Repair your computer. 

4. Setup searches the hard disk drives for an existing Windows installation and then displays the results in System Recovery Options. If you are recovering the operating system onto separate hardware, the list should be empty (there should be no operating system on the computer). Click Next. 

5. On the System Recovery Options page, click System Image Recovery. This opens the Re-image your computer page. 

http://technet.microsoft.com/en-us/magazine/dd767786.aspx Use the Wbadmin Backup Command Line Utility in Windows Server 2008 Wbadmin is the command-line counterpart to Windows Server Backup. You use Wbadmin to manage all aspects of backup configuration that you would otherwise manage in Windows Server Backup. This means that you can typically use either tool to manage backup and recovery. After you’ve installed the Backup Command-Line Tools feature, you can use Wbadmin to manage backup and recovery. Wbadmin is located in the %SystemRoot%\System32\ directory. As this directory is in your command path by default, you do not need to add this directory to your command path. Further information: http://technet.microsoft.com/en-us/library/cc754015%28v=ws.10%29.aspx 

Wbadmin Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Remarks The wbadmin command replaces the ntbackup command that was released with previous versions of Windows. You cannot recover backups that you created with ntbackup by using wbadmin. However, a version of ntbackup is available as a download for Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 users who want to recover backups that they created using ntbackup. This downloadable version of ntbackup enables you to perform recoveries only of legacy backups, and it cannot be used on computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 to create new backups. http://technet.microsoft.com/en-us/library/dd979562%28v=ws.10%29.aspx Backup and Recovery Overview for Windows Server 2008 R2 Windows Server 2008 R2 contains features to help you create backups and, if needed, perform a recovery of your operating system, applications, and data. By using these features appropriately and implementing good operational practices, you can improve your organization's ability to recover from damaged or lost data, hardware failures, and disasters. For Windows Server 2008 R2, there are new features that expand what you can back up, where you can store backups, and how you can perform recoveries. 

This table summarizes the tools you can use to perform the following backup or recovery tasks for your computers running Windows Server 2008 R2: 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

What is Windows Recovery Environment? 

You can access the recovery and troubleshooting tools in Windows Recovery Environment through the System Recovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the computer, press F8, and then select Repair Your Computer from the list of startup options. Features in Windows Recovery Environment The tools in Windows Recovery Environment include: System Image Recovery. You can use this tool and a backup that you created earlier with Windows Server Backup to restore your operating system or full server. Windows Memory Diagnostic. You can use this tool (which is a memory diagnostic schedule) to check your computer's RAM. Doing this requires a restart. In addition, this tool requires a valid Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 installation to function. Command Prompt. This opens a command prompt window with Administrator privileges that provides full access to your file system and volumes. In addition, certain Wbadmin commands are only available from this command window. 


Q107. Your network contains a domain controller that has two network connections named Internal and Private. 

Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address. 

What should you do? 

A. Modify the netlogon.dns file on the domain controller. 

B. Modify the Name Server settings of the DNS zone for the domain. 

C. Modify the properties of the Private network connection on the domain controller. 

D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain. 

Answer:

Explanation: 

http://support.microsoft.com/kb/2023004 Steps to avoid registering unwanted NIC(s) in DNS on a Mulithomed Domain Controller Symptoms On Domain Controllers with more than one NIC where each NIC is connected to separate Network, there is a possibility that the Host A DNS registration can occur for unwanted NIC(s). If the client queries for DC’s DNS records and gets an unwanted record or the record of a different network which is not reachable to client, the client will fail to contact the DC causing authentication and many other issues. 

Cause The DNS server will respond to the query in a round robin fashion. If the DC has multiple NICs registered in DNS. The DNS will serve the client with all the records available for that DC. To prevent this, we need to make sure the unwanted NIC address is not registered in DNS. Below are the services that are responsible for Host A record registration on a DC 

1. Netlogon service 

2. DNS server service (if the DC is running DNS server service) 

3. DHCP client /DNS client (2003/2008) If the NIC card is configured to register the connection address in DNS, then the DHCP /DNS client service will Register the record in DNS. Unwanted NIC should be configured not to register the connection address in DNS If the DC is running DNS server service, then the DNS service will register the interface Host A record that it has set to listen on. The Zone properties, “Name server” tab list out the IP addresses of interfaces present on the DC. If it has listed both the IPs, then DNS server will register Host A record for both the IP addresses. We need to make sure only the required interface listens for DNS and the zone properties, name server tab has required IP address information 

Resolution To avoid this problem perform the following 3 steps (It is important that you follow all the steps to avoid the issue). 

1. Under Network Connections Properties: On the Unwanted NIC TCP/IP Properties -> 

Advanced -> DNS -

> Uncheck "Register this connections Address in DNS" 

2. Open the DNS server console: highlight the server on the left pane Action-> Properties 

and on the "Interfaces" tab select "listen on only the following IP addresses". Remove 

unwanted IP address from the list 

3. On the Zone properties, select Name server tab. Along with FQDN of the DC, you will 

see the IP address associated with the DC. Remove unwanted IP address if it is listed. 

After performing this delete the existing unwanted Host A record of the DC. 


Q108. You have an enterprise subordinate certification authority (CA). 

You have a custom Version 3 certificate template. 

Users can enroll for certificates based on the custom certificate template by using the 

Certificates console. The certificate template is unavailable for Web enrollment. 

You need to ensure that the certificate template is available on the Web enrollment pages. 

What should you do? 

A. Run certutil.exe pulse. 

B. Run certutil.exe installcert. 

C. Change the certificate template to a Version 2 certificate template. 

D. On the certificate template, assign the Autoenroll permission to the users. 

Answer:

Explanation: 

Explanation 

Identical to F/Q33. Explanation 1: http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used with version 3 certificate templates. Explanation 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates. 


Q109. Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests. 

You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.com domain by using the user name NA\User1. 

Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain. 

You need to ensure that User1 can log on to the computer in the nwtraders.com domain. 

What should you do? 

A. Enable selective authentication over the forest trust. 

B. Create an external one-way trust from na.contoso.com to nwtraders.com. 

C. Instruct User1 to log on to the computer by using his user principal name (UPN). 

D. Instruct User1 to log on to the computer by using the user name nwtraders\User1. 

Answer:

Explanation: 

http://apttech.wordpress.com/2012/02/29/what-is-upn-and-why-to-use-it/ 

What is UPN and why to use it? 

UPN or User Principal Name is a logon method of authentication when you enter the 

credentials as username@domainname.com instead of Windows authentication method: 

domainname\username to be used as login. 

So UPN is BASICALLY a suffix that is added after a username which can be used in place 

of “Samaccount” name to authenticate a user. So lets say your company is called ABC, 

then instead of ABC\Username you can use username@ABC.com at the authentication 

popup. The additional UPN suffix can help users to simplify the logon information in long domain names with an easier name. Example: instead of username@this.is.my.long.domain.name.in.atlanta.com”, change it to “username@atlanta”, if you create an UPN suffix called Atlanta. http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-across-forest-and-achieve-single-signon-part1.aspx Accessing Resources across forest and achieve Single Sign ON (Part1) http://technet.microsoft.com/en-us/library/cc772808%28v=ws.10%29.aspx Accessing resources across forests 

When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are replicated to the global catalog. 


Q110. Your network contains an Active Directory forest named contoso.com. 

You plan to add a new domain named nwtraders.com to the forest. 

All DNS servers are domain controllers. 

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest. 

What should you do? 

A. Add the computer accounts of all the domain controllers to the DnsAdmins group. 

B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group. 

C. Create a standard primary zone on a domain controller in the forest root domain. 

D. Create an Active Directory-integrated zone on a domain controller in the forest root domain. 

Answer:


© Copyright Getcertified4sure.com. examcollectionuk.com
All other trademarks and copyrights are the property of their respective owners.
All rights reserved.