Want to know the Pass4sure 70-640 Exam practice test features? Want to learn more about the Microsoft TS: Windows Server 2008 Active Directory, Configuring certification experience? Study real Microsoft 70-640 answers to replace 70-640 questions at Pass4sure. Get success with an absolute guarantee to pass the Microsoft 70-640 (TS: Windows Server 2008 Active Directory, Configuring) test on your first attempt.
Q181. Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 and Forest3.
You need to configure the forests to meet the following requirements:
. Users in Forest3 must be able to access resources in Forest1.
. Users in Forest1 must be able to access resources in Forest3.
. The number of trusts must be minimized.
What should you do?
A. In Forest2, modify the name suffix routing settings.
B. In Forest1 and Forest3, configure selective authentication.
C. In Forest1 and Forest3, modify the name suffix routing settings.
D. Create a two-way forest trust between Forest1 and Forest3.
E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.
Answer: D
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012), page 639:
Forest Trusts
(...)
You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters.com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them.
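An added example (not from the training kit or the exam dump): a PowerShell function that lists the trustedDomain objects of a domain and decodes direction and transitivity from the trustAttributes flags. Run in Forest1's root domain it shows Forest2's root as a forest trust and nothing at all for Forest3, which is the reason answer D is needed. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT); forest1.com and forest3.com are placeholder names.

```powershell
# Added example, not code from the page. Needs the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). Domain names below are placeholders.
Import-Module ActiveDirectory

# Bits of the trustAttributes attribute on trustedDomain objects
$TA_NON_TRANSITIVE    = 0x1
$TA_FOREST_TRANSITIVE = 0x8
$TA_CROSS_ORG         = 0x10   # selective authentication enabled
$TA_WITHIN_FOREST     = 0x20
# trustDirection: 1 = inbound, 2 = outbound, 3 = two-way
$Direction = @{ 1 = 'inbound'; 2 = 'outbound'; 3 = 'two-way' }

function Get-TrustSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $base = 'CN=System,' + (Get-ADDomain -Identity $Domain).DistinguishedName
    Get-ADObject -Server $Domain -SearchBase $base `
        -Filter 'objectClass -eq "trustedDomain"' `
        -Properties trustPartner, trustDirection, trustAttributes, trustType |
    ForEach-Object {
        $attr = [int]$_.trustAttributes
        $kind = if ($attr -band $TA_WITHIN_FOREST)         { 'intra-forest' }
                elseif ($attr -band $TA_FOREST_TRANSITIVE) { 'forest' }
                elseif ([int]$_.trustType -eq 3)           { 'realm' }
                else                                       { 'external' }
        New-Object PSObject -Property @{
            Partner       = $_.trustPartner
            Kind          = $kind
            Direction     = $Direction[[int]$_.trustDirection]
            Transitive    = -not ($attr -band $TA_NON_TRANSITIVE)
            SelectiveAuth = [bool]($attr -band $TA_CROSS_ORG)
        }
    }
}

# Run in Forest1's root domain: Forest2's root shows up as Kind=forest,
# Direction=two-way. No trustedDomain object exists for Forest3, because the
# Forest2 <-> Forest3 forest trust is not inherited across the Forest1 <-> Forest2 one.
Get-TrustSummary | Format-Table Partner, Kind, Direction, Transitive, SelectiveAuth -AutoSize

# The same fact from the verification side: this only succeeds for a direct
# trust, so it fails between forest1.com and forest3.com until one is created.
netdom trust forest1.com /domain:forest3.com /verify
```

The SelectiveAuth column is the flag answer B would set; it narrows which resource computers trusted users may authenticate to, but it does not create the missing Forest1 to Forest3 path.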
Q182. You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1.
You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.
Which inbound TCP port should you allow on Server1?
A. 88
B. 135
C. 443
D. 445
Answer: C
Q183. Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site.
All sites are connected with the DEFAULTIPSITELINK object.
You need to decrease the replication latency between the domain controllers.
What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Answer: B
Explanation:
Answer: Decrease the replication interval for the DEFAULTIPSITELINK object.
Personal comment:
"All sites are connected with the DEFAULTIPSITELINK object" <- this roughly translates into "all sites are connected with the first domain controller in the forest", so the topology is star shaped. Thus, decreasing the cost between the connection objects will offer no benefit. We know we have multiple sites linked and are using a DEFAULTIPSITELINK object. Thus, the most plausible answer is to decrease the replication interval for DEFAULTIPSITELINK.
http://www.informit.com/articles/article.aspx?p=26866&seqNum=5
Understanding Active Directory, Part III
Replication
Active Directory replication between domain controllers is managed by the system
administrator on a site-bysite basis. As domain controllers are added, a replication path
must be established. This is done by the Knowledge Consistency Checker (KCC), coupled
with Active Directory replication components. The KCC is a dynamic process that runs on
all domain controllers to create and modify the replication topology. If a domain controller
fails, the KCC automatically creates new paths to the remaining domain controllers. Manual
intervention with the KCC will also force a new path.
The Active Directory replaces PDCs and BDCs with multimaster replication services. Each
domain controller retains a copy of the entire directory for that particular domain. As
changes are made in one domain controller, the originator communicates these changes to
the peer domain controllers. The directory data itself is stored in the ntds.dit file.
Active Directory replication uses Remote Procedure Call (RPC) over IP to conduct replication within a site. Replication between sites can use either RPC or the Simple Mail Transfer Protocol (SMTP) for data transmission. The default intersite replication protocol is RPC.
Intersite and Intrasite Replication
There are distinct differences in intrasite and intersite domain controller replication. In theory, the network bandwidth within a site is sufficient to handle all network traffic associated with replication and other Active Directory activities. By the definition of a site, the network must be reliable and fast. A change notification process is initiated when modifications occur on a domain controller. The domain controller waits for a configurable period (by default, five minutes) before it forwards a message to its replication partners. During this interval, it continues to accept changes. Upon receiving a message, the partner domain controllers copy the modification from the original domain controller. In the event that no changes were noted during a configurable period (six hours, by default), a replication sequence ensures that all possible modifications are communicated. Replication within a site involves the transmission of uncompressed data.
NOTE: Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
Replication between sites assumes that there are network-connectivity problems, including insufficient bandwidth, reliability, and increased cost. Therefore, Active Directory permits the system to make decisions on the type, frequency, and timing of intersite replication. All replication objects transmitted between sites are compressed, which may reduce traffic by 10 to 25 percent, but because this is not sufficient to guarantee proper replication, the system administrator has the responsibility of scheduling intersite replication.
Replication Component Objects
Whereas the KCC represents the process elements associated with replication, the following comprise the Active Directory object components:
Connection object. Domain controllers become replication "partners" when linked by a connection object. This is represented by a one-way path between two domain controller server objects. Connection objects are created by the KCC by default. They can also be manually created by the system administrator.
NTDS settings object. The NTDS settings object is a container that is automatically created by Active Directory. It contains all of the connection objects, and is a child of the server object.
Server object. Active Directory represents every computer as a computer object. The domain controller is also represented by a computer object, plus a specially created server object. The server object's parent is the site object that defines its IP subnet. However, in the event that the domain controller server object was created prior to site creation, it will be necessary to manually define the IP subnet to properly assign the domain controller a site.
When it is necessary to link multiple sites, two additional objects are created to manage the replication topology.
Site link. The site link object specifies a series of values (cost, interval, and schedule) that define the connection between sites. The KCC uses these values to manage replication and to modify the replication path if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used by default until the system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of the actual cost of data transmission as defined by bandwidth. The interval value sets how often replication occurs over the link: the minimum is 15 minutes, the maximum is once a week (10080 minutes), and the default is three hours. The schedule establishes the times when replication is permitted. Although replication can occur at any time by default, the system administrator may want to schedule it only during off-peak network hours.
Site link bridges. The site link bridge object defines a set of links that communicate via the same protocol. By default, all site links use the same protocol, and are transitive. Moreover, they belong to a single site link bridge. No configuration is necessary to the site link bridge if the IP network is fully routed. Otherwise, manual configuration may be necessary.
Further information:
http://technet.microsoft.com/en-us/library/cc775549%28v=ws.10%29.aspx
What Is Active Directory Replication Topology?
Replication of updates to Active Directory objects is transmitted between multiple domain controllers to keep replicas of directory partitions synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site. Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions. Site objects can be configured to include a set of subnets that provide local area network (LAN) network speeds. As such, replication within sites generally occurs at high speeds between domain controllers that are on the same network segment. Similarly, site link objects can be configured to represent the wide area network (WAN) links that connect LANs. Replication between sites usually occurs over these WAN links, which might be costly in terms of bandwidth.
To accommodate the differences in distance and cost of replication within a site and replication between sites, the intrasite replication topology is created to optimize speed, and the intersite replication topology is created to minimize cost.
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is responsible for creating the connections between domain controllers that collectively form the replication topology. The KCC uses Active Directory data to determine where (from what source domain controller to what destination domain controller) to create these connections.
The following diagram shows the interaction of these technologies with the replication topology, which is indicated by the two-way connections between each set of domain controllers.
Replication Topology and Dependent Technologies
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx
How Active Directory Replication Topology Works
Replication Topology Physical Structure
The Active Directory replication topology can use many different components. Some components are required and others are not required but are available for optimization. The following diagram illustrates most replication topology components and their place in a sample Active Directory multisite and multidomain forest. The depiction of the intersite topology that uses multiple bridgehead servers for each domain assumes that at least one domain controller in each site is running at least Windows Server 2003. All components of this diagram and their interactions are explained in detail later in this section.
Replication Topology Physical Structure
In the preceding diagram, all servers are domain controllers. They independently use global knowledge of configuration data to generate one-way, inbound connection objects. The KCCs in a site collectively create an intrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an intersite topology. Within sites, one-way arrows indicate the inbound connections by which each domain controller replicates changes from its partner in the ring. For intersite replication, one-way arrows represent inbound connections that are created by the ISTG of each site from bridgehead servers (BH) for the same domain (or from a global catalog server [GC] acting as a bridgehead if the domain is not present in the site) in other sites that share a site link. Domains are indicated as D1, D2, D3, and D4. Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a site object in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way replication can occur, and each WAN link is represented in Active Directory as a site link object. Site link objects allow connections to be created between bridgehead servers in each site that is connected by the site link.
Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses the RPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses the SMTP protocol for the replication transport to replicate the configuration and schema directory partitions and global catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to replicate writable domain directory partitions, this transport is required because a TCP/IP connection is not available between Site A and Site D. This configuration is acceptable for replication because Site D does not host domain controllers for any domains that must be replicated over the site link A-D.
By default, site links A-B and A-C are transitive (bridged), which means that replication of domain D2 is possible between Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the routing path for replication, which is based on the aggregated cost of available site links. The cost of a direct connection between Site C and Site B is the sum of costs on site links A-B and A-C. For this reason, replication between Site B and Site C is automatically routed through Site A to avoid the more expensive, transitive route. Connections are created between Site B and Site C only if replication through Site A becomes impossible due to network or bridgehead server conditions.
Control Replication Latency and Cost
Replication latency is inherent in a multimaster directory service. A period of replication latency begins when a directory update occurs on an originating domain controller and ends when replication of the change is received on the last domain controller in the forest that requires the change. Generally, the latency that is inherent in a WAN link is relative to a combination of the speed of the connection and the available bandwidth. Replication cost is an administrative value that can be used to indicate the latency that is associated with different replication routes between sites. A lower-cost route is preferred by the ISTG when generating the replication topology.
Site topology is the topology as represented by the physical network: the LANs and WANs that connect domain controllers in a forest. The replication topology is built to use the site topology. The site topology is represented in Active Directory by site objects and site link objects. These objects influence Active Directory replication to achieve the best balance between replication speed and the cost of bandwidth utilization by distinguishing between replication that occurs within a site and replication that must span sites. When the KCC creates replication connections between domain controllers to generate the replication topology, it creates more connections between domain controllers in the same site than between domain controllers in different sites. The results are lower replication latency within a site and less replication bandwidth utilization between sites.
Within sites, replication is optimized for speed as follows:
Connections between domain controllers in the same site are always arranged in a ring,
with possible additional connections to reduce latency.
Replication within a site is triggered by a change notification mechanism when an update
occurs, moderated by a short, configurable delay (because groups of updates frequently
occur together).
Data is sent uncompressed, and thus without the processing overhead of data
compression.
Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:
Replication data is compressed to minimize bandwidth consumption over WAN links.
Store-and-forward replication makes efficient use of WAN links — each update crosses an
expensive link only once.
Replication occurs at intervals that you can schedule so that use of expensive WAN links is
managed.
The intersite topology is a layering of spanning trees (one intersite connection between any
two sites for each directory partition) and generally does not contain redundant
connections.
Topology-Related Objects in Active Directory
Active Directory stores replication topology information in the configuration directory
partition. Several configuration objects define the components that are required by the KCC
to establish and implement the replication topology:
Site Link Objects
For a connection object to be created on a destination domain controller in one site that
specifies a source domain controller in another site, you must manually create a site link
object (class siteLink ) that connects the two sites. Site link objects identify the transport
protocol and scheduling required to replicate between two or more sites. You can use
Active Directory Sites and Services to create the site links. The KCC uses the information
stored in the properties of these site links to create the intersite topology connections.
A site link is associated with a network transport by creating the site link object in the
appropriate transport container (either IP or SMTP). All intersite domain replication must
use IP site links. The Simple Mail Transfer Protocol (SMTP) transport can be used for
replication between sites that contain domain controllers that do not host any common
domain directory partition replicas.
Site Link Properties
A site link specifies the following:
Two or more sites that are permitted to replicate with each other.
An administrator-defined cost value associated with that replication path. The cost value
controls the route that replication takes, and thus the remote sites that are used as sources
of replication information.
A schedule during which replication is permitted to occur.
An interval that determines how frequently replication occurs over this site link during the times when the schedule allows replication.
Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports container). This site link contains only one site, Default-First-Site-Name.
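An added example (not from the training kit or the quoted articles): reading and lowering the replication interval of DEFAULTIPSITELINK on Windows Server 2008 R2, where the ActiveDirectory module has no site-link cmdlet yet, so the siteLink object's replInterval attribute is written directly. It assumes the ActiveDirectory module and repadmin on a DC; the column names taken from repadmin's /csv output are an assumption about 2008 R2 and should be checked on the box.

```powershell
# Added example, not code from the page. Needs the ActiveDirectory module and
# repadmin (both present on a 2008 R2 DC with RSAT). Link name is the question's.
Import-Module ActiveDirectory

$ipTransport = 'CN=IP,CN=Inter-Site Transports,CN=Sites,' +
               (Get-ADRootDSE).configurationNamingContext

function Get-SiteLinkSettings {
    Get-ADObject -SearchBase $ipTransport -Filter 'objectClass -eq "siteLink"' `
        -Properties cost, replInterval, siteList, options |
    Select-Object Name, cost, replInterval, options,
        @{ n = 'Sites'; e = { ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

function Set-SiteLinkInterval {
    param(
        [string]$LinkName = 'DEFAULTIPSITELINK',
        # 15 minutes is the smallest interval the KCC honours; 10080 (one week) the largest
        [ValidateRange(15, 10080)][int]$Minutes
    )
    $link = Get-ADObject -SearchBase $ipTransport -Filter "name -eq '$LinkName'"
    if (-not $link) { throw "site link $LinkName not found under $ipTransport" }
    Set-ADObject -Identity $link -Replace @{ replInterval = $Minutes }
}

Get-SiteLinkSettings                # default link: cost 100, replInterval 180
Set-SiteLinkInterval -Minutes 15    # answer B: shorter interval, same cost and schedule
Get-SiteLinkSettings

# Ask every DC's KCC to recompute the topology now rather than at its next
# pass, then read back inbound partners and last-success times.
# (Column names of the /csv output are assumed from 2008 R2 repadmin.)
repadmin /kcc *
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Select-Object 'Source DSA', 'Destination DSA', 'Number of Failures', 'Last Success Time' |
    Format-Table -AutoSize

# If 15 minutes is still too slow, bit 0x1 of the link's options attribute turns
# on intersite change notification, so the link replicates on change as within a site:
# Set-ADObject -Identity (Get-ADObject -SearchBase $ipTransport -Filter "name -eq 'DEFAULTIPSITELINK'") -Replace @{ options = 1 }
```

Cost (answer C) only changes which route the ISTG prefers when more than one site link exists; with every site on the one default link there is no alternative route, so only the interval (and the schedule window) moves the latency.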
Q184. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.
The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdsc.contoso.com.
D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.
Answer: A,C
Explanation:
Note that the question says _msdSC instead of _msdCS. Not sure whether it means something; probably a typo.
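An added example (not from the page): answers C and A done with dnscmd on a contoso.com domain controller that is also a DNS server: create _msdcs.contoso.com as its own AD-integrated zone in the forest-wide application partition, then delegate it from contoso.com. Server names are placeholders, and the commented-out clean-up step rests on an assumption about the exhibit (that _msdcs currently exists as a subdomain inside the contoso.com zone).

```powershell
# Added example, not code from the page. Run on a contoso.com DC that runs DNS.
$zone   = 'contoso.com'
$msdcs  = "_msdcs.$zone"
$thisDc = "$env:COMPUTERNAME.$zone"     # placeholder for the local DC's FQDN

# Answer C: a separate AD-integrated zone stored in ForestDnsZones (/DP /forest),
# so every DNS server that is a DC anywhere in the forest, including the
# eu.contoso.com DCs, holds a writable replica through AD replication.
dnscmd $thisDc /ZoneAdd $msdcs /DsPrimary /DP /forest

# Only authenticated (secure) dynamic updates: DCs register their SRV records,
# an unauthenticated client cannot rewrite them.
dnscmd $thisDc /Config $msdcs /AllowUpdate 2

# If _msdcs currently exists as a plain subdomain of contoso.com (assumed from
# the exhibit), drop its stale records so the delegation below is not shadowed;
# Netlogon re-registers them in the new zone a few lines further down.
# dnscmd $thisDc /NodeDelete $zone _msdcs /tree /f

# Answer A: the delegation, an NS record for _msdcs in the parent zone that
# points at a server hosting the new zone.
dnscmd $thisDc /RecordAdd $zone _msdcs NS $thisDc

# Re-register this DC's locator records and confirm they land in the new zone.
nltest /dsregdns
dnscmd $thisDc /ZoneInfo $msdcs
nslookup -type=SRV "_ldap._tcp.dc.$msdcs" $thisDc
```

A secondary zone (answer D) would give the eu.contoso.com DCs a read-only copy pulled by zone transfer, which is exactly what the question's "writable copy" rules out.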
Q185. Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid. What should you do?
A. Run syskey.exe and use the Update option.
B. Run sigverif.exe and use the Advanced option.
C. Run certutil.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.
Answer: C
Explanation:
http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx
Basic CRL checking with certutil
Certutil.exe is the command-line tool to verify certificates and CRLs. To get reliable verification results, you must use certutil.exe because the Certificate MMC Snap-In does not verify the CRL of certificates. A certificate might be wrongly shown in the MMC snap-in as valid but once you verify it with certutil.exe you will see that the certificate is actually invalid.
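An added example (not from the blog post): a PowerShell wrapper around certutil -verify that scripts can use for the check the question asks about, with -urlfetch so the CRL is pulled from the CDP in the certificate instead of from a possibly stale local cache. The certificate path is a placeholder, and the result strings it matches are the ones certutil prints on Windows Server 2008 R2 (an assumption; compare against your own certutil output).

```powershell
# Added example, not code from the page. certutil.exe ships with Windows;
# the path is a placeholder and the matched strings are assumed 2008 R2 output.
function Test-IssuedCertificate {
    param([Parameter(Mandatory = $true)][string]$CerPath)

    # -urlfetch makes certutil retrieve the AIA and CDP URLs embedded in the
    # certificate instead of trusting the local CRL cache, so a stale cached
    # CRL cannot mask a revocation that has already been published.
    $out  = & certutil.exe -verify -urlfetch $CerPath 2>&1 | Out-String
    $exit = $LASTEXITCODE

    $revoked    = $out -match 'The certificate is revoked'
    $revChecked = $out -match 'Leaf certificate revocation check passed'
    $chainOk    = ($exit -eq 0) -and ($out -notmatch '(?m)^ERROR:')

    New-Object PSObject -Property @{
        File            = $CerPath
        ChainBuilds     = $chainOk
        RevocationCheck = $revChecked
        Revoked         = $revoked
        Valid           = ($chainOk -and $revChecked -and -not $revoked)
    }
}

# A certificate the Certificates MMC shows as OK can still come back Valid=False:
# an unreachable CDP surfaces as ChainBuilds=False with RevocationCheck=False,
# a revoked serial as Revoked=True. Treat both as failures, not only the latter.
Test-IssuedCertificate -CerPath 'C:\certs\webserver.cer' |
    Format-List File, ChainBuilds, RevocationCheck, Revoked, Valid
```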
Q186. Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7.
You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone.
You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.
What should you do first?
A. On the member server, add a conditional forwarder.
B. On the member server, install Active Directory Domain Services.
C. Add all computer accounts to the DNS UpdateProxy group.
D. Convert the standard primary zone to an Active Directory-integrated zone.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
Q187. You need to relocate the existing user and computer objects in your company to different organizational units.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the move-item command in the Microsoft Windows PowerShell utility.
B. Run the Active Directory Users and Computers utility.
C. Run the Dsmove utility.
D. Run the Active Directory Migration Tool (ADMT).
Answer: B,C
Explanation:
Personal note:
You can simply drag and drop objects when using the Active Directory Users and Computers utility or use the dsmove command.
http://technet.microsoft.com/en-us/library/cc731094%28v=ws.10%29.aspx
Dsmove
Moves a single object, within a domain, from its current location in the directory to a new location, or renames a single object without moving it in the directory tree.
Q188. Your company has two Active Directory forests as shown in the following table.
The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain.
You need to configure the forest trust to meet the new security policy requirement.
What should you do?
A. Delete the outgoing forest trust in the contoso.com domain.
B. Delete the incoming forest trust in the contoso.com domain.
C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication.
D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
How Domain and Forest Trusts Work
Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account.
Trust Flow
The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive).
One-Way and Two-Way Trusts
Trust relationships that are established to enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.
All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created.
An Active Directory domain can establish a one-way or two-way trust with:
Windows Server 2003 domains in the same forest.
Windows Server 2003 domains in a different forest.
Windows NT 4.0 domains.
Kerberos V5 realms.
Transitive and Nontransitive Trusts
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains.
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree. Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 2 can access resources in domains in Tree 1, when the proper permissions are assigned at the resource.
Default Transitive Trust Relationships
In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts.
Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
Forest trust. A transitive trust between one forest root domain and another forest root domain.
Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.
A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between:
A Windows Server 2003 domain and a Windows NT domain
A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust)
By using the New Trust Wizard, you can manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm.
Q189. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008.
You have a member server named Server1 that runs Windows Server 2008.
You need to ensure that you can add Server1 to contoso.com as a domain controller.
What should you run before you promote Server1?
A. dcpromo.exe /CreateDCAccount
B. dcpromo.exe /ReplicaOrNewDomain:replica
C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels.aspx
After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.
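An added example (not from the page): the rollback from answer C with the precondition the article states checked first, since Set-ADDomainMode will refuse the change if the forest is already at Windows Server 2008 R2. It assumes the ActiveDirectory module (2008 R2 RSAT) and the question's domain name.

```powershell
# Added example, not code from the page. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-CanLowerToWindows2008 {
    param([string]$Domain = 'contoso.com')
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    # The only permitted roll-back: 2008 R2 domain level down to 2008, and only
    # while the forest level is still 2008 or lower.
    New-Object PSObject -Property @{
        Domain     = $d.DNSRoot
        DomainMode = "$($d.DomainMode)"
        ForestMode = "$($f.ForestMode)"
        CanLower   = ("$($d.DomainMode)" -eq 'Windows2008R2Domain') -and
                     ("$($f.ForestMode)" -ne 'Windows2008R2Forest')
    }
}

$state = Test-CanLowerToWindows2008
if ($state.CanLower) {
    Set-ADDomainMode -Identity $state.Domain -DomainMode Windows2008Domain -Confirm:$false
    (Get-ADDomain -Identity $state.Domain).DomainMode    # now Windows2008Domain
} else {
    Write-Warning "Cannot lower: domain level $($state.DomainMode), forest level $($state.ForestMode)"
}
# With contoso.com back at Windows Server 2008, Server1 (Windows Server 2008,
# not R2) can run dcpromo and become an additional domain controller.
```

Answer D goes the wrong way: raising the forest to 2008 R2 would make the domain level permanent and still leave Server1 unable to join as a DC.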
Q190. Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in the following Command Prompt window.
You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com.
What should you modify?
A. the root hints of the DNS server
B. the security settings of the zone
C. the Windows Firewall settings on the DNS server
D. the zone transfer settings of the zone
Answer: D
Explanation:
http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm
11.7 Troubleshooting nslookup Problems
11.7.4 Query Refused
Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here's what it looks like when nslookup exits on startup because of a refused query:
% nslookup
*** Can't find server name for address 192.249.249.3: Query refused
*** Default servers are not available
%
This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup. Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see:
% nslookup
Default Server: hp.com
Address: 15.255.152.4
> server terminator.movie.edu
Default Server: terminator.movie.edu
Address: 192.249.249.3
> carrie.movie.edu.
Server: terminator.movie.edu
Address: 192.249.249.3
*** terminator.movie.edu can't find carrie.movie.edu.: Query refused
> ls movie.edu - This attempts a zone transfer
[terminator.movie.edu]
*** Can't list domain movie.edu: Query refused