Q1. Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do?
A. Add and configure a new account partner.
B. Add and configure a new resource partner.
C. Add and configure a new account store.
D. Add and configure a Claims-aware application.
Option C is correct.
http://technet.microsoft.com/en-us/library/cc732095.aspx Understanding Account Stores
Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
Q2. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller. What tool should you use?
A. Active Directory Users and Computers snap-in
C. Local Users and Groups snap-in
Option B is correct.
http://technet.microsoft.com/en-us/library/cc753343%28v=ws.10%29.aspx Ntdsutil
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators...
Commands
set DSRM password - Resets the Directory Services Restore Mode (DSRM) administrator password.
Further information:
http://technet.microsoft.com/en-us/library/cc754363%28v=ws.10%29.aspx Set DSRM password
Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed under "Syntax." This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
Q3. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data. What should you do?
A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.
B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the
D. On both servers, modify the interface that the DNS server listens on.
Option B is correct.
http://technet.microsoft.com/en-us/library/cc771150.aspx Change the Zone Type
You can use this procedure to make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network...
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx Deploy IPsec Policy to DNS Servers
You can deploy IPsec rules through one of the following mechanisms:
Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier.
DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers.
Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally.
http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx Deploying Secure DNS
Protecting DNS Servers
When the integrity of the responses of a DNS server is compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:
Use IPsec between DNS clients and servers.
Monitor network activity.
Close all unused firewall ports.
Implementing IPsec Between DNS Clients and Servers
IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server.
Further information:
http://technet.microsoft.com/en-us/library/cc771898.aspx Understanding Zone Types
The DNS Server service provides for three types of zones:
Primary zone
Secondary zone
Stub zone
Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS.
The following sections describe each of these zone types:
Primary zone
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
Stub zone
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.
You can use stub zones to:
Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace.
Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/ Answered: what is non-standard dns secondary zone?
Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone". From the context of other questions I understood that "standard", in context of primary zone, means "non-AD integrated".
A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file.
Q: What does "standard" mean in context of DNS secondary zone?
A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is stored in a text file, which can be found in system32\dns.
Q4. Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch office are able to log on to the domain by using the RODC. What should you do?
A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites and
D. Configure the Password Replication Policy on the RODC.
Option D is correct.
http://technet.microsoft.com/en-us/library/cc754956%28v=ws.10%29.aspx RODC Frequently Asked Questions
What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
Password changes
Attempts to join a computer to a domain
Computer rename
Authentication attempts for accounts whose credentials are not cached on the RODC
Group Policy updates that an administrator might attempt by running the gpupdate /force command
What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
Authentication and logon attempts, if the credentials for the resource and the requester are already cached.
Local RODC server administration performed by a delegated RODC server administrator.
Q5. Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records. You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records. What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Option A is correct.
http://technet.microsoft.com/en-us/library/cc753751.aspx Allow Only Secure Dynamic Updates
Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address. Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
Further information:
http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update
Q6. You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller. Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Options A and E are correct.
http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-indows-server-2008.aspx Transferring FSMO Roles in Windows Server 2008
One of any system administrator's duties would be to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller is to be able to successfully transfer the FSMO roles to the new hardware server. FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles.
The five FSMO roles are:
Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator
The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
Q7. Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival. What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Option D is correct.
http://technet.microsoft.com/en-us/library/cc753011.aspx Enable Key Archival for a CA
Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA). You must be a CA administrator to complete this procedure.
To enable key archival for a CA:
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Recovery Agents tab, and then click Archive the key.
5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key. The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.
6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.
7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.
8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.
Further information:
http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspx Key Archival and Management in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc730721.aspx Managing Key Archival and Recovery
Q8. Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network. You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain. What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.
B. Configure conditional forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.
Option B is correct.
http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders.
You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Further information:
http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx Assign a Conditional Forwarder for a Domain Name
http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders
Q9. An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume. What should you do?
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Option D is correct.
http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspx Move the Directory Database and Log Files to a Local Drive
You can use this procedure to move Active Directory database and log files to a local drive. When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.
On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location.
To move the directory database and log files to a local drive:
..
7. At the ntdsutil prompt, type files, and then press ENTER.
8. To move the database file, at the file maintenance: prompt, use the following commands:
....
Further information:
http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/ Moving Active Directory Database and Logs
Step 1: Start the server in Directory Services Restore Mode
Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller. To perform any file movement related activities using ntdsutil, we need to start the server in Directory Services Restore Mode.
To start the server in Directory Services Restore Mode, follow these steps:
Restart the computer.
After the BIOS information is displayed, press F8.
Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.
Log on with your local administrative account and password (not a domain administrative account).
Note: using Service Control (SC.exe) you can quickly verify whether the ntds service is running or stopped. In a command prompt, type SC query ntds
Step 2: How to Move Active Directory Database and Logs
You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server. To move the data file to another folder, follow these steps:
Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.
At the Ntdsutil command prompt, type files, and then press ENTER.
At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER. In this case, the new location for the database is C:\AD\Database.
Now, to move the logs, at the file maintenance command prompt, type move logs to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER. In our case, the new location for the logs is C:\AD\Logs.
To quit file maintenance, type quit. Again at Ntdsutil, type quit to close the prompt. Restart the computer. The AD database and logs are moved successfully to the new location.
Q10. Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll. You create a GPO. You need to track which employees access the Payroll files on the file servers. What should you do?
A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.
Option B is correct.
http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspx Audit Policy
Establishing an organizational computer system audit policy is an important facet of information security. Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows® records the events in the Security log, which you can find in Event Viewer...
Object access. Audit this to record when someone has used a file, folder, printer, or other object...
Process tracking. Audit this to record when events such as program activation or a process exiting occur...
When you implement Audit Policy settings:
..
If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.
Further information:
http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx Group Policy for Beginners
Group Policy Links
At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer. Instead of containing files and subfolders, however, they can contain computers, users, and other objects. For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU. What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO's settings to the computers and users in that container.