QUESTION 1
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008.
Only one Active Directory-integrated zone has been configured in the ABC.com domain. ABC.com
has requested that you configure the DNS zone to automatically remove DNS records that are
outdated.
What action should you consider?
A. You should consider running the netsh /Reset DNS command from the Command prompt.
B. You should consider enabling Scavenging in the DNS zone properties page.
C. You should consider reducing the TTL of the SOA record in the DNS zone properties page.
D. You should consider disabling updates in the DNS zone properties page.
Answer: B
Explanation: In this scenario you should enable scavenging through the zone properties because
scavenging automatically removes outdated DNS records from the DNS zone. Note that
patience is required when enabling scavenging, as there are some
safety valves built into scavenging which take a long time to pop.
Reference: https://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=211
Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com
QUESTION 2
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR15. You install the Active Directory
Lightweight Directory Services (AD LDS) on ABC-SR15.
Which of the following options can be used to create new Organizational Units (OUs) in
the application directory partition of the AD LDS?
A. You should run the net start command on ABC-SR15.
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
C. You should run the repadmin /dsaguid command on ABC-SR15.
D. You should open the Active Directory Users and Computers Console on ABC-SR15.
Answer: B
Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS
application directory partition. You also need to add the snap-in in the Microsoft Management
Console (MMC).
QUESTION 3
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two domain controllers, ABC-DC01 and ABC-DC02. ABC-DC01 suffers
a catastrophic failure, which is causing problems because it was configured to hold the Schema Master
Operations role. You log on to the ABC.com domain as a domain administrator but your attempts
to transfer the Schema Master Operations role to ABC-DC02 are unsuccessful.
What action should you take to transfer the Schema Master Operations role to ABC-DC02?
A. Your best option would be to have the dcpromo /adv command executed on ABC-DC02.
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
C. Your best option would be to have Schmmgmt.dll registered on ABC-DC02.
D. Your best option would be to add your user account to the Schema Administrators group.
Answer: B
Explanation: To ensure that ABC-DC02 holds the Schema Master role you need to seize the
Schema Master role on ABC-DC02. Seizing the schema master role is a drastic step that should
be considered only if the current operations master will never be available again. So to transfer the
schema master operations role, you have to seize it on ABC-DC02.
Reference: https://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3ccec9a773f7ffb1033.mspx?mfr=true
QUESTION 4
You work as the network administrator at ABC.com. The ABC.com network has a single forest.
The forest functional level is set at Windows Server 2008.
The ABC.com network has a Microsoft SQL Server 2005 database server named ABC-DB04 that
hosts the Active Directory Rights Management Service (AD RMS).
You try to access the Active Directory Rights Management Services administration website but
receive an error message stating:
“SQL Server does not exist or access is denied.”
How can you access the AD RMS administration website?
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on
ABC-DB04.
B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on ABC-DB04.
C. You need to reinstall the AD RMS instance on ABC-DB04.
D. You need to reinstall the SQL Server 2005 instance on ABC-DB04.
E. You need to run the DCPRO command on ABC-SR04.
Answer: A
Explanation: You need to restart the Internet Information Server (IIS) service to correct the problem.
Starting the MSSQLSVC service will allow you to access the database from the AD RMS
administration website.
QUESTION 5
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named
ABC.com. The ABC.com network has a Windows Server 2008 computer named ABC-SR03 that
functions as an Enterprise Root certificate authority (CA).
A new ABC.com security policy requires that revoked certificate information should be available for
examination at all times.
What action should you take to adhere to the new policy?
A. This can be accomplished by having a list of trusted certificate authorities published to the
ABC.com domain.
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder
implemented.
C. This can be accomplished by having the OCSP Response Signing certificate imported.
D. This can be accomplished by having the Startup Type of the Certificate Propagation service set
to Automatic.
E. This can be accomplished by having the computer account of ABC-SR03 added to the
PGCertificates group.
Answer: B
Explanation: You should use network load balancing and publish an OCSP responder. This
will ensure that the revoked certificate information is available at all times. You do not need to
download the entire CRL to check for revocation of a certificate; the OCSP is an online responder
that can receive a request to check for revocation of a certificate. This will also speed up certificate
revocation checking and reduce network bandwidth use tremendously.
QUESTION 6
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008.
You are responsible for managing two servers, ABC-SR01 and ABC-SR02. They are set up with
the following configuration:
ABC-SR01 running Enterprise Root certificate authority (CA)
ABC-SR02 running Online Responder role service
Which of the steps must you perform for configuring the Online Responder to be supported on
ABC-SR01?
A. You should enable the Dual Certificate List extension on ABC-SR01.
B. You should ensure that ABC-SR01 is a member of the CertPublishers group.
C. You should import the OCSP Response Signing certificate to ABC-SR01.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
E. You should run the CERTSRV command on ABC-SR01.
Answer: D
Explanation: In order to configure the online responder role service on ABC-SR01 you need to
configure the AIA extension. The authority information access extension will indicate how to
access CA information and services for the issuer of the certificate in which the extension appears.
Information and services may include on-line validation services and CA policy data. This
extension may be included in subject or CA certificates, and it MUST be non-critical.
QUESTION 7
You work as the network administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers
run Windows Vista.
The ABC.com network has a client computer named ABC-WS640 that was last used six months
ago. During the course of the day you attempt to log on to ABC-WS640 but you are unable to
authenticate during the logon process.
What action should you consider in order to log on to ABC-WS640?
A. You should consider opening the command prompt on ABC-WS640 and running the netsh set
machine command.
B. You should consider opening the command prompt on ABC-WS640 and running the repadmin
command.
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
D. You should consider deleting the computer account for ABC-WS640 in Active Directory Users
and Computers, and then recreate the computer account.
Answer: C
Explanation: In this scenario you should have the computer disjoined from the domain and
rejoined to the domain, with the computer account reset as well. Note that
the long inactivity caused the computer to stop responding to the authentication query
using the Active Directory records. Disjoining and rejoining, with the account
being reset, refreshes the computer account passwords.
QUESTION 8
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a
domain named ABC.com.
The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01 that
hosts the Directory Services Recovery Mode (DSRM) role.
What would be the best option to take to have the DSRM password reset?
A. The best option is to open the Active Directory Security for Computers snap-in.
B. The best option is to run the ntdsutil command.
C. The best option is to run the Netsh command.
D. The best option is to open the Domain Controller security snap-in.
Answer: B
Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use
Ntdsutil.exe to reset this password for the server on which you are working, or for another domain
controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm
password.
Reference: https://support.microsoft.com/kb/322672
QUESTION 9
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has two
offices Chicago and Dallas.
The network has the following setup.
Chicago Office – Domain Controller named ABC-DC01
Dallas Office – Read-Only Domain Controller named ABC-DC02
How can you make sure that Dallas Office users use only ABC-DC02 for authentication?
A. You should consider having ABC-DC02 configured as a bridgehead server in the Dallas office.
B. You should consider installing and configuring the Password Replication Policy on ABC-DC02.
C. You should consider having ABC-DC01 configured as a bridgehead server in the Chicago office.
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
E. You should consider having the Global Catalog installed on ABC-DC01.
Answer: B
Explanation: You should use the Password Replication Policy on the RODC. This will allow the
users at the Dallas office to log on to the domain through the RODC. RODCs don’t cache any user or
machine passwords.
QUESTION 10
You work as the network administrator at ABC.com. The ABC.com network has a domain named
intl.ABC.com. All servers on the ABC.com network run Windows Server 2008. The domain
controllers on the ABC.com domain are configured to function as DNS servers.
What action should you take to ensure that computers that are not part of the intl.ABC.com
domain are not able to dynamically register their DNS registration information in the intl.ABC.com zone?
A. You should consider removing the .(root) zone from the intl.ABC.com zone.
B. You should consider running the dnscmd /AgeAllRecords command.
C. You should consider configuring Secure Only dynamic updates.
D. You should consider configuring the intl.ABC.com zone as an Active Directory integrated zone.
Answer: C
Explanation: In order to ensure that only domain members are able to register their DNS records
dynamically you need to set the option Secure only for Dynamic updates. This will only allow the
domain members to register their DNS records dynamically.
Reference: www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx