Windows Server 2008 Active Directory, Configuring v41.0 (70-640)

Page:    1 / 43   
Total 634 questions

Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008.
All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned.
You need to remove the child domain from the Active Directory forest.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

  • A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.
  • B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.
  • C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role.
  • D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.


Answer : C,D

Explanation:
http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx
Decommissioning a Domain Controller
To complete this task, perform the following procedures:
1. View the current operations master role holders
2. Transfer the schema master
3. Transfer the domain naming master
4. Transfer the domain-level operations master roles
5. Determine whether a domain controller is a global catalog server
6. Verify DNS registration and functionality
7. Verify communication with other domain controllers
8. Verify the availability of the operations masters
9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key
10. Uninstall Active Directory
11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate
12. Determine whether a Server object has child objects
13. Delete a Server object from a site
http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx

Uninstall Active Directory -

To uninstall Active Directory -
1. Click Start, click Run, type dcpromo and then click OK.

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to configure the Active Directory environment to support the application of multiple password policies.
What should you do?

  • A. Raise the functional level of the domain to Windows Server 2008.
  • B. On one domain controller, run dcpromo /adv.
  • C. Create multiple Active Directory sites.
  • D. On all domain controllers, run dcpromo /adv.


Answer : A

Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server 2008 domains.
In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
Requirements and special considerations for fine-grained password and account lockout policies
Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.

Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.
What should you do?

  • A. Add your account to the Domain Admins group.
  • B. Upgrade your client computers to Windows 7.
  • C. Install .NET Framework 3.0 on your client computers.
  • D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.


Answer : B

Explanation:
http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx
Managing Group Policy ADMX Files Step-by-Step Guide
Microsoft Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools, Group Policy Object Editor and Group Policy Management Console, remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx
Questions on ADMX in Windows XP and Windows 2003 environments
We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was:
What's the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs? What I've done in test is created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine, and it seems to work just fine. Is this the right way to do it?
The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that's created. It's just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous, this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat.
In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn't copy itself into every policy object but relies on a central or local store of these templates (note that even in the newer tools you can still import custom ADM files for stuff like Office etc).
In the question above, the person wanted to know if the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and referenced by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before.
The things that we care about are the administrative tools and the client support for the policy functions. So of course it can.
Here's the confusion-reducing scoop: Group Policy as a platform only relies on two main factors. Active Directory to store met

Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS server role installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com.
You discover that the DNS forwarding option is unavailable on DC2.
You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Clear the DNS cache on DC2.
  • B. Configure conditional forwarding on DC2.
  • C. Configure the Listen On address on DC2.
  • D. Delete the Root zone on DC2.


Answer : B,D

Explanation:
Answer: Delete the Root zone on DC2.
Configure conditional forwarding on DC2.
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network. You can also configure your server to forward queries according to specific domain names using conditional forwarders.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/
Deleting .root dns zone in 2008 DNS
Q: We have 2 domain controllers and a .root zone is created in the DNS, due to which external name resolution is not possible. I had tried to add conditional forwarders but I get an error saying that conditional forwarders cannot be created on root DNS servers.
A 1: If you have a "root" zone created in your DNS, and you no longer want that configuration, you can just simply delete that zone. There is no reason to have a root "." zone hosted unless you want to make sure that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name resolution.
If you delete this zone, the DNS server will be able to use its root hints, or forwarders, to resolve queries for zones it's not authoritative for.
A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access while promoting the first DC. Just remove it, and the Forwarders option reappears.
Further information:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
http://technet.microsoft.com/en-us/library/cc731879%28v=ws.10%29.aspx

Reviewing DNS Concepts -

Delegation -
For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in the namespace. These paths are created by means of delegation. A delegation is a record in a parent zone that lists a name server that is authoritative for the zone in the next level of the hierarchy. Delegations make it possible for servers in one zone to refer clients to servers in other zones. The following illustration shows one example of delegation.
The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to a zone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root server that, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells the Com server that, to find the contoso.com zone, it must contact the Contoso server.
Note: A delegation uses two types of records. The name server (NS) resource record provides the name of an authoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6) addresses of an authoritative server.
This system of zones an

You are installing an application on a computer that runs Windows Server 2008 R2.
During installation, the application will need to install new attributes and classes to the
Active Directory database.
You need to ensure that you can install the application.
What should you do?

  • A. Change the functional level of the forest to Windows Server 2008 R2.
  • B. Log on by using an account that has Server Operator rights.
  • C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application.
  • D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the application.


Answer : C

Explanation:
http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx

Default groups -
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles.

Groups in the Builtin container -
The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group.


Groups in the Users container -
The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group.


Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?

  • A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
  • B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
  • C. Add the new UPN suffix to the forest.
  • D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.


Answer : C

Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add UPN Suffixes to a Forest

Adding a UPN Suffix to a Forest -
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.

APPLIES TO -
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations:
-> London
-> Chicago
-> New York
-> Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO to each Sales organizational unit.
  • B. Disable the slow link detection setting in the Group Policy Object (GPO).
  • C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).
  • D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link the GPO to each Sales organizational unit.


Answer : B,D

Explanation:
http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx
Specifying Group Policy for Slow Link Detection
Administrators can partially control which Group Policy extensions are processed over a slow link. By default, when processing over a slow link, not all components of Group Policy are processed.
Table 2.6 shows the default settings for processing Group Policy over slow links.
Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link.
http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx
Assigning and Publishing Software

Assigning software to computers -
After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on.
Further information:
http://technet.microsoft.com/en-us/library/cc978717.aspx
Group Policy slow link detection

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.
What tool should you use?

  • A. Active Directory Users and Computers snap-in
  • B. ntdsutil
  • C. Local Users and Groups snap-in
  • D. dsmod


Answer : B

Explanation:
http://technet.microsoft.com/en-us/library/cc753343%28v=ws.10%29.aspx

Ntdsutil -
Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.
Commands: set DSRM password - Resets the Directory Services Restore Mode (DSRM) administrator password.
Further information:
http://technet.microsoft.com/en-us/library/cc754363%28v=ws.10%29.aspx

Set DSRM password -
Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed under Syntax.
This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.
Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application.
You need to configure the domain controller as a Global Catalog server.
Which tool should you use?

  • A. The Server Manager console
  • B. The Active Directory Sites and Services console
  • C. The Dcpromo.exe utility
  • D. The Computer Management console
  • E. The Active Directory Domains and Trusts console


Answer : B

Explanation:
Answer: The Active Directory Sites and Services console
http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx
Configure a domain controller as a global catalog server
To configure a domain controller as a global catalog server
1. Open Active Directory Sites and Services.
Further information:
http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.
Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
Note: A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions.
The global catalog is built and updated automatically by the AD DS replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog.
In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the global catalog by replicating only the attributes that change.
In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any partial replica. A global catalog server in a single-

Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.
You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.
What should you do?

  • A. Create a new stub zone for the intranet.fabrikam.com domain.
  • B. Configure conditional forwarding for the intranet.fabrikam.com domain.
  • C. Create a standard secondary zone for the intranet.fabrikam.com domain.
  • D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.


Answer : B

Explanation:
Answer: Configure conditional forwarding for the intranet.fabrikam.com domain.
http://technet.microsoft.com/en-us/library/cc730756.aspx

Understanding Forwarders -
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders.
You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.


Conditional forwarders -
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Further information:
http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx
Assign a Conditional Forwarder for a Domain Name
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server1 to support the Online Responder.
What should you do?

  • A. Import the enterprise root CA certificate.
  • B. Configure the Certificate Revocation List Distribution Point extension.
  • C. Configure the Authority Information Access (AIA) extension.
  • D. Add the Server2 computer account to the CertPublishers group.


Answer : C

Explanation:
http://technet.microsoft.com/en-us/library/cc732526.aspx
Configure a CA to Support OCSP Responders
To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.
Configuring a certification authority (CA) to support OCSP responder services includes the following steps:
1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.
2. Configure enrollment permissions for any computers that will be hosting Online Responders.
3. If this is a Windows Server 2003-based CA, enable the OCSP extension in issued certificates.
4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.
5. Enable the OCSP Response Signing certificate template for the CA.

Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2.
The DNS servers are configured as shown in the following table.


Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites.
You need to enable Internet name resolution for all client computers.
What should you do?

  • A. Update the list of root hints servers on DNS2.
  • B. Create a copy of the .(root) zone on DNS1.
  • C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
  • D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.


Answer : C

Explanation:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

Your company has two Active Directory forests named contoso.com and fabrikam.com.
The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table.


All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?

  • A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
  • B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
  • C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
  • D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.


Answer : D

Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx

Understanding Forwarders -
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders.
You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.


Conditional forwarders -
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.
What should you do?

  • A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
  • B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
  • C. Enable the Audit account management policy in the Default Domain Controller Policy.
  • D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.


Answer : A

Explanation:
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx
AD DS Auditing Step-by-Step Guide
In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.
In Windows Server 2008, you implement the new auditing feature by using the following controls:
1. Global audit policy
2. System access control list (SACL)
3. Schema

Global audit policy -
Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default.
You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.
Further information:
http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx

Auditpol -
Displays information about and performs functions to manipulate audit policies.
http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/
AD Scenario: Auditing Directory Services
Auditing of Directory Services depends on several controls, these are:
1. Global Audit Poli

Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account."
You need to ensure that the user is able to log on to the domain.
What should you do?

  • A. Modify the properties of the user account to set the account to never expire.
  • B. Modify the properties of the user account to extend the Logon Hours setting.
  • C. Modify the default domain policy to decrease the account lockout duration.
  • D. Modify the properties of the user account to set the password to never expire.


Answer : A

Explanation:

Further information:
http://technet.microsoft.com/en-us/library/dd145547.aspx

User Properties - Account Tab -

Account expires -
Sets the account expiration policy for this user. You can select between the following options:
Use Never to specify that the selected account will never expire. This option is the default for new users.
Select End of and then select a date if you want to have the user's account expire on a specified date.
