
Microsoft 70-640 - NowFixedAnonymous

Number: 70-640
Passing Score: 700
Time Limit : 145 min
70-640 Exam
Windows Server 2008 Active Directory Configuring
Thanks To Everyone Who Contributed To This Prep Exam.

NowAnonymous [Reduced Questions from 468Q to 223Q]


^
Anon [Fixed Answers based on posts]
^
NowAnonymous [Exam K.50q / Exam L.15q]
^
Anon [.PDF pass4sure]
^
Andyfx
^
Maxbox
^
Cooper
^
Newton
- Study Hard - Don't Just Memorize, Try To Understand The Material. GOOD LUCK

Exam A
QUESTION 1
You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The
domain contains five domain controllers that run Windows Server 2008 R2. You need to monitor the
replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to determine
the size of the Active Directory database on Server1.
What should you do?
A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?
A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
Your network contains an Active Directory domain named contoso.com.
You have a management computer named Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.
All new domain controllers must be dynamically added to the subscription.
What should you do?
A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO)
linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO)
linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication
certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit
(OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication
certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit
(OU).
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Your network contains an Active Directory domain that has two sites. You need to identify whether logon
scripts are replicated to all domain controllers.
Which folder should you verify?
A. GroupPolicy
B. NTDS
C. SoftwareDistribution
D. SYSVOL

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
You install a standalone root certification authority (CA) on a server named Server1.
You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the
local computer's Trusted Root Certification Authorities store.
Which command should you run on Server1?
A. certreq.exe and specify the -accept parameter
B. certreq.exe and specify the -retrieve parameter
C. certutil.exe and specify the -dspublish parameter
D. certutil.exe and specify the -importcert parameter
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 7
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone
root certification authority (CA). On a server in the child domain, you run the Add Roles Wizard and discover
that the option to select an enterprise CA is disabled.
You need to install an enterprise subordinate CA on the server.
What should you use to log on to the new server?
A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
You have an enterprise subordinate certification authority (CA).
You have a group named Group1.
You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must
not be allowed to revoke certificates.
What should you do?
A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key
recovery agent certificates are issued.
The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.
What should you do?
A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent
certificates.

Correct Answer: B

Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware
security module. You need to back up Active Directory Certificate Services on the CA.
Which command should you run?
A. certutil.exe -backup
B. certutil.exe -backupdb
C. certutil.exe -backupkey
D. certutil.exe -store

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
You have Active Directory Certificate Services (AD CS) deployed.
You create a custom certificate template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based on the
custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. In a Group Policy object (GPO), configure the autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users
group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users
group.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
You have an enterprise subordinate certification authority (CA).
You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the Certificates console.
The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template
is available on the Web enrollment pages.
What should you do?
A. Run certutil.exe -pulse.
B. Run certutil.exe -installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
You have an enterprise subordinate certification authority (CA). You have a custom certificate template that
has a key length of 1,024 bits. The template is enabled for autoenrollment.
You increase the template key length to 2,048 bits.
You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new
template.
Which console should you use?
A. Active Directory Administrative Center
B. Certification Authority
C. Certificate Templates
D. Group Policy Management

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008
Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below:

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate
Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.

Correct Answer: D

Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation
of the Active Directory database on the domain controller. You must achieve this goal without affecting the
availability of the DHCP service. What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.
B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.
D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way
forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective
authentication. Contoso.com contains a server named Server1. Server1 contains a shared folder named
Marketing. Nwtraders.com contains a global group named G_Marketing. The Change share permission and
the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of
G_Marketing report that they cannot access the Marketing folder. You need to ensure that the G_Marketing
members can access the folder from the network. What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Your network contains an Active Directory forest. You need to add a new user principal name (UPN) suffix
to the forest. Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Users and Computers

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 18
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2.
Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and
Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must not
replicate other objects to the RODC. Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
Your network contains an Active Directory domain named contoso.com. The properties of the contoso.com
DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)

You need to update all service location (SRV) records for a domain controller in the domain. What should
you do?
A. Restart the Netlogon service.
B. Restart the DNS Client service.
C. Run sc.exe and specify the triggerinfo parameter.
D. Run ipconfig.exe and specify the /registerdns parameter.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 20
Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?
A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controller Policy, modify the account lockout settings.
C. From the properties of the user account, modify the Account options.
D. From the properties of the user account, modify the Session settings.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You have a
list that contains the mobile phone number of each user. You need to add the mobile number of each user
to Active Directory. What should you do?
A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all of the users, and then modify the properties of
the users.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Your network contains an Active Directory domain named contoso.com. All domain controllers and member
servers run Windows Server 2008. All client computers run Windows 7. From a client computer, you create
an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy
Group Policy object (GPO). You discover that the audit policy is not applied to the member servers. The
audit policy is applied to the client computers. You need to ensure that the audit policy is applied to all
member servers and all client computers. What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
Your network contains an Active Directory domain. The domain contains a group named Group1. The
minimum password length for the domain is set to six characters. You need to ensure that the passwords
for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that
are six characters long. What should you do first?
A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. From the Default Domain Policy, modify the password policy.
D. From the Default Domain Controller Policy, modify the password policy.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
Your company uses an application that stores data in an Active Directory Lightweight Directory Services
(AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as shown in the
exhibit. (Click the Exhibit button.)

You need to ensure that you can take a snapshot of Instance1. What should you do?
A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the Startup Type for the Instance1 service to Disabled.
D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a
member server that is configured to collect all of the events that occur on the domain controllers. You need
to ensure that administrators are notified when a specific event occurs on any of the domain controllers.
You want to achieve this goal by using the minimum amount of administrative effort. What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008
R2. You need to defragment the Active Directory database on DC1. The solution must minimize downtime
on DC1. What should you do first?
A. At the command prompt, run net stop ntds.
B. At the command prompt, run net stop netlogon.
C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Your network contains a single Active Directory domain named contoso.com. An administrator accidentally
deletes the _msdcs.contoso.com zone. You recreate the _msdcs.contoso.com zone. You need to ensure
that the _msdcs.contoso.com zone contains all of the required DNS records.
What should you do on each domain controller?
A. Restart the Netlogon service.
B. Restart the DNS Server service.
C. Run dcdiag.exe /fix.
D. Run ipconfig.exe /registerdns.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
QUESTION 28
Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain
controllers. You add multiple DNS records to the zone. You need to ensure that the records are replicated
to all DNS servers. Which tool should you use?
A. Dnslint
B. Ldp
C. Nslookup
D. Repadmin

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
eu.contoso.com. All domain controllers are DNS servers. The domain controllers in contoso.com host the
zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The
DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that all domain controllers in the forest host a writable copy of _msdcs.contoso.com.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdcs.contoso.com.
D. Create a secondary zone named _msdcs.contoso.com in eu.contoso.com.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
QUESTION 30
You need to compact an Active Directory database on a domain controller that runs Windows Server 2008
R2. What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three
servers. The servers are configured as shown in the following table.

You need to ensure that users can manually enroll and renew their certificates by using the Certificate
Enrollment Web Service. Which two actions should you perform? (Each correct answer presents part of the
solution. Choose two.)
A. Configure the policy module settings.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.
D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.

Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member
server that runs Windows Server 2008 Standard. You need to install an enterprise subordinate certification
authority (CA) that supports private key archival. You must achieve this goal by using the minimum amount
of administrative effort. What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services -
Certification Authority server role template check box.

Correct Answer: B

Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
You have an enterprise subordinate certification authority (CA). You have a custom Version 3
certificate template. Users can enroll for certificates based on the custom certificate template by using the
Certificates console. The certificate template is unavailable for Web enrollment. You need to ensure that the
certificate template is available on the Web enrollment pages. What should you do?
A. Run certutil.exe -pulse.
B. Run certutil.exe -installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Your network contains an Active Directory domain. The domain contains a member server named Server1
that runs Windows Server 2008 R2. You need to configure Server1 as a global catalog server. What should
you do?
A. Modify the Active Directory schema.
B. From Ntdsutil, use the Roles option.
C. Run the Active Directory Domain Services Installation Wizard on Server1.
D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest
contains three domains.
A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2
and Forest3.
You need to configure the forests to meet the following requirements:
Users in Forest3 must be able to access resources in Forest1
Users in Forest1 must be able to access resources in Forest3.
The number of trusts must be minimized.
What should you do?
A. In Forest2, modify the name suffix routing settings.
B. In Forest1 and Forest3, configure selective authentication.
C. In Forest1 and Forest3, modify the name suffix routing settings.
D. Create a two-way forest trust between Forest1 and Forest3.
E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.


Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003. You
replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the
functional level of the domain to Windows Server 2008 R2. You need to minimize the amount of SYSVOL
replication traffic on the network. What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run
dfsrmig.exe.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
Your network contains an Active Directory forest. The forest contains two domain controllers. The domain
controllers are configured as shown in the following table.

All client computers run Windows 7. You need to ensure that all client computers in the domain keep the
same time as an external time server. What should you do?
A. From DC1, run the time command.
B. From DC2, run the time command.
C. From DC1, run the w32tm.exe command.
D. From DC2, run the w32tm.exe command.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain
controllers. The domain controllers are configured as shown in the following table.

All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range. You need to minimize the
number of client authentication requests sent to DC2. What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign
the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign
the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign
the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign
the subnet to Site1. Move DC2 to Site1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
Active Directory Rights Management Services (AD RMS) is deployed on your network. You need to
configure AD RMS to use Kerberos authentication. Which two actions should you perform? (Each correct
answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS)

Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote
office. The remote site contains a read-only domain controller (RODC). You need to configure the RODC to
store only the passwords of users in the remote site. What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password
Replication Group.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 41
Your company has four offices. The network contains a single Active Directory domain. Each office has a
domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users
in that office. In each office, support technicians perform basic troubleshooting for the users in their
respective office. You need to ensure that the support technicians can reset the passwords for the user
accounts in their respective office only. The solution must prevent the technicians from creating user
accounts. What should you do?
A. For each OU, run the Delegation of Control Wizard.
B. For the domain, run the Delegation of Control Wizard.
C. For each office, create an Active Directory group, and then modify the security settings for each group.
D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for
each group.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
Your network contains a single Active Directory domain. Client computers run either Windows XP
Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an
organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1.
You need to ensure that GPO10 is applied only to client computers that run Windows 7.
What should you do?
A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
Your network contains an Active Directory domain named contoso.com.
You need to audit changes to a service account. The solution must ensure that the audit logs contain the
before and after values of all the changes.
Which security policy setting should you configure?
A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
D. Audit Other Account Management Events

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
QUESTION 44
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active
Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users
from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. What
should you do?
A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Create an external trust from contoso.com to nwtraders.com.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured
as an Active Directory Federation Services (AD FS) 2.0 standalone server.
You plan to add a new token-signing certificate to Server1.
You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.
You need to ensure that you can use the new certificate for AD FS. What should you do?
A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
You need to purge the list of user accounts that were authenticated on a read-only domain controller
(RODC). What should you do?
A. Run the repadmin.exe command and specify the /prp parameter.
B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
C. From Active Directory Users and Computers, modify the properties of the RODC computer object.
D. Run the dsrm.exe command and specify the -u parameter.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
Your company has a main office and four branch offices.
An Active Directory site exists for each office. Each site contains one domain controller. Each branch office
site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain controller
in the main office.
What should you do?
A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
Your network contains an Active Directory forest. The forest contains one domain. The domain
contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2.
DC1 was installed before DC2.
DC1 fails.
You need to ensure that you can add 1,000 new user accounts to the domain.
What should you do?

A. Modify the permissions of the DC2 computer account.
B. Seize the schema master FSMO role.
C. Configure DC2 as a global catalog server.
D. Seize the RID master FSMO role.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 49
Your network contains an Active Directory domain named contoso.com. You need to identify whether the
Active Directory Recycle Bin is enabled. What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
Your network contains an Active Directory domain.
You create and mount an Active Directory snapshot.
You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do?
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:

Exam B
QUESTION 1
Your network contains an Active Directory domain.
You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy
links for the domain.
What should you do?
A. From Group Policy Management Console (GPMC), back up the GPOs.
B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Backup-GPO cmdlet.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the
Directory Services Restore Mode (DSRM) password on the domain controller. Which tool should you use?
A. Ntdsutil
B. Dsamain
C. Active Directory Users and Computers
D. Local Users and Groups

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Your network contains an Active Directory forest. All client computers run Windows 7.
The network contains a high-volume enterprise certification authority (CA).
You need to minimize the amount of network bandwidth required to validate a certificate.
What should you do?
A. Configure an LDAP publishing point for the certificate revocation list (CRL).
B. Configure an Online Certification Status Protocol (OCSP) responder.
C. Modify the settings of the delta certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
Your network contains an Active Directory domain. You have five organizational units (OUs) named
Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as
shown in the exhibit. (Click the Exhibit button.)

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The
solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?
A. Enforce GPO1.
B. Modify the security settings of the Dev OU.
C. Link GPO1 to the Finance OU.
D. Modify the security settings of the Finance OU.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named
OU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed service
accounts from being deleted accidentally from OU1. Which cmdlet should you use?
A. Set-ADUser
B. Set-ADOrganizationalUnit
C. Set-ADServiceAccount
D. Set-ADObject

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 6
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable
domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain
controllers run Windows Server 2008 R2. You need to install a new writable domain controller named DC3
in a remote site. The solution must minimize the amount of replication traffic that occurs during the
installation of Active Directory Domain Services (AD DS) on DC3. What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers
are configured as global catalog servers.
You remove the global catalog role from a domain controller named DC5.
You need to reclaim the hard disk space used by the global catalog on DC5.
What should you do?
A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).
B. From Active Directory Sites and Services, modify the general properties of DC5.
C. From Ntdsutil, use the Semantic database analysis option.
D. From Ntdsutil, use the Files option.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are
domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Ldp
B. Repadmin
C. Ntdsutil
D. Nslookup
E. Active Directory Sites And Services console
F. Active Directory Domains And Trusts console
G. Dnslint
H. Dnscmd
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Repadmin /syncall
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx
QUESTION 9
You have a DNS zone that is stored in a custom application partition. You need to add a domain controller
to the replication scope of the custom application partition. Which tool should you use?
A. DNScmd
B. DNS Manager
C. Server Manager
D. Dsmod

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has
the Active Directory Certificate Services (AD CS) role installed. You configure a certificate template named
Template1 for autoenrollment. You discover that certificates are not being issued to any client computers.
The event logs on the client computers do not contain any autoenrollment errors. You need to ensure that
all of the client computers automatically receive certificates based on Template1. What should you do?
A. Modify the Default Domain Policy Group Policy object (GPO).
B. Modify the Default Domain Controllers Policy Group Policy object (GPO).
C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.
D. Restart Certificate Services on Server1.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role
installed.
You need to perform an automated installation of an AD LDS instance.
Which tool should you use?
A. Dism.exe
B. Servermanagercmd.exe
C. Adaminstall.exe
D. Ocsetup.exe

Correct Answer: C

Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Your network contains an Active Directory domain named contoso.com. A partner company has an Active
Directory domain named nwtraders.com.
The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.
You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on
the Internet.
What should you do first?
A. Modify the Trusted Root Certification Authorities store.
B. Modify the Intermediate Certification Authorities store.
C. Create conditional forwarders.
D. Add a root hint to the DNS server.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Your network contains an Active Directory forest. The forest contains multiple domains.
You need to ensure that users in the human resources department can search for employees by using the
employeeNumber attribute.
What should you do?
A. From Active Directory Sites and Services, modify the properties of each global catalog server.
B. From the Active Directory Schema snap-in, modify the properties of the user object class.
C. From Active Directory Sites and Services, modify the NTDS Settings object of each global catalog
server.
D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Your network contains a single Active Directory domain. The domain contains an enterprise certification
authority (CA).
You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database.
You modify the e-mail certificate template to support key archival.
What should you do next?
A. Issue the key recovery agent certificate template.
B. Run certutil.exe -recoverkey.
C. Run certreq.exe -policy.
D. Modify the location of the Authority Information Access (AIA) distribution point.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that the
zone includes DNS records for computers that were removed from the network. You need to ensure that
the DNS records are deleted automatically from the zone. What should you do?
A. From DNS Manager, set the aging properties.
B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.
C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.
D. Create a scheduled task that runs ipconfig.exe /flushdns.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Your network contains a domain controller that runs Windows Server 2008 R2.
You run the following command on the domain controller:
dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess
The command fails. You need to ensure that the command completes successfully.
How should you modify the command?
A. Change the value of the -dbpath parameter.
B. Include the path to Dsamain.
C. Change the value of the -ldapport parameter.
D. Remove the -allowNonAdminAccess parameter.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Your network contains an Active Directory domain. The domain contains 10 domain controllers that run
Windows Server 2008 R2.
You need to monitor the following information on the domain controllers during the next five days:
Memory usage
Processor usage
The number of LDAP queries

What should you do?


A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.
B. Use the System Performance Data Collector Set (DCS).
C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.
D. Use the Active Directory Diagnostics Data Collector Set (DCS).

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named
RODC1.
You need to view the most recent user accounts authenticated by RODC1.
What should you do first?
A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click
Replicate Now.
B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click
Replicate Now.
C. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller,
and then connect to DC1.
D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller,
and then connect to RODC1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
Your network contains an Active Directory domain. The domain contains 3,000 client computers.
All of the client computers run Windows 7.
Users log on to their client computers by using standard user accounts.
You plan to deploy a new application named App1.
The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to
run.
You need to deploy App1 to all client computers. The solution must meet the following requirements:
- App1 must automatically detect and replace corrupt application files.
- App1 must be available from the Start menu on each client computer.
What should you do first?
A. Create a logon script that calls Setup.exe for App1.
B. Create a .zap file.
C. Create a startup script that calls Setup.exe for App1.
D. Repackage App1 as a Windows Installer package.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1.
In Site1, you install a new domain controller named DC2. You ship DC2 to Site2.
You discover that certain users in Site2 authenticate to DC1.
You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.
What should you do?
A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.
B. From Active Directory Sites and Services, modify the Location attribute for Site2.
C. From Active Directory Sites and Services, move the DC2 server object.
D. From Active Directory Users and Computers, move the DC2 computer object.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in
the exhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA),
you discover that the enterprise subordinate CA option is unavailable.
You need to configure Server2 as an enterprise subordinate CA.
What should you do first?
A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log in as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Your network contains an Active Directory domain. The domain contains an enterprise certification authority
(CA).
You need to ensure that only members of a group named Admin1 can create certificate templates.
Which tool should you use to assign permissions to Admin1?
A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the
properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that only domain members can register DNS records in the zone. What should you do
first?
A. Modify the zone type.
B. Create a trust anchor.
C. Modify the Advanced properties of the DNS server.
D. Modify the Dynamic updates setting.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
Your company has a single Active Directory forest with a single domain. Consultants in different
departments of the company require access to different network resources. The consultants belong to a
global group named TempWorkers. Three file servers are placed in a new
organizational unit named SecureServers. The file servers contain confidential data in shared folders. You
need to prevent the consultants from accessing the confidential data.
What should you do?
A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the
Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this
computer from the network user right to the TempWorkers global group.
C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control
permission for the TempWorkers global group on the share.
D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user
right to the TempWorkers global group.
E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the
Deny log on locally user right to the TempWorkers global group.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional
level of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains
two domains. You need to ensure that users in contoso.com can access the resources in all domains. The
solution must require the minimum number of trusts.
Which type of trust should you create?
A. external
B. forest
C. realm
D. shortcut

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
You install an Active Directory domain in a test environment.
You need to reset the passwords of all the user accounts in the domain from a domain controller.
Which two Windows PowerShell commands should you run? (Each correct answer presents part of the
solution, choose two.)
A. $newPassword = *
B. Import-Module ActiveDirectory
C. Import-Module WebAdministration
D. Get-ADUser -Filter * | Set-ADAccountPassword -NewPassword $newPassword -Reset
E. Set-ADAccountPassword -NewPassword -Reset
F. $newPassword = (Read-Host -Prompt "New Password" -AsSecureString)
G. Import-Module ServerManager

Correct Answer: DF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the
domains is Windows Server 2003. The functional level of both forests is Windows 2000.
You need to create a forest trust between adatum.com and litwareinc.com.
What should you do first?
A. Create an external trust.
B. Raise the functional level of both forests.
C. Configure SID filtering.
D. Raise the functional level of all the domains.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
Your network contains an Active Directory forest named adatum.com.
All client computers used by the marketing department are in an organizational unit (OU) named Marketing
Computers. All user accounts for the marketing department are in an OU named Marketing Users.
You purchase a new application.
You need to ensure that every user in the domain who logs on to a marketing department computer can use
the application. The application must only be available from the marketing department computers.
What should you do?
A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package
to a shared folder on the network. Assign the application.
B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation
package to a shared folder on the network. Assign the application.
C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation
package to a local drive on each marketing department computer. Publish the application.
D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package
to a folder on each marketing department computer. Publish the application.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
Your network contains an Active Directory forest named adatum.com.
You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you install before you create the AD RMS root cluster?
A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains
a domain controller named DC1.
You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record
named Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping
server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
Which command should you run?
A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
B. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forest
C. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1
D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
Your network contains an Active Directory domain named contoso.com.
The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.
RODC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site.
You discover that the user's password is not stored on RODC1.
You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site
computer.
What should you do?
A. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password
Replication Group.
B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of
allowed users, groups, and computers.
C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named
Server1.
You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD
FS.
Which protocol should you allow on Server1?
A. Kerberos
B. SSL
C. SMB
D. RPC

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member
server that runs Windows Server 2008 R2 Standard.
You need to create an enterprise subordinate certification authority (CA) that can issue certificates based
on version 3 certificate templates.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Run the certutil.exe -addenrollmentserver command.
B. Install the Active Directory Certificate Services (AD CS) role on the member server.
C. Upgrade the member server to Windows Server 2008 R2 Enterprise.
D. Run the certutil.exe -installdefaulttemplates command.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Your network contains a server named Server1. The Active Directory Rights Management Services (AD
RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS. You need to update
AD RMS to use the new password.
Which console should you use?

A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Local Users and Groups
D. Services

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN
link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office.
DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a
standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that a
WAN link fails.
What should you do?
A. Create a new secondary zone named ad.contoso.com on DC2.
B. Create a new stub zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted
File System (EFS) certificates.
You need to archive the private key for all new EFS certificates.
Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Group Policy Management
D. Enterprise PKI
E. Security Templates
F. TPM Management
G. Certificates
H. Certification Authority
I. Certificate Templates

Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc730721
QUESTION 37
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You need to ensure that all of the members of a group named Group1 can view the event log entries for
Certificate Services.
Which snap-in should you use?
A. Certificate Templates
B. Certification Authority
C. Authorization Manager
D. Active Directory Users and Computers
E. TPM Management
F. Security Templates
G. Group Policy Management
H. Enterprise PKI
I. Certificates

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate
template.
Which snap-in should you use?
A. Enterprise PKI
B. TPM Management
C. Certificates
D. Active Directory Users and Computers
E. Authorization Manager
F. Certification Authority
G. Group Policy Management
H. Security Templates
I. Certificate Templates

Correct Answer: I
Section: (none)
Explanation
Explanation/Reference:

QUESTION 39
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You have a custom certificate template named Template1. Template1 is published to the CA.
You need to ensure that all of the members of a group named Group1 can enroll for certificates that use
Template1.
Which snap-in should you use?
A. Security Templates
B. Enterprise PKI
C. Certification Authority
D. Certificate Templates
E. Certificates
F. TPM Management
G. Authorization Manager
H. Group Policy Management
I. Active Directory Users and Computers

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You need to approve a pending certificate request.
Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Certification Authority
D. Group Policy Management
E. Certificate Templates
F. TPM Management
G. Certificates
H. Enterprise PKI
I. Security Templates

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

Exam C
QUESTION 1
Your network contains an Active Directory domain named adatum.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
A. Reverse Lookup Zones
B. adatum.com
C. Forward Lookup Zones
D. Conditional Forwarders
E. _msdcs.adatum.com

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Your network contains an Active Directory domain named adatum.com. The domain contains a domain
controller named DC1. DC1 has an IP address of 192.168.200.100.
You need to identify the zone that contains the Pointer (PTR) record for DC1.
Which zone should you identify?
A. adatum.com
B. _msdcs.adatum.com
C. 100.168.192.in-addr.arpa
D. 200.168.192.in-addr.arpa

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Your network contains an Active Directory forest named adatum.com.
The DNS infrastructure fails.
You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
A. Netlogon
B. DNS Server
C. Network Location Awareness
D. Network Store Interface Service
E. Online Responder Service

Correct Answer: A

Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
Your network contains an Active Directory domain named adatum.com.
The password policy of the domain requires that the passwords for all user accounts be changed every 50
days.
You need to create several user accounts that will be used by services. The passwords for these accounts
must be changed automatically every 50 days.
Which tool should you use to create the accounts?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory Module for Windows PowerShell
D. ADSI Edit
E. Active Directory Domains and Trusts

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Your network contains an Active Directory domain. The domain contains several domain controllers. You
need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?
A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows
Server 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the
domain is Windows Server 2008.
From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).
What should you do first?
A. Raise the functional level of the forest.
B. Modify the tombstone lifetime of the forest.
C. Restore the system state.
D. Raise the functional level of the domain.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
woodgrovebank.com.
You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is included in the global catalog.
What should you do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema
object.
B. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User
objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in
the forest.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active
Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances
named Instance1 and Instance2.
You need to remove Instance2 from Server1 without affecting Instance1.
Which tool should you use?
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to compact the Active Directory database.

What should you do?


A. Run the Get-ADForest cmdlet.
B. Configure subscriptions from Event Viewer.
C. Run the eventcreate.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the repadmin.exe command.
G. Run the ntdsutil.exe command.
H. Run the dsquery.exe command.
I. Run the dsamain.exe command.
J. Create custom views from Event Viewer.

Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to collect all of the Directory Services events from all of the domain controllers and store the
events in a single central computer.
What should you do?
A. Run the ntdsutil.exe command.
B. Run the repadmin.exe command.
C. Run the Get-ADForest cmdlet.
D. Run the dsamain.exe command.
E. Create custom views from Event Viewer.
F. Run the dsquery.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Configure subscriptions from Event Viewer.
I. Run the eventcreate.exe command.
J. Create a Data Collector Set (DCS).

Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per second.
What should you do?
A. Create custom views from Event Viewer.
B. Run the Get-ADForest cmdlet.
C. Run the ntdsutil.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the dsamain.exe command.
G. Run the dsquery.exe command.
H. Run the repadmin.exe command.
I. Configure subscriptions from Event Viewer.
J. Run the eventcreate.exe command.

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to create a snapshot of Active Directory.
What should you do?
A. Run the dsquery.exe command.
B. Run the dsamain.exe command.
C. Create custom views from Event Viewer.
D. Configure subscriptions from Event Viewer.
E. Create a Data Collector Set (DCS).
F. Configure the Active Directory Diagnostics Data Collector Set (DCS).
G. Run the repadmin.exe command.
H. Run the ntdsutil.exe command.
I. Run the Get-ADForest cmdlet.
J. Run the eventcreate.exe command.

Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.
What should you do?
A. Run the dsamain.exe command.
B. Create custom views from Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure subscriptions from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the repadmin.exe command.
J. Run the dsquery.exe command.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Exam D
QUESTION 1
Your network contains an Active Directory forest named adatum.com.
The forest contains four child domains named europe.adatum.com, northamerica.adatum.com,
asia.adatum.com, and africa.adatum.com.
You need to create four new groups in the forest root domain. The groups must be configured as shown in
the following table.

What should you do?


To answer, drag the appropriate group type to the correct group name in the answer area.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Your network contains an Active Directory domain named adatum.com.
You need to use Group Policies to deploy the line-of-business applications shown in the following table.

What should you do?


To answer, drag the appropriate deployment method to the correct application in the answer area.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
You can use Group Policy to distribute computer programs by using the following methods:
Assigning Software
You can assign a program distribution to users or computers. If you assign the program to a user, it is
installed when the user logs on to the computer. When the user first runs the program, the installation is
finalized. If you assign the program to a computer, it is installed when the computer starts, and it is available
to all users who log on to the computer. When a user first runs the program, the installation is finalized.
Publishing Software
You can publish a program distribution to users. When the user logs on to the computer, the published
program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.
QUESTION 3
Your network contains an Active Directory forest.

The DNS infrastructure fails.


You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
To answer, select the appropriate service in the answer area.
Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
The Netlogon service would be involved with this.
QUESTION 4
Your network contains an Active Directory forest named contoso.com.
The password policy of the forest requires that the passwords for all of the user accounts be changed every
30 days.
You need to create user accounts that will be used by services. The passwords for these accounts must be
changed automatically every 30 days.
Which tool should you use to create these accounts?
To answer, select the appropriate tool in the answer area.
Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Creating a Managed Service Account
Applies To: Windows Server 2008 R2
This topic explains how to use the Active Directory module for Windows PowerShell to create a managed
service account. Managed service accounts are used to run various services for applications that are
operating in your domain environment.
Example 1
The following example demonstrates how to create a service account, SQL-SRV1, in the container
Managed Service Accounts in the Fabrikam.com domain:
New-ADServiceAccount -Name SQL-SRV1 -Path "CN=Managed Service Accounts,DC=FABRIKAM,DC=COM"
QUESTION 5
Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7
Enterprise.
You need to automatically create a local group named PowerManagers on each client computer that
contains a battery.
The solution must minimize the amount of administrative effort.
Which node in Group Policy Management Editor should you use?
To answer, select the appropriate node in the answer area.
Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Would be a GPO applied to a computer.

Control Panel Settings under Preferences.


Select

QUESTION 6
Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named Server1. Server1 has an IP address of 192.168.200.100.
You need to view the Pointer (PTR) record for Server1.
Which zone should you open in the DNS snap-in to view the record?
To answer, select the appropriate zone in the answer area.
Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
The corresponding in-addr.arpa zone would be 200.168.192, assuming a default subnet of /24.
QUESTION 7
Your network contains an Active Directory domain.
You need to create a new site link between two sites named Site1 and Site3. The site link must support the
replication of domain objects.
Under which node in Active Directory Sites and Services should you create the site link?

To answer, select the appropriate node in the answer area.


Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
To create a site link
1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click
Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, right-click the intersite transport protocol that you want the site link to use.
Where? Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP
3. Click New Site Link.
4. In Name, type the name for the site link.
5. In Sites not in this site link, click a site to add to the site link, and then click Add. Repeat to add more
sites to the site link. To remove a site from the site link, in Sites in this link, click the site, and then click
Remove.
6. When you have added the sites that you want to be connected by this site link, click OK.
QUESTION 8
Your company has a main office and a branch office. All servers are located in the main office. The network
contains an Active Directory forest named adatum.com. The forest contains a domain controller named
MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs
Windows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs
Windows 7. Public_Computer is not connected to the network. You need to join Public_Computer to the
adatum.com domain.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and
arrange them in the correct order.
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
Your network contains two forests named contoso.com and fabrikam.com. The functional level of all the
domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create
a trust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com
can only access the servers in fabrikam.com that have the Allowed to Authenticate permission set.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and
arrange them in the correct order.
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Your network contains an Active Directory forest named contoso.com. You need to create an Active
Directory Rights Management Services (AD RMS) licensing-only cluster.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and
arrange them in the correct order.
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Your network contains an Active Directory forest named contoso.com. The forest contains a domain
controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1
that runs Windows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows
7. Computer1 is not connected to the network. You need to join Computer1 to the contoso.com domain.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and
arrange them in the correct order.
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
You need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?
To answer, select the appropriate tool in the answer area.
Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Your network contains an Active Directory domain named contoso.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
To answer, select the appropriate node in the answer area.
Point and Shoot:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest
operations master roles. DC1 fails. You need to rebuild DC1 by reinstalling the operating system. You also
need to rollback all operations master roles to their original state. You perform a metadata cleanup and
remove all references of DC1.
Which three actions should you perform next?
(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.)
Build List and Reorder:

Correct Answer:

Section: (none)

Explanation
Explanation/Reference:
QUESTION 15
A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory
Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on
the C: drive. You need to relocate the LDS1 instance to the D: drive. Which three actions should you
perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer
area and arrange them in the correct order.)
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
You need to perform an offline defragmentation of an Active Directory database. Which four actions should
you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the
answer area and arrange them in the correct order.)
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Your company has an Active Directory forest that contains multiple domain controllers. The domain
controllers run Windows Server 2008. You need to perform an authoritative restore of a deleted
organizational unit and its child objects. Which four actions should you perform in sequence? (To answer,
move the appropriate four actions from the list of actions to the answer area, and arrange them in the
correct order.)
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A
new administrator accidentally deletes the entire organizational unit in the Active Directory database that
hosts 6000 objects. You have backed up the system state data using third-party backup software. To
restore the backup, you start the domain controller in the Directory Services Restore Mode (DSRM). You need
to perform an authoritative restore of the organizational unit and restore the domain controller to its original
state. Which three actions should you perform?
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Exam E
QUESTION 1
Your network contains an Active Directory domain named contoso.com. The domain contains a server
named Server1 and a domain controller named DC1.
On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription
is configured to collect all events.
After several days, you discover that Server1 failed to collect any events from DC1, although there are more
than 100 new events in the Application log of DC1.
You need to ensure that Server1 collects events from DC1.
What should you do?
A. On Server1, run wecutil quick-config.
B. On Server1, run winrm quickconfig.
C. On DC1, run wecutil quick-config.
D. On DC1, run winrm quickconfig.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc748890
QUESTION 2
A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured as
shown in the following table.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is
Windows Server 2003.
Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M.
every day.
At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001.
You need to restore the deleted user account. You must achieve this goal by using the minimum
administrative effort.
What should you do?
A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.
B. On DC001, run the Restore-ADObject cmdlet.
C. On DC006, run the Restore-ADObject cmdlet.
D. On DC001, stop AD DS, restore the system state, and then start AD DS.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc755296(v=ws.10).aspx

QUESTION 3
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

You have a Group Policy Object (GPO) linked to the domain.


You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts
in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of
administrative effort.
What should you do?
A. Modify the Group Policy permissions.
B. Configure WMI filtering.
C. Enable block inheritance.
D. Enable loopback processing in replace mode.
E. Configure the link order.
F. Configure Group Policy Preferences.
G. Link the GPO to the Human Resources OU.
H. Configure Restricted Groups.
I. Enable loopback processing in merge mode.
J. Link the GPO to the Finance OU.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc731076.aspx
QUESTION 4
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the
Sales OU and contain multiple settings.

You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied,
the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure
that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Configure Restricted Groups.
B. Configure the link order.
C. Link the GPO to the Sales OU.
D. Link the GPO to the Engineer OU.
E. Enable loopback processing in merge mode.
F. Modify the Group Policy permissions.
G. Configure WMI filtering.
H. Configure Group Policy Permissions.
I. Enable loopback processing in replace mode.
J. Enable block inheritance.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc757050(v=ws.10).aspx#BKMK_change
QUESTION 5
All vendors belong to a global group named vendors.
You place three file servers in a new organizational unit (OU) named ConfidentialFileServers. The three file
servers contain confidential data located in shared folders.
You need to record any failed attempts made by the vendors to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU.
Configure the Audit object access failure audit policy setting.
B. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU.
Configure the Audit privilege use Failure audit policy setting.
C. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab.
Configure Failed Full control setting in the AuditingEntry dialog box.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure
Failed Full control setting in the AuditingEntry dialog box.
E. Create a new Group Policy Object (GPO) and link it to the CONFIDENTIALFILESERVERS OU.
Configure the Deny access to this computer from the network user rights setting for the Vendors
global group.
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs:
HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer
accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a
security group named HR Employees. All HR department computers belong to a security group named HR
PCs.
Company policy requires that passwords are a minimum of 6 characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords
are required to have at least 8 characters. The password length requirement should not change for
employees of any other department.
What should you do?
A. Modify the password policy in the GPO that is applied to the domain.
B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.
C. Create a fine-grained password policy and apply it to the HR Users OU.
D. Modify the password policy in the GPO that is applied to the domain controllers OU.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user
accounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an
OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is
audited.
What should you do first?
A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the
Employees OU.
B. Modify the searchFlags property for the Name attribute in the Schema.
C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the
Admins OU.
D. Use the Auditpol.exe command-line tool to enable the directoryservicechanges auditing subcategory.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
Your network contains an Active Directory forest named contoso.com.
You need to provide a user named User1 with the ability to create and manage subnet objects. The solution
must minimize the number of permissions assigned to User1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control wizard.
B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.
C. From Active Directory Sites and Services, run the Delegation of Control wizard.
D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
A corporate network contains a Windows Server 2008 R2 Active Directory forest.
You need to add a User Principal Name (UPN) suffix to the forest.
What tool should you use?
A. Dsmgmt.
B. Active Directory Domains and Trusts console.
C. Active Directory Users and Computers console.
D. Active Directory Sites and Services console.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has
two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.
DC3 fails.
You discover that replication no longer occurs between the sites.
You verify the connectivity between DC4 and the domain controllers in Site1.
On DC4, you run repadmin.exe /kcc.
Replication between the sites continues to fail.
You need to ensure that Active Directory data replicates between the sites.
What should you do?
A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.
B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead server.
C. From Active Directory Users and Computers, configure the NTDS settings of DC4.
D. From Active Directory Users and Computers, configure the location settings of DC4.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Your network contains an Active Directory domain named contoso.com.
All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service
Pack 1 (SP1). The functional level of the domain is Windows Server 2003.

You need to configure SYSVOL to use DFS Replication.


Which tools should you use? (Each correct answer presents part of the solution. Choose two.)
A. Dfsrmig
B. Frsdiag
C. Ntdsutil
D. Set-ADForest
E. Repadmin
F. Set-ADDomainMode
G. DFS Management

Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
You manage an Active Directory forest named contoso.com.
The forest contains an empty root domain named contoso.com and a child domain named
child.contoso.com. All domain controllers run Windows Server 2008. The functional level of the forest is Windows Server
2008.
You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal
by using the minimum amount of administrative effort.
What should you do?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to run adprep /domainprep and the operation fails.
You discover that the first domain controller deployed to the forest failed.
You need to run adprep /domainprep successfully.
What should you do?
A. Move the domain naming master role.
B. Install a read-only domain controller (RODC).
C. Move the PDC emulator role.
D. Move the RID master role.
E. Move the infrastructure master role.
F. Deploy an additional global catalog server.
G. Move the bridgehead server.
H. Move the schema master role.
I. Restart the Active Directory Domain Services (AD DS) service.
J. Move the global catalog server.

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of client computers: "The time provider NtpClient was
unable to find a domain controller to use as a time source. NtpClient will try again in %1 minutes."
You need to ensure that the client computers can synchronize their clocks properly.
What should you do?
A. Move the domain naming master role.
B. Restart Active Directory Domain Services (AD DS) service.
C. Move the PDC emulator role.
D. Move the infrastructure master role.
E. Move the global catalog server.
F. Move the RID master role.
G. Move the bridgehead server.
H. Move the schema master role.
I. Deploy an additional global catalog server.
J. Install a read-only domain controller (RODC).

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is
Windows Server 2008 R2.
The DNS zone for contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named RODC1.
You install the DNS Server server role on RODC1.
You discover that RODC1 does not have any application directory partitions.
You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.
What should you do?
A. From DNS Manager, create secondary zones.
B. Run Dnscmd.exe, and specify the /enlistdirectorypartition parameter.
C. From DNS Manager, right-click RODC1 and click Update Server Data Files.
D. Run Dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?
A. Credential Manager
B. Group Policy Management Editor
C. Active Directory Users and Computers
D. Active Directory Sites and Services

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 17
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all other users.
Which tool should you use?
A. Group Policy Management Editor
B. Group Policy Management Console (GPMC)
C. Authorization Manager
D. Ldifde

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest
contains one domain. A two-way forest trust exists between the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the shared
folders in contoso.com.
To which group should you add the users?
A. Group 1: Security Group - Domain Local.
B. Group 2: Distribution Group - Domain Local.
C. Group 3: Security Group - Global.
D. Group 4: Distribution Group - Global.
E. Group 5: Security Group - Universal.
F. Group 6: Distribution Group - Universal.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
I think A is wrong here. You would need to use Universal groups to assign users across forests.
Domain local groups: Groups that are used to grant permissions within a single domain. Members of
domain local groups can include only accounts (both user and computer accounts) and groups from the
domain in which they are defined.
Global groups: Groups that are used to grant permissions to objects in any domain in the domain tree or
forest. Members of global groups can include only accounts and groups from the domain in which they are
defined.
Universal groups: Groups that are used to grant permissions on a wide scale throughout a domain tree or
forest. Members of global groups include accounts and groups from any domain in the domain tree or
forest.
Security groups: Groups that can have security descriptors associated with them. You define security
groups in domains using Active Directory Users And Computers.
Distribution groups: Groups that are used as e-mail distribution lists. They can't have security descriptors
associated with them. You define distribution groups in domains using Active Directory Users And
Computers.
http://technet.microsoft.com/en-us/library/bb726978.aspx
QUESTION 19
Your network contains an Active Directory domain. The domain contains 5,000 user accounts.
You need to disable all of the user accounts that have a description of Temp.
You must achieve this goal by using the minimum amount of administrative effort.
Which tools should you use? (Each correct answer presents part of the solution. Choose two.)
A. Find
B. Dsget
C. Dsmod
D. Dsadd
E. Net accounts
F. Dsquery

Correct Answer: CF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
Your network contains an Active Directory domain. The domain contains two file servers. The file servers
are configured as shown in the following table.

You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.
You configure the advanced audit policy.
You discover that the settings are not applied to Server1. The settings are applied to Server2.
You need to ensure that access to the file shares on Server1 is audited.
What should you do?
A. From Active Directory Users and Computers, modify the permissions of the computer account for
Server1.
B. From GPO1, configure the Security Options.
C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.
D. On Server1, run secedit.exe and specify the /configure parameter.
E. On Server1, run auditpol.exe and specify the /set parameter.
Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
QUESTION 21
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU contains over
200 user accounts.
The Sales OU and the Engineering OU contain several user accounts that are members of a universal
group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
A. Modify the Group Policy permissions.
B. Configure Restricted Groups.
C. Configure WMI filtering.
D. Configure the link order.
E. Enable loopback processing in merge mode.
F. Link the GPO to the Sales OU.
G. Configure Group Policy Preferences.
H. Link the GPO to the Engineering OU.
I. Enable block inheritance.
J. Enable loopback processing in replace mode.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Your network contains an Active Directory domain.
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the
Finance organizational unit (OU) and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied,
the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure
that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Configure the link order.
B. Configure Restricted Groups.
C. Enable block inheritance.
D. Link the GPO to the Finance OU.
E. Enable loopback processing in merge mode.
F. Enable loopback processing in replace mode.
G. Link the GPO to the Human Resources OU.
H. Configure Group Policy Preferences.
I. Configure WMI filtering.
J. Modify the Group Policy permissions.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS
server for contoso.com.
You install the DNS Server server role on a member server named Server1 and then you create a standard
secondary zone for contoso.com. You configure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
A. On DC1, modify the permissions of contoso.com zone.
B. On Server1, add a conditional forwarder.
C. Add the Server1 computer account to the DnsUpdateProxy group.
D. On DC1, modify the zone transfer settings for the contoso.com zone.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are
domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Active Directory Sites And Services console
B. Ntdsutil
C. Dnslint
D. Nslookup

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
ssniyer -- In the case where (Exam J, Q24) Repadmin is not an answer option, I will go with AD Sites and
Services because it allows to force AD replication across connection objects.
Both DNSLint and nslookup are diagnostic tools. DNSLint is useful to make sure RRs are associated with
the right services and nslookup for domain namespace resolution issues. There is no diagnostic need in
this question.
Dnscmd is useful to administer/maintain a DNS server or zone using a command line tool. It is also the right
tool to create Application Directory Partition. However, I don't see literature to suggest it as a good
replication tool for AD integrated zones.
QUESTION 25
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain
controllers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host the Active
Directory-integrated zone for contoso.com.
From DNS Manager on DC1, you enable scavenging for the contoso.com zone.
You discover stale DNS records in the zone.
You need to ensure that the stale DNS records are deleted from contoso.com.
What should you do?
A. From DNS Manager, enable scavenging on DC1.
B. From DNS Manager, reload the zone.
C. Run dnscmd.exe and specify the ageallrecords parameter.
D. Run dnscmd.exe and specify the startscavenging parameter.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 ""
You need to ensure that the domain controllers can acquire new account-identifier pools successfully.
What should you do?
A. Move the domain naming master role.
B. Move the global catalog server.
C. Restart the Active Directory Domain Services (AD DS) service.
D. Deploy an additional global catalog server.
E. Move the infrastructure master role.
F. Move the PDC emulator role.
G. Install a read-only domain controller (RODC).
H. Move the RID master role.
I. Move the bridgehead server.
J. Move the schema master role.

Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server
2008 R2 Enterprise. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA).


You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted
File System (EFS) certificates.
All users plan to encrypt files by using EFS.
You need to ensure that the private keys for all new EFS certificates are archived.
Which snap-in should you use?
A. Share and Storage Management
B. Security Configuration Wizard
C. Enterprise PKI
D. Active Directory Administrative Center
E. Certification Authority
F. Group Policy Management
G. Certificate Templates
H. Authorization Manager
I. Certificates

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc730721.aspx
http://technet.microsoft.com/en-us/library/cc730721
QUESTION 28
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server
2008 R2 Enterprise. All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA.
You need to ensure that all of the members of a group named Sales can enroll for certificates that use
Sales_Temp.
Which snap-in should you use?
A. Enterprise PKI
B. Certification Authority
C. Share and Storage Management
D. Certificate Templates
E. Security Configuration Wizard
F. Authorization Manager
G. Group Policy Management
H. Certificates
I. Active Directory Administrative Center

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 29
Your network contains an Active Directory forest named adatum.com. All domain controllers currently run
Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows
Server 2003.
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What should you do first?
A. Deploy a writable domain controller that runs Windows Server 2008 R2.
B. Raise the functional level of the forest to Windows Server 2008.
C. Run adprep.exe.
D. Raise the functional level of the domain to Windows Server 2003.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active
Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the
contoso.com forest.
What should you do?
A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
C. Create an external trust from nwtraders.com to contoso.com.
D. Create an external trust from contoso.com to nwtraders.com.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx
QUESTION 31
Your company plans to open a new branch office. The new office will have a low-speed connection to the
Internet.
You plan to deploy a read-only domain controller (RODC) in the branch office.
You need to create an offline copy of the Active Directory database that can be used to install Active
Directory on the new RODC.
Which commands should you run from Ntdsutil?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
Build List and Reorder:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc770654.aspx
QUESTION 32
Your network contains an Active Directory forest.
All users have a value set for the Department attribute.
From Active Directory Users and Computers, you search a domain for all users who have a Department
attribute value of Marketing.
The search returns 50 users.
From Active Directory Users and Computers, you search the entire directory for all users who have a
Department attribute value of Marketing.
The search does not return any users.
You need to ensure that a search of the entire directory for users in the marketing department returns all of
the users who have the Marketing Department attribute.
What should you do?
A. Install the Windows Search Service role service on a global catalog server.
B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.
C. Install the Indexing Service role service on a global catalog server.
D. From the Active Directory Schema snap-in, modify the properties of the user class.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS
infrastructure is shown in the following graphic.

When the Montreal site domain controller is offline, authentication requests for Montreal branch office users
are sent to the Toronto site domain controller.
You need to ensure that when the Montreal Site domain controller is offline, authentication requests for
Montreal branch office users are sent to the Quebec City site domain controller.
What should you do?
A. Create a site link bridge between the Montreal site and the Quebec City site.
B. Enable the global catalog role on the Montreal site domain controller.
C. Modify the Default Domain Policy Group Policy Object.
D. Delete the Toronto-Montreal Site Link.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc733142(v=ws.10).aspx
QUESTION 34
A corporate environment includes two Active Directory Domain Services (AD DS) forests, as shown in the
following table.

You need to ensure that users in the contoso.com domain can access resources in the eng.fabrikam.com
domain.
What should you do?
A. Enable selective authentication.
B. Enable forest-wide authentication.
C. Create an external trust between contoso.com and eng.fabrikam.com.
D. Enable domain-wide authentication.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
Your network contains an Active Directory domain.
You need to activate the Active Directory Recycle Bin in the domain.
Which tool should you use?
A. Dsamain
B. Set-ADDomain
C. Add-WindowsFeature
D. Ldp

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd379481(v=WS.10).aspx
QUESTION 36
Your network contains an Active Directory domain named contoso.com.
You need to create a script that runs the Best Practices Analyzer (BPA) each week for all of the server roles
that BPA supports on each domain controller.
You must achieve this goal by using the minimum amount of administrative effort.
Which tools should you use? (Each correct answer presents part of the solution. Choose three.)
A. Get-TroubleshootingPack / Invoke-TroubleshootingPack.
B. Import-Module BestPractices.
C. Get-BPAModel / Invoke-BPAModel.
D. Import-Module TroubleshootingPack.
E. Get-BPAResult.

Correct Answer: BCE


Section: (none)

Explanation
Explanation/Reference:
QUESTION 37
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user
accounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an
OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is
audited.
What should you do first?
A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group
Policy Object.
B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the
Employees OU.
C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy
Object.
D. Modify the searchFlags property for the User class in the schema.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Note that these ANSWERS differ from Exam J - Q. 7
b - same as before
a,c, d = different
ssniyer posted ---- The answer to Exam J, Q37 is A - Enable the Audit Directory Service Access setting in
the Default Domain Controllers Policy. Refer to Technet article -
http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx - for details. I will get back to you on
the DNS question tomorrow. Need to research it out.

Exam F
QUESTION 1
Your network contains an Active Directory domain named contoso.com.
The Administrator deletes an OU named OU1 accidentally.
You need to restore OU1. Which cmdlet should you use?
A. Set-ADObject cmdlet.
B. Set-ADOrganizationalUnit cmdlet.
C. Set-ADUser cmdlet.
D. Set-ADGroup cmdlet.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.
You have a Group Policy Object (GPO) linked to the domain.
You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts
in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of
administrative effort.
What should you do?
A. Modify the Group Policy Permission.
B. Configure WMI filtering.
C. Enable block inheritance.
D. Enable loopback processing in replace mode.
E. Configure the link order.
F. Configure Group Policy Preferences.
G. Link the GPO to the Human Resources OU.
H. Configure Restricted Groups.
I. Enable loopback processing in merge mode.
J. Link the GPO to the Finance OU.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the
Sales OU and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied,
the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure
that all non-conflicting settings in both GPOs are applied.
A. Configure Restricted Groups.
B. Configure the link order.
C. Link the GPO to the Sales OU.
D. Link the GPO to the Engineering OU.
E. Enable loopback processing in merge mode.
F. Modify the Group Policy permissions.
G. Configure WMI Filtering.
H. Configure Group Policy Preferences.
I. Enable loopback processing in replace mode.
J. Enable block inheritance.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
Your network contains an Active Directory forest.
All users have a value set for the Department attribute.
From Active Directory Users and Computers, you search a domain for all users who have a Department
attribute value of Marketing. The search returns 50 users.
From Active Directory Users and Computers, you search the entire directory for all users who have a
Department attribute value of Marketing.
The search does not return any users.
You need to ensure that a search of the entire directory for users in the marketing department returns all of
the users who have the Marketing Department attribute.
What should you do?
A. Install the Windows Search Service role service on a global catalog server.
B. From the Active Directory Schema snap-in modify the properties of the Department attribute.
C. Install the Indexing Service role service on a global catalog server.
D. From the Active Directory Schema snap-in modify the properties of the user class.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is " %1 ""
You need to ensure that the domain controllers can acquire new account-identifier pools successfully.

What should you do?


A. Move the PDC emulator role.
B. Move the schema master role.
C. Move the global catalog server.
D. Move the domain naming master role.
E. Move the infrastructure master role.
F. Move the RID master role.
G. Restart the Active Directory Domain Services (AD DS) service.
H. Deploy an additional global catalog server.
I. Move the bridgehead server.
J. Install a read-only domain controller (RODC).

Correct Answer: F
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc756699(v=ws.10)
QUESTION 6
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all other users.
Which tool should you use?
A. Ntdsutil
B. Active Directory Users and Computers
C. ADSI Edit
D. Group Policy Management Console (GPMC)

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-US/library/cc754461.aspx
QUESTION 7
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?
A. Active Directory Sites and Services
B. Authorization Manager
C. Local Security Policy
D. ADSI Edit

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
The link below instructs you to access the "Attribute Editor" via Active Directory Users and Computers.
However the "Attribute Editor" can also be accessed by right-clicking on a user or group in ADSI Edit.

http://technet.microsoft.com/en-US/library/cc770848.aspx
QUESTION 8
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are
domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Repadmin
B. Active Directory Domains and Trusts console
C. Ldp
D. Ntdsutil

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc835086(v=ws.10)
QUESTION 9
Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and child.contoso.com. The forest contains two sites named Seattle and
Denver. Both sites contain users, client computers, and domain controllers from both domains.
The Seattle site contains the first domain controller deployed to the forest. The Seattle site also contains the
primary domain controller (PDC) emulator for both domains. All of the domain controllers are configured as
DNS servers. All DNS zones are replicated to all of the domain controllers in the forest.
The users in the Denver site report that it takes a long time to log on to their client computer when they use
their user principal name (UPN). The users in the Seattle site do not experience the same issue.
You need to reduce the amount of time it takes for the Denver users to log on to their client computer by
using their UPN.
What should you do?
A. Reduce the cost of the site link between the Denver site and the Seattle site.
B. Enable the global catalog on a domain controller in the Denver site.
C. Enable universal group membership caching in the Denver site.
D. Move a PDC emulator to the Denver site.
E. Reduce the replication interval of the site link between the Denver site and the Seattle site.
F. Add an additional domain controller to the Denver site.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest
contains a single domain.
A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.

Contoso.com contains a group named Group1.


Fabrikam.com contains a server named Server1.
You need to ensure that users in Group1 can access resources on Server1.
What should you modify?
A. the permissions of the Group1 group
B. the UPN suffixes of the contoso.com forest
C. the UPN suffixes of the fabrikam.com forest
D. the permissions of the Server1 computer account

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Please Check Answer
QUESTION 11
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
Users in the Sales OU frequently log on to client computers in the Engineering OU.
You need to meet the following requirements:
- All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the
Engineering OU must be applied to sales users when they log on to client computers in the Engineering
OU.
- Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log
on to client computers in the Sales OU.
- Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Please Check Answer
Loopback with Merge: In the case of Loopback with Merge, the Group Policy object list is a
concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs
for the computer (obtained during computer startup) is appended to this list. Because the computer's GPOs
are processed after the user's GPOs, they have precedence if any of the settings conflict.
http://technet.microsoft.com/en-us/library/cc782810%28v=ws.10%29.aspx
QUESTION 12
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Computer Management
B. Net Config
C. Active Directory Users and Computers
D. Gpresult

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and
east.contoso.com. The contoso.com domain contains a domain controller named DC1. The east.contoso.com
domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role
installed.
You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone
transfers are encrypted.
What should you do?
A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound
rules and outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone
on DC2 and select DC1 as the master.
B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com
naming context.
C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso, DC=com naming
context. Create a secondary zone on DC1 and select DC2 as the master.
D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone.
Create a secondary zone on DC2 and select DC1 as the master.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server
2008 R2.
The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event log entries for
Certificate Services.
Which snap-in should you use?

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
There is mention of an Event Log Reader Group. Membership should be able to be configured in AD Users
and Groups. Check this answer. In the MMFSH dump he has the answer AD Users and Groups, however
this is not an option here so I have left it Group Policy Management.
QUESTION 15
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server
2008 R2 Enterprise. All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You need to approve a pending certificate request.
Which snap-in should you use?
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 16
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have a Group Policy object (GPO) linked to the domain.
You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts
in the Sales OU. You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain
contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as
DNS servers.
You plan to create an Active Directory-integrated zone.
You need to ensure that the new zone is replicated to only four of the domain controllers.
What should you do first?
A. Use the ntdsutil tool to modify the DS behavior for the domain.
B. Use the ntdsutil tool to add a naming context.
C. Create a new delegation in the ForestDnsZones application directory partition.
D. Use the dnscmd tool with the /zoneadd parameter.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Your network contains an Active Directory forest named fabrikam.com. The forest contains the following
domains:
- Fabrikam.com
- Eu.fabrikam.com
- Na.fabrikam.com
- Eu.contoso.com
- Na.contoso.com
You need to configure the forest to ensure that the administrators of any of the domains can specify a user
principal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users
and Computers.
Which tool should you use?
A. Active Directory Sites and Services
B. Set-ADDomain
C. Set-ADForest
D. Active Directory Administrative Center


Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Creating a UPN Suffix for a Forest
This topic explains how to use the Active Directory module for Windows PowerShell to create a new user
principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the
names that are used to log on to another domain in the forest.
The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com
forest:
Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"}
http://technet.microsoft.com/en-us/library/dd391925%28v=ws.10%29.aspx
QUESTION 19
A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS
sites. The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers.
You need to determine which domain controller holds the Inter-Site Topology Generator role for the Toronto
site.
What should you do?
A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site.
B. Use the Ntdsutil tool with the roles parameter.
C. Use the Ntdsutil tool with the LDAP policies parameter.
D. Use the Active Directory Sites and Services console to view the properties of each domain controller in
the Toronto site.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains
a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?
A. Repadmin
B. Dcdiag
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Adtest

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
The Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet gets the user or computer accounts
that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on
that RODC. The list of accounts that are stored on a RODC is known as the revealed list.
http://technet.microsoft.com/en-us/library/ee617194.aspx
QUESTION 21
A network contains an Active Directory forest. The forest contains three domains and two sites.
You remove the global catalog from a domain controller named DC2. DC2 is located in Site1.
You need to reduce the size of the Active Directory database on DC2. The solution must minimize the
impact on all users in Site1.
What should you do first?
A. On DC2, start the Protected Storage service.
B. On DC2, stop the Active Directory Domain Services service.
C. Start DC2 in Safe Mode.
D. Start DC2 in Directory Services Restore Mode.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Your network contains an Active Directory domain named adatum.com. The functional level of the domain
is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run
Windows 7 Enterprise.
You need to receive a notification when more than 50 Active Directory objects are deleted per second.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.

Correct Answer: G
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
You have an enterprise subordinate certification authority (CA).
You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for
autoenrollment.
You increase the template key length to 2,048 bits.
You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new
template.
Which console should you use?
A. Group Policy Management MMC Snap-In
B. Certificates MMC Snap-In on the Certificate Authority
C. Certificate Templates MMC Snap-In
D. Certification Authority MMC Snap-In

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to create a new child domain and you receive the following error message: "An LDAP read of
operational attributes failed."
You need to ensure that you can add a new child domain to the forest.
What should you do?
A. Move the PDC emulator role.
B. Move the RID master role.
C. Move the infrastructure master role.
D. Move the schema master role.
E. Move the domain naming master role.
F. Move the global catalog server.
G. Move the bridgehead server.
H. Install a read-only domain controller (RODC).
I. Deploy an additional global catalog server.
J. Restart the Active Directory Domain Services (AD DS) service.

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Your network contains an Active Directory domain named adatum.com. The functional level of the domain
is Windows Server 2003. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can connect to the snapshot by using LDAP.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You need to ensure that when users log on to client computers, they are added automatically to the local
Administrators group. The users must be removed from the group when they log off of the client computers.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the Group Policy object (GPO) to the Sales OU.
J. Link the Group Policy object (GPO) to the Engineering OU.

Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Your network contains an Active Directory forest named contoso.com. The forest contains two member
servers named Server1 and Server2. Server1 and Server2 have the DNS Server server role installed.
Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server
for contoso.com.
You experience issues with the copy of the zone on Server2.
You verify that both copies of the zone have the same serial number.
You need to transfer a complete copy of the zone from Server1 to Server2.
What should you do on Server2?
A. From DNS Manager, right-click contoso.com and click Transfer from Master.
B. From Services, right-click DNS Server and click Refresh.
C. From Services, right-click DNS Server and click Restart.
D. From DNS Manager, right-click contoso.com and click Reload.
E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.

Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Please Check Answer
QUESTION 28
Your network contains an Active Directory domain. The domain contains two Active Directory sites named
Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain
controllers named DC3 and DC4.
The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is
Windows Server 2003.
Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
At 07:00, an administrator deletes a user account while he is logged on to DC1.
You need to restore the deleted user account. You want to achieve this goal by using the minimum amount
of administrative effort.
What should you do?
A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active
Directory Domain Services.
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, run the Restore-ADObject cmdlet.
D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active
Directory Domain Services.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
You create a standard primary zone for contoso.com.
You need to specify a user named Admin1 as the person responsible for managing the zone.
What should you do? (Each correct answer presents a complete solution. Choose two.)
A. Open the %Systemroot%\System32\DNS\Contoso.com.dns file by using Notepad and change all
instances of "hostmaster.contoso.com" to "admin1.contoso.com".
B. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com. Specify
admin1.contoso.com as the responsible person.
C. Open the %Systemroot%\System32\DNS\Contoso.com.dns file by using Notepad and change all
instances of "hostmaster@contoso.com" to "admin1@contoso.com".
D. From DNS Manager, open the properties of the Start of Authority (SOA) record of contoso.com.
Specify admin1@contoso.com as the responsible person.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Please Check Answer
QUESTION 30
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is
Windows Server 2008 R2.
The DNS zone for contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role
on RODC1.
You discover that RODC1 does not have any DNS application directory partitions.
You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.
What should you do? (Each correct answer presents a complete solution. Choose two.)
A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.
B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.
C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.
E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DE
Section: (none)
Explanation
Explanation/Reference:
Please Check but I think this should be A and C and not A and D.
I have changed it to A and C.
Reason: Once the application directory partition is created, contoso.com should replicate to it.
Dnscmd /enlistdirectorypartition --- Adds the DNS server to the specified directory partition's replica set.
Dnscmd /createbuiltindirectorypartitions
Creates a DNS application directory partition. When DNS is installed, an application directory partition for
the service is created at the forest and domain levels. Use this command to create DNS application
directory partitions that were deleted or never created. With no parameter, this command creates a
built-in DNS directory partition for the domain.
To create the default DNS application directory partitions
Using the Windows interface
Open DNS.
In the console tree, right-click the applicable DNS server.
Where?
DNS/applicable DNS server
Click Create Default Application Directory Partitions.
Follow the instructions to create the DNS application directory partitions.

QUESTION 31
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are
domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Ntdsutil
B. Dnscmd
C. Repadmin
D. Nslookup

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Please Check
Repadmin /syncall
Because this is an Active Directory-integrated zone, you can use Repadmin /syncall to update everything
including DNS records.
QUESTION 32
Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008
R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.
You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 and
ADFS3.
A. Personal Information Exchange PKCS #12 (.pfx)
B. DER encoded binary X.509 (.cer)
C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
D. Base-64 encoded X.509 (.cer)

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
You create a user account template for the marketing department.
When you copy the user account template, you discover that the Web page attribute is not copied.
You need to preserve the Web page attribute when you copy the user account template.
What should you do?
A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute for the
user account template.
B. From the Active Directory Schema snap-in, modify the properties of the user class.
C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute for the
user account template.
D. From ADSI Edit, modify the properties of the wWWHomePage attribute.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 34
Your network contains an Active Directory domain named contoso.com. The functional level of the forest is
Windows Server 2008 R2.
The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.
On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration
settings by using a local GPO.
You need to identify what will be audited on DC1.
Which tool should you use?
A. Get-ADObject
B. Secedit
C. Security Configuration and Analysis
D. Auditpol

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
A network contains an Active Directory forest. The forest schema contains a custom attribute for user
objects.
You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.
Which tool should you use?
A. Dsmod
B. Csvde
C. Ldifde
D. Dsrm

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
Your network contains an Active Directory forest named contoso.com. The forest contains two domains
named contoso.com and child.contoso.com. All domain controllers run Windows Server 2008. All
forest-wide operations master roles are in child.contoso.com.
An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack
1 (SP1) installation media.
You plan to run adprep.exe /domainprep in each domain.
You need to ensure that you have the required user rights to run the command successfully in each
domain.
Of which groups should you be a member? (Each correct answer presents part of the solution.
Choose two.)
A. Administrators in child.contoso.com
B. Enterprise Admins in contoso.com
C. Domain Admins in child.contoso.com
D. Domain Admins in contoso.com
E. Administrators in contoso.com
F. Schema Admins in contoso.com

Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain
and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1
(SP1).
The forest contains an application directory partition named dc=app1,dc=contoso,dc=com. A domain
controller named DC1 has a copy of the application directory partition.
You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=com.
Which tool should you use?
A. Active Directory Sites and Services
B. Dsmod
C. Dcpromo
D. Dsmgmt

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Please Check Answer
I don't think this is Dsmod. It is most likely Dcpromo.
Dsmod -- Modifies an existing object of a specific type in the directory.
QUESTION 38
A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS)
domain.
You need to enable Universal Group Membership Caching on several domain controllers in the domain.
Which tool should you use?

A. Dsmod
B. Dscmd
C. Ntdsutil
D. Active Directory Sites and Services console
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
To enable Universal Group Membership Caching in a site
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then
click Active Directory Sites and Services.
In the console tree, expand Sites, and then click the site in which you want to enable Universal Group
Membership Caching.
In the details pane, right-click the NTDS Site Settings object, and then click Properties.
Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
In the Refresh cache from list, click the site that you want the domain controller to contact when the
Universal Group membership cache must be updated, and then click OK.
http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29
QUESTION 39
Your network contains an Active Directory forest. The forest contains three domains. All domain controllers
have the DNS Server server role installed.
The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client
computers, and domain controllers of each domain. Site1 contains the first domain controller deployed to
the forest.
The sites connect to each other by using unreliable WAN links.
The users in Site2 and Site3 report that it takes a long time to log on to their client computer when they use
their user principal name (UPN). The users in Site1 do not experience the same issue.
You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their
client computer by using their UPN.
What should you do?
A. Configure a global catalog server in Site2 and a global catalog server in Site3.
B. Reduce the replication interval of the site links.
C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.
D. Add additional domain controllers to Site2 and to Site3.
E. Reduce the cost of the site links.
F. Enable universal group membership caching in Site2 and in Site3.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
You have a client computer named Computer1 that runs Windows 7.
On Computer1, you configure a source-initiated subscription.
You configure the subscription to retrieve all events from the Windows logs of a domain controller named
DC1. The subscription is configured to use the HTTP protocol.
You discover that events from the Security log of DC1 are not collected on Computer1. Events from the
Application log of DC1 and the System log of DC1 are collected on Computer1.
You need to ensure that events from the Security log of DC1 are collected on Computer1.
What should you do?
A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.
B. Add the Network Service security principal to the Event Log Readers group on the domain.
C. Configure the subscription to use custom Event Delivery Optimization settings.
D. Configure the subscription to use the HTTPS protocol.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
Your network contains an Active Directory forest named contoso.com. The forest contains six domains.
You need to ensure that the administrators of any of the domains can specify a user principal name (UPN)
suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers.
Which tool should you use?
A. Active Directory Administrative Center
B. Set-ADDomain
C. Active Directory Sites and Services
D. Set-ADForest

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Creating a UPN Suffix for a Forest
This topic explains how to use the Active Directory module for Windows PowerShell to create a new user
principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the
names that are used to log on to another domain in the forest.
The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com
forest:
Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"}
http://technet.microsoft.com/en-us/library/dd391925%28v=ws.10%29.aspx
QUESTION 42
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites
named Site1 and Site2. Site2 contains a read-only domain controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?
A. Active Directory Users and Computers
B. Ntdsutil
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Adtest

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Get-ADDomainControllerPasswordReplicationPolicyUsage
To get accounts that are authenticated by the RODC, use the AuthenticatedAccounts parameter. To get the
accounts that have passwords stored on the RODC, use the RevealedAccounts parameter.
http://technet.microsoft.com/en-us/library/ee617194.aspx
QUESTION 43
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user
objects.
You need to generate a file that contains the last logon time and the custom attribute values for each user in
the forest.
What should you use?
A. the Get-ADUser cmdlet
B. the Export-CSV cmdlet
C. the Net User command
D. the Dsquery User tool

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Net User
B. Active Directory Users and Computers
C. Group Policy Management Console (GPMC)
D. Computer Management

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS server for
fabrikam.com.
You install the DNS Server server role on a member server named DNS1 and then you create a standard
secondary zone for fabrikam.com. You configure DC4 as the master server for the zone.
You need to ensure that DNS1 receives zone updates from DC4.
What should you do?
A. Add the DNS1 computer account to the DNSUpdateProxy group.
B. On DC4, modify the permissions of the fabrikam.com zone.
C. On DNS1, add a conditional forwarder.
D. On DC4, modify the zone transfer settings for the fabrikam.com zone.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority
(CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a
hardware security module for private key storage.
You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA
option is not available.
You need to install the AD CS server role as an Enterprise CA on CA1.
What should you do first?
A. Add the DNS Server server role to CA1.
B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
D. Join CA1 to the domain.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
Your company has an Active Directory forest. Each regional office has an organizational unit (OU) named
Marketing. The Marketing OU contains all users and computers in the region's Marketing department.
You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs.
You create a GPO named MarketingApps.
What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.
B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.
C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing
OU.
D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
Your network contains an Active Directory domain named contoso.com.
The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)
You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between
the sites.
What should you do?
Exhibit:

A. Configure DC1 as a preferred bridgehead server for IP transport.
B. Configure DC4 as a preferred bridgehead server for IP transport.
C. From the DC4 server object, create a Connection object for DC1.
D. From the DC1 server object, create a Connection object for DC4.

Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Please Check Answer
Connections. The KCC creates connections that enable domain controllers to replicate with each
other. A connection defines a one-way, inbound route from one domain controller, the source, to another
domain controller, the destination. The KCC reuses existing connections where it can, deletes unused
connections, and creates new connections if none exist that meet the current need.
Bridgehead Servers. To communicate across site links, the KCC automatically designates a single server,
called the bridgehead server, in each site to perform site-to-site replication. Subsequent replication occurs
by replication within a site. When site links are established, authorized administrators can designate the
bridgehead servers that they want to receive replication between sites. By designating a specific server to
receive replication between sites, rather than using any available server, authorized administrators can
specify the most beneficial conditions for the connection between sites. Bridgehead servers ensure that
most replication occurs within sites rather than between sites.
http://technet.microsoft.com/library/dd277429.aspx
QUESTION 49
Your network contains an Active Directory domain named contoso.com. The domain contains a domain
controller named DC1. DC1 has the DNS Server server role installed and hosts an Active
Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are both set to three days.
The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit
button.)

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit.
(Click the Exhibit button.)

You discover that the scavenging process ran today, but the record for Server1 was not deleted.
You run dnscmd.exe and specify the ageallrecords parameter.
You need to identify when the record for Server1 will be deleted from the zone.
In how many days will the record be deleted?
A. 13
B. 10
C. 23
D. 7

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Automatic scavenging. Automatic scavenging specifies that aging and scavenging of stale records is to be
performed automatically by the server for any eligible zones at a recurring interval that is specified as the
scavenging period. When you use automatic scavenging, the default scavenging period is one day, and the
minimum allowed value that you can use for the scavenging period is one hour.
QUESTION 50
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click
the Exhibit button.)
Each organizational unit (OU) contains over 500 user accounts.
The Finance OU and the Human Resources OU contain several user accounts that are members of a
universal group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
Exhibit:

A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:

Exam G
QUESTION 1
Your network contains an Active Directory domain. The domain contains a domain controller named DC1
that runs Windows Server 2008 R2 Service Pack 1 (SP1).
You need to implement a central store for domain policy templates.
What should you do?
To answer, select the source content that should be copied to the destination folder in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
http://www.petri.co.il/creating-group-policy-central-store.htm
QUESTION 2
Your network contains an Active Directory forest named contoso.com.
You plan to migrate all user accounts to a new forest named litwareinc.com.
The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains four servers.
The servers are configured as shown in the following table.

The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains four
servers. The servers are configured as shown in the following table.

You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration
Tool version 3.2 (ADMT v3.2).
Which server should you identify?
A. Litw_Srv4
B. Litw_Srv1
C. Litw_Srv2
D. Litw_Srv3

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
Your network contains an Active Directory domain.
The password policy for the domain is configured as shown in the Current Policy exhibit. (Click the Exhibit
button.)

You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit
button.)

You need to provide users with examples of a valid password.
Which password examples should you provide to the users? (Each correct answer presents a complete
solution. Choose three.)
A. 123456!@#$%^
B. !@#$1234ABCD
C. password1234
D. 1-2-3-4-5-a-b-c-e
E. %%PASS1234%%
F. 111111aaaaaaa

Correct Answer: BDE
Section: (none)
Explanation
Explanation/Reference:
Passwords must contain characters from three of the following five categories:
- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic
characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and
Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase.
This includes Unicode characters from Asian languages.
http://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx
QUESTION 4
Your network contains an Active Directory domain named contoso.com.
The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)
You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between
the sites.
What should you do?
Exhibit:

A. Configure DC1 as a preferred bridgehead server for IP transport.
B. Configure DC4 as a preferred bridgehead server for IP transport.
C. From the DC4 server object, create a Connection object for DC1.
D. From the DC1 server object, create a Connection object for DC4.

Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 5
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is
Windows Server 2008 R2. The forest contains a single domain.
You need to ensure that objects can be restored from the Active Directory Recycle Bin.
Which tool should you use?

A. Ntdsutil
B. Set-ADDomain
C. Dsamain
D. Enable-ADOptionalFeature

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd379481%28v=ws.10%29.aspx
QUESTION 6
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click
the Exhibit button.)
Users in the Finance organizational unit (OU) frequently log on to client computers in the Human Resources
OU.
You need to meet the following requirements:
- All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the Human
Resources OU must be applied to finance users when they log on to client computers in the Engineering
OU.
- Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they
log on to client computers in the Finance OU.
- Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human
Resources OU.
What should you do?
Exhibit:

A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.

Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 7
Your network contains an Active Directory forest named contoso.com. The forest contains four computers.
The computers are configured as shown in the following table.

An administrator creates a script that contains the following commands:

You need to identify which computers can successfully run all of the commands in the script.
Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)
A. Computer1
B. Server1
C. Computer2
D. Server2

Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
http://technet.microsoft.com/pt-pt/library/ff625687%28v=ws.10%29.aspx
QUESTION 8
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click
the Exhibit button.)
You need to ensure that when users log on to client computers, they are added automatically to the local
Administrators group. The users must be removed from the group when they log off of the client computers.

What should you do?


Exhibit:

A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).
J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).

Correct Answer: H
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
Your company plans to open a new branch office.
The new office will have a low-speed connection to the Internet.
You plan to deploy a read-only domain controller (RODC) in the branch office.
You need to create an offline copy of the Active Directory database that can be used to install the Active
Directory on the new RODC.
Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Your network contains an Active Directory forest named contoso.com.
You need to use Group Policies to deploy the applications shown in the following table.

What should you do?


To answer, drag the appropriate deployment method to the correct application in the answer area.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in
the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 12
Your network contains two Active Directory forests named contoso.com and fabrikam.com.
A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.
Fabrikam.com contains a server named Server1.
You assign Contoso\Domain Users the Manage documents permission and the Print permission to a
shared printer on Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to Contoso\Domain Users?
To answer, select the appropriate permission in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named
Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are
configured as shown in the following table.

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the
forest.
You need to configure DC2 as a global catalog server.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
To designate a domain controller to be a global catalog server:
1. Open Active Directory Sites and Services.
2. In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.
3. Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.
4. Right-click the NTDS Settings object for the target server, and then click Properties.
5. Select the Global Catalog check box, and then click OK.
http://technet.microsoft.com/en-us/library/cc782576%28v=ws.10%29
QUESTION 14
Your network contains an Active Directory forest named contoso.com. The forest contains two Active
Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single
read-only domain controller (RODC).
You accidentally delete the site link between the two sites.
You recreate the site link while you are connected to a domain controller in Seattle.
You need to replicate the change to the RODC in Montreal.
Which node in Active Directory Sites and Services should you use?
To answer, select the appropriate node in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named
Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are
configured as shown in the following table.

You need to enable universal group membership caching in the Seattle site.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference: