Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring Practice Test Version: 30.2

QUESTION NO: 1
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

Only one Active Directory-integrated zone has been configured in the ABC.com domain. ABC.com has requested that you configure the DNS zone to automatically remove DNS records that are outdated.

What action should you consider?

A. You should consider running the netsh /Reset DNS command from the Command prompt.
B. You should consider enabling Scavenging in the DNS zone properties page.
C. You should consider reducing the TTL of the SOA record in the DNS zone properties page.
D. You should consider disabling updates in the DNS zone properties page.

Answer: B

Explanation: In the scenario you should enable scavenging through the zone properties because scavenging removes the outdated DNS records from the DNS zone automatically. You should additionally note that patience is required when enabling scavenging, as there are some safety valves built into scavenging that take a long time to pop.

Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=211

QUESTION NO: 2
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a server named ABC-SR15. You install the Active Directory Lightweight Directory Services (AD LDS) on ABC-SR15.

Which of the following options can be used for the creation of new Organizational Units (OUs) in the application directory partition of the AD LDS?

A. You should run the net start command on ABC-SR15.
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
C. You should run the repadmin /dsaguid command on ABC-SR15.
D. You should open the Active Directory Users and Computers Console on ABC-SR15.

Microsoft 70-640: Practice Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2

Answer: B

Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS application directory partition. You also need to add the snap-in in the Microsoft Management Console (MMC).

QUESTION NO: 3
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has two domain controllers, ABC-DC01 and ABC-DC02. ABC-DC01 suffers a catastrophic failure, but it is causing problems because it was configured to have the Schema Master Operations role. You log on to the ABC.com domain as a domain administrator but your attempts to transfer the Schema Master Operations role to ABC-DC02 are unsuccessful.

What action should you take to transfer the Schema Master Operations role to ABC-DC02?

A. Your best option would be to have the dcpromo /adv command executed on ABC-DC02.
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
C. Your best option would be to have Schmmgmt.dll registered on ABC-DC02.
D. Your best option would be to add your user account to the Schema Administrators group.

Answer: B

Explanation: To ensure that ABC-DC02 holds the Schema Master role you need to seize the Schema Master role on ABC-DC02. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again. So to transfer the schema master operations role, you have to seize it on ABC-DC02.

Reference: http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-ec9a773f7ffb1033.mspx?mfr=true

QUESTION NO: 4
You work as the network administrator at ABC.com. The ABC.com network has a single forest. The forest functional level is set at Windows Server 2008.

The ABC.com network has a Microsoft SQL Server 2005 database server named ABC-DB04 that hosts the Active Directory Rights Management Service (AD RMS).

You try to access the Active Directory Rights Management Services administration website but receive an error message stating: "SQL Server does not exist or access is denied."

How can you access the AD RMS administration website?

A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on ABC-DB04.
C. You need to reinstall the AD RMS instance on ABC-DB04.
D. You need to reinstall the SQL Server 2005 instance on ABC-DB04.
E. You need to run the DCPRO command on ABC-SR04.

Answer: A

Explanation: You need to restart the Internet Information Server (IIS) to correct the problem. Starting the MSSQLSVC service will allow you to access the database from the AD RMS administration website.

QUESTION NO: 5
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has a Windows Server 2008 computer named ABC-SR03 that functions as an Enterprise Root certificate authority (CA).

A new ABC.com security policy requires that revoked certificate information should be available for examination at all times.

What action should you take to adhere to the new policy?

A. This can be accomplished by having a list of trusted certificate authorities published to the ABC.com domain.
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
C. This can be accomplished by having the OCSP Response Signing certificate imported.
D. This can be accomplished by having the Startup Type of the Certificate Propagation service set to Automatic.
E. This can be accomplished by having the computer account of ABC-SR03 added to the PGCertificates group.

Answer: B

Explanation: You should use network load balancing and publish an OCSP responder. This will ensure that the revoked certificate information is available at all times. You do not need to download the entire CRL to check for revocation of a certificate; the OCSP is an online responder that can receive a request to check for revocation of a certificate. This will also speed up certificate revocation checking as well as reduce network bandwidth tremendously.

QUESTION NO: 6
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

You are responsible for managing two servers, ABC-SR01 and ABC-SR02. They are set up with the following configuration.
ABC-SR01 running Enterprise Root certificate authority (CA)
ABC-SR02 running Online Responder role service

Which of the steps must you perform for configuring the Online Responder to be supported on ABC-SR01?

A. You should enable the Dual Certificate List extension on ABC-SR01.
B. You should ensure that ABC-SR01 is a member of the CertPublishers group.
C. You should import the OCSP Response Signing certificate to ABC-SR01.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
E. You should run the CERTSRV command on ABC-SR01.

Answer: D

Explanation: In order to configure the online responder role service on ABC-SR01 you need to configure the AIA extension. The authority information access extension will indicate how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. This extension may be included in subject or CA certificates, and it MUST be non-critical.

QUESTION NO: 7
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.

The ABC.com network has a client computer named ABC-WS640 that was last used six months ago. During the course of the day you attempt to log on to ABC-WS640 but you are unable to authenticate during the logon process.

What action should you consider in order to log on to ABC-WS640?

A. You should consider opening the command prompt on ABC-WS640 and running the netsh set machine command.
B. You should consider opening the command prompt on ABC-WS640 and running the repadmin command.
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
D. You should consider deleting the computer account for ABC-WS640 in Active Directory Users and Computers, and then recreate the computer account.

Answer: C

Explanation: In the scenario you should have the computer disjoined from the domain and rejoined to the domain whilst having the computer account reset as well. You should additionally note that the long inactivity caused the computer to stop responding to the authentication query using the Active Directory records. Disjoining and rejoining with the account being reset refreshes the computer account passwords.

QUESTION NO: 8
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.

The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01 that hosts the Directory Services Recovery Mode (DSRM) role.

What would be the best option to take to have the DSRM password reset?

A. The best option is to open the Active Directory Security for Computers snap-in.
B. The best option is to run the ntdsutil command.
C. The best option is to run the Netsh command.
D. The best option is to open the Domain Controller security snap-in.

Answer: B

Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password.

Reference: http://support.microsoft.com/kb/322672

QUESTION NO: 9
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has two offices, Chicago and Dallas.

The network has the following setup.
Chicago Office - Domain Controller named ABC-DC01
Dallas Office - Read-Only Domain Controller named ABC-DC02

How can you make sure that Dallas Office users use only ABC-DC02 for authentication?

A. You should consider having ABC-DC02 configured as a bridgehead server in the Dallas office.
B. You should consider installing and configuring the Password Replication Policy on ABC-DC02.
C. You should consider having ABC-DC01 configured as a bridgehead server in the Chicago office.
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
E. You should consider having the Global Catalog installed on ABC-DC01.

Answer: B

Explanation: You should use the Password Replication Policy on the RODC. This will allow the users at the Dallas office to log on to the domain with the RODC. RODCs don’t cache any user or machine passwords.

QUESTION NO: 10
You work as the network administrator at ABC.com. The ABC.com network has a domain named intl.ABC.com. All servers on the ABC.com network run Windows Server 2008. The domain controllers on the ABC.com domain are configured to function as DNS servers.

What action should you take to ensure that computers that are not part of the intl.ABC.com domain are not able to dynamically register their DNS registration information in the intl.ABC.com zone?

A. You should consider removing the .(root) zone from the intl.ABC.com zone.
B. You should consider running the dnscmd /AgeAllRecords command.
C. You should consider configuring Secure Only dynamic updates.
D. You should consider configuring the intl.ABC.com zone as an Active Directory integrated zone.

Answer: C

Explanation: In order to ensure that only domain members are able to register their DNS records dynamically you need to set the option Secure only for Dynamic updates. This will only allow the domain members to register their DNS records dynamically.

Reference: www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx

QUESTION NO: 11
You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has two servers named ABC-SR01 and ABC-SR02 that are configured as domain controllers and as DNS servers. Both servers have the following setup for the ABC.com domain.
ABC-SR01 - Standard Primary zone
ABC-SR02 - Standard Secondary zone.

You have to perform the following tasks:
- Perform the replication of ABC.com Zone Data
- Make sure that Zone Data maintains encryption
- Prevent the loss of Zone Data

How can you accomplish the goals? (Each correct answer presents part of the solution. Choose TWO.)

A. You should consider having the zone transfer settings configured on ABC-SR01 and ABC-SR02.
B. You should consider having the primary zone on ABC-SR02 converted to an Active Directory-integrated stub zone.
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory-integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
E. You should consider having the primary zone on ABC-SR01 deleted.

Answer: C,D

Explanation: In the scenario you should have the ABC.com primary zone converted to an Active Directory-integrated zone and delete the secondary zone as this would ensure replication of the ABC.com zone is encrypted whilst preventing data loss.

QUESTION NO: 12
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

All master roles in the forest are maintained at a domain controller ABC-DC01. You have another domain controller in the network named ABC-DC02 which contains better hardware and can improve performance. ABC-DC01 is to be removed from the network.

Which option can you select in order to ensure that proper roles are transferred to ABC-DC02 without disrupting the forest wide operations?

A. You should consider transferring the RID Master role and the Schema master role.
B. You should consider transferring the Schema master role and the Domain naming master role.
C. You should consider transferring the Infrastructure master role and the PDC emulator role.
D. You should consider transferring the Infrastructure master role and the Domain naming master role.
E. You should consider transferring the RID Master role and the PDC emulator role.

Answer: C

Explanation: In order to transfer all forest-wide operation master roles to another domain you need to transfer Domain naming master as well as the Schema master.

Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.

Reference: http://support.microsoft.com/kb/324801

QUESTION NO: 13
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a domain controller named ABC-DC01 that has a single hard drive named Drive C. Drive C hosts the ntds.dit database. You have installed an additional hard drive named Drive D on ABC-DC01.

What would be the best option to take to transfer the ntds.dit database to Drive D?

A. The best option is to run the Ntdsutil command with the Files option.
B. The best option is to open the Windows Power Shell and use the Copy and Paste functions.
C. The best option is to run the xcopy command.
D. The best option is to open the Windows Explorer and use the Cut and Paste functions.

Answer: A

Explanation: The way you move the Active Directory database to a new volume is to move the ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition.

Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.mspx?mfr=true

QUESTION NO: 14 DRAG DROP
You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has organizational units (OUs) named Sales, Marketing and Admin. The Sales OU contains a file server named ABC-SR04 that hosts a shared folder named SalesDocs that contains sensitive customer information.

What action should you take to track access to the SalesDocs folder? (To answer, drag the appropriate action to the appropriate location in the work area.)

Answer:

QUESTION NO: 15
You work as the network administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a server named ABC-SR01 that functions as an Enterprise Root certificate authority (CA).

What action should you take to configure ABC-SR01 to support key archival?

A. The Hisecdc security template should be applied to ABC-SR01.
B. The OCSP Response Signing certificate should be imported to ABC-SR01.
C. The private key on ABC-SR01 should be archived.
D. The Startup Type of the Certificate Propagation service on ABC-SR01 should be set to Automatic.

Answer: C

Explanation:

QUESTION NO: 16
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com that operates at the Windows Server 2008.

How can you configure the network so that it allows the users of ABC.com to have multiple password policies?

A. You should consider creating multiple class schema objects in the Schema console.
B. You should consider creating multiple Group Policy objects in the Group Policy Management console.
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
D. You should consider creating multiple passwords in Active Directory Users and Computers.

Answer: C

Explanation:

QUESTION NO: 17
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network contains a server which is configured as:
- Domain Controller
- DNS Server

What option can you use to ensure tracking of all DNS queries received by ABC-SR01?

A. You should consider having automatic logging for recursive queries enabled in the DNS Manager Console on ABC-SR01.
B. You should consider having debug logging enabled in the DNS Manager Console on ABC-SR01.
C. You should consider having event logging configured in the DNS Manager Console on ABC-SR01.
D. You should consider having system event logging configured in the Event Viewer on ABC-SR01.

Answer: B

Explanation:

QUESTION NO: 18
You work as an enterprise administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago and a branch office in Miami. The two offices are configured as separate sites.

The Miami site contains a domain controller named ABC-DC06. You receive an instruction from the CIO to install a new application at the Miami office. In order for the application to run, a Global Catalog server is required.

What action should you consider to add a Global Catalog server to the Miami site?

A. You should consider running the DCPROMO command on ABC-DC06 to install the Global Catalog.
B. You should consider using the Server Manager console to configure ABC-DC06 as a Global Catalog server.
C. You should consider using the Active Directory Domains and Trusts console to configure ABC-DC06 as a Global Catalog server.
D. You should consider using the Active Directory Sites and Services console to configure ABC-DC06 as a Global Catalog server.

Answer: D

Explanation:

QUESTION NO: 19
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The network contains two sites, London and Paris. The following configuration applies to each location.
London - Single Domain Controller named ABC-DC01 - Separate Active Directory Site.
Paris - Single Domain Controller named ABC-DC02 - Separate Active Directory Site.
Network Setup - Both Active Directory Sites are using DEFAULTIPSITELINK object for connectivity.

What action should you take to reduce the delay it takes during replication between ABC-DC01 and ABC-DC02?

A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
B. You should consider having the replication schedule for the DEFAULTIPSITELINK object increased.
C. You should consider having the cost for the DEFAULTIPSITELINK object decreased.
D. You should consider having a site link bridge installed between ABC-DC01 and ABC-DC02.

Answer: A

Explanation:

QUESTION NO: 20 DRAG DROP
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has four file servers named ABC-SR01, ABC-SR02, ABC-SR03 and ABC-SR04 that are placed in an Organizational Unit (OU) named PGServers.

ABC has several contractual workers who are members of a global group named PartTimeUsers. A new ABC.com security policy requires that any attempts by contractual workers to access the folders and files on the file servers in the PGServers OU needs to be tracked.

What action should you take to implement this policy? (To answer, drag the appropriate action to the appropriate location in the work area.)

Answer:

QUESTION NO: 21
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has two servers named ABC-SR01 and ABC-SR02.
ABC-SR01 - Enterprise Root certificate authority (CA).
ABC-SR02 - Hosts the Online Responder role.

What step can you perform to make sure that ABC-SR02 is issuing the certificate revocation lists (CRL)?

A. You should enable the Dual Certificate List extension on ABC-SR02.
B. You should ensure that ABC-SR02 is a member of the CertPublishers group.
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR02.
E. You should run the CERTSRV command on ABC-SR02.

Answer: C

Explanation:

QUESTION NO: 22
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.

During the course of the day an ABC.com user named Rory Allen complains that he receives an error message stating that his account has expired when he attempts to authenticate to the ABC.com domain from his client computer.

What action should you consider to have Rory Allen log on to the ABC.com domain from his client computer?

A. You should consider reducing the account lockout duration in the default domain policy.
B. You should consider resetting Rory Allen's user account.
C. You should consider setting Rory Allen's user account to never expire.
D. You should consider resetting the computer account for Rory Allen's client computer.

Answer: C

Explanation:

QUESTION NO: 23
You work as the network administrator at ABC.com. ABC.com has its headquarters in London. The ABC.com network has a domain named ABC.com that consists of a single Active Directory site named LondonSite. The LondonSite contains a domain controller named ABC-DC01.

ABC.com opens a branch office in York and you create another Active Directory site named YorkSite.

How can you have Active Directory replication configured between the two sites?

A. You need to consider installing a new domain controller in YorkSite and creating a site link between the two sites. Then you should consider decreasing the site link cost.
B. You need to consider installing a new domain controller in the LondonSite and configuring it as a preferred bridgehead server.
C. You need to consider installing a new domain controller in the LondonSite and configuring a new site link bridge between the two sites.
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.

Answer: D

Explanation:

QUESTION NO: 24
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has three domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03 that run Windows Server 2003. ABC.com purchases a new Windows Server 2008 computer named ABC-SR04.

What is the first step you should take to install ABC-SR04 as a domain controller on the ABC.com network?

A. You should consider running the dconfig command on ABC-SR04.
B. You should consider running the adprep /forestprep command on ABC-DC01.
C. You should consider raising the domain functional level to Windows Server 2008.
D. You should consider running the adprep /domainprep command on ABC-DC01.
E. You should consider running the dcpromo /remove command on ABC-DB01, ABC-DB02 and ABC-DB03.

Answer: B

Explanation:

QUESTION NO: 25
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

A new ABC.com domain controller management policy states that replication errors need to be logged to a central server.

How would you implement this policy?

A. You should consider having the RepMonitor configured for central logging.
B. You should consider having the System Performance data collector set started on each domain controller.
C. You should consider having event log subscriptions created on each domain controller.
D. You should consider having the RepAdmin Diagnostics data collector started on each domain controller.

Answer: C

Explanation:

QUESTION NO: 26 DRAG DROP
You work as a network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com and a child domain named intl.ABC.com. All domain controllers and servers on the ABC.com network run Windows Server 2008.

The ABC.com domain has two domain controllers named ABC-DC01 and ABC-DC02 and the intl.ABC.com domain has two domain controllers named ABC-DC03 and ABC-DC04.

ABC.com decides to reorganize the forest structure by removing the intl.ABC.com child domain.

What actions should you take to remove the intl.ABC.com child domain? (To answer, drag the appropriate action to the appropriate location in the work area.)

Answer:

QUESTION NO: 27
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has six domain controllers named ABC-DC01, ABC-DC02, ABC-DC03, ABC-DC04, ABC-DC05 and ABC-DC06. All six domain controllers function as DNS servers. You are in the process of implementing a new Active Directory-integrated DNS zone.

What action should you take first if you want the new zone replicated only to ABC-DC05 and ABC-DC06?

A. You should consider having the dnscmd /createdirectorypartition command executed on ABC-DC05 and ABC-DC06.
B. You should consider having the dnscmd /config command executed on ABC-DC05 and ABC-DC06.
C. You should consider having the .(root) zone deleted from ABC-DC01, ABC-DC02, ABC-DC03 and ABC-DC04.
D. You should consider having BIND secondaries enabled on ABC-DC05 and ABC-DC06.
E. You should consider having the dnscmd /unenlistdirectorypartition command executed on ABC-DC01, ABC-DC02, ABC-DC03 and ABC-DC04.

Answer: A

Explanation:

QUESTION NO: 28
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a domain controller named ABC-SR01 that also functions as a DNS server. You add a new stand-alone server named ABC-SR02 and configure it as a DNS server. You then configure a standard secondary zone with ABC-SR01 as the master server.

What action should you take to have zone updates replicated from ABC-SR01 to ABC-SR02?

A. You should consider having ABC-SR02 made a member of the DNSUpdateProxy group.
B. You should consider having the permission of the ABC.com zone modified on ABC-SR01.
C. You should consider having the dnscmd /ZoneUpdateFromDs command run on ABC-SR02.
D. You should consider having the zone transfer settings of the ABC.com zone configured on ABC-SR01.
E. You should consider having ABC-SR02 promoted to a domain controller.

Answer: D

Explanation:

QUESTION NO: 29
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a server named ABC-SR03 that functions as an Enterprise Root certification authority (CA). ABC.com issues a new security policy that states that only an ABC.com CEO named Kara Lang must be allowed to sign code.

What action should you take to implement this policy? (Choose all that apply.)

A. You should publish a list of trusted certificate authorities and only grant Kara Lang the necessary permissions to access the Trusted Publishers list.
B. You should apply the code signing template to ABC-SR03 and configure the template to only grant Kara Lang the necessary permissions to request code signing certificates.
C. You should import the Online Certificate Status Protocol (OCSP) Response Signing certificate to ABC-SR03 and only grant Kara Lang the necessary permissions to distribute code signing certificates.
D. You should add ABC-SR03 to the CertPublishers group and only grant Kara Lang the necessary permissions to manage ABC-SR03.

Answer: B

Explanation:

QUESTION NO: 30

You work as a systems administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

You are responsible for managing a stand-alone server named ABC-SR05. You are in the process of configuring ABC-SR05 as an Enterprise certification authority (CA). You now want to assign the Active Directory Certificate Services (AD CS) role to ABC-SR05. However, you notice that you cannot select the Enterprise CA option.

What action should you take to configure ABC-SR05 as an Enterprise CA?

A. Your best option would be to first configure ABC-SR05 as a Standalone CA.
B. Your best option would be to first have ABC-SR05 joined to the ABC.com domain.
C. Your best option would be to first install Internet Information Services (IIS) on ABC-SR05.
D. Your best option would be to first assign the Active Directory Certificate Services (AD CS) role to ABC-SR05.

Answer: B

Explanation:

QUESTION NO: 31

You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista Enterprise Edition. All client computers are located in an Organizational Unit named ClientPCs.

ABC.com has acquired a new third-party application that you need to install on the client computers. Before you can install the application you need to prepare the client computers by applying a file named PGApp.adm to them. The PGApp.adm file makes changes to the registry on the client computers.

What action should you take to apply the PGApp.adm file?

A. Your best option would be to create a transformation package that applies the PGApp.adm file and assign the package to the client computers.
B. Your best option would be to copy the PGApp.adm file to a network share and write a Microsoft Windows PowerShell script that applies the file to the client computers.
C. Your best option would be to write a Microsoft Windows PowerShell script that copies the PGApp.adm file to the client computers.
D. Your best option would be to create a Group Policy Object (GPO) that imports the PGApp.adm and link the GPO to the ClientPCs OU.

Answer: D

Explanation:

QUESTION NO: 32 DRAG DROP

You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a member server named ABC-SR05. You assign the Active Directory Certificate Service (AD CS) role to ABC-SR05. You create a security group named SMCGRP. You want to grant the SMCARD group the necessary permissions to issue smartcard credentials. However, the SMCGRP must not be granted the permissions to revoke certificates.

Which actions should you take? (To answer, drag the appropriate action to the appropriate location in the work area.)

Answer:

QUESTION NO: 33

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista. ABC.com has its headquarters in London and branch offices in Lisbon, Madrid and Paris. Each office is structured as a separate site named London, Lisbon, Madrid and Paris.

Due to company growth, ABC.com has hired 150 additional employees that are distributed among the four sites. You create user accounts for the new ABC.com users. However, the new users complain that when they attempt to log on to the domain they receive an error message stating that their username or password is incorrect.

What action should you take to allow the new ABC.com users to log on to the domain?

A. You should consider resetting the user accounts for the new users.
B. You should consider adding the new users to the Remote Desktop Users group.
C. You should consider running the repadmin /replicate command.
D. You should consider installing Global Catalog servers at the Lisbon, Madrid and Paris sites.

Answer: C

Explanation:

QUESTION NO: 34

You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.

The ABC.com network has four Windows Server 2008 domain controllers named ABC-DC01, ABC-DC02, TESKING-DC03 and ABC-DC04. All four domain controllers run the DNS Server role and are part of an Active Directory integrated zone. The ABC.com network also has a UNIX-based DNS server named ABC-SR05.

One of the administrators in your department created an Active Directory-integrated zone for ABC.com. ABC.com has recently acquired a During the course of the business day you receive an instruction from the CIO to configure the Windows Server 2008 organization. ABC.com plans to make use of this configuration to permit zone transfers of the ABC.com zone to ABC-SR01.

What action should you take to ensure that zone transfers to ABC-SR05 can occur?

A. You should consider installing Active Directory Lightweight Directory Services (AD LDS) on ABC-SR05.
B. You should consider running the dcpromo command on ABC-SR05.
C. You should consider having a stub zone created for ABC-SR05.
D. You should consider configuring BIND secondaries.

Answer: D

Explanation:

QUESTION NO: 35

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01.

You log on as the Domain Administrator on ABC-DC01 to view the Active Directory Schema console. However, you cannot locate the Active Directory Schema console.

What action should you take to locate the console?

A. You should consider running the net start "Active Directory Services" command on ABC-DC01.
B. You should have the Schema Master Operations role assigned to ABC-DC01.
C. You should consider having Schmmgmt.dll registered on ABC-DC01.
D. You should consider logging on to ABC-DC01 as the Local Administrator.

Answer: C

Explanation:

QUESTION NO: 36

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a server named ABC-SR02 that functions as a stand-alone Certificate Authority (CA). You want to track any modifications made to the configuration and security settings of ABC-SR02.

What action should you take?

A. You should configure auditing in the Certification Services console.
B. You should add ABC-SR02 to the PGCertificates group.
C. You should configure the Audit object Access setting on ABC-SR02.
D. You should join ABC-SR02 to the ABC.com domain.
E. You should enable the Authority Information Access (AIA) extension on ABC-SR02.

Answer: C

Explanation:

QUESTION NO: 37

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. The domain functional level is set at Windows Server 2008.

The ABC.com network has a file server named ABC-SR04. You configure a shared folder named KINGDATA on ABC-SR04. You then move users to a new global distribution group named DISTGRP. You grant a domain local group named DLOCGRP access to KINGDATA. You then add DISTGRP to DLOCGRP.

What action should you take to make sure that all users in the DISTGRP group are able to access the KINGDATA share?

A. You should configure DISTGRP to be a universal distribution group.
B. You should configure DISTGRP to be a security group.
C. You should configure DLOCGRP to be a universal security group.
D. You should add the DISTGRP to the Local Administrators group on ABC-SR04.

Answer: B

Explanation:

QUESTION NO: 38

You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago.

ABC.com opens a new branch office in Dallas. You need to allow ABC.com users in the Dallas office to access network resources in the Chicago office. You assign the ABC.com users in the Dallas office the Read and Execute permissions to the network resources in the Chicago office. You then create a VPN connection which the ABC.com users in the Dallas office use to establish connectivity to the Chicago office. However, the users in the Dallas office report that they cannot connect to the Chicago office by using the VPN connection.

What action should you take to resolve this problem?

A. Your best option would be to assign the Allow Access Dial-in permission to the users in the Dallas office.
B. Your best option would be to make the users in the Dallas office members of the Remote Desktop Users security group.
C. Your best option would be to make the users in the Dallas office members of the Network Configuration Operators security group.
D. Your best option would be to delete and recreate the VPN connection.

Answer: A

Explanation:

QUESTION NO: 39

You work as the network administrator at ABC.com. The network has the following configuration. Server named ABC-DC01. Set up as a domain controller. Running Windows Server 2008. The client computers are using Lightweight Directory Access Protocol (LDAP).

What action should you take to determine which LDAP clients are consuming the most CPU resources on ABC-DC01?

A. You should open System Information and view the Hardware Resources node.
B. You should open Task Manager and view the Processes tab.
C. You should open the Active Directory Diagnostics Data Collector and view the Active Directory report.
D. You should open the Resource Monitor and view the CPU performance data.

Answer: C

Explanation:

QUESTION NO: 40

You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. All servers on the ABC.com network run Windows Server 2003.

You need to upgrade the domain controllers from Windows Server 2003 to Windows 2008 on the ABC.com domain.

What command can be used on servers running Windows 2003 in order to prepare ABC.com for the upgrade?

A. You should execute the dcpromo /adv command.
B. You should execute the adprep /forestprep and the adprep /domainprep commands.
C. You should set the domain functional level to Windows Server 2008.
D. You should execute the dcpromo /createdcaccount command.

Answer: B

Explanation:

QUESTION NO: 41

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a server named ABC-SR01 configured as a domain controller as well as a DNS server configured with several Active Directory Integrated Zones.

What action should you take if you want to copy the zone files on ABC-SR01 to a network share?

A. You should consider having the dnscmd /ZoneExport command executed on ABC-SR01.
B. You should consider having the dnscmd /WriteBackFiles command executed on ABC-SR01.
C. You should consider having the dnscmd /Info command executed on ABC-SR01.
D. You should consider having the dnscmd /EnumRecords command executed on ABC-SR01.
E. You should consider having the dnscmd /EnumZones command executed on ABC-SR01.

Answer: A

Explanation:

QUESTION NO: 42

You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Seattle and branch offices in Dallas, Miami and Chicago. Each office is configured as a separate site named Seattle, Dallas, Miami and Chicago.

The Seattle site has three domain controllers named ABC-DC01, ABC-DC02 and TGESPGING-DC03. The Dallas site has a single domain controller named ABC-DC04, the Miami site has a single domain controller named ABC-DC05 and the Chicago site has a single domain controller named ABC-DC06. ABC-DC01, ABC-DC02 and TGESPGING-DC03 are configured as Global Catalog servers.

Where should you consider deactivating the Universal Group Membership Caching (UGMC) option at the Dallas, Miami and Chicago offices?

A. You should consider deactivating the UGMC in Active Directory Users and Computers.
B. You should consider deactivating the UGMC at the Site level.
C. You should consider deactivating the UGMC through a Group Policy Object linked to the domain.
D. You should consider deactivating the UGMC at the Organizational Unit (OU) level.

Answer: B

Explanation:

QUESTION NO: 43

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2003.

You have just performed the migration of domain controllers from Windows 2003 to Windows 2008.

Which of the following commands can be used to configure DFS Replication (DFS-R) to replicate the Sysvol share?

A. This can be accomplished by running the netdom /dfs -r command.
B. This can be accomplished by raising the domain functional level to Windows Server 2008.
C. This can be accomplished by running the dfsutil /share:sysvol command.
D. This can be accomplished by running the dfsutil /addstdroot command.

Answer: B

Explanation:

QUESTION NO: 44

You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com. The forest functional level is set at Windows Server 2003 Native Mode. ABC.com has two divisions, namely Chicago and Dallas.

The ABC.com network has three Windows Server 2003 domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03 that are located in the Chicago office. You want to install a read-only domain controller (RODC) named ABC-DC04 in the Dallas office.

What action should you consider?

A. You should consider upgrading ABC-DC01 to Windows Server 2008 and then execute the adprep /rodcprep command on ABC-DC01.
B. You should consider configuring the Dallas network as a separate site and upgrading ABC-DC04 to Windows Server 2008.
C. You should consider upgrading all domain controllers to Windows Server 2008 and having the forest functional level set to Windows Server 2008.
D. You should consider configuring the Dallas network as a child domain with the domain functional level set at Windows Server 2008.

Answer: A

Explanation:

QUESTION NO: 45

You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.

You have a workstation called ABC-WS10 and performed the following tasks:
- Installed Windows Vista Enterprise.
- Added it to the ABC.com domain.

What action should you take to make sure that the ABC-WS10 computer account has been created in an organizational unit (OU)?

A. You should consider using Active Directory Users and Computers to create the computer accounts.
B. You should consider using the csvde command.
C. You should consider using the ldifde command.
D. You should consider using the dsadd command.

Answer: D

Explanation:

QUESTION NO: 46

You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. The ABC.com network has two domain controllers named ABC-DC01 and ABC-DC02.

What action should you take to verify the successful replication of Active Directory information from ABC-DC01 to ABC-DC02?

A. You should execute the RepAdmin command on ABC-SR02.
B. You should execute the Dnscmd command on ABC-SR02.
C. You should execute the Dsmod command on ABC-SR02.
D. You should execute the RepMonitor command on ABC-SR02.
E. You should execute the Rsdiag command on ABC-SR02.

Answer: A

Explanation: RepAdmin is a command-line utility that is used to view as well as configure Windows Server 2008 replication between domain controllers.

QUESTION NO: 47

Your company has two locations: Chicago and Miami. The network is configured as a single Active Directory domain. You are planning to install Windows Server 2008 on a domain controller at each location. IP addresses will be assigned using a Dynamic Host Configuration Protocol (DHCP) server at each location.

Your solution must meet the following requirements:
* Administrators in Chicago need to be able to create and modify Active Directory accounts.
* Administrators in Miami need to be able to update drivers on the domain controller in Miami, but should not be able to create or modify user accounts.
* Records in the Domain Name System (DNS) database must be kept up to date.
* Only Active Directory domain members can register with the DNS server.
* Name resolution traffic across the Wide Area Network (WAN) link should be minimized.

You need to plan the DNS configuration. What should you do? (Each correct answer presents part of the solution. Choose two.)

A. Deploy a standard primary zone in Chicago.
B. Deploy an Active Directory-Integrated zone in Miami.
C. Deploy a primary read-only zone in Miami.
D. Deploy a stub zone in Miami.
E. Deploy an Active Directory-Integrated zone in Chicago.

Answer: C,E

Explanation:

QUESTION NO: 48

You have deployed Active Directory Federation Services (AD FS) in your organization. You need to configure another organization as a federated partner. Your organization is the resource partner in this partnership.

You need to exchange partner values with the partner organization. You want to do this with as little administrative effort as possible.

What should you do?

A. Add your partner's domain as an Active Directory Domain Services (AD DS) Account store.
B. Export your trust policy files and send the resulting file to the partner administrator.
C. Have the partner send its federation server's validation certificate.
D. Deploy an AD FS Proxy in the partner's perimeter network.

Answer: B

Explanation:

QUESTION NO: 49

A computer running Microsoft Windows Server 2008 is configured as a domain controller. The computer also supports other services, including the Dynamic Host Configuration Protocol (DHCP) service.

You need to move the Active Directory database on the computer. You must minimize the impact on the other services running on the computer.

What should you do first? (Each correct answer presents a complete solution. Choose two.)

A. Use Computer Manager to stop the Active Directory service.
B. Run Net stop to stop the Active Directory service.
C. Run Ntdsutil to compact the database.
D. Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.
E. Restart the domain controller in Directory Services Restore Mode (DSRM).

Answer: A,B

Explanation:

QUESTION NO: 50

Your company's network consists of 10 Microsoft Windows Server 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000 client computers running Windows XP Professional. All computers are members of a single Active Directory domain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. Users are required to enroll for a User certificate using Web enrollment.

Users are reporting that the response time is very slow when accessing servers that host financial data. Certificate authentication is required to access these servers. You discover that the network is extremely busy and network bandwidth is reaching capacity.

You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network. What should you do?

A. Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except the User template.
B. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List (CRL).
C. Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.
D. Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication interval.

Answer: B

Explanation:

QUESTION NO: 51

Your company's network is configured as a single Active Directory domain. All domain controllers are running Windows Server 2008. The network currently has only a single site. The company is preparing to open a branch office.

You must ensure that administrators at the branch office can create, modify, and delete user accounts only for employees at the branch office. Administrators must be able to manage user accounts even if the link to the corporate office is unavailable.

What should you do?

A. Install a read-only domain controller (RODC) at the branch office. Create a global group named BranchAdmins. Create an organizational unit (OU) named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
B. Install a read-only domain controller (RODC) at the branch office. Create a global group named BranchAdmins. Create a domain local group named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
C. Install a standard domain controller at the branch office. Create a global group named BranchAdmins. Create a domain local group named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.
D. Install a standard domain controller at the branch office. Create a global group named BranchAdmins. Create an organizational unit (OU) named BranchUsers. Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

Answer: D

Explanation:

QUESTION NO: 52

You work as a Network Administrator for Perfect Solutions Inc. The company has its headquarters in Los Angeles. The branch offices of the company are located in Denver, San Jose, and San Diego. All locations are connected through 128Kbps leased lines.

You are configuring the network of the company. The company wants to configure a Windows 2008 Active Directory-based network. You are supposed to provide a design for the network. The management of the company does not want unnecessary traffic over the WAN connection.

Which of the following strategies will you implement to fulfill the requirements of the company?

A. Create a separate site for each location. Move the domain controllers to their respective sites.
B. Create a separate site for each location. Keep all domain controllers at the headquarters site.
C. Create a site for the headquarters and move all domain controllers to this site.
D. Create a single site that covers all locations. Keep all domain controllers at the headquarters.

Answer: A

Explanation:

QUESTION NO: 53

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows 2008 Active Directory-based network. The company's network consists of two sites, namely San Francisco and San Diego. These sites are connected with a high-speed T1 line as shown in the image below:

The San Francisco site is highly protected and a firewall has been configured for its security. You create a site link to replicate the Active Directory data between the two sites. You find that the replication is not working properly. You know that the firewall is preventing data from being replicated between the two sites.

What will you do to resolve the issue?

A. Increase the cost of the site link.
B. Remove the firewall from the San Francisco site.
C. Make the firewall proxy server of the San Francisco site a preferred bridgehead server.
D. Schedule the site link to replicate the Active Directory data twenty-four hours a day.

Answer: C

Explanation:

QUESTION NO: 54

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows 2008 Active Directory-based network. All client computers on the network run Windows Vista Ultimate. You have configured a Dynamic DNS (DDNS) on the network.

There are a lot of mobile users who often connect to and disconnect from the network. Users on the network complain of slow network responses. You suspect that the stale records on the DNS server may be the cause of the issue. You want to remove the stale records.

Which of the following technologies will you use to accomplish the task?

A. Scavenging
B. Aging
C. Forwarding
D. RODC

Answer: A

Explanation:

QUESTION NO: 55

You work as a Network Administrator for McRoberts Inc. The company has a Windows 2008 Active Directory-based single domain network. The company has organized its OU structure according to its departments. Three organizational units (OUs) named HR, Marketing, and Administration are configured in the domain. You create a GPO named ADM and configure it to show desktop items that are required by most of the users in the Administration department. You link the GPO with the Administration OU. You find that the users in the Administration OU are not receiving the setting that was applied by the GPO on their computers. You suspect that the issue is due to some conflicting policies that are taking higher precedence over the other policies applied by the GPO.

Which of the following actions can you take to find out the policies applied on the users? Each correct answer represents a complete solution. Choose two.

A. Use the HFNETCHK.EXE command.
B. Use the NTDSUTIL utility.
C. Use the GPRESULT /z command.
D. Use the RSoP Wizard in logging mode.

Answer: C,D

Explanation:

QUESTION NO: 56

You work as a Network Administrator for Blue Well Inc. The company has a Windows 2000 single domain Active Directory-based network. The company wants to upgrade all its servers to Windows Server 2008 and then its network to a Windows 2008 Active Directory-based network. Before upgrading the network, you want to test the transfer of user and computer accounts from the existing environment to the new environment.

You take the following steps: Create some test users and a test group in the existing environment. Make these users members of the group. Create a new Windows 2008 forest in a new server.

Which of the following tools will you use to test the successful transfer of user and computer accounts and groups?

A. Windows Easy Transfer
B. ADMT v3
C. CSVDE
D. USMT 3.0

Answer: B

Explanation:

QUESTION NO: 57

You work as a Network Administrator for Tech Perfect Inc. The company has a Windows 2008 Active Directory-based single domain network. The company has two offices, one in Atlanta and the other in Denver. The company's headquarters is located in Atlanta. Both locations have been configured as separate sites. The headquarters contains 500 users, whereas the branch office in Denver contains fifty users. Users in the company use an application named REPORT that requires directory access.

The management of the company wants to raise the level of security data. The new company policy dictates that Active Directory data must be secure. You know that the physical security in the branch office can be compromised. You need to secure the domain controller in the branch office.

Which of the following steps will you take to accomplish the task?

A. Configure universal group membership caching at the branch office. Remove the domain controller.
B. Install a global catalog server at the branch office. Remove the domain controller.
C. Install an RODC at the branch office. Remove the domain controller.
D. Place the domain controller at the branch in a strong room secured with locks and keys.

Answer: C

Explanation:

QUESTION NO: 58

You work as a Network Administrator for Net World International. The company has an Active Directory-based Windows single forest network. Organizational units (OUs) are configured separately for each department. All the department's users and computers are placed in their respective OUs. A domain-level OU is also configured on the network to implement domain-wide policies. Rick, a Sales Manager, complains that he is unable to access an application. You suspect that a group policy is preventing Rick from accessing the application. You want to find out the effective group policies on Rick.

Which command-line tool will you use to accomplish the task?

A. GPUPDATE
B. GETRESULT
C. GPRESULT
D. Resultant Set of Policy Wizard

Answer: C

Explanation:

QUESTION NO: 59

You work as a Network Administrator for Tech Perfect Inc. The company has an Active Directory-based network. You have installed Windows Server 2008 on a computer. You want to configure the server as a Certificate Authority (CA).

Which of the following utilities will you use to accomplish the task?

A. Manage Your Server
B. Configure Your Server
C. Security Configuration Wizard
D. Server Manager

Answer: D

Explanation:

QUESTION NO: 60

You work as a Network Administrator for Maya Inc. The company has a Windows Active Directory-based single domain network. The company's offices are located in Los Angeles, Denver, San Jose, and San Diego. All locations have been configured as separate sites. The company's headquarters is located in Los Angeles. The network is configured as shown in the image below:

You have configured domain controllers at each site. A bridgehead server is configured at the headquarters. Each branch office contains fifty users. Users use an Active Directory integrated application. You find that the bridgehead server at the headquarters is receiving a lot of Active Directory replication traffic from the branch offices. You are required to reduce the Active Directory replication traffic.

Which of the following steps will you take to accomplish the task?

A. Install a global catalog server at the branch offices.
B. Configure universal group membership caching at the branch offices. Remove the domain controllers from the branch offices.
C. Replace the domain controllers at the branch offices with RODCs.
D. Change the 256kbps lines to T1 lines.

Answer: C

QUESTION NO: 61

You work as a Network Administrator for Maya Inc. The company has an Active Directory-based network. You install Server Core of Windows Server 2008 on a computer. You want to install an Active Directory Certificate Authority (CA) on the server.

Which of the following steps will you take to accomplish the task?

A. Run the Configure Your Server wizard.
B. Run the Manage Your Server wizard.
C. You cannot install AD CA in a Server Core installation of Windows Server 2008.
D. Run the Server Manager console.

Answer: C

Explanation:

QUESTION NO: 62 You work as a Network Administrator for Net World Inc. The company has a Windows ActiveDirectory-based single forest network. The functional level of the forest is Windows Server 2008.All client computers on the network run Windows Vista Ultimate. The company's headquarters is located in San Francisco. The company has three branch officeslocated in San Jose, San Diego, and New Orleans. Each location is configured as a different site.Each site location is configured as a separate domain too. The branch offices are connected to theheadquarters as shown in the image below:

The location information of the resources is placed in Active Directory. Users in the New Orleans domain regularly search for available resources in Active Directory by using the Entire Directory option. The users complain of slow response time while searching Active Directory for resources. You are required to improve the response time for users at the New Orleans office. Which of the following steps will you take to accomplish the task?
A. Configure a domain controller of the San Francisco domain at the New Orleans site.
B. Configure universal group membership caching at the New Orleans site.
C. Upgrade the 256Kbps WAN link to a 1Mbps WAN link.
D. Configure a global catalog server at the New Orleans office.

Answer: D

Explanation:

QUESTION NO: 63
You work as a Network Administrator for Maya Inc. The company has a Windows network environment. The network is configured as a Windows Active Directory-based single forest single domain network. The network contains Windows Server 2003 and Windows Server 2008 domain controllers. Client computers on the network either run Windows Vista Ultimate or Windows XP Professional. A new security policy is to be implemented. It requires multiple password policies to be implemented on the network. You are required to prepare the network for implementing the new security policy. Your solution must involve minimum administrative efforts. Which of the following steps will you take to accomplish the task? Each correct answer represents a part of the solution. Choose two.
A. Upgrade all domain controllers running Windows Server 2003 to Windows Server 2008.
B. Raise the functional level of the forest to Windows Server 2008.
C. Configure different domains for different password policies.
D. Upgrade all computers running Windows XP Professional to Windows Vista.
E. Raise the functional level of the domain to Windows Server 2008.

Answer: A,E

Explanation:

QUESTION NO: 64
You work as a Network Administrator for Peach Tree Inc. The company has a Windows Server 2003-based network. The company wants to upgrade all its Windows 2003 servers to Windows Server 2008. Before upgrading the servers, you want to test the new operating system and its reliability. You also want to test various different operating systems. Which of the following features of Windows Server 2008 allows you to install and run different operating systems on a single computer?
A. RODC
B. Hyper-V
C. RSoP
D. Online Responder

Answer: B

QUESTION NO: 65
You have been hired by McNeil Inc., to design the company's network. The company's headquarters is located in Denver. The company has many branch offices. All branch offices are connected to the headquarters through dedicated T1 lines. The management of the company wants to have a Windows 2008 Active Directory-based network. The company's policy states that only the administrators of the headquarters are allowed to create and manage user accounts. The local administrators in the branch offices are allowed to control their own resources only. Replication or authentication traffic on the WAN is not an issue here. Which of the following designs will you use to fulfill the requirements of the company?
A. Create a multi-forest network. Create a forest for each branch office and one for the main office. Delegate the authority for the resource administration to the local Administrators for their respective forests. Delegate the authority to the main office's forest to the Domain Admins group only.
B. Create a single domain network. Create an organizational unit (OU) for each branch office and an OU for the main office. Delegate the authority for the resource administration to the local Administrators for their own OUs. Delegate the authority for the main office's OU to the Domain Admins group only.
C. Create a domain for the main office. Create child domains for the branch offices. Keep all the user accounts in the main office domain and the resources on each domain of the branch offices. Give Administrators Full Control access to the domain controllers.
D. Create a single domain network. Create a site for each branch office and a site for the main office. Delegate the authority for the resource administration to the local Administrators for their respective sites. Delegate the authority of the main office's site to the Domain Admins group only.

Answer: B

Explanation:

QUESTION NO: 66
You are the systems administrator for your company, a plastic container manufacturer and distributor. The company's network consists of a single Active Directory forest. The network contains an Internet Information Services (IIS) server that hosts a Web application that allows users to purchase your company's products online. Your company has a partner organization, a graphic design firm that designs your company's products. The partner company has its own Active Directory forest. You are required to enable users in the partner organization to access your Web application without being prompted for secondary credentials. Which Windows Server 2008 server role should you install in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization?
A. Active Directory Rights Management Services (AD RMS)
B. Active Directory Federation Services (AD FS)
C. Active Directory Lightweight Directory Services (AD LDS)
D. Active Directory Directory Services (AD DS)

Answer: B

Explanation:

QUESTION NO: 67
You administer your company's network. The network consists of a single Active Directory domain. All servers run Windows Server 2008, and all client computers run Windows Vista. The company's written security policy stipulates that employees must use certificates for remote access and secure e-mail. Only designated administrators are authorized to approve users' requests for certificates, issue certificates, and revoke certificates. You install Certificate Services on several servers and configure them as enterprise certification authorities (CAs). You must assign the appropriate privileges to the designated administrators in accordance with the company policy. Which of the following should you do?
A. Issue an Enrollment Agent certificate to each designated administrator.
B. Assign the designated administrators to the Certificate Manager role on each CA.
C. Assign the Allow - Enroll permission for each certificate template to the designated administrators.
D. Assign the Allow - Write permission for each CA to the designated administrators.

Answer: B

Explanation:

QUESTION NO: 68
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. A computer running Windows Server 2008 has both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles installed. The AD LDS server contains an instance with the default name that is used by several applications that access data from and write data to the AD LDS database. Over time, users report to you that the AD LDS applications have become slow. To resolve this problem, you want to defragment the AD LDS database. What should you do to perform an offline defragmentation of AD LDS database? (Choose all that apply. Each correct answer is part of a single solution.)
A. Restart the domain controller in Directory Services Restore Mode.
B. Run the Net stop Adam_instance1 command.
C. Run the Net stop Ntds command.
D. Use the Ntdsutil command with the appropriate parameters to defrag the database.
E. Run the Net start Adam_instance1 command.
F. Run the Net start Ntds command.

Answer: B,D,E

QUESTION NO: 69
You are a network administrator for your company. The corporate network consists of a single Active Directory domain where all servers run Windows Server 2003 and all client computers run Windows XP Professional. You use a Group Policy object (GPO) to deploy an application on the network. Later, you receive a different application to work with the files that have the same filename extensions instead of the previously deployed application. You must deploy the new application, but users should not have to install it if they choose to use the original application instead of the new one. However, only one of these applications should be installed on the same computer. Which of the following should you do?
A. Assign the new application to computers; specify in the GPO that the original application be removed before the new one is installed.
B. Publish the new application to computers and remove the GPO that deploys the original application.
C. Assign the new application to users and remove the GPO that deploys the original application.
D. Publish the new application to users; specify in the GPO that the original application be removed before the new one is installed.

Answer: D

Explanation:

QUESTION NO: 70
You are the network administrator for Network Corporation. Your network has a single domain, and all of the domain controllers run Windows Server 2008. A domain controller in the branch office failed this morning. This domain controller does not hold any other roles. You bring the domain controller back online, but you need to perform a nonauthoritative restore of the domain controller. You do not have a critical volume backup of the domain controller on hand, but you do have a recent full backup. What should be your first action to perform a nonauthoritative restore of the domain controller?
A. Perform a critical backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
B. Perform a full backup of another domain controller. Reboot the failed domain controller into Directory Services Restore Mode (DSRM).
C. At the command prompt, type bcdedit /set safeboot dsrepair and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.
D. At the command prompt, type bcdedit /set safeboot and hit Enter. At the next command prompt, type shutdown -t 0 -r and hit Enter.

Answer: C

Explanation:

QUESTION NO: 71
You are the network administrator of your company. Your company has a main office and a branch office. The main office network consists of a single Active Directory domain. You want to create a new domain for the branch office in the same forest as the main office domain. Which operations master role must be available in the forest for you to create a new domain for the branch office successfully?
A. Schema master
B. Domain naming master
C. Relative ID (RID) master
D. Primary domain controller (PDC) emulator master
E. Infrastructure master

Answer: B

Explanation:

QUESTION NO: 72
You are the network administrator of your company. You install Windows Server 2008 on all servers on the network. All client computers are configured to run Windows Vista. You want to be able to use Advanced Encryption Standard (AES) with Kerberos for encryption of Ticket Granting Tickets (TGTs), service tickets, and session keys. What is the minimum domain functional level that is required to support AES encryption with Kerberos?
A. Windows 2000 Server mixed
B. Windows 2000 Server native
C. Windows Server 2003
D. Windows Server 2008

Answer: D

QUESTION NO: 73
You are the systems administrator for your company. The company's network consists of a single Active Directory domain. All domain controllers run Windows Server 2008, and all client computers run Windows Vista. You have a public key infrastructure that has a subordinate enterprise Certification Authority (CA), which issues certificates on behalf of the root CA. You have a certificate template that allows users to autoenroll, and a group policy object that distributes the certificates to users. All users are able to automatically obtain certificates. You now want routers and other network devices to be able to obtain certificates from the CA. What should you do?
A. Assign the routers and network devices the Autoenroll permission in a certificate template.
B. Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices are published in Active Directory.
C. Install the Online Certificate Status Protocol (OCSP) role service for AD CS.
D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.

Answer: D

Explanation:

QUESTION NO: 74
You are the network administrator for your company. Your company's network has a single forest with three domains. All domain controllers in your forest are Windows Server 2008. Each domain is configured to be a separate site. Recently the telephone company has changed the telephone number of a department in the location of one of your company's domains. There are 55 accounts that are affected by the telephone number change. You need to change the telephone number property in the 55 different accounts. You want to perform the update as quickly as possible. What should you do?
A. Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number and use CSVDE to import the accounts.
B. In Active Directory Users and Computers, select Find from the Action menu and create a saved LDAP query that will return the 55 user accounts. Select all of the user accounts returned by the query and simultaneously modify the telephone number in their accounts' properties.
C. Create a saved LDAP query that will return user accounts of the 55 user accounts. Export the results to a tab-delimited file, modify the expiration date in the file and use the LDIFDE utility to import the file into Active Directory.
D. In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query that will return the 55 user accounts. Export the results to a comma-delimited file, modify the expiration date in the file and use the CSVDE utility to import the file into Active Directory.

Answer: B

Explanation:

QUESTION NO: 75
You are the administrator for a nationwide company with over 5,000 employees. Your main office has approximately 4,500 employees, while the company’s ten remote offices have 50 users residing in each. You are often unaware of the physical security in place at these offices. However, since there is a fairly sizable number of users at each office, you must provide them with directory services. What is the BEST option to use for directory services when security is often an unknown?
A. Lightweight Directory Services
B. Read-only domain controllers
C. Active Directory Federation Services
D. Active Directory Rights Management Services

Answer: B

Explanation:

QUESTION NO: 76
You are the administrator for a nationwide company with over 5,000 employees. Your director tells you your company has just signed into a partnership with another organization, and that you will be responsible for ensuring that authentication can occur between both organizations without the need for additional sign-on accounts. Your boss mentions that the partner has a variety of Directory Services installed throughout their organizations. Which of the following can Active Directory Federation Services NOT connect to?
A. Lightweight Directory Services
B. Windows Server 2003 Directory Services
C. Windows Server 2003 R2 Directory Services
D. All of the above

Answer: B

Explanation:

QUESTION NO: 77
You are the administrator for a nationwide company that currently runs Windows Server 2008 DNS and are reviewing the resource records in your Active Directory–integrated DNS zone. You notice there are hostnames that do not meet your company’s naming convention and verify that the computers are not members of your Active Directory domain. What must you do to ensure these hosts cannot create records in your DNS zone?
A. Disable DNS and enable DHCP.
B. Configure your zone to enable secure dynamic updates.
C. Disable dynamic updates in your zone.
D. You cannot prevent this from occurring in DNS.

Answer: B

Explanation:

QUESTION NO: 78
You are creating a new standard primary zone for the company you work for, Name Resolution University, using the domain nru.corp. You create the zone through the DNS management console, and now you want to view the corresponding DNS zone file, nru.corp.dns. Where do you need to look in order to find this file?
A. You cannot view the zone file because it is stored in Active Directory.
B. You can look in the %systemroot%\system32\dns folder.
C. You cannot view the DNS file except by using the DNS management console.
D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if you want to view the file.

Answer: B

Explanation:

QUESTION NO: 79
You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNS zones on this server. What command-line utility would you use to accomplish this?
A. ocsetup.
B. netsh.
C. dnscmd.
D. None of the above. You must use the GUI from another Windows Server 2008 host.

Answer: C

Explanation:

QUESTION NO: 80
What is the purpose of resetting an account?
A. Helps you reset a computer password stored in Active Directory so the computer can make a trusted connection with Active Directory.
B. Helps you reboot the computer.
C. Helps you restart netlogon services.
D. Helps you change the authentication protocol from NTLM to Kerberos.

Answer: A

QUESTION NO: 81
Josh is responsible for administering a small Active Directory domain. Recently, your company has acquired a small company where all the computers are installed in a workgroup. Which of the following operations must she perform in order to create the computer accounts? (Choose all that apply.)
A. Select Start | Run, and then type in the joinallwks /user:administrator command.
B. Select Start | Programs | Administrative Tools | Active Directory Users and Computers, and then right-click the computer container and create the computer objects.
C. Rename the existing computers in a workgroup.
D. Query for resources.

Answer: B

Explanation:

QUESTION NO: 82
Himma is managing an Active Directory environment of a medium-size company. He is troubleshooting a problem with the Active Directory. One of the administrators made an update to a user object and another reported that he had not seen the changes appear on another DC. It was more than a week since the change was made. Robin checks the problem by making a change to another Active Directory object. Within a few hours, the change appears on a few DCs, but not on all of them. Which of the following is a possible cause for this problem?
A. Connection objects are not properly configured.
B. Robin has configured one of the DCs for manual updates.
C. There might be different DCs for different domains.
D. Creation of multiple site links between the sites.

Answer: A

Explanation:

QUESTION NO: 83
You are a systems administrator for an Active Directory environment that consists of two dozen sites. The physical network environment is not fully routed, and you have disabled automatic site link transitivity. Now you want to set up three site links to be transitive, as they are physically connected to one another. Which of the following Active Directory objects is responsible for representing a transitive relationship between sites?
A. Additional sites
B. Additional site links
C. Bridgehead servers
D. Site link bridges

Answer: D

Explanation:

QUESTION NO: 84
Maria is an administrator of a medium-size organization responsible for managing Active Directory replication traffic. She finds an error in the replication configuration. How can she look for specific error messages related to replication?
A. Use the Active Directory Sites and Services administrative tool
B. Use the Disk Management tool
C. View the System log option in the Event Viewer
D. View the Directory Service log option in the Event Viewer

Answer: D

Explanation:

QUESTION NO: 85
Martin is going to be migrating his Lotus Notes environment into his newly established Windows Server 2008 forest. He has guidance on what he will require for Group Policy settings for the different teams and departments. He has not yet created his OU structure. How should Joey proceed in creating the required GPOs?
A. Create stand-alone GPOs
B. Create the GPOs at the Domain level
C. Create the GPOs at the Site level
D. Wait to create the GPOs until the OU structure is in place

Answer: A

Explanation:

QUESTION NO: 86
The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on every computer in the company. You are the most senior administrator in the company and have full access to every computer, and to Active Directory. Your company has a single domain and site. Which one of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to all computers.
B. You configure a GPO at the site level, and assign the application to all computers.
C. You create a GPO with the required settings and link it into all OUs that have computer accounts in it. You set the options to assign the application to computers.
D. You tell him it cannot be done.

Answer: D

Explanation:

QUESTION NO: 87
Joe is responsible for administering her company’s PKI. The company has an offline root CA and four enterprise subordinate CAs, each of which issues certificates to users in a major division of the company. As a result of corporate downsizing and reorganization, one of the four major divisions is being disbanded. Betsy must ensure that resources on the network will not accept certificates from the subordinate CA located in the division that is being disbanded. Which of the following should she do? (Each correct answer represents part of the solution. Choose three answers.)
A. At the disbanded division’s subordinate CA, revoke all the certificates that it has issued.
B. Uninstall the AD CS role from the disbanded division’s subordinate CA.
C. Bring the offline root CA online, revoke the disbanded division’s subordinate CA’s certificate, and then take the root CA back offline.
D. Publish a new base CRL.
E. Publish a new delta CRL.
F. Copy the new CRL to the network’s CRL distribution point.
G. Add the AIA extension to all URLs where certificates issued by the disbanded division’s subordinate CA can be retrieved.

Answer: C,D,F

Explanation:

QUESTION NO: 88
Martin is responsible for administering AD CS within his company’s AD DS domain. He has configured a PKI that consists of a standalone root CA and two enterprise subordinate CAs on servers running Windows Server 2008 Enterprise Edition. He wants to configure the subordinate CAs to support the Online Responder service for keeping track of revoked certificates. Which of the following tasks must Jim perform? (Each correct answer represents part of the solution. Choose two answers.)
A. Enable the use of the OCSP Response Signing certificate template from the Certificate Templates snap-in.
B. Configure the CA servers to publish delta CRLs.
C. From the Extensions tab of the CA server’s Properties dialog box, configure a CRL distribution point on the CA servers.
D. From the Extensions tab of the CA server’s Properties dialog box, select the URL for the online responder, and select the check box labeled Include in the AIA Extension of Issued Certificates.
E. From the Extensions tab of the CA server’s Properties dialog box, select the URL for the online responder, and select the check boxes labeled Include in the AIA Extension of Issued Certificates and Include in the Online Certificate Status Protocol (OCSP) Extension.

Answer: A

QUESTION NO: 89
Lee is responsible for maintaining DNS on his company’s AD DS network, which consists of a single domain in which all servers run Windows Server 2008. The company operates an office in downtown Denver and a suburban office in Littleton. After upgrading a member server in the company’s suburban office to a domain controller, users at that office report that logon to the domain is slow. Upon investigating the problem, Roy notices that the service (SRV) resource records for the new domain controller are not registered in the DNS zone for the suburban office. What should he do to reregister these SRV resource records as quickly as possible?
A. Restart the DNS Server service.
B. Restart the DNS Client service.
C. Restart the Netlogon service.
D. Reboot the domain controller.

Answer: C

Explanation:

QUESTION NO: 90
Kevin is responsible for maintaining AD DS replication on his company’s network, which consists of three domains and nine sites. When he uses replmon to check the automatically configured replication topology, he notices that connection paths are not established in what he thinks is the optimum manner. What can Kevin do to manually change the topology?
A. Edit the Registry to indicate the appropriate paths.
B. Use Active Directory Sites and Services to manually create a site link object connecting the required servers.
C. Force the Knowledge Consistency Checker (KCC) to update the replication topology.
D. Brian cannot modify the replication paths. The KCC does not permit this type of configuration.

Answer: B

Explanation:

QUESTION NO: 91
Greg is the network administrator for a company that operates an AD DS network consisting of a single domain. Company executives have signed a long-term partnership agreement with another company that also operates an AD DS network. Users in Greg’s company will require access to rights-protected confidential information that is stored on web servers located on the second company’s network. Users in the second company will not require access to documents on Greg’s network. Which two of the following should Carol configure on her network? (Each correct answer represents part of the solution. Choose two answers.)
A. Active Directory Lightweight Directory Services (AD LDS)
B. Active Directory Rights Management Services (AD RMS)
C. Active Directory Federation Services (AD FS)
D. Active Directory Certificate Services (AD CS)
E. A one-way external trust relationship

Answer: B,C

Explanation:

QUESTION NO: 92
You are the network administrator for a company that operates an AD DS network consisting of a single domain. Servers run Windows Server 2008, and client computers run Windows Vista Enterprise. The domain contains OUs that are structured according to the departmental structure of the company, and all OUs have multiple GPOs linked to them. As a result of departmental reorganization, the Design OU needs to be moved under the Engineering OU. Alfredo needs to determine which objects in the Design OU are adversely affected by GPOs linked to the Engineering OU. What should Alfredo do to achieve this goal without disruption to users?
A. Use the Group Policy Modeling Wizard for the Design OU. Choose the Engineering OU to simulate policy settings.
B. Use the Group Policy Modeling Wizard for the Engineering OU. Choose the Design OU to simulate policy settings.
C. Use the Group Policy Results Wizard for the Design OU. Review the policy results for users in the OU.
D. Use the Group Policy Results Wizard for the Engineering OU. Review the policy results for users in the OU.

Answer: A

QUESTION NO: 93
Joe’s company operates an AD DS forest consisting of a single tree with an empty root domain and five child domains that represent operational divisions. Joe is responsible for maintaining the FSMO roles. In total, how many FSMO roles are present in this tree?
A. One schema master, one domain naming master, six RID masters, six PDC emulators, and six infrastructure masters
B. One schema master, one domain naming master, five RID masters, five PDC emulators, and five infrastructure masters
C. Six schema masters, six domain naming masters, six RID masters, six PDC emulators, and six infrastructure masters
D. One schema master, one domain naming master, one RID master, one PDC emulator, and one infrastructure master

Answer: A

Explanation:

QUESTION NO: 94
You administer the network for a catering company called Thoughtful Food. Your firm operates a single domain AD DS network that includes three Windows Server 2008 computers and a mix of Windows XP Professional and Windows Vista Business clients. Management has notified you that a competitor known as Engorge & Devour has taken a keen interest in your pumpkin soup recipe. Two employees of Thoughtful Food have recently resigned and taken up positions with Engorge & Devour, and management is afraid that they will attempt to steal proprietary formulas and recipes belonging to Thoughtful Food by breaking into your network. You are tasked with improving logon security on Thoughtful Food’s network by limiting the number of failed logon attempts for all users on the network and by establishing an audit policy for tracking failed logon attempts. Which of the following tasks should you undertake to complete this task? (Each correct answer represents part of the solution. Choose two answers.)
A. Edit the Default Domain Policy GPO to enable auditing and account lockout.
B. Monitor the security log for failed account management attempts on each domain controller.
C. Monitor the security log for failed logon attempts on each domain controller.
D. Configure a local security policy on each computer in the domain.

Answer: A,C

Explanation:

QUESTION NO: 95
Kevin is the senior network administrator for his company. The CIO has asked him to create an OU structure that enables the Research department to administer its own user accounts so that the IT department staff other than Kevin don’t have permissions to this OU. Kevin is the only member of the Enterprise Admins group, other than the domain’s default administrator account, whose password is known only by Kevin and the CIO. Kevin creates a Research Admins security group and Research OU, delegates administrative permissions to the Research Admins group, and removes the IT department security group from the permissions list. A few days later, Kevin discovers that another administrator has been resetting user accounts for Research employees. What has he missed?
A. Kevin needs to create a separate Research domain to isolate it from the corporate domain.
B. Kevin needs to change the password on the domain administrator account because the other administrator must be using that account.
C. Kevin needs to remove the Enterprise Admins group from the permissions list.
D. Kevin needs to remove the Domain Admins group from the permissions list.

Answer: D

Explanation:

QUESTION NO: 96
Jim is the systems administrator for a company that operates an AD DS network consisting of a single domain. He is configuring the properties of several GPOs, one of which is linked to the domain, and the others are linked to various OUs, including child OUs. At the domain level, Jim configures a Restricted Desktop GPO that removes the Network and Games folders from the Start menu. On the Scope tab for this policy in Group Policy Management Console (GPMC), he sets the Enforced option to Yes. Jim also configures another GPO that disables the removal of the Network folder, links it to the IT OU, and specifies Block Inheritance so that the IT staff will be able to use this folder. Later, a couple of IT staffers call to complain that they are unable to reach the Network folder. What is the most likely reason that IT staffers are unable to reach the Network folder?
A. Block Inheritance takes precedence over Enforced.
B. Enforced takes precedence over Block Inheritance.
C. When both these options are set, they cancel each other out.
D. The policies that Jim configured at the OU level were ignored because these options can be set only at the site or domain level.

Answer: B

Explanation:
