2026 New 70-640 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/70-640/
NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com.
The domain contains an enterprise certification authority (CA).
You plan to deploy certificates to all of the domain users. The certificates will be based on a custom Smartcard Logon template.
You need to recommend a solution to ensure that the users can log on to the domain by using smart cards.
What should you include in the recommendation?
- A. From Certificate Templates, set the minimum certificate key size to 512.
- B. From Active Directory Users and Computers, select Use Kerberos DES encryption types for this account
- C. From Certificate Templates, include the user principal name (UPN) in the subject alternate name (SAN) of the template
- D. From Active Directory Users and Computers, configure Published Certificates for the user account
Answer: C
Explanation: Request a smart card certificate from the third-party CA.
Enroll for a certificate from the third-party CA that meets the stated requirements. The method for enrollment varies by the CA vendor.
The smart card certificate has specific format requirements:
* Subject Alternative Name = Other Name: Principal Name = (UPN). For example: UPN = user1@name.com
The UPN OtherName OID is "1.3.6.1.4.1.311.20.2.3"
The UPN OtherName value must be an ASN.1-encoded UTF8 string
* Subject = Distinguished name of the user.
* The CRL Distribution Point (CDP) location (where CRL is the Certificate Revocation List) must be populated, online, and available.
* Key Usage = Digital Signature
* Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)
* Enhanced Key Usage
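The SAN requirement above is the one most often got wrong in practice, so here is an added example (written for this page, not code from the exam dump or from Microsoft) that DER-encodes the UPN otherName exactly as listed, OID 1.3.6.1.4.1.311.20.2.3 with a UTF8String value, and parses a SAN value back to check whether a UPN is present. Only the standard library is used; the UPN user1@name.com is the page's own sample value.

```python
# Added example (not from the exam dump): DER-encode and parse the
# Subject Alternative Name value that smart card logon needs, i.e. an
# otherName whose type-id is the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3
# and whose value is an ASN.1 UTF8String. Standard library only.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME

# Tags used below: SEQUENCE, OBJECT IDENTIFIER, UTF8String, context [0]
# constructed, and the IMPLICIT [1] primitive tag of rfc822Name in GeneralName.
SEQUENCE, OID, UTF8STRING, CTX0, RFC822 = 0x30, 0x06, 0x0C, 0xA0, 0x81


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def encode_oid(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER: first two arcs packed into
    one byte, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_upn_san(upn: str) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName, holding one
    otherName [0] IMPLICIT OtherName ::= SEQUENCE { type-id OID,
    value [0] EXPLICIT UTF8String }. The IMPLICIT tag replaces the
    OtherName SEQUENCE tag, hence CTX0 rather than SEQUENCE for it."""
    other_name = (der_tlv(OID, encode_oid(UPN_OID))
                  + der_tlv(CTX0, der_tlv(UTF8STRING, upn.encode("utf-8"))))
    return der_tlv(SEQUENCE, der_tlv(CTX0, other_name))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length


def extract_upn(san_der: bytes):
    """Return the UPN carried in a SAN extension value, or None when no UPN
    otherName is present (a SAN with only rfc822Name or dNSName entries does
    not satisfy the smart card logon requirement)."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != SEQUENCE:
        raise ValueError("SAN value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != CTX0:                  # not an otherName entry
            continue
        oid_tag, oid, after_oid = read_tlv(body, 0)
        if oid_tag != OID or decode_oid(oid) != UPN_OID:
            continue                     # some other otherName type
        val_tag, explicit, _ = read_tlv(body, after_oid)
        if val_tag != CTX0:
            raise ValueError("OtherName value lacks its [0] EXPLICIT wrapper")
        str_tag, utf8, _ = read_tlv(explicit, 0)
        if str_tag != UTF8STRING:
            raise ValueError("UPN otherName value must be a UTF8String")
        return utf8.decode("utf-8")
    return None


def rfc822_only_san(address: str) -> bytes:
    """A SAN carrying the address only as rfc822Name, which is not a UPN."""
    return der_tlv(SEQUENCE, der_tlv(RFC822, address.encode("ascii")))
```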
NEW QUESTION 2
You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
Which utility should you run?
- A. Active Directory Domains and Trusts
- B. Repadmin
- C. Rstools
- D. Rsdiag
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall Synchronizes a specified domain controller with all replication partners.
NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to the Sales OU and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
- A. Configure Restricted Groups
- B. Configure the link order
- C. Link the GPO to the Sales OU
- D. Link the GPO to the Engineering OU
- E. Enable loopback processing in merge mode
- F. Modify the Group Policy permissions
- G. Configure WMI Filtering
- H. Configure Group Policy Preferences
- I. Enable loopback processing in replace mode
- J. Enable block inheritance
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283
Precedence of Multiple Linked GPOs An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.
Figure 6-10 GPO link order
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.
NEW QUESTION 4
ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network.
You are instructed to capture all replication errors from all domain controllers to a central location.
What should you do to achieve this task?
- A. Initiate the Active Directory Diagnostics data collector set
- B. Set event log subscriptions and configure it
- C. Initiate the System Performance data collector set
- D. Create a new capture in the Network Monitor
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events. Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.
http://technet.microsoft.com/en-us/library/cc961808.aspx
Replication Issues
NEW QUESTION 5
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2. Both domain controllers host an Active Directory-integrated zone for contoso.com. Each domain controller is located in a different city.
You have a member server named Server1. Server1 hosts a stub zone for contoso.com.
On DC1, you add a name server (NS) record to the contoso.com zone.
In the table below, identify which tool you must use to replicate the record to each server.
Make only one selection in each column. Each correct selection is worth one point. 
Answer:
Explanation: 
NEW QUESTION 6
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.
You have a custom certificate template named Template 1. Template1 is published to the CA.
You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1.
Which snap-in should you use?
- A. Security Templates
- B. Enterprise PKI
- C. Certification Authority
- D. Certificate Templates
- E. Certificates
- F. TPM Management
- G. Authorization Manager
- H. Group Policy Management
- I. Active Directory Users and Computers
Answer: D
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 593
Configuring Certificate Templates
AD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the
following capabilities:
(...)
Configuring access control lists (ACLs) on certificate templates
NEW QUESTION 7
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
- A. Raise the functional level of the forest to Windows Server 2008 R2.
- B. Modify the path of the SYSVOL folder on all of the domain controllers
- C. On a global catalog server, run repadmin.exe and specify the KCC parameter
- D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe
Answer: D
Explanation:
Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc794837.aspx
Using DFS Replication for replicating SYSVOL in Windows Server 2008
DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share.
When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated.
Explanation 2:
http://technet.microsoft.com/en-us/library/dd639809.aspx
Migrating to the Prepared State
The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication).
This migration phase includes the tasks in the following list.
Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
NEW QUESTION 8
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is "%1"."
You need to ensure that the domain controllers can acquire new account-identifier pools successfully.
What should you do?
- A. Move the domain naming master role
- B. Move the global catalog server
- C. Restart the Active Directory Domain Services (AD DS) service
- D. Deploy an additional global catalog server
- E. Move the infrastructure master role
- F. Move the PDC emulator role
- G. Install a read-only domain controller (RODC).
- H. Move the RID master role
- I. Move the bridgehead server
- J. Move the schema master role
Answer: H
Explanation:
http://technet.microsoft.com/en-us/library/cc756699.aspx
Event ID 16651 — RID Pool Request
Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. (...) Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
Event Details
Message
The request for a new account-identifier pool failed. The operation will be retried until the request succeeds.
The error is "%1"
Resolve
Check connectivity to the RID master, and check its replication status
A relative ID (RID) pool was not allocated to the local domain controller. Ensure that the local domain controller can communicate with the domain controller that is identified as the RID operations master.
Ensure that the RID master is online and replicating to other domain controllers.
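To make the "domain prefix plus RID" structure in the explanation concrete, here is an added example (written for this page, not from the exam dump or from Microsoft) that converts a SID between its string form and the binary form stored in AD DS and splits it into the domain SID and the RID. The sample SIDs are constructed; only the well-known SID layout is assumed.

```python
# Added example (not from the exam dump): take a security identifier apart
# into the domain prefix and the RID described above, in both the string
# form and the binary form that AD DS stores. The sample SIDs are constructed.
import struct


def parse_sid_string(sid: str):
    """'S-<revision>-<authority>-<sub-authorities...>' -> (rev, auth, [subs])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_bytes(sid: str) -> bytes:
    """Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    little-endian 32-bit value; the RID is the last of those."""
    rev, auth, subs = parse_sid_string(sid)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes) -> str:
    if len(data) < 8:
        raise ValueError("binary SID shorter than its fixed header")
    rev, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))


def split_domain_and_rid(sid: str):
    """Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>; a domain security
    principal's SID is that prefix plus one trailing sub-authority, the RID,
    which the issuing domain controller took from its current RID pool."""
    rev, auth, subs = parse_sid_string(sid)
    if (rev, auth) != (1, 5) or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain principal SID: {sid}")
    domain = "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs[:4]))
    return domain, subs[4]


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two principal SIDs share the same domain prefix."""
    return split_domain_and_rid(sid_a)[0] == split_domain_and_rid(sid_b)[0]
```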
NEW QUESTION 9
Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives.
You need to apply desktop restrictions to the sales executives group.
You must not apply these desktop restrictions to the sales managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
What should you do next?
- A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO
- B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO
- C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO
- D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO
Answer: D
Explanation:
http://support.microsoft.com/kb/816100
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups.
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Best Practice: How to exclude individual users or computers from a Group Policy Object
One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception to, then click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.
Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permissions and tick the “Deny” option against the “Apply Group Policy” permission.
Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control, as someone only needs to modify the group membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant them permission to the Group Policy Objects.
NEW QUESTION 10
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to run adprep /domainprep and the operation fails.
You discover that the first domain controller deployed to the forest failed.
You need to run adprep /domainprep successfully.
What should you do?
- A. Move the domain naming master role
- B. Install a read-only domain controller (RODC).
- C. Move the PDC emulator role
- D. Move the RID master role
- E. Move the infrastructure master role
- F. Deploy an additional global catalog server
- G. Move the bridgehead server
- H. Move the schema master role
- I. Restart the Active Directory Domain Services (AD DS) service
- J. Move the global catalog server
Answer: E
Explanation:
Adprep /domainprep must be run on the server holding the Infrastructure Master role. The role was originally installed on the first domain controller in the forest. Now it's down and another domain controller must get the Infrastructure Master role.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc754889.aspx
Planning Operations Master Role Placement
Operations master role holders are assigned automatically when the first domain controller in a given domain is created. The two forest-level roles (schema master and domain naming master) are assigned to the first domain controller created in a forest. In addition, the three domain-level roles (RID master, infrastructure master, and PDC emulator) are assigned to the first domain controller created in a domain.
Explanation 2:
http://technet.microsoft.com/en-us/library/dd464018.aspx
Adprep /domainprep Must be run on the infrastructure operations master for the domain.
NEW QUESTION 11
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1.
You need to log changes made to the Description attribute on all group objects in OU1 only.
What should you do?
- A. Run auditpol.exe
- B. Modify the auditing entry for OU1.
- C. Modify the auditing entry for the domain
- D. Create a new Group Policy Object (GPO). Enable the Audit account management policy setting
- E. Link the GPO to OU1.
Answer: B
Explanation:
http://ithompson.wordpress.com/tag/organizational-unit-move/
Do you need to track who/where/when for activities done against the OU’s in your AD? With Windows 2003 those were difficult questions to answer; we could get some very basic information from Directory Services Auditing, but it was limited and you had to read through several cryptic events (id 566). With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart). I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.
Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers; the other systems in your environment will be a different discussion.
So where do we start so that we can answer our question at the top of this discussion? First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1.
For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.
Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit. This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill down to set up the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.
Now we need to add more granularity, so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.
Now that our auditing is set up, what type of events can we expect to see? Here are a few examples:
In this example (Fig 5), id 5137, we see an OU being created by the Administrator.
Figure 6 shows a Sub OU being created.
Figure 7 shows id 5139, an OU being moved.
Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136. Figure 8 shows the first part of the rename process. Figure 9 shows the second part of the rename process.
Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.
With standard auditing some of the other items that we looked at would be next to impossible, such as tracking when an OU is renamed, and as you can see from fig 10 it is hard to read and understand if you did get an event.
Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.
NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com. The domain has one Active Directory site.
The domain contains an organizational unit (OU) named OU1. OU1 contains user accounts for 100 users and their managers.
You apply a Group Policy object (GPO) named GPO1 to OU1. GPO1 restricts several desktop settings.
The managers request that the desktop settings not be applied to them.
You need to prevent the desktop settings in GPO1 from being applied to the managers. All other users in OU1 must have GPO1 applied to them.
What should you do?
- A. Link GPO1 to the site and remove the link for GPO1 from OU1.
- B. Move the managers to a child OU of OU1 and block inheritance on the child OU
- C. Configure the permissions on OU1.
- D. Disable the computer configurations of GPO1.
Answer: B
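Questions 3, 9 and 12 all turn on how the client decides which linked GPO's settings win. The following added model (written for this page, not Microsoft code) reproduces the three rules those questions rely on, link order, Deny "Apply Group Policy" security filtering and block inheritance, and replays each question's scenario; it also models Enforced links, which the questions do not use. GPO, OU and group names are the questions' own, the settings are constructed.

```python
# Added example (not from the exam dump): a model of Group Policy precedence
# covering link order (question 3), Deny "Apply Group Policy" security
# filtering (question 9) and block inheritance on a child OU (question 12).
# GPO, OU and group names come from the questions; settings are constructed.
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                        # setting name -> value
    deny_apply: frozenset = frozenset()   # groups with Deny "Apply Group Policy"
    enforced: bool = False


@dataclass
class Container:
    """A site, domain or OU. links[0] has link order 1 (highest precedence)."""
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def resultant_settings(path, user_groups):
    """Apply the GPOs linked along path (site -> domain -> OU -> child OU).
    A GPO applied later overrides an earlier one only for the settings it
    defines, so non-conflicting settings from every applied GPO survive.
    Returns (effective settings, GPO names in the order they were applied)."""
    user_groups = set(user_groups)
    # Containers are processed top-down; inside a container the link with
    # link order 1 is applied last, which is what gives it precedence.
    queue = [(depth, gpo) for depth, c in enumerate(path)
             for gpo in reversed(c.links)]
    # Block inheritance discards GPOs linked above the blocking container,
    # unless the link is enforced.
    blocked = max((d for d, c in enumerate(path) if c.block_inheritance),
                  default=-1)
    queue = [(d, g) for d, g in queue if g.enforced or d >= blocked]
    # Security filtering: a Deny on Apply Group Policy for any group the
    # user belongs to overrides the Allow that Authenticated Users hold.
    queue = [(d, g) for d, g in queue if not (user_groups & g.deny_apply)]
    # Enforced links are applied after all others, the parent-most one last.
    normal = [g for d, g in queue if not g.enforced]
    enforced = [g for d, g in sorted((x for x in queue if x[1].enforced),
                                     key=lambda x: -x[0])]
    effective, order = {}, []
    for gpo in normal + enforced:
        effective.update(gpo.settings)
        order.append(gpo.name)
    return effective, order


def question3_link_order():
    """GPO1 and GPO2 on Sales, conflicting on 'wallpaper'. Before: GPO2 has
    link order 1 and wins. After moving GPO1 to link order 1, GPO1 wins and
    the non-conflicting settings of both GPOs are still applied."""
    gpo1 = GPO("GPO1", {"wallpaper": "GPO1", "screensaver": "10min"})
    gpo2 = GPO("GPO2", {"wallpaper": "GPO2", "hide_cpanel": True})
    before = resultant_settings([Container("Sales", [gpo2, gpo1])], [])[0]
    after = resultant_settings([Container("Sales", [gpo1, gpo2])], [])[0]
    return before, after


def question9_security_filtering():
    """DesktopLockdown on Sales, Deny Apply Group Policy for sales managers."""
    lockdown = GPO("DesktopLockdown", {"hide_cpanel": True},
                   deny_apply=frozenset({"sales managers"}))
    sales = Container("Sales", [lockdown])
    manager = resultant_settings([sales], ["sales managers"])[0]
    executive = resultant_settings([sales], ["sales executives"])[0]
    return manager, executive


def question12_block_inheritance():
    """GPO1 on OU1; managers moved to a child OU that blocks inheritance."""
    domain = Container("contoso.com")
    ou1 = Container("OU1", [GPO("GPO1", {"hide_cpanel": True})])
    managers_ou = Container("Managers", block_inheritance=True)
    user = resultant_settings([domain, ou1], [])[0]
    manager = resultant_settings([domain, ou1, managers_ou], [])[0]
    return user, manager
```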
NEW QUESTION 13
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed.
Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server.
You install AD FS 2.0 on Server2.
You need to add Server2 to the existing AD FS farm.
What should you do?
- A. On Server1, run fsconfig.exe
- B. On Server1, run fsconfigwizard.exe
- C. On Server2, run fsconfig.exe
- D. On Server2, run fsconfigwizard.exe
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx
Configure a New Federation Server
To configure a new federation server using the command line
1. Open a Command Prompt window.
2. Change the directory to the path where AD FS 2.0 was installed.
3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER:
fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]
Parameter JoinSQLFarm: Joins this computer to an existing federation server farm that is using SQL Server.
NEW QUESTION 14
You install a read-only domain controller (RODC) named RODC1.
You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.
Which tool should you use?
- A. Active Directory Administrative Center
- B. Active Directory Users and Computers
- C. Dsadd
- D. Dsmgmt
Answer: B
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc755310.aspx
Delegating local administration of an RODC
Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.
Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it. To specify the delegated RODC administrator after installation, you can use either of the following options:
Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.
Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second Explanation for more information on how to use dsmgmt.]
Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.
Explanation 2: http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.
To configure Administrator Role Separation for an RODC
Click Start, click Run, type cmd, and then press ENTER.
At the command prompt, type dsmgmt.exe, and then press ENTER.
At the DSMGMT prompt, type local roles, and then press ENTER.
For a list of valid parameters, type ?, and then press ENTER.
By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.
Type add <DOMAIN>\<user> <administrative role>
For example, type add CONTOSO\testuser administrators
NEW QUESTION 15
Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You plan to create a new Active Directory-integrated zone.
You need to ensure that the new zone is only replicated to four of your domain controllers.
What should you do first?
- A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter
- B. Create a new delegation in the ForestDnsZones application directory partition
- C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter
- D. Create a new delegation in the DomainDnsZones application directory partition
Answer: A
Explanation:
Practically the same question as D/Q25 and K/Q17, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked. 
Explanation 1:
http://technet.microsoft.com/en-us/library/cc725739.aspx
Store Data in an AD DS Application Partition
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.
Explanation 2:
http://technet.microsoft.com/en-us/library/cc730970.aspx
Partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). This is a subcommand of Ntdsutil and Dsmgmt.
Examples
To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:
1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, rightclick Command Prompt, and then click Run as administrator.
2. Type: ntdsutil
3. Type: Ac in ntds
4. Type: partition management
5. Type: connections
6. Type: Connect to server DC_Name
7. Type: quit
8. Type: list
The following partitions will be listed:
0 CN=Configuration,DC=Contoso,DC=com
1 DC=Contoso,DC=com
2 CN=Schema,CN=Configuration,DC=Contoso,DC=com
3 DC=DomainDnsZones,DC=Contoso,DC=com
4 DC=ForestDnsZones,DC=Contoso,DC=com
9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com
10. Run the list command again to refresh the list of partitions.
NEW QUESTION 16
Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2.
The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.
Which snap-in should you use?
- A. Active Directory Administrative Center
- B. Authorization Manager
- C. Certificate Templates
- D. Certificates
- E. Certification Authority
- F. Enterprise PKI
- G. Group Policy Management
- H. Security Configuration Wizard
- I. Share and Storage Management
Answer: G
Explanation: We can make the Group1 group a member of the Event Log Readers group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management.
Explanation 1:
It's a bit hard to find some good, clear explanation for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and a member server. Click along if you want!
In VMWare I have set up a domain controller, DC01, and a member server, MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.
1. Start the Group Policy Management console on DC01.
2. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..."
3. I named the GPO "EventLog_TESTGROUP".
4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..."
5. Go to Computer Configuration > Policies > Windows Settings > Security Settings and select "Restricted Groups".
6. Right-click "Restricted Groups" and choose "Add Group..."
7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.
8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.
9. Click OK.
10. On MEM01 open a command prompt and run gpupdate /force.
11. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.
Explanation 2: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.
(...)
Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the built-in Event Log Readers group.
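Step 11 of the walkthrough checks the result by hand in the group's properties. The following is an added PowerShell example, not from the original page or the linked blog, that performs the same check on the member server after gpupdate; it assumes the names from the walkthrough (MEM01, CONTOSO\TESTGROUP) and that it runs locally on MEM01.

```powershell
# Added example: after "gpupdate /force", confirm that the Restricted Groups policy made the
# domain group a member of the LOCAL Event Log Readers group (well-known SID S-1-5-32-573).
# Assumed names: member server MEM01, domain group CONTOSO\TESTGROUP.
function Get-EventLogReaders {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # The WinNT provider sees local (non-AD) groups; the AD cmdlets do not.
    $group = [ADSI]"WinNT://$ComputerName/Event Log Readers,group"
    # Members come back as COM objects; read each one's ADsPath (WinNT://DOMAIN/Name)
    # and turn it into DOMAIN\Name for easy comparison.
    @($group.Invoke("Members")) | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) `
            -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Test-EventLogReaderMember {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$DomainGroup  = "CONTOSO\TESTGROUP"
    )
    $members = @(Get-EventLogReaders -ComputerName $ComputerName)
    $ok = $members -contains $DomainGroup
    if ($ok) {
        "$DomainGroup is a member of Event Log Readers on $ComputerName"
    } else {
        "$DomainGroup is NOT a member. Current members: $($members -join ', ')"
        "Check that the GPO reached this computer: gpresult /scope computer /r"
    }
    return $ok
}

Test-EventLogReaderMember
```

On a domain controller the Event Log Readers group is the domain's built-in group rather than a local one, so there the membership would be read with Get-ADGroupMember instead.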
NEW QUESTION 17
Your company has two offices. The offices are located in Miami and London.
The network contains an Active Directory forest named contoso.com. The forest contains two child domains named miami.contoso.com and london.contoso.com. The domain contains 50 domain controllers that run Windows Server 2008 R2. Each office is configured as an Active Directory site.
The forest contains a custom attribute named SecurityAccessCode.
You recently configured a domain controller named DC22 as a global catalog server.
You need to verify that SecurityAccessCode is configured to replicate to DC22.
What should you do?
- A. Run the dsadd.exe command
- B. Run the nltest.exe command
- C. Run the Set-AdDomain cmdlet
- D. Run the dsmove.exe command
- E. Run the dcpromo.exe command
- F. Run the Move-AdDirectoryServer cmdlet
- G. Use the Active Directory Schema snap-in
- H. Use the Active Directory Users and Computers console
Answer: G