Published: March 6, 2008
Languages: English, German, Japanese
Audiences: IT professionals
Technology: Windows Server 2008
Credit toward certification: MCP, MCTS, MCITP, MCSA
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam. The higher the percentage, the more questions you are likely to see on that content area on the exam. View video tutorials about the variety of question types on Microsoft exams.
Please note that the questions may test on, but will not be limited to, the topics described in the bulleted text.
Do you have feedback about the relevance of the skills measured on this exam? Please send Microsoft your comments. All feedback will be reviewed and incorporated as appropriate while still maintaining the validity and reliability of the certification process. Note that Microsoft will not respond directly to your feedback. We appreciate your input in ensuring the quality of the Microsoft Certification program.
If you have concerns about specific questions on this exam, please submit an exam challenge.
If you have other questions or feedback about Microsoft Certification exams or about the certification program, registration, or promotions, please contact your Regional Service Center.
Configuring Domain Name System (DNS) for Active Directory (18%)
Dynamic DNS (DDNS), Non-dynamic DNS (NDDNS), and Secure Dynamic DNS (SDDNS); Time to Live (TTL); GlobalNames; Primary, Secondary, Active Directory Integrated, Stub; SOA; zone scavenging; forward lookup; reverse lookup
Configure DNS server settings
Forwarding; root hints; configure zone delegation; round robin; disable recursion; debug logging; server scavenging
Configure zone transfers and replication
Configure replication scope (forestDNSzone; domainDNSzone); incremental zone transfers; DNS Notify; secure zone transfers; configure name servers; application directory partitions
Configuring zone properties
Configure a DNS server for use with Active Directory Domain Services
Modify zone transfer settings
Configuring the Active Directory infrastructure (17%)
Configure a forest or a domain
Remove a domain; perform an unattended installation; Active Directory Migration Tool (ADMT); change forest and domain functional levels; interoperability with previous versions of Active Directory; multiple user principal name (UPN) suffixes; forestprep; domainprep
Forest trust; selective authentication vs. forest-wide authentication; transitive trust; external trust; shortcut trust; SID filtering
Create Active Directory subnets; configure site links; configure site link costing; configure sites infrastructure
Configure Active Directory replication
DFSR; one-way replication; Bridgehead server; replication scheduling; configure replication protocols; force intersite replication
Configure the global catalog
Universal Group Membership Caching (UGMC); partial attribute set; promote to global catalog
Configure operations masters
Seize and transfer; backup operations master; operations master placement; Schema Master; extending the schema; time service
Deploying a Windows Server 2008 forest root domain
Securing domain and forest trusts
Active Directory replication tools and settings
Configuring Active Directory roles and services (14%)
Configure Active Directory Lightweight Directory Service (AD LDS)
Migration to AD LDS; configure data within AD LDS; configure an authentication server; Server Core installation
Configure Active Directory Rights Management Service (AD RMS)
Certificate request and installation; self-enrollments; delegation; create RMS templates; RMS administrative roles; RM add-on for IE
Configure the read-only domain controller (RODC)
Replication; Administrator role separation; read-only DNS; BitLocker; credential caching; password replication; syskey; read-only SYSVOL; staged install
Configure Active Directory Federation Services (AD FSv2)
Install AD FS server role; exchange certificate with AD FS agents; configure trust policies; configure user and group claim mapping; import and export trust policies
AD LDS getting started step-by-step guide
Read-only domain controllers step-by-step guide
AD FS step-by-step guide
Creating and maintaining Active Directory objects (18%)
Automate creation of Active Directory accounts
Bulk import; configure the UPN; create computer, user, and group accounts (scripts, import, migration); template accounts; contacts; distribution lists; offline domain join
Maintain Active Directory accounts
Manage computer accounts; configure group membership; account resets; delegation; AGDLP/AGGUDLP; deny domain local group; local vs. domain; Protected Admin; disabling accounts vs. deleting accounts; deprovisioning; contacts; creating organizational units (OUs); delegation of control; protecting AD objects from deletion; managed service accounts
Create and apply Group Policy objects (GPOs)
Enforce, OU hierarchy, block inheritance, and enabling user objects; group policy processing priority; WMI; group policy filtering; group policy loopback; Group Policy Preferences (GPP)
Configure GPO templates
User rights; ADMX Central Store; administrative templates; security templates; restricted groups; security options; starter GPOs; shell access policies
Deploy and manage software by using GPOs
Publishing to users; assigning software to users; assigning to computers; software removal; software restriction policies; AppLocker
Configure account policies
Domain password policy; account lockout policy; fine-grain password policies
Configure audit policy by using GPOs
Audit logon events; audit account logon events; audit policy change; audit access privilege use; audit directory service access; audit object access; advanced audit policies; global object access auditing; “Reason for Access” reporting
Active Directory how to…
Group policy planning and deployment guide
Maintaining the Active Directory environment (18%)
Configure backup and recovery
Using Windows Server Backup; back up files and system state data to media; backup and restore by using removable media; perform an authoritative or non-authoritative restores; linked value replication; Directory Services Recovery Mode (DSRM); backup and restore GPOs; configure AD recycle bin
Perform offline maintenance
Offline defragmentation and compaction; Restartable Active Directory; Active Directory database mounting tool
Monitor Active Directory
Event viewer subscriptions; data collector sets; real-time monitoring; analyzing logs; WMI queries; PowerShell
Windows Server backup step-by-step guide for Windows Server 2008
Compact the directory database file (offline defragmentation)
Restartable AD DS step-by-step guide
Configuring Active Directory Certificate Services (15%)
Install Active Directory Certificate Services
Certificate authority (CA) types, including standalone, enterprise, root, and subordinate; role services; prepare for multiple-forest deployments
Configure CA server settings
Key archival; certificate database backup and restore; assigning administration roles; high-volume CAs; auditing
Manage certificate templates
Certificate template types; securing template permissions; managing different certificate template versions; key recovery agent
Network device enrollment service (NDES); auto enrollment; Web enrollment; extranet enrollment; smart card enrollment; authentication mechanism assurance; creating enrollment agents; deploying multiple-forest certificates; x.509 certificate mapping
Manage certificate revocations
Configure Online Responders; Certificate Revocation List (CRL); CRL Distribution Point (CDP); Authority Information Access (AIA)
Active Directory certificate services step-by-step guide
Setting up a certification authority
Administering certificate templates
Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller.
You disable an account that has administrative rights.
You need to immediately replicate the disabled account information to all sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers
as global catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects and force replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners. http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/
How to force replication of Domain Controllers From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a good too to check the status of replication between DC’s.
Below is a command to replicate from a specified DC to all other DC’s.
Repadmin /syncall DC_name /Aped By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many.And with the benefit of seeing immediate results on how the operations are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name. http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx Force replication over a connection
To force replication over a connection
1. Open Active Directory Sites and Services.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application.
You need to configure the domain controller as a Global Catalog server.
Which tool should you use?
A. The Server Manager console
B. The Active Directory Sites and Services console
C. The Dcpromo.exe utility
D. The Computer Management console
E. The Active Directory Domains and Trusts console
Answer: The Active Directory Sites and Services console http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx Configure a domain controller as a global catalog server
To configure a domain controller as a global catalog server 1. Open Active Directory Sites and Services.
Further information: http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its
full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
Note: A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions.
The global catalog is built and updated automatically by the AD DS replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog.
In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the global catalog by replicating only the attributes that change.
In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any partial replica. A global catalog server in a single-domain forest functions in the same manner as a nonglobal-catalog server except for the processing of forest-wide searches.
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA.
The Enterprise certification authority is running Windows Server 2008 R2.
You need to ensure users are able to enroll new certificates.
What should you do?
A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.
B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SysternCertificates folder in the users’ profile.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.
Offline Root Certification Authority (CA)
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root C
A. This establishes a CA hierarchy and trust path.
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root C
A. Make sure that you keep all CAs in secure areas with limited access.
To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA.
How Do Offline CAs issue certificates?
Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD) and then physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate and that certificate will be placed on removable media. Each CA receives its authorization to issue certificates from the CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network
devices, mobile devices, and so on. Do not join offline CAs to an Active Directory Domain Services domain Since offline CAs should not be connected to a network, it does not make sense to join them to an Active Directory Domain Services (AD DS) domain, even with the
Offline Domain Join [This link is external to TechNet Wiki. It will open in a new window.] option introduced with Windows 7 and Windows Server 2008 R2.
Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with a secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this by problem and better protect your CA by making it a member of a workgroup, instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not attempt to install an offline CA as a Windows Server Enterprise C
Renewing a certification authority
A certification authority may need to be renewed for either of the following reasons: Change in the policy of certificates issued by the CA
Expiration of the CA’s issuing certificate
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.
You grant the Account Operators group the Issue and Manage Certificates permission on the CA.
Which three tasks should you perform next? (Each correct answer presents part of the solution.
A. Enable the Restrict Enrollment Agents option on the CA.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.
Your company has an Active Directory domain.
You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.
D. Register Schmmgmt.dll.
http://technet.microsoft.com/en-us/library/cc732110.aspx Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
To install the Active Directory Schema snap-in
1. To open an elevated command prompt, click Start, type command prompt and then right-click Command
Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK.
To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator.
2. Type the following command, and then press ENTER:
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
* To save the snap-in to a location other than the Administrative Tools folder, in Save in
navigate to a location for the snap-in. In File name, type a name for the snap-in, and then
You have an Active Directory domain that runs Windows Server 2008 R2.
You need to implement a certification authority (CA) server that meets the following requirements:
Allows the certification authority to automatically issue certificates
Integrates with Active Directory Domain Services
What should you do?
A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory
Certificate Services server role as a Standalone Subordinate CA.
D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master.