70-640 Windows Active Directory 2008 R2 Exam Questions and Answers with Explanation

Which tool is used to validate successful AD replication between any two given DCs?

Repadmin.exe is a Microsoft Windows 2000 Resource Kit tool that is available in the Support Tools folder on the Windows 2000 CD-ROM. It is a command-line interface to Active Directory replication. This tool provides a powerful interface into the inner workings of Active Directory replication and is useful for troubleshooting Active Directory replication problems.
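The following script is an added example, not part of the original post: it uses repadmin (which on Windows Server 2008 R2 is installed with the AD DS role, no Support Tools needed) to confirm that one DC is successfully receiving replication from another, and forces a sync only when a link reports failures. The DC names and the domain DN are placeholders; the CSV column names are those printed by `repadmin /showrepl /csv`.

```powershell
# Added example (not from the original post): confirm that $DestDc is successfully
# receiving replication from $SourceDc with repadmin, then force a sync if needed.
# DC01, DC02 and the domain DN are placeholders for your own environment.
param(
    [string]$SourceDc = 'DC01',
    [string]$DestDc   = 'DC02',
    [string]$DomainDn = 'DC=contoso,DC=example'
)

# /showrepl lists every inbound replication link of the destination DC, one row
# per (source DC, naming context). /csv makes the output parseable as objects.
$links = repadmin /showrepl $DestDc /csv | ConvertFrom-Csv |
    Where-Object { $_.'Source DSA' -eq $SourceDc }

if (-not $links) {
    Write-Warning "$DestDc has no inbound link from $SourceDc; check the site topology (KCC) first."
    return
}

$broken = 0
foreach ($link in $links) {
    $failures = [int]$link.'Number of Failures'
    if ($failures -gt 0) {
        $broken++
        'FAIL  {0}: {1} consecutive failures, last error {2} at {3}' -f `
            $link.'Naming Context', $failures, $link.'Last Failure Status', $link.'Last Failure Time'
    } else {
        'OK    {0}: last successful sync {1}' -f $link.'Naming Context', $link.'Last Success Time'
    }
}

if ($broken -gt 0) {
    # Trigger an immediate pull of the domain partition from the source and re-check.
    # (repadmin /replicate <destination> <source> <naming context>)
    repadmin /replicate $DestDc $SourceDc $DomainDn
    repadmin /showrepl $DestDc /errorsonly
}
```

A link with zero failures but a very old "last success" time is also worth a look; replication may be blocked by a site link schedule rather than by an error.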

How do you load the DNS zone changes at another site before the scheduled replication happens?

Refresh the zone on the DNS server in the site where you want to see the changes.

How do you restore a deleted OU in AD?

Do an authoritative restore of the selected OU that was deleted.

How do you apply a DesktopLockDown/Restrictions policy to selected AD OUs?

Link the DesktopLockDown/Restrictions policy to the selected OUs. If you need to apply it to all OUs except a particular one, link the policy at the domain level and block policy inheritance at the OU that you need to exclude.

How do you apply a DesktopLockDown/Restrictions policy to selected AD security groups?

Link the DesktopLockDown/Restrictions policy to the OU and deny the policy (the Apply Group Policy permission) for the selected AD security group.
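Both answers above, scripted with the GroupPolicy module that ships with the 2008 R2 GPMC feature; this is an added example and not code from the original post. GPO, OU and group names are placeholders. Note that `Set-GPPermission` cannot write Deny entries, so the group exclusion is written with dsacls; that dsacls syntax is my assumption from its documentation and should be verified on the GPO's Delegation tab in GPMC.

```powershell
# Added example (not from the original post): link a lockdown GPO, exclude one
# OU by blocking inheritance, and exclude one security group by denying
# "Apply Group Policy". GPO, OU and group names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName       = 'DesktopLockDown'
$domainDn      = 'DC=contoso,DC=example'
$excludedOu    = "OU=Developers,$domainDn"   # OU that must not get the lockdown
$excludedGroup = 'CONTOSO\LockdownExempt'    # group that must not get the lockdown

# Create the GPO if it does not exist and link it at the domain level so every OU
# inherits it by default.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# Exclude a whole OU: block inheritance there. Enforced links ignore this block,
# which is why the domain link above is deliberately not enforced.
Set-GPInheritance -Target $excludedOu -IsBlocked Yes

# Exclude a group inside OUs that do get the link: a Deny ACE on the
# "Apply Group Policy" extended right of the GPO object in AD.
# (dsacls syntax assumed from its documentation; verify in GPMC > Delegation.)
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
dsacls $gpoDn /D "${excludedGroup}:CA;Apply Group Policy"

# Verify: the excluded OU reports inheritance blocked, and the GPO's ACL shows
# the Deny entry for the group.
Get-GPInheritance -Target $excludedOu | Select-Object Path, GpoInheritanceBlocked
dsacls $gpoDn | Select-String 'Apply Group Policy'
```

Blocking inheritance at an OU hides every policy linked above it, not just this one, so prefer security-group filtering when only one policy must be excluded.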

What permissions are required to install an application that updates the AD schema?

One has to be a member of Schema Admins to install such an application, and also have administrator rights on the system where it is being installed.

How do you export the DNS zone details?

Use the dnscmd /ZoneExport command to export all the zone data to a file.

Dnscmd.exe: DNS Server Troubleshooting Tool

This command-line tool assists administrators in Domain Name System (DNS) management.

DNSCmd displays and changes the properties of DNS servers, zones, and resource records. It manually modifies these properties, creates and deletes zones and resource records, and forces replication events between DNS server physical memory and DNS databases and data files. Some operations of this tool work at the DNS server level while others work at the zone level.
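As an added example (not from the original post), the export run from PowerShell with a sanity check of the resulting file. Server and zone names are placeholders; dnscmd always writes the export under %SystemRoot%\System32\dns on the DNS server itself, which is why the script reads it back over the admin share.

```powershell
# Added example (not from the original post): export a zone with dnscmd and
# check the result. Server and zone names are placeholders.
$dnsServer = 'DC01'
$zone      = 'contoso.example'

# dnscmd writes the export file under %SystemRoot%\System32\dns on the DNS
# server itself, so only a file name is given here.
$exportFile = "$zone-$(Get-Date -Format yyyyMMdd).txt"
dnscmd $dnsServer /ZoneExport $zone $exportFile

# The file is on the server; read it back over the admin share.
$path  = "\\$dnsServer\admin$\System32\dns\$exportFile"
$lines = Get-Content $path

# Sanity-check the export: count resource records by type and make sure an
# SOA record is present (its absence usually means a wrong zone name).
$records = $lines | Where-Object { $_ -match '^\S' -and $_ -notmatch '^;' }
$records | ForEach-Object {
    if ($_ -match '\s+(A|AAAA|CNAME|MX|NS|PTR|SOA|SRV|TXT)\s+') { $Matches[1] }
} | Group-Object | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize

if (-not ($lines -match '\sSOA\s')) { Write-Warning 'Export has no SOA record; check the zone name.' }
```

The export is a plain zone file, so it doubles as a point-in-time record of the zone that can be diffed against a later export to spot unexpected record changes.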

How do you allow users of a domain to modify entries in one AD-integrated DNS zone but not in the other?

You need to modify the permissions on that DNS zone via DNS Manager to let those users modify it.
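The scripted equivalent of editing the zone's permissions in DNS Manager, as an added example that is not part of the original post. It grants one group create/delete/modify rights on a single AD-integrated zone and then confirms the second zone is untouched. Domain, zone and group names are placeholders, and the zones are assumed to live in the DomainDnsZones partition.

```powershell
# Added example (not from the original post): per-zone delegation on AD-integrated
# DNS zones. Only the first zone's ACL is changed; the second is checked afterwards.
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=example'
$editable = 'app.contoso.example'     # zone the group may edit
$readOnly = 'corp.contoso.example'    # zone the group must not edit
$group    = New-Object System.Security.Principal.NTAccount('CONTOSO\AppDnsEditors')

# AD-integrated zones are containers under CN=MicrosoftDNS in the DNS partition
# (DomainDnsZones assumed here); each record is a dnsNode child object.
function Get-ZoneDn([string]$zone) {
    "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
}

# Create/delete child objects (records) and write their properties, inherited by
# everything under the zone container. Nothing is granted on the zone's parent.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, GenericRead'
$rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $group, $rights, 'Allow', 'All'

$zoneDn = Get-ZoneDn $editable
$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Verify: the group appears on the editable zone only.
foreach ($z in $editable, $readOnly) {
    $entries = (Get-Acl -Path "AD:\$(Get-ZoneDn $z)").Access |
        Where-Object { $_.IdentityReference -eq $group }
    '{0,-25} editor entries: {1}' -f $z, @($entries).Count
}
```

Granting the right on the zone container rather than on CN=MicrosoftDNS is what keeps the delegation from spilling into the other zone.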

How do you remove/uninstall the AD DS role?

Run Dcpromo.exe and choose Remove AD DS role.

What are the various options available to remove/uninstall the AD DS role?

  • Run Dcpromo and choose the Remove option. For automation, you can use an answer file.
  • Go to Server Manager, Roles, and uninstall the AD DS role.

How do you configure AD FS such that AD FS tokens contain information from AD? Or: how do you integrate AD FS with AD so that information from AD is populated into AD FS tokens?

You need to add and configure a new Account Store in the AD FS Trust Policy.

How do you ensure that only authenticated users are allowed to update Host (A) records in DNS zones?

One has to convert or set up such a DNS zone as an Active Directory Integrated Zone. AD Integrated Zones allow only authenticated users to update the Host records.

How do you configure your Online Responder server to issue certificate revocation lists (CRLs) for an enterprise root CA?

  1. Import the enterprise root CA certificate.
  2. Import the OCSP Response Signing certificate.

How do you configure change auditing for a standalone Certification Authority (CA)?

Since the CA is a standalone server, that is, it is not part of your domain, you can't apply auditing from a domain GPO; instead you need to achieve the same via Local Group Policy. Here are the steps for configuring it:

  1. Enable the Audit Object Access setting in Local Security Policy on the CA server.
  2. Configure auditing in the Certification Authority snap-in.
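The same two steps from the command line, plus a check that events actually arrive, as an added example (not part of the original post). Run it on the CA server as a local administrator; the registry value `CA\AuditFilter` is what the Auditing tab in the CA snap-in writes.

```powershell
# Added example (not from the original post): command-line equivalent of the two
# GUI steps for a standalone CA, with verification. Run on the CA server.

# Step 1: Object Access auditing in the local policy. On 2008 R2 the granular
# subcategory that carries CA events is "Certification Services".
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Step 2: choose which CA events to audit. This bit mask is what the Auditing
# tab of the CA properties sets. 127 = all seven: back up/restore the CA
# database, change CA configuration, change CA security settings, issue and
# manage certificate requests, revoke certificates and publish CRLs, store and
# retrieve archived keys, start and stop Certificate Services.
certutil -setreg CA\AuditFilter 127

# The filter is read when the service starts.
Restart-Service CertSvc

# Verify both settings.
auditpol /get /subcategory:"Certification Services"
certutil -getreg CA\AuditFilter

# Certificate Services events are written to the Security log in the 4868-4900
# range (e.g. 4882 "The security permissions for Certificate Services changed").
# Pull those written since the restart to confirm the pipeline end to end.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Id -ge 4868 -and $_.Id -le 4900 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

Because the CA is standalone, nothing enforces these settings centrally; keep the two verify commands in a scheduled check so a silent reset of the filter is noticed.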

What are the possible ways to decommission a 2008 domain controller server and remove a child domain of a forest?

In order to decommission a child domain and its DC, first you have to move/migrate all the required AD objects out of that domain to the parent domain or wherever needed. Then you need to uninstall the AD DS role on the DC. This can be done via:

  1. Server Manager: uninstall the AD DS server role.
  2. Run Dcpromo.exe and choose the Remove option. You can run the same tool using an answer file for an automated uninstall of the AD DS role.
How do you configure your Windows 2008 R2 environment to allow zone transfers to a UNIX-based DNS server?

In the DNS Manager console, choose the zone to be allowed for transfers to the UNIX server and enable BIND Secondaries.
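The dnscmd equivalent of the two DNS Manager settings involved, as an added example that is not part of the original post. It also restricts transfers to the UNIX server's address instead of leaving them open to any host. Server, zone and IP address are placeholders.

```powershell
# Added example (not from the original post): enable BIND-compatible transfers
# and restrict who may pull the zone. Names and the IP are placeholders.
$dnsServer = 'DC01'
$zone      = 'contoso.example'
$unixNs    = '10.20.30.40'

# "BIND secondaries" is a server-level option (Advanced tab): the Windows server
# then sends uncompressed, one-record-per-message transfers that older BIND
# versions expect. 1 = enabled.
dnscmd $dnsServer /Config /BindSecondaries 1

# Zone transfers themselves are controlled per zone (Zone Transfers tab).
# Allow only the UNIX server's address rather than "any server".
dnscmd $dnsServer /ZoneResetSecondaries $zone /SecureList $unixNs

# Verify both settings.
dnscmd $dnsServer /Info /BindSecondaries
dnscmd $dnsServer /ZoneInfo $zone | Select-String 'secondar'
```

Leaving transfers open to any server lets anyone enumerate every host in the zone with a single AXFR, so the /SecureList step matters even when the Windows side is only configured for one secondary.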

What are the steps involved in creating a new AD site and establishing replication between two AD sites?

  1. Create the new AD site.
  2. Install and add a new domain controller to the new site.
  3. There will be a default IP site link (DEFAULTIPSITELINK) used for replication with the other AD sites in the domain.
  4. In the AD Sites and Services console, create a new IP subnet and associate it with the new site.
  5. Move the DC object to the new site.
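The steps above scripted with ADSI (the 2008 R2 ActiveDirectory module has no site cmdlets; those arrived later), as an added example not taken from the original post. Site name, subnet and DC name are placeholders; step 2 (promoting the DC) is assumed to have happened already, with the new DC currently sitting in Default-First-Site-Name.

```powershell
# Added example (not from the original post): create a site, add it to the
# default site link, create its subnet and move a DC into it, using ADSI.
$siteName = 'Branch01'
$subnet   = '10.20.0.0/24'
$newDc    = 'DC02'
$oldSite  = 'Default-First-Site-Name'

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$sitesDn  = "CN=Sites,$configNc"

# Step 1: the site object plus the two child containers the KCC expects.
$site = ([ADSI]"LDAP://$sitesDn").Create('site', "CN=$siteName")
$site.SetInfo()
$site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings').SetInfo()
$site.Create('serversContainer', 'CN=Servers').SetInfo()

# Step 3: DEFAULTIPSITELINK already exists; append the new site to its siteList
# so inter-site replication with the other sites can be scheduled
# (3 = ADS_PROPERTY_APPEND).
$link = [ADSI]"LDAP://CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,$sitesDn"
$link.PutEx(3, 'siteList', @("CN=$siteName,$sitesDn"))
$link.SetInfo()

# Step 4: subnet object pointing at the site, so clients and DCs in that range
# are mapped to it.
$sn = ([ADSI]"LDAP://CN=Subnets,$sitesDn").Create('subnet', "CN=$subnet")
$sn.Put('siteObject', "CN=$siteName,$sitesDn")
$sn.SetInfo()

# Step 5: move the DC's server object (with its NTDS Settings) into the new site.
$server = [ADSI]"LDAP://CN=$newDc,CN=Servers,CN=$oldSite,$sitesDn"
$server.psbase.MoveTo([ADSI]"LDAP://CN=Servers,CN=$siteName,$sitesDn")

# Check: run the KCC on the moved DC and list its inter-site links.
repadmin /kcc $newDc
repadmin /showrepl $newDc /intersite
```

Without the subnet object (step 4) the DC still replicates, but clients in the branch will not be directed to it by the DC locator, which is usually the reason a new site "does not work".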

How do you launch the AD Schema snap-in?

The AD Schema snap-in isn't registered by default, so a user does not find it readily, in view of its security sensitivity. However, one can launch it by manually registering the Schmmgmt.dll file and then adding the snap-in in an MMC console.

What tools are available to manage the existing AD user and computer objects?

  1. AD Users and Computers console
  2. DSMod command-line utility

    C:\>dsmod /?
    Description:  This dsmod command modifies existing objects in the directory.
    The dsmod commands include:

    dsmod computer - modifies an existing computer in the directory.
    dsmod contact - modifies an existing contact in the directory.
    dsmod group - modifies an existing group in the directory.
    dsmod ou - modifies an existing organizational unit in the directory.
    dsmod server - modifies an existing AD DC/LDS instance in the directory.
    dsmod user - modifies an existing user in the directory.
    dsmod quota - modifies an existing quota specification in the directory.
    dsmod partition - modifies an existing partition specification in the directory.

    For help on a specific command, type "dsmod <ObjectType> /?" where
    <ObjectType> is one of the supported object types shown above.
    For example, dsmod ou /?.

    Remarks:
    The dsmod commands support piping of input to allow you to pipe results from
    the dsquery commands as input to the dsmod commands and modify the objects
    found by the dsquery commands.

    Commas that are not used as separators in distinguished names must be
    escaped with the backslash ("\") character
    (for example, "CN=Company\, Inc.,CN=Users,DC=microsoft,DC=com").

    Backslashes used in distinguished names must be escaped with a backslash
    (for example,
    "CN=Sales\\ Latin America,OU=Distribution Lists,DC=microsoft,DC=com").

Reference:

How To Use the Directory Service Command-Line Tools to Manage Active Directory Objects in Windows Server 2003
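The dsquery-to-dsmod pipeline that the help text describes, applied to a common hygiene task, as an added example (not from the original post): find user accounts in one OU that have not logged on for eight weeks, review them, then disable them with dsmod. OU name and domain are placeholders.

```powershell
# Added example (not from the original post): dsquery | dsmod pipeline to disable
# stale accounts in one OU. OU and domain are placeholders.
$ou    = 'OU=Contractors,DC=contoso,DC=example'
$weeks = 8

# dsquery prints one quoted DN per line; -limit 0 removes the default 100-result cap.
$stale = dsquery user $ou -inactive $weeks -limit 0

if (-not $stale) { 'No inactive accounts found.'; return }

# Review before acting: dsget resolves each DN to its logon name and state.
$stale | dsget user -samid -display -disabled

# Disable them and record why in the description. Piping the exact DNs that
# dsquery returned keeps the change scoped to those objects only.
$stamp = Get-Date -Format 'yyyy-MM-dd'
$stale | dsmod user -disabled yes -desc "Disabled $stamp - inactive $weeks weeks"

# Confirm the change.
$stale | dsget user -samid -disabled
```

Disabling rather than deleting keeps the SID and group memberships intact, so a wrongly flagged account (a long-term leave, for example) can be re-enabled without an authoritative restore.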

How do you deploy a new enterprise intermediate CA certificate to all computers in a domain if the existing certificate has expired?

One has to import the new certificate into the Intermediate Certification Authorities store in the Default Domain Policy GPO.

How do you set up auditing for failed access attempts by a group of users to shared folders on all file servers residing in a particular OU?

  • Create and link a new GPO to the OU containing all the file servers.
  • In the GPO, configure Audit Object Access failure at the following path: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Object Access\Audit File Share, and tick the Failure or Success attempts you want to track.
  • Then configure the

Auditing implementation has several steps that include:

  1. Enable auditing on the domain controller, specifically via either the Default Domain Policy or the Default Domain Controllers Policy. Auditing policies will not be available in other policies in the domain.
  2. Select objects to audit, and set the system access control lists (SACLs) for the objects.
  3. Configure the event log.
  4. Protect the audit data from unauthorized access or modification.
  5. Review and maintain the audit logs.
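An added example (not from the original post) that shows, on a single file server, what the GPO setting above turns on, the SACL that step 2 of the list refers to, and the query for step 5. Share path and group are placeholders; the two auditpol lines are what the GPO path configures centrally.

```powershell
# Added example (not from the original post): audit failed access by one group to
# a shared folder and read the resulting events. Path and group are placeholders.
$sharePath = 'D:\Shares\Finance'
$group     = 'CONTOSO\Contractors'

# Advanced audit policy: Object Access > File Share, failures only
# (the GPO setting in the answer; auditpol shows the same thing per machine).
auditpol /set /subcategory:"File Share" /failure:enable
auditpol /get /subcategory:"File Share"

# Per-folder detail (step 2 in the list) needs the File System subcategory and
# a SACL entry on the folder itself; without the SACL no 4656/4663 is written.
auditpol /set /subcategory:"File System" /failure:enable

$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    $group, 'ReadData, WriteData, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Review (step 5): failed share access is event 5140, failed object access under
# the SACL is 4656, both with the Audit Failure keyword (0x10000000000000).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5140, 4656
    Keywords  = 0x10000000000000
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Who'; e = { $_.Properties[1].Value } }, Message |
    Format-List
```

Step 4 of the list (protecting the audit data) is the reason these events should be forwarded off the file server; a user who can delete the local Security log can erase the evidence of their own failed attempts.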


How do you configure a DNS zone for automatic removal of expired records?

One has to enable "Scavenging Stale Resource Records" and configure the refresh interval settings at the DNS zone level.
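The same configuration done with dnscmd, as an added example (not from the original post); it also sets the server-level scavenging interval, without which aging is enabled but nothing is ever removed. Server and zone are placeholders; all intervals are in hours.

```powershell
# Added example (not from the original post): aging/scavenging on one zone with
# dnscmd, plus verification. Server and zone are placeholders.
$dnsServer = 'DC01'
$zone      = 'contoso.example'

# Zone level: turn aging on and set the two intervals. A record becomes eligible
# for scavenging only after NoRefresh + Refresh has elapsed since its timestamp,
# so their sum should exceed the DHCP lease time or live hosts get deleted.
dnscmd $dnsServer /Config $zone /Aging 1
dnscmd $dnsServer /Config $zone /NoRefreshInterval 168   # 7 days
dnscmd $dnsServer /Config $zone /RefreshInterval 168     # 7 days

# Server level: how often this server runs the scavenger at all. This is the
# "Scavenge stale resource records" setting in the server's properties.
dnscmd $dnsServer /Config /ScavengingInterval 168

# Verify the zone and server settings.
dnscmd $dnsServer /ZoneInfo $zone | Select-String 'aging|refresh'
dnscmd $dnsServer /Info /ScavengingInterval

# Preview: dynamic records carry an [Aging:<timestamp>] marker in the zone dump;
# static records have no timestamp and are never scavenged.
dnscmd $dnsServer /ZonePrint $zone | Select-String '\[Aging:'
```

Scavenging deletes records, so check the preview list on the zone first; a too-short interval removes entries for hosts that are merely powered off, and their names can then be re-registered by a different machine.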

How do you check the most recent user accounts authenticated by a Read Only Domain Controller?

Using the AD Users and Computers console, connect to the writable DC in the domain.

How do you perform an authoritative restore on a 2008 R2 DC at the 2003 forest functional level?

One has to restore the required objects from a System State backup.
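The restore sequence for this question and the earlier "restore a deleted OU" one, as an added example that is not part of the original post. At the 2003 forest level the Recycle Bin is not available, so a system state restore marked authoritative for the deleted subtree is the only way back. Run it in Directory Services Restore Mode on the DC; the backup version and the OU DN are placeholders.

```powershell
# Added example (not from the original post): authoritative restore of one OU.
# Run in Directory Services Restore Mode. Version id and DN are placeholders.
$deletedOu = 'OU=Sales,DC=contoso,DC=example'

# 1. Find a system state backup taken before the deletion.
wbadmin get versions

# 2. Non-authoritative restore of the system state from that backup.
#    Replace the version id with one from the list above. Do NOT reboot yet.
wbadmin start systemstaterecovery -version:01/01/2024-02:00 -quiet

# 3. Mark only the deleted subtree as authoritative, so the restored copy wins
#    over the tombstones on every other DC once this DC replicates again.
#    ntdsutil takes its commands as arguments; the DN is quoted for ntdsutil.
ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree `"$deletedOu`"" quit quit

# 4. Reboot into normal mode, then confirm the OU is back and replication is clean.
# Restart-Computer
# Import-Module ActiveDirectory
# Get-ADOrganizationalUnit -Identity $deletedOu
# repadmin /showrepl
```

Marking only the subtree (rather than the whole database) authoritative keeps every other change made since the backup, which is why the DN is supplied explicitly.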

How do you restore a DC from a complete hard disk failure, provided you have a full hard disk backup?

  1. Replace the crashed HDD with the latest backup HDD having all the required data, especially the system state information.
  2. Restart the computer with the Windows install media.
  3. Select the Repair option (similar to any Windows Server restore).
  4. Run the WBAdmin tool for restoration.

How do you verify that a GPO change (addition of a new logon script) got replicated to all DCs?

  1. Check the gpt.ini file under the SYSVOL path for the GUID of the policy.
  2. Using ADSIEdit, verify the version number of the policy object at: CN=<GUID>,CN=Policies,CN=System,DC=<Domain>,DC=<Suffix>
  3. Both the gpt.ini version and the ADSI version number should match, indicating the changes have been replicated successfully.

Path of the file: \\<ServerName or IP address>\sysvol\<domain.suffix>\Policies\<Policy GUID>\gpt.ini

Sample gpt.ini entries:

  [General]
  Version=845373
  displayName=<GPOName>
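The check above automated across every DC in the domain, as an added example that is not from the original post: it reads the gpt.ini version from each DC's own SYSVOL share and the versionNumber attribute from that same DC's copy of AD, and splits the number into its user and computer halves. GPO name and domain are placeholders; it uses the ActiveDirectory and GroupPolicy modules of 2008 R2.

```powershell
# Added example (not from the original post): compare gpt.ini and AD versionNumber
# of one GPO on every DC. The GPO name is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'Logon Script Policy'
$domain  = Get-ADDomain
$gpoGuid = "{$((Get-GPO -Name $gpoName).Id)}"

# The version is one 32-bit number: user version in the high 16 bits, computer
# version in the low 16 bits. PowerShell 2 has no -shr, so use arithmetic.
function Split-GpoVersion([int]$v) {
    New-Object PSObject -Property @{
        User     = [math]::Floor($v / 65536)
        Computer = $v % 65536
    }
}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # SYSVOL copy held by this DC.
    $ini     = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\gpt.ini"
    $sysvolV = [int]((Get-Content $ini | Where-Object { $_ -match '^Version=' }) -replace '^Version=', '')

    # AD copy read from this same DC, not from whichever DC the locator picks.
    $adV = [int]([ADSI]"LDAP://$dc/CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)").versionNumber.Value

    $s = Split-GpoVersion $sysvolV
    $state = if ($sysvolV -eq $adV) { 'in sync' } else { 'MISMATCH' }
    '{0,-22} sysvol {1} (user {2}/computer {3})  AD {4}  {5}' -f $dc, $sysvolV, $s.User, $s.Computer, $adV, $state
}
```

A mismatch on one DC only usually means SYSVOL (FRS/DFSR) and AD replication are out of step on that DC; clients serviced by it will keep running the old logon script until the two catch up.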

What is your recommendation for ensuring that the DNS server in a branch office can update and resolve DNS queries for a primary DNS zone even in the event of a WAN link failure?

In order to withstand WAN unreliability, one has to have the ability to update the DNS entries even when disconnected from the primary DNS zone servers. This can be achieved by configuring the DNS zones as AD-integrated. Thus my recommendation is to convert the existing primary/secondary DNS zones into AD-integrated DNS zones.
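An added example (not from the original post) covering this recommendation and the earlier question about allowing only authenticated users to update Host (A) records: with dnscmd it converts a standard primary zone to AD-integrated, sets the replication scope so the branch DC holds a writable copy, and restricts dynamic updates to secure (authenticated) ones, which is an option only AD-integrated zones offer. Names are placeholders; run it against a DC that holds the zone as standard primary.

```powershell
# Added example (not from the original post): standard primary -> AD-integrated,
# forest-wide replication, secure dynamic updates only. Names are placeholders.
$dnsServer = 'DC01'
$zone      = 'contoso.example'

# Zone type: standard primary -> AD-integrated primary. Every DC running DNS
# then holds a writable copy, so the branch keeps updating and resolving when
# the WAN is down. Any old secondary copy of the zone on the branch DC must be
# deleted afterwards so it loads the AD-integrated one instead.
dnscmd $dnsServer /ZoneResetType $zone /DsPrimary

# Replication scope: ForestDnsZones reaches all DNS servers in the forest.
# Use /Domain instead if only this domain's DCs should carry the zone.
dnscmd $dnsServer /ZoneChangeDirectoryPartition $zone /Forest

# Dynamic updates: 0 = none, 1 = nonsecure and secure, 2 = secure only.
# "Secure only" accepts updates solely from authenticated computers, and the
# record's ACL then lets only its owner change it later.
dnscmd $dnsServer /Config $zone /AllowUpdate 2

# Verify the three settings.
dnscmd $dnsServer /ZoneInfo $zone | Select-String 'integrated|update|directory partition'
```

Secure-only updates are the part that matters for security: with nonsecure updates enabled, any host on the network can overwrite another host's A record and redirect its traffic.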

How do you configure IIS security settings in a GPO?

  1. Export the settings on the IIS server to create a security template.
  2. Import the security template into the GPO.
  3. Link the GPO to the OU containing the required IIS servers.
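Step 1 above done with secedit, plus a drift check against a second server before the template is imported, as an added example not taken from the original post. Paths are placeholders; step 2 (importing the .inf into the GPO) remains a Group Policy editor action.

```powershell
# Added example (not from the original post): export a security template from the
# reference IIS server and analyze another server against it. Paths are placeholders.
$template = 'C:\Templates\iis-baseline.inf'
$dbFile   = 'C:\Templates\iis-check.sdb'
$logFile  = 'C:\Templates\iis-check.log'
New-Item -ItemType Directory -Path (Split-Path $template) -Force | Out-Null

# Step 1, on the reference server: dump its effective security settings
# (account/audit policy, user rights, registry and file ACLs) to an .inf file.
secedit /export /cfg $template /areas SECURITYPOLICY USER_RIGHTS REGKEYS FILESTORE

# On a second IIS server: compare instead of apply. Differences go to the log,
# which is what you review before importing the template into the GPO.
secedit /analyze /db $dbFile /cfg $template /log $logFile
Get-Content $logFile | Select-String 'Mismatch|Not Configured' | Select-Object -First 40

# Only after review: apply locally as a test, or import the .inf into the GPO
# (Security Settings > Import Policy) and link the GPO to the IIS servers OU.
# secedit /configure /db $dbFile /cfg $template /log $logFile
```

Exporting from a server that was hardened by hand captures whatever state it is in, mistakes included, so the analyze step against a second server is the cheap way to catch an unintended setting before the GPO pushes it everywhere.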

How do you log in to an external domain for which an AD trust has been set up?

One has to log in using the User Principal Name (UPN), like username@domain.suffix, to an external domain that trusts your domain.

How do you fix "This user account has expired"?

Modify the properties of the user account to set the account to never expire.
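The fix above with the 2008 R2 ActiveDirectory module, together with a proactive check for accounts that are about to hit the same error, as an added example (not from the original post). The user name is a placeholder.

```powershell
# Added example (not from the original post): clear one account's expiry and list
# accounts that are expired or expiring soon. The user name is a placeholder.
Import-Module ActiveDirectory

$user = 'jdoe'

# What "account never expires" does in the GUI: remove the accountExpires date.
Clear-ADAccountExpiration -Identity $user
Get-ADUser $user -Properties AccountExpirationDate | Select-Object SamAccountName, AccountExpirationDate

# For contractors, extending the date is safer than "never":
# Set-ADAccountExpiration -Identity $user -DateTime (Get-Date).AddMonths(6)

# Proactive check: accounts already expired, and those expiring within 7 days.
Search-ADAccount -AccountExpired -UsersOnly | Select-Object SamAccountName, AccountExpirationDate
Search-ADAccount -AccountExpiring -TimeSpan 7.00:00:00 -UsersOnly | Select-Object SamAccountName, AccountExpirationDate
```

Running the expiring-soon query weekly turns the error into a planned renewal instead of a help-desk call, and keeps expiry dates in use rather than being replaced by "never" one ticket at a time.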

What forest functional level is required to support the Active Directory Recycle Bin feature?

One has to run the Windows Server 2008 R2 forest functional level for Active Directory Recycle Bin support. That means all your domain controllers must be running Windows Server 2008 R2.
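An added example (not from the original post) that checks the prerequisite stated above on every DC in the forest, raises the domain and forest functional levels, and enables the Recycle Bin with the 2008 R2 ActiveDirectory module. Both level changes are one-way and require Enterprise Admins.

```powershell
# Added example (not from the original post): verify all DCs are 2008 R2, raise
# the functional levels and enable the Recycle Bin.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Every DC in every domain of the forest must run 2008 R2 first.
$dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$old = $dcs | Where-Object { $_.OperatingSystem -notmatch '2008 R2' }
if ($old) {
    'Cannot proceed; these DCs are not Windows Server 2008 R2:'
    $old | Select-Object HostName, Domain, OperatingSystem
    return
}

# Each domain level must be 2008 R2 before the forest level can be raised.
foreach ($d in $forest.Domains) {
    if ((Get-ADDomain $d).DomainMode -ne 'Windows2008R2Domain') {
        Set-ADDomainMode -Identity $d -DomainMode Windows2008R2Domain -Confirm:$false
    }
}
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# The Recycle Bin is an optional feature and stays off until enabled explicitly.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false

# Verify
Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin*"' | Select-Object Name, EnabledScopes
```

Once enabled, a deleted object can be brought back with Restore-ADObject while it is within the deleted-object lifetime, without the DSRM restore described for the 2003 forest level earlier on this page.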

Where do you manage the Password Replication Policy for a Read Only Domain Controller (RODC)?

In Active Directory Users and Computers, go to the Domain Controllers OU, select the RODC server object, and under its properties control the list of user/group objects that are configured for password replication to that RODC.
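The same Password Replication Policy from the command line with `repadmin /prp`, as an added example (not from the original post) that also answers the earlier question about which accounts recently authenticated through an RODC. Run against a writable DC; RODC, group and user names are placeholders. The `/prp move` line is my reading of the repadmin help and should be checked with `repadmin /prp /?` before use.

```powershell
# Added example (not from the original post): view and edit an RODC's Password
# Replication Policy with repadmin. Names are placeholders.
$rodc  = 'RODC01'
$group = 'CONTOSO\Branch01 Users'

# Current policy: accounts allowed / denied to have secrets cached on this RODC.
repadmin /prp view $rodc allow
repadmin /prp view $rodc deny

# Accounts that have authenticated through this RODC ("auth2"), cacheable or
# not, and accounts whose secrets are actually cached on it ("reveal").
# Reviewing these two lists is the point of the PRP: a stolen RODC exposes only
# the "reveal" set, so it should contain branch users and nothing privileged.
repadmin /prp view $rodc auth2
repadmin /prp view $rodc reveal

# Allow the branch users' group (the "Add" button in the RODC's properties).
repadmin /prp add $rodc allow $group

# After review, accounts from the auth2 list that should be cacheable can be
# moved into a new allowed group so the branch keeps working during a WAN outage:
# repadmin /prp move $rodc <NewGroupName> /users_only
```

If a privileged account ever shows up in the "reveal" list, reset its password: the RODC's copy of the old secret is then worthless even if the RODC is later compromised.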

How do you Install an application

With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.

Reference: Dsdbutil.exe
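Creating that installation media with dsdbutil and using it for a new AD LDS replica, as an added example that is not part of the original post. Instance name, paths, ports and the source server are placeholders; the answer-file keys are my assumption from the AD LDS unattended-install reference and should be checked against `adaminstall /?` on your build.

```powershell
# Added example (not from the original post): AD LDS install-from-media.
# Instance name, paths, ports and host names are placeholders.
$instance = 'ADAM_App1'
$ifmDir   = 'D:\IFM\App1'

# dsdbutil takes its commands as arguments, like ntdsutil. "create full" writes a
# consistent copy of just this instance's database to $ifmDir.
dsdbutil "activate instance $instance" ifm "create full $ifmDir" quit quit

# What was produced (the database and its registry/ADAM files).
Get-ChildItem -Recurse $ifmDir | Select-Object FullName, Length

# On the new server, an unattended replica install points at the media through
# ReplicationDataSourcePath, so the initial copy comes from disk, not the WAN.
# (Answer-file keys assumed from the AD LDS unattended-install reference.)
$answer = @"
[ADAMInstall]
InstallType=Replica
InstanceName=$instance
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
SourceServer=ldshost1.contoso.example
SourceLDAPPort=50000
ReplicationDataSourcePath=$ifmDir
"@
Set-Content -Path "$ifmDir\replica.txt" -Value $answer -Encoding ASCII
# adaminstall "/answer:$ifmDir\replica.txt"
```

The media contains the directory database, so treat the IFM folder like a backup: restrict its ACL and delete it once the replica has been installed.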
