Server 2
1. Which of the following is the default authentication protocol for non-domain computers? a. NTLM b. PAP c. CHAP d. Kerberos
Answer: A Difficulty: Easy Section Ref: Configuring Server Authentication Explanation: Although Kerberos is the default authentication protocol for today's domain computers, NTLM is the default authentication protocol for Windows NT, standalone computers that are not part of a domain, and situations in which you authenticate to a server using an IP address.
9. How many PDC Emulators are required in a domain? a. one b. two c. three d. four
Answer: A Difficulty: Easy Section Ref: Managing Operations Masters Explanation: A domain requires just one Primary Domain Controller Emulator.
6. Which of the following is the PowerShell cmdlet that installs a domain controller to the domain "adatum.com"? a. Install-AddsForest -DomainName "adatum.com" b. Install-AddsDomainController -DomainName "adatum.com" c. Install-AddsDomain -DomainName "adatum.com" d. Install-WindowsFeature -DomainName "adatum.com"
Answer: A Difficulty: Hard Section Ref: Installing AD DS on Server Core Explanation: In its simplest form, the following command installs a domain controller for a new forest called adatum.com: Install-AddsForest -DomainName "adatum.com"
13. How many global catalogs are recommended for every organization? a. at least one b. at least two c. at least three d. no fewer than four
Answer: B Difficulty: Medium Section Ref: Configuring the Global Catalog Explanation: Initially, it was recommended to have global catalogs at every site. Nonetheless, every organization should have at least two global catalogs for fault tolerance.
5. Which of the following is the global catalog? a. The schema that lists what objects and attributes exist in the AD DS forest b. An index of all AD DS objects in a forest c. A list of all domain controllers currently available d. A matrix of all domains, sites, and domain controllers
Answer: B Difficulty: Medium Section Ref: Configuring the Global Catalog Explanation: The global catalog is an index of all AD DS objects in a forest that prevents systems from having to perform searches among multiple domain controllers.
4. Which of the following is the only OU created by default after installing Active Directory? a. Users OU b. Domain Controllers OU c. Global OU d. Computers OU
Answer: B Difficulty: Medium Section Ref: Creating and Managing Organizational Units Explanation: After you install Active Directory Domain Services (AD DS), only one OU is in the domain, by default: the Domain Controllers OU. The domain administrator must create all other OUs.
8. Which of the following is the process of confirming that a user has the correct permissions to access one or more network resources? a. permission b. authorization c. delegation d. authentication
Answer: B Difficulty: Medium Section Ref: Creating and Managing User Objects Explanation: Authorization is the process of confirming that an authenticated user has the correct permissions to access one or more network resources.
16. Which command-line utility can create new user accounts by importing information from a comma-separated value file? a. New-ADUser b. CSVDE.exe c. Active Directory Administrative Center d. Dsadd.exe
Answer: B Difficulty: Medium Section Ref: Creating and Managing User Objects Explanation: CSVDE is a utility that imports AD DS information from a comma-separated value file and uses it to add, delete, or modify objects, in addition to modifying the schema, if necessary.
6. Which of the following is the default maximum allowable time lapse between domain controllers and client systems for Kerberos to work correctly? a. 1 minute b. 5 minutes c. 15 minutes d. 45 minutes
Answer: B Difficulty: Medium Section Ref: Managing Kerberos Explanation: For all of this to work and to ensure security, the domain controllers and clients must have the same time. Windows operating systems include the Time Service tool (W32Time service). Kerberos authentication will work if the time interval between the relevant computers is within the maximum enabled time parameters. The default is five minutes.
18. Which Kerberos setting defines the maximum lifetime ticket for a Kerberos TGT ticket? a. maximum lifetime for service ticket b. maximum lifetime for user ticket c. maximum lifetime for user ticket renewal d. maximum tolerance for computer clock synchronization
Answer: B Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum lifetime for user ticket defines the maximum lifetime ticket for a Kerberos TGT ticket (user ticket). The default lifetime is 10 hours.
5. Kerberos security and authentication are based on which type of technology? a. secure transmission b. secret key c. challenge-response d. legacy code
Answer: B Difficulty: Medium Section Ref: Managing Kerberos Explanation: With Kerberos, security and authentication are based on secret-key technology. Every host on the network has its own secret key.
11. When you add attributes to an Active Directory object, which part of the domain database are you actually changing? a. FSMO b. schema c. directory structure d. organizational units
Answer: B Difficulty: Medium Section Ref: Managing Operations Masters Explanation: When you add attributes to an Active Directory object, you change the schema of the domain database.
8. What happens when a client submits a service ticket request for an SPN that does not exist in the identity store? a. An event is written to the Kerberos server's event log. b. The client receives an access denied error. c. The Kerberos server receives an access denied error. d. The Kerberos ticket for that service is destroyed.
Answer: B Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: If a client submits a service ticket request for an SPN that does not exist in the identity store, no service ticket can be established and the client throws an access denied error.
10. Regarding the default groups that are created when Active Directory is installed, what are their types? a. Distribution groups b. Security groups c. Domain groups d. All the above
Answer: B Difficulty: Medium Section Ref: Understanding Default Groups Explanation: All the default groups are security groups. Active Directory does not include any default distribution groups.
14. Some of the following groups might grant or deny permissions to any resource located in any domain in the forest. Of them, which membership is replicated only in the domain controllers of the same domain? a. Universal groups b. Global groups c. Domain local groups d. Distribution groups
Answer: B Difficulty: Medium Section Ref: Understanding Group Scopes Explanation: You can use global groups to grant or deny permissions to any resource located in any domain in the forest. You accomplish this by adding the global group as a member of a domain local group that has the desired permissions. Global group memberships are replicated only to domain controllers within the same domain.
24. Which of the following is the default minimum password length in characters? a. 5 b. 7 c. 8 d. 10
Answer: B Difficulty: Medium Section Ref: Configuring Domain User Password Policy Explanation: The minimum password length setting defines the minimum number of characters that a user's password must contain. The default value is seven.
14. Which of the following are benefits to using Managed Service Accounts (MSAs)? (Choose two answers) a. Microsoft technology b. automatic password management c. simplified SPN management d. simplified account troubleshooting
Answer: B and C Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: To simplify administration, MSAs provide automatic password management and simplified SPN management.
14. Which of the following must be done to Windows Server to convert it to a domain controller? (Choose two answers) a. Install Server Manager. b. Install Active Directory Domain Services (AD DS). c. Install DNS. d. Execute dcpromo from Server Manager.
Answer: B and D Difficulty: Medium Section Ref: Understanding Active Directory Explanation: A domain controller is a Windows server that stores a replica of the account and security information for the domain and defines the domain boundaries. To make a computer running Windows Server 2016 a domain controller, you must install AD DS and execute dcpromo from Server Manager.
19. Which type of system must be connected to and used to make changes to Active Directory? a. RODC b. Forest Master c. writable domain controller d. domain tree
Answer: C Difficulty: Easy Section Ref: Installing and Configuring an RODC Explanation: Because the RODC can only read the Active Directory database, you need to connect to a writable domain controller to make changes to that Active Directory.
12. Which type of account is an account under which an operating system, process, or service runs? a. user b. system c. service d. network
Answer: C Difficulty: Easy Section Ref: Managing Service Accounts Explanation: A service account is an account under which an operating system, process, or service runs.
11. Which of the following is another utility that you can use to add SPNs to an account? a. dnscmd b. spnedit c. setspn d. netsh
Answer: C Difficulty: Easy Section Ref: Managing Service Principal Names Explanation: You can use setspn.exe to add SPNs to an account.
2. What does the acronym NTLM stand for? a. NT Link Messenger b. NT Link Manager c. NT LAN Manager d. NT LAN Messenger
Answer: C Difficulty: Easy Section Ref: Understanding NTLM Authentication Explanation: NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.
15. Where are you most likely to see a Read-Only Domain Controller (RODC)? a. In a small network instead of in an enterprise b. In an enterprise network c. In a remote site d. In the place of a standard domain controller
Answer: C Difficulty: Medium Section Ref: Installing and Configuring an RODC Explanation: An RODC was created to be used in places where a domain controller is needed but the physical security of the domain controller could not be guaranteed. For example, it might be placed in a remote site that is not very secure and has a slower WAN link. Because it has a slow WAN link, a local domain controller would benefit the users at that site.
20. Which Kerberos setting defines how long a service or user ticket can be renewed? a. maximum lifetime for service ticket b. maximum lifetime for user ticket c. maximum lifetime for user ticket renewal d. maximum tolerance for computer clock synchronization
Answer: C Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum lifetime for user ticket renewal defines how long a service or user ticket can be renewed. By default, it can be renewed up to 7 days.
7. Which special DNS resource record enables clients to locate domain controllers and other vital AD DS services? a. AAAA b. MX c. SRV d. NS
Answer: C Difficulty: Medium Section Ref: Troubleshooting DNS SRV Registration Failure Explanation: DNS is essential to the operation of AD DS. To accommodate directory services such as AD DS, a special DNS resource record (SRV) was created to enable clients to locate domain controllers and other vital AD DS services.
3. Which of the following is the next level of Active Directory container object below a domain? a. Organizational unit b. Group c. Subdomain d. Forest
Answer: A Explanation: An organizational unit (OU) is a container object that functions in a subordinate capacity to a domain, similar to a subdomain, but without the complete separation of security policies. As container objects, OUs can contain other OUs, as well as leaf objects.
16. Which of these groups' memberships is stored in the global catalog? a. Universal groups b. Global groups c. Domain local groups d. Distribution groups
Answer: A Difficulty: Hard Section Ref: Understanding Group Scopes Explanation: A key point in the application and utilization of universal groups is that group memberships in universal groups should not change frequently, because universal groups are stored in the global catalog. Changes to universal group membership lists are replicated to all global catalog servers throughout the forest. If these changes occur frequently, the replication process can consume a significant amount of bandwidth, especially on relatively slow and expensive wide area network (WAN) links.
25. Which of the following is a setting you can configure for account lockout duration that requires an administrator to manually unlock the account? a. 0 b. 10 c. 99 d. 99,999
Answer: A Difficulty: Medium Section Ref: Configuring Account Lockout Settings Explanation: The account lockout duration determines the length of time a lockout will remain in place before another logon attempt can be made. This can be set from 0 to 99,999 minutes. If set to 0, an administrator will need to unlock the account manually.
20. Which version of Windows Server introduced incremental universal group membership replication? a. Windows Server 2003 b. Windows Server 2008 c. Windows Server 2012 d. Windows Server 2012 R2 e. Windows Server 2016
Answer: A Difficulty: Medium Section Ref: Configuring the Global Catalog Explanation: Since Windows Server 2003, incremental universal group membership replication was introduced, which significantly decreased the amount of replication traffic of universal groups.
10. When would administrators choose to use a User Template? a. When an administrator wants to save time while creating single users with many attributes b. When an administrator wants to save task steps while delegating user creation to other users c. When an administrator wants to ensure quality assurance in creating new objects d. When an administrator is accustomed to using User Templates
Answer: A Difficulty: Medium Section Ref: Copying Users and Configuring User Templates Explanation: In some cases, you need to create single users on a regular basis, but the user accounts contain so many attributes that creating them individually becomes time-consuming. One way to speed up the creation of complex user objects is to use the New-ADUser cmdlet or the Dsadd.exe program and retain your commands in a script or batch file. However, if you prefer a graphical interface, you can do roughly the same thing by creating a user template.
2. Which of the following is the PowerShell cmdlet used to create user objects? a. New-ADUser b. CSVDE.exe c. LFIFDE.exe d. Dsadd.exe
Answer: A Difficulty: Medium Section Ref: Creating Single Users Explanation: Windows PowerShell provides a cmdlet called New-ADUser, which you can use to create a user account and configure any or all the attributes associated with it.
18. Which of the following are containers in a domain that allow you to organize and group resources for easier administration, including providing for delegating administrative rights? a. organizational units b. domains c. domain trees d. forests
Answer: A Difficulty: Medium Section Ref: Creating and Managing Organizational Units Explanation: Organizational units serve as containers in a domain that allow you to organize and group resources for easier administration, including providing for delegating administrative rights.
4. Which of the following are types of user accounts in Windows Server 2016? (Choose two answers) a. local and domain b. domain and group c. authenticated and unauthorized d. shared and unique
Answer: A Difficulty: Medium Section Ref: Creating and Managing User Objects Explanation: Two types of user accounts exist on Windows Server 2016 systems: local users and domain users. Local users can only access resources on the local system, while domain users can access AD DS or network-based resources, such as shared folders and printers.
4. Which type of protocol is Kerberos? a. a secure network authentication protocol b. a simple Microsoft-only protocol c. a uni-directional authentication protocol d. a certificate-based authentication protocol
Answer: A Difficulty: Medium Section Ref: Managing Kerberos Explanation: Kerberos is a computer network authentication protocol that allows hosts to prove their identity securely over a non-secure network.
10. You do not place the infrastructure master on a global catalog server unless which of the following exists? a. You have a single domain. b. You have Windows NT 4.0 systems to support. c. You have multiple schemas. d. Your AD DS is Windows 2008 or higher.
Answer: A Difficulty: Medium Section Ref: Managing Operations Masters Explanation: Do not place the infrastructure master on a global catalog server unless you have only one domain or all the domain controllers in your forest are also global catalogs.
13. Which of the following is not an example of a special identity? a. Dialup Service b. Creator Owner c. Authenticated Users d. Anonymous Logon
Answer: A Difficulty: Medium Section Ref: Understanding Special Identities Explanation: Special identities exist on all computers running Windows Server 2016. These are not groups because you cannot create them, delete them, or directly modify their memberships. Special identities do not appear as manageable objects in the AD DS utilities, but you can use them like groups, by adding them to the ACLs of system and network resources.
7. The Delegation of Control Wizard is capable of which of the following permissions? a. granting b. modifying c. removing d. all the above
Answer: A Difficulty: Medium Section Ref: Using OUs to Delegate Active Directory Management Tasks Explanation: Although you can use the Delegation of Control Wizard to grant permissions, you cannot use it to modify or remove permissions. To perform these tasks, you must use the interface provided in the Security tab in the AD DS object's Properties sheet.
8. In Windows Server 2016, after a user logs on to Active Directory, which of the following is created that identifies the user and all the user's group memberships? a. An access token b. An access control entry c. An authentication token d. A universal group
Answer: A Difficulty: Medium Section Ref: Working With Groups Explanation: In Windows Server 2016, after a user logs on to Active Directory, an access token is created that identifies the user and all the user's group memberships. Domain controllers use this access token to verify a user's permissions when the user attempts to access a local or network resource.
22. Why must an RODC be able to connect to at least one Windows Server 2008 or higher domain controller? (Choose all that apply) a. To replicate the domain partition b. To replicate the global catalog partition c. So that the Password Replication Policy (PRP) applied to the RODC can be configured and enforced d. So that the SYSVOL folder can be replicated using Distributed File System Replication (DFSR)
Answer: A and C Difficulty: Hard Section Ref: Installing and Configuring an RODC Explanation: Read-only domain controllers can only pull the domain partition from a writable Windows Server 2008 or higher domain controller. Additionally, a connection to a writable Windows Server 2008 or higher domain controller is required because the Password Replication Policy (PRP) applied to the RODC can be configured and enforced only from such a writable domain controller.
13. When creating accounts for operating systems, processes, and services, you should always configure them with which of the following in mind? (Choose two answers) a. using strong passwords b. using cryptic user names c. granting the least rights possible d. using built-in accounts
Answer: A and C Difficulty: Medium Section Ref: Creating and Configuring Service Accounts Explanation: To reduce the risk of using service accounts, you should use a strong password for the service account and make sure that the password changes often. Also, give the account the least amount of access (user rights, NTFS permissions, and share permissions) that it needs to perform its necessary tasks.
16. Which of the following commands issued at the fsmo maintenance prompt would successfully seize the role of an Operations Master Holder? (Select all that apply) a. seize schema master b. seize global master c. seize PDC d. seize domain control
Answer: A and C Difficulty: Medium Section Ref: Seizing the Operations Masters Role Explanation: At the fsmo maintenance prompt, the seize schema master command and the seize PDC command would each seize the role of an Operations Master Holder.
10. Which of the following are restrictions for adding SPNs to an account? (Choose two answers) a. Domain Administrator privileges b. full control permissions for the folder c. local administrator privileges d. the editor runs from the domain controller
Answer: A and D Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: To configure an SPN for a service or application pool account, you must have domain administrative permissions or a delegation to modify the ServicePrincipalName property. You also must run ADSI Edit from a domain controller.
21. Which of the following are examples of password policies? (Choose all that apply) a. history b. length c. complexity d. age
Answer: A, B, C and D Difficulty: Easy Section Ref: Configuring Domain User Password Policy Explanation: The first folder under Account Policies is for password policies. Password policies include enforced password history, maximum password age, minimum password age, minimum password length, and complexity requirements.
21. The global catalog stores a partial copy of all objects in the forest. Which tasks are improved by using that partial copy? (Select all that apply) a. logons b. object searches c. universal group membership d. schema integrity
Answer: A, B, and C Difficulty: Hard Section Ref: Configuring the Global Catalog Explanation: The global catalog has a partial copy of all objects for all other domains in the forest. The partial copy of all objects is used for logon, object searches, and universal group membership.
18. Which utility must be run on a cloned system to ensure that the clone receives its own SID? a. adprep /renew b. sysprep c. dcpromo d. ntconfig
Answer: B Difficulty: Easy Section Ref: Cloning a Domain Controller Explanation: Previously, if you cloned a server, the clone ended up with the same SID as the original, which is unsupported within the same domain or forest. You would then have to run sysprep, which removes the unique security information, before cloning, and then promote the domain controller manually. When you clone a domain controller, you perform safe cloning, in which the cloned domain controller automatically runs a subset of the sysprep process and promotes itself to a domain controller automatically.
22. Which of the following is the primary reason to put account lockout policies into place? a. privacy b. security c. policy d. regulations
Answer: B Difficulty: Easy Section Ref: Configuring Account Lockout Settings Explanation: With enough time, a hacker can crack any password. To help prevent password cracking, you can limit how many times a hacker can guess a password before the account is locked.
1. Resource access for individuals takes place through which of the following? a. computer accounts b. user accounts c. authentication d. shared folders
Answer: B Difficulty: Easy Section Ref: Creating and Managing User Objects Explanation: Resource access for individuals takes place through their individual user accounts. To gain access to the network, prospective network users must authenticate to a network with a specific user account.
13. Which of the following is the SAM account name and the User Principal Name for the account [email protected]? a. SAM account name is [email protected], and the User Principal Name is ella b. SAM account name is ella, and the User Principal Name is [email protected] c. Both the SAM account name and the User Principal Name are: [email protected] d. Both the SAM account name and the User Principal Name are: ella
Answer: B Difficulty: Hard Section Ref: Creating Single Users Explanation: The SAM account name refers to each user's login name—the portion to the left of the "@" within a User Principal Name—which is ella in [email protected]. The SAM account name must be unique across a domain.
12. Which of the following would be the distinguished name (DN) for a user named Ella Parker, whose user account resides in the Marketing OU of the adatum.com domain? a. cn=Ella Parker,dc=adatum,dc=com b. cn=Ella Parker,ou=Marketing,dc=adatum,dc=com c. dn=Ella Parker,dc=adatum,dc=com d. dn=Ella Parker,ou=Marketing,dc=adatum,dc=com
Answer: B Difficulty: Hard Section Ref: Creating Single Users Explanation: The distinguished name of an object signifies its relative location within the Active Directory structure. For example, in the distinguished name cn=Ella Parker,ou=Marketing,dc=adatum,dc=com, the "cn" refers to the common name for Ella Parker's user account, which resides in the Marketing OU, which resides in the adatum.com domain. Each object has a unique DN.
12. Which of the following default groups is a universal group? a. Certificate Publishers b. Enterprise Admins c. Domain Users d. Domain Admins
Answer: B Difficulty: Hard Section Ref: Understanding Default Groups Explanation: Enterprise Admins, which exists only in the forest root domain, is added to the Administrators group on all domain controllers in the forest. Enterprise Admins is a universal group.
2. What is a key difference between a domain tree hierarchy and the organizational unit (OU) hierarchy within a domain? a. Ability to apply Group Policy b. Members allowed within c. Inheritance d. Membership
Answer: C Difficulty: Hard Section Ref: Creating and Managing Organizational Units Explanation: One of the critical differences between a domain tree hierarchy and the OU hierarchy within a domain is inheritance. When you assign Group Policy settings to a domain, the settings apply to all the leaf objects in that domain, but not to the subdomains that are subordinate to it. However, when you assign Group Policy settings to an OU, the settings apply to all the leaf objects in the OU and are inherited by any subordinate OUs it contains.
7. The LDIFDE.exe utility is most similar to which other utility? a. Microsoft Excel b. Active Directory Administrative Center (ADAC) c. CSVDE.exe d. Dsadd.exe
Answer: C Difficulty: Hard Section Ref: Introducing User Creation Tools Explanation: LDAP Data Interchange Format Directory Exchange (LDIFDE.exe): Like CSVDE, this utility imports AD DS information and uses it to add, delete, or modify objects, in addition to modifying the schema, if necessary.
6. Members of a universal group can come from which of the following? a. from different organizational units b. from different domains c. from trusted forests d. only from within the domain
Answer: C Difficulty: Hard Section Ref: Understanding Group Scopes Explanation: If a cross-forest trust exists, universal groups can contain similar accounts from a trusted forest. Universal groups, like global groups, can organize users according to their resource access needs. You can use them to provide access to resources located in any domain in the forest through the use of domain local groups.
16. Which of the following is the format for a virtual account used with Windows Server 2016? a. domainname\servicename b. computername\servicename c. NT Service\servicename d. NT Service\servicename$
Answer: C Difficulty: Medium Section Ref: Configuring Virtual Accounts Explanation: A virtual account is an account that emulates a Network Service account that has the name NT Service\servicename. The virtual account has simplified service administration, including automatic password management, and simplified SPN management.
6. Can a domain user, who does not possess explicit object creation permissions, create computer objects, such as workstations or servers? a. No, not without the object creation permission b. Yes, an authenticated user can create a server object, after authenticating to a different domain server c. Yes, authenticated users can create workstation, but not server objects d. Can create workstation and server objects
Answer: C Difficulty: Medium Section Ref: Creating Computer Objects While Joining Explanation: Domain users can create computer objects themselves through an interesting, indirect process. The Default Domain Controllers Policy GPO grants a user right called Add Workstations To The Domain to the Authenticated Users special identity. Any user who is successfully authenticated to Active Directory is permitted to join up to ten workstations to the domain, and create ten associated computer objects, even if the user does not possess explicit object creation permissions. In the Add Workstations To The Domain user right, "workstations" is the operative word: authenticated users can add up to ten workstations to the domain, but not servers.
11. Which user creation tool incorporates new features such as the Active Directory Recycle Bin and fine-grained password policies? a. Active Directory Users and Computers console b. Windows PowerShell c. Active Directory Administrative Center (ADAC) d. LDIFDE.exe
Answer: C Difficulty: Medium Section Ref: Creating Single Users Explanation: The ADAC application was first introduced in Windows Server 2008 R2 to fully incorporate newer features such as the Active Directory Recycle Bin and fine-grained password policies. You can also use the tool to create and manage AD DS user accounts.
15. Which graphical tool can create user and computer accounts in Windows Server 2016? a. New-ADUser b. CSVDE c. Active Directory Administrative Center d. Dsadd e. Computer Management console f. Active Directory Management console
Answer: C Difficulty: Medium Section Ref: Creating Single Users Explanation: Windows Server 2012 redesigned the ADAC application, first introduced in Windows Server 2008 R2, to fully incorporate new features such as the Active Directory Recycle Bin and fine-grained password policies. You can also use the tool to create and manage AD DS user accounts.
15. By default, which service accounts will the Windows PowerShell cmdlets manage? a. standalone MSAs b. standard local service accounts c. group MSAs d. domain user accounts designated as service accounts
Answer: C Difficulty: Medium Section Ref: Creating and Configuring Managed Service Accounts Explanation: The Windows PowerShell cmdlets default to managing the group Managed Service Accounts rather than the original standalone MSAs.
5. Within a domain, the primary hierarchical building block is which of the following? a. The forest b. The group c. The organizational unit d. The user
Answer: C Difficulty: Medium Section Ref: Creating and Managing Organizational Units Explanation: Within a domain, the primary hierarchical building block is the organizational unit (OU). As a general rule, it is easier to build an Active Directory hierarchy by using OUs than it is by using domains.
9. Which of the following guidelines are not best practices for securing the Administrator account? a. Renaming the Administrator account name so as not to distinguish it from nonadministrative accounts b. At least seven characters length and strong complexity for the account password c. Using the Administrator account for daily, non-administrative tasks d. Share the administrator account with only a few, necessary individuals
Answer: C Difficulty: Medium Section Ref: Creating and Managing User Objects Explanation: The following list summarizes several security guidelines you should consider regarding the Administrator account: rename the Administrator account, set a strong password, limit knowledge of administrator passwords to only a few individuals, and do not use the Administrator account for daily non-administrative tasks.
27. Which of the following best describes how to assign Password Settings objects (PSOs) to users? a. Assign the PSOs directly to individual users. b. Assign the PSOs to a new group and add the users to the new group. c. Assign the PSOs to a global security group and add users to the group. d. Assign the PSOs to various Active Directory groups as needed.
Answer: C Difficulty: Medium Section Ref: Delegating Password Settings Management Explanation: To assign a PSO to a user, it is best to assign the PSO to a global security group and then add the user to the global security group.
24. Which of the following is the fundamental component of the Active Directory architecture, functioning as the boundary for virtually all directory functions, including administration, access control, database management, and replication? a. Organizational unit b. Group c. Domain d. Forest
Answer: C Difficulty: Medium Section Ref: Understanding Active Directory Explanation: The domain is the fundamental component of the Active Directory architecture. You can zoom into a domain and create a hierarchy within it, and you can zoom out and create a hierarchy out of multiple domains. In AD DS, domains function by default as the boundaries for virtually all directory functions, including administration, access control, database management, and replication.
11. Which of the following is the group scope of the Domain Admins, Domain Controllers, and Domain Users default groups? a. Distribution b. Universal c. Global d. Domain local
Answer: C Difficulty: Medium Section Ref: Understanding Default Groups Explanation: All three, Domain Admins, Domain Controllers, and Domain Users, are global groups.
15. Which of these groups is used to assign permissions to resources in the same domain? a. Universal groups b. Global groups c. Domain local groups d. Distribution groups
Answer: C Difficulty: Medium Section Ref: Understanding Group Scopes Explanation: Domain local groups are used to assign permissions to resources in the same domain as the domain local group. Domain local groups can make permission assignment and maintenance easier to manage.
3. NTLM uses a challenge-response mechanism for authentication without doing which of the following? a. revealing the client's operating system to the server b. revealing the protocol to the server c. sending a password to the server d. sending an encrypt/decrypt message to the server
Answer: C Difficulty: Medium Section Ref: Understanding NTLM Authentication Explanation: NTLM uses a challenge-response mechanism for authentication in which clients can prove their identities without sending a password to the server.
4. Active Directory uses a naming convention for the domain that mirrors which of the following? a. DHCP b. WINS c. DNS d. files and folders
Answer: C Difficulty: Medium Section Ref: Zooming Out: Domain Trees Explanation: Active Directory uses the Domain Name System (DNS) naming conventions for its domains. You can create an Active Directory domain using the registered domain name you use on the Internet, or you can create an internal domain name, without registering it.
3. Which of the following are the two built-in user accounts created on a computer running Windows Server 2016? a. system and guest b. default and guest c. domain administrator and local administrator d. administrator and guest
Answer: D Difficulty: Easy Section Ref: Creating and Managing User Objects Explanation: By default, two built-in user accounts are created on a computer running Windows Server 2016: the Administrator account and the Guest account. Built-in user accounts can be local accounts or domain accounts, depending on whether the server is a standalone server or a domain controller. In the case of a standalone server, the built-in accounts are local accounts on the server itself. On a domain controller, the built-in accounts are domain accounts that are replicated to each domain controller.
26. By default, who has read/write capability to the Default Domain Policy? a. local administrators b. power users c. domain users d. domain administrators
Answer: D Difficulty: Easy Section Ref: Delegating Password Settings Management Explanation: By default, the Domain Admins group has Read and Write capabilities to the Default Domain Policy.
9. Which tool can be used to add SPNs to an account? a. Notepad b. LDAP c. Microsoft Word d. ADSI Edit
Answer: D Difficulty: Easy Section Ref: Managing Service Principal Names Explanation: You can use ADSI Edit to add SPNs to an account.
23. An Active Directory _____ consists of one or more separate domain trees. a. organizational unit b. group c. domain d. forest
Answer: D Difficulty: Easy Section Ref: Understanding Active Directory Explanation: An Active Directory forest consists of one or more separate domain trees, which have the same two-way trust relationships between them as two domains in the same tree. When you create the first domain on an Active Directory network, you are in fact creating a new forest, and that first domain becomes the forest root domain.
8. The domain controllers are the computers that store and run which of the following? a. user database b. services database c. Managed Service Accounts database d. Active Directory database
Answer: D Difficulty: Easy Section Ref: Understanding Domain Controllers Explanation: The domain controllers are the servers that store and run the Active Directory database.
1. Which of the following is not a group scope? a. Universal groups b. Global groups c. Domain local groups d. Security groups
Answer: D Difficulty: Easy Section Ref: Understanding Group Scopes Explanation: In addition to security and distribution group types, several group scopes are available within Active Directory. Group scopes available in an Active Directory domain include domain local groups, global groups, and universal groups.
17. Which of these groups is not related to security and cannot have permissions assigned to it? a. Universal groups b. Global groups c. Domain local groups d. Distribution groups
Answer: D Difficulty: Easy Section Ref: Understanding Group Types Explanation: Distribution groups are nonsecurity-related groups created for the distribution of information to one or more persons. Active Directory-aware applications can use distribution groups for nonsecurity-related functions. For example, Microsoft Exchange uses distribution groups to send messages to multiple users. Only applications that are designed to work with Active Directory can use distribution groups in this manner.
9. An administrator needs to grant an e-mail distribution group of 100 members access to a database. The e-mail group is obsolete and needs to be deleted. Which of the following describes how to best proceed? a. Assign the necessary access permissions to the database to the distribution group. b. Create a new group with the 100 members, then assign permissions. c. Remove the distribution group, and then convert the members into a universal group, granting access permissions. d. Convert the distribution group to a security group and then assign the group access permissions.
Answer: D Difficulty: Hard Section Ref: Converting Groups Explanation: By converting the distribution group to a security group and assigning permissions to the group, you can provide the project members with access to the common database without having to create a new group and add 100 members to it again.
3. Which of the following is not one of the key reasons for creating organizational units? a. Delegating administration b. Assigning Group Policy settings c. Duplicating organizational divisions d. Assigning permissions to network resources
Answer: D Difficulty: Hard Section Ref: Creating and Managing Organizational Units Explanation: You should create an OU for only the following reasons: delegating administration, assigning Group Policy settings, and duplicating organizational divisions. When you want to grant a collection of users permission to access a network resource, such as a file system share or a printer, you cannot assign permissions to an organizational unit; you must use a security group instead.
17. Beginning with which of the following server versions can you safely deploy domain controllers in a virtual machine? a. Windows Server 2003 b. Windows Server 2008 c. Windows Server 2008 R2 d. Windows Server 2012 e. Windows Server 2016
Answer: D Difficulty: Medium Section Ref: Cloning a Domain Controller Explanation: Starting with Windows Server 2012, you can safely virtualize a domain controller and rapidly deploy virtual domain controllers through cloning.
23. Which of the following is the default setting for password history? a. 6 b. 10 c. 16 d. 24
Answer: D Difficulty: Medium Section Ref: Configuring Domain User Password Policy Explanation: The enforce password history setting defines the number of unique, new passwords that must be associated with a user account before an old password can be reused. The default setting is 24 previous passwords.
17. Which command-line utility requires you to know the SAM account name as well as the user login ID before creating user accounts? a. New-ADUser b. CSVDE.exe c. Active Directory Administrative Center d. Dsadd.exe
Answer: D Difficulty: Medium Section Ref: Creating Single Users Explanation: To create a user by using the Dsadd.exe utility, you must know the distinguished name (DN) for the user and the user's login ID, also known as the SAM account name attribute within AD DS.
5. Which of the following is the process of confirming a user's identity by using a known value such as a password, a smart card, or a fingerprint? a. authorization b. permission c. delegation d. authentication
Answer: D Difficulty: Medium Section Ref: Creating and Managing User Objects Explanation: To gain access to the network, prospective network users must authenticate to a network with a specific user account. Authentication is the process of confirming a user's identity by using a known value such as a password, a smart card, or a fingerprint.
17. Which Kerberos setting defines the maximum time skew that can be tolerated between a ticket's timestamp and the current time at the KDC? a. maximum lifetime for service ticket b. maximum lifetime for user ticket c. maximum lifetime for user ticket renewal d. maximum tolerance for computer clock synchronization
Answer: D Difficulty: Medium Section Ref: Managing Kerberos Explanation: The setting for maximum tolerance for computer clock synchronization defines the maximum time skew that can be tolerated between a ticket's timestamp and the current time at the KDC. Kerberos uses a timestamp to protect against replay attacks. The default setting is 5 minutes.
7. Which three components make up a service principal name (SPN)? a. service name, IP address, and port number b. service name, URL, and host name c. service name, host name, and IP address d. service class, host name, and port number
Answer: D Difficulty: Medium Section Ref: Managing Service Principal Names Explanation: The SPN consists of three components: the service class, such as HTTP (which includes both the HTTP and HTTPS protocols) or SQLService, the host name, and the port (if port 80 is not used).
14. Which of the following describes how CSVDE.exe differs from LDIFDE.exe? a. Both utilities can import users, but only CSVDE can modify or delete objects later b. CSVDE can modify existing AD DS objects c. Only LDIFDE can import users d. Both utilities can import users, but only LDIFDE can modify or delete objects later
Answer: D Difficulty: Medium Section Ref: Performing Bulk Active Directory Operations Explanation: Consider an example where you need to import 200 new users into your AD DS structure. In this case, you can use CSVDE.exe or LDIFDE.exe to import the users. However, you can use LDIFDE.exe to modify or delete the objects later, whereas CSVDE.exe does not provide this option.
7. Which of the following is the method for removing a domain controller in Windows Server 2016? a. Using the Dcpromo.exe command b. Using the Add Roles and Features Wizard c. Using the Adprep.exe command d. Using the Remove Roles and Features Wizard
Answer: D Difficulty: Medium Section Ref: Removing a Domain Controller Explanation: To remove a domain controller from an AD DS installation, you must begin by running the Remove Roles and Features Wizard.
12. Which Active Directory object is defined as a specialized domain controller that performs certain tasks so that multi-master domain controllers can operate and synchronize properly? a. Schema Master b. Forest c. RODC d. Operations Master
Answer: D Difficulty: Medium Section Ref: Managing Operations Masters Explanation: Operations Masters are specialized domain controllers that perform certain tasks so that multi-master domain controllers can operate and synchronize properly.
1. Which of the following is the process of granting the user access only to the resources he or she is permitted to use? a. Authentication b. Authorization c. Importing a user object to Active Directory d. Registering the SRV record
Answer: B Explanation: Authorization is the process of granting the user access only to the resources he or she is permitted to use. Users joined to an Active Directory Domain Services (AD DS) domain can log on to the domain, not to an individual computer or application, and can access any resources in that domain for which administrators have granted them the proper permissions.
2. Which of the following defines which objects exist as well as which attributes are associated with any object in the Active Directory? a. Active Directory administrator b. Active Directory global directory c. Active Directory root user d. Active Directory schema
Answer: D Explanation: Different object types have different sets of attributes, depending on their functions. The attributes each type of object can possess, the type of data that each attribute can store, and the object's place in the directory tree are all defined in the directory schema.