Ch. 6.4 - 7.2


Which of the following is true about a default trust automatically created between domains in a forest?

A parent/child trust exists between a parent domain and the immediate child domain.

Which of the following best describes an Active Directory site?

A physical grouping of well-connected IP subnets which are connected with high-speed links.

Which of the following best describes a transitive trust?

A trust relationship which allows the trust to flow among domains.

Which of the following best describes a forest trust?

A trust which creates a trusted relationship between forests.

To join a computer to a domain, you must be a member of which of the following groups?

Administrators group on the local computer

You manage a network with a single domain named widgets.com. The network has multiple domain controllers at two locations: Chicago and Baltimore. A WAN link connects the two locations. You create two site objects and configure a site link object to connect the two sites. To reduce WAN traffic between the two sites, you would like to take advantage of the remote differential compression feature for SYSVOL replication. What should you do?

Configure all domain controllers to use DFS replication.

Which of the following is a common user identifier used for authentication and authorization in the cloud and on-premises?

A hybrid identity

Which of the following can automatically synchronize user credentials, group accounts, and computer accounts between an on-premises Active Directory and cloud-based Azure services?

Azure AD Connect

You are the administrator of the eastsim.com domain. Your Active Directory structure has organizational units (OUs) for each company department. You have assistants who help with resetting passwords and managing group membership. You want your assistants to also help create and delete user accounts. Which of the following tools can you use to allow your assistants to perform these additional tasks?

Delegation of Control wizard

You are the network administrator for an Active Directory forest with a single domain. The network has three sites with one domain controller at each site. You have created and configured sites in Active Directory Sites and Services, and replication is operating normally between sites. You configure two universal groups for use in securing the network. All users are members of one universal group or the other. After configuring the universal groups, users at Sites 2 and 3 report slow login and slow access to the corporate database. Users at Site 1 can log in and access the corporate database with acceptable performance. You want to improve login and resource access performance for users in Sites 2 and 3. What should you do?

Designate the domain controllers at Sites 2 and 3 as Global Catalog servers.

You are the administrator for a small company that uses a Windows server to host a single domain. Mary Hurd, a user in the sales department, calls and reports that she is unable to log in using her computer (Sales1). You use Active Directory Users and Computers and see the screen shown in the image. What can you do to allow Mary to log in?

Enable the computer account

Which of the following password synchronization options in Azure AD Connect utilizes proxy servers as an extra layer of security in the authentication process?

Federation authentication

Which of the following password synchronization options offers the highest level of security in Azure AD Connect?

Federation authentication

Which of the following is true about organizational units (OUs)?

Group Policy can be applied to organizational units.

What does the netdom query fsmo command do?

Lists the FSMO roles and identifies the server on which they are running.

You are the network administrator for corpnet.com. corpnet.com uses a vendor named partner.com. You create a cross-forest trust with Selective Authentication between the corpnet.com Active Directory forest and the partner.com Active Directory forest. On a file server named File1, you create a share named Share1 and assign the following permissions: Partner\SalesUsers - Allow-Modify NTFS permissions. Partner\SalesUsers - Allow-Full Control share permissions. Users in the Partner\SalesUsers group report that they cannot connect to the \\File1\Share1 share. You need to ensure that users in the Partner\SalesUsers group can connect to the share and modify data. What should you do?

Modify the properties of the File1 computer account in Active Directory Users and Computers.

You are a domain administrator for a large multi-domain network. There are approximately 2,500 computers in your domain. Organizational Units (OUs) have been created for each department. Group Policy objects (GPOs) are linked to each OU to configure department-wide user and computer settings. While you were on vacation, another 20 computers were added to the network. The computers appear to be functioning correctly with one exception: the computers do not seem to have the necessary GPO settings applied. What should you do?

Move the computer accounts from their current location to the correct OUs.

The Djoin command is used in which of the following methods for adding computer accounts to Active Directory?

Offline domain join

Which utility would you use to seize a role?

The Ntdsutil.exe tool

A client computer comes onto the network and first looks in its own site for a domain controller. A domain controller is not found within its site. Only the default settings are configured. Which of the following is most likely to happen next?

The client computer will search randomly for a domain controller in any site.

Site-link cost is determined by which of the following?

The speed of the link

Which of the following is true about forest trusts?

They are also called interforest trusts.

When applying Group Policy in Active Directory, which of the following is true?

Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.

In following a best practice approach to organizing your sites in your Active Directory network, you would normally organize in which of the following ways?

You would match the site link design to the physical network with a site link for each WAN link.

Which of the following are the responsibilities of the domain naming master? (Select three.)

- Ensures that domain names are unique.
- Must be accessible to add or remove a domain from the forest.
- Must be a global catalog server if it resides in a multiple domain environment.

Which of the following is an established relationship between domains that allows authentication, communication, and access to resources?

Active Directory trust

You are the network administrator for corpnet.com. Users in the sales.us.corpnet.com domain frequently need to access shares in sales.eu.corpnet.com, but report that it often takes a long time to be authenticated when accessing the shares. You need to reduce the amount of time it takes the users in sales.us.corpnet.com to be authenticated in sales.eu.corpnet.com. What should you do?

Create a shortcut trust.

Each computer has a password that is automatically generated when the computer joins the domain. When the computer boots, this password is used to authenticate the computer to the domain and establish a secure channel between the computer and the domain controller. Where is this password stored?

On the local computer and in Active Directory.

Which of the following password synchronization options in Azure AD Connect requires an authentication agent to be installed?

Passthrough authentication

Which of the following password synchronization options in Azure AD Connect stores the user's credentials in Azure AD?

Password hash authentication

Which Azure AD Connect option uses the following password synchronization process? Active Directory creates a hash for a user's password, then Azure AD Connect makes a cryptographic hash of the local hash and stores that cryptographic hash in Azure AD.

Password hash synchronization

Which of the following is true about Active Directory sites?

Sites are linked to one or more subnets.

You are the administrator for a large single-domain network. You have several Windows Server domain controllers and member servers. Your 3,500 client computers are Windows workstations. Today, one of your users has called for help. It seems that their computer is reporting that trust cannot be established between their Windows computer and the domain controller. The user is unable to log on to the domain. You examine the computer's account using Active Directory Users and Computers, and there is nothing obviously wrong. You need to allow this user to log on to the domain. What should you do?

Reset the computer account and rejoin the domain.

You have a laptop that you use for remote administration from home and while traveling. The laptop has been joined to the domain using the name of AdminRemote. The processor in your laptop overheats one day, causing extensive damage. Rather than repair the computer, you purchase a new one. The computer arrives, and you edit the system properties and name it AdminRemote. When you try to join the computer to the domain, you receive an error message and are unable to proceed. What should you do?

Reset the computer account in Active Directory.

Your network currently has the following Active Directory domains: westsim.com, emea.westsim.com, uk.emea.westsim.com, and us.westsim.com. Your company is closing its offices in the United States. Previously, most of the network administration took place in that office. Now all IT administration will take place in your London office. You have removed all domain controllers from the us.westsim.com domain except for the DC1 server. This server hosts the following roles: RID master, PDC emulator, Domain naming master, and Infrastructure master. Prior to removing Active Directory from the domain controller, you need to transfer the necessary operation master roles to servers in the westsim.com domain. The westsim.com domain has the following domain controllers: WS1, WS2, WS3, and WS4. All servers are also global catalog servers except for WS3. What should you do to prepare for Active Directory removal on DC1?

Transfer the domain naming master to WS1, WS2, or WS4.

Your network currently has two domains, eastsim.com and sales.eastsim.com. You need to remove the sales.eastsim.com domain. You have removed all domain controllers in the domain except for the DC1.sales.eastsim.com server. This server holds the following infrastructure master roles: RID master, PDC emulator, Infrastructure master, and Domain naming master. You are getting ready to remove Active Directory from DC1. What should you do first?

Transfer the domain naming master to a domain controller in eastsim.com.

You manage a single-domain network with a domain named widgets.com. You have received funding to upgrade all of your domain controllers from Windows Server 2003 to Windows Server 2012 R2. You upgrade all domain controllers to Windows Server 2012 R2. You then set the domain and forest functional levels to Windows Server 2012 R2. You decide to migrate from FRS replication to DFS replication using a staged migration approach. You start replication and progress to the point where both FRS and DFS replication are running. Because everything looks like it is working properly, you configure replication to now use only DFS replication. After a few days, you notice several replication errors. You decide that you want to configure replication so that only FRS replication is used (DFS replication will no longer operate). Which command should you use?

dfsrmig /setglobalstate 0

You are the network administrator for westsim.com. The network consists of one Active Directory domain that contains 1,500 users. westsim.com has one main office and 15 branch offices. There are three domain controllers at the main office and one domain controller at each branch office. You have been asked to identify which domain controller hosts the schema master role. Which utilities should you use? (Select two.)

- Active Directory Schema snap-in
- Dsquery

- Holds the default service administrator accounts
- The default location for new user accounts and groups
- The default location for domain controller computer accounts
- The root container to the hierarchy
- The default location for workstations when they join the domain

- Built-in container
- Users container
- Domain Controller OU
- Domain container
- Computers container

You have just started a new job as the administrator of the eastsim.com domain. The manager of the accounting department has overheard his employees joke about how many employees are using "password" as their password. He wants you to configure a more restrictive password policy for employees in the accounting department. Before creating the password policy, you open the Active Directory Users and Computers structure and see the following containers and OU: eastsim.com, Built-in, Users, Computers, Domain Controllers. Which steps must you perform to implement the desired password policy? (Select three. Each correct answer is part of the complete solution.)

- Configure the password policy and link it to the OU created for the accounting employees.
- Create an OU in eastsim.com for the accounting employees.
- Put the accounting employees user objects into the OU created for the accounting employees.

You are the network administrator for a network with a single Active Directory domain and a default site configuration. Your domain consists of three domain controllers, two at the company headquarters in Los Angeles and one in New York. Active Directory Domains and Trusts shows that all three domain controllers are replicating without errors. You have implemented a group structure using Microsoft's recommendation. You have global groups, which are members of universal groups. The universal groups are members of domain local groups. You have assigned permissions to the domain's local groups. Users in Los Angeles aren't reporting any difficulties logging in and accessing local resources. However, users in New York report that login is very slow and that resource access is also very slow, even for local resources. You want to improve login and resource access performance for New York users. What should you do? (Select two. Each answer is part of the complete solution.)

- Make the domain controller in New York a Global Catalog server.
- Create two sites, one called Los Angeles and one called New York. Assign the IP subnet in use at each location to the appropriate site.

- Denver OU
- Printers OU
- Sales OU
- Engineering OU
- Brazil OU
- Brazil OU containing the Sales OU

- Physical location model
- Object type model
- Corporate structure model
- Corporate structure model
- Physical location model
- Hybrid model

You are the network administrator for corpnet.com. The company has a main office and four branch offices. All of the servers run Windows Server 2016. All of the sites have been added to the DEFAULTIPSITELINK object, which is set to replicate every 15 minutes. The Branch1 office contains one domain controller, DC3. The WAN link between the main and Branch1 offices has excellent bandwidth and very low latency. You frequently update the user accounts for users located at the Branch1 office and encounter conflicts that require you to force replication. You need to enable replication between the main and Branch1 offices to occur more frequently than every 15 minutes. The change must not affect replication between the main office and the other branch offices. What should you do? (Select three.)

- Remove the Branch1 office from the DEFAULTIPSITELINK.
- Create a new IP Site Link and add the main office and the Branch1 office to the new link.
- Configure the Options attribute on the new link. Configure the Cost on the new link.

Microsoft recommends staying within how many sub-tree levels when creating OUs in your network design?

5

Which of the following best describes Azure AD Connect?

An on-premises Active Directory synchronization service.

Your network has two sites, as shown in the graphic. You want to designate Computer1 as a preferred bridgehead server. Which object's properties would you edit to do this?

COMPUTER1

You are the network administrator for your company. Your network consists of two Active Directory domains, named research.westsim.local and sales.westsim.local. Your company has two sites, Dallas and Houston. Each site has two domain controllers, one for each domain. Users in Houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in Dallas. Users in Dallas do not report any problems logging in and accessing local resources. You want all users in Houston to experience adequate login and resource access response time. What should you do?

Configure one of the domain controllers in Houston to be a Global Catalog server.

You are the network administrator of a network with a single Active Directory forest. The forest root domain is named westsim.local, and there are two child domains named europe.westsim.local and asia.westsim.local. All domain controllers are running Windows Server 2012 R2 or Windows Server 2016. Your network has five Active Directory sites in the United States, six in Europe, and three in Asia. All sites in Europe have two domain controllers from the europe.westsim.local domain and one domain controller from the westsim.local domain. Several sites in Europe are using outdated hardware for their domain controllers, and you have decided to update them. You install and configure a new domain controller for an office in Europe and move the server to the correct site. After several days, you notice that the new server is not being utilized for replication between sites. What should you do?

Configure the new server as a preferred bridgehead server for its site.

You are working for a company that has a large Active Directory network with locations in New York City, Washington, D.C., Seattle, Miami, and Des Moines. The company has just opened an office in Toronto. You are responsible for bringing the new Toronto site online. You have created a site link to represent a high-speed connection between Washington, D.C., and Toronto. You anticipate that the link between these two cities will be used heavily during normal Eastern Time Zone business hours (5:00 a.m. to 7:00 p.m.). You need to configure replication between Toronto and Washington, D.C., and minimize the impact of replication traffic during business hours. What should you do?

Configure the site link between Toronto and Washington, D.C. to be available between 7:00 p.m. and 5:00 a.m.

You are the network administrator for westsim.com. The network consists of a single Active Directory domain. There is one main office in New York and several branch offices, including one in Chattanooga, TN. All of the clients in Chattanooga, TN, are configured using DHCP and obtain addresses in the 172.16.0.0/16 subnet with the scope ranging from 172.16.3.1 to 172.16.3.254. There are two domain controllers in the Chattanooga office named TNDC1 and TNDC2. TNDC1 has a static IP address of 172.16.2.3/16, and TNDC2 has a static IP address of 172.16.2.4/16. During an IT audit, you notice that users authenticated by TNDC2 experience significant logon delays. You order a new server to replace TNDC2. As a temporary fix, you would like to ensure that all users in the Chattanooga, TN, site are authenticated by TNDC1. The solution should enable users to be authenticated by TNDC2 only if TNDC1 fails. What should you do?

Create a new Active Directory site. Create a new subnet object using the 172.16.2.4/32 subnet. Move TNDC2 to the new site.

You are the network administrator of a network that spans two locations, Atlanta and Dallas. Atlanta and Dallas are connected using a dedicated WAN link. The Atlanta location is also connected to the internet. A single Active Directory domain spans both locations, and each location has a single domain controller. You have not used the Active Directory Sites and Services snap-in to make any changes to the default configuration. Users in Dallas complain that internet access is very slow at times. After monitoring the network traffic across the WAN link, you discover that the slow performance occurs after major changes are made to Active Directory. What is the first step for solving this problem?

Create a new site object in Active Directory and move the server object for the Dallas domain controller into the new site.

You manage a single domain named southsim.com. The network has three locations: Seattle, Portland, and Boise. You need to configure Active Directory sites so that resource access and logon are localized for each location and WAN traffic is minimized. See the image for a diagram of the WAN links connecting each location, as well as the number of users and domain controllers in each location. What should you do?

Create a site for Seattle and a site that includes both the Portland and Boise locations.

You are the network administrator for a company with a single Active Directory domain. The corporate office is located in Miami, and there are satellite offices in Boston and Chicago. There are Active Directory sites configured for all three geographic locations. The Default-First-Site-Name was renamed the Miami site. Each location has a single IP subnet configured and associated with the appropriate site. Each office has several domain controllers. The Boston office has recently expanded to three additional floors in the office building that they are in. The additional floors each have their own IP subnet and are connected by a router. The domain controllers for the Boston office are all located on one floor and are in the same subnet. You notice that the users working on the new floors in the Boston office are sometimes authenticating to domain controllers from other locations. You need to make sure that all authentication traffic over the WAN links is kept to a minimum. What should you do?

Create subnets for the new floors in the Boston office and link them to the Boston site.

You are the network administrator of a network that spans two locations, Atlanta and Dallas. The network has only one Active Directory domain named company.local. The Atlanta and Dallas locations are connected using a T1 line. You have also configured an on-demand dial-up connection between the two locations, which should only be used for backup if the T1 line becomes unavailable. You create two site objects named Atlanta and Dallas using the Active Directory Sites and Services snap-in. How should you configure Active Directory to perform replication over the T1 line rather than the dial-up connection?

Create two Site Link objects representing the T1 and dial-up connections. Configure the T1 Site Link object with a lower cost than the dial-up Site Link object.

You are the network administrator for a network with a single Active Directory forest. All domains in the forest are at Windows Server 2008 functional level, and the forest is also at a Windows Server 2008 functional level. Offices are located in Denver, Chicago, and Miami. Each geographic location has an Active Directory site configured. The links that connect the Denver and Miami sites to the corporate headquarters in Chicago are highly utilized, and you want to minimize replication traffic over them. Company headquarters is located in Chicago, and that location has multiple global catalog servers to service global queries efficiently. Several users in Denver and Miami are members of universal groups throughout the forest. You need to make sure that, in the event of a WAN link failure, group membership will be protected, and logons will be available. What should you do?

Enable Universal Group Membership Caching for the Denver and Miami sites.

Which of the following is true about the default containers in Active Directory?

Group Policy cannot be applied to default containers.

Which of the following is true about the direction of access in a one-way trust relationship?

If Domain A trusts Domain B, then Domain B has access to Domain A's resources.

You are working for a company that has a large Active Directory network with locations in New York City, Washington, D.C., Seattle, Miami, and Des Moines. The company has just opened an office in Toronto. You are responsible for bringing the new Toronto site online. You configure a site link to represent the connection between Toronto and Washington, D.C. You make the site link available between 7:00 p.m. and 5:00 a.m. only. You configure the replication interval at 180 minutes. The link between Toronto and Washington, D.C., appears to work as expected and has been operating for several days without any apparent problems. On Monday at 9:00 a.m., you publish a new printer named ColorLaser to Active Directory. At noon, a user calls from Toronto to say that a print job must be sent to the new color printer, but the printer does not show up in Active Directory. You instruct the user to be patient and check again in an hour. One hour later, the user calls back and still cannot see the printer. You think there is a problem with replication. You want the Toronto user to have access to the printer from Active Directory as quickly as possible. What should you do?

In Active Directory Sites and Services, force replication between a Washington, D.C. domain controller and a Toronto domain controller.

You are the administrator of the eastsim.com domain, which has two domain controllers. Your Active Directory structure has organizational units (OUs) for each company department. You have assistant administrators who help manage Active Directory objects. For each OU, you grant one of your assistants Full Control over the OU. You come to work one morning to find that while managing some user accounts, the administrator in charge of the Sales OU has deleted the entire OU. You restore the OU and all of its objects from a recent backup. You want to configure the OU to prevent accidental deletion. You edit the OU properties, but can't find the Protect object from accidental deletion setting. What should you do so you can configure this setting?

In Active Directory Users and Computers, select View > Advanced Features.

Where does authentication take place in the passthrough authentication process?

In Active Directory on-premises

You are the network administrator for corpnet.com. The company has a main office and two branch offices named Branch1 and Branch2. The main office has two domain controllers named DC1 and DC2. The Branch1 branch office has one domain controller named DC3. There are no domain controllers at the Branch2 location. In Active Directory Sites and Services, you have created a site that corresponds to each location. You have also created IP site links between each site. You discover that users from Branch2 are being authenticated by all three domain controllers. You need to ensure that users in Branch2 are only authenticated by DC1 or DC2. Users in Branch2 should only be authenticated by DC3 if the domain controllers at the main office are unavailable. What should you do?

Increase the cost of the site link between Branch1 and Branch2.

Which of the following password synchronization options provided by Azure AD Connect is the simplest for both the administrator to set up and for the user to use, for access to cloud apps and AD resources?

Password hash synchronization

When you create a computer account in a specific OU, and the computer is matched to the already-created computer account when it joins the domain, you are using which of the following methods?

Pre-stage account method

You have just ordered several laptop computers that will be used by members of the programming team. The laptops will arrive with Windows installed. You want the computer account for each new laptop to be added to the Developers OU in Active Directory. In addition, you want each programmer to join their new laptop to the domain. What should you do?

Pre-stage the computer accounts in Active Directory. Grant the programmers the rights to join the workstation to the domain.

You are the network administrator for westsim.com. The network consists of a single Active Directory domain. A user named Mary Merone is working on location in Africa. She calls to report that her laptop has failed. The hardware vendor replaced the laptop, and now you need to join the new computer to the domain. However, there is no connectivity from the current location to the domain. You must ensure that the laptop is joined to the domain immediately, even if it cannot be physically connected to a domain controller. What should you do first?

Prepare the computer to perform an offline domain join by creating an Active Directory account for the computer using the Djoin /provision command.

You are an administrator for the northsim.com domain. The domain has two domain controllers, DC1 and DC2. DC1 is located in the main office, and DC2 is located in a branch office. You work in a branch office and manage the network there. The main office is connected to the branch office with a WAN link. A site object has been created for each location. The DEFAULTIPSITELINK object connects the two locations. To reduce WAN traffic, replication between sites occurs between 8:00 p.m. and 5:00 a.m. The branch office has recently hired three new employees. An administrator in the main office has created the user accounts. However, users are unable to log on. You need to make sure the users can log on as soon as possible. What should you do?

Run repadmin /replicate DC2 DC1

As a network administrator you would like to allow only the group of HR users from another forest the right to authenticate to the resources within your forest. Which of the following security settings would be the best choice for allowing the needed access but also following the principle of least privilege?

Selective authentication

If you want to increase the speed of authentication and resource access between two domains within the same forest, which of the following is the best trust to create manually?

Shortcut trust

You manage a single-domain network with a domain named widgets.com. You have received funding to upgrade all of your domain controllers from Windows Server 2003 to Windows Server 2012 R2. You upgrade all domain controllers to Windows Server 2012 R2. You then set the domain and forest functional levels to Windows Server 2012 R2. You decide to migrate from FRS replication to DFS replication using a staged migration approach. Which command would you run to use both DFS and FRS replication, with DFS replication being the primary replication method?

dfsrmig /setglobalstate 2

You have a laptop that you use for remote administration from home and while traveling. The laptop has been joined to the domain using the name of AdminRemote. The processor in your laptop overheats one day, causing extensive damage. Rather than repair the computer, you purchase a new one. The computer arrives, and you edit the system properties and name it AdminRemote. When you try to join the computer to the domain, you receive an error message and are unable to proceed. You want the new computer to be joined to the domain using the same name as the old computer. Which commands should you run?

netdom reset and then netdom join

