IST-258 Final Exam

Carl works as a system administrator for a medium-sized corporation. Recent green-awareness meetings and funding cutbacks within the corporation have increased the need for resource consolidation. With an increase in demand for a reduction in environmental impact, Carl is looking to virtualize five separate servers and host them on a single server running Hyper-V.

Carl receives a volume license copy of Windows Server 2008 32-bit Enterprise Edition. He installs it on a machine with the following specifications:

Processor: 64-bit Xeon Quad core 2.66 GHz
Memory: 16 GB
Available disk space: 50 GB
Additional Drives: DVD-ROM

During installation, default settings are accepted. After Carl has installed Windows Server 2008, he finds that he is unable to use Hyper-V. What is the problem?

Hyper-V requires a 64-bit edition of Windows Standard or better
Which of the following tools is the basic application responsible for loading more useful management related snap-ins?
Microsoft Management Console
Using this tool, administrators can create policies that require computers to have the latest anti-virus and OS updates, as well as compliant firewall settings.
Network Access Protection (NAP)
When examining the Workgroup Model, a Windows Server 2008 server that participates in a workgroup is referred to as a ____.
stand-alone server
Which is not a benefit of using virtual machines?
Virtual machines have reduced hardware and software requirements
This server role provides automatic IP address assignment and configuration for client computers.
Dynamic Host Configuration Protocol (DHCP)
The main purpose of Active Directory is to ____.
Provide authentication and authorization to users and computers
A DNS Server is used to ____.
Resolve names of Internet computers and domain computers to their assigned IP addresses
You work for a large corporation with several branch offices that have varying requirements with regard to security. Your boss has informed you that a new branch office is in need of a domain controller, but has stressed that due to security reasons, he doesn’t want the server to have the ability to make changes to any domain related information. What can you install to satisfy the needs of the branch office?
Read-only domain controller (RODC)
One of your partner organizations currently has to provide logon credentials to access critical applications on your extranet’s web site. While this has worked in the past, a recent meeting has brought to light the need for single sign-on capabilities for the website.

After researching the issue, you discover that one of Windows Server 2008’s new Active Directory roles can help solve the problem. Which of the following answers allows you to create a trust relationship between your extranet and your partner organization?

Active Directory Federation Services (AD FS)
Which of the following is an important requirement for running Hyper-V?
Must have at least Windows Server 2008 64-bit Standard edition
Your intern would like to know which of the following situations would be ideal for a Server Core installation:
You want to install an RODC in a branch office
Pick the service below that is required by Active Directory:
The core structural unit of Active Directory; contains OUs and represents administrative, security, and policy boundaries
An Active Directory container used to organize a network’s users and resources into logical administrative units
Organizational Unit
Used to create new objects in Active Directory from the command line
User accounts created by Windows automatically during installation
built-in user accounts
Information that defines the type, organization, and structure of data stored in the Active Directory database
A list of settings that administrators use to configure user and computer operating environments remotely through Active Directory
Group Policy Object (GPO)
A person who is associated with the company but is not a network user
Used to complete the installation of Active Directory and to make a domain controller fully functional
Used to set policies that apply to all users within the GPO’s scope
User Configuration
GPOs can be linked to all of the following except ____.
What are the two default GPOs that are created when Active Directory is installed?
Default Domain Policy and Default Domain Controllers Policy
A ____ specifies the actions a user can perform on a Windows network.
You are in charge of a domain that contains several office rooms and one large computer commons area. In order to secure accounts in the domain, you want to apply separate account policies for the computers in the commons area, while maintaining the policies that are used in the office rooms. Currently, all computers are in the Computers folder. What is the most efficient way to accomplish this task?
Create a new OU called “CommonsArea” and move the commons area computer accounts into it. Create a new GPO and configure the desired account policies. Link the new GPO to the CommonsArea OU.
When is the installation of the Global Catalog server option mandatory?
It is required when adding the first domain controller in a forest
What boot mode is used to perform restore operations on Active Directory if it becomes corrupted or parts of it are deleted accidentally?
Directory Services Restore Mode
A forest is ____.
A collection of one or more Active Directory trees.
In what order are GPOs applied?
Local computer, site, domain, OU
If a policy is defined in a GPO linked to a domain, and that policy is defined with a different setting in a GPO linked to an OU, which is true by default?
The policy setting in the GPO linked to the OU is applied.
Which of the following is not a part of Active Directory’s four organizing components?
How many domains can a single domain controller service?
Only one
Which of the following defines the types of information stored in an Active Directory object?
Schema attributes
Domain controller computer accounts are placed in what container by default?
Domain Controllers OU
Which of the following statements about operations master roles is correct?
There is only one domain naming master per forest, which must be available whenever domains are added, deleted, or renamed.
Which of the following is not a valid operations master role?
User management master
A process called ____ runs on every domain controller to determine the replication topology which defines the domain controller path that Active Directory changes flow through.
Knowledge Consistency Checker (KCC)
What is the name of the default site link that is created when Active Directory is first installed?
A(n) ____ is a one-way or two-way nontransitive trust between two domains that aren’t in the same forest
External trust
The group “TestGroup” has been added to an object’s DACL and assigned the Allow Full control permission. “TestUserA” is a member of “TestGroup”, which has been assigned Deny Write permission for the object. What are “TestUserA”’s effective permissions?
TestUserA can do anything that Full Control would allow him to do, except write to the object.
Global groups can be members of any global group in the forest
What is Microsoft’s best practices recommendation for the structure of group scope nesting?
Where are local groups stored?
In the local SAM database
A seasoned intern, Sally, has been given a new assignment. She must be able to log on locally to DCs, manage some services, manage shared resources, back up and restore files, shutdown DCs, format hard drives, and change the system time. In order to give her only the rights and permissions necessary to complete these tasks, what domain local group will you add her to?
Server Operators
Which group matches the following description?

This universal group is found only on DCs in the forest root domain. Members have full control over forestwide operations. This group is a member of the Administrators group on all DCs.

Enterprise Admins
By default, a user’s profile is created….
When the user first logs on
Where are user profiles stored by default in Windows Server 2008?
How do you change a profile into a mandatory profile?
Rename Ntuser.dat to
How would you access serverXX’s administrative share for the C Drive?
What is the Windows file-sharing protocol?
Server Message Block (SMB)
In a Windows environment, the physical printer containing paper and ink or toner to which print jobs are sent is called…
a print device
If a file with the compression attribute set is copied to a new location, what happens?
The file inherits the compression attribute settings from its parent container
If a file with the encryption attribute set is copied or moved within an NTFS volume, what happens?
The file retains its encryption attribute, regardless of the parent container’s settings
Vanessa has come to you asking for your help with a network share issue. She created a shared folder named ShareData on a member server with her account, vness1. However, she finds that she is unable to modify or make changes to any documents in the shared folder across the network. You have logged into the server, and checked the permissions set on ShareData:

Share Permissions:
Everyone – Read

NTFS Permissions
Creator owner – Implicit full control

What should Vanessa do?

She should set Everyone to Full Control in the share permissions
The settings in Administrative Templates under User Configuration affect what section of the computer’s registry?
What would you use to prevent GPOs linked to parent containers from affecting child containers?
Inheritance blocking
How can you ensure that a GPO’s settings are applied to all child objects, even if a GPO with conflicting settings is linked to a container at a deeper level?
Enforcing inheritance
What can you use to restrict GPO inheritance to specific objects in an OU?
GPO Filtering
Settings in local GPOs that are inherited from domain GPOs can’t be changed on the local computer; only settings that are undefined or not configured by domain GPOs can be edited locally.
A published application is installed automatically.
A feature that makes shared files more accessible by grouping shared folders from multiple servers into a single folder hierarchy
Distributed File System
An option on NTFS volumes that enables administrators to limit how much disk space a user can occupy with his or her files
disk quotas
A feature that enables users to access a volume as a folder in another volume instead of by using a drive letter
volume mount points
A feature on the Windows file system that allows users to access previous versions of files in shared folders and restore files that have been deleted or corrupted
shadow copies
Defines the method and format an OS uses to store, locate, and retrieve files from electronic storage media
file system
Permissions applied to shared folders that protect files accessed across the network. Share permissions are the only method for protecting files on FAT volumes
share permissions
Hidden shares created by Windows that are available only to members of the Administrators group
Administrative shares
Encrypting File System
Permissions set on folders or files on an NTFS-formatted volume.
NTFS permissions
A protocol that runs over TCP/IP and is designed to facilitate access to directory services and directory objects
Active Directory replication between domain controllers in the same site
intrasite replication
A section of an Active Directory database stored on a domain controller’s hard drive
directory partition
A user logon name that follows the format [email protected]
user principal name (UPN)
An Active Directory object that can be assigned permissions or rights to Active Directory objects and network resources
security principals
A domain controller with sole responsibility for certain domain or forestwide functions
Operations master
A trust relationship in which one domain trusts another, but the reverse is not true
One-way trust
The part of the SID that’s unique for each Active Directory object
relative identifier
The first domain created in a new forest
Forest root domain
You have recently set up a new domain controller and DNS server responsible for a large network. Almost immediately, you notice that every time a user attempts to make use of a resource on a server in your partner organization’s domain, DNS requests end up performing a recursive query. Rather than continue to allow DNS requests to be processed this way, you would like to make use of a DNS server in’s domain that you have access to via a LAN connection.

What can you configure to have the DNS server in’s domain receive DNS queries from your network, but only ones that are related to’s domain?

Conditional Forwarder
Last year you configured a conditional forwarder for a specific domain on your network. This year, after several major changes to the network, you notice that the conditional forwarder is no longer reachable. You find out that the conditional forwarder’s address changed, and now to continue using a conditional forwarder, you must manually change the IP address on all servers that use it.

What could you do instead of using conditional forwarders and still achieve the same functionality, while simultaneously allowing this process to be handled by Active Directory?

Use a stub zone
Windows Internet Name Service (WINS) is a legacy name service used to resolve….
NetBIOS names
If multiple servers are specified in the forwarders tab of a server’s Properties, what happens if a query is made and none of the forwarders provide a response?
A normal recursive lookup process is initiated, starting with a root server
Root hints data comes from what file?
What does round robin do?
Creates a load sharing / balancing mechanism for servers that have identical services, such as two servers that host the same website
Which of the commands below can be used to test DNS queries with the default DNS server or a specific DNS server on a Windows computer?
What ipconfig option will display the contents of the hosts file, as well as the local DNS cache?
What information does a resource record of type MX contain?
Address of an e-mail server
Increased network usage has inspired your staff to install a new DNS server. After much consideration, you have decided to make the new server a domain controller as well. One of your interns is curious as to what benefit this would provide to DNS over simply making the DNS server a member server.
The AD-integrated domain DNS zones will be created automatically.
You will want to use a forward lookup zone when you need a zone that…
contains records to translate names to IP addresses
Which MMC is used to transfer the RID master, PDC emulator master, and infrastructure master operations master roles?
Active Directory Users and Computers
Which MMC is used to transfer the domain naming master operations role?
Active Directory Domains and Trusts
What operations master role is needed when a domain or domain controller is added or removed from the forest?
Domain naming master
You’re taking an older server performing the PDC emulator master role out of service and will be replacing it with a new server configured as a domain controller. What should you do to ensure the smoothest transition?
Transfer the PDC master role to the new domain controller, and then shut down the old server
Which of the following statements is true regarding RODC replication?
The domain directory partition can be replicated only to an RODC from a Windows Server 2008 DC.
Under what MMC would you create new connection objects?
Active Directory Sites and Services
Users of a new network subnet have been complaining that logons and other services are taking much longer than they did before being moved to the new subnet. You discover that many logons and requests for DFS resources from workstations in the new subnet are being handled by domain controllers in a remote site instead of local domain controllers.

What can be done to fix this?

Associate the new subnet with a site, then move a local domain controller into the site manually
You work at, and are in charge of a fairly large forest and multidomain structure consisting of Windows Server 2003 domain controllers running at the Windows Server 2003 functional level. One of your interns finished installing the forest’s first Windows Server 2008 server, and has placed it in a branch office to act as a read-only domain controller. The intern has already run the adprep /forestprep command.

Unfortunately, for some reason, the RODC Server can’t be installed. What is most likely the issue, based on the information provided?

There must be at least one writeable DC running Windows Server 2008
The SMTP protocol is used primarily for e-mail, but can also be used for…
Intersite replication
When using HTTPS, after the web client finds that a CA is trusted and the signature on a certificate is verified, the web client sends additional parameters to the server that are encrypted with the server’s….
Public key
An enterprise CA is…
A Windows Server 2008 server with the Active Directory Certificate Services role installed
Select the answer below that is not a service a public key infrastructure provides to a network:
Secure tunneling
What component of a PKI is held by a person or system and is unknown to anyone else?
Private key
Your network uses Active Directory running on Windows Server 2008, and your company is about to install an application that integrates with directory services by using LDAP and will require major schema changes. Another application that integrates with a directory service might be installed next year, and it will also require many schema changes that are very different from those the first application requires. Which of the following should you use on your network?
Which of the following is true about AD LDS?
One AD LDS instance for each application
Which of the following is true about AD LDS?
There’s no global catalog.
Multiple instances on the same server are supported.
You have been using AD LDS for a few months to support a directory-enabled application. This application has become a critical part of your operations, and there’s concern about what might happen if the AD LDS server fails. What should you do?
Install AD LDS on another server. Create an instance with the option to create a replica of an existing instance.
Which of the following isn’t a part of a typical AD FS deployment?
Which of the following should be installed to prevent employees from printing security-sensitive e-mails?
You and another company are engaging in a joint operation to develop a new product. Both companies must access certain Web-based applications in this collaborative effort. Communication between the companies must remain secure, and use of exchanged documents and e-mails must be tightly controlled. What should you use?
Which of the following is true about an RODC installation?
A Windows Server 2008 DC is required.
You need to install an RODC in a new branch office and want to use an existing workgroup server running Windows Server 2008. The office is a plane flight away and is connected via a WAN. You want an employee at the branch office, Michael, to do the RODC installation because he’s good at working with computers and following directions. What should you do?
Create the computer account for the RODC in the Domain Controllers OU, and specify Michael’s account as one that can join the computer to the domain.
You maintain an RODC at a branch office, and you want one employee with solid computer knowledge to perform administrative tasks, such as driver and software updates and backups. How can you do this without giving her broader domain rights?
Use Dsmgmt.exe to add the user’s domain account to the administrator role on the RODC
You have installed an RODC at a branch office that also runs the DNS Server role. All DNS zones are Active Directory integrated. What happens when a client computer attempts to register its name with the DNS service on the RODC?
The DNS service sends a referral to the client. The client registers its name with the referred DNS server.
Which of the following is true about incremental backups? (Choose all that apply.)
Files that have changed since the last incremental backup are backed up.
Incremental backups take less storage space than full backups
You can choose a full or incremental backup on a per-volume basis.
A junior administrator accidentally deleted an OU containing several dozen objects. You have three other domain controllers in the network. You have a backup of Active Directory created about 12 hours before the OU was deleted. What should you do to restore the OU and its objects?
Restart the DC in DSRM. Run Wbadmin and restore the system state backup. Run Ntdsutil to mark the OU as authoritative, and then restart the server normally
You have been monitoring server performance for the past hour, viewing CPU, memory, disk, and network utilization. You counted 20 different occurrences of one or more of the performance indicators rising to near 100% for a few seconds and then settling down to between 0 and 30% utilization. What does this information indicate?
Nothing. Spikes like that are normal
Which tool is used to manage processor and memory resources on a per-user and per-process basis?
Which of the following tools is used to monitor and manage Active Directory replication?
Which command is best used to install AD DS on Server Core as a new domain controller in a new domain?
Dcpromo /unattend /replicaOrNewDomain:domain
You want to create a data collector set that monitors changes to the Registry and system and application events. What should you include in the data collector set?
Event traces and system configuration
Which of the following is needed if a computer with IP address wants to communicate with a computer with IP address
If you turn on printer sharing in the Network and Sharing Center, all printers on the computer are shared.
You have just completed a default installation of Windows Server 2008. You know that the TCP/IP protocol is installed. How does the server get assigned an IP address?
The IP address is invalid.
Which of the following IP addresses has 12 bits in the host ID?
You have a server with two NICs, each attached to a different IP network. You’re having problems communicating with devices on remote networks that send packets to one of the interfaces. The server receives the packets fine, but the server’s replies never reach the intended destination network. Replies to packets that come in through the other interface seem to reach their destination without any problems. What can you do that will most likely solve the problem?
Use the Route command to add routes to the networks that aren’t receiving replies.
You have just changed the IP address on a computer named Computer5 in your domain from to You were communicating with this computer from your workstation fine right before you changed the address. Now when you try the command ping computer5 from your workstation, you don’t get a successful reply. Other computers on the network aren’t having a problem communicating with the computer. Which command might help solve the problem?
ipconfig /flushdns
Which of the following is a valid IPv6 address? (Choose all that apply.)
2001:DB8:BAD:F00D:0020:3344:0:e4
A resource record containing an alias for another record is which of the following record types?
What type of resource record is necessary to get a positive response from the command nslookup
DNS ServerA forwards a query to ForwarderB, which replies with a not found message. DNS ServerA continues the lookup by querying a root server.
You want a DNS server to handle queries for a domain with a standard primary zone hosted on another DNS server. You don’t want your server to be authoritative for that zone. How should you configure your server? (Choose all that apply.)
Configure a stub zone on your DNS server.
Configure a forwarder on your DNS server.
You manage the DNS structure on your network. The network security group has decided that only one DNS server should contact the Internet. Under no circumstances should other servers contact the Internet for DNS queries, even if the designated server is down. You have decided that the DNS server named DNS-Int should be the server allowed to contact the Internet. How should you configure your DNS structure to accommodate these requirements?
On each DNS server except DNS-Int, configure a forwarder pointing to DNS-Int. Disable the use of root hints if no forwarders are available. No changes are necessary on DNS-Int.
You have a zone containing two A records for the same hostname, but each A record has a different IP address configured. The host records point to two servers hosting a high-traffic Web site, and you want the servers to share the load. After some testing, you find that you’re always accessing the same Web server, so load sharing isn’t occurring. What can you do to solve the problem?
Enable the round robin option on the server.
Which is the correct order in which a DNS client tries to resolve a name?
Cache, Hosts file, DNS server
You want to verify whether a PTR record exists for the host, but you don’t know the IP address. Which of the following commands should you use?
Nslookup, and then Nslookup IPAddress returned from the first Nslookup
You have been communicating with ComputerB from your workstation for the past several hours. A colleague informs you that he has just made some changes to the IP addressing scheme on the network where ComputerB is located. You find that you can no longer communicate with ComputerB. What tool can you use on your workstation to solve the problem?
Which of the following is the default forest functional level for a Windows Server 2008 domain controller installed in a new forest?
Windows 2000
You’re going to introduce a Windows Server 2008 domain controller into a Windows Server 2003 forest. Which of the following should you do?
First, prepare the forest by running adprep /forestprep on a Windows Server 2003 domain controller performing the schema operations master role. Then run adprep /domainprep in each domain that will have a Windows Server 2008 domain controller.
If you configure a trust between ForestA and ForestB, and a trust exists between ForestB and ForestC, then ForestA trusts ForestC.
You have three sites: Boston, Chicago, and LA. You have created site links between Boston and Chicago and between Chicago and LA with the default site link settings. What do you need to do to make sure replication will occur between Boston and LA?
Do nothing; replication will occur between Boston and LA with the current configuration.
Your network is configured in a hub and spoke topology. You want to control the flow of replication traffic between sites, specifically reducing the replication traffic traveling across network links between hub sites to reach satellite sites. What should you configure?
Site link bridges
You want to decrease users’ logon time at SiteA but not increase replication traffic drastically. You have 50 users at this site with one domain controller. Overall, your network contains 3000 user and computer accounts. What solution can decrease logon times with the least impact on replication traffic?
Enable universal group membership caching.
Which of the following configurations should you avoid?
Infrastructure master configured as a global catalog server
User authentications are taking a long time. The domain controller performing which FSMO role will most likely decrease authentication times if it’s upgraded?
PDC emulator
Which of the following is a service provided by a PKI? (Choose all that apply.)
Which of the following is used in both ends of the cryptography process (encrypt and decrypt) and must be known by both parties?
Secret key
A PKI is based on symmetric cryptography.
Camille and Sophie want to engage in secure communication. Both hold a public/private key pair. Camille wants to send an encrypted message to Sophie. Which of the following happens first?
Sophie sends Camille her public key.