Answer: B 

Explanation: 

http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/ 

Demonstration adding a UPN Suffix 

To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest. 

Answer: B 

Explanation: 

Answer: C 

Explanation: 

Explanation 1: http://technet.microsoft.com/en-us/library/cc770413.aspx Managing Array members For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members. 

Explanation 2: http://technet.microsoft.com/en-us/library/cc771281.aspx To designate an Array controller 

1. Open the Online Responder snap-in. 

2. In the console tree, click Array Configuration Members. 

3. Select the Online Responder that you want to designate as the Array controller. 

4. In the Actions pane, click Set as Array Controller. 

Answer: C 

Explanation: 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx How Domain and Forest Trusts Work Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. 

Trust Flow The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive). One-Way and Two-Way Trusts Trust relationships that are established to enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created. All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. An Active Directory domain can establish a one-way or two-way trust with: Windows Server 2003 domains in the same forest. Windows Server 2003 domains in a different forest. Windows NT 4.0 domains. Kerberos V5 realms. Transitive and Nontransitive Trusts Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains. Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree. Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 1 can access resources in Tree 2, when the proper permissions are assigned at the resource. 

Default Transitive Trust Relationships 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts. Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest. Forest trust. A transitive trust between one forest root domain and another forest root domain. Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm. A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between: A Windows Server 2003 domain and a Windows NT domain A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust) By using the New Trust Wizard, you can manually create the following nontransitive trusts: External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive. Realm trust A nontransitive trust between an Active Directory domain and a Kerberos V5 realm 

Answer:  

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_23 Dnscmd A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. dnscmd /zonechangedirectorypartition Changes the directory partition on which the specified zone resides. Syntax dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName>] {[<NewPartitionName>] | [<ZoneType>] } 

Parameters 

<ServerName> 

Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If 

this parameter is omitted, the local server is used. 

<ZoneName> The FQDN of the current directory partition on which the zone resides. 

<NewPartitionName> The FQDN of the directory partition that the zone will be moved to. 

<ZoneType> Specifies the type of directory partition that the zone will be moved to. 

/domain Moves the zone to the built-in domain directory partition. 

/forest Moves the zone to the built-in forest directory partition. 

/legacy Moves the zone to the directory partition that is created for pre–Active Directory 

domain controllers. These directory partitions are not necessary for native mode. 

Answer: C 

Explanation: 

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175b Complex Password Policy on an OU 

Q: Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user. A1: I beleive you are referering to PSC and PSO. The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container. PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Groups offer better flexibility for managing various sets of users than OUs. For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008. Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects. For more info, please see below article: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide A2: Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/A3: In addition, for fine grated password policy ; you need DLF 2008 and you can apply that policy on a single user and only global security group. 

Find the step by step info. http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ Tutorial: How to setup Default and Fine Grain Password Policy One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your user per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU…. but it doesn’t. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008 however this can only be set based on a security group membership and you still need to use the very un-user-friendly ADSI edit tool to make the changes to the policy. Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The Good news is setting the default password policy for a domain is really easy. The Bad news is that setting a fine grain password policy is really hard. How to set a Default Domain Password Policy 

Step 1 Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”). 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: I have elected to create a new GPO at the top of the domain in this case as I always 

try to avoid modifying the “Default Domain Policy”, see Explanations below. 

Explanation: 

http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx 

TechNet: Linking GPOs 

If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option. 

http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx 

TechNet: Establishing Group Policy Operational Guidelines 

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies. 

Step 2 

Edit the “Domain Password Policy” GPO and go to Computer Configurations>Policies>Windows 

Settings>Security Settings>Account Policy>Password Policy and configured the password policies settings to the configuration you desire. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 3 

Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order. 

TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Done… told you it was easy…. 

Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPO’s apply to objects. As you can see in the image below the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linking to the “Domain Controllers” OU configuration the same setting. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout- policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx) 

How to set a Fine Grain Password Policy 

Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password polices for the users in your environment was to have separate domains… OUCH! 

Pre-Requisites/Restrictions 

You domain must be Windows Server 2008 Native Mode, this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selection the “Raise domain functional level” on the top of the domain in Active Directory Users and Computers. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Explanation http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies The domain functional level must be Windows Server 2008. The other restriction with this option is that you can only apply FGPP to users object or 

users in global security groups (not computers). Explanation http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx AD DS: Fine-Grained Password Policies Fine-grained password policies apply only to user objects … and global security groups. TIP: If you setup an “Automatic Shadow Group 

(http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/)” you can apply these password policies to users automatically to 

any users located in an OU. 

Creating a Password Setting Object (PSO) 

Step 1 Under Administrator Tools Open ADSI Edit and connect it to a domain and domain controller you want to setup the new password policy. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).\ 

Step 2 Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 3 

Right click on “CN=Password Settings Container” and then click on “New” then “Object. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 4 

Click on “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 5 

Type the name of the PSO in the “Value” field and then click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”. 

Step 6 

Type in a number that will be the Precedence for this Password Policy then click “Next”. 

Note: This is used if a users has multiple Password Settings Object (PSO) applied to them. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 7 

Type “FALSE” in the value field and click “Next” 

Note: You should almost never use “TRUE” for this setting. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 8 

Type “24” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 9 

Type “TRUE” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 10 

Type “5” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 11 

Type “1:00:00:00” in the “Value” field and click “Next” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 12 

Type “42:00:00:00” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 13 

Type “10” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 14 

Type “0:00:30:00” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 15 

Type “0:00:33:00” in the “Value” field and click “Next” C:\Documents and Settings\usernwz1\Desktop\1.PNG Step 16 

Click “Finish” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

You have now created the Password Settings Object (PSO) and you can close the 

ADSIEdit tool. 

Now to apply the PSO to a users or group… 

Step 17 

Open Active Directory Users and Computers and navigate to “System > Password Settings 

Container” 

Note: Advanced Mode needs to be enabled. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 18 

Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 19 

Click “Add Windows Accounts….” button. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 20 

Select the user or group you want to apply this PSO and click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 21 

Click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Step 22 

Click “OK” 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

And your are done… (told you it was hard). 

Fine Grain Password Policies as you can see are very difficult to setup and manage so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or extra complicated password then at least it give you away to do this without having to spin up another domain. 

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx Managing Group Policy ADMX Files Step-by-Step Guide 

Microsoft Windows Vista. and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools —Group Policy Object Editor and Group Policy Management Console—remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks. http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx Questions on ADMX in Windows XP and Windows 2003 environments We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was: “…What’s the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I’ve done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…” The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that’s created. Its just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous – this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX. This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn’t copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if copying the local store, located under c:/windows/ policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and Explanationd by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can. Here’s the confusion-reducing scoop – Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that’s LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that’s very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates – not GP itself. So if you don't currently use them then you don't have to update schema. So provided you’re using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy PExplanations. Honestly – it amazes us the amount of IT Pros that still haven’t discovered GPP…especially with the power it has to practically eliminate logon scripts! As a last point – IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff. The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start! 

Answer: B,D 

Explanation: 

http://techblog.mirabito.net.au/?p=297 Generating and working with code signing certificates A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte). For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted. In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code. A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.