Answer: D 

Explanation: 

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/ 

What does "certutil -pulse" command do? 

Certutil -pulse will initiate autoenrollment requests. 

It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7) 

Right-click Certificates , point to All Tasks , click Automatically Enroll and Retrieve 

Certificates. 

The command does require that 

-any autoenrollment GPO settings have already been applied to the target user or computer 

-a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user 

-The group membership is recognized in the users Token (they have logged on after the membership was added http://technet.microsoft.com/library/cc732443.aspx Certutil Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When cerutil is run on a non-certification authority, the command defaults to running the certutil -dump verb. Verbs The following table describes the verbs that can be used with the certutil command. pulse Pulse auto enrollment events 

Answer: D 

Explanation: 

Answer: A 

Explanation: 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/dd759209.aspx Certificate Enrollment Web Service Overview The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain. Personal note: Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc754916.aspx Change the Zone Replication Scope You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)–integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope. http://technet.microsoft.com/en-us/library/cc772101.aspx Understanding DNS Zone Replication in Active Directory Domain Services You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. The following table describes the available zone replication scopes for AD DS-integrated DNS zone data. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS–integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest. 

AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog. AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000. If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx 

Active Directory Certificate Services Step-by-Step Guide 

http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/ 

Enterprise CA option is greyed out / unavailable Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it’s unavailable as in following picture: 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Well, you need to fulfill basic requirements: Server machine has to be a member server (domain joined). You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Edition. The difference is the number of ADCS features and components that can be enabled. To get full functionality, you need to run on Enterprise or Data Center Windows Server 2008 /R2/ Editions. It includes functionality like Role separation, Certificate manager restrictions, Delegated enrollment agent restrictions, Certificate enrollment across forests, Online Responder, Network Device Enrollment. In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through a group nesting). If issue still persists, there is probably a problem with getting correct credentials of your account. There are many thing that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly: First of all, carefully check all above requirements. Secondly, install all available patches and Service Packs with Windows Update before trying to install Enterprise CA. Check network settings on the CA Server. If there is no DNS setting, Certificate Authority Server cannot resolve and find domain. Sufficient privileges for writing the Enterprise CA configuration information in AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure, that your account is in Enterprise Admins group, but check this how CA Server “sees” your account membership by typing whoami /groups. You also need to be a member of local Administrators group. If you are not, you wouldn’t be able to run Server Manager, but still needs to be checked. View C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that needed memberships are not correct. Don’t forget to check event viewer on CA Server side and look for red lines. Verify that network devices or software&hardware firewalls are not blocking access from/to server and Domain Controllers. If so, Certificate Authority Server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName Check also whether Server CA is connected to a writable Domain Controller. Enterprise Admins groups is the most powerful group and has ADCS required full control permissions, but who knows – maybe someone changed default permissions? Run adsiedit.msc on Domain Controller, connect to default context and first of all check if CN=Public Key Service,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container does exist. If so, check permissions for all subcontainers under Public Key Service if Enterprise Admins group has full control permissions. The main subcontainers to verify are Certificate Templates, OID, KRA containers. If no above tips help, disjoin the server from domain and join again. Ultimately reinstall operation system on CA Server. 

Answer: B 

Explanation: 

http://support.microsoft.com/kb/921469 

Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain. 

Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx 

Default groups 

Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles. 

Groups in the Builtin container 

The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Groups in the Users container 

The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Answer: A 

Explanation: 

http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm Adding New Administrative Templates to a GPO Adding .ADM files to the Administrative Templates in a GPO In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next steps: 

1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Stat menu, or by typing gpmc.msc in the Run command. 

2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit. 

Answer: B 

Explanation: 

Not sure about this one. See my thoughts below. 

to MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) key archival 

is not available in the Windows Server 2008 R2 Standard edition, so that would leave out 

answer B. 

C:\Documents and Settings\usernwz1\Desktop\1.PNG 

Another dump gives the following for answer B: 

"Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise." 

Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go 

for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think. 

Certificate Enrollment Policy Web Service role of answer C was introduced in Windows 

Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008 

machine. 

Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a 

hardware-based approach to manage user authentication, network access, data protection 

and more that takes security to higher level than software-based security." 

(http://www.trustedcomputinggroup.org/resources/ 

how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/) 

Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise 

edition. Hope the VCE is wrong.