Where is a GPT stored?
a. In a folder with the same name as the GPO in the SYSVOL share
b. In a folder with the same name as the GUID of the GPO in Active Directory
c. In a folder with the same name as the GUID of the GPO in the SYSVOL share
d. In a folder with the same name as the GPO in Active Directory
Answer: c. In a folder with the same name as the GUID of the GPO in the SYSVOL share
Group Policy Template (GPT) files are stored in the SYSVOL share of domain controllers in a folder
with the same name as the GUID of the GPO.
Which of the following are methods for linking a GPO to a container? (Choose all that apply.)
a. In ADUC, right-click the container and then select “Create a GPO in this domain and link it here.”
b. In the GPMC, right-click the container and then select “Create a GPO in this domain and link it here.”
c. In the GPMC, right-click a container and select Link an Existing GPO.
d. In ADAC, right-click a container and select Link an Existing GPO.
Answer: b. In the GPMC, right-click the container and then select “Create a GPO in this domain and
link it here.”, c. In the GPMC, right-click a container and select Link an Existing GPO.
You use the GPMC to manage and link GPOs to containers. You can create a GPO and link it at the
same time by right-clicking the container and selecting “Create a GPO in this domain and link it here.”
You can link an existing GPO by right-clicking the container and clicking Link an Existing GPO.
You want to deploy a software package that’s available to all users in the domain if they want to use it, but
you don’t want the package to be installed unless a user needs it. How should you configure the software
installation policy?
a. Publish the package under the Computer Configuration node.
b. Assign the package under the Computer Configuration node.
c. Publish the package under the User Configuration node.
d. Assign the package under the User Configuration node.
Answer: c. Publish the package under the User Configuration node.
Publishing an application under the User Configuration node makes the application available to install
by all users in the scope of the GPO. Assigning it in the User or Computer Configuration node
automatically installs the application.
You want to deploy a logon script by using Group Policy. You have several sites connected via a WAN
with a DC at each site. You want to make sure the script is always available when users log on from any
computer at any location. What should you do?
a. Create a share on the fastest DC in the network and save the script there.
b. Send the script via email to all users and have them save it locally.
c. Save the script in the SYSVOL share.
d. Copy the script to cloud storage.
Answer: c. Save the script in the SYSVOL share.
The SYSVOL share is replicated to all domain controllers, so the script will be available to all users at
each site.
Which of the following represents the correct order in which GPOs are applied to an object that falls within
the GPO’s scope?
a. Site, domain, OU, local GPOs
b. Local GPOs, domain, site, OU
c. Domain, site, OU, local GPOs
d. Local GPOs, site, domain, OU
Answer: d. Local GPOs, site, domain, OU
GPOs are applied in the following order: Local GPOs, site-linked GPOs, domain-linked GPOs, and then
OU-linked GPOs. The acronym LSDOU can be used to remember the order.
An OU structure in your domain has one OU per department, and all the computer and user accounts are in
their respective OUs. You have configured several GPOs defining computer and user policies and linked
the GPOs to the domain. A group of managers in the Marketing Department need different policies from
the rest of the Marketing Department users and computers, but you don’t want to change the top-level OU
structure. Which of the following GPO processing features are you most likely to use?
a. Block inheritance
b. GPO enforcement
c. WMI filtering
d. Loopback processing
Answer: a. Block inheritance
Blocking inheritance prevents settings in a GPO linked to a higher-level container from affecting
objects nested in the higher-level container.
You have created a GPO that sets certain security settings on computers. You need to make sure these
settings are applied to all computers in the domain. Which of the following GPO processing features are
you most likely to use?
a. Block inheritance
b. GPO enforcement
c. WMI filtering
d. Loopback processing
Answer: b. GPO enforcement
GPO enforcement ensures that settings in a GPO linked to a container affect objects in nested
containers, even if there are conflicts from other GPOs or inheritance blocking is configured.
You have just finished configuring a GPO that modifies several settings on computers in the Operations
OU and linked the GPO to the OU. You check on a few computers in the Operations Department and find
that the policies haven’t been applied. On one computer, you run gpupdate, and the policies are applied
correctly. What’s a likely reason the policies weren’t applied to all computers when you tried to update
them remotely?
a. The Computer Configuration node of the GPO is disabled.
b. A security filter that blocks the computer accounts has been set.
c. The Operations OU has Block Inheritance set.
d. Computers only apply GPO settings every 90 minutes or when the computer reboots.
Answer: d. Computers only apply GPO settings every 90 minutes or when the computer reboots.
Computer settings are only applied every 90 minutes or when the computer reboots. The settings are
also applied if you run gpupdate on the computer.
You have an Active Directory forest of two trees and eight domains. You haven’t changed any of the
operations master domain controllers. On which domain controller is the schema master?
a. All domain controllers
b. The last domain controller installed
c. The first domain controller in the forest root domain
d. The first domain controller in each tree
Answer: c. The first domain controller in the forest root domain
If you create a new forest, the first DC installed performs all five FSMO roles. The first domain in a
new forest is called the forest root domain.
Which of the following is a reason for establishing multiple sites? (Choose all that apply.)
a. Improving authentication efficiency
b. Enabling more frequent replication
c. Reducing traffic on the WAN
d. Having only one IP subnet
Answer: a. Improving authentication efficiency, c. Reducing traffic on the WAN
There are three main reasons for establishing multiple sites: authentication efficiency, replication
efficiency, and application efficiency. Replication efficiency can help reduce traffic on the WAN.
User authentications are taking a long time. The domain controller performing which FSMO role will most
likely decrease authentication times if it’s upgraded?
a. RID master
b. PDC emulator
c. Infrastructure master
d. Domain naming master
Answer: b. PDC emulator
The PDC emulator processes password changes for older Windows clients and is used during sign-in
authentication. The DC performing this role should be centrally located where there’s a high
concentration of users to facilitate logons. The PDC emulator is the most heavily used of the FSMO
roles and should be placed on a suitable DC.
An older server that's performing the RID master role is being taken out of service, and you will be
replacing it with a new server configured as a domain controller. What should you do to ensure the
smoothest transition?
a. Transfer the RID master role to the new domain controller, and then shut down the old server.
b. Shut down the current RID master and seize the RID master role from the new domain controller.
c. Back up the domain controller that’s currently the RID master, restore it to the new domain controller, and then shut down the old RID master.
d. Shut down the current RID master, and then transfer the RID master role to the new domain controller.
Answer: a. Transfer the RID master role to the new domain controller, and then shut down the old
server.
Transferring an operations master role means moving the role’s function from one DC to another while
the original DC is still in operation. Because the RID master should be highly available, transferring
the role is preferable to shutting down the original server and seizing the role.
You maintain an RODC running Windows Server 2022 at a branch office, and you want one employee
with solid computer knowledge to perform administrative tasks, such as driver and software updates and
device management. How can you do this without giving the employee broader domain rights?
a. Assign the employee’s account as a delegated administrator in the RODC’s computer account settings.
b. Create a local user on the RODC and add it to the Administrators group. Have the user log on with this account when necessary.
c. Create a script that adds the user to the Domain Admins group each day at a certain time and then removes the user from the group one hour later. Tell the user to log on and perform the necessary tasks during the specified period.
d. Send the user to extensive Windows Server 2022 training, and then add the user to the Domain Admins group.
Answer: a. Assign the employee’s account as a delegated administrator in the RODC’s computer
account settings.
A delegated administrator account for an RODC doesn’t have domain administrative rights and
permissions, so the scope of the delegated permissions is limited to just the RODC computer.
Where would you find files related to logon and logoff scripts in an Active Directory environment?
a. C:\Windows\NTDS
b. %systemroot%\SYSVOL
c. %Windir%\ntds.dit
d. C:\Windows\edb.log
Answer: b. %systemroot%\SYSVOL
Some crucial information for domain operation is stored as files in the SYSVOL share on domain
controllers, including group policy template files, the ADMX central store, and logon scripts.
Which of the following best describes the first domain installed in a forest?
a. Forest root
b. Global catalog
c. Master domain
d. Primary tree
Answer: a. Forest root
The first domain installed in a new forest is referred to as the forest root domain.
Which of the following is responsible for facilitating forest-wide Active Directory searches?
a. Knowledge Consistency Checker
b. Infrastructure master
c. Domain naming master
d. Global catalog server
Answer: d. Global catalog server
A global catalog (GC) server is a DC configured to hold the global catalog. Every forest must have at
least one GC server. GC servers facilitate domain-wide and forest-wide searches and logons across
domains, and they hold universal group membership information.
Your company has merged with another company that also uses Windows Server 2022 and Active
Directory. You want to give the other company’s users access to your company’s forest resources and vice versa without duplicating account information and with the least administrative effort. How can you
achieve this goal?
a. Transfer your global catalog to one of their servers.
b. Create a two-way forest trust.
c. Configure an external trust.
d. Configure selective authentication.
Answer: b. Create a two-way forest trust.
A forest trust allows users in one forest to be granted access to permissions in another forest. If users in
each forest need access to resources in the other forest, a two-way forest trust should be created.
You have three sites: Boston, Chicago, and Los Angeles (LA). You have created site links between Boston
and Chicago and between Chicago and LA with the default site link settings. What do you need to do to
make sure replication occurs between Boston and LA?
a. Do nothing; replication will occur between Boston and LA with the current configuration.
b. Create a new connection object between Boston and LA.
c. Create a site link bridge between Boston and LA.
d. Configure a site link between Boston and LA with SMTP.
Answer: a. Do nothing; replication will occur between Boston and LA with the current configuration.
Site links are transitive by default, which means if a site link exists between Site A and Site B, between
Site A and Site C, and between Site C and Site D, Site A can replicate directly with Site D and Site C
can replicate directly with Site B without creating an explicit link between the two sites.
Which of the following is a valid reason for using multiple forests?
a. Centralized management
b. Need for different schemas
c. Easy access to all domain resources
d. Need for a single global catalog
Answer: b. Need for different schemas
Business units in a large organization might require different schemas because of differences in
language, culture, and applications. The schema controls the objects you can create in Active Directory
and the attributes of these objects. The schema is forest-wide, so if you need different schemas, you
must have additional forests.
Which of the following is a task you should perform before installing server roles and features? (Choose all
that apply.)
a. Set a strong Administrator password.
b. Make the server a domain member.
c. Configure static IP addresses.
d. Make sure security updates are current.
Answer: a. Set a strong Administrator password., c. Configure static IP addresses., d. Make sure
security updates are current.
A strong Administrator password and static IP address should be set on a server immediately after
Windows Server is installed. In addition, security updates should be made current. Making the server a
domain member is dependent on what role the server will play in your organization and is not
necessarily a required task.
You add a server to Server Manager but see the error message “WinRM Negotiate authentication error.”
What should you do?
a. Add the server with different credentials.
b. Add the server to the TrustedHosts list.
c. Install .NET Framework 4.5.
d. Enter the Configure-SMRemoting command.
Answer: b. Add the server to the TrustedHosts list.
If you try to manage a server that is not an Active Directory member, you must add the server to the
TrustedHosts list. Otherwise, you will get a WinRM Negotiate authentication error.
You’re managing 75 servers from a single Server Manager console and find you’re wasting a lot of time
scrolling through the list of servers to find the one you want to manage. You have five locations with about
15 servers in each location. What can you do to make it easier to manage these servers in Server Manager?
a. Create a group in Active Directory.
b. Use WinRM.
c. Enable PowerShell remoting.
d. Create server groups.
Answer: d. Create server groups.
If you have dozens or even hundreds of servers to manage, you might want to organize them in server
groups, such as by department, location, or function. For example, you can group all servers related to
the Operations Department, all servers in the Phoenix office, or all DNS servers.
In Windows Server, what must be running to allow PowerShell remoting?
a. Windows Firewall
b. LBFO
c. Telnet
d. WinRM
Answer: d. WinRM
By default, Windows Server remote management is enabled via Windows Remote Management
(WinRM). WinRM provides a command-line interface for performing a variety of remote management
tasks.
Which method of allowing PowerShell remote administration best leverages the principle of least
privilege?
a. Credential Security Support Provider
b. Kerberos unconstrained delegation
c. Kerberos resource-based constrained delegation
d. Just Enough Administration
Answer: d. Just Enough Administration
Just Enough Administration (JEA) is a technology that allows administrators to delegate administrative
tasks to other personnel without granting excessive privileges. JEA leverages the principle of least
privilege, which states that users and administrators should be given sufficient rights and permissions
to perform their jobs, but no more than that.
With which Windows Admin Center installation option do you access the tool using the loopback address
of the installation computer, typically when you are managing a small number of servers?
a. Local client
b. Gateway server
c. Managed server
d. Failover cluster
Answer: a. Local client
After you install Windows Admin Center using the local client method, you can start it from a shortcut
on the desktop or from the Start menu. Windows Admin Center will open in a browser window with
the address https://localhost:6516.