[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 51-60

Ensurepass

QUESTION 51

You have an Active Directory domain that runs Windows Server 2008 R2.

 

You need to implement a certification authority (CA) server that meets the following requirements:

 

Allows the certification authority to automatically issue certificates

 

Integrates with Active Directory Domain Services

 

What should you do?

 

A.

Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.

B.

Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.

C.

Purchase a certificate from a third-party certification authority, Install and configure the Active Directory

Certificate Services server role as a Standalone Subordinate CA.

D.

Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx

Enterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA).

Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.

An enterprise CA has the following features:

An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain.

You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.

Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards.

The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains.

For more information about the exit module, see Policy and exit modules. An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is

possible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.

The policy module adds a predefined list of certificate extensions to the issued certificate.

The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

Stand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA).

Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

A stand-alone CA has the following characteristics:

Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.

When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user’s information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer’s Security Accounts Manager database.

By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester’s credentials are not verified by the stand-alone CA.

Certificate templates are not used.

No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA’s certificate to the domain user’s trusted root store or users must perform that task themselves.

When a stand-alone CA uses Active Directory, it has these additional features:

If a member of the Domain Administrators group or an administrator with write access to Active Directory installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.

If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.
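The last two paragraphs describe the one configuration that turns a stand-alone CA into a liability: it is trusted by every user and computer in the domain, but it no longer holds requests as Pending. The following PowerShell audit is an added example written for this page (it is not from Ensurepass or from the TechNet text) and reads the CA's own registry configuration on the CA server. The registry paths are the ones the CertSvc service uses; the CAType values and the RequestDisposition flag meanings are those of certsrv.h and the default policy module. The check of the enterprise Root store with certutil, and the interpretation of the result as a finding, are the editor's.

```powershell
# Added example: audit a local AD CS CA for the "trusted stand-alone CA that auto-issues" condition.
# Run on the CA server in an elevated PowerShell session. Assumes the default policy module.

function Test-CaIssuancePolicy {
    $cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfgKey).Active            # name of the active CA instance
    $ca     = Get-ItemProperty -Path "$cfgKey\$caName"
    $policy = Get-ItemProperty -Path "$cfgKey\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"

    # CAType: 0 = Enterprise Root, 1 = Enterprise Subordinate, 3 = Standalone Root, 4 = Standalone Subordinate
    $typeNames    = @{ 0 = 'EnterpriseRoot'; 1 = 'EnterpriseSubordinate'; 3 = 'StandaloneRoot'; 4 = 'StandaloneSubordinate' }
    $isStandalone = @(3, 4) -contains [int]$ca.CAType

    # RequestDisposition: low byte is the action (0 Pending, 1 Issue, 2 Deny, 3 UseRequestAttribute).
    # Bit 0x100 (REQDISP_PENDINGFIRST) parks every request for an administrator before the action runs.
    # A stand-alone CA is installed with 0x101 (issue, but pending first); an enterprise CA with 1.
    $dispo        = [int]$policy.RequestDisposition
    $action       = $dispo -band 0xFF
    $pendingFirst = ($dispo -band 0x100) -ne 0
    $autoIssues   = ($action -eq 1) -and (-not $pendingFirst)

    # Is this CA's certificate in the enterprise Root store, i.e. pushed to the whole domain?
    # (Substring match on the CN; a CA whose name is a prefix of another CA's name would also match.)
    $entRoot   = certutil -enterprise -store Root 2>$null
    $isTrusted = [bool]($entRoot | Select-String -SimpleMatch "CN=$($ca.CommonName)")

    # The finding the TechNet text warns about: domain-trusted stand-alone CA issuing unverified requests.
    $finding = 'OK'
    if ($isStandalone -and $autoIssues -and $isTrusted) {
        $finding = 'HIGH: stand-alone CA trusted by the domain issues without review. ' +
                   'Restore the default with: certutil -setreg policy\RequestDisposition 0x101, then restart certsvc.'
    }

    New-Object PSObject -Property @{
        CAName                 = $caName
        CAType                 = $typeNames[[int]$ca.CAType]
        RequestDisposition     = ('0x{0:X}' -f $dispo)
        PendingFirst           = $pendingFirst
        AutoIssues             = $autoIssues
        PublishedAsTrustedRoot = $isTrusted
        Finding                = $finding
    }
}

Test-CaIssuancePolicy | Format-List
```

On an enterprise CA the same script reports AutoIssues = True and Finding = OK, because there the template ACLs in Active Directory, not an administrator's manual approval, are what gate issuance; the combination is only a finding when CAType is stand-alone.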

 

 

QUESTION 52

Your company has an Active Directory domain.

 

You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2.

 

You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates.

 

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

 

A.

Create an Enrollment Agent certificate.

B.

Create a Smartcard logon certificate.

C.

Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.

D.

Install the AD CS role and configure it as an Enterprise Root CA.

E.

Install the AD CS role and configure it as a Standalone CA.

F.

Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

 

Correct Answer: BCD

Explanation:

http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx

AD CS: Restricted Enrollment Agent

The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users.

 

What does the restricted enrollment agent do?

Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations. On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows

 

http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx

 

Enterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA).

Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.

An enterprise CA has the following features:

An enterprise CA requires the Active Directory directory service.

When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.

 

An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.

The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.

The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

Stand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

A stand-alone CA has the following characteristics:

Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user’s information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer’s Security Accounts Manager database.

By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester’s credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA’s certificate to the domain user’s trusted root store or users must perform that task themselves. When a stand-alone CA uses Active Directory, it has these additional features:

If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.

If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.

 

 

QUESTION 53

Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS).

 

You need to create new organizational units in the AD LDS application directory partition.

 

What should you do?

 

A.

Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

B.

Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition.

C.

Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.

D.

Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx

ADSI Edit (adsiedit.msc)

Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

http://technet.microsoft.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1

Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users

Create an OU

To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Active Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol (LDAP)-based directories, OUs are most commonly used for keeping users and groups organized.

To create an OU

1. Click Start, point to Administrative Tools, and then click ADSI Edit.

2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU.

3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to which you want to add the OU, point to New, and then click Object.

4. In Select a class, click organizationalUnit, and then click Next.

5. In Value, type a name for the new OU, and then click Next.

6. If you want to set values for additional attributes, click More attributes.

Further information:

http://technet.microsoft.com/en-us/library/cc754663%28v=ws.10%29.aspx

Step 5: Practice Working with Application Directory Partitions

The Active Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directory partitions. There are three different types of directory partitions:

Configuration directory partitions

Schema directory partitions

Application directory partitions

Each AD LDS directory store must contain a single configuration directory partition and a single schema directory partition. The directory store can contain zero or more application directory partitions.

Application directory partitions hold the data that your applications use. You can create an application directory partition during AD LDS setup or anytime after installation.
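The ADSI Edit steps above perform a plain LDAP add of an organizationalUnit object against the instance's LDAP port. The same operation scripted with System.DirectoryServices, as an added example (not from the page or from Microsoft's walkthrough): the instance host and port, the partition DN (taken from the walkthrough) and the OU names are assumptions. dsadd and Active Directory Users and Computers are not used because they target AD DS domains, not an AD LDS partition.

```powershell
# Added example: create OUs in an AD LDS application partition over LDAP.
# Assumes an AD LDS instance on ldsserver.contoso.com listening on port 50000 (hypothetical),
# and that the caller is a member of the instance's Administrators role.
Add-Type -AssemblyName System.DirectoryServices

function New-AdLdsOu {
    param(
        [string]$Server    = 'ldsserver.contoso.com:50000',   # assumed host:port of the AD LDS instance
        [string]$Partition = 'o=Microsoft,c=US',              # application partition DN from the walkthrough
        [string[]]$Names
    )
    # Bind to the partition root (integrated authentication over LDAP, as ADSI Edit does).
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Partition")
    $null = $root.distinguishedName          # forces the bind; a wrong port or DN fails here, not later

    foreach ($name in $Names) {
        if ($name -match '[,+"\\<>;=()*]') { throw "OU name '$name' contains characters that need LDAP escaping" }

        # Skip OUs that already exist instead of letting the add fail with an LDAP error.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $root, "(&(objectClass=organizationalUnit)(ou=$name))", [string[]]@('distinguishedName'), 'OneLevel')
        if ($searcher.FindOne()) {
            Write-Verbose "OU=$name already exists under $Partition"
            continue
        }

        # Equivalent of ADSI Edit: New > Object > organizationalUnit > Value = <name>
        $ou = $root.Children.Add("OU=$name", 'organizationalUnit')
        $ou.CommitChanges()                  # the LDAP add happens here
        $ou.Path                             # returns LDAP://server:port/OU=<name>,o=Microsoft,c=US
    }
}

New-AdLdsOu -Names 'Sales', 'Engineering' -Verbose
```

Running it twice is harmless: the second run logs "already exists" for each OU and adds nothing. If the bind fails with "The server is not operational", the port or partition DN does not match what dsdbutil/ADSI Edit shows for the instance.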

 

 

QUESTION 54

Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008.

 

The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003.

 

You need to set up a transitive forest trust between Forest1 and Forest2.

 

What should you do first?

 

A.

Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.

B.

Raise the forest functional level of Forest2 to Windows Server 2003.

C.

Upgrade the domain controllers in Forest2 to Windows Server 2008.

D.

Upgrade the domain controllers in Forest2 to Windows Server 2003.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc816810.aspx

 

Creating Forest Trusts

You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way or two-way, transitive trust relationship.

 

The following are required to create forest trusts successfully:

 

You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest.

 

To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003.

 

 

QUESTION 55

Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office.

 

You need to ensure that users at the branch office are able to log on to the domain by using the RODC.

 

What should you do?

 

A.

Add another RODC to the branch office.

B.

Configure a new bridgehead server in the main office.

C.

Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.

D.

Configure the Password Replication Policy on the RODC.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc754956%28v=ws.10%29.aspx

RODC Frequently Asked Questions

What new attributes support the RODC Password Replication Policy?

Password Replication Policy is the mechanism for determining whether a user or computer’s credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

What operations fail if the WAN is offline, but the RODC is online in the branch office?

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:

Password changes

Attempts to join a computer to a domain

Computer rename

Authentication attempts for accounts whose credentials are not cached on the RODC

Group Policy updates that an administrator might attempt by running the gpupdate /force command

What operations succeed if the WAN is offline, but the RODC is online in the branch office?

If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:

Authentication and logon attempts, if the credentials for the resource and the requester are already cached

Local RODC server administration performed by a delegated RODC server administrator
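Configuring and then auditing the Password Replication Policy with the Active Directory module (Windows Server 2008 R2 / RSAT), as an added example that is not part of the page or of the TechNet FAQ. The RODC name, the branch group, the privileged group and the use of Sync-ADObject to pre-populate secrets are the editor's assumptions; the cmdlet names are those of the ActiveDirectory module.

```powershell
# Added example: set the PRP for a branch RODC, then verify what it actually caches.
# Run on a writable DC or a management host with RSAT, as a domain administrator.
Import-Module ActiveDirectory

$rodc   = 'BRANCH-RODC1'      # assumed RODC computer name
$branch = 'Branch1-Users'     # assumed group: accounts that must log on when the WAN is down
$tier0  = 'Tier0-Admins'      # assumed group: accounts that must never be cached on a branch DC

# 1. Allow the branch group. The PRP is stored on the RODC object and evaluated by the writable
#    hub DC, which is why it must be set against the writable DC, never on the RODC itself.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $branch

# 2. Deny wins over Allow. The defaults already deny Administrators, Server Operators, Backup
#    Operators, Account Operators and "Denied RODC Password Replication Group"; add your own tier-0 group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $tier0

# 3. Show the effective lists.
"Allowed:"; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
"Denied:";  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# 4. Which secrets have really been replicated to the RODC? This is the reset list if the box is stolen.
"Revealed on ${rodc}:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName

# 5. Pre-populate the branch users' secrets from a writable DC so that the first logon works even
#    if the WAN is already down (otherwise a credential is cached only after a successful online logon).
$hub = [string](Get-ADDomainController -Discover -Writable).HostName
Get-ADGroupMember -Identity $branch -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Sync-ADObject -Object $_ -Source $hub -Destination $rodc -PasswordOnly
    }
```

Step 4 is the check worth scheduling: an account that appears in the revealed list but is not a member of the branch group means someone logged on at the branch who should not have, and the PRP rather than the logon audit is the place to fix it.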

QUESTION 56

Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers have the DNS server role installed.

 

You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to DNS1.contoso.com.

 

You discover that the DNS forwarding option is unavailable on DC2.

 

You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Clear the DNS cache on DC2.

B.

Configure conditional forwarding on DC2.

C.

Configure the Listen On address on DC2.

D.

Delete the Root zone on DC2.

 

Correct Answer: BD

Explanation:

http://technet.microsoft.com/en-us/library/cc754941.aspx

Configure a DNS Server to Use Forwarders

A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network. You can also configure your server to forward queries according to specific domain names using conditional forwarders.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/

Deleting .root dns zone in 2008 DNS

Q: We have 2 domain controllers and a .root zone is created in the DNS. Due to which the external name resolution is not possible. I had tried to add conditional forwarders but I get an error saying that conditional forwarders cannot be created on root DNS servers.

A1: If you have a “root” zone created in your DNS, and you no longer want that configuration, you can just simply delete that zone. There is no reason to have a root “.” zone hosted unless you want to make sure that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name resolution.

If you delete this zone, the DNS server will be able to use its root hints or forwarders to resolve queries for zones it's not authoritative for.

A2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access while promoting the first DC. Just remove it, and the Forwarders option reappears.

 

Further information:

http://support.microsoft.com/kb/298148

How To Remove the Root Zone (Dot Zone)

http://technet.microsoft.com/en-us/library/cc731879%28v=ws.10%29.aspx

Reviewing DNS Concepts

Delegation

For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in the namespace. These paths are created by means of delegation. A delegation is a record in a parent zone that lists a name server that is authoritative for the zone in the next level of the hierarchy. Delegations make it possible for servers in one zone to refer clients to servers in other zones. The following illustration shows one example of delegation.

 

[Illustration: delegation from the root zone (.) to the com zone, and from the com zone to the contoso.com zone]

 

The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to a zone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root server that, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells the Com server that, to find the contoso.com zone, it must contact the Contoso server.

Note: A delegation uses two types of records. The name server (NS) resource record provides the name of an authoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6) addresses of an authoritative server. This system of zones and delegations creates a hierarchical tree that represents the DNS namespace. Each zone represents a layer in the hierarchy, and each delegation represents a branch of the tree. By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS namespace.

The root zone includes delegations that lead directly or indirectly to all other zones in the hierarchy. Any server that can query the DNS root server can use the information in the delegations to find any name in the namespace.
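Because a server hosting the root zone believes it is authoritative for everything, the Forwarders tab and conditional forwarders are disabled on it, which is the symptom in the question. The fix scripted with dnscmd.exe (the DnsServer PowerShell module does not exist on Windows Server 2008 R2), as an added example that is not from the page, the forum thread or Microsoft: the forwarder's IP address is an assumption, since the question names DNS1.contoso.com but gives no address.

```powershell
# Added example: remove a stray root zone from DC2, then configure forwarding to the perimeter DNS server.
# Run as a DNS administrator; dnscmd is installed with the DNS Server role and in RSAT.
$server    = 'DC2'
$forwarder = '10.0.0.53'   # assumed address of DNS1.contoso.com on the perimeter network

# /EnumZones prints one zone per line: "<name> <type> <storage> <properties>". A zone named "." is the culprit.
$zones    = dnscmd $server /EnumZones
$rootLine = @($zones | Where-Object { $_ -match '^\s*\.\s+' })

if ($rootLine.Count -gt 0) {
    Write-Host "Root zone found on ${server}: $($rootLine[0].Trim())"
    $delArgs = @('/ZoneDelete', '.')
    if ($rootLine[0] -match '\sAD-') { $delArgs += '/DsDel' }   # AD-integrated: also delete the directory copy
    $delArgs += '/f'                                             # no confirmation prompt
    & dnscmd $server $delArgs
} else {
    Write-Host "No root zone on $server; nothing to delete."
}

# Forward every query the server is not authoritative for (the question's intent).
# Without the root zone this command is accepted; with it, dnscmd reports the same error the GUI greys out.
dnscmd $server /ResetForwarders $forwarder /TimeOut 3

# Alternatively (answer B): forward only a specific namespace. /DsForwarder stores the conditional
# forwarder in AD DS so DC1 receives it through replication instead of being configured by hand.
dnscmd $server /ZoneAdd contoso.com /DsForwarder $forwarder

# Verify: the forwarders block appears in the server info, and an external name now resolves through DC2.
dnscmd $server /Info | Select-String -Pattern 'Forwarders', 'contoso.com'
nslookup www.microsoft.com $server
```

The two approaches are not mutually exclusive, but they answer different questions: /ResetForwarders says "ask the perimeter server for anything I do not know", /ZoneAdd ... /DsForwarder says "ask it only for contoso.com names", and the latter keeps Internet resolution on root hints.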

 

 

QUESTION 57

Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.

 

You implement Active Directory Rights Management Services (AD RMS).

 

You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: “SQL Server does not exist or access denied.”

 

You need to open the AD RMS administration Web site.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Restart IIS.

B.

Manually delete the Service Connection Point in AD DS and restart AD RMS.

C.

Install Message Queuing.

D.

Start the MSSQLSVC service.

 

Correct Answer: AD

Explanation:

http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1

RMS Administration Issues

“SQL Server does not exist or access denied” message received when attempting to open the RMS Administration Web site

If you have installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to start automatically, RMS will not be able to function and only the RMS Global Administration page will be accessible.

After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.

 

 

QUESTION 58

You are decommissioning domain controllers that hold all forest-wide operations master roles.

 

You need to transfer all forest-wide operations master roles to another domain controller.

 

Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)

 

A.

Domain naming master

B.

Infrastructure master

C.

RID master

D.

PDC emulator

E.

Schema master

 

Correct Answer: AE

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-indows-server-2008.aspx

 

Transferring FSMO Roles in Windows Server 2008

One of the duties of any system administrator is to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller is to transfer the FSMO roles to the new hardware server. FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles.

The five FSMO roles are:

Schema Master

Domain Naming Master

Infrastructure Master

Relative ID (RID) Master

PDC Emulator

The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
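Enumerating all role holders across the forest (which makes the 2 + 3 × domains arithmetic visible) and then transferring only the two forest-wide roles with the Active Directory module, as an added example that is not from the page or from the TechNet wiki. The target DC name is an assumption; the cmdlet and role names are those of the ActiveDirectory module on Windows Server 2008 R2.

```powershell
# Added example: list every FSMO holder in the forest, then move the forest-wide roles off the old DC.
# Transferring the schema master requires Schema Admins membership; the others require Enterprise Admins
# (forest-wide roles) or Domain Admins (domain-wide roles). Run from a host with RSAT.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    # Forest-wide: exactly one holder each, regardless of the number of domains.
    New-Object PSObject -Property @{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    New-Object PSObject -Property @{ Scope = 'Forest'; Domain = $forest.RootDomain; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # Domain-wide: one of each per domain, so three more rows per domain in the forest.
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            New-Object PSObject -Property @{ Scope = 'Domain'; Domain = $domainName; Role = $role; Holder = $domain.$role }
        }
    }
}

$before = @(Get-FsmoHolders)
"$($before.Count) FSMO roles in this forest:"
$before | Format-Table Scope, Domain, Role, Holder -AutoSize

# Transfer, not seize: the current holder is still online during decommissioning, so both DCs agree on the
# hand-over. Use -Force (seize) only when the old holder is permanently gone, and never bring it back afterwards.
$target = 'DC3.contoso.com'   # assumed new holder
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

# Verify: only the two forest-wide rows should have changed.
"Forest-wide roles after transfer:"
Get-FsmoHolders | Where-Object { $_.Scope -eq 'Forest' } | Format-Table Role, Holder -AutoSize
```

If the decommissioned DC also held the domain-wide roles for its domain, run the same cmdlet against it with PDCEmulator, RIDMaster, InfrastructureMaster; the question asks only about the forest-wide pair.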

QUESTION 59

Your company has an Active Directory forest.

 

You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.

 

When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available.

 

You need to install the AD CS role as an Enterprise CA.

 

What should you do first?

 

A.

Add the DNS Server role.

B.

Add the Active Directory Lightweight Directory Service (AD LDS) role.

C.

Add the Web server (IIS) role and the AD CS role.

D.

Join the server to the domain.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx

Active Directory Certificate Services Step-by-Step Guide

http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/

Enterprise CA option is greyed out / unavailable

Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it’s unavailable as in following picture:

 

[Screenshot: the Enterprise CA option greyed out during AD CS role installation]

Well, you need to fulfill basic requirements:

Server machine has to be a member server (domain joined).

You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Edition. The difference is the number of ADCS features and components that can be enabled. To get full functionality, you need to run on Enterprise or Data Center Windows Server 2008 /R2/ Editions. It includes functionality like Role separation, Certificate manager restrictions, Delegated enrollment agent restrictions, Certificate enrollment across forests, Online Responder, Network Device Enrollment. In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through a group nesting).

If the issue still persists, there is probably a problem with getting the correct credentials for your account. There are many things that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly:

First of all, carefully check all above requirements. Secondly, install all available patches and Service Packs with Windows Update before trying to install Enterprise CA.

Check network settings on the CA Server. If there is no DNS setting, Certificate Authority Server cannot resolve and find domain.

Sufficient privileges for writing the Enterprise CA configuration information in the AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure that your account is in the Enterprise Admins group, but check how the CA Server “sees” your account membership by typing whoami /groups.

You also need to be a member of the local Administrators group. If you are not, you would not be able to run Server Manager at all, but it still needs to be checked. View the C:\Windows\certocm.log file. There you can find helpful details on problems with group membership. For example, the status ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the needed memberships are not correct.

Don't forget to check Event Viewer on the CA server side and look for red lines. Verify that network devices or software and hardware firewalls are not blocking access between the server and the Domain Controllers. If they are, the Certificate Authority server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName

Check also whether the CA server is connected to a writable Domain Controller. Enterprise Admins is the most powerful group and has the full control permissions AD CS requires, but who knows, maybe someone changed the default permissions?

Run adsiedit.msc on a Domain Controller, connect to the default context and first of all check whether the CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container exists. If so, check the permissions on all subcontainers under Public Key Services to confirm that the Enterprise Admins group has full control. The main subcontainers to verify are the Certificate Templates, OID and KRA containers.

If none of the above tips help, disjoin the server from the domain and join it again. As a last resort, reinstall the operating system on the CA server.
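The checks above can be run in one pass before launching the wizard. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes it is run on the prospective CA server, in the account that will install AD CS, and reads the domain name from the machine itself (no other names are assumed). It reports domain membership, the admin groups present in the logon token (what the CA server actually "sees"), the secure channel to a DC, the Public Key Services container and its main subcontainers, and any install-rights error already recorded in certocm.log.

```powershell
# Added example (not from the original post or the exam vendor): a PowerShell
# pre-flight check for the Enterprise CA prerequisites described above.
# Assumed: run on the prospective CA server, in the account that will install
# AD CS. The domain name is read from the machine; nothing else is assumed.

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Domain membership (the wizard offers Enterprise CA only on a domain-joined server)
$cs = Get-WmiObject -Class Win32_ComputerSystem
Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain
$domainName = $cs.Domain

# 2. Group membership as the token contains it, not as you assume it (whoami /groups)
$tokenGroups = whoami /groups /fo csv | Where-Object { $_ -match '^"' } | ConvertFrom-Csv
$adminGroups = $tokenGroups | Where-Object { $_.'Group Name' -match '\\(Enterprise Admins|Domain Admins)$' }
Add-Check 'Enterprise/Domain Admins in token' ([bool]$adminGroups) (($adminGroups | ForEach-Object { $_.'Group Name' }) -join ', ')
# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators
$localAdmin = $tokenGroups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
Add-Check 'Local Administrators' ([bool]$localAdmin) 'BUILTIN\Administrators present in token'

# 3. Secure channel to a domain controller (the nltest /sc_verify check from the text)
$nl = nltest /sc_verify:$domainName 2>&1
Add-Check 'Secure channel' ($LASTEXITCODE -eq 0) (($nl | Select-String 'Trusted DC Name') -join '; ')

# 4. Public Key Services container and its key subcontainers in the Configuration partition
$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks = "LDAP://CN=Public Key Services,CN=Services,$configNC"
Add-Check 'Public Key Services container' ([System.DirectoryServices.DirectoryEntry]::Exists($pks)) $pks
foreach ($sub in 'Certificate Templates', 'OID', 'KRA') {
    $path = "LDAP://CN=$sub,CN=Public Key Services,CN=Services,$configNC"
    Add-Check "Subcontainer $sub" ([System.DirectoryServices.DirectoryEntry]::Exists($path)) $path
}

# 5. Install-rights failures already recorded by a previous wizard run
$log = Join-Path $env:windir 'certocm.log'
if (Test-Path $log) {
    $hits = Select-String -Path $log -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON' | Select-Object -Last 3
    Add-Check 'certocm.log' (-not $hits) (($hits | ForEach-Object { $_.Line.Trim() }) -join '; ')
}

$results | Format-Table Check, Passed, Detail -AutoSize
```

The existence checks only confirm that the containers are present; the permission review on them (Enterprise Admins having full control) is still done in adsiedit.msc as described above.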

 

 

QUESTION 60

Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode.

 

You configure an external trust between contoso.com and fabrikam.com.

 

You need to enable the Kerberos AES encryption option.

 

What should you do?

 

A.

Raise the forest functional level of fabrikam.com to Windows Server 2008.

B.

Raise the domain functional level of fabrikam.com to Windows Server 2008.

C.

Raise the forest functional level of contoso.com to Windows Server 2008.

D.

Create a new forest trust and enable forest-wide authentication.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx

Understanding Active Directory Domain Services (AD DS) Functional Levels

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

 

Features that are available at domain functional levels

 

Windows Server 2008

All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:

 

* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.

 

Further information:

http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx

Kerberos Enhancements

 

Requirements

All Kerberos authentication requests involve three different parties: the client requesting a connection, the server that will provide the requested data, and the Kerberos KDC that provides the keys that are used to protect the various messages.

This discussion focuses on how AES can be used to protect these Kerberos authentication protocol messages and data structures that are exchanged among the three parties. Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.
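To verify the requirement quoted above, an administrator can read each domain's functional level and look at which Kerberos encryption types an account advertises. The following PowerShell is an added example, not code from TechNet or the exam vendor; it assumes it is run from a domain-joined machine that can reach the target domain over the trust, and 'fabrikam.com' and the account name are placeholders. It uses the .NET System.DirectoryServices classes, so it works without the ActiveDirectory module.

```powershell
# Added example (not from TechNet or the exam vendor): report whether a domain's
# functional level allows AES Kerberos tickets, and decode the encryption types
# an account advertises. Assumed: run from a domain-joined machine that can reach
# the target domain; 'fabrikam.com' and the account name are placeholders.

function Get-KerberosAesReadiness {
    param([string]$DomainName)
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    # AES TGTs require the Windows Server 2008 domain functional level or higher
    $min = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain
    New-Object PSObject -Property @{
        Domain               = $DomainName
        DomainMode           = $domain.DomainMode
        AesKerberosAvailable = ([int]$domain.DomainMode -ge [int]$min)
    }
}

# Decode the msDS-SupportedEncryptionTypes bit mask so accounts still limited to
# DES or RC4 are visible (bit values as documented for that attribute).
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    $names = @{ 1 = 'DES_CBC_CRC'; 2 = 'DES_CBC_MD5'; 4 = 'RC4_HMAC'; 8 = 'AES128_CTS_HMAC_SHA1_96'; 16 = 'AES256_CTS_HMAC_SHA1_96' }
    $set = @()
    foreach ($bit in 1, 2, 4, 8, 16) { if ($Mask -band $bit) { $set += $names[$bit] } }
    if ($set.Count -eq 0) { 'attribute not set (KDC default applies)' } else { $set -join ', ' }
}

function Get-AccountEncTypes {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('msDS-SupportedEncryptionTypes')
    $r = $searcher.FindOne()
    if ($r -eq $null) { return "$SamAccountName not found" }
    $mask = 0
    if ($r.Properties['msds-supportedencryptiontypes'].Count -gt 0) {
        $mask = $r.Properties['msds-supportedencryptiontypes'][0]
    }
    ConvertFrom-EncTypeMask $mask
}

Get-KerberosAesReadiness 'fabrikam.com'   # placeholder domain name
# The KDC's own account; the TechNet text above also requires a password change
# after the functional level is raised before AES TGTs are issued.
Get-AccountEncTypes 'krbtgt'
```

Raising the domain functional level is the gating step the question asks about; the attribute decode is the follow-up check that shows whether a given account (the krbtgt account first of all) has actually picked up the AES key types afterwards.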

 
