Your network contains two Active Directory forests named contoso.com and dev.contoso.com. The
contoso.com forest contains a domain controller named DC1. The dev.contoso.com forest contains a domain
controller named DC2. Each domain contains an organizational unit (OU) named OU1.
Dev.contoso.com has a Group Policy object (GPO) named GPO1. GPO1 contains 200 settings, including several
settings that have network paths. GPO1 is linked to OU1.
You need to copy GPO1 from dev.contoso.com to contoso.com.
What should you do first on DC2?
A.
From the Group Policy Management console, right-click GPO1 and select Copy.
B.
Run the mtedit.exe command and specify the /Domaintcontoso.com /DC: DC 1 parameter.
C.
Run the Save-NetGpocmdlet.
D.
Run the Backup-Gpocmdlet.
Explanation:
To copy a Group Policy object:
In the GPMC console tree, right-click the GPO that you want to copy, and then click Copy.
To create a copy of the GPO in the same domain as the source GPO, right-click Group Policy objects, click
Paste, specify permissions for the new GPO in the Copy GPO box, and then click OK .
For copy operations to another domain, you may need to specify a migration table.
The Migration Table Editor (MTE) is provided with Group Policy Management Console (GPMC) to facilitate the
editing of migration tables. Migration tables are used for copying or importing Group Policy objects (GPOs)
from one domain to another, in cases where the GPOs include domain-specific information that must be
updated during copy or import.
Source WS2008R2: Backup the existing GPOs from the GPMC, you need to ensure that the “Group Policy
Objects” container is selected for the “Backup Up All” option to be available.
Copy a Group Policy Object with the Group Policy Management Console (GPMC)
You can copy a Group Policy object (GPO) either by using the drag-and-drop method or right-click method.
Applies To: Windows 8, Windows Server 2008 R2, Windows Server 2012
Ref: http://technet.microsoft.com/en-us/library/cc785343(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc733107.aspx
Right answer is D. There aren’t any trust between forests
I agree. Correct Answer is D as there is no trust between the forests. the GPO will have to be backed up and imported by using a migration table as to updated UNC paths and security principals with the one in the new forest.
If trust existed a copy function could have been used as the UNC and Security principals are the same.
https://msdn.microsoft.com/en-us/library/aa814314(v=vs.85).aspx
Copy GPO does not work under untrusted environment
It doesn’t say if it is trusted or not
If it does not say, we have to pick the solution that works in both cases.
No, you should always stick to the DEFAULTS!
https://technet.microsoft.com/en-us/library/cc733107.aspx
Answer is A
Hi all wouldnt the best answer here be “B”? as the question mentions that the GPO contains 200 settings of which several contain netwrok paths as well. So with the mtedit you would be able to “fix” these unc paths as well
Nevermind, you can use mtedit to resolve these UNC path issues after the copy is done.
“You can use migration tables to update security principals and UNC paths to new values as part of the import or copy operation.”
https://technet.microsoft.com/en-us/library/cc781458(WS.10).aspx
So I guess A seems to be correct
The correct answer is A.
There is Always a trust between a parent en child domain.
https://technet.microsoft.com/en-us/library/cc783351(v=ws.10).aspx
what if I set up two single domain forests named contoso.com and the other dev.contoso.com? and omit setting up a trust…??
Here’s the quote: “Each time you create a new child domain, a two-way transitive trust relationship (known as the parent-child trust) is automatically created between the parent and new child domain. In this way, transitive trust relationships flow upward through the domain tree as it is formed, creating transitive trusts between all domains in the domain tree. The parent-child relationship is a naming and trust relationship only. Administrators in a parent domain are not automatically administrators of a child domain. Likewise, policies set in a parent domain do not automatically apply to child domains.”
I think you mix up setting up an additional trusted subdomain in the same forest and two separate forests (just with specified DNS Domain Names)…
don’t get confused by the DNS domain names!
den,
you are correct.
The question says : contoso.com forest contains The dev.contoso.com forest
There are 2 forests
The the correct answer should be D
“Because a copy operation uses an existing GPO in Active Directory as its source, trust is required between the source and destination domains.”
Since the two domains are in separate, untrusted forests, you have to use Backup-GPO. You then have to create a new GPO in the destination domain and use the Import-GPO command to import the settings.
contains two Active Directory forests named contoso.com and dev.contoso.com
“B”
“D”
Copy. A copy operation allows you to transfer settings from an existing GPO in Active Directory directly into a new GPO. The new GPO created during the copy operation is given a new GUID and is unlinked. You can use a copy operation to transfer settings to a new GPO in the same domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy between production environments, and for migrating Group Policy that has been tested in a test domain or forest to a production environment, as long as there is trust between the source and destination domains.
becuase in questionn nothink say about trusts between domains, answer D
https://technet.microsoft.com/pl-pl/library/cc785343%28v=ws.10%29.aspx
A is wrong, no right click on the policy and copy, you must go to the group policy objects, then from the right pane, right click and copy…
I would
B is wrong too, use Migration Table after the backup or the export to modify it and prepare it for the second untrusted domain..
C no
D should be the right answer backup-gpo
The question says that contoso.com and dev.contoso.com are forests. The question no says that that forests are trusted. So you cannot add forest into GPMC if one not trusted. So I think that the answer on this question is D and I examed it on my lab. You can try it in your VMs.
I think Answer is D
because GPO1 is in dev.contoso.com ((DC2)) not in DC1, and the question says What should you do first on ((DC2))?
D
it is 2 forests. there are no trusts between forests. it has to be D. very well spotted
hi everyone,
plz share me the valid dumps for 70-411.
my emalil: [email protected]
Thanks
Hi Alice,
Can you send me valid 70-411?
[email protected]
Thanks
wouldn’t contoso.com and dev.contoso.com be a Tree-Root trust and make answer “A” correct? I’m thinking the stated answer is correct. “A”
I think there is a mistake in the question. On the begining we have: “…contains two Active Directory FORESTS…”, but then couple words after it states: “Each DOMAIN contains …”. Taking in consideration given DNS names, and the context of given answers, I would rather to pick that DOMAINs was the oryginal word in first sentence. Then copying (point A) is the correct answer, I have tried it myself couple of times.
The question is confusing but the Backup GPO option works both ways if their is a two way forest trust and if there isn’t. Might as well go with D just to be safe.
The answer is A because of lack of a better answer in my opinion. YES, it would be best practice to use a Migration Table when copying GPO’s from one domain or forest to another because of domain/forest specific settings. However it is clearly indicated in many different articles that you MAY (keyword is MAY) need to use a migration table, you also MAY not. So looking at the other answers….
B would be using the wrong parameters as the GPO originally is in dev.contoso.com NOT contoso.com
C… well just invalid.
D is not correct because it was not intended by Microsoft to use Backup-GPO for copying GPO’s. Sure it will work, but again it was not what they intended it to be used for.
your answer to decline D doesn’t make sense… we cannot just ignore the correct answer because was not intended by MS .. here there is no indication about trusts between two forests..I’ll go with D
I will go for “A” as well after reading this page.
https://msdn.microsoft.com/en-us/library/aa814145(v=vs.85).aspx
Yet this page does not address the issue of trust,links on this page including this one:
https://msdn.microsoft.com/en-us/library/aa814315(v=vs.85)
state that a trust must exist between the forests,this question asks WHAT SHOULD YOU DO FIRST ON DC2 which is in a totally different forest,well what could you do except for backing up the GPO in order to make it availible to be imported into the other forest?
again,after reading this page A still seems not right,and D is a good answer that pretty much get’s the job without any further complications.
Answer is D. You need a gpo-backup to set yourself up to use mtedit to cure domain references and import into contoso domain. Read through this article and manny’s comments here.
https://blogs.technet.microsoft.com/manny/2012/02/12/bulk-import-of-group-policy-objects-between-different-domains-with-powershell/
D is the answer.
Did a test in lab, also:
http://www.chicagotech.net/Security/gp8.htm