[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 1-10


Windows Server 2008 Active Directory, Configuring

Question No: 1 – (Topic 1)

Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS Servers.

You have a standard primary zone for dev.contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.

What should you do?

  1. On the member server, create a stub zone.

  2. On the member server, create a NS record for each domain controller.

  3. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest.

  4. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.

Answer: C

Explanation:

The domain controllers, not the member server, need the forwarding rule, and they sit in two domains of the same forest, so the conditional forwarder has to be Active Directory-integrated with a forest-wide replication scope (the ForestDnsZones application partition). A domain-scoped forwarder would reach only the DNS servers of one domain, and a stub zone or NS records created on the member server change nothing on the domain controllers.

http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders.

You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.

The following figure illustrates how external name queries are directed with forwarders.


Conditional forwarders

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Further information:

http://technet.microsoft.com/en-us/library/cc794735(v=ws.10).aspx Assign a Conditional Forwarder for a Domain Name

http://technet.microsoft.com/en-us/library/cc754941.aspx

Configure a DNS Server to Use Forwarders
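The following is an added example, not part of the question or of the TechNet text above. It creates the dev.contoso.com conditional forwarder once, Active Directory-integrated and forest-replicated, and then walks every domain controller in the forest to confirm that it holds the forwarder and can resolve a name through it. Assumed names: DC1 is a DC/DNS server in contoso.com, 10.0.0.50 is the member server hosting the standard primary zone, build01 is a host in that zone, and the script runs with Domain Admin rights under PowerShell 3.0 or later with the RSAT ActiveDirectory module.

```powershell
# Added example: forest-replicated conditional forwarder plus a per-DC verification loop.
# Server names, the master IP and the test host are assumptions, not values from the question.
Import-Module ActiveDirectory

$Zone     = 'dev.contoso.com'
$Master   = '10.0.0.50'
$AdminDc  = 'dc1.contoso.com'
$TestHost = "build01.$Zone"

# /DsForwarder stores the forwarder in AD; /DP names the application partition it lives in.
# ForestDnsZones replicates to every DNS-enabled DC in the forest; DomainDnsZones would stop
# at the domain boundary and leave the other domain's DCs unable to resolve the zone.
$ForestDp = 'ForestDnsZones.' + (Get-ADForest).RootDomain
dnscmd $AdminDc /ZoneAdd $Zone /DsForwarder $Master /DP $ForestDp

# Windows Server 2012+ equivalent (DnsServer module; it cannot manage a 2008 R2 DNS server):
#   Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Master -ReplicationScope Forest -ComputerName $AdminDc

# Push the partition out now instead of waiting for the replication schedule
$forestDpDn = 'DC=ForestDnsZones,' + (Get-ADDomain (Get-ADForest).RootDomain).DistinguishedName
repadmin /syncall $AdminDc $forestDpDn /AeP | Out-Null

function Test-ForwarderOnDc {
    param([string]$DcHost)
    # EnumZones lists each zone with its type and storage; a forest-wide conditional
    # forwarder appears as 'Forwarder' with 'AD-Forest' storage
    $zones    = dnscmd $DcHost /EnumZones 2>&1
    $hasZone  = [bool]($zones | Select-String -Pattern ("^\s*{0}\s" -f [regex]::Escape($Zone)))
    $answer   = nslookup -type=A $TestHost $DcHost 2>&1
    $resolves = -not (($answer -join ' ') -match "can't find")
    [pscustomobject]@{ DC = $DcHost; HasForwarder = $hasZone; Resolves = $resolves }
}

(Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    ForEach-Object { Test-ForwarderOnDc -DcHost $_.HostName } |
    Format-Table -AutoSize
```

One thing worth keeping in mind: a forest-replicated conditional forwarder is a forest-wide trust decision. Every domain controller will now hand queries for dev.contoso.com to 10.0.0.50 without validating the answers, so whoever controls that member server controls that namespace for the whole forest.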

Question No: 2 – (Topic 1)

Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements.

Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7.

You need to configure your partner company's domain to use the approved set of administrative templates.

What should you do?

  1. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy.

  2. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.

  3. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.

  4. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on the partner company's PDC emulator.

Answer: B Explanation:

http://support.microsoft.com/kb/929841

How to create the Central Store for Group Policy Administrative Template files in Windows Vista

Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settings appear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markup language.

In Windows Vista, Administrative Template files are divided into .admx files and language- specific .adml files that are available to Group Policy administrators.

Administrative Template file storage

In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased.

Windows Vista uses a Central Store to store Administrative Template files. In Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm files.

The Central Store

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:

\\FQDN\SYSVOL\FQDN\policies

Note: FQDN is a fully qualified domain name.

http://www.frickelsoft.net/blog/?p=31

How can I export local Group Policy settings made in gpedit.msc?

Mark Heitbrink, MVP for Group Policy, came up with a good solution on how you can “export” the Group Policy and Security settings you made on a machine with the Local Group Policy Editor (gpedit.msc) to other machines pretty easily:

Normal settings can be copied like this:

1.) Open %systemroot%\system32\grouppolicy\

Within this folder, there are two folders – “machine” and “user”. Copy these two folders to the “%systemroot%\system32\grouppolicy” folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.

Note: If you cannot see the “grouppolicy” folder on either the source or the target machine, be sure to have your explorer folder options set to “Show hidden files and folders”…

For security settings:

1.) Open MMC and add the Snapin “Security Templates”.

2.) Create your own customized template and save it as an “*inf” file.

3.) Copy the file to the target machine and import it via the command line tool “secedit”: secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf

Further information on secedit can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true

If you’re building custom installations, you can pretty easily script the “overwriting” of the “machine”/“user” folders or the import via secedit by copying these files to a share and copying and executing them with a script.
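The following is an added example, not taken from the KB article or the blog post quoted above. It populates the partner domain's Central Store from the approved ADMX set and then checks that the store is complete and has replicated. Assumptions: the approved files sit in %SystemRoot%\PolicyDefinitions on contoso.com's PDC emulator, the caller can read that admin$ share and write to fabrikam.com's SYSVOL, only the en-US language files are needed, and PowerShell 3.0 or later with the RSAT ActiveDirectory module is available. One point the answer glosses over: the .admx files are useless to the editor without the matching .adml files for its language, so both are copied.

```powershell
# Added example: build and verify a Group Policy Central Store in the partner domain.
# Domain names, share paths and the language list are assumptions.
Import-Module ActiveDirectory

$Source    = '\\' + (Get-ADDomain -Server 'contoso.com').PDCEmulator + '\admin$\PolicyDefinitions'
$Partner   = Get-ADDomain -Server 'fabrikam.com'
# Write to the PDC emulator's SYSVOL: that is the DC GPMC edits against by default, and
# SYSVOL replication (FRS or DFSR) carries the folder to the other DCs of the domain.
$Store     = "\\$($Partner.PDCEmulator)\SYSVOL\$($Partner.DNSRoot)\Policies\PolicyDefinitions"
$Languages = @('en-US')

if (-not (Test-Path $Store)) { New-Item -Path $Store -ItemType Directory | Out-Null }
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $Store -Force
foreach ($lang in $Languages) {
    $dst = Join-Path $Store $lang
    if (-not (Test-Path $dst)) { New-Item -Path $dst -ItemType Directory | Out-Null }
    Copy-Item -Path (Join-Path $Source "$lang\*.adml") -Destination $dst -Force
}

# Once a Central Store exists, GPMC ignores the local PolicyDefinitions folder entirely, so an
# .admx without its .adml for the editor's language breaks the Administrative Templates node.
function Test-CentralStore {
    param([string]$Path, [string]$Language = 'en-US')
    $admx    = @(Get-ChildItem -Path $Path -Filter *.admx)
    $missing = $admx | Where-Object { -not (Test-Path (Join-Path $Path "$Language\$($_.BaseName).adml")) }
    [pscustomobject]@{
        Store       = $Path
        AdmxCount   = $admx.Count
        MissingAdml = @($missing | ForEach-Object { $_.Name })
    }
}

Test-CentralStore -Path $Store

# Replication check: every DC in the partner domain should report the same .admx count
Get-ADDomainController -Filter * -Server $Partner.DNSRoot | ForEach-Object {
    $p = "\\$($_.HostName)\SYSVOL\$($Partner.DNSRoot)\Policies\PolicyDefinitions"
    [pscustomobject]@{
        DC        = $_.HostName
        AdmxCount = @(Get-ChildItem -Path $p -Filter *.admx -ErrorAction SilentlyContinue).Count
    }
}
```

The template files are trusted configuration input for every GPO editor in the partner domain, so copy them only from the approved source and keep the store's NTFS permissions as SYSVOL sets them; anyone who can write to PolicyDefinitions can change what settings administrators see and where they land in the registry.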

Question No: 3 – (Topic 1)

Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.

You create a GPO.

You need to track which employees access the Payroll files on the file servers. What should you do?

  1. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

  2. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.

  3. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.

  4. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.

Answer: B Explanation:

Answer: Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.

Object access is the category that records use of files and folders; process tracking only records program start and exit. The GPO has to apply to the file servers' computer objects, which are in the Payroll OU, not to the Domain Controllers OU or the whole domain, and the SACL goes on the Payroll folder on the file servers, where the files live. Auditing Everyone also captures anonymous and guest sessions that Authenticated Users would miss. The policy setting alone produces no events: a folder generates object-access events only once a SACL has been set on it.

http://technet.microsoft.com/en-us/library/dd349800(v=ws.10).aspx Audit Policy

Establishing an organizational computer system audit policy is an important facet of information security.

Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows® records the events in the Security log, which you can find in Event Viewer.

Object access. Audit this to record when someone has used a file, folder, printer, or other object.

Process tracking. Audit this to record when events such as program activation or a process exiting occur.

When you implement Audit Policy settings:

If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy

settings in the object access event category so that both successful and failed attempts to read a file are recorded.

Further information:

http://technet.microsoft.com/en-us/library/hh147307(v=ws.10).aspx Group Policy for Beginners

Group Policy Links

At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer.

Instead of containing files and subfolders, however, they can contain computers, users, and other objects.

For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the

Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU.

What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container.
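The following is an added example, not part of the question or the TechNet text. It shows the chosen answer implemented on one Payroll file server, the SACL that the policy setting needs before anything is logged, and a query that reads the resulting events back. Assumptions: the share lives at D:\Payroll, the server has already received the GPO, and the script runs elevated under PowerShell 3.0 or later.

```powershell
# Added example: object-access auditing on the Payroll folder and a reader for the events.
# The folder path is an assumption.
$Folder = 'D:\Payroll'

# 1. Policy side. On Windows Server 2008 R2 the Advanced Audit Policy subcategory wins over the
#    legacy "Audit object access" category when "Force audit policy subcategory settings" is
#    enabled, so check what is actually in effect on the file server.
auditpol /get /subcategory:"File System"

# 2. Object side: a SACL entry on the folder, inherited by files and subfolders, for Everyone
#    (Authenticated Users would miss anonymous and guest access).
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl        # needs SeSecurityPrivilege, hence elevated

# 3. Read back. Event 4663 = "An attempt was made to access an object". Property positions
#    follow the 4663 event template: SubjectUserName=1, SubjectDomainName=2, ObjectName=6,
#    AccessMask=9, ProcessName=11.
function Get-PayrollAccess {
    param([string]$Path = $Folder, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -like "$Path*" } |
        Select-Object TimeCreated,
            @{ n = 'User';    e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
            @{ n = 'Object';  e = { $_.Properties[6].Value } },
            @{ n = 'Access';  e = { $_.Properties[9].Value } },
            @{ n = 'Process'; e = { $_.Properties[11].Value } },
            @{ n = 'Outcome'; e = { if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' } } }
}

Get-PayrollAccess -Hours 8 | Format-Table -AutoSize
```

ReadData auditing on a busy share is noisy; scope the SACL to the folders that actually hold payroll data and forward the Security log off the file server, since a local administrator can clear it.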

Question No: 4 – (Topic 1)

You need to remove the Active Directory Domain Services role from a domain controller named DC1.

What should you do?

  1. Run the netdom remove DC1 command.

  2. Run the Dcpromo utility. Remove the Active Directory Domain Services role.

  3. Run the nltest /remove_server: DC1 command.

  4. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.

    Answer: B Explanation:

    Answer: Run the Dcpromo utility. Remove the Active Directory Domain Services role.

    http://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx Removing a Domain Controller from a Domain

    To remove a domain controller by using the Windows interface

    1. Click Start, click Run, type dcpromo, and then press ENTER.

      Further information:

      http://technet.microsoft.com/en-us/library/cc772217(v=ws.10).aspx Netdom

      Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

      Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

      Commands Netdom remove

      Removes a workstation or server from the domain.

http://technet.microsoft.com/en-us/library/cc731935(v=ws.10).aspx Nltest

Performs network administrative tasks.

      Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active

      Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

      You can use nltest to:

Get a list of domain controllers

Force a remote shutdown

Query the status of trust

Test trust relationships and the state of domain controller replication in a Windows domain

Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

Personal comment #1: There is no /remove_server switch for the nltest command.

Personal comment #2: Resetting the Domain Controller's computer account has nothing to do with this question.

      Question No: 5 – (Topic 1)

      You have an Active Directory domain that runs Windows Server 2008 R2.

      You need to implement a certification authority (CA) server that meets the following requirements:

Allows the certification authority to automatically issue certificates

Integrates with Active Directory Domain Services

      What should you do?

      1. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.

      2. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.

      3. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory

        Certificate Services server role as a Standalone Subordinate CA.

      4. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master.

Answer: B Explanation:

http://technet.microsoft.com/en-us/library/cc776874(v=ws.10).aspx Enterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.

An enterprise CA has the following features:

An enterprise CA requires the Active Directory directory service.

When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.

Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards.

The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.

An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.

The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.

The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501(WS.10).aspx Stand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

A stand-alone CA has the following characteristics:

Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.

When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database.

By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA.

Certificate templates are not used.

No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card.

The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves.

When a stand-alone CA uses Active Directory, it has these additional features:

If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root

CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.

If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.
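The following is an added example, not part of the question or the TechNet text. Because an enterprise CA issues automatically to anyone the template ACL allows, the thing to review after installing one is exactly that: which templates each enterprise CA publishes and who holds the Enroll right on them. The script also records the check the stand-alone caveat above calls for, that a stand-alone CA installed in the domain still leaves requests Pending. Assumptions: it runs from a domain member with PowerShell 3.0 or later, the RSAT ActiveDirectory module and certutil; no specific CA or template names are assumed, the ca01 name in the comment is a placeholder.

```powershell
# Added example: enumerate enterprise CAs, their published templates and the Enroll holders.
Import-Module ActiveDirectory
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$pks   = "CN=Public Key Services,CN=Services,$cfgNC"
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

# Enterprise CAs register under Enrollment Services; certificateTemplates lists what each publishes
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
           -LDAPFilter '(objectClass=pKIEnrollmentService)' `
           -Properties dNSHostName, certificateTemplates

function Get-TemplateEnrollers {
    param([string]$TemplateName)
    # Template ACLs live on the pKICertificateTemplate objects in the configuration partition
    $dn  = "CN=$TemplateName,CN=Certificate Templates,$pks"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ObjectType -eq $EnrollRight -or $_.ActiveDirectoryRights -match 'GenericAll') } |
        Select-Object -ExpandProperty IdentityReference -Unique
}

foreach ($ca in $cas) {
    "CA $($ca.Name) on $($ca.dNSHostName)"
    foreach ($t in @($ca.certificateTemplates)) {
        $who = (Get-TemplateEnrollers -TemplateName $t) -join '; '
        "  {0,-30} Enroll: {1}" -f $t, $who
    }
}

# Stand-alone CA caveat from the text: installed by a domain admin it is trusted forest-wide, so
# its request disposition must stay Pending. On the CA host (placeholder name ca01) the policy
# module setting is readable with certutil; 1 means issue automatically, 0x100 (256) means pending.
#   certutil -getreg policy\RequestDisposition
```

Anything listed with Enroll for a broad group such as Domain Users or Authenticated Users deserves a look at what the template allows (subject supplied in the request, authentication EKUs), since on an enterprise CA the template ACL is the whole approval step.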

Question No: 6 – (Topic 1)

You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2.

You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.

You create the site link between Site1 and Site2. What should you do next?

  1. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2.

  2. Use the Active Directory Sites and Services console to configure a new site link bridge object.

  3. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.

  4. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1.

Answer: A

Explanation:

With the site link already in place, what is missing is Site2's content: associate the new location's IP subnet with Site2 and move the new domain controller's server object into it, so that the KCC creates inter-site connection objects across the link. A site link bridge, a lower link cost and a preferred bridgehead server are optional tuning and do nothing while Site2 contains no domain controller.

http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-Replication.htm

    Inter-site Replication

    The process of creating a custom site link has five basic steps:

    1. Create the site link.

    2. Configure the site link's associated attributes.

    3. Create site link bridges.

    4. Configure connection objects. (This step is optional.)

    5. Designate a preferred bridgehead server. (This step is optional)

    http://technet.microsoft.com/en-us/library/cc759160(v=ws.10).aspx Replication between sites
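The following is an added example, not part of the question or the article quoted above. It performs the two actions of the chosen answer from the command line and then checks that the new domain controller has really moved and is replicating. Assumptions: the new DC is DC2, Site2's subnet is 10.2.0.0/24, the caller is an Enterprise Admin (the configuration partition is being written), and the Windows Server 2008 R2 ActiveDirectory module is used (New-ADReplicationSubnet and Move-ADDirectoryServer only exist from Windows Server 2012, so generic object cmdlets are used here).

```powershell
# Added example: give Site2 a subnet, move DC2's server object into it, verify replication.
# DC name and subnet are assumptions.
Import-Module ActiveDirectory
$cfg    = (Get-ADRootDSE).configurationNamingContext
$site2  = "CN=Site2,CN=Sites,$cfg"
$dcName = 'DC2'

# 1. Subnet object pointing at Site2. The subnet-to-site mapping is how clients in that range
#    find Site2's DCs and how dcpromo would have placed the DC automatically; a site with no
#    subnets is never chosen by the DC locator.
New-ADObject -Name '10.2.0.0/24' -Type subnet -Path "CN=Subnets,CN=Sites,$cfg" `
    -OtherAttributes @{ siteObject = $site2 }

# 2. Move the server object (under CN=Sites, not the computer account in the domain partition)
$server = Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(&(objectClass=server)(cn=$dcName))"
Move-ADObject -Identity $server.DistinguishedName -TargetPath "CN=Servers,$site2"

# 3. Run the KCC now instead of waiting for its 15-minute cycle, then verify
repadmin /kcc $dcName | Out-Null
nltest /server:$dcName /dsgetsite        # should print Site2
repadmin /showrepl $dcName               # inbound partners from Site1 across the new link

# Connection objects the KCC generated for Site2
Get-ADObject -SearchBase $site2 -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer |
    Select-Object DistinguishedName, fromServer
```

If `/dsgetsite` still reports Site1 after the move, the DC simply has not refreshed its site cache yet; restarting the Netlogon service on DC2 forces it.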

      Question No: 7 – (Topic 1)

      Your company has an Active Directory forest. The company has three locations. Each

      location has an organizational unit and a child organizational unit named Sales.

      The Sales organizational unit contains all users and computers of the sales department.

      The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units.

      You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units.

      What should you do?

      1. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain.

      2. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

      3. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.

      4. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

Answer: C

Explanation:

Assigning the package to the computer installs it at startup on every machine in the three Sales OUs, whoever logs on. Assigning or publishing it to the user account would follow the sales users' accounts to any computer they use, and linking the GPO to the domain would install it on every computer in the domain, not only on those in the Sales OUs.

Question No: 8 – (Topic 1)

Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode.

You configure an external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption option.

What should you do?

  1. Raise the forest functional level of fabrikam.com to Windows Server 2008.

  2. Raise the domain functional level of fabrikam.com to Windows Server 2008.

  3. Raise the forest functional level of contoso.com to Windows Server 2008.

  4. Create a new forest trust and enable forest-wide authentication.

Answer: B Explanation:

Answer: Raise the domain functional level of fabrikam.com to Windows Server 2008.

Kerberos AES support is a domain-level feature: it depends on the domain's krbtgt keys, which only carry AES key types once the domain functional level is Windows Server 2008 or higher and the password has been changed, as the TechNet text below states. fabrikam.com is still at Windows Server 2003, so its domain functional level is the one to raise; the forest functional levels and the kind of trust do not control it. Raising a functional level cannot be undone.

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

Understanding Active Directory Domain Services (AD DS) Functional Levels

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

Features that are available at the Windows Server 2008 domain functional level

All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:

* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.

Further information:

http://technet.microsoft.com/en-us/library/cc749438(WS.10).aspx Kerberos Enhancements

Requirements

All Kerberos authentication requests involve three different parties: the client requesting a connection, the server that will provide the requested data, and the Kerberos KDC that provides the keys that are used to protect the various messages.

This discussion focuses on how AES can be used to protect these Kerberos authentication protocol messages and data structures that are exchanged among the three parties.

Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating

system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.
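The following is an added example, not part of the question or the TechNet text. It reads both functional levels, raises the fabrikam.com domain level, and decodes the msDS-SupportedEncryptionTypes bit mask that shows which Kerberos encryption types an account's keys allow; the same attribute on the trustedDomain object is what the "Kerberos AES encryption" option on a trust sets. Assumptions: the caller is a Domain Admin in fabrikam.com, SRV01 is a placeholder computer name, and PowerShell 3.0 or later with the RSAT ActiveDirectory module is available. Raising a functional level is one-way, so the first two commands are worth recording before the third.

```powershell
# Added example: functional levels and Kerberos encryption-type decoding for fabrikam.com.
# Domain and account names are assumptions.
Import-Module ActiveDirectory

function ConvertFrom-KerberosEncTypes {
    param([int]$Mask)
    # Bit values as defined for the msDS-SupportedEncryptionTypes attribute
    $bits = @(
        @{ Bit = 1;  Name = 'DES-CBC-CRC' },
        @{ Bit = 2;  Name = 'DES-CBC-MD5' },
        @{ Bit = 4;  Name = 'RC4-HMAC' },
        @{ Bit = 8;  Name = 'AES128-CTS-HMAC-SHA1-96' },
        @{ Bit = 16; Name = 'AES256-CTS-HMAC-SHA1-96' }
    )
    $names = foreach ($b in $bits) { if ($Mask -band $b.Bit) { $b.Name } }
    if (-not $names) { 'not set (RC4 assumed)' } else { $names -join ', ' }
}

Get-ADDomain -Server 'fabrikam.com' | Select-Object DNSRoot, DomainMode
Get-ADForest -Server 'fabrikam.com' | Select-Object Name, ForestMode

# Raise the domain functional level (irreversible). Every DC in fabrikam.com must already run
# Windows Server 2008 or later, which the question states is the case.
Set-ADDomainMode -Identity 'fabrikam.com' -Server 'fabrikam.com' -DomainMode Windows2008Domain -Confirm:$false

# Which encryption types do the trust objects and a sample computer account advertise?
Get-ADObject -Server 'fabrikam.com' -LDAPFilter '(|(objectClass=trustedDomain)(sAMAccountName=SRV01$))' `
    -Properties msDS-SupportedEncryptionTypes |
    Select-Object Name, ObjectClass,
        @{ n = 'EncTypes'; e = { ConvertFrom-KerberosEncTypes $_.'msDS-SupportedEncryptionTypes' } }

# On a Windows 7 / 2008 R2 client after a fresh logon: the TGT should now show an AES type
klist purge | Out-Null
klist | Select-String 'KerbTicket Encryption Type'
```

A trustedDomain object that decodes to "not set" means the trust will still negotiate RC4; after the functional level is raised, enable the AES option on the trust (or set the attribute) so that the cross-domain tickets benefit as well.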

Question No: 9 – (Topic 1)

You are decommissioning domain controllers that hold all forest-wide operations master roles.

You need to transfer all forest-wide operations master roles to another domain controller.

Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)

  1. Domain naming master

  2. Infrastructure master

  3. RID master

  4. PDC emulator

  5. Schema master

Answer: A,E Explanation:

Answer: Schema master, Domain naming master

http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspx

Transferring FSMO Roles in Windows Server 2008

One of any system administrator duties, would be to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller, is to be able to successfully transfer the FSMO roles to the new hardware server. FSMO stands for Flexible Single Master

Operations, and in a forest there are at least five roles. The five FSMO roles are:

Schema Master

Domain Naming Master

Infrastructure Master

Relative ID (RID) Master

PDC Emulator

The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
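The following is an added example, not part of the questions or the wiki text. It lists the current role holders, moves the two forest-wide roles off the domain controller being decommissioned (Question 9), and runs the checks that should precede the dcpromo demotion of Question 4. Assumptions: DC1 currently holds Schema Master and Domain Naming Master, DC2 is the target, the caller is a member of Schema Admins and Enterprise Admins, and PowerShell 3.0 or later with the Windows Server 2008 R2 ActiveDirectory module is available.

```powershell
# Added example: FSMO inventory, graceful transfer of the forest-wide roles, pre-demotion checks.
# DC names are assumptions.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Two forest-wide roles from the forest object, three domain-wide roles from the domain object
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

Get-FsmoHolders

# Transfer (graceful: the current holder must be online and agree). Seizing with -Force is only
# for a holder that is gone for good, and a seized-from DC must never come back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

$after = Get-FsmoHolders
if ($after.SchemaMaster -notmatch '^DC2\.' -or $after.DomainNamingMaster -notmatch '^DC2\.') {
    throw 'Forest-wide roles are still on DC1'
}

# Pre-demotion checks for DC1 (Question 4): no roles of any kind left, not the last global catalog
$dc1 = Get-ADDomainController -Identity 'DC1'
$gcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true })
if ($dc1.OperationMasterRoles.Count -gt 0) {
    throw "DC1 still holds: $($dc1.OperationMasterRoles -join ', ')"
}
if ($dc1.IsGlobalCatalog -and $gcs.Count -le 1) {
    throw 'DC1 is the only global catalog in the domain'
}

# Then demote DC1 with dcpromo (Windows Server 2008 R2 removes AD DS through that wizard, not
# through Server Manager's role removal). Run it on DC1 itself:
#   dcpromo
```

`netdom query fsmo` from a command prompt gives the same five holders in one line and is a quick cross-check from a second domain controller after replication.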

Question No: 10 – (Topic 1)

Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain.

You need to create the computer accounts in an OU. What should you do?

  1. Run the csvde -f computers.csv command

  2. Run the ldifde -f computers.ldf command

  3. Run the dsadd computer <computerdn> command

  4. Run the dsmod computer <computerdn> command

Answer: C Explanation:

http://technet.microsoft.com/en-us/library/cc754539(v=ws.10).aspx Dsadd computer

Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Personal comment: you use ldifde and csvde to import and export directory objects to and from Active Directory. As written, both csvde -f and ldifde -f run in export mode (importing requires -i), and dsmod only modifies an object that already exists, so dsadd computer is the only option that creates a new account.

http://support.microsoft.com/kb/237677

http://technet.microsoft.com/en-us/library/cc732101(v=ws.10).aspx
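The following is an added example, not part of the question or the TechNet syntax quote. It pre-stages the 100 computer accounts of the question in an OU from a name list, the way a deployment team would do it rather than typing dsadd a hundred times, and also writes the CSV that option A would have needed together with the import command it actually requires. The name list is constructed inline; the OU path, the name pattern and the description are assumptions, and PowerShell 3.0 or later with the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: bulk pre-staging of computer accounts in an OU.
# OU path and naming pattern are assumptions; the 100 names are constructed here.
Import-Module ActiveDirectory

$ouPath = 'OU=Workstations,DC=contoso,DC=com'
$desc   = 'Staged 2018 desktop purchase'

# Constructed input: PC-001 .. PC-100. A real list would come from the purchase order.
$names = 1..100 | ForEach-Object { 'PC-{0:D3}' -f $_ }

function New-StagedComputer {
    param([string]$Name, [string]$Path, [string]$Description)
    # Idempotent: skip accounts that already exist anywhere in the domain
    if (Get-ADComputer -Filter { Name -eq $Name } -ErrorAction SilentlyContinue) { return $null }
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $Path `
        -Description $Description -Enabled $true -PassThru
    # dsadd equivalent for one account, as in the chosen answer:
    #   dsadd computer "CN=$Name,$Path" -desc "$Description"
}

$created = foreach ($n in $names) { New-StagedComputer -Name $n -Path $ouPath -Description $desc }
"Created $(@($created).Count) new accounts"

# Verification: the OU should now hold all 100 names
$inOu = Get-ADComputer -Filter * -SearchBase $ouPath | Select-Object -ExpandProperty Name
$missing = $names | Where-Object { $inOu -notcontains $_ }
if ($missing) { Write-Warning "Not staged: $($missing -join ', ')" }

# What option A would actually need: a CSV in csvde's format and an import (-i) run.
# userAccountControl 4096 = WORKSTATION_TRUST_ACCOUNT, the flag a computer account carries.
$csv = Join-Path $env:TEMP 'computers.csv'
@('DN,objectClass,sAMAccountName,userAccountControl') +
    ($names | ForEach-Object { "`"CN=$_,$ouPath`",computer,$_`$,4096" }) |
    Set-Content -Path $csv -Encoding ASCII
# Left commented so the accounts are not created twice; -k tolerates objects that already exist:
#   csvde -i -f $csv -k
```

Pre-staged accounts still need someone allowed to join the physical machines to them; delegating that right on the OU to the deployment group keeps Domain Admin credentials out of the imaging process.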
