[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 111-120

Ensurepass.com : Ensure you pass the IT Exams
2018 May Microsoft Official New Released 70-640

Windows Server 2008 Active Directory, Configuring

Question No: 111 – (Topic 2)

Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.

The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.

DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise.

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.

What should you do first?

  1. Change the functional level of the forest.

  2. Change the functional level of the domain.

  3. Upgrade DC1 to Windows Server 2008 R2.

  4. Upgrade DNS1 to Windows Server 2008 R2.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/ee683904(v=ws.10).aspx DNS Security Extensions (DNSSEC)

What are the major changes?

Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server® 2008 R2 and Windows® 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS infrastructure.

The following changes are available in DNS server in Windows Server 2008 R2:

Ability to sign a zone and host signed zones.

Support for changes to the DNSSEC protocol.

Support for DNSKEY, RRSIG, NSEC, and DS resource records.

The following changes are available in DNS client in Windows 7:

Ability to indicate knowledge of DNSSEC in queries.

Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.

Ability to check whether the DNS server with which it communicated has performed validation on the client’s behalf.

The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed through Group Policy.

What does DNSSEC do?

DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.

In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed.

When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.

Question No: 112 – (Topic 2)

Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA).

You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site.

What should you do?

  1. Run certutil.exe -crl.

  2. Run certutil.exe -delkey.

  3. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.

  4. From Active Directory Users and Computers, modify the Contact object for the external partner.

Answer: A

Explanation:

http://technet.microsoft.com/library/cc732443.aspx Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Verbs

-CRL: Publish new certificate revocation lists (CRLs) [or only delta CRLs]

http://technet.microsoft.com/en-us/library/cc783835(v=ws.10).aspx Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)

If you have determined the keycontainername for a specific certificate, you can delete the key container with the following command.

certutil.exe -delkey <KeyContainerName>

The -delkey option is supported only with the Windows Server 2003 version of certutil. On Windows 2000, you must add a prefix to the commands. The prefix is the path you have copied the Windows Server 2003 version of certutil to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used.

Question No: 113 – (Topic 2)

Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network.

What should you do?

  1. Run the repadmin /kcc <servername> command on the test computer.

  2. Create a naming context by running the Dsmgmt command on the test computer.

  3. Create a new directory partition by running the Dsmgmt command on the test computer.

  4. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Answer: D

Reference:

http://technet.microsoft.com/en-us/library/cc771946.aspx Create a Replica AD LDS Instance

To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance.

To create a replica AD LDS instance

  1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.

  2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

  3. On the Setup Options page, click A replica of an existing instance, and then click Next.

  4. Finish creating the new instance by following the wizard instructions.

Question No: 114 – (Topic 2)

Your network contains an Active Directory Rights Management Services (AD RMS) cluster.

You have several custom policy templates. The custom policy templates are updated frequently.

Some users report that it takes as many as 30 days to receive the updated policy templates.

You need to ensure that users receive the updated custom policy templates within seven days.

What should you do?

  1. Modify the registry on the AD RMS servers.

  2. Modify the registry on the users' computers.

  3. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.

  4. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc771971.aspx

Configuring the AD RMS client

The automated scheduled task will not query the AD RMS template distribution pipeline each time that it runs. Instead, it checks the updateFrequency DWORD registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime, which forces the client computer to update its rights policy templates.

Question No: 115 – (Topic 2)

You add an Online Responder to an Online Responder Array.

You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array.

What should you do?

  1. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.

  2. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.

  3. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller.

  4. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller.

Answer: C

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc770413.aspx Managing Array members

For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members.

Reference 2:

http://technet.microsoft.com/en-us/library/cc771281.aspx To designate an Array controller

  1. Open the Online Responder snap-in.

  2. In the console tree, click Array Configuration Members.

  3. Select the Online Responder that you want to designate as the Array controller.

  4. In the Actions pane, click Set as Array Controller.

Question No: 116 – (Topic 2)

Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).

An RODC server is stolen from one of the branch offices.

You need to identify the user accounts that were cached on the stolen RODC server.

Which utility should you use?

  1. Dsmod.exe

  2. Ntdsutil.exe

  3. Active Directory Sites and Services

  4. Active Directory Users and Computers

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc835486(v=ws.10).aspx Securing Accounts After an RODC Is Stolen

If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC.

An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.

Question No: 117 – (Topic 2)

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008.

You have a member server named Server1 that runs Windows Server 2008.

You need to ensure that you can add Server1 to contoso.com as a domain controller. What should you run before you promote Server1?

  1. dcpromo.exe /CreateDCAccount

  2. dcpromo.exe /ReplicaOrNewDomain:replica

  3. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain

  4. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels.aspx

After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

Question No: 118 – (Topic 2)

Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data.

You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data.

What should you do?

  1. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility.

  2. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account.

  3. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Allow Full control permission on the shared folder that holds the confidential data for the Deny DLG group.

  4. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Deny Full control permission on the shared folder that holds the confidential data for the Deny DLG group.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc755692(v=ws.10).aspx

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.

The following table describes the differences between the scopes of each group.

When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.

Question No: 119 – (Topic 2)

The Company has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS.

You need to prepare the domain controller for disaster recovery apart from the routine backup procedures.

You are unable to launch the backup utility while attempting to back up the system state data for the domain controller.

You need to back up system state data from the Windows Server 2008 domain controller server.

What should you do?

  1. Add your user account to the local Backup Operators group.

  2. Install the Windows Server Backup feature using the Server Manager feature.

  3. Install the Removable Storage Manager feature using the Server Manager feature.

  4. Deactivate the backup job that is configured to back up the Windows 2008 server domain controller on the Windows 2003 server.

  5. None of the above

Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc770266(v=ws.10).aspx Windows Server Backup Step-by-Step Guide for Windows Server 2008

The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server® 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system.

What is Windows Server Backup?

The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console (MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment.

You can use Windows Server Backup to create and manage backups for the local computer or a remote computer. You can also schedule backups to run automatically and you can perform one-time backups to augment the scheduled backups.

Question No: 120 – (Topic 2)

Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema.

You discover that the Active Directory replication traffic to the Global Catalogs has increased.

You need to prevent the new attributes from being replicated to the Global Catalog. You must achieve this goal without affecting application functionality.

What should you do?

  1. Change the replication interval for the DEFAULTIPSITELINK object to 9990.

  2. Change the cost for the DEFAULTIPSITELINK object to 9990.

  3. Make the new attributes in the Active Directory as defunct.

  4. Modify the properties in the Active Directory schema for the new attributes.

Answer: D

Explanation:

http://support.microsoft.com/kb/248717

How to Modify Attributes That Replicate to the Global Catalog

The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes which make up the set values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space. Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has on network replication traffic.

After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on the versions of Windows 2000 listed in this article.

Every server has a full and write-able copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept.

When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own write-able domain, the configuration directory partition or schema directory partition.

In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the "Schema Admins" group. In addition to being a member of this group, a registry key must be set on the Schema master.
