[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 161-170

Ensurepass.com : Ensure you pass the IT Exams
2018 May Microsoft Official New Released 70-640

Windows Server 2008 Active Directory, Configuring

Question No: 161 HOTSPOT – (Topic 2)

Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-only domain controller (RODC).

You accidentally delete the site link between the two sites.

You recreate the site link while you are connected to a domain controller in Seattle. You need to replicate the change to the RODC in Montreal.

Which node in Active Directory Sites and Services should you use? To answer, select the appropriate node in the answer area.


Answer:


Explanation:


Reference 1:

http://blogs.technet.com/b/ashleymcglone/archive/2011/06/29/report-and-edit-ad-site-links-from-powershellturbo-your-ad-replication.aspx

Site links are stored in the Configuration partition of the AD database.

Reference 2:

http://technet.microsoft.com/en-us/library/dd736126.aspx

To use Active Directory Sites and Services to force replication of the configuration partition to an RODC:

  1. Open the Active Directory Sites and Services snap-in (Dssite.msc).

  2. Double-click Sites, double-click the name of the site that has the RODC, double-click Servers, double-click the name of the RODC, right-click NTDS Settings, and then click Replicate configuration to the selected DC.

  3. Click OK to close the message indicating that AD DS has replicated the connections.

Question No: 162 – (Topic 2)

ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only.

While monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.CK1.com.

You also discover that there is only one port rule configured for the Network Load Balancing cluster. You have to configure the web.CK1.com NLB cluster to accept HTTP traffic only.

Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution)

  A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console

  B. Run the wlbs disable command on the cluster nodes

  C. Assign a unique port rule for NLB cluster by using the NLB Cluster console

  D. Delete the default port rules through Network Load Balancing Cluster console

Answer: A,D

Explanation:

http://technet.microsoft.com/en-us/library/cc733056.aspx

Create a new Network Load Balancing Port Rule

Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port's cluster-network traffic is handled. The method by which a port's network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled.

You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters:

  • The virtual IP address that the rule should apply to

  • The TCP or UDP port range that this rule should apply to

  • The protocols that this rule should apply to, including TCP, UDP, or both

  • The filtering mode that specifies how the cluster handles traffic, which is described by the port range and the protocols

In addition, you can select one of three options for client affinity: None, Single, or Network. Single and Network are used to ensure that all network traffic from a particular client is directed to the same cluster host.

To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your protocol setting. As an extension to the Single and Network options, you can configure a time-out setting to preserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clients to keep affinity to a cluster host even if there are no active, existing connections from the client to the host.

Question No: 163 – (Topic 2)

Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.

You want to achieve this goal by using the minimum amount of administrative effort. What should you do?

  A. Upgrade all of the Windows Vista computers to Windows 7.

  B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).

  C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.

  D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.

Answer: B

Question No: 164 – (Topic 2)

Your network consists of a single Active Directory domain. User accounts for the engineering department are located in an OU named Engineering.

You need to create a password policy for the engineering department that is different from your domain password policy.

What should you do?

  A. Create a new GPO. Link the GPO to the Engineering OU.

  B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.

  C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group.

  D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.

Answer: C

Explanation:

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175b

Complex Password Policy on an OU

Q: Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user.

A1:

I believe you are referring to PSC and PSO.

The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.

Groups offer better flexibility for managing various sets of users than OUs.

For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.

Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects.

For more info, please see below article:

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

A2:

Here is a link to how you setup fine grain password policy… However you can only apply it to a Security Group.

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

A3:

In addition, for fine-grained password policy, you need DFL 2008 and you can apply that policy on a single user and only global security group.

Find the step by step info.

http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

Tutorial: How to setup Default and Fine Grain Password Policy

One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your user per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU…. but it doesn’t. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008 however this can only be set based on a security group membership and you still need to use the very un-user-friendly ADSI edit tool to make the changes to the policy.

Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The Good news is setting the default password policy for a domain is really easy. The Bad news is that setting a fine grain password policy is really hard.

How to set a Default Domain Password Policy

Step 1

Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”).

Note: I have elected to create a new GPO at the top of the domain in this case as I always try to avoid modifying the “Default Domain Policy”, see references below.

Reference:

http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx

TechNet: Linking GPOs

If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.

http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx

TechNet: Establishing Group Policy Operational Guidelines

Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.

Step 2

Edit the “Domain Password Policy” GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Password Policy and configure the password policy settings to the configuration you desire.

Step 3

Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order.

TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon.

Done… told you it was easy….

Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPO’s apply to objects. As you can see in the image below the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linking to the “Domain Controllers” OU configuring the same setting.

For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout-policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx)

How to set a Fine Grain Password Policy

Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password policies for the users in your environment was to have separate domains… OUCH!

Pre-Requisites/Restrictions

Your domain must be Windows Server 2008 Native Mode, this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selecting the “Raise domain functional level” on the top of the domain in Active Directory Users and Computers.

Reference

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

AD DS: Fine-Grained Password Policies

The domain functional level must be Windows Server 2008.

The other restriction with this option is that you can only apply FGPP to user objects or users in global security groups (not computers).

Reference

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

AD DS: Fine-Grained Password Policies

Fine-grained password policies apply only to user objects … and global security groups.

TIP: If you setup an “Automatic Shadow Group (http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/)” you can apply these password policies automatically to any users located in an OU.

Creating a Password Setting Object (PSO)

Step 1

Under Administrative Tools, open ADSI Edit and connect it to the domain and domain controller where you want to set up the new password policy.

Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).

Step 2

Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”.

Step 3

Right click on “CN=Password Settings Container” and then click on “New” then “Object”.

Step 4

Click on “Next”

Step 5

Type the name of the PSO in the “Value” field and then click “Next”

Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”.

Step 6

Type in a number that will be the Precedence for this Password Policy then click “Next”.

Note: This is used if a user has multiple Password Settings Objects (PSOs) applied to them.

Step 7

Type “FALSE” in the value field and click “Next”

Note: You should almost never use “TRUE” for this setting.

Step 8

Type “24” in the “Value” field and click “Next”

Step 9

Type “TRUE” in the “Value” field and click “Next”

Step 10

Type “5” in the “Value” field and click “Next”

Step 11

Type “1:00:00:00” in the “Value” field and click “Next”

Step 12

Type “42:00:00:00” in the “Value” field and click “Next”

Step 13

Type “10” in the “Value” field and click “Next”

Step 14

Type “0:00:30:00” in the “Value” field and click “Next”

Step 15

Type “0:00:33:00” in the “Value” field and click “Next”

Step 16

Click “Finish”

You have now created the Password Settings Object (PSO) and you can close the ADSIEdit tool.

Now to apply the PSO to a user or group…

Step 17

Open Active Directory Users and Computers and navigate to “System > Password Settings Container”

Note: Advanced Mode needs to be enabled.

Step 18

Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit”

Step 19

Click “Add Windows Accounts….” button.

Step 20

Select the user or group you want to apply this PSO and click “OK”

Step 21

Click “OK”

Step 22

Click “OK”

And you are done… (told you it was hard).

Fine Grain Password Policies as you can see are very difficult to setup and manage so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or extra complicated password then at least it gives you a way to do this without having to spin up another domain.
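The same PSO can be created and assigned with the ActiveDirectory PowerShell module (available from Windows Server 2008 R2) instead of ADSI Edit. This is an added example, not part of the quoted tutorial: the PSO name, group name, test user and precedence number are hypothetical placeholders, and every other value is the one typed in Steps 7 to 15 above.

```powershell
# Added example (not from the quoted tutorial): create and assign the PSO
# with the ActiveDirectory module instead of ADSI Edit.
Import-Module ActiveDirectory

# Hypothetical placeholders; replace with names from your own domain.
$PsoName    = 'Engineering-PSO'      # Step 5: name of the PSO
$GroupName  = 'Engineering-Users'    # Step 20: group that receives the PSO
$TestUser   = 'eng.user1'            # a member of that group, used for verification
$Precedence = 10                     # Step 6: assumed; the tutorial gives no number

# Pre-requisite from the tutorial: domain functional level Windows Server 2008 or later.
$domain = Get-ADDomain
if ($domain.DomainMode -lt 'Windows2008Domain') {
    throw "Domain functional level is $($domain.DomainMode); fine-grained password policies need Windows Server 2008 or later."
}

# Restriction from the tutorial: a PSO applies only to users and global security groups.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName is $($group.GroupScope)/$($group.GroupCategory); a PSO needs a global security group."
}

# Steps 6-15: one parameter per attribute the ADSI Edit wizard asks for.
# ADSI Edit takes durations as d:hh:mm:ss; PowerShell TimeSpan strings use d.hh:mm:ss.
$pso = @{
    Name                        = $PsoName
    Precedence                  = $Precedence     # Step 6
    ReversibleEncryptionEnabled = $false          # Step 7:  FALSE
    PasswordHistoryCount        = 24              # Step 8
    ComplexityEnabled           = $true           # Step 9:  TRUE
    MinPasswordLength           = 5               # Step 10
    MinPasswordAge              = '1.00:00:00'    # Step 11: 1 day
    MaxPasswordAge              = '42.00:00:00'   # Step 12: 42 days
    LockoutThreshold            = 10              # Step 13
    LockoutObservationWindow    = '0.00:30:00'    # Step 14: 30 minutes
    LockoutDuration             = '0.00:33:00'    # Step 15: 33 minutes
}
New-ADFineGrainedPasswordPolicy @pso

# Steps 17-22: add the group to the PSO's msDS-PSOAppliedTo attribute.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Verify what was stored and who it applies to.
Get-ADFineGrainedPasswordPolicy -Identity $PsoName |
    Format-List Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# Verify the policy that actually wins for a member of the group. The cmdlet
# returns nothing when no PSO applies and the domain policy is in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($null -eq $effective -or $effective.Name -ne $PsoName) {
    Write-Warning "$TestUser is not governed by $PsoName; check group membership and PSO precedence."
}
```

The final check matters when a user is covered by more than one PSO, because the PSO with the lowest precedence number is the one that takes effect.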

Question No: 165 – (Topic 2)

As an administrator at Company, you have installed an Active Directory forest that has a single domain.

You have installed Active Directory Federation Services (AD FS) on the domain member server.

What should you do to configure AD FS to make sure that the AD FS token contains information from the Active Directory domain?

  A. Add a new account store and configure it.

  B. Add a new resource partner and configure it

  C. Add a new resource store and configure it

  D. Add a new administrator account on AD FS and configure it

  E. None of the above

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc772309(v=ws.10).aspx

Step 3: Installing and Configuring AD FS

Now that you have configured the computers that will be used as federation servers, you are ready to install Active Directory Federation Services (AD FS) components on each of the computers. This section includes the following procedures:

  • Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT

  • Configure ADFS-ACCOUNT to work with AD RMS

  • Configure ADFS-RESOURCE to Work with AD RMS

Question No: 166 – (Topic 2)

Your network contains an Active Directory forest. The forest contains multiple sites. You need to enable universal group membership caching for a site.

What should you do?

  A. From Active Directory Sites and Services, modify the NTDS Settings.

  B. From Active Directory Sites and Services, modify the NTDS Site Settings.

  C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.

  D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site.

Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc816797(v=ws.10).aspx

Enabling Universal Group Membership Caching in a Site

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.

If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site.

In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user’s initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server.

To complete this task, perform the following procedure:

http://technet.microsoft.com/en-us/library/cc816928(v=ws.10).aspx

Enable Universal Group Membership Caching in a Site

  1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.

  3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.

  4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.

  5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.

Question No: 167 – (Topic 2)

Your company, Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run the Windows Server 2008 R2 operating system. The domain controllers also run DNS servers.

The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only.

A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.

You need to configure the intranet.adatum.com zone to meet the new security policy requirement.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.

  B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.

  C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.

  D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.

Answer: A,D

Explanation:

http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/

Managing DNS Dynamic Updates in Windows Server 2008 R2

What Is DNS Dynamic Update?

When a DNS server is installed in a network, during the installation administrators can configure it to accept dynamic updates of client records. Dynamic updates means that DNS client computers can automatically register their names along with their IP addresses in the DNS server. When this happens DNS server automatically creates a Host (A) record for that client computer that contains hostname of the client and its associated IP address.

Also, during the installation of DNS server administrators can choose an option according to which DNS server should not automatically update its records and in this condition administrators must manually create Host (A) records in the DNS database.

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html

DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC

In this article, then, we’ll take a look at the details of the following preliminary steps you can take to help secure your Windows DNS infrastructure:

  • Decide who can resolve Internet host names

  • Don’t co-locate internal and external zones

  • Lock down the DNS cache

  • Enable recursion only where needed

  • Restrict DNS servers to listen on specific addresses

  • Consider using a private root hints file

  • Randomize your DNS source ports

  • Be aware of the Global Query Block List

  • Limit zone transfers

  • Take advantage of Active Directory integrated zone security

Take advantage of Active Directory integrated zone security

Active Directory integrated zones enable you to secure the registration of resource records when dynamic name registration is enabled. Members of the Active Directory domain can register their resource records dynamically while non-domain members will be unable to register their names. You can also use discretionary access control lists (DACLs) to control which computers are able to register or change their addressing information.

The figure below shows how you configure secure dynamic updates.

http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/

Configuring DNS Server for Secure Only Dynamic Updates

Question No: 168 – (Topic 2)

You want users to log on to Active Directory by using a new Principal Name (UPN). You need to modify the UPN suffix for all user accounts.

Which tool should you use?

  A. Dsmod

  B. Netdom

  C. Redirusr

  D. Active Directory Domains and Trusts

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc732954(v=ws.10).aspx

Dsmod user

dsmod user -upn <UPN>

Specifies the user principal names (UPNs) of the users that you want to modify, for example, Linda@widgets.contoso.com.

Question No: 169 – (Topic 2)

You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services?

  A. From the IP properties, select Ignore all schedules.

  B. From the IP properties, select Disable site link bridging.

  C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects.

  D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.

Answer: B

Explanation:

http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm

What is Site Link Bridge and How to create Site Link Bridge

A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge.

By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing the default value of "Bridge all site links" (enabled by default).

We may need to disable "Bridge all site links" and create a site link bridge design:

  • When the IP network is not fully routed.

  • When we need to control the replication flow in Active Directory.

Question No: 170 – (Topic 2)

You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks.

For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.

Which utility will you use to convert basic disks to dynamic disks on FileSrv1?

  A. Diskpart.exe

  B. Chkdsk.exe

  C. Fsutil.exe

  D. Fdisk.exe

  E. None of the above

Answer: A

Reference:

http://technet.microsoft.com/en-us/library/cc771534.aspx

[Diskpart] Convert dynamic

Converts a basic disk into a dynamic disk.
