[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 381-390

Ensurepass.com : Ensure you pass the IT Exams
2018 May Microsoft Official New Released 70-640
100% Free Download! 100% Pass Guaranteed!

Windows Server 2008 Active Directory, Configuring

Question No: 381 – (Topic 4)

Your network contains an Active Directory forest named adatum.com.

All client computers used by the marketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for the marketing department are in an OU named Marketing Users.

You purchase a new application.

You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must only be available from the marketing department computers.

What should you do?

  1. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a shared folder on the network. Assign the application.

  2. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the application.

  3. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department computer. Publish the

    application.

  4. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a folder on each marketing department computer. Publish the application.

Answer: B Explanation:

The software must only be available on the marketing department computers, so we must link the GPO to the Marketing Computers OU. Next we need to assign the application to the Marketing Computers OU.

Reference:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 399

Assigning Software to Computers

When you assign software to computers, it is available to all authenticated users of the computer, regardless of their group membership or privileges. The software package is installed when the computer is next restarted after the package has been assigned. For example, suppose that you have a design application that should be available on all computers in the Engineering OU but not to computers elsewhere on your network. You would assign this application to computers in a Group Policy object (GPO) linked to the Engineering OU.

Question No: 382 – (Topic 4)

Your network contains an Active Directory forest named contoso.com. The forest contains two member servers named Server1 and Server2. Server1 and Server2 have the DNS Server server role installed.

Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server for contoso.com.

You experience issues with the copy of the zone on Server2,

You verify that both copies of the zone have the same serial number.

You need to transfer a complete copy of the zone from Server1 to Server2.

What should you do on Server2?

  1. From DNS Manager, right-click contoso.com and click Transfer from Master.

  2. From Services, right-click DNS Server and click Refresh.

  3. From Services, right-click DNS Server and click Restart.

  4. From DNS Manager, right-click contoso.com and click Reload.

  5. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.

Answer: E

Reference:

MS Press – Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 212 Manually Updating a Secondary Zone

By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to perform the following secondary zone update operations:

Reload – This operation reloads the secondary zone from the local storage.

Transfer From Master – The server hosting the local secondary zone determines whether the serial number in the secondary zone’s SOA resource record has expired and then pulls a zone transfer from the master server. Transfer New Copy Of Zone From Master – This operation performs a zone transfer from the secondary zone’s master server regardless of the serial number in the secondary zone’s SOA resource record.

Question No: 383 – (Topic 4)

Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume enterprise certification authority (CA).

You need to minimize the amount of network bandwidth required to validate a certificate. What should you do?

  1. Configure an LDAP publishing point for the certificate revocation list (CRL).

  2. Configure an Online Certification Status Protocol (OCSP) responder.

  3. Modify the settings of the delta certificate revocation list (CRL).

  4. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Answer: B

Reference:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 779

Online responder

This service is designed to respond to specific certificate validation requests through the Online Certificate

Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the requested certificate, it sends back an encrypted response containing the information to the requester. Using online responders is much faster and more efficient than using CRLs. AD CS includes online responders as a new feature in Windows Server 2008 R2.

Question No: 384 – (Topic 4)

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You have a custom certificate template named Template 1. Template1 is published to the CA.

You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1.

Which snap-in should you use?

  1. Security Templates

  2. Enterprise PKI

  3. Certification Authority

  4. Certificate Templates

  5. Certificates

  6. TPM Management

  7. Authorization Manager

  8. Group Policy Management

  9. Active Directory Users and Computers

Answer: D

Reference:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 593

Configuring Certificate Templates

AD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the following capabilities:

(…)

Configuring access control lists (ACLs) on certificate templates

Question No: 385 – (Topic 4)

Your network contains an Active Directory forest named contoso.com. The forest contains six domains.

You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix oflitwareinc.com when they create user accounts by using Active Directory Users and Computers.

Which tool should you use?

  1. Active Directory Administrative Center

  2. Set-ADDomain

  3. Active Directory Sites and Services

  4. Set-ADForest

Answer: D Explanation:

We would use the following command to achieve this: Set-ADForest -UPNSuffixes @{Add=quot;contoso.comquot;}

Reference 1:

http://technet.microsoft.com/en-us/library/dd391925.aspx Creating a UPN Suffix for a Forest

This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest.

Example

The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:

Set-ADForest -UPNSuffixes @{Add=quot;headquarters.fabrikam.comquot;}

Reference 2

http://technet.microsoft.com/en-us/library/ee617221.aspx Set-ADForest Modifies an Active Directory forest.

Parameter

UPNSuffixes Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add remove, replace, or clear UPN suffix values.

Syntax:

To add values:

-UPNSuffixes @{Add=value1,value2,…}

Question No: 386 – (Topic 4)

A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.

Which tool should you use?

  1. Dsmod

  2. Csvde

  3. Ldifde

  4. Dsrm

Answer: B Explanation:

We can achieve this by using csvde:

CSVDE -f onlyusers.csv -r quot;objectCategory=personquot; -l quot;CN,lt;CustomAttributeNamegt;quot; The exported CSV file can be viewed in Excel.

Reference:

http://technet.microsoft.com/en-us/library/cc732101.aspx Csvde

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.

Syntax

Csvde [-i] [-f lt;FileNamegt;] [-r lt;LDAPFiltergt;] [-l lt;LDAPAttributeListgt;] (…) Parameters

-i

Specifies import mode. If not specified, the default mode is export.

-f lt;FileNamegt;

Identifies the import or export file name.

-r lt;LDAPFiltergt;

Creates an LDAP search filter for data export.

-l lt;LDAPAttributeListgt;Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes.

Question No: 387 DRAG DROP – (Topic 4)

Your network contains an Active Directory forest named contoso.com.

You need to use Group Policies to deploy the applications shown in the following table:

Ensurepass 2018 PDF and VCE

What should you do?

To answer, drag the appropriate deployment method to the correct application in the answer area.

Ensurepass 2018 PDF and VCE

Answer:

Ensurepass 2018 PDF and VCE

Question No: 388 – (Topic 4)

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You need to ensure that all of the members of a group named Group1 can view the event log entries for Certificate Services.

Which snap-in should you use?

  1. Certificate Templates

  2. Certification Authority

  3. Authorization Manager

  4. Active Directory Users and Computers

  5. TPM Management

  6. Security Templates

  7. Group Policy Management

  8. Enterprise PKI

  9. Certificates

Answer: G Explanation:

We can make the Group1 group a member of theEvent Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by usingGroup Policy Management.

Reference 1:

It#39;s a bit hard to find some good, clear reference for this. There#39;s nothing wrong with doing it yourself, so here#39;s what I did in VMWare, using a domain controller and a member server. Click along if you want!

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

->Start the Group Policy Management console on DC01.

->Right-click the Events OU and choose quot;Create a GPO in this domain, and Link it here…quot;

->I named the GPO quot;EventLog_TESTGROUPquot;

->Right-click the quot;EventLog_TESTGROUPquot; GPO and choose quot;Edit…quot;

->Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select quot;Restricted Groupsquot;

->Right-click quot;Restricted Groupsquot; and choose quot;Add Group…quot;

->Now there are two ways to do this. We can select TESTGROUP and make it a

member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let#39;s do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.

->Click the Browse button next to quot;Members of this groupquot;, search for the

TESTGROUP group and add it.

It should look like this now:

Ensurepass 2018 PDF and VCE

->Click OK.

->On MEM01 open a command prompt and rungpupdate /force.

->Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

Ensurepass 2018 PDF and VCE

Reference 2:

http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators- permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.

(…)

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built inEvent Log Readers group.

Question No: 389 – (Topic 4)

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You mount an Active Directory snapshot.

You need to ensure that you can query the snapshot by using LDAP. What should you do?

  1. Run the dsamain.exe command.

  2. Create custom views from Event Viewer.

  3. Run the ntdsutil.exe command.

  4. Configure subscriptions from Event Viewer.

  5. Run the Get-ADForest cmdlet.

  6. Create a Data Collector Set (DCS).

  7. Run the eventcreate.exe command.

  8. Configure the Active Directory Diagnostics Data Collector Set (DCS).

  9. Run the repadmin.exe command.

  10. Run the dsquery.exe command.

Answer: A Explanation:

http://technet.microsoft.com/en-us/library/cc753609.aspx

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.

Requirements for using the Active Directory database mounting tool

You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following:

Dsamain.exe, which you can use to expose the snapshot data as an LDAP server Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers

Question No: 390 – (Topic 4)

Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)

Ensurepass 2018 PDF and VCE

Users in the Finance organizational unit (OU) frequently log on to client computers in the Human Resources OU.

You need to meet the following requirements:

->All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the Human Resources OU must be applied to finance users when they log on to client computers in the Engineering OU.

->Only the policy settings in the GPOs linked to the Finance OU must be applied to

finance users when they log on to client computers in the Finance OU.

->Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human Resources OU.

What should you do?

  1. Modify the Group Policy permissions.

  2. Enable block inheritance.

  3. Configure the link order.

  4. Enable loopback processing in merge mode.

  5. Enable loopback processing in replace mode.

  6. Configure WMI filtering.

  7. Configure Restricted Groups.

  8. Configure Group Policy Preferences.

  9. Link the GPO to the Finance OU.

  10. Link the GPO to the Human Resources OU.

Answer: D Explanation:

Very similar question to K/Q11.

We have to use loopback processing in merge mode if we want all User Configuration settings from the GPO#39;s that are linked to the Sales OU and the Engineering OU to be applied.

Reference 1:

http://technet.microsoft.com/en-us/library/cc782810.aspx

Loopback processing with merge or replace

Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory.

Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings.

Loopback with Replace-In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user.

Loopback with Merge-In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer#39;s GPOs are processed after the user#39;s GPOs, they have precedence if any of the settings conflict.

Reference 2:

http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

For a clear and easy explanation of Loopback Processing. Recommended! Reference 3:

Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028

Loopback Processing

When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers. There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects.

To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last.

100% Ensurepass Free Download!
Download Free Demo:70-640 Demo PDF
100% Ensurepass Free Guaranteed!
70-640 Dumps

EnsurePass ExamCollection Testking
Lowest Price Guarantee Yes No No
Up-to-Dated Yes No No
Real Questions Yes No No
Explanation Yes No No
PDF VCE Yes No No
Free VCE Simulator Yes No No
Instant Download Yes No No

Leave a Reply

Your email address will not be published. Required fields are marked *