[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 1-10

Ensurepass

QUESTION 1

Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains.

You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain.

What should you do?

A. Decrease the replication interval for all Connection objects.

B. Decrease the replication interval for the DEFAULTIPSITELINK site link.

C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.

D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc754538.aspx

Understanding When to Create a Shortcut Trust

When to create a shortcut trust

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.

Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees. Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.

Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.

 


Using one-way trusts

A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests, but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.

Using two-way trusts

A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.

QUESTION 2

You are installing an application on a computer that runs Windows Server 2008 R2.

During installation, the application will need to install new attributes and classes to the Active Directory database.

You need to ensure that you can install the application.

What should you do?

A. Change the functional level of the forest to Windows Server 2008 R2.

B. Log on by using an account that has Server Operator rights.

C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application.

D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the application.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx

Default groups

Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles.

 

Groups in the Builtin container

The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group.

 


Groups in the Users container

The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group.

 


QUESTION 3

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA).

You install the Online Responder role service on Server2.

You need to configure Server1 to support the Online Responder.

What should you do?

A. Import the enterprise root CA certificate.

B. Configure the Certificate Revocation List Distribution Point extension.

C. Configure the Authority Information Access (AIA) extension.

D. Add the Server2 computer account to the CertPublishers group.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc732526.aspx

Configure a CA to Support OCSP Responders

To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder. Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.

2. Configure enrollment permissions for any computers that will be hosting Online Responders.

3. If this is a Windows Server 2003-based CA, enable the OCSP extension in issued certificates.

4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.

5. Enable the OCSP Response Signing certificate template for the CA.

QUESTION 4

Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users.

You perform nightly backups. An administrator deletes the Groups OU.

You need to restore the Groups OU without affecting users and computers in the Sales OU.

What should you do?

A. Perform an authoritative restore of the Sales OU.

B. Perform a non-authoritative restore of the Sales OU.

C. Perform an authoritative restore of the Groups OU.

D. Perform a non-authoritative restore of the Groups OU.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx

Performing Authoritative Restore of Active Directory Objects

An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.

QUESTION 5

An Active Directory database is installed on the C volume of a domain controller.

You need to move the Active Directory database to a new volume.

What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.

B. Move the ntds.dit file to the new volume by using Windows Explorer.

C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.

D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspx

Move the Directory Database and Log Files to a Local Drive

You can use this procedure to move Active Directory database and log files to a local drive. When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.

On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location.

To move the directory database and log files to a local drive:

 

7. At the ntdsutil prompt, type files, and then press ENTER.

8. To move the database file, at the file maintenance: prompt, use the following commands:

 

Further information:

http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/

Moving Active Directory Database and Logs

Step 1

Start the server in Directory Services Restore Mode

Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller. To perform any file movement activities using ntdsutil, we need to start the server in Directory Services Restore Mode.

To start the server in Directory Services Restore mode, follow these steps:

Restart the computer.

After the BIOS information is displayed, press F8.

Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.

 


Log on with your local administrative account and password. (Not Domain Administrative account)

 


Note: You can use Service Control (SC.exe) to quickly verify whether the NTDS service is running or stopped. At a command prompt, type SC query ntds.

Step 2

How to Move Active Directory Database and Logs

You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server. To move the data file to another folder, follow these steps:

Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

 


At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.

 


At the Ntdsutil command prompt, type files, and then press ENTER.

 


At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose) and then press ENTER.

In this case, the new location for the database is C:\ADDatabase.

Now, to move the logs, at the file maintenance command prompt, type move logs to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER. In our case, the new location for the database is C:\ADLogs.

To quit file maintenance, type quit. At the Ntdsutil prompt, type quit again to close the prompt. Restart the computer. The AD database and logs are now moved to the new location.

QUESTION 6

Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.

You need to audit changes to the CA configuration settings and the CA security settings.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Configure auditing in the Certification Authority snap-in.

B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.

C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.

D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.

Correct Answer: AD

Explanation:

http://technet.microsoft.com/en-us/library/cc772451.aspx

Configure CA Event Auditing

You can audit a variety of events relating to the management and activities of a certification authority (CA):

Back up and restore the CA database.

Change the CA configuration.

Change CA security settings.

Issue and manage certificate requests.

Revoke certificates and publish certificate revocation lists (CRLs).

Store and retrieve archived keys.

Start and stop Active Directory Certificate Services (AD CS).

To configure CA event auditing

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, click Properties.

4. On the Auditing tab, click the events that you want to audit, and then click OK.

5. On the Action menu, point to All Tasks, and then click Stop Service.

6. On the Action menu, point to All Tasks, and then click Start Service.

Additional considerations

To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.

QUESTION 7

Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records.

You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.

What should you do?

A. Set dynamic updates to Secure Only.

B. Remove the Authenticated Users group.

C. Enable zone transfers to Name Servers.

D. Deny the Everyone group the Create All Child Objects permission.

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc753751.aspx

Allow Only Secure Dynamic Updates

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

Further information:

http://technet.microsoft.com/en-us/library/cc771255.aspx

Understanding Dynamic Update

QUESTION 8

Your company has an Active Directory domain. All servers run Windows Server.

You deploy a Certification Authority (CA) server.

You create a new global security group named CertIssuers.

You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates.

What should you do?

A. Assign the Certificate Manager role to the CertIssuers group.

B. Place the CertIssuers group in the Certificate Publisher group.

C. Run the certsrv -add CertIssuers command at the command prompt of the certificate server.

D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows PowerShell.

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx

Role-based administration

Role explanation

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role’s corresponding security permissions, group memberships, or user rights to the user or group.

These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

 


Certificate Manager:

Delete multiple rows in database (bulk deletion)

Issue and approve certificates

Deny certificates

Revoke certificates

Reactivate certificates placed on hold

Renew certificates

Recover archived key

Read CA database

Read CA configuration information

 

 

 

QUESTION 9

Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows 2000.

You need to ensure the UPN suffix for contoso.com is available for user accounts.

What should you do first?

A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.

B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.

C. Add the new UPN suffix to the forest.

D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.

Correct Answer: C

Explanation:

http://support.microsoft.com/kb/243629

HOW TO: Add UPN Suffixes to a Forest

Adding a UPN Suffix to a Forest

Open Active Directory Domains and Trusts.

Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.

On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.

Click Add, and then click OK.

Now when you add users to the forest, you can select the new UPN suffix to complete the user’s logon name.

APPLIES TO

Microsoft Windows 2000 Server

Microsoft Windows 2000 Advanced Server

Microsoft Windows 2000 Datacenter Server

 

 

QUESTION 10

You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).

You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.

You grant the Account Operators group the Issue and Manage Certificates permission on the CA.

Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.)

A. Enable the Restrict Enrollment Agents option on the CA.

B. Enable the Restrict Certificate Managers option on the CA.

C. Add the Basic EFS certificate template for the Account Operators group.

D. Grant the Account Operators group the Manage CA permission on the CA.

E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCE

Explanation:

http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx

Role-based administration

Role explanation

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role’s corresponding security permissions, group memberships, or user rights to the user or group.

These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

 


Certificate Manager:

Delete multiple rows in database (bulk deletion)

Issue and approve certificates

Deny certificates

Revoke certificates

Reactivate certificates placed on hold

Renew certificates

Recover archived key

Read CA database

Read CA configuration information

 

http://technet.microsoft.com/en-us/library/cc753372.aspx

Restrict Certificate Managers

A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission. When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.

This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.

 

To configure certificate manager restrictions for a CA:

1. Open the Certification Authority snap-in, and right-click the name of the CA.

2. Click Properties, and then click the Security tab.

3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.

4. Click the Certificate Managers tab.

5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.

6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.

7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.

8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.

9. When you are finished configuring certificate manager restrictions, click OK or Apply.

 
