[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 101-110

Ensurepass

QUESTION 101

ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 Windows Vista client machines.

 

As an administrator at ABC.com, you want to deploy Active Directory Certificate service (AD CS) to authorize the network users by issuing digital certificates.

 

What should you do to manage certificate settings on all machines in a domain from one main location?

 

A.

Configure Enterprise CA certificate settings

B.

Configure Enterprise trust certificate settings

C.

Configure Advance CA certificate settings

D.

Configure Group Policy certificate settings

E.

All of the above

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc725911.aspx

 

AD CS: Policy Settings

In the Windows Server?2008 operating system, certificate-related Group Policy settings enable administrators to manage certificate validation settings according to the security needs of the organization.

 

What are certificate settings in Group Policy?

Certificate settings in Group Policy enable administrators to manage the certificate settings on all the computers in the domain from a central location.

 

 

QUESTION 102

Your network contains an Active Directory domain. The domain contains a server named Server1.Server1 runs Windows Server 2008 R2.

 

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

 

What should you do?

 

A.

Run ldp.exe and use the Bind option.

B.

Run diskpart.exe and use the Attach option.

C.

Run dsdbutil.exe and use the snapshot option.

D.

Run imagex.exe and specify the /mount parameter.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc753151%28v=ws.10%29.aspx

 

Dsdbutil

Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.

Commands

snapshot

Manages snapshots.

http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspx

snapshot Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.

This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Syntax activate instance %s [create] [delete %s] [unmount %s] [list all] [list mounted ] [mount %s] [quit]

Parameters

Mount %s Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of its GUID.

 

 

QUESTION 103

Your network contains an Active Directory domain. The domain is configured as shown in the following table.

 

clip_image002

 

Users in Branch2 sometimes authenticate to a domain controller in Branch1.

 

You need to ensure that users inBranch2 only authenticate to the domain controllers in Main.

 

What should you do?

 

A.

On DC3, set the AutoSiteCoverage value to 0.

B.

On DC3, set the AutoSiteCoverage value to 1.

C.

On DC1 and DC2, set the AutoSiteCoverage value to 0.

D.

On DC1 and DC2, set the AutoSiteCoverage value to 1.

 

Correct Answer: A

 

 

QUESTION 104

You want users to log on to Active Directory by using a new Principal Name (UPN).

 

You need to modify the UPN suffix for all user accounts.

 

Which tool should you use?

 

A.

Dsmod

B.

Netdom

C.

Redirusr

D.

Active Directory Domains and Trusts

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx

Dsmod user dsmod user -upn <UPN>

Specifies the user principal names (UPNs) of the users that you want to modify, for example,

Linda@widgets.contoso.com.

 

 

QUESTION 105

Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data.

 

You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data.

 

What should you do?

 

A.

Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility.

B.

Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account.

C.

Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold the confidential data for the Deny DLG group.

D.

Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that
hold the confidential data for the Deny DLG group.

 

Correct Answer: D

Explanation:

clip_image004

clip_image006

 

http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.

The following table describes the differences between the scopes of each group.

 

clip_image008

 

When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.

 

 

QUESTION 106

Your company asks you to implement Windows Cardspace in the domain.

 

You want to use Windows Cardspace at your home.

 

Your home and office computers run Windows Vista Ultimate.

 

What should you do to create a backup copy of Windows Cardspace cards to be used at home?

 

A.

Log on with your administrator account and copy WindowsServiceProfiles folder to your USB drive

B.

Backup WindowsGlobalization folder by using backup status and save the folder on your USB drive

C.

Back up the system state data by using backup status tool on your USB drive

D.

Employ Windows Cardspace application to backup the data on your USB drive.

E.

Reformat the C: Drive

F.

None of the above

 

Correct Answer: D

Explanation:

http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros# BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer

Windows CardSpace for IT pros

Microsoft Windows CardSpaceTM is a system for creating relationships with websites and online services.

Windows CardSpace provides a consistent way for:

Sites to request information from you.

You to review the identity of a site.

You to manage your information by using Information Cards. You to review card information before you send it. Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.

15. How do I back up my cards or transfer them to another computer?

Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards or to use a card on a different computer, you can save cards to a backup card file.

To back up your cards:

1. Start Windows CardSpace.

2. View all your cards.

3. In the pane on the right of your screen, click Back up cards.

4. Select the cards that you want to back up.

5. Browse to the folder where you want to save the backup card file, and then give it a name.

When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer.

To restore your cards

1. Save the backup card file to the computer.

2. Browse to the location of the file on the computer.

3. Double-click the file, and then follow the instructions to restore the cards.

 

 

QUESTION 107

Your network contains an Active Directory Rights Management Services (AD RMS) cluster.

 

You have several custom policy templates. The custom policy templates are updated frequently.

 

Some users report that it takes as many as 30 days to receive the updated policy templates.

 

You need to ensure that users receive the updated custom policy templates within seven days.

 

What should you do?

 

A.

Modify the registry on the AD RMS servers.

B.

Modify the registry on the users’ computers.

C.

Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.

D.

Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc771971.aspx

 

Configuring the AD RMS client

The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks updateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location:

HKEY_CURRENT_USERSoftwarePoliciesMicrosoftMSDRMTemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime, which forces the client computer to update its rights policy templates.

 

 

QUESTION 108

You have a DNS zone that is stored in a custom application directory partition.

 

You install a new domain controller.

 

You need to ensure that the custom application directory partition replicates to the new domain controller.

 

What should you use?

 

A.

the Active Directory Administrative Center console

B.

the Active Directory Sites and Services console

C.

the DNS Manager console

D.

the Dnscmd tool

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc772069.aspx

dnscmd /enlistdirectorypartition Adds the DNS server to the specified directory partition’s replica set.

 

 

QUESTION 109

You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.

 

Users are required to log on to the domain by using a smart card.

 

Your company’s corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked.

 

An employee resigns.

 

You need to immediately prevent the employee from logging on to the domain.

 

What should you do?

 

A.

Revoke the employee’s smart card certificate.

B.

Disable the employee’s Active Directory account.

C.

Publish a new delta certificate revocation list (CRL).

D.

Reset the password for the employee’s Active Directory account.

 

Correct Answer: B

Explanation:

http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account- One-best-practice

Delete or disable an Active Directory account?

One best practice. I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn’t give the clearest direction on this but common sense does.

The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away.

And then the reason for MSFT’s lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.

 

 

QUESTION 110

Your network contains an Active Directory domain named contoso.com.

 

The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2.

 

You need to identify if all of the DNS records used for Active Directory replication are correctly registered.

 

What should you do?

 

A.

From the command prompt, use netsh.exe.

B.

From the command prompt, use dnslint.exe.

C.

From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.

D.

From the Active Directory Module for Windows PowerShell, run the Get- ADDomainController cmdlet.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/dd197560.aspx

Dnslint.exe

DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues.

It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.

 

Free VCE & PDF File for Microsoft 70-640 Real Exam

Instant Access to Free VCE Files: MCSE|MCSA|MCITP…
Instant Access to Free PDF Files: MCSE|MCSA|MCITP…