[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 111-120



Your network contains two Active Directory forests. One forest contains two domains named contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A forest trust is configured between the two forests.


You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on to a computer in the nwtraders.com domain by using the user name NA\User1.


Other users from na.contoso.com report that they can log on to the computers in the nwtraders.com domain.


You need to ensure that User1 can log on to the computer in the nwtraders.com domain.


What should you do?



A. Enable selective authentication over the forest trust.

B. Create an external one-way trust from na.contoso.com to nwtraders.com.

C. Instruct User1 to log on to the computer by using his user principal name (UPN).

D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.

Correct Answer: C



What is a UPN and why use it?

A UPN (user principal name) is a logon name of the form username@domainname.com, used instead of the Windows down-level logon name:

domainname\username

So a UPN is basically a suffix that is appended to a user name and can be used in place of the sAMAccountName to authenticate a user. If your company is called ABC, then instead of ABC\Username you can use username@ABC.com at the authentication prompt.

An additional UPN suffix lets users simplify the logon name in forests with long domain names. Example: instead of "username@this.is.my.long.domain.name.in.atlanta.com", use "username@atlanta" after you create a UPN suffix called Atlanta.

http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-across-forest-and-achieve-single-signon-part1.aspx

Accessing Resources across forest and achieve Single Sign ON (Part1)


Accessing resources across forests

When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO objects are replicated to the global catalog.
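The following PowerShell is an added example, not part of the original page or the referenced article. It shows the check a practitioner would run before advising a user to log on with a UPN across a forest trust: read the user's UPN from the home domain, confirm its suffix is one the home forest actually publishes (only domain names and registered UPN suffixes are collected into the trust's namespace list), and list the forest's trusts. It assumes the ActiveDirectory module (RSAT) and read access to the na.contoso.com domain; the user and domain names are the ones from the question.

```powershell
# Added example (not from the original page): verify which logon name User1
# should use across the forest trust. Assumes the ActiveDirectory module and
# read access to the user's home domain.
Import-Module ActiveDirectory

$userSam    = 'User1'           # sAMAccountName from the question
$homeDomain = 'na.contoso.com'  # the user's account domain

# 1. Read the user's UPN from its home domain.
$user = Get-ADUser -Identity $userSam -Server $homeDomain -Properties UserPrincipalName
"UPN to use at the logon prompt: $($user.UserPrincipalName)"

# 2. Confirm the UPN suffix is a domain name or registered UPN suffix in the
#    home forest; only those are published to the trusting forest as trusted namespaces.
$forest = Get-ADForest -Server $homeDomain
$suffix = $user.UserPrincipalName.Split('@')[1]
$known  = @($forest.Domains) + @($forest.UPNSuffixes)
if ($known -notcontains $suffix) {
    Write-Warning "Suffix '$suffix' is not a domain name or registered UPN suffix in $($forest.Name); UPN logon across the trust will fail."
}

# 3. Show the trusts the home forest holds, so the forest-trust path can be checked
#    (direction, transitivity, and whether selective authentication is on).
Get-ADTrust -Filter * -Server $homeDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
```

If the suffix is missing from the forest's list, add it in Active Directory Domains and Trusts (or via Set-ADForest -UPNSuffixes) and let the trust's namespace information refresh before retrying the logon.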




Your company has a main office and a branch office.


You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.


You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.


What should you do?



A. Configure the NTDS Site Settings object.

B. Create Active Directory subnet objects.

C. Create Active Directory Domain Services connection objects.

D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.


Correct Answer: B




Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.


You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated with User objects.


You need to ensure that Attribute1 is replicated to the global catalog.


What should you do?



A. In Active Directory Sites and Services, configure the NTDS Settings.

B. In Active Directory Sites and Services, configure the universal group membership caching.

C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.

D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class schema attribute.


Correct Answer: D



The Global Catalog Server

The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.


How to Include Additional Attributes in the GC

The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC.

To add the Active Directory Schema snap-in in the MMC:

1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.

2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.

3. Click OK to acknowledge that the dll was successfully registered.

4. Click Start, Run, and enter mmc in the Run dialog box.

5. When the MMC opens, select Add/Remove Snap-in from the File menu.

6. In the Add/Remove Snap-in dialog box, click Add, then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.

7. Close all open dialog boxes.

To include additional attributes in the GC:

1. Open the Active Directory Schema snap-in.

2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu.

3. Additional attributes are added on the General tab.

4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.

5. Click OK.
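The same change made from PowerShell, as an added example that is not part of the original page. The "Replicate this attribute to the Global Catalog" check box in the Schema snap-in sets the isMemberOfPartialAttributeSet flag on the attributeSchema object, so the script locates the object by its lDAPDisplayName, sets that flag on the schema master, and then lists every attribute currently in the partial attribute set so the replication cost the text warns about can be reviewed. It assumes the ActiveDirectory module, Schema Admins membership, and that the custom attribute's LDAP display name is Attribute1 (the placeholder from the question).

```powershell
# Added example (not from the original page): add a custom attribute to the global
# catalog partial attribute set. Assumes the ActiveDirectory module, Schema Admins
# rights, and that the attribute's lDAPDisplayName is 'Attribute1' (placeholder).
Import-Module ActiveDirectory

$attributeName = 'Attribute1'
$schemaMaster  = (Get-ADForest).SchemaMaster                 # schema writes go to the schema master
$schemaNC      = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Locate the attributeSchema object by its LDAP display name.
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))" `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
if (-not $attr) { throw "Attribute '$attributeName' not found in $schemaNC" }

# isMemberOfPartialAttributeSet is the flag behind the
# "Replicate this attribute to the Global Catalog" check box.
if ($attr.isMemberOfPartialAttributeSet -eq $true) {
    "$attributeName is already in the partial attribute set."
} else {
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    "$attributeName added to the partial attribute set; the change replicates to every GC."
}

# Review: every attribute the global catalog currently replicates. Each entry
# adds to GC replication traffic, so keep this list deliberate.
Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
```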




You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.


You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).


What should you do?



A. Install and configure an Online Responder.

B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.

C. Install and configure an additional domain controller.

D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.


Correct Answer: A




What Is an Online Responder?

An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate.

The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.




Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).


An RODC server is stolen from one of the branch offices.


You need to identify the user accounts that were cached on the stolen RODC server.


Which utility should you use?







Active Directory Sites and Services


Active Directory Users and Computers


Correct Answer: D



Securing Accounts After an RODC Is Stolen

If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC. An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.




A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted.


You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online.


What should you do?



A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.

B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.

C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.

D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.


Correct Answer: D



Performing offline defragmentation of the Active Directory database

Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller.


When to offline defrag the Active Directory database

This article shows a simple way to determine whether there is any gain in doing an offline defrag of your Active Directory database.

During normal operations the Active Directory service performs an online defragmentation of the Active Directory database (always called ntds.dit) every 12 hours. This online defrag arranges all pages inside ntds.dit in an optimal way, but the file size never shrinks and sometimes even grows. Over years of operation the size of ntds.dit increases as user accounts, organizational units, groups, computers, DNS records and more are added and later removed. When deleted objects are finally removed (after the so-called tombstone lifetime, typically 180 days), the space they occupied is unfortunately not released.




The actual size of ntds.dit can be checked in Explorer. In this example the database is around 575 MB. Note that Active Directory does not use file-level replication, so the file can be of a different size on each domain controller in your domain. If wanted, you can take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This both arranges all pages in the best possible way and reclaims any empty space inside the database, which can make backup and restore faster and possibly increase AD performance. The offline defrag is "offline" from an Active Directory perspective: on Windows 2000 and 2003 you have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you have to stop the AD services by typing "net stop ntds" at the command prompt. So in Windows 2008 and later it is far easier, but still something you do not want to do unless necessary.

There are numerous articles on the web about how to do the actual offline defrag, so we will not cover that part here. Instead we look at perhaps the most important piece of information: how to see in advance the amount of space that could be reclaimed. With this information the decision can be based on fact rather than guesses. This has been possible since at least Windows 2003, but is not well documented.




To enable this you have to change a registry value on the domain controller you want to investigate for reclaimable MB. Use regedit and find the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

Change the value "6 Garbage Collection" from 0 to 1. This increases the logging from the Garbage Collection process, which runs together with the online defrag. Now wait for the next online defragmentation (it runs twice a day) and then study the Directory Service log in Event Viewer.




Search for event id 1646, usually together with event ids 700 and 701.




Here we can note the amount of space that would be reclaimed by an offline defrag. The top value is the number of MB that the offline defrag would recover, here almost half the database size. If the amount is negligible then do not worry about this any more, and if a considerable number of MB is reported then you can plan to do the offline defrag.




Note that both the registry change and the actual offline defrag have to be done on each domain controller, since neither replicates. As noted above we do not look at the commands for the offline defragmentation here, since they are well documented already.
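The procedure above as a script, added here as an example that is not part of the original article. It raises the "6 Garbage Collection" diagnostic value in the registry key the article names, reports the current size of ntds.dit for comparison, and after the next online defragmentation pulls events 700, 701 and 1646 from the Directory Service log so the reclaimable figure can be read without opening Event Viewer. It assumes an elevated PowerShell session on the domain controller being examined; the event IDs and registry path are the article's own, the rest is standard Windows.

```powershell
# Added example (not from the original page): enable Garbage Collection logging
# and read event 1646 to see how much space an offline defrag would reclaim.
# Runs elevated on the DC being examined; the setting is per-DC and does not replicate.
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '6 Garbage Collection'

# 1. Raise the logging level from 0 to 1 if it is not already set.
$current = (Get-ItemProperty -Path $diagKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -ne 1) {
    Set-ItemProperty -Path $diagKey -Name $valueName -Value 1 -Type DWord
    "Garbage Collection logging raised from $current to 1; wait for the next online defrag (every 12 hours)."
} else {
    'Garbage Collection logging is already at 1.'
}

# 2. Report the current ntds.dit size; the DSA Database file value points at it.
$dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
'{0} is currently {1:N0} MB' -f $dbPath, ((Get-Item $dbPath).Length / 1MB)

# 3. After the online defrag has run, show the most recent 1646 together with the
#    700/701 events that bracket it. The message of 1646 carries the MB figure.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 700, 701, 1646 } -MaxEvents 6 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } -AutoSize -Wrap
```

Step 3 returns nothing until the first online defragmentation after the registry change; run the script again later on the same DC, and set the value back to 0 once the figure has been read.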




Your network contains an Active Directory domain named contoso.com.


You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com.


When you ping Server1, you discover that the name fails to resolve.


You successfully resolve server2.contoso.com.


You need to ensure that you can resolve names by using the GlobalNames zone.


What should you do?



A. From the command prompt, use the netsh tool.

B. From the command prompt, use the dnscmd tool.

C. From DNS Manager, modify the properties of the GlobalNames zone.

D. From DNS Manager, modify the advanced settings of the DNS server.


Correct Answer: B



Enable GlobalNames zone support

The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:

dnscmd <ServerName> /config /enableglobalnamessupport 1
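Because the setting is per server rather than per zone, it has to be applied on every authoritative DNS server in the forest. The loop below is an added example, not from the original page: it enumerates the domain controllers in every domain of the forest, runs the dnscmd command above against each one, and reads the setting back with dnscmd /info. It assumes the ActiveDirectory module and that each domain controller hosts the DNS Server role (adjust the server list otherwise).

```powershell
# Added example (not from the original page): enable GlobalNames zone support on
# every DNS server in the forest and verify it. Assumes the ActiveDirectory module
# and that the forest's domain controllers are its authoritative DNS servers.
Import-Module ActiveDirectory

$dnsServers = Get-ADForest | Select-Object -ExpandProperty Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

foreach ($server in $dnsServers) {
    # Per-server flag: the zone exists, but no server resolves from it until this is 1.
    $out = & dnscmd $server /config /enableglobalnamessupport 1 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$server : $($out -join ' ')"
        continue
    }

    # Read the value back so each server's state is confirmed, not assumed.
    $check = & dnscmd $server /info enableglobalnamessupport 2>&1
    "$server -> $(($check | Where-Object { $_ -match 'enableglobalnamessupport' }) -join ' ')"
}
```

Single-label names are only looked up in the GlobalNames zone after the client's primary DNS suffix and suffix search list fail, so a test with ping Server1 should be done from a client after all servers report the value as 1.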




You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks.


For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.


Which utility will you use to convert basic disks to dynamic disks on FileSrv1?











None of the above


Correct Answer: A



Diskpart command: convert dynamic. Converts a basic disk into a dynamic disk.




ABC.com has a two-node Network Load Balancing cluster called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability for the intranet website only.


While monitoring the cluster, you discover that users can view the Network Load Balancing cluster in their Network Neighborhood and can use it to connect to various services by using the name web.CK1.com.


You also discover that there is only one port rule configured for the Network Load Balancing cluster. You have to configure the web.CK1.com NLB cluster to accept HTTP traffic only.


Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution.)



A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console

B. Run the wlbs disable command on the cluster nodes

C. Assign a unique port rule for the NLB cluster by using the NLB Cluster console

D. Delete the default port rules through the Network Load Balancing Cluster console


Correct Answer: AD



Create a new Network Load Balancing Port Rule

Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port’s cluster-network traffic is handled. The method by which a port’s network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled.

You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters:

The virtual IP address that the rule should apply to

The TCP or UDP port range that this rule should apply to

The protocols that this rule should apply to, including TCP, UDP, or both

The filtering mode that specifies how the cluster handles traffic, which is described by the port range and the protocols

In addition, you can select one of three options for client affinity: None, Single, or Network. Single and Network are used to ensure that all network traffic from a particular client is directed to the same cluster host.

To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your protocol setting. As an extension to the Single and Network options, you can configure a time-out setting to preserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clients to keep affinity to a cluster host even if there are no active, existing connections from the client to the host.
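The two actions from the answer (delete the default all-ports rule, add a TCP 80 rule) as a script, added here as an example that is not part of the original page. It uses the NetworkLoadBalancingClusters PowerShell module that ships with the NLB feature on Windows Server 2008 R2 and later, run on one of the cluster nodes; the cmdlet names and parameters (Get-NlbClusterPortRule, Remove-NlbClusterPortRule, Add-NlbClusterPortRule with -StartPort, -EndPort, -Protocol, -Mode, -Affinity) are the module's own. The rule it creates uses the Multiple hosts filtering mode with Single affinity, matching the affinity guidance in the text.

```powershell
# Added example (not from the original page): restrict a two-node NLB cluster to
# HTTP only by replacing its default port rule. Run on a cluster node with the
# NetworkLoadBalancingClusters module (NLB feature, Windows Server 2008 R2+).
Import-Module NetworkLoadBalancingClusters

$cluster = Get-NlbCluster   # the local node's cluster (web.CK1.com in the question)

'Port rules before the change:'
$cluster | Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize

# 1. Delete the default rule, which spans ports 0-65535 for both protocols and is
#    what lets clients reach every service through the cluster name.
$cluster | Get-NlbClusterPortRule |
    Where-Object { $_.StartPort -eq 0 -and $_.EndPort -eq 65535 } |
    Remove-NlbClusterPortRule -Force

# 2. Add a rule for TCP port 80 only. Multiple-hosts mode spreads HTTP across both
#    nodes; Single affinity keeps each client on the node that took its first request.
$cluster | Add-NlbClusterPortRule -StartPort 80 -EndPort 80 -Protocol TCP -Mode Multiple -Affinity Single | Out-Null

'Port rules after the change:'
$cluster | Get-NlbClusterPortRule | Format-Table StartPort, EndPort, Protocol, Mode, Affinity -AutoSize
```

Traffic on ports with no matching rule is no longer load balanced, which is the intended effect here; add a second rule for TCP 443 in the same way if the intranet site is also served over HTTPS.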



As the company administrator you have installed a read-only domain controller (RODC) at a remote location.


The remote location does not provide enough physical security for the server.


What should you do to allow administrative accounts to replicate authentication information to read-only domain controllers?



A. Remove any administrative accounts from the RODC's group

B. Add administrative accounts to the domain Allowed RODC Password Replication group

C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO)

D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO.

E. None of the above


Correct Answer: B





Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.


Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.

By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group.

By default, the Denied RODC Password Replication Group contains the following members:

Enterprise Domain Controllers

Enterprise Read-Only Domain Controllers

Group Policy Creator Owners

Domain Admins

Cert Publishers

Enterprise Admins

Schema Admins

Domain-wide krbtgt account

By default, the Denied List attribute contains the following security principals, all of which are built-in groups:

Denied RODC Password Replication Group

Account Operators

Server Operators

Backup Operators


The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.

The following table summarizes the three possible administrative models for the Password Replication Policy.
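The following PowerShell is an added example, not part of the original page, and serves two passages: the stolen-RODC question earlier (identifying which accounts had passwords cached on the RODC) and this Password Replication Policy section. It reads an RODC's Allowed and Denied lists, adds accounts to both the domain-wide Allowed RODC Password Replication Group and the per-RODC Allowed List, distinguishes accounts whose passwords the RODC actually holds from accounts that merely authenticated through it, and, when enabled, resets the cached user passwords as the first response to a theft. The cmdlets are the ActiveDirectory module's own; RODC1 and BranchUsers are placeholders, and the script needs domain administrator rights against a writable DC.

```powershell
# Added example (not from the original page): audit and manage an RODC's Password
# Replication Policy. 'RODC1' and 'BranchUsers' are placeholders; the cmdlet names
# are the ActiveDirectory module's own. Run as a domain administrator.
Import-Module ActiveDirectory
$rodc = 'RODC1'

# 1. Read the per-RODC Allowed and Denied lists (the msDS-RevealOnDemandGroup and
#    msDS-NeverRevealGroup attributes). A Denied entry always overrides an Allowed one.
'Allowed list:'; Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
'Denied list:';  Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# 2. Permit caching for the accounts that work at the branch. The domain-wide group
#    applies to every RODC; the per-RODC AllowedList applies to this one only.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members 'BranchUsers'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'BranchUsers'

# 3. Accounts whose secrets are on the RODC (revealed) versus accounts that only
#    authenticated through it. After a theft, the revealed list is the one to act on.
$revealed      = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts)
$authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts)
'Cached on {0}: {1} accounts; authenticated through it: {2}' -f $rodc, $revealed.Count, $authenticated.Count
$revealed | Select-Object Name, ObjectClass | Sort-Object ObjectClass, Name

# 4. Theft response: reset every cached user password to a random value and force a
#    change at next logon. Computer accounts are listed for a separate rejoin or
#    machine-password reset. Set $resetCached to $true to perform the resets; deleting
#    the RODC's computer account is then done in Active Directory Users and Computers,
#    as the text above describes.
$resetCached = $false
foreach ($acct in $revealed) {
    if ($acct.ObjectClass -ne 'user') { "Non-user cached account needs its own reset: $($acct.Name)"; continue }
    if (-not $resetCached)            { "Would reset: $($acct.Name)"; continue }
    $newPass = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $acct -Reset -NewPassword (ConvertTo-SecureString $newPass -AsPlainText -Force)
    Set-ADUser -Identity $acct -ChangePasswordAtLogon $true
    "Reset: $($acct.Name)"
}
```

Run it once with $resetCached left at $false to review the list and confirm that no account from the Denied list (Domain Admins, krbtgt, and the others enumerated above) appears among the revealed accounts; that check is what makes the Denied list worth keeping intact even when an RODC sits in an unsecured branch.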



