[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 131-140


QUESTION 131

Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.

 

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.

 

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.

 

You want to achieve this goal by using the minimum amount of administrative effort.

 

What should you do?

 

A.

Upgrade all of the Windows Vista computers to Windows 7.

B.

Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).

C.

Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.

D.

Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.

Correct Answer: B

 

 

QUESTION 132

One of the remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons, you don't want some critical credentials (such as passwords and encryption keys) to be stored on the RODC.

 

What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2)

 

A.

Configure RODC filtered attribute set on the server

B.

Configure RODC filtered set on the server that holds Schema Operations Master role.

C.

Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain

D.

Configure forest functional level server for Windows Server 2008 to configure filtered attribute set.

E.

None of the above

 

Correct Answer: BD

Explanation:

http://technet.microsoft.com/en-us/library/cc753223.aspx

Adding attributes to the RODC filtered attribute set

The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised. A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

 

 

QUESTION 133

Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level.

 

As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents.

 

You need to configure AD RMS to enable users to use it and protect their documents.

 

What should you do to achieve this functionality?

 

A.

Configure an email account in Active Directory Domain Services (AD DS) for each user.

B.

Add and configure ADRMSADMIN account in local administrators group on the user computers

C.

Add and configure the ADRMSSRVC account in AD RMS server’s local administrator group

D.

Reinstall the Active Directory domain on user computers

E.

All of the above

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx

AD RMS Step-by-Step Guide

For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.

 

 

QUESTION 134

You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:

 

Enterprise root certification authority (CA)

Certificate Enrollment Web Service

Certificate Enrollment Policy Web Service

 

You create a new certificate template.

 

External users report that the new template is unavailable when they request a new certificate.

 

You verify that all other templates are available to the external users.

 

You need to ensure that the external users can request certificates by using the new template.

 

What should you do on Server1?

 

A.

Run iisreset.exe /restart.

B.

Run gpupdate.exe /force.

C.

Run certutil.exe dspublish.

D.

Restart the Active Directory Certificate Services service.

 

Correct Answer: A

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx

Certificate Enrollment Web Services in Active Directory Certificate Services Troubleshooting

Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates

Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset.

 

 

 

 

 

 

 

 

 

QUESTION 135

Your network contains a server named Server1 that runs Windows Server 2008 R2.

 

On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.

 

You connect to Instance1 by using ADSI Edit.

 

You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.

 

What should you do?

 

A.

Run the AD LDS Setup Wizard.

B.

Modify the schema of Instance1.

C.

Modify the properties of the Instance1 service.

D.

Install the Remote Server Administration Tools (RSAT).

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc772194.aspx

To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed.

The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.

 

 

QUESTION 136

Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com.

 

You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server.

 

Users in fabrikam.com are unable to resolve FS1 by using DNS.

 

You need to ensure that FS1 has an A record in the fabrikam.com DNS zone.

 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

 

A.

Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.

B.

Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com.

C.

Configure NIC2 by configuring the Append these DNS suffixes (in order): option.

D.

Configure NIC2 by configuring the Use this connection’s DNS suffix in DNS registration option.

E.

Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com.

 

Correct Answer: BD

 

 

QUESTION 137

Company has an active directory forest on a single domain.

 

Company needs a distributed application that employs a custom application. The application is directory partition software named PARDAT.

 

You need to implement this application for data replication.

 

Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution)

 

A.

Dnscmd.

B.

Ntdsutil.

C.

Ipconfig

D.

Dnsutil

E.

All of the above

 

Correct Answer: AB

Explanation:

http://support.microsoft.com/kb/884116

How to create and apply a custom application directory partition on an Active Directory integrated DNS zone in Windows Server 2003

You can create a custom Active Directory partition by using the DnsCmd command. If the new naming context that you created does not appear in the Repadmin output, you can verify the state of this naming context by using the Ntdsutil command.

 

 

QUESTION 138

Your network contains an Active Directory domain named contoso.com.

 

You run nslookup.exe as shown in the following Command Prompt window.

 

[Image: nslookup.exe Command Prompt window]

 

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com.

 

What should you modify?

 

A.

the root hints of the DNS server

B.

the security settings of the zone

C.

the Windows Firewall settings on the DNS server

D.

the zone transfer settings of the zone

 

Correct Answer: D

Explanation:

http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm

11.7 Troubleshooting nslookup Problems

11.7.4 Query Refused

Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here’s what it looks like when nslookup exits on startup because of a refused query:

% nslookup

*** Can’t find server name for address 192.249.249.3: Query refused

*** Default servers are not available

%

This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup.

Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see:

% nslookup

Default Server: hp.com

Address: 15.255.152.4

> server terminator.movie.edu

Default Server: terminator.movie.edu

Address: 192.249.249.3

> carrie.movie.edu.

Server: terminator.movie.edu

Address: 192.249.249.3

*** terminator.movie.edu can’t find carrie.movie.edu.: Query refused

> ls movie.edu – This attempts a zone transfer

[terminator.movie.edu]

*** Can’t list domain movie.edu: Query refused

 

 

QUESTION 139

Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.

 

The TempWorkers group is not nested in any other groups.

 

You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders.

 

You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers.

 

You must achieve this goal without affecting access to other domain resources.

 

What should you do?

 

A.

Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.

B.

Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.

C.

Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.

D.

Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.

 

Correct Answer: A

Explanation:

Personal comment:

Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared folders (implies access from the network). “Deny log on locally” makes no sense in this instance, because we are referring to shared folders, and supposedly physical access to servers should be highly restricted. And best practices recommend that you link GPOs at the domain level only for domain-wide purposes.

 

 

QUESTION 140

The corporate network of Company consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company 1 and Company 2.

 

To ensure central monitoring of events you decided to collect all the events on one server, to collect events from Company, and transfer them to Company 1.

 

You configure the required event subscriptions.

 

You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol.

 

However, you discovered that none of the subscriptions work.

 

Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution).

 

A.

From the Run window, execute the winrm quickconfig command on Company 2.

B.

From the Run window, execute the wecutil qc command on Company 2.

C.

Add the Company 1 account to the Administrators group on Company 2.

D.

From the Run window, execute the winrm quickconfig command on Company 1.

E.

Add the Company 2 account to the Administrators group on Company 1.

F.

From the Run window, execute the wecutil qc command on Company 1.

 

Correct Answer: ACF

Explanation:

We need to do three things:

1 – run winrm quickconfig on the source computer (Company 2)

2 – run wecutil qc on the collector computer (Company 1)

3 – add the computer account of the collector computer to the local Administrators group on the source computer

Had the Event delivery optimization setting been set to Minimize Bandwidth or Minimize Latency, then we would need to run winrm quickconfig on the collector computer too.

Because it’s set to Normal we can skip that step.

If the HTTPS protocol had been used we also would have had to configure Windows Firewall exceptions for port 443. But it’s not, and it’s not even listed, so that’s cool.

Reference:

 

http://technet.microsoft.com/en-us/library/cc748890.aspx

 

Configure Computers to Forward and Collect Events

 

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

 

To configure computers in a domain to forward and collect events

1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.

2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

Note

If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.

3. On the collector computer, type the following at an elevated command prompt: wecutil qc

4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.

5. The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector.

 
