[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 141-150

Ensurepass

QUESTION 141

HOTSPOT

Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.

 

clip_image002

 

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.

 

You need to configure DC2 as a global catalog server.

 

Which object’s properties should you modify?

 

To answer, select the appropriate object in the answer area.

 

clip_image004

 

Correct Answer:

clip_image006

QUESTION 142

You are an administrator at ABC.com. The company has an Active Directory domain and a network of 5 member servers acting as file servers.

 

You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO).

 

You need to change the domain security settings to trace the shutdowns and identify their cause.

 

What should you do to perform this task?

 

A.

Link the GPO to the domain and enable System Events option

B.

Link the GPO to the domain and enable Audit Object Access option

C.

Link the GPO to the Domain Controllers and enable Audit Object Access option

D.

Link the GPO to the Domain Controllers and enable Audit Process tracking option

E.

Perform all of the above actions

 

Correct Answer: A

Explanation:

http://msdn.microsoft.com/en-us/library/ms813610.aspx

Audit system events

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Description

Determines whether to audit when a user restarts or shuts down the computer; or an event has occurred that affects either the system security or the security log. By default, this value is set to No auditing in the Default Domain Controller Group Policy object (GPO) and in the local policies of workstations and servers. If you define this policy setting, you can specify whether to audit successes, audit failures, or not to audit the event type at all. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted. You can select No auditing by defining the policy setting and unchecking Success and Failure.

 

 

QUESTION 143

Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain.

 

You need to reduce how long it takes until stale records are deleted from the zone.

 

What should you do?

 

A.

From the configuration directory partition of the forest, modify the tombstone lifetime.

B.

From the configuration directory partition of the forest, modify the garbage collection interval.

C.

From the aging properties of the zone, modify the no-refresh interval and the refresh interval.

D.

From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.

 

Correct Answer: C

Explanation:

clip_image008

 

http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx

Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time.

You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, click Aging.

4. Select the Scavenge stale resource records check box.

5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}

 

clip_image010

 

 

QUESTION 144

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1.

 

You need to log changes made to the Description attribute on all group objects in OU1 only.

 

What should you do?

 

A.

Run auditpol.exe.

B.

Modify the auditing entry for OU1.

C.

Modify the auditing entry for the domain.

D.

Create a new Group Policy Object (GPO). Enable Audit account management policy setting. Link the GPO to OU1.

 

Correct Answer: B

Explanation:

http://ithompson.wordpress.com/tag/organizational-unit-move/

Do you need to track who/where/when for activities done against the OU’s in your AD?

With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566).

With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart). I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers, the other systems in your environment will be a different discussion. So where do we start so that we can answer our question at the top of this discussion?

First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1.

 

clip_image012

 

For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.

 

clip_image014

 

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit.

This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill down to set up the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

 

clip_image016

 

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

 

clip_image018

 

Now that our auditing is set up, what type of events can we expect to see?

Here are a few examples:

In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

 

clip_image020

 

Figure 6 shows a Sub OU being created.

 

clip_image022

Figure 7 shows id 5139, an OU being moved.

 

clip_image024

 

Now for the best one, this one comes as a pair of messages: OU rename, part of id 5136. Figure 8 shows the first part of the rename process.

 

clip_image026

 

Figure 9 shows the second part of the rename process.

 

clip_image028

 

Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.

 

clip_image030

 

With standard auditing some of the other items that we looked at would be next to impossible with auditing, such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you did get an event. Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.

 

 

 

 

QUESTION 145

ABC.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in the process of restoring the OU.

 

You need to execute a non-authoritative restore before an authoritative restore of the OU.

 

Which backup should you use to perform a non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller?

 

A.

Critical volume backup

B.

Backup of all the volumes

C.

Backup of the volume that hosts Operating system

D.

Backup of AD DS folders

E.

All of the above

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc730683%28v=ws.10%29.aspx

Performing a Nonauthoritative Restore of AD DS

To perform a nonauthoritative restore of Active Directory Domain Services (AD DS), you need at least a system state backup.

To restore a system state backup, use the wbadmin start systemstaterecovery command. The procedure in this topic uses the wbadmin start systemstaterecovery command. You can also use a critical-volume backup to perform a nonauthoritative restore, or a full server backup if you do not have a system state or critical-volume backup. A full server backup is generally larger than a critical-volume backup or system state backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS. To restore a critical-volume backup or full server backup, use the wbadmin start recovery command.

 

 

QUESTION 146

Your company has a main office and a branch office.

 

The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.

 

The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

 

You uninstall the DNS server role from RODC1.

 

You need to prevent DNS records from replicating to RODC1.

 

What should you do?

 

A.

Modify the replication scope for the contoso.com zone.

B.

Flush the DNS cache and enable cache locking on RODC1.

C.

Configure conditional forwarding for the contoso.com zone.

D.

Modify the zone transfer settings for the contoso.com zone.

 

Correct Answer: A

Explanation:


http://technet.microsoft.com/en-us/library/cc754916.aspx

Change the Zone Replication Scope

You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)-integrated primary and stub forward lookup zones can change their replication scope.

Secondary forward lookup zones cannot change their replication scope.

http://technet.microsoft.com/en-us/library/cc772101.aspx

Understanding DNS Zone Replication in Active Directory Domain Services

You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.

 

clip_image032

 

When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS-integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.

 

AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog.

AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000.

If an application directory partition’s replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data.

By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.

 

 

 

QUESTION 147

Your network contains an Active Directory domain named contoso.com.

 

You remove several computers from the network.

 

You need to ensure that the host (A) records for the removed computers are automatically deleted from the contoso.com DNS zone.

 

What should you do?

 

A.

Configure dynamic updates.

B.

Configure aging and scavenging.

C.

Create a scheduled task that runs the Dnscmd /ClearCache command.

D.

Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.

 

Correct Answer: B

Explanation:

clip_image034

 

http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx

Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time.

You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, click Aging.

4. Select the Scavenge stale resource records check box.

5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}

 

clip_image035

 

 

QUESTION 148

Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com.

 

Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com.

 

You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails.

 

What should you do?

 

A.

Configure the Expires after option for the contoso.com zone to 4 days.

B.

Configure the Retry interval option for the contoso.com zone to 4 days.

C.

Configure the Refresh interval option for the contoso.com zone to 4 days.

D.

Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspx

 

Adjust the Expire Interval for a Zone

You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNS servers that are configured to load and host the zone use the expire interval to determine when zone data expires if it is not successfully transferred. By default, the expire interval for each zone is set to one day. You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.

To adjust the expire interval for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.

4. Click the Start of Authority (SOA) tab.

5. In Expires after, click a time period in minutes, hours, or days, and then type a number in the text box.

6. Click OK to save the adjusted interval.

 

 

QUESTION 149

Your network contains an Active Directory domain named contoso.com.

 

You plan to deploy a child domain named sales.contoso.com.

 

The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com.

 

You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fully qualified domain names (FQDNs).

 

What should you do?

 

A.

Create a DNS forwarder.

B.

Create a DNS delegation.

C.

Configure root hint servers.

D.

Configure an alternate DNS server on all client computers.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc784494%28v=ws.10%29.aspx

 

Delegating zones

DNS provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

A need to delegate management of part of your DNS namespace to another location or department within your organization.

A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.

A need to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site.

If, for any of these reasons, you could benefit from delegating zones, it might make sense to restructure your namespace by adding additional zones. When choosing how to structure zones, you should use a plan that reflects the structure of your organization. When delegating zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.

When a standard primary zone is first created, it is stored as a text file containing all resource record information on a single DNS server. This server acts as the primary master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance.

When structuring your zones, there are several good reasons to use additional DNS servers for zone replication:

1. Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.

2. Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed WAN link can be useful in managing and reducing network traffic.

3. Additional secondary servers can be used to reduce loads on a primary server for a zone.

Example: Delegating a subdomain to a new zone

As shown in the following figure, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.

In this example, an authoritative DNS server computer for the newly delegated example.microsoft.com subdomain is named based on a derivative subdomain included in the new zone (ns1.us.example.microsoft.com). To make this server known to others outside of the new delegated zone, two RRs are needed in the microsoft.com zone to complete delegation to the new zone.

These RRs include:

An NS RR to effect the delegation. This RR is used to advertise that the server named ns1.us.example.microsoft.com is an authoritative server for the delegated subdomain.

An A RR (also known as a glue record) is needed to resolve the name of the server specified in the NS RR to its IP address. The process of resolving the host name in this RR to the delegated DNS server in the NS RR is sometimes referred to as glue chasing.

Note: When zone delegations are correctly configured, normal zone referral behavior can sometimes be circumvented if you are using forwarders in your DNS server configuration.

 

 

QUESTION 150

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

 

What is the minimal forest functional level that you should use?

 

A.

Windows Server 2008 R2

B.

Windows Server 2008

C.

Windows Server 2003

D.

Windows 2000

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc731243.aspx

 

Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available.

 
