[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 181-190

Ensurepass

QUESTION 181

You have installed the Active Directory Federation Services (AD FS) role on a Windows Server 2008 computer in your organization.

 

Now you need to test connectivity from clients on the network to ensure that they can reach the new federation server and that the Federation Service is operational.

 

What should you do? (Select all that apply)

 

A.

Go to Services tab, and check if Active Directory Federation Services is running

B.

In the event viewer, Applications, Event ID column look for event ID 674.

C.

Open a browser window, and then type the Federation Service URL for the new federation server.

D.

None of the above

 

Correct Answer: BC

Explanation:

http://technet.microsoft.com/en-us/library/cc734875.aspx

 

Verify

Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service.

 

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

1. Log on to a client computer with Internet access.

2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.

3. Press ENTER.

Note: At this point your browser should display the error "Server Error in '/adfs' Application". This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).

4. Log on to the federation server proxy.

5. Click Start, point to Administrative Tools, and then click Event Viewer.

6. In the details pane, double-click Application.

7. In the Event column, look for event ID 674.

 

 

QUESTION 182

ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed.


Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?

 

A.

Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts

B.

Add a password replication policy to the main Domain RODC and add user accounts in the security group

C.

Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server

D.

Configure and add a separate password replication policy on each RODC computer account

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx

Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.


QUESTION 183

Your company, Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run the Windows Server 2008 R2 operating system. The domain controllers also run the DNS Server service.

 

The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only.

 

A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.

 

You need to configure the intranet.adatum.com zone to meet the new security policy requirement.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.

B.

Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.

C.

Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.

D.

Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.

 

Correct Answer: AD

Explanation:

http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/

Managing DNS Dynamic Updates in Windows Server 2008 R2

What Is DNS Dynamic Update?

When a DNS server is installed in a network, administrators can configure it during installation to accept dynamic updates of client records. Dynamic update means that DNS client computers can automatically register their names along with their IP addresses on the DNS server. When this happens, the DNS server automatically creates a Host (A) record for that client computer that contains the hostname of the client and its associated IP address. Alternatively, during installation of the DNS server, administrators can choose an option under which the DNS server does not automatically update its records; in that case administrators must manually create Host (A) records in the DNS database.

http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html

 

DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC

In this article, then, we'll take a look at the details of the following preliminary steps you can take to help secure your Windows DNS infrastructure:

Decide who can resolve Internet host names

Don’t co-locate internal and external zones

Lock down the DNS cache

Enable recursion only where needed

Restrict DNS servers to listen on specific addresses

Consider using a private root hints file

Randomize your DNS source ports

Be aware of the Global Query Block List

Limit zone transfers

Take advantage of Active Directory integrated zone security

 

Take advantage of Active Directory integrated zone security

Active Directory integrated zones enable you to secure the registration of resource records when dynamic name registration is enabled. Members of the Active Directory domain can register their resource records dynamically while non-domain members will be unable to register their names. You can also use discretionary access control lists (DACLs) to control which computers are able to register or change their addressing information. The figure below shows how you configure secure dynamic updates.

 

[Figure: configuring secure dynamic updates (image not reproduced)]

 

http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/

Configuring DNS Server for Secure Only Dynamic Updates

 

 

QUESTION 184

Your network contains an Active Directory domain. The domain contains three domain controllers.

 

One of the domain controllers fails.

 

Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts.

 

Which operations master role should you seize?

 

A.

domain naming master

B.

infrastructure master

C.

primary domain controller (PDC) emulator

D.

RID master

E.

schema master

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx

Operations master roles

Active Directory supports multimaster replication of the directory data store between all domain controllers (DCs) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so for each of these types of changes one domain controller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.

 

RID master

The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.

To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

 

http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-activedirectory/5081138

Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory

http://www.petri.co.il/seizing_fsmo_roles.htm

Seizing FSMO Roles

 

 

QUESTION 185

You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure.

 

Because you have limited media resources, you decide to back up only a specific AD LDS instance instead of backing up the entire volume.

 

What should you do to accomplish this task?

 

A.

Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS

B.

Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance

C.

Move AD LDS database and log files on a separate volume and use windows server backup utility

D.

None of the above

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc730941.aspx

 

Backing up AD LDS instance data with Dsdbutil.exe

 

With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.

 

 

QUESTION 186

Your network contains an Active Directory forest named contoso.com.

 

You plan to add a new domain named nwtraders.com to the forest.

 

All DNS servers are domain controllers.

 

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest.

 

What should you do?

 

A.

Add the computer accounts of all the domain controllers to the DnsAdmins group.

B.

Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.

C.

Create a standard primary zone on a domain controller in the forest root domain.

D.

Create an Active Directory-integrated zone on a domain controller in the forest root domain.

 

Correct Answer: D

 

 

QUESTION 187

Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1.

 

You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.

 

What should you do?

 

A.

Remove the Request Certificates permission from the Domain Users group.

B.

Remove the Request Certificates permission from the Authenticated Users group.

C.

Assign the Allow – Manage CA permission to only the Security Manager user account.

D.

Assign the Allow – Issue and Manage Certificates permission to only the Security Manager user account.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc732590.aspx

 

Implement Role-Based Administration

You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user’s security settings.

 

You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.

 

The following table describes the roles, users, and groups that can be used to implement role-based administration.

 

Roles and groups: Certificate manager

Security permission: Issue and Manage Certificates

Description: Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.

 

 

QUESTION 188

Your company has two Active Directory forests as shown in the following table.

 

[Table: the two Active Directory forests (image not reproduced)]

 

The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain.

 

You need to configure the forest trust to meet the new security policy requirement.

 

What should you do?

 

A.

Delete the outgoing forest trust in the contoso.com domain.

B.

Delete the incoming forest trust in the contoso.com domain.

C.

Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication.

D.

Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx

 

How Domain and Forest Trusts Work

Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account.

 

Trust Flow

The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive).

One-Way and Two-Way Trusts

Trust relationships that are established to enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created.

All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created. An Active Directory domain can establish a one-way or two-way trust with:

Windows Server 2003 domains in the same forest.

Windows Server 2003 domains in a different forest.

Windows NT 4.0 domains.

Kerberos V5 realms.

Transitive and Nontransitive Trusts

Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains. Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.

Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 2 can access resources in domains in Tree 1, when the proper permissions are assigned at the resource.

Default Transitive Trust Relationships

 


 

In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts:

Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.

Forest trust. A transitive trust between one forest root domain and another forest root domain.

Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.

A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust.

Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between:

A Windows Server 2003 domain and a Windows NT domain

A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust)

By using the New Trust Wizard, you can manually create the following nontransitive trusts:

External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.

Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm.


QUESTION 189

Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network.

 

A user named User1 is a member of only the AD RMS Enterprise Administrators group.

 

You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1.

 


To which group should you add User1?

 

A.

AD RMS Auditors

B.

AD RMS Service Group

C.

Domain Admins

D.

Schema Admins

 

Correct Answer: C

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx

The AD RMS Service Connection Point

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.

 

 

QUESTION 190

You need to ensure that domain controllers only replicate with domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services?

 

A.

From the IP properties, select Ignore all schedules.

B.

From the IP properties, select Disable site link bridging.

C.

From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects.

D.

From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.

 

Correct Answer: B

Explanation:

http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm

What is a Site Link Bridge and How to Create a Site Link Bridge

A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge.

By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing the default value of “Bridge all site links” (enabled by default).

 


 

We may need to disable "Bridge all site links" and create a site link bridge design when:

The IP network is not fully routed.

We need to control the replication flow in Active Directory.

 
