[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 191-200

Ensurepass

QUESTION 191

HOTSPOT

Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-only domain controller (RODC).

 

You accidentally delete the site link between the two sites.

 

You recreate the site link while you are connected to a domain controller in Seattle.

 

You need to replicate the change to the RODC in Montreal.

 

Which node in Active Directory Sites and Services should you use?

 

To answer, select the appropriate node in the answer area.

 

clip_image002

 

Correct Answer:

clip_image004

QUESTION 192

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com.

 

You discover that non-domain member computers register records in the contoso.com zone.

 

You need to prevent the non-domain member computers from registering records in the contoso.com zone.

 

All domain member computers must be allowed to register records in the contoso.com zone.

 

What should you do first?

 

A. Configure a trust anchor.

B. Run the Security Configuration Wizard (SCW).

C. Change the contoso.com zone to an Active Directory-integrated zone.

D. Modify the security settings of the %SystemRoot%\System32\Dns folder.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx

Active Directory-Integrated Zones

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:

Multiple masters are created for DNS replication. Therefore:

Any domain controller in the domain running the DNS server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative.

A separate DNS zone transfer topology is not needed.

Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.

 

 

QUESTION 193

Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows Server 2008.

 

clip_image006

 

You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents and spreadsheets and to provide user authentication.

 

What do you need to configure, in order to complete the deployment of AD RMS?

 

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1

B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _DC1

C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5

D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _SRV5

E. None of the above

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/dd772753%28v=ws.10%29.aspx

AD RMS Client Requirements

Windows AD RMS Client

Windows 7, all editions

Windows Server 2008 R2, all editions except Core Editions

Windows Vista, all editions

Windows Server 2008, all editions except Core Editions

Windows XP SP3 32-bit Edition

Windows XP SP3 64-bit Edition

Windows Server 2003 with SP1 32-bit Edition

Windows Server 2003 with SP1 64-bit Edition

Windows Server 2003 for Itanium-based systems with SP1

Windows Server 2003 R2 32-bit Edition

Windows Server 2003 R2 64-bit Edition

Windows Server 2003 R2 for Itanium-based systems

Windows Small Business Server 2003 32-bit Edition

Windows Server 2000 SP4 32-bit Edition

 

http://technet.microsoft.com/en-us/library/dd772659%28v=ws.10%29.aspx

AD RMS Prerequisites

Before you install AD RMS

Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met. Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) forest as the user accounts that will be using rights-protected content.

 

 

QUESTION 194

Your network contains an Active Directory forest. The forest contains multiple sites.

 

You need to enable universal group membership caching for a site.

 

What should you do?

 

A. From Active Directory Sites and Services, modify the NTDS Settings.

B. From Active Directory Sites and Services, modify the NTDS Site Settings.

C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.

D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspx

Enabling Universal Group Membership Caching in a Site

In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.

If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user’s initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server.

To complete this task, perform the following procedure:

http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspx

Enable Universal Group Membership Caching in a Site

1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.

3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.

4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.

5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.

 

 

QUESTION 195

HOTSPOT

Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1.

 

You assign Contoso\Domain Users the Manage documents permission and the Print permission to a shared printer on Server1.

 

You discover that users from contoso.com cannot access the shared printer on Server1.

 

You need to ensure that the contoso.com users can access the shared printer on Server1.

 

Which permission should you assign to Contoso\Domain Users?

 

To answer, select the appropriate permission in the answer area.

 

clip_image008

 

Correct Answer:

clip_image010

 

 

QUESTION 196

Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA).

 

You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.

 

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site.

 

What should you do?

 

A. Run certutil.exe -crl.

B. Run certutil.exe -delkey.

C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.

D. From Active Directory Users and Computers, modify the Contact object for the external partner.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/library/cc732443.aspx

Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Verbs -CRL

Publish new certificate revocation lists (CRLs) [or only delta CRLs]

http://technet.microsoft.com/en-us/library/cc783835%28v=ws.10%29.aspx

Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)

If you have determined the keycontainername for a specific certificate, you can delete the key container with the following command.

certutil.exe -delkey <KeyContainerName>

The -delkey option is supported only with the Windows Server 2003 version of certutil. On Windows 2000, you must add a prefix to the commands. The prefix is the path you have copied the Windows Server 2003 version of certutil to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used.

 

 

QUESTION 197

Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.

 

clip_image012

 

The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.

 

DNS1 and DNS2 host the contoso.com zone.

 

All client computers run Windows 7 Enterprise.

 

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.

 

What should you do first?

 

A. Change the functional level of the forest.

B. Change the functional level of the domain.

C. Upgrade DC1 to Windows Server 2008 R2.

D. Upgrade DNS1 to Windows Server 2008 R2.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx

DNS Security Extensions (DNSSEC)

What are the major changes?

Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server® 2008 R2 and Windows® 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS infrastructure.

The following changes are available in DNS server in Windows Server 2008 R2:

Ability to sign a zone and host signed zones.

Support for changes to the DNSSEC protocol.

Support for DNSKEY, RRSIG, NSEC, and DS resource records.

The following changes are available in DNS client in Windows 7:

Ability to indicate knowledge of DNSSEC in queries.

Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.

Ability to check whether the DNS server with which it communicated has performed validation on the client’s behalf.

The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed through Group Policy.

What does DNSSEC do?

DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed.

When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.

 

 

QUESTION 198

Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).

 

You need to replicate the AD LDS instance on a test computer that is located on the network.

 

What should you do?

 

A. Run the repadmin /kcc <servername> command on the test computer.

B. Create a naming context by running the Dsmgmt command on the test computer.

C. Create a new directory partition by running the Dsmgmt command on the test computer.

D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc771946.aspx

 

Create a Replica AD LDS Instance

To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance.

 

To create a replica AD LDS instance

1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.

2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.

3. On the Setup Options page, click A replica of an existing instance, and then click Next.

4. Finish creating the new instance by following the wizard instructions.

 

QUESTION 199

Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.

 

Active Directory services are running on a domain controller named CKDC1.

 

You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.

 

What should you do to perform offline critical updates on CKDC1 without rebooting the server?

 

A. Start the Active Directory Domain Services on CKDC1

B. Disconnect from the network and start the Windows update feature

C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.

D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again.

E. None of the above

 

Correct Answer: C

Explanation:

Personal comment: I don’t believe you can avoid restarting the server when installing some (not all) updates

http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on- ckdc1-withoutrebooting-the-server/

To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.

By stopping the Active Directory domain services, you don’t need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way.

 

 

QUESTION 200

Your network contains an Active Directory forest. The forest contains a single domain.

 

You want to access resources in a domain that is located in another forest.

 

You need to configure a trust between the domain in your forest and the domain in the other forest.

 

What should you create?

 

A. an incoming external trust

B. an incoming realm trust

C. an outgoing external trust

D. an outgoing realm trust

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc816877.aspx

A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest).

 
