Microsoft 70-640 Practice Tests 201-210 (Updated February 2016)

Ensurepass

QUESTION 201

Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.

 

You need to audit the deletion of registry keys on each server.

 

What should you do?

 

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.

B. From Audit Policy, modify the System Events settings and the Privilege Use settings.

C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.

D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/dd408940.aspx

Advanced Security Audit Policy Step-by-Step Guide

A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry.

 

 

QUESTION 202

Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 and Forest3.

 

You need to configure the forests to meet the following requirements:

 

- Users in Forest3 must be able to access resources in Forest1.

- Users in Forest1 must be able to access resources in Forest3.

- The number of trusts must be minimized.

 

What should you do?

 

A. In Forest2, modify the name suffix routing settings.

B. In Forest1 and Forest3, configure selective authentication.

C. In Forest1 and Forest3, modify the name suffix routing settings.

D. Create a two-way forest trust between Forest1 and Forest3.

E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

 

Correct Answer: D

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012) page 639: Forest Trusts

 

(…)

 

You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters.com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them.

 

 

QUESTION 203

You create a Password Settings object (PSO).

 

You need to apply the PSO to a domain user named User1.

 

What should you do?

 

A. Modify the properties of the PSO.

B. Modify the account options of the User1 account.

C. Modify the security settings of the User1 account.

D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc731589.aspx

 

To apply PSOs to users or global security groups using the Windows interface

1. Open Active Directory Users and Computers

2. On the View menu, ensure that Advanced Features is checked.

3. In the console tree, click Password Settings Container.

4. In the details pane, right-click the PSO, and then click Properties.

5. Click the Attribute Editor tab.

6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.

 

 

QUESTION 204

You have an enterprise subordinate certification authority (CA).

 

You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment.

 

You increase the template key length to 2,048 bits.

 

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template.

 

Which console should you use?

 

A. Active Directory Administrative Center

B. Certification Authority

C. Certificate Templates

D. Group Policy Management

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc771246.aspx

 

Re-Enroll All Certificate Holders

This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll.

 

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

 

To re-enroll all certificate holders

1. Open the Certificate Templates snap-in.

2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.

 

 

QUESTION 205

Active Directory Rights Management Services (AD RMS) is deployed on your network.

 

You need to configure AD RMS to use Kerberos authentication.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A. Register a service principal name (SPN) for AD RMS.

B. Register a service connection point (SCP) for AD RMS.

C. Configure the identity setting of the _DRMSAppPool1 application pool.

D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.

 

Correct Answer: AD

Explanation:

http://technet.microsoft.com/en-us/library/dd759186.aspx

 

If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:

 

Set the Internet Information Services (IIS) useAppPoolCredentials variable to True

 

Set the Service Principal Names (SPN) value for the AD RMS service account

 

 

QUESTION 206

Your network contains a single Active Directory domain named contoso.com.

 

An administrator accidentally deletes the _msdcs.contoso.com zone. You recreate the _msdcs.contoso.com zone.

You need to ensure that the _msdcs.contoso.com zone contains all of the required DNS records.

 

What should you do on each domain controller?

 

A. Restart the Netlogon service.

B. Restart the DNS Server service.

C. Run dcdiag.exe /fix.

D. Run ipconfig.exe /registerdns.

 

Correct Answer: A

Explanation:

Reference 1:

http://support.microsoft.com/kb/817470

To register the required records to the single root domain controller, restart the Net Logon service on all the domain controllers. The replication works correctly if the replication window is not less than the default DNS Time to Live (TTL) entry. To restart the Net Logon service, follow these steps:

1. Click Start, click Run, type cmd in the Open box, and then press ENTER.

2. At the command prompt, type the following command, and then press ENTER: net stop netlogon

3. Type net start netlogon, and then press ENTER.

Reference 2:

http://serverfault.com/questions/383915/how-do-i-manually-create-the-msdcs-dns-zone-for-a-domain-that-wascreated-pre-s

Be sure to restart the Netlogon services on all DC’s when the zone has been replicated to them. This forces the DC’s to register their SRV records in the _msdcs zone.

 

 

QUESTION 207

Your network contains an Active Directory domain named contoso.com.

 

You need to identify whether the Active Directory Recycle Bin is enabled.

 

What should you do?

 

A. From Ldp, search for the Reanimate-Tombstones object.

B. From Ldp, search for the LostAndFound container.

C. From Windows PowerShell, run the Get-ADObject cmdlet.

D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

 

Correct Answer: D

Explanation:

http://www.frickelsoft.net/blog/?p=224

How can I check whether the AD Recycle-Bin is enabled in my R2 forest?

[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]

 

 

QUESTION 208

Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.

 

You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)

 

[Exhibit image]

 

You need to ensure that you can take a snapshot of Instance1.

 

What should you do?

 

A. At the command prompt, run net start VSS.

B. At the command prompt, run net start Instance1.

C. Set the Startup Type for the Instance1 service to Disabled.

D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.

 

Correct Answer: A

Explanation:

Hard to find references on this, but the solution can be found by eliminating the rest. Instance1 is running, otherwise you’d get a different message at the snapshot: create step (“AD service must be running in order to perform this operation”, on my virtual server). Disabling Instance1 makes no sense because you need it, nor does setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.

 

 

QUESTION 209

You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents.

 

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

 

What should you do?

 

A. Add a data recovery agent to the Default Domain Policy.

B. Modify the value in the Number of recovery agents to use box.

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.

D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

 

Correct Answer: B

Explanation:

MS Press – Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page

You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.

 

 

QUESTION 210

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista.

 

You need to ensure that all client computers can apply Group Policy preferences.

 

What should you do?

 

A. Upgrade all Windows XP client computers to Windows 7.

B. Create a central store that contains the Group Policy ADMX files.

C. Install the Group Policy client-side extensions (CSEs) on all client computers.

D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

 

Correct Answer: C

Explanation:

http://www.microsoft.com/en-us/download/details.aspx?id=3628

Group Policy Preference Client Side Extensions for Windows XP (KB943729)

 

Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy Preference extensions.

http://www.petenetlive.com/KB/Article/0000389.htm

 

Server 2008 Group Policy Preferences and Client Side Extensions

Problem

Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the “Client side Extensions” (CSE). You can either script this, deploy with a group policy, or if you have WSUS you can send out the update that way.

 


 

Solution

You may not have noticed, but if you edit or create a group policy in Server 2008 now, you will see there is a “Preferences” branch. Most IT Pro’s will have seen the addition of the “Policies” folder some time ago because it adds an extra level to get to the policies that were there before 🙂

 


 

OK Cool! What can you do with them?

1. Computer Preferences: Windows Settings

Environment: Lets you control, and send out Environment variables via Group Policy.

Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).

Folder: As above, but for folders.

Ini Files: Allows you to Create, Replace, Update or Delete an ini file.

Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s) values you want to send them out via group policy.

Network Shares: Allow you to Create, Replace, Update, or Delete shares on clients via group policy.

Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.

2. Computer Preferences: Control Panel Settings

Data Sources: Allows you to Create, Replace, Update, or Delete, Data Sources and ODBC settings via group policy. (Note: there’s a bug if you’re using SQL authentication see here).

Devices: Lets you enable and disable hardware devices by type and class, to be honest it’s a little “clunky”.

Folder Options: Allows you to set “File Associations” and set the default programs that will open particular file extensions.

Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrators passwords via group policy.

Network Options: Lets you send out VPN and dial up connection settings to your clients, handy if you use PPTP Windows Server VPN’s.

Power Options: With XP these are Power Options and Power Schemes, With Vista and later OS’s they are Power Plans. This is much needed, I’ve seen many “Is there a group policy for power options?” or disabling hibernation questions in forums. And you can use the options Tab, to target particular machine types (i.e. only apply if there is a battery present).

Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer.

Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.

Service: Essentially anything you can do in the services snap in you can push out through group policy, set services to disabled or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.

3. User Configuration: Windows Settings

Applications: Answers on a Postcard? I can’t work out what these are for!

Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.

Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis.

Files: As above, allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.

Folders: As above, but for folders on a user by user basis.

Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.

Registry: As above, allows you to Create, Replace, Update or Delete a Registry value, You can either manually type in the reference use a Wizard, or extract the key(s) values you want to send out via group policy, this time for users not computers.

Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.

4. User Configuration: Control Panel Settings

All of the following options are covered above on “Computer Configuration”

Data Sources

Devices

Folder Options

Local Users and Groups

Network Options

Power Options

Printers

Scheduled Tasks

Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.

Regional Options: Designed so you can change a users Locale, handy if you have one user who wants an American keyboard.

Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user.

References:

http://technet.microsoft.com/en-us/library/dd367850%28WS.10%29.aspx

Group Policy Preferences

 
