[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 21-30

Ensurepass

QUESTION 21

Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives.

You need to apply desktop restrictions to the sales executives group.

You must not apply these desktop restrictions to the sales managers group.

You create a GPO named DesktopLockdown and link it to the Sales organizational unit.

What should you do next?

A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.

C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.

Correct Answer: D

Explanation:

http://support.microsoft.com/kb/816100

How to prevent domain Group Policies from applying to certain user or computer accounts

Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups.

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

Best Practice: How to exclude individual users or computers from a Group Policy Object

One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.

Step 1. Open the Group Policy Object that you want to apply an exception to, then click on the “Delegation” tab and then click on the “Advanced” button.

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permissions and tick the “Deny” option against the “Apply Group Policy” permission.

Now any members of this “Users GPO Exceptions” security group will not have this Group Policy Object applied.

Having a security group to control this exception makes it much easier to control, as someone only needs to modify the membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical, as you don’t need to grant them permission to the Group Policy Objects.

QUESTION 22

You need to remove the Active Directory Domain Services role from a domain controller named DC1.

What should you do?

A. Run the netdom remove DC1 command.

B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.

C. Run the nltest /remove_server: DC1 command.

D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc771844%28v=ws.10%29.aspx

Removing a Domain Controller from a Domain

To remove a domain controller by using the Windows interface:

1. Click Start, click Run, type dcpromo, and then press ENTER.

Further information:

http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx

Netdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

Commands

Netdom remove

Removes a workstation or server from the domain.

http://technet.microsoft.com/en-us/library/cc731935%28v=ws.10%29.aspx

Nltest

Performs network administrative tasks.

Nltest is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

You can use nltest to:

Get a list of domain controllers

Force a remote shutdown

Query the status of trust

Test trust relationships and the state of domain controller replication in a Windows domain

Force a user-account database to synchronize on Windows NT version 4.0 or earlier domain controllers

Personal comment #1:

There is no /remove_server switch for the nltest command.

Personal comment #2:

Resetting the Domain Controller’s computer account has nothing to do with this question.

QUESTION 23

Your company has an Active Directory domain.

You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).

You need to access the Active Directory Schema snap-in.

What should you do?

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.

B. Log off and log on again by using an account that is a member of the Schema Administrators group.

C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.

D. Register Schmmgmt.dll.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc732110.aspx

Install the Active Directory Schema Snap-In

You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).

To install the Active Directory Schema snap-in

1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right-click cmd and then click Run as administrator.

2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll

3. Click Start, click Run, type mmc and then click OK.

4. On the File menu, click Add/Remove Snap-in.

5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.

6. To save this console, on the File menu, click Save.

7. In the Save As dialog box, do one of the following:

* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.

* To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

QUESTION 24

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You have an Active Directory-integrated zone for contoso.com.

You have a Unix-based DNS server.

You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS server.

What should you do in the DNS Manager console?

A. Enable BIND secondaries

B. Create a stub zone

C. Disable recursion

D. Create a secondary zone

Correct Answer: A

Explanation:

http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-serverbind-secondaries/

Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND Secondaries)

BIND Secondaries controls zone transfers between DNS servers from different vendors. It determines the format used for the zone transfer, whether a fast or a slow transfer. BIND stands for Berkeley Internet Name Domain. BIND is based on the UNIX operating system.

Two Windows servers do not require BIND. BIND is only required when transferring a DNS zone between two different DNS server vendors (UNIX and Microsoft Windows). If you are using only Windows servers for DNS and zone transfers, you will have to disable this option in the Windows DNS server. However, if you want the server to perform a slow, uncompressed zone transfer, then you will have to enable BIND in the DNS server. To reiterate, BIND only provides a slow DNS zone transfer and data compression mechanism for the DNS server.

BIND is understood to have been introduced in Windows Server to support UNIX. System admins will normally disable this option if they want the data in their zone transfers between primary and secondary DNS servers to be transferred faster, in order to improve DNS query efficiency within their network environment.

BIND is used on a Windows DNS server when you need to configure zone transfers between a Windows server and a UNIX server or operating system.

BIND is enabled when a Windows server is configured as a primary DNS server and a UNIX computer is configured as a secondary DNS server for zone transfers.

BIND Secondaries needs to be configured to mitigate the interoperability problem between the two server operating systems, since they are from different vendors. Note that old versions of BIND were noted to be very slow and to use an uncompressed zone transfer format.

However, BIND in Windows Server 2008 and later has improved this problem. This is because it was noted that BIND in Windows Server 2008 and later uses a faster, compressed format during zone transfers between primary and secondary DNS servers configured on different server operating systems (UNIX and Windows Server).

QUESTION 25

Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.

You create a GPO.

You need to track which employees access the Payroll files on the file servers.

What should you do?

A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.

B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.

C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.

D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspx

Audit Policy

Establishing an organizational computer system audit policy is an important facet of information security.

Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.

There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows records the events in the Security log, which you can find in Event Viewer.

Object access. Audit this to record when someone has used a file, folder, printer, or other object.

Process tracking. Audit this to record when events such as program activation or a process exiting occur.

When you implement Audit Policy settings:

If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.

Further information:

http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx

Group Policy for Beginners

Group Policy Links

At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer.

Instead of containing files and subfolders, however, they can contain computers, users, and other objects.

For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU. What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container.
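To make the chosen answer (B) concrete on the file-server side, here is an added PowerShell example, not taken from the page or from Microsoft's documentation: it puts an audit entry for Everyone on the Payroll folder, enables the Object Access audit category locally (auditpol is the per-server equivalent of the GPO setting, which is useful for verifying one server), and then reads the resulting 4663 events back out of the Security log. The folder path D:\Payroll is an assumption.

```powershell
# Added example (not from the page): configure and verify file-access auditing
# for a Payroll folder. Assumes the files live at D:\Payroll (placeholder) and
# that this runs elevated on the file server. In production the audit policy
# itself comes from the GPO linked to the Payroll OU; auditpol below is the
# local equivalent so the result can be checked on a single server.
$PayrollPath = 'D:\Payroll'

# 1. Turn on the Object Access audit category for Success and Failure.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2. Add a SACL entry: audit Everyone reading, writing or deleting anything in
#    the folder tree (ContainerInherit + ObjectInherit = subfolders and files).
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $inherit, $propagate, $flags

$acl = Get-Acl -Path $PayrollPath -Audit     # -Audit is needed to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $PayrollPath -AclObject $acl

# 3. Show the audit entries now on the folder to confirm the SACL took effect.
(Get-Acl -Path $PayrollPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Answer the question "who touched the payroll files?": event 4663
#    ("An attempt was made to access an object") carries the account and object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -like "*$PayrollPath*" } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object = $data.ObjectName
            Access = $data.AccessMask
        }
    } | Format-Table -AutoSize
```

The 4663 events only appear once both halves are in place: the audit category enabled by policy and the SACL on the folder; either one alone logs nothing.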


QUESTION 26

Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain.

You need to create the computer accounts in an OU.

What should you do?

A. Run the csvde -f computers.csv command

B. Run the ldifde -f computers.ldf command

C. Run the dsadd computer <computerdn> command

D. Run the dsmod computer <computerdn> command

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc754539%28v=ws.10%29.aspx

Dsadd computer

Syntax: dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN …>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]

Personal comment: you use ldifde and csvde to import and export directory objects to Active Directory.

http://support.microsoft.com/kb/237677

http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx

QUESTION 27

You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Set the Minimum password age setting to one day.

B. Set the Maximum password age setting to one day.

C. Set the Account lockout duration setting to 5 minutes.

D. Set the Reset account lockout counter after setting to 5 minutes.

E. Set the Account lockout threshold setting to 3 invalid logon attempts.

F. Set the Enforce password history setting to 3 passwords remembered.

Correct Answer: CDE

Explanation:


QUESTION 28

You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2.

You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller.

You create the site link between Site1 and Site2.

What should you do next?

A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2.

B. Use the Active Directory Sites and Services console to configure a new site link bridge object.

C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2.

D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1.

Correct Answer: A

Explanation:

http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-eplication.htm

Inter-site Replication

The process of creating a custom site link has five basic steps:

1. Create the site link.

2. Configure the site link’s associated attributes.

3. Create site link bridges.

4. Configure connection objects. (This step is optional.)

5. Designate a preferred bridgehead server. (This step is optional.)

http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspx

Replication between sites

QUESTION 29

You need to relocate the existing user and computer objects in your company to different organizational units.

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Run the move-item command in the Microsoft Windows PowerShell utility.

B. Run the Active Directory Users and Computers utility.

C. Run the Dsmove utility.

D. Run the Active Directory Migration Tool (ADMT).

Correct Answer: BC

Explanation:

Personal note:

You can simply drag and drop objects when using the Active Directory Users and Computers utility or use the dsmove command.

http://technet.microsoft.com/en-us/library/cc731094%28v=ws.10%29.aspx

Dsmove

Moves a single object, within a domain, from its current location in the directory to a new location, or renames a single object without moving it in the directory tree.

QUESTION 30

Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: “This user account has expired. Ask your administrator to reactivate the account.”

You need to ensure that the user is able to log on to the domain.

What should you do?

A. Modify the properties of the user account to set the account to never expire.

B. Modify the properties of the user account to extend the Logon Hours setting.

C. Modify the default domain policy to decrease the account lockout duration.

D. Modify the properties of the user account to set the password to never expire.

Correct Answer: A

Explanation:


Further information:

http://technet.microsoft.com/en-us/library/dd145547.aspx

User Properties – Account Tab

Account expires

Sets the account expiration policy for this user. You can select between the following options:

Use Never to specify that the selected account will never expire. This option is the default for new users.

Select End of and then select a date if you want to have the user’s account expire on a specified date.