[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 211-220

Ensurepass

QUESTION 211

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.

 

You plan to add a new token-signing certificate to Server1.

 

You import the certificate to the server as shown in the exhibit.

[Exhibit image not included]

 

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.

 

You need to ensure that you can use the new certificate for AD FS.

 

What should you do?

 

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.

B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.

C. From the properties of the certificate, modify the Certificate purposes setting.

D. Import the certificate to the local computer personal certificate store.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/hh341466.aspx

When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.


QUESTION 212

You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).

 

What should you do?

 

A. Run the repadmin.exe command and specify the /prp parameter.

B. From Active Directory Sites and Services, modify the properties of the RODC computer object.

C. From Active Directory Users and Computers, modify the properties of the RODC computer object.

D. Run the dsrm.exe command and specify the -u parameter.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

 

Clearing the authenticated accounts list

In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.

 

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure.

 

To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all.

 

Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.

 

 

QUESTION 213

Your network contains an Active Directory domain named contoso.com.

 

You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes.

 

Which security policy setting should you configure?

 

A. Audit Sensitive Privilege Use

B. Audit User Account Management

C. Audit Directory Service Changes

D. Audit Other Account Management Events

 

Correct Answer: C

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/dd772641.aspx

 

Audit Directory Service Changes

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc731607.aspx

AD DS Auditing Step-by-Step Guide

This guide includes a description of the new Active Directory® Domain Services (AD DS) auditing feature in Windows Server® 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte.

 

 

QUESTION 214

Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC).

 

You need to configure the RODC to store only the passwords of users in the remote site.

 

What should you do?

 

A. Create a Password Settings object (PSO).

B. Modify the Partial-Attribute-Set attribute of the forest.

C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.

D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc730883.aspx

 

Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.

 

 

QUESTION 215

Your network contains an Active Directory domain. The domain contains four domain controllers.

 

You modify the Active Directory schema.

 

You need to verify that all the domain controllers received the schema modification.

 

Which command should you run?

 

A. dcdiag.exe /a

B. netdom.exe query fsmo

C. repadmin.exe /showrepl *

D. sc.exe query ntds

 

Correct Answer: C

Explanation:

http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx

 

Getting Over Replmon

Status Checking

Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool. Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:

Repadmin /replsummary *

 

[Screenshot of the Repadmin /replsummary output not included]

Several DCs have been taken offline. Repadmin shows the correct error, 58, meaning that the other DCs are not available and it cannot tell you their status. You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:

Repadmin /showrepl *

[Screenshot of the Repadmin /showrepl output not included]


QUESTION 216

Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.

 

Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.

 

Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.

 

You need to ensure that the G_Marketing members can access the folder from the network.

 

What should you do?

 

A. From Windows Explorer, modify the NTFS permissions of the folder.

B. From Windows Explorer, modify the share permissions of the folder.

C. From Active Directory Users and Computers, modify the computer object for Server1.

D. From Active Directory Users and Computers, modify the group object for G_Marketing.

 

Correct Answer: C

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644

 

After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.

 

To assign this permission:

1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.

2. Open the properties of the computer to which trusted users should be allowed to authenticate, that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.

3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.

 

 

QUESTION 217

You have a domain controller named Server1 that runs Windows Server 2008 R2.

 

You need to determine the size of the Active Directory database on Server1.

 

What should you do?

 

A. Run the Active Directory Sizer tool.

B. Run the Active Directory Diagnostics data collector set.

C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.

D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc961761.aspx

Directory Data Store

Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller:

%SystemRoot%\NTDS\Ntds.dit: This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).

%SystemRoot%\System32\Ntds.dit: This file is the distribution copy of the default directory that is used when you promote a Windows 2000-based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers.

 

 

QUESTION 218

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed.

 

You have an application named App1 that is configured to use Server1 for AD FS authentication.

 

You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.

 

You need to ensure that App1 can use Server2 for authentication.

 

What should you do on Server2?

 

A. Add an attribute store.

B. Create a relying party trust.

C. Create a claims provider trust.

D. Create a relaying provider trust.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/dd807132%28v=ws.10%29.aspx

Create a Relying Party Trust Using Federation Metadata

http://pipe2text.com/?page_id=815

Setting up a Relying Party Trust in ADFS 2.0

http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trustin-ad-fs-2-0.aspx

Using Federation Metadata to establish a Relying Party Trust in AD FS 2.0

 

 

QUESTION 219

Your network contains an Active Directory domain.

 

You need to restore a deleted computer account from the Active Directory Recycle Bin.

 

What should you do?

 

A. From the command prompt, run recover.exe.

B. From the command prompt, run ntdsutil.exe.

C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.

D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx

Step 2: Restore a Deleted Active Directory Object

Applies To: Windows Server 2008 R2

This step provides instructions for completing the following tasks with Active Directory Recycle Bin:

Displaying the Deleted Objects container

Restoring a deleted Active Directory object using Ldp.exe

Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets

Restoring multiple deleted Active Directory objects

 

To restore a single deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets

1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:

Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject

For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:

Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject

http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active- directory-recycle-binusing-ad-powershell.aspx

Restoring object from the Active Directory Recycle Bin using AD Powershell

 

 

QUESTION 220

Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table.

 

[Table of domain controller configuration not included]

 

All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range.

 

You need to minimize the number of client authentication requests sent to DC2.

 

What should you do?

 

A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1.

B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1.

C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1.

D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1.

 

Correct Answer: C

Explanation:

Creating a new site and assigning it the subnet 10.1.1.2 with a subnet mask of 255.255.255.255 (/32) means that only one IP address (the DC2 address) falls within the Site1 subnet coverage. Therefore all client requests are processed by DC1 in Default-First-Site-Name, and DC2 authenticates only itself.

 
