[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 221-230

Ensurepass

QUESTION 221

Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

 

You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest.

 

What should you use?

 

A.

the Dsquery tool

B.

the Export-CSV cmdlet

C.

the Get-ADUser cmdlet

D.

the Net.exe user command

 

Correct Answer: C

Explanation:

References:

https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs-o-is-for-output.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

 

Export-Csv

Reference:

http://technet.microsoft.com/en-us/library/ee176825.aspx

 

Saving Data as a Comma-Separated Values File

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt:

 

Get-Process | Export-Csv c:\scripts\test.txt

 

Net User

 

Reference:

http://technet.microsoft.com/en-us/library/cc771865.aspx

 

Adds or modifies user accounts, or displays user account information.

 

DSQUERY

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc754232.aspx

 

Parameters

 

{<StartNode> | forestroot | domainroot}

 

Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog.

 

-attr {<AttributeList> | *}

 

Specifies the semicolon-separated list of LDAP display names in <AttributeList> to output for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name.

 

Reference 2:

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b

 

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the start node instead of forestroot, which is what we need here.

 

Reference 3:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/

 

List all last login times for all users, regardless of whether they are disabled.

 

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >> c:\last_logon_for_all.txt
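The following script is an added example and is not part of the original question, the references, or Microsoft's documentation. It shows the approach behind the correct answer: Get-ADUser queried per domain across the whole forest, the custom attribute requested explicitly with -Properties, and the result handed to Export-Csv. It assumes the ActiveDirectory module is installed, that the running account can read every domain, and that the custom attribute's LDAP display name is hrCustomAttribute (a placeholder to replace with the real schema name). It uses lastLogonTimestamp rather than lastLogon because lastLogon is not replicated (each DC holds its own value, which is why the dsquery one-liner above only reports the DC it ran against), while lastLogonTimestamp is replicated but only accurate to within roughly 14 days.

```powershell
# Added example, not code from the original page: forest-wide export of each user's
# last logon time plus a custom schema attribute for the HR department.
# Assumptions: ActiveDirectory module (RSAT / Windows Server 2008 R2) available,
# read access to every domain, and 'hrCustomAttribute' is a placeholder for the
# custom attribute's real LDAP display name.
Import-Module ActiveDirectory

$CustomAttribute = 'hrCustomAttribute'        # placeholder LDAP display name
$OutputFile      = 'C:\HR\UserLogons.csv'     # placeholder output path

# lastLogonTimestamp is a replicated FILETIME (Int64). It is only rewritten when
# the stored value is more than ~14 days old (msDS-LogonTimeSyncInterval), so
# read it as "last logon, give or take two weeks". lastLogon is exact but NOT
# replicated, which is why it is unsuitable for a single forest-wide report.
$lastLogonProp = @{
    Name       = 'LastLogonUtc'
    Expression = {
        if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc([int64]$_.lastLogonTimestamp) }
    }
}
# Calculated property named after the custom attribute so the CSV header matches it.
$customProp = @{ Name = $CustomAttribute; Expression = { $_.$CustomAttribute } }

# Get-ADUser is scoped to one domain, so walk every domain in the forest.
$rows = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADUser -Server $domain -Filter * -Properties lastLogonTimestamp, $CustomAttribute |
        Select-Object @{ Name = 'Domain'; Expression = { $domain } },
                      SamAccountName, DistinguishedName, $lastLogonProp, $customProp
}

# -NoTypeInformation drops the '#TYPE ...' header line that confuses spreadsheets.
$rows | Export-Csv -Path $OutputFile -NoTypeInformation -Encoding UTF8
Write-Host ("Exported {0} user records to {1}" -f @($rows).Count, $OutputFile)
```

The report contains account names and logon activity for the whole forest, so treat the CSV as sensitive: write it to a location HR can reach but that is not world-readable, and delete the working copy once it has been delivered.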

 

 

QUESTION 222

Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table.

 

[Exhibit: table showing the configuration of the two domain controllers (image not included)]

 

All client computers run Windows 7.

 

You need to ensure that all client computers in the domain keep the same time as an external time server.

 

What should you do?

 

A.

From DC1, run the time command.

B.

From DC2, run the time command.

C.

From DC1, run the w32tm.exe command.

D.

From DC2, run the w32tm.exe command.

 

Correct Answer: D

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc816748.aspx

 

Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain

The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest.

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc773263.aspx

 

Windows Time Service Tools and Settings

Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source.

 

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service.
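The commands below are an added example, not taken from the question or from the referenced documentation. They show what "run w32tm.exe on the PDC emulator" amounts to in practice: confirm which DC holds the role, point it at an external NTP source, mark it reliable so the NT5DS hierarchy follows it, then verify from a client. time.example.com is a placeholder for your organisation's approved time server; DC2 is assumed to be the PDC emulator, as the correct answer implies.

```powershell
# Added example, not from the original page. Run in an elevated prompt.
# Placeholders: time.example.com (external NTP source), DC2 (PDC emulator).

# 1. Confirm which DC holds the PDC emulator role before changing anything.
netdom query fsmo

# 2. On the PDC emulator: sync manually from the external source. The ",0x8" flag
#    uses client mode for that peer; /reliable:yes advertises this DC as a reliable
#    time source so domain members (NT5DS clients) and other DCs follow it.
w32tm /config /manualpeerlist:"time.example.com,0x8" /syncfromflags:manual /reliable:yes /update

# 3. Force an immediate resync and confirm the source and stratum.
w32tm /resync
w32tm /query /status
w32tm /query /source

# 4. On a Windows 7 client nothing needs to change: it should report Type NT5DS.
#    /stripchart shows the client's offset from the PDC emulator over a few samples.
w32tm /query /configuration
w32tm /stripchart /computer:DC2 /samples:5 /dataonly
```

Only the PDC emulator of the forest root domain should be configured this way; configuring an external source on another DC (or on a client) creates a second, competing time hierarchy. Kerberos tolerates a skew of five minutes by default, so an unexpected offset in the stripchart output is worth chasing before it turns into authentication failures.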

 

 

QUESTION 223

Your network contains an Active Directory domain.

 

You create and mount an Active Directory snapshot.

 

You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)

 

[Exhibit: the dsamain.exe command line that was run (image not included)]

 

You need to ensure that you can browse the contents of the Active Directory snapshot.

 

What should you do?

 

A.

Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.

B.

Change the value of the dbpath parameter, and then rerun dsamain.exe.

C.

Change the value of the ldapport parameter, and then rerun dsamain.exe.

D.

Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

 

Correct Answer: B

Explanation:

The path in the exhibit points to the running Active Directory database, not to the snapshot.

 

Reference:

http://technet.microsoft.com/en-us/library/cc772168.aspx

 

For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example:

 

/dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit
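The following sequence is an added example, not part of the question or the referenced page. It walks the whole snapshot workflow so the dbpath mistake is easy to see in context: the snapshot is created and mounted with ntdsutil, dsamain serves the copy of ntds.dit from inside the mounted snapshot on an alternate LDAP port, and a directory tool is pointed at that port. The snapshot GUID and mount path are placeholders that ntdsutil prints on your system. Note that AD DS keeps running throughout; stopping it (option A) is not required.

```powershell
# Added example, not from the original page. Elevated prompt on a 2008 R2 DC.
# Placeholders: {GUID-from-list} and the C:\$SNAP_... mount path reported by ntdsutil.

# 1. Create and mount a snapshot. 'list all' prints the GUID and, once mounted,
#    the mount point (e.g. C:\$SNAP_201602031200_VOLUMEC$\).
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil "activate instance ntds" snapshot "list all" quit quit
ntdsutil "activate instance ntds" snapshot "mount {GUID-from-list}" quit quit

# 2. Serve the snapshot's database on a spare LDAP port. /dbpath must point INTO
#    the mounted snapshot, not at the live C:\Windows\NTDS\ntds.dit; the latter is
#    what the exhibit shows and why the answer is to change dbpath. Single quotes
#    keep PowerShell from treating $SNAP_... as a variable. dsamain blocks until
#    you press Ctrl+C, so run the next step in a second window.
dsamain /dbpath 'C:\$SNAP_201602031200_VOLUMEC$\Windows\NTDS\ntds.dit' /ldapport 51389

# 3. Browse the snapshot: in Active Directory Users and Computers choose
#    "Change Domain Controller" and enter DC1:51389, or use ldp.exe and connect
#    to localhost on port 51389.
ldp.exe

# 4. Finished: Ctrl+C dsamain, then unmount (and optionally delete) the snapshot.
ntdsutil "activate instance ntds" snapshot "unmount {GUID-from-list}" quit quit
ntdsutil "activate instance ntds" snapshot "delete {GUID-from-list}" quit quit
```

A mounted snapshot is a complete copy of the directory database, secrets included, so leave it mounted only for as long as the comparison takes and restrict the alternate LDAP port to the administrator's own workstation.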

 

 

QUESTION 224

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.

 

You plan to deploy AD FS 2.0 on Server2.

 

You need to export the token-signing certificate from Server1, and then import the certificate to Server2.

 

Which format should you use to export the certificate?

 

A.

Base-64 encoded X.509 (.cer)

B.

Cryptographic Message Syntax Standard PKCS #7 (.p7b)

C.

DER encoded binary X.509 (.cer)

D.

Personal Information Exchange PKCS #12 (.pfx)

 

Correct Answer: D

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/ff678038.aspx

 

Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0

If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.

 

[The site also provides a link to instructions on how to export the token-signing certificate. That link points to the site mentioned in reference 2.]

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc784075.aspx

 

Export the private key portion of a token-signing certificate

To export the private key of a token-signing certificate

1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

2. Right-click Federation Service, and then click Properties.

3. On the General tab, click View.

4. In the Certificate dialog box, click the Details tab.

5. On the Details tab, click Copy to File.

6. On the Welcome to the Certificate Export Wizard page, click Next.

7. On the Export Private Key page, select Yes, export the private key, and then click Next.

8. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.

(…)

 

 

QUESTION 225

You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.

 

You need to ensure that you can recover the private key of a certificate issued to a Web server.

 

What should you do?

 

A.

From the CA, run the Get-PfxCertificate cmdlet.

B.

From the Web server, run the Get-PfxCertificate cmdlet.

C.

From the CA, run the certutil.exe tool and specify the -exportpfx parameter.

D.

From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx

Manual Key Archival

Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:

Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft Office Outlook.

Certificates issued by CAs that do not support key archival.

Certificates installed on the Microsoft Windows 2000 and Windows Millennium Edition operating systems.

This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database:

Certutil.exe

Certificates snap-in

Microsoft Office Outlook

 

To export private keys by using Certutil.exe

1. Open a Command Prompt window.

2. Type the Certutil.exe -exportpfx command using the command-line options described in the following table.

Certutil.exe [-p <Password>] -exportpfx <CertificateId> <OutputFileName>

 

[Table of Certutil.exe -exportpfx command-line options (image not included)]
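The commands below are an added example and not part of the question or the referenced Microsoft page. They put the certutil syntax above into a concrete run on the Web server (which is where the private key lives; the CA only holds a copy if key archival was configured, which the question rules out), covering how to find the CertId, the export, a verification of the resulting file, and the matching import. The thumbprint, password and paths are placeholders. The same PKCS #12 (.pfx) format is the one required in question 224, because it is the only export format listed there that carries the private key.

```powershell
# Added example, not from the original page. Run in an elevated prompt on the Web server.
# Placeholders: the thumbprint, the password and C:\Export.

# 1. List the machine's Personal store and note the certificate's "Cert Hash(sha1)"
#    (thumbprint) or serial number; either is accepted as the CertId.
certutil -store My

# 2. Export certificate plus private key as PKCS #12. This only succeeds if the key
#    was marked exportable when the certificate was requested; a non-exportable key
#    cannot be recovered with -exportpfx.
certutil -p "Placeholder-Pfx-Password" -exportpfx My 0123456789abcdef0123456789abcdef01234567 C:\Export\webserver.pfx

# 3. Verify the file actually contains the key material before relying on it.
certutil -p "Placeholder-Pfx-Password" -dump C:\Export\webserver.pfx

# 4. Restore on the replacement server (imports into the machine's Personal store).
certutil -p "Placeholder-Pfx-Password" -importpfx C:\Export\webserver.pfx
```

The .pfx file is equivalent to the server's private key: store it encrypted, move it over an authenticated channel, and delete the working copy from the Web server once the import on the other side has been verified.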

 

 

QUESTION 226

Your company has a main office and a branch office.

 

The network contains an Active Directory domain.

 

The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2.

 

You discover that the password of an administrator named Admin1 is cached on DC2.

 

You need to prevent Admin1’s password from being cached on DC2.

 

What should you do?

 

A.

Modify the NTDS Site Settings.

B.

Modify the properties of the domain.

C.

Create a Password Setting object (PSO).

D.

Modify the properties of DC2’s computer account.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx

Administering the Password Replication Policy

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

Viewing the PRP

You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.

To view the PRP using Active Directory Users and Computers

1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.

3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.

4. Click the Password Replication Policy tab. An example is shown in the following illustration.

 

[Illustration of the Password Replication Policy tab on the RODC computer account (image not included)]
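The script below is an added example and is not part of the question or the referenced documentation. It does with the ActiveDirectory module and repadmin what the GUI steps above do on DC2's computer account, and adds the step the question's scenario actually needs: since Admin1's password is already cached, denying the account only prevents future caching, so the password must also be reset and the account removed from the revealed list. It assumes the ActiveDirectory module is installed and that DC2 and Admin1 are the names from the question.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module
# and Domain Admin rights. Names taken from the question: RODC DC2, user Admin1.
Import-Module ActiveDirectory

$Rodc = 'DC2'
$User = 'Admin1'

# 1. Which accounts currently have their secrets stored on the RODC?
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, DistinguishedName

# 2. The PRP itself: Allowed and Denied lists on DC2's computer account
#    (attributes msDS-RevealOnDemandGroup and msDS-NeverRevealGroup).
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied

# 3. Deny Admin1 explicitly. Deny always wins over Allow when the PRP is evaluated,
#    so this holds even if Admin1 is a member of an allowed group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $User

# 4. Denying does not purge a secret that DC2 already holds. Resetting the password
#    makes the cached copy useless, and the new password is never replicated to DC2.
Set-ADAccountPassword -Identity $User -Reset -NewPassword (Read-Host -AsSecureString "New password for $User")

# 5. Remove the account from DC2's revealed list so monitoring no longer flags it.
repadmin /prp delete $Rodc reveal $User

# 6. Verify: Admin1 should be absent from the revealed list and present in the Denied list.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -eq $User }
repadmin /prp view $Rodc deny
```

Step 1 is worth running on a schedule for every RODC: a privileged account appearing in the revealed list is exactly the condition the question describes, and catching it early limits what a compromise of the branch office DC could expose.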

 

 

QUESTION 227

You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1.

 

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

 

Which inbound TCP port should you allow on Server1?

 

A.

88

B.

135

C.

443

D.

445

 

Correct Answer: C

 

 

 

 

 

QUESTION 228

Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site.

 

You discover that the domain controllers in the branch offices sometimes replicate directly to each other.

 

You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.

 

What should you do?

 

A.

Modify the firewall settings for the main office site.

B.

Disable the Knowledge Consistency Checker (KCC) for each branch office site.

C.

Disable site link bridging.

D.

Modify the security settings for the main office site.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc757117.aspx

 

Configuring site link bridges

By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites.

 

Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases:

 

You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller.
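The script below is an added example, not part of the question or the referenced documentation. The "Bridge all site links" checkbox in Active Directory Sites and Services corresponds to bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) of the options attribute on the IP inter-site transport object in the configuration partition; setting that bit disables automatic bridging. The example reads the current value, sets the bit if needed, and then triggers the KCC so the hub-and-spoke topology from the question (branch DCs replicating only with the main office DC) takes effect. It assumes the ActiveDirectory module and Enterprise Admin rights, since the configuration partition is forest-wide.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module and
# rights on the configuration partition (Enterprise Admins).
Import-Module ActiveDirectory

# The IP transport object that carries the "bridge all site links" setting.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# options bit values on an interSiteTransport object:
#   0x1 = ignore schedules, 0x2 = bridges required (automatic bridging OFF)
$BridgesRequired = 0x2

$transport = Get-ADObject -Identity $ipTransport -Properties options
$current   = if ($transport.options) { [int]$transport.options } else { 0 }

if ($current -band $BridgesRequired) {
    Write-Host "Automatic site link bridging is already disabled (options=$current)."
} else {
    $new = $current -bor $BridgesRequired
    Set-ADObject -Identity $ipTransport -Replace @{ options = $new }
    Write-Host "Disabled automatic site link bridging (options $current -> $new)."
}

# With bridging off, only sites joined by an explicit site link replicate directly;
# the four branch-to-main links leave the main office DC as the sole partner of each
# branch DC. If two specific sites must still talk directly, create a siteLinkBridge
# object for just those links instead of re-enabling global bridging.

# The KCC recomputes the topology every 15 minutes; force a run and inspect the
# resulting inbound partners on this DC (repeat on a branch DC to confirm it lists
# only the main office DC).
repadmin /kcc
repadmin /showrepl
```

Before flipping the bit in production, confirm that every site is reachable through an explicit site link; a site without one becomes an island once transitivity is gone, and the symptom is replication failing rather than merely re-routing.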

 

 

QUESTION 229

Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.

 

You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.

 

What should you do first?

 

A.

At the command prompt, run net stop ntds.

B.

At the command prompt, run net stop netlogon.

C.

Restart DC1 in Safe Mode.

D.

Restart DC1 in Directory Services Restore Mode (DSRM).

 

Correct Answer: A

Explanation:

We don’t need to restart the server to defragment the AD database. We only need to stop AD DS in order to defragment the database, using ntdsutil.

 

Reference:

http://technet.microsoft.com/en-us/library/cc794920.aspx

 

To perform offline defragmentation of the directory database

1. Open a Command Prompt as an administrator.

2. At the command prompt, type the following command, and then press ENTER: net stop ntds

3. Type Y to agree to stop additional services, and then press ENTER.

4. At the command prompt, type ntdsutil, and then press ENTER.
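The script below is an added example and not part of the question or the referenced page. It carries the four steps above through to the end, which the excerpt cuts off at "type ntdsutil": a compacted copy is written to a working directory, swapped in over the live database, checked with an integrity test, and AD DS is started again along with the services that stopping it took down. It assumes the default database location C:\Windows\NTDS and placeholder working paths under C:\Temp with free space of at least 120% of ntds.dit.

```powershell
# Added example, not from the original page. Elevated PowerShell on the DC (2008 R2).
# Placeholders: $WorkDir and $BackupDir; $NtdsDir is the default database location.

$NtdsDir   = 'C:\Windows\NTDS'
$WorkDir   = 'C:\Temp\NtdsCompact'
$BackupDir = 'C:\Temp\NtdsBackup'
New-Item -ItemType Directory -Path $WorkDir, $BackupDir -Force | Out-Null

# 1. Stop AD DS without a reboot (restartable AD DS; no DSRM needed). Record the
#    dependent services that are running (KDC, DNS, ISM, DFSR...) so they can be
#    restarted afterwards; -Force stops them along with NTDS, as 'net stop ntds' + Y does.
$dependents = (Get-Service ntds).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service ntds -Force

# 2. Keep the current database and logs in case the compacted copy fails its check.
Copy-Item "$NtdsDir\ntds.dit" $BackupDir
Copy-Item "$NtdsDir\*.log"    $BackupDir

# 3. Offline defragmentation: ntdsutil writes a compacted copy to $WorkDir.
ntdsutil "activate instance ntds" files "compact to $WorkDir" quit quit

# 4. Swap the compacted file in and remove the old transaction logs, which belong
#    to the previous copy of the database.
Copy-Item "$WorkDir\ntds.dit" "$NtdsDir\ntds.dit" -Force
Remove-Item "$NtdsDir\*.log"

# 5. Verify the new database before bringing the DC back online.
ntdsutil "activate instance ntds" files integrity quit quit

# 6. Start AD DS and the services that were stopped with it, then check replication.
Start-Service ntds
$dependents | Start-Service
repadmin /replsummary
```

Every copy of ntds.dit made along the way contains the domain's password hashes, so $WorkDir and $BackupDir should be deleted (or moved to protected backup storage) once replication is confirmed healthy. Downtime is limited to steps 1 through 6 on this one DC; the answer key's "net stop ntds" is the first of these, and no restart is required.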

 

 

QUESTION 230

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed.

 

Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server.

 

You install AD FS 2.0 on Server2.

 

You need to add Server2 to the existing AD FS farm.

 

What should you do?

 

A.

On Server1, run fsconfig.exe.

B.

On Server1, run fsconfigwizard.exe.

C.

On Server2, run fsconfig.exe.

D.

On Server2, run fsconfigwizard.exe.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx

 

Configure a New Federation Server

To configure a new federation server using the command line

1. Open a Command Prompt window.

2. Change the directory to the path where AD FS 2.0 was installed.

3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER:

fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]

Parameter: JoinSQLFarm - Joins this computer to an existing federation server farm that is using SQL Server.

 
