[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 231-240

Ensurepass

QUESTION 231

You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains five domain controllers.

 

You need to monitor the replication of the group policy template files.

 

Which tool should you use?

 

A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl

Correct Answer: A

Explanation:

With domain functional level 2008, DFS-R SYSVOL replication is available, so you can use the DFSRDIAG tool. It is not available with domain functional level 2003.

With domain functional level 2003 you can only use Ntfrsutl.

 

 

QUESTION 232

Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1.

 

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers.

 

What should you do?

 

A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc732301.aspx

 

Administrator Role Separation Configuration

This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.

 

To configure Administrator Role Separation for an RODC

1. Click Start, click Run, type cmd, and then press ENTER.

2. At the command prompt, type dsmgmt.exe, and then press ENTER.

3. At the DSMGMT prompt, type local roles, and then press ENTER.

 

 

QUESTION 233

Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.

RODC1 runs Windows Server 2008 R2.

 

A user named User1 logs on to a computer in the branch office site.

 

You discover that the password of User1 is not stored on RODC1. You need to ensure that User1’s password is stored on RODC1.

 

What should you modify?

 

A. the Member Of properties of RODC1
B. the Member Of properties of User1
C. the Security properties of RODC1
D. the Security properties of User1

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx

 

Administering the Password Replication Policy

Personal comment:

Basically, these are the default settings for the Password Replication Policy of a specific RODC:

 

[Image: default Password Replication Policy settings of an RODC]

 

So, if you would add a user to be a member of a group that is allowed to store passwords on that specific RODC, then that user’s password would be stored on that RODC.

 


QUESTION 234

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.

 

The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)

 

[Exhibit: DNS zone configuration for contoso.com (image not included)]

 

You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdsc.contoso.com.
D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.

 

Correct Answer: AC

Explanation:

Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo.

 

 

 

 

 

 

 

 

 

 

QUESTION 235

Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA).

 

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled.

 

You need to install an enterprise subordinate CA on the server.

 

What should you use to log on to the new server?

 

A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain

 

Correct Answer: D

Explanation:

http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b

In order to install an Enterprise CA you MUST have Enterprise Admins permissions, because the Configuration naming context is replicated between domain controllers in the forest (not only the current domain) and is writable for Enterprise Admins (Domain Admins permissions are insufficient).

 

 

QUESTION 236

Your network contains an Active Directory forest.

 

You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network.

 

You create a Windows PowerShell script named new-users.ps1 that contains the following lines:

 

new-aduser user1
new-aduser user2
new-aduser user3
new-aduser user4
new-aduser user5

 

On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts.

 

You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script?

 

A. Import-Module
B. Register-ObjectEvent
C. Set-ADDomain
D. Set-ADUser

 

Correct Answer: A

Explanation:

http://blog.coretech.dk/jgs/powershell-creating-new-users-from-csv-with-password-and-enabled-accounts-orhow-to-pipe-into-multiple-cmdlets/

 

PowerShell: Creating new users from CSV with password and enabled accounts or How to Pipe into multiple cmdlets

 

Import-Module ActiveDirectory
# Create each user from the CSV, then set a password and enable the account.
Import-Csv e:\users\newusers.csv |
    New-ADUser -Path "ou=test1,dc=contoso,dc=com" -PassThru |
    ForEach-Object {
        # Single quotes keep $$ literal; in double quotes PowerShell would expand it.
        $_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)
        $_ | Enable-ADAccount
    }

 

 

QUESTION 237

Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

 

Your company’s corporate security policy states that the password for each user account must be changed at least every 45 days.

 

You have a user account named Service1. Service1 is used by a network application named Application1.

 

Every 45 days, Application1 fails.

 

After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.

 

What should you do?

 

A. Run the cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/ee617252.aspx

Set-ADServiceAccount

Syntax

Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates <string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.

The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet.

The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description.

 

 

QUESTION 238

Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.

 

You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.

 

You need to minimize the amount of SYSVOL replication traffic on the network.

 

What should you do?

 

A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.

 

Correct Answer: D

Explanation:

Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions.

The migration takes place on a domain controller holding the PDC Emulator role.

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc794837.aspx

Using DFS Replication for replicating SYSVOL in Windows Server 2008

DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share.

 

When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated.

 

Reference 2:

http://technet.microsoft.com/en-us/library/dd639809.aspx

Migrating to the Prepared State

The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication.

 

This migration phase includes the tasks in the following list. Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.

 

 

QUESTION 239

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2).

 

You need to audit user access to the administrative shares on the client computers.

 

What should you do?

 

A. Deploy a logon script that runs Icacls.exe.
B. Deploy a logon script that runs Auditpol.exe.
C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.

 

Correct Answer: B

Explanation:

http://support.microsoft.com/kb/921469

 

Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2003 domain or in a Windows 2000 domain.

 

Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.

 

 

QUESTION 240

You have a domain controller that runs the DHCP service.

 

You need to perform an offline defragmentation of the Active Directory database on the domain controller.

 

You must achieve this goal without affecting the availability of the DHCP service.

 

What should you do?

 

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.
B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.
D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.

 

Correct Answer: C

Explanation:

We don’t need to restart the server to defragment the AD database. We do need to stop AD DS in order to defragment the database.

Reference:

 

http://technet.microsoft.com/en-us/library/cc794920.aspx

 

To perform offline defragmentation of the directory database

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.

2. At the command prompt, type the following command, and then press ENTER: net stop ntds

3. Type Y to agree to stop additional services, and then press ENTER.

4. At the command prompt, type ntdsutil, and then press ENTER.

 
