[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 261-270

Ensurepass

QUESTION 261

You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2.

 

You need to monitor the replication of the group policy template files.

 

Which tool should you use?

 

A.

Dfsrdiag

B.

Fsutil

C.

Ntdsutil

D.

Ntfrsutl

 

Correct Answer: D

Explanation:

With domain functional level 2008, DFS-R SYSVOL replication is available, so with DFL 2008 you can use the DFSRDIAG tool. It is not available with domain functional level 2003.

With domain functional level 2003 you can only use Ntfrsutl.

 

 

QUESTION 262

Your network contains an Active Directory domain named contoso.com.

 

The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)

 


You need to update all service location (SRV) records for a domain controller in the domain.

 

What should you do?

 

A.

Restart the Netlogon service.

B.

Restart the DNS Client service.

C.

Run sc.exe and specify the triggerinfo parameter.

D.

Run ipconfig.exe and specify the /registerdns parameter.

 

Correct Answer: A

Explanation:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

 

 

QUESTION 263

Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.

 

The servers are configured as shown in the following table.

 


 

You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Configure the policy module settings.

B.

Configure the issuance requirements for the certificate templates.

C.

Configure the Certificate Services Client – Certificate Enrollment Policy Group Policy setting.

D.

Configure the delegation settings for the Certificate Enrollment Web Service application pool account.

 

Correct Answer: BD

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/dd759245.aspx

 

The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.

 

Reference 2:

http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

 

Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:

* The CA is not on the same computer as the Certificate Enrollment Web Service

* Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests

* The authentication type is set to Windows Integrated Authentication or Client certificate authentication

 

 

QUESTION 264

You need to receive an e-mail message whenever a domain user account is locked out.

 

Which tool should you use?

 

A.

Active Directory Administrative Center

B.

Event Viewer

C.

Resource Monitor

D.

Security Configuration Wizard

 

Correct Answer: B

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 525

Automatically Responding to Events

One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways:

Start A Program – Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to manually perform, and automatically run that script when an event appears.

Send An E-mail – Sends an email by using the Simple Mail Transport Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device.

Display A Message – Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer.

To trigger a task when an event occurs, follow one of these three procedures:

Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process.

 

 

QUESTION 265

Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2.

 

You need to configure Server1 as a global catalog server.

 

What should you do?

 

A.

Modify the Active Directory schema.

B.

From Ntdsutil, use the Roles option.

C.

Run the Active Directory Domain Services Installation Wizard on Server1.

D.

Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Correct Answer: C

Explanation:

Now it’s just a member server, so you’ll have to run dcpromo to start the Active Directory Domain Services Installation Wizard in order to promote the server to a domain controller. Only a domain controller can be a global catalog server.

 

Reference:

http://technet.microsoft.com/en-us/library/cc728188.aspx

 

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.

 

 

QUESTION 266

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store.

 

A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application.

 

You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company.

 

What should you create on Server1?

 

A.

a new application

B.

a resource partner

C.

an account partner

D.

an organization claim

 

Correct Answer: D

Explanation:

Since the account store has already been configured, what needs to be done is to use the account store to map an AD DS global security group to an organization claim (called group claim extraction). So that’s what we need to create for authentication: an organization claim.

 

Creating a resource/account partner is part of setting up the Federation Trust.

 

Reference 1:

http://technet.microsoft.com/en-us/library/dd378957.aspx

 

Configuring the Federation Servers

[All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to post here.]

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc732147.aspx

 

Add an AD DS Account Store

If user and computer accounts that require access to a resource that is protected by Active Directory Federation Services (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts.

 

Reference 3:

http://technet.microsoft.com/en-us/library/cc731719.aspx

 

Map an Organization Group Claim to an AD DS Group (Group Claim Extraction)

When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction.

 

 

QUESTION 267

You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.

 

What should you do?

 

A.

Run defrag.exe /a /c.

B.

Run defrag.exe /c /u.

C.

From Ntdsutil, use the Files option.

D.

From Ntdsutil, use the Metadata cleanup option.

 

Correct Answer: C

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc794920.aspx

Compact the Directory Database File (Offline Defragmentation)

You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity.

Performing offline defragmentation creates a new, compacted version of the database file in a different location.

 

Reference 2:

Mastering Windows Server 2008 R2 (Sybex, 2010) page 805

Performing Offline Defragmentation of Ntds.dit

These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.

1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.

2. Type ntdsutil, and then press Enter.

3. Type Activate instance NTDS, and press Enter.

4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.

5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.

QUESTION 268

Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

 

At 07:00, an administrator deletes a user account while he is logged on to DC1.

 

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.

 

What should you do?

 

A.

On DC1, run the Restore-ADObject cmdlet.

B.

On DC3, run the Restore-ADObject cmdlet.

C.

On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services.

D.

On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.

 

Correct Answer: D

Explanation:

We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says “The functional level of the forest is Windows Server 2003.”

See http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DCs.

Reference 1:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692

An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers.

Reference 2:

http://technet.microsoft.com/en-us/library/cc755296.aspx

Authoritative restore of AD DS has the following requirements:

You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.

 

 

QUESTION 269

You have Active Directory Certificate Services (AD CS) deployed.

 

You create a custom certificate template.

 

You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.

In a Group Policy object (GPO), configure the autoenrollment settings.

B.

In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.

C.

On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.

D.

On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.

 

Correct Answer: AD

Explanation:

http://technet.microsoft.com/en-us/library/dd379539.aspx

 

To automatically enroll client computers for certificates in a domain environment, you must:

 

Configure an autoenrollment policy for the domain.

 

(…)

 

In Configuration Model, select Enabled to enable autoenrollment.

 

Configure certificate templates for autoenrollment.

 

(…)

 

In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish Configure an enterprise CA.

 

 

QUESTION 270

Your network contains a domain controller that runs Windows Server 2008 R2.

 

You need to change the location of the Active Directory log files.

 

Which tool should you use?

 

A.

Dsamain

B.

Dsmgmt

C.

Dsmove

D.

Ntdsutil

 

Correct Answer: D

Explanation:

http://support.microsoft.com/kb/257420

How To Move the Ntds.dit File or Log Files

Moving a Database or Log File

1. Restart the domain controller.

2. Press F8 at the Startup menu, and then click Directory Services Restore Mode.

3. Select the appropriate installation if more than one exists, and then log on as an administrator at the logon prompt.

4. Start a command prompt, and then type ntdsutil.exe.

NOTE: To get a list of commands that you can use at the Ntdsutil prompt, type ?

5. At a Ntdsutil prompt, type files.

6. At the File Maintenance prompt, use one or both of the following procedures:

* To move a database, type move db to %s, where %s is the drive and folder where you want the database moved.

* To move log files, type move logs to %s, where %s is the drive and folder where you want the log files moved.

7. To view the log files or database, type info. To verify the integrity of the database at its new location, type integrity.

8. Type quit, and then type quit to return to a command prompt.

9. Restart the computer in Normal mode.

NOTE: When you move the database and log files, you must back up the domain controller.

 
