[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 321-330

Ensurepass

QUESTION 321

Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server 2008 R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.

 

You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.

 

You need to export the token-signing certificate from ADFS1, and then import the certificate to ADFS2 and ADFS3.

 

In which format should you export the certificate?

 

A.

Personal Information Exchange PKCS #12 (.pfx)

B.

DER encoded binary X.509 (.cer)

C.

Cryptographic Message Syntax Standard PKCS #7 (.p7b)

D.

Base-64 encoded X.509 (.cer)

 

Correct Answer: A

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/ff678038.aspx

 

Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0 If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.

[The site also provides a link to instructions on how to export the token-signing certificate. That link points to the site mentioned in reference 2.]

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc784075.aspx

 

Export the private key portion of a token-signing certificate

 

To export the private key of a token-signing certificate

Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

Right-click Federation Service, and then click Properties.

On the General tab, click View.

In the Certificate dialog box, click the Details tab.

On the Details tab, click Copy to File.

On the Welcome to the Certificate Export Wizard page, click Next.

On the Export Private Key page, select Yes, export the private key, and then click Next.

On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.

(…)

 

 

QUESTION 322

A network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

 

You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.

 

Which tool should you use?

 

A.

Dsmod

B.

Csvde

C.

Ldifde

D.

Dsrm

 

Correct Answer: B

Explanation:

We can achieve this by using csvde:

CSVDE -f onlyusers.csv -r "objectCategory=person" -l "CN,<CustomAttributeName>"

The exported CSV file can be viewed in Excel.

 

Reference:

http://technet.microsoft.com/en-us/library/cc732101.aspx

 

Csvde

Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.

 

Syntax

 

Csvde [-i] [-f <FileName>] [-r <LDAPFilter>] [-l <LDAPAttributeList>] (…)

 

Parameters

 

-i

Specifies import mode. If not specified, the default mode is export.

 

-f <FileName>

 

Identifies the import or export file name.

 

-r <LDAPFilter>

 

Creates an LDAP search filter for data export.

 

-l <LDAPAttributeList>

Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes.

 

 

QUESTION 323

DRAG DROP

Your network contains an Active Directory forest named contoso.com.

 

You need to use Group Policies to deploy the applications shown in the following table:

 

[Image: table of applications; not available]

 

What should you do?

 

To answer, drag the appropriate deployment method to the correct application in the answer area.

 

[Image: answer area; not available]

 

Correct Answer:

[Image: correct answer; not available]

 

 

QUESTION 324

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

 

You need to receive a notification when more than 100 Active Directory objects are deleted per second.

 

What should you do?

 

A.

Create custom views from Event Viewer.

B.

Run the Get-ADForest cmdlet.

C.

Run the ntdsutil.exe command.

D.

Configure the Active Directory Diagnostics Data Collector Set (DCS).

E.

Create a Data Collector Set (DCS).

F.

Run the dsamain.exe command.

G.

Run the dsquery.exe command.

H.

Run the repadmin.exe command.

I.

Configure subscriptions from Event Viewer.

J.

Run the eventcreate.exe command.

 

Correct Answer: E

Explanation:

http://technet.microsoft.com/en-us/magazine/ff458614.aspx

 

Configure Windows Server 2008 to Notify you when Certain Events Occur

 

You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.

 

To configure an alert, follow these steps:

 

1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.

2. (…)

3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you’ve selected.

 

QUESTION 325

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

 

You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer.

 

What should you do?

 

A.

Run the ntdsutil.exe command.

B.

Run the repadmin.exe command.

C.

Run the Get-ADForest cmdlet.

D.

Run the dsamain.exe command.

E.

Create custom views from Event Viewer.

F.

Run the dsquery.exe command.

G.

Configure the Active Directory Diagnostics Data Collector Set (DCS).

H.

Configure subscriptions from Event Viewer.

I.

Run the eventcreate.exe command.

J.

Create a Data Collector Set (DCS).

 

Correct Answer: H

Explanation:

http://technet.microsoft.com/en-us/library/cc749183.aspx

 

Event Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

 

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

 

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

 

The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/en-us/library/cc748890.aspx).

 

QUESTION 326

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2.

 

The network contains an enterprise certification authority (CA).

 

You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.

 

Which snap-in should you use?

 

A.

Active Directory Administrative Center

B.

Authorization Manager

C.

Certificate Templates

D.

Certificates

E.

Certification Authority

F.

Enterprise PKI

G.

Group Policy Management

H.

Security Configuration Wizard

I.

Share and Storage Management

 

Correct Answer: G

Explanation:

We can make the Group1 group a member of the Event Log Readers group, giving them read access to all event logs, thus including the Certificate Services events.

We can do that by using Group Policy Management.

 

Reference 1:

It’s a bit hard to find some good, clear reference for this. There’s nothing wrong with doing it yourself, so here’s what I did in VMware, using a domain controller and a member server.

Click along if you want!

 

In VMware I have set up a domain controller, DC01, and a member server, MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

 

Start the Group Policy Management console on DC01.

Right-click the Events OU and choose “Create a GPO in this domain, and Link it here…”

I named the GPO “EventLog_TESTGROUP”

Right-click the “EventLog_TESTGROUP” GPO and choose “Edit…”

Go to Computer Configuration > Policies > Windows Settings > Security Settings and select “Restricted Groups”

Right-click “Restricted Groups” and choose “Add Group…”

Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let’s do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.

Click the Browse button next to “Members of this group”, search for the TESTGROUP group and add it.

Click OK.

On MEM01 open a command prompt and run gpupdate /force. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

 

Reference 2:

http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

 

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

 

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.

 

(…)

 

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.

 

 

QUESTION 327

Your company has a single Active Directory forest with a single domain. Consultants in different departments of the company require access to different network resources. The consultants belong to a global group named TempWorkers.

 

Three file servers are placed in a new organizational unit named SecureServers. The file servers contain confidential data in shared folders.

 

You need to prevent the consultants from accessing the confidential data.

 

What should you do?

 

A.

Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.

B.

Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.

C.

On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control permission for the TempWorkers global group on the share.

D.

Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.

E.

Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.

 

Correct Answer: A

 

 

QUESTION 328

Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has the Active Directory Certificate Services (AD CS) role installed.

 

You configure a certificate template named Template1 for autoenrollment.

 

You discover that certificates are not being issued to any client computers. The event logs on the client computers do not contain any autoenrollment errors.

 

You need to ensure that all of the client computers automatically receive certificates based on Template1.

 

What should you do?

 

A.

Modify the Default Domain Policy Group Policy object (GPO).

B.

Modify the Default Domain Controllers Policy Group Policy object (GPO).

C.

Upgrade Server1 to Windows Server 2008 R2 Enterprise.

D.

Restart Certificate Services on Server1.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc731522.aspx

 

Configure Certificate Autoenrollment

Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.

 

To automatically enroll clients for certificates in a domain environment, you must:

 

Configure a certificate template with Autoenroll permissions.

 

Configure an autoenrollment policy for the domain.

 

To configure autoenrollment Group Policy for a domain

1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

 

 

QUESTION 329

Your network contains an Active Directory forest named adatum.com.

 

You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

 

What should you install before you create the AD RMS root cluster?

 

A.

The Failover Cluster feature

B.

The Active Directory Certificate Services (AD CS) role

C.

Microsoft Exchange Server 2010

D.

Microsoft SharePoint Server 2010

E.

Microsoft SQL Server 2008

 

Correct Answer: E

Explanation:

http://technet.microsoft.com/en-us/library/cc771789.aspx

 

Before you install AD RMS

 

Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met:

 

(…)

 

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:

 

Install the database server that is used to host the AD RMS databases on a separate computer.

 

(…)

 

 

QUESTION 330

Your network contains an Active Directory forest named contoso.com. The forest contains two member servers named Server1 and Server2. Server1 and Server2 have the DNS Server server role installed.

 

Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary name server for contoso.com.

 

You experience issues with the copy of the zone on Server2.

 

You verify that both copies of the zone have the same serial number.

 

You need to transfer a complete copy of the zone from Server1 to Server2.

 

What should you do on Server2?

 

A.

From DNS Manager, right-click contoso.com and click Transfer from Master.

B.

From Services, right-click DNS Server and click Refresh.

C.

From Services, right-click DNS Server and click Restart.

D.

From DNS Manager, right-click contoso.com and click Reload.

E.

From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from Master.

 

Correct Answer: E

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 212

 

Manually Updating a Secondary Zone

 

By right-clicking a secondary zone in the DNS Manager console tree, you can use the shortcut menu to perform the following secondary zone update operations:

 

Reload – This operation reloads the secondary zone from the local storage.

 

Transfer From Master – The server hosting the local secondary zone determines whether the serial number in the secondary zone’s SOA resource record has expired and then pulls a zone transfer from the master server.

Transfer New Copy Of Zone From Master – This operation performs a zone transfer from the secondary zone’s master server regardless of the serial number in the secondary zone’s SOA resource record.

 
