[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 331-340

Ensurepass

QUESTION 331

Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise.

 

You need to receive a notification when more than 50 Active Directory objects are deleted per second.

 

What should you do?

 

A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.

 

Correct Answer: G

Explanation:

http://technet.microsoft.com/en-us/magazine/ff458614.aspx

 

Configure Windows Server 2008 to Notify you when Certain Events Occur

 

You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.

 

To configure an alert, follow these steps:

1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.

2. (…)

3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you’ve selected.

 

 

QUESTION 332

Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC).

 

You need to identify which user accounts attempted to authenticate to the RODC.

 

Which tool should you use?

 

A. Active Directory Users and Computers
B. Ntdsutil
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Adtest

 

Correct Answer: A

Explanation:

Original answer was C (“Get-ADAccountResultantPasswordReplicationPolicy”).

Ntdsutil cannot be used for this.

http://technet.microsoft.com/en-us/library/cc753343.aspx

Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller’s password replication policy.

Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed. http://technet.microsoft.com/en-us/library/ee617207.aspx

 

Adtest is used for performance testing.

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc755310.aspx

 

Review whose accounts have been authenticated to an RODC

Periodically, you should review whose accounts have been authenticated to an RODC. (…) You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC.

 

Reference 2:

http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-ebb9d7fa6bf(v=ws.10)#BKMK_Auth2

Gives a step by step explanation on using Active Directory Users and Computers.

 

Old explanation:

Get-ADDomainControllerPasswordReplicationPolicyUsage: To get accounts that are authenticated by the RODC, use the AuthenticatedAccounts parameter. To get the accounts that have passwords stored on the RODC, use the RevealedAccounts parameter.

http://technet.microsoft.com/en-us/library/ee617194.aspx

 

 

QUESTION 333

Your network contains an Active Directory domain.

 

The password policy for the domain is configured as shown in the Current Policy exhibit. (Click the Exhibit button.)

[Exhibit: Current Policy]

You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit button.)

[Exhibit: New Policy]

 

You need to provide users with examples of a valid password.

 

Which password examples should you provide to the users? (Each correct answer presents a complete solution. Choose three.)

 

A. 123456!@#$%^
B. !@#$1234ABCD
C. password1234
D. 1-2-3-4-5-a-b-c-e
E. %%PASS1234%%
F. 111111aaaaaaa

 

Correct Answer: BDE

Explanation:

http://technet.microsoft.com/en-us/library/cc786468.aspx

 

Passwords must meet complexity requirements

 

This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.

 

If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

 

1. Passwords must not contain the user’s entire samAccountName (Account Name) value or entire displayName (Full Name) value.

2. Passwords must contain characters from three of the following five categories:

 

Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)

 

Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)

 

Base 10 digits (0 through 9)

 

Nonalphanumeric characters: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/

Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
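The two complexity rules quoted above, applied to answer options A through F, as an added example that is not part of the original page or of any Microsoft code. The user names `jdoe` and `Jane Doe` are constructed, the case-insensitive name comparison is an assumption, and password length and the other settings from the exhibits are not checked.

```python
import unicodedata

# Nonalphanumeric set as listed in the policy text above
# (straight quotes stand in for the page's typographic ones).
SYMBOLS = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")


def categories(password):
    """Return which of the five character categories occur in password."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in "0123456789":
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        elif ch.isalpha():
            # Alphabetic but neither upper nor lower case, e.g. CJK characters.
            found.add("other_alpha")
    return found


def meets_complexity(password, sam_account_name="", display_name=""):
    """Apply rule 1 (no entire account/display name) and rule 2 (3 of 5)."""
    lowered = password.casefold()
    for name in (sam_account_name, display_name):
        # Assumption: the name comparison ignores case.
        if name and name.casefold() in lowered:
            return False
    return len(categories(password)) >= 3


# Answer options from the question above.
OPTIONS = {
    "A": "123456!@#$%^",
    "B": "!@#$1234ABCD",
    "C": "password1234",
    "D": "1-2-3-4-5-a-b-c-e",
    "E": "%%PASS1234%%",
    "F": "111111aaaaaaa",
}


def valid_options(sam="jdoe", display="Jane Doe"):
    """Return the option letters that satisfy both rules for a constructed user."""
    return sorted(k for k, v in OPTIONS.items()
                  if meets_complexity(v, sam, display))


if __name__ == "__main__":
    print(valid_options())
```

Options A, C and F each draw on only two categories, which is why they fail even though they are as long as the passing ones.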

 

 

QUESTION 334

Your network contains an Active Directory domain named adatum.com.

 

The password policy of the domain requires that the passwords for all user accounts be changed every 50 days.

 

You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days.

 

Which tool should you use to create the accounts?

 

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory Module for Windows PowerShell
D. ADSI Edit
E. Active Directory Domains and Trusts

 

Correct Answer: C

Explanation:

Use the New-ADServiceAccount cmdlet in PowerShell to create the new accounts as managed service accounts. Managed service accounts offer automatic password management, which makes password management easier.

 

Reference 1:

http://technet.microsoft.com/en-us/library/dd367859.aspx

 

What are the benefits of new service accounts?

In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts:

(…)

Unlike with regular domain accounts in which administrators must reset passwords manually, the network passwords for these accounts will be reset automatically.

(…)

 

Reference 2:

http://technet.microsoft.com/en-us/library/dd391964.aspx

Use the Active Directory module for Windows PowerShell to create a managed service account.

 

Reference 3:

http://technet.microsoft.com/en-us/library/dd548356.aspx

To create a new managed service account

1. On the domain controller, click Start, and then click Run. In the Open box, type dsa.msc, and then click OK to open the Active Directory Users and Computers snap-in. Confirm that the Managed Service Account container exists.

2. Click Start, click All Programs, click Windows PowerShell 2.0, and then click the Windows PowerShell icon.

3. Run the following command: New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>].

 

Reference 4:

http://technet.microsoft.com/en-us/library/hh852236.aspx

Use the -ManagedPasswordIntervalInDays parameter with New-ADServiceAccount to specify the number of days for the password change interval.

-ManagedPasswordIntervalInDays <Int32>

Specifies the number of days for the password change interval. If set to 0, the default is used. This can only be set on object creation; after that, the setting is read-only. This value returns the msDSManagedPasswordInterval of the group managed service account object.

The following example shows how to specify a 90-day password change interval:

-ManagedPasswordIntervalInDays 90

 

 

QUESTION 335

Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)

 

[Exhibit: DNS zone properties]

 

You need to ensure that only domain members can register DNS records in the zone.

 

What should you do first?

 

A. Modify the zone type.
B. Create a trust anchor.
C. Modify the Advanced properties of the DNS server.
D. Modify the Dynamic updates setting.

 

Correct Answer: A

Explanation:

To ensure that only domain members are allowed to register DNS records we have to:

1. modify the zone type to Active Directory-Integrated.

2. set the Dynamic updates option to Secure only, which is only available to Active Directory-Integrated zones.

 

Reference 1:

MCTS Windows Server® 2008 Active Directory Configuration Study Guide (Sybex, 2008) page 53

Secure only: This means that only machines with accounts in Active Directory can register with DNS.

Before DNS registers any account in its database, it checks Active Directory to make sure that account is an authorized domain computer.

 

Reference 2:

http://technet.microsoft.com/en-us/library/ee649287.aspx

Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates.

 

 

QUESTION 336

A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS) domain.

 

You need to enable Universal Group Membership Caching on several domain controllers in the domain.

 

Which tool should you use?

 

A. Dsmod
B. Dscmd
C. Ntdsutil
D. Active Directory Sites and Services console

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc816928.aspx

 

Enable Universal Group Membership Caching in a Site

In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership Caching on a domain controller in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon.

 

To enable Universal Group Membership Caching in a site

1. Open Active Directory Sites and Services.

2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.

3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.

4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.

5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.

 

 

QUESTION 337

Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails.

 

You rebuild the DNS infrastructure.

 

You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.

 

Which service should you restart on the domain controllers?

 

A. Netlogon
B. DNS Server
C. Network Location Awareness
D. Network Store Interface Service
E. Online Responder Service

 

Correct Answer: A

Explanation:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62

 

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

 

 

QUESTION 338

Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1.

 

You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com.

 

When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping server2.contoso.com.

 

You need to ensure that you can resolve names by using the GlobalNames zone.

 

Which command should you run?

 

A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
B. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forest
C. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1
D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest

 

Correct Answer: C

Explanation:

Support for Globalnames must be enabled, otherwise the DNS Server service does not resolve single-label names in the GlobalNames zone.

 

Reference:

http://technet.microsoft.com/en-us/library/cc772069.aspx

 

dnscmd /config: Changes values in the registry for the DNS server and individual zones. Accepts server-level settings and zone-level settings.

Parameter: /enableglobalnamessupport {0|1}

Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of single-label DNS names across a forest.

0: Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone.

1: Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone.

 

 

QUESTION 339

You install an Active Directory domain in a test environment.

 

You need to reset the passwords of all the user accounts in the domain from a domain controller.

 

Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution, choose two.)

 

A. $newPassword = *
B. Import-Module ActiveDirectory
C. Import-Module WebAdministration
D. Get-AdUser -filter * | Set-ADAccountPossword -NewPassword $newPassword -Reset
E. Set-ADAccountPossword -NewPassword -Reset
F. $newPassword = (Read-Host -Prompt "New Password" -AsSecureString)
G. Import-Module ServerManager

 

Correct Answer: DF

Explanation:

First we create a variable, $newPassword, and prompt the user for the password to assign to it.

Next we use Get-ADUser -filter * to collect all user accounts and pipe them to Set-ADAccountPassword, which sets the value of $newPassword as every account's new password.

Note that Set-ADAccountPossword must be a typo.

 

Reference 1:

http://technet.microsoft.com/en-us/library/ee176935.aspx

 

Prompting a User to Enter Information

The Read-Host cmdlet enables you to interactively prompt a user for information. For example, this command prompts the user to enter his or her name, then stores that name in the variable $Name (to answer the prompt, type a name and then press ENTER):

$Name = Read-Host "Please enter your name"

 

Reference 2:

http://technet.microsoft.com/en-us/library/ee617241.aspx

Get-ADUser Gets one or more Active Directory users.

 

Reference 3:

http://technet.microsoft.com/en-us/library/ee617261.aspx

Set-ADAccountPassword Modifies the password of an Active Directory account.

Parameters

NewPassword

Specifies a new password value.

Reset

Specifies to reset the password on an account. When you use this parameter, you must set the NewPassword parameter. You do not need to specify the OldPassword parameter.

 

 

QUESTION 340

Your network contains an Active Directory domain named contoso.com.

 

You have an organizational unit (OU) named Sales and an OU named Engineering.

 

You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group. The users must be removed from the group when they log off of the client computers.

 

What should you do?

 

A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the Group Policy object (GPO) to the Sales OU.
J. Link the Group Policy object (GPO) to the Engineering OU.

 

Correct Answer: H

Explanation:

http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

 
