[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 351-360

Ensurepass

QUESTION 351

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role installed and hosts an Active Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are both set to three days. The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit button.)

 


 

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit. (Click the Exhibit button.)

 


 

You discover that the scavenging process ran today, but the record for Server1 was not deleted.

 

You run dnscmd.exe and specify the age all records parameter.

 

You need to identify when the record for Server1 will be deleted from the zone.

 

In how many days will the record be deleted?

 

A. 13

B. 10

C. 23

D. 7

 

Correct Answer: D

Explanation:

The blank Record time stamp field indicates a static record. That’s the reason it wasn’t deleted. The timestamp has been set using dnscmd /ageallrecords. The Time to live setting means that the server will hold a cached record for 10 days, so it has nothing to do with this question. The record will become stale in six days (no-refresh interval + refresh interval, that’s 3 + 3 days), so now that the timestamp has been set it will be deleted when the next scavenging operation occurs, in seven days.

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc772069.aspx

dnscmd /ageallrecords Sets the current time on all time stamps in a zone or node. Record scavenging does not occur unless the records are time stamped. Name server (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records are not included in the scavenging process, and they are not time stamped even when the ageallrecords command runs.

 

Reference 2:

http://www.windowsitpro.com/article/dns/scavenging-stale-dns-records

When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging feature considers the record stale and deletes it. So, when you set No-refresh interval to 3 days and Refresh interval to 5 days, scavenging will delete records that are more than 8 days old.

 

 

QUESTION 352

Your company has an Active Directory forest. Each regional office has an organizational unit (OU) named Marketing. The Marketing OU contains all users and computers in the region’s Marketing department.

 

You need to install a Microsoft Office 2007 application only on the computers in the Marketing OUs.

 

You create a GPO named MarketingApps.

 

What should you do next?

 

A. Configure the GPO to assign the application to the computer account. Link the GPO to the domain.

B. Configure the GPO to assign the application to the user account. Link the GPO to each Marketing OU.

C. Configure the GPO to assign the application to the computer account. Link the GPO to each Marketing OU.

D. Configure the GPO to publish the application to the user account. Link the GPO to each Marketing OU.

 

Correct Answer: C

Explanation:

We need to assign the software to the computers and link the GPO to each Marketing OU. We do not link it to the domain, because then every computer would have the software.

 

Reference:

http://support.microsoft.com/kb/816102

 

You can use Group Policy to distribute computer programs by using the following methods:

 

Assigning Software

You can assign a program distribution to users or computers. If you assign the program to a user, it is installed when the user logs on to the computer. When the user first runs the program, the installation is completed. If you assign the program to a computer, it is installed when the computer starts, and it is available to all users who log on to the computer. When a user first runs the program, the installation is completed.

 

Publishing Software

You can publish a program distribution to users. When the user logs on to the computer, the published program is displayed in the Add or Remove Programs dialog box, and it can be installed from there.

 

 

QUESTION 353

Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard.

 

You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates.

 

You must achieve this goal by using the minimum amount of administrative effort.

 

What should you do first?

 

A. Run the certutil.exe -addenrollmentserver command.

B. Install the Active Directory Certificate Services (AD CS) role on the member server.

C. Upgrade the member server to Windows Server 2008 R2 Enterprise.

D. Run the certutil.exe -installdefaulttemplates command.

 

Correct Answer: C

 

 

QUESTION 354

Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)

 


 

Users in the Finance organizational unit (OU) frequently log on to client computers in the Human Resources OU.

 

You need to meet the following requirements:

- All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and the Human Resources OU must be applied to finance users when they log on to client computers in the Engineering OU.

- Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users when they log on to client computers in the Finance OU.

- Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human Resources OU.

 

What should you do?

 

A. Modify the Group Policy permissions.

B. Enable block inheritance.

C. Configure the link order.

D. Enable loopback processing in merge mode.

E. Enable loopback processing in replace mode.

F. Configure WMI filtering.

G. Configure Restricted Groups.

H. Configure Group Policy Preferences.

I. Link the GPO to the Finance OU.

J. Link the GPO to the Human Resources OU.

 

Correct Answer: D

Explanation:

Very similar question to K/Q11.

We have to use loopback processing in merge mode if we want all User Configuration settings from the GPOs that are linked to the Sales OU and the Engineering OU to be applied.

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc782810.aspx


Loopback processing with merge or replace

Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory.

Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings.

Loopback with Replace–In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user.

Loopback with Merge–In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer’s GPOs are processed after the user’s GPOs, they have precedence if any of the settings conflict.

 

Reference 2:

http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

 

For a clear and easy explanation of Loopback Processing. Recommended!

 

Reference 3:

Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028

 

Loopback Processing

When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers. There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects.

 

To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last.

 

 

QUESTION 355

Your network contains an Active Directory forest. The forest contains multiple domains.

 

You need to ensure that users in the human resources department can search for employees by using the employeeNumber attribute.

 

What should you do?

 

A. From Active Directory Sites and Services, modify the properties of each global catalog server.

B. From the Active Directory Schema snap-in, modify the properties of the user object class.

C. From Active Directory Sites and Services, modify the NTDS Settings object of each global catalog server.

D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

 

Global Catalog Replication of Additions to the Partial Attribute Set

Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.

The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

QUESTION 356

Your network contains an Active Directory domain named adatum.com.

 

You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

 

Under which node in the DNS snap-in should you add a zone?

 

A. Reverse Lookup Zones

B. adatum.com

C. Forward Lookup Zones

D. Conditional Forwarders

E. _msdcs.adatum.com

 

Correct Answer: A

Explanation:

Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193

A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN.

 

 

QUESTION 357

Your network contains an Active Directory domain named contoso.com.

 

The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)

 


 

You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes between the sites.

 

What should you do?

 

A. Configure DC1 as a preferred bridgehead server for IP transport.

B. Configure DC4 as a preferred bridgehead server for IP transport.

C. From the DC4 server object, create a Connection object for DC1.

D. From the DC1 server object, create a Connection object for DC4.

 

Correct Answer: A

Explanation:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194

 

Bridgehead Servers

A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them.

 

In most cases, the KCC automatically decides which domain controller acts as the bridgehead server.

 

However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:

 

1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.

2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.

3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add.

 

 

QUESTION 358

Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.)

 


 

You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs.

 

The solution must prevent GPO1 from being applied to users in the Dev OU.

 

What should you do?

A. Enforce GPO1.

B. Modify the security settings of the Dev OU.

C. Link GPO1 to the Finance OU.

D. Modify the security settings of the Finance OU.

 

Correct Answer: C

Explanation:

The OUs that are indicated by a blue exclamation mark in the console tree have blocked inheritance. This means that GPO1 will not be applied to those OUs. For the Dev OU that’s ok, but not for the Finance OU. So we have to link GPO1 to the Finance OU.

 

Reference:

http://technet.microsoft.com/en-us/library/cc731076.aspx

 

Block Inheritance

You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

 

If a domain or OU is set to block inheritance, it will appear with a blue exclamation mark in the console tree.

 

 

QUESTION 359

Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA).

 

You need to ensure that only members of a group named Admin1 can create certificate templates.

 

Which tool should you use to assign permissions to Admin1?

 

A. the Certification Authority console

B. Active Directory Users and Computers

C. the Certificates snap-in

D. Active Directory Sites and Services

 

Correct Answer: D

Explanation:

We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups. The first reference lists what needs to be done, the second reference explains how to do it.

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc725621.aspx

Delegating Template Management

You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or universal groups that a user belongs to.

There are three levels of delegation for certificate template administration:

Modify existing templates

Create new templates (by duplicating existing templates)

Full delegation (including modifying all existing templates and creating new ones)

Create New Templates

 

To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS.

To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of which the user is a member:

Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.

Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates.

Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot container.

Reference 2:

Windows Server 2008 – PKI and Certificate Security (Microsoft Press, 2008) page 298

Delegate Permissions for Creation of New Templates

You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.

1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.

2. Open the Active Directory Sites And Services console.

3. From the View menu, ensure that the Show Services Node setting is enabled.

4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.

5. In the console tree, right-click Certificate Templates, and then click Delegate Control.

6. In the Delegation Of Control wizard, click Next.

7. On the Users Or Groups page, click Add.

8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.

9. On the Users Or Groups page, click Next.

10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.

11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next.

12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.

13. On the Completing The Delegation Of Control wizard page, click Finish.

 

 

QUESTION 360

Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003.

 

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

 

At 07:00, an administrator deletes a user account while he is logged on to DC1.

 

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.

 

What should you do?

 

A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.

B. On DC3, run the Restore-ADObject cmdlet.

C. On DC1, run the Restore-ADObject cmdlet.

D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory Domain Services.

 

Correct Answer: A

Explanation:

We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says “The functional level of the forest is Windows Server 2003.”

See http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DCs.

 

Reference 1:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692 “An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers.”

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc755296.aspx

Authoritative restore of AD DS has the following requirements:

(…)

You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.

 
