[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 361-370

Ensurepass

QUESTION 361

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

 

You need to approve a pending certificate request.

 

Which snap-in should you use?

 

A.

Active Directory Users and Computers

B.

Authorization Manager

C.

Certification Authority

D.

Group Policy Management

E.

Certificate Templates

F.

TPM Management

G.

Certificates

H.

Enterprise PKI

I.

Security Templates

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/de-de/library/ff849263.aspx

 

To issue a pending certificate request:

1. Log on to your root CA by using an account that is a certificate manager.

2. Start the Certification Authority snap-in.

3. In the console tree, expand your root CA, and click Pending Certificates.

4. In the details pane, right-click the pending CA certificate, and click Issue.

 

 

QUESTION 362

Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).

 

The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory partition.

 

You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,dc=com.

 

Which tool should you use?

 

A.

Active Directory Sites and Services

B.

Dsmod

C.

Dcpromo

D.

Dsmgmt

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc732887.aspx

 

Dcpromo

 

Installs and removes Active Directory Domain Services (AD DS).

 

Parameter

 

ApplicationPartitionsToReplicate:””

 

Specifies the application directory partitions that dcpromo will replicate. Use the following format:

 

“partition1” “partition2” “partitionN”

 

Use * to replicate all application directory partitions.

 

Original explanation:

 

Please Check Answer

 

I don’t think this is Dsmod. It is most likely Dcpromo.

 

Dsmod — Modifies an existing object of a specific type in the directory.


QUESTION 363

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

 

You have a custom certificate template named Template1. Template1 is published to the CA.

 

You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1.

 

Which snap-in should you use?

 

A.

Security Templates

B.

Enterprise PKI

C.

Certification Authority

D.

Certificate Templates

E.

Certificates

F.

TPM Management

G.

Authorization Manager

H.

Group Policy Management

I.

Active Directory Users and Computers

 

Correct Answer: D

Explanation:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 593

 

Configuring Certificate Templates

 

AD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the following capabilities:

 

(…)

 

Configuring access control lists (ACLs) on certificate templates

 

 

QUESTION 364

Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100.

 

You need to identify the zone that contains the Pointer (PTR) record for DC1.

 

Which zone should you identify?

 

A.

adatum.com

B.

_msdcs.adatum.com

C.

100.168.192.in-addr.arpa

D.

200.168.192.in-addr.arpa

 

Correct Answer: D

Explanation:

Reference 1:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57

Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server’s PTR (pointer) resource record.

 

Reference 2:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730

You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?

 

a. 5.168.192.in-addr.arpa

b. 0.5.168.192.in-addr.arpa

c. 192.168.5.in-addr.arpa

d. 192.168.5.0.in-addr.arpa

 

The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect.

 

 

QUESTION 365

Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2.

 

The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.

 

On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO.

 

You need to identify what will be audited on DC1.

 

Which tool should you use?

 

A.

Get-ADObject

B.

Secedit

C.

Security Configuration and Analysis

D.

Auditpol

 

Correct Answer: D

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc772576.aspx

 

Auditpol get

Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object.

 

Reference 2:

Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670

You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command:

auditpol /get /category:*

QUESTION 366

You have a client computer named Computer1 that runs Windows 7.

 

On Computer1, you configure a source-initiated subscription.

 

You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1.

 

The subscription is configured to use the HTTP protocol.

 

You discover that events from the Security log of DC1 are not collected on Computer1.

 

Events from the Application log of DC1 and the System log of DC1 are collected on Computer1.

 

You need to ensure that events from the Security log of DC1 are collected on Computer1.

 

What should you do?

 

A.

Add the computer account of Computer1 to the Event Log Readers group on the domain controller.

B.

Add the Network Service security principal to the Event Log Readers group on the domain.

C.

Configure the subscription to use custom Event Delivery Optimization settings.

D.

Configure the subscription to use the HTTPS protocol.

 

Correct Answer: B

Explanation:

Reference 1:

http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event-forwarding-and-you.aspx

Preparing Windows Server 2008 and Windows Server 2008 R2

You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the Built-in Event Log Readers group.

 

Reference 2:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/8434ffb3-1621-4bc5-8311-66d88b215886/

How to collect security logs using event forwarding?

For Windows Vista, Windows Server 2008 and later version of clients, please follow the steps below to configure it.

1. Click start->run, type CompMgmt.msc to open Computer Management Console.

2. Under Local Users and Groups, click Groups->Event Log Readers to open Event Log Readers Properties.

3. Click Add, then click Location button, select your computer and click OK.

4. Click Object Types button, check the checkbox of Built-in security principals and click OK.

5. Add “Network Service” built-in account to Event Log Readers group.

6. Reboot the client computer.

After these steps have been taken, you will see the security event logs in the Forwarded Events on your event collector.


QUESTION 367

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

 

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates.

 

You need to archive the private key for all new EFS certificates.

 

Which snap-in should you use?

 

A.

Active Directory Users and Computers

B.

Authorization Manager

C.

Group Policy Management

D.

Enterprise PKI

E.

Security Templates

F.

TPM Management

G.

Certificates

H.

Certification Authority

I.

Certificate Templates

 

Correct Answer: I

Explanation:

http://technet.microsoft.com/en-us/library/cc753826.aspx

 

Configure a Certificate Template for Key Archival

The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.

 

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.

 

To configure a certificate template for key archival and recovery

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.

3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

4. In Template, type a new template display name, and then modify any other optional properties as needed.

5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.

6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box.

7. On the Request Handling tab, select the Archive subject’s encryption private key check box.

 

Original explanation:

http://technet.microsoft.com/en-us/library/cc730721

 


QUESTION 368

Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The computers are configured as shown in the following table.

 

[Table image not available]

 

An administrator creates a script that contains the following commands:

 

[Script image not available]

 

You need to identify which computers can successfully run all of the commands in the script.

 

Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)

 

A.

Computer1

B.

Server1

C.

Computer2

D.

Server2

 

Correct Answer: CD

Explanation:

Original answer was B, D (“Server1”, “Server2”).

According to TechNet the “Auditpol /resourceSACL” command applies only to Windows 7 and Windows Server 2008 R2 (and I suppose Windows 8 and Windows Server 2012), so the answer should be Computer2 and Server2.

 

Reference:

http://technet.microsoft.com/en-us/library/ff625687.aspx

 

Auditpol resourceSACL

 

Applies only to Windows 7 and Windows Server 2008 R2.


QUESTION 369

Your network contains a domain controller that runs Windows Server 2008 R2.

 

You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller.

 

Which tool should you use?

 

A.

Ntdsutil

B.

Dsamain

C.

Active Directory Users and Computers

D.

Local Users and Groups

 

Correct Answer: A

Explanation:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/reset-the-dsrm-administrator-password.aspx

 

To Reset the DSRM Administrator Password

1. Click Start, click Run, type ntdsutil, and then click OK.

2. At the Ntdsutil command prompt, type set dsrm password.

 

 

QUESTION 370

Your network contains an Active Directory domain named contoso.com.

 

The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.

 

RODC1 runs Windows Server 2008 R2.

 

A user logs on to a computer in the branch office site.

 

You discover that the user’s password is not stored on RODC1.

 

You need to ensure that the user’s password is stored on RODC1 when he logs on to a branch office site computer.

 

What should you do?

 

A.

Modify the RODC’s password replication policy by removing the entry for the Allowed RODC Password Replication Group.

B.

Modify the RODC’s password replication policy by adding RODC1’s computer account to the list of allowed users, groups, and computers.

C.

Add the user’s user account to the built-in Allowed RODC Password Replication Group on RODC1.

D.

Add RODC1’s computer account to the built-in Allowed RODC Password Replication Group on RODC1.

 

Correct Answer: C

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417

 

Password Replication Policy

Password Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.


An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user’s credentials will not be cached–the Denied List takes precedence.

 

Configuring Domain-Wide Password Replication Policy

To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.
