[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 371-380

Ensurepass

QUESTION 371

Your network contains an Active Directory domain. The domain contains several domain controllers.

 

You need to modify the Password Replication Policy on a read-only domain controller (RODC).

 

Which tool should you use?

 

A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

 

Administering the Password Replication Policy

 

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

 

To configure the PRP using Active Directory Users and Computers

1. Open Active Directory Users and Computers as a member of the Domain Admins group.

2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.

3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.

4. Click the Password Replication Policy tab.

5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add.

 

To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.

 

To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.
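The same Allowed/Deny maintenance from the command line, as an added example that is not part of the original question or the TechNet article. The RODC name, the group names and the check at the end (that no Domain Admins member has ever had its password revealed to the branch DC) are this example's own assumptions.

```powershell
# Added example: maintain and audit an RODC's Password Replication Policy with the
# Active Directory module instead of the ADUC GUI.
# Assumed names: RODC "BRANCH-RODC01", groups "Branch-Users" and "Branch-Admins".
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC01'

# Allow caching for the branch's regular users so they can still log on when
# the WAN link to a writable DC is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

# Explicitly deny caching for the branch's admin group: credentials of privileged
# accounts should not sit on a server with weaker physical security. Deny wins
# over Allow if an account appears in both lists.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Branch-Admins'

# Review the Allowed and Deny lists as they now stand.
'--- Allowed list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
'--- Denied list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Audit: Domain Admins are in the Denied RODC Password Replication Group by default,
# so none of them should appear among the accounts whose passwords the RODC holds.
$privileged = Get-ADGroupMember 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty DistinguishedName
$revealed   = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$leaked     = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }

if ($leaked) {
    Write-Warning "Privileged credentials are cached on $rodc; reset these passwords:"
    $leaked | Select-Object Name, DistinguishedName
} else {
    "No privileged account passwords are cached on $rodc."
}
```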

 

 

QUESTION 372

Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2.

 

You need to monitor the following information on the domain controllers during the next five days:

 

- Memory usage
- Processor usage
- The number of LDAP queries

 

What should you do?

 

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.
B. Use the System Performance Data Collector Set (DCS).
C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.
D. Use the Active Directory Diagnostics Data Collector Set (DCS).

 

Correct Answer: A

Explanation:

The System Performance Data Collector Set/System Performance template does not monitor Active Directory data (we need the number of LDAP queries). That leaves out answers B (“Use the System Performance Data Collector Set (DCS)”) and C (“Create a User Defined Data Collector Set (DCS) that uses the System Performance template”).

Because the Active Directory Diagnostics Data Collector Set (DCS) runs only for 5 minutes and we need to monitor for 5 days we have to use a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. For a User Defined Data Collector Set we can set the monitoring duration in seconds, minutes, hours, days or weeks.

So we have to create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.

 

Reference:

http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx

 

AD Data Collector Sets in Win2008 and beyond

 

The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line. If reducing or increasing the time that a data collector set runs is required, and manually stopping the collection is not desirable, then see How to Create a User Defined Data Collection Set.

 

 

 

 

QUESTION 373

A corporate network includes a single Active Directory Domain Services (AD DS) domain.

 

The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

 

You plan to create an Active Directory-integrated zone.

 

You need to ensure that the new zone is replicated to only four of the domain controllers.

 

What should you do first?

 

A. Use the ntdsutil tool to modify the DS behavior for the domain.
B. Use the ntdsutil tool to add a naming context.
C. Create a new delegation in the ForestDnsZones application directory partition.
D. Use the dnscmd tool with the /zoneadd parameter.

 

Correct Answer: B

Explanation:


Reference 1:

http://technet.microsoft.com/en-us/library/cc725739.aspx

 

Store Data in an AD DS Application Partition

You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.

 

Reference 2:

http://technet.microsoft.com/en-us/library/cc730970.aspx

 

Partition management

Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

This is a subcommand of Ntdsutil and Dsmgmt.

Examples

To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:

1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. Type: ntdsutil

3. Type: Ac in ntds

4. Type: partition management

5. Type: connections

6. Type: Connect to server DC_Name

7. Type: quit

8. Type: list

The following partitions will be listed:

0 CN=Configuration,DC=Contoso,DC=com

1 DC=Contoso,DC=com

2 CN=Schema,CN=Configuration,DC=Contoso,DC=com

3 DC=DomainDnsZones,DC=Contoso,DC=com

4 DC=ForestDnsZones,DC=Contoso,DC=com

9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com

10. Run the list command again to refresh the list of partitions.
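As an added example (not from the question or the referenced TechNet pages), the dnscmd route to the same result: dnscmd /CreateDirectoryPartition stands in for ntdsutil's create nc step, the remaining DCs are enlisted, and the zone is then created in the new partition so it replicates only to those DCs. Server, partition and zone names are assumptions.

```powershell
# Added example: an AD-integrated DNS zone that replicates to only four chosen DCs.
# Assumed names: DCs DC1..DC4 in contoso.com, partition "FourDcDnsZones.contoso.com",
# zone "lab.contoso.com". Run from an elevated prompt as an Enterprise Admin.
$partition = 'FourDcDnsZones.contoso.com'
$zone      = 'lab.contoso.com'
$members   = 'DC1', 'DC2', 'DC3', 'DC4'   # the only DCs that should hold the zone

# 1. Create the application directory partition (the dnscmd equivalent of
#    "create nc" in ntdsutil). The DC the command runs against is enlisted
#    automatically, so the partition starts with a single replica.
dnscmd $members[0] /CreateDirectoryPartition $partition

# 2. Enlist the other three DCs. The replication scope of the partition is
#    exactly its set of enlisted DCs.
foreach ($dc in $members[1..3]) {
    dnscmd $dc /EnlistDirectoryPartition $partition
}

# 3. Create the zone in that partition instead of DomainDnsZones (every DC in
#    the domain) or ForestDnsZones (every DC in the forest).
dnscmd $members[0] /ZoneAdd $zone /DsPrimary /DP $partition

# 4. Verify: the partition should report four replicas and the zone should
#    report the custom partition as its storage location.
dnscmd $members[0] /DirectoryPartitionInfo $partition
dnscmd $members[0] /ZoneInfo $zone
```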

 

 

QUESTION 374

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.

 

You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated with User objects.

 

You need to ensure that Attribute1 is included in the global catalog.

 

What should you do?

 

A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.
B. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

 

Global Catalog Partial Attribute Set

 

The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

 

Global Catalog Replication of Additions to the Partial Attribute Set

Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.

 

If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object. You mark the attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog.

 

If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog.

 

 

QUESTION 375

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.

 

The network contains an enterprise certification authority (CA).

 

You need to approve a pending certificate request.

 

Which snap-in should you use?

 

A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management

 

Correct Answer: E

Explanation:

Reference 1:

http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:

1. Log on to your root CA by using an account that is a certificate manager.

2. Start the Certification Authority snap-in.

3. In the console tree, expand your root CA, and click Pending Certificates.

4. In the details pane, right-click the pending CA certificate, and click Issue.

 

 

QUESTION 376

Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2008 R2.

 

You mount an Active Directory snapshot.

 

You need to ensure that you can connect to the snapshot by using LDAP.

 

What should you do?

 

A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.

 

Correct Answer: E

Explanation:

http://technet.microsoft.com/en-us/library/cc753609.aspx

 

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.

 

Requirements for using the Active Directory database mounting tool

 

You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (…)

 

Dsamain.exe, which you can use to expose the snapshot data as an LDAP server

 

Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers

 

 

QUESTION 377

Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)

[Exhibit image not included]

 

Each organizational unit (OU) contains over 500 user accounts.

 

The Finance OU and the Human Resources OU contain several user accounts that are members of a universal group named Group1.

 

You have a Group Policy object (GPO) linked to the domain.

 

You need to prevent the GPO from being applied to the members of Group1 only.

 

What should you do?

 

A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.

 

Correct Answer: A

Explanation:

“GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove Authenticated Users in the security filter and add groups containing everyone except Group1 members (messy solution), or you could leave Authenticated Users there and specify Group1 with Deny Apply Group Policy permission for the GPO (since Deny will always win over Allow).”

 

The reference below describes the opposite situation: applying a GPO only to one group. Here the same mechanism (the GPO's ACL) is used to exclude one group instead.

 

Reference:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286

 

Using Security Filtering to Modify GPO Scope

 

By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.

 

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify.

 

Filtering a GPO to Apply to Specific Groups

 

To apply a GPO to a specific security group, perform the following steps:

4. Select the GPO in the Group Policy Objects container in the console tree.

5. In the Security Filtering section, select the Authenticated Users group and click Remove.

6. Click OK to confirm the change.

7. Click Add.

8. Select the group to which you want the policy to apply and click OK.

 

 

QUESTION 378

Your network contains an Active Directory forest named contoso.com. The forest contains six domains.

 

You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers.

 

Which tool should you use?

 

A. Active Directory Administrative Center
B. Set-ADDomain
C. Active Directory Sites and Services
D. Set-ADForest

 

Correct Answer: D

Explanation:

We would use the following command to achieve this:

Set-ADForest -UPNSuffixes @{Add="litwareinc.com"}

 

Reference 1:

http://technet.microsoft.com/en-us/library/dd391925.aspx

Creating a UPN Suffix for a Forest

This topic explains how to use the Active Directory module for Windows PowerShell to create a new user principal name (UPN) suffix for the users in a forest. Creating an additional UPN suffix helps simplify the names that are used to log on to another domain in the forest.

 

Example

The following example demonstrates how to create a new UPN suffix for the users in the Fabrikam.com forest:

Set-ADForest -UPNSuffixes @{Add="headquarters.fabrikam.com"}

Reference 2:

http://technet.microsoft.com/en-us/library/ee617221.aspx

Set-ADForest Modifies an Active Directory forest.

Parameter

UPNSuffixes: Modifies the list of user principal name (UPN) suffixes of the forest. This parameter sets the multi-valued msDS-UPNSuffixes property of the cross-reference container. This parameter uses the following syntax to add, remove, replace, or clear UPN suffix values.

 

Syntax:

To add values:

-UPNSuffixes @{Add=value1,value2,…}

 

 

QUESTION 379

Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2.

 

You need to remove Instance2 from Server1 without affecting Instance1.

 

Which tool should you use?

 

A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager

 

Correct Answer: C

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc794857.aspx

 

Administering AD LDS Instances

Each AD LDS instance runs as an independent (and separately administered) service on a computer.

 

Reference 2:

technet.microsoft.com/en-us/library/cc794886.aspx

 

To remove an AD LDS instance

1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.

2. Locate and click the AD LDS instance that you want to remove.

3. Click Uninstall.

Note

It is not necessary to restart the computer after you remove an AD LDS instance.

 

 

QUESTION 380

Your network contains an Active Directory forest named contoso.com.

 

You plan to migrate all user accounts to a new forest named litwareinc.com.

 

The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains four servers.

 

The servers are configured as shown in the following table.

 

[Table exhibit for contoso.com servers not included]

 

The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains four servers.

 

The servers are configured as shown in the following table.

 

[Table exhibit for litwareinc.com servers not included]

 

You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration Tool version 3.2 (ADMT v3.2).

 

Which server should you identify?

 

A. Litw_Srv4
B. Litw_Srv1
C. Litw_Srv2
D. Litw_Srv3

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc974370.aspx

 

Prerequisites for installing ADMT v3.2

Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments that have a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a server running Windows Server 2008 R2.

 

In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 must not be installed under the Server Core installation option or be running as a read-only domain controller (RODC).

 
