[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 381-390


QUESTION 381

Your network contains an Active Directory forest. The forest contains three domains. All domain controllers have the DNS Server server role installed.

 

The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client computers, and domain controllers of each domain. Site1 contains the first domain controller deployed to the forest.

 

The sites connect to each other by using unreliable WAN links.

 

The users in Site2 and Site3 report that it takes a long time to log on to their client computer when they use their user principal name (UPN). The users in Site1 do not experience the same issue.

 

You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to their client computer by using their UPN.

 

What should you do?

 

A.

Configure a global catalog server in Site2 and a global catalog server in Site3.

B.

Reduce the replication interval of the site links.

C.

Move a primary domain controller (PDC) emulator to Site2 and to Site3.

D.

Add additional domain controllers to Site2 and to Site3.

E.

Reduce the cost of the site links.

F.

Enable universal group membership caching in Site2 and in Site3.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc728188.aspx

 

Common Global Catalog Scenarios

 

The following events require a global catalog server:

 

(…) User logon. In a forest that has more than one domain, two conditions require the global catalog during user authentication:

1. When a user principal name (UPN) is used at logon and the forest has more than one domain, a global catalog server is required to resolve the name.

2. (…)

 

 

QUESTION 382

You have an enterprise subordinate certification authority (CA).

 

You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment.

 

You increase the template key length to 2,048 bits.

 

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template.

 

Which console should you use?

 

A.

Group Policy Management MMC Snap-In

B.

Certificates MMC Snap-In on the Certificate Authority

C.

Certificate Templates MMC Snap-In

D.

Certification Authority MMC Snap-In

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc771246.aspx

 

Re-Enroll All Certificate Holders

This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll.

 

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

 

To re-enroll all certificate holders

1. Open the Certificate Templates snap-in.

2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.

 

 

QUESTION 383

Your network contains an Active Directory domain.

 

You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain.

 

What should you do?

 

A.

From Group Policy Management Console (GPMC), back up the GPOs.

B.

From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.

C.

From Windows Server Backup, perform a system state backup.

D.

From Windows PowerShell, run the Backup-GPO cmdlet.

 

Correct Answer: C

Explanation:

http://www.microsoft.com/en-us/download/details.aspx?id=22478

Planning and Deploying Group Policy (.doc)

Links to OUs, however, are not part of the backup data and will not be restored during a restore operation.

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266-4991-8309-c957a123a455/

 

Permissions are backed up but links are not. The links are actually properties of the OU and would be backed up as part of the system state. The backup function in GPMC only backs up the properties of selected GPOs (the settings inside the GPOs as well as Security Filters and all other things that belong directly to the GPO). It never backs up OU / Site links - these are not properties of the GPO itself, but of the respective OUs and Sites…

http://sdmsoftware.com/general-stuff/the-clash-of-the-gpo-links/

Group Policy links are stored within the gpLink attribute on an AD container (in the case of GP, the container is a site, domain or OU object).

http://technet.microsoft.com/de-de/library/cc756808%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc784474%28v=ws.10%29.aspx

Information saved in a backup

Backing up a GPO saves all information that is stored inside the GPO to the file system.

This includes the following information:

GPO globally unique identifier (GUID) and domain.

GPO settings.

Discretionary access control list (DACL) on the GPO.

WMI filter link, if there is one, but not the filter itself.

Links to IP Security Policies, if any.

XML report of the GPO settings, which can be viewed as HTML from within GPMC.

Date and time stamp of when the backup was taken.

User-supplied description of the backup.

Information not saved in a backup

 

Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not available when the backup is restored to the original GPO or imported into a new one. This data that becomes unavailable includes the following information:

Links to a site, domain, or organizational unit.

WMI filter.

IP Security policy.

 

Reference:

http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d7c621fc-e0e9-47dd-a4df-9082b33132a6

 

To back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain, the answer is C.

 

For details:

System State data

http://technet.microsoft.com/en-us/library/cc785306(WS.10).aspx


QUESTION 384

Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.

 

You need to identify which user accounts can have their password cached on RODC1.

 

Which tool should you use?

 

A.

Repadmin

B.

Dcdiag

C.

Get-ADDomainControllerPasswordReplicationPolicyUsage

D.

Adtest

 

Correct Answer: A

Explanation:

Original answer was C (“Get-ADDomainControllerPasswordReplicationPolicyUsage”). On why it’s not correct, I quote the original explanation:

“The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.”

So, this revealed list has a list of accounts whose passwords are cached on RODCs. But we don’t need the accounts that are cached on RODC1, but the ones that can be cached on RODC1. Those are in the allowed list, and we can get it using repadmin.

 

Reference:

http://technet.microsoft.com/en-us/library/cc835090.aspx

 

Repadmin /prp

 

Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

 

Syntax

 

repadmin /prp view <RODC> {<List_Name>|<User>}

 

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

 

Parameters

 

<RODC>

 

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

 

<List_Name>

 

Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

 

auth2: The list of security principals that the RODC has authenticated.

 

reveal: The list of security principals for which the RODC has cached passwords.

 

allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.

deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

 

Original explanation for answer C:

 

The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.

 

http://technet.microsoft.com/en-us/library/ee617194.aspx
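The difference between the allow, deny and reveal lists described above can be checked directly. The following is an added example, not part of the original page: it uses the ActiveDirectory module cmdlets rather than repadmin, the helper name Expand-PrpList is hypothetical, and it assumes all listed principals are in the local domain.

```powershell
Import-Module ActiveDirectory

$rodc = 'RODC1'   # RODC name taken from the question

# Hypothetical helper: expand a PRP entry (user, computer or group)
# into the distinguished names of the accounts it covers.
function Expand-PrpList {
    param([Parameter(ValueFromPipeline = $true)] $Principal)
    process {
        if ($Principal.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $Principal.DistinguishedName -Recursive |
                ForEach-Object { $_.DistinguishedName }
        }
        else {
            $Principal.DistinguishedName
        }
    }
}

# allow list = msDS-RevealOnDemandGroup, deny list = msDS-NeverRevealGroup
$allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Expand-PrpList)
$denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Expand-PrpList)

# reveal list = accounts whose passwords are cached on the RODC right now
$revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    ForEach-Object { $_.DistinguishedName })

# Accounts that CAN be cached: allowed and not denied (the deny list takes precedence).
$cacheable = @($allowed | Where-Object { $denied -notcontains $_ } | Sort-Object -Unique)

# Accounts that ARE cached but are no longer permitted by the policy.
# The RODC's own computer account and its krbtgt_* account are cached by design
# and will show up here; anything else deserves a password reset.
$stale = @($revealed | Where-Object { $cacheable -notcontains $_ })

"Cacheable accounts: $($cacheable.Count)"
"Cached accounts:    $($revealed.Count)"
"Cached but not currently allowed:"
$stale
```

The first two lists correspond to `repadmin /prp view RODC1 allow` and `deny`; the third corresponds to `reveal`.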

 

 

QUESTION 385

Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain.

 

You need to prevent the managed service accounts from being deleted accidentally from OU1.

 

Which cmdlet should you use?

 

A.

Set-ADUser

B.

Set-ADOrganizationalUnit

C.

Set-ADServiceAccount

D.

Set-ADObject

 

Correct Answer: D

Explanation:

You can use Set-ADOrganizationalUnit and the -ProtectedFromAccidentalDeletion $true parameter to prevent OU1 from being deleted accidentally, but you would still be able to delete the accounts inside it. Use Set-ADObject to protect the accounts.

 

Reference:

http://technet.microsoft.com/en-us/library/hh852326.aspx

 

Set-ADObject Modifies an Active Directory object.

 

Parameter

-ProtectedFromAccidentalDeletion <Boolean>

Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include:

 

$false or 0

 

$true or 1

 

The following example shows how to set this parameter to true.

 

-ProtectedFromAccidentalDeletion $true
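Applied to the scenario in this question, the parameter is set on each managed service account object rather than on OU1. This is an added example, not part of the original page; the domain components in the distinguished name are placeholders.

```powershell
Import-Module ActiveDirectory

# Assumption: OU1 sits directly under a domain named example.com; adjust the DN.
$ou = 'OU=OU1,DC=example,DC=com'

# Standalone managed service accounts have the object class
# msDS-ManagedServiceAccount.
$filter = '(objectClass=msDS-ManagedServiceAccount)'

$msas = Get-ADObject -SearchBase $ou -SearchScope Subtree -LDAPFilter $filter `
    -Properties ProtectedFromAccidentalDeletion

# Report which accounts are unprotected before changing anything.
$unprotected = @($msas | Where-Object { -not $_.ProtectedFromAccidentalDeletion })
$unprotected | Select-Object Name, DistinguishedName

# Protect the account objects themselves. Protecting OU1 with
# Set-ADOrganizationalUnit would not cover the objects inside it.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true

# Verify: this query should now return nothing.
Get-ADObject -SearchBase $ou -SearchScope Subtree -LDAPFilter $filter `
    -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName
```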

 

 

QUESTION 386

Your network contains an Active Directory forest named adatum.com.

 

All client computers used by the marketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for the marketing department are in an OU named Marketing Users.

 

You purchase a new application.

 

You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must only be available from the marketing department computers.

 

What should you do?

 

A.

Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a shared folder on the network. Assign the application.

B.

Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the application.

C.

Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department computer. Publish the application.

D.

Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a folder on each marketing department computer. Publish the application.

 

Correct Answer: B

Explanation:

The software must only be available on the marketing department computers, so we must link the GPO to the Marketing Computers OU. Next we need to assign the application to the Marketing Computers OU.

 

Reference:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 399

 

Assigning Software to Computers

When you assign software to computers, it is available to all authenticated users of the computer, regardless of their group membership or privileges. The software package is installed when the computer is next restarted after the package has been assigned. For example, suppose that you have a design application that should be available on all computers in the Engineering OU but not to computers elsewhere on your network. You would assign this application to computers in a Group Policy object (GPO) linked to the Engineering OU.


QUESTION 387

Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.

 

An administrator changes the password of the user account that is used by AD RMS.

 

You need to update AD RMS to use the new password.

 

Which console should you use?

 

A.

Active Directory Rights Management Services

B.

Active Directory Users and Computers

C.

Local Users and Groups

D.

Services

 

Correct Answer: A

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx

 

AD RMS How To: Change the RMS Service Account Password

 

The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.

 

It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.

 

 

QUESTION 388

DRAG DROP

Your company plans to open a new branch office.

 

The new office will have a low-speed connection to the Internet.

 

You plan to deploy a read-only domain controller (RODC) in the branch office.

 

You need to create an offline copy of the Active Directory database that can be used to install the Active Directory on the new RODC.

 

Which commands should you run from Ntdsutil?

 

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

 

[Image: list of actions and answer area]

 

Correct Answer:

[Image: answer area with the actions in the correct order]

 

 

QUESTION 389

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

 

You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template.

 

Which snap-in should you use?

 

A.

Enterprise PKI

B.

TPM Management

C.

Certificates

D.

Active Directory Users and Computers

E.

Authorization Manager

F.

Certification Authority

G.

Group Policy Management

H.

Security Templates

I.

Certificate Templates

 

Correct Answer: I

Explanation:

http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/962be5d1-d824-4dd8-a501-3c3a9d600083

 

The user should have proper permission on Certificate Templates. Please follow the steps below for troubleshooting:

1. Open MMC, add Certificate Templates snap-in.

2. Double-click IPSec (Offline Request), switch to Security tab, give the user Read and Enroll rights.

3. Close and restart IE on the client's computer to test.

 

 

QUESTION 390

Your network contains a domain controller that runs Windows Server 2008 R2.

 

You run the following command on the domain controller:

 

dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess

 

The command fails.

 

You need to ensure that the command completes successfully.

 

How should you modify the command?

 

A.

Change the value of the -dbpath parameter.

B.

Include the path to Dsamain.

C.

Change the value of the -ldapport parameter.

D.

Remove the -allowNonAdminAccess parameter.

 

Correct Answer: C

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 690

 

Use the AD DS database mounting tool to load the snapshot as an LDAP server.

 

dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport portnumber

 

Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS.

 

Also note that you can use the minus (-) sign or the slash (/) for the options in the command.
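The corrected command can be wrapped in a short script that checks the port first and then reads from the mounted snapshot. This is an added example, not part of the original page or the cited book; the port number 51389 is an arbitrary choice above 40,000, and the snapshot is assumed to be mounted already at the path from the question.

```powershell
Import-Module ActiveDirectory

# Snapshot path from the question, written in all caps as the book advises.
$dbPath   = 'C:\$SNAP_201006170326_VOLUMEC$\WINDOWS\NTDS\NTDS.DIT'
# Assumption: 51389 is an arbitrary free port above 40,000.
$ldapPort = 51389

# On a domain controller AD DS already listens on 389, so the chosen port
# must not be in use. Check the listening TCP sockets before starting.
$pattern = ':{0}\s+\S+\s+LISTENING' -f $ldapPort
if (netstat -ano -p tcp | Select-String -Pattern $pattern) {
    throw "Port $ldapPort is already in use; choose another port."
}

# -allowNonAdminAccess is left out, so only administrators can read
# the data exposed by the mounted snapshot.
$dsamain = Start-Process -FilePath dsamain.exe -PassThru `
    -ArgumentList '-dbpath', $dbPath, '-ldapport', $ldapPort

try {
    # Give the mounted instance a moment to start listening.
    Start-Sleep -Seconds 5

    # Query the snapshot instead of the live directory.
    Get-ADUser -Filter * -Server "localhost:$ldapPort" -ResultSetSize 5 |
        Select-Object SamAccountName, DistinguishedName
}
finally {
    # Stop the mounted instance when finished.
    Stop-Process -Id $dsamain.Id
}
```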

 
