[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 391-400

Ensurepass

QUESTION 391

Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2.

 

The DNS zone for contoso.com is Active Directory-integrated.

 

You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1.

 

You discover that RODC1 does not have any DNS application directory partitions.

 

You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.

 

What should you do? (Each correct answer presents a complete solution. Choose two.)

 

A.

From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.

B.

Run ntdsutil.exe. From the Partition Management context, run the create nc command.

C.

Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.

D.

Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.

E.

Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

 

Correct Answer: DE

Explanation:

http://technet.microsoft.com/en-us/library/cc742490.aspx

 

RODC Post-Installation Configuration

 

If you install DNS server after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions.

 

To enlist a DNS server in a DNS application directory partition

1. Open an elevated command prompt.

2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

 

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:

 

dnscmd RODC01 /EnlistDirectoryPartition DomainDNSZones.child.contoso.com

 

You might encounter the following error when you run this command:

 

Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF

 

If this error appears, use NTDSUTIL to add the RODC for the partition to be replicated:

 

1. ntdsutil

2. partition management

3. connections

4. Connect to a writeable domain controller (not an RODC): connect to server <WriteableDC>.Child.contoso.com

5. quit

6. To enlist this server in the replication scope for this zone, run the following command: add NC Replica DC=DomainDNSZones,DC=Child,DC=Contoso,DC=Com <rodc Server>.Child.contoso.com

 

Original explanation:

 

Please Check but I think this should be A and C and not A and D.

 

I have changed it to A and C.

 

Reason: Once the application directory partition is created, contoso.com should replicate to it.

 

Dnscmd /enlistdirectorypartition — Adds the DNS server to the specified directory partition’s replica set.

 

Dnscmd /createbuiltindirectorypartitions — Creates a DNS application directory partition. When DNS is installed, an application directory partition for the service is created at the forest and domain levels. Use this command to create DNS application directory partitions that were deleted or never created. With no parameter, this command creates a built-in DNS directory partition for the domain.

 

To create the default DNS application directory partitions

 

Using the Windows interface

 

Open DNS.

 

In the console tree, right-click the applicable DNS server.

 

Where?

 

DNS/applicable DNS server

 

Click Create Default Application Directory Partitions.

 

Follow the instructions to create the DNS application directory partitions.
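The enlist procedure above, including the ntdsutil fallback for error 8367, as an added PowerShell example that is not part of the original page or the Microsoft article it quotes. The names RODC1, DC1 and contoso.com are assumptions; run it elevated as a Domain Admin on a writable DC. dnscmd /EnumDirectoryPartitions is used before and after so the script does nothing when the RODC is already enlisted and shows the result when it is not.

```powershell
# Added example: enlist an RODC in the domain-wide DNS application directory
# partition, falling back to "ntdsutil ... add nc replica" when dnscmd fails
# with ERROR_DS_COULDNT_CONTACT_FSMO (8367 / 0x20AF).
# Assumed names (not from the page): RODC1, DC1.contoso.com, contoso.com.
$Rodc        = 'RODC1'
$WritableDc  = 'DC1.contoso.com'
$Domain      = 'contoso.com'
$DomainDn    = 'DC=' + (($Domain -split '\.') -join ',DC=')   # DC=contoso,DC=com
$Partition   = "DomainDnsZones.$Domain"
$PartitionDn = "DC=DomainDnsZones,$DomainDn"

# 1. Is the RODC already enlisted? /EnumDirectoryPartitions prints one line per
#    partition; an enlisted one reads "<name>  Enlisted Auto Domain", a missing
#    one reads "Not-Enlisted", which the regex below deliberately does not match.
$before = (& dnscmd.exe $Rodc /EnumDirectoryPartitions 2>&1) -join "`n"
if ($before -match "(?m)^\s*$([regex]::Escape($Partition))\s+Enlisted") {
    Write-Host "$Rodc is already enlisted in $Partition"
    return
}

# 2. Normal path: ask the RODC's DNS server to enlist itself.
$out = (& dnscmd.exe $Rodc /EnlistDirectoryPartition $Partition 2>&1) -join "`n"
if ($out -match 'Command completed successfully') {
    Write-Host "Enlisted $Rodc in $Partition via dnscmd"
}
elseif ($out -match '8367|0x20AF|ERROR_DS_COULDNT_CONTACT_FSMO') {
    # 3. Fallback from the article: add the RODC as a replica of the partition
    #    from a writable DC. ntdsutil takes its menu commands as quoted arguments.
    & ntdsutil.exe 'partition management' 'connections' `
        "connect to server $WritableDc" 'quit' `
        "add nc replica $PartitionDn ${Rodc}.${Domain}" 'quit' 'quit'
}
else {
    throw "dnscmd failed:`n$out"
}

# 4. Verify. The partition is replicated to RODC1 on the next replication cycle;
#    repadmin /syncall against DC1 pushes it without waiting.
& dnscmd.exe $Rodc /EnumDirectoryPartitions
```

The first check matters operationally: enlisting a server that is already a replica is harmless, but the fallback path edits the partition's replica set from a writable DC, which is exactly the privileged operation the article says an RODC must not be able to perform on its own.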

 

 

QUESTION 392

A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.

 

You add multiple DNS records to the zone.

 

You need to ensure that the new records are available on all DNS servers as soon as possible.

 

Which tool should you use?

 

A.

Ntdsutil

B.

Dnscmd

C.

Repadmin

D.

Nslookup

 

Correct Answer: C

Explanation:

Because the zone is Active Directory-integrated, the new records are directory objects in the DNS application directory partition (DomainDnsZones by default) and reach the other DNS servers through AD replication. Repadmin can force that partition to replicate to all partners immediately instead of waiting for the replication schedule.

 

Reference:

http://technet.microsoft.com/en-us/library/cc811569.aspx

 

Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.

 

Force a replication event with all partners

 

The repadmin /syncall command synchronizes a specified domain controller with all replication partners.

 

Syntax

 

repadmin /syncall <DC> [<NamingContext>] [<Flags>]

 

Parameters

 

<DC>

 

Specifies the host name of the domain controller to synchronize with all replication partners.

 

<NamingContext>

 

Specifies the distinguished name of the directory partition.

 

<Flags>

 

Performs specific actions during the replication.
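A worked run of repadmin /syncall for this scenario, added here and not part of the original page or the TechNet article. DC1 is assumed to be the DC where the records were added, and the zone is assumed to live in the default DomainDnsZones partition of contoso.com; a zone stored in the domain partition (the legacy location) would need that partition's DN instead.

```powershell
# Added example: push newly added DNS records out of the DomainDnsZones
# partition immediately and confirm every partner took them.
# Assumed names (not from the page): DC1, DC=DomainDnsZones,DC=contoso,DC=com.
$SourceDc    = 'DC1'
$PartitionDn = 'DC=DomainDnsZones,DC=contoso,DC=com'

# Flags: /e crosses site boundaries, /d reports partners by distinguished name,
# /P pushes from $SourceDc outward (the default is a pull into $SourceDc, which
# would not move records that were just written there). /A would sync every
# partition; naming the partition keeps the run small.
& repadmin.exe /syncall $SourceDc $PartitionDn /e /d /P

# Verification: /showrepl /csv returns one row per partner per partition, with
# the failure count and last success time for each inbound connection.
$rows = & repadmin.exe /showrepl $SourceDc /csv | ConvertFrom-Csv
$rows |
    Where-Object { $_.'Naming Context' -eq $PartitionDn } |
    Select-Object 'Source DSA', 'Number of Failures', 'Last Success Time', 'Last Failure Status' |
    Format-Table -AutoSize
```

A non-zero "Number of Failures" on a row means the sync did not reach that partner, and the records will not be visible on its DNS server until the cause (usually a connectivity or RPC problem) is fixed; repadmin /replsummary gives the same picture for the whole forest in one table.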

 

 

QUESTION 393

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

 

You need to ensure that all of the members of a group named Group1 can view the event log entries for Certificate Services.

 

Which snap-in should you use?

 

A.

Certificate Templates

B.

Certification Authority

C.

Authorization Manager

D.

Active Directory Users and Computers

E.

TPM Management

F.

Security Templates

G.

Group Policy Management

H.

Enterprise PKI

I.

Certificates

 

Correct Answer: G

Explanation:

We can make Group1 a member of the built-in Event Log Readers group, which gives its members read access to all event logs, including the Application log that Certificate Services writes to. The membership is enforced on the CA with a Restricted Groups policy, which is configured using Group Policy Management.

 

Reference 1:

It’s a bit hard to find some good, clear reference for this. There’s nothing wrong with doing it yourself, so here’s what I did in VMWare, using a domain controller and a member server.

Click along if you want!

 

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

 

Start the Group Policy Management console on DC01.

Right-click the Events OU and choose “Create a GPO in this domain, and Link it here…”

I named the GPO “EventLog_TESTGROUP”

Right-click the “EventLog_TESTGROUP” GPO and choose “Edit…”

Go to Computer Configuration Policies Windows Settings Security Settings and select “Restricted Groups”

Right-click “Restricted Groups” and choose “Add Group…”

Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let’s do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.

Click the Browse button next to “Members of this group”, search for the TESTGROUP group and add it.

 

It should look like this now:

Click OK.

On MEM01 open a command prompt and run gpupdate /force.

Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.

 


 

Reference 2:

http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

 

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003, follow the steps below.

 

(…)

 

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the built-in Event Log Readers group.
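Two things a practitioner wants after the walkthrough above: a check that the Restricted Groups policy actually landed on the CA, and a tighter option when Event Log Readers is more than the group should have, since that group can read every log on the machine, the Security log included. Both are shown below as an added example that is not from the page or the quoted blog. CONTOSO\Group1 is assumed, the script is assumed to run on the CA, and the Application log is used because that is where Certificate Services logs by default.

```powershell
# Added example: verify the Event Log Readers membership, then show the
# least-privilege alternative of an ACE on a single event log channel.
# Assumed (not from the page): group CONTOSO\Group1, run locally on the CA.
$Group = 'CONTOSO\Group1'

# 1. Same check as "see that the group is now a member", scripted.
$members = & net.exe localgroup 'Event Log Readers'
if ($members -contains $Group) {
    "$Group is a member of Event Log Readers"
} else {
    "$Group is NOT a member yet: run gpupdate /force and check gpresult /r for the GPO"
}

# 2. Narrower alternative: grant read (0x1) on the Application channel only.
#    wevtutil gl shows the channel's SDDL on its channelAccess line; the ACE
#    for the built-in Event Log Readers group (S-1-5-32-573) is the same shape.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$line    = (& wevtutil.exe gl Application | Select-String '^channelAccess:').Line
$current = $line -replace '^channelAccess:\s*', ''
if ($current -notmatch [regex]::Escape($sid)) {
    $new = $current + "(A;;0x1;;;$sid)"
    & wevtutil.exe sl Application "/ca:$new"
}
& wevtutil.exe gl Application | Select-String '^channelAccess:'
```

The channel ACE survives reboots but is overwritten if a GPO sets "Configure log access" for that log, so in a domain the same SDDL should be deployed through the policy rather than with wevtutil on one host. The exam answer is still Group Policy Management; the channel ACE is the option to reach for when "read the CA's events" must not also mean "read the Security log".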

 

 

QUESTION 394

Your network contains an Active Directory-integrated DNS zone named contoso.com.

 

You discover that the zone includes DNS records for computers that were removed from the network.

 

You need to ensure that the DNS records are deleted automatically from the zone.

 

What should you do?

 

A.

From DNS Manager, set the aging properties.

B.

Create a scheduled task that runs dnslint.exe /v /d contoso.com.

C.

From DNS Manager, modify the refresh interval of the start of authority (SOA) record.

D.

Create a scheduled task that runs ipconfig.exe /flushdns.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc753217.aspx

 

Set Aging and Scavenging Properties for the DNS Server

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server.

 

To set aging and scavenging properties for the DNS server using the Windows interface

1. Open DNS Manager.

2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.

3. Select the Scavenge stale resource records check box.

4. Modify other aging and scavenging properties as needed.
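The same configuration as the DNS Manager steps above, done with dnscmd so it can be reviewed and repeated, as an added example that is not from the page or the TechNet article. DC1 and contoso.com are assumed. The two points the GUI hides are that aging is a per-zone setting while scavenging is a per-server setting, and that a record is only eligible after both the no-refresh and refresh intervals have elapsed since its timestamp.

```powershell
# Added example: enable aging on a zone, enable scavenging on one server, and
# inspect what is eligible before any record is deleted.
# Assumed (not from the page): server DC1, zone contoso.com. Intervals are hours.
$Server = 'DC1'
$Zone   = 'contoso.com'

# 1. Zone-level aging. A dynamic record becomes stale once its timestamp is older
#    than NoRefresh + Refresh (7 d + 7 d here). Static records carry a timestamp
#    of 0 and are never scavenged, so manually created records are safe.
& dnscmd.exe $Server /Config $Zone /Aging 1
& dnscmd.exe $Server /Config $Zone /NoRefreshInterval 0xA8   # 168 h = 7 days
& dnscmd.exe $Server /Config $Zone /RefreshInterval   0xA8

# 2. Server-level scavenging, on this server only. Every DC running DNS holds
#    the zone, so enabling the sweep on one of them is enough and keeps the
#    deletions traceable to a single host.
& dnscmd.exe $Server /Config /ScavengingInterval 0xA8

# 3. Review before the first sweep: /ZoneInfo shows the effective aging values,
#    /EnumRecords ... /Detail prints each record's aging timestamp (hours since
#    1601-01-01; 0 means static).
& dnscmd.exe $Server /ZoneInfo $Zone
& dnscmd.exe $Server /EnumRecords $Zone '@' /Type A /Detail

# 4. Only once the timestamps look right, run a sweep now instead of waiting:
# & dnscmd.exe $Server /StartScavenging
```

Keep the no-refresh interval at or above the DHCP lease time divided by two, otherwise clients that renew on schedule never get a chance to refresh their records and the scavenger removes live hosts. The /EnumRecords step is the cheap way to confirm that before the first /StartScavenging.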

 

 

QUESTION 395

Your network contains an Active Directory domain named contoso.com.

 

A partner company has an Active Directory domain named nwtraders.com.

 

The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.

 

You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on the Internet.

 

What should you do first?

 

A.

Modify the Trusted Root Certification Authorities store.

B.

Modify the Intermediate Certification Authorities store.

C.

Create conditional forwarders.

D.

Add a root hint to the DNS server.

Correct Answer: C

Explanation:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 114-115

 

Conditional Forwarders

You can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolution for specified domains only. In other words, the local DNS server will forward all the queries that it receives for names ending with a specific domain name to the conditional forwarder. This is especially useful in situations where users in your company need access to resources in another company with a separate AD DS forest and DNS zones, such as a partner company. In such a case, specify a conditional forwarder that directs such queries to the DNS server in the partner company while other queries are forwarded to the Internet. Doing so reduces the need for adding secondary zones for partner companies on your DNS servers.

 

 

QUESTION 396

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

 

You need to compact the Active Directory database.

 

What should you do?

 

A.

Run the Get-ADForest cmdlet.

B.

Configure subscriptions from Event Viewer.

C.

Run the eventcreate.exe command.

D.

Configure the Active Directory Diagnostics Data Collector Set (DCS).

E.

Create a Data Collector Set (DCS).

F.

Run the repadmin.exe command.

G.

Run the ntdsutil.exe command.

H.

Run the dsquery.exe command.

I.

Run the dsamain.exe command.

J.

Create custom views from Event Viewer.

 

Correct Answer: G

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc794920.aspx

Compact the Directory Database File (Offline Defragmentation)

You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity. Performing offline defragmentation creates a new, compacted version of the database file in a different location.

 

Reference 2:

Mastering Windows Server 2008 R2 (Sybex, 2010) page 805

Performing Offline Defragmentation of Ntds.dit

These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.

1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.

2. Type ntdsutil, and then press Enter.

3. Type Activate instance NTDS, and press Enter.

4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.

5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
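The five steps above stop at "compact to", which only produces a new file; the live database is unchanged until it is swapped in and its transaction logs discarded. The added script below carries the whole cycle through, with an integrity check on the compacted copy before anything is replaced. It is not from the page or the quoted books. It assumes a scratch folder D:\Compact with room for a copy of ntds.dit, reads the real database and log paths from the NTDS registry key, and relies on Windows Server 2008+ AD DS being a restartable service, so no reboot into DSRM is needed. Take a system state backup first.

```powershell
# Added example: full offline defragmentation of ntds.dit with safety checks.
# Assumed (not from the page): scratch folder D:\Compact; run elevated on the DC.
$Scratch = 'D:\Compact'
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit     = (Get-ItemProperty $ntdsKey).'DSA Database file'        # ...\NTDS\ntds.dit
$logDir  = (Get-ItemProperty $ntdsKey).'Database log files path'  # ...\NTDS
New-Item -ItemType Directory -Force -Path $Scratch | Out-Null

# 1. Stop AD DS (/y also stops dependents such as KDC and DNS on this DC).
& net.exe stop ntds /y

try {
    # 2. Compact into the scratch folder. ntdsutil takes each menu command as one
    #    quoted argument; a path containing spaces would need inner quotes.
    & ntdsutil.exe 'activate instance ntds' files "compact to $Scratch" quit quit
    if (-not (Test-Path "$Scratch\ntds.dit")) { throw 'compact produced no ntds.dit' }

    # 3. Check the NEW file before touching the live one.
    $check = & esentutl.exe /g "$Scratch\ntds.dit"
    if ($LASTEXITCODE -ne 0) { throw "esentutl /g failed:`n$($check -join "`n")" }

    # 4. Swap in: keep a copy of the old file, copy the compacted one over it and
    #    delete the old transaction logs, which no longer match the database.
    Copy-Item $dit "$Scratch\ntds.dit.bak" -Force
    Copy-Item "$Scratch\ntds.dit" $dit -Force
    Remove-Item (Join-Path $logDir '*.log') -Force

    # 5. The "check directory database integrity" step from the reference, which
    #    must run while AD DS is still stopped.
    & ntdsutil.exe 'activate instance ntds' files integrity quit quit
}
finally {
    # 6. Bring the directory back whatever happened above.
    & net.exe start ntds
}
```

If the integrity check in step 5 fails, copy ntds.dit.bak back over the database before starting AD DS, or the DC comes up with a corrupt directory. On a DC that also runs DNS, name resolution for clients pointing at it is down for the whole stopped window, which is why this is usually done on a DC that is not the only one in its site.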

 

 

QUESTION 397

Your network contains an Active Directory domain named contoso.com.

 

Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1.

 

You need to view the most recent user accounts authenticated by RODC1.

 

What should you do first?

 

A.

From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now.

B.

From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now.

C.

From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.

D.

From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx#BKMK_Auth2

 

To view authenticated accounts using Active Directory Users and Computers

1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

3. Click Domain Controllers.

4. In the details pane, right-click the RODC computer account, and then click Properties.

5. Click the Password Replication Policy tab.

6. Click Advanced.

7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.
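The command-line equivalent of the Advanced dialog above, added here and not part of the page or the TechNet guidance. It makes the point behind answer C explicit: the list of accounts an RODC has authenticated is stored in msDS-AuthenticatedAtDC on each user object, which the RODC cannot write itself, so the data is written by the writable DC and that is where it must be read. RODC1, DC1 and contoso.com are assumed.

```powershell
# Added example: list the accounts RODC1 has authenticated, from a writable DC.
# Assumed (not from the page): RODC1, DC1, domain contoso.com.
$Rodc = 'RODC1'
$Dc   = 'DC1'

# repadmin /prp view: auth2 = accounts authenticated by the RODC,
# reveal = accounts whose secrets are cached on it (the other useful view).
& repadmin.exe /prp view $Rodc auth2

# Same data over LDAP without the AD module (useful on 2008 R2 tooling):
# the RODC's computer object carries the back-link msDS-AuthenticatedToAccountlist.
$root     = [ADSI]"LDAP://$Dc/RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Dc/$($root.defaultNamingContext)"
$searcher.Filter     = "(&(objectClass=computer)(sAMAccountName=$Rodc`$))"
$searcher.PropertiesToLoad.Add('msDS-AuthenticatedToAccountlist') | Out-Null
$result = $searcher.FindOne()
if (-not $result) { throw "computer object for $Rodc not found on $Dc" }
$result.Properties['msds-authenticatedtoaccountlist'] | Sort-Object
```

Answer D fails for the same reason the script connects to DC1: pointing Active Directory Users and Computers at the RODC shows the read-only copy of the attribute, which is only as fresh as the last inbound replication, and the Password Replication Policy dialog itself needs a writable DC.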

QUESTION 398

Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

 

You need to generate a file that contains the last logon time and the custom attribute values for each user in the forest.

 

What should you use?

 

A.

the Get-ADUser cmdlet

B.

the Export-CSV cmdlet

C.

the Net User command

D.

the Dsquery User tool

 

Correct Answer: A

Explanation:

Export-Csv cannot query the directory; it only writes the objects piped into it to a file.

Net User is too limited for our question.

Get-ADUser

References:

https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs-o-is-for-output.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

 

Export-Csv

Reference:

http://technet.microsoft.com/en-us/library/ee176825.aspx

 

Saving Data as a Comma-Separated Values File

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt: Get-Process | Export-Csv C:\Scripts\Test.txt.

 

Net User

 

Reference:

http://technet.microsoft.com/en-us/library/cc771865.aspx

 

Adds or modifies user accounts, or displays user account information.

 

DSQUERY

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc754232.aspx

 

Parameters

 

{<StartNode> | forestroot | domainroot}

 

Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog.

-attr {<AttributeList> | *} Specifies that the semicolon separated LDAP display names included in <AttributeList> for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name.

 

Reference 2:

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b

 

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the start node, instead of forestroot, which is what we need.

 

Reference 3:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/

 

Lists the last logon time for all users, regardless of whether they are disabled:

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >> c:\last_logon_for_all.txt
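What the Get-ADUser answer looks like end to end, as an added example that is not from the page or its references: one CSV for every user in the forest, with the custom attribute and a last logon time. The page does not name the custom attribute, so contosoBadgeId below is a placeholder. The script also shows the lastLogon versus lastLogonTimestamp distinction the third reference is about: lastLogonTimestamp replicates and is fine for "has this account been used recently", lastLogon is exact but held per DC.

```powershell
# Added example: forest-wide export of custom attribute + last logon to CSV.
# Requires the ActiveDirectory module (RSAT). Placeholders, not from the page:
# the custom attribute's LDAP display name and the output path.
Import-Module ActiveDirectory
$CustomAttr = 'contosoBadgeId'          # placeholder for the forest's custom attribute
$OutFile    = 'C:\Temp\forest-users.csv'

$rows = foreach ($domain in (Get-ADForest).Domains) {
    # -Server <domain> queries a DC of that domain over LDAP, so custom attributes
    # are returned even if they are not published to the global catalog.
    # lastLogonTimestamp is replicated but refreshed only when the stored value is
    # older than msDS-LogonTimeSyncInterval (14 days by default): read it as
    # "last logon, give or take two weeks".
    Get-ADUser -Server $domain -Filter * -Properties lastLogonTimestamp, $CustomAttr |
        ForEach-Object {
            $ts = $_.lastLogonTimestamp
            [pscustomobject]@{
                Domain            = $domain
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogonApprox   = $(if ($ts) { [DateTime]::FromFileTime($ts) } else { $null })
                $CustomAttr       = $_.$CustomAttr
            }
        }
}
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# When the exact time matters (an incident timeline, say), lastLogon is precise
# but never replicated: ask every DC in the domain and keep the newest value.
function Get-ExactLastLogon {
    param([string]$Domain, [string]$SamAccountName)
    $latest = 0
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        $u = Get-ADUser -Server $dc.HostName -Identity $SamAccountName -Properties lastLogon
        if ($u.lastLogon -gt $latest) { $latest = $u.lastLogon }
    }
    if ($latest) { [DateTime]::FromFileTime($latest) }
}
# Get-ExactLastLogon -Domain contoso.com -SamAccountName jdoe
```

The dsquery line above produces a similar list for one domain, but only lastLogon as a raw FILETIME and only from the DC it happens to query, which is why the forest-wide, replicated attribute is the right starting point and dsquery is the wrong answer for the question as asked.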

 

 

QUESTION 399

You have an Active Directory domain named contoso.com.

 

You need to view the account lockout threshold and duration for the domain.

 

Which tool should you use?

 

A.

Net User

B.

Active Directory Users and Computers

C.

Group Policy Management Console (GPMC)

D.

Computer Management

 

Correct Answer: C

Explanation:

Account lockout threshold and account lockout duration are Account Policies settings (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy). They apply domain-wide and are defined in the Default Domain Policy GPO, so the Group Policy Management Console is where they are viewed. The effective values can also be read from a command prompt with net accounts, or with Get-ADDefaultDomainPasswordPolicy from the Active Directory module. Net User, Active Directory Users and Computers and Computer Management show individual accounts or local settings, not the domain policy.

 

 

QUESTION 400

Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2008.

 

From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).

 

What should you do first?

 

A.

Raise the functional level of the forest

B.

Modify the tombstone lifetime of the forest.

C.

Restore the system state.

D.

Raise the functional level of the domain.

Correct Answer: C

Explanation:

The Active Directory Recycle Bin cannot be used here: it requires the Windows Server 2008 R2 forest functional level, this forest is at Windows Server 2003, and in any case it only recovers objects deleted after it was enabled (see the reference below). The OU must therefore come back from backup, and restoring the system state is the step that precedes marking the OU authoritative in ntdsutil.

 

Reference:

Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297

 

Active Directory Recycle Bin Recovery

Let’s begin this section with a very clear statement: If you need to recover a deleted Active Directory object and the Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceed to the “Active Directory Authoritative Restore” section.

 

Active Directory Authoritative Restore

When Active Directory has been modified and needs to be restored to a previous state, and this rollback needs to be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore of Active Directory can include the entire Active Directory database, a single object, or a container, such as an organizational unit including all objects previously stored within the container. To perform an authoritative restore of Active Directory, perform the System State restore of a domain controller.
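The restore sequence the answer points to, written out as it is typed on the DC, as an added example that is not from the page or the quoted book. Assumed: a Windows Server Backup system state backup exists, the OU is OU=Sales,DC=contoso,DC=com, and the DC has already been rebooted into Directory Services Restore Mode (bcdedit /set safeboot dsrepair, then a restart) and logged on with the DSRM administrator account. The version id is a placeholder taken from the wbadmin listing.

```powershell
# Added example: system state restore followed by an authoritative restore of
# one OU. Runs in DSRM on the DC. Placeholders, not from the page: the backup
# version id and the OU distinguished name.

# 1. Choose the backup and restore system state. On its own this is a
#    non-authoritative restore: replication would overwrite it again.
& wbadmin.exe get versions
$Version = '02/10/2016-22:00'          # placeholder: MM/DD/YYYY-HH:MM from the list
& wbadmin.exe start systemstaterecovery -version:$Version -quiet

# 2. Still in DSRM, before the reboot: mark the OU subtree authoritative.
#    ntdsutil raises the version number of every object under the OU by 100000
#    per day since backup, so this DC's copy wins against every replication
#    partner. The DN has no spaces; one containing spaces must be quoted.
$OuDn = 'OU=Sales,DC=contoso,DC=com'
& ntdsutil.exe 'activate instance ntds' 'authoritative restore' `
    "restore subtree $OuDn" quit quit

# 3. ntdsutil writes .ldf/.txt files for back-links (group memberships of the
#    restored users) into the current directory; keep them for ldifde -i -k -f
#    on a DC after replication if the OU held group members.
Get-ChildItem -Path . -Filter 'ar_*' | Select-Object Name

# 4. Leave DSRM and let the restored OU replicate out.
& bcdedit.exe /deletevalue safeboot
& shutdown.exe /r /t 0
```

Order is the point of the question: "restore subtree" acts on the database that is currently on disk, so running it before the system state restore would mark the already-deleted state authoritative and replicate the deletion back out again.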

 
