[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 401-410

Ensurepass

QUESTION 401

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2.

 

You perform a full backup of the domain controllers every night by using Windows Server Backup.

 

You update a script in the 5YSVOL folder. The new script fails to run properly.

 

You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script.

 

What should you do first?

 

A.

Run the Restore-ADObject cmdlet.

B.

Attach the VHD file created by Windows Server Backup.

C.

Run the NTDSUtil.exe command-line tool.

D.

Restore the system state to its original location.

 

Correct Answer: B

 

 

QUESTION 402

HOTSPOT

Your network contains an Active Directory forest named contoso.com.

 

The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days.

 

You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days.

 

Which tool should you use to create these accounts?

 

To answer, select the appropriate tool in the answer area.

 

clip_image002

 

Correct Answer:

clip_image004

 

 

 

QUESTION 403

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com. The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and DC2 have the DNS Server server role installed.

 

You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted.

 

What should you do?

 

A.

Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure inbound rules and outbound rules by using Windows Firewall with Advanced Security. Create a secondary zone on DC2 and select DC1 as the master.

B.

Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso, DC=com naming context.

C.

Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com naming context. Create a secondary zone on DC1 and select DC2 as the master.

D.

Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the zone. Create a secondary zone on DC2 and select DC1 as the master.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc781101.aspx

 

Securing DNS Zone Replication

 

Using Active Directory Replication

 

Replicating zones as part of Active Directory replication provides the following security benefits:

 

Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted automatically.

 

(…)

 

Reference:

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

 

DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (correct and complete) to the information on the authoritative DNS server. DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted.

 

Reference:

http://www.nlnetlabs.nl/publications/dnssec_howto/

 

Voorbeeld opbouw DNSSEC records.

 

Reference:

http://www.efficientip.com/dnssec

 

It is important to note that DNSSEC does not supply a solution for data confidentiality but only a validation of DNS data authenticity and integrity. All information exchanged is not encrypted; it is only the signature which is encrypted.

 

Reference:

http://technet.microsoft.com/en-us/library/ee649277.aspx

 

Zone transfers Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned zone. All of the resource records, including DNSSEC resource records, are transferred from the primary server to the secondary servers with no additional setup requirements.

 

 

QUESTION 404

Your network contains an Active Directory forest.

 

All users have a value set for the Department attribut
e.

 

From Active Directory Users and computers, you search a domain for all users who have a Department attribute value of Marketing.

 

The search returns 50 users.

 

From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing.

 

The search does not return any users.

 

You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute.

 

What should you do?

 

A.

Install the Windows Search Service role service on a global catalog server.

B.

From the Active Directory Schema snap-in, modify the properties of the Department attribute.

C.

Install the Indexing Service role service on a global catalog server.

D.

From the Active Directory Schema snap-in, modify the properties of the user class.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

 

Global Catalog Partial Attribute Set

The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

 

 

 

 

 

 

 

 

QUESTION 405

DRAG DROP

Your network contains an Active Directory forest named contoso.com.

 

All client computers used by the sales department are in an organizational unit (OU) named Sales Computers. All user accounts for the sales department are in an OU named Sales Users.

 

You purchase a new application.

 

You need to ensure that every user in the domain who logs on to a sales department computer can use the application. The application must only be available from the sales department computers.

 

What should you do?

 

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

 

clip_image006

 

Correct Answer:

clip_image008

 

 

QUESTION 406

Your network contains an Active Directory domain. The domain contains 20 domain controllers.

 

You need to identify which domain controllers are global catalog servers.

 

Which tool should you use?

 

A.

Netsh

B.

Dsquery

C.

Nltest

D.

Get-ADRootDSE

 

Correct Answer: D

 

 

QUESTION 407

Your network contains an Active Directory domain named fabrikam.com. The domain has one Active Directory site.

 

The domain contains an organizational unit (OU) named SalesOU. SalesOU contains all of the user accounts for the sales department. Some of the sales users are temporary employees.

 

You apply a Group Policy object (GPO) named SalesGPO to SalesOU.

 

You need to prevent SalesGPO from being applied to the temporary sales employees. All other sales employees must have SalesGPO applied to them.

 

What should you do?

 

A.

Configure the permissions on the user accounts of the temporary sales employees.

B.

Configure the permissions of SalesGPO.

C.

Link SalesGPO to the site and remove the link for SalesGPO from SalesOU.

D.

Disable the computer configurations of SalesGPO.

 

Correct Answer: B

 

 

QUESTION 408

A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.

 

You add multiple DNS records to the zone.

 

You need to ensure that the new records are available on all DNS servers as soon as possible.

 

Which tool should you use?

 

A.

Repadmin

B.

Active Directory Domains and Trusts console

C.

Ldp

D.

Ntdsutil

 

Correct Answer: A

Explanation:

To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.

 

Reference:

http://technet.microsoft.com/en-us/library/cc811569.aspx

 

Forcing Replication

 

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.

 

Force a replication event with all partners

 

The repadmin /syncall command synchronizes a specified domain controller with all replication partners.

 

Syntax

 

repadmin /syncall <DC> [<NamingContext>] [<Flags>]

 

Parameters <DC> Specifies the host name of the domain controller to synchronize with all replication partners.

 

<NamingContext>

 

Specifies the distinguished name of the directory partition.

 

<Flags>

 

Performs specific actions during the replication.

 

 

 

QUESTION 409

Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains one domain. A two-way forest trust exists between the forests.

 

You plan to add users from fabrikam.com to groups in contoso.com.

 

You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.

 

To which group should you add the users?

 

A.

Group 1: Security Group – Domain Local.

B.

Group 2: Distribution Group – Domain Local.

C.

Group 3: Security Group – Global.

D.

Group 4: Distribution Group – Global.

E.

Group 5: Security Group – Universal.

F.

Group 6: Distribution Group – Universal.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc772808.aspx

 

Best practices for using security groups across forests

By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other forests. Consider the following best practices:

 

To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users in ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the Sales Department to the group.

 

Create the global group AccountsOrder and add users in the Accounting Department to that group.

 

To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group.

 

To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called

 

OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions.

 

To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB.

 

 

 

QUESTION 410

DRAG DROP

Your network contains an Active Directory forest named adatum.com.

 

The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com.

 

You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table.

 

clip_image010

 

What should you do?

 

To answer, drag the appropriate group type to the correct group name in the answer area.

 

clip_image012

 

Correct Answer:

clip_image014

 

Free VCE & PDF File for Microsoft 70-640 Real Exam

Instant Access to Free VCE Files: MCSE|MCSA|MCITP…
Instant Access to Free PDF Files: MCSE|MCSA|MCITP…