[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 41-50

Ensurepass

QUESTION 41

The default domain GPO in your company is configured by using the following account policy settings:

 

Minimum password length: 8 characters

Maximum password age: 30 days

Enforce password history: 12 passwords remembered

Account lockout threshold: 3 invalid logon attempts

Account lockout duration: 30 minutes

 

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights.

 

The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out.

 

You need to resolve the server failure and prevent recurrence of the failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Reset the password of the SQLSrv user account.

B.

Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user account.

C.

Configure the properties of the SQLSrv account to Password never expires.

D.

Configure the properties of the SQLSrv account to User cannot change password.

E.

Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon locally user right.

 

Correct Answer: AC

Explanation:

Personal comment:

Maximum password age: 30 days

The most probable cause for the malfunction is that the password has expired. You need to reset the password and set it to never expire.
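An added audit (not part of the practice test or its explanation) that catches this failure mode before it takes a server down: it lists domain user accounts that carry a servicePrincipalName, the usual sign that a user account runs a service as SQLSrv does here, and works out when the effective password policy will expire their current password. It assumes the ActiveDirectory PowerShell module (RSAT / AD DS tools) and read access to the domain; the 7-day warning threshold is a constructed default and the SQLSrv name is taken from the scenario.

```powershell
# Added example (not from the practice test): report service-account password expiry
# before the Maximum password age policy silently breaks a service.
# Assumes the ActiveDirectory module (RSAT / AD DS tools) and read access to the domain.
Import-Module ActiveDirectory

function Get-ServiceAccountPasswordStatus {
    param([int]$WarnDays = 7)   # constructed threshold: flag passwords expiring within a week

    # Maximum password age from the default domain policy (30 days in the scenario above).
    $domainMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $now = Get-Date

    # Accounts with an SPN registered are the usual "this user runs a service" candidates.
    $serviceAccounts = Get-ADUser -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*))' `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, ServicePrincipalName

    foreach ($acct in $serviceAccounts) {
        # A fine-grained password policy (PSO) overrides the domain policy when one applies.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $acct -ErrorAction SilentlyContinue
        $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $domainMaxAge }

        $expires = $null
        if ($acct.PasswordNeverExpires -or $maxAge -eq [TimeSpan]::Zero) {
            $status = 'never expires'
        } elseif ($null -eq $acct.PasswordLastSet) {
            $status = 'must change at next logon (pwdLastSet = 0)'
        } else {
            $expires  = $acct.PasswordLastSet + $maxAge
            $daysLeft = [int][math]::Floor(($expires - $now).TotalDays)
            if ($acct.PasswordExpired -or $daysLeft -lt 0) { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays)               { $status = "expires in $daysLeft day(s)" }
            else                                            { $status = 'ok' }
        }

        [PSCustomObject]@{
            SamAccountName  = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            ExpiresOn       = $expires
            Status          = $status
            SPNs            = ($acct.ServicePrincipalName -join ' ')
        }
    }
}

# Example run: show only the accounts that need attention, soonest expiry first.
Get-ServiceAccountPasswordStatus -WarnDays 7 |
    Where-Object { $_.Status -ne 'ok' } |
    Sort-Object ExpiresOn |
    Format-Table -AutoSize

# Remediation matching answers A and C for one account (requires rights on the account):
#   Set-ADAccountPassword -Identity SQLSrv -Reset -NewPassword (Read-Host -AsSecureString 'New password')
#   Set-ADUser -Identity SQLSrv -PasswordNeverExpires $true
```

A password that never expires shifts the burden to its strength, so generate it long and random; and after resetting it in AD the same password must be entered in the SQL Server service's logon configuration, or the service fails to start exactly as it did here.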

 


 

 

QUESTION 42

Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web.

 

You configure and test new security settings for Internet Information Service (IIS) Servers on a server named IISServerA.

 

You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit.

 

What should you do?

 

A.

Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /db webou.inf from the command prompt.

B.

Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit.

C.

Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt.

D.

Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.

Correct Answer: B

Explanation:

http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates

Using Secedit To Apply Security Templates

secedit /configure /db secedit.sdb /cfg "c:\temp\custom.inf" /silent >nul

This command imports a security template file, "custom.inf", into the workstation's or server's local security database. /db must be specified. When specifying the default security database (secedit.sdb), I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option suppresses any pop-ups and the >nul hides the command line output stating success or failure of the action.

 

 

QUESTION 43

Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations:

 

* London

* Chicago

* New York

* Madrid

 

Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department.

 

The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection.

 

You need to install an application on all the computers in the sales department.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users. Link the GPO to each Sales organizational unit.

B.

Disable the slow link detection setting in the Group Policy Object (GPO).

C.

Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).

D.

Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers. Link the GPO to each Sales organizational unit.

 

Correct Answer: BD

Explanation:

http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx

Specifying Group Policy for Slow Link Detection

Administrators can partially control which Group Policy extensions are processed over a slow link. By default, when processing over a slow link, not all components of Group Policy are processed.

Table 2.6 shows the default settings for processing Group Policy over slow links.

 


 

Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link.

http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx

Assigning and Publishing Software

Assigning software to computers

After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on.

Further information:

http://technet.microsoft.com/en-us/library/cc978717.aspx

Group Policy slow link detection

 

 

QUESTION 44

Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server. The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server.

 

The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You restart the computer on the installation media. You select the Repair your computer option.

 

You need to restore the operating system and all files.

 

What should you do?

 

A.

Select the System Image Recovery option.

B.

Run the Imagex utility at the command prompt.

C.

Run the Wbadmin utility at the command prompt.

D.

Run the Rollback utility at the command prompt.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc755163.aspx

Recover the Operating System or Full Server

Applies To: Windows Server 2008 R2

You can recover your server operating system or full server by using Windows Recovery Environment and a backup that you created earlier with Windows Server Backup. You can access the recovery and troubleshooting tools in Windows Recovery Environment through the System Recovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the computer, press F8, and then select Repair Your Computer from the list of startup options.

 

To recover your operating system or full server using a backup created earlier and Windows Setup disc

1. Insert the Windows Setup disc that has the same architecture of the system that you are trying to recover into the CD or DVD drive and start or restart the computer. If needed, press the required key to boot from the disc. The Install Windows Wizard should appear.

2. In Install Windows, specify language settings, and then click Next.

3. Click Repair your computer.

4. Setup searches the hard disk drives for an existing Windows installation and then displays the results in System Recovery Options. If you are recovering the operating system onto separate hardware, the list should be empty (there should be no operating system on the computer). Click Next.

5. On the System Recovery Options page, click System Image Recovery. This opens the Re-image your computer page.

 

http://technet.microsoft.com/en-us/magazine/dd767786.aspx

Use the Wbadmin Backup Command Line Utility in Windows Server 2008

Wbadmin is the command-line counterpart to Windows Server Backup. You use Wbadmin to manage all aspects of backup configuration that you would otherwise manage in Windows Server Backup. This means that you can typically use either tool to manage backup and recovery.

After you've installed the Backup Command-Line Tools feature, you can use Wbadmin to manage backup and recovery. Wbadmin is located in the %SystemRoot%\System32 directory. As this directory is in your command path by default, you do not need to add this directory to your command path.

Further information:

http://technet.microsoft.com/en-us/library/cc754015%28v=ws.10%29.aspx

 

Wbadmin

Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.

 


 

Remarks

The wbadmin command replaces the ntbackup command that was released with previous versions of Windows. You cannot recover backups that you created with ntbackup by using wbadmin. However, a version of ntbackup is available as a download for Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 users who want to recover backups that they created using ntbackup. This downloadable version of ntbackup enables you to perform recoveries only of legacy backups, and it cannot be used on computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 to create new backups.

http://technet.microsoft.com/en-us/library/dd979562%28v=ws.10%29.aspx

Backup and Recovery Overview for Windows Server 2008 R2

Windows Server 2008 R2 contains features to help you create backups and, if needed, perform a recovery of your operating system, applications, and data. By using these features appropriately and implementing good operational practices, you can improve your organization's ability to recover from damaged or lost data, hardware failures, and disasters. For Windows Server 2008 R2, there are new features that expand what you can back up, where you can store backups, and how you can perform recoveries.

 

This table summarizes the tools you can use to perform the following backup or recovery tasks for your computers running Windows Server 2008 R2:

 


 

What is Windows Recovery Environment?

You can access the recovery and troubleshooting tools in Windows Recovery Environment through the System Recovery Options dialog box in the Install Windows Wizard. In Windows Server 2008 R2, to launch this wizard, use the Windows Setup disc or start/restart the computer, press F8, and then select Repair Your Computer from the list of startup options.

Features in Windows Recovery Environment

The tools in Windows Recovery Environment include:

* System Image Recovery. You can use this tool and a backup that you created earlier with Windows Server Backup to restore your operating system or full server.

* Windows Memory Diagnostic. You can use this tool (which is a memory diagnostic schedule) to check your computer's RAM. Doing this requires a restart. In addition, this tool requires a valid Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7 installation to function.

* Command Prompt. This opens a command prompt window with Administrator privileges that provides full access to your file system and volumes. In addition, certain Wbadmin commands are only available from this command window.

 

 

QUESTION 45

Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed.

 

You need to ensure that the user is able to log on to the computer.

 

What should you do?

 

A.

Run the netsh command with the set and machine options.

B.

Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.

C.

Run the netdom TRUST /reset command.

D.

Run the Active Directory Users and Computers console to disable, and then enable the computer account.

 

Correct Answer: B

Explanation:

Correct Answer: Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.

http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx

Trust Relationship between Workstation and Primary Domain failed

What are the common causes which generates this message on client systems?

There might be multiple reasons for this kind of behaviour. Below are listed a few of them:

 

1. Single SID has been assigned to multiple computers.

2. If the Secure Channel is Broken between Domain controller and workstations

3. If there are no SPN or DNSHost Name mentioned in the computer account attributes

4. Outdated NIC Drivers.

 

How to Troubleshoot this behaviour?

If the Secure Channel is Broken between Domain controller and workstations

When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.

If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other. A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.

Resolution:

Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain. (this is a somewhat similar principle to performing a password reset for a user account)

Or

You can go ahead and reset the computer account using the netdom.exe tool.

http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx

Netdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

You can use netdom to:

* Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.

* Manage computer accounts for domain member workstations and member servers. Management operations include:

* Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:

* Verify or reset the secure channel for the following configurations:

  * Member workstations and servers.

  * Backup domain controllers (BDCs) in a Windows NT 4.0 domain.

  * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

* Manage trust relationships between domains.

Syntax

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]

http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx

Netdom reset

Resets the secure connection between a workstation and a domain controller.

Syntax

netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]

Further information:

http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx

Netdom trust

Establishes, verifies, or resets a trust relationship between domains.

Syntax

netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]
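An added example for this question (not from the practice test or the TechNet pages it quotes). Part 1 runs on the workstation whose logon fails and checks the secure channel, repairing it in place when broken, which has the same effect as the netdom reset command above without disjoining or rebooting; part 2 runs from an admin host and lists computer accounts whose machine password has not rotated within the 30-day cycle, the machines most likely to have been switched off or rolled back to a snapshot. It assumes PowerShell 2.0 or later on the client, the ActiveDirectory module (RSAT) for part 2, and a constructed 60-day threshold.

```powershell
# Added example (not from the practice test or the TechNet article it quotes).
# Part 1: run on the workstation that cannot authenticate. Needs local admin rights and a
# domain credential allowed to reset the computer account password.
function Repair-MachineSecureChannel {
    param(
        [Parameter(Mandatory)][PSCredential]$Credential   # e.g. a helpdesk account with "Reset password" on computer objects
    )
    # Test-ComputerSecureChannel returns $true when the channel to a domain controller is healthy.
    if (Test-ComputerSecureChannel) {
        return 'secure channel OK'
    }
    # -Repair resets the machine account password on the DC and in the local LSA secret,
    # the same repair as "netdom reset <Computer> /d:<Domain>" in the explanation above.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        return 'secure channel repaired'
    }
    return 'secure channel BROKEN: check system time, DNS and duplicate SIDs (causes listed above)'
}

# Part 2: run from an admin host with the ActiveDirectory module; lists enabled computer
# accounts whose password has not rotated within $MaxAgeDays. A stale rotation is not a
# broken channel by itself, but a machine restored from a snapshot shows up here first.
function Get-StaleComputerPassword {
    param([int]$MaxAgeDays = 60)   # constructed default: two missed 30-day rotations
    Import-Module ActiveDirectory
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Sort-Object PasswordLastSet |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
            @{ Name = 'PasswordAgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } }
}

# Example runs (interactive):
#   Repair-MachineSecureChannel -Credential (Get-Credential 'CONTOSO\helpdesk')
#   Get-StaleComputerPassword -MaxAgeDays 60 | Format-Table -AutoSize
```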

 

 

QUESTION 46

Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

 

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.

 

You install a new domain controller named DC2 in the branch office. You install DNS on DC2.

 

You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

 

What should you do?

 

A.

Create a new stub zone named ad.contoso.com on DC2.

B.

Create a new standard secondary zone named ad.contoso.com on DC2.

C.

Configure the DNS server on DC2 to forward requests to DC1.

D.

Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

 

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc726034.aspx

Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

How DNS integrates with AD DS

When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones. Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.

By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.

 

 

QUESTION 47

Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.

 

You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A.

Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.

B.

Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.

C.

Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units.


D.

Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators.

 

Correct Answer: AB

Explanation:

http://technet.microsoft.com/en-us/library/cc732524.aspx

Delegate Control of an Organizational Unit

To delegate control of an organizational unit

1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

Where? Active Directory Users and Computers / domain node / organizational unit

3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.

http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx

Delegating Administration of Group Policy

Your Group Policy design will probably call for delegating certain Group Policy administrative tasks.

Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most important factors to consider when assessing the needs of your organization. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group.

You can delegate the following Group Policy tasks:

Creating GPOs

Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc.

Delegating Creation of GPOs

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU.

Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.

Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.

The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate.

Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission:

Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.

Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.

You can manage this permission by using the Delegation tab on the Group Policy objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups.

Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain.

If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO-External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions.

Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.
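An added example for this question (not from the practice test or the TechNet text it quotes) that grants a branch admin group exactly the two rights the answer combines: GPO creation through Group Policy Creator Owners (answer B) and the right to link GPOs on its own OU only (answer A, the "Manage Group Policy links" task of the Delegation of Control Wizard, which is read/write on the OU's gPLink and gPOptions attributes). A second function audits which principals hold that link right on every OU. Group and OU names are constructed; it assumes the ActiveDirectory module and dsacls.exe (RSAT / AD DS tools) run with Domain Admins rights.

```powershell
# Added example (not from the practice test): delegate GPO creation plus OU-scoped linking,
# and audit who can link GPOs where. Assumes the ActiveDirectory module and dsacls.exe.
Import-Module ActiveDirectory

function Grant-BranchGpoDelegation {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # constructed, e.g. 'Branch1-GPAdmins'
        [Parameter(Mandatory)][string]$OuDn          # constructed, e.g. 'OU=Branch1,DC=contoso,DC=com'
    )
    $group   = Get-ADGroup -Identity $GroupName
    $account = "$((Get-ADDomain).NetBIOSName)\$($group.SamAccountName)"

    # 1. Creation right (answer B). Domain-wide by design; members only control GPOs they create.
    Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $group

    # 2. Link right on this OU only (answer A): RP = read property, WP = write property
    #    on gPLink and gPOptions, which is what the wizard's "Manage Group Policy links" task sets.
    & dsacls.exe $OuDn /G "${account}:RPWP;gPLink" /G "${account}:RPWP;gPOptions" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $account on $OuDn" }
}

function Get-GpoLinkDelegation {
    # Who can write gPLink (link or unlink GPOs) on each OU under $SearchBase?
    # The attribute's schemaIDGUID is read from the schema rather than hard-coded.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $schemaNc   = (Get-ADRootDSE).schemaNamingContext
    $gpLinkGuid = [Guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=gPLink)' `
                      -Properties schemaIDGUID).schemaIDGUID
    $writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Either an explicit gPLink grant, or a write-property / full-control grant on all attributes.
            $coversLink = $ace.ObjectType -eq $gpLinkGuid -or $ace.ObjectType -eq [Guid]::Empty
            if ($coversLink -and $ace.ActiveDirectoryRights.HasFlag($writeProp)) {
                [PSCustomObject]@{
                    OU        = $ou.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Example (constructed names):
#   Grant-BranchGpoDelegation -GroupName 'Branch1-GPAdmins' -OuDn 'OU=Branch1,DC=contoso,DC=com'
#   Get-GpoLinkDelegation | Format-Table -AutoSize
```

The audit is the check to keep running: a link right granted at the domain root (answer D) or inherited down from a parent OU shows up here with Inherited = True, which is exactly the over-delegation the question wants to avoid.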

QUESTION 48

Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.

 

You install Windows Server 2008 R2 on a server.

 

You need to add the new server as a domain controller in your domain.

 

What should you do first?

 

A.

On a domain controller run adprep /rodcprep.

B.

On the new server, run dcpromo /adv.

C.

On the new server, run dcpromo /createdcaccount.

D.

On a domain controller, run adprep /forestprep.

 

Correct Answer: D

Explanation:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/

DC promotion and adprep/forestprep

Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder").

A1:

You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there.

A2: to introduce the first W2K8 DC within an AD forest….

(1) no AD forest exists yet:

–> on the stand alone server execute: DCPROMO

–> and provide the information needed

(2) a W2K or W2K3 AD forest already exists:

–> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)

–> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)

–> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)

–> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)

–> on the stand alone server execute: DCPROMO

–> and provide the information needed
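An added check (not from the forum thread above) for the "what should you do first" part of this question: it reads the forest schema version to tell whether adprep /forestprep for Windows Server 2008 R2 has already been applied, and names the schema master on which it has to run. It uses ADSI rather than the ActiveDirectory module so it works against Windows Server 2003 domain controllers, which have no Active Directory Web Services; the schema objectVersion numbers are the values Microsoft publishes for each adprep level.

```powershell
# Added example (not from the forum thread): has adprep /forestprep for 2008 R2 been run,
# and where must it run? Uses ADSI so it works with Windows Server 2003 DCs.
function Get-ForestPrepStatus {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext.Value
    $schema   = [ADSI]"LDAP://$schemaNc"

    # Schema objectVersion values published by Microsoft for the adprep levels in this question.
    $levels = @{ 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
                 44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }
    $version = [int]$schema.objectVersion.Value

    # fSMORoleOwner on the schema NC is the NTDS Settings object of the schema master:
    # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    $roleOwner    = [string]$schema.fSMORoleOwner.Value
    $schemaMaster = (($roleOwner -split ',')[1]) -replace '^CN=', ''

    [PSCustomObject]@{
        SchemaVersion           = $version
        SchemaLevel             = if ($levels.ContainsKey($version)) { $levels[$version] } else { 'newer than 2008 R2' }
        ForestPrep2008R2Applied = ($version -ge 47)
        SchemaMaster            = $schemaMaster   # run "adprep /forestprep" here as Schema Admins + Enterprise Admins
    }
}

Get-ForestPrepStatus
```

adprep /domainprep (and /rodcprep) are tracked separately from the schema version, so a result of 47 here only says the forest-wide step is done.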

 

 

QUESTION 49

You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller.

 

You need to perform a non-authoritative restore of the domain controller by using an existing backup file.

 

What should you do?

 

A.

Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore.

B.

Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore.

C.

Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore.

D.

Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore.

 

Correct Answer: A

Explanation:

Almost identical to B26

http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx

Performing Nonauthoritative Restore of Active Directory Domain Services

A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.

Nonauthoritative Restore Requirements

You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller. On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service.

Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system. To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:

System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.

Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.

Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
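The nonauthoritative restore procedure above, scripted as an added PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes an elevated prompt on the domain controller and a backup stored on a constructed target drive E:; the bcdedit and wbadmin switches are real, the version identifier is a placeholder you read from wbadmin get versions.

```powershell
# Added example: nonauthoritative restore of AD DS from a system state backup.
# Assumes: elevated prompt on the DC; backup on the constructed target E:;
# the DC can be started in DSRM (if it cannot, the page says reinstall the OS first).

# Step 1, run in normal startup mode: flag the next boot for Directory Services
# Restore Mode and restart. The DSRM administrator password is needed to log on.
function Enter-Dsrm {
    bcdedit /set safeboot dsrepair | Out-Null
    Restart-Computer -Force
}

# Step 2, run after logging on in DSRM. Stopping the NTDS service in normal
# startup mode is not enough for a restore, so refuse to continue unless the
# SAFEBOOT_OPTION environment variable shows the DSREPAIR (DSRM) boot option.
function Restore-AdDsNonAuthoritative {
    param(
        [string]$BackupTarget = 'E:',
        # Version identifier in the form MM/DD/YYYY-HH:MM, taken from 'wbadmin get versions'
        [string]$Version
    )
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Not in DSRM. Run Enter-Dsrm (bcdedit /set safeboot dsrepair) first.'
    }
    if (-not $Version) {
        # No version given: list the available backups so the operator can pick one.
        wbadmin get versions "-backupTarget:$BackupTarget"
        return
    }
    # No -authsysvol switch: this is a nonauthoritative restore, so after the reboot
    # replication partners overwrite the restored state with later changes.
    wbadmin start systemstaterecovery "-version:$Version" "-backupTarget:$BackupTarget" -quiet

    # Step 3: clear the DSRM flag so the next boot is a normal startup, in which the
    # DC contacts its replication partners and brings AD DS and SYSVOL up to date.
    bcdedit /deletevalue safeboot | Out-Null
    Write-Host "Restore submitted. Reboot normally and watch replication with: repadmin /showrepl"
}
```

Running Restore-AdDsNonAuthoritative without -Version only lists backup versions; pass the chosen identifier on a second call to start the recovery.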


QUESTION 50

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.


You need to ensure that the replication of the contoso.com zone is encrypted.


You must not lose any zone data.


What should you do?


A.

Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.

B.

Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

C.

Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.

D.

On both servers, modify the interface that the DNS server listens on.


Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc771150.aspx

Change the Zone Type

You can use this procedure to make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS).

http://technet.microsoft.com/en-us/library/cc726034.aspx

Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.

In a standard zone storage model, DNS updates are conducted based on a single-master update model.

In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.


Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.

By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.

http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx
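Answer B carried out with dnscmd, as an added PowerShell example that is not from the page or from Microsoft's documentation. It assumes an elevated prompt held by a DNS administrator, the DC1/DC2 layout from the question, and that dnscmd /ZoneInfo reports a "DS integrated" field (the regular expression in the helper Test-DsIntegratedZone, which is mine, relies on that).

```powershell
# Added example: move contoso.com from a file-backed primary/secondary pair to an
# AD-integrated zone so that zone replication rides on authenticated, encrypted
# AD DS replication instead of plain-text zone transfers. No zone data is lost:
# the master copy on DC1 is converted in place and the secondary is only a copy.
$Zone      = 'contoso.com'
$Primary   = 'DC1'   # hosts the standard primary zone (from the question)
$Secondary = 'DC2'   # hosts the standard secondary zone (from the question)

# Returns $true when the zone on $Server is stored in AD DS. Assumption: the
# /ZoneInfo output contains a line of the form "DS integrated = 1".
function Test-DsIntegratedZone {
    param([string]$Server, [string]$ZoneName)
    $info = dnscmd $Server /ZoneInfo $ZoneName 2>&1 | Out-String
    return ($info -match 'DS integrated\s*=\s*1')
}

# 1. Convert the master copy on DC1 to an AD-integrated primary zone and place it in
#    the domain-wide DNS application partition so every DC in the domain receives it.
dnscmd $Primary /ZoneResetType $Zone /DsPrimary
dnscmd $Primary /ZoneChangeDirectoryPartition $Zone /domain
if (-not (Test-DsIntegratedZone -Server $Primary -ZoneName $Zone)) {
    throw "$Zone on $Primary is still file-backed; stopping before touching $Secondary."
}

# 2. Delete the file-backed secondary on DC2 (/f skips the prompt; without /DsDel
#    nothing in AD DS is removed). The DNS server on DC2 loads new directory zones on
#    its DS polling interval, so the secondary is normally gone before the
#    AD-integrated copy arrives and the two never coexist.
dnscmd $Secondary /ZoneDelete $Zone /f

# 3. Wait for AD DS replication to deliver the zone to DC2 as an AD-integrated zone.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $ok = Test-DsIntegratedZone -Server $Secondary -ZoneName $Zone
} until ($ok -or (Get-Date) -gt $deadline)
if (-not $ok) { throw "$Zone has not appeared on $Secondary as an AD-integrated zone yet." }

# 4. Defensive follow-up: with no secondary left, restrict zone transfers to the
#    servers listed in the zone's NS records so no plain-text copy can be pulled.
dnscmd $Primary /ZoneResetSecondaries $Zone /SecureNs
Write-Host "$Zone is now AD-integrated on $Primary and $Secondary."
```

Check replication health afterwards with repadmin /showrepl on both controllers; the zone's records are then carried only inside AD DS replication traffic.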

Deploy IPsec Policy to DNS Servers

You can deploy IPsec rules through one of the following mechanisms:

Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier.

DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers.

Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally.

http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx

Deploying Secure DNS

Protecting DNS Servers

When the integrity of the responses of a DNS server is compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make the DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:

Use IPsec between DNS clients and servers.

Monitor network activity.

Close all unused firewall ports.

Implementing IPsec Between DNS Clients and Servers

IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server.

Further information:

http://technet.microsoft.com/en-us/library/cc771898.aspx

Understanding Zone Types

The DNS Server service provides for three types of zones:

Primary zone

Secondary zone

Stub zone

Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS.

The following sections describe each of these zone types:

Primary zone

When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.

Secondary zone

When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.

Stub zone

When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.

You can use stub zones to:

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.

Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone’s list of name servers, without having to query the Internet or an internal root server for the DNS namespace.

Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.

There are two lists of DNS servers involved in the loading and maintenance of a stub zone:

The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.

The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.

When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/

Answered what is non-standard dns secondary zone?

Q: While passing through 70-291 exam prep questions, I encountered the term “standard secondary zone”.

From the context of other questions I understood that “standard”, in the context of a primary zone, means “non-AD-integrated”.

A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file.

Q: What does “standard” mean in context of DNS secondary zone?

A: It means the same thing in the context of a Standard Primary Zone. Simply stated, “Standard” means the zone data is stored in a text file, which can be found in system32\dns.

