[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 431-440


QUESTION 431

HOTSPOT

Your network contains an Active Directory domain named contoso.com.

 

All users have laptops that run Windows 7. The laptops are joined to the domain. Windows Firewall is enabled on all the laptops.

 

You need to ensure that when the users connect to unidentified networks, Windows Firewall uses the Public Profile.

 

Which node in Group Policy Management Editor should you use?

 

To answer, select the appropriate node in the answer area.

 

[Image not available: answer area]

 

Correct Answer:

[Image not available: answer area]

 

QUESTION 432

DRAG DROP

Your network contains an Active Directory domain named adatum.com.

 

You need to use Group Policies to deploy the line-of-business applications shown in the following table.

 

[Image not available: table of line-of-business applications]

 

What should you do?

 

To answer, drag the appropriate deployment method to the correct application in the answer area.

 

[Image not available: answer area]

 

Correct Answer:

[Image not available: answer area]

 

 

QUESTION 433

Your network contains an Active Directory domain named contoso.com.

 

You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU contains over 200 user accounts.

 

The Sales OU and the Engineering OU contain several user accounts that are members of a universal group named Group1.

 

You have a Group Policy object (GPO) linked to the domain.

 

You need to prevent the GPO from being applied to the members of Group1 only.

 

What should you do?

 

A.

Modify the Group Policy permissions.

B.

Configure Restricted Groups.

C.

Configure WMI filtering.

D.

Configure the link order.

E.

Enable loopback processing in merge mode.

F.

Link the GPO to the Sales OU.

G.

Configure Group Policy Preferences.

H.

Link the GPO to the Engineering OU.

I.

Enable block inheritance.

J.

Enable loopback processing in replace mode.

 

Correct Answer: A

Explanation:

“GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the security filter and add groups containing everyone except group1 members (messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo (since deny will always win over allow).”

The reference below explains a situation where the GPO only needs to be applied to one group; it’s the other way around, so to speak.

 

Reference:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286

 

Using Security Filtering to Modify GPO Scope

 

By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.

 

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify.

 

Filtering a GPO to Apply to Specific Groups

 

To apply a GPO to a specific security group, perform the following steps:

4. Select the GPO in the Group Policy Objects container in the console tree.

5. In the Security Filtering section, select the Authenticated Users group and click Remove.

6. Click OK to confirm the change.

7. Click Add.

8. Select the group to which you want the policy to apply and click OK.
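The filtering rule described above (a GPO applies only to principals that have both Allow Read and Allow Apply Group Policy, and a deny entry wins over allow), modelled as an added example that is not part of the exam material or the training kit. The account names, the `Ace` type and the `gpo_applies` and `scope` helpers are constructed for illustration; this is a simplified model, not the Windows access check itself.

```python
from dataclasses import dataclass

READ = "Read"
APPLY = "Apply Group Policy"

@dataclass(frozen=True)
class Ace:
    trustee: str   # group or account the entry is written for
    kind: str      # "allow" or "deny"
    right: str     # READ or APPLY

def gpo_applies(principal_groups, acl):
    """True if a principal with these group memberships processes the GPO.

    Simplified model of security filtering: both Read and Apply Group
    Policy must be allowed, and any matching deny entry wins over allow.
    """
    groups = set(principal_groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in groups:
            continue
        (denied if ace.kind == "deny" else allowed).add(ace.right)
    effective = allowed - denied
    return READ in effective and APPLY in effective

# Default filter: Authenticated Users has Read and Apply Group Policy.
DEFAULT_ACL = [
    Ace("Authenticated Users", "allow", READ),
    Ace("Authenticated Users", "allow", APPLY),
]
# Question 433, answer A: keep the default and deny Apply for Group1.
EXCLUDE_GROUP1_ACL = DEFAULT_ACL + [Ace("Group1", "deny", APPLY)]
# The book's procedure: remove Authenticated Users, add a single group.
ONLY_GROUP1_ACL = [Ace("Group1", "allow", READ), Ace("Group1", "allow", APPLY)]

# Constructed sample accounts and their group memberships.
USERS = {
    "sales-user": ["Authenticated Users"],
    "sales-g1": ["Authenticated Users", "Group1"],
    "eng-g1": ["Authenticated Users", "Group1"],
}

def scope(acl):
    """Sorted names of the sample accounts that would apply the GPO."""
    return sorted(u for u, g in USERS.items() if gpo_applies(g, acl))

if __name__ == "__main__":
    for label, acl in [("default", DEFAULT_ACL),
                       ("deny Group1", EXCLUDE_GROUP1_ACL),
                       ("only Group1", ONLY_GROUP1_ACL)]:
        print(f"{label:12} -> {scope(acl)}")
```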

 

 

QUESTION 434

Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains:

 

Fabrikam.com

Eu.fabrikam.com

Na.fabrikam.com

Eu.contoso.com

Na.contoso.com

 

You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of contoso.com when they create user accounts from Active Directory Users and Computers.

 

Which tool should you use?

 

A.

Active Directory Users and Computers

B.

Set-ADAccountControl

C.

Set-ADForest

D.

New-ADObject

 

Correct Answer: C

 

 

QUESTION 435

A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.

 

You add multiple DNS records to the zone.

 

You need to ensure that the new records are available on all DNS servers as soon as possible.

 

Which tool should you use?

 

A.

Active Directory Sites And Services console

B.

Ntdsutil

C.

Dnslint

D.

Nslookup

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc794809.aspx

 

Forcing Replication

When you need updates to be replicated sooner than the intersite replication schedule allows, or when replication between sites is impossible because of configuration errors, you can force replication to and from domain controllers.

 

Forcing replication of all directory updates over a connection

 

If you want to replicate certain updates, such as a significant addition of new passwords or user accounts, to another domain controller in the domain, you can use the Replicate now option in the Active Directory Sites and Services snap-in to force replication of all directory partitions over a connection object that represents inbound replication from a specific domain controller. A connection object for a server object that represents a domain controller identifies the replication partner from which the domain controller receives replication. If the changes are made on one domain controller, you can select the connection from that domain controller and force replication to its replication partner.

 

You can also use the Repadmin.exe command-line tool to replicate changes from a server to one or more other servers or to all servers.

 

ssniyer — In the case where (Exam J, Q24) Repadmin is not an answer option, I will go with AD Sites and Services because it allows to force AD replication across connection objects.

 

Both DNSLint and nslookup are diagnostic tools. DNSLint is useful to make sure RRs are associated with the right services and nslookup for domain namespace resolution issues.

There is no diagnostic need in this question.

 

Dnscmd is useful to administer/maintain a DNS server or zone using a command line tool. It is also the right tool to create Application Directory Partition. However, I don’t see literature to suggest it as a good replication tool for AD integrated zones.

 

 

 

 

 

QUESTION 436

Your network contains an Active Directory domain named contoso.com.

 

All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2 Service Pack 1 (SP1). The functional level of the domain is Windows Server 2003.

 

You need to configure SYSVOL to use DFS Replication.

 

Which tools should you use? (Each correct answer presents part of the solution. Choose two.)

 

A.

Dfsrmig

B.

Frsdiag

C.

Ntdsutil

D.

Set-ADForest

E.

Repadmin

F.

Set-ADDomainMode

G.

DFS Management

 

Correct Answer: AF

Explanation:

First we need to upgrade the domain functional level, using Set-ADDomainMode. Then, now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded (to Windows Server 2008 (R2)), we can migrate to DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. We can use Dfsrmig for that migration.

 

Reference 1:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 543

In versions of Windows Server prior to Windows Server 2008, the FRS was used to replicate the contents of SYSVOL between domain controllers. FRS has limitations in both capacity and performance that cause it to break occasionally. Unfortunately, troubleshooting and configuring FRS is quite difficult. In Windows Server 2008 and Windows Server 2008 R2 domains, you have the option to use DFS-R to replicate the contents of SYSVOL.

 

Reference 2:

http://technet.microsoft.com/en-us/library/ee617230.aspx

Set-ADDomainMode

The Set-ADDomainMode cmdlet sets the domain mode for a domain. You specify the domain mode by setting the DomainMode parameter.

The domain mode can be set to the following values that are listed in order of functionality from lowest to highest.

Windows2000Domain

Windows2003InterimDomain

Windows2003Domain

Windows2008Domain

Windows2008R2Domain

 

Reference 3:

http://technet.microsoft.com/en-us/library/dd639809.aspx

Migrating to the Prepared State

The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS Replication).

This migration phase includes the tasks in the following list.

(…)

Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.

 

 

QUESTION 437

Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.

 

[Image not available: exhibit]

 

You have a Group Policy Object (GPO) linked to the domain.

 

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort.

 

What should you do?

 

A.

Modify the Group Policy Permission.

B.

Configure WMI filtering.

C.

Enable block inheritance.

D.

Enable loopback processing in replace mode.

E.

Configure the link order.

F.

Configure Group Policy Preferences.

G.

Link the GPO to the Human Resources OU.

H.

Configure Restricted Groups.

I.

Enable loopback processing in merge mode.

J.

Link the GPO to the Finance OU.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc731076.aspx

Block Inheritance

You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

 

 

QUESTION 438

DRAG DROP

You need to perform an offline defragmentation of an Active Directory database.

 

Which four actions should you perform in sequence?

 

To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.

 

[Image not available: list of actions and answer area]

 

Correct Answer:

[Image not available: answer area]

 

 

QUESTION 439

Your network contains an Active Directory forest.

 

All users have a value set for the Department attribute.

 

From Active Directory Users and Computers, you search a domain for all users who have a Department attribute value of Marketing. The search returns 50 users.

 

From Active Directory Users and Computers, you search the entire directory for all users who have a Department attribute value of Marketing.

 

The search does not return any users.

 

You need to ensure that a search of the entire directory for users in the marketing department returns all of the users who have the Marketing Department attribute.

 

What should you do?

A.

Install the Windows Search Service role service on a global catalog server.

B.

From the Active Directory Schema snap-in modify the properties of the Department attribute.

C.

Install the Indexing Service role service on a global catalog server.

D.

From the Active Directory Schema snap-in modify the properties of the user class.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx

Global Catalog Partial Attribute Set

The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

 

 

QUESTION 440

Your network contains an Active Directory domain named contoso.com.

 

You have an organizational unit (OU) named Sales and an OU named Engineering.

 

Users in the Sales OU frequently log on to client computers in the Engineering OU.

 

You need to meet the following requirements:

 

All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the Engineering OU must be applied to sales users when they log on to client computers in the Engineering OU.

Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when they log on to client computers in the Sales OU.

Policy settings in the GPOs linked to the Sales OU must not be applied to users in the Engineering OU.

 

What should you do?

 

A.

Modify the Group Policy permissions.

B.

Enable block inheritance.

C.

Configure the link order.

D.

Enable loopback processing in merge mode.

E.

Enable loopback processing in replace mode.

F.

Configure WMI filtering.

G.

Configure Restricted Groups.

H.

Configure Group Policy Preferences.

I.

Link the GPO to the Sales OU.

J.

Link the GPO to the Engineering OU.

 

Correct Answer: D

Explanation:

We have to use loopback processing in merge mode if we want all User Configuration settings from the GPOs that are linked to the Sales OU and the Engineering OU to be applied.

 

Reference 1:

http://technet.microsoft.com/en-us/library/cc782810.aspx

 

Loopback processing with merge or replace

Setting loopback causes the User Configuration settings in GPOs that apply to the computer to be applied to every user logging on to that computer, instead of (in replace mode) or in addition to (in merge mode) the User Configuration settings of the user. This allows you to ensure that a consistent set of policies is applied to any user logging on to a particular computer, regardless of their location in Active Directory. Loopback can be set to Not Configured, Enabled, or Disabled. In the Enabled state, loopback can be set to Merge or Replace. In either case the user only receives user-related policy settings.

Loopback with Replace: In the case of Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list that is already obtained for the computer at computer startup (during step 2 in Group Policy processing and precedence). The User Configuration settings from this list are applied to the user.

Loopback with Merge: In the case of Loopback with Merge, the Group Policy object list is a concatenation. The default list of GPOs for the user object is obtained, as normal, but then the list of GPOs for the computer (obtained during computer startup) is appended to this list. Because the computer’s GPOs are processed after the user’s GPOs, they have precedence if any of the settings conflict.

 

Reference 2:

http://kudratsapaev.blogspot.in/2009/07/loopback-processing-of-group-policy.html

 

For a clear and easy explanation of Loopback Processing. Recommended!

 

Reference 3:

Windows Server 2008 R2 Unleashed (SAMS, 2010) page 1028

Loopback Processing

When a user is processing domain policies, the policies that apply to that user are based on the location of the user object in the Active Directory hierarchy. The same goes for domain policy application for computers.

There are situations, however, when administrators or organizations want to ensure that all users get the same policy when logging on to a particular computer or server. For example, on a computer that is used for training or on a Remote Desktop Session Host, also known as a Terminal Server, when the user desktop environment must be the same for each user, this can be controlled by enabling loopback processing in Replace mode on a policy that is applied to the computer objects.

To explain a bit further, if a domain policy has the loopback settings enabled and set to Replace mode, any settings defined within that policy in the User Configuration node are applied to all users who log on to the computer this particular policy is applied to. When loopback processing is enabled and configured in Merge mode on a policy applied to a computer object and a user logs on, all of the user policies are applied and then all of the user settings within the policy applied to the computer object are also applied to the user. This ensures that in either Replace or Merge mode, loopback processing applies the settings contained in the computer-linked policies last.
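The merge and replace behaviour described in the references above, worked through for the Question 440 scenario as an added example that is not part of the exam material or the cited sources. The GPO names, setting names and the `logon` helper are constructed, and the model assumes loopback is enabled by a GPO that applies only to computers in the Engineering OU.

```python
def user_gpo_list(user_gpos, computer_gpos, loopback=None):
    """GPOs whose User Configuration is processed at logon, in order.

    loopback is None (not enabled), "merge" or "replace", as set by a
    GPO that applies to the computer the user logs on to.
    """
    if loopback is None:
        return list(user_gpos)
    if loopback == "replace":
        return list(computer_gpos)      # user's own list is discarded
    if loopback == "merge":
        # User's list first, computer's list appended and processed last.
        return list(user_gpos) + list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {loopback!r}")

def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """Apply User Configuration settings in list order; last writer wins."""
    result = {}
    for gpo in user_gpo_list(user_gpos, computer_gpos, loopback):
        for setting, value in gpo["user_settings"].items():
            result[setting] = (value, gpo["name"])
    return result

# Constructed GPOs linked to the two OUs (names and settings illustrative).
SALES_GPO = {"name": "Sales-GPO",
             "user_settings": {"wallpaper": "sales.bmp", "drive_map": "S:"}}
ENG_GPO = {"name": "Eng-GPO",
           "user_settings": {"wallpaper": "eng.bmp", "screen_lock_min": 5}}
GPOS_BY_OU = {"Sales": [SALES_GPO], "Engineering": [ENG_GPO]}

def logon(user_ou, computer_ou, eng_loopback="merge"):
    """Settings for a user from user_ou on a computer in computer_ou.

    Assumption: only computers in the Engineering OU receive the
    loopback setting; Sales computers process policy normally.
    """
    mode = eng_loopback if computer_ou == "Engineering" else None
    return effective_user_settings(GPOS_BY_OU[user_ou],
                                   GPOS_BY_OU[computer_ou], mode)

if __name__ == "__main__":
    for user_ou, comp_ou in [("Sales", "Engineering"), ("Sales", "Sales"),
                             ("Engineering", "Engineering")]:
        print(f"{user_ou} user on {comp_ou} computer:", logon(user_ou, comp_ou))
```

In the merge case the conflicting `wallpaper` value comes from the Engineering GPO because the computer's list is processed last, while the Sales-only `drive_map` setting survives; in replace mode it would be dropped.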

 
