[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 71-80

Ensurepass

QUESTION 71

Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone.

You have two Active Directory sites. Each site contains five domain controllers.

You add a new NS record to the zone.

You need to ensure that all domain controllers immediately receive the new NS record.

What should you do?

A. From the DNS Manager console, reload the zone.

B. From the DNS Manager console, increase the version number of the SOA record.

C. From the command prompt, run repadmin /syncall.

D. From the Services snap-in, restart the DNS Server service.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx

Repadmin /syncall: Synchronizes a specified domain controller with all of its replication partners.

http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers

From time to time it’s necessary to kick off AD replication to speed up a task you may be doing, or it is just a good tool to check the status of replication between DCs. Below is a command to replicate from a specified DC to all other DCs.

Repadmin /syncall DC_name /Aped

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding.

If I am running it on the DC itself, I don’t even have to specify the server name.
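As an added example (not part of the original page or of the quoted blog), the following PowerShell forces replication from the local domain controller with the switches described above and then checks that every DC in the domain already answers with the new NS record. The zone name and the NS host name are placeholders; Resolve-DnsName requires the DnsClient module (Windows Server 2012 or later), so on a 2008 R2 console you would substitute nslookup for the verification step.

```powershell
# Added example: force AD replication after adding an NS record to an AD-integrated
# zone, then verify every DC returns it. Assumes the ActiveDirectory module and
# repadmin.exe are available and that this runs on a DC (no source DC name needed).
Import-Module ActiveDirectory

$zone       = 'contoso.com'         # placeholder zone name
$expectedNs = 'dc11.contoso.com'    # placeholder: host name of the NS record just added

# /A = all partitions, /P = push from this DC, /e = cross-site (enterprise), /d = show DNs
repadmin /syncall /APed

# Replication may still be in flight on remote sites; allow a short grace period.
Start-Sleep -Seconds 15

$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$missing = @()
foreach ($dc in $dcs) {
    try {
        $ns = Resolve-DnsName -Name $zone -Type NS -Server $dc -ErrorAction Stop |
              Where-Object { $_.Type -eq 'NS' } |
              Select-Object -ExpandProperty NameHost
        if ($ns -notcontains $expectedNs) { $missing += $dc }
    } catch {
        Write-Warning "$dc did not answer the NS query: $($_.Exception.Message)"
        $missing += $dc
    }
}

if ($missing.Count -eq 0) {
    "All $($dcs.Count) domain controllers return $expectedNs as an NS for $zone."
} else {
    "Still missing the NS record on: $($missing -join ', ')"
    # Show replication health so a failing partner is visible rather than guessed at.
    repadmin /replsummary
}
```

A DC that keeps failing the check after /syncall is usually a replication partner with an error, which the /replsummary output at the end makes visible.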


QUESTION 72

You need to identify all failed logon attempts on the domain controllers.

What should you do?

A. View the Netlogon.log file.

B. View the Security tab on the domain controller computer object.

C. Run Event Viewer.

D. Run the Security and Configuration Wizard.

Correct Answer: C

Explanation:

http://support.microsoft.com/kb/174074

Security Event Descriptions

This article contains descriptions of various security-related and auditing-related events, and tips for interpreting them.

These events will all appear in the Security event log and will be logged with a source of “Security.”

Event ID: 529

Type: Failure Audit

Description: Logon Failure:

Reason: Unknown user name or bad password

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 530

Type: Failure Audit

Description: Logon Failure:

Reason: Account logon time restriction violation

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 531

Type: Failure Audit

Description: Logon Failure:

Reason: Account currently disabled

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 532

Type: Failure Audit

Description: Logon Failure:

Reason: The specified user account has expired

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 533

Type: Failure Audit

Description: Logon Failure:

Reason: User not allowed to logon at this computer

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 534

Type: Failure Audit

Description: Logon Failure:

Reason: The user has not been granted the requested logon type at this machine

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 535

Type: Failure Audit

Description: Logon Failure:

Reason: The specified account’s password has expired

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 536

Type: Failure Audit

Description: Logon Failure:

Reason: The NetLogon component is not active

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6

Event ID: 537

Type: Failure Audit

Description: Logon Failure:

Reason: An unexpected error occurred during logon

User Name: %1 Domain: %2

Logon Type: %3 Logon Process: %4

Authentication Package: %5 Workstation Name: %6
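The event IDs quoted above (529 to 537) are the Windows 2000/2003 IDs; on Windows Server 2008 and later the same logon failures are written as event 4625, with 4771 for Kerberos pre-authentication failures and 4776 for NTLM validation failures. As an added example that is not part of the original page, this PowerShell collects those events from the Security log of every domain controller and summarises them by account and source. It assumes the ActiveDirectory module is installed and that the caller can read the Security log remotely (Event Log Readers membership or an equivalent right).

```powershell
# Added example: gather failed logon events from all DCs and summarise them.
Import-Module ActiveDirectory

$since   = (Get-Date).AddHours(-24)
# Legacy IDs quoted in the KB article plus their Windows Server 2008+ equivalents.
$failIds = @(529..537) + 4625 + 4771 + 4776
$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $failIds; StartTime = $since
        } | ForEach-Object {
            # The XML payload carries named fields (TargetUserName, IpAddress, ...),
            # which is more robust than parsing the rendered message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeCreated
                Id          = $_.Id
                User        = $d['TargetUserName']
                Domain      = $d['TargetDomainName']
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                Status      = $d['Status']   # for 4625, 0xc000006d = bad user name or password
            }
        }
    } catch {
        # "No events were found" is also raised here when a DC has nothing to report.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# Many accounts from one source suggests password spraying; one account with many
# attempts suggests brute force or a stale saved credential on that workstation.
$events | Group-Object User, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

$events | Export-Csv -Path .\failed-logons.csv -NoTypeInformation
```

Querying every DC matters because each DC only logs the failures it handled itself; a single Event Viewer session shows one server's view.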


QUESTION 73

You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS Server for contoso.com.

You install the DNS Server role on a member server named Server1 and then you create a standard secondary zone for contoso.com.

You configure DC1 as the master server for the zone.

You need to ensure that Server1 receives zone updates from DC1.

What should you do?

A. On DC1, modify the permissions of contoso.com zone.

B. On Server1, add a conditional forwarder.

C. On DC1, modify the zone transfer settings for the contoso.com zone.

D. Add the Server1 computer account to the DNSUpdateProxy group.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc771652.aspx

Modify Zone Transfer Settings

You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.

To modify zone transfer settings using the Windows interface

1. Open DNS Manager.

2. Right-click a DNS zone, and then click Properties.

3. On the Zone Transfers tab, do one of the following:

   To disable zone transfers, clear the Allow zone transfers check box.

   To allow zone transfers, select the Allow zone transfers check box.

4. If you allowed zone transfers, do one of the following:

   To allow zone transfers to any server, click To any server.

   To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.

   To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
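The same change from the command line, as an added example that is not part of the original page: the weakest of the three options above ("To any server") is shown only as a comment for contrast, and the narrowest one (a fixed list of secondaries) is applied, followed by a check that Server1 actually pulls the zone. It assumes dnscmd.exe (present on Windows Server 2008 R2), that Server1's address is the placeholder 10.0.0.20, and that the caller is a DNS administrator on both servers.

```powershell
# Added example: restrict zone transfers for contoso.com on DC1 to Server1 only.
$zone      = 'contoso.com'
$primary   = 'DC1'
$secondary = '10.0.0.20'    # placeholder: Server1's IP address

# Weak setting, shown only for contrast ("To any server"): any host that can reach
# TCP/53 on DC1 could download the whole zone, i.e. every name and address in it.
#   dnscmd $primary /ZoneResetSecondaries $zone /NonSecure

# Corrected setting: transfer only to the listed secondary, and send DNS NOTIFY to it
# so Server1 pulls changes immediately instead of waiting for the SOA refresh interval.
dnscmd $primary /ZoneResetSecondaries $zone /SecureList $secondary /NotifyList $secondary

# Equivalent on Windows Server 2012 or later with the DnsServer module:
#   Set-DnsServerPrimaryZone -ComputerName $primary -Name $zone `
#       -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary `
#       -Notify NotifyServers -NotifyServers $secondary

# Read back the zone settings (secure secondaries and the allowed server list).
dnscmd $primary /ZoneInfo $zone

# Confirm Server1 receives the zone: force a pull, then compare SOA serial numbers.
dnscmd 'Server1' /ZoneRefresh $zone
nslookup -type=SOA $zone $primary  | Select-String 'serial'
nslookup -type=SOA $zone 'Server1' | Select-String 'serial'
```

Matching serial numbers on both servers confirm the transfer path works; a lower serial on Server1 after the refresh points at a transfer setting or firewall problem, not at replication.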


QUESTION 74

All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders.

You need to record any failed attempts made by the consultants to access the confidential data.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group.

B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting.

C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting.

D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.

E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.

Correct Answer: CE

Explanation:

Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671

Auditing Resource Access

Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling “Audit object access” and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:

Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.

Audit object access success enables you to see usage patterns. This shows misuse of privilege.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.

Auditing Files and Folders

The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements. Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

1. In Windows Explorer, right-click the file or folder to audit and select Properties.

2. Select the Security tab and then click the Advanced button.

3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.

4. Click the Add button to display the Select User or Group window.

5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
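Both halves of the answer (C and E) as a script, added here as an example that is not part of the original page or the quoted book. The policy half is applied with auditpol on one server so the effect can be tested locally; in the scenario it is set once in the GPO linked to SecureServers. The SACL half adds the failure-audit entry for TempWorkers on the shared folder. CONTOSO\TempWorkers and D:\Confidential are placeholders, and the script must run elevated on one of the file servers.

```powershell
# Added example: enable failure auditing for object access and add a SACL entry
# for the TempWorkers group, then show the resulting events.
$group  = 'CONTOSO\TempWorkers'   # placeholder
$folder = 'D:\Confidential'       # placeholder shared folder

# Half 1 (answer C): "Audit object access" - Failure. The advanced subcategory that
# covers files and folders is "File System"; failures only keeps log volume down,
# which is the load concern the book raises.
auditpol /set /subcategory:"File System" /failure:enable

# Half 2 (answer E): failed Full Control audit entry for the group, inherited by
# all subfolders and files. Reading/writing the SACL needs SeSecurityPrivilege.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the entry landed.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# What the record looks like: on Windows Server 2008 and later a denied access by an
# audited principal is Security event 4656 ("A handle to an object was requested")
# with the Audit Failure keyword. Show the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' } |
    Select-Object TimeCreated, Message -First 5
```

Without both halves nothing is recorded: the SACL entry is ignored while the audit policy is off, and the policy alone audits nothing until some object carries an audit entry.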


QUESTION 75

You have a Windows Server 2008 R2 Enterprise Root CA.

Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA.

You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role.

What should you do next?

A. Configure the Online Responder Role Service on a member server.

B. Configure the Online Responder Role Service on a domain controller.

C. Configure the Certificate Enrollment Web Service role service on a member server.

D. Configure the Certificate Enrollment Web Service role service on a domain controller.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/dd759209.aspx

Certificate Enrollment Web Service Overview

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Personal note:

Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server.


QUESTION 76

Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit.

You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit.

You also need to ensure that the application is not deployed to users in the R&D organizational unit.

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Configure the Block Inheritance setting on the R&D organizational unit.

B. Configure the Enforce setting on the software deployment GPO.

C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.

D. Configure the Block Inheritance setting on the Production organizational unit.

Correct Answer: AC

Explanation:

http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx

Managing inheritance of Group Policy

Blocking Group Policy inheritance

You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.

Enforcing a GPO link

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, “enforced” was known as “No override.”

In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.

http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx

Security filtering using GPMC

Security filtering

Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.

Notes:

GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.

The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.

Further information:

http://technet.microsoft.com/en-us/library/cc731076.aspx

Block Inheritance

http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups

Active Directory

Shadow groups

In Microsoft’s Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU’s account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools.

Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]

The division of an organization’s information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT service, or by object type, and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself, and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
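The shadow group the question mentions is exactly the kind of periodically run script the Wikipedia excerpt describes. As an added example that is not part of the original page, the PowerShell below keeps a shadow group equal to the user population of the R&D OU, applies answer A (block inheritance) and reads back the GPO's security filtering for answer C. It assumes the ActiveDirectory and GroupPolicy modules; the OU distinguished name and the group name are placeholders.

```powershell
# Added example: maintain a shadow group for an OU and keep a parent-linked GPO
# from applying to that OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou     = 'OU=R&D,OU=Production,DC=contoso,DC=com'   # placeholder DN
$shadow = 'RD-Shadow'                                 # placeholder shadow group name
$gpo    = 'Software Deployment'

# --- Shadow group maintenance: AD has no built-in mechanism for this, so a scheduled
#     run of this block keeps the group equal to the users currently in the OU. ---
if (-not (Get-ADGroup -Filter { Name -eq $shadow })) {
    New-ADGroup -Name $shadow -GroupScope Global -GroupCategory Security -Path $ou
}
$inOu    = @(Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree |
             ForEach-Object { $_.DistinguishedName })
$inGroup = @(Get-ADGroupMember -Identity $shadow |
             Where-Object { $_.objectClass -eq 'user' } |
             ForEach-Object { $_.DistinguishedName })

$toAdd    = @($inOu    | Where-Object { $inGroup -notcontains $_ })
$toRemove = @($inGroup | Where-Object { $inOu    -notcontains $_ })
if ($toAdd.Count)    { Add-ADGroupMember    -Identity $shadow -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $shadow -Members $toRemove -Confirm:$false }

# --- Answer A: block inheritance on the child OU. GPOs linked above it stop applying,
#     except links set to Enforced, which a block cannot stop. ---
Set-GPInheritance -Target $ou -IsBlocked Yes | Out-Null

# --- Answer C: security filtering. Set-GPPermission can grant or remove Apply
#     (GpoApply / None) but has no Deny level; the "Deny Apply Group Policy" entry for
#     the shadow group is added on the GPO's Delegation > Advanced tab in GPMC.
#     Read back both mechanisms so the result can be checked. ---
Get-GPInheritance -Target $ou | Select-Object Path, GpoInheritanceBlocked, InheritedGpoLinks
Get-GPPermission -Name $gpo -All | Select-Object Trustee, Permission, Denied
```

The membership sync is the weak point of the shadow-group approach: a user moved into R&D is still outside the shadow group until the next run, so the Deny entry (answer C) lags behind reality, while the OU block (answer A) takes effect at the next policy refresh.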


QUESTION 77

Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates.

You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist.

You need to configure the contoso.com zone to automatically remove expired records.

What should you do?

A. Enable only secure updates on the contoso.com zone.

B. Enable scavenging and configure the refresh interval on the contoso.com zone.

C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.

D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.

Correct Answer: B

Explanation:

http://www.it-support.com.au/configure-aging-and-scavenging-of-a-dns-server/2012/12/

Configure aging and scavenging of a DNS Server

Resource records that are outdated or stale are removed from DNS zone data by the aging and scavenging feature of the DNS Server in Windows Server 2008. If stale resource records are not dealt with, issues develop, such as:

Zone transfers take longer, as the DNS server's zone data contains a large number of stale records.

The accumulation of stale records degrades the DNS server's performance and response time.

Potential conflicts can occur if an IP address in a dynamic DNS environment is assigned to a different host.

By default, the aging and scavenging feature is disabled. In order to use this feature, you are required to enable it both on the zone and on the DNS server.

In addition, you can manually enable individual resource records to be aged and scavenged. This is done by setting the record to use the current (non-zero) timestamp value.

The aging and scavenging operation determines when records should be cleared by reviewing their timestamps. The DNS Server uses a simple equation when setting the time value on a record: current server time + refresh interval.

Procedure:

Navigate to Start – Administrative Tools – DNS Manager. Right-click the relevant DNS server and select Set Aging/Scavenging for All Zones from the drop-down list.

The Server Aging/Scavenging Properties dialog box opens. Tick the option Scavenge stale resource records.

Under the No-refresh interval heading, specify the duration for which the server must not refresh its records. Configuring this setting reduces replication traffic, as unnecessary updates to existing records are prevented.

Under the Refresh interval heading, specify the duration during which the server can refresh its records. The refresh interval is the time between when a no-refresh interval expires and when a record is considered stale.

When you have configured these settings, click OK to continue.

A confirmation box appears showing a summary of your settings. Tick the Apply these settings to the existing Active Directory-integrated zones option and click OK.

The Aging and Scavenging intervals have now been configured for all zones managed by the DNS server.

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-bepatient.aspx

Don’t be afraid of DNS Scavenging. Just be patient.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bb556cfb-3217-4dcf-af4f-460366faa1b8

Answered: Best Practices configuration for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.)
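The same configuration from PowerShell, added here as an example that is not part of the original page or the articles it cites. It previews which records would become eligible before anything is enabled, turns on aging for the zone and scavenging on one server, and reads the settings back; the "just be patient" point is that no record is deleted until it is older than no-refresh plus refresh and a scavenging cycle has run. It assumes the DnsServer module (Windows Server 2012 or later) on DC1; the dnscmd equivalents for 2008 R2 are given in comments, and the zone name and intervals are placeholders.

```powershell
# Added example: preview stale records, then enable aging/scavenging for contoso.com.
$server    = 'DC1'
$zone      = 'contoso.com'
$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7

# 1. Preview: dynamically registered A records whose timestamp is older than
#    no-refresh + refresh. Static records have no timestamp and are never scavenged.
$cutoff = (Get-Date) - ($noRefresh + $refresh)
Get-DnsServerResourceRecord -ComputerName $server -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'Address'; e = { $_.RecordData.IPv4Address } }

# 2. Zone level (answer B): turn on aging and set the two intervals.
#    2008 R2 equivalent (hours, hex): dnscmd DC1 /Config contoso.com /Aging 1
#                                     dnscmd DC1 /Config contoso.com /NoRefreshInterval 0xA8
#                                     dnscmd DC1 /Config contoso.com /RefreshInterval 0xA8
Set-DnsServerZoneAging -ComputerName $server -Name $zone -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh

# 3. Server level: only a server with scavenging enabled ever deletes anything.
#    Enable it on ONE DNS server so deletions come from a single, auditable place.
#    2008 R2 equivalent: dnscmd DC1 /Config /ScavengingInterval 0xA8
Set-DnsServerScavenging -ComputerName $server -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 7)

# 4. Read back. With 7 + 7 day intervals and a 7 day scavenging period, the first
#    deletions happen roughly two to three weeks after the zone was enabled.
Get-DnsServerZoneAging -ComputerName $server -Name $zone
Get-DnsServerScavenging -ComputerName $server
```

Answer A (secure updates only) and answers C and D (SOA timers) leave stale records in place: the SOA refresh and expiration intervals govern secondary servers, not record aging.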


QUESTION 78

Your company has an Active Directory forest. Not all domain controllers in the forest are configured as Global Catalog Servers. Your domain structure contains one root domain and one child domain.

You modify the folder permissions on a file server that is in the child domain. You discover that some Access Control entries start with S-1-5-21 and that no account name is listed.

You need to list the account names.

What should you do?

A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.

B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.

C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.

D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc780850%28v=ws.10%29.aspx

Security identifiers

Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry (ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited. Well-known security identifiers (special identities):

Network (S-1-5-2) Includes all users who are logged on through a network connection.

Access tokens for interactive users do not contain the Network SID.

http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx

Operations master roles

Active Directory supports multimaster replication of the directory data store between all domain controllers (DCs) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.

Domain-wide operations master roles

Every domain in the forest must have the following roles:

Relative ID (RID) master

Primary domain controller (PDC) emulator master

Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.

Infrastructure master

At any time, there can be only one domain controller acting as the infrastructure master in each domain.

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.

Important

Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member.

The infrastructure master of the group’s domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.
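As an added example that is not part of the original page, the PowerShell below first separates the two possible meanings of a nameless S-1-5-21 entry (a deleted principal, which is a genuine orphan, or a cross-domain reference the local DC cannot resolve) and then checks the infrastructure master placement the answer describes, moving the role only when it sits on a global catalog in a domain where not every DC is a global catalog. It assumes the ActiveDirectory module; the child domain name and the folder path are placeholders.

```powershell
# Added example: diagnose unresolved SIDs in an ACL and fix infrastructure master placement.
Import-Module ActiveDirectory
$childDomain = 'child.contoso.com'   # placeholder
$share       = 'D:\Projects'         # placeholder folder on the file server

# 1. Which ACEs fail to resolve? Get-Acl leaves the raw SID when no name is found.
$unresolved = (Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' } |
    ForEach-Object {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($_.IdentityReference.Value)
        $name = $null
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ SID = $sid.Value; ResolvedName = $name; Rights = $_.FileSystemRights }
    }
$unresolved | Format-Table -AutoSize

# 2. Is the child domain's infrastructure master on a DC that is also a global catalog,
#    while some other DC in that domain is not a GC? That is the broken placement the
#    TechNet text warns about: the IM never sees stale cross-domain references, so the
#    phantom objects behind those S-1-5-21 entries are never refreshed.
$domain  = Get-ADDomain -Identity $childDomain
$im      = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGc   = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $false } -Server $childDomain)

if ($im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    # Answer D: move the role to a DC that does not hold the global catalog.
    $target = $nonGc[0]
    Move-ADDirectoryServerOperationMasterRole -Identity $target `
        -OperationMasterRole InfrastructureMaster -Confirm:$false
    "Infrastructure master moved from $($im.HostName) to $($target.HostName)."
} elseif ($im.IsGlobalCatalog) {
    "Every DC in $childDomain is a global catalog; IM placement does not matter here."
} else {
    "Infrastructure master ($($im.HostName)) is already on a non-GC DC; SIDs that still do not resolve are most likely deleted accounts."
}
```

Entries that resolve locally (ResolvedName set) were merely displayed as SIDs by a tool that could not reach a DC; entries that stay unresolved after the role move, once replication has completed, are candidates for removal from the ACL.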


QUESTION 79

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008 R2.

You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

What should you do?

A. From the command prompt, run dfsutil /addroot:sysvol.

B. From the command prompt, run netdom /reset.

C. From the command prompt, run dcpromo /unattend:unattendfile.xml.

D. Raise the functional level of the domain to Windows Server 2008 R2.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspx

Introduction to Administering DFS-Replicated SYSVOL

SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.

Note:

For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.

Using DFS Replication for replicating SYSVOL in Windows Server 2008

Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).
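Raising the functional level makes DFS-R available for SYSVOL; the switch-over itself from FRS is driven by the dfsrmig.exe state machine on Windows Server 2008 and later DCs. The PowerShell below, added here as an example and not part of the original page, checks the precondition from the question (no older DCs left), raises the level, and starts the migration while showing where to wait. It assumes the ActiveDirectory module, a Domain Admin session on the PDC emulator, and that the operating-system match list in the precondition check is a placeholder to adapt to the environment.

```powershell
# Added example: raise the domain functional level and begin the FRS-to-DFSR SYSVOL migration.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Precondition from the question: every DC must already run Windows Server 2008 R2 or
# later, otherwise the functional level raise is refused. (Placeholder OS list.)
$older = @(Get-ADDomainController -Filter * |
           Where-Object { $_.OperatingSystem -notmatch '2008 R2|2012|2016|2019|2022' })
if ($older.Count) {
    throw "Older domain controllers still present: $($older.HostName -join ', ')"
}

# Answer D: raise the domain functional level (irreversible; Windows Server 2008 R2 mode).
if ($domain.DomainMode -ne 'Windows2008R2Domain') {
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -Confirm:$false
}

# dfsrmig global states: 0 Start (FRS only), 1 Prepared, 2 Redirected, 3 Eliminated.
dfsrmig /getglobalstate
dfsrmig /setglobalstate 1

# Before moving to state 2 and then 3, every DC must report the new state:
#   dfsrmig /getmigrationstate
# Rolling back is possible only until state 3 (Eliminated) is reached.
```

The functional level alone does not change how SYSVOL replicates on a domain that was upgraded from 2003; it is the prerequisite that lets dfsrmig proceed, which is why answers A to C, which touch DFS namespaces, trust passwords and promotion, do not apply.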


QUESTION 80

Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008.

You perform the following activities:

Create a global distribution group.

Add users to the global distribution group.

Create a shared folder on a Windows Server 2008 member server.

Place the global distribution group in a domain local group that has access to the shared folder.

You need to ensure that the users have access to the shared folder.

What should you do?

A. Add the global distribution group to the Domain Administrators group.

B. Change the group type of the global distribution group to a security group.

C. Change the scope of the global distribution group to a Universal distribution group.

D. Raise the forest functional level to Windows Server 2008.

Correct Answer: B

Explanation:

http://kb.iu.edu/data/ajlt.html

In Microsoft Active Directory, what are security and distribution groups?

In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:

Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.

Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can’t use distribution groups to assign permissions on any objects, and you can’t use them to filter group policy settings.

http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx

Group types
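As an added example that is not part of the original page, the PowerShell below applies answer B and then generalises the lesson into a check a file server administrator can run: find ACEs on a share that point at distribution groups, directly or nested one level inside a security group as in the question, since such entries grant nothing. It assumes the ActiveDirectory module; the group name and share path are placeholders.

```powershell
# Added example: convert a distribution group to a security group and audit a share
# for ACL entries that rely on distribution groups.
Import-Module ActiveDirectory
$group = 'Sales-Staff'           # placeholder: the global distribution group
$share = '\\FS1\Confidential'    # placeholder: the shared folder

# Answer B. Only security groups have their SID placed in a user's access token, so a
# distribution group never matches an ACE, no matter how it is nested.
$g = Get-ADGroup -Identity $group -Properties GroupCategory, GroupScope
if ($g.GroupCategory -eq 'Distribution') {
    Set-ADGroup -Identity $g -GroupCategory Security
    # Tokens are built at logon: members must log off and on again to gain access.
}

function Find-DistributionGroupsInAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value
        if ($name -notmatch '\\') { continue }    # skip well-known and unresolved SIDs
        $sam = $name.Split('\')[1]
        $obj = Get-ADObject -Filter { SamAccountName -eq $sam } -Properties groupType -ErrorAction SilentlyContinue
        if (-not $obj -or $obj.ObjectClass -ne 'group') { continue }

        # groupType bit 0x80000000 is "security enabled"; a clear bit means distribution.
        if (-not ($obj.groupType -band 0x80000000)) {
            [pscustomobject]@{ Identity = $name; Via = '(direct ACE)'; Rights = $ace.FileSystemRights }
        }
        # Distribution groups nested directly inside the group on the ACE (the question's case).
        Get-ADGroupMember -Identity $obj.DistinguishedName |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName -Properties GroupCategory } |
            Where-Object { $_.GroupCategory -eq 'Distribution' } |
            ForEach-Object {
                [pscustomobject]@{ Identity = $_.Name; Via = "nested in $sam"; Rights = $ace.FileSystemRights }
            }
    }
}

Find-DistributionGroupsInAcl -Path $share | Format-Table -AutoSize
```

An empty result means every group on the ACL can actually carry access; any row is a permission that looks granted in the GUI but has no effect, which is also why the other answers (scope change, forest level, Domain Admins) do not solve the question.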

