[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 81-90

Ensurepass

QUESTION 81

Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office.

 

You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A. Raise the functional level of the forest to Windows Server 2008.

B. Deploy a Windows Server 2008 domain controller at the main office.

C. Raise the functional level of the domain to Windows Server 2008.

D. Run the adprep /rodcprep command.

 

Correct Answer: BD

Explanation:

http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx

Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher.

Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2.

1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:

* Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema.

* Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role.

* If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep.

2. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file.

Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.

 

 

QUESTION 82

Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned.

 

You need to remove the child domain from the Active Directory forest.

 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

 

A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role.

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.

Correct Answer: CD

Explanation:

http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx

Decommissioning a Domain Controller

To complete this task, perform the following procedures:

1. View the current operations master role holders

2. Transfer the schema master

3. Transfer the domain naming master

4. Transfer the domain-level operations master roles

5. Determine whether a domain controller is a global catalog server

6. Verify DNS registration and functionality

7. Verify communication with other domain controllers

8. Verify the availability of the operations masters

9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key

10. Uninstall Active Directory

11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active Directory, perform the following procedure to reimport the certificate to the server: Import a certificate

12. Determine whether a Server object has child objects

13. Delete a Server object from a site

http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx

Uninstall Active Directory

To uninstall Active Directory

1. Click Start, click Run, type dcpromo and then click OK.

 

 

QUESTION 83

Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates.

 

You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR.

 

You need to ensure that the French-language version of the templates is available.

 

What should you do?

 

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copy the ADM files to the FR folder.

B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.

C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.

D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc772507%28v=ws.10%29.aspx

.admx and .adml File Structure

In order to support the multilingual display of policy settings, the ADMX file structure must be broken into two types of files:

A language-neutral file, .admx, describing the structure of the categories and Administrative template policy settings displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor.

A set of language-dependent files, .adml, providing the localized portions displayed in the GPMC or Local Group Policy Editor. Each .adml file represents a single language you wish to support.

Language-neutral file (.admx) structure

Language resource file (.adml) structure

The language resource files, .adml, provide the language specific information needed by the language neutral file. The language neutral file will then reference specific sections of the language resource file in order for the GPMC or Local Group Policy Editor to display a policy setting in the correct language.

 

 

QUESTION 84

Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.

 

You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.

 

At which level should you deactivate UGMC?

 

A. Server

B. Connection object

C. Domain

D. Site

 

Correct Answer: D

Explanation:

http://www.ntweekly.com/?p=788

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91

Script to Disable Universal Group Membership Caching in all Sites

How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user’s membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of the Universal Groups a user is a member of rather than contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user’s account at the time the user logs on to the domain to the authenticating domain controller.

UGMC is generally a good idea for multiple domain forests when:

1. Universal Group membership does not change frequently.

2. Low WAN bandwidth between Domain Controllers in different sites.

It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.

 

 

QUESTION 85

Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.

 

You need to create multiple password policies for users in your domain.

 

What should you do?

 

A. From the Group Policy Management snap-in, create multiple Group Policy objects.

B. From the Schema snap-in, create multiple class schema objects.

C. From the ADSI Edit snap-in, create multiple Password Setting objects.

D. From the Security Configuration Wizard, create multiple security policies.

 

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

 

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

 

To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:

Password Settings Container

Password Settings

The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.

 

Steps to configure fine-grained password and account lockout policies

When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps:

Step 1: Create a PSO

Step 2: Apply PSOs to Users and Global Security Groups

Step 3: Manage a PSO

Step 4: View a Resultant PSO for a User or a Global Security Group

http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx

Step 1: Create a PSO

You can create Password Settings objects (PSOs):

Creating a PSO using the Active Directory module for Windows PowerShell

Creating a PSO using ADSI Edit

Creating a PSO using ldifde
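The four steps above, carried out with the Active Directory module for Windows PowerShell. This is an added example, not taken from the exam material or the Microsoft guide; the PSO name, group name, user name and all policy values are hypothetical, and it assumes a session on a domain member with the ActiveDirectory module and rights to manage the Password Settings Container.

```powershell
# Added example: PSO-ServiceDesk, ServiceDeskAdmins and jdoe are hypothetical names,
# and the policy values are illustrative, not recommendations from the page.
Import-Module ActiveDirectory

# Step 1: create the PSO. When several PSOs reach the same user,
# the one with the lowest Precedence value wins.
$pso = @{
    Name                        = 'PSO-ServiceDesk'
    Precedence                  = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    MinPasswordLength           = 14
    MinPasswordAge              = '1.00:00:00'    # d.hh:mm:ss, 1 day
    MaxPasswordAge              = '60.00:00:00'   # 60 days
    LockoutThreshold            = 5
    LockoutObservationWindow    = '00:30:00'
    LockoutDuration             = '00:30:00'
}
New-ADFineGrainedPasswordPolicy @pso

# Step 2: apply the PSO to a global security group (users can also be subjects).
# PSOs are not linked to OUs, so group membership is what scopes the policy.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceDesk' -Subjects 'ServiceDeskAdmins'

# Step 3: manage the PSO, then read it back to confirm settings and scope.
Set-ADFineGrainedPasswordPolicy -Identity 'PSO-ServiceDesk' -MinPasswordLength 16
Get-ADFineGrainedPasswordPolicy -Identity 'PSO-ServiceDesk' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# Step 4: view the resultant PSO for one user.
# No output means no PSO applies and the domain password policy is in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $resultant) {
    'jdoe: no PSO applies; the domain password policy is in effect'
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength
}
```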

 

 

QUESTION 86

Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One of these GPOs publishes applications to user objects. A user reports that the application is not available for installation.

 

You need to identify whether the GPO has been applied.

 

What should you do?

 

A. Run the Group Policy Results utility for the user.

B. Run the GPRESULT /S <system name> /Z command at the command prompt.

C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.

D. Run the Group Policy Results utility for the computer.

 

Correct Answer: A

Explanation:

Personal note:

You run the utility for the user and not for the computer because the application publishes to user objects

http://technet.microsoft.com/en-us/library/bb456989.aspx

How to Use the Group Policy Results (GPResult.exe) Command Line Tool

Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns settings in effect on the computer on which GPResult is run.

To run GPResult on your own computer:

1. Click Start, Run, and enter cmd to open a command window.

2. Type gpresult and redirect the output to a text file as shown in Figure 1 below:

 


 

3. Enter notepad gp.txt to open the file. Results appear as shown in the figure below.

 


 

 

QUESTION 87

Your company has an Active Directory forest that contains client computers that run Windows Vista and Microsoft Windows XP.

 

You need to ensure that users are able to install approved application updates on their computers.

 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

 

A. Set up Automatic Updates through Control Panel on the client computers.

B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.

C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.

D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.

 

Correct Answer: CD

Explanation:

http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx

Configure Automatic Updates by Using Group Policy

When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO) linked to an Active Directory container appropriate for your environment.

 

 

QUESTION 88

Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role.

 

DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role.

 

You need to ensure that DC2 holds the Schema Master role.

 

What should you do?

 

A. Configure DC2 as a bridgehead server.

B. On DC2, seize the Schema Master role.

C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in.

D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.

 

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspx

Transfer the Schema Master

You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.

Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.

http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspx

Seize the AD LDS Schema Master Role

The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the AD LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set. Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.

Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.

QUESTION 89

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.

 

You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.

 

What should you do?

 

A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.

C. Enable the Audit account management policy in the Default Domain Controller Policy.

D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.

 

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx

 

AD DS Auditing Step-by-Step Guide

In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.

 

The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory.

The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:

When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.

If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.

If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.

If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.

 

In Windows Server 2008, you implement the new auditing feature by using the following controls:

Global audit policy

System access control list (SACL)

Schema

Global audit policy

Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default.

You can use the command-line tool Auditpol.exe to view or set audit policy subcategories.

There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.

Further information:

http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx

Auditpol

Displays information about and performs functions to manipulate audit policies.

http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/

AD Scenario – Auditing Directory Services

Auditing of Directory Services depends on several controls:

1. Global Audit Policy (at category level using gpmc.msc tool)

2. Individual Audit Policy (at subcategory level using auditpol.exe tool)

3. System ACLs – to specify which operations are to be audited for a security principal.

4. Schema (optional) – this is an additional control in the schema that you can use to create exceptions to what is audited.

In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes. This can be done using the auditpol.exe tool.

Command to check which audit policies are active on your machine: auditpol /get /category:*

 


 

Command to view the audit policy categories and Subcategories:

 


 

How to enable the global audit policy using the Windows interface i.e. gpmc tool

Click Start, point to Administrative Tools, and then Group Policy Management or run gpmc.msc command.

 

In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.

 


 

Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.

 


 

In the details pane, right-click Audit directory service access, and then click Properties. Select the Define these policy settings check box. Under Audit these attempts, select the Success check box, and then click OK.

 


 

How to enable the change auditing policy using a command line

Click Start, right-click Command Prompt, and then click Run as administrator.

Type the following command, and then press ENTER:

auditpol /set /subcategory:"directory service changes" /success:enable

To verify whether auditing is enabled for "Directory Service Changes", you can run the command below:

auditpol /get /category:"DS Access"

 


 

How to set up auditing in object SACLs

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.

Click the Security tab, click Advanced, and then click the Auditing tab.

 


 

Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK.

 


 

In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties.

Click OK

 


 

Click OK until you exit the property sheet for the OU or other object.

To test whether auditing is working, try creating or modifying objects in the Finance OU and check the Security event logs.

I just created a new user account in Finance OU named f4.

 


 

If you check the security event logs you will find eventid 5137 (Create)

Note:

Once the auditing is enabled these eventids will appear in security event logs: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).
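A way to read the old and new values back out of the 5136 (Modify) events listed above, as an added example that is not part of the original page or the guides it quotes. A modify is logged as separate 5136 records, one carrying the removed value and one carrying the added value, linked by a shared OpCorrelationID; the sample records, the example.com domain and the admin1 account are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example; sample records are constructed for illustration.
# OperationType codes in event 5136: %%14674 = Value Added, %%14675 = Value Deleted.

function ConvertFrom-DsChangeEvent {
    # Flatten the <EventData> of a Get-WinEvent record into one object.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $row = [ordered]@{ Id = $Record.Id; TimeCreated = $Record.TimeCreated }
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $row[$d.Name] = $d.'#text'
        }
        [pscustomobject]$row
    }
}

function Join-DsChange {
    # Pair the "deleted" (old) and "added" (new) halves of each modify operation.
    param([Parameter(Mandatory = $true)] [object[]] $Record)
    $Record |
        Where-Object { $_.Id -eq 5136 } |
        Group-Object -Property OpCorrelationID, ObjectDN, AttributeLDAPDisplayName |
        ForEach-Object {
            $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
            $old = @($_.Group | Where-Object { $_.OperationType -eq '%%14675' })
            $new = @($_.Group | Where-Object { $_.OperationType -eq '%%14674' })
            [pscustomobject]@{
                Time      = $first.TimeCreated
                Who       = $first.SubjectUserName
                ObjectDN  = $first.ObjectDN
                Attribute = $first.AttributeLDAPDisplayName
                OldValue  = ($old | ForEach-Object { $_.AttributeValue }) -join '; '
                NewValue  = ($new | ForEach-Object { $_.AttributeValue }) -join '; '
            }
        }
}

function New-SampleRecord {
    # Builds one constructed record shaped like ConvertFrom-DsChangeEvent output.
    param($Id, $Time, $Attribute, $Value, $Operation, $Correlation)
    [pscustomobject]@{
        Id = $Id; TimeCreated = [datetime]$Time; SubjectUserName = 'admin1'
        ObjectDN = 'CN=f4,OU=Finance,DC=example,DC=com'
        AttributeLDAPDisplayName = $Attribute; AttributeValue = $Value
        OperationType = $Operation; OpCorrelationID = $Correlation
    }
}

$opA = '{11111111-1111-1111-1111-111111111111}'
$opB = '{22222222-2222-2222-2222-222222222222}'
$sample = @(
    # The create event is skipped by Join-DsChange; only 5136 records are paired.
    New-SampleRecord 5137 '2016-02-01T10:14:00' $null $null $null $null
    # One modify that replaces a value: old value deleted, new value added.
    New-SampleRecord 5136 '2016-02-01T10:15:02' 'description' 'Temp account' '%%14675' $opA
    New-SampleRecord 5136 '2016-02-01T10:15:02' 'description' 'Finance analyst' '%%14674' $opA
    # An attribute set for the first time has no old value.
    New-SampleRecord 5136 '2016-02-01T10:20:41' 'telephoneNumber' '555-0100' '%%14674' $opB
)

Join-DsChange -Record $sample | Format-Table -AutoSize

# Against a live Security log on a domain controller (elevated session):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200 |
#     ConvertFrom-DsChangeEvent
# Join-DsChange -Record $live
```

An empty OldValue means the attribute was set for the first time; an empty NewValue means a value was cleared.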

 


 

 

QUESTION 90

Your company has an Active Directory forest. The company has three locations. Each location has an organizational unit and a child organizational unit named Sales.

 

The Sales organizational unit contains all users and computers of the sales department.

 

The company plans to deploy a Microsoft Office 2007 application on all computers within the three Sales organizational units.

 

You need to ensure that the Office 2007 application is installed only on the computers in the Sales organizational units.

 

What should you do?

 

A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain.

B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

Correct Answer: C

 
