[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 91-100

QUESTION 91

Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.

You need to ensure users are able to enroll new certificates.

What should you do?

A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.

B. Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to the SystemCertificates folder in the users’ profile.

C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.

D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.

Correct Answer: A

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx

Offline Root Certification Authority (CA)

A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.

CA Compromise

If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access.

To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA.

How Do Offline CAs issue certificates?

Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD) that are then physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate and that certificate will be placed on removable media. Each CA receives its authorization to issue certificates from the CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network devices, mobile devices, and so on.

Do not join offline CAs to an Active Directory Domain Services domain

Since offline CAs should not be connected to a network, it does not make sense to join them to an Active Directory Domain Services (AD DS) domain, even with the Offline Domain Join option introduced with Windows 7 and Windows Server 2008 R2.

Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with a secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this problem and better protect your CA by making it a member of a workgroup instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not attempt to install an offline CA as a Windows Server Enterprise CA.

http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspx

Renewing a certification authority

A certification authority may need to be renewed for either of the following reasons:

* Change in the policy of certificates issued by the CA

* Expiration of the CA’s issuing certificate

QUESTION 92

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to capture all replication errors from all domain controllers to a central location.

What should you do?

A. Start the Active Directory Diagnostics data collector set.

B. Start the System Performance data collector set.

C. Install Network Monitor and create a new capture.

D. Configure event log subscriptions.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc748890.aspx

Configure Computers to Forward and Collect Events

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

http://technet.microsoft.com/en-us/library/cc749183.aspx

Event Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.

http://technet.microsoft.com/en-us/library/cc961808.aspx

Replication Issues

QUESTION 93

A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.

You need to enable the user to join a single computer to the domain.

You must ensure that the user is denied any additional rights beyond those required to complete the task.

What should you do?

A. Prestage the computer account in the Active Directory domain.

B. Add the user to the Domain Administrators group for one day.

C. Add the user to the Server Operators group in the Active Directory domain.

D. Grant the user the right to log on locally by using a Group Policy Object (GPO).

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc770832%28v=ws.10%29.aspx#BKMK_1

Prestaging Client Computers

Benefits of Prestaging Client Computers

Prestaging clients provides three main benefits:

* An additional layer of security. You can configure Windows Deployment Services to answer only prestaged clients, therefore ensuring that clients that are not prestaged will not be able to boot from the network.

* Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. For instructions on performing these tasks, see the “Prestage Computers” section of How to Manage Client Computers.

* The computer account name and location within AD DS.

* Which server the client should network boot from.

* Which network boot program the client should receive.

* Other advanced options — for example, what boot image a client will receive or what Windows Deployment Services client unattend file the client should use.

* The ability for multiple Windows Deployment Services servers to service the same network segment. You can do this by restricting the server to answer only a particular set of clients. Note that the prestaged client must be in the same forest as the Windows Deployment Services server (trusted forests do not work).

Further information:

http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/

QUESTION 94

Your network consists of a single Active Directory domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You plan to create a new Active Directory-integrated zone.

You need to ensure that the new zone is only replicated to four of your domain controllers.

What should you do first?

A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.

B. Create a new delegation in the ForestDnsZones application directory partition.

C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.

D. Create a new delegation in the DomainDnsZones application directory partition.

Correct Answer: A

Explanation:

Practically the same question as D/Q25 and K/Q17, with a different set of answers.

To control which servers get a copy of the zone we have to store the zone in an application directory partition.

That application directory partition must be created before we create the zone, otherwise it won’t work. So that’s what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil.

Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com.

Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.

[Screenshot: ntdsutil session creating the directory partition and the subsequent dnscmd /zoneadd run (image not reproduced)]

Reference 1:

http://technet.microsoft.com/en-us/library/cc725739.aspx

Store Data in an AD DS Application Partition

You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.

Reference 2:

http://technet.microsoft.com/en-us/library/cc730970.aspx

Partition management

Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

This is a subcommand of Ntdsutil and Dsmgmt.

Examples

To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:

1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. Type: ntdsutil

3. Type: Ac in ntds

4. Type: partition management

5. Type: connections

6. Type: Connect to server DC_Name

7. Type: quit

8. Type: list

The following partitions will be listed:

0 CN=Configuration,DC=Contoso,DC=com

1 DC=Contoso,DC=com

2 CN=Schema,CN=Configuration,DC=Contoso,DC=com

3 DC=DomainDnsZones,DC=Contoso,DC=com

4 DC=ForestDnsZones,DC=Contoso,DC=com

9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com

10. Run the list command again to refresh the list of partitions.

QUESTION 95

Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long.

You need to decrease the amount of time it takes for the branch office users to log on.

What should you do?

A. Configure DC1 as a Global Catalog server.

B. Configure DC1 as a bridgehead server for the branch office site.

C. Decrease the replication interval on the site link that connects the branch office to the corporate network.

D. Increase the replication interval on the site link that connects the branch office to the corporate network.

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc728188.aspx

What Is the Global Catalog?

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

QUESTION 96

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).

You need to ensure that only administrators can sign code.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.

B. Modify the security settings on the template to allow only administrators to request code signing certificates.

C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.

D. Publish the code signing template.

Correct Answer: BD

Explanation:

http://techblog.mirabito.net.au/?p=297

Generating and working with code signing certificates

A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).

For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.

In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code. A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question.

Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.

QUESTION 97

Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table.

[Table: DNS server configuration for DNS1 and DNS2 (image not reproduced)]

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites.

You need to enable Internet name resolution for all client computers.

What should you do?

A. Update the list of root hints servers on DNS2.

B. Create a copy of the .(root) zone on DNS1.

C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.

D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

Correct Answer: C

Explanation:

http://support.microsoft.com/kb/298148

How To Remove the Root Zone (Dot Zone)

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

QUESTION 98

Your company has an Active Directory domain. The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.

You add a new server to the main office.

Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server.

You need to ensure that the user is able to connect to the new server.

What should you do?

A. Clear the cache on DNS2.

B. Reload the zone on DNS1.

C. Refresh the zone on DNS2.

D. Export the zone from DNS1 and import the zone to DNS2.

Correct Answer: C

Explanation:

Old answer: Refresh the zone on DNS2.

http://technet.microsoft.com/en-us/library/cc794900%28v=ws.10%29.aspx

Adjust the Refresh Interval for a Zone

You can use this procedure to adjust the refresh interval for a Domain Name System (DNS) zone. The refresh interval determines how often other DNS servers that load and host the zone must attempt to renew the zone.

By default, the refresh interval for each zone is set to 15 minutes.

http://blog.ijun.org/2008/11/difference-between-dnscmd-clearcache.html

difference between dnscmd /clearcache and ipconfig /flushdns

Q: Do “dnscmd /clearcache” and “ipconfig /flushdns” do the exact same thing on a Windows 2003 server? What is the difference, if any?

A: Ipconfig /flushdns will flush the local computer cache. And dnscmd /clearcache will clear the dns server cache.

Meaning that with the first you will clear the “local” cache of the server you work on. (Even if it is the DNS server, it will NOT clear the DNS server cache.) While with dnscmd you will clear the DNS server cache.

QUESTION 99

Your company has two Active Directory forests named contoso.com and fabrikam.com.

The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table.

[Table: DNS server configuration for DNS1, DNS2 and DNS3 (image not reproduced)]

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server.

Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.

What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.

B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.

C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.

D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc730756.aspx

Understanding Forwarders

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.

The following figure illustrates how external name queries are directed with forwarders.

[Figure: external name queries directed through forwarders (image not reproduced)]

Conditional forwarders

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

QUESTION 100

Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed.

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.

What should you do?

A. Add and configure a new account partner.

B. Add and configure a new resource partner.

C. Add and configure a new account store.

D. Add and configure a Claims-aware application.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc732095.aspx

Understanding Account Stores

Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores:

* Active Directory Domain Services (AD DS)

* Active Directory Lightweight Directory Services (AD LDS)
