[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 11-20


Windows Server 2008 Active Directory, Configuring

Question No: 11 – (Topic 1)

Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008.

The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003.

You need to set up a transitive forest trust between Forest1 and Forest2. What should you do first?

  A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.

  B. Raise the forest functional level of Forest2 to Windows Server 2003.

  C. Upgrade the domain controllers in Forest2 to Windows Server 2008.

  D. Upgrade the domain controllers in Forest2 to Windows Server 2003.

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc816810.aspx

Creating Forest Trusts

You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way or two-way, transitive trust relationship.

The following are required to create forest trusts successfully:

You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest.

To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003.
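The functional-level precondition above, as an added example (not code from the original page or from Microsoft's documentation). It assumes the forests are named forest1.example and forest2.example, that the ActiveDirectory module from RSAT (Windows Server 2008 R2) is available on a host in Forest2, and that the account holds Enterprise Admins there. The trust itself is still created with the New Trust Wizard in Active Directory Domains and Trusts, as the reference describes; the script checks and raises the level beforehand and verifies the trust afterwards.

```powershell
# Added example, not from the original page. Assumed names: forest1.example,
# forest2.example. Run in Forest2 with Enterprise Admins rights.
Import-Module ActiveDirectory

$forest2 = Get-ADForest -Identity forest2.example
"Forest2 forest mode: {0}" -f $forest2.ForestMode

# The forest level can only be raised once every domain in the forest is at
# least Windows Server 2003, which is why the question states the domain levels.
$tooLow = @('Windows2000Domain', 'Windows2003InterimDomain')
foreach ($dnsRoot in $forest2.Domains) {
    $dom = Get-ADDomain -Identity $dnsRoot
    "{0,-30} domain mode: {1}" -f $dom.DNSRoot, $dom.DomainMode
    if ($tooLow -contains "$($dom.DomainMode)") {
        throw "$dnsRoot must be at Windows Server 2003 domain level before the forest level can be raised"
    }
}

if ($forest2.ForestMode -eq 'Windows2000Forest') {
    # One-way change: Windows 2000 domain controllers can no longer be added to
    # Forest2 afterwards. Forest trusts need Windows2003Forest or higher.
    Set-ADForestMode -Identity forest2.example -ForestMode Windows2003Forest -Confirm:$false
    Get-ADForest -Identity forest2.example | Select-Object Name, ForestMode
}

# After the forest trust has been created in the wizard: verify the trust's
# secure channel and list trust attributes. A forest trust carries the
# forest-transitive attribute (TRUST_ATTRIBUTE_FOREST_TRANSITIVE, 0x8).
netdom trust forest1.example /d:forest2.example /verify
nltest /domain_trusts /all_trusts /v
```

Raising the forest level is irreversible on Windows Server 2008 R2, so the domain-level check runs first; an interim level (option A) is only for forests still being upgraded from Windows NT 4.0 and does not satisfy the forest-trust requirement.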

Question No: 12 – (Topic 1)

Your company has an Active Directory domain.

You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2.

You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

  A. Create an Enrollment Agent certificate.

  B. Create a Smartcard logon certificate.

  C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.

  D. Install the AD CS role and configure it as an Enterprise Root CA.

  E. Install the AD CS role and configure it as a Standalone CA.

  F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.

Answer: B,C,D

Explanation:

http://technet.microsoft.com/en-us/library/cc753800(v=ws.10).aspx
AD CS: Restricted Enrollment Agent

The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users.

What does the restricted enrollment agent do?

Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations.

On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows

http://technet.microsoft.com/en-us/library/cc776874(v=ws.10).aspx
Enterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA).

Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.

An enterprise CA has the following features:

An enterprise CA requires the Active Directory directory service.

When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.

Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.

An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.

The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.

The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501(WS.10).aspx

Stand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA).

Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

A stand-alone CA has the following characteristics:

Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.

When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database.

By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used.

No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card.

The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves.

When a stand-alone CA uses Active Directory, it has these additional features:

If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.

If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.

Question No: 13 – (Topic 1)

Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).

You need to ensure that only administrators can sign code.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.

  B. Modify the security settings on the template to allow only administrators to request code signing certificates.

  C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.

  D. Publish the code signing template.

Answer: B,D

Explanation:

http://techblog.mirabito.net.au/?p=297

Generating and working with code signing certificates

A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).

For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.

In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority.

Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code.

A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question.

Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.
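The two tasks in the answer (restrict the template's Enroll permission, then publish the template on the CA), as an added example that is not code from the original page or the referenced blog. It assumes the ActiveDirectory module from RSAT, certutil, a domain with NetBIOS name CONTOSO and an enterprise root CA at CA01\contoso-CA; the group names and CA config string are assumptions. On a default Code Signing template only Domain Admins and Enterprise Admins hold Enroll, so the first loop should report nothing to remove unless someone widened it.

```powershell
# Added example, not from the original page. Assumed: domain CONTOSO,
# CA config string "CA01\contoso-CA". Run with Enterprise Admins rights.
Import-Module ActiveDirectory

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=CodeSigning,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# The extended rights that let a principal request certificates from a template.
$enrollRights = @(
    [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55',   # Certificate-Enrollment
    [Guid]'a05b8cc2-17bc-11d2-90e0-00c04f79dc55'    # Certificate-AutoEnrollment
)
$allowed = @('CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')   # assumed

$acl = Get-Acl -Path "AD:\$templateDN"

# Report who can enroll today, then strip Enroll/Autoenroll from any principal
# outside the allowed list. Read (which Authenticated Users keep) is harmless:
# it does not let anyone request a certificate.
foreach ($ace in @($acl.Access)) {
    if ($enrollRights -contains $ace.ObjectType) {
        "{0,-6} {1}" -f $ace.AccessControlType, $ace.IdentityReference
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $ace.IdentityReference.Value) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
}

# Make sure Domain Admins explicitly hold Enroll, then write the DACL back.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.NTAccount]'CONTOSO\Domain Admins',
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRights[0])
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Publish the template: a template that is not in the CA's issued-template
# list cannot be requested no matter what its ACL says.
certutil -config "CA01\contoso-CA" -SetCATemplates +CodeSigning

# Confirm both halves.
certutil -config "CA01\contoso-CA" -CATemplates
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $enrollRights -contains $_.ObjectType } |
    Select-Object IdentityReference, AccessControlType
```

Template permissions live on the template object in the Configuration partition, so the change replicates forest-wide and applies to every enterprise CA that publishes the template, not just the one that was edited.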

Question No: 14 – (Topic 1)

Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application.

The registry modifications are in a file that has an .adm extension. You need to prepare the target computers for the application.

What should you do?

  A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.

  B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer.

  C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.

  D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer.

Answer: A

Explanation:

http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm
Adding New Administrative Templates to a GPO

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in a GPO, follow these steps:

1. Open the Group Policy Management Console (GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.

2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.
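The same procedure driven from PowerShell, as an added example that is not part of the original page or the referenced article. It assumes the GroupPolicy module from RSAT on Windows Server 2008 R2, the domain contoso.com, a vendor file C:\Install\ContosoApp.adm and an OU holding the target computers; all of those names are assumptions. There is no cmdlet for Add/Remove Templates, but a classic .adm file is simply stored in the GPO's own Adm folder in SYSVOL, which is where the editor loads it from.

```powershell
# Added example, not from the original page. Assumed names: contoso.com,
# OU=AppWorkstations, C:\Install\ContosoApp.adm.
Import-Module GroupPolicy

$domain   = 'contoso.com'
$targetOU = 'OU=AppWorkstations,DC=contoso,DC=com'
$admFile  = 'C:\Install\ContosoApp.adm'

# One GPO for the pre-install registry settings, linked only to the OU that
# holds the 200 target computers.
$gpo = New-GPO -Name 'ContosoApp prerequisites' -Comment 'Registry settings required before ContosoApp install'
New-GPLink -Guid $gpo.Id -Target $targetOU -LinkEnabled Yes -Domain $domain | Out-Null

# The Group Policy Template for this GPO lives under SYSVOL\Policies\{GUID}.
# Every .adm file in its Adm subfolder appears under Administrative Templates
# in the Group Policy Management Editor, which is what Add/Remove Templates
# does in the GUI.
$admDir = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\Adm"
New-Item -ItemType Directory -Path $admDir -Force | Out-Null
Copy-Item -Path $admFile -Destination $admDir

# Verify the GPO, the file and the link before opening the editor.
Get-GPO -Guid $gpo.Id | Select-Object DisplayName, GpoStatus, Id
Get-ChildItem -Path $admDir
(Get-GPInheritance -Target $targetOU).GpoLinks | Select-Object DisplayName, Enabled, Order
```

One caveat worth checking in the vendor's .adm: settings that write outside the Software\Policies keys are "preferences", not policies. The editor hides them by default (View, Filtering) and they tattoo the registry, so they stay behind when the GPO stops applying.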

Question No: 15 – (Topic 1)

Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed.

You need to ensure that the user is able to log on to the computer. What should you do?

  A. Run the netsh command with the set and machine options.

  B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.

  C. Run the netdom TRUST /reset command.

  D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.

Answer: B

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-and-primary-domain-failed.aspx

Trust Relationship between Workstation and Primary Domain failed

What are the common causes which generate this message on client systems?

There might be multiple reasons for this kind of behaviour. Below are listed a few of them:

1. A single SID has been assigned to multiple computers.

2. The secure channel is broken between the domain controller and the workstation.

3. There is no SPN or DNSHostName in the computer account attributes.

4. Outdated NIC drivers.

How to troubleshoot this behaviour?

1. If the secure channel is broken between the domain controller and the workstation

When a computer account is joined to the domain, a secure channel password is stored with the computer account on the domain controller. By default this password changes every 30 days (this is an automatic process; no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.

If there are problems with system time, DNS configuration or other settings, the secure channel password between the workstation and the DCs may fall out of sync. A common cause of a broken secure channel [machine account password] is that the secure channel password held by the domain member does not match the one held by AD. Often this is caused by performing a Windows System Restore (or reverting to a previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to AD.

Resolution:

The simplest resolution is to unjoin/disjoin the computer from the domain and rejoin the computer account to the domain (this is a somewhat similar principle to performing a password reset for a user account).

Or

You can reset the computer account using the netdom.exe tool.

http://technet.microsoft.com/en-us/library/cc772217(v=ws.10).aspx
Netdom

    Enables administrators to manage Active Directory domains and trust relationships from the command prompt.

    Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

You can use netdom to:

• Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.

• Manage computer accounts for domain member workstations and member servers.

• Establish one-way or two-way trust relationships between domains.

• Verify or reset the secure channel for the following configurations:

  • Member workstations and servers.

  • Backup domain controllers (BDCs) in a Windows NT 4.0 domain.

  • Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

• Manage trust relationships between domains.

Syntax

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]

http://technet.microsoft.com/en-us/library/cc788073(v=ws.10).aspx
Netdom reset

Resets the secure connection between a workstation and a domain controller.

Syntax

netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]

Further information:

http://technet.microsoft.com/en-us/library/cc835085(v=ws.10).aspx
Netdom trust

Establishes, verifies, or resets a trust relationship between domains.

Syntax

netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]
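Diagnosing and repairing the broken secure channel described above, as an added example that is not code from the original page or the wiki article. It assumes a Windows 7 or Windows Server 2008 R2 member of contoso.com (PowerShell 2.0 is enough) and a domain admin account CONTOSO\admin; both names are assumptions. It is run locally on the affected computer as a local administrator, since the computer itself can no longer authenticate to the domain.

```powershell
# Added example, not from the original page. Assumed: domain contoso.com,
# admin account CONTOSO\admin.

# 1. Diagnose: nltest asks Netlogon for the state of the secure channel to
#    the DC the computer last used.
nltest /sc_query:contoso.com

# 2. The same check from PowerShell. $false means the machine account
#    password held locally no longer matches the one on the DC (a snapshot
#    revert, or an account reset while the machine was off for 12 weeks).
$ok = Test-ComputerSecureChannel -Verbose
"Secure channel healthy: $ok"

if (-not $ok) {
    # 3. Repair in place: sets a new machine account password on both sides,
    #    which is what "reset the account, disjoin, rejoin" achieves with two
    #    extra reboots. Domain credentials are needed because the computer's
    #    own identity cannot be used for this operation any more.
    $cred = Get-Credential -Credential 'CONTOSO\admin'
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose

    # 4. Command-line equivalent from the page's netdom reference, useful when
    #    PowerShell is unavailable:
    #    netdom reset <computer> /d:contoso.com /uo:CONTOSO\admin /po:*

    # 5. Re-verify, this time forcing a fresh secure-channel setup.
    nltest /sc_verify:contoso.com
}
```

Two practical points: the repair only works while the computer object still exists in the domain (a deleted account requires a rejoin), and resetting the account in Active Directory Users and Computers without then repairing or rejoining leaves the channel broken, because the reset changes only the DC side of the password.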

Question No: 16 – (Topic 1)

Your company has an Active Directory forest.

You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.

When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available.

You need to install the AD CS role as an Enterprise CA. What should you do first?

  A. Add the DNS Server role.

  B. Add the Active Directory Lightweight Directory Services (AD LDS) role.

  C. Add the Web Server (IIS) role and the AD CS role.

  D. Join the server to the domain.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
Active Directory Certificate Services Step-by-Step Guide

http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable


Many times, administrators ask me what to do when, while installing Active Directory Certificate Services, they cannot choose to install an Enterprise Certification Authority because the option is unavailable, as in the following picture:

Well, you need to fulfil the basic requirements:

Server machine has to be a member server (domain joined).

You can run an Enterprise CA on the Standard, Enterprise, or Datacenter edition of Windows Server. The difference is the number of AD CS features and components that can be enabled. To get full functionality, you need to run on the Enterprise or Datacenter edition of Windows Server 2008 / 2008 R2. That includes functionality like role separation, certificate manager restrictions, delegated enrollment agent restrictions, certificate enrollment across forests, Online Responder, and Network Device Enrollment Service. In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through group nesting).

If the issue still persists, there is probably a problem with getting the correct credentials of your account. There are many things that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly: First of all, carefully check all the above requirements.

Secondly, install all available patches and Service Packs with Windows Update before trying to install Enterprise CA.

Check network settings on the CA Server. If there is no DNS setting, Certificate Authority Server cannot resolve and find domain.

Sufficient privileges for writing the Enterprise CA configuration information in AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure, that your account is in Enterprise Admins group, but check this how CA Server “sees” your account membership by typing whoami /groups.

You also need to be a member of the local Administrators group. If you are not, you would not be able to run Server Manager at all, but it still needs to be checked.

View C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that needed memberships are not correct.

Don’t forget to check event viewer on CA Server side and look for red lines.

Verify that network devices or software/hardware firewalls are not blocking access between the server and the domain controllers. If they are, the Certificate Authority server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName.

Check also whether the CA server is connected to a writable domain controller.

Enterprise Admins is the most powerful group and has the full control permissions AD CS requires, but who knows – maybe someone changed the default permissions? Run adsiedit.msc on a domain controller, connect to the Configuration naming context and first of all check whether the CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container exists. If so, check the permissions on all subcontainers under Public Key Services to confirm that the Enterprise Admins group has full control. The main subcontainers to verify are Certificate Templates, OID and KRA.

If none of the above tips help, disjoin the server from the domain and join it again. As a last resort, reinstall the operating system on the CA server.
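The checklist above run from one elevated PowerShell prompt on the candidate CA server, as an added example that is not code from the original page or the referenced blog. It assumes a Windows Server 2008 R2 machine that should be a member of contoso.com and that the ActiveDirectory module from RSAT is installed on it; the domain name is an assumption.

```powershell
# Added example, not from the original page. Assumed domain: contoso.com.
# Run elevated on the server where the Enterprise CA option is greyed out.

# 1. Domain membership: on a workgroup server the Enterprise CA option is
#    hidden outright, which is the exam's scenario (answer D).
$cs = Get-WmiObject -Class Win32_ComputerSystem
"Domain joined: {0}  Domain: {1}  DomainRole: {2}" -f $cs.PartOfDomain, $cs.Domain, $cs.DomainRole

# 2. Group membership as the server sees it. The installer needs Enterprise
#    Admins (RID 519) or Domain Admins of the forest root (RID 512) in the
#    token, plus local Administrators (S-1-5-32-544). whoami shows the token,
#    which is what Server Manager evaluates, not what ADUC shows.
$groups = whoami /groups /fo csv | ConvertFrom-Csv
$groups | Where-Object { $_.SID -match '-(512|519)$' -or $_.SID -eq 'S-1-5-32-544' } |
    Select-Object 'Group Name', SID

# 3. Secure channel to a DC, as the page suggests.
nltest /sc_verify:contoso.com

# 4. The PKI container the Enterprise CA must write to, and what Enterprise
#    Admins hold on it.
Import-Module ActiveDirectory
$pki = "CN=Public Key Services,CN=Services," + (Get-ADRootDSE).configurationNamingContext
Get-ADObject -Identity $pki -Properties whenCreated | Select-Object DistinguishedName, whenCreated
(Get-Acl -Path "AD:\$pki").Access |
    Where-Object { $_.IdentityReference -like '*Enterprise Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 5. If the wizard already ran once, certocm.log records why the option was
#    unavailable, e.g. ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS.
if (Test-Path 'C:\Windows\certocm.log') {
    Select-String -Path 'C:\Windows\certocm.log' -Pattern 'ENUM_ENTERPRISE_UNAVAIL' | Select-Object -Last 5
}
```

If step 2 shows the expected groups but the option stays greyed out, log off and on again first: a group added while the session was open is not in the current token, so whoami and Server Manager both still miss it.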

Question No: 17 – (Topic 1)

Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.

You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.

  B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.

  C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units.

  D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators.

Answer: A,B

Explanation:

http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit

To delegate control of an organizational unit

1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools and then double-click Active Directory Users and Computers.

2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

   Where? Active Directory Users and Computers\domain node\organizational unit

3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.

http://technet.microsoft.com/en-us/library/cc781991(v=ws.10).aspx
Delegating Administration of Group Policy

      Your Group Policy design will probably call for delegating certain Group Policy administrative tasks.

      Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most important factors to consider when assessing the needs of your organization. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group.

You can delegate the following Group Policy tasks:

Creating GPOs

Managing individual GPOs (for example, granting Edit or Read access to a GPO), etc.

      Delegating Creation of GPOs

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU.

      Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.

      Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.

The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate.

Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission:

      Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.

      Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.

      You can manage this permission by using the Delegation tab on the Group Policy objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups.

      Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain.

If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions.

      Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.
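The two delegations in the answer carried out from the command line, as an added example that is not code from the original page or the TechNet articles. It assumes the domain contoso.com (NetBIOS CONTOSO), a group Branch1-GPAdmins for one branch's administrators and the OU OU=Branch1,DC=contoso,DC=com; all three are assumptions. What the Delegation of Control Wizard's "Manage Group Policy links" task actually writes is Write permission on the OU's gPLink and gPOptions attributes, so the script grants exactly that, scoped to the one OU.

```powershell
# Added example, not from the original page. Assumed: CONTOSO\Branch1-GPAdmins,
# OU=Branch1,DC=contoso,DC=com. Run with Domain Admins rights.
Import-Module ActiveDirectory

$group = 'CONTOSO\Branch1-GPAdmins'
$ou    = 'OU=Branch1,DC=contoso,DC=com'

# 1. Right to create GPOs. It is domain-wide by nature, but members only ever
#    get rights over the GPOs they create themselves.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'Branch1-GPAdmins'

# 2. Right to link GPOs to this OU only: Write on gPLink (the ordered list of
#    linked GPOs) and gPOptions (block inheritance). Nothing is granted at the
#    domain level, which is what rules out option D.
dsacls $ou /G "${group}:WP;gPLink" /G "${group}:WP;gPOptions"

# 3. Verify: the OU's ACL should show just those two property writes for the
#    group; GPMC's Delegation tab on the OU will list "Link GPOs" for it.
dsacls $ou | Select-String -SimpleMatch 'Branch1-GPAdmins'
Get-ADGroupMember -Identity 'Group Policy Creator Owners' | Select-Object Name

# 4. Test as a member of the group: creating and linking inside the branch OU
#    works, linking at the domain root is denied because no right exists there.
#    New-GPO -Name 'Branch1 baseline' | New-GPLink -Target $ou -LinkEnabled Yes
#    New-GPLink -Name 'Branch1 baseline' -Target 'DC=contoso,DC=com'   # access denied
```

Note what the link right does not restrict: a delegate with Write on gPLink can link any GPO they can read, including GPOs created by other teams, to their OU. That is by design, but it is worth knowing when reviewing which settings a branch can pull into scope.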

      Question No: 18 – (Topic 1)

      Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.

      You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone.

      What should you do?

      1. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.

      2. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).

      3. From the DNS Manager console, modify the permissions of the contoso.com zone.

      4. From the DNS Manager console, modify the permissions of the nwtraders.com zone.

Answer: C

Explanation:

Permissions on Active Directory-integrated zones are set per zone. Granting the user write access on the contoso.com zone lets him modify its records; because nothing is granted on nwtraders.com, he still cannot modify that zone's SOA record, so no change to the nwtraders.com zone (option D) is needed.

        http://technet.microsoft.com/en-us/library/cc753213.aspx Modify Security for a Directory-Integrated Zone

        You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.

        Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.

        To modify security for a directory-integrated zone:

        1. Open DNS Manager.

        2. In the console tree, click the applicable zone. Where?

          DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

        3. On the Action menu, click Properties.

        4. On the General tab, verify that the zone type is Active Directory-integrated.

        5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.

          Further information: http://support.microsoft.com/kb/163971 The Structure of a DNS SOA Record

          The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain.

The SOA resource record contains the following information:

Source host – The host where the file was created.

Contact e-mail – The e-mail address of the person responsible for administering the domain's zone file. Note that a "." is used instead of an "@" in the e-mail name.

Serial number – The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a change is made, so that the changes will be distributed to any secondary DNS servers.

Refresh time – The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record and the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.

Retry time – The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.

Expire time – The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.

Minimum TTL – The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.

          http://technet.microsoft.com/en-us/library/cc787600(v=ws.10).aspx Modify the start of authority (SOA) record for a zone

          Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
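The Security tab in DNS Manager edits the DACL of the zone object in AD DS, so the same delegation can be done and, more usefully, verified from PowerShell. The following is an added example, not part of the original page or the TechNet articles it cites. It assumes a single domain contoso.com, that both zones replicate to the DomainDnsZones partition (check with dnscmd /ZoneInfo; zones in ForestDnsZones or the domain partition have a different DN), and a hypothetical delegated user CONTOSO\dnsop. It grants record-write rights on contoso.com and then lists the ACEs for that user on the apex node (DC=@) of each zone, which is where the SOA and NS records are stored.

```powershell
# Added example (not from the original page). Assumptions: single domain contoso.com;
# both AD-integrated zones replicate to DomainDnsZones (dnscmd /ZoneInfo <zone>);
# CONTOSO\dnsop is the hypothetical user being delegated.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$user     = [System.Security.Principal.NTAccount]'CONTOSO\dnsop'

function Get-DnsZoneDN {
    param([string]$Zone, [string]$DomainDN)
    "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
}

# Same DACL the Security tab edits, applied on the zone object.
function Grant-DnsZoneRecordWrite {
    param([string]$Zone, [System.Security.Principal.IdentityReference]$Identity)
    $path   = "AD:\" + (Get-DnsZoneDN -Zone $Zone -DomainDN $domainDN)
    $acl    = Get-Acl -Path $path
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty'
    # Inherit to all child dnsNode objects so existing and future records are covered.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# The SOA (and NS) records of a zone live on the apex node, DC=@, under the zone object.
function Get-SoaNodeAccess {
    param([string]$Zone, [System.Security.Principal.IdentityReference]$Identity)
    $path = "AD:\DC=@," + (Get-DnsZoneDN -Zone $Zone -DomainDN $domainDN)
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity.Value } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

Grant-DnsZoneRecordWrite -Zone 'contoso.com' -Identity $user

# Expect an inherited Allow ACE here (from the zone just delegated) ...
Get-SoaNodeAccess -Zone 'contoso.com'   -Identity $user | Format-Table -AutoSize
# ... and nothing here: no ACE for the user on nwtraders.com, so its SOA stays read-only for him.
Get-SoaNodeAccess -Zone 'nwtraders.com' -Identity $user | Format-Table -AutoSize
```

The second listing is the check that matters for the question: the absence of any ACE for the user on the nwtraders.com apex node is what keeps the SOA there out of reach. Rights the user holds through group membership are not shown by this filter, so also review the groups he belongs to (DnsAdmins in particular) before signing off.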

          Question No: 19 – (Topic 1)

          Your company has an Active Directory domain. The main office has a DNS server named DNS1 that is configured with Active Directory-integrated DNS. The branch office has a DNS server named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are connected with an unreliable WAN link.

          You add a new server to the main office.

          Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server.

          You need to ensure that the user is able to connect to the new server. What should you do?

          1. Clear the cache on DNS2.

          2. Reload the zone on DNS1.

          3. Refresh the zone on DNS2.

          4. Export the zone from DNS1 and import the zone to DNS2.

Answer: C

Explanation:

Refresh the zone on DNS2. DNS2 holds a secondary copy of the zone and only polls DNS1 for changes when its refresh interval expires; the new server's record exists on DNS1 but has not yet been transferred. Refreshing the zone on DNS2 (Transfer from Master in DNS Manager) forces the SOA serial check and the transfer immediately instead of waiting for the interval.

http://technet.microsoft.com/en-us/library/cc794900(v=ws.10).aspx Adjust the Refresh Interval for a Zone

You can use this procedure to adjust the refresh interval for a Domain Name System (DNS) zone. The refresh interval determines how often other DNS servers that load and host the zone must attempt to renew the zone.

By default, the refresh interval for each zone is set to 15 minutes.

http://blog.ijun.org/2008/11/difference-between-dnscmd-clearcache.html Difference between dnscmd /clearcache and ipconfig /flushdns

Q: Do "dnscmd /clearcache" and "ipconfig /flushdns" do the exact same thing on a Windows 2003 server? What is the difference, if any?

A: Ipconfig /flushdns will flush the local computer cache. And dnscmd /clearcache will clear the dns server cache.

Meaning that with the first you will clear the "local" cache of the server you work on. (Even if it is the DNS server, it will NOT clear the DNS server cache.) With dnscmd you will clear the DNS server cache.
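The SOA fields described under Question 18 and the refresh interval that explains Question 19 are the same mechanism, so one added example (not part of the original page) covers both: a small PowerShell function that parses a zone-file style SOA line and a second one that works out what a secondary server does at a given moment, given when it last refreshed. The SOA line, the timestamps and the server names are constructed sample data.

```powershell
# Added example (not from the original page). The SOA line below is constructed sample
# data in zone-file syntax; dns1.contoso.com and hostmaster@contoso.com are hypothetical.
function ConvertFrom-SoaRecord {
    param([string]$Line)
    # Shape: "@ IN SOA <primary NS> <contact> <serial> <refresh> <retry> <expire> <minimum TTL>"
    $f = -split $Line
    $i = [array]::IndexOf($f, 'SOA')
    if ($i -lt 0 -or $f.Count -lt ($i + 8)) { throw "not an SOA record: $Line" }
    [pscustomobject]@{
        PrimaryNS  = $f[$i+1]
        # The first "." in the contact field stands for "@"; drop the trailing root dot.
        Contact    = ($f[$i+2] -replace '^([^.]+)\.', '$1@') -replace '\.$'
        Serial     = [uint32]$f[$i+3]
        Refresh    = [int]$f[$i+4]
        Retry      = [int]$f[$i+5]
        Expire     = [int]$f[$i+6]
        MinimumTTL = [int]$f[$i+7]
    }
}

# What a secondary that last refreshed successfully at $LastRefresh is doing at $Now.
function Get-SecondaryZoneState {
    param($Soa, [datetime]$LastRefresh, [datetime]$Now, [bool]$PrimaryReachable = $true)
    $age = ($Now - $LastRefresh).TotalSeconds
    if ($age -ge $Soa.Expire) { return 'Expired: secondary stops answering for the zone' }
    if ($age -lt $Soa.Refresh) {
        $next = $LastRefresh.AddSeconds($Soa.Refresh)
        return "Serving its copy unchanged; next SOA check at $next (in $([int]($Soa.Refresh - $age)) s)"
    }
    if (-not $PrimaryReachable) {
        return "Refresh failed; retrying every $($Soa.Retry) s until expire at $($LastRefresh.AddSeconds($Soa.Expire))"
    }
    return 'Refresh due now: compare serials and pull the zone if the primary serial is higher'
}

$soaLine = '@ IN SOA dns1.contoso.com. hostmaster.contoso.com. 2018061101 900 600 86400 3600'
$soa = ConvertFrom-SoaRecord $soaLine
$soa | Format-List
$t0 = Get-Date '2018-06-11 09:00:00'    # constructed: DNS2 last pulled the zone here

# Question 19: a record is added on DNS1 just after that; five minutes later DNS2 still has
# about ten minutes to go on a 900 s (15 minute, the Windows default) refresh interval.
Get-SecondaryZoneState -Soa $soa -LastRefresh $t0 -Now $t0.AddMinutes(5)
# Unreliable WAN: refresh attempts fail, the zone keeps being served until Expire elapses.
Get-SecondaryZoneState -Soa $soa -LastRefresh $t0 -Now $t0.AddMinutes(20) -PrimaryReachable $false
Get-SecondaryZoneState -Soa $soa -LastRefresh $t0 -Now $t0.AddDays(1)

# Force the check now instead of waiting (what "refresh the zone" in DNS Manager does):
#   dnscmd DNS2 /ZoneRefresh contoso.com
```

The run shows why clearing a cache (option A) cannot help: the branch users are not getting stale cached answers, they are getting an authoritative copy of the zone that is simply a few minutes behind the primary, and only a refresh closes that gap.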

Question No: 20 – (Topic 1)

Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You have an Active Directory-integrated zone for contoso.com.

You have a Unix-based DNS server.

You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS server.

What should you do in the DNS Manager console?

  1. Enable BIND secondaries

  2. Create a stub zone

  3. Disable recursion

  4. Create a secondary zone

Answer: A Explanation:

http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-serverbind-secondaries/

Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND Secondaries)

BIND Secondaries is a server-level option (Advanced tab of the server's properties in DNS Manager) that controls the format the Windows DNS server uses when it sends a zone to a secondary server from another vendor. BIND (Berkeley Internet Name Domain) is the DNS server most commonly run on UNIX systems.

Windows DNS servers exchange zones using a fast transfer format that compresses the data and packs several resource records into each message. Versions of BIND earlier than 4.9.4 do not understand this format; they expect the slower, uncompressed format with one record per message. When BIND Secondaries is enabled, the Windows server uses the slow, uncompressed format for its transfers so that such secondaries can load the zone. The option has no effect on transfers between two Windows servers and, because the slow format costs bandwidth and time on every transfer, administrators normally leave it disabled unless a secondary actually requires it. BIND 4.9.4 and later support the fast format, so with a current BIND the option can stay off.

In this scenario the Windows Server 2008 R2 DNS server is the primary (the zone is Active Directory-integrated) and the UNIX server will hold a secondary copy, so the setting to enable in DNS Manager is BIND Secondaries. The zone must also permit transfers to that server on the Zone Transfers tab of the zone's properties; creating a stub zone, creating a secondary zone, or disabling recursion does not make the zone available to the UNIX server.
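As an added example (not from the original page or the blog it quotes), the following PowerShell does the same configuration with dnscmd.exe, which ships with the DNS Server role, and reads the settings back so the result can be checked. It assumes the primary is DC1 in contoso.com and the UNIX secondary is a BIND server at 10.1.2.53; both are hypothetical.

```powershell
# Added example (not from the original page). Assumes primary DC1 in contoso.com and a
# BIND secondary at 10.1.2.53 (hypothetical); dnscmd.exe comes with the DNS Server role.
function Enable-UnixZoneTransfer {
    param(
        [string]$Primary       = 'DC1',
        [string]$Zone          = 'contoso.com',
        [string]$UnixSecondary = '10.1.2.53',
        [switch]$OldBind       # secondary runs BIND older than 4.9.4 (no fast-transfer support)
    )
    # 1. Permit the transfer at all. AD-integrated zones refuse AXFR to hosts that are not
    #    listed (Zone Transfers tab); also send NOTIFY so the secondary pulls changes promptly.
    dnscmd $Primary /ZoneResetSecondaries $Zone /SecureList $UnixSecondary /NotifyList $UnixSecondary

    # 2. The server-wide "BIND secondaries" setting (Advanced tab).
    #    1 = slow, uncompressed, one-record-per-message transfers for old BIND;
    #    0 = fast transfers, which BIND 4.9.4 and later also understand.
    $value = if ($OldBind) { 1 } else { 0 }
    dnscmd $Primary /Config /BindSecondaries $value

    # 3. Read the settings back rather than trusting the exit codes.
    dnscmd $Primary /Info BindSecondaries
    dnscmd $Primary /ZoneInfo $Zone
}

Enable-UnixZoneTransfer -OldBind

# From the UNIX side, confirm the transfer is actually served (and that it is refused
# from any host not on the list):
#   dig @dc1.contoso.com contoso.com AXFR
```

Keeping the secure-secondaries list tight matters more than the transfer format: an AXFR to an arbitrary host hands out every record in the zone, so never fall back to allowing transfers to any server just to get the UNIX secondary working.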
