[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 211-220


Windows Server 2008 Active Directory, Configuring

Question No: 211 – (Topic 3)

Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.

You add a logoff script to an existing Group Policy object (GPO).

You need to verify that each domain controller successfully replicates the updated group policy.

Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)

  A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini

  B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol

  C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container

  D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container

Answer: A,D

Explanation:

http://technet.microsoft.com/en-us/library/cc784268(v=ws.10).aspx

How Core Group Policy Works

The Gpt.ini File

The Gpt.ini file is located at the root of each Group Policy template. Each Gpt.ini file contains GPO version information. Except for the Gpt.ini files created for the default GPOs, a display name value is also written to the file.

Each Gpt.ini file contains the GPO version number of the Group Policy template.

[General]
Version=65539

Normally, this is identical to the version-number property of the corresponding GroupPolicyContainer object. It is encoded in the same way – as a decimal representation of a 4 byte hexadecimal number, the upper two bytes of which contain the GPO user settings version and the lower two bytes contain the computer settings version. In this example the version is equal to 10003 hexadecimal giving a user settings version of 1 and a computer settings version of 3.

Storing this version number in the Gpt.ini allows the CSEs to check if the client is out of date to the last processing of policy settings or if the currently applied policy settings (cached policies) are up-to-date. If the cached version is different from the version in the Group Policy template or Group Policy container, then policy settings will be reprocessed.
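
The check described in this answer, as an added example that is not part of the original page or of Microsoft's documentation: it decodes the version number as explained above and compares the Gpt.ini value with the versionNumber attribute on every domain controller. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module; the GUID is a placeholder and Split-GpoVersion is a hypothetical helper name.

```powershell
# Added example, not from the original page. Assumes PowerShell 3.0+ and the
# RSAT ActiveDirectory module; $GpoGuid is a placeholder for the edited GPO.
Import-Module ActiveDirectory

function Split-GpoVersion {
    # Upper 16 bits = user settings version, lower 16 bits = computer settings version.
    param([Parameter(Mandatory = $true)][long]$Version)
    [pscustomobject]@{
        User     = [int][math]::Floor($Version / 65536)
        Computer = [int]($Version % 65536)
    }
}

$GpoGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder GUID
$domain  = Get-ADDomain
$gpcDn   = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $gpcVersion = $null; $gptVersion = $null
    try {
        # Group Policy container: read versionNumber from this DC's own replica.
        $gpc = Get-ADObject -Identity $gpcDn -Server $dc.HostName `
                            -Properties versionNumber -ErrorAction Stop
        $gpcVersion = [long]$gpc.versionNumber
        # Group Policy template: read Version= from this DC's SYSVOL copy.
        $gptPath = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
        $match = Select-String -Path $gptPath -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction Stop |
                 Select-Object -First 1
        if ($match) { $gptVersion = [long]$match.Matches[0].Groups[1].Value }
    } catch {
        # An unreachable DC or a missing gpt.ini is reported, not silently skipped.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DC     = $dc.HostName
        GPC    = $gpcVersion
        GPT    = $gptVersion
        InSync = ($null -ne $gpcVersion) -and ($gpcVersion -eq $gptVersion)
    }
}
$report | Format-Table -AutoSize

# Replication is complete when every DC is InSync and all rows share one value.
$distinct = @($report | Select-Object -ExpandProperty GPC -Unique)
if ($distinct.Count -eq 1 -and -not ($report | Where-Object { -not $_.InSync })) {
    $v = Split-GpoVersion $distinct[0]
    "All DCs agree: user version $($v.User), computer version $($v.Computer)"
} else {
    'Version mismatch: the GPO has not finished replicating to every DC.'
}
```

For the Version=65539 sample above, Split-GpoVersion returns a user version of 1 and a computer version of 3.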

Question No: 212 – (Topic 3)

You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

  A. Add a data recovery agent to the Default Domain Policy.

  B. Modify the value in the Number of recovery agents to use box.

  C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.

  D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Answer: B

Reference:

MS Press – Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357

You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.

Question No: 213 – (Topic 3)

Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

Your company's corporate security policy states that the password for each user account must be changed at least every 45 days.

You have a user account named Service1. Service1 is used by a network application named Application1.

Every 45 days, Application1 fails.

After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.

What should you do?

  A. Run the cmdlet.

  B. Run the Set-ADServiceAccount cmdlet.

  C. Create a new password policy.

  D. Create a new Password Settings object (PSO).

Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/ee617252.aspx

Set-ADServiceAccount

Syntax

Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates <string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.

The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet.

The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description.

Question No: 214 – (Topic 3)

Your company has a main office and a branch office. The network contains a single Active Directory domain.

The main office contains a domain controller named DC1.

You need to install a domain controller in the branch office by using an offline copy of the Active Directory database.

What should you do first?

  A. From the Ntdsutil tool, create an IFM media set.

  B. From the command prompt, run djoin.exe /loadfile.

  C. From Windows Server Backup, perform a system state backup.

  D. From Windows PowerShell, run the get-ADDomainController cmdlet.

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc816722(v=ws.10).aspx

Installing an Additional Domain Controller by Using IFM

When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller.

Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.

Question No: 215 – (Topic 3)

Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

  A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

  B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

  C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

  D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

Answer: A

Reference:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx

Setting up a Source Initiated Subscription

Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription.

Question No: 216 – (Topic 3)

You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2.

You need to monitor the replication of the group policy template files.

Which tool should you use?

  A. Dfsrdiag

  B. Fsutil

  C. Ntdsutil

  D. Ntfrsutl

Answer: D

Explanation:

With domain functional level 2008 you have available dfs-r sysvol replication. So with DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level 2003.

With domain functional level 2003 you can only use Ntfrsutl.

Question No: 217 – (Topic 3)

You deploy a new Active Directory Federation Services (AD FS) federation server. You request new certificates for the AD FS federation server.

You need to ensure that the AD FS federation server can use the new certificates.

To which certificate store should you import the certificates?

  A. Computer

  B. IIS Admin Service service account

  C. Local Administrator

  D. World Wide Web Publishing Service service account

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/dd378922(v=ws.10).aspx#BKMK_13

Step 2: Installing AD FS Role Services and Configuring Certificates

To import the server authentication certificate for adfsresource to adfsweb

  1. Click Start, click Run, type mmc, and then click OK.

  2. Click File, and then click Add/Remove Snap-in.

  3. Select Certificates, click Add, click Computer account, and then click Next.

  4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.

  5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.

  6. On the Welcome to the Certificate Import Wizard page, click Next.

  7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next.

  8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.

  9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.

  10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.

Question No: 218 – (Topic 3)

Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers.

You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

  A. From Event Viewer on the member server, create a subscription.

  B. From Event Viewer on each domain controller, create a subscription.

  C. From Event Viewer on the member server, run the Create Basic Task Wizard.

  D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.

Answer: C

Explanation:

Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an e-mail when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort.

Reference:

http://technet.microsoft.com/en-us/library/cc748900.aspx

To Run a Task in Response to a Given Event

  1. Start Event Viewer.

  2. In the console tree, navigate to the log that contains the event you want to associate with a task.

  3. Right-click the event and select Attach Task to This Event.

  4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an e-mail.

Question No: 219 – (Topic 3)

Your network contains an Active Directory domain. The domain contains a group named Group1.

The minimum password length for the domain is set to six characters.

You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.

What should you do first?

  A. Run the New-ADFineGrainedPasswordPolicy cmdlet.

  B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.

  C. From the Default Domain Policy, modify the password policy.

  D. From the Default Domain Controller Policy, modify the password policy.

Answer: A

Explanation:

First we need to create a new Active Directory fine grained password policy, using New-ADFineGrainedPasswordPolicy.

Then we can apply the new policy to Group1, using Add-ADFineGrainedPasswordPolicySubject.

Reference:

http://technet.microsoft.com/en-us/library/ee617238.aspx

New-ADFineGrainedPasswordPolicy

Creates a new Active Directory fine grained password policy.

Question No: 220 – (Topic 3)

Your network contains an Active Directory forest.

You need to add a new user principal name (UPN) suffix to the forest.

Which tool should you use?

  A. Active Directory Administrative Center

  B. Active Directory Domains and Trusts

  C. Active Directory Sites and Services

  D. Active Directory Users and Computers

Answer: B

Reference:

http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/

Demonstration adding a UPN Suffix

To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu. Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest.
