[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 281-290


Windows Server 2008 Active Directory, Configuring

Question No: 281 – (Topic 3)

Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1.

You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers.

What should you do?

A. Run ntdsutil.exe and use the Roles option.

B. Run dsmgmt.exe and use the Local Roles option.

C. From Active Directory Sites and Services, modify the NTDS Site Settings.

D. From Active Directory Users and Computers, add the user to the Server Operators group.

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc732301.aspx

Administrator Role Separation Configuration

This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.

To configure Administrator Role Separation for an RODC

1. Click Start, click Run, type cmd, and then press ENTER.

2. At the command prompt, type dsmgmt.exe, and then press ENTER.

3. At the DSMGMT prompt, type local roles, and then press ENTER.

Question No: 282 – (Topic 3)

Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7.

From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO).

You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.

You need to ensure that the audit policy is applied to all member servers and all client computers.

What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.

B. Modify the security settings of the Default Domain Policy GPO.

C. Configure a startup script that runs auditpol.exe on the member servers.

D. Configure a startup script that runs auditpol.exe on the domain controllers.

Answer: C

Explanation:

Advanced audit policy settings cannot be applied to Windows Server 2008 servers through Group Policy. To work around this, we have to use a logon script that runs auditpol.exe to apply the audit policy to the Windows Server 2008 member servers.

Reference 1:

http://technet.microsoft.com/en-us/library/ff182311.aspx

Advanced Security Auditing FAQ

The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.

Note

In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
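An added example, not from the page or from Microsoft: a startup script that pushes advanced audit subcategories to a Windows Server 2008 member server with auditpol.exe, locks them against the legacy category policy, and keeps a copy of the effective policy so drift can be spotted. The subcategory list, log path and backup path are constructed samples.

```powershell
# Added example: apply advanced audit subcategories on a Windows Server 2008 member
# server from a GPO startup script (runs as SYSTEM), since Group Policy cannot
# deliver subcategory settings to that OS. The subcategory list, log path and
# backup path are constructed samples.
$Subcategories = @(
    @{ Name = 'Credential Validation';     Success = 'enable'; Failure = 'enable' },
    @{ Name = 'Logon';                     Success = 'enable'; Failure = 'enable' },
    @{ Name = 'Security Group Management'; Success = 'enable'; Failure = 'enable' },
    @{ Name = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable' },
    @{ Name = 'Process Creation';          Success = 'enable'; Failure = 'disable' }
)
$log = "$env:SystemRoot\Temp\auditpol-startup.log"

foreach ($s in $Subcategories) {
    $argList = @('/set', "/subcategory:$($s.Name)",
                 "/success:$($s.Success)", "/failure:$($s.Failure)")
    & auditpol.exe @argList | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Add-Content -Path $log -Value "$(Get-Date -Format s) FAILED $($s.Name) rc=$LASTEXITCODE"
    }
}

# Stop the legacy category-level policy from overwriting the subcategories
# (the "Audit: Force audit policy subcategory settings ..." security option).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Record the effective policy so drift can be detected on the next run.
& auditpol.exe /backup /file:"$env:SystemRoot\Temp\auditpol-effective.csv"
& auditpol.exe /get /category:* | Add-Content -Path $log
```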

Question No: 283 – (Topic 3)

Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed.

You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize impact on the network during the database move.

What should you do first?

A. Restart DC1 in Safe Mode.

B. Restart DC1 in Directory Services Restore Mode.

C. Start DC1 from Windows PE.

D. Stop the Active Directory Domain Services service on DC1.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc794895(v=ws.10).aspx

Relocating the Active Directory Database Files

Applies To: Windows Server 2008, Windows Server 2008 R2

Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service.

Question No: 284 – (Topic 3)

Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table.

[Table: domain controller configuration for DC1 and DC2; not reproduced on this page.]

All client computers run Windows 7.

You need to ensure that all client computers in the domain keep the same time as an external time server.

What should you do?

A. From DC1, run the time command.

B. From DC2, run the time command.

C. From DC1, run the w32tm.exe command.

D. From DC2, run the w32tm.exe command.

Answer: D

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc816748.aspx

Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain

The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest.

Reference 2:

http://technet.microsoft.com/en-us/library/cc773263.aspx

Windows Time Service Tools and Settings

Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source.

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service.
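An added example, not from the page or from Microsoft: locate the forest-root PDC emulator, point it at an external NTP source with w32tm.exe, and then confirm from an ordinary member that it still follows the domain hierarchy. It assumes the ActiveDirectory module and WinRM access to the PDC emulator; the NTP host names are constructed samples.

```powershell
# Added example: configure the forest-root PDC emulator to sync from an external
# time source and verify that a domain member still uses the hierarchy (NT5DS).
# Assumes the ActiveDirectory module and WinRM access to the PDC emulator;
# the NTP server names are constructed samples.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$pdc = (Get-ADDomain -Identity $rootDomain).PDCEmulator
Write-Host "Forest-root PDC emulator: $pdc"

# 0x8 = client mode, the usual flag for an external NTP peer.
$peers = 'ntp1.example.net,0x8 ntp2.example.net,0x8'

Invoke-Command -ComputerName $pdc -ArgumentList $peers -ScriptBlock {
    param($peers)
    w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    w32tm.exe /resync /rediscover
    w32tm.exe /query /source      # should now name one of the external peers
}

# On any other domain member the source should be a domain controller and the
# client type NT5DS; an offset of more than a few seconds breaks Kerberos.
w32tm.exe /query /source
w32tm.exe /query /configuration | Select-String -Pattern 'Type:'
w32tm.exe /stripchart /computer:$pdc /samples:3 /dataonly
```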

Question No: 285 – (Topic 3)

Your network contains an Active Directory domain named contoso.com. You need to identify whether the Active Directory Recycle Bin is enabled.

What should you do?

A. From Ldp, search for the Reanimate-Tombstones object.

B. From Ldp, search for the LostAndFound container.

C. From Windows PowerShell, run the Get-ADObject cmdlet.

D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Answer: D

Reference: http://www.frickelsoft.net/blog/?p=224

How can I check whether the AD Recycle-Bin is enabled in my R2 forest?

[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]

Question No: 286 – (Topic 3)

Your network contains an Active Directory forest.

You add an additional user principal name (UPN) suffix to the forest.

You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort.

What should you use?

A. the Active Directory Domains and Trusts console

B. the Active Directory Users and Computers console

C. the Csvde tool

D. the Ldifde tool

Answer: D

Question No: 287 – (Topic 3)

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.

You plan to add a new token-signing certificate to Server1.

You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)

[Exhibit: screenshot of the certificate import; not reproduced on this page.]

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.

You need to ensure that you can use the new certificate for AD FS. What should you do?

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.

B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.

C. From the properties of the certificate, modify the Certificate purposes setting.

D. Import the certificate to the local computer personal certificate store.

Answer: D

Reference:

http://technet.microsoft.com/en-us/library/hh341466.aspx

When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.

Question No: 288 – (Topic 3)

You install a read-only domain controller (RODC) named RODC1.

You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.

Which tool should you use?

A. Active Directory Administrative Center

B. Active Directory Users and Computers

C. Dsadd

D. Dsmgmt

Answer: B

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc755310.aspx

Delegating local administration of an RODC

Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.

Steps and best practices for setting up ARS

You can specify a delegated RODC administrator during an RODC installation or after it.

To specify the delegated RODC administrator after installation, you can use either of the following options:

Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

[Figure: Managed By tab of the RODC account properties; not reproduced on this page.]

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second reference for more information on how to use dsmgmt.]

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.

In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.

Reference 2:

http://technet.microsoft.com/en-us/library/cc732301.aspx

Administrator Role Separation Configuration

This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.

To configure Administrator Role Separation for an RODC

1. Click Start, click Run, type cmd, and then press ENTER.

2. At the command prompt, type dsmgmt.exe, and then press ENTER.

3. At the DSMGMT prompt, type local roles, and then press ENTER.

4. For a list of valid parameters, type ?, and then press ENTER.

By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.

5. Type add <DOMAIN>\<user> <administrative role>

For example, type add CONTOSO\testuser administrators
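An added example covering questions 281 and 288, not from the page or from Microsoft: delegate RODC administration the recommended way (the managedBy attribute, which is what the Managed By tab sets) and then audit the RODC's local roles, which the text notes are stored only on the RODC and are invisible in Active Directory Users and Computers. It assumes the ActiveDirectory module and WinRM access to the RODC; RODC1 and the group name are constructed samples.

```powershell
# Added example: delegate RODC administration via managedBy (stored in AD DS)
# and audit what the RODC holds in its local roles, which live only on the RODC.
# Assumes the ActiveDirectory module and WinRM access to the RODC; RODC1 and
# the group name are constructed samples.
Import-Module ActiveDirectory

$rodc  = 'RODC1'
$group = Get-ADGroup -Identity 'RODC1-Admins'   # a group, not a user, as the page advises

# Recommended path: stored in AD DS, visible on the Managed By tab, centrally managed.
Set-ADComputer -Identity $rodc -ManagedBy $group.DistinguishedName
$managedBy = (Get-ADComputer -Identity $rodc -Properties managedBy).managedBy
Write-Host "managedBy: $managedBy"

# Audit path: dsmgmt takes its menu commands as quoted arguments, so the local
# Administrators role can be listed without an interactive session.
$localAdmins = Invoke-Command -ComputerName $rodc -ScriptBlock {
    dsmgmt.exe 'local roles' 'show role administrators' quit quit
}
$localAdmins

# Any principal listed above that is not the managedBy group was added with
# ntdsutil/dsmgmt and survives demotion in the registry. Remove stale entries with:
#   dsmgmt.exe 'local roles' 'remove CONTOSO\olduser administrators' quit quit
```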

Question No: 289 – (Topic 3)

Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.

You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network.

You need to ensure that the new server is already joined to the domain when it first connects to the internal network.

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.

Answer: C

Explanation:

Reference 1:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), pages 217-218, Offline Domain Join

Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.

When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join:

1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.

2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.

3. At the offline computer that you want to join the domain, use DJoin to import the blob into the Windows directory.

4. When you start or restart the computer, it will be a member of the domain.

Reference 2:

http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx

Steps for performing an offline domain join

The offline domain join process includes the following steps:

  1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join.

  2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.

  3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify.
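An added example, not from the page or from Microsoft: the two halves of the offline domain join described above, as functions around djoin.exe /provision and /requestodj, with the blob treated as the secret it is. It assumes the provisioning account may create computer objects in the target OU; domain, machine name, OU and file paths are constructed samples.

```powershell
# Added example: offline domain join with djoin.exe, split into the provisioning
# half (domain-joined computer) and the request half (disconnected new server).
# Assumes the provisioning account may create computer objects in the target OU;
# domain, machine name, OU and paths are constructed samples.

# Step 1 - run on a domain-joined Windows 7 / Windows Server 2008 R2 computer.
# Creates the computer account in AD DS and exports the blob. /reuse is left out
# so an existing account name is an error rather than a silent takeover.
function Invoke-OdjProvision {
    param([string]$Domain, [string]$Machine, [string]$OU, [string]$BlobPath)
    New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null
    djoin.exe /provision /domain $Domain /machine $Machine /machineou $OU /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with $LASTEXITCODE" }
    # The blob carries the machine account password: protect it in transit and at rest.
    Get-Item $BlobPath
}

# Step 2 - run elevated on the disconnected new server. Stages the blob into the
# Windows directory; /localos targets the running OS rather than an offline image.
function Invoke-OdjRequest {
    param([string]$BlobPath)
    djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with $LASTEXITCODE" }
    Remove-Item $BlobPath -Force      # nothing else needs the blob now
    # Step 3 - restart; on first network contact the server is already a member.
    # Verify afterwards with:  nltest /sc_query:contoso.com   and   gpresult /r
}

Invoke-OdjProvision -Domain 'contoso.com' -Machine 'NEWSRV01' `
    -OU 'OU=Servers,DC=contoso,DC=com' -BlobPath 'C:\odj\NEWSRV01.txt'
# ...copy C:\odj\NEWSRV01.txt to the new server over a trusted channel, then there:
# Invoke-OdjRequest -BlobPath 'C:\odj\NEWSRV01.txt'
```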

Question No: 290 – (Topic 3)

Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest.

What should you use?

A. the Dsquery tool

B. the Export-CSV cmdlet

C. the Get-ADUser cmdlet

D. the Net.exe user command

Answer: C

Explanation:

References:

https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs–o-is-for-output.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Export-Csv Reference:

http://technet.microsoft.com/en-us/library/ee176825.aspx

Saving Data as a Comma-Separated Values File

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt:

Get-Process | Export-Csv c:\scripts\test.txt

Net User

Reference:

http://technet.microsoft.com/en-us/library/cc771865.aspx

Adds or modifies user accounts, or displays user account information.

DSQUERY

Reference 1:

http://technet.microsoft.com/en-us/library/cc754232.aspx

Parameters

{<StartNode> | forestroot | domainroot}

Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog.

-attr {<AttributeList> | *}

Specifies the semicolon-separated LDAP display names included in <AttributeList> for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name.

Reference 2:

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the start node, instead of forestroot, which is what we need here.

Reference 3:

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/

List all last login times for all users, regardless of whether they are disabled.

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >> c:\last_logon_for_all.txt
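An added example, not from the page or from Microsoft: the Get-ADUser plus Export-Csv approach the answer points to, run against every domain in the forest and converting the file-time value to a readable date. It assumes the ActiveDirectory module and a custom attribute named contosoEmployeeType (a constructed name); the output path is also a sample. It uses lastLogonTimestamp rather than lastLogon because the former replicates (accurate to roughly 14 days), while lastLogon is per-DC and would require querying every domain controller.

```powershell
# Added example: export each forest user's approximate last logon and a custom
# schema attribute to CSV for HR. Assumes the ActiveDirectory module and a custom
# attribute named contosoEmployeeType (constructed name). lastLogonTimestamp is
# used because it replicates; lastLogon is per-DC and not replicated.
Import-Module ActiveDirectory

$customAttr = 'contosoEmployeeType'
$outFile    = 'C:\hr\forest-users-lastlogon.csv'

$rows = foreach ($domain in (Get-ADForest).Domains) {
    # Query each domain directly: custom attributes are usually not in the global catalog.
    Get-ADUser -Server $domain -Filter * -Properties lastLogonTimestamp, $customAttr |
        Select-Object @{ n = 'Domain'; e = { $domain } },
                      SamAccountName,
                      UserPrincipalName,
                      @{ n = 'LastLogonApprox'; e = {
                          if ($_.lastLogonTimestamp) {
                              [DateTime]::FromFileTime($_.lastLogonTimestamp)
                          } } },
                      @{ n = 'CustomAttribute'; e = { $_.$customAttr } }
}

New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "$(@($rows).Count) users written to $outFile"
```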
