[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 341-350

Ensurepass.com : Ensure you pass the IT Exams
2018 May Microsoft Official New Released 70-640
100% Free Download! 100% Pass Guaranteed!

Windows Server 2008 Active Directory, Configuring

Question No: 341 – (Topic 4)

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You need to approve a pending certificate request. Which snap-in should you use?

  1. Active Directory Users and Computers

  2. Authorization Manager

  3. Certification Authority

  4. Group Policy Management

  5. Certificate Templates

  6. TPM Management

  7. Certificates

  8. Enterprise PKI

  9. Security Templates

Answer: C

Reference:

http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:

  1. Log on to your root CA by using an account that is a certificate manager.

  2. Start the Certification Authority snap-in.

  3. In the console tree, expand your root CA, and click Pending Certificates.

  4. In the details pane, right-click the pending CA certificate, and click Issue.

    Question No: 342 – (Topic 4)

    Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has the Active Directory Certificate Services (AD CS) role installed.

    You configure a certificate template named Template1 for autoenrollment.

    You discover that certificates are not being issued to any client computers. The event logs on the client computers do not contain any autoenrollment errors.

    You need to ensure that all of the client computers automatically receive certificates based on Template1.

    What should you do?

    1. Modify the Default Domain Policy Group Policy object (GPO).

    2. Modify the Default Domain Controllers Policy Group Policy object (GPO).

    3. Upgrade Server1 to Windows Server 2008 R2 Enterprise.

    4. Restart Certificate Services on Server1.

      Answer: A

      Reference:

      http://technet.microsoft.com/en-us/library/cc731522.aspx

      Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.

      To automatically enroll clients for certificates in a domain environment, you must: Configure a certificate template with Autoenroll permissions.

      Configure an autoenrollment policy for the domain.

      To configure autoenrollment Group Policy for a domain

      1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to

        Administrative Tools, and then click Group Policy Management.

      2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default

        Domain Policy Group Policy object (GPO) that you want to edit.

        Question No: 343 – (Topic 4)

        Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server named Server2.

        You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.)

        Ensurepass 2018 PDF and VCE

        When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable.

        You need to configure Server2 as an enterprise subordinate CA. What should you do first?

        1. Upgrade Server2 to Windows Server 2008 R2 Enterprise.

        2. Log in as an administrator and run Server Manager.

        3. Import the root CA certificate.

        4. Join Server2 to the domain.

Answer: D

Reference:

http://social.technet.microsoft.com/Forums/nl-BE/winserversecurity/thread/1a1172c6-abdb- 4c5a-8a7cea254de5dada

Question No: 344 – (Topic 4)

Your network contains an Active Directory domain.

The password policy for the domain is configured as shown in the Current Policy exhibit, (Click the Exhibit button.)

Ensurepass 2018 PDF and VCE

You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit button.)

Ensurepass 2018 PDF and VCE

You need to provide users with examples of a valid password.

Which password examples should you provide to the users? (Each correct answer presents a complete solution. Choose three.)

A. 123456!@#$%^

B. !@#$1234ABCD

C. passwordl234

D. 1-2-3-4-5-a-b-c-e

E. %%PASS1234%%

  1. 111111aaaaaaa

    Answer: B,D,E

    Reference:

    http://technet.microsoft.com/en-us/library/cc786468.aspx

    Passwords must meet complexity requirements

    This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.

    If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:

    1. Passwords must not contain the user#39;s entire samAccountName (Account Name) value or entire displayName (Full Name) value.

    2. Passwords must contain characters from three of the following five categories: Uppercase characters of European languages (A through Z, with diacritic marks, Greek

      and Cyrillic characters)

      Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)

      Base 10 digits (0 through 9)

      Nonalphanumeric characters:~!@#$%^amp;*_- =`|\(){}[]:;quot;#39;lt;gt;,.?/Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase.

      This includes Unicode characters from Asian languages.

      Question No: 345 – (Topic 4)

      You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server namedServer1.

      You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

      Which protocol should you allow on Server1?

      1. Kerberos

      2. SSL

      3. SMB

      4. RPC

Answer: B

Reference:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 903

AD FS relies on secure HTTP communications by using SSL authentication certificates to verify the identity of both the server and the client during communications. Because of this, all communications occur through port 443 over HTTPS.

Question No: 346 – (Topic 4)

Your network contains an Active Directory domain. The domain is configured as shown in the exhibit, (Click the Exhibit button.)

Ensurepass 2018 PDF and VCE

You need to ensure that when users log on to client computers, they are added automatically to the local Administrators group.

The users must be removed from the group when they log off of the client computers. What should you do?

  1. Modify the Group Policy permissions.

  2. Enable block inheritance.

  3. Configure the link order.

  4. Enable loopback processing in merge mode.

  5. Enable loopback processing in replace mode.

  6. Configure WMI filtering.

  7. Configure Restricted Groups.

  8. Configure Group Policy Preferences.

  9. Link the Group Policy object (GPO) to the Finance organizational unit (OU).

  10. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).

Answer: H

Reference:

http://daniel.streefkerkonline.com/managing-local-admins-using-gpp/

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local- administrator-groups/

Question No: 347 – (Topic 4)

Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.

You need to identify which user accounts can have their password cached on RODC1. Which tool should you use?

  1. Repadmin

  2. Dcdiag

  3. Get-ADDomainControllerPasswordReplicationPolicyUsage

  4. Adtest

Answer: A Explanation:

Original answer was C (quot;Get-ADDomainControllerPasswordReplicationPolicyUsagequot;). On why it#39;s not correct, I quote the original explanation:

quot;The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.quot;

So, this revealed list has a list of accounts whose passwords are cached on RODC#39;s. But we don#39;t need the accounts that are cached on RODC1, but the ones that can be cached on RODC1. Those are in the allowed list, and we can get it using repadmin.

Reference:

http://technet.microsoft.com/en-us/library/cc835090.aspx Repadmin /prp

Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers

(RODCs).

Syntax

repadmin /prp view lt;RODCgt; {lt;List_Namegt;|lt;Usergt;}

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Parameters

lt;RODCgt;

Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

lt;List_Namegt;

Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

auth2: The list of security principals that the RODC has authenticated.

reveal: The list of security principals for which the RODC has cached passwords.

allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache

passwords for this list of security principals only.

deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache

passwords for any security principals in this list.

Original explanation for answer C:

The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.

http://technet.microsoft.com/en-us/library/ee617194.aspx

Question No: 348 – (Topic 4)

Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role installed and hosts an Active Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are both set to three days. The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the Exhibit button.)

Ensurepass 2018 PDF and VCE

You open the properties of a static record named Server1 as shown in the Server1 Record exhibit.(Click the Exhibit button.)

Ensurepass 2018 PDF and VCE

You discover that the scavenging process ran today, but the record for Server1 was not deleted.

You run dnscmd.exe and specify the age all records parameter.

You need to identify when the record for Server1 will be deleted from the zone. In how many days will the record be deleted?

  1. 13

  2. 10

  3. 23

  4. 7

Answer: D Explanation:

The blank Record time stamp field indicates a static record. That#39;s the reason it wasn#39;t deleted. The timestamp has been set using dnscmd /ageallrecords.

The Time to live setting means that the server will hold a cached record for 10 days, so it has nothing to do with this question. The record will become stale in six days (no-refresh interval refresh interval, that#39;s 3 3 days), so now that the timestamp has been set it will be deleted when the next scavenging operation occurs, in seven days.

Reference 1:

http://technet.microsoft.com/en-us/library/cc772069.aspx

dnscmd /ageallrecords Sets the current time on all time stamps in a zone or node. Record scavenging does not occur unless the records are time stamped. Name server (NS) resource records, start of authority (SOA) resource records, and Windows Internet Name Service (WINS) resource records are not included in the scavenging process, and they are not time stamped even when the ageallrecords command runs.

Reference 2:

http://www.windowsitpro.com/article/dns/scavenging-stale-dns-records

When a record is older than the sum of the no-refresh interval and the refresh interval, the scavenging feature considers the record stale and deletes it. So, when you set No-refresh interval to 3 days and Refresh interval to

  1. days, scavenging will delete records that are more than 8 days old.

Question No: 349 – (Topic 4)

Your network contains an Active Directory domain.

You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain.

What should you do?

  1. From Group Policy Management Console (GPMC), back up the GPOs.

  2. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.

  3. From Windows Server Backup, perform a system state backup.

  4. From Windows PowerShell, run the Backup-GPO cmdlet.

Answer: C Explanation:

http://www.microsoft.com/en-us/download/details.aspx?id=22478 Planning and Deploying Group Policy (.doc)

Links to OUs, however, are not part of the backup data and will not be restored during a restore operation.

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c361339f-7266- 4991-8309-c957a123a455/

Permissions are backed up but links are not. The links are actually properties of the OU and would be backed up as part of the system state. The backup function in GPMC only backs up the properties of selected GPOs (the settings inside the GPOs as well as Security Filters and all other things that belong directly to the GPO). It never backs up OU / Site links -these are not properties of the GPO itself, but of the respective OUs and Sites… http://sdmsoftware.com/general-stuff/the-clash-of-the-gpo-links/

Group Policy links are stored within the gpLink attribute on an AD container (in the case of GP, the container is a site, domain or OU object).

http://technet.microsoft.com/de-de/library/cc756808(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc784474(v=ws.10).aspx Information saved in a backup

Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following information:

->GPO globally unique identifier (GUID) and domain.

->GPO settings.

->Discretionary access control list (DACL) on the GPO.

->WMI filter link, if there is one, but not the filter itself.

->Links to IP Security Policies, if any.

->XML report of the GPO settings, which can be viewed as HTML from within GPMC.

->Date and time stamp of when the backup was taken.

->User-supplied description of the backup.

->Information not saved in a backup

Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO is not available when the backup is restored to the original GPO or imported into a new one. This data that becomes unavailable includes the following information:

->Links to a site, domain, or organizational unit.

->WMI filter.

->IP Security policy.

Reference:

http://social.technet.microsoft.com/Forums/en/winserverGP/thread/d7c621fc-e0e9-47dd- a4df-9082b33132a6

For back up all of the Group Policy objets (GPOs Policy permissions, and Group Policy links for the domain) the answer is C.

For details:

System State data

http://technet.microsoft.com/en-us/library/cc785306(WS.10).aspx

Question No: 350 – (Topic 4)

Your network contains an Active Directory domain named adatum.com.

You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).

Under which node in the DNS snap-in should you add a zone?

  1. Reverse Lookup Zones

  2. adatum.com

  3. Forward Lookup Zones

  4. Conditional Forwarders

  5. _msdcs.adatum.com

Answer: A

Reference:

Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193

A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN.

100% Ensurepass Free Download!
Download Free Demo:70-640 Demo PDF
100% Ensurepass Free Guaranteed!
Download 2018 EnsurePass 70-640 Full Exam PDF and VCE

EnsurePass ExamCollection Testking
Lowest Price Guarantee Yes No No
Up-to-Dated Yes No No
Real Questions Yes No No
Explanation Yes No No
PDF VCE Yes No No
Free VCE Simulator Yes No No
Instant Download Yes No No

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.