[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 391-400

Windows Server 2008 Active Directory, Configuring

Question No: 391 – (Topic 4)

Your network contains an Active Directory domain named contoso.com.

Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1.

You need to view the most recent user accounts authenticated by RODC1. What should you do first?

  1. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now.

  2. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now.

  3. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.

  4. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.

    Answer: C

    Reference:

    http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx#BKMK_Auth2

    To view authenticated accounts using Active Directory Users and Computers

    1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

    2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.

    3. Click Domain Controllers.

    4. In the details pane, right-click the RODC computer account, and then click Properties.

    5. Click the Password Replication Policy tab.

    6. Click Advanced.

    7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.

      Question No: 392 – (Topic 4)

      A network contains an Active Directory forest. The forest contains three domains and two sites.

      You remove the global catalog from a domain controller named DC2. DC2 is located in Site1.

      You need to reduce the size of the Active Directory database on DC2. The solution must minimize the impact on all users in Site1.

      What should you do first?

      1. On DC2, start the Protected Storage service.

      2. On DC2, stop the Active Directory Domain Services service.

      3. Start DC2 in Safe Mode.

      4. Start DC2 in Directory Services Restore Mode.

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc816811.aspx

Returning Unused Disk Space from the Active Directory Database to the File System

During ordinary operation, the free disk space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by default), free disk space is automatically defragmented online to optimize its use within the database file. The unused disk space is maintained for the database; it is not returned to the file system.

Only offline defragmentation can return unused disk space from the directory database to the file system.

When database contents have decreased considerably through a bulk deletion (for example, when you remove the global catalog from a domain controller), or if the size of the database backup is significantly increased as a result of the amount of free disk space, use offline defragmentation to reduce the size of the Ntds.dit file.

On domain controllers that are running Windows Server 2008, offline defragmentation does not require restarting the domain controller in Directory Services Restore Mode (DSRM), as is required on domain controllers that are running versions of Windows Server 2000 and Windows Server 2003. You can use a new feature in Windows Server 2008, restartable Active Directory Domain Services (AD DS), to stop the AD DS service. When the service is stopped, services that depend on AD DS shut down automatically. However, any other services that are running on the domain controller, such as Dynamic Host Configuration Protocol (DHCP), continue to run and respond to clients.

Question No: 393 – (Topic 4)

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA). You need to approve a pending certificate request.

Which snap-in should you use?

  1. Active Directory Administrative Center

  2. Authorization Manager

  3. Certificate Templates

  4. Certificates

  5. Certification Authority

  6. Enterprise PKI

  7. Group Policy Management

  8. Security Configuration Wizard

  9. Share and Storage Management

Answer: E

Explanation:

Reference 1:

http://technet.microsoft.com/de-de/library/ff849263.aspx

To issue a pending certificate request:

  1. Log on to your root CA by using an account that is a certificate manager.

  2. Start the Certification Authority snap-in.

  3. In the console tree, expand your root CA, and click Pending Certificates.

  4. In the details pane, right-click the pending CA certificate, and click Issue.

    Question No: 394 – (Topic 4)

    Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed.

    Server1 hosts two AD LDS instances named Instance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1.

    Which tool should you use?

    1. NTDSUtil

    2. Dsdbutil

    3. Programs and Features in the Control Panel

    4. Server Manager

      Answer: C

      Explanation:

      Reference 1:

      http://technet.microsoft.com/en-us/library/cc794857.aspx

      Administering AD LDS Instances

      Each AD LDS instance runs as an independent (and separately administered) service on a computer.

      Reference 2:

      technet.microsoft.com/en-us/library/cc794886.aspx

      To remove an AD LDS instance

      1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.

      2. Locate and click the AD LDS instance that you want to remove.

      3. Click Uninstall.

      Note: It is not necessary to restart the computer after you remove an AD LDS instance.

        Question No: 395 – (Topic 4)

        Your network contains an Active Directory domain. The domain is configured as shown in the exhibit. (Click the Exhibit button.)

        Each organizational unit (OU) contains over 500 user accounts.

        The Finance OU and the Human Resources OU contain several user accounts that are members of a universal group named Group1.

        You have a Group Policy object (GPO) linked to the domain.

        You need to prevent the GPO from being applied to the members of Group1 only. What should you do?

        1. Modify the Group Policy permissions.

        2. Enable block inheritance.

        3. Configure the link order.

        4. Enable loopback processing in merge mode.

        5. Enable loopback processing in replace mode.

        6. Configure WMI filtering.

        7. Configure Restricted Groups.

        8. Configure Group Policy Preferences.

        9. Link the GPO to the Finance OU.

        10. Link the GPO to the Human Resources OU.

          Answer: A

          Explanation:

          "GPOs are linked to OUs, not groups. Block inheritance blocks all inherited GPOs from being applied to the OU. The security filter will only help you specify groups. So you have two choices. You could remove authenticated users in the security filter and add groups containing everyone except group1 members (messy solution) or you could leave authenticated users there, and specify group1 with deny apply gpo permission for the gpo (since deny will always win over allow)."

          The reference below explains a situation where the GPO only needs to be applied to one group; it's the other way around, so to speak.

          Reference:

          MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 285, 286

          Using Security Filtering to Modify GPO Scope

          By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.

          Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify.

          Filtering a GPO to Apply to Specific Groups

          To apply a GPO to a specific security group, perform the following steps:

          1. Select the GPO in the Group Policy Objects container in the console tree.

          2. In the Security Filtering section, select the Authenticated Users group and click Remove.

          3. Click OK to confirm the change.

          4. Click Add.

          5. Select the group to which you want the policy to apply and click OK.

        Question No: 396 – (Topic 4)

        Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2.

        The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.

        On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO.

        You need to identify what will be audited on DC1. Which tool should you use?

        1. Get-ADObject

        2. Secedit

        3. Security Configuration and Analysis

        4. Auditpol

Answer: D

Explanation:

Reference 1:

http://technet.microsoft.com/en-us/library/cc772576.aspx

Auditpol get

Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object.

Reference 2:

Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670

You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command:

auditpol /get /category:*

Question No: 397 – (Topic 4)

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to compact the Active Directory database. What should you do?

  1. Run the Get-ADForest cmdlet.

  2. Configure subscriptions from Event Viewer.

  3. Run the eventcreate.exe command.

  4. Configure the Active Directory Diagnostics Data Collector Set (DCS).

  5. Create a Data Collector Set (DCS).

  6. Run the repadmin.exe command.

  7. Run the ntdsutil.exe command.

  8. Run the dsquery.exe command.

  9. Run the dsamain.exe command.

  10. Create custom views from Event Viewer.

    Answer: G

    Explanation:

    Reference 1:

    http://technet.microsoft.com/en-us/library/cc794920.aspx

    Compact the Directory Database File (Offline Defragmentation)

    You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system. As part of the offline defragmentation procedure, check directory database integrity.

    Performing offline defragmentation creates a new, compacted version of the database file in a different location.

    Reference 2:

    Mastering Windows Server 2008 R2 (Sybex, 2010) page 805

    Performing Offline Defragmentation of Ntds.dit

    These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.

    1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.

    2. Type ntdsutil, and then press Enter.

    3. Type Activate instance NTDS, and press Enter.

    4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.

    5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.

      Question No: 398 – (Topic 4)

      Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

      You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer.

      What should you do?

      1. Run the ntdsutil.exe command.

      2. Run the repadmin.exe command.

      3. Run the Get-ADForest cmdlet.

      4. Run the dsamain.exe command.

      5. Create custom views from Event Viewer.

      6. Run the dsquery.exe command.

      7. Configure the Active Directory Diagnostics Data Collector Set (DCS).

      8. Configure subscriptions from Event Viewer.

      9. Run the eventcreate.exe command.

      10. Create a Data Collector Set (DCS).

Answer: H

Reference:

http://technet.microsoft.com/en-us/library/cc749183.aspx

Event Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding computers, see Configure Computers to Forward and Collect Events (http://technet.microsoft.com/en-us/library/cc748890.aspx).

Question No: 399 – (Topic 4)

A corporate network includes a single Active Directory Domain Services (AD DS) domain. The domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You plan to create an Active Directory-integrated zone.

You need to ensure that the new zone is replicated to only four of the domain controllers. What should you do first?

  1. Use the ntdsutil tool to modify the DS behavior for the domain.

  2. Use the ntdsutil tool to add a naming context.

  3. Create a new delegation in the ForestDnsZones application directory partition.

  4. Use the dnscmd tool with the /zoneadd parameter.

    Answer: B

    Explanation:

    Reference 1:

    http://technet.microsoft.com/en-us/library/cc725739.aspx

    Store Data in an AD DS Application Partition

    You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.

    Reference 2:

    http://technet.microsoft.com/en-us/library/cc730970.aspx

    Partition management

    Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

    This is a subcommand of Ntdsutil and Dsmgmt.

    Examples

    To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:

    1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    2. Type: ntdsutil

    3. Type: Ac in ntds

    4. Type: partition management

    5. Type: connections

    6. Type: Connect to server DC_Name

    7. Type: quit

    8. Type: list

      The following partitions will be listed:

      0 CN=Configuration,DC=Contoso,DC=com

      1 DC=Contoso,DC=com

      2 CN=Schema,CN=Configuration,DC=Contoso,DC=com

      3 DC=DomainDnsZones,DC=Contoso,DC=com

      4 DC=ForestDnsZones,DC=Contoso,DC=com

    9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com

    10. Run the list command again to refresh the list of partitions.

Question No: 400 – (Topic 4)

Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. All domain controllers run Windows Server 2008. All forest-wide operations master roles are in child.contoso.com.

An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack 1 (SP1) installation media.

You plan to run adprep.exe /domainprep in each domain.

You need to ensure that you have the required user rights to run the command successfully in each domain.

Of which groups should you be a member? (Each correct answer presents part of the solution. Choose two.)

  1. Administrators in child.contoso.com

  2. Enterprise Admins in contoso.com

  3. Domain Admins in child.contoso.com

  4. Domain Admins in contoso.com

  5. Administrators in contoso.com

  6. Schema Admins in contoso.com

Answer: C,D

Reference:

http://technet.microsoft.com/de-de/library/cc731728.aspx

Adprep /domainprep

Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest.

Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008.

You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command.
