[Free] 2018(July) Dumps4cert Microsoft 70-640 Dumps with VCE and PDF Download 301-310

Dumps4cert.com : Latest Dumps with PDF and VCE Files
2018 July Microsoft Official New Released 70-640
100% Free Download! 100% Pass Guaranteed!

Windows Server 2008 Active Directory, Configuring

Question No: 301 – (Topic 4)

Your network contains an Active Directory domain named contoso.com.

You have an organizational unit (OU) named Sales and an OU named Engineering. You have a Group Policy object (GPO) linked to the domain.

You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Sales OU. You must achieve this goal by using the minimum amount of administrative effort.

What should you do?

  1. Modify the Group Policy permissions.

  2. Enable block inheritance.

  3. Configure the link order.

  4. Enable loopback processing in merge mode.

  5. Enable loopback processing in replace mode.

  6. Configure WMI filtering.

  7. Configure Restricted Groups.

  8. Configure Group Policy Preferences.

  9. Link the GPO to the Sales OU.

  10. Link the GPO to the Engineering OU.

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc731076.aspx

Block Inheritance You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.

Question No: 302 – (Topic 4)

Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)

Dumps4Cert 2018 PDF and VCE

You need to ensure that only domain members can register DNS records in the zone. What should you do first?

  1. Modify the zone type.

  2. Create a trust anchor.

  3. Modify the Advanced properties of the DNS server.

  4. Modify the Dynamic updates setting.

    Answer: A Explanation:

    To ensure that only domain members are allowed to register DNS records we have to:

    1. modify the zone type to Active Directory-Integrated.

    2. set the Dynamic updates option to Secure only, which is only available to Active Directory-Integrated zones.

      Reference 1:

      MCTS Windows Server 庐 2008 Active Directory Configuration Study Guide (Sybex, 2008) page 53

      Secure only-This means that only machines with accounts in Active Directory can register with DNS.

      Before DNS registers any account in its database, it checks Active Directory to make sure that account is an authorized domain computer.

      Reference 2:

      http://technet.microsoft.com/en-us/library/ee649287.aspx

      Secure dynamic update is supported only for Active Directory-integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for DNS dynamic updates.

      Question No: 303 – (Topic 4)

      Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard.

      You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates.

      You must achieve this goal by using the minimum amount of administrative effort. What should you do first?

      1. Run the certutil.exe – addenrollmentserver command.

      2. Install the Active Directory Certificate Services (AD CS) role on the member server.

      3. Upgrade the member server to Windows Server 2008 R2 Enterprise.

      4. Run the certutil.exe – installdefaulttemplates command.

Answer: C

Question No: 304 – (Topic 4)

You have an enterprise subordinate certification authority (CA).

You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment.

You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template.

Which console should you use?

  1. Group Policy Management MMC Snap-In

  2. Certificates MMC Snap-In on the Certificate Authority

  3. Certificate Templates MMC Snap-In

  4. Certification Authority MMC Snap-In

    Answer: C

    Reference:

    http://technet.microsoft.com/en-us/library/cc771246.aspx

    Re-Enroll All Certificate Holders

    This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll.

    Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

    To re-enroll all certificate holders

    1. Open the Certificate Templates snap-in.

    2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders.

      Question No: 305 – (Topic 4)

      Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2.

      You need to monitor the following information on the domain controllers during the next five days:

      ->Memory usage

      ->Processor usage

      ->The number of LDAP queries

      What should you do?

      1. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.

      2. Use the System Performance Data Collector Set (DCS).

      3. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.

      4. Use the Active Directory Diagnostics Data Collector Set (DCS).

Answer: A Explanation:

The System Performance Data Collector Set/System Performance template does not monitor Active Directory data (we need the number of LDAP queries). That leaves out answers

B (quot;Use the System Performance Data Collector Set (DCS)quot;) and

C (quot;Create a User Defined Data Collector Set (DCS) that uses the System Performance templatequot;).

Because the Active Directory Diagnostics Data Collector Set (DCS) runs only for 5 minutes and we need to monitor for 5 days we have to use a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template. For a User Defined Data Collector Set we can set the monitoring duration in seconds, minutes, hours, days or weeks.

So we have to create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.

Reference:

http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-

win2008-andbeyond.aspx

AD Data Collector Sets in Win2008 and beyond

The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line. If reducing or increasing the time that a data collector set runs is required, and manually stopping the collection is not desirable, then see How to Create a User Defined Data Collection Set.

Question No: 306 – (Topic 4)

Your network contains an Active Directory-integrated DNS zone named contoso.com.

You discover that the zone includes DNS records for computers that were removed from the network.

You need to ensure that the DNS records are deleted automatically from the zone. What should you do?

  1. From DNS Manager, set the aging properties.

  2. Create a scheduled task that runs dnslint.exe /v /d contoso.com.

  3. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.

  4. Create a scheduled task that runs ipconfig.exe /flushdns.

    Answer: A

    Reference:

    http://technet.microsoft.com/en-us/library/cc753217.aspx Set Aging and Scavenging Properties for the DNS Server

    The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server.

    To set aging and scavenging properties for the DNS server using the Windows interface

    1. Open DNS Manager.

    2. In the console tree, right-click the applicable DNS server, and then click Set Aging/Scavenging for all zones.

    3. Select the Scavenge stale resource records check box.

    4. Modify other aging and scavenging properties as needed.

      Question No: 307 – (Topic 4)

      A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage.

      You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available.

      You need to install the AD CS server role as an Enterprise CA on CA1. What should you do first?

      1. Add the DNS Server server role to CA1.

      2. Add the Web Server (IIS) server role and the AD CS server role to CA1.

      3. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.

      4. Join CA1 to the domain.

        Answer: D Explanation:

        Reference 1:

        http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/ Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it’s unavailable.

        Well, you need to fulfill basic requirements:

        1. Server machine has to be a member server (domain joined). 2. (…)

          Reference 2: http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211- 9a99-a06108521268

          Question No: 308 – (Topic 4)

          Your network contains an Active Directory domain. The domain contains several domain controllers.

          You need to modify the Password Replication Policy on a read-only domain controller (RODC).

          Which tool should you use?

          1. Group Policy Management

          2. Active Directory Domains and Trusts

          3. Active Directory Users and Computers

          4. Computer Management

          5. Security Configuration Wizard

            Answer: C

            Reference:

            http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password- replication-policy.aspx

            Administering the Password Replication Policy

            This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

            To configure the PRP using Active Directory Users and Computers

            1. Open Active Directory Users and Computers as a member of the Domain Admins group.

            2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.

            3. Click Domain Controllers, and in the details pane, right-click the RODC computer

              account, and then click Properties.

            4. Click the Password Replication Policy tab.

            5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add.

              To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.

              To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.

              Question No: 309 – (Topic 4)

              Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

              You need to create a snapshot of Active Directory. What should you do?

              1. Run the dsquery.exe command.

              2. Run the dsamain.exe command.

              3. Create custom views from Event Viewer.

              4. Configure subscriptions from Event Viewer.

              5. Create a Data Collector Set (DCS).

              6. Configure the Active Directory Diagnostics Data Collector Set (DCS).

              7. Run the repadmin.exe command.

              8. Run the ntdsutil.exe command.

              9. Run the Get-ADForest cmdlet.

              10. Run the eventcreate.exe command.

                Answer: H

                Reference:

                http://technet.microsoft.com/en-us/library/cc753609.aspx To create an AD DS or AD LDS snapshot

                1. Log on to a domain controller as a member of the Enterprise Admins groups or the

                  Domain Admins group.

                2. Click Start, right-click Command Prompt, and then click Run as administrator.

                3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

                4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil

                5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot

                6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds

                7. At the snapshot prompt, type the following command, and then press ENTER: create

                  Question No: 310 – (Topic 4)

                  Your network contains an Active Directory domain named contoso.com.

                  A partner company has an Active Directory domain named nwtraders.com.

                  The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.

                  You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on the Internet.

                  What should you do first?

                  1. Modify the Trusted Root Certification Authorities store.

                  2. Modify the Intermediate Certification Authorities store.

                  3. Create conditional forwarders.

                  4. Add a root hint to the DNS server.

Answer: C

Reference:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 114-115

Conditional Forwarders

You can configure a DNS server as a conditional forwarder. This is a DNS server that handles name resolution for specified domains only. In other words, the local DNS server will forward all the queries that it receives for names ending with a specific domain name to the conditional forwarder. This is especially useful in situations where users in your company need access to resources in another company with a separate AD DS forest and DNS zones, such as a partner company. In such a case, specify a conditional forwarder that directs such queries to the DNS server in the partner company while other queries are forwarded to the Internet. Doing so reduces the need for adding secondary zones for partner companies on your DNS servers.

100% Dumps4cert Free Download!
Download Free Demo:70-640 Demo PDF
100% Dumps4cert Pass Guaranteed!
70-640 Dumps

Dumps4cert ExamCollection Testking
Lowest Price Guarantee Yes No No
Up-to-Dated Yes No No
Real Questions Yes No No
Explanation Yes No No
PDF VCE Yes No No
Free VCE Simulator Yes No No
Instant Download Yes No No

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.