[Free] 2018(July) Dumps4cert Microsoft 70-640 Dumps with VCE and PDF Download 51-60

Dumps4cert.com : Latest Dumps with PDF and VCE Files
2018 July Microsoft Official New Released 70-640
100% Free Download! 100% Pass Guaranteed!

Windows Server 2008 Active Directory, Configuring

Question No: 51 – (Topic 1)

You have a Windows Server 2008 R2 Enterprise Root CA.

Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA.

You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role.

What should you do next?

  A. Configure the Online Responder Role Service on a member server.

  B. Configure the Online Responder Role Service on a domain controller.

  C. Configure the Certificate Enrollment Web Service role service on a member server.

  D. Configure the Certificate Enrollment Web Service role service on a domain controller.

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/dd759209.aspx Certificate Enrollment Web Service Overview

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Personal note:

Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server.

Question No: 52 – (Topic 1)

You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.

You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console?

  A. Enable debug logging.

  B. Enable automatic testing for simple queries.

  C. Configure event logging to log errors and warnings.

  D. Enable automatic testing for recursive queries.

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc753579.aspx DNS Tools

Event-monitoring utilities

The Windows Server 2008 family includes two options for monitoring DNS servers:

1. Default logging of DNS server event messages to the DNS server log.

DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can view using DNS Manager or Event Viewer.

The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or (in some cases) Active Directory Domain Services (AD DS).

You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and they are written by the DNS Client service at any computers running Windows (all versions).

2. Optional debug options for trace logging to a text file on the DNS server computer.

You can also use DNS Manager to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in the %systemroot%\System32\Dns folder.

http://technet.microsoft.com/en-us/library/cc776361(v=ws.10).aspx Using server debug logging options

The following DNS debug logging options are available:

Direction of packets

Send: Packets sent by the DNS server are logged in the DNS server log file.

Receive: Packets received by the DNS server are logged in the log file.

Further information:

http://technet.microsoft.com/en-us/library/cc759581(v=ws.10).aspx Select and enable debug logging options on the DNS server
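The following PowerShell script is an added example; it is not part of the page or of Microsoft's documentation. It enables the "Receive" debug logging option from the command line with dnscmd.exe (the tool that ships with the DNS Server role on Windows Server 2008 R2) and then parses Dns.log to summarise inbound queries per client, which is what the question is really after. The log path, the file size and the sample log lines are this example's own choices; the sample lines are constructed in the Dns.log layout, not captured from a real server. PowerShell 3.0 or later is assumed for the `[pscustomobject]` syntax.

```powershell
# Added example (not part of the page or of Microsoft's documentation).
# Turns on DNS server debug logging for received packets with dnscmd.exe,
# the command-line equivalent of the DNS Manager "Debug Logging" tab, then
# summarises inbound queries per client from the resulting Dns.log.
# Assumptions: run elevated on the DNS server; path and size are choices.

$LogPath = 'C:\Windows\System32\Dns\Dns.log'

# dnscmd /Config /LogLevel takes a bit mask. Documented flag values:
#   0x1 Query/responses  0x100 Questions  0x2000 Receive  0x4000 UDP  0x8000 TCP
# Logging only "Receive" answers the requirement (inbound queries) without
# also writing every outbound response to disk.
$LogLevel = 0x1 -bor 0x100 -bor 0x2000 -bor 0x4000 -bor 0x8000   # = 0xE101

function Enable-DnsInboundQueryLogging {
    param([string]$Server = $env:COMPUTERNAME)
    & dnscmd.exe $Server /Config /LogLevel ('0x{0:X}' -f $LogLevel)
    & dnscmd.exe $Server /Config /LogFilePath $LogPath
    & dnscmd.exe $Server /Config /LogFileMaxSize 0x2000000   # 32 MB, then the file wraps
}

# One Dns.log packet line (whitespace-separated) looks like:
#   date time thread PACKET id UDP|TCP Snd|Rcv remoteIP xid [R] Q [flags] QTYPE (3)www(6)adatum(3)com(0)
$PacketPattern = '(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+[0-9a-fA-F]+\s+(?<resp>R?)\s*(?<op>[QNU])\s+\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<name>\S+)\s*$'

function ConvertFrom-DnsLogName {
    # Converts the length-prefixed form "(3)www(6)adatum(3)com(0)" to "www.adatum.com".
    param([string]$Label)
    return (($Label -replace '\(\d+\)', '.').Trim('.'))
}

function Get-DnsInboundQuerySummary {
    # Groups received (Rcv), non-response (no "R" flag) standard queries by client IP.
    param([string[]]$Lines)
    $queries = foreach ($line in $Lines) {
        if (($line -match $PacketPattern) -and $Matches.dir -eq 'Rcv' -and (-not $Matches.resp) -and $Matches.op -eq 'Q') {
            [pscustomobject]@{
                Client = $Matches.ip
                Type   = $Matches.qtype
                Name   = ConvertFrom-DnsLogName $Matches.name
            }
        }
    }
    $queries | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client  = $_.Name
            Queries = $_.Count
            Names   = ($_.Group | ForEach-Object { "$($_.Type) $($_.Name)" } | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample lines in the Dns.log layout (not captured from a real server).
$SampleLog = @'
1/25/2018 10:22:37 AM 0A8C PACKET  00000000031F9C10 UDP Rcv 10.0.0.25       0003   Q [0001   D   NOERROR] A      (3)www(6)adatum(3)com(0)
1/25/2018 10:22:37 AM 0A8C PACKET  00000000031F9C10 UDP Snd 10.0.0.25       0003 R Q [8085 A DR  NOERROR] A      (3)www(6)adatum(3)com(0)
1/25/2018 10:22:38 AM 0A8C PACKET  00000000031FA2B0 UDP Rcv 10.0.0.31       0004   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(8)intranet(6)adatum(3)com(0)
1/25/2018 10:22:39 AM 0A8C PACKET  00000000031FA2B0 UDP Rcv 10.0.0.25       0005   Q [0001   D   NOERROR] AAAA   (3)www(6)adatum(3)com(0)
'@ -split "`r?`n"

# Against the constructed sample this reports 10.0.0.25 with 2 queries and 10.0.0.31 with 1.
Get-DnsInboundQuerySummary -Lines $SampleLog | Format-Table -AutoSize

# Against the live file after Enable-DnsInboundQueryLogging has run:
#   Get-DnsInboundQuerySummary -Lines (Get-Content $LogPath)
```

Debug logging is a temporary diagnostic: the file grows quickly on a busy server, so set a maximum size, and clear the log level (`dnscmd /Config /LogLevel 0`) once the investigation is over.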

Question No: 53 – (Topic 1)

Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.

All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates.

You need to enable dynamic DNS updates on DC3. What should you do?

  A. Run the Dnscmd.exe /ZoneResetType command on DC3.

  B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

  C. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.

  D. Run the Ntdsutil.exe > DS Behavior commands on DC3.

Answer: B

Explanation:

Answer: Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

http://technet.microsoft.com/en-us/library/cc754218(WS.10).aspx#BKMK_DDNS Appendix A: RODC Technical Reference Topics

DNS updates for clients that are located in an RODC site

When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Active Directory-integrated zone, just as a secondary DNS server handles updates for zones that are not Active Directory-integrated zones. After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is then responsible for performing the DNS record registration against the writeable server. The RODC waits a certain amount of time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation.

Note:

For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will be delayed until the next scheduled replication cycle.

Further information:

http://technet.microsoft.com/en-us/library/dd737255(v=ws.10).aspx Plan DNS Servers for Branch Office Environments

This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office environments.

As a best practice, use Active Directory-integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice. In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe.

Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory-integrated DNS zones.

Note: You also have to configure the DNS client’s setting for the RODC so that it points to itself as its preferred DNS server.

To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNS server must register name server (NS) resource records for that zone.

By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is because the updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.

For example, suppose that you add a new member server in a branch office, Branch1, which includes an RODC. The member server hosts an application that you want client computers in Branch1 to locate by using a DNS query. When the member server attempts to register its host (A or AAAA) resource records for its IP address to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the RODC tracks in Branch1. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in Branch1 for its IP address.

If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against a Windows Server 2003 DNS server if one is available, but the updated record in the DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can delay client computers that use the RODC DNS server for name resolution from locating the new member server.

Question No: 54 – (Topic 1)

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to capture all replication errors from all domain controllers to a central location. What should you do?

  A. Start the Active Directory Diagnostics data collector set.

  B. Start the System Performance data collector set.

  C. Install Network Monitor and create a new capture.

  D. Configure event log subscriptions.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc748890.aspx Configure Computers to Forward and Collect Events

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

http://technet.microsoft.com/en-us/library/cc749183.aspx Event Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.

http://technet.microsoft.com/en-us/library/cc961808.aspx Replication Issues
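The following PowerShell script is an added example; it is not part of the page or of Microsoft's documentation. It shows the collector side of what the explanation describes: a source-initiated event subscription that pulls Directory Service replication errors from every domain controller into the collector's ForwardedEvents log, restricted by SDDL so that only members of Domain Controllers may forward to it. The subscription name, the description, the collector name `collector.adatum.com` and the event ID list are this example's own choices (the IDs are real Directory Service replication events, but which ones to collect is a design decision).

```powershell
# Added example (not part of the page or of Microsoft's documentation).
# Creates a source-initiated subscription on the collector that gathers
# Directory Service replication errors from all domain controllers.
# Assumptions: run elevated on the collector (a member server);
# "collector.adatum.com" is a placeholder; event IDs are a chosen subset.

$SubscriptionId = 'AD-Replication-Errors'
$Collector      = 'collector.adatum.com'   # placeholder collector FQDN

# Directory Service event IDs raised when replication fails or stalls
# (1311 KCC topology, 1925 replication link failed, 2042 replication too long
#  ago, 2087/2088 DNS lookup failure while replicating).
$EventIds = 1311, 1925, 2042, 2087, 2088
$IdFilter = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '

# XPath query: critical, error and warning events from the Directory Service
# log with one of those IDs.
$Query = "<QueryList><Query Id='0' Path='Directory Service'>" +
         "<Select Path='Directory Service'>*[System[(Level=1 or Level=2 or Level=3) and ($IdFilter)]]</Select>" +
         "</Query></QueryList>"

# wecutil subscription manifest. AllowedSourceDomainComputers is an SDDL string
# that grants only the Domain Controllers group (SID alias DD) the right to forward.
$Manifest = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Replication errors from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

function New-ReplicationErrorSubscription {
    param([string]$ManifestPath = "$env:TEMP\$SubscriptionId.xml")
    # 1. Collector side: WinRM listener plus the Windows Event Collector service.
    & winrm.cmd quickconfig -q
    & wecutil.exe qc /q
    # 2. Register the subscription from the manifest, then show its runtime status.
    Set-Content -Path $ManifestPath -Value $Manifest -Encoding UTF8
    & wecutil.exe cs $ManifestPath
    & wecutil.exe gr $SubscriptionId
}

# Source side (each domain controller): the "Configure target Subscription Manager"
# Group Policy setting writes this registry value; the DC also needs
# "winrm quickconfig -q", and NETWORK SERVICE must be able to read the
# Directory Service log (membership in Event Log Readers is the usual way).
$SourcePolicy = "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
# On a DC, outside Group Policy:
#   New-Item -Path $PolicyKey -Force | Out-Null
#   New-ItemProperty -Path $PolicyKey -Name 1 -Value $SourcePolicy -PropertyType String

New-ReplicationErrorSubscription
```

Source-initiated mode is chosen here because new domain controllers pick up the policy and start forwarding without the collector being reconfigured; a collector-initiated subscription would need each DC listed in `EventSources` and a service account with read access to every DC's log.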

Question No: 55 – (Topic 1)

Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.

You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.

At which level should you deactivate UGMC?

  A. Server

  B. Connection object

  C. Domain

  D. Site

Answer: D

Explanation:

http://www.ntweekly.com/?p=788

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91 Script to Disable Universal Group Membership Caching in all Sites

How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is a member of rather than contacting a Global Catalog.

Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user's account at the time the user logs on to the domain to the authenticating domain controller.

UGMC is generally a good idea for multiple-domain forests when:

1. Universal Group membership does not change frequently.

2. There is low WAN bandwidth between domain controllers in different sites.

It is also recommended to disable UGMC if all domain controllers in a forest are Global Catalogs.
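The following PowerShell script is an added example; it is not part of the page or of the linked gallery script. It makes the "site level" answer concrete: UGMC is a bit in the `options` attribute of each site's `CN=NTDS Site Settings` object under the Configuration partition, which is what Active Directory Sites and Services edits when you untick "Enable Universal Group Membership Caching" on a site. The script reports the flag for every site and clears it, with `-WhatIf` support so the change can be previewed. It uses ADSI rather than the ActiveDirectory module, so it runs on Windows Server 2008 R2 without RSAT; PowerShell 3.0 or later is assumed for the `[pscustomobject]` syntax, and the `-Site` filter is this example's own parameter.

```powershell
# Added example (not part of the page or of the linked gallery script).
# Reads and clears the Universal Group Membership Caching flag on the
# NTDS Site Settings object of each site. Assumptions: run as a member of
# Enterprise Admins (the Configuration partition is forest-wide).

# Bit in the "options" attribute of CN=NTDS Site Settings that enables UGMC.
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20

function Get-UgmcStatus {
    # One object per site with the current UGMC state read from "options".
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $sites = [ADSI]"LDAP://CN=Sites,$configNc"
    foreach ($site in $sites.Children) {
        if ($site.SchemaClassName -ne 'site') { continue }   # skip Subnets, Inter-Site Transports
        $settings = [ADSI]"LDAP://CN=NTDS Site Settings,$($site.distinguishedName)"
        $options = [int]$settings.options.Value   # attribute absent -> $null -> 0
        [pscustomobject]@{
            Site        = [string]$site.name
            Options     = $options
            UgmcEnabled = [bool]($options -band $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED)
            Settings    = $settings
        }
    }
}

function Disable-SiteUgmc {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Site)   # site names to change; omit for every site
    foreach ($entry in Get-UgmcStatus) {
        if ($Site -and ($Site -notcontains $entry.Site)) { continue }
        if (-not $entry.UgmcEnabled) { continue }
        if ($PSCmdlet.ShouldProcess($entry.Site, 'Clear UGMC flag on NTDS Site Settings')) {
            # Clear only the UGMC bit; other option bits on the object are preserved.
            $entry.Settings.Put('options', $entry.Options -bxor $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED)
            $entry.Settings.SetInfo()
        }
    }
}

Get-UgmcStatus | Select-Object Site, UgmcEnabled | Format-Table -AutoSize
Disable-SiteUgmc -WhatIf            # preview; drop -WhatIf to apply to all sites
# Disable-SiteUgmc -Site 'Branch01', 'Branch02'   # or only the branch sites
```

Because the flag lives on the site object, there is no per-server or per-connection setting to change; the branch DCs pick the new value up after Configuration-partition replication.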

Question No: 56 – (Topic 1)

Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server.

You create a new global security group named CertIssuers.

You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates.

What should you do?

  A. Assign the Certificate Manager role to the CertIssuers group

  B. Place CertIssuers group in the Certificate Publisher group

  C. Run the certsrv -add CertIssuers command prompt of the certificate server

  D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows Powershell

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc779954(v=ws.10).aspx Role-based administration

Role explanation

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.


These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

Certificate Manager:

Delete multiple rows in database (bulk deletion)

Issue and approve certificates

Deny certificates

Revoke certificates

Reactivate certificates placed on hold

Renew certificates

Recover archived key

Read CA database

Read CA configuration information

Question No: 57 – (Topic 1)

An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume.

What should you do?

  A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.

  B. Move the ntds.dit file to the new volume by using Windows Explorer.

  C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.

  D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Answer: D

Explanation:

Answer: Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

http://technet.microsoft.com/en-us/library/cc816720(v=ws.10).aspx Move the Directory Database and Log Files to a Local Drive

You can use this procedure to move Active Directory database and log files to a local drive. When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.

On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location.

To move the directory database and log files to a local drive:

  1. At the ntdsutil prompt, type files, and then press ENTER.

  2. To move the database file, at the file maintenance: prompt, use the following commands:

Further information:

http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/ Moving Active Directory Database and Logs

Step 1

Start the server in Directory Services Restore Mode

Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller. To perform any file movement activities using ntdsutil, we need to start the server in Directory Services Restore Mode.

To start the server in Directory Services Restore Mode, follow these steps:

Restart the computer.

After the BIOS information is displayed, press F8.

Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.

Log on with your local administrative account and password (not a domain administrative account).

Note: using Service Control (SC.exe) you can quickly verify whether the NTDS service is running or stopped. In a command prompt, type SC query ntds

Step 2

How to Move Active Directory Database and Logs

You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server. To move the data file to another folder, follow these steps:

Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.

At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.

At the Ntdsutil command prompt, type files, and then press ENTER.

At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER.

In this case, the new location for the database is C:\AD\Database

Now to move the logs, at the file maintenance command prompt, type move logs to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER. In our case, the new location for the logs is C:\AD\Logs

To quit file maintenance, type quit. Back at the Ntdsutil prompt, type quit again to close the prompt. Restart the computer. The AD database and logs are now moved to the new location.
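The following PowerShell script is an added example; it is not part of the page, of the TechNet article or of the linked blog post. It wraps the Ntdsutil "files" procedure for a Windows Server 2008 R2 domain controller, where AD DS can be stopped as a service instead of rebooting into DSRM, and adds the checks a careful administrator does around it: the target folders get the same restrictive ACL as the original NTDS folder, the script refuses to continue unless NTDS is really stopped, an integrity check runs after the move, and the registry values Ntdsutil rewrites are verified before the service is started again. The target paths `D:\NTDS\Database` and `D:\NTDS\Logs` and the function name are this example's choices.

```powershell
# Added example (not part of the page or of the linked blog post).
# Scripted form of "ntdsutil > files > move DB / move logs" for a Windows
# Server 2008 R2 DC. Assumptions: run elevated on the DC; target folders are
# this example's choice and must not contain spaces (ntdsutil argument quoting).

function Move-AdDatabase {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DatabasePath,   # e.g. D:\NTDS\Database
        [Parameter(Mandatory = $true)][string]$LogPath         # e.g. D:\NTDS\Logs
    )
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $before = Get-ItemProperty -Path $params
    Write-Host "Current database: $($before.'DSA Database file')"
    Write-Host "Current logs:     $($before.'Database log files path')"

    # Create the folders and give them the same ACL as %SystemRoot%\NTDS:
    # SYSTEM and Administrators only, no inherited entries.
    foreach ($dir in $DatabasePath, $LogPath) {
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        $acl = Get-Acl -LiteralPath $dir
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
        foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $dir -AclObject $acl
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Move ntds.dit to $DatabasePath and logs to $LogPath")) { return }

    # Ntdsutil needs exclusive access to the files: stop AD DS (dependents such as
    # KDC and DNS Server stop with it) and confirm it is stopped before going on.
    Stop-Service -Name NTDS -Force
    if ((Get-Service -Name NTDS).Status -ne 'Stopped') {
        throw 'NTDS did not stop; aborting before touching the database.'
    }

    # Same commands as the interactive session, passed as arguments so the run is
    # repeatable; "integrity" runs the database consistency check after the move.
    & ntdsutil.exe 'activate instance ntds' 'files' "move DB to $DatabasePath" "move logs to $LogPath" 'integrity' 'quit' 'quit'

    # Ntdsutil rewrites these registry values; confirm they point at the new folders.
    $after = Get-ItemProperty -Path $params
    if (-not ($after.'DSA Database file').StartsWith($DatabasePath, 'OrdinalIgnoreCase')) {
        throw 'Registry still points at the old database path; do not start NTDS until this is resolved.'
    }
    if (-not ($after.'Database log files path').StartsWith($LogPath, 'OrdinalIgnoreCase')) {
        throw 'Registry still points at the old log path; do not start NTDS until this is resolved.'
    }

    Start-Service -Name NTDS
    # Start-Service does not restart services that stopped as dependents of NTDS;
    # bring the usual ones back, ignoring any not installed on this DC.
    foreach ($svc in 'kdc', 'DNS', 'IsmServ', 'DFSR', 'NtFrs') {
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }
    Write-Host "Database now: $($after.'DSA Database file')"
    Write-Host "Logs now:     $($after.'Database log files path')"
}

Move-AdDatabase -DatabasePath 'D:\NTDS\Database' -LogPath 'D:\NTDS\Logs' -WhatIf   # drop -WhatIf to run
```

The registry check is the point of using Ntdsutil rather than a plain file copy: `DSA Database file` and `Database log files path` are what the Directory Service reads at start-up, and a file moved by Explorer or `Move-Item` leaves them pointing at the old volume.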

Question No: 58 – (Topic 1)

Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records.

You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.

What should you do?

  A. Set dynamic updates to Secure Only.

  B. Remove the Authenticated Users group.

  C. Enable zone transfers to Name Servers.

  D. Deny the Everyone group the Create All Child Objects permission.

Answer: A

Explanation:

Answer: Set dynamic updates to Secure Only. http://technet.microsoft.com/en-us/library/cc753751.aspx Allow Only Secure Dynamic Updates

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

Further information:

http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update
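The following PowerShell script is an added example; it is not part of the page or of Microsoft's documentation. It applies the "Secure only" setting from the command line with dnscmd.exe, refusing to do so for a zone that is not AD-integrated (secure updates are only available there, as the explanation states), and then audits every zone on the server through the MicrosoftDNS WMI provider so that any zone still accepting nonsecure updates is flagged. The zone name `intranet.adatum.com` comes from the question; the function names are this example's own. PowerShell 3.0 or later is assumed for the `[pscustomobject]` syntax.

```powershell
# Added example (not part of the page or of Microsoft's documentation).
# Sets a zone to secure-only dynamic updates and audits all zones for
# nonsecure updates. Assumptions: run as a DNS administrator on the DNS server.

# AllowUpdate values shared by dnscmd /AllowUpdate and the MicrosoftDNS_Zone class:
#   0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only
$UpdateMode = @{ 0 = 'None'; 1 = 'NonsecureAndSecure'; 2 = 'SecureOnly' }

function Get-DnsZoneObject {
    param([string]$Server = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone
}

function Set-ZoneSecureUpdatesOnly {
    param([Parameter(Mandatory = $true)][string]$ZoneName, [string]$Server = $env:COMPUTERNAME)
    $zone = Get-DnsZoneObject -Server $Server | Where-Object { $_.ContainerName -eq $ZoneName }
    if (-not $zone) { throw "Zone $ZoneName not found on $Server" }
    # Secure updates rely on the zone's AD ACLs, so a file-backed zone cannot use them.
    if (-not $zone.DsIntegrated) {
        throw "Zone $ZoneName is file-backed; convert it to AD-integrated before requiring secure updates"
    }
    & dnscmd.exe $Server /Config $ZoneName /AllowUpdate 2
}

function Get-ZoneUpdateAudit {
    # Every zone with its update mode; entries with a Finding are the ones to fix.
    param([string]$Server = $env:COMPUTERNAME)
    Get-DnsZoneObject -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Zone         = $_.ContainerName
            AdIntegrated = [bool]$_.DsIntegrated
            UpdateMode   = $UpdateMode[[int]$_.AllowUpdate]
            Finding      = if ([int]$_.AllowUpdate -eq 1) { 'Accepts nonsecure updates' } else { '' }
        }
    }
}

Set-ZoneSecureUpdatesOnly -ZoneName 'intranet.adatum.com'
Get-ZoneUpdateAudit | Format-Table -AutoSize
```

With secure-only updates in place, a non-domain machine that tries to register a record receives a refusal rather than overwriting an existing name, which is the behaviour the question asks for; domain members continue to update through their computer account's Kerberos-authenticated TSIG (GSS-TSIG) update.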

Question No: 59 – (Topic 1)

Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller.

You disable an account that has administrative rights.

You need to immediately replicate the disabled account information to all sites.

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

  A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers.

  B. From the Active Directory Sites and Services console, select the existing connection objects and force replication.

  C. Use Repadmin.exe to force replication between the site connection objects.

  D. Use Dsmod.exe to configure all domain controllers as global catalog servers.

Answer: B, C

Explanation:

http://technet.microsoft.com/en-us/library/cc835086(v=ws.10).aspx

Repadmin /syncall: Synchronizes a specified domain controller with all of its replication partners.

http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers

From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it is just a good tool to check the status of replication between DCs.

Below is a command to replicate from a specified DC to all other DCs.

Repadmin /syncall DC_name /Aped

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many, and with the benefit of seeing immediate results on how the operations are proceeding.

If I am running it on the DC itself, I don't even have to specify the server name.

http://technet.microsoft.com/en-us/library/cc776188(v=ws.10).aspx Force replication over a connection

To force replication over a connection

1. Open Active Directory Sites and Services.
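The following PowerShell script is an added example; it is not part of the page or of the linked blog post. It performs the `repadmin /syncall` push from the DC where the account was disabled and then does the check that matters after disabling an account with administrative rights: it binds to every domain controller in turn and reads the account's `userAccountControl` from that DC's own replica, so you know the disabled flag has actually arrived everywhere rather than trusting the replication command's exit code. The account name `svc-backup-admin` and the source DC `DC1` are placeholders; repadmin.exe is assumed to be available (it ships with the AD DS role and with RSAT), and PowerShell 3.0 or later is assumed for the `[pscustomobject]` syntax.

```powershell
# Added example (not part of the page or of the linked blog post).
# Pushes a change out with repadmin /syncall, then verifies on every DC that
# the disabled account is disabled there. Assumptions: run as a domain admin
# on a domain-joined host with repadmin.exe; names below are placeholders.

$ACCOUNTDISABLE = 0x2   # userAccountControl bit set by "Disable Account"

function Get-DomainControllerName {
    # Every DC in the current domain, enumerated from the directory so none is missed.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
        ForEach-Object { $_.Name }
}

function Push-AccountChange {
    param([Parameter(Mandatory = $true)][string]$SourceDc)
    # /A all partitions, /P push from this DC, /e across sites (enterprise), /d show DNs
    & repadmin.exe /syncall $SourceDc /APed
}

function Test-AccountDisabledEverywhere {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $results = foreach ($dc in Get-DomainControllerName) {
        # Bind to each DC explicitly so the read reflects that DC's own replica,
        # not whichever DC the locator would otherwise hand us.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$dc"
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
        $searcher.PropertiesToLoad.AddRange([string[]]('userAccountControl', 'whenChanged')) | Out-Null
        $hit = $searcher.FindOne()
        [pscustomobject]@{
            DomainController = $dc
            Found            = [bool]$hit
            Disabled         = if ($hit) { [bool]([int]$hit.Properties['useraccountcontrol'][0] -band $ACCOUNTDISABLE) } else { $null }
            WhenChanged      = if ($hit) { $hit.Properties['whenchanged'][0] } else { $null }
        }
    }
    $results | Format-Table -AutoSize
    # True only when every DC already holds the disabled flag.
    return -not ($results | Where-Object { -not $_.Disabled })
}

Push-AccountChange -SourceDc 'DC1'
if (Test-AccountDisabledEverywhere -SamAccountName 'svc-backup-admin') {
    'Disabled account has converged on all domain controllers.'
} else {
    'Not yet converged; re-run the check, then inspect repadmin /showrepl on the lagging DC.'
}
```

Until the flag has replicated, a DC that still holds the old value will continue to issue Kerberos tickets for the account, which is why the per-DC read is worth the extra few seconds; account lockout and password changes get urgent replication automatically, but a plain disable does not.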


Question No: 60 – (Topic 1)

Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales.

The Sales organizational unit contains all users and computers of the sales department.

You need to install an Office 2007 application only on the computers in the Sales organizational unit.

You create a GPO named SalesApp GPO. What should you do next?

  A. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the Sales organizational unit in each location.

  B. Configure the GPO to assign the application to the computer account. Link the SalesApp GPO to the domain.

  C. Configure the GPO to publish the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.

  D. Configure the GPO to assign the application to the user account. Link the SalesApp GPO to the Sales organizational unit in each location.

Answer: A

