[Free] 2018(Aug) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 31-40


Windows Server 2008 Active Directory, Configuring

Question No: 31 – (Topic 1)

Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7.

You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone.

You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.

What should you do first?

  A. On the member server, add a conditional forwarder.

  B. On the member server, install Active Directory Domain Services.

  C. Add all computer accounts to the DNS UpdateProxy group.

  D. Convert the standard primary zone to an Active Directory-integrated zone.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

How DNS integrates with AD DS

When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.

In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.

By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.

Question No: 32 – (Topic 1)

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.

You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose any zone data.

What should you do?

  A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.

  B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

  C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.

  D. On both servers, modify the interface that the DNS server listens on.

Answer: B

Explanation:

Answer: Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.

http://technet.microsoft.com/en-us/library/cc771150.aspx Change the Zone Type

You can use this procedure to make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS).

http://technet.microsoft.com/en-us/library/cc726034.aspx

Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.

In a standard zone storage model, DNS updates are conducted based on a single-master update model.

In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.

By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.

http://technet.microsoft.com/en-us/library/ee649124(v=ws.10).aspx

Deploy IPsec Policy to DNS Servers

You can deploy IPsec rules through one of the following mechanisms:

Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier.

DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers.

Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally.

http://technet.microsoft.com/en-us/library/cc772661(v=ws.10).aspx

Deploying Secure DNS

Protecting DNS Servers

When the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:

Use IPsec between DNS clients and servers.

Monitor network activity.

Close all unused firewall ports.

Implementing IPsec Between DNS Clients and Servers

IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server.

Further information:

http://technet.microsoft.com/en-us/library/cc771898.aspx Understanding Zone Types

The DNS Server service provides for three types of zones:

Primary zone

Secondary zone

Stub zone

Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS. The following sections describe each of these zone types:

Primary zone

When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.

Secondary zone

When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.

Stub zone

When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.

You can use stub zones to:

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.

Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace.

Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.

There are two lists of DNS servers involved in the loading and maintenance of a stub zone:

The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.

The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.

When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/

Answered what is non-standard dns secondary zone?

Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone".

From the context of other questions I understood that "standard", in context of primary zone, mean "non-AD-integrated".

A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file.

Q: What does "standard" mean in context of DNS secondary zone?

A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is stored in a text file, which can be found in system32\dns.
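The zone-type change that Question 31 and Question 32 both turn on, as an added PowerShell example (not from the exam dump or from Microsoft's documentation): it follows the Question 32 scenario (DC1 holds the standard primary, DC2 the standard secondary, zone contoso.com; all assumed names) and drives dnscmd.exe, which ships with the DNS Server role. The "DS integrated" and "update" field names it parses from dnscmd /ZoneInfo output are assumed from that tool's output format. In the Question 31 case, where the secondary sits on a member server, skip the deletion step: only domain controllers can host an AD-integrated zone, so the member server keeps its secondary.

```powershell
# Added example: convert a file-backed standard primary zone into an
# AD-integrated zone, allow only secure (authenticated) dynamic updates,
# retire the now-redundant secondary, and verify the result.
param(
    [string]$Zone      = "contoso.com",   # assumed zone name
    [string]$Primary   = "DC1",           # assumed current standard primary
    [string]$Secondary = "DC2"            # assumed standard secondary (a DC)
)

# Parse the "key = value" lines that "dnscmd /ZoneInfo" prints into a hashtable,
# e.g. "        update                  = 2" -> $info['update'] = '2'
function Get-ZoneInfo([string]$Server, [string]$ZoneName) {
    $info = @{}
    & dnscmd $Server /ZoneInfo $ZoneName | ForEach-Object {
        if ($_ -match '^\s*(.+?)\s*=\s*(.+?)\s*$') { $info[$matches[1]] = $matches[2] }
    }
    return $info
}

# 1. Store the zone in AD DS, replicated to every DNS server in the domain
#    (/dp /domain = the DomainDnsZones application partition). No zone data is
#    lost: the records already in the zone file are written into the directory.
& dnscmd $Primary /ZoneResetType $Zone /DsPrimary /dp /domain
if ($LASTEXITCODE -ne 0) { throw "Zone type change failed on $Primary (exit $LASTEXITCODE)" }

# 2. Secure dynamic updates only (AllowUpdate: 0 = none, 1 = any, 2 = secure).
#    This setting only exists for AD-integrated zones, which is why the
#    conversion has to come first. Unauthenticated clients can no longer
#    register or overwrite host (A) records.
& dnscmd $Primary /Config $Zone /AllowUpdate 2
if ($LASTEXITCODE -ne 0) { throw "Could not set secure-only updates on $Zone" }

# 3. The file-backed secondary is redundant now: every DC that runs DNS loads
#    the zone from AD DS and receives changes through AD replication, which is
#    authenticated and encrypted, unlike a plain zone transfer (AXFR/IXFR).
& dnscmd $Secondary /ZoneDelete $Zone /f

# 4. Verify on the primary: "DS integrated = 1" and "update = 2"
$zi = Get-ZoneInfo -Server $Primary -ZoneName $Zone
if ($zi['DS integrated'] -ne '1') { throw "$Zone is still file-backed on $Primary" }
if ($zi['update'] -ne '2')        { throw "$Zone still accepts non-secure updates" }
Write-Host "$Zone is AD-integrated with secure-only dynamic updates on $Primary"
```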

Question No: 33 – (Topic 1)

Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.

You install Windows Server 2008 R2 on a server.

You need to add the new server as a domain controller in your domain. What should you do first?

  A. On a domain controller run adprep /rodcprep.

  B. On the new server, run dcpromo /adv.

  C. On the new server, run dcpromo /createdcaccount.

  D. On a domain controller, run adprep /forestprep.

Answer: D

Explanation:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/

DC promotion and adprep/forestprep

Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder")

A1:

You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there.

A2: to introduce the first W2K8 DC within an AD forest….

  1. No AD forest exists yet:

    -> on the stand alone server execute: DCPROMO

    -> and provide the information needed

  2. A W2K or W2K3 AD forest already exists:

    -> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)

    -> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)

    -> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)

    -> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)

    -> on the stand alone server execute: DCPROMO

    -> and provide the information needed

Question No: 34 – (Topic 1)

Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed.

You need to perform a non-authoritative restore of the domain controller using an existing backup file.

What should you do?

  A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volume

  B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volume

  C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volume

  D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume

Answer: A

Explanation:

Almost identical to B42

http://technet.microsoft.com/en-us/library/cc816627(v=ws.10).aspx Performing Nonauthoritative Restore of Active Directory Domain Services

A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.

Nonauthoritative Restore Requirements

You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.

On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode.

You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.

To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:

System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.

Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.

Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup.

Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
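The system state restore described above, as an added PowerShell example (not from the exam dump or from Microsoft's documentation): it checks that the DC really is in DSRM rather than Safe Mode, picks the newest system state backup, and restores it nonauthoritatively. The backup target volume E: is an assumption, and the "Version identifier:" line format it parses from wbadmin get versions output is assumed from that tool's output.

```powershell
# Added example: nonauthoritative restore of AD DS from a system state backup
# on a Windows Server 2008 domain controller. Run from an elevated prompt
# after booting into Directory Services Restore Mode (DSRM).
param([string]$BackupTarget = "E:")   # assumed backup target volume

# A nonauthoritative restore must run in DSRM, not in Safe Mode and not in a
# normal boot with the AD DS service merely stopped. The current boot entry
# shows "safeboot DsRepair" in DSRM ("safeboot Minimal" would be Safe Mode).
$boot = & bcdedit /enum '{current}'
if (-not ($boot -match 'safeboot\s+DsRepair')) {
    throw "Not in DSRM. Run 'bcdedit /set safeboot dsrepair' and reboot first."
}

# List the backups on the target; wbadmin prints one
# "Version identifier: MM/DD/YYYY-HH:MM" line per backup, oldest first (assumed).
$versions = @(& wbadmin get versions "-backupTarget:$BackupTarget" | ForEach-Object {
    if ($_ -match 'Version identifier:\s*(\S+)') { $matches[1] }
})
if ($versions.Count -eq 0) { throw "No backups found on $BackupTarget" }
$latest = $versions[$versions.Count - 1]

# Nonauthoritative: deliberately NO -authsysvol switch. After the reboot the
# DC replicates in everything that changed since the backup was taken.
# Adding -authsysvol would make this DC's SYSVOL copy win over its partners.
& wbadmin start systemstaterecovery "-version:$latest" "-backupTarget:$BackupTarget" -quiet
if ($LASTEXITCODE -ne 0) { throw "System state recovery failed (exit $LASTEXITCODE)" }

# Clear the DSRM boot flag so the next boot is a normal start and replication resumes.
& bcdedit /deletevalue '{current}' safeboot
Write-Host "Restored $latest. Reboot, then confirm inbound replication with: repadmin /showrepl"
```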

Question No: 35 – (Topic 1)

Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Run the adprep /domainprep command.

  B. Raise the forest functional level to Windows Server 2008.

  C. Raise the domain functional level to Windows Server 2008.

  D. Run the adprep /forestprep command.

Answer: A,D

Explanation:

http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm Prepare your Domain for the Windows Server 2008 R2 Domain Controller

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP.

ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.

Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.

What does ADPREP do?

ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:

Updating the Active Directory schema

Updating security descriptors

Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder

Creating new objects, as needed

Creating new containers, as needed

To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:

Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring it as a regular member server, none of the following tasks are required.

Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).

First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.

You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?). Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.

Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website.

If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor).

Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.

Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).


To perform this procedure, you must use an account that has membership in all of the following groups:

Enterprise Admins

Schema Admins

Domain Admins for the domain that contains the schema master

Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...

Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.

In the Command Prompt window, type the following command: adprep /forestprep


You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.


ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.

When completed, you will receive a success message.


Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:

Adprep cannot run on this platform because it is not an Active Directory Domain Controller. [Status/Consequence]

Adprep stopped without making any changes. [User Action]

Run Adprep on a Active Directory Domain Controller.

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

In the Command Prompt window, type the following command: adprep /domainprep

The process will take less than a second.


ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error:

Adprep detected that the domain is not in native mode [Status/Consequence]

Adprep has stopped without making changes. [User Action]

Configure the domain to run in native mode and re-run domainprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.

If you're running a Windows 2000 Active Directory domain, you must also run the following command: adprep /domainprep /gpprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planning to run Read Only Domain Controllers (RODCs), you must also type the following command: adprep /rodcprep

If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2.

The process will complete in less than a second.


Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

To verify that adprep /forestprep completed successfully please perform these steps:

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates.

7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.


8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.


9. Click ADSI Edit, click Action, and then click Connect to.

10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.

11. Double-click Schema.

12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.


13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.

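The ADSIEdit verification steps above, as an added PowerShell example (not from the exam dump or from the petri.co.il article): it reads the same two markers that adprep /forestprep for Windows Server 2008 R2 leaves in the directory (Revision on CN=ActiveDirectoryUpdate,CN=ForestUpdates in the Configuration partition, objectVersion on the Schema container) through the [ADSI] accelerator available in Windows PowerShell 2.0, so it runs on a Server 2008 R2 DC or any domain-joined machine as an ordinary domain user. The function name and the "at least" comparison are this example's own choices.

```powershell
# Added example: check whether adprep /forestprep for Windows Server 2008 R2
# has completed and replicated to the DC this machine talks to.
function Test-ForestPrep {
    param(
        [int]$ExpectedRevision      = 5,    # Revision on CN=ActiveDirectoryUpdate,CN=ForestUpdates
        [int]$ExpectedSchemaVersion = 47    # objectVersion on CN=Schema
    )
    # RootDSE tells us where the Configuration and Schema naming contexts live,
    # so the forest root DN does not have to be hard-coded.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value

    # Steps 4-8 of the ADSIEdit procedure: the Revision attribute.
    $forestUpdate = [ADSI]"LDAP://CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"
    $revision     = [int]$forestUpdate.revision.Value

    # Steps 9-13 of the ADSIEdit procedure: objectVersion on the schema container.
    $schema        = [ADSI]"LDAP://$schemaNc"
    $schemaVersion = [int]$schema.objectVersion.Value

    # "-ge" rather than "-eq": a forest already prepared for a later release
    # carries higher values and is still prepared for Server 2008 R2.
    New-Object PSObject -Property @{
        ForestRevision = $revision
        SchemaVersion  = $schemaVersion
        ForestPrepDone = ($revision -ge $ExpectedRevision) -and ($schemaVersion -ge $ExpectedSchemaVersion)
    }
}

$r = Test-ForestPrep
if ($r.ForestPrepDone) {
    Write-Host "adprep /forestprep for Server 2008 R2 is complete (Revision=$($r.ForestRevision), objectVersion=$($r.SchemaVersion))"
} else {
    # Either forestprep has not run yet or it has not replicated to this DC.
    Write-Host "Forest not prepared: Revision=$($r.ForestRevision) (need 5), objectVersion=$($r.SchemaVersion) (need 47). Wait for replication or run adprep /forestprep on the schema master."
}
```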

Question No: 36 – (Topic 1)

Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role.

DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role.

You need to ensure that DC2 holds the Schema Master role. What should you do?

  A. Configure DC2 as a bridgehead server.

  B. On DC2, seize the Schema Master role.

  C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in.

  D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.

Answer: B

Explanation:

Answer: On DC2, seize the Schema Master role.

http://technet.microsoft.com/en-us/library/cc816645(v=ws.10).aspx Transfer the Schema Master

You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.

Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe.

Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.

http://technet.microsoft.com/en-us/library/cc794853(v=ws.10).aspx Seize the AD LDS Schema Master Role (this is the AD LDS version of the article; the seize procedure and the caution below apply equally to the AD DS schema master)

The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the AD LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set.

Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.

Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.
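The seize described above, carried out from PowerShell on the surviving DC. This is an added example and not part of the exam dump or the TechNet articles it quotes. DC1 and DC2 are the names from the question; the site name and domain DN in the ntdsutil comment are assumed placeholders. The cmdlet is in the Active Directory module that ships with Windows Server 2008 R2, and the account running it must be a member of Schema Admins, since Domain Admins alone cannot move the forest-wide roles.

```powershell
# Added example, not from the exam dump or TechNet: seize the Schema Master
# onto DC2 after DC1 has failed, then verify. DC1/DC2 come from the question;
# the site name and domain DN in the ntdsutil comment are assumed.
Import-Module ActiveDirectory

$Survivor = 'DC2'

# 1. Make sure the current holder is really gone. Seizing while the old holder
#    is only rebooting leaves two DCs that each believe they own the schema,
#    and schema changes made on both cannot be reconciled afterwards.
$forest    = Get-ADForest
$oldHolder = ($forest.SchemaMaster -split '\.')[0]
Write-Host "Schema Master is currently $($forest.SchemaMaster)"
if (Test-Connection -ComputerName $oldHolder -Count 2 -Quiet) {
    throw "$oldHolder still responds: transfer the role instead of seizing it."
}

# 2. With -Force the cmdlet first attempts a normal transfer and seizes only
#    if the transfer fails, which is exactly the order TechNet recommends.
Move-ADDirectoryServerOperationMasterRole -Identity $Survivor `
    -OperationMasterRole SchemaMaster -Force -Confirm:$false

# 3. Confirm with a second tool, and push the new fSMORoleOwner value to every
#    DC before anyone touches the schema.
netdom query fsmo
repadmin /syncall /AeP $Survivor

# 4. Remove the dead DC's metadata so it can never be restored from backup into
#    this forest. Deleting the server object in AD Sites and Services does the
#    same cleanup on Windows Server 2008 and later. Assumed site/domain DN:
#    ntdsutil "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com" quit quit
```

Step 4 is what makes the caution above safe in practice: after a seize, the old holder must not return to the network, and the metadata cleanup ensures that a restored DC1 is treated as a stranger rather than as the schema master.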

Question No: 37 – (Topic 1)

You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers.

The domain contains one Active Directory-integrated DNS zone.

You need to ensure that outdated DNS records are automatically removed from the DNS zone.

What should you do?

  1. From the properties of the zone, modify the TTL of the SOA record.

  2. From the properties of the zone, enable scavenging.

  3. From the command prompt, run ipconfig /flushdns.

  4. From the properties of the zone, disable dynamic updates.

Answer: B Explanation:

http://technet.microsoft.com/en-us/library/cc753217.aspx Set Aging and Scavenging Properties for the DNS Server

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server.

Further information:

http://technet.microsoft.com/en-us/library/cc771677.aspx Understanding Aging and Scavenging
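The zone and server settings the answer refers to, applied with dnscmd, which ships with Windows Server 2008. This is an added example, not part of the exam dump or the TechNet pages; the zone name, server name and 7-day intervals are assumed values. Two points the question does not spell out: scavenging removes nothing until aging is enabled on the zone and scavenging is enabled on the server, and because every DC hosts a writable copy of an AD-integrated zone, scavenging of a given zone should be restricted to one server.

```powershell
# Added example, not from the exam dump or TechNet: enable aging on an
# AD-integrated zone and scavenging on exactly one DNS server with dnscmd.
# Zone name, server name and the 7-day intervals are assumed values.
$Zone         = 'contoso.com'
$ScavengeHost = 'DC1.contoso.com'   # the only server that should scavenge this zone
$Hours        = 168                 # 7 days: the default No-refresh and Refresh windows

# Zone-level aging. A dynamic record carries a timestamp; it cannot be
# refreshed during the No-refresh window, may be refreshed during the Refresh
# window, and becomes eligible for deletion only after both have elapsed with
# no update. Keep Refresh longer than the clients' re-registration interval
# (24 h for Windows clients) or healthy hosts get scavenged.
dnscmd $ScavengeHost /Config $Zone /Aging 1
dnscmd $ScavengeHost /Config $Zone /NoRefreshInterval $Hours
dnscmd $ScavengeHost /Config $Zone /RefreshInterval $Hours

# Limit scavenging of this zone to one server so that several DCs do not
# delete records in parallel.
$ip = [System.Net.Dns]::GetHostAddresses($ScavengeHost) |
      Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
dnscmd $ScavengeHost /ZoneResetScavengeServers $Zone $ip.IPAddressToString

# Server-level scavenging interval. Nothing is deleted until BOTH the zone
# setting above and this server setting are enabled.
dnscmd $ScavengeHost /Config /ScavengingInterval $Hours

# Verify, then list A records: entries shown with an [Aging:...] timestamp are
# dynamic and scavengable; static records have no timestamp and are never
# removed automatically, so stale static entries still need manual cleanup.
dnscmd $ScavengeHost /ZoneInfo $Zone
dnscmd $ScavengeHost /Info ScavengingInterval
dnscmd $ScavengeHost /EnumRecords $Zone '@' /Type A
```

Before the first scavenging run, compare the /EnumRecords output against known-good hosts; a record whose Refresh window is shorter than the DHCP lease or the client registration cadence will be deleted while the host is still alive, which is the usual way a scavenging rollout causes an outage.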

Question No: 38 – (Topic 1)

Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.

You need to implement key archival. What should you do?

  1. Configure the certificate for automatic enrollment for the computers that store encrypted files.

  2. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.

  3. Apply the Hisecdc security template to the domain controllers.

  4. Archive the private key on the server.

    Answer: D Explanation:

    Archive the private key on the server.

    http://technet.microsoft.com/en-us/library/cc753011.aspx Enable Key Archival for a CA

    Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA).

    You must be a CA administrator to complete this procedure. To enable key archival for a CA:

    1. Open the Certification Authority snap-in.

    2. In the console tree, click the name of the CA.

    3. On the Action menu, click Properties.

    4. Click the Recovery Agents tab, and then click Archive the key.

    5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key.

      The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.

    6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.

    7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.

    8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.

      Further information:

      http://technet.microsoft.com/en-us/library/ee449489(v=ws.10).aspx Key Archival and Management in Windows Server 2008

      http://technet.microsoft.com/en-us/library/cc730721.aspx Managing Key Archival and Recovery
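The procedure above turns on archival at the CA; the two things a practitioner also needs are a way to confirm archival is actually in force and the recovery path that makes the archived key useful. The following is an added example, not part of the exam dump or the TechNet pages. The CA configuration string, template name and certificate serial number are assumed placeholders; the certutil verbs (-getreg, -getkey, -recoverkey, -dump) and the CA\KRACertCount and CA\KRAFlags registry values are real. Recovery has to run on a machine that holds the KRA's private key, which should be kept off the CA itself.

```powershell
# Added example, not from the exam dump or TechNet: confirm that key archival
# is in force on the CA, prove that the template archives keys, then recover a
# key. CA config string, template name and serial number are assumed.
Import-Module ActiveDirectory

$CAConfig = 'CA01.contoso.com\Contoso Issuing CA'
$Template = 'ContosoEFSUser'        # template with "Archive subject's encryption private key" set
$Serial   = '1a2b3c4d000000000005'  # serial of the certificate whose key must be recovered

# 1. KRA state on the CA. KRACertCount must be at least 1 and the CA must have
#    been restarted after the change; until then every request against an
#    archival template is rejected because the CA has no KRA to encrypt for.
certutil -config $CAConfig -getreg CA\KRACertCount
certutil -config $CAConfig -getreg CA\KRAFlags

# 2. The CA archives only for templates that require it. Bit 0x1 of
#    msPKI-Private-Key-Flag is CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$tmpl  = Get-ADObject -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Template))" `
           -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC" `
           -Properties 'msPKI-Private-Key-Flag'
$archives = ($tmpl.'msPKI-Private-Key-Flag' -band 0x1) -ne 0
Write-Host "$Template archives private keys: $archives"
if (-not $archives) { throw "Enable key archival on the template before issuing from it." }

# 3. Recovery, run where the KRA private key is available. -getkey pulls the
#    KRA-encrypted blob out of the CA database; -recoverkey decrypts it with
#    the KRA key and writes a password-protected PFX (it prompts for the password).
$blob = Join-Path $env:TEMP "$Serial.blob"
$pfx  = Join-Path $env:TEMP "$Serial.pfx"
certutil -config $CAConfig -getkey $Serial $blob
certutil -recoverkey $blob $pfx

# 4. Confirm the PFX carries a private key, then delete the blob: it is the
#    user's key encrypted to the KRA and as sensitive as the PFX itself.
certutil -dump $pfx
Remove-Item $blob -Force
```

If step 1 reports KRACertCount of 0 after the Recovery Agents tab was configured, the CA service was not restarted; the "Not loaded" status in step 7 of the procedure above becomes "Valid" only after that restart.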

      Question No: 39 – (Topic 1)

      Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.

      You need to create multiple password policies for users in your domain. What should you do?

      1. From the Group Policy Management snap-in, create multiple Group Policy objects.

      2. From the Schema snap-in, create multiple class schema objects.

      3. From the ADSI Edit snap-in, create multiple Password Setting objects.

      4. From the Security Configuration Wizard, create multiple security policies.

Answer: C Explanation:

From the ADSI Edit snap-in, create multiple Password Setting objects.

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema: Password Settings Container and Password Settings. The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.

Steps to configure fine-grained password and account lockout policies

When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps:

Step 1: Create a PSO

Step 2: Apply PSOs to Users and Global Security Groups

Step 3: Manage a PSO

Step 4: View a Resultant PSO for a User or a Global Security Group

http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx Step 1: Create a PSO

You can create Password Settings objects (PSOs):

Creating a PSO using the Active Directory module for Windows PowerShell

Creating a PSO using ADSI Edit

Creating a PSO using ldifde
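The four steps above carried out with the Active Directory module for Windows PowerShell, the first of the three creation methods listed. This is an added example and not part of the exam dump or the step-by-step guide; the policy names, group names and values are assumed. It goes slightly beyond the question by creating two PSOs so the precedence rule is visible: when a user is covered by more than one PSO, the one with the lower Precedence value wins, and a PSO linked directly to the user beats any PSO linked through group membership. PSOs can be applied only to users and global security groups, and the domain functional level must be at least Windows Server 2008.

```powershell
# Added example, not from the exam dump: two fine-grained password policies,
# one strict policy for administrators and one long-password, no-lockout
# policy for service accounts, then the resultant policy for one user.
# Policy names, group names and values are assumed.
Import-Module ActiveDirectory

# Lower Precedence wins when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Service accounts: long random password, no lockout (a lockout here is a
# denial of service against the application that uses the account).
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 25 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 0 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Subjects must be users or GLOBAL security groups. 'Domain Admins' is a
# global group; 'SvcAccounts' is an assumed global group of service accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SvcAccounts'

# Step 4: the resultant PSO for a user. No output means no PSO applies and the
# Default Domain Policy is in force for that user.
Get-ADUserResultantPasswordPolicy -Identity 'SQLSrv' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# The two PSOs as stored under CN=Password Settings Container,CN=System.
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo
```

Note that the Default Domain Policy still applies to every user not covered by a PSO, and to computer accounts regardless; PSOs refine the domain policy for people and service accounts, they do not replace it.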

Question No: 40 – (Topic 1)

The default domain GPO in your company is configured by using the following account policy settings:

->Minimum password length: 8 characters

->Maximum password age: 30 days

->Enforce password history: 12 passwords remembered

->Account lockout threshold: 3 invalid logon attempts

->Account lockout duration: 30 minutes

You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights.

The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out.

You need to resolve the server failure and prevent recurrence of the failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  1. Reset the password of the SQLSrv user account.

  2. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user account.

  3. Configure the properties of the SQLSrv account to Password never expires.

  4. Configure the properties of the SQLSrv account to User cannot change password.

  5. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon locally user right.

Answer: A,C Explanation: Personal comment:

Maximum password age: 30 days

The most probable cause is that the SQLSrv password expired under the 30-day maximum password age. A service that is already running is not affected when its account's password expires, which is why Server1 worked for several weeks; the failure appears when the service next has to log on with the stored, now-expired password. The account is not locked out, so the lockout settings play no part, and the service evidently already held the Log on as a service right, so options B and E do not address the cause. Reset the password, update the stored credential in the service configuration, and set the account to Password never expires so the domain policy cannot expire it again.
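The check and the fix from the answer, as an added example that is not part of the exam dump. It first lists the domain accounts that services on Server1 log on with and when each password expires under the policy actually in force, then applies the two answer actions for SQLSrv and updates the credential the Service Control Manager has stored, because resetting the password in AD alone guarantees the next service start fails. Server1 and SQLSrv are from the question; the domain NetBIOS name and the service name MSSQLSERVER are assumed.

```powershell
# Added example, not from the exam dump: audit service accounts on Server1 for
# password expiry, then reset SQLSrv's password, mark it never-expiring, and
# push the new password into the service's stored credential. Server1 and
# SQLSrv come from the question; NetBIOS name and service name are assumed.
Import-Module ActiveDirectory

$Server  = 'Server1'
$NetBIOS = (Get-ADDomain).NetBIOSName    # e.g. CONTOSO (assumed)

# 1. Which domain accounts do services on Server1 run as, and when do their
#    passwords expire? msDS-UserPasswordExpiryTimeComputed is a FILETIME that
#    already reflects any fine-grained policy, not only the Default Domain Policy.
$services = Get-WmiObject -Class Win32_Service -ComputerName $Server |
    Where-Object { $_.StartName -like "$NetBIOS\*" }

foreach ($svc in $services) {
    $sam  = $svc.StartName.Split('\')[1]
    $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, PasswordLastSet,
                                                  'msDS-UserPasswordExpiryTimeComputed'
    if ($user.PasswordNeverExpires) {
        $expires = 'never'
    } else {
        $expires = [DateTime]::FromFileTime($user.'msDS-UserPasswordExpiryTimeComputed')
    }
    '{0,-20} {1,-15} last set {2:d}  expires {3}' -f $svc.Name, $sam, $user.PasswordLastSet, $expires
}

# 2. Remediation for the account in the question (answer options A and C).
$account = 'SQLSrv'
$newPwd  = Read-Host -AsSecureString "New password for $NetBIOS\$account"
Set-ADAccountPassword -Identity $account -Reset -NewPassword $newPwd
Set-ADUser -Identity $account -PasswordNeverExpires $true

# 3. Update the credential stored by the Service Control Manager on Server1.
#    Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl,
#                         StartMode, DesktopInteract, StartName, StartPassword, ...)
#    The plaintext copy is unavoidable here; keep its lifetime short.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
             [Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPwd))
$sql = Get-WmiObject -Class Win32_Service -ComputerName $Server -Filter "Name='MSSQLSERVER'"
$rc  = $sql.Change($null, $null, $null, $null, $null, $null, "$NetBIOS\$account", $plain)
$plain = $null
if ($rc.ReturnValue -ne 0) { throw "Service credential update failed, return code $($rc.ReturnValue)" }

# 4. Restart the service so the new credential is used now rather than at the
#    next unplanned restart.
[void]$sql.StopService(); Start-Sleep -Seconds 5; [void]$sql.StartService()
```

Password never expires removes the expiry-driven outage but also removes the forced rotation, so the compensating control is a long random password (the PSO-based minimum length is one way to enforce it) and a scheduled rotation that performs steps 2 and 3 together.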

