[Free] 2018(Aug) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 191-200


Windows Server 2008 Active Directory, Configuring

Question No: 191 – (Topic 2)

You have installed the Active Directory Federation Services (AD FS) role on a Windows Server 2008 server in your organization.

Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and Federation server is operational.

What should you do? (Select all that apply)

  A. Go to the Services tab, and check if Active Directory Federation Services is running

  B. In the event viewer, Applications, Event ID column look for event ID 674.

  C. Open a browser window, and then type the Federation Service URL for the new federation server.

  D. None of the above

    Answer: B,C

    Reference:

    http://technet.microsoft.com/en-us/library/cc734875.aspx Verify

    Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service.

    To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

    1. Log on to a client computer with Internet access.

    2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.

    3. Press ENTER.

      Note: At this point your browser should display the error Server Error in '/adfs' Application. This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).

    4. Log on to the federation server proxy.

    5. Click Start, point to Administrative Tools, and then click Event Viewer.

    6. In the details pane, double-click Application.

    7. In the Event column, look for event ID 674.

      Question No: 192 – (Topic 2)

      Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain.

      You need to configure DNS to allow only secure dynamic updates. What should you do first?

      A. On DC1 and DC2, configure a trust anchor.

      B. On DC1 and DC2, configure a connection security rule.

      C. On DC1, configure the zone transfer settings.

      D. On DC1, configure the zone to be stored in Active Directory.

        Answer: D

        Explanation:

        http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/

        Configuring DNS Server for Secure Only Dynamic Updates

        About Dynamic Updates

        During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation process automatically installs the DNS server on the computer, in case it does not already exist in the network.

        After the successful installation of Active Directory Domain Services, the DNS server is by default configured to automatically update the records of only the domain client computers as soon as it receives the registration request from them. This automatic update of DNS records in the DNS database is technically known as ‘Dynamic Updates’.

        Types of DNS Updates

        The dynamic updates that the DNS server in Windows Server 2008 R2 supports include:

        Nonsecure and Secure – When this type of dynamic update is selected, any computer can send a registration request to the DNS server. The DNS server in return automatically adds the record of the requesting computer to the DNS database, even if the computer does not belong to the same DNS domain.

        Although this configuration remarkably reduces administrative overhead, this setting is not recommended for the organizations that have highly sensitive information available in the computers.

        Secure only – When this type of dynamic update is selected, only the computers that are members of the DNS domain can register themselves with the DNS server. The DNS server automatically rejects the requests from the computers that do not belong to the domain. This protects the DNS server from getting automatically populated with records of unwanted, suspicious and/or fake computers.

        None – When this option is selected, the DNS server does not accept any registration request from any computers whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database.

        In most production environments, systems administrators configure Secure Only dynamic updates for DNS.

        This remarkably reduces the security risks by allowing only the authentic domain client computers to register themselves with the DNS server automatically, and decreases the administrative overhead at the same time.

        However in some scenarios, administrators choose to have non-Active Directory integrated zone to stay compliant with the policies of the organization. This configuration is not at all recommended because it does not allow administrators to configure DNS server for Secure only updates, and it does not allow the DNS database to get replicated automatically to the other DNS servers along with the Active Directory replication process. When DNS zone is not Active Directory integrated, DNS database replication process must be performed manually by the administrators.

        Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server

        To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps given below:

        1. Log on to Windows Server 2008 R2 DNS server computer with the domain admin or enterprise admin account on which ‘Secure only’ dynamic updates are to be configured.

        2. On the desktop screen, click Start.

        3. From the Start menu, go to Administrative Tools > DNS.

        4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name.

        5. From the expanded list, double-click Forward Lookup Zones.

        6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be configured.

        7. From the displayed context menu, click Properties.


        8. On the zone’s properties box, make sure that the General tab is selected.

        9. On the selected tab, choose Secure only option from the Dynamic updates drop-down list.

          Note: Secure only option is available only if the DNS zone is Active Directory integrated.

          [Figure: Secure Only Dynamic Update]

        10. Click OK to apply the modified changes.

        11. Close DNS Manager snap-in when done.
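The same change expressed with dnscmd, added here as an example; it is not code from the dump or the quoted tutorial. The server names DC1 and DC2 and the zone name contoso.com are assumptions taken from the question.

```powershell
# Added example (not from the dump or the quoted tutorial): move the standard primary
# zone on DC1 into AD DS, then restrict dynamic updates to "Secure only".
# Assumed names: DC1 (primary), DC2 (old secondary), zone contoso.com.
$Server = "DC1"
$Zone   = "contoso.com"

# Before: a file-backed primary zone only offers "None" (0) or "Nonsecure and secure" (1).
# "update = 1" in this output is the weak setting the question wants replaced.
dnscmd $Server /ZoneInfo $Zone | Select-String "update|integrated"

# Step 1 (what must happen first): store the zone in AD DS. /DsPrimary converts the
# zone in place, moving its data from the .dns file into the DomainDnsZones partition.
dnscmd $Server /ZoneResetType $Zone /DsPrimary

# Step 2: now that the zone is AD-integrated, "Secure only" (2) is accepted.
# 0 = None, 1 = Nonsecure and secure, 2 = Secure only
dnscmd $Server /Config $Zone /AllowUpdate 2

# Verify: expect "update = 2" and "DS integrated = 1".
dnscmd $Server /ZoneInfo $Zone | Select-String "update|integrated"

# DC2 is a domain controller, so it now receives the zone through AD replication.
# Its old file-backed secondary copy is no longer needed and is removed so the two
# copies of the zone do not conflict.
dnscmd DC2 /ZoneDelete $Zone /f
```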

Question No: 193 – (Topic 2)

Your network contains an Active Directory domain named contoso.com.

You run nslookup.exe as shown in the following Command Prompt window.

[Command Prompt window showing the nslookup output (image not available)]

You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com.

What should you modify?

  A. the root hints of the DNS server

  B. the security settings of the zone

  C. the Windows Firewall settings on the DNS server

  D. the zone transfer settings of the zone

Answer: D

Explanation:

http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm

11.7 Troubleshooting nslookup Problems

11.7.4 Query Refused

Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here's what it looks like when nslookup exits on startup because of a refused query:

% nslookup

*** Can't find server name for address 192.249.249.3: Query refused

*** Default servers are not available

%

This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup.

Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see:

% nslookup

Default Server: hp.com
Address: 15.255.152.4

> server terminator.movie.edu

Default Server: terminator.movie.edu
Address: 192.249.249.3

> carrie.movie.edu.

Server: terminator.movie.edu
Address: 192.249.249.3

*** terminator.movie.edu can't find carrie.movie.edu.: Query refused

> ls movie.edu – This attempts a zone transfer
[terminator.movie.edu]

*** Can't list domain movie.edu: Query refused

Question No: 194 – (Topic 2)

You need to force a domain controller to register all service location (SRV) resource records in DNS.

Which command should you run?

  A. ipconfig.exe /registerdns

  B. net.exe stop dnscache & net.exe start dnscache

  C. net.exe stop netlogon & net.exe start netlogon

  D. regsvr32.exe dnsrslvr.dll

Answer: C

Explanation:

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

Question No: 195 – (Topic 2)

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1.

You need to log changes made to the Description attribute on all group objects in OU1 only.

What should you do?

  A. Run auditpol.exe.

  B. Modify the auditing entry for OU1.

  C. Modify the auditing entry for the domain.

  D. Create a new Group Policy Object (GPO). Enable the Audit account management policy setting. Link the GPO to OU1.

Answer: B

Explanation:

http://ithompson.wordpress.com/tag/organizational-unit-move/

Do you need to track who/where/when for activities done against the OU's in your AD? With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566).

With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart).

I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information). So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies. The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level. Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers, the other systems in your environment will be a different discussion.

So where do we start so that we can answer our question at the top of this discussion? First, turn on the correct auditing. Open up Group Policy Management Editor and drill down as seen in Fig 1.

[Fig 1 (image not available)]

For this discussion we are focusing on DS Access and its subcategories. We only want to turn on Audit Directory Service Changes, see Fig 2. This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.

[Fig 2 (image not available)]

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit.

This next step is done via Active Directory Users and Computers. Open up the properties of your AD and drill down to set up the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

[Fig 3 (image not available)]

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

[Fig 4 (image not available)]

Now that our auditing is setup what type of events can we expect to see? Here are a few examples:

In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

[Fig 5 (image not available)]

Figure 6 shows a Sub OU being created.

[Fig 6 (image not available)]

Figure 7 shows id 5139, an OU being moved.

[Fig 7 (image not available)]

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136. Figure 8 shows the first part of the rename process.

[Fig 8 (image not available)]

Figure 9 shows the second part of the rename process.

[Fig 9 (image not available)]

Now let’s contrast all of this with an event that is part of the good old standard auditing. Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand. Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.

[Fig 10 (image not available)]

With standard auditing some of the other items that we looked at would be next to impossible with auditing, such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you did get an event.

Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.
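What the answer's "auditing entry for OU1" looks like when scripted rather than clicked through in the Properties tab, added here as an example; it is not code from the dump or the quoted blog. The OU's distinguished name is assumed, the script runs on a domain controller with the ActiveDirectory module, and the "Audit Directory Service Changes" subcategory is assumed to be enabled already (step 1 in the blog).

```powershell
# Added example (not from the dump or the quoted blog): add a SACL entry on OU1 that
# audits successful writes to the Description attribute of the group objects beneath it.
Import-Module ActiveDirectory

$OuPath = "AD:\OU=OU1,DC=contoso,DC=com"     # assumed distinguished name of OU1
$schema = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUIDs at run time instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    New-Object Guid (,$obj.schemaIDGUID)
}
$descriptionGuid = Get-SchemaGuid "description"   # the one attribute to watch
$groupClassGuid  = Get-SchemaGuid "group"         # restrict the entry to group objects

# Everyone, WriteProperty on that single attribute, Success only, applied to
# descendant objects of class "group" (so user or computer objects are not audited).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]"Everyone",
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $descriptionGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

# -Audit is required to read (and later write back) the SACL rather than only the DACL.
$acl = Get-Acl -Path $OuPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $OuPath -AclObject $acl

# Verify: an explicit entry whose ObjectType is the description attribute should now exist.
(Get-Acl -Path $OuPath -Audit).GetAuditRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $descriptionGuid }
```

Once the entry is in place, a change to a group's Description under OU1 produces the 5136 events shown in the blog, while the same change on a group elsewhere in the domain does not.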

Question No: 196 – (Topic 2)

You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:

->Enterprise root certification authority (CA)

->Certificate Enrollment Web Service

->Certificate Enrollment Policy Web Service

You create a new certificate template.

External users report that the new template is unavailable when they request a new certificate.

You verify that all other templates are available to the external users.

You need to ensure that the external users can request certificates by using the new template.

What should you do on Server1?

  A. Run iisreset.exe /restart.

  B. Run gpupdate.exe /force.

  C. Run certutil.exe dspublish.

  D. Restart the Active Directory Certificate Services service.

Answer: A

Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx

Certificate Enrollment Web Services in Active Directory Certificate Services

Troubleshooting

Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates

Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset.

Question No: 197 – (Topic 2)

Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed.

Server1 has an AD LDS instance.

You need to ensure that you can replicate the instance from Server1 to Server2. What should you do on both servers?

  A. Obtain a server certificate.

  B. Import the MS-User.ldf file.

  C. Create a service user account for AD LDS.

  D. Register the service location (SRV) resource records.

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc794857(v=ws.10).aspx Administering AD LDS Instances

Each AD LDS instance runs as an independent, and separately administered, service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually.

AD LDS service account

The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.

Question No: 198 HOTSPOT – (Topic 2)

Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers.

The domain controllers are configured as shown in the following table.

[Table: domain controller configuration (image not available)]

The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.

You need to configure DC2 as a global catalog server.

Which object's properties should you modify? To answer, select the appropriate object in the answer area.

[Answer area (image not available)]

Answer:

[Answer image (not available)]

Question No: 199 – (Topic 2)

There are 100 servers and 2000 computers present at your company's headquarters.

The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service.

The nodes are named as CKMFON1 and CKMFON2.

The cluster on CKMFO has one physical shared disk of 400 GB capacity. A 200GB single volume is configured on the shared disk.

Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1. The DHCP and WINS services will be hosted on other nodes.

Using the High Availability Wizard, you begin creating the WINS service group on the cluster from the CKMFON1 node.

The wizard shows an error "no disks are available" during configuration.

Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1?

  A. Back up all data on the single volume on CKMFON1 and configure the disk with a GUID partition table and create two volumes. Restore the backed-up data on one of the volumes and use the other for the WINS service group

  B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.

  C. Add new physical shared disks to CKMFON1 and CKMFON2. Configure the volumes on these disks and direct CKMFON1 to use the CKMFON2 volume for the WINS service group

  D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard

  E. None of the above

Answer: B

Explanation:

http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-tosuccessfully-add-the-wins-service-group-to-ckmfon1/

To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it.

Use this volume to fix the error in the wizard.

This is because a cluster does not use shared storage.

A cluster must use a hardware solution based either on shared storage or on replication between nodes.

Question No: 200 – (Topic 2)

Your network contains an Active Directory forest. The forest contains one domain and three sites. Each site contains two domain controllers. All domain controllers are DNS servers.

You create a new Active Directory-integrated zone.

You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.

What should you do first?

  A. Modify the NTDS Site Settings object for the site.

  B. Modify the replication settings of the default site link.

  C. Create an Active Directory connection object.

  D. Create an Active Directory application directory partition.

    Answer: D

    Explanation:

    Practically the same question as A/Q50 and K/Q17, different set of answers.

    To control which servers get a copy of the zone we have to store the zone in an application directory partition.

    That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil.

    Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com.

    Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.

    [Screenshot of the dnscmd and ntdsutil session (image not available)]

    Reference 1:

    http://technet.microsoft.com/en-us/library/cc725739.aspx Store Data in an AD DS Application Partition

    You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.

    Reference 2:

    http://technet.microsoft.com/en-us/library/cc730970.aspx Partition management

    Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).

    This is a subcommand of Ntdsutil and Dsmgmt.

    Examples

    To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:

    1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    2. Type: ntdsutil

    3. Type: Ac in ntds

    4. Type: partition management

    5. Type: connections

    6. Type: Connect to server DC_Name

    7. Type: quit

    8. Type: list

      The following partitions will be listed:

      0 CN=Configuration, DC=Contoso, DC=com
      1 DC=Contoso, DC=com
      2 CN=Schema, CN=Configuration, DC=Contoso, DC=com
      3 DC=DomainDnsZones, DC=Contoso, DC=com
      4 DC=ForestDnsZones, DC=Contoso, DC=com

    9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com

    10. Run the list command again to refresh the list of partitions.
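The same outcome driven from dnscmd instead of the quoted ntdsutil walkthrough, added here as an example; it is not code from the dump. dnscmd's /CreateDirectoryPartition and /EnlistDirectoryPartition are a different route to the partition than ntdsutil's create nc, and the partition, zone and domain controller names are assumptions.

```powershell
# Added example (not from the dump): scope a new AD-integrated zone to one site by
# storing it in a custom application directory partition that only that site's DCs
# are enlisted in. Assumed: DC1 and DC2 are the two DCs of the chosen site; the
# partition and zone names are made up.
$Partition = "SiteADnsZones.contoso.com"      # assumed name of the new partition
$Zone      = "research.contoso.com"           # assumed new zone
$SiteDCs   = @("DC1.contoso.com", "DC2.contoso.com")

# 1. The partition has to exist before the zone is created in it; /ZoneAdd against a
#    partition that does not exist yet fails, which is the failure described above.
#    The server that creates the partition is enlisted in it automatically
#    (Enterprise Admins membership is required).
dnscmd $SiteDCs[0] /CreateDirectoryPartition $Partition

# 2. Enlist the other DC(s) of the same site (allow AD replication time first).
#    DCs in the other two sites are never enlisted, so they never hold a replica.
foreach ($dc in ($SiteDCs | Select-Object -Skip 1)) {
    dnscmd $dc /EnlistDirectoryPartition $Partition
}

# 3. Create the zone in that partition. Without /dp the zone would land in
#    DomainDnsZones and replicate to every DNS server that is a DC in the domain.
dnscmd $SiteDCs[0] /ZoneAdd $Zone /DsPrimary /dp $Partition

# 4. Verify: the partition's replica list should contain only the site's DCs,
#    and the zone info should name the custom partition.
dnscmd $SiteDCs[0] /DirectoryPartitionInfo $Partition /Detail
dnscmd $SiteDCs[0] /ZoneInfo $Zone | Select-String "partition"
```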
