[Free] 2018(Aug) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 71-80


Windows Server 2008 Active Directory, Configuring

Question No: 71 – (Topic 1)

You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA).

You install the Online Responder role service on Server2.

You need to configure Server1 to support the Online Responder. What should you do?

  A. Import the enterprise root CA certificate.

  B. Configure the Certificate Revocation List Distribution Point extension.

  C. Configure the Authority Information Access (AIA) extension.

  D. Add the Server2 computer account to the CertPublishers group.

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc732526.aspx (Configure a CA to Support OCSP Responders)

To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.

Configuring a certification authority (CA) to support OCSP responder services includes the following steps:

1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.

2. Configure enrollment permissions for any computers that will be hosting Online Responders.

3. If this is a Windows Server 2003-based CA, enable the OCSP extension in issued certificates.

4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.

5. Enable the OCSP Response Signing certificate template for the CA.
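Steps 4 and 5 above, carried out on Server1 from an elevated PowerShell prompt, as an added example (this is not code from the exam page or from Microsoft's article). It assumes the responder on Server2 answers at the placeholder URL http://server2.contoso.com/ocsp, and it edits the CA's CACertPublicationURLs value in the registry, which is the same value that certutil -setreg CA\CACertPublicationURLs edits.

```powershell
# Added example (not from the exam page or Microsoft's article): perform steps 4 and 5
# above on Server1. Assumptions: elevated PowerShell on the CA, and the responder on
# Server2 answers at the placeholder URL below.
$OcspUrl = 'http://server2.contoso.com/ocsp'

# The CA keeps its AIA/OCSP locations in a REG_MULTI_SZ under the active CA's key;
# "certutil -setreg CA\CACertPublicationURLs" edits the same value.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName

# Each entry is "<flags>:<url>". Flag 32 = "Include in the online certificate status
# protocol (OCSP) extension"; that is the bit an Online Responder location needs.
$ocspEntry = "32:$OcspUrl"
$urls = @((Get-ItemProperty -Path $caKey -Name CACertPublicationURLs).CACertPublicationURLs)

if ($urls -contains $ocspEntry) {
    Write-Host "OCSP location already present: $OcspUrl"
} else {
    # Append, so the existing publish (flag 1) and AIA (flag 2) entries are kept.
    Set-ItemProperty -Path $caKey -Name CACertPublicationURLs -Value ($urls + $ocspEntry) -Type MultiString
    Restart-Service -Name CertSvc      # the CA reads this value only at start-up
}

# Step 5: allow the CA to issue the OCSP Response Signing template so Server2 can enrol.
# certutil is used because it is also available on Windows Server 2008 R2.
certutil -SetCATemplates +OCSPResponseSigning

# Checks: an entry flagged 32 must be listed, and the template must be in the issue list.
certutil -getreg CA\CACertPublicationURLs
certutil -CATemplates | Select-String -Pattern 'OCSPResponseSigning'
```

Only certificates issued after the service restart carry the new OCSP URL; running certutil -verify -urlfetch against such a certificate shows whether the responder on Server2 actually answers. Step 5 is useful only once step 2 (Enroll permission for Server2's computer account on the template) is in place.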

Question No: 72 – (Topic 1)

Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2.

The DNS servers are configured as shown in the following table.

[Configuration table not reproduced in this extraction.]

Domain users whose computers are configured to use DNS2 as the preferred DNS server are unable to connect to Internet Web sites.

You need to enable Internet name resolution for all client computers. What should you do?

  A. Update the list of root hints servers on DNS2.

  B. Create a copy of the .(root) zone on DNS1.

  C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.

  D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

Answer: C

Explanation:

http://support.microsoft.com/kb/298148 (How To Remove the Root Zone (Dot Zone))

When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If a root zone exists, the server regards itself as authoritative for the entire namespace: it will not look beyond the zones it hosts, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

Question No: 73 – (Topic 1)

Your company has two Active Directory forests named contoso.com and fabrikam.com.

The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table.

[Configuration table not reproduced in this extraction.]

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server.

Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.

What should you do?

  A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.

  B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.

  C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.

  D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc730756.aspx (Understanding Forwarders)

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders.

You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.

The following figure illustrates how external name queries are directed with forwarders.

[Figure not reproduced in this extraction.]

Conditional forwarders

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
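The fixes for Questions 72 and 73, scripted with dnscmd (the DNS command-line tool present on Windows Server 2008 R2), as an added example that is not code from the exam page or from the Microsoft articles it quotes. The server names and addresses are placeholders standing in for the configuration tables that did not survive extraction.

```powershell
# Added example (not from the exam page or the KB/TechNet articles): the fixes for
# Questions 72 and 73 with dnscmd. All names and addresses below are placeholders.
$Dns2   = 'DNS2'          # Q72: the server that hosts a "." (root) zone
$Dns3   = 'DNS3'          # Q73: preferred DNS server of the fabrikam.com clients
$Dns1Ip = '10.0.0.10'     # address of DNS1, which hosts contoso.com
$IspDns = '192.0.2.53'    # upstream resolver for Internet names (documentation range)

function Test-RootZone {
    # $true when the server's zone list contains a root (".") zone.
    param([string]$Server)
    $zones = dnscmd $Server /EnumZones
    return [bool]($zones | Where-Object { $_ -match '^\s*\.\s' })
}

# --- Q72: while a "." zone exists, DNS2 believes it is the root of the namespace and
# never consults root hints or forwarders. Remove it, then give it an upstream path.
if (Test-RootZone -Server $Dns2) {
    dnscmd $Dns2 /ZoneDelete . /f          # add /DsDel if the zone is AD-integrated
    dnscmd $Dns2 /ResetForwarders $IspDns  # possible only once the root zone is gone
}

# --- Q73: DNS3 is authoritative only for fabrikam.com. A conditional forwarder sends
# contoso.com queries straight to DNS1 instead of to the upstream resolver.
dnscmd $Dns3 /ZoneAdd contoso.com /Forwarder $Dns1Ip

# Checks: no "." on DNS2, a Forwarder-type contoso.com zone on DNS3, and both lookups answer.
dnscmd $Dns2 /EnumZones
dnscmd $Dns3 /EnumZones
nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com $Dns3   # contoso.com DC locator record
nslookup www.microsoft.com $Dns2                            # Internet name via DNS2
```

The SRV lookup is the useful check for Q73: it is the record a fabrikam.com client needs in order to find a contoso.com domain controller, so if DNS3 returns it the cross-forest logon path is open.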

Question No: 74 – (Topic 1)

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.

What should you do?

  A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

  B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.

  C. Enable the Audit account management policy in the Default Domain Controller Policy.

  D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx (AD DS Auditing Step-by-Step Guide)

In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.

The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory.

The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:

When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.

If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.

If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.

If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.

In Windows Server 2008, you implement the new auditing feature by using the following controls:

Global audit policy

System access control list (SACL)

Schema

Global audit policy

Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default.

You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.

Further information:

http://technet.microsoft.com/en-us/library/cc731451(v=ws.10).aspx (Auditpol)

Displays information about and performs functions to manipulate audit policies.

http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/ (AD Scenario – Auditing Directory Services)

Auditing of Directory Services depends on several controls:

1. Global Audit Policy (at category level, using the gpmc.msc tool)

2. Individual Audit Policy (at subcategory level, using the auditpol.exe tool)

3. System ACLs – to specify which operations are to be audited for a security principal.

4. Schema (optional) – an additional control in the schema that you can use to create exceptions to what is audited.

In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes. This can be done using the auditpol.exe tool.

Command to check which audit policies are active on your machine:

auditpol /get /category:*

Command to view the audit policy categories and subcategories:

[Screenshot not reproduced in this extraction.]

How to enable the global audit policy using the Windows interface (the gpmc tool)

Click Start, point to Administrative Tools, and then click Group Policy Management, or run the gpmc.msc command.

In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.


Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.


In the details pane, right-click Audit directory service access, and then click Properties. Select the Define these policy settings check box.

Under Audit these attempts, select the Success check box, and then click OK.


How to enable the change auditing policy using a command line

Click Start, right-click Command Prompt, and then click Run as administrator. Type the following command, and then press ENTER:

auditpol /set /subcategory:"directory service changes" /success:enable

To verify whether auditing is enabled for "Directory Service Changes", run the following command:

auditpol /get /category:"DS Access"

How to set up auditing in object SACLs

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.

Click the Security tab, click Advanced, and then click the Auditing tab.


Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK.


In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties. Click OK.


Click OK until you exit the property sheet for the OU or other object.

To test whether auditing is working, try creating or modifying objects in the Finance OU and check the Security event log.

I just created a new user account in Finance OU named f4.


If you check the Security event log you will find event ID 5137 (Create).

Note: Once auditing is enabled, these event IDs appear in the Security event log: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).
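The walkthrough above enables Directory Service Changes and then reads the resulting events by hand in Event Viewer. The script below, an added example that is not code from the exam page or from the servergeeks post, does the same from PowerShell and goes one step further: it pairs the 5136 events so that each attribute change is shown with its old and new value, which is the capability Question 74 asks for. It assumes an elevated PowerShell 3.0 or later session on a domain controller and the Finance OU from the walkthrough (the DN is a placeholder).

```powershell
# Added example (not from the exam page or the servergeeks post): enable the
# Directory Service Changes subcategory on a domain controller, then reconstruct
# old/new attribute values from the 5136 events it writes. Assumes an elevated
# PowerShell 3.0+ session on a DC and the Finance OU used in the walkthrough above.
auditpol /set /subcategory:"Directory Service Changes" /success:enable

$TargetOU = 'OU=Finance,DC=contoso,DC=com'    # placeholder; the OU must also carry the SACL from above

function ConvertFrom-EventData {
    # Flattens <EventData><Data Name="...">value</Data> into a hashtable keyed by Name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-DirectoryChange {
    # One LDAP modify yields two 5136 events sharing an OpCorrelationID: "Value Deleted"
    # (the old value) and "Value Added" (the new one). Pairing them gives the before/after view.
    param([string]$ObjectDnSuffix, [int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $d = ConvertFrom-EventData -Event $e
        if ($d.ObjectDN -notlike "*$ObjectDnSuffix") { continue }
        # OperationType is a resource id: %%14674 = Value Added, %%14675 = Value Deleted
        $side = if ($d.OperationType -eq '%%14675') { 'Old' } else { 'New' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Correlation = $d.OpCorrelationID
            Who         = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object      = $d.ObjectDN
            Attribute   = $d.AttributeLDAPDisplayName
            Side        = $side
            Value       = $d.AttributeValue
        }
    }

    $rows | Group-Object -Property Correlation, Attribute | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            Time      = ($g | Sort-Object Time)[0].Time
            Who       = $g[0].Who
            Object    = $g[0].Object
            Attribute = $g[0].Attribute
            OldValue  = (($g | Where-Object { $_.Side -eq 'Old' }).Value) -join ';'
            NewValue  = (($g | Where-Object { $_.Side -eq 'New' }).Value) -join ';'
        }
    }
}

Get-DirectoryChange -ObjectDnSuffix $TargetOU | Format-Table -AutoSize
```

A create (5137) also produces one 5136 "Value Added" event per populated attribute under the same correlation id, so new objects show up with an empty OldValue; moves (5139) and undeletes (5138) carry the old and new DN in their own event data rather than in 5136.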

Question No: 75 – (Topic 1)

Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account."

You need to ensure that the user is able to log on to the domain. What should you do?

  A. Modify the properties of the user account to set the account to never expire.

  B. Modify the properties of the user account to extend the Logon Hours setting.

  C. Modify the default domain policy to decrease the account lockout duration.

  D. Modify the properties of the user account to set the password to never expire.

Answer: A

Explanation:

Further information:

http://technet.microsoft.com/en-us/library/dd145547.aspx (User Properties – Account Tab)

Account expires

Sets the account expiration policy for this user. You can select between the following options:

Use Never to specify that the selected account will never expire. This option is the default for new users.

Select End of and then select a date if you want to have the user's account expire on a specified date.

Question No: 76 – (Topic 1)

Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed.

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.

What should you do?

  A. Add and configure a new account partner.

  B. Add and configure a new resource partner.

  C. Add and configure a new account store.

  D. Add and configure a Claims-aware application.

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc732095.aspx (Understanding Account Stores)

Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to communicate with account stores. AD FS supports the following two account stores:

Active Directory Domain Services (AD DS)

Active Directory Lightweight Directory Services (AD LDS)

Question No: 77 – (Topic 1)

Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long.

You need to decrease the amount of time it takes for the branch office users to log on. What should you do?

  A. Configure DC1 as a Global Catalog server.

  B. Configure DC1 as a bridgehead server for the branch office site.

  C. Decrease the replication interval on the site link that connects the branch office to the corporate network.

  D. Increase the replication interval on the site link that connects the branch office to the corporate network.

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc728188.aspx (What Is the Global Catalog?)

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.

Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.

Question No: 78 – (Topic 1)

Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives.

You need to apply desktop restrictions to the sales executives group.

You must not apply these desktop restrictions to the sales managers group.

You create a GPO named DesktopLockdown and link it to the Sales organizational unit. What should you do next?

  A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

  B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.

  C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.

  D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.

Answer: D

Explanation:

http://support.microsoft.com/kb/816100 (How to prevent domain Group Policies from applying to certain user or computer accounts)

Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups.

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/ (Best Practice: How to exclude individual users or computers from a Group Policy Object)

One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress that this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.

Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.


Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.


Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission.


Now any members of this "Users GPO Exceptions" security group will not have this Group Policy Object applied.

Having a security group to control this exception makes it much easier to control, as someone only needs to modify the group membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don't need to grant them permission to the Group Policy Objects.
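The Deny described in Step 3 above, scripted for the DesktopLockdown GPO and the sales managers group of Question 78, as an added example that is not code from the exam page or from the grouppolicy.biz article. It assumes the GroupPolicy and ActiveDirectory modules (RSAT), a session with edit rights on the GPO, and that both the GPO and the group exist with the names given in the question. The point worth knowing is why it is not a one-liner: Set-GPPermission can grant GpoApply or take it away (PermissionLevel None), but it cannot write a Deny entry, and while Authenticated Users still holds Allow Apply Group Policy the group would keep receiving the policy. The Deny has to be placed on the Apply-Group-Policy extended right of the GPO's directory object.

```powershell
# Added example (not from the exam page or grouppolicy.biz): deny "Apply Group Policy"
# on the DesktopLockdown GPO to the sales managers group, then verify.
# Assumptions: GroupPolicy + ActiveDirectory modules (RSAT) and edit rights on the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'DesktopLockdown'
$GroupName = 'sales managers'

# Well-known GUID of the Apply-Group-Policy extended right (the "Apply Group Policy"
# permission seen in the Delegation > Advanced dialog of GPMC).
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$gpo  = Get-GPO -Name $GpoName
$sid  = (Get-ADGroup -Identity $GroupName).SID
$path = "AD:\$($gpo.Path)"     # GPO container: cn={guid},cn=policies,cn=system,DC=...

$acl  = Get-Acl -Path $path
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ApplyGroupPolicyRight)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Check 1: the group's entry on the GPO now reports GpoApply with Denied = True.
Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group

# Check 2 (run in a sales manager's session): DesktopLockdown must be listed under
# "The following GPOs were not applied because they were filtered out".
gpresult /r /scope:user
```

GPMC writes the same permissions to the GPO's folder in SYSVOL; after a scripted change it detects the mismatch when the GPO is opened and offers to synchronise the SYSVOL ACL, so either accept that prompt or set the Deny in the Delegation tab as the article shows. Sales executives, as members of Authenticated Users, keep receiving the policy, which is what the question requires.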

Question No: 79 – (Topic 1)

All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders.

You need to record any failed attempts made by the consultants to access the confidential data.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group.

  B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting.

  C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting.

  D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.

  E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.

Answer: C, E

Reference:

Windows Server 2008 R2 Unleashed (SAMS, 2010), page 671

Auditing Resource Access

Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling "Audit object access" and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:

Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.

Audit object access success enables you to see usage patterns. This shows misuse of privilege.

After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.

Auditing Files and Folders

The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements.

Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:

1. In Windows Explorer, right-click the file or folder to audit and select Properties.

2. Select the Security tab and then click the Advanced button.

3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.

4. Click the Add button to display the Select User or Group window.

5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
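The two-step process the Unleashed text describes, scripted for one of the three file servers of Question 79, as an added example (not code from the exam page or from the book). Step one is the policy (the text's "Audit object access" category; the subcategory that covers files on Windows Server 2008 R2 is "File System", which a GPO linked to SecureServers would set on all three servers), step two is the SACL entry on each shared folder, and a third function shows how the failed attempts then look in the Security log. It assumes an elevated PowerShell 3.0 or later session, that the shares live under the placeholder path D:\Shares, and the placeholder domain name CONTOSO for the TempWorkers group.

```powershell
# Added example (not from the exam page or the Unleashed text): object access auditing
# for failed attempts on one file server, plus a query for the events it produces.
# Placeholders: D:\Shares (share root) and CONTOSO\TempWorkers (the consultants' group).
$Group   = 'CONTOSO\TempWorkers'
$Folders = Get-ChildItem -Path 'D:\Shares' -Directory | Select-Object -ExpandProperty FullName

# Step 1: the "Audit object access" policy; for files the relevant subcategory is File System.
auditpol /set /subcategory:"File System" /failure:enable

# Step 2: SACL entry "Failed, Full control" for the group, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

foreach ($f in $Folders) {
    $acl = Get-Acl -Path $f -Audit      # -Audit reads the SACL (needs SeSecurityPrivilege)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $f -AclObject $acl
}

function Get-FailedFileAccess {
    # A refused open is logged as event 4656 ("A handle to an object was requested")
    # with the Audit Failure keyword; the SACL names the group, the event names the user.
    param([string]$Account = '*', [int]$MaxEvents = 200)
    $flt = @{ LogName = 'Security'; Id = 4656; Keywords = 0x10000000000000 }  # Audit Failure
    Get-WinEvent -FilterHashtable $flt -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            if ($d.SubjectUserName -like $Account -and $d.ObjectType -eq 'File') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object  = $d.ObjectName
                    Access  = $d.AccessList
                    Process = $d.ProcessName
                }
            }
        }
}

Get-FailedFileAccess | Format-Table -AutoSize
```

Failure auditing on Full control records every refused access right on those folders, which is what the question wants, but it also records nothing for consultants who do have rights; pairing it with success auditing would, as the text warns, multiply the event volume on busy file servers.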

Question No: 80 – (Topic 1)

Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition.

You have a member server that contains a standard primary DNS zone for dev.contoso.com.

You need to ensure that all domain controllers can resolve names for dev.contoso.com. What should you do?

  A. Modify the properties of the SOA record in the contoso.com zone.

  B. Create a NS record in the contoso.com zone.

  C. Create a delegation in the contoso.com zone.

  D. Create a standard secondary zone on a Global Catalog server.

Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc771640.aspx (Understanding Zone Delegation)

Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers.

When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

You want to delegate management of part of your DNS namespace to another location or department in your organization.

You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.

You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

When you delegate zones within your namespace, remember that for each new zone that you create, you need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.

Example: Delegating a subdomain to a new zone

As shown in the following illustration, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.

[Illustration not reproduced in this extraction.]
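The delegation of Question 80 done with dnscmd, as an added example that is not code from the exam page or from the TechNet article. It assumes DC1 is a domain controller running DNS, that the member server holding the dev.contoso.com primary zone is named DEVDNS1 at 10.0.0.50, and that a host build01 exists in the child zone; all of these are placeholders.

```powershell
# Added example (not from the exam page or TechNet): delegate dev.contoso.com from the
# AD-integrated contoso.com zone to the member server that holds the standard primary
# zone. DC1, DEVDNS1, 10.0.0.50 and build01 are placeholders.
$Dc           = 'DC1'
$ParentZone   = 'contoso.com'
$ChildLabel   = 'dev'                  # delegated subdomain: dev.contoso.com
$ChildNsLabel = 'devdns1'              # NS host devdns1.contoso.com, a name in the parent zone
$ChildNsIp    = '10.0.0.50'

# The New Delegation wizard in DNS Manager writes an NS record for the child label into
# the parent zone; dnscmd does the same directly. Because contoso.com is stored in
# ForestDnsZones, the record replicates to every DC, which is what the question requires.
dnscmd $Dc /RecordAdd $ParentZone $ChildLabel NS "$ChildNsLabel.$ParentZone"

# Glue: an A record for the NS host is mandatory only when that host's own name lies inside
# the delegated zone (e.g. ns1.dev.contoso.com), because resolvers could not otherwise find
# it. devdns1.contoso.com is a parent-zone name, so an ordinary A record in contoso.com is enough.
dnscmd $Dc /RecordAdd $ParentZone $ChildNsLabel A $ChildNsIp

# Checks: the delegation is visible on the DC, and a dev.contoso.com name resolves through
# the referral to DEVDNS1 instead of coming back NXDOMAIN from the DC's own zone.
nslookup -type=NS "$ChildLabel.$ParentZone" $Dc
nslookup "build01.$ChildLabel.$ParentZone" $Dc
```

If the contoso.com zone already contains records under a "dev" node of its own, those shadow the delegation and must be removed first, since the DC answers authoritatively for anything it holds in the parent zone.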
