Braindump2go Free Exam Microsoft 70-640 Practice Exam Questions (641-650)
100% Pass 70-640 Real Test is not a dream! Braindump2go Latest Released 70-640 Exam Practice Exam Dumps will help you pass 70-640 Exam one time easiluy! Free Sample Exam QAuestions and Answers are offered for free download now! Quickly having a try today! Never loose this valuable chance!
Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
Keywords: 70-640 Exam Dumps,70-640 Practice Tests,70-640 Practice Exams,70-640 Exam Questions,70-640 Dumps,70-640 Dumps PDF,70-640 VCE,70-640 Braindump,70-640 TS: Windows Server 2008 Active Directory, Configuring
QUESTION 641
You want to deploy security settings to multiple servers by using Group Policy.
The settings need to configure services, firewall rules, and audit policies appropriate for servers in your enterprise that act as file and print servers.
Which tool would be the best choice for you to use?
A. Local Security Policy
B. Security Configuration And Analysis
C. Security Configuration Wizard
D. Security Templates
Answer: C
QUESTION 642
You created a security policy by using the Security Configuration Wizard.
Now you want to deploy the settings in that security policy to the servers in your Servers OU.
Which of the following steps are required? (Choose two. Each correct answer is a part of the solution.)
A. Use Scwcmd.exe Transform.
B. Create a Group Policy object in the Group Policy Objects container.
C. Right-click the Security Settings node of a GPO and click Import.
D. Link the GPO to the Servers OU.
Answer: AD
QUESTION 643
Your company has an Active Directory domain and an organizational unit.
The organizational unit is named Web.
You configure and test new security settings for Internet Information Service (IIS) Servers on a server named IISServerA.
You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit.
What should you do?
A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit
/configure /db webou.inf from the comand prompt.
B. Export the settings on IISServerA to create a security template.
Import the security template into a GPO and link the GPO to the Web organizational unit.
C. Export the settings on IISServerA to create a security template.
Run secedit /configure /db webou.inf from the comand prompt.
D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational
unit.
Answer: B
Explanation:
http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates
Using Secedit To Apply Security Templates
Secedit /configure /db secedit.sdb /cfg”c:\temp\custom.inf” /silent >nul
This command imports a security template file, “custom.inf” into the workstation’s or server’s local security database. /db must be specified. When specifying the default secuirty database (secedit.sdb,) I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option supresses any pop-ups and the >nul hides the command line output stating success or failure of the action.
QUESTION 644
Your network consists of an Active Directory forest that contains two domains.
All servers run Windows Server 2008 R2.
All domain controllers are configured as DNS Servers.
You have a standard primary zone for dev. contoso.com that is stored on a member server.
You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.
What should you do?
A. On the member server, create a stub zone.
B. On the member server, create a NS record for each domain controller.
C. On one domain controller, create a conditional forwarder.
Configure the conditional forwarder to replicate to all DNS servers in the forest.
D. On one domain controller, create a conditional forwarder.
Configure the conditional forwarder to replicate to all DNS servers in the domain.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network.
You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Further information:
http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx
Assign a Conditional Forwarder for a Domain Name
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
QUESTION 645
Your company has an Active Directory domain.
You install a new domain controller in the domain.
Twenty users report that they are unable to log on to the domain.
You need to register the SRV records.
Which command should you run on the new domain controller?
A. Run the netsh interface reset command.
B. Run the ipconfig /flushdns command.
C. Run the dnscmd /EnlistDirectoryPartition command.
D. Run the sc stop netlogon command followed by the sc start netlogon command.
Answer: D
Explanation:
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam Question might ask you how to troubleshoot the nonregistration of SRV resource records.
QUESTION 646
You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.
You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).
What should you do?
A. Install and configure an Online Responder.
B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all
client workstations.
C. Install and configure an additional domain controller.
D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all
client workstations.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc725958.aspx
What Is an Online Responder?
An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate.
The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
QUESTION 647
You want users to log on to Active Directory by using a new Principal Name (UPN).
You need to modify the UPN suffix for all user accounts.
Which tool should you use?
A. Dsmod
B. Netdom
C. Redirusr
D. Active Directory Domains and Trusts
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
Dsmod user dsmod user -upn <UPN>
Specifies the user principal names (UPNs) of the users that you want to modify, for example,
[email protected].
QUESTION 648
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
Auditing is configured to log changes made to the Managed By attribute on group objects in an organizational unit named OU1.
You need to log changes made to the Description attribute on all group objects in OU1 only.
What should you do?
A. Run auditpol.exe.
B. Modify the auditing entry for OU1.
C. Modify the auditing entry for the domain.
D. Create a new Group Policy Object (GPO).
Enable Audit account management policy setting.
Link the GPO to OU1.
Answer: B
Explanation:
http://ithompson.wordpress.com/tag/organizational-unit-move/
QUESTION 649
Your company uses shared folders.
Users are granted access to the shared folders by using domain local groups.
One of the shared folders contains confidential data.
You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data.
What should you do?
A. Enable the Do not trust this computer for delegation property on all the computers of
unauthorized users by using the Dsmod utility.
B. Instruct the unauthorized users to log on by using the Guest account.
Configure the Deny Full control permission on the shared folders that hold the confidential
data for the Guest account.
C. Create a Global Group named Deny DLG.
Place the global group that contains the unauthorized users in to the Deny DLG group.
Configure the Allow Full control permission on the shared folder that hold the confidential
data for the Deny DLG group.
D. Create a Domain Local Group named Deny DLG.
Place the global group that contains the unauthorized users in to the Deny DLG group.
Configure the Deny Full control permission on the shared folder that hold the confidential
data for the Deny DLG group.
Answer: D
QUESTION 650
Your company has an Active Directory domain.
You install an Enterprise Root certification authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.
What should you do?
A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificated permission from the Authenticated Users group.
C. Assign the Allow-Manage CA permission toonly the Security Manager user Account.
D. Assign the Allow-Issue and Manage Certificates permission to only the Security Manger
user account
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc732590.aspx
Braindump2go 70-640 Latest Updaed Braindumps Including All New Added 70-640 Exam Questions from Exam Center which Guarantees You Can 100% Success 70-640 Exam in Your First Try Exam!