[Free] 2018(Jan) EnsurePass Passguide Microsoft 70-640 Dumps with VCE and PDF 131-140


Windows Server 2008 Active Directory, Configuring

Question No: 131 – (Topic 2)

You are an administrator at ABC.com. The company has a read-only domain controller (RODC) at a remote location that does not have adequate physical security.

You need to enable password caching for non-administrative accounts on that RODC.

Which of the following actions should you take to populate the RODC with the passwords of non-administrative accounts?

  1. Delete all administrative accounts from the RODC's group

  2. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO)

  3. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group

  4. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.

  5. None of the above

Answer: C

Ensurepass 2018 PDF and VCE


http://technet.microsoft.com/en-us/library/cc770320(v=ws.10).aspx

Advantages That an RODC Can Provide to an Existing Deployment

Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to delegate administration of an RODC to a nonadministrative user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform routine server maintenance.

http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.

The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.


Question No: 132 – (Topic 2)

You are decommissioning one of the domain controllers in a child domain.

You need to transfer all domain operations master roles within the child domain to a newly installed domain controller in the same child domain.

Which three domain operations master roles should you transfer? (Each correct answer presents part of the solution. Choose three.)

  1. RID master

  2. PDC emulator

  3. Schema master

  4. Infrastructure master

  5. Domain naming master

Answer: A,B,D Explanation:

http://technet.microsoft.com/en-us/library/cc781578(v=ws.10).aspx Transferring operations master roles

Transferring an operations master role means moving it from one domain controller to another with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles in Microsoft Management Console (MMC).


Question No: 133 – (Topic 2)

Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2.

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

What should you do?

  1. Run ldp.exe and use the Bind option.

  2. Run diskpart.exe and use the Attach option.

  3. Run dsdbutil.exe and use the snapshot option.

  4. Run imagex.exe and specify the /mount parameter.

Answer: C Explanation:

http://technet.microsoft.com/en-us/library/cc753151(v=ws.10).aspx Dsdbutil

Performs database maintenance of the Active Directory Domain Services (AD DS) store, facilitates configuration of Active Directory Lightweight Directory Services (AD LDS) communication ports, and views AD LDS instances that are installed on a computer.

Commands

snapshot: Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM). You can also run the snapshot subcommand on an Active Directory Lightweight Directory Services (AD LDS) server.

This is a subcommand of Ntdsutil and Dsdbutil. Ntdsutil and Dsdbutil are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2.

Syntax

  activate instance %s
  create
  delete %s
  unmount %s
  list all
  list mounted
  mount %s
  quit

mount %s: Mounts a snapshot with GUID %s. You can refer to an index number of any mounted snapshot instead of its GUID.

Question No: 134 – (Topic 2)

Your company has servers on its main network that run Windows Server 2008. It also has two domain controllers.

Active Directory services are running on a domain controller named CKDC1.

You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.

What should you do to perform offline critical updates on CKDC1 without rebooting the server?

  1. Start the Active Directory Domain Services on CKDC1

  2. Disconnect from the network and start the Windows update feature

  3. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.

  4. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again.

  5. None of the above

Answer: C Explanation:

Personal comment: I don't believe you can avoid restarting the server when installing some (not all) updates

http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on-ckdc1-withoutrebooting-the-server/

To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.

By stopping the Active Directory domain services, you don’t need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way.

Question No: 135 – (Topic 2)

Your company asks you to implement Windows CardSpace in the domain. You also want to use Windows CardSpace at home.

Your home and office computers run Windows Vista Ultimate.

What should you do to create a backup copy of your Windows CardSpace cards for use at home?

  1. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive

  2. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive

  3. Back up the system state data by using backup status tool on your USB drive

  4. Employ Windows Cardspace application to backup the data on your USB drive.

  5. Reformat the C: Drive

  6. None of the above

Answer: D Explanation:

http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer

Windows CardSpace for IT pros

Microsoft Windows CardSpace™ is a system for creating relationships with websites and online services.

Windows CardSpace provides a consistent way for:

  • Sites to request information from you.

  • You to review the identity of a site.

  • You to manage your information by using Information Cards.

  • You to review card information before you send it.

Windows CardSpace can replace the user names and passwords that you use to register with and log on to websites and online services.

15. How do I back up my cards or transfer them to another computer?

Cards are stored on your computer in an encrypted format. To save a backup file containing some or all of your cards or to use a card on a different computer, you can save cards to a backup card file.

To back up your cards:

  1. Start Windows CardSpace.

  2. View all your cards.

  3. In the pane on the right of your screen, click Back up cards.

  4. Select the cards that you want to back up.

  5. Browse to the folder where you want to save the backup card file, and then give it a name.

When you complete these steps, you save a file containing some or all of your cards. You can copy the backup card file to media such as a Universal Serial Bus (USB) storage device, CD, or other digital media. You can restore the backup card file on this computer or on another computer.

To restore your cards:

  1. Save the backup card file to the computer.

  2. Browse to the location of the file on the computer.

  3. Double-click the file, and then follow the instructions to restore the cards.

Question No: 136 – (Topic 2)

One of the remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons you don't want certain critical credentials (such as passwords and encryption keys) to be stored on the RODC.

What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2)

  1. Configure the RODC filtered attribute set on the server

  2. Configure the RODC filtered attribute set on the server that holds the Schema Operations Master role.

  3. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain

  4. Raise the forest functional level to Windows Server 2008 before configuring the filtered attribute set.

  5. None of the above

Answer: B,D Explanation:

http://technet.microsoft.com/en-us/library/cc753223.aspx Adding attributes to the RODC filtered attribute set

The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

Question No: 137 – (Topic 2)

Your network contains an Active Directory domain. The domain contains three domain controllers.

One of the domain controllers fails.

Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts.

Which operations master role should you seize?

  1. domain naming master

  2. infrastructure master

  3. primary domain controller (PDC) emulator

  4. RID master

  5. schema master

Answer: D Explanation:

http://technet.microsoft.com/en-us/library/cc773108(v=ws.10).aspx Operations master roles

Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform in using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes.

In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.

RID master

The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.

To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.

http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-activedirectory/

Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory

http://www.petri.co.il/seizing_fsmo_roles.htm

Seizing FSMO Roles

Question No: 138 – (Topic 2)

Your network contains an Active Directory domain.

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).

You have a client computer named Computer1 that runs Windows 7.

You enable automatic certificate enrollment for all client computers that run Windows 7.

You need to verify that the Windows 7 client computers can automatically enroll for certificates.

Which command should you run on Computer1?

  1. certreq.exe retrieve

  2. certreq.exe submit

  3. certutil.exe getkey

  4. certutil.exe pulse

Answer: D Explanation:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/

What does the "certutil -pulse" command do?

Certutil -pulse will initiate autoenrollment requests.

It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7): right-click Certificates, point to All Tasks, and click Automatically Enroll and Retrieve Certificates.

The command does require that:

  • any autoenrollment GPO settings have already been applied to the target user or computer

  • a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user

  • the group membership is recognized in the user's token (they have logged on after the membership was added)

http://technet.microsoft.com/library/cc732443.aspx Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.

The following table describes the verbs that can be used with the certutil command.

pulse: Pulse auto enrollment events

Question No: 139 – (Topic 2)

Active Directory Rights Management Services (AD RMS) is deployed on your network.

Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.

You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.

What should you do?

  1. Modify the security of the ServerCertification.asmx file.

  2. Modify the security of the MobileDeviceCertification.asmx file.

  3. Enable anonymous authentication for the _wmcs virtual directory.

  4. Enable anonymous authentication for the certification virtual directory.

Answer: B Explanation:

http://technet.microsoft.com/en-us/library/ff608252(v=ws.10).aspx Windows Mobile Considerations for AD RMS

AD RMS and Windows Mobile Requirements

Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile® in Windows Mobile 6 and later devices. End users can create and consume protected e-mail messages and can read protected Microsoft Office documents on their Windows Mobile device.

AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later.

By default, the discretionary access control lists (DACLs) of the AD RMS mobile certification pipeline are restricted and must be enabled for Windows Mobile 6 or later devices to obtain the certificates and licenses needed to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read & Execute permissions on the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster.

Question No: 140 – (Topic 2)

Your company has an Active Directory forest with six domains and five sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication.

The application is installed on one member server in each of the five sites.

You need to configure the five member servers to receive the ResData application directory partition for data replication.

What should you do?

  1. Run the Dcpromo utility on the five member servers.

  2. Run the Regsvr32 command on the five member servers

  3. Run the Webadmin command on the five member servers

  4. Run the RacAgent utility on the five member servers

Answer: A Explanation:


Dcpromo

Syntax

  dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv]
  /uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]

dcpromo Promotion operation parameters:

Specifies the application directory partitions that dcpromo will replicate. Use the following format: "partition1" "partition2" "partitionN"

Use * to replicate all application directory partitions.
