Ensurepass.com : Ensure you pass the IT Exams
2018 July Microsoft Official New Released 70-640

Windows Server 2008 Active Directory, Configuring

Question No: 321 – (Topic 4)

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2.

The network contains an enterprise certification authority (CA).

You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.

Which snap-in should you use?

  1. Active Directory Administrative Center

  2. Authorization Manager

  3. Certificate Templates

  4. Certificates

  5. Certification Authority

  6. Enterprise PKI

  7. Group Policy Management

  8. Security Configuration Wizard

  9. Share and Storage Management

Answer: G

Explanation: We can make the Group1 group a member of the Event Log Readers group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management.

Reference 1:

It's a bit hard to find some good, clear reference for this. There's nothing wrong with doing it yourself, so here's what I did in VMWare, using a domain controller and a member server. Click along if you want!

In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.

->Start the Group Policy Management console on DC01.

->Right-click the Events OU and choose "Create a GPO in this domain, and Link it here…"

->I named the GPO "EventLog_TESTGROUP"

->Right-click the "EventLog_TESTGROUP" GPO and choose "Edit…"

->Go to Computer Configuration \ Policies \ Windows Settings \ Security Settings and select "Restricted Groups"

->Right-click "Restricted Groups" and choose "Add Group…"

->Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.

->Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.

->Click OK.

->On MEM01 open a command prompt and run gpupdate /force.

->Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.
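The last two steps above are done by hand in the GUI. The script below is an added example, not part of the exam dump or of any Microsoft documentation: it checks on the member server that the Restricted Groups setting really placed the domain group into the local Event Log Readers group, and then attempts to read Certificate Services events. MEM01 and CONTOSO\TESTGROUP are the names from the walkthrough; the event provider name used for the read test is an assumption and is marked as such in the code.

```powershell
# Added example (not from the exam dump or Microsoft): verify on the member
# server that the Restricted Groups policy put the domain group into the local
# "Event Log Readers" group, then try to read Certificate Services events.
# MEM01 and CONTOSO\TESTGROUP come from the walkthrough above; the event
# provider name is an assumption (see comment below).
param(
    [string]$DomainGroup = 'CONTOSO\TESTGROUP',   # group pushed in by the GPO
    [string]$LocalGroup  = 'Event Log Readers'
)

# Enumerate the local group through the WinNT ADSI provider: it works on
# Windows Server 2008 R2, where Get-LocalGroupMember does not exist.
function Get-LocalGroupMemberName {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in $group.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/TESTGROUP; report it as CONTOSO\TESTGROUP
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$members = @(Get-LocalGroupMemberName -GroupName $LocalGroup)
"Members of '$LocalGroup' on ${env:COMPUTERNAME}:"
$members | ForEach-Object { "  $_" }

if ($members -contains $DomainGroup) {
    "OK: $DomainGroup is a member, so the Restricted Groups setting has applied."
} else {
    "MISSING: $DomainGroup is not a member. Run gpupdate /force and check that" +
    " gpresult /r /scope computer lists the GPO linked to this computer's OU."
}

# Certificate Services writes its events to the Application log. The provider
# name below is an assumption for 2008 R2; run this part as a member of
# $DomainGroup to confirm that the group really grants read access.
try {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificationAuthority'
    } -MaxEvents 5 -ErrorAction Stop |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
} catch {
    "Could not read Certificate Services events: $($_.Exception.Message)"
}
```

Run it on MEM01 after gpupdate /force. The WinNT provider is used deliberately so the check works on the Windows Server 2008 R2 hosts the question is about; on newer servers Get-LocalGroupMember gives the same list.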

Reference 2:

http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008

So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.

(…)

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the built-in Event Log Readers group.

Question No: 322 – (Topic 4)

Your network contains an Active Directory forest named adatum.com.

You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you install before you create the AD RMS root cluster?

  1. The Failover Cluster feature

  2. The Active Directory Certificate Services (AD CS) role

  3. Microsoft Exchange Server 2010

  4. Microsoft SharePoint Server 2010

  5. Microsoft SQL Server 2008

Answer: E

Reference:

http://technet.microsoft.com/en-us/library/cc771789.aspx Before you install AD RMS

Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met:

(…)

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:

Install the database server that is used to host the AD RMS databases on a separate computer.

(…)

Question No: 323 – (Topic 4)

Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.

You need to create a forest trust between adatum.com and litwareinc.com. What should you do first?

  1. Create an external trust.

  2. Raise the functional level of both forests.

  3. Configure SID filtering.

  4. Raise the functional level of all the domains.

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc771397.aspx When to create a forest trust

You can create a forest trust between forest root domains if the forest functional level is

Windows Server 2003 or higher.

Question No: 324 – (Topic 4)

Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003.

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day. At 07:00, an administrator deletes a user account while he is logged on to DC1.

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

  1. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services.

  2. On DC3, run the Restore-ADObject cmdlet.

  3. On DC1, run the Restore-ADObject cmdlet.

  4. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory Domain Services.

Answer: A

Explanation:

We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003."

See http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Because replication to Site2 does not start until 20:00, DC3 still holds the user account at 07:00. Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) of the account on that DC, which causes DC3 to replicate the restored user account to the other DCs.

Reference 1:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692: "An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers."

Reference 2:

http://technet.microsoft.com/en-us/library/cc755296.aspx Authoritative restore of AD DS has the following requirements: (…)

You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
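The choice between Restore-ADObject and an authoritative restore comes down to the two conditions the explanation names. The script below is an added example, not part of the exam dump or of Microsoft's documentation: it reads the forest functional level and the Recycle Bin feature state, uses Restore-ADObject when that is possible, and otherwise prints the ntdsutil sequence for the surviving DC. The account name is a constructed sample; DC3 is the DC from the question that has not yet replicated the deletion.

```powershell
# Added example (not from the exam dump or Microsoft): pick the restore method
# using the two facts the explanation above relies on, the forest functional
# level and whether the Recycle Bin optional feature is enabled. The account
# name is a constructed sample; DC3 is the DC from the question that has not
# yet replicated the deletion.
param(
    [string]$SamAccountName = 'jdoe',   # constructed sample account
    [string]$SurvivingDC    = 'DC3'     # still holds the live object until 20:00
)
Import-Module ActiveDirectory

function Test-RecycleBinEnabled {
    # Restore-ADObject only helps when the Recycle Bin is enabled, which in turn
    # needs forest functional level Windows Server 2008 R2; report both.
    $forest  = Get-ADForest
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    New-Object PSObject -Property @{
        ForestMode = $forest.ForestMode
        Enabled    = ($null -ne $feature) -and ($feature.EnabledScopes.Count -gt 0)
    }
}

$state = Test-RecycleBinEnabled
"Forest functional level: $($state.ForestMode); Recycle Bin enabled: $($state.Enabled)"

if ($state.Enabled) {
    # Recycle Bin path: the deleted object keeps its attributes and links, so a
    # single cmdlet puts it back where it was.
    $deleted = Get-ADObject -Filter { isDeleted -eq $true -and SamAccountName -eq $SamAccountName } `
                            -IncludeDeletedObjects -Properties LastKnownParent
    if ($deleted) {
        Restore-ADObject -Identity $deleted.ObjectGUID
        "Restored $SamAccountName under $($deleted.LastKnownParent) with Restore-ADObject."
    } else {
        "No deleted object with sAMAccountName $SamAccountName was found."
    }
} else {
    # Forest level below 2008 R2, as in the question: Restore-ADObject is not an
    # option. Site2 has not replicated the deletion yet, so the object is still
    # live on $SurvivingDC; an authoritative restore there raises its USN so the
    # restored copy wins when replication resumes.
    $dn = (Get-ADUser -Identity $SamAccountName -Server $SurvivingDC).DistinguishedName
    "Recycle Bin unavailable. On $SurvivingDC, stop AD DS, mark the object authoritative, restart AD DS:"
    "  net stop ntds"
    "  ntdsutil `"activate instance ntds`" `"authoritative restore`" `"restore object $dn`" quit quit"
    "  net start ntds"
}
```

The script only prints the ntdsutil commands rather than running them, because stopping AD DS on a DC is a change you want to make deliberately and, per Reference 2 above, the service must be stopped before and restarted after the authoritative restore.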

Question No: 325 – (Topic 4)

Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional level of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains two domains.

You need to ensure that users in contoso.com can access the resources in all domains. The solution must require the minimum number of trusts.

Which type of trust should you create?

  1. external

  2. forest

  3. realm

  4. shortcut

Answer: B

Reference:

http://technet.microsoft.com/en-us/library/cc771397.aspx When to create a forest trust

You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher. Creating a forest trust between two root domains with a forest functional level of Windows Server 2003 or higher provides a one-way or two-way, transitive trust relationship between every domain in each forest. Forest trusts are useful for application service providers, organizations undergoing mergers or acquisitions, collaborative business extranets, and organizations seeking a solution for administrative autonomy.

Question No: 326 – (Topic 4)

Your network contains an Active Directory forest. The forest contains multiple domains.

You need to ensure that users in the human resources department can search for employees by using the employeeNumber attribute.

What should you do?

  1. From Active Directory Sites and Services, modify the properties of each global catalog server.

  2. From the Active Directory Schema snap-in, modify the properties of the user object class.

  3. From Active Directory Sites and Services, modify the NTDS Settings object of each global catalog server.

  4. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.

Answer: D

Reference:

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx Global Catalog Replication of Additions to the Partial Attribute Set

Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.

The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

Question No: 327 – (Topic 4)

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.

You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.

You need to ensure that Attribute1 is included in the global catalog. What should you do?

  1. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.

  2. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User objects.

  3. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.

  4. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.

Answer: A

Reference:

http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx Global Catalog Partial Attribute Set

The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

Global Catalog Replication of Additions to the Partial Attribute Set

Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.

If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object. You mark the attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog. If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog.
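Questions 326 and 327 both come down to the same write: setting isMemberOfPartialAttributeSet to TRUE on the attribute's attributeSchema object, which is what the check box in the Schema snap-in does. The script below is an added example, not part of the exam dump or of Microsoft's documentation, that performs and verifies that write with the Active Directory PowerShell module. employeeNumber is the attribute from Question 326; the function names and the decision to target the schema master explicitly are this example's own.

```powershell
# Added example (not from the exam dump or Microsoft): make an attribute a
# member of the partial attribute set by setting isMemberOfPartialAttributeSet
# on its attributeSchema object, the same write the "Replicate this attribute to
# the global catalog" check box performs. employeeNumber is the attribute from
# Question 326; pass the lDAPDisplayName of Attribute1 for Question 327. The
# write goes to the schema master and needs Schema Admins membership.
param([string]$LdapDisplayName = 'employeeNumber')
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

function Get-SchemaAttribute {
    param([string]$Name)
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Name))" `
        -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, searchFlags
}

$attr = Get-SchemaAttribute -Name $LdapDisplayName
if (-not $attr) { throw "No attributeSchema object with lDAPDisplayName $LdapDisplayName in $schemaNC" }
"Before: isMemberOfPartialAttributeSet = $($attr.isMemberOfPartialAttributeSet)"

if ($attr.isMemberOfPartialAttributeSet -ne $true) {
    # A schema change: once written on the schema master it replicates to every
    # DC, and every GC in the forest starts holding the attribute for all domains.
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    $attr = Get-SchemaAttribute -Name $LdapDisplayName   # re-read to confirm
}
"After:  isMemberOfPartialAttributeSet = $($attr.isMemberOfPartialAttributeSet)"

# Being in the PAS makes the attribute available on every GC; whether searches
# on it are fast depends on searchFlags bit 0x1 (indexed). Report, do not change.
$indexed = (([int]$attr.searchFlags) -band 1) -ne 0
"Indexed for search (searchFlags & 1): $indexed"
```

The script deliberately targets the schema master with -Server, since schema writes are only accepted there, and re-reads the object afterwards so the "After" line reflects what was actually stored rather than what was requested.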

Question No: 328 – (Topic 4)

Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.

Which tool should you use to assign permissions to Admin1?

  1. the Certification Authority console

  2. Active Directory Users and Computers

  3. the Certificates snap-in

  4. Active Directory Sites and Services

Answer: D

Explanation:

We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups.

The first reference lists what needs to be done, the second reference explains how to do it.

Reference 1:

http://technet.microsoft.com/en-us/library/cc725621.aspx Delegating Template Management

You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or universal groups that a user belongs to.

There are three levels of delegation for certificate template administration:

->Modify existing templates

->Create new templates (by duplicating existing templates)

->Full delegation (including modifying all existing templates and creating new ones)

Create New Templates

To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS.

To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of which the user is a member:

Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.

Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates.

Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.

Reference 2:

Windows Server 2008 – PKI and Certificate Security (Microsoft Press, 2008) page 298 Delegate Permissions for Creation of New Templates

You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.

1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.

2. Open the Active Directory Sites And Services console.

3. From the View menu, ensure that the Show Services Node setting is enabled.

4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.

5. In the console tree, right-click Certificate Templates, and then click Delegate Control.

6. In the Delegation Of Control wizard, click Next.

7. On the Users Or Groups page, click Add.

8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.

9. On the Users Or Groups page, click Next.

10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.

11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next.

12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.

13. On the Completing The Delegation Of Control wizard page, click Finish.
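The wizard steps above grant the rights but give no way to see who already holds them. The script below is an added example, not part of the exam dump or of either reference: it reads the ACLs of the two containers listed in Reference 1 through the AD: drive of the Active Directory module and reports every principal allowed Create All Child Objects or Full Control there, which is the check to run after delegating and the audit to repeat periodically. Function and column names are this example's own.

```powershell
# Added example (not from the exam dump or Microsoft): read back the ACLs on
# the Certificate Templates and OID containers named in Reference 1 and report
# which principals hold Create All Child Objects (CreateChild) or Full Control
# (GenericAll) there. Run it after the Delegate Control wizard, or as a periodic
# audit of who is able to create templates in this forest.
Import-Module ActiveDirectory   # also mounts the AD: drive that Get-Acl uses

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-TemplateCreatorRights {
    param([string]$DistinguishedName)
    $createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $genericAll  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.ActiveDirectoryRights
        if ((($rights -band $createChild) -ne 0) -or (($rights -band $genericAll) -eq $genericAll)) {
            New-Object PSObject -Property @{
                Object     = ($DistinguishedName -split ',')[0]
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights.ToString()
                # CreateChild limited to one object class carries a non-empty ObjectType
                AllClasses = ($ace.ObjectType -eq [guid]::Empty)
                Inherited  = $ace.IsInherited
            }
        }
    }
}

$containers = @("CN=Certificate Templates,$pkiBase", "CN=OID,$pkiBase")
$report = foreach ($dn in $containers) { Get-TemplateCreatorRights -DistinguishedName $dn }
$report | Sort-Object Object, Identity |
    Format-Table Object, Identity, Rights, AllClasses, Inherited -AutoSize

# The container ACL is not inherited by the templates themselves (Reference 1),
# so check a few templates too: a group that can create templates but lacks
# Full Control on existing ones cannot modify those.
Get-ChildItem -Path "AD:\CN=Certificate Templates,$pkiBase" |
    Select-Object -First 3 |
    ForEach-Object { Get-TemplateCreatorRights -DistinguishedName $_.DistinguishedName } |
    Format-Table Object, Identity, Rights, AllClasses, Inherited -AutoSize
```

Reading the container ACL alone is not enough, which is why the script also samples individual templates: Reference 1 states that the container permissions are not inherited by the templates, so Full Control on existing templates has to be checked object by object.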

Question No: 329 – (Topic 4)

A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.

You add multiple DNS records to the zone.

You need to ensure that the new records are available on all DNS servers as soon as possible.

Which tool should you use?

  1. Ntdsutil

  2. Dnscmd

  3. Repadmin

  4. Nslookup

Answer: C

Explanation:

To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.

Reference:

http://technet.microsoft.com/en-us/library/cc811569.aspx Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.

Force a replication event with all partners

The repadmin /syncall command synchronizes a specified domain controller with all replication partners.

Syntax

repadmin /syncall <DC> [<NamingContext>] [<Flags>]

Parameters

<DC>

Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext>

Specifies the distinguished name of the directory partition.

<Flags>

Performs specific actions during the replication.
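Applied to the question, the syntax above needs the DC where the records were added and the partition that stores the zone. The script below is an added example, not part of the exam dump or of the TechNet page: it builds that partition name, runs repadmin /syncall with the cross-site and push flags, and reports whether repadmin flagged errors. DC1.contoso.com and contoso.com are placeholders, and the zone is assumed to use the default domain-wide replication scope, which puts it in the DomainDnsZones application partition; the success-string match is also an assumption and is labelled in the code.

```powershell
# Added example (not from the exam dump or Microsoft): push the partition that
# stores an AD-integrated zone to every replication partner with the
# repadmin /syncall syntax above, then report whether repadmin itself flagged
# errors. DC and domain names are placeholders; the zone is assumed to use the
# default "all DNS servers in this domain" scope, i.e. the DomainDnsZones
# application partition (forest-wide zones live in ForestDnsZones instead).
param(
    [string]$SourceDC = 'DC1.contoso.com',   # the DC where the records were added
    [string]$Domain   = 'contoso.com'
)

$domainDN  = 'DC=' + (($Domain -split '\.') -join ',DC=')
$partition = "DC=DomainDnsZones,$domainDN"

function Invoke-PartitionSync {
    param([string]$DC, [string]$NamingContext)
    # Flags: /e cross site boundaries (default stays inside the site),
    #        /P push from this DC outward instead of pulling into it,
    #        /d show partners by distinguished name in the output.
    $output = & repadmin /syncall $DC $NamingContext /e /P /d 2>&1 | ForEach-Object { "$_" }
    New-Object PSObject -Property @{
        ExitCode  = $LASTEXITCODE
        Output    = $output
        # repadmin prints "SyncAll terminated with no errors." on success; treating
        # anything else as a failure is a conservative assumption of this example.
        Succeeded = [bool]($output -match 'terminated with no errors')
    }
}

$result = Invoke-PartitionSync -DC $SourceDC -NamingContext $partition
$result.Output
if ($result.ExitCode -ne 0 -or -not $result.Succeeded) {
    Write-Warning "Sync of $partition from $SourceDC reported errors; inspect the output above."
} else {
    "Partition $partition pushed from $SourceDC to all of its replication partners."
}

# Confirm the last inbound replication of that partition succeeded on the source DC.
& repadmin /showrepl $SourceDC $partition
```

Passing the naming context instead of /A keeps the sync to the one partition that matters here; /e is what makes the difference for a multi-site domain, because without it syncall stays within the source DC's own site.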

Question No: 330 – (Topic 4)

Your network contains an Active Directory domain named contoso.com.

The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.

RODC1 runs Windows Server 2008 R2.

A user logs on to a computer in the branch office site.

You discover that the user's password is not stored on RODC1.

You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site computer. What should you do?

  1. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password Replication Group.

  2. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers.

  3. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.

  4. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.

Answer: C

Reference:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417 Password Replication Policy

Password Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.

An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user’s credentials will not be cached; the Denied List takes precedence.

Configuring Domain-Wide Password Replication Policy

To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.
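The script below is an added example, not part of the exam dump or of the training kit: it carries out the answer (adding the user to Allowed RODC Password Replication Group) with the Active Directory module, then shows RODC1's Allowed and Denied lists and whether the user's password has actually been revealed to RODC1, since the Denied List wins and membership alone does not prove caching. The user name is a constructed sample and DC1 is an assumed writable DC; RODC1 is the RODC from the question.

```powershell
# Added example (not from the exam dump or Microsoft): put a user on the
# domain-wide Allowed List by adding the account to Allowed RODC Password
# Replication Group (the answer above), then show RODC1's Allowed and Denied
# lists and whether the password has actually been revealed to it. The user
# name is a constructed sample and DC1 is an assumed writable DC; RODC1 is
# the RODC from the question.
param(
    [string]$User       = 'jdoe',
    [string]$RODC       = 'RODC1',
    [string]$WritableDC = 'DC1'
)
Import-Module ActiveDirectory

$allowedGroup = 'Allowed RODC Password Replication Group'
$account      = Get-ADUser -Identity $User

# Add the account only if it is not already a (possibly nested) member.
$isMember = Get-ADGroupMember -Identity $allowedGroup -Recursive |
            Where-Object { $_.DistinguishedName -eq $account.DistinguishedName }
if (-not $isMember) { Add-ADGroupMember -Identity $allowedGroup -Members $account }

function Get-PrpSummary {
    param([string]$RodcName, $Account)
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed
    $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts
    New-Object PSObject -Property @{
        AllowedList    = ($allowed | ForEach-Object { $_.Name }) -join ', '
        DeniedList     = ($denied  | ForEach-Object { $_.Name }) -join ', '
        # Denied wins over Allowed. This only catches the account listed directly;
        # membership in a denied group (e.g. Domain Admins) must be checked separately.
        UserOnDenied   = [bool]($denied   | Where-Object { $_.DistinguishedName -eq $Account.DistinguishedName })
        PasswordCached = [bool]($revealed | Where-Object { $_.DistinguishedName -eq $Account.DistinguishedName })
    }
}

Get-PrpSummary -RodcName $RODC -Account $account | Format-List

# Caching normally happens at the user's next logon through the RODC. To
# prepopulate it now, push the password from a writable DC:
& repadmin /rodcpwdrepl $RODC $WritableDC $account.DistinguishedName
Get-PrpSummary -RodcName $RODC -Account $account | Select-Object PasswordCached
```

The RevealedAccounts query is the part worth keeping: it answers the question's actual symptom ("the password is not stored on RODC1") directly, rather than inferring it from group membership.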
