[Free] 2018(Mar) EnsurePass Passguide Microsoft 70-640 Dumps with VCE and PDF 151-160


Windows Server 2008 Active Directory, Configuring

Question No: 151 – (Topic 2)

Your company has a main office and a branch office. The main office contains two domain controllers.

You create an Active Directory site named BranchOfficeSite.

You deploy a domain controller in the branch office, and then add the domain controller to the BranchOfficeSite site.

You discover that users in the branch office are randomly authenticated by either the domain controller in the branch office or the domain controllers in the main office.

You need to ensure that the users in the branch office always attempt to authenticate to the domain controller in the branch office first.

What should you do?

  1. Create organizational units (OUs).

  2. Create Active Directory subnet objects.

  3. Modify the slow link detection threshold.

  4. Modify the Location attribute of the computer objects.

Answer: B Explanation:

http://technet.microsoft.com/en-us/library/cc754697.aspx Understanding Sites, Subnets, and Site Links

Sites overview

Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object.

The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller.

Associating sites and subnets

A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site.


The term "subnet" in AD DS does not have the strict networking definition of the set of all addresses behind a single router. The only requirement for an AD DS subnet is that the address prefix conforms to the IP version 4 (IPv4) or IP version 6 (IPv6) format.

When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites.

Locating domain controllers by site

Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses. When a client requests a domain controller, it provides its site name to DNS. DNS uses the site name to locate a domain controller in that site (or in the next closest site to the client). DNS then provides the IP address of the domain controller to the client for the purpose of connecting to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links.

Question No: 152 – (Topic 2)

Your network contains an Active Directory domain named contoso.com.

You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com.

When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone. What should you do?

  1. From the command prompt, use the netsh tool.

  2. From the command prompt, use the dnscmd tool.

  3. From DNS Manager, modify the properties of the GlobalNames zone.

  4. From DNS Manager, modify the advanced settings of the DNS server.

Answer: B Explanation:


Enable GlobalNames zone support

The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:

dnscmd <ServerName> /config /enableglobalnamessupport 1

Question No: 153 – (Topic 2)

ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed.

Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?

  1. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts

  2. Add a password replication policy to the main Domain RODC and add user accounts in the security group

  3. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server

  4. Configure and add a separate password replication policy on each RODC computer account

Answer: D Explanation:

http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

Question No: 154 – (Topic 2)

Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table.


You need to ensure that all device certificate requests use the MD5 hash algorithm. What should you do?

  1. On Server2, run the Certutil tool.

  2. On Server1, update the CEP Encryption certificate template.

  3. On Server1, update the Exchange Enrollment Agent (Offline Request) template.

  4. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Answer: D



Managing Network Device Enrollment Service Configuring NDES

NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography


To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table.

Key name: HashAlgorithm \ HashAlgorithm

Value data type: String

Default value: SHA1


Accepted values are SHA1 and MD5.

Question No: 155 – (Topic 2)

Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain.

You need to reduce how long it takes until stale records are deleted from the zone. What should you do?

  1. From the configuration directory partition of the forest, modify the tombstone lifetime.

  2. From the configuration directory partition of the forest, modify the garbage collection interval.

  3. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.

  4. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.

Answer: C Explanation:


http://technet.microsoft.com/en-us/library/cc816625(v=ws.10).aspx Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time.

You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

  1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, right-click the applicable zone, and then click Properties.

  3. On the General tab, click Aging.

  4. Select the Scavenge stale resource records check box.

  5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line

  1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}


Question No: 156 – (Topic 2)

Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group.

You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1.

To which group should you add User1?

  1. AD RMS Auditors

  2. AD RMS Service Group

  3. Domain Admins

  4. Schema Admins

Answer: C Explanation:

http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx

The AD RMS Service Connection Point

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services.

The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.

Question No: 157 – (Topic 2)

Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.

You need to configure AD RMS so that users are able to protect their documents. What should you do?

  1. Install the AD RMS client 2.0 on each client computer.

  2. Add the RMS service account to the local administrators group on the AD RMS server.

  3. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.

  4. Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Answer: C Explanation:

http://technet.microsoft.com/en-us/library/cc753531(v=ws.10).aspx AD RMS Step-by-Step Guide

For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.

Question No: 158 – (Topic 2)

ABC.com has purchased laptop computers that will be used to connect to a wireless


You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks.

You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network.

What should you do to enforce the group policy wireless settings to the laptop computers?

  1. Execute gpupdate/target:computer command at the command prompt on laptop computers

  2. Execute Add a network command and leave the SSID (service set identifier) blank

  3. Execute gpupdate/boot command at the command prompt on laptop computers

  4. Connect each laptop computer to a wired network and log off the laptop computer and then login again.

  5. None of the above

Answer: D

Question No: 159 – (Topic 2)

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What is the minimal forest functional level that you should use?

  1. Windows Server 2008 R2

  2. Windows Server 2008

  3. Windows Server 2003

  4. Windows 2000

Answer: C


http://technet.microsoft.com/en-us/library/cc731243.aspx Prerequisites for Deploying an RODC

Complete the following prerequisites before you deploy a read-only domain controller (RODC):

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available.

Question No: 160 – (Topic 2)

ABC.com has a network that is comprised of a single Active Directory Domain.

As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers.

Which tool should you use to test the certificate with AD LDS?

  1. Ldp.exe

  2. Active Directory Domain services

  3. ntdsutil.exe

  4. Lds.exe

  5. wsamain.exe

  6. None of the above

Answer: A Explanation:

http://technet.microsoft.com/en-us/library/cc725767(v=ws.10).aspx Appendix A: Configuring LDAP over SSL Requirements for AD LDS

The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.

Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe

To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled.
