[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 201-210

Ensurepass.com : Ensure you pass the IT Exams
2018 May Microsoft Official New Released 70-640
100% Free Download! 100% Pass Guaranteed!

Windows Server 2008 Active Directory, Configuring

Question No: 201 – (Topic 3)

You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.

You need to back up Active Directory Certificate Services on the CA. Which command should you run?

  1. certutil.exe backup

  2. certutil.exe backupdb

  3. certutil.exe backupkey

  4. certutil.exe store

Answer: B Explanation:

Because a hardware security module (HSM) is used that stores the private keys, the command certutil. exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have a proprietary procedure for that.

The given commands are: certutil -backup

Backup set includes certificate database, CA certificate an the CA key pair certutil -backupdb

Backup set only includes certificate database certutil -backupkey

Backup set only includes CA certificate and the CA key pair certutil -store Provides a dump of the certificate store onscreen.

Since we cannot extract the keys from the HSM we have to use backupdb. Reference 1:

Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215

For the commands listed above. Reference 2:

http://technet.microsoft.com/en-us/library/cc732443.aspx

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

Syntax

Certutil lt;-parametergt; [-parameter] Parameter

-backupdb

Backup the Active Directory Certificate Services database Reference 3:

http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate- services/

Question No: 202 – (Topic 3)

Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2.

You need to configure Server1 as a global catalog server. What should you do?

  1. Modify the Active Directory schema.

  2. From Ntdsutil, use the Roles option.

  3. Run the Active Directory Domain Services Installation Wizard on Server1.

  4. Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Answer: C Explanation:

Now it#39;s just a member server, so you#39;ll have to run dcpromo to start the Active Directory Domain Services Installation Wizard in order to promote the server to a domain controller. Only a domain controller can be a global catalog server.

Reference:

http://technet.microsoft.com/en-us/library/cc728188.aspx

The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.

Question No: 203 – (Topic 3)

Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2).

You need to prevent all users from running an application named App1.exe. Which Group Policy settings should you configure?

  1. Application Compatibility

  2. AppLocker

  3. Software Installation

  4. Software Restriction Policies

Answer: D Explanation:

http://gpfaq.se/2007/09/30/how-to-using-software-restriction-policies/ How-to: Using Software Restriction Policies

Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

First thing to notice is that SRP is a very powerful tool so try in a test-environment before you apply it to users in production.

First you need to choose your default level which you do at Security Levels:

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

Default when you start using this, the default level is “Unrestricted” which allows all programs to run. Which means you can use SRP to block specific programs but the power is that you can change this so “Disallowed” is the default level which means you specify which programs you can run (all others are blocked) instead of blocking specific programs. So to start with change so “Disallowed” is default. Double-click on “Disallowed” and press the button “Set as Default”

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

This means that all clients affected by this policy now would be able to run anything except what you define as exclusions which you do at “Additional rules”:

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

As you can see in the above picture you have two default values already included. These two values are registry paths which makes all programs defined in these two registry paths to unrestricted which of course makes them available to run even if you selected “Disallowed” as your default choice in the above selection at “Security Levels”.

There are four different choices on how to enable/disable programs to run: Hash-rule

Path-rule

Network zone-rule Certificate-rule

The normal ones to use is HASH or PATH. HASH is always something you should prefer to use since if the user tries to run a program it looks at the hash-value and evaluates if you can run the program or not.

Sometimes when you have different versions of a program for example it might be a problem to use HASH, then you use PATH instead. Also if you don’t have the program installed in the same location on each computer but you know somewhere in the registry where it types the path to the program you can use PATH and use the registry location instead.

I will show you the two ways of allowing Windows Live Messenger to run Hash:

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

As what you can see above is that it takes the values from the executable and stores the hash-value of the file.

When someone tries to run the program the system evaluates this hash-value and compare it with the one you defined and then selecting if you can run the program or not. Path:

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

As you can see above is that you need to select the path to the executable. This path needs to be same on each computer you would like to use this on but of course you can use environment variables as I have done in the above picture. You could also use a registry location if you did know where the path to the program where stored.

You can of course also use this to block programs instead of allowing them. This is not really the preferred method on how to use SRP but fully functional.

On my computer I have “Unrestricted” as my default and I added an application on my desktop named radio.exe as “Disallowed”

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG So the result if I’m trying to run the file is:

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

As conclusion you can see that this is a powerful way of giving your users minimal rights in the system with the result that your users will have a large problem messing up the computer 🙂

This only covers some parts of SRP. For example local administrators also get these rules but that you can exclude in the “Enforcement” choice and also dll-files are excluded by default but you can change that too.

Make sure to try this in a safe environment before applying it to production as you might get a big headache if you have made some wrong turns in setting this up. 🙂

Question No: 204 – (Topic 3)

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.

You update a script in the SYSVOL folder.

You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script.

What should you do first?

  1. Run the Restore-ADObject cmdlet.

  2. Restore the system state to its original location.

  3. Restore the system state to an alternate location.

  4. Attach the VHD file created by Windows Server Backup.

Answer: D Explanation:

http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx Active Directory Backup and Restore in Windows Server 2008 NTBACKUP vs. Windows Server Backup

As an added bonus, Windows Server Backup stores its backup images in Microsoft庐 Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file is on it. (A note of caution: you can#39;t take a backup image and boot a virtual machine from it. Since the backed-up

hardware configuration doesn#39;t correspond to the virtual machine#39;s configuration, you can#39;t use Windows Server Backup as a physical-to-virtual migration tool.)

Question No: 205 – (Topic 3)

You have an enterprise subordinate certification authority (CA). You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.

What should you do?

  1. Add Group1 to the local Administrators group.

  2. Add Group1 to the Certificate Publishers group.

  3. Assign the Manage CA permission to Group1.

  4. Assign the Issue and Manage Certificates permission to Group1.

Answer: C

Reference:

http://technet.microsoft.com/en-us/library/cc732590.aspx

Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules.

Revoking certificates is an activity of the Certificate Manager role.

Question No: 206 – (Topic 3)

Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to modify the custom attribute value of 500 user accounts.

Which tool should you use?

  1. Csvde

  2. Dsmod

  3. Dsrm

  4. Ldifde

Answer: D Explanation:

We cannot use Dsmod here, because it supports only a subset of commonly used object class attributes.

Csvde can only import and export data.

Dsrm is used to delete objects from the directory. Reference:

http://technet.microsoft.com/en-us/library/cc731033.aspx Ldifde

Creates, modifies, and deletes directory objects.

Question No: 207 – (Topic 3)

Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the domain.

The information must be consolidated on one list.

Which command should you run on each domain controller?

  1. Wecutil.exe qc

  2. Wevtutil.exe gli

  3. Winrm.exe quickconfig

  4. Winrshost.exe

    Answer: C Explanation:

    http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote- managementtroubleshooting.aspx

    WinRM (Windows Remote Management) Troubleshooting What is WinRM?

    New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM amp; WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service.

    WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell) is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system.

    How to install WinRM

    The WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Interent Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered. (Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008)

    • The WinRM service starts automatically on Windows Server 2008.

    • On Windows Vista, the service must be started manually. How to configure WinRM

    To set the default configuration type:

    winrm quickconfig (or the abbreviated version, winrm qc) ‘winrm qc’ performs the following operations:

    1. Starts the WinRM service and sets the service startup type to auto-start.

    2. Configures a listener for the ports that send and receive WS-Management protocol messages using either

      HTTP or HTTPS on any IP address.

    3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS.

      (Note: Winrm quickconfig also configures Winrs default settings)

      Question No: 208 – (Topic 3)

      Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.

      You need to enable the Active Directory Recycle Bin. What should you use?

      1. the Dsmod tool

      2. the Enable-ADOptionalFeature cmdlet

      3. the Ntdsutil tool

      4. the Set-ADDomainMode cmdlet

Answer: B Explanation:

Similar question to question L/Q5. Reference:

http://technet.microsoft.com/en-us/library/dd379481.aspx Enabling Active Directory Recycle Bin

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active

Directory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)

Ldp.exe

Question No: 209 – (Topic 3)

Your network contains an Active Directory domain named contoso.com.

You need to create a central store for the Group Policy Administrative templates.

What should you do?

  1. Run dfsrmig.exe /createglobalobjects.

  2. Run adprep.exe /domainprep /gpprep.

  3. Copy the %SystemRoot%\PolicyDefinitions folder to the\\contoso.com\SYSVOL\contoso.com\Policiesfolder.

  4. Copy the %SystemRoot%\System32\GroupPolicy folder to the\\contoso.com\SYSVOL\contoso.com\Policies folder.

Answer: C Explanation:

http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstore Creating an ADMX central store for group policies

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. The Central Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain.

First on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and language template files in %SYSTEMROOT%\PolicyDefinitions need copying to

%SYSTEMROOT%\SYSVOL\domain

\Policies\PolicyDefinitions.

Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domain controllers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total).

xcopy /E quot;%SYSTEMROOT%\PolicyDefinitionsquot; quot;%SYSTEMROOT%\SYSVOL\domain\Policies

\PolicyDefinitions\quot;

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

Next ensure you have remote server administration tools (RSAT) installed on your client computer you are using to edit the GPO#39;s. This will need to be Windows Vista or Windows 7.

For Windows Vista enable the RSAT feature (GPMC).

For Windows 7 download and install RSAT then enable the RSAT feature (GPMC).

When editing a GPO in the GMPC you will find that the Administrative Templates show as quot;Policy Definitions

(ADMX files) retrieved from the central storequot;. This confirms it is working as expected.

Ensurepass 2018 PDF and VCE

C:\Documents and Settings\usernwz1\Desktop\1.PNG

Further information: http://support.microsoft.com/kb/929841/en-us

How to create the Central Store for Group Policy Administrative Template files in Windows

Vista

http://msdn.microsoft.com/en-us/library/bb530196.aspx Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc748955(v=ws.10).aspx Scenario 2: Editing Domain-Based GPOs Using ADMX Files

Question No: 210 – (Topic 3)

Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.

Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.

Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.

You need to ensure that the G_Marketing members can access the folder from the network.

What should you do?

  1. From Windows Explorer, modify the NTFS permissions of the folder.

  2. From Windows Explorer, modify the share permissions of the folder.

  3. From Active Directory Users and Computers, modify the computer object for Server1.

  4. From Active Directory Users and Computers, modify the group object for G_Marketing.

    Answer: C

    Reference:

    MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644

    After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.

    To assign this permission:

    1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.

    2. Open the properties of the computer to which trusted users should be allowed to authenticate-that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.

    3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.

      100% Ensurepass Free Download!
      Download Free Demo:70-640 Demo PDF
      100% Ensurepass Free Guaranteed!
      Download 2018 EnsurePass 70-640 Full Exam PDF and VCE

      EnsurePass ExamCollection Testking
      Lowest Price Guarantee Yes No No
      Up-to-Dated Yes No No
      Real Questions Yes No No
      Explanation Yes No No
      PDF VCE Yes No No
      Free VCE Simulator Yes No No
      Instant Download Yes No No


Leave a Reply

Your email address will not be published. Required fields are marked *

  • Categories

  • Tags

  • Hot Exams

  • Hot Exams

  • Hot Catageories

  • microsoft dumps

    62-193 Dumps
    70-243 Dumps
    70-246 Dumps
    70-247 Dumps
    70-331 Dumps
    70-332 Dumps
    70-333 Dumps
    70-334 Dumps
    70-339 Dumps
    70-341 Dumps
    70-342 Dumps
    70-345 Dumps
    70-346 Dumps
    70-347 Dumps
    70-348 Dumps
    70-354 Dumps
    70-355 Dumps
    70-357 Dumps
    70-383 Dumps
    70-384 Dumps
    70-385 Dumps
    70-398 Dumps
    70-410 Dumps
    70-411 Dumps
    70-412 Dumps
    70-413 Dumps
    70-414 Dumps
    70-417 Dumps
    70-461 Dumps
    70-462 Dumps
    70-463 Dumps
    70-464 Dumps
    70-465 Dumps
    70-466 Dumps
    70-467 Dumps
    70-469 Dumps
    70-470 Dumps
    70-473 Dumps
    70-475 Dumps
    70-480 Dumps
    70-481 Dumps
    70-482 Dumps
    70-483 Dumps
    70-484 Dumps
    70-485 Dumps
    70-486 Dumps
    70-487 Dumps
    70-488 Dumps
    70-489 Dumps
    70-490 Dumps
    70-491 Dumps
    70-492 Dumps
    70-494 Dumps
    70-496 Dumps
    70-497 Dumps
    70-498 Dumps
    70-499 Dumps
    70-517 Dumps
    70-532 Dumps
    70-533 Dumps
    70-534 Dumps
    70-535 Dumps
    70-537 Dumps
    70-640 Dumps
    70-642 Dumps
    70-646 Dumps
    70-673 Dumps
    70-680 Dumps
    70-681 Dumps
    70-682 Dumps
    70-684 Dumps
    70-685 Dumps
    70-686 Dumps
    70-687 Dumps
    70-688 Dumps
    70-689 Dumps
    70-692 Dumps
    70-694 Dumps
    70-695 Dumps
    70-696 Dumps
    70-697 Dumps
    70-698 Dumps
    70-703 Dumps
    70-705 Dumps
    70-713 Dumps
    70-734 Dumps
    70-735 Dumps
    70-740 Dumps
    70-741 Dumps
    70-742 Dumps
    70-743 Dumps
    70-744 Dumps
    70-745 Dumps
    70-761 Dumps
    70-762 Dumps
    70-764 Dumps
    70-765 Dumps
    70-767 Dumps
    70-768 Dumps
    70-773 Dumps
    70-774 Dumps
    70-775 Dumps
    70-776 Dumps
    70-778 Dumps
    70-779 Dumps
    70-980 Dumps
    70-981 Dumps
    70-982 Dumps
    74-343 Dumps
    74-344 Dumps
    74-409 Dumps
    74-678 Dumps
    74-697 Dumps
    77-418 Dumps
    77-419 Dumps
    77-420 Dumps
    77-421 Dumps
    77-422 Dumps
    77-423 Dumps
    77-424 Dumps
    77-425 Dumps
    77-426 Dumps
    77-427 Dumps
    77-428 Dumps
    77-600 Dumps
    77-601 Dumps
    77-602 Dumps
    77-603 Dumps
    77-604 Dumps
    77-605 Dumps
    77-725 Dumps
    77-726 Dumps
    77-727 Dumps
    77-728 Dumps
    77-729 Dumps
    77-730 Dumps
    77-731 Dumps
    77-853 Dumps
    77-881 Dumps
    77-882 Dumps
    77-883 Dumps
    77-884 Dumps
    77-885 Dumps
    77-886 Dumps
    77-887 Dumps
    77-888 Dumps
    77-891 Dumps
    98-349 Dumps
    98-361 Dumps
    98-362 Dumps
    98-363 Dumps
    98-364 Dumps
    98-365 Dumps
    98-366 Dumps
    98-367 Dumps
    98-368 Dumps
    98-369 Dumps
    98-372 Dumps
    98-373 Dumps
    98-374 Dumps
    98-375 Dumps
    98-379 Dumps
    98-380 Dumps
    98-381 Dumps
    98-382 Dumps
    98-383 Dumps
    98-388 Dumps
    AZ-100 Dumps
    AZ-101 Dumps
    AZ-102 Dumps
    INF-203x Dumps
    INF-204x Dumps
    INF-205x Dumps
    INF-206x Dumps
    MB2-700 Dumps
    MB2-701 Dumps
    MB2-702 Dumps
    MB2-703 Dumps
    MB2-704 Dumps
    MB2-706 Dumps
    MB2-707 Dumps
    MB2-708 Dumps
    MB2-709 Dumps
    MB2-710 Dumps
    MB2-711 Dumps
    MB2-712 Dumps
    MB2-713 Dumps
    MB2-714 Dumps
    MB2-715 Dumps
    MB2-716 Dumps
    MB2-717 Dumps
    MB2-718 Dumps
    MB2-719 Dumps
    MB2-877 Dumps
    MB5-705 Dumps
    MB6-700 Dumps
    MB6-701 Dumps
    MB6-702 Dumps
    MB6-703 Dumps
    MB6-704 Dumps
    MB6-705 Dumps
    MB6-884 Dumps
    MB6-885 Dumps
    MB6-886 Dumps
    MB6-889 Dumps
    MB6-890 Dumps
    MB6-892 Dumps
    MB6-893 Dumps
    MB6-894 Dumps
    MB6-895 Dumps
    MB6-896 Dumps
    MB6-897 Dumps
    MB6-898 Dumps