2026 New 70-640 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/70-640/
Study guide for exam 70-640, TS: Windows Server 2008 Active Directory, Configuring.
Free demo questions for Microsoft 70-640 Exam Dumps Below:
NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1.
You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
Which command should you run?
- A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
- B. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forest
- C. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1
- D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc772069.aspx
dnscmd /config
Changes values in the registry for the DNS server and individual zones. Accepts server-level settings and zone-level settings.
Parameter: /enableglobalnamessupport {0|1}
Enables or disables support for the GlobalNames zone. The GlobalNames zone supports resolution of single-label DNS names across a forest.
0: Disables support for the GlobalNames zone. When you set the value of this command to 0, the DNS Server service does not resolve single-label names in the GlobalNames zone.
1: Enables support for the GlobalNames zone. When you set the value of this command to 1, the DNS Server service resolves single-label names in the GlobalNames zone.
NEW QUESTION 2
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server1 to support the Online Responder.
What should you do?
- A. Import the enterprise root CA certificate.
- B. Configure the Certificate Revocation List Distribution Point extension.
- C. Configure the Authority Information Access (AIA) extension.
- D. Add the Server2 computer account to the CertPublishers group.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732526.aspx
Configure a CA to Support OCSP Responders
To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.
Configuring a certification authority (CA) to support OCSP responder services includes the following steps:
1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.
2. Configure enrollment permissions for any computers that will be hosting Online Responders.
3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.
NEW QUESTION 3
Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering.
You need to create a password policy for the engineering department that is different from your domain password policy.
What should you do?
- A. Create a new GPO. Link the GPO to the Engineering OU.
- B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.
- C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group.
- D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computer console, select the group and run the Delegation of Control Wizard.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc736813(WS.10).aspx
TechNet: Linking GPOs
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.
http://technet.microsoft.com/en-us/library/cc779159(WS.10).aspx
TechNet: Establishing Group Policy Operational Guidelines
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
Step 2
Edit the “Domain Password Policy” GPO, go to Computer Configurations > Policies > Windows Settings > Security Settings > Account Policy > Password Policy, and configure the password policy settings to the configuration you desire.
Step 3
Once you have configured the password policy settings, make the “Domain Password Policy” GPO the highest in the Linked GPO processing order.
TIP: Make sure you inform all your users when you are going to do this, as it may trigger them to change their password the next time they log on.
Done… told you it was easy….
Note: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know this is the only exception to the rule as to how GPOs apply to objects. As you can see in the image below, the “Minimum password length” in the “Domain Password Policy” GPO is still applied to the domain controller even though I have another GPO linked to the “Domain Controllers” OU configuring the same setting.
For a better explanation as to why the GPO that is linked to the Domain and not the Domain Controllers is used for the password policy for all users check out Jorge’s Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout- policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx)
How to set a Fine Grain Password Policy
Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password polices for the users in your environment was to have separate domains… OUCH!
Pre-Requisites/Restrictions
Your domain must be Windows Server 2008 Native Mode; this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selecting “Raise domain functional level” on the top of the domain in Active Directory Users and Computers.
Explanation
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
AD DS: Fine-Grained Password Policies
The domain functional level must be Windows Server 2008.
The other restriction with this option is that you can only apply FGPP to user objects or users in global security groups (not computers).
Explanation
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
AD DS: Fine-Grained Password Policies
Fine-grained password policies apply only to user objects … and global security groups.
TIP: If you set up an “Automatic Shadow Group (http://policelli.com/blog/archive/2008/01/15/manage-shadowgroups-in-windows-server-2008/)” you can apply these password policies automatically to any users located in an OU.
Creating a Password Setting Object (PSO)
Step 1
Under Administrator Tools, open ADSI Edit and connect it to the domain and domain controller where you want to set up the new password policy.
Note: If you do not see this option, go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will also need RSAT installed if you are on Windows 7.)
Step 2
Double click on “CN=DomainName”, then double click on “CN=System”, and then double click on “CN=Password Settings Container”.
Step 3
Right click on “CN=Password Settings Container”, then click on “New” and then “Object”.
Step 4
Click on “Next”
Step 5
Type the name of the PSO in the “Value” field and then click “Next”
Note: With the exception of the password length, the following values are all the same as the default values in the “Default Domain Policy”.
Step 6
Type in a number that will be the Precedence for this Password Policy, then click “Next”.
Note: This is used if a user has multiple Password Settings Objects (PSOs) applied to them.
Step 7
Type “FALSE” in the “Value” field and click “Next”
Note: You should almost never use “TRUE” for this setting.
Step 8
Type “24” in the “Value” field and click “Next”
Step 9
Type “TRUE” in the “Value” field and click “Next”
Step 10
Type “5” in the “Value” field and click “Next”
Step 11
Type “1:00:00:00” in the “Value” field and click “Next”
Step 12
Type “42:00:00:00” in the “Value” field and click “Next”
Step 13
Type “10” in the “Value” field and click “Next”
Step 14
Type “0:00:30:00” in the “Value” field and click “Next”
Step 15
Type “0:00:33:00” in the “Value” field and click “Next”
Step 16
Click “Finish”
You have now created the Password Settings Object (PSO) and you can close the ADSIEdit tool.
Now to apply the PSO to a user or group…
Step 17
Open Active Directory Users and Computers and navigate to “System > Password Settings Container”
Note: Advanced Mode needs to be enabled.
Step 18
Double click on the PSO you created, then click on the “Attribute Editor” tab, select the “msDS-PSOAppliedTo” attribute and click “Edit”
Step 19
Click the “Add Windows Accounts….” button.
Step 20
Select the user or group you want to apply this PSO to and click “OK”
Step 21
Click “OK”
Step 22
Click “OK”
And you are done… (told you it was hard).
Fine Grain Password Policies, as you can see, are very difficult to set up and manage, so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or extra complicated password, then at least it gives you a way to do this without having to spin up another domain.
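The 22 ADSI Edit steps above can also be scripted with the ActiveDirectory module that ships with Windows Server 2008 R2. The following is an added example, not part of the original walkthrough: the PSO name, group name and precedence number are placeholders, and the mapping of each wizard value to a cmdlet parameter is an assumption based on the order in which ADSI Edit prompts for the PSO attributes.

```powershell
# Added example (not from the original walkthrough). Requires the ActiveDirectory
# module and rights to create objects in the Password Settings Container.
Import-Module ActiveDirectory

# Placeholders: choose your own names and precedence.
$psoName    = 'Engineering-PSO'
$groupName  = 'Engineering-Users'
$precedence = 10    # Step 6 leaves the number to you; lower wins when several PSOs apply

# Pre-requisite from the text: domain functional level Windows Server 2008 or later.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ((Get-ADDomain).DomainMode -lt $minMode) {
    throw 'Domain functional level is below Windows Server 2008; PSOs are not supported.'
}

# Restriction from the text: a PSO applies only to users and global security groups.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group."
}

# Steps 5-16: create the PSO with the values typed into the wizard.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence $precedence `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -MinPasswordLength 5 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 42) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 33)
}

# Steps 17-22: link the PSO to the group (this writes msDS-PSOAppliedTo).
# Skip the call if the group is already linked, so the script can be re-run.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Where-Object { $_.DistinguishedName -eq $group.DistinguishedName }
if (-not $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Check: list which PSO actually wins for each direct user member of the group.
# A user covered by another PSO with a lower precedence number shows that PSO instead.
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User         = $_.SamAccountName
            EffectivePSO = if ($effective) { $effective.Name } else { '(domain policy)' }
        }
    }
```

The final check matters when a user sits in more than one group with a PSO: the resultant policy, not the group membership, tells you which password and lockout settings that account is really held to.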
NEW QUESTION 4
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?
- A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.
- B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
- C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.
- D. On both servers, modify the interface that the DNS server listens on.
Answer: B
Explanation:
Answer: Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
http://technet.microsoft.com/en-us/library/cc771150.aspx
Change the Zone Type
You can use this procedure to make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
- DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
- Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
- By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
- Directory-integrated replication is faster and more efficient than standard DNS replication.
http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx
Deploy IPsec Policy to DNS Servers
You can deploy IPsec rules through one of the following mechanisms:
- Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier.
- DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers.
- Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally.
http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx
Deploying Secure DNS
Protecting DNS Servers
When the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:
- Use IPsec between DNS clients and servers.
- Monitor network activity.
- Close all unused firewall ports.
Implementing IPsec Between DNS Clients and Servers
IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network.
When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server.
Further information:
http://technet.microsoft.com/en-us/library/cc771898.aspx
Understanding Zone Types
The DNS Server service provides for three types of zones:
- Primary zone
- Secondary zone
- Stub zone
Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS.
The following sections describe each of these zone types:
Primary zone
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
Stub zone
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.
You can use stub zones to:
- Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
- Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace.
- Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
- The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
- The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/
Answered: what is non-standard dns secondary zone?
Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone". From the context of other questions I understood that "standard", in context of primary zone, mean "non-AD-integrated".
A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file.
Q: What does "standard" mean in context of DNS secondary zone?
A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is stored in a text file, which can be found in system32\dns.
NEW QUESTION 5
Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
- A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
- B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
- C. Add the new UPN suffix to the forest.
- D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Answer: C
Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add UPN Suffixes to a Forest
Adding a UPN Suffix to a Forest
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest. Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
NEW QUESTION 6
Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web.
You configure and test new security settings for Internet Information Service (IIS) Servers on a server named IISServerA.
You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit.
What should you do?
- A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /db webou.inf from the command prompt.
- B. Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit.
- C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt.
- D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.
Answer: B
Explanation:
http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates
Using Secedit To Apply Security Templates
Secedit /configure /db secedit.sdb /cfg "c:\temp\custom.inf" /silent >nul
This command imports a security template file, “custom.inf”, into the workstation’s or server’s local security database. /db must be specified. When specifying the default security database (secedit.sdb), I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option suppresses any pop-ups and the >nul hides the command line output stating success or failure of the action.
NEW QUESTION 7
HOTSPOT
Your network contains two Active Directory forests named contoso.com and fabrikam.com.
Each forest contains one domain. A two-way forest trust exists between the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.
To which group should you add the users?
To answer, select the appropriate group in the answer area. 
Answer:
Explanation: 
NEW QUESTION 8
Your network contains an Active Directory forest.
You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network.
You create a Windows PowerShell script named new-users.ps1 that contains the following lines:
new-aduser user1
new-aduser user2
new-aduser user3
new-aduser user4
new-aduser user5
On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts.
You need to ensure that the script creates the user accounts. Which cmdlet should you add to the script?
- A. Import-Module
- B. Register-ObjectEvent
- C. Set-ADDomain
- D. Set-ADUser
Answer: A
Explanation:
http://blog.coretech.dk/jgs/powershell-creating-new-users-from-csv-with-password-and-enabled-accounts-orhow-to-pipe-into-multiple-cmdlets/
PowerShell: Creating new users from CSV with password and enabled accounts or How to Pipe into multiple cmdlets
Import-Module ActiveDirectory
Import-Csv e:\users\newusers.csv |
New-ADUser -Path "ou=test1,dc=contoso,dc=com" -PassThru |
ForEach-Object {
$_ | Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)   # single quotes keep $$ from being expanded as a variable
$_ | Enable-ADAccount }
NEW QUESTION 9
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
- A. Ldp
- B. Repadmin
- C. Ntdsutil
- D. Nslookup
- E. Active Directory Sites And Services console
- F. Active Directory Domains And Trusts console
- G. Dnslint
- H. Dnscmd
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc811569.aspx
Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all replication partners.
Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]
Parameters
<DC>: Specifies the host name of the domain controller to synchronize with all replication partners.
<NamingContext>: Specifies the distinguished name of the directory partition.
<Flags>: Performs specific actions during the replication.
NEW QUESTION 10
Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.
You add a logoff script to an existing Group Policy object (GPO).
You need to verify that each domain controller successfully replicates the updated group policy. Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)
- A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
- B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
- C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
- D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
Answer: AD
Explanation:
http://technet.microsoft.com/en-us/library/cc784268%28v=ws.10%29.aspx How Core Group Policy Works
The Gpt.ini File
The Gpt.ini file is located at the root of each Group Policy template. Each Gpt.ini file contains GPO version information. Except for the Gpt.ini files created for the default GPOs, a display name value is also written to the file. Each Gpt.ini file contains the GPO version number of the Group Policy template.
[General]
Version=65539
Normally, this is identical to the version-number property of the corresponding GroupPolicyContainer object. It is encoded in the same way, as a decimal representation of a 4 byte hexadecimal number, the upper two bytes of which contain the GPO user settings version and the lower two bytes contain the computer settings version. In this example the version is equal to 10003 hexadecimal, giving a user settings version of 1 and a computer settings version of 3.
Storing this version number in the Gpt.ini allows the CSEs to check if the client is out of date to the last processing of policy settings or if the currently applied policy settings (cached policies) are up-to-date. If the cached version is different from the version in the Group Policy template or Group Policy container, then policy settings will be reprocessed.
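The check the question asks for, comparing gpt.ini in SYSVOL with the versionNumber attribute of the Group Policy container on every domain controller, can be scripted. This is an added example, not taken from the exam material or from TechNet; the GPO GUID is a placeholder, and the script assumes the ActiveDirectory module and read access to each domain controller's SYSVOL share.

```powershell
# Added example (not from the original page).
Import-Module ActiveDirectory

# Placeholder: replace with the GUID of the GPO that was edited.
$gpoGuid = '{00000000-0000-0000-0000-000000000000}'

function Split-GpoVersion {
    param([int]$Version)
    # Upper two bytes: user settings version. Lower two bytes: computer settings version.
    # The value from the text, 65539 (0x10003), gives user 1 and computer 3.
    New-Object PSObject -Property @{
        User     = [int][math]::Floor($Version / 65536)
        Computer = $Version -band 0xFFFF
    }
}

$domain = Get-ADDomain
$gpcDn  = "CN=$gpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = New-Object PSObject -Property @{
        DC = $dc.HostName; GpcVersion = $null; GptVersion = $null; Error = $null
    }
    try {
        # Group Policy container: versionNumber in this DC's copy of the directory
        # (arrives through AD replication).
        $gpc = Get-ADObject -Identity $gpcDn -Server $dc.HostName `
                            -Properties versionNumber -ErrorAction Stop
        $row.GpcVersion = [int]$gpc.versionNumber

        # Group Policy template: Version= line in this DC's copy of gpt.ini
        # (arrives through SYSVOL replication, independently of the directory).
        $ini = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$gpoGuid\gpt.ini"
        $hit = Select-String -Path $ini -Pattern '^\s*Version\s*=\s*(\d+)' -ErrorAction Stop |
               Select-Object -First 1
        if (-not $hit) { throw "No Version= line found in $ini" }
        $row.GptVersion = [int]$hit.Matches[0].Groups[1].Value
    }
    catch {
        $row.Error = $_.Exception.Message
    }
    $row
}

# The highest container version seen anywhere is treated as the current one.
$expected = ($report | Where-Object { $null -ne $_.GpcVersion } |
             Measure-Object -Property GpcVersion -Maximum).Maximum

$report | ForEach-Object {
    $state = if ($_.Error) { 'ERROR' }
             elseif ($_.GpcVersion -eq $expected -and $_.GptVersion -eq $expected) { 'OK' }
             elseif ($_.GpcVersion -ne $_.GptVersion) { 'GPC/GPT MISMATCH' }
             else { 'STALE' }
    $parts = if ($null -ne $_.GptVersion) { Split-GpoVersion $_.GptVersion } else { $null }
    New-Object PSObject -Property @{
        DC          = $_.DC
        State       = $state
        GpcVersion  = $_.GpcVersion
        GptVersion  = $_.GptVersion
        UserVer     = if ($parts) { $parts.User } else { $null }
        ComputerVer = if ($parts) { $parts.Computer } else { $null }
        Error       = $_.Error
    }
} | Format-Table DC, State, GpcVersion, GptVersion, UserVer, ComputerVer, Error -AutoSize
```

A logoff script is a user setting, so after the change described in the question the user half of the version is the part expected to increase on every domain controller.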
NEW QUESTION 11
You are the administrator of an organization with a single Active Directory domain.
A user who left the company returns after 16 weeks.
The user tries to log onto their old computer and receives an error stating that
authentication has failed.
The user's account has been enabled.
You need to ensure that the user is able to log onto the domain using that computer.
What do you do?
- A. Reset the computer account in Active Directory.
- B. Disjoin the computer from the domain and then rejoin the computer to the domain.
- C. Run the ADadd command to rejoin the computer account.
- D. Run the MMC utility on the user's computer and add the Domain Computers snap-in.
- E. Re-create the user account and reconnect the user account to the computer account.
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx
Trust Relationship between Workstation and Primary Domain failed
What are the common causes which generates this message on client systems?
There might be multiple reasons for this kind of behaviour. Below are listed a few of them:
1. Single SID has been assigned to multiple computers.
2. If the Secure Channel is Broken between Domain controller and workstations
3. If there are no SPN or DNSHost Name mentioned in the computer account attributes
4. Outdated NIC Drivers.
How to Troubleshoot this behaviour?
2. If the Secure Channel is Broken between Domain controller and workstations
When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. If there are problems with system time, DNS configuration or other settings, secure channel’s password between Workstation and DCs may not synchronize with each other.
A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.
Resolution: Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain. (This is a somewhat similar principle to performing a password reset for a user account.) Or you can go ahead and reset the computer account using the netdom.exe tool.
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
You can use netdom to:
Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
Manage computer accounts for domain member workstations and member servers.
Management operations include:
Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
Verify or reset the secure channel for the following configurations:
* Member workstations and servers.
* Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
* Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.
Manage trust relationships between domains.
Syntax
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx
Netdom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]
Further information:
http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx
Netdom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>] <User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]
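An added example, not taken from the TechNet pages quoted above: a PowerShell function that verifies the member's secure channel first and only then runs the netdom reset command described above. The function name and the sample parameter values are hypothetical; Test-ComputerSecureChannel and NETLOGON event 3210 are standard Windows components that the quoted pages do not mention.

```powershell
# Added example (not from the quoted TechNet text). Run elevated on the affected member.
# netdom.exe must be present (AD DS role or RSAT, as noted above).
function Repair-MemberSecureChannel {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Domain,     # e.g. contoso.com (sample value)
        [Parameter(Mandatory=$true)][string]$Server,     # DC to verify against (sample value)
        [Parameter(Mandatory=$true)][string]$AdminUser   # account allowed to reset the computer account
    )

    # Returns $true when the local machine account password is accepted by the DC.
    if (Test-ComputerSecureChannel -Server $Server) {
        Write-Output "Secure channel to $Server is healthy; no reset needed."
        return
    }

    # Collect evidence before changing anything: NETLOGON 3210 is logged on a
    # member that could not authenticate to a DC with its machine account.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 3210 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "netdom reset against $Server")) {
        # '/po:*' makes netdom prompt for the password instead of taking it on the command line.
        & netdom.exe reset $env:COMPUTERNAME "/domain:$Domain" "/server:$Server" "/uo:$AdminUser" '/po:*'
        if ($LASTEXITCODE -ne 0) {
            throw "netdom reset failed with exit code $LASTEXITCODE"
        }
    }

    # Confirm the result rather than trusting the exit code alone.
    if (-not (Test-ComputerSecureChannel -Server $Server)) {
        throw "Secure channel is still broken; unjoin and rejoin the computer to the domain."
    }
    Write-Output "Secure channel to $Server verified after reset."
}

# Sample invocation with constructed values; -WhatIf shows the action without running it.
# Repair-MemberSecureChannel -Domain 'contoso.com' -Server 'DC1.contoso.com' -AdminUser 'CONTOSO\admin1' -WhatIf
```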
NEW QUESTION 12
Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.
Active Directory services are running on a domain controller named CKDC1.
You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.
What should you do to perform offline critical updates on CKDC1 without rebooting the server?
- A. Start the Active Directory Domain Services on CKDC1
- B. Disconnect from the network and start the Windows update feature
- C. Stop the Active Directory domain services and install the update
- D. Start the Active Directory domain services after installing the update
- E. Stop Active Directory domain services and install update
- F. Disconnect from the network and then connect again
- G. None of the above
Answer: C
Explanation:
Personal comment: I don't believe you can avoid restarting the server when installing some (not all) updates
http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on-ckdc1-withoutrebooting-the-server/
To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. By stopping the Active Directory domain services, you don't need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1 so when you stop the Active Directory domain services and start it again after the installation of the updates, the Server will perform in a normal way.
NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1.
You need to view the most recent user accounts authenticated by RODC1.
What should you do first?
- A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now.
- B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now.
- C. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.
- D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.
Answer: C
Explanation: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx#BKMK_Auth2
To view authenticated accounts using Active Directory Users and Computers
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start.
In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.
3. Click Domain Controllers.
4. In the details pane, right-click the RODC computer account, and then click Properties.
5. Click the Password Replication Policy tab.
6. Click Advanced.
7. In the drop-down list, click Accounts that have been authenticated to this Read-only Domain Controller, as shown in the following illustration.
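The same view from the command line, as an added example that is not part of the quoted guidance: it queries a writable domain controller, as step 2 requires, and lists the accounts authenticated by the RODC together with whether their passwords are currently cached there. The function name is hypothetical, and the example assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) is installed.

```powershell
# Added example (not from the quoted guidance). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-RodcAuthenticatedAccountReport {
    param(
        [Parameter(Mandatory=$true)][string]$Rodc,        # RODC computer name, e.g. RODC1
        [Parameter(Mandatory=$true)][string]$WritableDc   # writable DC to query, e.g. DC1.contoso.com
    )

    # Accounts that have authenticated through the RODC.
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $Rodc -AuthenticatedAccounts -Server $WritableDc)

    # Accounts whose passwords are currently stored on the RODC.
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $Rodc -RevealedAccounts -Server $WritableDc)
    $cachedDns = @($revealed | ForEach-Object { $_.DistinguishedName })

    foreach ($account in $authenticated) {
        # adminCount = 1 marks accounts that are, or have been, in a protected
        # (privileged) group; these should not be authenticating through a branch RODC.
        $obj = Get-ADObject -Identity $account.DistinguishedName `
            -Properties adminCount -Server $WritableDc

        New-Object PSObject -Property @{
            Name                 = $account.Name
            ObjectClass          = $account.ObjectClass
            PasswordCachedOnRodc = ($cachedDns -contains $account.DistinguishedName)
            Protected            = ($obj.adminCount -eq 1)
        }
    }
}

# Names taken from the question: RODC1 is the RODC, DC1 the writable domain controller.
Get-RodcAuthenticatedAccountReport -Rodc 'RODC1' -WritableDc 'DC1.contoso.com' |
    Sort-Object Protected, PasswordCachedOnRodc -Descending |
    Format-Table Name, ObjectClass, PasswordCachedOnRodc, Protected -AutoSize
```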
NEW QUESTION 14
Your network contains an Active Directory domain named fabrikam.com. The domain has one Active Directory site.
The domain contains an organizational unit (OU) named SalesOU. SalesOU contains all of the user accounts for the sales department. Some of the sales users are temporary employees.
You apply a Group Policy object (GPO) named SalesGPO to SalesOU.
You need to prevent SalesGPO from being applied to the temporary sales employees. All other sales employees must have SalesGPO applied to them.
What should you do?
- A. Configure the permissions on the user accounts of the temporary sales employees.
- B. Configure the permissions of SalesGPO.
- C. Link SalesGPO to the site and remove the link for SalesGPO from SalesOU.
- D. Disable the computer configurations of SalesGPO.
Answer: B
NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com.
The aging and scavenging settings of the contoso.com zone are configured as shown in the exhibit. (Click the Exhibit button.) 
To answer, complete each statement according to the information presented in the exhibit. 
Answer:
Explanation: 
NEW QUESTION 16
Your company hires 10 new employees.
You want the new employees to connect to the main office through a VPN connection.
You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office.
The new employees are unable to access shared resources in the main office.
You need to ensure that users are able to establish a VPN connection to the main office.
What should you do?
- A. Grant the new employees the Allow Access Dial-in permission.
- B. Grant the new employees the Allow Full control permission.
- C. Add the new employees to the Remote Desktop Users security group.
- D. Add the new employees to the Windows Authorization Access security group.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
Dial-in properties of a user account
The dial-in properties for a user account are:
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt.
NEW QUESTION 17
DRAG DROP
Your company plans to open a new branch office. The new office will have a low-speed connection to the Internet.
You plan to deploy a read-only domain controller (RODC) in the branch office.
You need to create an offline copy of the Active Directory database that can be used to install Active Directory on the new RODC.
Which commands should you run from Ntdsutil?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. 
Answer:
Explanation: 