[Free] 2018(June) Ensurepass Microsoft 70-640 Dumps with VCE and PDF 201-210

2018 May Microsoft Official New Released 70-640

Windows Server 2008 Active Directory, Configuring

Question No: 201 – (Topic 3)

You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.

You need to back up Active Directory Certificate Services on the CA. Which command should you run?

  1. certutil.exe backup

  2. certutil.exe backupdb

  3. certutil.exe backupkey

  4. certutil.exe store

Answer: B

Explanation:

Because a hardware security module (HSM) is used to store the private keys, the command certutil.exe -backup would fail, since we cannot extract the private keys from the module. The HSM vendor should provide a proprietary procedure for backing up the key material.

The given commands are:

certutil -backup: Backup set includes the certificate database, the CA certificate and the CA key pair.

certutil -backupdb: Backup set only includes the certificate database.

certutil -backupkey: Backup set only includes the CA certificate and the CA key pair.

certutil -store: Provides a dump of the certificate store onscreen.

Since we cannot extract the keys from the HSM we have to use backupdb.

Reference 1:

Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215, for the commands listed above.

Reference 2:


Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.


Certutil <-parameter> [-parameter]

Parameter: -backupdb

Backup the Active Directory Certificate Services database

Reference 3:

http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/
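The following PowerShell script is an added example, not code from the dump or from Microsoft, that shows the database-only backup the explanation above argues for, run on a CA whose private key lives in an HSM. The backup root path is an assumption; the certificate database layout it checks (an .edb file under a DataBase subfolder) is what certutil -backupdb writes.

```powershell
# Added example (not from the dump or Microsoft): back up only the AD CS
# database of a CA whose private key lives in an HSM, then verify the set.
# Assumes it runs elevated on the CA; the backup root path is a placeholder.
param(
    [string]$BackupRoot = 'D:\CABackup'   # assumption: a local, ACL-restricted path
)

# certutil refuses to write into a non-empty directory, so use a fresh timestamped folder.
$target = Join-Path $BackupRoot (Get-Date -Format 'yyyy-MM-dd_HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# -backupdb writes the certificate database and its log files only; the key pair
# stays inside the HSM, so there is nothing for certutil to export (and no
# PKCS#12 password is needed, unlike -backup / -backupkey).
& certutil.exe -backupdb $target
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# Sanity check: the backup set must contain the ESE database (*.edb) under DataBase\
$edb = Get-ChildItem -Path (Join-Path $target 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $edb) { throw "No .edb file found in $target\DataBase" }
"Database backup written: $($edb.FullName) ($([math]::Round($edb.Length / 1MB, 1)) MB)"

# The CA's registry configuration (CRL periods, AIA/CDP URLs, policy modules) is not
# part of -backupdb; export it alongside so a rebuild has everything except the HSM key.
$regFile = Join-Path $target 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
"Registry configuration exported: $regFile"
```

Restoring this set later is the mirror image (certutil -restoredb) plus re-attaching the HSM key through the vendor's own procedure; the registry export is what lets you confirm the CRL and AIA settings survived the rebuild.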

Question No: 202 – (Topic 3)

Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2.

You need to configure Server1 as a global catalog server. What should you do?

  1. Modify the Active Directory schema.

  2. From Ntdsutil, use the Roles option.

  3. Run the Active Directory Domain Services Installation Wizard on Server1.

  4. Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Answer: C

Explanation:

Now it's just a member server, so you'll have to run dcpromo to start the Active Directory Domain Services Installation Wizard in order to promote the server to a domain controller. Only a domain controller can be a global catalog server.



The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication.

Question No: 203 – (Topic 3)

Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2).

You need to prevent all users from running an application named App1.exe. Which Group Policy settings should you configure?

  1. Application Compatibility

  2. AppLocker

  3. Software Installation

  4. Software Restriction Policies

Answer: D

Explanation:

http://gpfaq.se/2007/09/30/how-to-using-software-restriction-policies/

How-to: Using Software Restriction Policies

Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.


First thing to notice is that SRP is a very powerful tool so try in a test-environment before you apply it to users in production.

First you need to choose your default level which you do at Security Levels:


By default, when you start using this, the default level is “Unrestricted”, which allows all programs to run. This means you can use SRP to block specific programs, but the power is that you can change this so “Disallowed” is the default level, which means you specify which programs can run (all others are blocked) instead of blocking specific programs. So to start with, change it so that “Disallowed” is the default. Double-click on “Disallowed” and press the button “Set as Default”.


This means that all clients affected by this policy now would be able to run anything except what you define as exclusions which you do at “Additional rules”:


As you can see in the above picture, you have two default values already included. These two values are registry paths, which set all programs defined in these two registry paths to unrestricted, which of course makes them available to run even if you selected “Disallowed” as your default choice in the above selection at “Security Levels”.

There are four different choices on how to enable/disable programs to run:

• Hash-rule

• Path-rule

• Network zone-rule

• Certificate-rule

The normal ones to use are HASH or PATH. HASH is always something you should prefer to use, since if the user tries to run a program it looks at the hash value and evaluates whether you can run the program or not.

Sometimes when you have different versions of a program for example it might be a problem to use HASH, then you use PATH instead. Also if you don’t have the program installed in the same location on each computer but you know somewhere in the registry where it types the path to the program you can use PATH and use the registry location instead.

I will show you the two ways of allowing Windows Live Messenger to run.

Hash:


As you can see above, it takes the values from the executable and stores the hash value of the file.

When someone tries to run the program, the system evaluates this hash value, compares it with the one you defined and then decides whether you can run the program or not.

Path:


As you can see above, you need to select the path to the executable. This path needs to be the same on each computer you would like to use this on, but of course you can use environment variables as I have done in the above picture. You could also use a registry location if you knew where the path to the program was stored.

You can of course also use this to block programs instead of allowing them. This is not really the preferred method on how to use SRP but fully functional.

On my computer I have “Unrestricted” as my default and I added an application on my desktop named radio.exe as “Disallowed”

So the result if I’m trying to run the file is:


In conclusion, you can see that this is a powerful way of giving your users minimal rights in the system, with the result that your users will have a large problem messing up the computer 🙂

This only covers some parts of SRP. For example local administrators also get these rules but that you can exclude in the “Enforcement” choice and also dll-files are excluded by default but you can change that too.

Make sure to try this in a safe environment before applying it to production as you might get a big headache if you have made some wrong turns in setting this up. 🙂
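Before trusting what the GUI shows, a practitioner usually wants to read the SRP settings that are actually applied on a client. The PowerShell script below is an added example, not part of the quoted how-to or the dump: it reads the Safer\CodeIdentifiers policy key that the Group Policy client writes and prints the default level, the enforcement options mentioned in the last paragraph (local administrators, DLL files) and every path and hash rule, so an unexpected exception stands out. The registry locations and the DefaultLevel values (0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted) are the documented SRP ones; everything else is plain reporting.

```powershell
# Added example (not from the quoted how-to): audit the Software Restriction
# Policies applied on this computer straight from the policy registry key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Documented DefaultLevel encoding; the same numbers name the rule subkeys.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) { "No SRP policy is applied to this computer."; return }

$cfg = Get-ItemProperty -Path $base
"Default level : $($levelNames[[int]$cfg.DefaultLevel]) ($($cfg.DefaultLevel))"
# PolicyScope 1 = 'All users except local administrators' (the Enforcement option)
"Applies to    : " + $(if ($cfg.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' })
# TransparentEnabled 2 = 'All software files' (DLLs checked), 1 = executables only
"DLL checking  : " + $(if ($cfg.TransparentEnabled -eq 2) { 'enabled (all software files)' } else { 'executables only' })
""

# Each level subkey holds Paths\{GUID} and Hashes\{GUID} rules (the "Additional rules").
foreach ($level in $levelNames.Keys) {
    foreach ($kind in 'Paths', 'Hashes') {
        $ruleKey = Join-Path $base "$level\$kind"
        if (-not (Test-Path $ruleKey)) { continue }
        Get-ChildItem -Path $ruleKey | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            if ($kind -eq 'Paths') {
                # ItemData is the path (may contain %ENV% variables or a registry path)
                "{0,-12} PATH  {1}" -f $levelNames[$level], $r.ItemData
            } else {
                # ItemData is the raw hash bytes; render as hex so it can be compared
                # with a hash of the file on disk. HashAlg 32771 = MD5, 32772 = SHA-1.
                $hex = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                "{0,-12} HASH  {1}  ({2}, {3} bytes, alg {4})" -f $levelNames[$level], $hex, $r.FriendlyName, $r.ItemSize, $r.HashAlg
            }
        }
    }
}
```

The two registry-path rules the how-to mentions (the ones that keep Windows and Program Files runnable) show up here under Unrestricted; anything else listed under Unrestricted when the default is Disallowed is an exception someone added and should be able to explain.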

Question No: 204 – (Topic 3)

Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.

You update a script in the SYSVOL folder.

You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script.

What should you do first?

  1. Run the Restore-ADObject cmdlet.

  2. Restore the system state to its original location.

  3. Restore the system state to an alternate location.

  4. Attach the VHD file created by Windows Server Backup.

Answer: D

Explanation:

http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx

Active Directory Backup and Restore in Windows Server 2008

NTBACKUP vs. Windows Server Backup

As an added bonus, Windows Server Backup stores its backup images in Microsoft® Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file on it. (A note of caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardware configuration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backup as a physical-to-virtual migration tool.)

Question No: 205 – (Topic 3)

You have an enterprise subordinate certification authority (CA). You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.

What should you do?

  1. Add Group1 to the local Administrators group.

  2. Add Group1 to the Certificate Publishers group.

  3. Assign the Manage CA permission to Group1.

  4. Assign the Issue and Manage Certificates permission to Group1.

Answer: C



Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules.

Revoking certificates is an activity of the Certificate Manager role.

Question No: 206 – (Topic 3)

Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to modify the custom attribute value of 500 user accounts.

Which tool should you use?

  1. Csvde

  2. Dsmod

  3. Dsrm

  4. Ldifde

Answer: D

Explanation:

We cannot use Dsmod here, because it supports only a subset of commonly used object class attributes.

Csvde can only import and export data.

Dsrm is used to delete objects from the directory.

Reference:

http://technet.microsoft.com/en-us/library/cc731033.aspx

Ldifde: Creates, modifies, and deletes directory objects.
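The reason Ldifde is the right answer is that it takes a change file, so one file can carry a modify record for every one of the 500 users. The PowerShell script below is an added example, not from the dump: it builds such an LDIF change file from a small constructed CSV (two rows stand in for the 500) and imports it with ldifde. The attribute name contosoCostCenter, the user DNs and the file paths are assumptions.

```powershell
# Added example (not from the dump): bulk-set a custom attribute with ldifde.
$attribute = 'contosoCostCenter'   # assumption: the custom schema attribute
$ldifPath  = 'C:\temp\update.ldf'  # assumption
$logDir    = 'C:\temp'             # assumption: where ldifde writes ldif.log / ldif.err

# Constructed sample input; in practice export the 500 users to a CSV with the same columns.
$csvText = @"
dn,value
"CN=Alice Example,OU=Users,DC=contoso,DC=com",CC-1001
"CN=Bob Example,OU=Users,DC=contoso,DC=com",CC-1002
"@
$rows = $csvText | ConvertFrom-Csv

# One LDIF change record per user: replace the attribute value, '-' ends the
# modification, and a blank line ends the record.
$lines = foreach ($row in $rows) {
    "dn: $($row.dn)"
    "changetype: modify"
    "replace: $attribute"
    "${attribute}: $($row.value)"
    "-"
    ""
}
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
# ASCII is enough for these DNs; use -Encoding Unicode if DNs contain non-ASCII characters.
$lines | Out-File -FilePath $ldifPath -Encoding ASCII
"Wrote $(@($rows).Count) change records to $ldifPath"

# -i import, -f change file, -k keep going past constraint/already-exists errors,
# -j log directory. Run as an account with write permission on the attribute.
& ldifde.exe -i -f $ldifPath -k -j $logDir
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE; see $logDir\ldif.err" }
```

Because the same file format is produced by ldifde -f on export, you can dump the 500 users first (ldifde -f users.ldf -r "(objectClass=user)" -l contosoCostCenter), keep that export as a rollback, and diff it against the change file before importing.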

Question No: 207 – (Topic 3)

Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the domain.

The information must be consolidated on one list.

Which command should you run on each domain controller?

  1. Wecutil.exe qc

  2. Wevtutil.exe gli

  3. Winrm.exe quickconfig

  4. Winrshost.exe

Answer: C

Explanation:

http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-managementtroubleshooting.aspx

WinRM (Windows Remote Management) Troubleshooting

What is WinRM?

New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM & WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service.

WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell) is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system.

How to install WinRM

The WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Internet Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered. (Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008)

• The WinRM service starts automatically on Windows Server 2008.

• On Windows Vista, the service must be started manually.

How to configure WinRM

To set the default configuration type:

winrm quickconfig (or the abbreviated version, winrm qc)

‘winrm qc’ performs the following operations:

1. Starts the WinRM service and sets the service startup type to auto-start.

2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.

3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS.

(Note: Winrm quickconfig also configures Winrs default settings)
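winrm quickconfig on each domain controller is only the source half of the scenario; the Windows 7 computer still has to become a collector and subscribe to the DCs' Security logs to get "one list". The PowerShell script below is an added example, not from the dump or the quoted blog: run with -Role Source on each DC (answer C) and with -Role Collector on the management computer (wecutil qc plus a subscription). The DC host names, the subscription name and the chosen event IDs (4625 logon failure, 4771 Kerberos pre-authentication failure, 4776 NTLM credential validation failure) are assumptions; the subscription XML follows the Windows Event Collector schema.

```powershell
# Added example (not from the dump or the quoted blog): both halves of event forwarding.
param([ValidateSet('Source','Collector')][string]$Role = 'Collector')

# assumption: the five domain controllers in the question
$domainControllers = 'dc1.contoso.com','dc2.contoso.com','dc3.contoso.com','dc4.contoso.com','dc5.contoso.com'

if ($Role -eq 'Source') {
    # Answer C: start WinRM, create the HTTP listener, open the firewall (-q = no prompts).
    & winrm.exe quickconfig -q
    # Verify a listener exists; this is what the collector will connect to.
    & winrm.exe enumerate winrm/config/listener
    return
}

# Collector side: configure the Windows Event Collector service once.
& wecutil.exe qc /q

# Collector-initiated subscription: pull account logon failures from the DCs' Security
# logs into the local ForwardedEvents log. With CredentialsType Default the collector's
# computer account is used, so it must be in the Event Log Readers group on the DCs.
$sources = ($domainControllers | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`r`n"
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-LogonFailures</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Account logon failures from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4625 or EventID=4771 or EventID=4776)]]</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@
$path = Join-Path $env:TEMP 'DC-LogonFailures.xml'
$xml | Out-File -FilePath $path -Encoding UTF8
& wecutil.exe cs $path
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

# Checks: can this machine reach WinRM on every DC, and is the subscription active?
foreach ($dc in $domainControllers) { Test-WSMan -ComputerName $dc | Out-Null; "WinRM reachable: $dc" }
& wecutil.exe gr DC-LogonFailures
```

Once events arrive, the consolidated list is simply the ForwardedEvents log in Event Viewer on the Windows 7 computer; wecutil gr is the first thing to look at when a DC shows no events, because it reports the last error per source.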

Question No: 208 – (Topic 3)

Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.

You need to enable the Active Directory Recycle Bin. What should you use?

  1. the Dsmod tool

  2. the Enable-ADOptionalFeature cmdlet

  3. the Ntdsutil tool

  4. the Set-ADDomainMode cmdlet

Answer: B

Explanation:

Similar question to question L/Q5.

Reference:

http://technet.microsoft.com/en-us/library/dd379481.aspx

Enabling Active Directory Recycle Bin

After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)


Question No: 209 – (Topic 3)

Your network contains an Active Directory domain named contoso.com.

You need to create a central store for the Group Policy Administrative templates.

What should you do?

  1. Run dfsrmig.exe /createglobalobjects.

  2. Run adprep.exe /domainprep /gpprep.

  3. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.

  4. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.

Answer: C

Explanation:

http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstore

Creating an ADMX central store for group policies

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. The Central Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain.

First on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and language template files in %SYSTEMROOT%\PolicyDefinitions need copying to



Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domain controllers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total).

xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"



Next ensure you have Remote Server Administration Tools (RSAT) installed on the client computer you are using to edit the GPOs. This will need to be Windows Vista or Windows 7.

For Windows Vista enable the RSAT feature (GPMC).

For Windows 7 download and install RSAT then enable the RSAT feature (GPMC).

When editing a GPO in the GPMC you will find that the Administrative Templates show as "Policy Definitions (ADMX files) retrieved from the central store". This confirms it is working as expected.


Further information: http://support.microsoft.com/kb/929841/en-us

How to create the Central Store for Group Policy Administrative Template files in Windows


http://msdn.microsoft.com/en-us/library/bb530196.aspx Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc748955(v=ws.10).aspx Scenario 2: Editing Domain-Based GPOs Using ADMX Files
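The xcopy in the quoted article runs on one domain controller and relies on SYSVOL replication to reach the others. The PowerShell script below is an added example, not from the dump or the quoted article: it creates the central store over the domain SYSVOL share exactly as answer C describes, counts the .admx/.adml files it copied, and then queries each domain controller's own SYSVOL share to confirm the store has replicated everywhere. The domain name contoso.com is from the question; nothing else is assumed.

```powershell
# Added example (not from the dump or the quoted article): create the ADMX
# central store and verify it has replicated to every domain controller.
$domain = 'contoso.com'
$source = Join-Path $env:SystemRoot 'PolicyDefinitions'
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $store)) { New-Item -ItemType Directory -Path $store | Out-Null }
# Copy the .admx files and the language subfolders (en-US\*.adml, ...); -Force overwrites older copies.
Copy-Item -Path (Join-Path $source '*') -Destination $store -Recurse -Force

# Verify: the store should hold the same number of template files as the source.
$srcCount = @(Get-ChildItem -Path $source -Recurse -Include *.admx,*.adml).Count
$dstCount = @(Get-ChildItem -Path $store  -Recurse -Include *.admx,*.adml).Count
"Copied $dstCount of $srcCount template files to $store"
if ($dstCount -ne $srcCount) { throw "Central store is incomplete; re-run the copy" }

# Replication check: ask each DC's own SYSVOL share (not the domain-wide DFS path).
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $domain)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers
foreach ($dc in $dcs) {
    $dcStore = "\\$($dc.Name)\SYSVOL\$domain\Policies\PolicyDefinitions"
    $n = if (Test-Path $dcStore) { @(Get-ChildItem -Path $dcStore -Recurse -Include *.admx,*.adml).Count } else { 0 }
    "{0,-30} {1,5} template files" -f $dc.Name, $n
}
```

A DC that still reports 0 files a few minutes after the copy points at a SYSVOL replication problem rather than at the central store itself; that is the case where the GPMC on a client bound to that DC keeps reading the local templates instead of the central store.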

Question No: 210 – (Topic 3)

Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.

Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.

Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.

You need to ensure that the G_Marketing members can access the folder from the network.

What should you do?

  1. From Windows Explorer, modify the NTFS permissions of the folder.

  2. From Windows Explorer, modify the share permissions of the folder.

  3. From Active Directory Users and Computers, modify the computer object for Server1.

  4. From Active Directory Users and Computers, modify the group object for G_Marketing.

Answer: C

Explanation:

MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 643-644

After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.

To assign this permission:

1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.

2. Open the properties of the computer to which trusted users should be allowed to authenticate, that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.

3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
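The three GUI steps above have a scriptable equivalent, which matters when many resource servers are exposed across a selective-authentication trust. The PowerShell snippet below is an added example, not from the dump or the training kit: it grants the Allowed To Authenticate extended right on Server1's computer object to NWTRADERS\G_Marketing with dsacls, showing the relevant ACEs before and after. The OU in Server1's distinguished name is an assumption; the group and domain names are from the question.

```powershell
# Added example (not from the dump or the training kit): grant Allowed To Authenticate
# on the resource server's computer object, the CLI form of the GUI steps above.
$server1DN = 'CN=Server1,OU=Servers,DC=contoso,DC=com'   # assumption: adjust to Server1's real OU
$group     = 'NWTRADERS\G_Marketing'                     # from the question

# Before: list any existing Allowed To Authenticate ACEs on the computer object.
"--- before ---"
& dsacls.exe $server1DN | Select-String -Pattern 'Allowed to Authenticate'

# Grant the extended right. In dsacls syntax "CA;<right name>" denotes a control
# access (extended) right; the subexpression keeps PowerShell from parsing "$group:".
& dsacls.exe $server1DN /G "$($group):CA;Allowed to Authenticate"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# After: the group should now appear with the right.
"--- after ---"
& dsacls.exe $server1DN | Select-String -Pattern 'Allowed to Authenticate'
```

Granting the right on the computer object is deliberately narrower than the alternatives in the question: the share and NTFS permissions already allow the group, and what selective authentication adds is a per-computer gate that stays closed for every other server in contoso.com.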
