QUESTION 221
Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers. You add a logoff script to an existing Group Policy object (GPO).
You need to verify that each domain controller successfully replicates the updated group policy. Which two objects should you verify on each domain controller? (Each Answer presents part of the solution. Choose two.)
A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
Answer: AD
QUESTION 222
A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named LDS1 stores its data on the C: drive.
You need to relocate the LDS1 instance to the D: drive. Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.)
Answer:
Explanation:
Reference: http://www.ucertify.com/blog/windows-server-2008-tools-used-for-configuring-and-maintaining- active-directory.html
QUESTION 223
You need to perform an offline defragmentation of an Active Directory database.
Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.)
Answer:
Explanation:
To perform offline defragmentation of the directory database (…)
3. At the command prompt, type the following command, and then press ENTER:
net stop ntds
1. At the command prompt, type ntdsutil, and then press ENTER.
2. At the ntdsutilprompt, type activate instance ntds, and then press ENTER.
3. At the ntdsutilprompt, type files, and then press ENTER. (…)
9. If defragmentation succeeds with no errors, follow the Ntdsutil.exeonscreen instructions to: (…)
c. Manually copy the compacted database file to the original location, as follows:
copy “<temporaryDrive>:\ntds.dit” “<originalDrive>:
\<pathToOriginalDatabaseFile> \ntds.dit”(…)
14. Restart AD DS. At the command prompt, type the following command, and then press ENTER:
net start ntds
Reference: http://technet.microsoft.com/en-us/library/cc794920%28v=ws.10%29.aspx
QUESTION 224
Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
A. certreq.exe -retrieve
B. certreq.exe -submit
C. certutil.exe -getkey
D. certutil.exe -pulse
Answer: D
QUESTION 225
Your network contains an Active Directory forest named adatum.com. All domain controllers currently run Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows Server 2003.
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What should you do first?
A. Run adprep.exe
B. Raise the functional level of the domain to Windows Server 2008.
C. Raise the functional level of the forest to Windows Server 2008.
D. Deploy a writable domain controller that runs Windows Server 2008 R2.
Answer: A
Explanation:
Reference: http://technet.microsoft.com/en-us/library/cc754629%28v=ws.10%29.aspx
QUESTION 226
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password.
Which console should you use?
A. Active Directory Rights Management Services
B. Local Users and Groups
C. Services
D. Active Directory Users and Computers
Answer: A
Explanation:
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.
It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.
Reference: http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms- service-account-password.aspx
The AD RMS service account is a domain account, but does not appear to be something to change in ADUC.
The AD RMS service account gets added to a local group on the RMS server, but the account itself clearly reside there.
The service account for AD RMS on the local service could possibly be changed from the Services console, but this provides no functionality for changing the password.
QUESTION 227
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2.
Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates.
You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).
What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Answer: C
Explanation:
The question says you must ensure users have a certificate from the CA, so the Default Domain Policy is what needs editing, as it will affect all users. The Default Domain Controllers Policy would allow you to change settings on domain controllers only and would not affect all users or machines.
The Certificate Enrollment policy option, as the name indicates, lets you configure enrollment options to control how/where users get their certificates.
The Trusted Root Certification Authority policy would let you control the enterprise list of Trusted Root CA’s. Since AD Cs is configured to allow users from both forests to automatically enroll, it is likely that both CA’s are already trusted.
QUESTION 228
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
Enterprise Root Certification Authority (CA)
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
You create a new certificate template. External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe dspublish.
D. Restart the Active Directory Certificate Services service.
Answer: A
Explanation:
All other templates are available to the users, so the certificate services are working correctly. The website is simply not aware of the new certificates available in the store, so IIS must be reset so that the list is updated.
certutil.exe dspublishwill publish a certificate toe AD, but this will already take place when the new certificate is issued since we are using an Enterprise Root.
Reference: http://technet.microsoft.com/library/cc732443.aspx
Restarting the AD CS service is likely not needed since all other aspects of certificate management are functioning as expected.
gpupdate.exe /forcewill force a group policy update on the client it is run from, but group policy is not at issue in this question.
QUESTION 229
Your network contains an enterprise root certification authority (CA).
You need to ensure that a certificate issued by the CA is valid. What should you do?
A. Run syskey.exe and use the Updateoption.
B. Run sigverif.exeand use the Advancedoption.
C. Run certutil.exeand specify the -verifyparameter.
D. Run certreq.exeand specify the -retrieveparameter.
Answer: C
QUESTION 230
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card. Your company’s corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked.
An employee resigns. You need to immediately prevent the employee from logging on to the domain. What should you do?
A. Revoke the employee’s smart card certificate.
B. Disable the employee’s Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee’s Active Directory account.
Answer: B
Explanation:
Only disabling the AD account will prevent logon to the domain. Resetting the password will prevent the user from logging on with the password he had been using, but if he could guess the password he would still be able to logon. Revoking the smart card certificate will not prevent the user from his smart card to login. This is also why publishin a new delta CRL will not work.
If you want to pass Microsoft 70-648 successfully, donot missing to read latest lead2pass Microsoft 70-648 dumps.
If you can master all lead2pass questions you will able to pass 100% guaranteed.