QUESTION 261
Your network contains an Active Directory domain named Contoso.com. Contoso.com contains an enterprise certification authority (CA) named CA1.
You enable Secure Socket Tunneling Protocol (SSTP) on a server named Server1.
A user named User1 attempts to establish an SSTP connection to Server1 and receives the following error message:
“Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline.”
You verify that all certificate services are online. You need to ensure that User1 can connect to Server1 by using SSTP. What should you do first?
A. Configure User1 for certificate auto enrollment.
B. Configure a pre-shared key for IPSec on User1's computer.
C. Add a certificate to Server1 that contains Server1.contoso.com as a Subject Alternative Name (SAN).
D. Publish the certificate revocation list distribution point (CDP) to a location that is accessible from the Internet.
Answer: D
QUESTION 262
Your network contains an Active Directory domain. You create and mount an Active Directory snapshot.
You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do?
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.
Answer: B
Explanation:
The error message says that the file is already in use. This makes sense, as in the exhibit, dbpath points to C:\Windows\NTDS\ntds.dit, the location of a running Active Directory database. We need to run this command against the snapshot, which would be stored in another path.
Reference: http://technet.microsoft.com/en-us/library/cc772168.aspx
If we stopped AD DS, we might be able to run our command, but we’d be doing so against the live AD database, not the snapshot!
The ldapport parameter is fine, as it is configured for a port higher than 50000 and will not conflict with AD.
Our error doesn’t indicate a problem with VSS so we do not need to restart it.
QUESTION 263
Your network contains an Active Directory domain. You need to activate the Active Directory Recycle Bin in the domain. Which tool should you use?
A. Dsamain
B. Set-ADDomain
C. Add-WindowsFeature
D. Ldp
Answer: D
Explanation:
Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx
QUESTION 264
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The forest contains a single domain. You need to ensure that objects can be restored from the Active Directory Recycle Bin. Which tool should you use?
A. Ntdsutil
B. Set-ADDomain
C. Dsamain
D. Enable-ADOptionalFeature
Answer: D
Explanation:
Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx
QUESTION 265
Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch office are able to log on to the domain by using the RODC. What should you do?
A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.
D. Configure the Password Replication Policy on the RODC.
Answer: D
Explanation:
To allow individual RODCs to cache user and computer credentials in specific locations, configure the Allowed and Denied Lists on the Password Replication Policy tab for the properties of each individual RODC account in the Domain Controllers OU.
Reference: https://sites.google.com/a/pccare.vn/it/ent-admin-pages/password-replication-policy-facts
We wouldn’t add another RODC, as users aren’t even able to log on to the first one yet! It is not necessary to have more than 1 RODC at a branch office.
We wouldn’t change the replication interval, as we have no reason to suspect that replication is not happening or is out-of-date.
A bridgehead server is a domain controller (DC) that functions as the primary route of Active Directory (AD) replication data moving into and out of sites.
Reference: http://windowsitpro.com/systems-management/bridgehead-servers
QUESTION 266
Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office.
You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.
Which two actions should you perform? (Each Answer presents part of the solution. Choose two.)
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep /rodcprep command.
Answer: BD
Explanation:
Reference: http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
QUESTION 267
One of the remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons you don’t want certain critical credentials (such as passwords and encryption keys) to be stored on the RODC.
What should you do so that these credentials are not replicated to any RODCs in the forest? (Each Answer presents part of the solution. Choose two.)
A. Configure RODC filtered attribute set on the server
B. Configure RODC filtered set on the server that holds Schema Operations Master role.
C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain
D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.
E. None of the above
Answer: BD
Explanation:
The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. (…) Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set.
Reference: http://technet.microsoft.com/en-us/library/cc753223.aspx
We can restrict administrative permissions for an RODC but this will only control who is allowed to manage the server. Critical credential information will still be replicated.
QUESTION 268
ABC.com has a main office and a branch office. ABC.com’s network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003.
You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and no administrators are present there.
You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office.
What should you do to set up the RODC on the computer in the branch office?
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by deploying the image of AD DS
E. none of the above
Answer: B
Explanation:
To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.
Reference: http://technet.microsoft.com/en-us/library/cc754629.aspx
QUESTION 269
You are an administrator at ABC.com. The company has a read-only domain controller (RODC) at a remote location. The remote location doesn’t have proper physical security.
You need to populate non-administrative accounts’ passwords on that RODC.
Which of the following actions should you take to populate the RODC with non-administrative accounts’ passwords?
A. Delete all administrative accounts from the RODC’s group
B. Configure the permission to Deny on Receive As for administrative accounts on the security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above
Answer: C
Explanation:
If we want only non-administrative users to have passwords populated on the RODC, we basically would want to deny replication to administrative accounts. We would have a limited number of administrative accounts so it would be easy to simply deny replication to them.
We don’t want to delete administrative accounts from the RODC’s group, because this would keep us from being able to administer the RODC.
Adding a new GPO with Account Lockout settings would help us control how account lockouts are handled on the RODC but does not help us populate passwords.
The “Receive As” permission is related to Exchange Servers.
QUESTION 270
ABC.com has a main office and 20 branch offices. Each branch office is configured as a separate site and has a Read-Only Domain Controller (RODC) installed.
Users in remote offices complain that they are unable to log on to their accounts.
What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?
A. Open the RODC computer account security tab and set Allow on Receive As permission only for the users that are unable to log on to their accounts
B. Add a Password Replication Policy to the main domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication Allowed group on the main RODC server
D. Configure and add a separate Password Replication Policy on each RODC computer account
Answer: D
Explanation:
The scenario basically says we have multiple sites, each with their own RODC. But we want each RODC to only cache accounts for that local site. Cached credentials are configured by assigning accounts to the groups in the Password Replication Policy tab on each computer account in ADUC. So the simplest way to do what we need is configure each RODC’s Password Replication Policy to cache accounts for users only at that local site.
Configuring a unique group for each office would be a possible way to start, but this answer goes on to suggest adding those groups to the PRP on the main RODC server. This will cache every branch office user at the main office, not on their individual branch office only. Similarly, adding a PRP to the main office’s RODC with the user accounts would suffer the same fault.
The “Receive As” permission is related to Exchange Servers.