Do you want to pass the 70-640 Examsavior exam? What are the new questions of the latest 70-640 exam? Examsavior 70-640 VCE dumps and 70-640 PDF dumps will tell you all about the 70-640 Examsavior exam. Here are Examsavior's newest questions and answers, covering all newly added questions, which will help you 100% pass the 70-640 Examsavior exam.
QUESTION 41
You have a Windows Server 2008 R2 Enterprise Root CA.
Security policy prevents port 443 and port 80 from being opened on domain controllers and on the
issuing CA.
You need to allow users to request certificates from a Web interface.
You install the Active Directory Certificate Services (AD CS) server role.
What should you do next?
A. Configure the Online Responder Role Service on a member server.
B. Configure the Online Responder Role Service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd759209.aspx
Certificate Enrollment Web Service Overview
The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service
that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together
with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when
the client computer is not a member of a domain or when a domain member is not connected to the
domain.
Personal note:
Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate
Enrollment Web Service role service on a plain member server.
QUESTION 42
You need to relocate the existing user and computer objects in your company to different
organizational units.
What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two.)
A. Run the move-item command in the Microsoft Windows PowerShell utility.
B. Run the Active Directory Users and Computers utility.
C. Run the Dsmove utility.
D. Run the Active Directory Migration Tool (ADMT).
Correct Answer: BC
Explanation
Explanation/Reference:
Personal note:
You can simply drag and drop objects when using the Active Directory Users and Computers utility or use
the dsmove command.
http://technet.microsoft.com/en-us/library/cc731094%28v=ws.10%29.aspx
Dsmove
Moves a single object, within a domain, from its current location in the directory to a new location, or
renames a single object without moving it in the directory tree.
QUESTION 43
Your network consists of an Active Directory forest named contoso.com.
All servers run Windows Server 2008 R2.
All domain controllers are configured as DNS servers.
The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition.
You have a member server that contains a standard primary DNS zone for dev.contoso.com.
You need to ensure that all domain controllers can resolve names for dev.contoso.com.
What should you do?
A. Modify the properties of the SOA record in the contoso.com zone.
B. Create a NS record in the contoso.com zone.
C. Create a delegation in the contoso.com zone.
D. Create a standard secondary zone on a Global Catalog server.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc771640.aspx
Understanding Zone Delegation
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones,
which can then be stored, distributed, and replicated to other DNS servers. When you are deciding
whether to divide your DNS namespace to make additional zones, consider the following reasons to use
additional zones:
You want to delegate management of part of your DNS namespace to another location or
department in your organization.
You want to divide one large zone into smaller zones to distribute traffic loads among multiple
servers, improve DNS name resolution performance, or create a more-fault-tolerant DNS environment.
You want to extend the namespace by adding numerous subdomains at once, for example, to
accommodate the opening of a new branch or site.
..
When you delegate zones within your namespace, remember that for each new zone that you create, you
need delegation records in other zones that point to the authoritative DNS servers for the new zone. This
is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of
the new servers that are being made authoritative for the new zone.
..
Example: Delegating a subdomain to a new zone
As shown in the following illustration, when a new zone for a subdomain (example.microsoft.com) is
created, delegation from the parent zone (microsoft.com) is needed.
QUESTION 44
Your company has a single Active Directory domain.
All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On a domain controller run adprep /rodcprep.
B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Correct Answer: D
Explanation
Explanation/Reference:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/
DC promotion and adprep/forestprep
Q: I’ve tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an
existing domain. I am informed that, first, I must run adprep/forestprep (“To install a domain controller into
this Active Directory forest, you must first prepare the forest using “adprep/forestprep”. The Adprep utility
is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder”).
A1:
You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the
\sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder
and run Adprep from there.
A2:
to introduce the first W2K8 DC within an AD forest….
(1) no AD forest exists yet:
–> on the stand alone server execute: DCPROMO
–> and provide the information needed
(2) a W2K or W2K3 AD forest already exists:
–> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
–> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
–> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
–> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
–> on the stand alone server execute: DCPROMO
–> and provide the information needed
QUESTION 45
Your company has a main office and three branch offices.
Each office is configured as a separate Active Directory site that has its own domain controller.
You disable an account that has administrative rights.
You need to immediately replicate the disabled account information to all sites.
What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers as global
catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects and force
replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Correct Answer: BC
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx
Repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/
How to force replication of Domain Controllers
From time to time it’s necessary to kick off AD replication to speed up a task you may be doing, or just a
good tool to check the status of replication between DC’s.
Below is a command to replicate from a specified DC to all other DC’s.
Repadmin /syncall DC_name /APed
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished
names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that
you did it in one step, not many. And with the benefit of seeing immediate results on how the operations
are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx
Force replication over a connection
To force replication over a connection
1. Open Active Directory Sites and Services.
QUESTION 46
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
You need to capture all replication errors from all domain controllers to a central location.
What should you do?
A. Start the Active Directory Diagnostics data collector set.
B. Start the System Performance data collector set.
C. Install Network Monitor and create a new capture.
D. Configure event log subscriptions.
Correct Answer: D
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the
collecting computer (collector) and each computer from which events will be collected (source).
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue
might require you to examine a set of events stored in multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store
them locally. To specify which events to collect, you create an event subscription. Among other details,
the subscription specifies exactly which events will be collected and in which log they will be stored locally.
Once a subscription is active and events are being collected, you can view and manipulate these
forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting
computers. The functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector (Wecsvc) service. Both of these services must be running on computers
participating in the forwarding and collecting process.
http://technet.microsoft.com/en-us/library/cc961808.aspx
Replication Issues
QUESTION 47
Your company has an Active Directory forest that contains client computers that run Windows Vista
and Microsoft Windows XP.
You need to ensure that users are able to install approved application updates on their computers.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to
automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the
Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates
on the Internet. Approve all required updates.
Correct Answer: CD
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
Configure Automatic Updates by Using Group Policy
When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO) linked to an
Active Directory container appropriate for your environment.
QUESTION 48
Your company has an Active Directory domain that has an organizational unit named Sales.
The Sales organizational unit contains two global security groups named Sales Managers and
Sales Executives.
You need to apply desktop restrictions to the Sales Executives group.
You must not apply these desktop restrictions to the Sales Managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
What should you do next?
A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown
GPO.
B. Configure the Deny Apply Group Policy permission for the Sales Executives on the DesktopLockdown
GPO.
C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown
GPO.
D. Configure the Deny Apply Group Policy permission for the Sales Managers on the DesktopLockdown
GPO.
Correct Answer: D
Explanation
Explanation/Reference:
http://support.microsoft.com/kb/816100
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer
accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that
organizational unit level. However, there may be situations where you want to apply Group Policy to a
whole domain, although you may not want those policy settings to also apply to administrator accounts or
to other specific users or groups.
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policyobject/
Best Practice: How to exclude individual users or computers from a Group Policy Object
One of the common questions I see on the forums from time to time is how to exclude a user and/or a
computer from having a Group Policy Object (GPO) applied. This is a relatively straight forward process
however I should stress this should be used sparingly and should always be done via group membership to
avoid the administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception and then click on the
“Delegation” tab and then click on the “Advanced” button.
Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from
having this policy applied.
Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group
in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against
the “Apply Group Policy” permission.
Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object
applied. Having a security group to control this exception makes it much easier to control as someone only
needs to modify the group membership of the group to make changes to who (or what) gets the policy
applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you
don’t need to grant them permission to the Group Policy Objects.
QUESTION 49
Your company network has an Active Directory forest that has one parent domain and one child
domain.
The child domain has two domain controllers that run Windows Server 2008.
All user accounts from the child domain are migrated to the parent domain.
The child domain is scheduled to be decommissioned.
You need to remove the child domain from the Active Directory forest.
What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two.)
A. Run the Computer Management console to stop the Domain Controller service on both domain
controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust
relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory
domain services role.
D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.
Correct Answer: CD
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx
Decommissioning a Domain Controller
To complete this task, perform the following procedures:
1. View the current operations master role holders
2. Transfer the schema master
3. Transfer the domain naming master
4. Transfer the domain-level operations master roles
5. Determine whether a domain controller is a global catalog server
6. Verify DNS registration and functionality
7. Verify communication with other domain controllers
8. Verify the availability of the operations masters
9. If the domain controller hosts encrypted documents, perform the following procedure before you
remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is
removed: Export a certificate with the private key
10. Uninstall Active Directory
11. If the domain controller hosts encrypted documents and you backed up the certificate and private key
before you remove Active Directory, perform the following procedure to re-import the certificate to the
server: Import a certificate
12. Determine whether a Server object has child objects
13. Delete a Server object from a site
http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx
Uninstall Active Directory
To uninstall Active Directory
1. Click Start, click Run, type dcpromo and then click OK.
…
QUESTION 50
Your network consists of a single Active Directory domain.
The domain contains 10 domain controllers.
The domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You plan to create a new Active Directory-integrated zone.
You need to ensure that the new zone is only replicated to four of your domain controllers.
What should you do first?
A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.
B. Create a new delegation in the ForestDnsZones application directory partition.
C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.
D. Create a new delegation in the DomainDnsZones application directory partition.
Correct Answer: A
Explanation
Explanation/Reference:
Practically the same question as D/Q25 and K/Q17, different set of answers.
To control which servers get a copy of the zone we have to store the zone in an application directory
partition. That application directory partition must be created before we create the zone, otherwise it won’t
work. So that’s what we have to do first. Directory partitions are also called naming contexts and we can
create one using ntdsutil.
Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to
use did not exist yet. To fix that I used ntdsutil to create the directory partition
dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added.
Then, after a minute or two, I tried to create the new zone again, and this time it worked.
Reference 1:
http://technet.microsoft.com/en-us/library/cc725739.aspx
Store Data in an AD DS Application Partition
You can store Domain Name System (DNS) zones in the domain or application directory partitions of
Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS
that distinguishes data for different replication purposes. When you store a DNS zone in an application
directory partition, you can control the zone replication scope by controlling the replication scope
of the application directory partition.
Reference 2:
http://technet.microsoft.com/en-us/library/cc730970.aspx
partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight
Directory Services (AD LDS).
This is a subcommand of Ntdsutil and Dsmgmt.
Examples
To create an application directory partition named AppPartition in the contoso.com domain, complete the
following steps:
1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories,
right-click Command Prompt, and then click Run as administrator.
2. Type: ntdsutil
3. Type: Ac in ntds
4. Type: partition management
5. Type: connections
6. Type: Connect to server DC_Name
7. Type: quit
8. Type: list
The following partitions will be listed:
0 CN=Configuration,DC=Contoso,DC=com
1 DC=Contoso,DC=com
2 CN=Schema,CN=Configuration,DC=Contoso,DC=com
3 DC=DomainDnsZones,DC=Contoso,DC=com
4 DC=ForestDnsZones,DC=Contoso,DC=com
9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com
ConDc1.contoso.com
10. Run the list command again to refresh the list of partitions.
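The full sequence behind answer A of Question 50, done with dnscmd instead of ntdsutil: create the partition, enlist only the DNS servers that should replicate it, then create the zone inside it. This is an added example, not part of the original page or of the referenced Microsoft documentation; the server names DC01 to DC04 and the zone name are hypothetical, and the partition name reuses dc=venomous,dc=contoso,dc=com from the explanation above.

```powershell
# Added example. All names below are assumptions made for illustration.
$Partition  = 'venomous.contoso.com'          # FQDN form of dc=venomous,dc=contoso,dc=com
$Zone       = 'restricted.contoso.com'        # hypothetical zone name
$DnsServers = 'DC01', 'DC02', 'DC03', 'DC04'  # hypothetical: the four DCs that should hold the zone

function Invoke-DnsCmd {
    # Run dnscmd.exe and stop on the first failure so that a missing
    # partition is not silently followed by a failing zone creation.
    param([string[]]$Arguments)
    & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create the application directory partition first. The DNS server that
#    creates it holds the first replica.
Invoke-DnsCmd @($DnsServers[0], '/CreateDirectoryPartition', $Partition)

# 2. Enlist the other three DNS servers. Only enlisted servers replicate the
#    partition; the remaining six domain controllers never receive it.
#    The new partition must replicate before enlistment succeeds, so a
#    failure here right after step 1 usually means "wait and rerun".
foreach ($server in $DnsServers | Select-Object -Skip 1) {
    Invoke-DnsCmd @($server, '/EnlistDirectoryPartition', $Partition)
}

# 3. Create the AD-integrated zone and store it in the new partition.
Invoke-DnsCmd @($DnsServers[0], '/ZoneAdd', $Zone, '/DsPrimary', '/DP', $Partition)

# 4. Review the result: the partitions the first server knows about, then the
#    partition details as seen from each of the four intended servers.
Invoke-DnsCmd @($DnsServers[0], '/EnumDirectoryPartitions')
foreach ($server in $DnsServers) {
    Invoke-DnsCmd @($server, '/DirectoryPartitionInfo', $Partition)
}
```

Run it from an elevated prompt with rights to create application directory partitions. Comparing the step 4 output against the intended server list is a quick audit that the zone data has not spread to domain controllers outside the planned scope.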