Online Access Free 70-742 Exam Questions

Passed today with 85%.up to 10% new question. Read carefully as some the question in this dump has been reworded. Still valid.

No.# Correct Answer B

We recommend that you transfer FSMO roles in the following scenarios:
The current role holder is operational and can be accessed on the network by the new FSMO owner.
You are gracefully demoting a domain controller that currently owns FSMO roles that you want to assign to a specific domain controller in your Active Directory forest.
The domain controller that currently owns FSMO roles is being taken offline for scheduled maintenance and you need specific FSMO roles to be assigned to a “live” domain controller. This may be required to perform operations that connect to the FSMO owner. This would be especially true for the PDC Emulator role but less true for the RID master role, the Domain naming master role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:
The current role holder is experiencing an operational error that prevents an FSMO-dependent operation from completing successfully and that role cannot be transferred.

A domain controller that owns an FSMO role is force-demoted by using the dcpromo /forceremoval command.

The operating system on the computer that originally owned a specific role no longer exists or has been reinstalled

No.# Answer: A

Reset the secure channel Occasionally, you might need to reset the computer’s secure channel. When a computer signs in to the AD DS domain, it establishes a secure channel with the domain controller; the secure channel is sometimes referred to as a trust. Under some circumstances, this trust becomes unavailable, and the computer cannot establish the secure channel. This can result in users being unable to sign in at the computer, and in the failure of the application of GPOs on the computer. Often, when a secure channel failure has occurred, users receive the following message when they attempt to sign in: “The trust relationship between the workstation and the primary domain failed.” Some administrators remove the computer from the domain, adding it temporarily to a workgroup, and then after restarting the computer, they add it to the domain again. This is usually successful. However, this removes the computer object in AD DS and creates a new one, albeit with the same name. Because the object is new, and has a new security identity (SID), any group memberships for the computer are lost; this might not be a concern. However, if you use group memberships extensively, it is better to reset the secure channel rather than remove the computer from the domain. You can reset the channel by using Active Directory Users and Computers, Windows PowerShell, or the Dsmod.exe command-line tool. Resetting the channel ensures that the computer’s SID remains the same, and this means that group memberships are retained.

from: Exam Ref 70-742 Identity with Windows Server 2016 book

No.# D does seem to be right
there is indeed a "GPO status option on the right click menu on the GPO objects under "Group Policy Objects" container which disables or enables each and every GPO.
I would think that DCdiag is not necessary since all other GPOs are correctly applied so it cannot be a general replication setting.

No.# Is this true? Delete the computer account enough? Metadata cleanup not needed?

No.# We can see SPN in ADUC now! It is new feature..

fdfdffdfdfd

No.# Answer is NO. Restricted group settings delete all the users and we are adding here.

No.# There is no Status under Default domain policy! So, I think DCDIAG.exe

No.# In my opinion it is not true. Correct answer is No! If someone can explain why yes, please….

No.# When we use Restricted Groups settings, it deletes all existing user from the administrators group!
You need to add a domain user named user1, so ADD! I think the answer is NO.

No.# Corract answer is "B"

No.# Correct!
But if you have true option CA manager approval - step three is not required (pending request is automatical)

No.# This question is wrong!
Right order: A3(site), A1(domain), A5(OU1), A7(OU4).
A3 links to OU3, OU3 is not consist our objects

No.# First, Convert to Universal

No.# Answer is NO
bacause
create and configure gMSA:
1. Add-KdsRootKey –EffectiveImmediately
2. New-ADServiceAccount –Name LON-IIS-GMSA –DNSHostname LON-DC1.Adatum.com –
PrincipalsAllowedToRetrieveManagedPassword LON-DC1$, LON-DC2$, LON-IIS$
3. Add-ADComputerServiceAccount –identity LON-DC1 –ServiceAccount LON-IIS-GMSA
4. Install-ADServiceAccount -Identity LON-IIS-GMSA
5. configure settings of service

No.# Container Trust stores Certification Trust Lists - NOT SSL Certificate, that right answer is NO

No.# Computer Configuration/Policies/Administrative Templates/Network/network Connections
User Configuration/Policies/Administrative Templates/Network/Network Connections
DOES NOT EXIST these options
A,D is Wrong

User Configuration/Preferences/Control Panel Settings/Network Options
Wrong in this case, because we have to deploy ON COMPUTER

Computer Configuration/Preferences/Control Panel Settings/Network Options
RIGHT!

No.# Example:
netdom join %computername% /Domain:winitpro.ru /OU:ou=Win,dc= winitpro,dc=ru /UserD:admin /PasswordD:P@sw0rd

No.# Answer B is right, because:

It is not always possible to anticipate the removal of an operations master role holder. Consequently, if a
domain controller hosting one of the operations master roles becomes unavailable, and you cannot quickly
and easily get it operational again, you might consider seizing the operations master roles held by the
failed domain controller.
If you must seize a role, you cannot use the management console to perform the task. Instead, you
must use the Move-ADDirectoryServerOperationMasterRole -force cmdlet. Each role is assigned a
number identifier, as described
0-PDC
1-RID
2-Infrastructure
3-Schema
4-Domain naming

To seize role RID
Move-ADDirectoryServerOperationMasterRole -Identity "LON-SVR3" -OperationMasterRole 1 -Force
(key -Force is a difference between transfering and seizing)
Seizing (role holder is offline)

You can also use ntdsutil.exe