Proper study guides for the 70-640 TS: Windows Server 2008 Active Directory, Configuring exam begin with preparation products designed to help you pass the 70-640 test on your first attempt. Try the free dumps right now.

We also have free 70-640 dump questions for you:

NEW QUESTION 1
Company has servers on the main network that run Windows Server 2008. It also has two domain controllers.
Active Directory services are running on a domain controller named CKDC1.
You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.
What should you do to perform offline critical updates on CKDC1 without rebooting the server?

  • A. Start the Active Directory Domain Services on CKDC1
  • B. Disconnect from the network and start the Windows update feature
  • C. Stop the Active Directory domain services and install the update
  • D. Start the Active Directory domain services after installing the update
  • E. Stop Active Directory domain services and install update
  • F. Disconnect from the network and then connect again
  • G. None of the above

Answer: C

Explanation:
Personal comment: I don't believe you can avoid restarting the server when installing some (not all) updates.
http://class10e.com/Microsoft/what-should-you-do-to-perform-offline-critical-updates-on-ckdc1-withoutrebooting-the-server/
To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates, then start the Active Directory domain services again after installing the updates. By stopping the Active Directory domain services, you don't need to reboot the server. The updates are related to Windows Server 2008 on CKDC1, so when you stop the Active Directory domain services and start them again after the installation of the updates, the server will perform in a normal way.

NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all other users.
Which tool should you use?

  • A. Group Policy Management Editor
  • B. Group Policy Management Console (GPMC)
  • C. Authorization Manager
  • D. Ldifde

Answer: D

Explanation: http://technet.microsoft.com/en-US/library/cc754461.aspx
Creating a PSO using ldifde
You can use the ldifde command as a scriptable alternative for creating PSOs. To create a PSO using ldifde:
1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:
   dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
   changetype: add
   objectClass: msDS-PasswordSettings
   msDS-MaximumPasswordAge: -1728000000000
   msDS-MinimumPasswordAge: -864000000000
   msDS-MinimumPasswordLength: 8
   msDS-PasswordHistoryLength: 24
   msDS-PasswordComplexityEnabled: TRUE
   msDS-PasswordReversibleEncryptionEnabled: FALSE
   msDS-LockoutObservationWindow: -18000000000
   msDS-LockoutDuration: -18000000000
   msDS-LockoutThreshold: 0
   msDS-PasswordSettingsPrecedence: 20
   msDS-PSOAppliesTo: CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.
3. Type the following command, and then press ENTER: ldifde -i -f pso.ldf
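The following is an added example, not code from this page or from Microsoft: a small Python checker that parses a PSO in LDIF form like the pso.ldf above (the sample embedded in the script is constructed to match the values shown), decodes the msDS-* interval attributes, which AD stores as negative counts of 100-nanosecond ticks, into readable durations, and lists the findings a reviewer would want to see before running ldifde -i. The NEVER_EXPIRES constant and the review rules are this example's own assumptions.

```python
"""Decode and sanity-check a fine-grained password policy (PSO) given as LDIF.
Added example for this page, not Microsoft's code. The embedded LDIF is
constructed to match the pso.ldf values in the ldifde procedure above.
"""
import base64
import re
from datetime import timedelta

# Constructed sample: the same PSO as in the ldifde step, one attribute per line.
SAMPLE_PSO_LDIF = """\
dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge: -1728000000000
msDS-MinimumPasswordAge: -864000000000
msDS-MinimumPasswordLength: 8
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-LockoutThreshold: 0
msDS-PasswordSettingsPrecedence: 20
msDS-PSOAppliesTo: CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
"""

# AD stores these four durations as negative counts of 100-nanosecond ticks.
INTERVAL_ATTRS = (
    "msDS-MaximumPasswordAge",
    "msDS-MinimumPasswordAge",
    "msDS-LockoutObservationWindow",
    "msDS-LockoutDuration",
)
TICKS_PER_SECOND = 10_000_000
# Smallest 64-bit value; AD uses it for "password never expires" (assumption of this example).
NEVER_EXPIRES = -(2 ** 63)


def parse_ldif(text):
    """Parse one LDIF record into {attribute: [values]}; honours line folding
    (continuation lines start with one space), comments, and base64 ("attr:: ...")."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation of the previous line
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    record = {}
    for line in logical:
        m = re.match(r"^([A-Za-z][\w.-]*)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        record.setdefault(attr, []).append(value.strip())
    return record


def ticks_to_timedelta(ticks):
    """Convert a negative 100-ns tick count (AD interval syntax) to a timedelta."""
    if ticks > 0:
        raise ValueError("AD interval attributes must be zero or negative")
    return timedelta(seconds=-ticks / TICKS_PER_SECOND)


def describe_pso(ldif_text):
    """Return a summary dict of the PSO with the interval attributes as timedeltas."""
    rec = parse_ldif(ldif_text)
    if rec.get("objectClass") != ["msDS-PasswordSettings"]:
        raise ValueError("not an msDS-PasswordSettings record")
    summary = {"dn": rec["dn"][0], "applies_to": rec.get("msDS-PSOAppliesTo", [])}
    for attr in INTERVAL_ATTRS:
        ticks = int(rec[attr][0])
        summary[attr] = None if ticks == NEVER_EXPIRES else ticks_to_timedelta(ticks)
    summary["precedence"] = int(rec["msDS-PasswordSettingsPrecedence"][0])
    summary["lockout_threshold"] = int(rec["msDS-LockoutThreshold"][0])
    summary["min_length"] = int(rec["msDS-MinimumPasswordLength"][0])
    summary["complexity"] = rec["msDS-PasswordComplexityEnabled"][0].upper() == "TRUE"
    summary["reversible"] = rec["msDS-PasswordReversibleEncryptionEnabled"][0].upper() == "TRUE"
    return summary


def review_pso(summary):
    """Findings a reviewer would want before importing (this example's own rules)."""
    findings = []
    max_age, min_age = summary["msDS-MaximumPasswordAge"], summary["msDS-MinimumPasswordAge"]
    if max_age is not None and min_age is not None and min_age > max_age:
        findings.append("minimum password age exceeds the maximum password age")
    if summary["lockout_threshold"] == 0:
        findings.append("lockout threshold is 0, so account lockout is disabled for this PSO")
    if summary["reversible"]:
        findings.append("reversible encryption is enabled; passwords would be recoverable")
    if not summary["applies_to"]:
        findings.append("msDS-PSOAppliesTo is empty, so the PSO applies to nobody")
    return findings
```

For the page's sample the decoded values are a 2-day maximum age, a 1-day minimum age and 30-minute lockout windows, and the only finding is that a lockout threshold of 0 disables lockout.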

NEW QUESTION 3
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:
dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess
The command fails.
You need to ensure that the command completes successfully.
How should you modify the command?

  • A. Include the path to Dsamain
  • B. Change the value of the -dbpath parameter
  • C. Change the value of the -ldapport parameter
  • D. Remove the allowNonAdminAccess

Answer: C

Explanation: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), page 690
Use the AD DS database mounting tool to load the snapshot as an LDAP server:
dsamain -dbpath c:\$SNAP_datetime_VOLUMEC$\windows\ntds\ntds.dit -ldapport portnumber
Be sure to use ALL CAPS for the -dbpath value and use any number beyond 40,000 for the -ldapport value to ensure that you do not conflict with AD DS.
Also note that you can use the minus (-) sign or the slash (/) for the options in the command.

NEW QUESTION 4
Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.
You plan to install a new RODC that runs Windows Server 2008 R2.
You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. From Active Directory Domains and Trusts, raise the functional level of the domain
  • B. At the command prompt, run adprep.exe /forestprep
  • C. From Active Directory Users and Computers, pre-stage the RODC computer account
  • D. At the command prompt, run adprep.exe /domainprep
  • E. At the command prompt, run adprep.exe /rodcprep

Answer: CD

Explanation: C:
* During the first stage of the installation, the wizard records all the data about the RODC that will be stored in the distributed Active Directory database, including the read-only domain controller account name and the site in which it will be placed. This stage must be performed by a member of the Domain Admins group.
* To create an RODC account by using the Windows interface: click Start, click Administrative Tools, and then click Active Directory Users and Computers. Double-click the domain container; then either right-click the Domain Controllers container, or click the Domain Controllers container and then click Action. Click Pre-create Read-only Domain Controller account.

NEW QUESTION 5
Your network contains an Active Directory forest named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC2 holds the PDC emulator role.
The power supply on DC2 fails.
You seize the PDC emulator role to DC1.
You replace the power supply on DC2.
You need to bring DC2 back online as the PDC emulator as soon as possible. The solution must minimize the disruption of services for users.
What should you do?

  • A. Connect DC2 to the network
  • B. Turn on DC2, and then transfer the PDC emulator role
  • C. Reinstall Windows Server 2008 on DC2 and promote DC2 to a domain controller
  • D. Transfer the PDC emulator role
  • E. Reinstall Windows Server 2008 on DC2 and promote DC2 to a domain controller
  • F. Seize the PDC emulator role
  • G. Disconnect DC2 from the network
  • H. Turn on DC2, and then seize the PDC emulator role
  • I. Connect DC2 to the network

Answer: A

NEW QUESTION 6
Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
You attempt to create a new child domain and you receive the following error message: "An LDAP read of operational attributes failed."
You need to ensure that you can add a new child domain to the forest.
What should you do?

  • A. Move the PDC emulator role
  • B. Move the RID master role
  • C. Move the infrastructure master role
  • D. Move the schema master role
  • E. Move the domain naming master role
  • F. Move the global catalog server
  • G. Move the bridgehead server
  • H. Install a read-only domain controller (RODC).
  • I. Deploy an additional global catalog server
  • J. Restart the Active Directory Domain Services (AD DS) service

Answer: E

Explanation:
http://technet.microsoft.com/en-us/library/bb727058.aspx
Troubleshooting Active Directory Installation Wizard Problems
Symptom or Error
An LDAP read of operational attributes failed.
Root Cause
The domain naming master for the forest is offline or cannot be contacted.
Solution
Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.

NEW QUESTION 7
Your company has an Active Directory domain.
You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?

  • A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager
  • B. Log off and log on again by using an account that is a member of the Schema Administrators group
  • C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing
  • D. Register Schmmgmt.dll

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc732110.aspx
Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC). To install the Active Directory Schema snap-in:
1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator.
2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
* To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.

NEW QUESTION 8
You are the administrator of an organization with a single Active Directory domain.
A user who left the company returns after 16 weeks.
The user tries to log onto their old computer and receives an error stating that
authentication has failed.
The user's account has been enabled.
You need to ensure that the user is able to log onto the domain using that computer.
What do you do?

  • A. Reset the computer account in Active Directory
  • B. Disjoin the computer from the domain and then rejoin the computer to the domain
  • C. Run the ADadd command to rejoin the computer account
  • D. Run the MMC utility on the user's computer and add the Domain Computers snap-in
  • E. Re-create the user account and reconnect the user account to the computer account

Answer: A

Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx
Trust Relationship between Workstation and Primary Domain failed
What are the common causes which generate this message on client systems?
There might be multiple reasons for this kind of behaviour. Below are listed a few of them:
1. A single SID has been assigned to multiple computers.
2. The secure channel is broken between the domain controller and the workstation.
3. There is no SPN or DNSHostName in the computer account attributes.
4. Outdated NIC drivers.
How to troubleshoot this behaviour?
2. The secure channel is broken between the domain controller and the workstation
When a computer account is joined to the domain, the secure channel password is stored with the computer account on the domain controller. By default this password will change every 30 days (this is an automatic process; no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC.
If there are problems with system time, DNS configuration or other settings, the secure channel password between the workstation and the DCs may not synchronize. A common cause of a broken secure channel (machine account password) is that the secure channel password held by the domain member does not match that held by AD. Often, this is caused by performing a Windows System Restore (or reverting to a previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to AD.
Resolution: The simplest resolution would be to unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain (this is a somewhat similar principle to performing a password reset for a user account). Or you can go ahead and reset the computer account using the netdom.exe tool.
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
You can use netdom to:
* Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
* Manage computer accounts for domain member workstations and member servers. Management operations include:
* Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:
* Verify or reset the secure channel for the following configurations:
  * Member workstations and servers.
  * Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.
* Manage trust relationships between domains.
Syntax
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx
Netdom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]
Further information:
http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx
Netdom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]

NEW QUESTION 9
Your network contains an Active Directory forest. The forest contains multiple sites.
You need to enable universal group membership caching for a site.
What should you do?

  • A. From Active Directory Sites and Services, modify the NTDS Settings
  • B. From Active Directory Sites and Services, modify the NTDS Site Settings
  • C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site
  • D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspx
Enabling Universal Group Membership Caching in a Site
In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session.
Only global catalog servers store the memberships of all universal groups in the forest. If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user can potentially be unable to log on to the domain if a global catalog server is not available.
You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user's initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server.
To complete this task, perform the following procedure:
http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspx
Enable Universal Group Membership Caching in a Site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.

NEW QUESTION 10
Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed.
You need to perform a non-authoritative restore of the domain controller using an existing backup file.
What should you do?

  • A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volumes
  • B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volumes
  • C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volumes
  • D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volumes

Answer: A

Explanation:
Almost identical to B42
http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx
Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup.
Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.

NEW QUESTION 11
Your company has two offices. The offices are located in Miami and London.
The network contains an Active Directory forest named contoso.com. The forest contains two child domains named miami.contoso.com and london.contoso.com. Each domain contains 50 domain controllers that run Windows Server 2008 R2. Each office is configured as an Active Directory site.
The office in London recently hired several thousand new employees.
You need to move 10 domain controllers from miami.contoso.com to london.contoso.com.
What should you do?

  • A. Run the dsadd.exe command
  • B. Run the nltest.exe command
  • C. Run the Set-AdDomain cmdlet
  • D. Run the dsmove.exe command
  • E. Run the dcpromo.exe command
  • F. Run the Move-AdDirectoryServer cmdlet
  • G. Use the Active Directory Schema snap-in
  • H. Use the Active Directory Users and Computers console

Answer: E

NEW QUESTION 12
Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema.
You discover that the Active Directory replication traffic to the Global Catalogs has increased.
You need to prevent the new attributes from being replicated to the Global Catalog.
You must achieve this goal without affecting application functionality.
What should you do?

  • A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.
  • B. Change the cost for the DEFAULTIPSITELINK object to 9990.
  • C. Make the new attributes in the Active Directory defunct
  • D. Modify the properties in the Active Directory schema for the new attributes

Answer: D

Explanation:
http://support.microsoft.com/kb/248717
How to Modify Attributes That Replicate to the Global Catalog
The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes which make up the set of values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space.
Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has on network replication traffic. After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on the versions of Windows 2000 listed in this article.
Every server has a full and write-able copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept. When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own write-able domain, the configuration directory partition or schema directory partition.
In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the "Schema Admins" group. In addition to being a member of this group, a registry key must be set on the Schema master.

NEW QUESTION 13
Your network contains an Active Directory forest. The forest contains multiple domains.
You need to ensure that users in the human resources department can search for employees by using the employeeNumber attribute.
What should you do?

  • A. From Active Directory Sites and Services, modify the properties of each global catalog server
  • B. From the Active Directory Schema snap-in, modify the properties of the user object class
  • C. From Active Directory Sites and Services, modify the NTDS Settings object of each global catalog server
  • D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx
Global Catalog Replication of Additions to the Partial Attribute Set
Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.
The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.

NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You install Active Directory Lightweight Directory Services (AD LDS) on a member server named Server2. On Server2, you create a directory partition named fabrikam.com.
You need to configure the MS-AdamSyncConfig.xml file to synchronize data from contoso.com to fabrikam.com.
What should you do? (To answer, select the appropriate options in the answer area.)
70-640 dumps exhibit

Answer:

Explanation: 70-640 dumps exhibit

NEW QUESTION 15
Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?

  • A. From the Default Domain Policy, modify the account lockout settings
  • B. From the Default Domain Controller Policy, modify the account lockout settings
  • C. From the properties of the user account, modify the Account options
  • D. From the properties of the user account, modify the Session settings

Answer: C

Explanation:
http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx
Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains the user's data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily.

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You have a member server named Server1.
Both DC1 and Server1 have the DNS Server server role installed.
On DC1, you create an Active Directory-integrated zone named adatum.com.
You need to ensure that Server1 receives a copy of the zone.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Create a secondary zone on Server1.
  • B. Modify the zone type of adatum.com
  • C. Modify the Zone Transfers settings of adatum.com.
  • D. Add Server1 to the DNSUpdateProxy group
  • E. Create a primary zone on Server1.

Answer: AC

NEW QUESTION 17
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS infrastructure is shown in the following graphic.
70-640 dumps exhibit
When the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Toronto Site domain controller.
You need to ensure that when the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Quebec City Site domain controller.
What should you do?

  • A. Create a site link bridge between the Montreal Site and the Quebec City Site
  • B. Create a registry entry on each client computer in the Montreal branch office.
  • C. Enable the global catalog role on the Montreal Site domain controller
  • D. Delete the Toronto-Montreal Site Link

Answer: A

NEW QUESTION 18
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?

  • A. Get-ADAccountResultantPasswordReplicationPolicy
  • B. Get-ADFineGrainedPasswordPolicy
  • C. Dcdiag
  • D. Repadmin

Answer: D

    NEW QUESTION 19
    You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
    You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.
    You grant the Account Operators group the Issue and Manage Certificates permission on the CA.
    Which three tasks should you perform next? (Each correct answer presents part of the solution.
    Choose three.)

    • A. Enable the Restrict Enrollment Agents option on the CA.
    • B. Enable the Restrict Certificate Managers option on the CA.
    • C. Add the Basic EFS certificate template for the Account Operators group.
    • D. Grant the Account Operators group the Manage CA permission on the CA.
    • E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

    Answer: BCE

    Explanation:
    http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx
    Role-based administration
    Role explanation
    Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.
    These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.
    [Exhibit: table of CA roles and their permissions; only the Certificate Manager row is reproduced below]
    Certificate Manager:
    • Delete multiple rows in database (bulk deletion)
    • Issue and approve certificates
    • Deny certificates
    • Revoke certificates
    • Reactivate certificates placed on hold
    • Renew certificates
    • Recover archived key
    • Read CA database
    • Read CA configuration information
    http://technet.microsoft.com/en-us/library/cc753372.aspx
    Restrict Certificate Managers
    A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.
    When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group. This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
    To configure certificate manager restrictions for a CA:
    1. Open the Certification Authority snap-in, and right-click the name of the CA.
    2. Click Properties, and then click the Security tab.
    3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
    4. Click the Certificate Managers tab.
    5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.
    6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
    7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
    8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
    9. When you are finished configuring certificate manager restrictions, click OK or Apply.

    P.S. Surepassexam is now offering 100% pass-guaranteed 70-640 dumps! All 70-640 exam questions have been updated with correct answers: https://www.surepassexam.com/70-640-exam-dumps.html (631 New Questions)