Microsoft 70-640 Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller.
What should you do?

  • A. Review performance data in Resource Monitor.
  • B. Review the Hardware Events log in the Event Viewer.
  • C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.
  • D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.

Answer: C

Explanation:
http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/
Active Directory Diagnostics
Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active Directory data set collects performance data and generates XML-based diagnostic reports that make analyzing AD performance issues easier by identifying the IP addresses of the highest-volume callers and the type of network traffic that is placing the most load on the CPU.
Download SPA tool: http://www.microsoft.com/en-us/download/details.aspx?id=15506
Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don’t have to install SPA anymore.
This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data collector set is automatically created under System as shown here.
When you check the properties of the collector, you will notice that the data is stored under %systemdrive%\perflogs, only now it is under the \ADDS folder. When a data collection is run, it creates a new subfolder called YYYYMMDD-####, where YYYY = Year, MM = Month, DD = Day and #### starts with 0001. The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line.
To start the data collector set, you just have to right click on Active Directory Diagnostics data collector set and select Start. Data will be stored at %systemdrive%\perflogs location.
Once you’ve gathered your data, you will find these reports under the Report section to aid in your troubleshooting and server performance trending.
Further information: http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx
Monitoring Your Branch Office Environment
http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx
Son of SPA: AD Data Collector Sets in Win2008 and beyond

NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com.
The domain contains an enterprise certification authority (CA).
You plan to deploy certificates to all of the domain users. The certificates will be based on a custom Smartcard Logon template.
You need to recommend a solution to ensure that the users can log on to the domain by using smart cards.
What should you include in the recommendation?

  • A. From Certificate Templates, set the minimum certificate key size to 512.
  • B. From Active Directory Users and Computers, select Use Kerberos DES encryption types for this account.
  • C. From Certificate Templates, include the user principal name (UPN) in the subject alternate name (SAN) of the template.
  • D. From Active Directory Users and Computers, configure Published Certificates for user accounts.

Answer: C

Explanation: Request a smart card certificate from the third-party CA.
Enroll for a certificate from the third-party CA that meets the stated requirements. The method for enrollment varies by the CA vendor.
The smart card certificate has specific format requirements:
* Subject Alternative Name = Other Name: Principal Name = (UPN). For example:
UPN = user1@name.com
The UPN OtherName OID is "1.3.6.1.4.1.311.20.2.3".
The UPN OtherName value must be an ASN.1-encoded UTF8 string.
* Subject = Distinguished name of user.
* The CRL Distribution Point (CDP) location (where CRL is the Certificate Revocation List) must be populated, online, and available.
* Key Usage = Digital Signature
* Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)
* Enhanced Key Usage

NEW QUESTION 3
There are 100 servers and 2000 computers present at your company's headquarters.
The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service.
The nodes are named as CKMFON1 and CKMFON2.
The cluster on CKMFO has one physical shared disk of 400 GB capacity.
A 200GB single volume is configured on the shared disk.
Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.
The DHCP and WINS services will be hosted on other nodes.
Using High Availability Wizard, you begin creating the WINS service group on cluster available on CKMFON1 node.
The wizard shows an error "no disks are available" during configuration.
Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1?

  • A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group.
  • B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
  • C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these disks and direct CKMOFONI to use CKMFON2 volume for the WINS service group.
  • D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard.
  • E. None of the above

Answer: B

Explanation:
http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-tosuccessfully-add-the-wins-service-group-to-ckmfon1/
To configure storage volumes on CKMFON1 to successfully add the WINS Service group
to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and
configure a new volume on it.
Use this volume to fix the error in the wizard.
This is because a cluster does not use shared storage.
A cluster must use a hardware solution based either on shared storage or on replication
between nodes.

NEW QUESTION 4
A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites. The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers.
You need to determine which domain controller holds the Inter-Site Topology Generator role for the Toronto site.
What should you do?

  • A. Use the Ntdsutil tool with the roles parameter.
  • B. Use the Ntdsutil tool with the local roles parameter.
  • C. Use the LDP tool to view the NTDS Site Settings for the Toronto site.
  • D. Use the LDP tool to view the properties of each domain controller in the Toronto site.

Answer: D

NEW QUESTION 5
Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA. What should you do first?

  • A. Add the DNS Server server role.
  • B. Add the Active Directory Lightweight Directory Services (AD LDS) server role.
  • C. Join the server to the domain.
  • D. Add the Web Server (IIS) server role and the AD CS server role.

Answer: C

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008.
You have a member server named Server1 that runs Windows Server 2008.
You need to ensure that you can add Server1 to contoso.com as a domain controller.
What should you run before you promote Server1?

  • A. dcpromo.exe /CreateDCAccount
  • B. dcpromo.exe /ReplicaOrNewDomain:replica
  • C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
  • D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels.aspx
After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.

NEW QUESTION 7
Your network contains an Active Directory domain named contoso.com.
The aging and scavenging settings of the contoso.com zone are configured as shown in the exhibit. (Click the Exhibit button.)
70-640 dumps exhibit
To answer, complete each statement according to the information presented in the exhibit.
70-640 dumps exhibit

    Answer:

    Explanation: 70-640 dumps exhibit

    NEW QUESTION 8
    All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders.
    You need to record any failed attempts made by the consultants to access the confidential data.
    Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

    • A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group.
    • B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting.
    • C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting.
    • D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
    • E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.

    Answer: CE

    Explanation:
    Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
    Auditing Resource Access
    Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling “Audit object access” and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:
    Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.
    Audit object access success enables you to see usage patterns. This shows misuse of privilege.
    After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.
    Auditing Files and Folders
    The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements.
    Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:
    1. In Windows Explorer, right-click the file or folder to audit and select Properties.
    2. Select the Security tab and then click the Advanced button.
    3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
    4. Click the Add button to display the Select User or Group window.
    5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.

    NEW QUESTION 9
    Your network contains two standalone servers named Server1 and Server2 that have
    Active Directory Lightweight Directory Services (AD LDS) installed.
    Server1 has an AD LDS instance.
    You need to ensure that you can replicate the instance from Server1 to Server2.
    What should you do on both servers?

    • A. Obtain a server certificate.
    • B. Import the MS-User.ldf file.
    • C. Create a service user account for AD LDS.
    • D. Register the service location (SRV) resource records.

    Answer: C

    Explanation:
    http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspx
    Administering AD LDS Instances
    Each AD LDS instance runs as an independent, separately administered service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually.
    AD LDS service account
    The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.

    NEW QUESTION 10
    Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.
    You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone.
    What should you do?

    • A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
    • B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).
    • C. From the DNS Manager console, modify the permissions of the contoso.com zone.
    • D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.

    Answer: C

    Explanation:
    Answer: From the DNS Manager console, modify the permissions of the contoso.com
    zone.
    http://technet.microsoft.com/en-us/library/cc753213.aspx
    Modify Security for a Directory-Integrated Zone
    You can manage the discretionary access control list (DACL) on the DNS zones that are
    stored in Active Directory Domain Services (AD DS). You can use the DACL to control the
    permissions for the Active Directory users and groups that may control the DNS zones.
    Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum
    required to complete this procedure.
    To modify security for a directory-integrated zone:
    1. Open DNS Manager.
    2. In the console tree, click the applicable zone.
    Where?
    DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable
    zone
    3. On the Action menu, click Properties.
    4. On the General tab, verify that the zone type is Active Directory-integrated.
    5. On the Security tab, modify the list of member users or groups that are allowed to
    securely update the applicable zone and reset their permissions as needed.
    Further information:
    http://support.microsoft.com/kb/163971
    The Structure of a DNS SOA Record
    The first resource record in any Domain Name System (DNS) Zone file should be a Start of
    Authority (SOA) resource record. The SOA resource record indicates that this DNS name
    server is the best source of information for the data within this DNS domain.
    The SOA resource record contains the following information:
    Source host - The host where the file was created.
    Contact e-mail - The e-mail address of the person responsible for administering the
    domain's zone file. Note that a "." is used instead of an "@" in the e-mail name.
    Serial number - The revision number of this zone file. Increment this number each time the
    zone file is changed. It is important to increment this value each time a change is made, so
    that the changes will be distributed to any secondary DNS servers.
    Refresh Time - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record and the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
    Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
    Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
    Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
    http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx
    Modify the start of authority (SOA) record for a zone
    Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

    NEW QUESTION 11
    You install a read-only domain controller (RODC) named RODC1.
    You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.
    Which tool should you use?

    • A. Active Directory Administrative Center
    • B. Active Directory Users and Computers
    • C. Dsadd
    • D. Dsmgmt

    Answer: B

    Explanation:
    Explanation 1:
    http://technet.microsoft.com/en-us/library/cc755310.aspx
    Delegating local administration of an RODC
    Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.
    Steps and best practices for setting up ARS
    You can specify a delegated RODC administrator during an RODC installation or after it.
    To specify the delegated RODC administrator after installation, you can use either of the
    following options:
    Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.
    Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second Explanation for more information on how to use dsmgmt.]
    Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
    In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.
    Explanation 2: http://technet.microsoft.com/en-us/library/cc732301.aspx
    Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.
    To configure Administrator Role Separation for an RODC
    Click Start, click Run, type cmd, and then press ENTER.
    At the command prompt, type dsmgmt.exe, and then press ENTER.
    At the DSMGMT prompt, type local roles, and then press ENTER.
    For a list of valid parameters, type ?, and then press ENTER.
    By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.
    Type add <DOMAIN>\<user> <administrative role>
    For example, type add CONTOSO\testuser administrators

    NEW QUESTION 12
    Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The computers are configured as shown in the following table.
    70-640 dumps exhibit
    An administrator creates a script that contains the following commands:
    70-640 dumps exhibit
    You need to identify which computers can successfully run all of the commands in the script.
    Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)

    • A. Computer1
    • B. Server1
    • C. Computer2
    • D. Server2

    Answer: CD

    Explanation:
    http://technet.microsoft.com/en-us/library/ff625687.aspx
    Auditpol resourceSACL
    Applies only to Windows 7 and Windows Server 2008 R2.

    NEW QUESTION 13
    A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted.
    You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online.
    What should you do?

    • A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.
    • B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.
    • C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.
    • D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.

    Answer: D

    Explanation:
    http://support.microsoft.com/kb/232122
    Performing offline defragmentation of the Active Directory database
    Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller.
    http://rickardnobel.se/when-to-offline-defrag-ntds-dit/
    When to offline defrag the Active Directory database
    This article will show a simple way to determine if there is any gain in doing an offline defrag of your Active Directory database. During normal operations the Active Directory service will do an online defragmentation of the Active Directory database (always called ntds.dit) every 12 hours. This online defrag will arrange all pages in an optimal way internally in the ntds.dit; however, the file size will never shrink, and sometimes even grows. During the years of operation of the ntds.dit the file size will increase as user accounts, organizational units, groups, computers, DNS records and more are added and later removed. When deleted objects are finally removed (after the so-called tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not decrease.
    The actual size of the ntds.dit can easily be checked through Explorer, as above. The size of the database is in this example around 575 MB. Note that Active Directory does not use file-level replication, so the file could be of a different size on each Domain Controller in your domain. If wanted, there is the possibility to take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pages in the best possible way and reclaim any empty space inside the database, which could make backup and restore faster and also possibly increase AD performance. The offline defrag means “offline” from an Active Directory perspective. This means that on Windows 2000 and 2003 you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will have to stop the AD services by typing “net stop ntds” in the command prompt. So in Windows 2008 and later it is far easier, but still something that you do not want to do if not necessary. There are numerous articles on the web on how to do the actual offline defrag, so we will not cover that part here. However, we will see what is perhaps the most important information: how to see in advance the amount of space that we could reclaim. With this information we can base our decision on facts and not guesses. This has been possible since at least Windows 2003, but is not well documented.
    To enable this, you will have to alter a registry value on the Domain Controller whose reclaimable MBs you want to investigate. Use regedit and find the following key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics
    Change the value “6 Garbage Collection” from 0 to 1. This will increase the logging from the Garbage Collection process, which runs together with the online defrag. Now wait for the next online defragmentation, which runs twice a day, and then study the Directory Service log in Event Viewer.
    Search for event id 1646, usually together with event ids 700 and 701.
    Here we can note the amount of space that would be reclaimed from an offline defrag. The top value is the number of MB that the offline defrag would recover, here almost half the database size. If the amount is negligible then do not worry about this any more, and if there is a considerable amount of MBs reported then you could plan to do the offline defrag.
    Note that both the change of the registry value and the actual offline defrag have to be done on each domain controller, since neither replicates.
    As noted above, we will not look at the commands for the offline defragmentation here, since they are well documented already.

    NEW QUESTION 14
    You have an Active Directory domain named contoso.com.
    You need to view the account lockout threshold and duration for the domain.
    Which tool should you use?

    • A. Get-ItemProperty
    • B. Active Directory Domains and Trusts
    • C. Net User
    • D. Gpresult

    Answer: C

    NEW QUESTION 15
    Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.
    You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network.
    You need to ensure that the new server is already joined to the domain when it first connects to the internal network.
    What should you do?

    • A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.
    • B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.
    • C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.
    • D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.

    Answer: C

    Explanation:
    Explanation 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
    Offline Domain Join
    Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join:
    1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
    2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information, called a blob, to a text file.
    3. At the offline computer that you want to join to the domain, use DJoin to import the blob into the Windows directory.
    4. When you start or restart the computer, it will be a member of the domain.
    Explanation 2:
    http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx
    Steps for performing an offline domain join
    The offline domain join process includes the following steps:
    1. Run the djoin.exe /provision command to create computer account metadata for the
    destination computer (the computer that you want to join to the domain). As part of this
    command, you must specify the name of the domain that you want the computer to join.
    2. Run the djoin.exe /requestODJ command to insert the computer account metadata into
    the Windows directory of the destination computer.
    3. When you start the destination computer, either as a virtual machine or after a complete
    operating system installation, the computer will be joined to the domain that you specify.
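The two djoin.exe steps described above, as an added PowerShell example that is not taken from the training kit or the TechNet article. The computer name NEWSRV01 and the blob path are hypothetical; contoso.com is used only as a sample domain name. The blob contains the machine account password, so the script restricts access to it and deletes it after import.

```powershell
# Added example. NEWSRV01 and C:\odj\NEWSRV01.txt are hypothetical values.
param(
    [ValidateSet('Provision', 'Request')]
    [string]$Phase   = 'Provision',
    [string]$Domain  = 'contoso.com',            # sample domain name (assumption)
    [string]$Machine = 'NEWSRV01',               # hypothetical destination computer
    [string]$Blob    = 'C:\odj\NEWSRV01.txt'     # hypothetical blob file path
)

if ($Phase -eq 'Provision') {
    # Run on a domain-joined Windows 7 / Windows Server 2008 R2 computer,
    # with an account that is allowed to join computers to the domain.
    New-Item -ItemType Directory -Path (Split-Path $Blob) -Force | Out-Null

    # Creates the computer account in Active Directory and exports the blob.
    & djoin.exe /provision /domain $Domain /machine $Machine /savefile $Blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob holds the machine account password: drop inherited ACEs and
    # leave access only to the account that created it.
    & icacls.exe $Blob /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:F" | Out-Null
    Write-Output "Provisioned $Machine in $Domain; move $Blob to the offline computer over a trusted channel."
}
else {
    # Run elevated on the offline destination computer after copying the blob to it.
    if (-not (Test-Path $Blob)) { throw "Blob file not found: $Blob" }

    # Inserts the computer account metadata into the local Windows directory.
    & djoin.exe /requestODJ /loadfile $Blob /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    # The blob is no longer needed once imported; do not leave the secret on disk.
    Remove-Item $Blob -Force
    Write-Output "Import complete. Restart the computer to finish the domain join."
}
```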

    NEW QUESTION 16
    Your network consists of a single Active Directory domain. All domain controllers run
    Windows Server 2003.
    You upgrade all domain controllers to Windows Server 2008 R2.
    You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).
    What should you do?

    • A. From the command prompt, run dfsutil /addroot:sysvol.
    • B. From the command prompt, run netdom /reset.
    • C. From the command prompt, run dcpromo /unattend:unattendfile.xml.
    • D. Raise the functional level of the domain to Windows Server 2008 R2.

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspx
    Introduction to Administering DFS-Replicated SYSVOL
    SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.
    Note: For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.
    Using DFS Replication for replicating SYSVOL in Windows Server 2008
    Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).

    NEW QUESTION 17
    Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The forest contains a single domain.
    You need to ensure that objects can be restored from the Active Directory Recycle Bin.
    Which tool should you use?

    • A. Ntdsutil
    • B. Dsamain
    • C. Ldp
    • D. Add-PSSnapin

    Answer: C

    NEW QUESTION 18
    You are the network administrator for the ABC Company.
    Your network consists of two DNS servers named DNS1 and DNS2.
    The users who are configured to use DNS2 complain because they are unable to connect
    to Internet websites.
    The following table shows the configuration of both servers:
    The users connected to DNS2 need to be able to access the Internet.
    What needs to be done?

    • A. Build a new Active Directory Integrated zone on DNS2.
    • B. Delete the .(root) zone from DNS2 and configure Conditional forwarding on DNS2.
    • C. Delete the current cache.dns file.
    • D. Update your cache.dns file and root hints.

    Answer: B

    Explanation:
    http://support.microsoft.com/kb/298148
    How To Remove the Root Zone (Dot Zone)
    When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

    NEW QUESTION 19
    Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.
    The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)
    You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.
    Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

    • A. Create a zone delegation record in the contoso.com zone.
    • B. Create a zone delegation record in the eu.contoso.com zone.
    • C. Create an Active Directory-integrated zone for _msdsc.contoso.com.
    • D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.

    Answer: AC

    Explanation:
    Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo.
