Proper study guides for 70-640 TS: Windows Server 2008 Active Directory, Configuring begin with preparation products designed to get you through the 70-640 test on your first attempt. Try the free version right now.
Check 70-640 free dumps before getting the full version:
NEW QUESTION 1
You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).
What should you do?
- A. Run the repadmin.exe command and specify the /prp parameter.
- B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
- C. From Active Directory Users and Computers, modify the properties of the RODC computer object.
- D. Run the dsrm.exe command and specify the -u parameter.
Clearing the authenticated accounts list
In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.
Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure.
To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all.
Substitute the actual host name of the RODC that you want to clear. For example, if you want to clear the list of authenticated accounts for RODC2, type repadmin /prp delete rodc2 auth2 /all, and then press ENTER.
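The procedure above clears the list without keeping a copy. The following PowerShell script is an added example (not from the page) that archives the current auth2 list with repadmin /prp view before running the /prp delete command from the text. The host name RODC2 and the archive folder are placeholders; repadmin.exe and Domain Admins membership are assumed.

```powershell
# Added example: archive the RODC's authenticated-accounts list before purging
# it, so the record of who authenticated through the RODC survives for review.
# Assumptions: repadmin.exe is available (AD DS tools), the caller is a member
# of Domain Admins, and "RODC2" and the archive path are placeholders.
param(
    [string]$Rodc = "RODC2",
    [string]$ArchiveDir = "C:\Audit\RODC-auth2"
)

New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$archive = Join-Path $ArchiveDir "$Rodc-auth2-$stamp.txt"

# 1. Review: "repadmin /prp view <rodc> auth2" lists the accounts that have
#    authenticated through this RODC. Keep a copy before it is cleared.
$view = & repadmin.exe /prp view $Rodc auth2 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /prp view failed for $Rodc (exit $LASTEXITCODE):`n$($view -join "`n")"
}
$view | Set-Content -Path $archive
Write-Host "Archived auth2 list for $Rodc to $archive"
$view | ForEach-Object { "  $_" }

# 2. Purge: the same command as in the text. From now on the list only shows
#    accounts that authenticate after this point.
$delete = & repadmin.exe /prp delete $Rodc auth2 /all 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /prp delete failed for $Rodc (exit $LASTEXITCODE):`n$($delete -join "`n")"
}
Write-Host "Cleared the authenticated-accounts list on $Rodc"
```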
NEW QUESTION 2
Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed.
You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize impact on the network during the database move.
What should you do first?
- A. Restart DC1 in Safe Mode.
- B. Restart DC1 in Directory Services Restore Mode.
- C. Start DC1 from Windows PE.
- D. Stop the Active Directory Domain Services service on DC1.
http://technet.microsoft.com/en-us/library/cc794895%28v=ws.10%29.aspx
Relocating the Active Directory Database Files
Applies To: Windows Server 2008, Windows Server 2008 R2
Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service.
NEW QUESTION 3
All vendors belong to a global group named vendors.
You place three file servers in a new organizational unit (OU) named ConfidentialFileServers. The three file servers contain confidential data located in shared folders.
You need to record any failed attempts made by the vendors to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
- A. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
- B. Configure the Audit object access failure audit policy setting.
- C. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
- D. Configure the Audit privilege use Failure audit policy setting.
- E. On each shared folder on the three file servers, add the Vendors global group to the Auditing tab.
- F. Configure the Failed Full control setting in the Auditing Entry dialog box.
- G. On each shared folder on the three file servers, add the three servers to the Auditing tab.
- H. Configure the Failed Full control setting in the Auditing Entry dialog box.
- I. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
- J. Configure the Deny access to this computer from the network user rights setting for the Vendors global group.
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
Auditing Resource Access
Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling "Audit object access" and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:
- Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.
- Audit object access success enables you to see usage patterns. This shows misuse of privilege.
After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.
Auditing Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements.
Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:
1. In Windows Explorer, right-click the file or folder to audit and select Properties.
2. Select the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
4. Click the Add button to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
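The same two steps (enable the failure audit policy, then add a Failed / Full Control auditing entry for the group on the folder) can be scripted on a file server, and the failed attempts read back from the Security log. This PowerShell script is an added example and not part of the original page; the folder path and the CONTOSO\Vendors group are placeholders, and it must run elevated because writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example: the two-step object-access audit from the text, done with
# PowerShell on one file server, followed by a check of the failure events.
# Assumptions: placeholder share path and group; run in an elevated session.
$Folder = "D:\Shares\Confidential"    # placeholder path
$Group  = "CONTOSO\Vendors"           # placeholder group

# Step 1: failure auditing for the File System subcategory of "Audit object
# access". In a domain this would normally come from the GPO linked to the
# ConfidentialFileServers OU rather than from the local policy.
& auditpol.exe /set /subcategory:"File System" /failure:enable | Out-Null

# Step 2: add a Failed / Full Control auditing entry for the group on the
# folder, inherited by subfolders and files. Existing entries are kept.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify that the SACL now carries the entry.
(Get-Acl -Path $Folder -Audit).Audit |
    Where-Object { $_.IdentityReference -eq $Group } |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Review: a denied open is logged as Security event 4656 ("A handle to an
# object was requested") carrying the Audit Failure keyword. List the last
# day's failures under the folder so the vendors' attempts can be read back.
$AuditFailure = 0x10000000000000   # Keywords bit for "Audit Failure"
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        Keywords  = $AuditFailure
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Folder) } |
    Select-Object TimeCreated,
        @{n='User';   e={ $_.Properties[1].Value }},  # SubjectUserName in the 4656 template
        @{n='Object'; e={ $_.Properties[6].Value }} | # ObjectName in the 4656 template
    Format-Table -AutoSize
```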
NEW QUESTION 4
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.
You need to modify the custom attribute value of 500 user accounts.
Which tool should you use?
- A. Csvde
- B. Dsmod
- C. Dsrm
- D. Ldifde
Creates, modifies, and deletes directory objects.
NEW QUESTION 5
Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates.
You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR.
You need to ensure that the French-language version of the templates is available.
What should you do?
- A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site.
- B. Copy the ADM files to the FR folder.
- C. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
- D. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
- E. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
http://technet.microsoft.com/en-us/library/cc772507%28v=ws.10%29.aspx
.admx and .adml File Structure
In order to support the multilingual display of policy settings, the ADMX file structure must be broken into two types of files:
- A language-neutral file, .admx, describing the structure of the categories and Administrative template policy settings displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor.
- A set of language-dependent files, .adml, providing the localized portions displayed in the GPMC or Local Group Policy Editor. Each .adml file represents a single language you wish to support.
Language resource file (.adml) structure
The language resource files, .adml, provide the language-specific information needed by the language-neutral file. The language-neutral file then references specific sections of the language resource file in order for the GPMC or Local Group Policy Editor to display a policy setting in the correct language.
NEW QUESTION 6
Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long.
You need to decrease the amount of time it takes for the branch office users to log on.
What should you do?
- A. Configure DC1 as a Global Catalog server.
- B. Configure DC1 as a bridgehead server for the branch office site.
- C. Decrease the replication interval on the site link that connects the branch office to the corporate network.
- D. Increase the replication interval on the site link that connects the branch office to the corporate network.
http://technet.microsoft.com/en-us/library/cc728188.aspx
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
NEW QUESTION 7
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organisational unit (OU) named Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited.
What should you do first?
- A. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
- B. Modify the searchFlags property for the Name attribute in the Schema.
- C. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Admins OU.
- D. Use the Auditpol.exe command-line tool to enable the directory service changes auditing subcategory.
Auditing changes to objects in AD DS
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory.
The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
Steps to set up auditing
This section includes procedures for each of the primary steps for enabling change auditing:
Step 1: Enable audit policy.
Step 2: Set up auditing in object SACLs by using Active Directory Users and Computers.
Step 1: Enable audit policy.
This step includes procedures to enable change auditing with either the Windows interface or a command line. By using the Auditpol command-line tool, you can enable individual subcategories.
To enable the change auditing policy using a command line
1. Click Start, right-click Command Prompt, and then click Run as administrator.
2. Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
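Step 1 alone produces no events; Step 2 (the SACL on the objects) is what decides which changes are recorded. This PowerShell script is an added example, not part of the page, that performs both steps for the Employees OU and then reads back the resulting Directory Service Changes events (event 5136). It assumes the ActiveDirectory module on a domain controller, Domain Admins rights, and the placeholder DN OU=Employees,DC=contoso,DC=com.

```powershell
# Added example: enable Directory Service Changes auditing, audit successful
# attribute writes on every object under the Employees OU, then read back the
# 5136 events, which carry the old and new attribute values.
# Assumptions: ActiveDirectory module (RSAT) on a DC, Domain Admins rights,
# placeholder OU DN. Run in an elevated session.
Import-Module ActiveDirectory
$OuDn = "OU=Employees,DC=contoso,DC=com"   # placeholder

# Step 1: the audit policy subcategory (same command as in the text). On DCs
# this is normally delivered through the Default Domain Controllers Policy.
& auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# Step 2: SACL entry on the OU: audit successful Write Property by Everyone on
# all descendant objects (so a rename of a user's name attribute is caught,
# whoever performs it).
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
$acl = Get-Acl -Path "AD:\$OuDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Review: every modified attribute yields two 5136 events, "Value Deleted"
# (old value, OperationType %%14675) and "Value Added" (new value, %%14674).
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p  = $_.Properties   # field order of the 5136 event template
        $op = if ($p[14].Value -eq '%%14674') { 'added' } else { 'deleted' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Who       = "$($p[4].Value)\$($p[3].Value)"   # SubjectDomainName\SubjectUserName
            Object    = $p[8].Value                       # ObjectDN
            Attribute = $p[11].Value                      # AttributeLDAPDisplayName
            Value     = $p[13].Value                      # AttributeValue
            Operation = $op
        }
    } |
    Where-Object { $_.Object -like "*$OuDn" } |
    Format-Table -AutoSize
```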
NEW QUESTION 8
You have a DNS zone that is stored in a custom application partition.
You need to add a domain controller to the replication scope of the custom application partition.
Which tool should you use?
- A. DNScmd
- B. DNS Manager
- C. Server Manager
- D. Dsmod
After you create a Domain Name System (DNS) application directory partition to store a zone, you must enlist the DNS server that hosts the zone in the application directory partition.
To enlist a DNS server in a DNS application directory partition
1. Open a command prompt.
2. Type the following command, and then press ENTER: dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>
NEW QUESTION 9
A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organization unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong to a security group named HR PCs.
Company policy requires that passwords are a minimum of six characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least eight characters. The password length requirement should not change for employees of any other department.
What should you do?
- A. Modify the local security policy on each computer in the HR PCs group.
- B. Create a fine-grained password policy and apply it to the HR Employees group.
- C. Create a new GPO, with the necessary password policy, and link it to the HR Computers OU.
- D. Create a fine-grained password policy and apply it to the HR Computers OU.
NEW QUESTION 10
You have a standard primary zone named contoso.com.
You need to configure how often the zone will be transferred to servers that host a secondary copy of the zone.
Which tab should you use?
To answer, select the appropriate tab in the answer area.
NEW QUESTION 11
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below:
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.
What should you do?
- A. Upgrade Server1 to Windows Server 2008 R2.
- B. Upgrade Server2 to Windows Server 2008 R2.
- C. Raise the functional level of the domain to Windows Server 2008.
- D. Install the Windows Server 2008 R2 Active Directory Schema update
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
- A host computer as a domain member running Windows Server 2008 R2.
- An Active Directory forest with a Windows Server 2008 R2 schema.
- An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
NEW QUESTION 12
Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read- only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?
- A. Modify the replication scope for the contoso.com zone.
- B. Flush the DNS cache and enable cache locking on RODC1.
- C. Configure conditional forwarding for the contoso.com zone.
- D. Modify the zone transfer settings for the contoso.com zone.
http://technet.microsoft.com/en-us/library/cc754916.aspx
Change the Zone Replication Scope
You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)-integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
http://technet.microsoft.com/en-us/library/cc772101.aspx
Understanding DNS Zone Replication in Active Directory Domain Services
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.
When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS–integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog. AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000. If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.
NEW QUESTION 13
A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services (AD DS) domain.
You need to enable Universal Group Membership Caching on several domain controllers in the domain.
Which tool should you use?
- A. Dsmod
- B. Dscmd
- C. Ntdsutil
- D. Active Directory Sites and Services console
Enable Universal Group Membership Caching in a Site
In a branch site that has no global catalog server and in a forest that has multiple domains, you can use this procedure to enable Universal Group Membership Caching on a domain controller in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon.
To enable Universal Group Membership Caching in a site
1. Open Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.
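The console procedure above writes two attributes of the site's NTDS Site Settings object: the 0x20 flag in its options attribute (caching enabled) and msDS-Preferred-GC-Site (the "Refresh cache from" site). This PowerShell script is an added example, not from the page, that reports which sites have caching enabled and enables it for one site through those attributes; it assumes the ActiveDirectory module and placeholder site names Branch and HQ.

```powershell
# Added example: report and enable Universal Group Membership Caching per site
# by writing the attributes the Sites and Services console sets.
# Assumptions: ActiveDirectory module (RSAT), rights to modify the
# Configuration partition, placeholder site names "Branch" and "HQ".
Import-Module ActiveDirectory
$UgmcBit = 0x20   # nTDSSiteSettings.options flag: group membership caching enabled

function Get-UgmcStatus {
    # One row per site: whether caching is on and which site it refreshes from.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter "(objectClass=nTDSSiteSettings)" `
                 -Properties options, 'msDS-Preferred-GC-Site' |
        ForEach-Object {
            $opts = if ($_.options) { [int]$_.options } else { 0 }
            [pscustomobject]@{
                # DN is CN=NTDS Site Settings,CN=<site>,CN=Sites,... so element 1 is the site
                Site        = (($_.DistinguishedName -split ',')[1]) -replace '^CN=', ''
                UgmcEnabled = [bool]($opts -band $UgmcBit)
                RefreshFrom = $_.'msDS-Preferred-GC-Site'
            }
        }
}

function Enable-Ugmc {
    param([Parameter(Mandatory)][string]$Site, [string]$RefreshFromSite)
    $cfg        = (Get-ADRootDSE).configurationNamingContext
    $settingsDn = "CN=NTDS Site Settings,CN=$Site,CN=Sites,$cfg"
    $obj  = Get-ADObject -Identity $settingsDn -Properties options
    $opts = if ($obj.options) { [int]$obj.options } else { 0 }
    # Set only the caching bit; other option flags on the object are preserved.
    $attrs = @{ options = ($opts -bor $UgmcBit) }
    if ($RefreshFromSite) {
        $attrs['msDS-Preferred-GC-Site'] = "CN=$RefreshFromSite,CN=Sites,$cfg"
    }
    Set-ADObject -Identity $settingsDn -Replace $attrs
}

Get-UgmcStatus | Format-Table -AutoSize
Enable-Ugmc -Site 'Branch' -RefreshFromSite 'HQ'   # placeholder site names
Get-UgmcStatus | Format-Table -AutoSize
```

Caching only matters for sites without a global catalog server; the refreshed membership is what a DC in that site uses at logon until the next refresh.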
NEW QUESTION 14
Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
- A. certreq.exe retrieve
- B. certreq.exe submit
- C. certutil.exe getkey
- D. certutil.exe pulse
What does the "certutil -pulse" command do?
Certutil -pulse will initiate autoenrollment requests.
It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7): right-click Certificates, point to All Tasks, and click Automatically Enroll and Retrieve.
The command does require that:
- any autoenrollment GPO settings have already been applied to the target user or computer
- a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user
- the group membership is recognized in the user's token (they have logged on after the membership was added)
http://technet.microsoft.com/library/cc732443.aspx
Certutil
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.
Verbs
The following table describes the verbs that can be used with the certutil command.
pulse: Pulse auto enrollment events
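Pulsing autoenrollment only starts the request; whether it worked shows up in the certificate store and in the AutoEnrollment client's events. This PowerShell script is an added example, not from the page, that records the store contents, runs the pulse, and reports new certificates from the CA and the client's recent log entries. The CA name is a placeholder, and the use of -user to pulse the current user's context rather than the machine's is an assumption about certutil's switches.

```powershell
# Added example: trigger autoenrollment on a Windows 7 client and verify it.
# Assumptions: "contoso-SERVER1-CA" is a placeholder CA name; run as the user
# who should enroll, or elevated with -Machine for computer certificates; the
# "-user -pulse" combination is assumed to pulse the user context.
param(
    [string]$CaName = "contoso-SERVER1-CA",
    [switch]$Machine
)

$store  = if ($Machine) { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
$before = @(Get-ChildItem $store | ForEach-Object { $_.Thumbprint })

# 1. Trigger autoenrollment (what "Automatically Enroll and Retrieve" does).
$cuArgs = if ($Machine) { @('-pulse') } else { @('-user', '-pulse') }
& certutil.exe @cuArgs | Out-Null

# 2. Enrollment completes in the background; poll the store for a short while
#    for a certificate issued by the enterprise CA that was not there before.
$new = $null
for ($i = 0; $i -lt 6 -and -not $new; $i++) {
    Start-Sleep -Seconds 5
    $new = Get-ChildItem $store |
        Where-Object { $before -notcontains $_.Thumbprint -and $_.Issuer -like "CN=$CaName*" }
}
if ($new) {
    $new | Format-List Subject, Issuer, NotBefore, NotAfter, EnhancedKeyUsageList
} else {
    Write-Warning "No new certificate from $CaName appeared in $store"
}

# 3. The AutoEnrollment client logs why it enrolled or why it could not (for
#    example no template grants Autoenroll, or the policy has not applied yet).
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddMinutes(-5)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap -AutoSize
```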
NEW QUESTION 15
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).
The forest contains an application directory partition named dc=app1,dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory partition.
You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=com.
Which tool should you use?
- A. Active Directory Sites and Services
- B. Dsmod
- C. Dcpromo
- D. Dsmgmt
Installs and removes Active Directory Domain Services (AD DS).
Specifies the application directory partitions that dcpromo will replicate. Use the following format:
"partition1" "partition2" "partitionN"
Use * to replicate all application directory partitions.
Please Check Answer
I don't think this is Dsmod. It is most likely Dcpromo.
Dsmod -- Modifies an existing object of a specific type in the directory.
NEW QUESTION 16
A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage.
You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA on CA1.
What should you do first?
- A. Add the DNS Server server role to CA1.
- B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
- C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
- D. Join CA1 to the domain.
Many times, administrators ask me what to do when, installing Active Directory Certificate Services, they cannot choose to install Enterprise Certification Authority, because it's
Well, you need to fulfill basic requirements:
1. Server machine has to be a member server (domain joined).
Explanation 2: http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211-9a99-a0610852128
NEW QUESTION 17
Your network contains an Active Directory domain named adatum.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
- A. Reverse Lookup Zones
- B. adatum.com
- C. Forward Lookup Zones
- D. Conditional Forwarders
- E. _msdcs.adatum.com
Mastering Microsoft Windows Server 2008 R2 (Sybex, 2010) page 193
A forward lookup means the client provides a fully qualified domain name and the DNS server returns an IP address. A reverse lookup does the opposite: the client provides an IP address, and then the DNS server returns an FQDN.
NEW QUESTION 18
Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
- A. Change the functional level of the forest.
- B. Change the functional level of the domain.
- C. Upgrade DC1 to Windows Server 2008 R2.
- D. Upgrade DNS1 to Windows Server 2008 R2.
DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server 2008 R2 and Windows 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS.
The following changes are available in DNS server in Windows Server 2008 R2:
- Ability to sign a zone and host signed zones.
- Support for changes to the DNSSEC protocol.
- Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in DNS client in Windows 7:
- Ability to indicate knowledge of DNSSEC in queries.
- Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
- Ability to check whether the DNS server with which it communicated has performed validation on the client's behalf.
The DNS client's behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client's behavior. The NRPT is typically managed through Group Policy.
What does DNSSEC do?
DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS. In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.
NEW QUESTION 19
Your network contains an Active Directory domain named contoso.com.
The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)
You need to update all service location (SRV) records for a domain controller in the domain.
What should you do?
- A. Restart the Netlogon service.
- B. Restart the DNS Client service.
- C. Run sc.exe and specify the triggerinfo parameter.
- D. Run ipconfig.exe and specify the /registerdns parameter.
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
Thanks for reading the newest 70-640 exam dumps! We recommend you to try the PREMIUM Certleader 70-640 dumps in VCE and PDF here: https://www.certleader.com/70-640-dumps.html (631 Q&As Dumps)