Q11. Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.
The servers are configured as shown in the following table.
You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure the policy module settings.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.
D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account.
Answer: B,D
Explanation: Explanation 1:
http://technet.microsoft.com/en-us/library/dd759245.aspx
The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.
Explanation 2: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:
1. The CA is not on the same computer as the Certificate Enrollment Web Service.
2. The Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests.
3. The authentication type is set to Windows Integrated Authentication or Client certificate authentication.
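As an added example (not from the page and not Microsoft's own configuration script), the delegation step from answer D expressed in PowerShell on a Windows Server 2008 R2 domain controller. It assumes the CES application pool runs as the domain account svc-ces, the CA is ca01.contoso.com (a different machine from the CES host), and the CES site answers at ces.contoso.com; all three names are placeholders.

```powershell
# Added example (not from the page): register the CES site's SPN on its application
# pool account and allow that account to delegate only to the CA's HOST and rpcss
# services (constrained delegation, Kerberos only). Names below are placeholders.
Import-Module ActiveDirectory

$cesAccount = 'svc-ces'            # CES application pool identity (assumed)
$cesHost    = 'ces.contoso.com'    # CES web site name (assumed)
$caHost     = 'ca01.contoso.com'   # CA computer (assumed), not the CES box

# Kerberos needs an SPN for the CES URL on the account running the app pool;
# -S refuses to create a duplicate SPN, so a pre-existing one surfaces as an error.
setspn -S "HTTP/$cesHost" "contoso\$cesAccount"
if ($LASTEXITCODE -ne 0) { throw "setspn failed ($LASTEXITCODE)" }

# Constrained delegation targets: the DCOM/RPC interface of the CA, in both
# FQDN and short-name form, and nothing else.
$caShort = $caHost.Split('.')[0]
$targets = @("HOST/$caHost", "HOST/$caShort", "rpcss/$caHost", "rpcss/$caShort")

Set-ADUser -Identity $cesAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targets }

# Verify: the attribute should list exactly the four CA services, and
# TrustedForDelegation (unconstrained delegation) should remain False.
Get-ADUser -Identity $cesAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Constrained delegation to the CA's HOST and rpcss services is what the Delegation tab of the account sets when you pick the CA computer and those two service types; it limits the CES account to impersonating users toward the CA only. With Windows Integrated Authentication the Kerberos-only setting above is sufficient; if the site uses client certificate authentication, the account additionally needs protocol transition ("Use any authentication protocol" on the Delegation tab), which this example does not enable.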
Q12. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.
The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdsc.contoso.com.
D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.
Answer: A,C
Explanation:
Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo.
Q13. You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.
You need to back up Active Directory Certificate Services on the CA.
Which command should you run?
A. certutil.exe backup
B. certutil.exe backupdb
C. certutil.exe backupkey
D. certutil.exe store
Answer: B
Explanation:
Because a hardware security module (HSM) is used that stores the private keys, the command certutil.exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have a proprietary procedure for that. The given commands are:
certutil -backup: backup set includes the certificate database, the CA certificate and the CA key pair
certutil -backupdb: backup set only includes the certificate database
certutil -backupkey: backup set only includes the CA certificate and the CA key pair
certutil -store: provides a dump of the certificate store onscreen
Since we cannot extract the keys from the HSM we have to use backupdb.
Explanation 1: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004), page 215, for the commands listed above.
Explanation 2: http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
Syntax: Certutil <-parameter> [-parameter]
Parameter -backupdb: Backup the Active Directory Certificate Services database
Explanation 3: http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/
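An added example, not from the page or from Microsoft, of how the backupdb choice looks in practice on an HSM-backed CA: the database is backed up with certutil -backupdb, the CA registry configuration (which -backupdb does not include) is exported next to it, and only the public CA certificate is written out, since the private key never leaves the HSM. The backup path is a placeholder.

```powershell
# Added example (not from the page): back up an HSM-backed CA without attempting
# to export the key pair. D:\CABackup is an assumed destination.
$backupDir = "D:\CABackup\$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $backupDir | Out-Null

# -backupdb copies only the certificate database and its logs; unlike -backup it
# never asks the key storage provider for the private key, so it succeeds with an HSM.
certutil -backupdb $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# The CA's registry configuration (policy/exit module settings, CRL periods, etc.)
# is not part of -backupdb; export it alongside so a restore has both halves.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" `
    "$backupDir\CertSvc-Configuration.reg" /y

# Public CA certificate only; the key pair stays in the HSM and is backed up
# with the HSM vendor's own procedure, not with certutil.
certutil -ca.cert "$backupDir\ca-cert.cer"

# Sanity check: the DataBase folder certutil creates must contain the .edb file
$edb = Get-ChildItem -Path $backupDir -Recurse -Filter *.edb
if (-not $edb) { throw "No certificate database file found under $backupDir" }
$edb | Select-Object FullName, Length
```

Running this as a scheduled task on the CA, with the backup directory on a volume that is itself backed up, gives a restorable copy of everything except the HSM-held key; the restore counterpart is certutil -restoredb plus an import of the exported registry key.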
Q14. Your company security policy requires complex passwords.
You have a comma delimited file named import.csv that contains user account information.
You need to create user account in the domain by using the import.csv file.
You also need to ensure that the new user accounts are set to use default passwords and are disabled.
What should you do?
A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.
B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.
C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts.
D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts.
Answer: A
Explanation:
Personal note:
The correct command should be:
csvde -i -k -f import.csv
http://support.microsoft.com/kb/305144
How to use the UserAccountControl flags to manipulate user account properties When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.
You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.
The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
Syntax:
Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
Parameters:
-i Specifies import mode. If not specified, the default mode is export.
-f <FileName> Identifies the import or export file name.
-k Ignores errors during an import operation and continues processing.
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
Dsmod user
Modifies attributes of one or more existing users in the directory.
Syntax:
dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd (<Password> | *)] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters:
<UserDN> Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
-pwd {<Password> | *} Resets the passwords for the users that you want to modify to Password or an asterisk (*). If you type *, AD DS prompts you for a user password.
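The whole procedure from answer A, as an added example that is not part of the page or of any Microsoft sample: a small UserAccountControl flag table (values from the KB article cited above), a function that decodes a value such as 514 back into its flags, a constructed HR export turned into a csvde-style import.csv with userAccountControl = 514, the csvde import, and a single dsmod call that sets the default password. The OU, account names and domain are placeholders.

```powershell
# Added example (not from the page): create disabled accounts from a CSV with csvde,
# then set their default password with dsmod. Flag values are the documented
# UserAccountControl bits (KB 305144); only the ones relevant here are listed.
$UacFlags = [ordered]@{
    SCRIPT                     = 0x0001
    ACCOUNTDISABLE             = 0x0002
    HOMEDIR_REQUIRED           = 0x0008
    LOCKOUT                    = 0x0010
    PASSWD_NOTREQD             = 0x0020
    PASSWD_CANT_CHANGE         = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    TEMP_DUPLICATE_ACCOUNT     = 0x0100
    NORMAL_ACCOUNT             = 0x0200
    DONT_EXPIRE_PASSWORD       = 0x10000
    SMARTCARD_REQUIRED         = 0x40000
    TRUSTED_FOR_DELEGATION     = 0x80000
    NOT_DELEGATED              = 0x100000
    DONT_REQ_PREAUTH           = 0x400000
    PASSWORD_EXPIRED           = 0x800000
}

# Decode a cumulative value into the flag names it contains.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}
ConvertFrom-UserAccountControl 514      # ACCOUNTDISABLE, NORMAL_ACCOUNT (0x0002 + 0x0200)

# Constructed sample input standing in for the HR export; not a real file.
$hrRows = @(
    [pscustomobject]@{ sam = 'jdoe';   given = 'Jane'; sn = 'Doe'   }
    [pscustomobject]@{ sam = 'asmith'; given = 'Alan'; sn = 'Smith' }
)
$ou = 'OU=Staff,DC=contoso,DC=com'      # assumed target OU

# 1. Build import.csv. userAccountControl 514 creates the account disabled, so no
#    usable account exists until an administrator sets a password and enables it.
$disabledNormal = $UacFlags.NORMAL_ACCOUNT -bor $UacFlags.ACCOUNTDISABLE   # 514
$hrRows | ForEach-Object {
    [pscustomobject]@{
        DN                 = "CN=$($_.given) $($_.sn),$ou"
        objectClass        = 'user'
        sAMAccountName     = $_.sam
        userPrincipalName  = "$($_.sam)@contoso.com"
        givenName          = $_.given
        sn                 = $_.sn
        userAccountControl = $disabledNormal
    }
} | Export-Csv -Path .\import.csv -NoTypeInformation -Encoding ASCII

# 2. Import; -k keeps going past rows that already exist or fail validation.
csvde -i -k -f .\import.csv
if ($LASTEXITCODE -ne 0) { Write-Warning "csvde reported errors; check csv.log" }

# 3. csvde cannot set passwords, so assign the default password with dsmod.
#    dsmod accepts several DNs in one call; "*" prompts once instead of leaving
#    the password in the command history. -disabled yes keeps the accounts off.
$dns = Import-Csv .\import.csv | ForEach-Object { $_.DN }
dsmod user $dns -pwd * -mustchpwd yes -disabled yes
```

The complex-password policy from the question still applies at the dsmod step: a default password that does not meet it is rejected, which is the desired outcome, and -mustchpwd yes forces a change at first logon so the shared default never stays in use.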
Q15. Your company asks you to implement Windows Cardspace in the domain.
You want to use Windows Cardspace at your home.
Your home and office computers run Windows Vista Ultimate.
What should you do to create a backup copy of Windows Cardspace cards to be used at home?
A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace application to backup the data on your USB drive.
E. Reformat the C: Drive
F. None of the above
Answer: D
Explanation:
http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer
Windows CardSpace for IT pros
Microsoft Windows CardSpace is a system for creating relationships with websites and online services.
Windows CardSpace provides a consistent way for:
Sites to request information from you.
You to review the identity of a site.
You to manage your information by using Information Cards.
You to review card information before you send it.
Windows CardSpace can replace the user names and passwords that you use to register
with and log on to websites and online services.
15. How do I back up my cards or transfer them to another computer?
Cards are stored on your computer in an encrypted format. To save a backup file
containing some or all of your cards or to use a card on a different computer, you can save
cards to a backup card file.
To back up your cards:
1. Start Windows CardSpace.
2. View all your cards.
3. In the pane on the right of your screen, click Back up cards.
4. Select the cards that you want to back up.
5. Browse to the folder where you want to save the backup card file, and then give it a
name.
When you complete these steps, you save a file containing some or all of your cards. You
can copy the backup card file to media such as a Universal Serial Bus (USB) storage
device, CD, or other digital media. You can restore the backup card file on this computer or
on another computer.
To restore your cards
1. Save the backup card file to the computer.
2. Browse to the location of the file on the computer.
3. Double-click the file, and then follow the instructions to restore the cards.
Q16. Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records.
You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.
What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Answer: A
Explanation:
Answer: Set dynamic updates to Secure Only.
http://technet.microsoft.com/en-us/library/cc753751.aspx
Allow Only Secure Dynamic Updates
Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use
Dynamic Host Configuration Protocol (DHCP) to obtain an IP address. Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
Further information:
http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update
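An added example, not from the page or from Microsoft's documentation, of applying answer A from the command line with dnscmd on the DNS server itself: the zone's current state is shown, the update mode is switched to secure only, and the change is re-read. The zone name comes from the question; the AllowUpdate values 0 (none), 1 (nonsecure and secure) and 2 (secure only) are dnscmd's documented codes.

```powershell
# Added example (not from the page): restrict intranet.adatum.com to secure dynamic
# updates so only authenticated domain members can register or overwrite records.
$zone = 'intranet.adatum.com'

# Before: with AllowUpdate = 1 any host, domain member or not, can write records,
# which is the exposure described in the question.
dnscmd /ZoneInfo $zone

# Secure updates are only available for AD-integrated zones. If the zone is still a
# file-backed primary, convert it first (DsPrimary stores it in AD DS):
# dnscmd /ZoneResetType $zone /DsPrimary

# The fix: 2 = secure only
dnscmd /Config $zone /AllowUpdate 2
if ($LASTEXITCODE -ne 0) { throw "dnscmd /Config failed with exit code $LASTEXITCODE" }

# After: confirm the update setting changed on this server; AD replication carries it
# to the other domain controllers hosting the zone.
dnscmd /ZoneInfo $zone
```

Hosts that are not domain members lose the ability to register themselves; if they still need records, the usual answer is to let the DHCP server register on their behalf (with the DHCP server's account in the DnsUpdateProxy group) rather than reopening the zone to nonsecure updates.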
Q17. Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers.
You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.
Answer: C
Explanation:
Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an e-mail when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort.
Explanation:
http://technet.microsoft.com/en-us/library/cc748900.aspx
To Run a Task in Response to a Given Event
1. Start Event Viewer.
2. In the console tree, navigate to the log that contains the event you want to associate with a task.
3. Right-click the event and select Attach Task to This Event.
4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an e-mail.
Q18. HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate
filter option in the answer area.
Answer:
Q19. Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?
A. Add the DNS Server role.
B. Add the Active Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable Many times, administrators ask me what to do when installing Active Directory Certificate Services they cannot choose to install Enterprise Certification Authority, because it’s unavailable as in following picture:
Well, you need to fulfill basic requirements: the server machine has to be a member server (domain joined). You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Edition. The difference is the number of ADCS features and components that can be enabled. To get full functionality, you need to run on Enterprise or Data Center Windows Server 2008 /R2/ Editions. It includes functionality like Role separation, Certificate manager restrictions, Delegated enrollment agent restrictions, Certificate enrollment across forests, Online Responder, Network Device Enrollment. In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through group nesting).
If the issue still persists, there is probably a problem with getting the correct credentials for your account. There are many things that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly:
1. First of all, carefully check all the above requirements.
2. Secondly, install all available patches and Service Packs with Windows Update before trying to install the Enterprise CA.
3. Check the network settings on the CA server. If there is no DNS setting, the Certificate Authority server cannot resolve and find the domain.
4. Sufficient privileges for writing the Enterprise CA configuration information in the AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure that your account is in the Enterprise Admins group, but check how the CA server "sees" your account membership by typing whoami /groups. You also need to be a member of the local Administrators group. If you are not, you wouldn't be able to run Server Manager, but it still needs to be checked.
5. View the C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example, a status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the needed memberships are not correct.
6. Don't forget to check the event viewer on the CA server side and look for red lines.
7. Verify that network devices or software and hardware firewalls are not blocking access from/to the server and the domain controllers. If so, the Certificate Authority server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName
8. Check also whether the CA server is connected to a writable domain controller.
9. The Enterprise Admins group is the most powerful group and has the full control permissions ADCS requires, but who knows, maybe someone changed the default permissions? Run adsiedit.msc on a domain controller, connect to the default context and first of all check whether the CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container exists. If so, check the permissions for all subcontainers under Public Key Services to see whether the Enterprise Admins group has full control permissions. The main subcontainers to verify are the Certificate Templates, OID and KRA containers.
10. If none of the above tips help, disjoin the server from the domain and join it again. Ultimately, reinstall the operating system on the CA server.
Q20. Your network contains an Active Directory domain.
You create and mount an Active Directory snapshot.
You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can browse the contents of the Active Directory snapshot.
What should you do?
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.
Answer: B
Explanation:
The path in the exhibit points to the running Active Directory database, not to the snapshot.
Explanation:
http://technet.microsoft.com/en-us/library/cc772168.aspx
For the dbpath parameter, you must specify a mounted snapshot or a backup that you want to view along with the complete path to the Ntds.dit file, for example: /dbpath E:\$SNAP_200704181137_VOLUMED$\WINDOWS\NTDS\ntds.dit
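The full mount-and-browse sequence, as an added example that is not from the page or from Microsoft: the snapshot is mounted with ntdsutil, dsamain is started against the ntds.dit inside the mount point (the mistake in the exhibit is pointing dbpath at the live database instead), a container is exported from it with ldifde over the alternate port, and everything is torn down. The snapshot GUID, the mount point and the LDAP port are placeholders; the mount point mirrors the form shown in the TechNet excerpt above.

```powershell
# Added example (not from the page): expose a mounted AD snapshot through dsamain on
# a spare LDAP port and read from it. Run elevated on the DC that holds the snapshot.
$snapshotGuid = '{SNAPSHOT-GUID-FROM-LIST-ALL}'   # placeholder: take it from "list all"
$ldapPort     = 51389                             # any free port; 389 belongs to live AD DS

# 1. Find and mount the snapshot. ntdsutil prints the mount point it creates.
ntdsutil "activate instance ntds" snapshot "list all" quit quit
ntdsutil "activate instance ntds" snapshot "mount $snapshotGuid" quit quit

# 2. dbpath must point at the ntds.dit INSIDE the mount point. C:\Windows\NTDS\ntds.dit
#    is the live database, which AD DS already has open, and is what the exhibit got wrong.
$mount  = 'E:\$SNAP_200704181137_VOLUMED$'        # placeholder: copy from ntdsutil output
$dbpath = Join-Path $mount 'WINDOWS\NTDS\ntds.dit'
if (-not (Test-Path $dbpath)) { throw "No ntds.dit at $dbpath; check the mount point" }

# dsamain holds the console until Ctrl+C, so run it as a separate process.
$dsamain = Start-Process -FilePath dsamain.exe `
    -ArgumentList "/dbpath `"$dbpath`" /ldapport $ldapPort" -PassThru
Start-Sleep -Seconds 10   # give the snapshot instance time to start listening

# 3. Browse the snapshot: ldp.exe connected to localhost:51389, or an LDIF export of
#    one container via the alternate port (-t). Useful for diffing against live AD.
ldifde -f snapshot-staff.ldf -s localhost -t $ldapPort `
    -d "OU=Staff,DC=contoso,DC=com" -r "(objectClass=user)"

# 4. Tear down: stop the snapshot instance, then unmount.
Stop-Process -Id $dsamain.Id
ntdsutil "activate instance ntds" snapshot "unmount $snapshotGuid" quit quit
```

Because dsamain serves the snapshot read-only and without ADWS, the Active Directory PowerShell cmdlets cannot query it; LDAP tools such as ldp.exe and ldifde are the way in. A mounted snapshot contains password hashes like the live database, so the mount should be as short-lived as the comparison requires, and access to the port limited to the DC itself.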