Ucertify offers a free demo for the 70-640 PDF exam. "TS: Windows Server 2008 Active Directory, Configuring", also known as the MCITP 70-640 exam, is a Microsoft certification. This set of posts, Passing the Microsoft MCITP 70-640 exam, will help you answer those questions. The Microsoft 70-640 Questions & Answers cover all the knowledge points of the real exam: 100% real Microsoft MCITP 70-640 exam questions, revised by experts.
Q151. You have a domain controller named Server1 that runs Windows Server 2008 R2.
You need to determine the size of the Active Directory database on Server1.
What should you do?
A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc961761.aspx
Directory Data Store
Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller:
%SystemRoot%\NTDS\Ntds.dit: This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
%SystemRoot%\System32\Ntds.dit: This file is the distribution copy of the default directory that is used when you promote a Windows 2000-based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without having to use the Windows 2000 Server operating system CD. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers.
Q152. Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.
You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.
You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.
Answer: B
Q153. Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.
Answer: D
Explanation:
Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2 we can use DFS Replication for replicating SYSVOL, instead of File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc794837.aspx
Using DFS Replication for replicating SYSVOL in Windows Server 2008
DFS Replication technology significantly improves replication of SYSVOL. In Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2, FRS is used to replicate the contents of the SYSVOL share. When a change to a file occurs, FRS replicates the entire updated file. With DFS Replication, for files larger than 64 KB, only the updated portion of the file is replicated.
Explanation 2:
http://technet.microsoft.com/en-us/library/dd639809.aspx
Migrating to the Prepared State
The following sections provide an overview of the procedures that you perform when you migrate SYSVOL replication from File Replication Service (FRS) to Distributed File System Replication (DFS Replication).
This migration phase includes the tasks in the following list.
Running the dfsrmig /SetGlobalState 1 command on the PDC emulator to start the migration to the Prepared state.
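A PowerShell walk-through of the dfsrmig migration described above, added here as an example; it is not code from the exam page or from Microsoft's documentation. It goes beyond the page by carrying the migration through all three global states (Prepared, Redirected, Eliminated) and polling dfsrmig /GetMigrationState between steps; the ActiveDirectory module, an elevated session on the PDC emulator, and the wording matched in dfsrmig's output are assumptions.

```powershell
# Added example (not from the exam page): drive the FRS-to-DFSR SYSVOL migration
# with dfsrmig.exe, waiting for every DC to reach each global state before moving on.
# Assumptions: ActiveDirectory module present, elevated session on the PDC emulator,
# domain functional level already Windows Server 2008 or later.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# dfsrmig global states: 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated.
$stateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

# Guard rails: /SetGlobalState is only honoured on the PDC emulator, and the migration
# needs a domain functional level of Windows Server 2008 or higher.
if ($domain.PDCEmulator -ne $localFqdn) {
    throw "Run this on the PDC emulator ($($domain.PDCEmulator)), not on $localFqdn."
}
$tooOld = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($tooOld -contains $domain.DomainMode.ToString()) {
    throw "Domain functional level $($domain.DomainMode) is too low for DFSR SYSVOL."
}

function Wait-DfsrMigrationState {
    param([int]$Target, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # /GetMigrationState reports whether all DCs have reached the global state.
        # Assumption: the consistent-state message contains "migrated successfully"
        # and the quoted state name.
        $out = (dfsrmig /GetMigrationState) -join "`n"
        if ($out -like "*migrated successfully*$($stateNames[$Target])*") { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Step-SysvolMigration {
    param([int]$Target)
    Write-Host "Setting global state to $Target ($($stateNames[$Target]))"
    dfsrmig /SetGlobalState $Target | Out-Null
    if (-not (Wait-DfsrMigrationState -Target $Target)) {
        throw "Not every DC reached '$($stateNames[$Target])' in time; check " +
              "dfsrmig /GetMigrationState and AD replication before continuing."
    }
}

# The exam answer stops at state 1 (Prepared); states 2 and 3 finish the migration.
# Prepared and Redirected can be rolled back; Eliminated cannot, so take that step
# only after SYSVOL_DFSR has been verified on every domain controller.
Step-SysvolMigration -Target 1
Step-SysvolMigration -Target 2
Step-SysvolMigration -Target 3
dfsrmig /GetGlobalState
```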
Q154. You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company's corporate security policy states that when an employee resigns, his ability
to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Answer: B
Explanation:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice
Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs, ands, or buts: if there is no account, it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.
Q155. Your company has a main office and a branch office.
The network contains an Active Directory domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2.
You discover that the password of an administrator named Admin1 is cached on DC2.
You need to prevent Admin1's password from being cached on DC2.
What should you do?
A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Setting object (PSO).
D. Modify the properties of DC2's computer account.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx
Administering the Password Replication Policy
This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).
Viewing the PRP
You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.
To view the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab. An example is shown in the following illustration.
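The same PRP change done with the ActiveDirectory PowerShell module instead of the dsa.msc tab, added here as an example that is not part of the exam page. DC2 and Admin1 are the names from the question; the module being available on the admin workstation is an assumption.

```powershell
# Added example (not from the exam page): audit an RODC's Password Replication Policy,
# list the secrets it has already cached, and deny caching for one account.
# Assumptions: DC2 is the RODC and Admin1 the account (both from the question);
# the ActiveDirectory module is loaded on the machine running this.
Import-Module ActiveDirectory

$rodc    = 'DC2'
$account = 'Admin1'

# 1. Who is explicitly allowed or denied? A Denied entry always wins over Allowed.
Write-Host "Allowed list for $rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
Write-Host "Denied list for $rodc"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass | Format-Table -AutoSize

# 2. Which secrets are cached on the RODC right now (msDS-RevealedUsers)?
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
Write-Host "Accounts currently cached on $rodc"
$revealed | Select-Object Name, ObjectClass | Format-Table -AutoSize

# 3. Flag any Domain Admins member whose secret sits on a branch-office box.
$privileged   = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                    ForEach-Object { $_.SamAccountName }
$cachedAdmins = $revealed | Where-Object { $privileged -contains $_.SamAccountName }
if ($cachedAdmins) {
    $names = ($cachedAdmins | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Privileged accounts cached on ${rodc}: $names"
}

# 4. Stop future caching of Admin1 by adding it to DC2's Denied list. This is the
#    same change the question makes on the Password Replication Policy tab of DC2's
#    computer account.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList $account

# Caveat: denying does not remove a secret already on DC2. Microsoft's guidance for
# an account that has been revealed is to reset its password; once reset, the denied
# RODC cannot obtain the new secret.
```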
Q156. Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application.
You need to configure the domain controller as a Global Catalog server.
Which tool should you use?
A. The Server Manager console
B. The Active Directory Sites and Services console
C. The Dcpromo.exe utility
D. The Computer Management console
E. The Active Directory Domains and Trusts console
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx
Configure a domain controller as a global catalog server
To configure a domain controller as a global catalog server
1. Open Active Directory Sites and Services.
Further information:
http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object. The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server. Note: A global catalog server can also store a full, writable replica of an application directory partition, but objects in application directory partitions are not replicated to the global catalog as partial, read-only directory partitions.
The global catalog is built and updated automatically by the AD DS replication system. The attributes that are replicated to the global catalog are identified in the schema as the partial attribute set (PAS) and are defined by default by Microsoft. However, to optimize searching, you can edit the schema by adding or removing attributes that are stored in the global catalog.
In Windows 2000 Server environments, any change to the PAS results in full synchronization (update of all attributes) of the global catalog. Later versions of Windows Server reduce the impact of updating the global catalog by replicating only the attributes that change.
In a single-domain forest, a global catalog server stores a full, writable replica of the domain and does not store any partial replica. A global catalog server in a single-domain forest functions in the same manner as a nonglobal-catalog server except for the processing of forest-wide searches.
Q157. You need to relocate the existing user and computer objects in your company to different organizational units.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the move-item command in the Microsoft Windows PowerShell utility.
B. Run the Active Directory Users and Computers utility.
C. Run the Dsmove utility.
D. Run the Active Directory Migration Tool (ADMT).
Answer: B,C
Explanation:
Personal note: You can simply drag and drop objects when using the Active Directory Users and Computers utility, or use the dsmove command.
http://technet.microsoft.com/en-us/library/cc731094%28v=ws.10%29.aspx
Dsmove
Moves a single object, within a domain, from its current location in the directory to a new location, or renames a single object without moving it in the directory tree.
Q158. You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. In a Group Policy object (GPO), configure the autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/dd379539.aspx
To automatically enroll client computers for certificates in a domain environment, you must:
Configure an autoenrollment policy for the domain.
(...)
In Configuration Model, select Enabled to enable autoenrollment.
Configure certificate templates for autoenrollment.
(...)
In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.
Configure an enterprise CA.
Q159. Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com.
Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com.
You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails.
What should you do?
A. Configure the Expires after option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspx
Adjust the Expire Interval for a Zone
You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNS servers that are configured to load and host the zone use the expire interval to determine when zone data expires if it is not successfully transferred. By default, the expire interval for each zone is set to one day.
You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.
To adjust the expire interval for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is either Primary or Active Directory-integrated.
4. Click the Start of Authority (SOA) tab.
5. In Expires after, click a time period in minutes, hours, or days, and then type a number in the text box.
6. Click OK to save the adjusted interval.
Q160. Your network contains an Active Directory forest. The forest contains two domain controllers. The domain controllers are configured as shown in the following table.
All client computers run Windows 7.
You need to ensure that all client computers in the domain keep the same time as an external time server.
What should you do?
A. From DC1, run the time command.
B. From DC2, run the time command.
C. From DC1, run the w32tm.exe command.
D. From DC2, run the w32tm.exe command.
Answer: D
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc816748.aspx
Change the Windows Time Service Configuration on the PDC Emulator in the Forest Root Domain
The domain controller in the forest root domain that holds the primary domain controller (PDC) emulator operations master (also known as flexible single master operations or FSMO) role is the default time source for the domain hierarchy of time sources in the forest.
Explanation 2:
http://technet.microsoft.com/en-us/library/cc773263.aspx
Windows Time Service Tools and Settings
Most domain member computers have a time client type of NT5DS, which means that they synchronize time from the domain hierarchy. The only typical exception to this is the domain controller that functions as the primary domain controller (PDC) emulator operations master of the forest root domain, which is usually configured to synchronize time with an external time source.
W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service.
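The w32tm.exe configuration the explanation refers to, written out as an added example rather than code from the exam page or from Microsoft: it pins the forest-root PDC emulator to external NTP servers and then surveys the domain's DCs. The NTP host names are placeholders, and an elevated session on the PDC emulator with the ActiveDirectory module available is assumed.

```powershell
# Added example (not from the exam page): configure the forest-root PDC emulator to
# sync from external NTP servers with w32tm.exe, then verify the time hierarchy.
# Assumptions: ntp1/ntp2.example.com are placeholders; run elevated on the PDC
# emulator; ActiveDirectory module present.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Only the PDC emulator of the forest root should use an external source; every
# other DC and every member (the Windows 7 clients in the question) stays on NT5DS
# and follows the domain hierarchy, which is why the fix is made on one DC only.
if ($domain.PDCEmulator -ne $localFqdn) {
    throw "Configure the external time source on $($domain.PDCEmulator), not on $localFqdn."
}

# ",0x8" after each peer = client mode: send requests to the peer, never accept
# it as a symmetric-active partner.
$peers = 'ntp1.example.com,0x8 ntp2.example.com,0x8'   # placeholders

w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# Verification on the PDC emulator: /source should name one of the NTP peers and
# /status should show a small offset and a stratum one above the external source.
w32tm /query /source
w32tm /query /status

# Survey every DC in the domain: each non-PDC DC should report the PDC emulator (or
# another DC) as its source and an offset close to zero. A DC showing "Local CMOS
# Clock" or a large offset is where Kerberos time-skew failures will start.
w32tm /monitor /domain:$($domain.DNSRoot)
```

On a Windows 7 member, `w32tm /query /configuration` should list `Type: NT5DS` and `w32tm /query /source` should return a domain controller; nothing needs to be changed there.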