Q21. Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC).
A user from the branch office reports that his account is locked out.
From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain.
What should you do?
A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.
Answer: D
Explanation:
Not sure if:
Run the Knowledge Consistency Checker (KCC) on the RODC.
or
Restore network communication between the branch office and the main office.
Q22. HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.
The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.
You need to configure DC2 as a global catalog server.
Which object's properties should you modify? To answer, select the appropriate object in the answer area.
Answer:
Q23. Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates.
You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist.
You need to configure the contoso.com zone to automatically remove expired records.
What should you do?
A. Enable only secure updates on the contoso.com zone.
B. Enable scavenging and configure the refresh interval on the contoso.com zone.
C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.
D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone.
Answer: B
Explanation:
http://www.it-support.com.au/configure-aging-and-scavenging-of-a-dns-server/2012/12/
Configure aging and scavenging of a DNS Server
Resource records that are either outdated or decayed from DNS zone data are removed through the use of the Server aging and scavenging feature in Windows Server 2008. Issues develop if decayed resource records are not dealt with, such as:
Zone transfers take longer as the DNS server disk space contains a large number of stale records
The accumulation of stale records degrades the DNS server performance and response time
Potential conflicts can occur, if an IP address in a dynamic DNS environment is assigned to a different host.
By default, the aging and scavenging feature is disabled. In order to use this particular feature, the user is required to enable the operations on the zone and at the DNS server. In addition, a user is able to manually enable individual resource records to be aged and scavenged. This process involves permitting the records to use the current (non-zero) timestamp value. The aging and scavenging operation figures out when the records should be cleared by reviewing their timestamps. The DNS Server uses a simple equation when setting a time value on a record: current server time + refresh interval.
Procedure:
Navigate to Start - Administrative Tools – DNS Manager. Right click the relevant DNS server and select Set Aging/Scavenging for All Zones from the drop down list.
The Server Aging/Scavenging Properties dialog box opens. Tick the option Scavenge stale resource records.
Under the No-refresh interval heading, specify the duration for which the server must not refresh its records. Configuring this setting reduces replication traffic as unnecessary updates to existing records are prevented.
Under the Refresh interval heading, specify the duration for which the server must refresh its records. The refresh interval is the time required between when a no-refresh interval expires and when a record is considered stale.
When you have configured these settings, click OK to continue.
A confirmation box appears showing a summary of your settings. Tick the Apply these settings to the existing Active Directory-integrated zones option and click OK.
The Aging and Scavenging intervals have now been configured for all zones managed by the DNS server.
http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-bepatient.aspx
Don't be afraid of DNS Scavenging. Just be patient.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bb556cfb-3217-4dcf-af4f-460366faa1b8
Best Practices configuration for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.)
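The aging timeline described above, as an added example that is not part of the original page or the cited article: it classifies records by where they sit relative to the no-refresh and refresh intervals, so an administrator can see which entries scavenging would remove. Get-DnsAgingState is a hypothetical helper name, and the host names, timestamps and 7-day intervals are constructed sample values.

```powershell
# Added example. Get-DnsAgingState is a hypothetical helper; all sample data is constructed.
# Model taken from the text above:
#   - a record without a (non-zero) timestamp is static and is never scavenged
#   - a time-stamped record is not refreshed during the no-refresh interval
#   - the refresh interval follows; once it has also elapsed, the record is stale
function Get-DnsAgingState {
    param(
        [Parameter(Mandatory=$true)] $Record,                 # needs HostName and Timestamp
        [Parameter(Mandatory=$true)] [timespan] $NoRefresh,
        [Parameter(Mandatory=$true)] [timespan] $Refresh,
        [datetime] $Now = (Get-Date)
    )

    $staleAt = $null
    if ($null -eq $Record.Timestamp) {
        # Static record: aging does not apply to it.
        $state = 'Static'
    } else {
        $refreshOpens = $Record.Timestamp + $NoRefresh   # end of the no-refresh interval
        $staleAt      = $refreshOpens + $Refresh         # end of the refresh interval
        if     ($Now -lt $refreshOpens) { $state = 'NoRefresh' }
        elseif ($Now -lt $staleAt)      { $state = 'Refresh' }
        else                            { $state = 'Stale' }
    }

    New-Object PSObject -Property @{
        HostName = $Record.HostName
        State    = $state
        StaleAt  = $staleAt
    }
}

# Constructed sample zone contents, evaluated at a fixed point in time.
$now       = [datetime]'2024-03-01'
$noRefresh = New-TimeSpan -Days 7
$refresh   = New-TimeSpan -Days 7
$records = @(
    @{ HostName = 'pc-retired'; Timestamp = [datetime]'2024-01-10' },
    @{ HostName = 'pc-idle';    Timestamp = [datetime]'2024-02-20' },
    @{ HostName = 'pc-recent';  Timestamp = [datetime]'2024-02-27' },
    @{ HostName = 'srv-static'; Timestamp = $null }
)

$records | ForEach-Object {
    Get-DnsAgingState -Record $_ -NoRefresh $noRefresh -Refresh $refresh -Now $now
} | Select-Object HostName, State, StaleAt | Format-Table -AutoSize
```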
Q24. Your network contains an Active Directory domain that has two sites.
You need to identify whether logon scripts are replicated to all domain controllers.
Which folder should you verify?
A. GroupPolicy
B. NTDS
C. SoftwareDistribution
D. SYSVOL
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc794837.aspx
SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs).
Q25. You install a standalone root certification authority (CA) on a server named Server1.
You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities store. Which command should you run on Server1?
A. certreq.exe and specify the -accept parameter
B. certreq.exe and specify the -retrieve parameter
C. certutil.exe and specify the -dspublish parameter
D. certutil.exe and specify the -importcert parameter
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
Syntax: Certutil <-parameter> [-parameter]
Parameter -dsPublish: Publish a certificate or certificate revocation list (CRL) to Active Directory
Q26. Your company has four offices. The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users in that office. In each office, support technicians perform basic troubleshooting for the users in their respective office.
You need to ensure that the support technicians can reset the passwords for the user accounts in their respective office only. The solution must prevent the technicians from creating user accounts.
What should you do?
A. For each OU, run the Delegation of Control Wizard.
B. For the domain, run the Delegation of Control Wizard.
C. For each office, create an Active Directory group, and then modify the security settings for each group.
D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for each group.
Answer: A
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/cc732524.aspx
To delegate control of an organizational unit
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. To open Active Directory Users and Computers in Windows Server 2012, click Start, type dsa.msc.
3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
Explanation 2: http://technet.microsoft.com/en-us/library/dd145442.aspx
Delegate the following common tasks
The following are common tasks that you can select to delegate control of them:
Reset user passwords and force password change at next logon
Q27. Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office.
You need to ensure that users at the branch office are able to log on to the domain by using the RODC.
What should you do?
A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.
D. Configure the Password Replication Policy on the RODC.
Answer: D
Explanation:
Answer: Configure the Password Replication Policy on the RODC.
http://technet.microsoft.com/en-us/library/cc754956%28v=ws.10%29.aspx
RODC Frequently Asked Questions
What new attributes support the RODC Password Replication Policy?
Password Replication Policy is the mechanism for determining whether a user or computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.
What operations fail if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations fail:
Password changes
Attempts to join a computer to a domain
Computer rename
Authentication attempts for accounts whose credentials are not cached on the RODC
Group Policy updates that an administrator might attempt by running the gpupdate /force command
What operations succeed if the WAN is offline, but the RODC is online in the branch office?
If the RODC cannot connect to a writable domain controller running Windows Server 2008 in the hub, the following branch office operations succeed:
Authentication and logon attempts, if the credentials for the resource and the requester are already cached
Local RODC server administration performed by a delegated RODC server administrator
Q28. Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.
You plan to add a new token-signing certificate to Server1.
You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)
When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.
You need to ensure that you can use the new certificate for AD FS.
What should you do?
A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/hh341466.aspx
When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.
Q29. ABC.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card.
ABC.com requires every server in the company to access Internet. ABC.com security policy dictates that the IP address space used by software evaluation lab must not be used by other networks. Similarly, it states the IP address space used by other networks should not be used by the evaluation lab network.
As an administrator you find that the applications tested in the software evaluation lab need to access normal network to connect to the vendors update servers on the internet.
You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with company's security policy.
Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)
A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server
B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)
C. Use ABC.com intranet IP addresses on all virtual servers on CKT.
D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network.
E. None of the above
Answer: A,D
Explanation:
http://class10e.com/Microsoft/which-two-actions-should-you-perform-to-achieve-this-task-choose-two-answers/
To configure all virtual servers on the CKT server to access the internet and comply with company’s security policy, you should trigger the virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server. Then add and install Microsoft Loopback adapter network interface on CKT. Create a virtual network using the new interface.
When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses is assigned to the virtual servers on CKT server. By running ipconfig/renew command, the new IP addresses will be renewed. The Microsoft Loopback adapter network interface will ensure that the IP address space used by other networks is not used by the virtual servers on CKT server. You create a new virtual network on the new network interface which will enable you to access internet.
Q30. Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /domainprep command.
B. Raise the forest functional level to Windows Server 2008.
C. Raise the domain functional level to Windows Server 2008.
D. Run the adprep /forestprep command.
Answer: A,D
Explanation:
http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm
Prepare your Domain for the Windows Server 2008 R2 Domain Controller
Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP. ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.
What does ADPREP do?
ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:
Updating the Active Directory schema
Updating security descriptors
Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
Creating new objects, as needed
Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?).
Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website. If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor).
Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
Enterprise Admins
Schema Admins
Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following command:
adprep /forestprep
You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory Domain Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
In the Command Prompt window, type the following command: adprep /domainprep
Process will take less than a second.
ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also run the following command:
adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed. However, if you're planning to run Read Only Domain controllers (RODCs), you must also type the following command:
adprep /rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. Process will complete in less than a second.
Allow the operation to complete, and then allow the changes to replicate throughout the
forest before you prepare any domains for a domain controller that runs Windows Server
2008 R2.
To verify that adprep /forestprep completed successfully please perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration, DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.
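A scripted equivalent of the ADSI Edit verification steps above, as an added example that is not part of the original page or the cited article. Test-ForestPrep is a hypothetical function name; the script assumes a domain-joined Windows host and an account that can read the Configuration and Schema naming contexts, and the expected values 5 and 47 are the ones the steps give for Windows Server 2008 R2.

```powershell
# Added example, not from the cited article. Test-ForestPrep is a hypothetical name.
# Assumes a domain-joined Windows host and an account allowed to read the
# Configuration and Schema naming contexts.
function Test-ForestPrep {
    param(
        [int] $ExpectedRevision      = 5,   # Revision value the steps above give for 2008 R2
        [int] $ExpectedObjectVersion = 47   # objectVersion value the steps above give for 2008 R2
    )

    # RootDSE publishes the naming context DNs, so no forest name is hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    $schemaNC = [string]$rootDse.schemaNamingContext

    $checks = @(
        @{ Dn        = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
           Attribute = 'revision'
           Expected  = $ExpectedRevision },
        @{ Dn        = $schemaNC
           Attribute = 'objectVersion'
           Expected  = $ExpectedObjectVersion }
    )

    foreach ($check in $checks) {
        $actual = $null
        try {
            $entry  = [ADSI]"LDAP://$($check.Dn)"
            $actual = $entry.psbase.Properties[$check.Attribute].Value
        } catch {
            # Object missing or unreadable: $actual stays $null and the check fails.
        }

        New-Object PSObject -Property @{
            Object    = $check.Dn
            Attribute = $check.Attribute
            Expected  = $check.Expected
            Actual    = $actual
            Passed    = (($null -ne $actual) -and ([int]$actual -eq $check.Expected))
        }
    }
}

Test-ForestPrep | Select-Object Attribute, Expected, Actual, Passed, Object | Format-List
```

Run it against each domain controller of interest after replication has had time to complete; a value lower than expected on one DC means the schema change has not reached it yet.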