70-640 Exam
Beginners Guide: 70 640 pdf
Pass4sure microsoft 70 640 Questions are updated and all mcitp 70 640 answers are verified by experts. Once you have completely prepared with our mcitp 70 640 exam prep kits you will be ready for the real mcitp 70 640 exam without a problem. We have Update Microsoft microsoft 70 640 dumps study guide. PASSED mcitp 70 640 First attempt! Here What I Did.
Q131. You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.
What should you do?
A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.
Q132. HOTSPOT
Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1.
You assign Contoso\Domain Users the Manage documents permission and the Print
permission to a shared printer on Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to Contoso\Domain Users.
To answer, select the appropriate permission in the answer area.
Answer:
Q133. Your network contains a single Active Directory domain that has two sites named Site1 and
Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4.
DC3 fails.
You discover that replication no longer occurs between the sites.
You verify the connectivity between DC4 and the domain controllers in Site1.
On DC4, you run repadmin.exe /kcc.
Replication between the sites continues to fail.
You need to ensure that Active Directory data replicates between the sites.
What should you do?
A. From Active Directory Sites and Services, modify the properties of DC3.
B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.
C. From Active Directory Users and Computers, modify the location settings of DC4.
D. From Active Directory Users and Computers, modify the delegation settings of DC4.
Answer: A
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194
Bridgehead Servers
A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them.
In most cases, the KCC automatically decides which domain controller acts as the bridgehead server.
However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:
1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.
2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.
3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add.
Q134. Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.
Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.
Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.
You need to ensure that the G_Marketing members can access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.
Answer: C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644
After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.
To assign this permission:
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
Q135. Your network consists of an Active Directory forest that contains one domain. All domain controllers run.
Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory- integrated zone.
You have two Active Directory sites. Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners. http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a good too to check the status of replication between DC’s. Below is a command to replicate from a specified DC to all other DC’s. Repadmin /syncall DC_name /Aped By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many.And with the benefit of seeing immediate results on how the operations are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
Q136. Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations:
. London
. Chicago
. New York
. Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to
users.
Link the GPO to each Sales organizational unit.
B. Disable the slow link detection setting in the Group Policy Object (GPO).
C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group
Policy Object (GPO).
D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to
the computers. Link the GPO to each Sales organizational unit.
Answer: B,D
Explanation:
http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx Specifying Group Policy for Slow Link Detection Administrators can partially control which Group Policy extensions are processed over a slow link. By default, when processing over a slow link, not all components of Group Policy are processed. Table 2.6 shows the default settings for processing Group Policy over slow links.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link. http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx Assigning and Publishing Software
Assigning software to computers After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on. Further information: http://technet.microsoft.com/en-us/library/cc978717.aspx Group Policy slow link detection
Q137. You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. It has an Active Directory domain.
You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts down itself. To trace and rectify the problem, you create a Group Policy Object (GPO).
You need to change the domain security settings to trace the shutdowns and identify the cause of it.
What should you do to perform this task?
A. Link the GPO to the domain and enable System Events option
B. Link the GPO to the domain and enable Audit Object Access option
C. Link the GPO to the Domain Controllers and enable Audit Object Access option
D. Link the GPO to the Domain Controllers and enable Audit Process tracking option
E. Perform all of the above actions
Answer: A
Explanation:
http://msdn.microsoft.com/en-us/library/ms813610.aspx
Audit system events Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description Determines whether to audit when a user restarts or shuts down the computer;
or an event has occurred that affects either the system security or the security log.
By default, this value is set to No auditing in the Default Domain Controller Group Policy
object (GPO) and in the local policies of workstations and servers.
If you define this policy setting, you can specify whether to audit successes, audit failures,
or not to audit the event type at all. Success audits generate an audit entry when a system
event is successfully executed. Failure audits generate an audit entry when a system event
is unsuccessfully attempted. You can select No auditing by defining the policy setting and
unchecking Success and Failure.
Q138. Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.
Your company's corporate security policy states that the password for each user account must be changed at least every 45 days.
You have a user account named Service1. Service1 is used by a network application named Application1.
Every 45 days, Application1 fails.
After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.
What should you do?
A. Run the cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/ee617252.aspx Set-ADServiceAccount Syntax Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates<string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType{<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server<string>] [-Confirm] [-WhatIf] [<CommonParameters>]Detailed Description The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters. The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet. The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount object. When you specify the Instance parameter you should not pass the Identity parameter. For more
information about the Instance parameter, see the Instance parameter description.
Q139. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is replicated to the global catalog.
What should you do?
A. In Active Directory Sites and Services, configure the NTDS Settings.
B. In Active Directory Sites and Services, configure the universal group membership caching.
C. From the Active Directory Schema snap-in, modify the properties of the User class schema object.
D. From the Active Directory Schema snap-in, modify the properties of the Attibute1 class schema attribute.
Answer: D
Explanation:
http://www.tech-faq.com/the-global-catalog-server.html The Global Catalog Server The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.
How to Include Additional Attributes in the GC The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC. To add the Active Directory Schema snap-in in the MMC:
1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter.
2. Enter the following at the command prompt: regsvr32 schmmgmt.dll.
3. Click OK to acknowledge that the dll was successfully registered.
4. Click Start, Run, and enter mmc in the Run dialog box.
5. When the MMC opens, select Add/Remove Snap-in from the File menu.
6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box.
7. Close all open dialog boxes. To include additional attributes in the GC:
1. Open the Active Directory Schema snap-in.
2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu.
3. Additional attributes are added on the General tab.
4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled.
5. Click OK.
Q140. Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements.
Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7.
You need to configure your partner company's domain to use the approved set of administrative templates.
What should you do?
A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy.
B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on thr partner company's emulator.
Answer: B
Explanation:
http://support.microsoft.com/kb/929841 How to create the Central Store for Group Policy Administrative Template files in Windows Vista Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settings appear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markup language. In Windows Vista, Administrative Template files are divided into .admx files and language-specific .adml files that are available to Group Policy administrators.
Administrative Template file storage In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain
controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard
disk space. Because each domain controller stores a distinct version of a policy, replication
traffic is increased.
Windows Vista uses a Central Store to store Administrative Template files. In Windows
Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore,
domain controllers do not store or replicate redundant copies of .adm files.
The Central Store
To take advantage of the benefits of .admx files, you must create a Central Store in the
SYSVOL folder on a domain controller. The Central Store is a file location that is checked
by the Group Policy tools. The Group Policy tools use any .admx files that are in the
Central Store. The files that are in the Central Store are later replicated to all domain
controllers in the domain.
To create a Central Store for .admx and .adml files, create a folder that is named
PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies
Note: FQDN is a fully qualified domain name.
http://www.frickelsoft.net/blog/?p=31
How can I export local Group Policy settings made in gpedit.msc?
Mark Heitbrink, MVP for Group Policy... came up with a good solution on how you can
“export” the Group
Policy and Security... settings you made in on a machine with the Local Group Policy
Editor (gpedit.msc) to other machines pretty easy:
Normal settings can be copied like this:
1.) Open %systemroot%\system32\grouppolicy\
Within this folder, there are two folders - “machine” and “user”. Copy these to folders to the
“%systemroot%
\system32\grouppolicy - folder on the target machine. All it needs now is a reboot or a
“gpupdate /force”.
Note: If you cannot see the “grouppolicy” folder on either the source or the target machine,
be sure to have your explorer folder options set to “Show hidden files and folders”…
For security settings:
1.) Open MMC and add the Snapin “Security Templates”.
2.) Create your own customized template and save it as an “*inf” file.
3.) Copy the file to the target machine and import it via command line tool “secedit”: secedit
/configure /db %temp%\temp.sdb /cfg yourcreated.inf
Further information on secedit can be found
here:http://www.microsoft.com/resources/documentation/
windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
If you’re building custom installations, you can pretty easy script the “overwriting” of the
“machine”/”user”- folders or the import via secedit by copying these file to a share and copy and execute them with a script.