Q81. You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
Enterprise root certification authority (CA)
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
You create a new certificate template.
External users report that the new template is unavailable when they request a new certificate.
You verify that all other templates are available to the external users.
You need to ensure that the external users can request certificates by using the new template.
What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe -dspublish.
D. Restart the Active Directory Certificate Services service.
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx
Certificate Enrollment Web Services in Active Directory Certificate Services
Troubleshooting
Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates
Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available.
By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset.
Q82. Your company has a main office and a branch office.
The network contains a single Active Directory domain.
The main office contains a domain controller named DC1.
You need to install a domain controller in the branch office by using an offline copy of the Active Directory database.
What should you do first?
A. From the Ntdsutil tool, create an IFM media set.
B. From the command prompt, run djoin.exe /loadfile.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the get-ADDomainController cmdlet.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx
Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller.
Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain.
The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.
Q83. Your company has a main office and 50 branch offices. Each office contains multiple subnets.
You need to automate the creation of Active Directory subnet objects.
What should you use?
A. the Dsadd tool
B. the Netsh tool
C. the New-ADObject cmdlet
D. the New-Object cmdlet
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/ee617260.aspx
New-ADObject
Creates an Active Directory object.
Syntax:
New-ADObject [-Name] <string> [-Type] <string> [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Description <string>] [-DisplayName <string>] [-Instance <ADObject>] [-OtherAttributes <hashtable>] [-PassThru <switch>] [-Path <string>] [-ProtectedFromAccidentalDeletion <System.Nullable [bool]>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new user account. You can use this cmdlet to create any type of Active Directory object. Many object properties are defined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using the OtherAttributes parameter.
You must set the Name and Type parameters to create a new Active Directory object. The Name specifies the name of the new object. The Type parameter specifies the LDAP display name of the Active Directory Schema Class that represents the type of object you want to create. Examples of Type values include computer, group, organizational unit, and user.
The Path parameter specifies the container where the object will be created. When you do not specify the Path parameter, the cmdlet creates an object in the default naming context container for Active Directory objects in the domain.
Q84. ABC.com has a network that is comprised of a single Active Directory domain.
As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers.
Which tool should you use to test the certificate with AD LDS?
A. Ldp.exe
B. Active Directory Domain services
C. ntdsutil.exe
D. Lds.exe
E. wsamain.exe
F. None of the above
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc725767%28v=ws.10%29.aspx
Appendix A: Configuring LDAP over SSL Requirements for AD LDS
The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.
Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe
To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled.
Q85. There are 100 servers and 2000 computers present at your company's headquarters.
The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service.
The nodes are named as CKMFON1 and CKMFON2.
The cluster on CKMFO has one physical shared disk of 400 GB capacity.
A 200GB single volume is configured on the shared disk.
The company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.
The DHCP and WINS services will be hosted on other nodes.
Using the High Availability Wizard, you begin creating the WINS service group on the cluster available on the CKMFON1 node.
The wizard shows an error "no disks are available" during configuration.
Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1?
A. Back up all data on the single volume on CKMFON1, configure the disk with a GUID partition table, and create two volumes. Restore the backed-up data on one of the volumes and use the other for the WINS service group.
B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these disks and direct CKMFON1 to use the CKMFON2 volume for the WINS service group.
D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard.
E. None of the above
Answer: B
Explanation:
http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-tosuccessfully-add-the-wins-service-group-to-ckmfon1/
To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
This is because a cluster does not use shared storage. A cluster must use a hardware solution based either on shared storage or on replication between nodes.
Q86. You are decommissioning domain controllers that hold all forest-wide operations master roles.
You need to transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Answer: A,E
Explanation:
Answer: Schema master, Domain naming master
http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspx
Transferring FSMO Roles in Windows Server 2008
One of a system administrator's duties is to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller is to transfer the FSMO roles to the new hardware server.
FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles. The five FSMO roles are:
Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator
The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
Q87. You deploy a new Active Directory Federation Services (AD FS) federation server.
You request new certificates for the AD FS federation server.
You need to ensure that the AD FS federation server can use the new certificates.
To which certificate store should you import the certificates?
A. Computer
B. IIS Admin Service service account
C. Local Administrator
D. World Wide Web Publishing Service service account
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_13
Step 2: Installing AD FS Role Services and Configuring Certificates
To import the server authentication certificate for adfsresource to adfsweb
1. Click Start, click Run, type mmc, and then click OK.
2. Click File, and then click Add/Remove Snap-in.
3. Select Certificates, click Add, click Computer account, and then click Next.
4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.
5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.
6. On the Welcome to the Certificate Import Wizard page, click Next.
7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next.
8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.
9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
Q88. Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in the following Command Prompt window.
You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com.
What should you modify?
A. the root hints of the DNS server
B. the security settings of the zone
C. the Windows Firewall settings on the DNS server
D. the zone transfer settings of the zone
Answer: D
Explanation:
http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm
11.7 Troubleshooting nslookup Problems
11.7.4 Query Refused
Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here's what it looks like when nslookup exits on startup because of a refused query:
% nslookup
*** Can't find server name for address 192.249.249.3: Query refused
*** Default servers are not available
%
This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup. Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see:
% nslookup
Default Server: hp.com
Address: 15.255.152.4
> server terminator.movie.edu
Default Server: terminator.movie.edu
Address: 192.249.249.3
> carrie.movie.edu.
Server: terminator.movie.edu
Address: 192.249.249.3
*** terminator.movie.edu can't find carrie.movie.edu.: Query refused
> ls movie.edu - This attempts a zone transfer
[terminator.movie.edu]
*** Can't list domain movie.edu: Query refused
Q89. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc742095.aspx
Repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
Example:
The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:
repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com
Q90. Your network contains an Active Directory domain named contoso.com. You remove several computers from the network.
You need to ensure that the host (A) records for the removed computers are automatically deleted from the contoso.com DNS zone.
What should you do?
A. Configure dynamic updates.
B. Configure aging and scavenging.
C. Create a scheduled task that runs the Dnscmd /ClearCache command.
D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx
Set Aging and Scavenging Properties for a Zone
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging properties for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}