70-640 Exam
Key benefits of microsoft 70 640
we provide Top Quality Microsoft mcitp 70 640 real exam which are the best for clearing microsoft 70 640 test, and to get certified by Microsoft TS: Windows Server 2008 Active Directory. Configuring. The microsoft 70 640 Questions & Answers covers all the knowledge points of the real 70 640 pdf exam. Crack your Microsoft microsoft 70 640 Exam with latest dumps, guaranteed!
Q71. You need to ensure that domain controllers only replicate between domain controllers in adjacent sites.What should you configure from Active Directory Sites and Services?
A. From the IP properties, select Ignore all schedules.
B. From the IP properties, select Disable site link bridging.
C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection objects.
D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.
Answer: B
Explanation:
http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm What is Site Link Bridge and How to create Site Link Bridge A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing the default value of "Bridge all site links" (enabled by default).
C:\Documents and Settings\usernwz1\Desktop\1.PNG
We may need to disable "Bridge all site links" and create a site link bridge design if
. When the IP network is not fully routed.
. When we need to control the replication flow in Active Directory.
Q72. You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identify whether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet should you use?
A. Get-AppLockerFileInformation
B. Get-GPOReport
C. Get-GPPermissions
D. Test-AppLockerPolicy
Answer: D
Explanation: http://technet.microsoft.com/en-us/library/ee460960.aspx Test-AppLockerPolicy Tests whether the input files are allowed to run for a given user based on the specified
AppLocker policy.
Q73. Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed.
You need to move the Active Directory database on DC1 to an alternate location.The solution must minimize impact on the network during the database move.
What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc794895%28v=ws.10%29.aspx Relocating the Active Directory Database Files Applies To: Windows Server 2008, Windows Server 2008 R2 Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running versions of Windows 2000 Server and Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service.
Q74. Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2).
You need to prevent all users from running an application named App1.exe.
Which Group Policy settings should you configure?
A. Application Compatibility
B. AppLocker
C. Software Installation
D. Software Restriction Policies
Answer: D
Explanation:
http://gpfaq.se/2007/09/30/how-to-using-software-restriction-policies/ How-to: Using Software Restriction Policies Using SRP is not that common today and what I will write here is a small how-to so that you can start trying it today and maybe even sometime soon apply it in your production environment.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
First thing to notice is that SRP is a very powerful tool so try in a test-environment before
you apply it to users in production.
First you need to choose your default level which you do at Security Levels:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Default when you start using this, the default level is “Unrestricted” which allows all programs to run. Which means you can use SRP to block specific programs but the power is that you can change this so “Disallowed” is the default level which means you specify which programs you can run (all others are blocked) instead of blocking specific programs. So to start with change so “Disallowed” is default. Double-click on “Disallowed” and press the button “Set as Default”
C:\Documents and Settings\usernwz1\Desktop\1.PNG
This means that all clients affected by this policy now would be able to run anything except what you define as exclusions which you do at “Additional rules”:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
As you can see in the above picture you have two default values already included. These two values are registry paths which makes all programs defined in these two registry paths to unrestricted which of course makes them available to run even if you selected “Disallowed” as your default choice in the above selection at “Security Levels”. There are four different choices on how to enable/disable programs to run: Hash-rule Path-rule Network zone-rule Certificate-rule The normal ones to use is HASH or PATH. HASH is always something you should prefer to use since if the user tries to run a program it looks at the hash-value and evaluates if you can run the program or not. Sometimes when you have different versions of a program for example it might be a problem to use HASH, then you use PATH instead. Also if you don’t have the program installed in the same location on each computer but you know somewhere in the registry where it types the path to the program you can use PATH and use the registry location instead. I will show you the two ways of allowing Windows Live Messenger to run Hash:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
As what you can see above is that it takes the values from the executable and stores the
hash-value of the file.
When someone tries to run the program the system evaluates this hash-value and
compare it with the one you defined and then selecting if you can run the program or not.
Path:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
As you can see above is that you need to select the path to the executable. This path needs to be same on each computer you would like to use this on but of course you can use environment variables as I have done in the above picture. You could also use a registry location if you did know where the path to the program where stored. You can of course also use this to block programs instead of allowing them. This is not really the preferred method on how to use SRP but fully functional. On my computer I have “Unrestricted” as my default and I added an application on my desktop named radio.exe as “Disallowed”
C:\Documents and Settings\usernwz1\Desktop\1.PNG
So the result if I’m trying to run the file is:
C:\Documents and Settings\usernwz1\Desktop\1.PNG
As conclusion you can see that this is a powerful way of giving your users minimal rights in the system with the result that your users will have a large problem messing up the computer :) This only covers some parts of SRP. For example local administrators also get these rules but that you can exclude in the “Enforcement” choice and also dll-files are excluded by default but you can change that too. Make sure to try this in a safe environment before applying it to production as you might get a big headache if you have made some wrong turns in setting this up. :)
Q75. Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the
%SYSTEM32% \CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc772451.aspx
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification
authority (CA):
Back up and restore the CA database.
Change the CA configuration.
Change CA security settings.
Issue and manage certificate requests.
Revoke certificates and publish certificate revocation lists (CRLs).
Store and retrieve archived keys.
Start and stop Active Directory Certificate Services (AD CS).
To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
Additional considerations
To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
Q76. Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.
You need to create multiple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multiple Group Policy objects.
B. From the Schema snap-in, create multiple class schema objects.
C. From the ADSI Edit snap-in, create multiple Password Setting objects.
D. From the Security Configuration Wizard, create multiple security policies.
Answer: C
Explanation:
Answer: From the ADSI Edit snap-in, create multiple Password Setting objects.
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema: Password Settings Container Password Settings The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.
Steps to configure fine-grained password and account lockout policies When the group structure of your organization is defined and implemented, you can configure and apply finegrained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps: Step 1: Create a PSO Step 2: Apply PSOs to Users and Global Security Groups Step 3: Manage a PSO Step 4: View a Resultant PSO for a User or a Global Security Group http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx Step 1: Create a PSO You can create Password Settings objects (PSOs): Creating a PSO using the Active Directory module for Windows PowerShell Creating a PSO using ADSI Edit Creating a PSO using ldifde
Q77. Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.
You need to audit the deletion of registry keys on each server.
What should you do?
A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.
B. From Audit Policy, modify the System Events settings and the Privilege Use settings.
C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings.
D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd408940.aspx
Advanced Security Audit Policy Step-by-Step Guide
A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry.
Q78. You install a read-only domain controller (RODC) named RODC1.
You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.
Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsadd
D. Dsmgmt
Answer: B
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc755310.aspx
Delegating local administration of an RODC
Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the
ability to administer an RODC to a user or a security group. When you delegate the ability
to log on to an RODC to a user or a security group, the user or group is not added the
Domain Admins group and therefore does not have additional rights to perform directory
service operations.
Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it.
To specify the delegated RODC administrator after installation, you can use either of the
following options:
Modify the Managed By tab of the RODC account properties in theActive Directory Users and Computerssnap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.
Use the ntdsutil local roles command or thedsmgmtlocal roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC.[See also the second Explanation for more information on how to use dsmgmt.]
Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommendedbecause the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.
Explanation 2: http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.
To configure Administrator Role Separation for an RODC
Click Start, click Run, type cmd, and then press ENTER.
At the command prompt, typedsmgmt.exe, and then press ENTER.
At the DSMGMT prompt, typelocal roles, and then press ENTER.
For a list of valid parameters, type ?, and then press ENTER.
By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.
Type add <DOMAIN>\<user><administrative role>
For example, type add CONTOSO\testuser administrators
Q79. Your network contains an Active Directory domain named contoso.com.
You create a GlobalNames zone. You add an alias (CNAME) resource record named
Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc731744.aspx Enable GlobalNames zone support The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest: dnscmd<ServerName> /config /enableglobalnamessupport 1
Q80. You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Answer: B
Explanation: Repadmin allows us to check the replication status and also allows us to
force a replication between domain controllers.
Explanation:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall Synchronizes a specified domain controller with all replication partners.