Our pass rate is as high as 98.9%, and the similarity between our MCITP 70-640 study guide and the real exam is 90%, based on our seven years of teaching experience. Do you want to pass the Microsoft 70-640 exam in just one try? I am currently studying for the Microsoft 70-640 exam. Try the latest Microsoft 70-640 practice questions and answers first.
Q161. Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition.
You have a member server that contains a standard primary DNS zone for dev.contoso.com.
You need to ensure that all domain controllers can resolve names for dev.contoso.com.
What should you do?
A. Modify the properties of the SOA record in the contoso.com zone.
B. Create a NS record in the contoso.com zone.
C. Create a delegation in the contoso.com zone.
D. Create a standard secondary zone on a Global Catalog server.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc771640.aspx
Understanding Zone Delegation
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
- You want to delegate management of part of your DNS namespace to another location or department in your organization.
- You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.
- You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.
When you delegate zones within your namespace, remember that for each new zone that you create, you need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.
Example: Delegating a subdomain to a new zone
As shown in the following illustration, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.
Q162. Your company has two Active Directory forests named contoso.com and fabrikam.com.
The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table.
All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
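The two fixes from Q161 (a delegation for dev.contoso.com) and Q162 (a conditional forwarder on DNS3) scripted with dnscmd.exe, as an added example that is not part of the exam dump. The DnsServer PowerShell module does not exist on Windows Server 2008 R2, so dnscmd is used; the server names and addresses (DC1 for contoso.com, ns1.dev.contoso.com at 10.0.0.20, DNS1 at 10.0.0.10, DNS3 at 10.0.1.10) are constructed for the example.

```powershell
# Added example (not from the exam dump): delegation and conditional forwarding with dnscmd.
# Constructed names: DC1 hosts contoso.com; the member server ns1.dev.contoso.com (10.0.0.20)
# hosts the standard primary zone dev.contoso.com; DNS1 is 10.0.0.10, DNS3 is 10.0.1.10.

function Invoke-DnsCmd {
    # Runs dnscmd and turns a non-zero exit code into a terminating error, so a
    # half-applied change (NS record without glue, for example) is never silently ignored.
    param([string[]]$Arguments)
    $out = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    $out
}

# --- Q161: delegate dev.contoso.com from the contoso.com zone held on DC1 ---------------
# A delegation is an NS record at the child name plus a glue A record for the name server,
# so that a domain controller following the referral can actually reach that server.
Invoke-DnsCmd @('DC1', '/RecordAdd', 'contoso.com', 'dev',     'NS', 'ns1.dev.contoso.com.')
Invoke-DnsCmd @('DC1', '/RecordAdd', 'contoso.com', 'ns1.dev', 'A',  '10.0.0.20')

# --- Q162: conditional forwarder on DNS3 for contoso.com, pointing at DNS1 --------------
# /ZoneAdd with /Forwarder creates a conditional-forwarder entry: DNS3 is authoritative for
# nothing in contoso.com; it only relays queries for that name to the listed server.
Invoke-DnsCmd @('DNS3', '/ZoneAdd', 'contoso.com', '/Forwarder', '10.0.0.10')

# --- Verification from the administrator's workstation --------------------------------
# nslookup is used because Resolve-DnsName is also 2012+. Each query is sent to the server
# that should now be able to answer it.
function Test-Resolution {
    param([string]$Name, [string]$Server)
    $answer = & nslookup.exe -type=A $Name $Server 2>&1
    if ($answer -match "Non-existent domain|can't find") { "FAIL: $Name via $Server" }
    else                                                 { "OK:   $Name via $Server" }
}
Test-Resolution -Name 'app1.dev.contoso.com'   -Server 'DC1'        # DC1 follows the delegation
Test-Resolution -Name 'fileserver.contoso.com' -Server '10.0.1.10'  # DNS3 forwards to DNS1
```

The glue record is the part most often forgotten: without it the domain controllers receive a referral to a name they cannot resolve and dev.contoso.com lookups still fail.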
Q163. Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.
B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units.
D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators.
Answer: A,B
Explanation:
Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators, and add the user accounts of the branch office administrators to the Group Policy Creator Owners group.
http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit
To delegate control of an organizational unit:
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
Where? Active Directory Users and Computers\domain node\organizational unit
3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx
Delegating Administration of Group Policy
Your Group Policy design will probably call for delegating certain Group Policy administrative tasks. Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most important factors to consider when assessing the needs of your organization. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group.
You can delegate the following Group Policy tasks:
- Creating GPOs
- Managing individual GPOs (for example, granting Edit or Read access to a GPO), etc.
Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs.
When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.
Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permission to link GPOs on a container can link the GPO as appropriate.
Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission:
- Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.
- Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.
You can manage this permission by using the Delegation tab on the Group Policy Objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups.
Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permission to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain. If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions. Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.
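The two halves of the Q163 answer in code, as an added example that is not part of the exam dump: the create-GPO right comes from Group Policy Creator Owners membership, while the link right is a pair of attribute ACEs on the OU, which is exactly what the Delegation of Control Wizard writes. It uses the ActiveDirectory module that ships with Windows Server 2008 R2; the OU (OU=Branch1,DC=contoso,DC=com) and the group name Branch1-GPAdmins are assumptions.

```powershell
# Added example (not from the exam dump): delegate GPO creation plus GPO linking on one OU.
# Assumed names: OU=Branch1,DC=contoso,DC=com and the domain group Branch1-GPAdmins.
Import-Module ActiveDirectory

$ouDn     = 'OU=Branch1,DC=contoso,DC=com'
$adminGrp = 'Branch1-GPAdmins'   # delegate to a group, never to individual accounts

# Half 1 (answer B): the right to CREATE GPOs is domain-wide and comes from membership of
# Group Policy Creator Owners (or the Delegation tab of the Group Policy Objects container).
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $adminGrp

# Half 2 (answer A): the right to LINK GPOs is scoped to a container. The wizard's
# "Manage Group Policy links" task is two attribute ACEs on the OU: write access to
# gPLink and gPOptions. The attribute GUIDs are read from the schema, not hard-coded.
function Get-SchemaAttributeGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                         -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}

$groupSid = (Get-ADGroup -Identity $adminGrp).SID
$acl      = Get-Acl -Path "AD:\$ouDn"
foreach ($attrName in 'gPLink', 'gPOptions') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaAttributeGuid $attrName),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # this OU and its child OUs
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: the branch group must hold the two attribute rights on its own OU and nowhere
# higher. A link right on the domain root is answer D, which the question rejects because
# it would let a branch admin link a GPO to every OU in the domain.
function Get-GpLinkDelegation {
    param([string]$ContainerDn, [string]$GroupName)
    (Get-Acl -Path "AD:\$ContainerDn").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and
                       $_.ActiveDirectoryRights -match 'WriteProperty' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
}
Get-GpLinkDelegation -ContainerDn $ouDn -GroupName $adminGrp                 # expected: 2 ACEs
Get-GpLinkDelegation -ContainerDn 'DC=contoso,DC=com' -GroupName $adminGrp   # expected: nothing
```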
Q164. You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Answer: A,B
Explanation:
Further information:
http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx
Online Responder Installation, Configuration, and Troubleshooting Guide
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. Certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.
Although validating the revocation status of certificates can be performed in multiple ways, the common mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses.
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-andplanning.aspx
Designing and Implementing a PKI: Part I Design and Planning
http://technet.microsoft.com/en-us/library/cc725937.aspx
Set Up an Online Responder
http://technet.microsoft.com/en-us/library/cc731099.aspx
Creating a Revocation Configuration
Q165. You have a Windows Server 2008 R2 Enterprise Root CA.
Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA.
You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role.
What should you do next?
A. Configure the Online Responder Role Service on a member server.
B. Configure the Online Responder Role Service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/dd759209.aspx
Certificate Enrollment Web Service Overview
The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
Personal note: Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server.
Q166. Company has an active directory forest on a single domain.
Company needs a distributed application that employs a custom application. The application is directory partition software named PARDAT.
You need to implement this application for data replication.
Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution)
A. Dnscmd.
B. Ntdsutil.
C. Ipconfig
D. Dnsutil
E. All of the above
Answer: A,B
Explanation:
http://support.microsoft.com/kb/884116
How to create and apply a custom application directory partition on an Active Directory integrated DNS zone in Windows Server 2003
You can create a custom Active Directory partition by using the DnsCmd command. If the new naming context that you created does not appear in the Repadmin output, you can verify the state of this naming context by using the Ntdsutil command.
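The Q166 procedure scripted end to end, as an added example that is not part of the exam dump: dnscmd creates and enlists the custom application partition and moves a zone into it, then repadmin and ntdsutil confirm the new naming context replicates. The partition name PARDAT.contoso.com comes from the question; the domain controllers DC1 and DC2 and the zone app.contoso.com are constructed.

```powershell
# Added example (not from the exam dump): custom application directory partition with dnscmd,
# verified with repadmin and ntdsutil. Constructed names: DC1, DC2, zone app.contoso.com.
$partition = 'PARDAT.contoso.com'
$dcs       = 'DC1', 'DC2'        # exactly the servers that should hold a replica

function Invoke-Native {
    # Runs a command-line tool and fails loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    $out = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed:`n$out" }
    $out
}

# 1. Create the partition. A naming context is forest-wide metadata, so this needs
#    Enterprise Admins rights; run it against a DC that is also a DNS server.
Invoke-Native dnscmd @($dcs[0], '/CreateDirectoryPartition', $partition)

# 2. Enlist every DC that should replicate it. The replication scope of the partition is
#    this set of servers and nothing more, which is the point of a custom partition:
#    the zone data does not end up on every DC in the forest.
foreach ($dc in $dcs) {
    Invoke-Native dnscmd @($dc, '/EnlistDirectoryPartition', $partition)
}

# 3. Move the zone's storage into the new partition.
Invoke-Native dnscmd @($dcs[0], '/ZoneChangeDirectoryPartition', 'app.contoso.com', $partition)

# 4. Verify from three independent views: the DNS server, replication, and the directory.
Invoke-Native dnscmd   @($dcs[0], '/EnumDirectoryPartitions')   # partition listed as Enlisted
Invoke-Native repadmin @('/showrepl', $dcs[0])                  # DC=PARDAT,DC=contoso,DC=com appears as an inbound naming context
Invoke-Native ntdsutil @('partition management', 'connections', "connect to server $($dcs[0])",
                         'quit', 'list', 'quit', 'quit')         # the KB's Ntdsutil check, non-interactive
```

If the naming context is missing from the repadmin output on one server, step 2 was not run against that server; enlisting is per-DC, not inherited.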
Q167. Your network contains two Active Directory forests named contoso.com and adatum.com.
The functional level of both forests is Windows Server 2008 R2. Each forest contains one
domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates.
You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).
What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/dd851772.aspx
Manage Certificate Enrollment Policy by Using Group Policy
Configuring certificate enrollment policy settings by using Group Policy
Q168. Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7.
From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO).
You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.
You need to ensure that the audit policy is applied to all member servers and all client computers.
What should you do?
A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.
Answer: C
Explanation:
Advanced audit policy settings cannot be applied to Windows Server 2008 servers using Group Policy. To work around this, we have to use a logon script to apply the audit policy to the Windows Server 2008 member servers.
Explanation 1:
http://technet.microsoft.com/en-us/library/ff182311.aspx
Advanced Security Auditing FAQ
The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
Note: In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
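A startup script for the Windows Server 2008 member servers in Q168, as an added example that is not part of the exam dump: it applies the advanced audit policy with auditpol.exe, the only channel those servers honour for subcategory settings, and records what is actually in effect. It assumes PowerShell 2.0 is installed on the 2008 servers; the SYSVOL path of the baseline CSV and the log path are constructed, and the CSV is produced once on a reference server with auditpol /backup.

```powershell
# Added example (not from the exam dump): startup script applying advanced audit policy on
# Windows Server 2008 with auditpol.exe. Constructed paths: the baseline CSV (exported once
# with  auditpol /backup /file:audit-baseline.csv  on a reference server) and the log file.
$baseline = '\\contoso.com\SYSVOL\contoso.com\scripts\audit-baseline.csv'
$log      = "$env:windir\Temp\audit-policy-apply.log"

function Invoke-AuditPol {
    param([string[]]$Arguments)
    $out = & auditpol.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "auditpol $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Without this security option, the nine legacy category settings (which Group Policy
#    does deliver to 2008) override the subcategory settings applied below. It is the
#    registry value behind "Audit: Force audit policy subcategory settings (Windows Vista
#    or later) to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Apply the baseline. The exported CSV is one reviewable, versionable file; if SYSVOL is
#    unreachable at boot, fall back to an explicit minimum so the server is never left with
#    no auditing of logons and privilege changes at all.
if (Test-Path $baseline) {
    Invoke-AuditPol @('/restore', "/file:$baseline")
} else {
    $minimal = @(
        @{ Sub = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
        @{ Sub = 'Special Logon';             Success = 'enable'; Failure = 'disable' },
        @{ Sub = 'Security Group Management'; Success = 'enable'; Failure = 'enable'  },
        @{ Sub = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable'  }
    )
    foreach ($s in $minimal) {
        Invoke-AuditPol @('/set', "/subcategory:$($s.Sub)",
                          "/success:$($s.Success)", "/failure:$($s.Failure)")
    }
}

# 3. Record the effective policy. A startup script runs as SYSTEM with no console, so this
#    file is the only evidence of what was applied and the baseline for spotting later drift.
Invoke-AuditPol @('/get', '/category:*') | Out-File -FilePath $log -Encoding ascii
```

Assign the script under Computer Configuration\Windows Settings\Scripts (Startup) in a GPO linked to the member-server OU; the same GPO's Advanced Audit Policy Configuration settings continue to serve the Windows 7 and 2008 R2 machines.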
Q169. Your network contains an Active Directory domain named contoso.com.
You need to identify whether the Active Directory Recycle Bin is enabled.
What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.
Answer: D
Explanation:
http://www.frickelsoft.net/blog/?p=224
How can I check whether the AD Recycle-Bin is enabled in my R2 forest?
[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]
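The Q169 check wrapped in a function that also reports the prerequisite forest functional level, followed by the query that shows what the feature changes for a deleted object, as an added example that is not part of the exam dump or the linked blog post. It uses only the ActiveDirectory module on Windows Server 2008 R2.

```powershell
# Added example (not from the exam dump): is the AD Recycle Bin enabled, and what does
# that mean for deleted objects? ActiveDirectory module, Windows Server 2008 R2.
Import-Module ActiveDirectory

function Get-AdRecycleBinStatus {
    $forest  = Get-ADForest
    # The optional feature object exists in every 2008 R2 schema; what matters is whether
    # it has been enabled on a scope (the forest's partitions container).
    $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
    $enabled = ($feature -ne $null) -and ($feature.EnabledScopes.Count -gt 0)
    New-Object PSObject -Property @{
        ForestMode    = $forest.ForestMode      # must be Windows2008R2Forest or higher to enable it
        FeatureFound  = ($feature -ne $null)
        Enabled       = $enabled
        EnabledScopes = $feature.EnabledScopes  # DN(s) the feature is enabled on; empty when off
    }
}

Get-AdRecycleBinStatus | Format-List

# Why the answer matters for incident response: with the Recycle Bin enabled, a deleted
# object keeps its attributes (group memberships, lastKnownParent) for the deleted object
# lifetime instead of being stripped down to a tombstone. The query below works either way;
# how much of each object survives is what differs.
function Get-RecentlyDeleted {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ADObject -Filter { isDeleted -eq $true -and whenChanged -gt $since } `
                 -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass |
        Select-Object Name, objectClass, lastKnownParent, whenChanged
}
Get-RecentlyDeleted -Days 7
```

Enabling the feature (Enable-ADOptionalFeature) cannot be undone, so this status check belongs in a change plan before it, not only as an exam answer.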
Q170. Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives.
You need to apply desktop restrictions to the sales executives group.
You must not apply these desktop restrictions to the sales managers group.
You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
What should you do next?
A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.
C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.
Answer: D
Explanation:
http://support.microsoft.com/kb/816100
How to prevent domain Group Policies from applying to certain user or computer accounts
Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups.
http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
Best Practice: How to exclude individual users or computers from a Group Policy Object
One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress that this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.
Step 1. Open the Group Policy Object that you want to apply an exception to, then click on the “Delegation” tab and then click on the “Advanced” button.
Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.
Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list, then scroll down the permissions and tick the “Deny” option against the “Apply Group Policy” permission.
Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to manage, as someone only needs to modify the membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical, as you don’t need to grant them permission to the Group Policy Objects.
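The Q170 answer (a Deny "Apply Group Policy" ACE for the sales managers group on the DesktopLockdown GPO) done in code rather than through the Delegation tab, as an added example that is not part of the exam dump or the quoted blog post. Set-GPPermission can grant or remove permission levels but cannot write a Deny, so the ACE is placed on the GPO's Active Directory object directly; the GPO and group names come from the question, and the modules are the GroupPolicy and ActiveDirectory modules of Windows Server 2008 R2.

```powershell
# Added example (not from the exam dump): Deny "Apply Group Policy" for one group on one GPO,
# plus the two checks that prove it took effect. Names are the ones in the question.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName   = 'DesktopLockdown'
$denyGroup = 'sales managers'

# "Apply Group Policy" is a control access right; read its GUID from the configuration
# partition instead of hard-coding it.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                          -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
                          -Properties rightsGuid
    [guid]$right.rightsGuid
}

# A GPO is an AD object under CN=Policies plus a SYSVOL folder. The filtering decision is
# made against the AD object's ACL, so that is where the Deny ACE belongs.
$gpo   = Get-GPO -Name $gpoName
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$sid   = (Get-ADGroup -Identity $denyGroup).SID
$acl   = Get-Acl -Path "AD:\$gpoDn"
$ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    (Get-ExtendedRightGuid 'Apply Group Policy'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Check 1: the Deny is on the GPO for exactly that group. Get-GPPermission reports only
# Allow levels, so the ACL is read directly.
function Get-GpoDenyApply {
    param([string]$GpoDn)
    (Get-Acl -Path "AD:\$GpoDn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.ActiveDirectoryRights -match 'ExtendedRight' } |
        Select-Object IdentityReference, ObjectType
}
Get-GpoDenyApply -GpoDn $gpoDn   # expected: CONTOSO\sales managers with the Apply Group Policy GUID

# Check 2: the client's view. Logged on as a sales manager after gpupdate, `gpresult /r`
# lists DesktopLockdown among the GPOs that were filtered out with the reason
# "Denied (Security)". The Deny wins over the Allow that Authenticated Users holds, which is
# why the page insists on a group: a Deny set on individual users is the one nobody remembers.
```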