Practice questions for the Microsoft MCITP exam 70-640, TS: Windows Server 2008 Active Directory, Configuring.
Q1. Your company has an Active Directory forest that contains client computers that run Windows Vista and Microsoft Windows XP.
You need to ensure that users are able to install approved application updates on their computers.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.
Answer: C,D
Explanation:
http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
Configure Automatic Updates by Using Group Policy
When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO)
linked to an Active Directory container appropriate for your environment.
Q2. You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure.
Because you have limited media resources, you decided to back up only a specific AD LDS instance instead of backing up the entire volume.
What should you do to accomplish this task?
A. Use the Windows Server Backup utility and enable the checkbox to back up only the database and log files of AD LDS
B. Use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance
C. Move the AD LDS database and log files to a separate volume and use the Windows Server Backup utility
D. None of the above
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc730941.aspx
Backing up AD LDS instance data with Dsdbutil.exe
With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.
Q3. Your company has a main office and a branch office.
You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.
You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Answer: B
Q4. Your network contains an Active Directory Rights Management Services (AD RMS) cluster.
You have several custom policy templates. The custom policy templates are updated frequently.
Some users report that it takes as many as 30 days to receive the updated policy templates.
You need to ensure that users receive the updated custom policy templates within seven days.
What should you do?
A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users' computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc771971.aspx
Configuring the AD RMS client
The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks the updateFrequency DWORD registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime entry, which forces the client computer to update its rights policy templates.
Q5. Your network contains an Active Directory forest. The forest contains one domain and three sites. Each site contains two domain controllers. All domain controllers are DNS servers.
You create a new Active Directory-integrated zone.
You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.
What should you do first?
A. Modify the NTDS Site Settings object for the site.
B. Modify the replication settings of the default site link.
C. Create an Active Directory connection object.
D. Create an Active Directory application directory partition.
Answer: D
Explanation:
Practically the same question as A/Q50 and K/Q17, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc725739.aspx
Store Data in an AD DS Application Partition
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.
Explanation 2:
http://technet.microsoft.com/en-us/library/cc730970.aspx
Partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
This is a subcommand of Ntdsutil and Dsmgmt.
Examples
To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:
1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. Type: ntdsutil
3. Type: Ac in ntds
4. Type: partition management
5. Type: connections
6. Type: Connect to server DC_Name
7. Type: quit
8. Type: list
The following partitions will be listed:
0 CN=Configuration, DC=Contoso, DC=com
1 DC=Contoso, DC=com
2 CN=Schema, CN=Configuration, DC=Contoso, DC=com
3 DC=DomainDnsZones, DC=Contoso, DC=com
4 DC=ForestDnsZones, DC=Contoso, DC=com
9. At the partition management prompt, type: create nc dc=AppPartition,dc=contoso,dc=com ConDc1.contoso.com
10. Run the list command again to refresh the list of partitions.
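The failure described in the explanation above (adding the zone before its application directory partition exists) can be avoided by checking the domain controller's naming contexts first. This is an added example, not part of the original page or of Microsoft's documentation; the partition and server names are the ones from the steps above, while the zone name and the wait and retry values are assumptions.

```powershell
# Added example. Partition and server names come from the ntdsutil steps above;
# $Zone and the wait/retry values are assumptions.
$Dc          = 'ConDc1.contoso.com'
$PartitionDn = 'DC=AppPartition,DC=contoso,DC=com'
$PartitionFq = 'AppPartition.contoso.com'   # same partition in DNS form, for dnscmd /DP
$Zone        = 'branch.contoso.com'         # hypothetical zone name

function Test-NamingContext {
    param([string]$Server, [string]$Dn)
    # RootDSE lists every naming context (directory partition) the DC hosts.
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    return (@($rootDse.namingContexts) -contains $Dn)   # -contains ignores case
}

if (-not (Test-NamingContext -Server $Dc -Dn $PartitionDn)) {
    # Same commands as steps 2 to 9, passed to ntdsutil as arguments.
    & ntdsutil.exe 'activate instance ntds' 'partition management' connections `
        "connect to server $Dc" quit "create nc $PartitionDn $Dc" quit quit
}

# Wait until the new naming context is visible on the DC.
$deadline = (Get-Date).AddMinutes(5)
while (-not (Test-NamingContext -Server $Dc -Dn $PartitionDn)) {
    if ((Get-Date) -gt $deadline) { throw "Partition $PartitionDn is not visible on $Dc" }
    Start-Sleep -Seconds 15
}

# The DNS server may need a short time before it accepts the new partition,
# so retry the zone creation instead of failing on the first attempt.
for ($try = 1; $try -le 10; $try++) {
    & dnscmd.exe $Dc /ZoneAdd $Zone /DsPrimary /DP $PartitionFq
    if ($LASTEXITCODE -eq 0) { break }
    Start-Sleep -Seconds 30
}
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd still failing after $($try - 1) attempts" }
```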
Q6. Your network contains an Active Directory forest. The forest contains a single domain.
You want to access resources in a domain that is located in another forest.
You need to configure a trust between the domain in your forest and the domain in the other forest.
What should you create?
A. an incoming external trust
B. an incoming realm trust
C. an outgoing external trust
D. an outgoing realm trust
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816877.aspx
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest).
Q7. Your network consists of a single Active Directory domain. All domain controllers run
Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008 R2.
You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).
What should you do?
A. From the command prompt, run dfsutil /addroot:sysvol.
B. From the command prompt, run netdom /reset.
C. From the command prompt, run dcpromo /unattend:unattendfile.xml.
D. Raise the functional level of the domain to Windows Server 2008 R2.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspx
Introduction to Administering DFS-Replicated SYSVOL
SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.
Note: For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.
Using DFS Replication for replicating SYSVOL in Windows Server 2008
Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).
Q8. You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the
Certificates console. The certificate template is unavailable for Web enrollment.
You need to ensure that the certificate template is available on the Web enrollment pages.
What should you do?
A. Run certutil.exe -pulse.
B. Run certutil.exe -installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.
Answer: C
Explanation:
Identical to F/Q12.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc732517.aspx
Certificate Web enrollment cannot be used with version 3 certificate templates.
Explanation 2:
http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx
The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.
Q9. Your network contains an Active Directory domain named contoso.com.
The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2.
You need to identify if all of the DNS records used for Active Directory replication are correctly registered.
What should you do?
A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/dd197560.aspx Dnslint.exe
DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.
Q10. An Active Directory database is installed on the C volume of a domain controller.
You need to move the Active Directory database to a new volume.
What should you do?
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Answer: D
Explanation:
Answer: Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspx
Move the Directory Database and Log Files to a Local Drive
You can use this procedure to move Active Directory database and log files to a local drive. When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete.
Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.
On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location.
To move the directory database and log files to a local drive:
7. At the ntdsutil prompt, type files, and then press ENTER.
8. To move the database file, at the file maintenance: prompt, use the following commands:
Further information:
http://servergeeks.wordpress.com/2013/01/01/moving-active-directory-database-and-logs/
Moving Active Directory Database and Logs
Step 1
Start the server in Directory Services Restore Mode
Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This
means that the files cannot be managed while the server is operating as a domain
controller. To perform any files movement related activities using ntdsutil, we need to start
the server in Directory Services Restore Mode.
To start the server in Directory Services Restore mode, follow these steps:
Restart the computer.
After the BIOS information is displayed, press F8.
Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.
Log on with your local administrative account and password. (Not Domain Administrative account)
Note: Using Service Control (SC.exe), you can quickly verify whether the NTDS service is running or stopped. At a command prompt, type SC query ntds
Step 2
How to Move Active Directory Database and Logs
You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server.
To move the data file to another folder, follow these steps:
Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.
At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.
At the Ntdsutil command prompt, type files, and then press ENTER.
At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose) and then press ENTER.
In this case, the new location for the database is C:\AD\Database
Now, to move the logs, at the file maintenance command prompt, type move logs to <new location> (where new location is an existing folder that you have created for this purpose) and then press ENTER. In our case, the new location for the logs is C:\AD\Logs
To quit file maintenance, type quit. To close the Ntdsutil prompt, type quit again. Restart the computer. The AD database and logs are now moved to the new location.
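The move can also be scripted and then verified against the registry values that Ntdsutil.exe updates. This is an added example, not taken from the page or from the sources it quotes; it follows the Windows Server 2008 option mentioned in the TechNet excerpt (stopping the AD DS service instead of booting into DSRM) and assumes the target folders used in the walkthrough above.

```powershell
# Added example. Target folders are the ones from the walkthrough above;
# the check reads the NTDS Parameters values that ntdsutil rewrites on a move.
$DbTarget  = 'C:\AD\Database'
$LogTarget = 'C:\AD\Logs'
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ErrorActionPreference = 'Stop'

# The destination folders must exist before the move.
foreach ($dir in $DbTarget, $LogTarget) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
}

$before = Get-ItemProperty -Path $ParamsKey
"Current database : $($before.'DSA Database file')"
"Current log path : $($before.'Database log files path')"

# Remember which dependent services are running so they can be started again.
$dependents = Get-Service -Name NTDS -DependentServices |
    Where-Object { $_.Status -eq 'Running' }

Stop-Service -Name NTDS -Force          # -Force also stops the dependent services
try {
    # Same commands as the interactive steps, passed to ntdsutil as arguments.
    & ntdsutil.exe 'activate instance ntds' files `
        "move db to $DbTarget" "move logs to $LogTarget" quit quit
}
finally {
    Start-Service -Name NTDS
    $dependents | Start-Service
}

# Confirm that the registry now points at the new locations.
$after      = Get-ItemProperty -Path $ParamsKey
$expectedDb = Join-Path $DbTarget 'ntds.dit'
if ($after.'DSA Database file' -ne $expectedDb) {
    throw "Database path is '$($after.'DSA Database file')', expected '$expectedDb'"
}
if ($after.'Database log files path' -ne $LogTarget) {
    throw "Log path is '$($after.'Database log files path')', expected '$LogTarget'"
}
"Move verified: $expectedDb and $LogTarget"
```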