Q61. Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Answer: B
Explanation:
http://kb.iu.edu/data/ajlt.html
In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.
http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx Group types
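The practical failure in Q61 is silent: an ACE that names a distribution group is never matched, because distribution groups are not placed in the user's logon token. The following script is an added example (not part of the exam guide or of any Microsoft documentation) that walks the DACL of a shared folder and every nested group below it, reports any distribution group in the chain, and shows the remediation from answer B. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the folder path and group names are constructed.

```powershell
# Added example, not from the page: find groups in a folder's ACL that are
# distribution groups (and therefore grant nothing), walking nested groups.
# Assumes the ActiveDirectory module on a domain-joined host; the folder path
# and group names are constructed for this example.
Import-Module ActiveDirectory

function Get-IneffectiveAclGroups {
    param([Parameter(Mandatory = $true)][string]$Path)

    $acl     = Get-Acl -Path $Path
    $seen    = @{}
    $results = @()
    $queue   = New-Object System.Collections.Queue

    # Seed the walk with every principal named in the DACL
    foreach ($ace in $acl.Access) {
        $queue.Enqueue($ace.IdentityReference.Value.Split('\')[-1])
    }

    while ($queue.Count -gt 0) {
        $sam = $queue.Dequeue()
        if ($seen.ContainsKey($sam)) { continue }
        $seen[$sam] = $true

        # Built-in principals (SYSTEM, Administrators) and users are not AD groups
        $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }

        if ($grp.GroupCategory -eq 'Distribution') {
            $results += New-Object PSObject -Property @{
                Group   = $grp.SamAccountName
                Scope   = $grp.GroupScope
                Problem = 'Distribution group: never placed in a logon token, so its members get no access'
            }
        }
        # Without -Recursive, Get-ADGroupMember also returns nested groups
        Get-ADGroupMember -Identity $grp |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { $queue.Enqueue($_.SamAccountName) }
    }
    return $results
}

$bad = Get-IneffectiveAclGroups -Path 'D:\Shares\Projects'
$bad | Format-Table Group, Scope, Problem -AutoSize

# Remediation (answer B): changing the type keeps the SID and the membership,
# so the existing ACEs become effective once users log off and on again.
# Remove -WhatIf to apply.
foreach ($g in $bad) {
    Set-ADGroup -Identity $g.Group -GroupCategory Security -WhatIf
}
```

The walk is breadth-first with a seen-set so circular nesting cannot loop, and it stops at anything that is not an AD group. Converting the type rather than recreating the group is what preserves the SID, which is why the ACL does not need to be touched.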
Q62. Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.
You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network.
You need to ensure that the new server is already joined to the domain when it first connects to the internal network.
What should you do?
A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.
B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.
C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.
D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.
Answer: C
Explanation:
Explanation 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup. Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.
3. At the offline computer that you want to join the domain, use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Explanation 2:
http://technet.microsoft.com/nl-nl/library/offline-domain-join-djoin-step-by-step.aspx
Steps for performing an offline domain join
The offline domain join process includes the following steps:
1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join.
2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.
3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify.
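Both halves of the offline domain join described in the two explanations above, as an added example (not the exam guide's or Microsoft's code). The host name, domain name and blob path are constructed. New-OdjBlob runs on a domain-joined machine under an account that may create computer accounts; Invoke-OdjRequest runs on the disconnected server as a local administrator after the blob has been copied there over a protected channel. The djoin.exe switches used (/provision, /domain, /machine, /savefile, /requestodj, /loadfile, /windowspath, /localos) are the documented ones; the handling of the blob file around them is this example's own.

```powershell
# Added example, not from the page: both halves of an offline domain join.
# Host, domain and file names are constructed.

function New-OdjBlob {
    param(
        [string]$Domain   = 'contoso.com',
        [string]$Machine  = 'SERVER07',
        [string]$BlobFile = 'C:\odj\SERVER07.txt'
    )
    Import-Module ActiveDirectory
    New-Item -ItemType Directory -Path (Split-Path $BlobFile) -Force | Out-Null

    # /provision creates the computer account and writes the blob.
    # /reuse is deliberately omitted so a mistyped name cannot take over the
    # account of a server that is already in production.
    djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobFile
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit $LASTEXITCODE)" }

    # The blob carries the machine account password: restrict it to the
    # operator now and delete it on the target once it has been consumed.
    icacls.exe $BlobFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" | Out-Null

    # The account exists in AD before the server has ever been on the network
    Get-ADComputer -Identity $Machine | Select-Object Name, Enabled, DistinguishedName
}

function Invoke-OdjRequest {
    param([string]$BlobFile = 'C:\odj\SERVER07.txt')

    # /localos targets the running OS; /windowspath is required by djoin.
    djoin.exe /requestodj /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed (exit $LASTEXITCODE)" }
    Remove-Item $BlobFile -Force

    # Membership and the secure channel only take effect after a restart.
    # Afterwards, verify on the server with:
    #   (Get-WmiObject Win32_ComputerSystem).PartOfDomain   # expected: True
    #   nltest.exe /sc_query:contoso.com                     # secure channel status
    Restart-Computer -Force
}

# On the provisioning machine:
#   New-OdjBlob -Domain 'contoso.com' -Machine 'SERVER07' -BlobFile 'C:\odj\SERVER07.txt'
# On the new server, after copying the blob:
#   Invoke-OdjRequest -BlobFile 'C:\odj\SERVER07.txt'
```

The point worth remembering is that the blob is a credential: whoever holds it can bring a machine into the domain under that computer account, so it should be transported like a password and removed as soon as /requestodj has succeeded.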
Q63. Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008.
The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003.
You need to set up a transitive forest trust between Forest1 and Forest2.
What should you do first?
A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.
B. Raise the forest functional level of Forest2 to Windows Server 2003.
C. Upgrade the domain controllers in Forest2 to Windows Server 2008.
D. Upgrade the domain controllers in Forest2 to Windows Server 2003.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc816810.aspx
Creating Forest Trusts
You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way or two-way, transitive trust relationship.
The following are required to create forest trusts successfully:
You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest.
To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003.
Q64. Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008.
You have a member server named Server1 that runs Windows Server 2008.
You need to ensure that you can add Server1 to contoso.com as a domain controller.
What should you run before you promote Server1?
A. dcpromo.exe /CreateDCAccount
B. dcpromo.exe /ReplicaOrNewDomain:replica
C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels.aspx
After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.
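The rule quoted above (a domain functional level can only ever be lowered from Windows Server 2008 R2 to Windows Server 2008, and only while the forest level is Windows Server 2008 or lower) is easy to get wrong under pressure. This added example, which is not from the exam guide or from Microsoft, encodes it as a pre-promotion check: it reads the candidate server's OS, compares it with the current domain level, and only proposes Set-ADDomainMode when the rollback is one the text permits. It assumes the ActiveDirectory module on a domain-joined host; the server and domain names are constructed, and the rank table is this example's own way of ordering the levels.

```powershell
# Added example, not from the page: can this server be promoted into the
# domain at its current functional level, and if not, is lowering the level
# allowed? Assumes the ActiveDirectory module; names are constructed.
Import-Module ActiveDirectory

# Rank of each functional level; a DC's OS rank must be >= the domain's rank.
# "R2" is given a rank just above 2008 so the comparisons stay simple.
$levelRank = @{
    'Windows2000Domain'        = 2000
    'Windows2003InterimDomain' = 2003
    'Windows2003Domain'        = 2003
    'Windows2008Domain'        = 2008
    'Windows2008R2Domain'      = 2009
    'Windows2000Forest'        = 2000
    'Windows2003InterimForest' = 2003
    'Windows2003Forest'        = 2003
    'Windows2008Forest'        = 2008
    'Windows2008R2Forest'      = 2009
}

function Get-OsRank([string]$Caption) {
    if ($Caption -match '2008 R2') { return 2009 }
    if ($Caption -match '2008')    { return 2008 }
    if ($Caption -match '2003')    { return 2003 }
    return 0
}

function Test-DcPromotion {
    param([string]$Server = 'Server1', [string]$Domain = 'contoso.com')

    $os = (Get-WmiObject Win32_OperatingSystem -ComputerName $Server).Caption
    $d  = Get-ADDomain -Identity $Domain
    $f  = Get-ADForest -Identity $d.Forest
    $osRank  = Get-OsRank $os
    $dflRank = $levelRank["$($d.DomainMode)"]
    $fflRank = $levelRank["$($f.ForestMode)"]

    Write-Host "$Server runs '$os'; DFL=$($d.DomainMode), FFL=$($f.ForestMode)"
    if ($osRank -ge $dflRank) {
        Write-Host 'OK: the server can be promoted at the current domain functional level.'
        return $true
    }
    # The only supported rollback: 2008 R2 -> 2008, and only while FFL <= 2008
    if ($d.DomainMode -eq 'Windows2008R2Domain' -and $fflRank -le 2008 -and $osRank -ge 2008) {
        Write-Host 'Lowering DFL to Windows Server 2008 (remove -WhatIf to apply):'
        Set-ADDomainMode -Identity $Domain -DomainMode Windows2008Domain -WhatIf
        return $true
    }
    Write-Warning "Cannot promote $Server: the functional level cannot be lowered far enough; upgrade the server instead."
    return $false
}

Test-DcPromotion -Server 'Server1' -Domain 'contoso.com'
```

For the Q64 scenario (DFL 2008 R2, FFL 2008, candidate running Windows Server 2008) the second branch fires, matching answer C. Lowering a functional level also removes the features the higher level enabled (for 2008 R2: the Recycle Bin, for instance), so the -WhatIf is there deliberately.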
Q65. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?
A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.
B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.
D. On both servers, modify the interface that the DNS server listens on.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc771150.aspx
Change the Zone Type
You can use this procedure to make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication.
http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx
Deploy IPsec Policy to DNS Servers
You can deploy IPsec rules through one of the following mechanisms:
Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier.
DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers.
Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally.
http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx
Deploying Secure DNS
Protecting DNS Servers
When the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks:
* Use IPsec between DNS clients and servers.
* Monitor network activity.
* Close all unused firewall ports.
Implementing IPsec Between DNS Clients and Servers
IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network.
When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server.
Further information:
http://technet.microsoft.com/en-us/library/cc771898.aspx
Understanding Zone Types
The DNS Server service provides for three types of zones: primary zone, secondary zone, stub zone.
Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS.
The following sections describe each of these zone types:
Primary zone: When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
Secondary zone: When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
Stub zone: When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.
You can use stub zones to:
* Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
* Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace.
* Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
* The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
* The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/
Answered: what is non-standard dns secondary zone?
Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone". From the context of other questions I understood that "standard", in context of primary zone, means "non-AD-integrated".
A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file.
Q: What does "standard" mean in context of DNS secondary zone?
A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is stored in a text file, which can be found in system32\dns.
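The procedure behind answer B of Q65, as an added example that is not from the exam guide or from Microsoft: re-type the file-based primary on DC1 as AD-integrated, retire the standard secondary on DC2 once DC2 has loaded the directory copy, and compare record counts so the "must not lose any zone data" requirement is actually checked rather than assumed. It uses dnscmd.exe, which ships with the DNS Server role on Windows Server 2008 R2; the server and zone names are constructed, and the use of the DNS WMI provider for counting records and the string matched in the /ZoneInfo output are this example's assumptions.

```powershell
# Added example, not from the page: convert a standard primary zone to an
# AD-integrated zone and retire the standard secondary, with a data-loss check.
# Server and zone names are constructed.

$zone      = 'contoso.com'
$primary   = 'DC1'
$secondary = 'DC2'

function Get-ZoneRecordCount([string]$Server, [string]$Zone) {
    # Assumption: the DNS WMI provider (root\MicrosoftDNS) is reachable on $Server
    $rr = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_ResourceRecord `
          -ComputerName $Server -Filter "ContainerName='$Zone'"
    return @($rr).Count
}

# 1. Record count and a copy of the zone file before anything changes
$before = Get-ZoneRecordCount $primary $zone
New-Item -ItemType Directory -Path 'C:\backup' -Force | Out-Null
Copy-Item "\\$primary\admin$\System32\dns\$zone.dns" "C:\backup\$zone.dns.$(Get-Date -Format yyyyMMdd)" -Force

# 2. Re-type the zone as AD-integrated, stored in the domain DNS partition
dnscmd $primary /ZoneResetType $zone /DsPrimary /dp "DomainDnsZones.$zone"
if ($LASTEXITCODE -ne 0) { throw "ZoneResetType failed ($LASTEXITCODE)" }

# 3. AD replication now carries the zone to DC2. Its file-based secondary
#    would shadow that copy, so delete it (no /DsDel: only the local file copy)
dnscmd $secondary /ZoneDelete $zone /f

# 4. Wait until DC2 has loaded the directory copy (the DNS service polls AD
#    for new zones). Assumption: /ZoneInfo prints "DS integrated = 1".
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $loaded = (dnscmd $secondary /ZoneInfo $zone 2>&1) -match 'DS integrated\s*=\s*1'
} until ($loaded -or (Get-Date) -gt $deadline)
if (-not $loaded) { throw "$secondary has not loaded $zone from AD DS yet" }

# 5. Zone transfers are no longer how the zone moves between DCs; turning
#    them off also stops an AXFR from handing the whole zone to any host
#    that can reach port 53
dnscmd $primary /ZoneResetSecondaries $zone /NoXfr

# 6. Nothing should have been lost
$after = Get-ZoneRecordCount $primary $zone
"Records before: $before, after: $after"
if ($after -lt $before) { Write-Warning 'Record count dropped; compare against the backup file' }
```

The encryption the question asks for comes from AD DS replication itself (DRS over RPC is authenticated and sealed between DCs), which is why answer B satisfies the requirement without configuring anything on the DNS transport; the zone transfer restriction in step 5 is there because the old file-based transfer path serves no purpose once the zone lives in the directory.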
Q66. Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office.
You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep /rodcprep command.
Answer: B,D
Explanation:
http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx
Prerequisites for Deploying an RODC
Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher.
Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2. The adprep commands extend the Active Directory schema and update security descriptors so that you can add the new domain controllers. There are different versions of Adprep.exe for Windows Server 2008 and Windows Server 2008 R2.
1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:
* Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema.
* Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role.
* If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep.
2. Install Active Directory Domain Services (AD DS). You can install AD DS by using a wizard, the command line, or an answer file. Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC and ensure that the writable domain controller is also a DNS server that has registered a name server (NS) resource record for the relevant DNS zone. An RODC must replicate domain updates from a writable domain controller running Windows Server 2008 or Windows Server 2008 R2.
Q67. Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS.
You need to update AD RMS to use the new password.
Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Component Services
D. Services
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx
AD RMS How To: Change the RMS Service Account Password
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.
It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. These processes include, but are not limited to, the following items:
* Ensure the service account meets the criteria (is a domain account, is not the domain account that provisioned RMS, etc.)
* Temporarily suspends RMS functionality on the server during the change
* Updates the RMS local groups
* Updates the database role for the service account
* Updates and restarts the MSMQ and logging services
* Updates the service account for the _DRMSAppPool1 web application pool
* Updates appropriate AD RMS configuration database tables
There are important requirements to run this wizard. You must be logged on to the AD RMS server, and the account running the wizard must be:
* A local administrator on the RMS server,
* A member of the AD RMS Enterprise Administrators group, and
* A SQL SysAdmin on the AD RMS instance
Lastly, this must be performed on each server of the AD RMS cluster.
Q68. You have an Active Directory domain that runs Windows Server 2008 R2.
You need to implement a certification authority (CA) server that meets the following requirements:
Allows the certification authority to automatically issue certificates
Integrates with Active Directory Domain Services
What should you do?
A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.
C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA.
D. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx
Enterprise certification authorities
The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.
An enterprise CA has the following features:
* An enterprise CA requires the Active Directory directory service.
* When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.
* Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards.
* The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.
* An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates: Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor. The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.
http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx
Stand-alone certification authorities
You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
A stand-alone CA has the following characteristics:
* Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.
* When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database.
* By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA.
* Certificate templates are not used.
* No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card.
* The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves.
When a stand-alone CA uses Active Directory, it has these additional features:
* If a member of the Domain Administrators group or an administrator with write access to Active Directory installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
* If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.
Q69. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC).
You add a user named User1 to the Allowed RODC Password Replication Group.
The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain.
The WAN link is restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?
A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.
Answer: D
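Why answer D is the fix: a domain logon from a workstation is a Kerberos exchange that needs the RODC to hold the secrets of both the user and the workstation; with only User1 allowed, the RODC can cache his password but still has to forward the computer's part to a writable DC, which is unreachable when the WAN is down. The script below is an added example, not from the exam guide or from Microsoft: it adds the workstation account to the Allowed RODC Password Replication Group alongside the user, checks that neither is covered by a Denied entry (Denied wins over Allowed), pre-populates both secrets on the RODC so the next outage does not depend on a prior successful logon, and verifies the result. It assumes the ActiveDirectory module and repadmin.exe on a hub-site admin host; the user, computer and DC names are constructed.

```powershell
# Added example, not from the page: make a branch user's logon survive a WAN
# outage by caching both the user and the workstation secrets on the RODC.
# Assumes the ActiveDirectory module and repadmin.exe; names are constructed.
Import-Module ActiveDirectory

function Enable-BranchLogonCaching {
    param(
        [string]$User     = 'User1',
        [string]$Computer = 'WS-BRANCH01',   # User1's workstation
        [string]$Rodc     = 'RODC-SITE2',
        [string]$HubDc    = 'DC1'            # writable DC in Site1
    )
    $group = 'Allowed RODC Password Replication Group'
    $u = Get-ADUser     -Identity $User
    $c = Get-ADComputer -Identity $Computer

    # Answer D: the computer account must be allowed, not only the user
    Add-ADGroupMember -Identity $group -Members $u, $c

    # A Denied entry overrides Allowed. Resolve the RODC's denied list
    # (direct principals plus recursive members of denied groups) to SIDs.
    $deniedSids = @()
    foreach ($entry in (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)) {
        if ($entry.objectClass -eq 'group') {
            $deniedSids += Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive |
                           ForEach-Object { $_.SID.Value }
        } else {
            $deniedSids += $entry.SID.Value
        }
    }
    foreach ($p in @($u, $c)) {
        if ($deniedSids -contains $p.SID.Value) {
            Write-Warning "$($p.SamAccountName) is denied on $Rodc; the Allowed entry will not take effect"
        }
    }

    # Pre-populate now rather than waiting for a logon while the WAN is up
    repadmin.exe /rodcpwdrepl $Rodc $HubDc $u.DistinguishedName $c.DistinguishedName
    if ($LASTEXITCODE -ne 0) { throw "repadmin /rodcpwdrepl failed (exit $LASTEXITCODE)" }

    # Verify: both accounts should now be listed as revealed to the RODC
    $wanted = @($u.SamAccountName, $c.SamAccountName)
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $wanted -contains $_.SamAccountName } |
        Select-Object SamAccountName, ObjectClass
}

Enable-BranchLogonCaching
```

Every account added to the allowed set is one more secret stored on a DC in a physically weaker site, so the group should hold the branch's own users and workstations and nothing from Site1; the Denied check is there because the default denied list already covers the accounts that should never be cached, and a warning from it is a sign the wrong account is being granted.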
Q70. You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks.
For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.
Which utility will you use to convert basic disks to dynamic disks on FileSrv1?
A. Diskpart.exe
B. Chkdsk.exe
C. Fsutil.exe
D. Fdisk.exe
E. None of the above
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc771534.aspx
[Diskpart] Convert dynamic: Converts a basic disk into a dynamic disk.