We provide real Microsoft 70-640 (MCITP) exam questions and answers (braindumps) in two formats: a downloadable PDF and practice tests. The PDF version can be read and printed, so you can practice as many times as you like. With the Microsoft 70-640 PDF and VCE material you can pass the 70-640 exam quickly and easily.
Q121. Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1.
You need to ensure that GPO10 is applied only to client computers that run Windows 7.
What should you do?
A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc947846.aspx
To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer.
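Before a WMI filter is attached to GPO10 in GPMC, it is worth testing the WQL query it will contain, because the Group Policy client applies a filter only when the query returns at least one row. The following is an added example (not from the exam dump or from Microsoft's documentation); the host names in the target list are assumed. Windows 7 reports `Win32_OperatingSystem.Version` 6.1.x, so the `ProductType = "1"` clause (workstation) is what keeps Windows Server 2008 R2 member servers, which also report 6.1, out of the filter; Windows XP reports 5.1.x and never matches.

```powershell
# Added example: test the WQL query for a "Windows 7 only" WMI filter before
# creating it in GPMC. Not code from the page; host names below are assumed.
$Win7Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'

function Test-GpoWmiFilter {
    param(
        [string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME   # a remote test needs WMI/DCOM access
    )
    $rows = Get-WmiObject -Namespace 'root\cimv2' -Query $Query -ComputerName $ComputerName
    # Same rule the Group Policy client uses: a non-empty result means the filter passes
    [bool](($rows | Measure-Object).Count)
}

# Evaluate against the local machine and a constructed list of hosts (assumed names)
$targets = @($env:COMPUTERNAME, 'WIN7-PC01', 'XP-PC01')
foreach ($t in $targets) {
    try {
        $applies = Test-GpoWmiFilter -Query $Win7Query -ComputerName $t
        "{0,-15} GPO10 applies: {1}" -f $t, $applies
    } catch {
        "{0,-15} query failed: {1}" -f $t, $_.Exception.Message
    }
}
```

Once the query behaves as expected, create the filter under WMI Filters in GPMC with that exact query text and link it to GPO10; the XP computers in OU1 then receive the link but skip the GPO at processing time.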
Q122. Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed.
Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server.
You install AD FS 2.0 on Server2.
You need to add Server2 to the existing AD FS farm.
What should you do?
A. On Server1, run fsconfig.exe.
B. On Server1, run fsconfigwizard.exe.
C. On Server2, run fsconfig.exe.
D. On Server2, run fsconfigwizard.exe.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx
Configure a New Federation Server
To configure a new federation server using the command line:
1. Open a Command Prompt window.
2. Change the directory to the path where AD FS 2.0 was installed.
3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER:
fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]
Parameter JoinSQLFarm: Joins this computer to an existing federation server farm that is using SQL Server.
Q123. Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table.
All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integrated zones.
You need to ensure that contoso.com records are available on DC3.
Which command should you run?
A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx#BKMK_23
Dnscmd
A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.
dnscmd /zonechangedirectorypartition
Changes the directory partition on which the specified zone resides.
Syntax
dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName> {[<NewPartitionName>] | [<ZoneType>]}
Parameters
<ServerName> Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If this parameter is omitted, the local server is used.
<ZoneName> The FQDN of the current directory partition on which the zone resides.
<NewPartitionName> The FQDN of the directory partition that the zone will be moved to.
<ZoneType> Specifies the type of directory partition that the zone will be moved to.
/domain Moves the zone to the built-in domain directory partition.
/forest Moves the zone to the built-in forest directory partition.
/legacy Moves the zone to the directory partition that is created for pre-Active Directory domain controllers. These directory partitions are not necessary for native mode.
Q124. Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ee683904%28v=ws.10%29.aspx
DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server 2008 R2 and Windows 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS infrastructure.
The following changes are available in DNS server in Windows Server 2008 R2:
Ability to sign a zone and host signed zones.
Support for changes to the DNSSEC protocol.
Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in DNS client in Windows 7:
Ability to indicate knowledge of DNSSEC in queries.
Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
Ability to check whether the DNS server with which it communicated has performed validation on the client's behalf.
The DNS client's behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client's behavior. The NRPT is typically managed through Group Policy.
What does DNSSEC do?
DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.
In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.
Q125. Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx
Managing Group Policy ADMX Files Step-by-Step Guide
Microsoft Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools, Group Policy Object Editor and Group Policy Management Console, remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx
Questions on ADMX in Windows XP and Windows 2003 environments
We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was:
"…What's the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I've done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…"
The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that's created. It's just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous, this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX.
This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn't copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and referenced by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can.
Here's the confusion-reducing scoop: Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that's LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that's very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates, not GP itself. So if you don't currently use them then you don't have to update schema.
So provided you're using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy Preferences. Honestly, it amazes us the amount of IT Pros that still haven't discovered GPP…especially with the power it has to practically eliminate logon scripts! As a last point, IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff.
The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start!
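The central store the blog post describes is just a copy of the local PolicyDefinitions folder placed under the domain's Policies share on SYSVOL, which GPMC on Vista SP1/Server 2008 (or later) then reads in preference to the local store. The script below is an added example, not code from the page or from Microsoft; it assumes you run it from such a machine with write access to SYSVOL on the PDC emulator, and that your ADML language folder is en-US.

```powershell
# Added example: build the ADMX central store from the local PolicyDefinitions
# folder and check that every ADMX has its matching ADML. Paths are assumptions.
$domain       = $env:USERDNSDOMAIN
$localStore   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$lang         = 'en-US'   # assumed language folder for the ADML files

if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
}

# Copy the ADMX files plus the language subfolders that hold the ADML files.
# -Force overwrites an older copy, which is how you roll out updated templates.
Copy-Item -Path (Join-Path $localStore '*') -Destination $centralStore -Recurse -Force

# Verify: counts should match, and each ADMX needs an ADML of the same base name
$admx = @(Get-ChildItem -Path $centralStore -Filter *.admx)
$adml = @(Get-ChildItem -Path (Join-Path $centralStore $lang) -Filter *.adml)
"Central store: {0}" -f $centralStore
"ADMX files: {0}   ADML ({1}) files: {2}" -f $admx.Count, $lang, $adml.Count

$admx |
    Where-Object { -not (Test-Path (Join-Path $centralStore "$lang\$($_.BaseName).adml")) } |
    ForEach-Object { "WARNING: no $lang ADML for $($_.Name)" }
```

After the copy, GPMC on a supported client shows "Administrative Templates: Policy definitions (ADMX files) retrieved from the central store" in the editor; an XP client still cannot use it, which is why the answer to Q125 is to upgrade the client rather than to change the store.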
Q126. Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2.
A user named User1 logs on to a computer in the branch office site.
You discover that the password of User1 is not stored on RODC1. You need to ensure that User1's password is stored on RODC1.
What should you modify?
A. the Member Of properties of RODC1
B. the Member Of properties of User1
C. the Security properties of RODC1
D. the Security properties of User1
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx
Administering the Password Replication Policy
Personal comment:
Basically, these are the default settings for the Password Replication Policy of a specific RODC:
So, if you would add a user to be a member of a group that is allowed to store passwords on that specific RODC, then that user's password would be stored on that RODC.
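The "Member Of" change in the answer can be made and then verified against the RODC's Password Replication Policy with the ActiveDirectory module that ships with Windows Server 2008 R2 and RSAT. This is an added example, not from the page; it assumes the RODC is named RODC1 and the user is User1, as in the question, and that the default Allowed RODC Password Replication Group is still the allowed group in RODC1's policy.

```powershell
# Added example: inspect RODC1's PRP, add User1 to the allowed group, and check
# the effective result. Names come from the question; nothing else is from the page.
Import-Module ActiveDirectory

$rodc = 'RODC1'
$user = 'User1'

# 1. Who is currently allowed, and who is explicitly denied, on this RODC
"Allowed on $rodc:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object -ExpandProperty Name
"Denied on $rodc:"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object -ExpandProperty Name

# 2. A Deny entry wins over Allow, so make sure the user is not in a denied group
#    (Denied RODC Password Replication Group contains the privileged groups by default)
$userGroups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
$deniedNames = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object -ExpandProperty Name
$blocked = $userGroups | Where-Object { $deniedNames -contains $_ }
if ($blocked) { "WARNING: $user is in denied group(s): $($blocked -join ', ')" }

# 3. The change from the answer: edit the user's Member Of, not the RODC object
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $user

# 4. Accounts whose passwords RODC1 has already cached. User1 appears here only after
#    the next logon at the branch (or after "Prepopulate Passwords" in AD Users and Computers).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -eq $user } |
    Select-Object SamAccountName, DistinguishedName
```

The denied-group check in step 2 is the part that catches the common mistake: adding a user to the allowed group does nothing if the same user is, for example, an Account Operator, because that group is denied by default.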
Q127. Your network contains an Active Directory domain.
You need to restore a deleted computer account from the Active Directory Recycle Bin.
What should you do?
A. From the command prompt, run recover.exe.
B. From the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx
Step 2: Restore a Deleted Active Directory Object
Applies To: Windows Server 2008 R2
This step provides instructions for completing the following tasks with Active Directory Recycle Bin:
Displaying the Deleted Objects container
Restoring a deleted Active Directory object using Ldp.exe
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
Restoring multiple, deleted Active Directory objects
To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active-directory-recycle-binusing-ad-powershell.aspx
Restoring object from the Active Directory Recycle Bin using AD Powershell
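The question asks about a computer account rather than a user, and in practice you want to see what you are about to restore before piping it into Restore-ADObject. The following is an added example, not code from the page or from Microsoft; it assumes the Active Directory Recycle Bin is already enabled in the forest and that the deleted computer was named PC01 (an assumed name).

```powershell
# Added example: find a deleted computer account in the Recycle Bin, review it,
# restore it, and confirm it is live again. PC01 is an assumed name.
Import-Module ActiveDirectory

$computerName = 'PC01'

# Deleted objects keep their name as "PC01\0ADEL:<guid>", so match on the prefix.
# -IncludeDeletedObjects is required: without it, deleted objects are never returned.
$candidates = Get-ADObject `
    -Filter { objectClass -eq "computer" -and name -like "PC01*" } `
    -IncludeDeletedObjects `
    -Properties lastKnownParent, whenChanged, isDeleted

# Review before acting: lastKnownParent is the OU the object will go back to
$candidates | Format-Table Name, Deleted, lastKnownParent, whenChanged, ObjectGUID -AutoSize

# Restore only objects that are actually deleted (a live PC01 would also match the name filter).
# If lastKnownParent is itself a deleted OU, restore that OU first (the "multiple objects" case).
$deleted = $candidates | Where-Object { $_.Deleted }
if (-not $deleted) {
    "No deleted computer object matching $computerName found in the Recycle Bin."
} else {
    $deleted | Restore-ADObject
    # Verify the account is back, in its original OU, and whether it is enabled
    Get-ADComputer -Identity $computerName |
        Select-Object Name, DistinguishedName, Enabled, SID
}
```

Restoring from the Recycle Bin keeps the object's SID and most attributes, so the machine's existing domain trust usually works again without rejoining; with only tombstone reanimation (the Recycle Bin disabled) most attributes would be lost, which is why answer D depends on the Recycle Bin being enabled first.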
Q128. You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc770536.aspx
To back up a Group Policy object
1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All.
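The same "Back Up All" operation is available from the GroupPolicy module that ships with GPMC, which is convenient for a scheduled task. The script below is an added example, not code from the page or from Microsoft; the backup path and comment are assumptions.

```powershell
# Added example: back up every GPO in the domain with the GroupPolicy module
# (GPMC on Windows Server 2008 R2 / RSAT) and record what was backed up. Path is assumed.
Import-Module GroupPolicy

$backupRoot = Join-Path 'D:\GPOBackups' (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# Equivalent of right-click "Group Policy Objects" > "Back Up All" in GPMC:
# only the GPOs' settings and SYSVOL files, not a system state backup.
$backups = Backup-GPO -All -Path $backupRoot -Comment 'Scheduled full GPO backup'

# Backup-GPO creates one folder per GPO named by backup Id; keep a display-name index
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path $backupRoot 'gpo-backup-index.csv') -NoTypeInformation

# Size check: the point of using GPMC here is that this is far smaller than a system state backup
$sizeMB = (Get-ChildItem -Path $backupRoot -Recurse -File | Measure-Object -Property Length -Sum).Sum / 1MB
"{0} GPOs backed up to {1} ({2:N1} MB)" -f $backups.Count, $backupRoot, $sizeMB

# To put one GPO back from this set later (not run here):
# Restore-GPO -Name 'Default Domain Policy' -Path $backupRoot
```

A GPO backup covers the GPO itself (its GPT in SYSVOL and GPC in AD) but not its links to sites, domains and OUs, nor the WMI filter objects it references, so those must be documented separately if a full rebuild is the goal.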
Q129. You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.
You need to record all inbound DNS queries to the server.
What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Configure event logging to log errors and warnings.
D. Enable automatic testing for recursive queries.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc753579.aspx
DNS Tools
Event-monitoring utilities
The Windows Server 2008 family includes two options for monitoring DNS servers:
Default logging of DNS server event messages to the DNS server log. DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can view using DNS Manager or Event Viewer. The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or (in some cases) Active Directory Domain Services (AD DS).
You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and they are written by the DNS Client service at any computers running Windows (all versions).
Optional debug options for trace logging to a text file on the DNS server computer. You can also use DNS Manager to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in the %systemroot%\System32\Dns folder.
http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspx
Using server debug logging options
The following DNS debug logging options are available:
Direction of packets
Send: Packets sent by the DNS server are logged in the DNS server log file.
Receive: Packets received by the DNS server are logged in the log file.
Further information:
http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
Select and enable debug logging options on the DNS server
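Once debug logging with the Receive direction and Queries/Transfers content is on, Dns.log fills quickly and is only useful if you can reduce it to who asked for what. The script below is an added example, not from the page or from Microsoft: it parses packet lines of the shape the 2008 R2 DNS server writes and summarises inbound queries by client and by name. The three sample lines are constructed for the example and follow that shape (date, time, thread id, PACKET, packet address, protocol, direction, client IP, XID, response flag, opcode, flags, type, and the name in DNS length-prefixed form); on a real server point $lines at %systemroot%\System32\Dns\Dns.log instead.

```powershell
# Added example: summarise inbound queries from DNS debug log (Dns.log) packet lines.
# The sample lines below are constructed for this example, not copied from a real server.
$lines = @(
    '9/10/2012 3:15:01 PM 0B7C PACKET  0000000002E1A5B0 UDP Rcv 10.0.0.25       0002   Q [0001   D   NOERROR] A      (3)www(7)contoso(3)com(0)',
    '9/10/2012 3:15:01 PM 0B7C PACKET  0000000002E1A5B0 UDP Snd 10.0.0.25       0002 R Q [8081   DR  NOERROR] A      (3)www(7)contoso(3)com(0)',
    '9/10/2012 3:15:02 PM 0B7C PACKET  0000000002E1B3C0 UDP Rcv 10.0.0.31       0003   Q [0001   D   NOERROR] MX     (7)contoso(3)com(0)'
)
# Real-server usage (assumed default path):
# $lines = Get-Content -Path (Join-Path $env:SystemRoot 'System32\Dns\Dns.log')

# Field order of a packet line; the "R" column is blank for a query, so it is optional
$packetRegex = '^(?<date>\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+' +
               '(?<client>\S+)\s+(?<xid>\S+)\s+(?<resp>R?)\s+(?<op>\S+)\s+\[(?<flags>[^\]]*)\]\s+' +
               '(?<qtype>\S+)\s+(?<qname>\S+)'

function ConvertFrom-DnsLogName {
    param([string]$Encoded)
    # "(3)www(7)contoso(3)com(0)" -> "www.contoso.com"
    (($Encoded -replace '\(\d+\)', '.').Trim('.'))
}

function Get-InboundDnsQueries {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -notmatch $packetRegex) { continue }          # skip headers, blanks, non-packet lines
        # Inbound query = received by the server and not a response
        if ($Matches.dir -ne 'Rcv' -or $Matches.resp -eq 'R') { continue }
        [pscustomobject]@{
            Time   = $Matches.date
            Client = $Matches.client
            Proto  = $Matches.proto
            Type   = $Matches.qtype
            Name   = ConvertFrom-DnsLogName $Matches.qname
        }
    }
}

$queries = @(Get-InboundDnsQueries -LogLines $lines)
"Inbound queries: $($queries.Count)"
$queries | Format-Table Time, Client, Proto, Type, Name -AutoSize

"Top clients:"
$queries | Group-Object Client | Sort-Object Count -Descending | Select-Object Count, Name
"Top names:"
$queries | Group-Object Name   | Sort-Object Count -Descending | Select-Object Count, Name
```

Debug logging costs CPU and disk on a domain controller, so it is meant for a bounded troubleshooting window: enable it, reproduce the problem, collect the file with a script like this one, and turn it off again. The DNS server event log and the System log (for the DNS Client service) remain the normal, always-on sources.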
Q130. You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.
You grant the Account Operators group the Issue and Manage Certificates permission on the CA.
Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.)
A. Enable the Restrict Enrollment Agents option on the CA.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.
Answer: B,C,E
Explanation:
http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx
Role-based administration
Role explanation
Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.
Certificate Manager:
Delete multiple rows in database (bulk deletion)
Issue and approve certificates
Deny certificates
Revoke certificates
Reactivate certificates placed on hold
Renew certificates
Recover archived key
Read CA database
Read CA configuration information
http://technet.microsoft.com/en-us/library/cc753372.aspx
Restrict Certificate Managers
A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.
When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group. This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
To configure certificate manager restrictions for a CA:
1. Open the Certification Authority snap-in, and right-click the name of the CA.
2. Click Properties, and then click the Security tab.
3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
4. Click the Certificate Managers tab.
5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.
6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
9. When you are finished configuring certificate manager restrictions, click OK or Apply.