Q91. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista.
You need to ensure that all client computers can apply Group Policy preferences.
What should you do?
A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).
Answer: C
Explanation:
http://www.microsoft.com/en-us/download/details.aspx?id=3628
Group Policy Preference Client Side Extensions for Windows XP (KB943729)
Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). Group Policy Preferences enable information technology professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. After you install this update, your computer will be able to process the new Group Policy Preference extensions.
http://www.petenetlive.com/KB/Article/0000389.htm
Server 2008 Group Policy Preferences and Client Side Extensions
Problem
Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2. To be able to apply them to older Windows clients, you need to install the "Client Side Extensions" (CSE). You can either script this, deploy with a group policy, or if you have WSUS you can send out the update that way.
Solution
You may not have noticed, but if you edit or create a group policy in Server 2008 now, you will see there is a "Preferences" branch. Most IT Pro's will have seen the addition of the "Policies" folder some time ago because it adds an extra level to get to the policies that were there before :)
OK Cool! What can you do with them?
1. Computer Preferences: Windows Settings
Environment: Lets you control, and send out Environment variables via Group Policy.
Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).
Folder: As above, but for folders.
Ini Files: Allows you to Create, Replace, Update or Delete an ini file.
Registry: Allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s) values you want to send them out via group policy.
Network Shares: Allow you to Create, Replace, Update, or Delete shares on clients via group policy.
Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.
2. Computer Preferences: Control Panel Settings
Data Sources: Allows you to Create, Replace, Update, or Delete, Data Sources and ODBC settings via group policy. (Note: there's a bug if you're using SQL authentication see here).
Devices: Lets you enable and disable hardware devices by type and class, to be honest it's a little "clunky".
Folder Options: Allows you to set "File Associations" and set the default programs that will open particular file extensions.
Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrators passwords via group policy.
Network Options: Lets you send out VPN and dial up connection settings to your clients, handy if you use PPTP Windows Server VPN's.
Power Options: With XP these are Power Options and Power Schemes, with Vista and later OS's they are Power Plans. This is much needed, I've seen many "Is there a group policy for power options?" or disabling hibernation questions in forums. And you can use the options Tab, to target particular machine types (i.e. only apply if there is a battery present).
Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer.
Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.
Service: Essentially anything you can do in the services snap in you can push out through group policy, set services to disabled or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.
3. User Configuration: Windows Settings
Applications: Answers on a Postcard? I can't work out what these are for!
Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.
Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis.
Files: As above, allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.
Folders: As above, but for folders on a user by user basis.
Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.
Registry: As above, allows you to Create, Replace, Update or Delete a Registry value. You can either manually type in the reference, use a Wizard, or extract the key(s) values you want to send out via group policy, this time for users not computers.
Shortcuts: As above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.
4. User Configuration: Control Panel Settings
All of the following options are covered above on "Computer Configuration":
Data Sources
Devices
Folder Options
Local Users and Groups
Network Options
Power Options
Printers
Scheduled Tasks
Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.
Regional Options: Designed so you can change a user's locale, handy if you have one user who wants an American keyboard.
Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user.
Explanations: http://technet.microsoft.com/en-us/library/dd367850%28WS.10%29.aspx Group Policy Preferences
Q92. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
What should you do?
A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.
C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc962065.aspx
Certification Authority Trust Model
Certification Authority Hierarchies
The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certification hierarchy, to provide scalability, ease of administration, and compatibility with a growing number of commercial third-party CA services and public key-aware products. In its simplest form, a certification hierarchy consists of a single CA. However, the hierarchy usually contains multiple CAs that have clearly defined parent-child relationships. Figure 16.5 shows some possible CA hierarchies.
You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a root CA. Root CAs are self-certified by using a self-signed CA certificate. Root CAs are the most trusted CAs in the organization and it is recommended that they have the highest security of all. There is no requirement that all CAs in an enterprise share a common top-level CA parent or root. Although trust for CAs depends on each domain's CA trust policy, each CA in the hierarchy can be in a different domain. Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002-c08b9c7d4149
Q93. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed.
You have an application named App1 that is configured to use Server1 for AD FS authentication.
You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.
You need to ensure that App1 can use Server2 for authentication.
What should you do on Server2?
A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relaying provider trust.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/dd807132%28v=ws.10%29.aspx
Create a Relying Party Trust Using Federation Metadata
http://pipe2text.com/?page_id=815
Setting up a Relying Party Trust in ADFS 2.0
http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trustin-ad-fs-2-0.aspx
Using Federation Metadata to establish a Relying Party Trust in AD FS 2.0
Q94. Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.
You need to install an enterprise subordinate certification authority (CA) that supports private key archival.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role template check box.
Answer: B
Explanation:
Not sure about this one. See my thoughts below.
According to MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) key archival is not available in the Windows Server 2008 R2 Standard edition, so that would leave out answer B.
Another dump gives the following for answer B:
"Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise."
Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go
for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think.
Certificate Enrollment Policy Web Service role of answer C was introduced in Windows
Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008
machine.
Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a hardware-based approach to manage user authentication, network access, data protection and more that takes security to higher level than software-based security." (http://www.trustedcomputinggroup.org/resources/how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/)
Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise
edition. Hope the VCE is wrong.
Q95. Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On a domain controller run adprep /rodcprep.
B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/
DC promotion and adprep/forestprep
Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder").
A1:
You can run adprep from an existing Windows Server 2003 domain controller. Copy the
contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to
the schema master role holder and run Adprep from there.
A2: to introduce the first W2K8 DC within an AD forest....
(1) no AD forest exists yet:
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
(2) an W2K or W2K3 AD forest already exists:
--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
Q96. Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
A. certreq.exe retrieve
B. certreq.exe submit
C. certutil.exe getkey
D. certutil.exe pulse
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/
What does "certutil -pulse" command do?
Certutil -pulse will initiate autoenrollment requests.
It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7):
Right-click Certificates, point to All Tasks, click Automatically Enroll and Retrieve Certificates.
The command does require that
- any autoenrollment GPO settings have already been applied to the target user or computer
- a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user
- the group membership is recognized in the user's token (they have logged on after the membership was added)
http://technet.microsoft.com/library/cc732443.aspx
Certutil
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.
Verbs
The following table describes the verbs that can be used with the certutil command.
pulse: Pulse auto enrollment events
Q97. Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc754916.aspx
Change the Zone Replication Scope
You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)–integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
http://technet.microsoft.com/en-us/library/cc772101.aspx
Understanding DNS Zone Replication in Active Directory Domain Services
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.
When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS–integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog. AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000. If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.
Q98. Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below:
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd759243.aspx
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
- A host computer as a domain member running Windows Server 2008 R2.
- An Active Directory forest with a Windows Server 2008 R2 schema.
- An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
Q99. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.
What should you do?
A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
C. Enable the Audit account management policy in the Default Domain Controller Policy.
D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx
AD DS Auditing Step-by-Step Guide
In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
- When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
- If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
- If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
- If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.
In Windows Server 2008, you implement the new auditing feature by using the following controls:
- Global audit policy
- System access control list (SACL)
- Schema
Global audit policy
Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default. You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.
Further information:
http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
Auditpol
Displays information about and performs functions to manipulate audit policies.
http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/
AD Scenario – Auditing Directory Services
Auditing of Directory Services depends on several controls, these are:
1. Global Audit Policy (at category level using gpmc.msc tool)
2. Individual Audit Policy (at subcategory level using auditpol.exe tool)
3. System ACLs – to specify which operations are to be audited for a security principal.
4. Schema (optional) – this is an additional control in the schema that you can use to create
exceptions to what is audited.
In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services)
auditing with a new audit policy subcategory (Directory Service Changes) to log old and
new values when changes are made to AD DS objects and their attributes. This can be
done using auditpol.exe tool.
Command to check which audit policies are active on your machine:
auditpol /get /category:*
Command to view the audit policy categories and subcategories:
How to enable the global audit policy using the Windows interface, i.e. the gpmc tool
Click Start, point to Administrative Tools, and then Group Policy Management or run gpmc.msc command.
In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
In the details pane, right-click Audit directory service access, and then click Properties.
Select the Define these policy settings check box.
Under Audit these attempts, select the Success check box, and then click OK.
How to enable the change auditing policy using a command line
Click Start, right-click Command Prompt, and then click Run as administrator.
Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
To verify if the auditing is enabled or not for "Directory Service Changes", you can run below command:
auditpol /get /category:"DS Access"
How to set up auditing in object SACLs
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.
Click the Security tab, click Advanced, and then click the Auditing tab.
Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK.
In Apply onto, click Descendant User objects (or any other objects).
Under Access, select the Successful check box for Write all properties.
Click OK.
Click OK until you exit the property sheet for the OU or other object.
To test whether auditing is working or not, try creating or modifying objects in Finance OU and check the Security event logs.
I just created a new user account in Finance OU named f4.
If you check the security event logs you will find eventid 5137 (Create)
Note:
Once the auditing is enabled these eventids will appear in security event logs: 5136
(Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).
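The "old and new values" requirement in Q99 shows up in the log as separate 5136 records for the deleted and the added value, which have to be paired before a change is readable. The following is an added example, not part of the original page or the cited guides: it parses an XML export of the Security log and pairs those records. The field names (OpCorrelationID, ObjectDN, AttributeLDAPDisplayName, AttributeValue, OperationType, OldObjectDN, NewObjectDN) and the OperationType tokens are assumed from the Windows event schema, and the sample events, the account admin1 and the domain example.com are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event IDs the page lists for the Directory Service Changes subcategory.
KINDS = {5136: "Modify", 5137: "Create", 5138: "Undelete", 5139: "Move"}
# Assumed OperationType tokens carried by event 5136.
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"


def _sample_event(event_id, time, **data):
    """Build one constructed <Event> in the layout of an XML Security log export."""
    fields = "".join('<Data Name="%s">%s</Data>' % item for item in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID>'
            '<TimeCreated SystemTime="%s"/></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, time, fields))


# Constructed sample data: an account f4 in a Finance OU of a made-up domain.
USER_DN = "CN=f4,OU=Finance,DC=example,DC=com"
MOVED_DN = "CN=f4,OU=Sales,DC=example,DC=com"
_WHO = {"SubjectUserName": "admin1"}
SAMPLE_XML = "<Events>" + "".join([
    # A logon event that must be ignored by the parser.
    _sample_event(4624, "2013-01-02T09:00:00Z", TargetUserName="admin1"),
    _sample_event(5137, "2013-01-02T09:01:00Z", OpCorrelationID="{op-1}",
                  ObjectDN=USER_DN, ObjectClass="user", **_WHO),
    # One modify operation = two records sharing an OpCorrelationID.
    _sample_event(5136, "2013-01-02T09:05:00Z", OpCorrelationID="{op-2}",
                  ObjectDN=USER_DN, AttributeLDAPDisplayName="description",
                  AttributeValue="Temp", OperationType=VALUE_DELETED, **_WHO),
    _sample_event(5136, "2013-01-02T09:05:00Z", OpCorrelationID="{op-2}",
                  ObjectDN=USER_DN, AttributeLDAPDisplayName="description",
                  AttributeValue="Finance analyst", OperationType=VALUE_ADDED, **_WHO),
    # Attribute set for the first time: there is no old value to pair with.
    _sample_event(5136, "2013-01-02T09:06:00Z", OpCorrelationID="{op-3}",
                  ObjectDN=USER_DN, AttributeLDAPDisplayName="telephoneNumber",
                  AttributeValue="555-0100", OperationType=VALUE_ADDED, **_WHO),
    _sample_event(5139, "2013-01-02T09:10:00Z", OpCorrelationID="{op-4}",
                  OldObjectDN=USER_DN, NewObjectDN=MOVED_DN, **_WHO),
]) + "</Events>"


def parse_events(xml_text):
    """Return the Directory Service Changes events as flat dicts, in log order."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in KINDS:
            continue  # unrelated events in the same export
        rec = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        rec["EventID"] = event_id
        rec["Time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        records.append(rec)
    return records


def summarize(records):
    """Collapse records into one entry per (operation, object, attribute)."""
    changes = {}
    for rec in records:
        if rec["EventID"] == 5136:
            dn, attr = rec["ObjectDN"], rec["AttributeLDAPDisplayName"]
            side = {VALUE_ADDED: "new", VALUE_DELETED: "old"}.get(rec["OperationType"])
            values = {side: [rec["AttributeValue"]]} if side else {}
        elif "NewObjectDN" in rec:
            # Move and undelete records carry the previous and the new location.
            dn, attr = rec["NewObjectDN"], "distinguishedName"
            values = {"old": [rec["OldObjectDN"]], "new": [dn]}
        else:
            dn, attr, values = rec["ObjectDN"], None, {}
        key = (rec["OpCorrelationID"], dn, attr)
        entry = changes.setdefault(key, {
            "event": KINDS[rec["EventID"]], "time": rec["Time"],
            "who": rec.get("SubjectUserName", ""), "object": dn,
            "attribute": attr, "old": [], "new": []})
        for name, vals in values.items():
            entry[name].extend(vals)
    return list(changes.values())


if __name__ == "__main__":
    for c in summarize(parse_events(SAMPLE_XML)):
        print("%(time)s %(event)-8s %(who)s %(object)s %(attribute)s %(old)s -> %(new)s" % c)
```

An entry with an empty "old" list is an attribute that was set for the first time, not a record that went missing.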
Q100. You have an Active Directory domain named contoso.com.
You have a domain controller named Server1 that is configured as a DNS server.
Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)
You discover that stale resource records are not automatically removed from the contoso.com zone.
You need to ensure that the stale resource records are automatically removed from the contoso.com zone.
What should you do?
A. Set the scavenging period of Server1 to 0 days.
B. Modify the Server Aging/Scavenging properties.
C. Configure the aging properties for the contoso.com zone.
D. Convert the contoso.com zone to an Active Directory-integrated zone.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx
Set Aging and Scavenging Properties for a Zone
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging properties for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}