70-640 Exam
Ultimate Guide: mcitp 70 640
Want to know Ucertify mcitp 70 640 Exam practice test features? Want to lear more about Microsoft TS: Windows Server 2008 Active Directory. Configuring certification experience? Study Guaranteed Microsoft 70 640 pdf answers to Leading microsoft 70 640 questions at Ucertify. Gat a success with an absolute guarantee to pass Microsoft microsoft 70 640 (TS: Windows Server 2008 Active Directory. Configuring) test on your first attempt.
Q171. Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?
A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controller Policy, modify the account lockout settings.
C. From the properties of the user account, modify the Account options.
D. From the properties of the user account, modify the Session settings.
Answer: C
Explanation:
Account lockout settings deal with logon security, like how many times a wrong password
can be entered before an account gets locked out, or after how many minutes a locked out
user can try again.
To really restrict access to the User1 account it has to be disabled, by modifying the
account options.
Explanation:
http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx
Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online
data, but retains the user’s data. Disabling a user account also keeps the user license
associated with that account. This is the best option to utilize when a person leaves an
organization temporarily.
Q172. Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table.
You need to ensure that all device certificate requests use the MD5 hash algorithm.
What should you do?
A. On Server2, run the Certutil tool.
B. On Server1, update the CEP Encryption certificate template.
C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.
D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\ HashAlgorithm\HashAlgorithm registry key.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ff955642.aspx
Managing Network Device Enrollment Service
Configuring NDES
NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
\MSCEP.
To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table.
Key name HashAlgorithm \ HashAlgorithm Value Data Type String Default value SHA1 Description Accepted values are SHA1 and MD5.
Q173. Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run Windows Server 2008 R2 operating system. The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.
Answer: A,D
Explanation:
http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/ Managing DNS Dynamic Updates in Windows Server 2008 R2 What Is DNS Dynamic Update? When a DNS server is installed in a network, during the installation administrators can configure it to accept dynamic updates of client records. Dynamic updates means that DNS client computers can automatically register their names along with their IP addresses in the DNS server. When this happens DNS server automatically creates a Host (A) record for that client computer that contains hostname of the client and its associated IP address. Also, during the installation of DNS server administrators can choose an option according to which DNS server should not automatically update its records and in this condition administrators must manually create Host (A) records in the DNS database. http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-
Security-Part2.html
DNS Security (Part 2): DNS Security Steps Prior to Deploying DNSSEC In this article, then, we’ll take a look at the details of the following preliminary steps you can take to help secure your Windows DNS infrastructure: Decide who can resolve Internet host names Don’t co-locate internal and external zones Lock down the DNS cache Enable recursion only where needed Restrict DNS servers to listen on specific addresses Consider using a private root hints file Randomize your DNS source ports Be aware of the Global Query Block List Limit zone transfers Take advantage of Active Directory integrated zone security
Take advantage of Active Directory integrated zone security Active Directory integrated zones enable you to secure the registration of resource records when dynamic name registration is enabled. Members of the Active Directory domain can register their resource records dynamically while non-domain members will be unable to register their names. You can also use discretionary access control lists (DACLs) to control which computers are able to register or change their addressing information. The figure below shows how you configure secure dynamic updates.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/ Configuring DNS Server for Secure Only Dynamic Updates
Q174. ABC.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only.
With monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.CK1.com.
You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure web.CK1.com NLB cluster to accept HTTP traffic only.
Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution)
A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc733056.aspx Create a new Network Load Balancing Port Rule Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port's cluster-network traffic is handled. The method by which a port's network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled. You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters: The virtual IP address that the rule should apply to The TCP or UDP port range that this rule should apply to The protocols that this rule should apply to, including TCP, UDP, or both The filtering mode that specifies how the cluster handles traffic, which is described by the port range and the protocols In addition, you can select one of three options for client affinity: None, Single, or Network. Single and Network are used to ensure that all network traffic from a particular client is directed to the same cluster host.
To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your protocol setting. As an extension to the Single and Network options, you can configure a time-out setting to preserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clients to keep affinity to a cluster host even if there are no active, existing connections from the client to the host.
Q175. Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application.
The registry modifications are in a file that has an .adm extension.
You need to prepare the target computers for the application.
What should you do?
A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.
B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer.
Answer: A
Explanation:
http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm Adding New Administrative Templates to a GPO Adding .ADM files to the Administrative Templates in a GPO In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next steps:
1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Stat menu, or by typing gpmc.msc in the Run command.
2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit.
Q176. You need to create a Password Settings object (PSO).
Which tool should you use?
A. Active Directory Users and Computers
B. ADSI Edit
C. Group Policy Management Console
D. Ntdsutil
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754461.aspx You can create Password Settings objects (PSOs): using the Active Directory module for Windows PowerShell using ADSI Edit using ldifde
Q177. Your network contains two standalone servers named Server1 and Server2 that have
Active Directory Lightweight Directory Services (AD LDS) installed.
Server1 has an AD LDS instance.
You need to ensure that you can replicate the instance from Server1 to Server2.
What should you do on both servers?
A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc794857%28v=ws.10%29.aspx Administering AD LDS Instances Each AD LDS instance runs as an independent—and separately administered—service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually. AD LDS service account The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.
Q178. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7.
You install Windows Server 2008 R2 on a server named Server1.
You need to perform an offline domain join of Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.
Answer: A,C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.
Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.
3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Q179. ABC.com has purchased laptop computers that will be used to connect to a wireless network.
You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks.
You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network.
What should you do to enforce the group policy wireless settings to the laptop computers?
A. Execute gpupdate/target:computer command at the command prompt on laptop computers
B. Execute Add a network command and leave the SSID (service set identifier) blank
C. Execute gpupdate/boot command at the command prompt on laptops computers
D. Connect each laptop computer to a wired network and log off the laptop computer and then login again.
E. None of the above
Answer: D
Q180. Your network contains an Active Directory forest. The forest contains multiple sites.
You need to enable universal group membership caching for a site.
What should you do?
A. From Active Directory Sites and Services, modify the NTDS Settings.
B. From Active Directory Sites and Services, modify the NTDS Site Settings.
C. From Active Directory Users and Computers, modify the properties of all universal groups used in the site.
D. From Active Directory Users and Computers, modify the computer objects for the domain controllers in the site.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc816797%28v=ws.10%29.aspx Enabling Universal Group Membership Caching in a Site In a multidomain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest. If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site. In multidomain forests where remote sites do not have a global catalog server, the need to contact a global catalog server over a potentially slow wide are network (WAN) connection can be problematic and a user can potentially be unable to log on to the domain if a global catalog server is not available. You can enable Universal Group Membership Caching on domain controllers that are running Windows Server 2008 so that when the domain controller contacts a global catalog server for the user’s initial domain logon, the domain controller retrieves universal group memberships for the user. On subsequent logon requests by the same user, the domain controller uses cached universal group memberships and does not have to contact a global catalog server. To complete this task, perform the following procedure: http://technet.microsoft.com/en-us/library/cc816928%28v=ws.10%29.aspx Enable Universal Group Membership Caching in a Site
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties.
4. Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
5. In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.