Practice questions for Microsoft exam 70-640, TS: Windows Server 2008 Active Directory, Configuring (Q111 to Q120), with answers and explanations.
Q111. Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users.
You perform nightly backups. An administrator deletes the Groups OU.
You need to restore the Groups OU without affecting users and computers in the Sales OU.
What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform a non-authoritative restore of the Sales OU.
C. Perform an authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Groups OU.
Answer: C
Explanation:
Only the Groups OU was deleted, so only that subtree should be marked authoritative. An authoritative restore of the whole Sales OU (option A) would also roll every user and computer object under Sales back to the state in the backup, undoing any change made since. A non-authoritative restore alone (options B and D) brings the deleted OU back only until the restored domain controller replicates with its partners, which still carry the deletion and remove it again.
http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx
Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.
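The two-part procedure the explanation describes, as an added PowerShell example (not code from the original page or from Microsoft's documentation). It assumes the domain is contoso.com, the Sales OU sits directly under the domain root, system state backups are on drive E:, and both phases run in Directory Services Restore Mode on the domain controller being restored; the DN, drive letter and the check on ntdsutil's output text are assumptions.

```powershell
# Added example (not from the original page). Two phases, both run in Directory Services
# Restore Mode on the DC that will be restored: a non-authoritative system state restore,
# then marking ONLY the Groups subtree authoritative. Users and Computers under Sales are not
# marked, so their current state on the other domain controllers is preserved.
# Assumptions (placeholders): domain contoso.com, system state backups on E:, elevated shell.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Restore','MarkAuthoritative')]
    [string]$Phase
)

$Subtree      = 'OU=Groups,OU=Sales,DC=contoso,DC=com'   # assumed DN of the deleted OU
$BackupTarget = 'E:'                                      # assumed backup location

# DSRM is the "dsrepair" safeboot option; its presence in the boot entry serves as the check.
$inDsrm = [bool](bcdedit /enum | Select-String 'safeboot\s+DsRepair')

switch ($Phase) {
    'Restore' {
        if (-not $inDsrm) {
            bcdedit /set safeboot dsrepair
            Write-Host 'Rebooting into DSRM; log on with the DSRM administrator and rerun -Phase Restore.'
            Restart-Computer -Force
            return
        }
        # Choose the most recent system state backup by its version identifier (MM/dd/yyyy-HH:mm).
        $versions = wbadmin get versions "-backupTarget:$BackupTarget" |
            Select-String 'Version identifier:\s*(\S+)' |
            ForEach-Object { $_.Matches[0].Groups[1].Value }
        if (-not $versions) { throw "No backups found on $BackupTarget" }
        $latest = $versions |
            Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', [Globalization.CultureInfo]::InvariantCulture) } |
            Select-Object -Last 1
        Write-Host "Non-authoritative system state restore from $latest"
        wbadmin start systemstaterecovery "-version:$latest" "-backupTarget:$BackupTarget" -quiet
        # wbadmin asks for a restart when done; the safeboot flag keeps the DC in DSRM for phase 2.
    }
    'MarkAuthoritative' {
        if (-not $inDsrm) { throw 'Run this phase in DSRM, after the restart that follows phase 1' }
        # ntdsutil raises the version numbers of every object in the subtree so that, when
        # replication resumes, these copies win over the deletion held by the other DCs.
        $out = ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $Subtree" quit quit
        $out | Write-Host
        # Best-effort check on ntdsutil's output text (assumed wording).
        if (-not ($out | Select-String 'Successfully updated' -Quiet)) {
            throw 'ntdsutil did not report a successful authoritative restore'
        }
        # ntdsutil writes ar_*.txt / ar_*.ldf files in the current directory; the .ldf files
        # restore back-links (for example, group memberships) that other DCs may have dropped.
        Get-ChildItem -Filter 'ar_*' | ForEach-Object { Write-Host "Generated: $($_.FullName)" }
        # Back to normal mode; the restored OU replicates out and the remaining OUs stay as they are.
        bcdedit /deletevalue safeboot
        Restart-Computer -Force
    }
}
```

The scope argument to "restore subtree" is the whole point: it is the only place where the restore is narrowed to the Groups OU. Apply any generated .ldf file with ldifde only after confirming that the group memberships it contains are the ones you expect.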
Q112. You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.
You need to ensure that you can recover the private key of a certificate issued to a Web server.
What should you do?
A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.
Answer: D
Explanation:
The private key of a Web server certificate exists only in the Web server's certificate store; the CA holds a copy only if key archival was configured when the certificate was enrolled. Export it from the Web server with certutil -exportpfx. Get-PfxCertificate only reads an existing PFX file, it does not create one, and the export succeeds only if the key was marked exportable at enrollment.
http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx
Manual Key Archival
Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:
* Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft Office Outlook.
* Certificates issued by CAs that do not support key archival.
* Certificates installed on the Microsoft Windows 2000 and Windows Millennium Edition operating systems.
This topic includes procedures for exporting a private key by using the following programs, and for importing a private key into a CA database: Certutil.exe, the Certificates snap-in, and Microsoft Office Outlook.
To export private keys by using Certutil.exe
1. Open a Command Prompt window.
2. Type the Certutil.exe -exportpfx command with the options below.
Certutil.exe [-p <Password>] -exportpfx [<CertificateStoreName>] <CertificateId> <OutputFileName>
-p sets the password that protects the PFX file; <CertificateStoreName> is the store to search (My, the Personal store, when omitted); <CertificateId> identifies the certificate by serial number, SHA-1 hash, or a substring of its subject name; <OutputFileName> is the PFX file to write.
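The export procedure with the checks a practitioner would add around it, as an added PowerShell example (not from the original page or Microsoft's documentation). It runs on the Web server, assumes the certificate subject contains www.contoso.com and that the backup goes to C:\Backup\www.pfx (both placeholders), and confirms the key is exportable before calling certutil and that the resulting file really contains the key afterwards.

```powershell
# Added example (not from the original page). Run on the Web server, not the CA: the CA
# only holds a copy of the private key if key archival was configured at enrollment.
# Assumptions (placeholders): the certificate subject contains 'www.contoso.com',
# the backup goes to C:\Backup\www.pfx, and the shell is elevated.
$SubjectMatch = 'www.contoso.com'
$PfxPath      = 'C:\Backup\www.pfx'
$Password     = Read-Host -AsSecureString 'PFX password'
# certutil takes the password as plain text on its command line; convert it only for that call.
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password))

# 1. Locate the server certificate in the machine's Personal store and confirm it has an
#    exportable private key. A key enrolled without "Mark private key as exportable" cannot
#    be exported by certutil -exportpfx; recovery then depends on key archival on the CA.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $SubjectMatch -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$SubjectMatch'" }
if ($cert.PrivateKey -and -not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw "Private key of $($cert.Thumbprint) is not exportable; use CA key archival instead"
}

# 2. Export certificate + private key (+ chain) to a password-protected PFX.
#    The CertId argument accepts the serial number, SHA-1 hash, or a subject substring.
New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath) | Out-Null
certutil -p $Plain -exportpfx My "$($cert.SerialNumber)" $PfxPath
if ($LASTEXITCODE -ne 0) { throw "certutil -exportpfx failed ($LASTEXITCODE)" }

# 3. Verify the file opens with the password and carries the same key as the store entry.
$check = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
    throw 'Exported PFX does not match the source certificate or lacks the private key'
}
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"

# 4. Lock the file down: a PFX with the server key is as sensitive as the key itself.
icacls $PfxPath /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
```

Keep the PFX off the Web server once it has been copied to the key escrow location, and treat the password as a secret in its own right; anyone holding both can impersonate the site.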
Q113. You have a domain controller that runs the DHCP service.
You need to perform an offline defragmentation of the Active Directory database on the domain controller.
You must achieve this goal without affecting the availability of the DHCP service.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.
B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.
D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.
Answer: C
Explanation:
Since Windows Server 2008, AD DS is a restartable service, so the domain controller does not have to be rebooted into Directory Services Restore Mode: stop the Active Directory Domain Services service, compact the database with Ntdsutil, and start the service again. Disk Defragmenter rearranges files on the volume; it cannot compact the ESE database inside ntds.dit, which is what offline defragmentation means here, so option D does nothing useful. Options A and B restart the domain controller, which takes the DHCP service down with it. Stopping AD DS also stops the services that depend on it (such as the Kerberos Key Distribution Center, Intersite Messaging and DNS Server), but the DHCP Server service has no dependency on AD DS and keeps running.
http://technet.microsoft.com/en-us/library/cc794920.aspx
To perform offline defragmentation of the directory database
1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
2. At the command prompt, type the following command, and then press ENTER: net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
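The procedure carried through to the end (compaction, swapping in the compacted file, integrity check, restart of the service), as an added PowerShell example that is not part of the original page. It assumes it runs elevated on the domain controller and that C:\Defrag (a placeholder) has room for the compacted copy; the database and log locations are read from the NTDS service parameters rather than assumed.

```powershell
# Added example (not from the original page): complete offline defragmentation on a
# Windows Server 2008 DC without rebooting, and without touching the DHCP Server service.
# Assumes an elevated shell on the DC and that C:\Defrag has room for the compacted file.
$Work = 'C:\Defrag'   # assumed scratch directory on a local volume

# Locate the database and its log directory from the NTDS service parameters.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = (Get-ItemProperty $ntdsParams).'DSA Database file'
$logPath = (Get-ItemProperty $ntdsParams).'Database log files path'

# Compaction needs free space of at least 15% of the database size on the target volume.
New-Item -ItemType Directory -Force -Path $Work | Out-Null
$dbSize = (Get-Item $dbFile).Length
$drive  = Split-Path -Qualifier $Work
$free   = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace
if ($free -lt [math]::Ceiling($dbSize * 0.15)) {
    throw "Need at least $([math]::Ceiling($dbSize * 0.15 / 1MB)) MB free on $drive"
}

# Stop AD DS only. Its dependents (KDC, Intersite Messaging, DNS Server, ...) stop with it;
# DHCP Server has no dependency on NTDS and keeps leasing addresses throughout.
if ((Get-Service DHCPServer).Status -ne 'Running') { Write-Warning 'DHCP Server is not running before the defrag' }
Stop-Service NTDS -Force
if ((Get-Service NTDS).Status -ne 'Stopped') { throw 'AD DS did not stop' }

try {
    # Write a compacted copy; ntdsutil accepts the whole command sequence as arguments.
    ntdsutil 'activate instance ntds' files "compact to $Work" quit quit
    $newDb = Join-Path $Work 'ntds.dit'
    if (-not (Test-Path $newDb)) { throw 'Compaction did not produce ntds.dit' }

    # Keep the old file so the swap can be undone, then replace it and delete the old
    # transaction logs, as the compaction output instructs.
    Copy-Item $dbFile "$dbFile.bak" -Force
    Copy-Item $newDb $dbFile -Force
    Remove-Item (Join-Path $logPath '*.log') -Force

    # Integrity check of the new file before the service comes back; if it reports errors,
    # copy ntds.dit.bak back over ntds.dit before starting NTDS.
    ntdsutil 'activate instance ntds' files integrity quit quit
}
finally {
    Start-Service NTDS
    Write-Host ("AD DS: {0}; DHCP Server: {1}" -f (Get-Service NTDS).Status, (Get-Service DHCPServer).Status)
}
```

The last line is the check the question is really about: DHCP Server should report Running before, during and after the operation, while NTDS went from Running to Stopped and back.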
Q114. A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.
You need to enable the user to join a single computer to the domain.
You must ensure that the user is denied any additional rights beyond those required to complete the task.
What should you do?
A. Prestage the computer account in the Active Directory domain.
B. Add the user to the Domain Administrators group for one day.
C. Add the user to the Server Operators group in the Active Directory domain.
D. Grant the user the right to log on locally by using a Group Policy Object (GPO).
Answer: A
Explanation:
Prestaging the computer account (creating it in the right OU before the join) lets you name the user who may join that one computer. The permissions the join needs are then granted on that single computer object only, so the user receives no rights anywhere else. Every other option grants far more than the task requires: Domain Admins and Server Operators are highly privileged groups, and the right to log on locally has nothing to do with joining a domain. A likely cause of the original failure is that the user had already joined the default number of computers an ordinary user may add to the domain (ms-DS-MachineAccountQuota, 10 by default), or that the quota has been set to zero, which is a common hardening step. The Windows Deployment Services material quoted below describes the same prestaged account from the deployment side; the relevant point for this question is the account's location in AD DS and the rights granted on it.
http://technet.microsoft.com/en-us/library/cc770832%28v=ws.10%29.aspx#BKMK_1
Prestaging Client Computers
Benefits of Prestaging Client Computers
Prestaging clients provides three main benefits:
An additional layer of security. You can configure Windows Deployment Services to answer only prestaged clients, therefore ensuring that clients that are not prestaged will not be able to boot from the network.
Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. For instructions on performing these tasks, see the "Prestage Computers" section of How to Manage Client Computers.
* The computer account name and location within AD DS.
* Which server the client should network boot from.
* Which network boot program the client should receive.
* Other advanced options, for example, what boot image a client will receive or what Windows Deployment Services client unattend file the client should use.
The ability for multiple Windows Deployment Services servers to service the same network segment. You can do this by restricting the server to answer only a particular set of clients.
Note that the prestaged client must be in the same forest as the Windows Deployment Services server (trusted forests do not work).
Further information:
http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/ (How can I prestage a computer for WDS?)
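The prestaging step itself, as an added PowerShell example that is not part of the original page. It assumes the Windows Server 2008 R2 ActiveDirectory module, domain contoso.com, user jdoe, computer BR01-PC07 and the Sales\Computers OU (all placeholders), and grants the user only the rights a domain join of a prestaged account needs; the GUIDs are the standard schema identifiers of those rights.

```powershell
# Added example (not from the original page). Creates the computer account in advance and
# delegates to one user only the rights needed to join that single account.
# Assumptions (placeholders): domain contoso.com, user jdoe, computer BR01-PC07,
# Sales\Computers OU; run with the 2008 R2 ActiveDirectory module as a domain administrator.
Import-Module ActiveDirectory

$Computer = 'BR01-PC07'
$OU       = 'OU=Computers,OU=Sales,DC=contoso,DC=com'
$User     = 'jdoe'

# 1. Prestage the account in the right OU (it is created disabled; the join enables it).
$comp = New-ADComputer -Name $Computer -Path $OU -PassThru
$dn   = $comp.DistinguishedName

# 2. Build the minimal ACEs a join of a prestaged account needs: reset password, validated
#    writes to dNSHostName and servicePrincipalName, and write to the Account Restrictions
#    property set. Nothing here touches the OU or any other object.
$sid   = (Get-ADUser $User).SID
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$aces  = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $Allow,
        [guid]'00299570-246d-11d0-a768-00aa006e0529'),   # Reset Password
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self, $Allow,
        [guid]'72e39547-7b18-11d1-adef-0000f87859bd'),   # Validated write to DNS host name
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self, $Allow,
        [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'),   # Validated write to SPN
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $Allow,
        [guid]'4c164200-20c0-11d0-a768-00aa006e0529')    # Account Restrictions property set
)
$acl = Get-Acl -Path "AD:\$dn"
$aces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$dn" -AclObject $acl

# 3. Verify: the user has rights on this computer object only, nothing on the OU itself.
(Get-Acl "AD:\$dn").Access | Where-Object { $_.IdentityReference -like "*\$User" } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
(Get-Acl "AD:\$OU").Access | Where-Object { $_.IdentityReference -like "*\$User" } |
    ForEach-Object { Write-Warning "Unexpected ACE for $User on the OU: $($_.ActiveDirectoryRights)" }
```

The user then joins BR01-PC07 with their own credentials; the join finds the prestaged object by name and uses exactly these rights. Because the grant lives on one computer object, removing it afterwards is a matter of deleting those four ACEs, or nothing at all if the object is later removed.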
Q115. ABC.com runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and uses an enterprise certification authority. The security policy at ABC.com requires that revoked certificate information can be examined.
You need to make sure that the revoked certificate information is available at all times.
What should you do to achieve that?
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder.
E. None of the above
Answer: D
Explanation:
Only an Online Responder (OCSP) publishes revocation status on demand; the GPO settings in options A and B distribute trust, not revocation data. Putting the OCSP responders behind Network Load Balancing keeps the service reachable when a single responder fails, which is what "available at all times" requires. Option C publishes a responder through ISA Server but does not by itself make the responder redundant.
http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx How Certificate Revocation Works
Q116. Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site.
All sites are connected with the DEFAULTIPSITELINK object.
You need to decrease the replication latency between the domain controllers.
What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Answer: B
Explanation:
Decrease the replication interval for the DEFAULTIPSITELINK object.
Because all four sites are members of the single DEFAULTIPSITELINK site link, there is only one route between any two sites, so the site link cost (option C) has no effect on latency: cost only chooses between alternative routes. The schedule (option A) defines the hours during which replication may occur; within those hours the interval (180 minutes by default, 15 minutes minimum) defines how often the bridgehead servers replicate, so the interval is what controls latency. Inter-site connection objects (option D) are generated by the Inter-Site Topology Generator from the site link's settings and follow its schedule; the site link is the right place to make the change.
http://www.informit.com/articles/article.aspx?p=26866&seqNum=5
Understanding Active Directory, Part III
Replication
Active Directory replication between domain controllers is managed by the system
administrator on a site-bysite basis. As domain controllers are added, a replication path
must be established. This is done by the Knowledge Consistency Checker (KCC), coupled
with Active Directory replication components. The KCC is a dynamic process that runs on
all domain controllers to create and modify the replication topology. If a domain controller
fails, the KCC automatically creates new paths to the remaining domain controllers. Manual
intervention with the KCC will also force a new path.
The Active Directory replaces PDCs and BDCs with multimaster replication services. Each
domain controller retains a copy of the entire directory for that particular domain. As
changes are made in one domain controller, the originator communicates these changes to
the peer domain controllers. The directory data itself is stored in the ntds.dit file.
Active Directory replication uses Remote Procedure Call (RPC) over IP within a site. Replication between sites can use either RPC or the Simple Mail Transfer Protocol (SMTP); the default intersite transport is RPC.

Intersite and Intrasite Replication
There are distinct differences between intrasite and intersite domain controller replication. In theory, the network bandwidth within a site is sufficient to handle all network traffic associated with replication and other Active Directory activities; by the definition of a site, the network must be reliable and fast. A change notification process is initiated when modifications occur on a domain controller. The domain controller waits for a configurable period before it notifies its replication partners (five minutes in Windows 2000, which this article describes; 15 seconds on Windows Server 2003 and later at the Windows Server 2003 forest functional level), and continues to accept changes during that interval. Upon receiving the notification, the partner domain controllers pull the modification from the originating domain controller. If no changes are noticed during a configurable period (six hours, by default), a scheduled replication cycle ensures that all possible modifications are communicated. Replication within a site transmits uncompressed data.
NOTE: Security-related modifications are replicated within a site immediately. These include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
Replication between sites assumes that there are network-connectivity problems: insufficient bandwidth, lower reliability and higher cost. Therefore, Active Directory lets the administrator decide the type, frequency, and timing of intersite replication. All replication data transmitted between sites is compressed, but because compression alone does not guarantee proper use of the link, the system administrator is responsible for scheduling intersite replication.

Replication Component Objects
Whereas the KCC represents the process elements associated with replication, the following Active Directory objects make up the topology:
* Connection object. Domain controllers become replication "partners" when linked by a connection object, which represents a one-way (inbound) path between two domain controller server objects. Connection objects are created by the KCC by default and can also be created manually by the system administrator.
* NTDS Settings object. A container that Active Directory creates automatically as a child of the server object; it holds all of that server's connection objects.
* Server object. Active Directory represents every computer as a computer object; a domain controller additionally has a server object, whose parent is the site object that defines its IP subnet. If the domain controller's server object was created before the site existed, the IP subnet must be defined manually to assign the domain controller to the proper site.
When multiple sites must be linked, two additional objects manage the replication topology:
* Site link. The site link object specifies a series of values (cost, interval, and schedule) that define the connection between sites. The KCC uses these values to manage replication and to modify the replication path if it detects a more efficient one. DEFAULTIPSITELINK is used until the system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of the relative cost of data transmission over the link, usually derived from its bandwidth. The interval value sets how often replication occurs during the hours the schedule allows: 15 minutes at minimum, once a week (10080 minutes) at maximum, with a default of three hours (180 minutes). The schedule establishes when replication is permitted; it is open at all times by default, but the administrator may restrict it to off-peak hours.
* Site link bridges. The site link bridge object defines a set of site links that communicate via the same transport. By default all site links that use the same transport are transitive (bridged) and belong to a single site link bridge. No site link bridge configuration is necessary if the IP network is fully routed; otherwise manual configuration may be needed.

Further information:
http://technet.microsoft.com/en-us/library/cc775549%28v=ws.10%29.aspx
What Is Active Directory Replication Topology?
Replication of updates to Active Directory objects is transmitted between multiple domain controllers to keep replicas of directory partitions synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site. Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions. Site objects can be configured to include a set of subnets that provide local area network (LAN) network speeds. As such, replication within sites generally occurs at high speeds between domain controllers that are on the same network segment. Similarly, site link objects can be configured to represent the wide area network (WAN) links that connect LANs. Replication between sites usually occurs over these WAN links, which might be costly in terms of bandwidth.
To accommodate the differences in distance and cost of replication within a site and replication between sites, the intrasite replication topology is created to optimize speed, and the intersite replication topology is created to minimize cost.
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is responsible for creating the connections between domain controllers that collectively form the replication topology. The KCC uses Active Directory data to determine where (from what source domain controller to what destination domain controller) to create these connections.
The following diagram shows the interaction of these technologies with the replication topology, which is indicated by the two-way connections between each set of domain controllers.
Replication Topology and Dependent Technologies
http://technet.microsoft.com/en-us/library/cc755994%28v=ws.10%29.aspx How Active Directory Replication Topology Works
Replication Topology Physical Structure
The Active Directory replication topology can use many different components. Some components are required and others are not required but are available for optimization. The following diagram illustrates most replication topology components and their place in a sample Active Directory multisite and multidomain forest. The depiction of the intersite topology that uses multiple bridgehead servers for each domain assumes that at least one domain controller in each site is running at least Windows Server 2003. All components of this diagram and their interactions are explained in detail later in this section.
Replication Topology Physical Structure (diagram)
In the preceding diagram, all servers are domain controllers. They independently use global knowledge of configuration data to generate one-way, inbound connection objects. The KCCs in a site collectively create an intrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an intersite topology. Within sites, one-way arrows indicate the inbound connections by which each domain controller replicates changes from its partner in the ring. For intersite replication, one-way arrows represent inbound connections that are created by the ISTG of each site from bridgehead servers (BH) for the same domain (or from a global catalog server [GC] acting as a bridgehead if the domain is not present in the site) in other sites that share a site link. Domains are indicated as D1, D2, D3, and D4.

Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a site object in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way replication can occur, and each WAN link is represented in Active Directory as a site link object. Site link objects allow connections to be created between bridgehead servers in each site that is connected by the site link. Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses the RPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses the SMTP protocol for the replication transport to replicate the configuration and schema directory partitions and global catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to replicate writable domain directory partitions, this transport is required because a TCP/IP connection is not available between Site A and Site D. This configuration is acceptable for replication because Site D does not host domain controllers for any domains that must be replicated over the site link A-D.

By default, site links A-B and A-C are transitive (bridged), which means that replication of domain D2 is possible between Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the routing preference for replication, which is based on the aggregated cost of available site links. The cost of a direct connection between Site C and Site B is the sum of costs on site links A-B and A-C. For this reason, replication between Site B and Site C is automatically routed through Site A to avoid the more expensive, transitive route. Connections are created between Site B and Site C only if replication through Site A becomes impossible due to network or bridgehead server conditions.
Control Replication Latency and Cost
Replication latency is inherent in a multimaster directory service. A period of replication latency begins when a directory update occurs on an originating domain controller and ends when replication of the change is received on the last domain controller in the forest that requires the change. Generally, the latency that is inherent in a WAN link is relative to a combination of the speed of the connection and the available bandwidth. Replication cost is an administrative value that can be used to indicate the latency that is associated with different replication routes between sites. A lower-cost route is preferred by the ISTG when generating the replication topology.

Site topology is the topology as represented by the physical network: the LANs and WANs that connect domain controllers in a forest. The replication topology is built to use the site topology. The site topology is represented in Active Directory by site objects and site link objects. These objects influence Active Directory replication to achieve the best balance between replication speed and the cost of bandwidth utilization by distinguishing between replication that occurs within a site and replication that must span sites. When the KCC creates replication connections between domain controllers to generate the replication topology, it creates more connections between domain controllers in the same site than between domain controllers in different sites. The results are lower replication latency within a site and less replication bandwidth utilization between sites.

Within sites, replication is optimized for speed as follows:
* Connections between domain controllers in the same site are always arranged in a ring, with possible additional connections to reduce latency.
* Replication within a site is triggered by a change notification mechanism when an update occurs, moderated by a short, configurable delay (because groups of updates frequently occur together).
* Data is sent uncompressed, and thus without the processing overhead of data compression.

Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:
* Replication data is compressed to minimize bandwidth consumption over WAN links.
* Store-and-forward replication makes efficient use of WAN links: each update crosses an expensive link only once.
* Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.
* The intersite topology is a layering of spanning trees (one intersite connection between any two sites for each directory partition) and generally does not contain redundant connections.
Topology-Related Objects in Active Directory
Active Directory stores replication topology information in the configuration directory
partition. Several configuration objects define the components that are required by the KCC
to establish and implement the replication topology:
Site Link Objects
For a connection object to be created on a destination domain controller in one site that
specifies a source domain controller in another site, you must manually create a site link
object (class siteLink ) that connects the two sites. Site link objects identify the transport
protocol and scheduling required to replicate between two or more sites. You can use
Active Directory Sites and Services to create the site links. The KCC uses the information
stored in the properties of these site links to create the intersite topology connections.
A site link is associated with a network transport by creating the site link object in the
appropriate transport container (either IP or SMTP). All intersite domain replication must
use IP site links. The Simple Mail Transfer Protocol (SMTP) transport can be used for
replication between sites that contain domain controllers that do not host any common
domain directory partition replicas.
Site Link Properties
A site link specifies the following:
* Two or more sites that are permitted to replicate with each other.
* An administrator-defined cost value associated with that replication path. The cost value controls the route that replication takes, and thus the remote sites that are used as sources of replication information.
* A schedule during which replication is permitted to occur.
* An interval that determines how frequently replication occurs over this site link during the times when the schedule allows replication.

Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports container). This site link contains only one site, Default-First-Site-Name.
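The change the answer calls for, made and verified from PowerShell, as an added example that is not part of the original page. It assumes the Windows Server 2008 R2 ActiveDirectory module and the built-in repadmin tool; the site link DN is derived from the forest's configuration partition rather than typed in, and the interval validation follows the 15 to 10080 minute range quoted above.

```powershell
# Added example (not from the original page): lower the replication interval of
# DEFAULTIPSITELINK and confirm the change. Assumes the 2008 R2 ActiveDirectory module
# and an account allowed to modify the configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$linkDN   = "CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

function Set-SiteLinkInterval {
    param([string]$Dn, [int]$Minutes)
    # replInterval is in minutes: 15 minimum, 10080 (one week) maximum, 180 by default.
    # Active Directory Sites and Services works in 15-minute steps; keep the same granularity.
    if ($Minutes -lt 15 -or $Minutes -gt 10080 -or ($Minutes % 15) -ne 0) {
        throw 'Interval must be between 15 and 10080 minutes and a multiple of 15'
    }
    Set-ADObject -Identity $Dn -Replace @{ replInterval = $Minutes }
}

function Get-SiteLinkSummary {
    param([string]$Dn)
    # Cost only matters when more than one route exists; with all sites on one link there is
    # a single route, so the cost value is shown for information and left alone.
    Get-ADObject $Dn -Properties siteList, cost, replInterval |
        Select-Object Name, cost, replInterval,
            @{n='Sites'; e={ ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' }}
}

Write-Host 'Before:'; Get-SiteLinkSummary -Dn $linkDN
Set-SiteLinkInterval -Dn $linkDN -Minutes 15
Write-Host 'After:';  Get-SiteLinkSummary -Dn $linkDN

# The new value replicates to every DC; each site's ISTG picks it up on its next KCC run
# (every 15 minutes). Force a run locally and look at the per-partner latency figures.
repadmin /kcc
repadmin /replsummary
```

If the schedule on the link has been restricted to certain hours, the interval only applies inside those hours; check the link's Schedule in Active Directory Sites and Services when repadmin /replsummary still shows long "largest delta" values after the change.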
Q117. Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data.
You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data.
What should you do?
A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility.
B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account.
C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold the confidential data for the Deny DLG group.
D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that hold the confidential data for the Deny DLG group.
Answer: D
Explanation:
This is the AGDLP pattern (accounts in global groups, global groups in domain local groups, permissions assigned to the domain local group): the global group holding the unauthorized users is nested into a domain local group, and the Deny ACE on the shared folder names only that domain local group. Option C gets both the scope and the permission wrong (it allows rather than denies); option A concerns Kerberos delegation, not file access; option B cannot work because the Guest account is disabled by default and telling users to use it would not stop them from logging on with their own accounts.
http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest.
The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.
The differences between the scopes:
* Universal: members can come from any domain in the forest (accounts, global groups, other universal groups); the group can be granted permissions in any domain in the forest; its membership is stored in the global catalog.
* Global: members can come only from the group's own domain (accounts and other global groups); the group can be granted permissions in any domain in the forest or in a trusting domain.
* Domain local: members can come from any domain in the forest or from a trusted domain (accounts, global groups, universal groups, and other domain local groups from the same domain); the group can be granted permissions only within its own domain.
When to use groups with domain local scope
Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.
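The answer carried out in PowerShell, as an added example that is not part of the original page. It assumes the Windows Server 2008 R2 ActiveDirectory module, domain contoso.com, a global group named Contractors that holds the unauthorized users, a Groups OU for the new group and the folder D:\Shares\Confidential (all placeholders), and applies the Deny to the folder's NTFS ACL.

```powershell
# Added example (not from the original page): the AGDLP pattern from the answer, with the
# Deny ACE applied to the folder's NTFS ACL. Assumptions (placeholders): domain contoso.com,
# global group 'Contractors' holds the unauthorized users, folder D:\Shares\Confidential,
# run as an administrator with the 2008 R2 ActiveDirectory module.
Import-Module ActiveDirectory

$Folder      = 'D:\Shares\Confidential'
$GlobalGroup = 'Contractors'
$DenyGroup   = 'Deny DLG'
$Domain      = (Get-ADDomain).NetBIOSName

# 1. Domain local group: it can hold accounts and global groups from any trusted domain,
#    but it can only be used on ACLs inside this domain, which is where the share lives.
if (-not (Get-ADGroup -Filter { Name -eq $DenyGroup })) {
    New-ADGroup -Name $DenyGroup -GroupScope DomainLocal -GroupCategory Security `
                -Path 'OU=Groups,DC=contoso,DC=com' -Description 'Explicitly denied on the confidential share'
}
Add-ADGroupMember -Identity $DenyGroup -Members $GlobalGroup

# 2. Deny Full Control for the group on the folder, inherited by files and subfolders.
#    A Deny ACE is evaluated before any Allow ACE, so membership in an allowed group does
#    not help; that is also why a Deny should target a narrow, well-understood group.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$DenyGroup",
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl = Get-Acl $Folder
$acl.AddAccessRule($rule)
Set-Acl $Folder $acl

# 3. Verify the ACE is in place and list who is affected. Group membership is carried in the
#    logon token, so users already logged on keep their old token until they log off and on.
(Get-Acl $Folder).Access | Where-Object { $_.IdentityReference -eq "$Domain\$DenyGroup" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
$denied = Get-ADGroupMember $GlobalGroup -Recursive | Select-Object -ExpandProperty SamAccountName
Write-Host "Accounts now denied on ${Folder}: $($denied -join ', ')"
```

Adding a new unauthorized user later means adding them to the Contractors global group; neither the domain local group nor the folder ACL has to change, which is the point of the pattern.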
Q118. Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.
What should you do?
A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificates permission from the Authenticated Users group.
C. Assign the Allow - Manage CA permission to only the Security Manager user Account.
D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manger user account
Answer: D
Explanation:
Revocation is a certificate manager task, governed by the Issue and Manage Certificates permission on the CA; Manage CA (option C) is the CA administrator role, which configures the CA but does not revoke certificates. Removing the enrollment permissions (options A and B) changes who can request certificates, not who can revoke them. Note that a CA administrator can grant Issue and Manage Certificates to anyone, including themselves, unless role separation is enforced on the CA, so restricting revocation to the Security Manager in practice also means keeping the Manage CA permission tightly held or enabling role separation.
http://technet.microsoft.com/en-us/library/cc732590.aspx
Implement Role-Based Administration
You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings.
You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.
The following table describes the roles, users, and groups that can be used to implement role-based administration.
Role: Certificate manager
Security permission: Issue and Manage Certificates
Description: Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.
Q119. You remotely monitor several domain controllers.
You run winrm.exe quickconfig on each domain controller.
You need to create a WMI script query to retrieve information from the bios of each domain controller.
Which format should you use to write the query?
A. XrML
B. XML
C. WQL
D. HTML
Answer: C
Explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606%28v=vs.85%29.aspx
WQL (SQL for WMI)
The WMI Query Language (WQL) is a subset of the American National Standards Institute
Structured Query Language (ANSI SQL)—with minor semantic changes.
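The BIOS query written as WQL and run over WinRM against each domain controller, as an added PowerShell example that is not part of the original page. It assumes PowerShell remoting over the listener that winrm quickconfig created and an account in the DCs' Administrators group; the DC names are placeholders. It also makes the distinction the question hinges on: Invoke-Command uses WS-Management, whereas Get-WmiObject -ComputerName would bypass WinRM and use DCOM.

```powershell
# Added example (not from the original page): WQL over WinRM. Assumes PowerShell remoting
# is enabled on the DCs (winrm quickconfig) and the caller is a local administrator there.
$DCs = 'DC01', 'DC02', 'DC03'   # placeholders

function Get-DCBiosInfo {
    param([string[]]$ComputerName)
    # WQL is SQL-like (SELECT ... FROM ... WHERE ...) but has no parameter binding, so never
    # splice untrusted text into a query; here the only literal is fixed. PrimaryBIOS = TRUE
    # keeps only the active firmware entry on systems that expose more than one.
    $query = 'SELECT Manufacturer, SMBIOSBIOSVersion, SerialNumber, ReleaseDate FROM Win32_BIOS WHERE PrimaryBIOS = TRUE'
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($q)
        # Executed on the DC over WS-Management; Get-WmiObject -ComputerName would use DCOM instead.
        Get-WmiObject -Query $q | Select-Object Manufacturer, SMBIOSBIOSVersion, SerialNumber,
            @{n='ReleaseDate'; e={ [Management.ManagementDateTimeConverter]::ToDateTime($_.ReleaseDate) }}
    } -ArgumentList $query -ErrorAction Continue
}

Get-DCBiosInfo -ComputerName $DCs |
    Format-Table PSComputerName, Manufacturer, SMBIOSBIOSVersion, SerialNumber, ReleaseDate -AutoSize
```

PSComputerName is added by Invoke-Command, so the table shows which DC each row came from; a DC that is unreachable over WinRM produces an error rather than a row, and -ErrorAction Continue lets the remaining DCs still report.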
Q120. Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC).
You need to configure the RODC to store only the passwords of users in the remote site.
What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc730883.aspx
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations: the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group. These groups implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes of each RODC, respectively.
An account that appears in both lists is never cached: the Denied list takes precedence. Option D would therefore block caching for everyone outside the site but would not by itself allow caching for anyone, so the remote users' passwords would still not be stored on the RODC. A PSO (option A) sets password and lockout policy, and the partial attribute set (option B) controls which attributes the global catalog holds; neither affects RODC password caching.
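The answer applied and checked from PowerShell, as an added example that is not part of the original page. It assumes the Windows Server 2008 R2 ActiveDirectory module, an RODC named RODC-BR1 and branch users under OU=Users,OU=Branch1,DC=contoso,DC=com (placeholders), and it reports the two things a practitioner wants to know afterwards: which branch users are also on the Denied list (and so will never be cached) and whether the RODC already holds secrets for accounts outside the branch.

```powershell
# Added example (not from the original page): scope the RODC's password replication policy to
# the remote site's users. Assumes the 2008 R2 ActiveDirectory module, RODC named RODC-BR1,
# and branch users under OU=Users,OU=Branch1,DC=contoso,DC=com (placeholders).
Import-Module ActiveDirectory

$Rodc     = 'RODC-BR1'
$BranchOU = 'OU=Users,OU=Branch1,DC=contoso,DC=com'
$Allowed  = 'Allowed RODC Password Replication Group'

# 1. Put the remote site's users into the Allowed list, as the answer does. Note that this
#    built-in group applies to every RODC in the domain; a per-RODC group added with
#    Add-ADDomainControllerPasswordReplicationPolicy -AllowedList is tighter when there are several.
$branchUsers = Get-ADUser -Filter * -SearchBase $BranchOU
Add-ADGroupMember -Identity $Allowed -Members $branchUsers

# 2. The Denied list wins over the Allowed list. The default Denied list already covers
#    Domain Admins, Enterprise Admins, Administrators, Account/Server/Backup Operators and
#    krbtgt; any branch user who is also in it will never be cached, so report the overlap.
$deniedAccounts = foreach ($p in Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied) {
    if ($p.ObjectClass -eq 'group') { Get-ADGroupMember $p.DistinguishedName -Recursive } else { $p }
}
$deniedDNs = $deniedAccounts | ForEach-Object { $_.DistinguishedName }
$overlap   = $branchUsers | Where-Object { $deniedDNs -contains $_.DistinguishedName }
if ($overlap) {
    Write-Warning "Denied overrides Allowed for: $(($overlap | ForEach-Object { $_.SamAccountName }) -join ', ')"
}

# 3. Resulting policy, and which secrets the RODC actually holds right now. Anything outside
#    the branch OU that shows up here is a password a branch-office compromise would expose.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.DistinguishedName -notlike "*,$BranchOU" } |
    ForEach-Object { Write-Warning "Cached outside the branch: $($_.SamAccountName)" }
```

Membership is evaluated when the RODC requests a secret, so new branch users only need to be added to the group; the RODC itself is not touched. The -RevealedAccounts list is also what you would review after a branch RODC is lost or stolen, since those are the accounts whose passwords must be reset.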