Practice questions for Microsoft exam 70-640, TS: Windows Server 2008 Active Directory, Configuring.
Q141. Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema.
You discover that the Active Directory replication traffic to the Global Catalogs has increased.
You need to prevent the new attributes from being replicated to the Global Catalog.
You must achieve this goal without affecting application functionality.
What should you do?
A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.
B. Change the cost for the DEFAULTIPSITELINK object to 9990.
C. Make the new attributes in the Active Directory as defunct.
D. Modify the properties in the Active Directory schema for the new attributes.
Answer: D
Explanation:
http://support.microsoft.com/kb/248717 How to Modify Attributes That Replicate to the Global Catalog

The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes which make up the set of values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space.

Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has on network replication traffic. After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a "full sync") of all objects to the GC as described below. This behavior occurs on the versions of Windows 2000 listed in this article.

Every server has a full and writable copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept. When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own writable domain, the configuration directory partition or schema directory partition.

In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the "Schema Admins" group. In addition to being a member of this group, a registry key must be set on the Schema master.

Note that the KB article describes Windows 2000. At the Windows Server 2003 forest functional level and later, adding an attribute to the partial attribute set no longer triggers a full GC resynchronisation, and Windows Server 2008 R2 no longer requires the Windows 2000 "Schema Update Allowed" registry key; Schema Admins membership and a connection to the Schema Master are what remain. The schema property the answer refers to is the attribute's isMemberOfPartialAttributeSet flag (the "Replicate this attribute to the Global Catalog" check box in the Active Directory Schema snap-in). Clearing it removes the attribute from the GC only; the attribute and its values in each domain's writable partition stay, so the application is unaffected.
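The procedure the answer describes, as an added PowerShell example (not code from the page or from the KB article): it inventories the current partial attribute set, then clears the flag on one application attribute against the Schema Master. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a Schema Admins account, and an attribute named contoso-AppUserProfile, which is a placeholder.

```powershell
# Added example, not part of the original page or of KB 248717.
# Assumptions: ActiveDirectory module available, caller is in Schema Admins,
# attribute lDAPDisplayName 'contoso-AppUserProfile' is a placeholder.
Import-Module ActiveDirectory

# Schema writes only succeed on the Schema Master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# 1. Inventory: which attributes are currently replicated to every GC?
$pas = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName, attributeID
$pas | Sort-Object lDAPDisplayName | Select-Object lDAPDisplayName, attributeID

# 2. Locate the application's attribute in the schema partition.
$attrName = 'contoso-AppUserProfile'   # placeholder; substitute the real lDAPDisplayName
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
        -Properties isMemberOfPartialAttributeSet, systemFlags
if (-not $attr) { throw "Attribute '$attrName' not found in $schemaNC" }

# systemFlags bit 0x10 marks base-schema (Microsoft-defined) attributes; never edit those.
if ($attr.systemFlags -band 0x10) { throw "'$attrName' is part of the base schema; leave it alone" }

# 3. Remove it from the partial attribute set. Only GC replication of the
#    attribute changes; the attribute and its values in each domain's writable
#    partition are untouched, so the application keeps working.
Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Replace @{ isMemberOfPartialAttributeSet = $false }

# 4. Verify on the Schema Master; other DCs pick the change up through
#    normal schema-partition replication.
(Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Properties isMemberOfPartialAttributeSet).isMemberOfPartialAttributeSet
```

Keep Schema Admins empty except while the change is made; the group has no day-to-day use and a compromised member can alter every object class in the forest.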
Q142. Your company has a main office and a branch office. The main office contains two domain controllers.
You create an Active Directory site named BranchOfficeSite.
You deploy a domain controller in the branch office, and then add the domain controller to the BranchOfficeSite site.
You discover that users in the branch office are randomly authenticated by either the domain controller in the branch office or the domain controllers in the main office.
You need to ensure that the users in the branch office always attempt to authenticate to the domain controller in the branch office first.
What should you do?
A. Create organizational units (OUs).
B. Create Active Directory subnet objects.
C. Modify the slow link detection threshold.
D. Modify the Location attribute of the computer objects.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754697.aspx Understanding Sites, Subnets, and Site Links Sites overview Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller.
Associating sites and subnets A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site. Note The term "subnet" in AD DS does not have the strict networking definition of the set of all addresses behind a single router. The only requirement for an AD DS subnet is that the address prefix conforms to the IP version 4 (IPv4) or IP version 6 (IPv6) format. When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites.
Locating domain controllers by site Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses. When a client requests a domain controller, it provides its site name to DNS. DNS uses the site name to locate a domain controller in that site (or in the next closest site to the client). DNS then provides the IP address of the domain controller to the client for the purpose of connecting to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links.
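The fix described in the answer, as an added PowerShell example (not code from the page or the TechNet article): it binds a branch office prefix to BranchOfficeSite and shows the checks that prove a client now resolves to the right site. Windows Server 2008 R2 has no New-ADReplicationSubnet, so the subnet object is created with New-ADObject. The domain name contoso.com and the prefix 10.20.0.0/16 are placeholders.

```powershell
# Added example, not from the original page or the cited TechNet article.
# Assumptions: ActiveDirectory module (2008 R2 / RSAT), site BranchOfficeSite
# already exists, domain contoso.com and prefix 10.20.0.0/16 are placeholders.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$siteDN   = "CN=BranchOfficeSite,CN=Sites,$configNC"
$prefix   = '10.20.0.0/16'

try   { Get-ADObject -Identity $siteDN | Out-Null }
catch { throw "Site object $siteDN does not exist; create the site first" }

# Subnet objects live under CN=Subnets. The object name is the prefix and the
# siteObject attribute is the DN of the site the prefix belongs to.
New-ADObject -Name $prefix -Type subnet -Path "CN=Subnets,CN=Sites,$configNC" `
    -OtherAttributes @{ siteObject = $siteDN; description = 'Branch office LAN' }

# Review every prefix-to-site binding. A client whose address matches no subnet
# is treated as site-less and may be handed any DC, which is the question's symptom.
Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
    Select-Object Name, @{ n = 'Site'; e = { ($_.siteObject -split ',')[0] -replace '^CN=' } }

# On a branch client, confirm the site the DC locator now assigns and which DC it picks.
nltest /dsgetsite
nltest /dsgetdc:contoso.com

# Domain controllers record clients they could not map to any subnet in
# %SystemRoot%\debug\netlogon.log (NO_CLIENT_SITE lines) and log NETLOGON event 5807;
# an empty result after the change means every branch address is now covered.
Get-Content "$env:SystemRoot\debug\netlogon.log" -ErrorAction SilentlyContinue |
    Select-String 'NO_CLIENT_SITE' | Select-Object -Last 20
```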
Q143. You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.
Answer: C
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc794920.aspx
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline
defragmentation returns free disk space in the Active Directory database to the file system.
As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Explanation 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805 Performing Offline Defragmentation of Ntds.dit These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
2. Type ntdsutil, and then press Enter.
3. Type Activate instance NTDS, and press Enter.
4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
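The same procedure as an added PowerShell script (not code from the page or the Sybex text), using restartable AD DS on Windows Server 2008 R2 so the domain controller does not have to be booted into Directory Services Restore Mode. It keeps a copy of the original ntds.dit, swaps in the compacted file, deletes the old transaction logs and runs the integrity check before bringing AD DS back. The working folder D:\NtdsCompact is a placeholder; the database and log locations are read from the NTDS Parameters registry key.

```powershell
# Added example, not from the page or the Sybex text. Offline defragmentation
# of ntds.dit on a Windows Server 2008 R2 DC via restartable AD DS.
# Assumption: D:\NtdsCompact is a placeholder with no spaces in the path and
# at least as much free space as ntds.dit.
$params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = (Get-ItemProperty $params).'DSA Database file'        # usually C:\Windows\NTDS\ntds.dit
$logDir  = (Get-ItemProperty $params).'Database log files path'
$workDir = 'D:\NtdsCompact'
$backup  = Join-Path $workDir 'backup'

New-Item -ItemType Directory -Path $workDir, $backup -Force | Out-Null

# Stopping NTDS also stops its dependents (KDC, DNS if installed, NTFRS/DFSR).
Stop-Service NTDS -Force

try {
    # Keep the original so the change can be rolled back.
    Copy-Item $dbFile $backup -Force

    # Each argument is one line typed at an ntdsutil prompt.
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $workDir" 'quit' 'quit'
    $compacted = Join-Path $workDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'compact did not produce a new ntds.dit' }

    # Swap in the compacted file; the old transaction logs belong to the old
    # database and must be deleted, as the TechNet procedure requires.
    Copy-Item $compacted $dbFile -Force
    Get-ChildItem -Path $logDir -Filter '*.log' | Remove-Item -Force

    # Integrity check on the new file before trusting it. ntdsutil prints
    # "Integrity check successful." on success (assumed exact wording).
    $out = & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
    if (($out -join "`n") -notmatch 'Integrity check successful') {
        Copy-Item (Join-Path $backup 'ntds.dit') $dbFile -Force
        throw "integrity check failed; original database restored:`n$($out -join "`n")"
    }
}
finally {
    Start-Service NTDS
}

'Before: {0:N0} bytes   After: {1:N0} bytes' -f `
    (Get-Item (Join-Path $backup 'ntds.dit')).Length, (Get-Item $dbFile).Length
```

The backup copy in D:\NtdsCompact\backup is a complete copy of the directory database, including password hashes; delete it once the DC is confirmed healthy, or keep it only on media protected like a system state backup.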
Q144. Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.
You need to configure AD RMS so that users are able to protect their documents.
What should you do?
A. Install the AD RMS client 2.0 on each client computer.
B. Add the RMS service account to the local administrators group on the AD RMS server.
C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx AD RMS Step-by-Step Guide For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.
Q145. You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed.
You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).
What should you do?
A. Install and configure an Online Responder.
B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.
C. Install and configure an additional domain controller.
D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc725958.aspx
What Is an Online Responder? An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
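Installing the Online Responder is only half the work: clients only ask it about certificates whose Authority Information Access (AIA) extension names the responder. The added PowerShell example below (not code from the page or the TechNet article) publishes the OCSP URL in the CA's AIA configuration and then checks a certificate end to end with certutil. The URL http://ocsp.contoso.com/ocsp and the file C:\temp\user.cer are placeholders.

```powershell
# Added example, not from the page or TechNet cc725958. Runs on the issuing CA.
# Assumptions: responder URL and certificate path are placeholders.
$ocspUrl = 'http://ocsp.contoso.com/ocsp'

# Current AIA publication list. Entry flags: 1 = publish the CA certificate
# there, 2 = include in the AIA extension, 32 = include as the OCSP access method.
certutil -getreg CA\CACertPublicationURLs

# A leading '+' appends to the multi-string value instead of replacing it.
certutil -setreg CA\CACertPublicationURLs "+32:$ocspUrl"

# The CA reads the setting when the service starts.
Restart-Service CertSvc

# Only certificates issued from now on carry the OCSP URL; earlier ones still
# send clients to the CRL distribution points, so plan re-enrolment if the CRL
# download time is the problem being solved.
$certPath = 'C:\temp\user.cer'   # placeholder
# -urlfetch makes certutil really download every CRL and OCSP response it
# references; the output shows which source answered and the revocation status.
certutil -verify -urlfetch $certPath | Select-String -Pattern 'OCSP|CRL|Revocation|Verified'

# Client-side responses are cached; clear the OCSP cache when re-testing.
certutil -urlcache ocsp delete
```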
Q146. You are installing an application on a computer that runs Windows Server 2008 R2. During installation, the application will need to install new attributes and classes to the Active Directory database.
You need to ensure that you can install the application. What should you do?
A. Change the functional level of the forest to Windows Server 2008 R2.
B. Log on by using an account that has Server Operator rights.
C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application.
D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the application.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
Default groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles.
Groups in the Builtin container
The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group.
Groups in the Users container
The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group.
Q147. ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest.
Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003.
You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place and has no IT personnel or administrators onsite. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office.
What should you do to set up the RODC on the computer in the branch office?
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754629.aspx
Install an RODC on a Server Core installation
To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.
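The unattended installation, as an added example (not code from the page or the TechNet article): it writes a dcpromo answer file for a read-only replica and runs dcpromo /unattend. The domain, site, account, group names and paths are placeholders. The forest must already have been prepared with adprep /rodcprep. Windows Server 2008 Server Core has no PowerShell, so there the file is created with notepad or copy con and the dcpromo line is typed at cmd.exe; the script runs as-is on a 2008 R2 Server Core with the PowerShell feature, or on any box used to stage the file.

```powershell
# Added example, not from the page or TechNet cc754629.
# Assumptions: domain contoso.com, site BranchOfficeSite, account
# contoso\svc-dcpromo, groups Branch-Users and Branch-RODC-Admins (placeholders).
$answer = @'
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=contoso.com
SiteName=BranchOfficeSite
InstallDNS=Yes
ConfirmGc=Yes
UserDomain=contoso.com
UserName=contoso\svc-dcpromo
Password=*
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
; Only the branch users' secrets may be cached on this physically insecure box.
; Domain Admins, Enterprise Admins and the other privileged groups are already in
; the default "Denied RODC Password Replication Group".
PasswordReplicationAllowed=contoso\Branch-Users
; Local administration of the RODC without granting any domain-level rights.
DelegatedAdmin=contoso\Branch-RODC-Admins
SafeModeAdminPassword=*
RebootOnCompletion=No
'@

$file = Join-Path $env:TEMP 'rodc-unattend.txt'
Set-Content -Path $file -Value $answer -Encoding ASCII

# Password=* and SafeModeAdminPassword=* make dcpromo prompt instead of leaving
# secrets on disk; the file is removed afterwards in any case, then the box reboots.
try {
    & "$env:SystemRoot\System32\dcpromo.exe" "/unattend:$file"
    if ($LASTEXITCODE -ne 0) { throw "dcpromo returned $LASTEXITCODE" }
}
finally {
    Remove-Item $file -Force -ErrorAction SilentlyContinue
}
shutdown /r /t 0
```

Because the branch office is physically insecure, the password replication policy is the part worth reviewing most carefully: anything cached on the RODC is recoverable from its ntds.dit if the machine is stolen.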
Q148. Your company has a DNS server that has 10 Active Directory integrated zones.
You need to provide copies of the zone files of the DNS server to the security department.
What should you do?
A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.
Answer: C
Explanation:
http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/ DNS Zone Export In Non-AD Integrated DNS Zones DNS zone file information is stored by default in the %systemroot%\windows\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files will be named as <ZoneFQDN>.dns.
In AD Integrated DNS Zones
AD-integrated zones are stored in the directory, so they do not have corresponding zone files, i.e. they are not stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory. It is therefore important to take a backup of these AD integrated zones before making any changes to the DNS infrastructure. Dnscmd.exe can be used to export a zone to a file. The syntax of the command is:
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>
<ZoneName> is the FQDN of the zone to export; /Cache exports the cache instead. As an example, say we have an AD integrated zone named habib.local and our DC is server1. The command to export the zone would be:
Dnscmd server1 /ZoneExport habib.local habib.local.bak
The export file is written relative to the %systemroot%\System32\dns folder on the DNS server, not to the directory the command was run from.
You can refer to the complete DNSCMD reference on the Microsoft TechNet website:
http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx
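Ten zones means ten exports, and the files land on the server, not on the workstation running dnscmd. The added PowerShell example below (not code from the page or the blog post it quotes) enumerates the primary zones, exports each one, collects the files over the admin share and records a SHA-256 hash for each so the security department can confirm what it received. The server name DC1, the share path and the assumed column layout of dnscmd /EnumZones output are placeholders and assumptions.

```powershell
# Added example, not from the page or the quoted blog post.
# Assumptions: server DC1, a writable share \\secfiles\dnsexports, and
# 'dnscmd /EnumZones' printing one zone per line as "name  type  storage ...".
$server = 'DC1'
$dest   = '\\secfiles\dnsexports'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'

New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Zone names from the enumeration; the cache zone, TrustAnchors and secondaries
# are skipped because only primaries hold authoritative data.
$zones = dnscmd $server /EnumZones |
    ForEach-Object { if ($_ -match '^\s*(\S+)\s+Primary\s') { $matches[1] } }

foreach ($zone in $zones) {
    $file = "${zone}.${stamp}.dns"

    # /ZoneExport works for AD-integrated zones that have no .dns file of their
    # own; the output file is written to %SystemRoot%\System32\dns on the server.
    $out = dnscmd $server /ZoneExport $zone $file
    if (($out -join "`n") -notmatch 'Command completed successfully') {
        Write-Warning "${zone}: $($out -join ' ')"
        continue
    }

    # Pull the file across the admin share and keep a hash for chain of custody.
    Copy-Item "\\$server\admin$\System32\dns\$file" $dest -Force
    $hash = (certutil -hashfile (Join-Path $dest $file) SHA256)[1]
    '{0,-40} {1}' -f $zone, $hash
}
```

Zone exports are reconnaissance gold (every host, service record and DC in the forest), so the share they are copied to deserves the same access control as the DNS server itself.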
Q149. Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains.
You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain.
What should you do?
A. Decrease the replication interval for all Connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc754538.aspx
Understanding When to Create a Shortcut Trust
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests, but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.
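The direction matters and is easy to invert. In the answer, the trust "from eng.na.contoso.com to labs.eu.contoso.com" means eng.na (where the resources are) trusts labs.eu (where the users are); netdom expresses the same thing with the trusting domain as the first argument and the trusted domain after /Domain. The added PowerShell example below (not code from the page or the TechNet article) creates that trust, verifies it, and reads the resulting trustedDomain object so the direction can be confirmed from the directory itself. The administrator account names are placeholders.

```powershell
# Added example, not from the page or TechNet cc754538.
# Assumptions: run by an account that is a Domain Admin in both domains;
# ENG\Administrator and LABS\Administrator are placeholders.
$trusting = 'eng.na.contoso.com'   # resource domain: will trust labs.eu
$trusted  = 'labs.eu.contoso.com'  # account domain: users come from here

# netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Add
# /PasswordO:* and /PasswordD:* prompt instead of putting passwords on the command line.
netdom trust $trusting /Domain:$trusted /Add `
    /UserO:'ENG\Administrator' /PasswordO:* `
    /UserD:'LABS\Administrator' /PasswordD:*

# Verify the secure channel from the trusting side and list the forest's trusts.
netdom trust $trusting /Domain:$trusted /Verify `
    /UserO:'ENG\Administrator' /PasswordO:* /UserD:'LABS\Administrator' /PasswordD:*
nltest /domain_trusts /all_trusts

# Confirm direction in the directory. On eng.na the trustedDomain object for
# labs.eu should show trustDirection 2 (outbound: eng.na trusts labs.eu);
# trustAttributes bit 0x20 marks a within-forest (shortcut) trust.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain -Server $trusting).DistinguishedName
Get-ADObject -Server $trusting -SearchBase "CN=System,$domainDN" `
    -LDAPFilter "(&(objectClass=trustedDomain)(name=$trusted))" `
    -Properties trustDirection, trustAttributes, trustType |
    Select-Object name, trustDirection,
        @{ n = 'WithinForest'; e = { [bool]($_.trustAttributes -band 0x20) } }
```

A one-way trust is the right default here: labs.eu users gain a shorter path to eng.na resources, and nothing in labs.eu becomes reachable from eng.na accounts that was not reachable through the forest root before.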
Q150. Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/dd759186.aspx
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account
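Both steps, as an added PowerShell example (not code from the page or TechNet dd759186). Registering the SPN lets the KDC issue a ticket for the AD RMS cluster URL encrypted to the service account's key; useAppPoolCredentials makes IIS decrypt that ticket with the same account instead of the machine account. The cluster name rms.contoso.com, the service account CONTOSO\svc-adrms and the site name "Default Web Site" are placeholders; what the question calls the IIS metabase is applicationHost.config on IIS 7, which appcmd edits.

```powershell
# Added example, not from the page or TechNet dd759186. Runs on the AD RMS server.
# Assumptions: cluster URL rms.contoso.com, service account CONTOSO\svc-adrms,
# AD RMS virtual directories under 'Default Web Site' (placeholders).
$svcAccount  = 'CONTOSO\svc-adrms'
$clusterFqdn = 'rms.contoso.com'
$shortName   = $clusterFqdn.Split('.')[0]

# Duplicate SPNs anywhere in the forest break Kerberos for both accounts
# (the KDC cannot choose a key); check before adding.
setspn -X

# -S (Windows Server 2008 and later) refuses to add an SPN that already exists
# on another account. Register both the FQDN and the short name clients may use.
setspn -S "HTTP/$clusterFqdn" $svcAccount
setspn -S "HTTP/$shortName"   $svcAccount
setspn -L $svcAccount

# IIS 7: with a custom application pool identity, Windows authentication must
# decrypt service tickets with the pool account's key, not the machine account's.
$appcmd = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
& $appcmd set config 'Default Web Site' `
    /section:system.webServer/security/authentication/windowsAuthentication `
    /useAppPoolCredentials:true /commit:apphost

# Show the effective setting, then recycle the AD RMS pool to apply it.
& $appcmd list config 'Default Web Site' `
    /section:system.webServer/security/authentication/windowsAuthentication
& $appcmd recycle apppool /apppool.name:_DRMSAppPool1
```

After the change, a client request to https://rms.contoso.com/_wmcs/licensing should produce a Kerberos ticket for HTTP/rms.contoso.com in `klist` output on the client; a fallback to NTLM usually means the SPN and the name in the URL do not match.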