Examcollection study guide for the Microsoft 70-640 exam (TS: Windows Server 2008 Active Directory, Configuring).
Q151. You have an enterprise subordinate certification authority (CA).
You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the
Certificates console. The certificate template is unavailable for Web enrollment.
You need to ensure that the certificate template is available on the Web enrollment pages.
What should you do?
A. Run certutil.exe pulse.
B. Run certutil.exe installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.
Answer: C
Explanation:
Identical to F/Q33.
Explanation 1: http://technet.microsoft.com/en-us/library/cc732517.aspx
Certificate Web enrollment cannot be used with version 3 certificate templates.
Explanation 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx
The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.
Q152. Your network contains an Active Directory domain named contoso.com.
You need to identify whether the Active Directory Recycle Bin is enabled.
What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.
Answer: D
Explanation:
http://www.frickelsoft.net/blog/?p=224
How can I check whether the AD Recycle-Bin is enabled in my R2 forest?
[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]
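The check referenced in the explanation, written out as an added example (not code from the study guide or the linked blog). It assumes the Active Directory PowerShell module is available, as on a 2008 R2 domain controller or a workstation with RSAT, and uses the forest name contoso.com from the question:

```powershell
# Added example: determine whether the Active Directory Recycle Bin optional
# feature is enabled by inspecting the feature object's EnabledScopes.
# Assumes the ActiveDirectory module (RSAT or a domain controller).
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    [CmdletBinding()]
    param()
    # The feature object always exists once the forest schema supports it;
    # its EnabledScopes collection stays empty until the feature is enabled
    # at forest scope, so that (not the object's presence) is the signal.
    $feature = Get-ADOptionalFeature -Filter "Name -like 'Recycle Bin Feature'"
    if (-not $feature) {
        Write-Warning 'Recycle Bin Feature object not found; the forest schema may predate Windows Server 2008 R2.'
        return $false
    }
    return ($feature.EnabledScopes.Count -gt 0)
}

if (Test-ADRecycleBinEnabled) {
    'AD Recycle Bin is enabled.'
} else {
    'AD Recycle Bin is NOT enabled.'
    # Enabling is a one-way change for the forest; shown here commented out
    # so the check script stays read-only.
    # Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    #     -Scope ForestOrConfigurationSet -Target 'contoso.com'
}
```

Comparing EnabledScopes rather than merely searching for the object is the point: Ldp searches for related objects (answers A and B) only show that the schema knows the feature, not that it is switched on.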
Q153. Your network contains an Active Directory domain named contoso.com.
You create a GlobalNames zone. You add an alias (CNAME) resource record named
Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc731744.aspx
Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1
Q154. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
You need to prevent the non-domain member computers from registering records in the contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?
A. Configure a trust anchor.
B. Run the Security Configuration Wizard (SCW).
C. Change the contoso.com zone to an Active Directory-integrated zone.
D. Modify the security settings of the %SystemRoot%\System32\Dns folder.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx
Active Directory-Integrated Zones
DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:
* Multiple masters are created for DNS replication. Therefore, any domain controller in the domain running the DNS server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative, and a separate DNS zone transfer topology is not needed.
* Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.
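The dnscmd steps behind Q153 and Q154, collected into one added example (not part of the study guide or the TechNet articles). It assumes dnscmd.exe from the DNS Server tools is on the path; the zone name and DC1 come from the questions, and the second server name is a constructed placeholder standing in for "every authoritative DNS server in the forest":

```powershell
# Added example: enable GlobalNames support on each DNS server (Q153), then
# move the contoso.com zone into Active Directory and restrict it to secure
# dynamic updates (Q154). Assumes dnscmd.exe is available on the path.
$zone       = 'contoso.com'
$dnsServers = @('DC1', 'DC2')   # constructed list: every authoritative DNS server in the forest

foreach ($server in $dnsServers) {
    # Q153: creating the GlobalNames zone is not enough; the server-level
    # setting must be switched on, or its CNAME records never resolve.
    & dnscmd.exe $server /config /enableglobalnamessupport 1
    & dnscmd.exe $server /info /enableglobalnamessupport    # read the setting back
}

# Q154, step one: a standard primary zone stores its data in a file and can
# only accept unsecured updates, so convert it to an AD-integrated primary.
& dnscmd.exe 'DC1' /zoneresettype $zone /dsprimary

# Q154, step two: /allowupdate 2 = secure dynamic updates only. Each record
# is then owned by the domain computer that registered it, so machines that
# are not domain members can no longer register or overwrite names.
& dnscmd.exe 'DC1' /config $zone /allowupdate 2

# Confirm zone type and update mode before relying on the change.
& dnscmd.exe 'DC1' /zoneinfo $zone
```

The order matters: /allowupdate 2 is only accepted for Active Directory-integrated zones, which is why the question asks what to do first.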
Q155. Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc709647%28v=ws.10%29.aspx Managing Group Policy ADMX Files Step-by-Step Guide
Microsoft Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings (located under the Administrative Templates category in the Group Policy Object Editor) are defined using a standards-based, XML file format known as ADMX files. These new files replace ADM files, which used their own markup language. The Group Policy tools, Group Policy Object Editor and Group Policy Management Console, remain largely unchanged. In the majority of situations, you will not notice the presence of ADMX files during your day-to-day Group Policy administration tasks.
http://blogs.technet.com/b/grouppolicy/archive/2008/12/17/questions-on-admx-in-windows-xp-and-windows2003-environments.aspx
Questions on ADMX in Windows XP and Windows 2003 environments
We had a question a couple of days ago about the usage of ADMX template formats in Windows XP/Server 2003 environments. Essentially the question was: "…What's the supported or recommended way of getting W2k8 ADMX templates applying in a W2k3 domain with or with no W2k8 DCs. What I've done in test is, created a central store in the /Sysvol/domain/policies folder on the 2k3 DC (PDC) and created and edited a GPO using GPMC from the W2k8 member server applying to a W2k8 machine and it seems to work just fine. Is this the right way to do it?…"
The answer is Yes. Again this is one of those things that confuse people. The template format has nothing to do with the policy file that's created. It's just used to create the policy by the administrative tool itself. In the case of GPMC on Windows XP and Windows Server 2003 and previous, this tool used the ADM file format. These ADM files were copied into every policy object on the SYSVOL, which represents about 4MB of duplicated bloat per policy. This was one of the areas that caused major problems with an issue called SYSVOL bloat. In Vista and Server 2008 this template format changed to ADMX.
This was a complete change towards a new XML based format that aimed to eliminate SYSVOL bloat. It doesn't copy itself into every policy object but relies on a central or local store of these templates (Note that even in the newer tools you can still import custom ADM files for stuff like Office etc). In the question above, the person wanted to know if the local store, located under c:/windows/policydefinitions, could be copied into a Windows Server 2003 domain environment as the central store and used by the newer admin tools. Again the domain functional mode has little to do with Group Policy. I talked about that one before. The things that we care about are the administrative tools and the client support for the policy functions. So of course it can. Here's the confusion-reducing scoop: Group Policy as a platform only relies on two main factors. Active Directory to store metadata about the policy objects and to allow client discoverability for the location of the policy files. The other is the SYSVOL to store the policy files. So at its core that's LDAP and SMB file shares. Specific extensions on top of the policy platform may require certain domain functionality but that's very specific to that extension. Examples are the new Wireless policy and BitLocker extensions in Vista SP1. They require schema updates, not GP itself. So if you don't currently use them then you don't have to update schema. So provided you're using Windows Vista SP1 with RSAT or Windows Server 2008 to administer the policies you get all the benefits to manage downlevel clients. That means eliminating SYSVOL bloat. That means all the joys of Group Policy Preferences. Honestly, it amazes us the amount of IT Pros that still haven't discovered GPP…especially with the power it has to practically eliminate logon scripts! As a last point, IT Pros also ask us when we will be producing an updated GPMC version for Windows XP to support all the new stuff.
The answer is that we are not producing any updated GPMC versions for Windows XP and Server 2003. All the new administrative work is being done on the newer platforms. So get moving ahead! There are some really good benefits in the newer tools and very low impact to your current environment. You only need a single Windows Vista SP1 machine to start!
Q156. Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers.
You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.
Answer: C
Explanation:
Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an e-mail when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort.
Explanation:
http://technet.microsoft.com/en-us/library/cc748900.aspx
To Run a Task in Response to a Given Event
1. Start Event Viewer.
2. In the console tree, navigate to the log that contains the event you want to associate with a task.
3. Right-click the event and select Attach Task to This Event.
4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an e-mail.
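The same event-triggered task created without the wizard, as an added example that is not part of the study guide or the TechNet article. It is run on the member server (the collector), assumes the forwarded domain controller events land in the ForwardedEvents log (the default destination for a subscription), and uses a constructed event ID, task name and notification script path:

```powershell
# Added example: register an event-triggered task on the collector, the
# command-line form of "Attach Task to This Event". Assumes ForwardedEvents
# is the subscription's destination log; names below are constructed.
$taskName = 'Notify-On-DC-Event'                  # constructed task name
$channel  = 'ForwardedEvents'                     # default log for collected events
$eventId  = 4740                                  # constructed example: account lockout
$script   = 'C:\Scripts\Send-AdminAlert.ps1'      # constructed: script that e-mails the admins

# XPath query in the form Event Viewer itself writes for an attached task.
# Matching on the provider as well as the ID avoids firing on an unrelated
# event that happens to share the same number in another log source.
$query = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=$eventId]]"

# /SC ONEVENT with /EC (channel) and /MO (query) is the event trigger;
# one task on the collector covers all ten domain controllers.
schtasks.exe /Create /TN $taskName /SC ONEVENT /EC $channel /MO $query `
    /TR "powershell.exe -NonInteractive -File `"$script`"" /RU SYSTEM /F

# Verify the trigger was registered as expected.
schtasks.exe /Query /TN $taskName /V /FO LIST
```

Because the filter runs against the collector's log, adding or removing a domain controller from the subscription changes nothing about the task, which is the "minimum administrative effort" the question is after.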
Q157. Active Directory Rights Management Services (AD RMS) is deployed on your network.
Users who haveWindows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.
You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.
What should you do?
A. Modify the security of the ServerCertification.asmx file.
B. Modify the security of the MobileDeviceCertification.asmx file.
C. Enable anonymous authentication for the _wmcs virtual directory.
D. Enable anonymous authentication for the certification virtual directory.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/ff608252%28v=ws.10%29.aspx
Windows Mobile Considerations for AD RMS
AD RMS and Windows Mobile Requirements
Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile in Windows Mobile 6 and later devices. End users can create and consume protected e-mail messages and can read protected Microsoft Office documents on their Windows Mobile device.
AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later. By default the discretionary access control lists (DACLs) of the AD RMS mobile certification pipeline are restricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates and licenses to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read & Execute permissions to the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster.
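The permission change the article describes, as an added example that is not code from the study guide or from Microsoft. It uses the default file path from the text; the AD RMS Service Group is the local group the role creates, while the application's service account name is a constructed placeholder:

```powershell
# Added example: grant Read and Read & Execute on the mobile certification
# pipeline file and list the resulting DACL for review. Assumes the default
# AD RMS installation path; the application account is a constructed name.
$asmx = Join-Path $env:SystemDrive 'Inetpub\wwwroot\_wmcs\Certification\MobileDeviceCertification.asmx'

$principals = @(
    'AD RMS Service Group',        # local group created by the AD RMS role
    'CONTOSO\svc-rms-app'          # constructed: the AD RMS-enabled application's account
)

if (-not (Test-Path $asmx)) {
    throw "Not found: $asmx (is this an AD RMS server with the default path?)"
}

foreach ($p in $principals) {
    # (RX) is read and execute, the minimum the article calls for; keeping the
    # grant this narrow preserves the restricted DACL for everyone else.
    icacls.exe $asmx /grant "${p}:(RX)"
}

# Show the DACL so the change can be checked and repeated on every server in
# the AD RMS cluster, as the article requires.
icacls.exe $asmx
```

Answers C and D would open the whole virtual directory to anonymous callers, which is a much broader change than unlocking one pipeline file for two named principals.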
Q158. Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates.
You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR.
You need to ensure that the French-language version of the templates is available.
What should you do?
A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copy the ADM files to the FR folder.
B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc772507%28v=ws.10%29.aspx
.admx and .adml File Structure
In order to support the multilingual display of policy settings, the ADMX file structure must be broken into two types of files:
* A language-neutral file, .admx, describing the structure of the categories and Administrative template policy settings displayed in the Group Policy Management Console (GPMC) or Local Group Policy Editor.
* A set of language-dependent files, .adml, providing the localized portions displayed in the GPMC or Local Group Policy Editor. Each .adml file represents a single language you wish to support.
Language resource file (.adml) structure
The language resource files, .adml, provide the language specific information needed by the language neutral file. The language neutral file will then use specific sections of the language resource file in order for the GPMC or Local Group Policy Editor to display a policy setting in the correct language.
Q159. Your company has an Active Directory domain.
You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.
D. Register Schmmgmt.dll.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc732110.aspx
Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
To install the Active Directory Schema snap-in
1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator.
2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
* To save the snap-in to a location other than the Administrative Tools folder, in Save in navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save
Q160. Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed.
You need to ensure that the user is able to log on to the computer.
What should you do?
A. Run the netsh command with the set and machine options.
B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.
C. Run the netdom TRUST /reset command.
D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.
Answer: B
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx
Trust Relationship between Workstation and Primary Domain failed
What are the common causes which generate this message on client systems? There might be multiple reasons for this kind of behaviour. Below are listed a few of them:
1. Single SID has been assigned to multiple computers.
2. If the Secure Channel is Broken between Domain controller and workstations.
3. If there are no SPN or DNSHost Name mentioned in the computer account attributes.
4. Outdated NIC Drivers.
How to Troubleshoot this behaviour?
2. If the Secure Channel is Broken between Domain controller and workstations
When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. If there are problems with system time, DNS configuration or other settings, secure channel's password between Workstation and DCs may not synchronize with each other. A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.
Resolution: Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain. (This is a somewhat similar principle to performing a password reset for a user account.) Or you can go ahead and reset the computer account using the netdom.exe tool.
http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx
Netdom
Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
You can use netdom to:
* Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.
* Manage computer accounts for domain member workstations and member servers.
* Establish one-way or two-way trust relationships between domains.
* Verify or reset the secure channel for the following configurations:
  * Member workstations and servers.
  * Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  * Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.
* Manage trust relationships between domains.
Syntax
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx
Netdom reset
Resets the secure connection between a workstation and a domain controller.
Syntax
netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo:}{<Password>|*}] [{/help | /?}]
Further information:
http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx
Netdom trust
Establishes, verifies, or resets a trust relationship between domains.
Syntax
netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH] [/AddTLN] [/AddTLNEX] [/RemoveTLN] [/RemoveTLNEX] [{/help | /?}]
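A way to diagnose and repair the broken secure channel in place, as an added example that is not part of the study guide or the quoted articles. It is run on the affected workstation, uses Test-ComputerSecureChannel (shipped with PowerShell 2.0 on Windows 7 and Windows Server 2008 R2) and falls back to the netdom reset form quoted above; the domain name comes from the question, and DC1 is a constructed placeholder for a reachable domain controller:

```powershell
# Added example: check the workstation's secure channel to the domain, repair
# it with Test-ComputerSecureChannel -Repair, and only fall back to netdom
# reset if that fails. Assumes local administrator rights on the workstation
# and a credential that is allowed to reset this computer account.
function Repair-SecureChannel {
    param(
        [string]$Domain = 'contoso.com',
        [string]$Server = 'DC1'          # constructed: any reachable domain controller
    )

    # A healthy channel means the logon failure has another cause (time skew,
    # DNS, duplicate SID), so do not reset the account password needlessly.
    if (Test-ComputerSecureChannel -Server $Server) {
        return 'Secure channel is healthy; look at time, DNS or SID issues instead.'
    }

    $cred = Get-Credential -Message 'Account permitted to reset this computer account'

    # -Repair sets a new machine account password on both the workstation and
    # the domain controller, so no disjoin/rejoin (and no reboot) is required.
    if (Test-ComputerSecureChannel -Repair -Server $Server -Credential $cred) {
        return 'Secure channel repaired with Test-ComputerSecureChannel -Repair.'
    }

    # Fallback: netdom reset as documented above. /usero names the account that
    # performs the reset; /passwordo:* prompts rather than placing the password
    # on the command line.
    & netdom.exe reset $env:COMPUTERNAME /domain:$Domain /server:$Server `
        /usero:$($cred.UserName) /passwordo:*
    return "netdom reset finished with exit code $LASTEXITCODE"
}

Repair-SecureChannel
```

Either route resets the machine account password, which is exactly what a twelve-week-old account password has drifted away from; the disjoin/rejoin in answer B achieves the same result by creating the trust afresh.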