Because all that matters here is passing the Microsoft 70-640 exam. Because all that you need is a high score on 70-640 TS: Windows Server 2008 Active Directory, Configuring. The only thing you need to do is download the Testking 70-640 exam study guides now. We will not let you down with our money-back guarantee.
Q171. Your network contains a single Active Directory domain.
A domain controller named DC2 fails.
You need to remove DC2 from Active Directory.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. At the command prompt, run dcdiag.exe /fix.
B. At the command prompt, run netdom.exe remove dc2.
C. From Active Directory Sites and Services, delete DC2.
D. From Active Directory Users and Computers, delete DC2.
Answer: C,D
Explanation:
http://technet.microsoft.com/en-us/library/cc816907.aspx
Clean Up Server Metadata
Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS).
You perform metadata cleanup on a domain controller in the domain of the domain controller that you forcibly removed. Metadata cleanup removes data from AD DS that identifies a domain controller to the replication system.
Clean up server metadata by using GUI tools
Clean up server metadata by using Active Directory Users and Computers
1. Open Active Directory Users and Computers: On the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand the domain of the domain controller that was forcibly removed, and then click Domain Controllers.
3. In the details pane, right-click the computer object of the domain controller whose metadata you want to clean up, and then click Delete.
Clean up server metadata by using Active Directory Sites and Services
1. Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the site of the domain controller that was forcibly removed, expand Servers, expand the name of the domain controller, right-click the NTDS Settings object, and then click Delete.
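An added check, not part of the question bank or the TechNet article: after DC2 has been deleted in both consoles, confirm that nothing still refers to it and whether it held an operations master role that now has to be seized. It assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT); the DC name DC2 comes from the question.

```powershell
# Added example: verify that metadata cleanup for a forcibly removed DC left nothing behind.
# Assumes the ActiveDirectory module is available; $dcName defaults to DC2 from the question.
Import-Module ActiveDirectory

function Get-StaleDcReferences {
    param([string]$dcName = 'DC2')
    $rootDse  = Get-ADRootDSE
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $domainDN = $domain.DistinguishedName
    $configDN = $rootDse.configurationNamingContext
    $found = @()

    # Server object (parent of NTDS Settings) under CN=Sites: what Sites and Services deletes
    $found += @(Get-ADObject -SearchBase "CN=Sites,$configDN" `
                             -LDAPFilter "(&(objectClass=server)(cn=$dcName))")
    # Computer account in the Domain Controllers OU: what Users and Computers deletes
    $found += @(Get-ADComputer -SearchBase "OU=Domain Controllers,$domainDN" `
                               -LDAPFilter "(cn=$dcName)")
    # FRS member object for SYSVOL replication, which the GUI cleanup can leave behind
    $found += @(Get-ADObject -SearchBase "CN=System,$domainDN" `
                             -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$dcName))")

    # Operations master roles still pointing at the failed DC must be seized elsewhere
    $roles = @{
        'SchemaMaster'         = $forest.SchemaMaster
        'DomainNamingMaster'   = $forest.DomainNamingMaster
        'PDCEmulator'          = $domain.PDCEmulator
        'RIDMaster'            = $domain.RIDMaster
        'InfrastructureMaster' = $domain.InfrastructureMaster
    }
    $heldRoles = @($roles.Keys | Where-Object {
        $roles[$_] -eq $dcName -or $roles[$_] -like "$dcName.*"
    })

    New-Object PSObject -Property @{
        StaleObjects = @($found | Select-Object -ExpandProperty DistinguishedName)
        RolesToSeize = $heldRoles
    }
}

Get-StaleDcReferences -dcName 'DC2' | Format-List
```

Both lists should be empty once cleanup is complete; any role listed under RolesToSeize is the situation Q172 describes.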
Q172. Your network contains an Active Directory domain. The domain contains three domain controllers.
One of the domain controllers fails.
Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts.
Which operations master role should you seize?
A. domain naming master
B. infrastructure master
C. primary domain controller (PDC) emulator
D. RID master
E. schema master
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx
Operations master roles
Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes. In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.
RID master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-activedirectory/5081138
Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory
http://www.petri.co.il/seizing_fsmo_roles.htm
Seizing FSMO Roles
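An added example, not from the question bank or the linked articles: before seizing the RID master, check which DC holds the role, whether it still answers, and how much of the domain RID pool has been handed out. It assumes the ActiveDirectory module; the RID Manager$ object and the layout of rIDAvailablePool (upper 32 bits = highest allocatable RID, lower 32 bits = next RID) are documented Active Directory facts, and DC1 is a placeholder for the surviving DC that should take the role.

```powershell
# Added example: inspect the RID pool and RID master before deciding to seize the role.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    $domain = Get-ADDomain
    # rIDAvailablePool lives on the RID Manager$ object in the System container
    $ridMgr = Get-ADObject -Identity "CN=RID Manager`$,CN=System,$($domain.DistinguishedName)" `
                           -Properties rIDAvailablePool
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $maxRid  = [int64][math]::Floor($pool / 4294967296)   # upper 32 bits
    $nextRid = [int64]($pool % 4294967296)               # lower 32 bits
    $ridMaster = $domain.RIDMaster

    New-Object PSObject -Property @{
        RIDMaster       = $ridMaster
        RIDMasterOnline = (Test-Connection -ComputerName $ridMaster -Count 1 -Quiet)
        NextRid         = $nextRid
        MaxRid          = $maxRid
        RidsRemaining   = ($maxRid - $nextRid)
    }
}

$status = Get-RidPoolStatus
$status | Format-List

# Seize only when the old holder is permanently gone: a seized RID master must never
# come back online, because it would allocate RID blocks that overlap the new holder's.
# -Force makes Move-ADDirectoryServerOperationMasterRole seize instead of transfer.
if (-not $status.RIDMasterOnline) {
    Move-ADDirectoryServerOperationMasterRole -Identity 'DC1' -OperationMasterRole RIDMaster -Force
}
```

Each DC caches a block of RIDs from this pool, which is why account creation keeps working for a while after the RID master fails and only breaks (the seven days in the question) once the cached block is used up.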
Q173. Your network contains two Active Directory forests named contoso.com and nwtraders.com. A two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured to use selective authentication.
Contoso.com contains a server named Server1. Server1 contains a shared folder named Marketing.
Nwtraders.com contains a global group named G_Marketing. The Change share permission and the Modify NTFS permission for the Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that they cannot access the Marketing folder.
You need to ensure that the G_Marketing members can access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.
Answer: C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 643-644
After you have selected Selective Authentication for the trust, no trusted users will be able to access resources in the trusting domain, even if those users have been given permissions. The users must also be assigned the Allowed To Authenticate permission on the computer object in the domain.
To assign this permission:
1. Open the Active Directory Users And Computers snap-in and make sure that Advanced Features is selected on the View menu.
2. Open the properties of the computer to which trusted users should be allowed to authenticate—that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.
3. On the Security tab, add the trusted users or a group that contains them and select the Allow check box for the Allowed To Authenticate permission.
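The grant from step 3 as a script, added here and not taken from the training kit. It assumes the ActiveDirectory module and its AD: drive, and that the forest trust lets contoso.com resolve the nwtraders.com group; the GUID is the fixed schema value of the Allowed-To-Authenticate control access right.

```powershell
# Added example: assign "Allowed To Authenticate" on a computer object to a group from
# the trusted forest, then read back the ACE to verify it. Names come from the question.
Import-Module ActiveDirectory

function Grant-AllowedToAuthenticate {
    param([string]$ComputerName, [string]$GroupName, [string]$GroupForest)

    # rightsGuid of the Allowed-To-Authenticate extended right in the AD schema
    $allowedToAuth = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

    $computerDN = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Resolve the group in the trusted forest (assumes the trust permits the lookup)
    $group = Get-ADGroup -Identity $GroupName -Server $GroupForest

    $acl  = Get-Acl -Path "AD:\$computerDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuth)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$computerDN" -AclObject $acl

    # Return the ACEs for this right so the grant can be checked
    (Get-Acl -Path "AD:\$computerDN").Access |
        Where-Object { $_.ObjectType -eq $allowedToAuth } |
        Select-Object IdentityReference, AccessControlType, ObjectType
}

Grant-AllowedToAuthenticate -ComputerName 'Server1' -GroupName 'G_Marketing' -GroupForest 'nwtraders.com'
```

With selective authentication, this right is what gates access; the share and NTFS permissions in options A and B are already in place and are evaluated only after authentication succeeds.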
Q174. Your network contains an Active Directory forest.
You add an additional user principal name (UPN) suffix to the forest.
You need to modify the UPN suffix of all users. You want to achieve this goal by using the minimum amount of administrative effort.
What should you use?
A. the Active Directory Domains and Trusts console
B. the Active Directory Users and Computers console
C. the Csvde tool
D. the Ldifde tool
Answer: D
Q175. Your company has file servers located in an organizational unit named Payroll. The file servers contain payroll files located in a folder named Payroll.
You create a GPO.
You need to track which employees access the Payroll files on the file servers.
What should you do?
A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: B
Explanation:
Answer: Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the file servers, configure Auditing for the Everyone group in the Payroll folder.
http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspx
Audit Policy
Establishing an organizational computer system audit policy is an important facet of information security. Configuring Audit policy settings that monitor the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach. There are nine different kinds of events for which you can specify Audit Policy settings. If you audit any of these kinds of events, Windows records the events in the Security log, which you can find in Event Viewer.
Object access. Audit this to record when someone has used a file, folder, printer, or other object.
Process tracking. Audit this to record when events such as program activation or a process exiting occur.
When you implement Audit Policy settings:
If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit all attempts by users to open a particular file, you can configure audit policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.
Further information:
http://technet.microsoft.com/en-us/library/hh147307%28v=ws.10%29.aspx
Group Policy for Beginners
Group Policy Links
At the top level of AD DS are sites and domains. Simple implementations will have a single site and a single domain. Within a domain, you can create organizational units (OUs). OUs are like folders in Windows Explorer. Instead of containing files and subfolders, however, they can contain computers, users, and other objects. For example, in Figure 1 you see an OU named Departments. Below the Departments OU, you see four subfolders: Accounting, Engineering, Management, and Marketing. These are child OUs. Other than the Domain Controllers OU that you see in Figure 1, nothing else in the figure is an OU.
What does this have to do with Group Policy links? Well, GPOs in the Group Policy objects folder have no impact unless you link them to a site, domain, or OU. When you link a GPO to a container, Group Policy applies the GPO’s settings to the computers and users in that container.
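An added example, not from the question bank or TechNet: the two halves of answer B (the audit policy the GPO turns on, and the SACL on the folder) scripted for a single file server, followed by a query that pulls the resulting access events. It assumes the share lives at D:\Payroll (a constructed path) and that the script runs elevated on the file server.

```powershell
# Added example: enable object access auditing, put a SACL on the Payroll folder, and
# report who accessed which payroll file. D:\Payroll is a constructed path.

# 1. Audit policy: the local equivalent of the GPO's "Audit object access" (Success and Failure)
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2. SACL on the Payroll folder: audit the Everyone group, inherited by subfolders and files
$path = 'D:\Payroll'
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Report: event 4663 ("An attempt was made to access an object") for files under the folder
function Get-PayrollAccess {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        # The interesting fields are only in the event's EventData XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['ObjectName'] -like "$path*") {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Access  = $d['AccessMask']
                Process = $d['ProcessName']
            }
        }
      }
}

Get-PayrollAccess | Format-Table Time, User, Object, Access -AutoSize
```

Auditing Everyone rather than Authenticated Users also records anonymous and guest access attempts, which is the reason the correct option uses that group.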
Q176. Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.
Your company's corporate security policy states that the password for each user account must be changed at least every 45 days.
You have a user account named Service1. Service1 is used by a network application named Application1.
Every 45 days, Application1 fails.
After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.
What should you do?
A. Run the cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/ee617252.aspx
Set-ADServiceAccount
Syntax
Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates <string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
Detailed Description
The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.
The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet.
The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount cmdlet. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description.
Q177. ABC.com has a two-node Network Load Balancing cluster called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability for the intranet website only.
While monitoring the cluster, you discover that users can view the Network Load Balancing cluster in their Network Neighborhood and can use it to connect to various services by using the name web.CK1.com.
You also discover that only one port rule is configured for the Network Load Balancing cluster. You have to configure the web.CK1.com NLB cluster to accept HTTP traffic only.
Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution.)
A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc733056.aspx
Create a new Network Load Balancing Port Rule
Port rules control how a Network Load Balancing (NLB) cluster functions. To maximize control of various types of TCP/IP traffic, you can set up port rules to control how each port's cluster-network traffic is handled. The method by which a port's network traffic is handled is called its filtering mode. There are three possible filtering modes: Multiple hosts, Single host, and Disabled. You can also specify that a filtering mode apply to a numerical range of ports. You do this by defining a port rule with a set of configuration parameters that define the filtering mode. Each rule consists of the following configuration parameters:
The virtual IP address that the rule should apply to
The TCP or UDP port range that this rule should apply to
The protocols that this rule should apply to, including TCP, UDP, or both
The filtering mode that specifies how the cluster handles traffic, which is described by the port range and the protocols
In addition, you can select one of three options for client affinity: None, Single, or Network. Single and Network are used to ensure that all network traffic from a particular client is directed to the same cluster host.
To allow NLB to properly handle IP fragments, you should avoid using None when you select UDP or Both for your protocol setting. As an extension to the Single and Network options, you can configure a time-out setting to preserve client affinity when the configuration of an NLB cluster is changed. This extension also allows clients to keep affinity to a cluster host even if there are no active, existing connections from the client to the host.
Q178. The company runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and uses an Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revoked certificate information.
You need to make sure that the revoked certificate information is available at all times.
What should you do to achieve that?
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online Certificate Status Protocol) responder through an ISA (Internet Security and Acceleration) Server array.
D. Use network load balancing and publish an OCSP responder.
E. None of the above
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/ee619754%28v=ws.10%29.aspx How Certificate Revocation Works
Q179. ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network.
You are instructed to capture all replication errors from all domain controllers to a central location.
What should you do to achieve this task?
A. Initiate the Active Directory Diagnostics data collector set
B. Set event log subscriptions and configure it
C. Initiate the System Performance data collector set
D. Create a new capture in the Network Monitor
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc748890.aspx
Configure Computers to Forward and Collect Events
Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).
http://technet.microsoft.com/en-us/library/cc749183.aspx
Event Subscriptions
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.
http://technet.microsoft.com/en-us/library/cc961808.aspx
Replication Issues
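An added example, not from the question bank or TechNet: the collector-initiated subscription that answer B describes, limited to Critical and Error events from each domain controller's Directory Service log, where replication problems are recorded. It assumes it runs elevated on the collector with the ActiveDirectory module installed, that the source DCs have already had WinRM enabled, and that the subscription XML follows the wecutil schema; the subscription ID and description are made up here.

```powershell
# Added example: build and register an event subscription that pulls Directory Service
# errors from every DC into the collector's ForwardedEvents log.
Import-Module ActiveDirectory

# On every source DC, run once beforehand:  winrm quickconfig -q
# On this collector, configure the Windows Event Collector service (wecsvc):
wecutil qc /q

# One <EventSource> per DC, taken from the domain rather than typed by hand
$sources = Get-ADDomainController -Filter * | ForEach-Object {
    '    <EventSource Enabled="true"><Address>{0}</Address></EventSource>' -f $_.HostName
}

$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ADReplicationErrors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Error events from the Directory Service log of every DC</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Directory Service">
        <Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$($sources -join "`n")
  </EventSources>
</Subscription>
"@

$file = Join-Path $env:TEMP 'ADReplicationErrors.xml'
$xml | Out-File -FilePath $file -Encoding UTF8
wecutil cs $file                 # create-subscription from the XML
wecutil gr ADReplicationErrors   # get-subscriptionruntimestatus: shows per-source state and errors

# Forwarded copies land in the collector's ForwardedEvents log
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 |
    Format-Table TimeCreated, MachineName, Id, LevelDisplayName -AutoSize
```

With CredentialsType Default the collector's computer account reads the source logs, so it needs read access there (membership in each DC's Event Log Readers group is the usual way), otherwise wecutil gr reports the source as inactive.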
Q180. Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below:
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd759243.aspx
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
A host computer as a domain member running Windows Server 2008 R2.
An Active Directory forest with a Windows Server 2008 R2 schema.
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
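An added check, not from the question bank or TechNet: read the forest schema version and the functional levels so the blocking requirement (the schema, not the domain functional level) can be seen directly. It assumes the ActiveDirectory module and that it runs on the intended host computer; the objectVersion numbers are the documented schema versions for each Windows Server release.

```powershell
# Added example: report whether the environment meets the Certificate Enrollment Web Service
# requirements listed in the explanation.
Import-Module ActiveDirectory

function Get-AdCsWebEnrollmentReadiness {
    # objectVersion of CN=Schema for each release that introduced a schema update
    $knownSchema = @{ 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2';
                      44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2' }

    $rootDse = Get-ADRootDSE
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
    $version = [int]$schema.objectVersion

    # Requirement 1: the host running this script must be Windows Server 2008 R2 (NT 6.1)
    $hostOs = (Get-WmiObject -Class Win32_OperatingSystem).Version

    New-Object PSObject -Property @{
        HostOsVersion       = $hostOs
        HostIs2008R2        = ($hostOs -like '6.1*')
        SchemaVersion       = $version
        SchemaLevel         = $knownSchema[$version]
        SchemaIs2008R2      = ($version -ge 47)           # requirement 2
        DomainFunctionality = $rootDse.domainFunctionality   # not a requirement
        ForestFunctionality = $rootDse.forestFunctionality
        DomainControllers   = @(Get-ADDomainController -Filter * |
                                  Select-Object Name, OperatingSystem)
    }
}

Get-AdCsWebEnrollmentReadiness | Format-List
```

When SchemaIs2008R2 is false, the fix is adprep /forestprep from the Windows Server 2008 R2 media run on the schema master, which raises objectVersion to 47 without touching the functional levels.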