
Key benefits of braindump 70-640





2021 Sep mcitp 70-640 pdf:

Q141. You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller. 

You need to perform a non-authoritative restore of the domain controller by using an existing backup file. 

What should you do? 

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore. 

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore. 

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore. 

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore. 

Answer: A 

Explanation: 

Almost identical to B26

http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx

Performing Nonauthoritative Restore of Active Directory Domain Services

A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.

Nonauthoritative Restore Requirements

You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller. On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.

To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:

System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.

Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.

Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.


Q142. Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

At 07:00, an administrator deletes a user account while he is logged on to DC1. 

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort. 

What should you do? 

A. On DC1, run the Restore-ADObject cmdlet. 

B. On DC3, run the Restore-ADObject cmdlet. 

C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active Directory Domain Services. 

D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services. 

Answer: D 

Explanation: 

We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003." See http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Performing an authoritative restore on DC3 updates the Update Sequence Number (USN) on that DC, which causes it to replicate the restored user account to other DCs.

Explanation 1: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692

An authoritative restore restores data that was lost and updates the Update Sequence Number (USN) for the data to make it authoritative and ensure that it is replicated to all other servers.

Explanation 2: http://technet.microsoft.com/en-us/library/cc755296.aspx

Authoritative restore of AD DS has the following requirements: You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.


Q143. Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network. 

What should you do? 

A. Run the repadmin /kcc <servername> command on the test computer. 

B. Create a naming context by running the Dsmgmt command on the test computer. 

C. Create a new directory partition by running the Dsmgmt command on the test computer. 

D. Create and install a replica by running the AD LDS Setup wizard on the test computer. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc771946.aspx 

Create a Replica AD LDS Instance 

To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance.

To create a replica AD LDS instance

1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard. 

2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next. 

3. On the Setup Options page, click A replica of an existing instance, and then click Next. 

4. Finish creating the new instance by following the wizard instructions. 


Q144. Your network contains an Active Directory domain named contoso.com. You remove several computers from the network. 

You need to ensure that the host (A) records for the removed computers are automatically deleted from the contoso.com DNS zone. 

What should you do? 

A. Configure dynamic updates. 

B. Configure aging and scavenging. 

C. Create a scheduled task that runs the Dnscmd /ClearCache command. 

D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command. 

Answer: B 

Explanation: 



http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx

Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties. 

3. On the General tab, click Aging. 

4. Select the Scavenge stale resource records check box. 

5. Modify other aging and scavenging properties as needed. 

To set aging and scavenging properties for a zone using a command line 

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following command, and then press ENTER: 

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}




Q145. Your network contains an Active Directory forest. The forest contains a single domain. 

You want to access resources in a domain that is located in another forest. 

You need to configure a trust between the domain in your forest and the domain in the other forest. 

What should you create? 

A. an incoming external trust 

B. an incoming realm trust 

C. an outgoing external trust 

D. an outgoing realm trust 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc816877.aspx 

A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest). 



Most up-to-date pdf 70-640:

Q146. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. 

You upgrade all domain controllers to Windows Server 2008. 

You need to configure the Active Directory environment to support the application of multiple password policies. 

What should you do? 

A. Raise the functional level of the domain to Windows Server 2008. 

B. On one domain controller, run dcpromo /adv. 

C. Create multiple Active Directory sites. 

D. On all domain controllers, run dcpromo /adv. 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server 2008 domains.

In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

Requirements and special considerations for fine-grained password and account lockout policies

Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.


Q147. Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects. 

You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest. 

What should you use? 

A. the Dsquery tool 

B. the Export-CSV cmdlet 

C. the Get-ADUser cmdlet 

D. the Net.exe user command 

Answer: C 

Explanation: 


https://devcentral.f5.com/weblogs/Joe/archive/2009/01/09/powershell-abcs---o-is-for-output.aspx 

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/8d8649d9-f591-4b44-b838-e0f5f3a591d7 

http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/ 

Export-Csv 

Explanation: 

http://technet.microsoft.com/en-us/library/ee176825.aspx 

Saving Data as a Comma-Separated Values File 

The Export-Csv cmdlet makes it easy to export data as a comma-separated values (CSV) file; all you need to do is call Export-Csv followed by the path to the CSV file. For example, this command uses Get-Process to grab information about all the processes running on the computer, then uses Export-Csv to write that data to a file named C:\Scripts\Test.txt:

Get-Process | Export-Csv c:\scripts\test.txt

Net User 

Explanation: 

http://technet.microsoft.com/en-us/library/cc771865.aspx 

Adds or modifies user accounts, or displays user account information. 

DSQUERY 

Explanation 1: 

http://technet.microsoft.com/en-us/library/cc754232.aspx 

Parameters 

{<StartNode> | forestroot | domainroot} 

Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog.

-attr {<AttributeList> | *}

Specifies the semicolon-separated LDAP display names in <AttributeList> to display for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name.

Explanation 2: 

http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b 

Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the start node, instead of forestroot, which is what we need.

Explanation 3: 

http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/ 

List all last login times for all users, regardless of whether they are disabled. 

dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >>c:\last_logon_for_all.txt


Q148. Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table. 


You need to ensure that all device certificate requests use the MD5 hash algorithm. 

What should you do? 

A. On Server2, run the Certutil tool. 

B. On Server1, update the CEP Encryption certificate template. 

C. On Server1, update the Exchange Enrollment Agent (Offline Request) template. 

D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/ff955642.aspx 

Managing Network Device Enrollment Service 

Configuring NDES 

NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.

To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table.

Key name: HashAlgorithm \ HashAlgorithm
Value Data Type: String
Default value: SHA1
Description: Accepted values are SHA1 and MD5.


Q149. Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. 

You add multiple DNS records to the zone. 

You need to ensure that the records are replicated to all DNS servers. 

Which tool should you use? 

A. Dnslint 

B. Ldp 

C. Nslookup 

D. Repadmin 

Answer: D 

Explanation: 

To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool. 

Explanation: http://technet.microsoft.com/en-us/library/cc811569.aspx 

Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.

Force a replication event with all partners

The repadmin /syncall command synchronizes a specified domain controller with all replication partners.

Syntax 

repadmin /syncall <DC> [<NamingContext>] [<Flags>] 

Parameters 

<DC> Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext> Specifies the distinguished name of the directory partition.

<Flags> Performs specific actions during the replication.


Q150. You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module. 

You need to back up Active Directory Certificate Services on the CA. 

Which command should you run? 

A. certutil.exe backup 

B. certutil.exe backupdb 

C. certutil.exe backupkey 

D. certutil.exe store 

Answer: B 

Explanation: 

Because a hardware security module (HSM) is used that stores the private keys, the command certutil.exe -backup would fail, since we cannot extract the private keys from the module. The HSM should have a proprietary procedure for that.

The given commands are:

certutil -backup: Backup set includes certificate database, CA certificate and the CA key pair

certutil -backupdb: Backup set only includes certificate database

certutil -backupkey: Backup set only includes CA certificate and the CA key pair

certutil -store: Provides a dump of the certificate store onscreen.

Since we cannot extract the keys from the HSM we have to use backupdb.

Explanation 1: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215

For the commands listed above.

Explanation 2: http://technet.microsoft.com/en-us/library/cc732443.aspx

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

Syntax

Certutil <-parameter> [-parameter]

Parameter

-backupdb Backup the Active Directory Certificate Services database

Explanation 3: http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/