Microsoft 70-640, TS: Windows Server 2008 Active Directory, Configuring: exam questions and answers with explanations.
Q1. Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain.
You need to create the computer accounts in an OU.
What should you do?
A. Run the csvde -f computers.csv command
B. Run the ldifde -f computers.ldf command
C. Run the dsadd computer <computerdn> command
D. Run the dsmod computer <computerdn> command
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc754539%28v=ws.10%29.aspx
Dsadd computer
Syntax:
dsadd computer <ComputerDN> [-samid <SAMName>] [-desc <Description>] [-loc <Location>] [-memberof <GroupDN ...>] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-q] [{-uc | -uco | -uci}]
Personal comment: You use ldifde and csvde to import and export directory objects to Active Directory.
http://support.microsoft.com/kb/237677
http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx
Q2. Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).
An RODC server is stolen from one of the branch offices.
You need to identify the user accounts that were cached on the stolen RODC server.
Which utility should you use?
A. Dsmod.exe
B. Ntdsutil.exe
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc835486%28v=ws.10%29.aspx
Securing Accounts After an RODC Is Stolen
If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC. An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.
Q3. Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned.
You need to remove the child domain from the Active Directory forest.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role.
D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.
Answer: C,D
Explanation:
http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx
Decommissioning a Domain Controller
To complete this task, perform the following procedures:
1. View the current operations master role holders
2. Transfer the schema master
3. Transfer the domain naming master
4. Transfer the domain-level operations master roles
5. Determine whether a domain controller is a global catalog server
6. Verify DNS registration and functionality
7. Verify communication with other domain controllers
8. Verify the availability of the operations masters
9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key
10. Uninstall Active Directory
11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate
12. Determine whether a Server object has child objects
13. Delete a Server object from a site
http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx
Uninstall Active Directory
To uninstall Active Directory
1. Click Start, click Run, type dcpromo and then click OK.
Q4. Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7.
You install Windows Server 2008 R2 on a server named Server1.
You need to perform an offline domain join of Server1.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.
Answer: A,C
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
Offline Domain Join
Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.
Four major steps are required to join a computer to the domain by using offline domain join:
1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information, called a blob, to a text file.
3. On the offline computer that you want to join to the domain, use DJoin to import the blob into the Windows directory.
4. When you start or restart the computer, it will be a member of the domain.
Q5. Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller.
You disable an account that has administrative rights.
You need to immediately replicate the disabled account information to all sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects and force replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Answer: B,C
Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx
Repadmin /syncall
Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/
How to force replication of Domain Controllers
From time to time it’s necessary to kick off AD replication to speed up a task you may be doing, or just a good tool to check the status of replication between DCs. Below is a command to replicate from a specified DC to all other DCs.
Repadmin /syncall DC_name /Aped
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name.
http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx
Force replication over a connection
To force replication over a connection
1. Open Active Directory Sites and Services.
Q6. Your network contains an Active Directory domain named contoso.com.
You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes.
Which security policy setting should you configure?
A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
D. Audit Other Account Management Events
Answer: C
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/dd772641.aspx
Audit Directory Service Changes
This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
Explanation 2: http://technet.microsoft.com/en-us/library/cc731607.aspx
AD DS Auditing Step-by-Step Guide
This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte.
Q7. Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One of these GPOs publishes applications to user objects. A user reports that the application is not available for installation.
You need to identify whether the GPO has been applied.
What should you do?
A. Run the Group Policy Results utility for the user.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
D. Run the Group Policy Results utility for the computer.
Answer: A
Explanation:
Personal note: You run the utility for the user and not for the computer because the application publishes to user objects.
http://technet.microsoft.com/en-us/library/bb456989.aspx
How to Use the Group Policy Results (GPResult.exe) Command Line Tool
Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns settings in effect on the computer on which GPResult is run.
To run GPResult on your own computer:
1. Click Start, Run, and enter cmd to open a command window.
2. Type gpresult and redirect the output to a text file as shown in Figure 1 below:
3. Enter notepad gp.txt to open the file. Results appear as shown in the figure below.
Q8. Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web.
You configure and test new security settings for Internet Information Services (IIS) servers on a server named IISServerA.
You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit.
What should you do?
A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /db webou.inf from the command prompt.
B. Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit.
C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt.
D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.
Answer: B
Explanation:
http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates
Using Secedit To Apply Security Templates
Secedit /configure /db secedit.sdb /cfg "c:\temp\custom.inf" /silent >nul
This command imports a security template file, “custom.inf”, into the workstation’s or server’s local security database. /db must be specified. When specifying the default security database (secedit.sdb), I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option suppresses any pop-ups and the >nul hides the command line output stating success or failure of the action.
Q9. Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
A. certreq.exe retrieve
B. certreq.exe submit
C. certutil.exe getkey
D. certutil.exe pulse
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/
What does "certutil -pulse" command do?
Certutil -pulse will initiate autoenrollment requests.
It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7):
Right-click Certificates, point to All Tasks, click Automatically Enroll and Retrieve Certificates.
The command does require that
- any autoenrollment GPO settings have already been applied to the target user or computer
- a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user
- the group membership is recognized in the user's token (they have logged on after the membership was added)
http://technet.microsoft.com/library/cc732443.aspx
Certutil
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.
Verbs
The following table describes the verbs that can be used with the certutil command.
pulse: Pulse auto enrollment events
Q10. HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in the answer area.
Answer: