Pass4sure practice questions and answers for the Microsoft 70-640 exam (TS: Windows Server 2008 Active Directory, Configuring).
Q31. Your company asks you to implement Windows Cardspace in the domain.
You want to use Windows Cardspace at your home.
Your home and office computers run Windows Vista Ultimate.
What should you do to create a backup copy of Windows Cardspace cards to be used at home?
A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace application to backup the data on your USB drive.
E. Reformat the C: Drive
F. None of the above
Answer: D
Explanation:
http://windows.microsoft.com/en-us/windows7/windows-cardspace-for-itpros#BKMK_HowdoIbackupmycardsortransferthemtoanothercomputer
Windows CardSpace for IT pros
Microsoft Windows CardSpace is a system for creating relationships with websites and
online services.
Windows CardSpace provides a consistent way for:
Sites to request information from you.
You to review the identity of a site.
You to manage your information by using Information Cards.
You to review card information before you send it.
Windows CardSpace can replace the user names and passwords that you use to register
with and log on to websites and online services.
15. How do I back up my cards or transfer them to another computer?
Cards are stored on your computer in an encrypted format. To save a backup file
containing some or all of your cards or to use a card on a different computer, you can save
cards to a backup card file.
To back up your cards:
1. Start Windows CardSpace.
2. View all your cards.
3. In the pane on the right of your screen, click Back up cards.
4. Select the cards that you want to back up.
5. Browse to the folder where you want to save the backup card file, and then give it a
name.
When you complete these steps, you save a file containing some or all of your cards. You
can copy the backup card file to media such as a Universal Serial Bus (USB) storage
device, CD, or other digital media. You can restore the backup card file on this computer or
on another computer.
To restore your cards:
1. Save the backup card file to the computer.
2. Browse to the location of the file on the computer.
3. Double-click the file, and then follow the instructions to restore the cards.
Q32. Your network contains an Active Directory Rights Management Services (AD RMS) cluster.
You have several custom policy templates. The custom policy templates are updated
frequently.
Some users report that it takes as many as 30 days to receive the updated policy
templates.
You need to ensure that users receive the updated custom policy templates within seven
days.
What should you do?
A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users' computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc771971.aspx
Configuring the AD RMS client
The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks the updateFrequency DWORD registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this case, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value, which forces the client computer to update its rights policy templates.
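As an added example (not part of the dump or the cited TechNet article), the client-side registry change that answer B refers to, in PowerShell. The key path comes from the article above and the 7-day value from the question; the script assumes it runs in the affected user's context, because the key lives under HKEY_CURRENT_USER.

```powershell
# Added example: configure the AD RMS client template refresh interval.
# Key path is from the TechNet article quoted above; it is per-user (HKCU),
# so run this as the user whose templates are stale.
$KeyPath = 'HKCU:\Software\Policies\Microsoft\MSDRM\TemplateManagement'

function Get-RmsTemplateUpdateFrequency {
    # Returns the configured interval in days; 30 when the value is absent (the built-in default).
    $item = Get-ItemProperty -Path $KeyPath -Name 'updateFrequency' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 30 }
    return [int]$item.updateFrequency
}

function Set-RmsTemplateUpdateFrequency {
    param([Parameter(Mandatory)][ValidateRange(1, 365)][int]$Days)
    # The key does not exist by default, so create it before writing the DWORD.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name 'updateFrequency' -PropertyType DWord `
        -Value $Days -Force | Out-Null
}

"Before: templates refresh every {0} day(s)" -f (Get-RmsTemplateUpdateFrequency)
Set-RmsTemplateUpdateFrequency -Days 7
"After:  templates refresh every {0} day(s)" -f (Get-RmsTemplateUpdateFrequency)
```

For a fleet of client computers the same DWORD is normally pushed with a Group Policy Preferences registry item rather than run by hand on each machine.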
Q33. You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc770536.aspx
To back up a Group Policy object
1. In the Group Policy Management Console (GPMC) console tree, open Group Policy Objects in the forest and domain containing the Group Policy object (GPO) to back up.
2. To back up a single GPO, right-click the GPO, and then click Back Up. To back up all GPOs in the domain, right-click Group Policy objects and click Back Up All.
Q34. Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.
You need to install an enterprise subordinate certification authority (CA) that supports private key archival.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role template check box.
Answer: B
Explanation:
Not sure about this one. See my thoughts below.
According to MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) key archival
is not available in the Windows Server 2008 R2 Standard edition, so that would leave out
answer B.
Another dump gives the following for answer B:
"Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise."
Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go
for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think.
Certificate Enrollment Policy Web Service role of answer C was introduced in Windows
Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008
machine.
Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a
hardware-based approach to manage user authentication, network access, data protection
and more that takes security to higher level than software-based security."
(http://www.trustedcomputinggroup.org/resources/how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/)
Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise
edition. Hope the VCE is wrong.
Q35. Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators.
B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units.
D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators.
Answer: A,B
Explanation:
Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their
branch organizational units to the branch office administrators.
Add the user accounts of the branch office administrators to the Group Policy Creator
Owners Group.
http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit
To delegate control of an organizational unit:
1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
Where?
Active Directory Users and Computers\ domain node \ organizational unit
3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx
Delegating Administration of Group Policy
Your Group Policy design will probably call for delegating certain Group Policy
administrative tasks.
Determining to what degree to centralize or distribute administrative control of Group Policy
is one of the most important factors to consider when assessing the needs of your
organization. In organizations that use a centralized administration model, an IT group
provides services, makes decisions, and sets standards for the entire company. In
organizations that use a distributed administration model, each business unit manages its
own IT group.
You can delegate the following Group Policy tasks:
Creating GPOs
Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc.
Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs.
When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.
Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate.
Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission:
1. Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.
2. Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC. You can manage this permission by using the Delegation tab on the Group Policy objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups.
Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain. If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions. Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.
Q36. You need to identify all failed logon attempts on the domain controllers.
What should you do?
A. View the Netlogon.log file.
B. View the Security tab on the domain controller computer object.
C. Run Event Viewer.
D. Run the Security and Configuration Wizard.
Answer: C
Explanation:
http://support.microsoft.com/kb/174074
Security Event Descriptions
This article contains descriptions of various security-related and auditing-related events, and tips for interpreting them. These events will all appear in the Security event log and will be logged with a source of "Security."
Each of the following logon failure events is of type Failure Audit and carries the fields User Name: %1, Domain: %2, Logon Type: %3, Logon Process: %4, Authentication Package: %5, Workstation Name: %6.
Event ID 529: Logon Failure: Reason: Unknown user name or bad password
Event ID 530: Logon Failure: Reason: Account logon time restriction violation
Event ID 531: Logon Failure: Reason: Account currently disabled
Event ID 532: Logon Failure: Reason: The specified user account has expired
Event ID 533: Logon Failure: Reason: User not allowed to logon at this computer
Event ID 534: Logon Failure: Reason: The user has not been granted the requested logon type at this machine
Event ID 535: Logon Failure: Reason: The specified account's password has expired
Event ID 536: Logon Failure: Reason: The NetLogon component is not active
Event ID 537: Logon Failure: Reason: An unexpected error occurred during logon
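As an added example (not part of the dump or the KB article), a small PowerShell triage routine that maps the failure-audit IDs listed above to their reasons and summarises failed logons per account and workstation. The sample events are constructed to mirror the %1..%6 fields; on a real domain controller they would come from the Security log instead.

```powershell
# Added example: summarise failed logon events using the KB 174074 ID table above.
$LogonFailureReasons = @{
    529 = 'Unknown user name or bad password'
    530 = 'Account logon time restriction violation'
    531 = 'Account currently disabled'
    532 = 'The specified user account has expired'
    533 = 'User not allowed to logon at this computer'
    534 = 'The user has not been granted the requested logon type at this machine'
    535 = "The specified account's password has expired"
    536 = 'The NetLogon component is not active'
    537 = 'An unexpected error occurred during logon'
}

# Constructed sample data in the shape of the event fields (%1..%6); not real log output.
# On a DC, replace with: Get-EventLog -LogName Security -EntryType FailureAudit
$SampleEvents = @(
    [pscustomobject]@{ EventID = 529; UserName = 'jsmith';  Domain = 'CONTOSO'; LogonType = 3; Workstation = 'WS01' }
    [pscustomobject]@{ EventID = 529; UserName = 'jsmith';  Domain = 'CONTOSO'; LogonType = 3; Workstation = 'WS01' }
    [pscustomobject]@{ EventID = 529; UserName = 'jsmith';  Domain = 'CONTOSO'; LogonType = 3; Workstation = 'WS01' }
    [pscustomobject]@{ EventID = 531; UserName = 'svc_bak'; Domain = 'CONTOSO'; LogonType = 2; Workstation = 'DC1'  }
    [pscustomobject]@{ EventID = 528; UserName = 'admin';   Domain = 'CONTOSO'; LogonType = 2; Workstation = 'DC1'  }  # success audit, ignored
)

function Get-LogonFailureSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 3   # flag account/workstation pairs with this many failures or more
    )
    $Events |
        Where-Object { $LogonFailureReasons.ContainsKey([int]$_.EventID) } |
        Group-Object UserName, Workstation |
        ForEach-Object {
            $first   = $_.Group[0]
            $reasons = $_.Group | ForEach-Object { $LogonFailureReasons[[int]$_.EventID] } | Sort-Object -Unique
            $flag    = if ($_.Count -ge $Threshold) { 'REVIEW' } else { '' }
            [pscustomobject]@{
                Account     = "$($first.Domain)\$($first.UserName)"
                Workstation = $first.Workstation
                Failures    = $_.Count
                Reasons     = $reasons -join '; '
                Flag        = $flag
            }
        }
}

Get-LogonFailureSummary -Events $SampleEvents | Format-Table -AutoSize
```

The 529-537 numbering is the classic (pre-Vista) scheme from the cited article; on Windows Server 2008 domain controllers the same failures are logged as event ID 4625, so the lookup table would be keyed on the failure status/sub-status of that event instead.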
Q37. Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode.
You configure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encryption option.
What should you do?
A. Raise the forest functional level of fabrikam.com to Windows Server 2008.
B. Raise the domain functional level of fabrikam.com to Windows Server 2008.
C. Raise the forest functional level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentication.
Answer: B
Explanation:
Answer: Raise the domain functional level of fabrikam.com to Windows Server 2008.
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
Features that are available at domain functional levels
Windows Server 2008 All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
* Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol. In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.
Further information:
http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx
Kerberos Enhancements
Requirements
All Kerberos authentication requests involve three different parties: the client requesting a connection, the server that will provide the requested data, and the Kerberos KDC that provides the keys that are used to protect the various messages. This discussion focuses on how AES can be used to protect these Kerberos authentication protocol messages and data structures that are exchanged among the three parties. Typically, when the parties are operating systems running Windows Vista or Windows Server 2008, the exchange will use AES. However, if one of the parties is an operating system running Windows 2000 Professional, Windows 2000 Server, Windows XP, or Windows Server 2003, the exchange will not use AES.
Q38. Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role.
DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role.
You need to ensure that DC2 holds the Schema Master role.
What should you do?
A. Configure DC2 as a bridgehead server.
B. On DC2, seize the Schema Master role.
C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in.
D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.
Answer: B
Explanation:
Answer: On DC2, seize the Schema Master role.
http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspx
Transfer the Schema Master
You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.
Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.
http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspx
Seize the AD LDS Schema Master Role
The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the AD LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set. Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.
Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.
Q39. You are decommissioning domain controllers that hold all forest-wide operations master roles.
You need to transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Answer: A,E
Explanation:
Answer: Schema master Domain naming master
http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-windows-server-2008.aspx
Transferring FSMO Roles in Windows Server 2008
One of any system administrator's duties would be to upgrade a current domain controller to a new hardware server. One of the crucial steps required to successfully migrate your domain controller is to be able to successfully transfer the FSMO roles to the new hardware server. FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles. The five FSMO roles are:
1. Schema Master
2. Domain Naming Master
3. Infrastructure Master
4. Relative ID (RID) Master
5. PDC Emulator
The first two roles above are forest-wide, meaning there is one of each for the entire forest. The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
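As an added example covering both Q38 (seize only when transfer is impossible) and Q39 (the two forest-wide roles), and not part of the dump or the articles it cites, a PowerShell routine that transfers the schema master and domain naming master to a target DC and falls back to seizing only if the transfer fails. It assumes the ActiveDirectory module (RSAT or Windows Server 2008 R2 and later; on plain Server 2008 the equivalent is Ntdsutil.exe), membership in Schema Admins and Enterprise Admins, and DC2 as a placeholder server name.

```powershell
# Added example: move the forest-wide FSMO roles, preferring transfer over seizure.
Import-Module ActiveDirectory

$ForestWideRoles = 'SchemaMaster', 'DomainNamingMaster'   # the two roles from Q39

function Move-ForestWideRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$SeizeIfTransferFails
    )
    try {
        # Transfer: the current role holder must be online so the two DCs can replicate.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $ForestWideRoles -Confirm:$false -ErrorAction Stop
        return 'transferred'
    }
    catch {
        if (-not $SeizeIfTransferFails) { throw }
        Write-Warning "Transfer failed ($($_.Exception.Message)); seizing roles on $TargetDC"
        # Seize (-Force): only when the old holder (DC1 in Q38) will never return; it must
        # not be brought back online afterwards still believing it owns these roles.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
            -OperationMasterRole $ForestWideRoles -Force -Confirm:$false -ErrorAction Stop
        return 'seized'
    }
}

function Get-ForestWideRoleHolders {
    # Read back the holders from the forest object to confirm the move took effect.
    $forest = Get-ADForest
    [pscustomobject]@{
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
}

$result = Move-ForestWideRoles -TargetDC 'DC2' -SeizeIfTransferFails
"Forest-wide roles $result to DC2"
Get-ForestWideRoleHolders
```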
Q40. Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com.
You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server.
Users in fabrikam.com are unable to resolve FS1 by using DNS.
You need to ensure that FS1 has an A record in the fabrikam.com DNS zone.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.
B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com.
C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.
D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.
E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com.
Answer: B,D