We are proud of our high-quality, good-value Microsoft 70-640 practice resources, because we have had a high passing rate since we started. Most of our customers have passed the Microsoft 70-640 actual test and made remarkable achievements. Consequently we guarantee that you will also succeed, as long as you take full advantage of the Actualtests Microsoft certification simulated tests.
Q121. Your network contains a server named Server1 that runs Windows Server 2008 R2.
On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You connect to Instance1 by using ADSI Edit.
You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.
What should you do?
A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc772194.aspx
To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\ADAM on the computer where AD LDS is installed. The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.
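The check-then-import sequence described above, as an added example that is not part of the original dump: it reads the instance's schema naming context from RootDSE, tests whether the user class already exists, and only then runs ldifde against Microsoft's MS-User.LDF. The instance address localhost:389 and the default %windir%\ADAM location are assumptions.

```powershell
# Added example (not from the exam dump): check whether the AD LDS instance
# already has the 'user' class and, if not, import Microsoft's optional
# MS-User.LDF schema extension. Assumes the instance listens on localhost:389
# and that the AD LDS files are in %windir%\ADAM (the default location).
param(
    [string]$Server  = "localhost:389",
    [string]$LdfFile = "MS-User.LDF"   # also shipped: MS-InetOrgPerson.LDF, MS-UserProxy.LDF
)

# The schema naming context of an AD LDS instance is not predictable
# (CN=Schema,CN=Configuration,CN={instance GUID}), so read it from RootDSE.
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value
Write-Host "Schema naming context: $schemaNc"

function Test-AdLdsClass {
    param([string]$ClassName)
    # Returns $true when a classSchema object with this CN exists in the schema partition.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$Server/$schemaNc"
    $searcher.Filter      = "(&(objectClass=classSchema)(cn=$ClassName))"
    $searcher.SearchScope = "OneLevel"
    return ($searcher.FindOne() -ne $null)
}

if (Test-AdLdsClass -ClassName "User") {
    Write-Host "The 'user' class is already present; nothing to import."
    return
}

$ldfPath = Join-Path $env:windir "ADAM\$LdfFile"
if (-not (Test-Path $ldfPath)) { throw "LDF file not found: $ldfPath" }

# ldifde -i imports, -k skips 'already exists' errors, -j . writes ldif.log to the
# current directory, and -c rewrites the placeholder DN used inside the LDF file
# to this instance's real schema naming context.
& ldifde.exe -i -f $ldfPath -s $Server -k -j . -c "CN=Schema,CN=Configuration,DC=X" $schemaNc
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE (see ldif.log)" }

if (Test-AdLdsClass -ClassName "User") {
    Write-Host "Import succeeded: user objects can now be created in this instance."
} else {
    Write-Warning "ldifde ran but the 'user' class is still missing; review ldif.log."
}
```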
Q122. ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed.
Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?
A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts
B. Add a password replication policy to the main Domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server
D. Configure and add a separate password replication policy on each RODC computer account
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently. The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
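Answer D in practice, as an added example that is not part of the original dump: one Password Replication Policy per RODC, followed by an audit of which accounts are actually cached on each one. The RODC names, the per-branch groups and the "Sensitive Service Accounts" group are constructed placeholders; the ActiveDirectory module cmdlets are the ones shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the exam dump): give each branch RODC its own
# Password Replication Policy so a branch user's credentials are cached only on
# that branch's RODC, then audit what each RODC has really cached.
Import-Module ActiveDirectory

# Placeholders: one security group per branch, one RODC per branch.
$branches = @(
    @{ Rodc = "RODC-BRANCH01"; Group = "Branch01 Users" },
    @{ Rodc = "RODC-BRANCH02"; Group = "Branch02 Users" }
)
# Constructed group for accounts that must never be cached on any RODC (the
# built-in Denied RODC Password Replication Group already covers Domain Admins,
# Enterprise Admins and similar).
$neverCache = "Sensitive Service Accounts"

foreach ($b in $branches) {
    # Allowed list: only this branch's users may have their secrets cached here.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $b.Rodc -AllowedList $b.Group
    # Denied entries take precedence over allowed ones.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $b.Rodc -DeniedList $neverCache

    Write-Host "`n== $($b.Rodc): allowed =="
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $b.Rodc -Allowed |
        Select-Object Name, objectClass | Format-Table -AutoSize
    Write-Host "== $($b.Rodc): denied =="
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $b.Rodc -Denied |
        Select-Object Name, objectClass | Format-Table -AutoSize
}

# Audit: user accounts whose secrets are actually cached on an RODC. If a branch
# server is stolen, this is the set of passwords to reset, so any name that is
# not a member of that branch's group is a policy mistake worth fixing.
function Get-RodcCachedUsers {
    param([string]$Rodc, [string]$ExpectedGroup)
    $expected = Get-ADGroupMember -Identity $ExpectedGroup -Recursive |
        ForEach-Object { $_.distinguishedName }
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Where-Object { $_.objectClass -eq "user" -and $_.Name -notlike "krbtgt*" } |  # skip the RODC's own krbtgt
        Select-Object Name, DistinguishedName,
            @{ n = "Unexpected"; e = { $expected -notcontains $_.DistinguishedName } }
}

foreach ($b in $branches) {
    Get-RodcCachedUsers -Rodc $b.Rodc -ExpectedGroup $b.Group |
        Where-Object { $_.Unexpected } |
        ForEach-Object { Write-Warning "$($b.Rodc) has cached secrets for $($_.Name), which is not in $($b.Group)" }
}
```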
Q123. Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone.
What should you do?
A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Answer: C
Explanation:
Answer: From the DNS Manager console, modify the permissions of the contoso.com zone.
http://technet.microsoft.com/en-us/library/cc753213.aspx
Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.
To modify security for a directory-integrated zone:
1. Open DNS Manager.
2. In the console tree, click the applicable zone. Where? DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.
Further information:
http://support.microsoft.com/kb/163971
The Structure of a DNS SOA Record
The first resource record in any Domain Name System (DNS) zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain.
The SOA resource record contains the following information:
Source host - The host where the file was created.
Contact e-mail - The e-mail address of the person responsible for administering the domain's zone file. Note that a "." is used instead of an "@" in the e-mail name.
Serial number - The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a change is made, so that the changes will be distributed to any secondary DNS servers.
Refresh time - The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record with the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
Retry time - The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
Expire time - The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.
http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx
Modify the start of authority (SOA) record for a zone
Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
Q124. You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes.
Which three actions should you perform? (Each correct answer presents part of the solution.
Choose three.)
A. Set the Minimum password age setting to one day.
B. Set the Maximum password age setting to one day.
C. Set the Account lockout duration setting to 5 minutes.
D. Set the Reset account lockout counter after setting to 5 minutes.
E. Set the Account lockout threshold setting to 3 invalid logon attempts.
F. Set the Enforce password history setting to 3 passwords remembered.
Answer: C,D,E
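The three settings from answers C, D and E applied with PowerShell, as an added example that is not part of the original dump; it also shows the sanity checks Windows itself enforces (duration at least as long as the observation window) and lists currently locked-out accounts. The domain name contoso.com is a placeholder.

```powershell
# Added example (not from the exam dump): apply the lockout settings from the
# question (3 bad passwords within 5 minutes -> locked out for 5 minutes) to the
# domain's default policy, then verify. Assumes the ActiveDirectory module and
# a placeholder domain name.
Import-Module ActiveDirectory
$domain = "contoso.com"

# Starting point for comparison: a threshold of 0 means "never lock out".
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain
"Before: threshold={0} window={1} duration={2}" -f $before.LockoutThreshold,
    $before.LockoutObservationWindow, $before.LockoutDuration

# The three parameters map to the three correct answers:
#   LockoutThreshold         = Account lockout threshold (E)
#   LockoutObservationWindow = Reset account lockout counter after (D)
#   LockoutDuration          = Account lockout duration (C)
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 5) `
    -LockoutDuration (New-TimeSpan -Minutes 5)

$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain
# Windows requires duration >= observation window, and a threshold of 0 disables lockout.
if ($after.LockoutThreshold -lt 1) { throw "Lockout is still disabled" }
if ($after.LockoutDuration -lt $after.LockoutObservationWindow) {
    throw "Lockout duration is shorter than the observation window"
}
"After:  threshold={0} window={1} duration={2}" -f $after.LockoutThreshold,
    $after.LockoutObservationWindow, $after.LockoutDuration

# Operational check while tuning: who is locked out right now? A threshold that
# is too low turns password lockout into an easy denial of service.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
```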
Q125. Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?
A. Add the DNS Server role.
B. Add the Active Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable
Many times, administrators ask me what to do when, while installing Active Directory Certificate Services, they cannot choose to install an Enterprise Certification Authority because it's unavailable, as in the following picture:
[Screenshot: the Enterprise CA option is unavailable in the Add Roles Wizard]
Well, you need to fulfil the basic requirements:
The server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Datacenter Windows Edition. The difference is the number of AD CS features and components that can be enabled. To get full functionality, you need to run on the Enterprise or Datacenter edition of Windows Server 2008 /R2/. That includes functionality like role separation, certificate manager restrictions, delegated enrollment agent restrictions, certificate enrollment across forests, Online Responder and Network Device Enrollment.
In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through group nesting).
If the issue still persists, there is probably a problem with getting the correct credentials for your account. There are many things that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I have seen, this troubleshooting helped perfectly:
First of all, carefully check all the above requirements.
Secondly, install all available patches and Service Packs with Windows Update before trying to install the Enterprise CA.
Check the network settings on the CA server. If there is no DNS setting, the Certificate Authority server cannot resolve and find the domain.
Sufficient privileges for writing the Enterprise CA configuration information into the AD configuration partition are required. Determine whether you are a member of Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install AD CS with. In fact, you may be sure that your account is in the Enterprise Admins group, but check how the CA server "sees" your account membership by typing whoami /groups. You also need to be a member of the local Administrators group. If you were not, you wouldn't be able to run Server Manager, but it still needs to be checked.
View the C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example, a status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the needed memberships are not correct.
Don't forget to check the Event Viewer on the CA server side and look for red lines.
Verify that network devices or software and hardware firewalls are not blocking access from/to the server and Domain Controllers. If they are, the Certificate Authority server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName. Check also whether the CA server is connected to a writable Domain Controller.
The Enterprise Admins group is the most powerful group and has the full control permissions AD CS requires, but who knows, maybe someone changed the default permissions? Run adsiedit.msc on a Domain Controller, connect to the default context and first of all check whether the CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container exists. If so, check the permissions for all subcontainers under Public Key Services to see whether the Enterprise Admins group has full control permissions. The main subcontainers to verify are the Certificate Templates, OID and KRA containers.
If none of the above tips help, disjoin the server from the domain and join it again. Ultimately, reinstall the operating system on the CA server.
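The troubleshooting checklist above as a pre-flight script, an added example that is not part of the original dump or of the quoted blog: it checks domain membership, the installer's token via whoami /groups, the secure channel via nltest, the Public Key Services subcontainers, and any ENUM_ENTERPRISE_UNAVAIL_REASON line in certocm.log. Run on the prospective CA server; the container names are the standard ones, everything else is read from the machine.

```powershell
# Added example (not from the exam dump): pre-flight checks for an Enterprise CA
# install, scripting the troubleshooting steps from the explanation above.
$problems = @()

# 1. Must be a member server: a workgroup machine never gets the Enterprise CA option.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { $problems += "Server is not domain joined (workgroup: $($cs.Workgroup))" }

# 2. Installer must be in Enterprise Admins or Domain Admins of the forest root
#    and a local Administrator. 'whoami /groups' shows the token as this server sees it.
$groups = & whoami.exe /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_."Group Name" }
if (-not ($groups | Where-Object { $_ -match "Enterprise Admins|Domain Admins" })) {
    $problems += "Token contains neither Enterprise Admins nor Domain Admins (nested membership may not be expanded yet)"
}
if (-not ($groups -contains "BUILTIN\Administrators")) { $problems += "Account is not a local Administrator" }

# 3. Secure channel to a domain controller.
if ($cs.PartOfDomain) {
    $sc = & nltest.exe /sc_verify:$($cs.Domain) 2>&1
    if ($LASTEXITCODE -ne 0) { $problems += "nltest /sc_verify failed: $($sc -join ' ')" }
}

# 4. The PKI subcontainers must exist in the Configuration partition.
if ($cs.PartOfDomain) {
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
    foreach ($cn in "Certificate Templates", "OID", "KRA") {
        $dn = "CN=$cn,CN=Public Key Services,CN=Services,$configNc"
        if (-not [ADSI]::Exists("LDAP://$dn")) { $problems += "Missing container: $dn" }
    }
}

# 5. certocm.log records why the Enterprise option was disabled on a previous attempt.
$log = Join-Path $env:windir "certocm.log"
if (Test-Path $log) {
    Select-String -Path $log -Pattern "ENUM_ENTERPRISE_UNAVAIL_REASON" | Select-Object -Last 3 |
        ForEach-Object { $problems += "certocm.log: $($_.Line.Trim())" }
}

if ($problems.Count -eq 0) {
    Write-Host "No blocking problems found; the Enterprise CA option should be available."
} else {
    Write-Warning "Found $($problems.Count) problem(s):"
    $problems | ForEach-Object { Write-Warning "  $_" }
}
```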
Q126. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed.
You have an application named App1 that is configured to use Server1 for AD FS authentication.
You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.
You need to ensure that App1 can use Server2 for authentication.
What should you do on Server2?
A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relaying provider trust.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/dd807132%28v=ws.10%29.aspx
Create a Relying Party Trust Using Federation Metadata
http://pipe2text.com/?page_id=815
Setting up a Relying Party Trust in ADFS 2.0
http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trustin-ad-fs-2-0.aspx
Using Federation Metadata to establish a Relying Party Trust in AD FS 2.0
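Creating the relying party trust for App1 on Server2 with the AD FS 2.0 PowerShell snap-in, as an added example that is not part of the original dump: it prefers federation metadata, falls back to a manual definition, and then attaches the two rule sets without which the application gets no claims (transform) or no token at all (authorization). The App1 URLs are placeholders.

```powershell
# Added example (not from the exam dump): register App1 as a relying party on
# Server2 (AD FS 2.0) and attach the claim rules it needs. Assumes App1 publishes
# federation metadata at the placeholder URL below; the manual branch shows the
# equivalent when no metadata endpoint exists.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName      = "App1"
$metadataUrl = "https://app1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"  # placeholder

if (Get-ADFSRelyingPartyTrust -Name $rpName) {
    Write-Host "Relying party trust '$rpName' already exists on this federation server."
} else {
    try {
        # Preferred: metadata carries the identifier, endpoints and the RP's signing certificate.
        Add-ADFSRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl -ErrorAction Stop
    } catch {
        # Fallback: define the trust by hand (values are placeholders).
        Add-ADFSRelyingPartyTrust -Name $rpName `
            -Identifier "https://app1.contoso.com/" `
            -WSFedEndpoint "https://app1.contoso.com/"
    }
}

# Issuance transform rule: pass the user's UPN from AD to the application.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN to App1"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

# Issuance authorization rule: without at least one permit rule AD FS refuses every token request.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Verify what App1 will be issued: identifier, state and the rules just applied.
Get-ADFSRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, Enabled, IssuanceAuthorizationRules
```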
Q127. A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted.
You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online.
What should you do?
A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.
B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.
C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.
D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.
Answer: D
Explanation:
http://support.microsoft.com/kb/232122
Performing offline defragmentation of the Active Directory database
Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller.
http://rickardnobel.se/when-to-offline-defrag-ntds-dit/
When to offline defrag the Active Directory database
This article will show a simple way to determine whether there is any gain in doing an offline defrag of your Active Directory database. During normal operations the Active Directory service will do an online defragmentation of the Active Directory database (always called ntds.dit) every 12 hours. This online defrag will arrange all pages in an optimal way inside the ntds.dit; however, the file size will never shrink, and will sometimes even grow. Over the years of operation the ntds.dit file size will increase as user accounts, organizational units, groups, computers, DNS records and more are added and later removed. When deleted objects are finally removed (after the so-called tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not be freed.
[Screenshot: the ntds.dit file and its size in Explorer]
The actual size of the ntds.dit can easily be checked in Explorer, as above. The size of the database in this example is around 575 MB. Note that Active Directory does not use file-level replication, so the file can be of different sizes on each Domain Controller in your domain. If wanted, there is the possibility to take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pages in the best possible way and reclaim any empty space inside the database, which could make backup and restore faster and also possibly increase AD performance. The offline defrag means "offline" from an Active Directory perspective. This means that on Windows 2000 and 2003 you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will have to stop the AD services by typing "net stop ntds" at the command prompt. So in Windows 2008 and later it is far easier, but still something that you do not want to do if not necessary. There are numerous articles on the web on how to do the actual offline defrag, so we will not cover that part here. However, we will look at perhaps the most important information, which is being able to see in advance the amount of space that we could reclaim. With this information we can make our decision based on facts and not guesses. This has been possible since at least Windows 2003, but is not well documented.
To enable this you will have to alter a registry value on the Domain Controller whose reclaimable MBs you want to investigate. Use regedit and find the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics
Change the value "6 Garbage Collection" from 0 to 1. This will increase the logging from the Garbage Collection process, which runs together with the online defrag. Now wait for the next online defragmentation, which runs twice a day, and then study the Directory Service log in Event Viewer.
Search for event ID 1646, usually together with event IDs 700 and 701.
Here we can note the amount of space that would be reclaimed by an offline defrag. The top value is the number of MB that the offline defrag would recover, here almost half the database size. If the amount is negligible then do not worry about this any more, and if there is a considerable number of MBs reported then you can plan to do the offline defrag.
Note that both the change of registry key and the actual offline defrag have to be done on each domain controller, since neither replicates.
As noted above we will not look at the commands for the offline defragmentation here, since they are well documented already.
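The measurement procedure above scripted, as an added example that is not part of the original dump or of the quoted blog: it raises the "6 Garbage Collection" diagnostics level, reads the newest event 1646 from the Directory Service log and compares the reported reclaimable megabytes with the current ntds.dit size. The 25% decision threshold is a constructed heuristic, and the number parsing assumes the free-space figure is the first integer in the event message.

```powershell
# Added example (not from the exam dump): script the measurement described above.
# Turns on Garbage Collection diagnostics, then reads the newest event 1646 from
# the Directory Service log to see how much space an offline defrag of ntds.dit
# would reclaim. Run on each DC; neither the registry value nor the defrag replicates.
$diagKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics"
$current = (Get-ItemProperty -Path $diagKey -Name "6 Garbage Collection")."6 Garbage Collection"

if ($current -lt 1) {
    # Level 1 is enough to get event 1646; higher levels flood the log.
    Set-ItemProperty -Path $diagKey -Name "6 Garbage Collection" -Value 1 -Type DWord
    Write-Host "Garbage Collection logging raised to 1; wait for the next online defrag (every 12 h) and rerun."
}

# Current size of the database file, for comparison with the reclaimable figure.
$ntdsParams = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
$dit    = Get-Item $ntdsParams."DSA Database file"
$sizeMb = [math]::Round($dit.Length / 1MB, 1)

$evt = Get-WinEvent -FilterHashtable @{ LogName = "Directory Service"; Id = 1646 } -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) {
    Write-Host "No event 1646 logged yet. ntds.dit is currently $sizeMb MB."
    return
}

# Event 1646 reports the free space in MB ("the top value" in the blog's screenshot).
# Assumption: it is the first bare integer in the message; inspect $evt.Message if not.
$reclaimMb = [int](($evt.Message -split '\s+' | Where-Object { $_ -match '^\d+$' })[0])
$pct = [math]::Round(100 * $reclaimMb / $sizeMb, 1)

"{0:u}  ntds.dit={1} MB  reclaimable={2} MB ({3}%)" -f $evt.TimeCreated, $sizeMb, $reclaimMb, $pct

# Constructed heuristic: below 25% the downtime is not worth it.
if ($pct -ge 25) {
    Write-Host "Worth scheduling an offline defrag on this DC (AD services stopped, then ntdsutil compact):"
    Write-Host '  net stop ntds'
    Write-Host '  ntdsutil "activate instance ntds" files "compact to C:\Compact" quit quit'
    Write-Host '  (copy the compacted file back over ntds.dit, delete the *.log files, then: net start ntds)'
}
```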
Q128. Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.
What should you do?
A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc757117.aspx
Configuring site link bridges
By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites.
Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases:
You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller.
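Answer C done outside the GUI, as an added example that is not part of the original dump: "Bridge all site links" is the absence of bit 0x2 in the options attribute of the IP transport container, so the script sets that bit and then lists the explicit site links that remain, since with bridging off those links are the only replication paths. The ActiveDirectory module is assumed; the transport DN is derived from RootDSE.

```powershell
# Added example (not from the exam dump): turn off "Bridge all site links" for
# the IP transport so branch DCs replicate only over the explicit site links to
# the hub, then list the site links that remain.
Import-Module ActiveDirectory

$configNc    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

# options on the transport: bit 0x1 = ignore schedules, bit 0x2 = bridges required
# (that is, "Bridge all site links" is OFF). Preserve any other bits already set.
$BridgesRequired = 2
$transport = Get-ADObject -Identity $ipTransport -Properties options
$options   = [int]($transport.options)   # $null (never set) becomes 0

if ($options -band $BridgesRequired) {
    Write-Host "Site link bridging is already disabled for the IP transport."
} else {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor $BridgesRequired) }
    Write-Host "Disabled automatic bridging; branch sites no longer get transitive paths to each other."
}

# With bridging off, the topology is only what the site links describe, so every
# branch needs its own explicit link to the hub site. Review them here.
Get-ADObject -SearchBase $ipTransport -SearchScope OneLevel `
    -Filter { objectClass -eq "siteLink" } -Properties siteList, cost, replInterval |
    Select-Object Name, cost, replInterval,
        @{ n = "Sites"; e = { ($_.siteList | ForEach-Object { ($_ -split ",")[0] -replace "^CN=" }) -join ", " } } |
    Format-Table -AutoSize

# The KCC recomputes the topology on its next run (every 15 minutes); to force it,
# run 'repadmin /kcc' on the hub DC and confirm with 'repadmin /showrepl' on a branch DC.
```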
Q129. Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008.
The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003.
You need to set up a transitive forest trust between Forest1 and Forest2.
What should you do first?
A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.
B. Raise the forest functional level of Forest2 to Windows Server 2003.
C. Upgrade the domain controllers in Forest2 to Windows Server 2008.
D. Upgrade the domain controllers in Forest2 to Windows Server 2003.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc816810.aspx
Creating Forest Trusts
You can link two disjoined Active Directory Domain Services (AD DS) forests together to form a one-way or two-way, transitive trust relationship.
The following are required to create forest trusts successfully:
You can create a forest trust between two Windows Server 2003 forests, between two Windows Server 2008 forests, between two Windows Server 2008 R2 forests, between a Windows Server 2003 forest and a Windows Server 2008 forest, between a Windows Server 2003 forest and a Windows Server 2008 R2 forest, or between a Windows Server 2008 forest and a Windows Server 2008 R2 forest. Forest trusts cannot be extended implicitly to a third forest.
To create a forest trust, the minimum forest functional level for the forests that are involved in the trust relationship is Windows Server 2003.
Q130. Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema.
You discover that the Active Directory replication traffic to the Global Catalogs has increased.
You need to prevent the new attributes from being replicated to the Global Catalog.
You must achieve this goal without affecting application functionality.
What should you do?
A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.
B. Change the cost for the DEFAULTIPSITELINK object to 9990.
C. Make the new attributes in the Active Directory as defunct.
D. Modify the properties in the Active Directory schema for the new attributes.
Answer: D
Explanation:
http://support.microsoft.com/kb/248717
How to Modify Attributes That Replicate to the Global Catalog
The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes that make up the set of values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space.
Before describing how to set an attribute to replicate in the GC, it is important to note the effect this has on network replication traffic. After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a "full sync") of all objects to the GC, as described below. This behavior occurs on the versions of Windows 2000 listed in this article.
Every server has a full and writable copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. "Partial" means that only a subset of the attributes is kept. When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a "full sync" of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to "True." Thus, it only does a full sync on the read-only partial copy domains and not its own writable domain, the configuration directory partition or the schema directory partition.
In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the "Schema Admins" group. In addition to being a member of this group, a registry key must be set on the Schema master.
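Answer D in practice, as an added example that is not part of the original dump: it finds the application's attributeSchema objects that carry isMemberOfPartialAttributeSet, clears the flag on the schema master, and re-checks after a schema cache refresh. The "app-" LDAP display name prefix is a placeholder for the vendor's real prefix; the ActiveDirectory module and Schema Admins membership are assumed.

```powershell
# Added example (not from the exam dump): find the schema attributes the new
# application added that are flagged for Global Catalog replication, and clear
# the flag. Must run as a Schema Admin against the schema master.
Import-Module ActiveDirectory

$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster      # schema changes are only accepted here
$appPrefix    = "app-"                            # placeholder: the vendor's attribute prefix

$inPas = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc -SearchScope OneLevel `
    -Filter { objectClass -eq "attributeSchema" -and isMemberOfPartialAttributeSet -eq $true } `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet, isSingleValued |
    Where-Object { $_.lDAPDisplayName -like "$appPrefix*" }

if (-not $inPas) {
    Write-Host "No attributes with prefix '$appPrefix' are in the partial attribute set."
    return
}

"Attributes currently replicated to every GC:"
$inPas | Select-Object lDAPDisplayName, isSingleValued | Format-Table -AutoSize

foreach ($attr in $inPas) {
    # Removing an attribute from the PAS leaves its values on domain objects intact;
    # it is ADDING to the PAS that triggers the GC full sync described above.
    Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ isMemberOfPartialAttributeSet = $false }
    Write-Host "Removed $($attr.lDAPDisplayName) from the partial attribute set."
}

# Force the schema cache to reload so the check below sees the new values.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put("schemaUpdateNow", 1)
$rootDse.SetInfo()

Get-ADObject -Server $schemaMaster -SearchBase $schemaNc -SearchScope OneLevel `
    -Filter { objectClass -eq "attributeSchema" -and isMemberOfPartialAttributeSet -eq $true } `
    -Properties lDAPDisplayName |
    Where-Object { $_.lDAPDisplayName -like "$appPrefix*" } |
    ForEach-Object { Write-Warning "$($_.lDAPDisplayName) is still in the partial attribute set" }
```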