Now, we recommend our Actualtests 70-640 braindumps. Our Microsoft products are provided in two forms, PDF and Test Engine. You can download the Microsoft dumps for free within 120 days after purchasing. Actualtests features all the Microsoft 70-640 certification exam practice questions you need. The 70-640 training materials are the most accurate and elaborate study resources, revised by veterans in the IT field. You should visit our website regularly to check for updates, and the Microsoft exam dumps will be updated simultaneously on your PC. Work through the Microsoft certification exam preparation with Actualtests Microsoft practice questions step by step. We ensure that you will get certified. The passing rate reaches up to 90%. Getting the Microsoft certification is both your goal and our expectation. And do not worry if you fail the 70-640 at the first attempt. Actualtests provides a 100% money-back policy. Just fax us your failed transcript and related supporting documents, and we will return your money within 12 hours.
Q101. Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains.
You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain.
What should you do?
A. Decrease the replication interval for all Connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc754538.aspx
Understanding When to Create a Shortcut Trust
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on.
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests—but in only one direction. For example, when a one-way, shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path.
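To make the trust-path argument concrete, here is an added example (not part of the original page or the TechNet article) that models the Q101 forest as a graph of trust hops and measures how many domains an authentication request must traverse before and after a shortcut trust. It assumes intermediate domains na.contoso.com and eu.contoso.com (inferred from the DNS names of the two grandchild domains) and treats a one-way shortcut as usable only by requests that originate in the first domain for resources in the second, as the cited text describes.

```python
from collections import deque

# Constructed model of the Q101 forest. The two grandchild domains come from
# the question; na.contoso.com and eu.contoso.com are assumed from their names.
PARENT = {
    "contoso.com": None,
    "na.contoso.com": "contoso.com",
    "eu.contoso.com": "contoso.com",
    "eng.na.contoso.com": "na.contoso.com",
    "labs.eu.contoso.com": "eu.contoso.com",
}


def build_trust_graph(parent):
    """Directed graph of usable trust hops.

    Parent-child trusts are two-way and transitive, so each one yields an
    edge in both directions. Shortcut trusts are added separately."""
    graph = {d: set() for d in parent}
    for child, par in parent.items():
        if par is not None:
            graph[child].add(par)
            graph[par].add(child)
    return graph


def add_shortcut(graph, src, dst, two_way=False):
    """Add a shortcut trust that authentication requests originating in src
    for resources in dst may use (and the reverse direction if two_way)."""
    graph[src].add(dst)
    if two_way:
        graph[dst].add(src)


def trust_path(graph, src, dst):
    """Shortest sequence of domains an authentication request from src to dst
    must traverse, found by breadth-first search over trust hops."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in sorted(graph[cur]):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def hops(graph, src, dst):
    """Number of trust hops on the shortest path, or None if no path exists."""
    path = trust_path(graph, src, dst)
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    g = build_trust_graph(PARENT)
    print("tree walk:", trust_path(g, "labs.eu.contoso.com", "eng.na.contoso.com"))
    add_shortcut(g, "labs.eu.contoso.com", "eng.na.contoso.com")
    print("labs -> eng with one-way shortcut:", hops(g, "labs.eu.contoso.com", "eng.na.contoso.com"))
    print("eng -> labs still walks the tree:", hops(g, "eng.na.contoso.com", "labs.eu.contoso.com"))
```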
Q102. Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA).
On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled.
You need to install an enterprise subordinate CA on the server.
What should you use to log on to the new server?
A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b
In order to install Enterprise CA you MUST have Enterprise Admins permissions, because Configuration naming context is replicated between domain controllers in the forest (not only current domain) and are writable for Enterprise Admins (domain admins permissions are insufficient).
Q103. Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.
You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.
What should you do first?
A. At the command prompt, run net stop ntds.
B. At the command prompt, run net stop netlogon.
C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).
Answer: A
Explanation:
We don't need to restart the server to defragment the AD database. We only need to stop AD DS in order to defragment the database, using ntdsutil.
http://technet.microsoft.com/en-us/library/cc794920.aspx
To perform offline defragmentation of the directory database
1. Open a Command Prompt as an administrator.
2. At the command prompt, type the following command, and then press ENTER: net stop ntds
3. Type Y to agree to stop additional services, and then press ENTER.
4. At the command prompt, type ntdsutil, and then press ENTER.
Q104. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
D. Publish the code signing template.
Answer: B,D
Explanation:
http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).
For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.
In the case of code signing, it may also be necessary for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code.
A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines.
Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.
Q105. Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed.
You need to perform a non-authoritative restore of the domain controller using an existing backup file.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode and use wbadmin to restore critical volume
B. Restart the domain controller in Directory Services Restore Mode and use the backup snap-in to restore critical volume
C. Restart the domain controller in Safe Mode and use wbadmin to restore critical volume
D. Restart the domain controller in Safe Mode and use the backup snap-in to restore critical volume
Answer: A
Explanation:
Almost identical to B42
http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx
Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Nonauthoritative Restore Requirements You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup.
Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
Q106. You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. In a Group Policy object (GPO), configure the autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/dd379539.aspx
To automatically enroll client computers for certificates in a domain environment, you must:
1. Configure an autoenrollment policy for the domain.
(...)
In Configuration Model, select Enabled to enable autoenrollment.
2. Configure certificate templates for autoenrollment.
(...)
In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.
3. Configure an enterprise CA.
Q107. Your company security policy requires complex passwords.
You have a comma delimited file named import.csv that contains user account information.
You need to create user account in the domain by using the import.csv file.
You also need to ensure that the new user accounts are set to use default passwords and are disabled.
What should you do?
A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.
B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.
C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts.
D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts.
Answer: A
Explanation:
Personal note:
The correct command should be:
csvde -i -k -f import.csv
http://support.microsoft.com/kb/305144
How to use the UserAccountControl flags to manipulate user account properties
When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.
You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.
The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx
Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
Syntax:
csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
Parameters
-i Specifies import mode. If not specified, the default mode is export.
-f <FileName> Identifies the import or export file name.
-k Ignores errors during an import operation and continues processing.
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
Dsmod user
Modifies attributes of one or more existing users in the directory.
Syntax:
dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd (<Password> | *)] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
Parameters
<UserDN> Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
-pwd {<Password> | *} Resets the passwords for the users that you want to modify as Password or an asterisk (*). If you type *, AD DS prompts you for a user password.
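As an added example (not part of the original page or the cited Microsoft articles), the following script decodes userAccountControl values the way the KB article describes (cumulative bit flags, 514 = 512 + 2) and reviews a csvde import file before it is fed to csvde -i -k -f, reporting any user row that would be created enabled or with the PASSWD_NOTREQD flag, which would sidestep the complex-password requirement in Q107. The CSV content is constructed for the example; the flag values are the documented UserAccountControl bits.

```python
import csv
import io

# Documented userAccountControl bit flags (subset of the KB 305144 table).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def parse_uac(value):
    """Accept an int, a decimal string (as Adsiedit shows) or a 0x hex
    string (as Ldp shows) and return the integer flag word."""
    if isinstance(value, str):
        value = value.strip()
        return int(value, 16) if value.lower().startswith("0x") else int(value)
    return value


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    uac = parse_uac(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]
    unknown = uac & ~sum(UAC_FLAGS)   # bits outside the table above
    if unknown:
        names.append("UNKNOWN(0x%X)" % unknown)
    return names


def check_import(csv_text):
    """Review a csvde import file before running csvde -i -k -f.

    Returns (sAMAccountName, problem) tuples for user rows that would be
    created enabled, without NORMAL_ACCOUNT, or with PASSWD_NOTREQD set."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("objectClass") or "").lower() != "user":
            continue
        name = row.get("sAMAccountName") or row.get("DN") or "?"
        raw = (row.get("userAccountControl") or "").strip()
        if not raw:
            problems.append((name, "userAccountControl missing"))
            continue
        uac = parse_uac(raw)
        if not uac & ACCOUNTDISABLE:
            problems.append((name, "account would be imported enabled"))
        if uac & PASSWD_NOTREQD:
            problems.append((name, "PASSWD_NOTREQD set"))
        if not uac & NORMAL_ACCOUNT:
            problems.append((name, "NORMAL_ACCOUNT not set"))
    return problems


# Constructed sample import.csv in csvde layout (not from the page).
SAMPLE_CSV = """DN,objectClass,sAMAccountName,userPrincipalName,userAccountControl
"CN=Alice Example,OU=Staff,DC=contoso,DC=com",user,alice,alice@contoso.com,514
"CN=Bob Example,OU=Staff,DC=contoso,DC=com",user,bob,bob@contoso.com,512
"CN=Carol Example,OU=Staff,DC=contoso,DC=com",user,carol,carol@contoso.com,546
"""

if __name__ == "__main__":
    print(decode_uac(514))  # ['ACCOUNTDISABLE', 'NORMAL_ACCOUNT']
    for name, problem in check_import(SAMPLE_CSV):
        print(name, "-", problem)
```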
Q108. Your company has a main office and a branch office.
The network contains a single Active Directory domain.
The main office contains a domain controller named DC1.
You need to install a domain controller in the branch office by using an offline copy of the Active Directory database.
What should you do first?
A. From the Ntdsutil tool, create an IFM media set.
B. From the command prompt, run djoin.exe /loadfile.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the get-ADDomainController cmdlet.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx
Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.
Q109. Your company has an Active Directory domain. All servers run Windows Server.
You deploy a Certification Authority (CA) server.
You create a new global security group named CertIssuers.
You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates.
What should you do?
A. Assign the Certificate Manager role to the CertIssuers group
B. Place CertIssuers group in the Certificate Publisher group
C. Run the certsrv -add CertIssuers command at the command prompt of the certificate server
D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows Powershell
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx
Role-based administration
Role explanation
Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.
Certificate Manager:
Delete multiple rows in database (bulk deletion)
Issue and approve certificates
Deny certificates
Revoke certificates
Reactivate certificates placed on hold
Renew certificates
Recover archived key
Read CA database
Read CA configuration information
Q110. Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain.
You need to configure DNS to allow only secure dynamic updates.
What should you do first?
A. On DC1 and DC2, configure a trust anchor.
B. On DC1 and DC2, configure a connection security rule.
C. On DC1, configure the zone transfer settings.
D. On DC1, configure the zone to be stored in Active Directory.
Answer: D
Explanation:
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/
Configuring DNS Server for Secure Only Dynamic Updates
About Dynamic Updates
During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation process automatically installs the DNS server on the computer, in case it does not already exist in the network. After the successful installation of Active Directory Domain Services, the DNS server is by default configured to automatically update the records of only the domain client computers as soon as it receives the registration request from them. This automatic update of DNS records in the DNS database is technically known as ‘Dynamic Updates’.
Types of DNS Updates
Dynamic updates that the DNS server in Windows Server 2008 R2 supports include:
Nonsecure and Secure – When this type of dynamic update is selected, any computer can send a registration request to the DNS server. The DNS server in return automatically adds the record of the requesting computer to the DNS database, even if the computer does not belong to the same DNS domain. Although this configuration remarkably reduces administrative overhead, this setting is not recommended for organizations that have highly sensitive information on their computers.
Secure only – When this type of dynamic update is selected, only the computers that are members of the DNS domain can register themselves with the DNS server. The DNS server automatically rejects the requests from computers that do not belong to the domain. This protects the DNS server from getting automatically populated with records of unwanted, suspicious and/or fake computers.
None – When this option is selected, the DNS server does not accept any registration request from any computer whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database.
In most production environments, systems administrators configure Secure Only dynamic updates for DNS. This remarkably reduces the security risks by allowing only the authentic domain client computers to register themselves with the DNS server automatically, and decreases the administrative overhead at the same time. However, in some scenarios, administrators choose to have a non-Active Directory integrated zone to stay compliant with the policies of the organization. This configuration is not at all recommended because it does not allow administrators to configure the DNS server for Secure only updates, and it does not allow the DNS database to be replicated automatically to the other DNS servers along with the Active Directory replication process. When a DNS zone is not Active Directory integrated, the DNS database replication process must be performed manually by the administrators.
Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server
To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps given below:
1. Log on to Windows Server 2008 R2 DNS server computer with the domain admin or enterprise admin account on which ‘Secure only’ dynamic updates are to be configured.
2. On the desktop screen, click Start.
3. From the Start menu, go to Administrator Tools > DNS.
4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name.
5. From the expanded list, double-click Forward Lookup Zones.
6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be configured.
7. From the displayed context menu, click Properties.
8. On the zone’s properties box, make sure that the General tab is selected.
9. On the selected tab, choose the Secure only option from the Dynamic updates drop-down list.
Note: Secure only option is available only if the DNS zone is Active Directory integrated.
(Figure: Secure Only Dynamic Update)
10. Click OK to apply the modified changes.
11. Close DNS Manager snap-in when done.