70-640 Exam
Super ways to server 2008 exam 70-640
Act now and download your Microsoft 70-640 test today! Do not waste time for the worthless Microsoft 70-640 tutorials. Download Up to the minute Microsoft TS: Windows Server 2008 Active Directory. Configuring exam with real questions and answers and begin to learn Microsoft 70-640 with a classic professional.
2021 Oct cbt nuggets 70-640 download:
Q131. You install a standalone root certification authority (CA) on a server named Server1.
You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities store. Which command should you run on Server1?
A. certreq.exe and specify the -accept parameter
B. certreq.exe and specify the -retrieve parameter
C. certutil.exe and specify the -dspublish parameter
D. certutil.exe and specify the -importcert parameter
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732443.aspx
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.
Syntax Certutil <-parameter> [-parameter] Parameter -dsPublish Publish a certificate or certificate revocation list (CRL) to Active Directory
Q132. You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.
What should you do?
A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.
Q133. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.
D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Answer: C
Explanation:
http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/ Active Directory Diagnostics Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active Directory data set collects performance data and it generates XML based diagnostic reports that make analyzing AD performance issues easier by identifying the IP addresses of the highest volume callers and the type of network traffic that is placing the most loads on the CPU. Download SPA tool:http://www.microsoft.com/en-us/download/details.aspx?id=15506 Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don’t have to install SPA anymore.
This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data collector set is automatically created under System as shown here.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
When you will check the properties of the collector you will notice that the data is stored under %systemdrive %\perflogs, only now it is under the \ADDS folder and when a data collection is run it creates a new subfolder called YYYYMMDD-#### where YYYY = Year, MM = Month and DD=Day and #### starts with 0001 . Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
To start the data collector set, you just have to right click on Active Directory Diagnostics data collector set and select Start. Data will be stored at %systemdrive%\perflogs location.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Once you’ve gathered your data, you will have these interesting and useful reports under Report section, to aid in your troubleshooting and server performance trending.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
Further information: http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx
Monitoring Your Branch Office Environment
http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx
Son of SPA: AD Data Collector Sets in Win2008 and beyond
Q134. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.
Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc742095.aspx
Repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).
Example:
The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:
repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com
Q135. You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2.
You need to monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Answer: D
Explanation:
With domain functional level 2008 you have available dfs-r sysvol replication. So with
DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level
2003.
With domain functional level 2003 you can only use Ntfrsutl.
Avant-garde testking 70-640:
Q136. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?
A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone.
B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone.
D. On both servers, modify the interface that the DNS server listens on.
Answer: B
Explanation:
Answer: Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone. http://technet.microsoft.com/en-us/library/cc771150.aspx Change the Zone Type You can use this procedure to change make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS).
http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. Benefits of AD DS integration For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directoryintegrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication.
http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx Deploy IPsec Policy to DNS Servers You can deploy IPsec rules through one of the following mechanisms: Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directoryintegrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier. DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers. Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally. http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx Deploying Secure DNS Protecting DNS Servers When the integrity of the responses of a DNS server are compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. To protect your DNS servers from these types of attacks: Use IPsec between DNS clients and servers. Monitor network activity. Close all unused firewall ports. Implementing IPsec Between DNS Clients and Servers IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server. Further information: http://technet.microsoft.com/en-us/library/cc771898.aspx Understanding Zone Types The DNS Server service provides for three types of zones: Primary zone Secondary zone Stub zone Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS. The following sections describe each of these zone types: Primary zone When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the % windir%\System32\Dns folder on the server. Secondary zone When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS. Stub zone When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone. You can use stub zones to: Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone. Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace. Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing. There are two lists of DNS servers involved in the loading and maintenance of a stub zone: The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone. The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/ Answered what is non-standard dns secondary zone?
Q: While passing through 70-291 exam prep questions, I encountered the term "standard
secondary zone".
From the context of other questions I understood that "standard", in context of primary
zone, mean "non-ADintegrated".
A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the
AD database and not in a text file.
Q: What does "standard" mean in context of DNS secondary zone?
A: It means the same thing in context of a Standard Primary Zone. Simply stated,
"Standard" means the zone data is stored in a text file, which can be found in
system32\dns.
Q137. There are 100 servers and 2000 computers present at your company's headquarters.
The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service.
The nodes are named as CKMFON1 and CKMFON2.
The cluster on CKMFO has one physical shared disk of 400 GB capacity.
A 200GB single volume is configured on the shared disk.
Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.
The DHCP and WINS services will be hosted on other nodes.
Using High Availability Wizard, you begin creating the WINS service group on cluster available on CKMFON1 node.
The wizard shows an error "no disks are available" during configuration.
Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1?
A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group
B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard.
C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes onthese disk and direct CKMOFONI to use CKMFON2 volume for the WINS service group
D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard
E. None of the above
Answer: B
Explanation:
http://class10e.com/Microsoft/which-action-should-you-perform-to-configure-storage-volumes-on-ckmfon1-tosuccessfully-add-the-wins-service-group-to-ckmfon1/
To configure storage volumes on CKMFON1 to successfully add the WINS Service group
to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and
configure a new volume on it.
Use this volume to fix the error in the wizard.
This is because a cluster does not use shared storage.
A cluster must use a hardware solution based either on shared storage or on replication
between nodes.
Q138. Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared
folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Answer: B
Explanation:
http://kb.iu.edu/data/ajlt.html In Microsoft Active Directory, what are security and distribution groups? In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below: Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists. Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings. http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx Group types
Q139. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
What should you do?
A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.
C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc962065.aspx
Certification Authority Trust Model Certification Authority Hierarchies The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certification hierarchy, to provide scalability, ease of administration, and compatibility with a growing number of commercial third-party CA services and public key-aware products. In its simplest form, a certification hierarchy consists of a single CA. However, the hierarchy usually contains multiple CAs that have clearly defined parent-child relationships. Figure 16.5 shows some possible CA hierarchies.
C:\Documents and Settings\usernwz1\Desktop\1.PNG
You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a root CA . Root CAs are self-certified by using a self-signed CA certificate. Root CAs are the most trusted CAs in the organization and it is recommended that they have the highest security of all. There is no requirement that all CAs in an enterprise share a common top-level CA parent or root. Although trust for CAs depends on each domain's CA trust policy, each CA in the hierarchy can be in a different domain. Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002-c08b9c7d4149
Q140. You create a Password Settings object (PSO).
You need to apply the PSO to a domain user named User1.
What should you do?
A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).
Answer: A
Explanation: http://technet.microsoft.com/en-us/library/cc731589.aspx To apply PSOs to users or global security groups using the Windows interface
1. Open Active Directory Users and Computers
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Password Settings Container.
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.