Q201. You deploy a new Active Directory Federation Services (AD FS) federation server.
You request new certificates for the AD FS federation server.
You need to ensure that the AD FS federation server can use the new certificates.
To which certificate store should you import the certificates?
A. Computer
B. IIS Admin Service service account
C. Local Administrator
D. World Wide Web Publishing Service service account
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_13
Step 2: Installing AD FS Role Services and Configuring Certificates
To import the server authentication certificate for adfsresource to adfsweb
1. Click Start, click Run, type mmc, and then click OK.
2. Click File, and then click Add/Remove Snap-in.
3. Select Certificates, click Add, click Computer account, and then click Next.
4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.
5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.
6. On the Welcome to the Certificate Import Wizard page, click Next.
7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next.
8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.
9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
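Added example, not part of the exam explanation or the TechNet article: importing a PFX into the computer (Local Machine) certificate store from PowerShell instead of the MMC wizard, then verifying the private key is really there. It targets the Personal store that AD FS reads its own service certificates from (the TechNet steps above put a partner's certificate into Trusted Root); the PFX path and the password prompt are assumptions.

```powershell
# Added example: import a PFX into the computer ("Local Machine") Personal
# store using the .NET X509Store API, so it runs on Windows Server 2008 R2 /
# PowerShell 2.0 without the later PKI module. Path is a constructed placeholder.
$pfxPath  = '\\adfsresource\d$\adfsresource.pfx'
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# MachineKeySet stores the private key in the computer's key container rather
# than the importing user's profile (a user-store key is invisible to the AD FS
# service), PersistKeySet keeps it after import, and Exportable is deliberately
# left out so the key cannot be exported again from this machine.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $password, $flags)

# 'My' is the Personal store; 'LocalMachine' is the "Computer account" choice
# made in step 3 of the MMC walkthrough.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Verify: the certificate must now be in Cert:\LocalMachine\My with a private key;
# a certificate without one is useless for service communication or token signing.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is not in the computer store with a private key"
}
"Imported $($installed.Subject) (expires $($installed.NotAfter)) into LocalMachine\My"
```

The AD FS service account still needs read access to the private key (Manage Private Keys in the MMC), which this script does not grant.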
Q202. You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server1 to support the Online Responder.
What should you do?
A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732526.aspx
Configure a CA to Support OCSP Responders
To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP)Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.
Configuring a certification authority (CA) to support OCSP responder services includes the following steps:
1. Configure certificate templates and issuance properties for OCSP Response Signing certificates.
2. Configure enrollment permissions for any computers that will be hosting Online Responders.
3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates.
4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA.
5. Enable the OCSP Response Signing certificate template for the CA.
Q203. Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements.
Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7.
You need to configure your partner company's domain to use the approved set of administrative templates.
What should you do?
A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy.
B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator.
D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on the partner company's emulator.
Answer: B
Explanation:
http://support.microsoft.com/kb/929841
How to create the Central Store for Group Policy Administrative Template files in Windows Vista
Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settings appear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markup language. In Windows Vista, Administrative Template files are divided into .admx files and language-specific .adml files that are available to Group Policy administrators.
Administrative Template file storage
In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased.
Windows Vista uses a Central Store to store Administrative Template files. In Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm files.
The Central Store
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.
To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:
\\FQDN\SYSVOL\FQDN\policies
Note: FQDN is a fully qualified domain name.
http://www.frickelsoft.net/blog/?p=31
How can I export local Group Policy settings made in gpedit.msc?
Mark Heitbrink, MVP for Group Policy... came up with a good solution on how you can “export” the Group Policy and Security... settings you made on a machine with the Local Group Policy Editor (gpedit.msc) to other machines pretty easily:
Normal settings can be copied like this:
1.) Open %systemroot%\system32\grouppolicy\
Within this folder, there are two folders, “machine” and “user”. Copy these two folders to the %systemroot%\system32\grouppolicy folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.
Note: If you cannot see the “grouppolicy” folder on either the source or the target machine, be sure to have your Explorer folder options set to “Show hidden files and folders”.
For security settings:
1.) Open MMC and add the snap-in “Security Templates”.
2.) Create your own customized template and save it as an “*.inf” file.
3.) Copy the file to the target machine and import it via the command line tool “secedit”: secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf
Further information on secedit can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true
If you’re building custom installations, you can pretty easily script the “overwriting” of the “machine”/“user” folders or the import via secedit by copying these files to a share and copying and executing them with a script.
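Added example, not from the KB article or the exam explanation: building the Central Store described above with PowerShell, copying the approved ADMX/ADML set into it and checking that every template has a language file (a missing .adml is the usual cause of GPMC failing to display a template). It assumes the approved templates sit in the local PolicyDefinitions folder and that the script runs in the partner domain with write access to SYSVOL\Policies.

```powershell
# Added example: create the Group Policy Central Store in SYSVOL and seed it
# with the approved ADMX/ADML files. Written for PowerShell 2.0 (2008 R2),
# hence PSIsContainer instead of Get-ChildItem -Directory.
$fqdn   = (Get-WmiObject Win32_ComputerSystem).Domain      # e.g. partner.example
$source = "$env:SystemRoot\PolicyDefinitions"               # assumption: approved templates live here
$store  = "\\$fqdn\SYSVOL\$fqdn\Policies\PolicyDefinitions"  # location given in KB 929841

if (-not (Test-Path $store)) {
    New-Item -Path $store -ItemType Directory | Out-Null
}

# .admx files go in the root of the store; each language folder (e.g. en-US)
# keeps its .adml display files alongside.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $store -Force
Get-ChildItem -Path $source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $langDir = Join-Path $store $_.Name
    if (-not (Test-Path $langDir)) {
        New-Item -Path $langDir -ItemType Directory | Out-Null
    }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $langDir -Force
}

# Consistency check: every .admx needs a same-named .adml in at least one
# language folder, otherwise the Group Policy tools cannot render that template.
$admx = @(Get-ChildItem $store -Filter *.admx | ForEach-Object { $_.BaseName })
$adml = @(Get-ChildItem $store -Recurse -Filter *.adml |
    ForEach-Object { $_.BaseName } | Sort-Object -Unique)
$missing = $admx | Where-Object { $adml -notcontains $_ }
if ($missing) {
    Write-Warning "ADMX templates without a matching ADML: $($missing -join ', ')"
}
"Central Store $store now holds $($admx.Count) ADMX templates"
```

Once the folder exists, GPMC and the Group Policy Object Editor on any machine in that domain read templates from the Central Store instead of their local PolicyDefinitions folder, and SYSVOL replication carries it to the other domain controllers.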
Q204. Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data.
You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data.
What should you do?
A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility.
B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account.
C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the shared folder that hold the confidential data for the Deny DLG group.
D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the shared folder that hold the confidential data for the Deny DLG group.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest.
The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local.
The following table describes the differences between the scopes of each group.
[Table comparing universal, global and domain local group scopes: image not reproduced]
When to use groups with domain local scope
Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.
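Added example, not part of the exam explanation: implementing answer D with the ActiveDirectory module, creating the domain local group, nesting the global group of unauthorized users in it and placing a Deny Full Control entry on the folder's NTFS ACL (share permissions, if also used, are set separately). Group and folder names are constructed placeholders.

```powershell
# Added example: "Deny DLG" pattern from answer D. Needs the ActiveDirectory
# module (RSAT on 2008 R2) and rights to create groups and change the folder ACL.
Import-Module ActiveDirectory

$denyGroup   = 'Deny DLG'                 # domain local group that carries the deny ACE
$sourceGroup = 'Contractors'              # assumed global group holding the unauthorized users
$folder      = 'D:\Shares\Confidential'   # assumed shared folder with confidential data

# Domain local scope is the one meant for resource access: it can contain
# global groups from this domain and from trusted domains, which global
# scope cannot (answer C fails for that reason, and it grants rather than denies).
if (-not (Get-ADGroup -Filter "Name -eq '$denyGroup'")) {
    New-ADGroup -Name $denyGroup -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Members are denied access to the confidential share'
}
Add-ADGroupMember -Identity $denyGroup -Members $sourceGroup

# Deny Full Control, inherited by subfolders and files. Deny ACEs are evaluated
# before Allow ACEs in the canonical DACL order, so membership of Deny DLG wins
# even when the same users are allowed through another group.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$denyGroup",
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    'ContainerInherit,ObjectInherit',
    'None',
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify the deny entry is present on the folder.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$denyGroup" } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

Users who are already logged on keep their existing access token until they log off and on again, because group membership is evaluated at logon.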
Q205. You have an enterprise subordinate certification authority (CA).
You have a group named Group1.
You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.
What should you do?
A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732590.aspx
Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules.
Revoking certificates is an activity of the Certificate Manager role.
Q206. You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.
You need to record all inbound DNS queries to the server.
What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Configure event logging to log errors and warnings.
D. Enable automatic testing for recursive queries.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc753579.aspx
DNS Tools
Event-monitoring utilities
The Windows Server 2008 family includes two options for monitoring DNS servers:
Default logging of DNS server event messages to the DNS server log. DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can view using DNS Manager or Event Viewer. The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or (in some cases) Active Directory Domain Services (AD DS).
You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and they are written by the DNS Client service at any computers running Windows (all versions).
Optional debug options for trace logging to a text file on the DNS server computer. You can also use DNS Manager to selectively enable additional debug logging options for temporary trace logging to a text-based file of DNS server activity. The file that is created and used for this feature, Dns.log, is stored in the %systemroot%\System32\Dns folder.
http://technet.microsoft.com/en-us/library/cc776361%28v=ws.10%29.aspx
Using server debug logging options
The following DNS debug logging options are available:
Direction of packets
Send: Packets sent by the DNS server are logged in the DNS server log file.
Receive: Packets received by the DNS server are logged in the log file.
Further information:
http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
Select and enable debug logging options on the DNS server
Q207. HOTSPOT
Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1.
You assign Contoso\Domain Users the Manage documents permission and the Print
permission to a shared printer on Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to Contoso\Domain Users?
To answer, select the appropriate permission in the answer area.
Answer:
Q208. Your company has an Active Directory domain. All servers run Windows Server 2008 R2.
Your company uses an Enterprise Root certificate authority (CA).
You need to ensure that revoked certificate information is highly available.
What should you do?
A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).
C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.
Answer: C
Explanation:
Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI.
Further information:
http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-highavailability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.
Q209. You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company's corporate security policy states that when an employee resigns, his ability
to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Answer: B
Explanation:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice
Delete or disable an Active Directory account? One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.
Q210. You remotely monitor several domain controllers.
You run winrm.exe quickconfig on each domain controller.
You need to create a WMI script query to retrieve information from the bios of each domain controller.
Which format should you use to write the query?
A. XrML
B. XML
C. WQL
D. HTML
Answer: C
Explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394606%28v=vs.85%29.aspx
WQL (SQL for WMI)
The WMI Query Language (WQL) is a subset of the American National Standards Institute Structured Query Language (ANSI SQL)—with minor semantic changes.
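Added example, not part of the exam explanation or the MSDN page: a WQL query against Win32_BIOS run on every domain controller through WinRM (which winrm quickconfig enabled on each of them), with the DMTF timestamp converted to a usable date. It assumes the ActiveDirectory module is available on the management station and that the account running it has WinRM access to the DCs.

```powershell
# Added example: retrieve BIOS information from all domain controllers with a
# WQL query executed over WinRM (PowerShell remoting).
Import-Module ActiveDirectory

# WQL looks like SQL: SELECT a property list FROM a WMI class, optional WHERE.
# Win32_BIOS has one instance per machine, so no WHERE clause is needed here.
$query = 'SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate, SerialNumber FROM Win32_BIOS'

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# -ErrorAction Continue: an unreachable DC is reported but does not stop the run.
$results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ArgumentList $query -ScriptBlock {
    param($q)
    $bios = Get-WmiObject -Query $q
    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Manufacturer = $bios.Manufacturer
        Version      = $bios.SMBIOSBIOSVersion
        # WMI returns ReleaseDate as a DMTF datetime string (yyyymmddHHMMSS.ffffff+UUU);
        # convert it to a .NET DateTime so it sorts and formats correctly.
        Released     = [System.Management.ManagementDateTimeConverter]::ToDateTime($bios.ReleaseDate)
        Serial       = $bios.SerialNumber
    }
}

$results | Sort-Object Computer |
    Format-Table Computer, Manufacturer, Version, Released, Serial -AutoSize
```

Get-WmiObject can also take -ComputerName directly, but that uses DCOM/RPC rather than the WinRM listener the question configures.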