70-640 practice exam questions for the Microsoft certification TS: Windows Server 2008 Active Directory, Configuring.
Q81. Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc772451.aspx
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification authority (CA):
Back up and restore the CA database.
Change the CA configuration.
Change CA security settings.
Issue and manage certificate requests.
Revoke certificates and publish certificate revocation lists (CRLs).
Store and retrieve archived keys.
Start and stop Active Directory Certificate Services (AD CS).
To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
Additional considerations
To audit events, the computer must also be configured for auditing of object access. Audit policy options can be viewed and managed in local or domain Group Policy under Computer Configuration\Windows Settings\Security Settings\Local Policies.
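The snap-in steps above have a command-line equivalent, shown here as an added example that is not part of the original page or of the TechNet article it quotes. It assumes an elevated prompt on the CA itself and a member of the local Administrators group; the bit values for the AuditFilter registry setting are the documented ones for AD CS (1 start/stop, 2 backup/restore, 4 issue and manage requests, 8 change CA configuration, 16 change CA security settings, 32 archived keys, 64 revocation and CRL publishing).

```powershell
# Added example (not from the page): enable CA event auditing from the command line
# on a Windows Server 2008 R2 CA. Assumes an elevated session on the CA.

# 1. Object-access auditing must be on, or the CA never writes audit events to the
#    Security log. "Certification Services" is the Object Access subcategory that
#    carries CA events; enabling it here is the auditpol equivalent of the
#    "Audit object access" setting in Local Security Policy (answer D).
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# 2. The Auditing tab of the Certification Authority snap-in (answer A) stores its
#    checkboxes as a bitmask in the CA's AuditFilter registry value.
#    127 (0x7F) selects all seven event classes listed above; 24 (8 + 16) limits
#    auditing to "Change the CA configuration" and "Change CA security settings",
#    which is exactly what the question asks for.
certutil -setreg CA\AuditFilter 24

# 3. The CA reads AuditFilter at startup, hence the Stop Service / Start Service
#    steps in the procedure.
Restart-Service certsvc

# 4. Verify both halves of the configuration.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
```

Use 127 instead of 24 if the CA should also log backup/restore, request management, revocation and key-archival activity; the events then appear in the Security log of the CA, not in the CA's own database, so forward that log to your collector if the CA is monitored centrally.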
Q82. Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account."
You need to ensure that the user is able to log on to the domain.
What should you do?
A. Modify the properties of the user account to set the account to never expire.
B. Modify the properties of the user account to extend the Logon Hours setting.
C. Modify the default domain policy to decrease the account lockout duration.
D. Modify the properties of the user account to set the password to never expire.
Answer: A
Explanation:
Further information: http://technet.microsoft.com/en-us/library/dd145547.aspx
User Properties - Account Tab
Account expires: Sets the account expiration policy for this user. You can select between the following options:
Use Never to specify that the selected account will never expire. This option is the default for new users.
Select End of and then select a date if you want to have the user's account expire on a specified date.
Q83. You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.
Answer: C
Explanation:
Explanation 1:
http://technet.microsoft.com/en-us/library/cc794920.aspx
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline defragmentation returns free disk space in the Active Directory database to the file system.
As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Explanation 2: Mastering Windows Server 2008 R2 (Sybex, 2010), page 805
Performing Offline Defragmentation of Ntds.dit
These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
2. Type ntdsutil, and then press Enter.
3. Type Activate instance NTDS, and press Enter.
4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
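The five steps above can be scripted so that the offline defragmentation is repeatable and the integrity check the first explanation calls for is not forgotten. This is an added example, not code from the page or from the Sybex book; it assumes an elevated PowerShell session on a Windows Server 2008 R2 domain controller (restartable AD DS, so the NTDS service can be stopped instead of booting into Directory Services Restore Mode), and C:\NtdsCompact is a constructed destination path on a volume with enough free space for a second copy of the database.

```powershell
# Added example (not from the page): offline defragmentation of ntds.dit on a
# Windows Server 2008 R2 DC. Run elevated. $dest is a constructed path.
$dest = 'C:\NtdsCompact'
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Locate the live database and its log directory from the NTDS parameters key.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = (Get-ItemProperty $ntdsKey).'DSA Database file'
$logPath = (Get-ItemProperty $ntdsKey).'Database log files path'

# Take the directory offline (the "offline" in offline defragmentation).
Stop-Service ntds -Force

# Steps 2-5: each quoted argument is one ntdsutil command, so this is
# "activate instance ntds" -> "files" -> "compact to <folder>" -> quit -> quit.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $dest" 'quit' 'quit'

# Replace the original with the compacted copy only if compaction produced one,
# keeping a backup of the old file next to it.
$compacted = Join-Path $dest 'ntds.dit'
if (Test-Path $compacted) {
    Copy-Item $dbPath "$dbPath.bak" -Force
    Copy-Item $compacted $dbPath -Force
    # The old transaction logs belong to the previous database file.
    Remove-Item (Join-Path $logPath '*.log') -Force

    # Check directory database integrity before bringing AD DS back.
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'
} else {
    Write-Warning "Compaction did not produce $compacted; original database left in place."
}

Start-Service ntds
```

If the integrity check reports errors, restore ntds.dit from the .bak copy (or from a system state backup) before starting the service; answer C is the only option that compacts the database, since defrag.exe works on the volume, not on the Jet database inside ntds.dit.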
Q84. Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On a domain controller run adprep /rodcprep.
B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/
DC promotion and adprep/forestprep
Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder").
A1:
You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there.
A2: to introduce the first W2K8 DC within an AD forest....
(1) no AD forest exists yet:
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
(2) an W2K or W2K3 AD forest already exists:
--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
--> on the stand alone server execute: DCPROMO
--> and provide the information needed
Q85. Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2.
The DNS servers are configured as shown in the following table.
Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites.
You need to enable Internet name resolution for all client computers.
What should you do?
A. Update the list of root hints servers on DNS2.
B. Create a copy of the .(root) zone on DNS1.
C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.
Answer: C
Explanation:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.
Q86. Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2.
You need to ensure that you can enable the Active Directory Recycle Bin.
What should you do?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/dd392261.aspx
Active Directory Recycle Bin Step-by-Step Guide
By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2.
Q87. Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can take a snapshot of Instance1.
What should you do?
A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the Startup Type for the Instance1 service to Disabled.
D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Answer: A
Explanation:
Hard to find Explanations on this, but the solution can be found by eliminating the rest.
Instance1 is running, otherwise you'd get a different message at the snapshot: create step ("AD service must be running in order to perform this operation", on my virtual server).
Disabling Instance1 makes no sense because you need it, nor does setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Q88. Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA).
You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.
You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site.
What should you do?
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Active Directory Users and Computers, modify the Contact object for the external partner.
Answer: A
Explanation:
http://technet.microsoft.com/library/cc732443.aspx
Certutil
Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
Verbs
-CRL: Publish new certificate revocation lists (CRLs) [or only delta CRLs]
http://technet.microsoft.com/en-us/library/cc783835%28v=ws.10%29.aspx
Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management)
If you have determined the keycontainername for a specific certificate, you can delete the key container with the following command:
certutil.exe -delkey <KeyContainerName>
The -delkey option is supported only with the Windows Server 2003 version of certutil. On Windows 2000, you must add a prefix to the commands. The prefix is the path you have copied the Windows Server 2003 version of certutil to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used.
Q89. Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/dd759186.aspx
If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account
Q90. Your company has a main office and a branch office.
You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.
You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Answer: B