Exam Code: 70-640 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
Certification Provider: Microsoft
Q191. You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?
A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011), page 525, "Automatically Responding to Events":
One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways:
Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to perform manually, and automatically run that script when an event appears.
Send An E-mail - Sends an e-mail by using the Simple Mail Transport Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device.
Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer.
To trigger a task when an event occurs, follow one of these three procedures:
Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process.
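The same event-triggered task built from the command line instead of the Event Viewer wizard, as an added example that is not part of the exam text or Microsoft's documentation: Security event 4740 (A user account was locked out) triggers a task that mails the event details. It assumes PowerShell 2.0 on the domain controller, an SMTP relay at smtp.contoso.com, and the script path and mail addresses shown, all of which are placeholders.

```powershell
# Added example (not from the exam or TechNet): register an ONEVENT task on a domain
# controller that e-mails the helpdesk when Security event 4740 is logged. Every DC that
# processes a lockout logs 4740, and the PDC emulator sees all of them, so register it
# on each DC. Run once, elevated.
# Assumed values: script path, SMTP relay, sender and recipient addresses.

$ScriptPath = 'C:\Scripts\Send-LockoutAlert.ps1'   # assumed location, no spaces on purpose
$SmtpServer = 'smtp.contoso.com'                    # assumed relay
$From       = 'dc-alerts@contoso.com'               # assumed sender
$To         = 'helpdesk@contoso.com'                # assumed recipient

# 1. The action script: read the newest 4740 event and mail its message text.
#    It is written to disk so the task can run it as SYSTEM, which can read the Security log.
#    Backtick-escaped $ signs stay literal in the generated script; the others expand now.
$AlertScript = @"
`$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
Send-MailMessage -SmtpServer '$SmtpServer' -From '$From' -To '$To' ``
    -Subject "Account lockout at `$(`$ev.TimeCreated) on `$(`$ev.MachineName)" -Body `$ev.Message
"@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $AlertScript

# 2. The trigger: an event subscription whose XPath matches only EventID 4740 from the
#    Security auditing provider (the same kind of query the Event Viewer wizard generates).
$Query  = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"
$Action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $ScriptPath"
schtasks.exe /Create /F /TN Alert-AccountLockout /RU SYSTEM /SC ONEVENT `
    /EC Security /MO $Query /TR $Action

# 3. Check the registration. A mistyped XPath still registers but the task never fires,
#    so confirm the query and log name before relying on the alert.
schtasks.exe /Query /TN Alert-AccountLockout /V /FO LIST
```

Lock out a test account afterwards and confirm the mail arrives; the task's Last Run Result in the /Query output shows whether the script itself ran.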
Q192. Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7.
From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO).
You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.
You need to ensure that the audit policy is applied to all member servers and all client computers.
What should you do?
A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.
Answer: C
Explanation:
Advanced audit policy settings cannot be applied through Group Policy to Windows Server 2008 (pre-R2) servers. To work around this, apply the audit policy to the Windows Server 2008 member servers with a script that runs auditpol.exe.
Reference: http://technet.microsoft.com/en-us/library/ff182311.aspx (Advanced Security Auditing FAQ)
The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
Note: In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
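A startup script of the kind answer C describes, added here as an illustration rather than taken from the exam text or Microsoft's documentation: it sets a baseline of advanced audit subcategories with auditpol.exe on the Windows Server 2008 member servers and records the outcome in the Application log. It assumes PowerShell 2.0 is installed on those servers and that the subcategory list below is your own baseline, not a Microsoft recommendation.

```powershell
# Added example (not from the exam or TechNet): computer startup script, deployed via
# Computer Configuration > Windows Settings > Scripts > Startup, so it runs as SYSTEM and
# auditpol has the rights it needs. It sets advanced audit subcategories on servers where
# the GPO "Advanced Audit Policy Configuration" node is not honoured (Windows Server 2008).
# Assumed baseline: edit to match your policy.
$AuditBaseline = @(
    @{ Subcategory = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Account Lockout';           Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'User Account Management';   Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Security Group Management'; Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Process Creation';          Success = 'enable'; Failure = 'disable' }
)

# Without this value, the legacy nine-category audit policy from Group Policy overwrites
# the subcategory settings at the next policy refresh. It is the registry side of the
# security option "Audit: Force audit policy subcategory settings (Windows Vista or later)
# to override audit policy category settings".
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $Lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

$failed = @()
foreach ($entry in $AuditBaseline) {
    # Subcategory names are localized. On non-English servers use the subcategory GUIDs
    # shown by "auditpol /list /subcategory:* /v" in place of the names.
    & auditpol.exe /set /subcategory:"$($entry.Subcategory)" `
        /success:$($entry.Success) /failure:$($entry.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) { $failed += $entry.Subcategory }
}

# Record the result in the Application log so a server that failed to apply the baseline,
# or has drifted from it, is visible through normal event collection.
if ($failed.Count -gt 0) {
    $msg  = "auditpol failed for: $($failed -join ', ')"
    $type = 'Error'
} else {
    $msg  = "Audit baseline applied:`r`n" + ((& auditpol.exe /get /category:*) -join "`r`n")
    $type = 'Information'
}
if (-not [System.Diagnostics.EventLog]::SourceExists('AuditBaseline')) {
    New-EventLog -LogName Application -Source 'AuditBaseline'
}
Write-EventLog -LogName Application -Source 'AuditBaseline' -EventId 1000 -EntryType $type -Message $msg
```

On the Windows Server 2008 R2 and Windows 7 computers in the same domain the Advanced Audit Policy Configuration node of the GPO applies directly, so the script is only needed in the OU that holds the 2008 member servers.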
Q193. You want users to log on to Active Directory by using a new user principal name (UPN).
You need to modify the UPN suffix for all user accounts.
Which tool should you use?
A. Dsmod
B. Netdom
C. Redirusr
D. Active Directory Domains and Trusts
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx (Dsmod user)
dsmod user <UserDN> -upn <UPN>
-upn <UPN>: Specifies the user principal name (UPN) of the user that you want to modify, for example, Linda@widgets.contoso.com.
Q194. Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC).
A user from the branch office reports that his account is locked out.
From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain.
What should you do?
A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.
Answer: D
Explanation:
Not sure if:
Run the Knowledge Consistency Checker (KCC) on the RODC.
or
Restore network communication between the branch office and the main office.
Q195. Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.
You implement Active Directory Rights Management Services (AD RMS).
You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied."
You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Answer: A,D
Explanation:
http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1 (RMS Administration Issues)
"SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site
If you have installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to start automatically, RMS will not be able to function and only the RMS Global Administration page will be accessible. After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.
Q196. Your company has a main office and a branch office.
The network contains an Active Directory domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2.
You discover that the password of an administrator named Admin1 is cached on DC2.
You need to prevent Admin1's password from being cached on DC2.
What should you do?
A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Setting object (PSO).
D. Modify the properties of DC2's computer account.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx (Administering the Password Replication Policy)
This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).
Viewing the PRP
You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.
To view the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab. An example is shown in the following illustration.
Q197. Your network contains a domain controller that is configured as a DNS server. The server hosts an Active Directory-integrated zone for the domain.
You need to reduce how long it takes until stale records are deleted from the zone.
What should you do?
A. From the configuration directory partition of the forest, modify the tombstone lifetime.
B. From the configuration directory partition of the forest, modify the garbage collection interval.
C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.
D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire interval.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx (Set Aging and Scavenging Properties for a Zone)
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.
To set aging and scavenging properties for a zone using the Windows interface
1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, click Aging.
4. Select the Scavenge stale resource records check box.
5. Modify other aging and scavenging properties as needed.
To set aging and scavenging properties for a zone using a command line
1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. At the command prompt, type the following command, and then press ENTER:
dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}
Q198. The default domain GPO in your company is configured by using the following account policy settings:
Minimum password length: 8 characters
Maximum password age: 30 days
Enforce password history: 12 passwords remembered
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 30 minutes
You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008 R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has domain user rights.
The SQL Server computer fails after running successfully for several weeks. The SQLSrv user account is not locked out.
You need to resolve the server failure and prevent recurrence of the failure. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Reset the password of the SQLSrv user account.
B. Configure the local security policy on Server1 to grant the Logon as a service right on the SQLSrv user account.
C. Configure the properties of the SQLSrv account to Password never expires.
D. Configure the properties of the SQLSrv account to User cannot change password.
E. Configure the local security policy on Server1 to explicitly grant the SQLSrv user account the Allow logon locally user right.
Answer: A,C
Explanation:
Personal comment:
Maximum password age: 30 days
The most probable cause for the malfunction is that the password has expired.
You need to reset the password and set it to never expire.
Q199. You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Answer: A,B
Explanation:
Further information: http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx (Online Responder Installation, Configuration, and Troubleshooting Guide)
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. Certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.
Although validating the revocation status of certificates can be performed in multiple ways, the common mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses.
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx (Active Directory Certificate Services Step-by-Step Guide)
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-andplanning.aspx (Designing and Implementing a PKI: Part I Design and Planning)
http://technet.microsoft.com/en-us/library/cc725937.aspx (Set Up an Online Responder)
http://technet.microsoft.com/en-us/library/cc731099.aspx (Creating a Revocation Configuration)
Q200. Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS).
You need to create new organizational units in the AD LDS application directory partition.
What should you do?
A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.
B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx (ADSI Edit (adsiedit.msc))
Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
http://technet.microsoft.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1 (Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users)
Create an OU
To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Active Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol (LDAP)-based directories, OUs are most commonly used for keeping users and groups organized.
To create an OU
1. Click Start, point to Administrative Tools, and then click ADSI Edit.
2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU.
3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to which you want to add the OU, point to New, and then click Object.
4. In Select a class, click organizationalUnit, and then click Next.
5. In Value, type a name for the new OU, and then click Next.
6. If you want to set values for additional attributes, click More attributes.
Further information: http://technet.microsoft.com/en-us/library/cc754663%28v=ws.10%29.aspx (Step 5: Practice Working with Application Directory Partitions)
The Active Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directory partitions. There are three different types of directory partitions:
Configuration directory partitions
Schema directory partitions
Application directory partitions
Each AD LDS directory store must contain a single configuration directory partition and a single schema directory partition. The directory store can contain zero or more application directory partitions. Application directory partitions hold the data that your applications use. You can create an application directory partition during AD LDS setup or anytime after installation.