70-640 TS: Windows Server 2008 Active Directory, Configuring: practice exam questions Q21 to Q30 with answers and explanations.
Q21. You are installing an application on a computer that runs Windows Server 2008 R2. During installation, the application will need to install new attributes and classes to the Active Directory database.
You need to ensure that you can install the application. What should you do?
A. Change the functional level of the forest to Windows Server 2008 R2.
B. Log on by using an account that has Server Operator rights.
C. Log on by using an account that has Schema Administrator rights and the appropriate rights to install the application.
D. Log on by using an account that has the Enterprise Administrator rights and the appropriate rights to install the application.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc756898%28v=ws.10%29.aspx
Default groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles.
Groups in the Builtin container
The following table provides descriptions of the default groups located in the Builtin container and lists the assigned user rights for each group.
[Table of Builtin container groups not reproduced]
Groups in the Users container
The following table provides a description of the default groups located in the Users container and lists the assigned user rights for each group.
[Table of Users container groups not reproduced]
Q22. Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records.
You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.
What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Answer: A
Explanation:
Answer: Set dynamic updates to Secure Only.
http://technet.microsoft.com/en-us/library/cc753751.aspx
Allow Only Secure Dynamic Updates
Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address. Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
Further information:
http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update
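The risk behind this question is that a zone accepting nonsecure updates lets any host on the network, domain member or not, overwrite another machine's A record. The following script is an added example, not code from the question or from Microsoft's documentation: it audits every zone on a Windows Server 2008 or 2008 R2 DNS server through the MicrosoftDNS WMI provider and, when asked, switches AD-integrated zones that still accept nonsecure updates to Secure Only with dnscmd. The server name parameter and the choice to treat only AD-integrated zones as remediable are assumptions of the example.

```powershell
# Added example: audit and optionally remediate the dynamic-update setting of DNS zones.
# $DnsServer is an assumed parameter (defaults to the local server); requires DNS admin rights.
param(
    [string]$DnsServer = 'localhost',
    [switch]$Remediate
)

# MicrosoftDNS_Zone.AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
$updateModes = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ComputerName $DnsServer

foreach ($zone in $zones) {
    $mode   = $updateModes[[int]$zone.AllowUpdate]
    # Only "nonsecure and secure" lets non-domain hosts register or overwrite records.
    $status = if ($zone.AllowUpdate -eq 1) { 'AT RISK' } else { 'ok' }
    "{0,-40} DsIntegrated={1,-5} DynamicUpdate={2,-22} {3}" -f `
        $zone.ContainerName, $zone.DsIntegrated, $mode, $status

    # Secure Only is offered only for AD-integrated zones, so those are the ones we can fix;
    # a standard primary zone has to be converted to AD-integrated first.
    if ($Remediate -and $zone.AllowUpdate -eq 1 -and $zone.DsIntegrated) {
        # dnscmd <server> /Config <zone> /AllowUpdate 2 is the command-line equivalent of
        # "Dynamic updates: Secure only" in DNS Manager.
        & dnscmd.exe $DnsServer /Config $zone.ContainerName /AllowUpdate 2
    }
}
```

Run it without `-Remediate` first to see which zones report AT RISK; cache and secondary zones show AllowUpdate 0 and are listed only for completeness.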
Q23. Your company has a single Active Directory domain named intranet.contoso.com. All domain controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and the forest functional level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object (GPO) to contoso.com.
Answer: C
Explanation:
http://support.microsoft.com/kb/243629
HOW TO: Add UPN Suffixes to a Forest
Adding a UPN Suffix to a Forest
Open Active Directory Domains and Trusts.
Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest. Click Add, and then click OK.
Now when you add users to the forest, you can select the new UPN suffix to complete the user's logon name.
APPLIES TO
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Q24. Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table.
All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range.
You need to minimize the number of client authentication requests sent to DC2.
What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1.
Answer: C
Explanation:
Creating a new site and assigning it the subnet 10.1.1.2 with a subnet mask of 255.255.255.255 (/32) means that only one IP address, that of DC2, falls within Site1's subnet coverage. All client requests are therefore processed by DC1 in Default-First-Site-Name, and DC2 authenticates only itself.
Q25. Your network contains an Active Directory domain named contoso.com.
You need to create a central store for the Group Policy Administrative templates.
What should you do?
A. Run dfsrmig.exe /createglobalobjects.
B. Run adprep.exe /domainprep /gpprep.
C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.
D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.
Answer: C
Explanation:
http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstore
Creating an ADMX central store for group policies
To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. The Central Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain.
First, on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and language template files in %SYSTEMROOT%\PolicyDefinitions need copying to %SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions. Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domain controllers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total).
xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"
Next, ensure you have Remote Server Administration Tools (RSAT) installed on the client computer you are using to edit the GPOs. This will need to be Windows Vista or Windows 7.
For Windows Vista enable the RSAT feature (GPMC).
For Windows 7 download and install RSAT, then enable the RSAT feature (GPMC).
When editing a GPO in the GPMC you will find that the Administrative Templates show as "Policy Definitions (ADMX files) retrieved from the central store". This confirms it is working as expected.
Further information:
http://support.microsoft.com/kb/929841/en-us How to create the Central Store for Group Policy Administrative Template files in Windows Vista
http://msdn.microsoft.com/en-us/library/bb530196.aspx Managing Group Policy ADMX Files Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx Scenario 2: Editing Domain-Based GPOs Using ADMX Files
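The xcopy step above creates the store but gives no confirmation that every template arrived with its language file. The script below is an added example, not code from the question or the quoted article: it copies the local PolicyDefinitions folder into the SYSVOL central store using the same path layout and then checks that each .admx in the store has a matching .adml, since a template without its language file cannot be displayed by GPMC. The domain and language parameters are assumptions of the example and must be run on a domain controller with rights to write to SYSVOL.

```powershell
# Added example: create the Group Policy central store and verify the copy.
# $Domain and $Language are assumed parameters; the layout matches the article's
# %SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions (reached here via the SYSVOL share).
param(
    [string]$Domain   = $env:USERDNSDOMAIN,
    [string]$Language = 'en-US'
)

$source  = Join-Path $env:SystemRoot 'PolicyDefinitions'
$central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "No local PolicyDefinitions folder at $source" }

# Create the store on first run, then copy the .admx templates and the chosen language's .adml files.
if (-not (Test-Path $central)) { New-Item -ItemType Directory -Path $central | Out-Null }
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force

$langSrc = Join-Path $source  $Language
$langDst = Join-Path $central $Language
if (-not (Test-Path $langDst)) { New-Item -ItemType Directory -Path $langDst | Out-Null }
Copy-Item -Path (Join-Path $langSrc '*.adml') -Destination $langDst -Force

# Verify: every .admx must have a same-named .adml in the language folder, otherwise GPMC
# cannot resolve that template's display strings.
$admx = @(Get-ChildItem $central -Filter *.admx | ForEach-Object { $_.BaseName })
$adml = @(Get-ChildItem $langDst -Filter *.adml | ForEach-Object { $_.BaseName })
$missing = @($admx | Where-Object { $adml -notcontains $_ })

"{0} .admx templates and {1} {2} .adml files now in {3}" -f $admx.Count, $adml.Count, $Language, $central
if ($missing.Count -gt 0) {
    Write-Warning ("ADMX templates without a matching ADML: " + ($missing -join ', '))
}
```

The copy goes through the `\\domain\SYSVOL` share rather than a specific DC so that it lands on the nearest domain controller and is then replicated like any other SYSVOL content; rerunning the script after adding new templates refreshes the store in place.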
Q26. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008 R2.
You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).
What should you do?
A. From the command prompt, run dfsutil /addroot:sysvol.
B. From the command prompt, run netdom /reset.
C. From the command prompt, run dcpromo /unattend:unattendfile.xml.
D. Raise the functional level of the domain to Windows Server 2008 R2.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc794837%28v=ws.10%29.aspx
Introduction to Administering DFS-Replicated SYSVOL
SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs). The SYSVOL directory must be present and the appropriate subdirectories must be shared on a server before the server can advertise itself on the network as a domain controller. Shared subdirectories in the SYSVOL tree are replicated to every domain controller in the domain.
Note: For Group Policy, only the Group Policy template (GPT) is replicated through SYSVOL replication. The Group Policy container (GPC), which is stored in the domain, is replicated through Active Directory replication. For Group Policy to be effective, both parts must be available on a domain controller.
Using DFS Replication for replicating SYSVOL in Windows Server 2008
Distributed File System (DFS) Replication is a replication service that is available for replicating SYSVOL to all domain controllers in domains that have the Windows Server 2008 domain functional level. DFS Replication was introduced in Windows Server 2003 R2. However, on domain controllers that are running Windows Server 2003 R2, SYSVOL replication is performed by the File Replication Service (FRS).
Q27. Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.
You plan to install a new read-only domain controller (RODC) that runs Windows Server 2008 R2.
You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. At the command prompt, run adprep.exe /rodcprep.
B. At the command prompt, run adprep.exe /forestprep.
C. At the command prompt, run adprep.exe /domainprep.
D. From Active Directory Domains and Trusts, raise the functional level of the domain.
E. From Active Directory Users and Computers, pre-stage the RODC computer account.
Answer: B,C
Q28. Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the Block Inheritance setting on the R&D organizational unit.
B. Configure the Enforce setting on the software deployment GPO.
C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
D. Configure the Block Inheritance setting on the Production organizational unit.
Answer: A,C
Explanation:
Answer: Configure the Block Inheritance setting on the R&D organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx
Managing inheritance of Group Policy
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override."
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Security filtering using GPMC
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
Notes:
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.
Further information:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups
Active Directory
Shadow groups
In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU.
Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Explanation documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
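The shadow-group script the text refers to is easy to get subtly wrong: if it only adds members, a user moved out of the R&D OU keeps receiving (or, for the Deny filter in answer C, keeps being excluded from) the policy. The following is an added example of such a script, not code from the question, the Wikipedia article or Microsoft: it makes the membership of a security group equal to the set of enabled users directly inside an OU, adding newcomers and removing leavers, so the group stays a faithful mirror of the OU for security filtering. The OU distinguished name and group name are placeholders, and it assumes the Active Directory module shipped with Windows Server 2008 R2.

```powershell
# Added example: keep a shadow group in sync with the user accounts directly inside an OU.
# OU path and group name below are placeholders; run with -WhatIf to preview changes.
param(
    [string]$OU        = 'OU=R&D,OU=Production,DC=contoso,DC=com',   # placeholder OU
    [string]$GroupName = 'Shadow-RandD',                              # placeholder group
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Desired membership: enabled users whose immediate parent is the OU. Use -SearchScope
# Subtree instead if the shadow group should also cover child OUs.
$wanted = @(Get-ADUser -Filter { Enabled -eq $true } -SearchBase $OU -SearchScope OneLevel |
    Select-Object -ExpandProperty DistinguishedName)

# Current membership: users only, so nested groups or computers someone added by hand are
# left alone rather than silently removed.
$current = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty DistinguishedName)

# Set difference in both directions: who joined the OU, who left it.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -WhatIf:$WhatIf
}
if ($toRemove.Count -gt 0) {
    # -Confirm:$false so the script can run unattended from a scheduled task.
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false -WhatIf:$WhatIf
}

"{0}: {1} added, {2} removed (mirroring {3})" -f $GroupName, $toAdd.Count, $toRemove.Count, $OU
```

Schedule it on a domain controller at the interval the organisation can tolerate; as the article notes, membership lags the directory by up to that interval, which is the trade-off of shadow groups compared with OU-based permissions.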
Q29. Your network contains an Active Directory domain.
You need to restore a deleted computer account from the Active Directory Recycle Bin.
What should you do?
A. From the command prompt, run recover.exe.
B. From the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx
Step 2: Restore a Deleted Active Directory Object
Applies To: Windows Server 2008 R2
This step provides instructions for completing the following tasks with Active Directory Recycle Bin:
Displaying the Deleted Objects container
Restoring a deleted Active Directory object using Ldp.exe
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
Restoring multiple, deleted Active Directory objects
To restore a single, deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
2. At the Active Directory module for Windows PowerShell command prompt, type the following command, and then press ENTER:
Get-ADObject -Filter {String} -IncludeDeletedObjects | Restore-ADObject
For example, if you want to restore an accidentally deleted user object with the display name Mary, type the following command, and then press ENTER:
Get-ADObject -Filter {displayName -eq "Mary"} -IncludeDeletedObjects | Restore-ADObject
http://blogs.msdn.com/b/dsadsi/archive/2009/08/26/restoring-object-from-the-active-directory-recycle-binusing-ad-powershell.aspx Restoring object from the Active Directory Recycle Bin using AD Powershell
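The quoted steps show the one-liner for a user; the question asks about a computer account, and in practice the restore needs two checks the one-liner skips: that the Recycle Bin feature is actually enabled (otherwise Restore-ADObject has nothing usable to restore) and that the filter matched exactly one object, since a deleted object's name is rewritten to include a GUID and a loose pattern can match several. The script below is an added example, not code from the question or from Microsoft's documentation; it assumes the Active Directory module on Windows Server 2008 R2, and the computer name it takes is a placeholder.

```powershell
# Added example: restore a deleted computer account from the AD Recycle Bin by its former name.
# $ComputerName is a placeholder parameter; requires the Recycle Bin optional feature to be enabled.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [switch]$WhatIf
)
Import-Module ActiveDirectory

# Without the Recycle Bin feature, deleted objects are tombstones with most attributes stripped
# and Restore-ADObject cannot bring them back intact, so fail early with a clear message.
$feature = Get-ADOptionalFeature -Filter { Name -like 'Recycle Bin Feature' }
if (-not $feature.EnabledScopes) {
    throw 'Active Directory Recycle Bin is not enabled in this forest; use an authoritative restore instead.'
}

# A deleted object's RDN becomes "<name>\0ADEL:<guid>", so match on the old name as a prefix and
# on the computer class. msDS-LastKnownRDN holds the original name, lastKnownParent the original OU.
$pattern = "$ComputerName*"
$deleted = @(Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'computer' -and name -like $pattern } `
    -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN, whenChanged)

if ($deleted.Count -eq 0) { throw "No deleted computer object matching '$ComputerName' was found." }
if ($deleted.Count -gt 1) {
    $deleted | Format-Table msDS-LastKnownRDN, whenChanged, lastKnownParent -AutoSize
    throw 'More than one deleted object matched; restore the right one by ObjectGUID instead.'
}

$obj = $deleted[0]
"Restoring {0} (deleted {1}) into {2}" -f $obj.'msDS-LastKnownRDN', $obj.whenChanged, $obj.lastKnownParent

# Restore-ADObject returns the object to lastKnownParent by default. If that OU was deleted as
# well, restore the OU first or supply -TargetPath with another OU.
$obj | Restore-ADObject -WhatIf:$WhatIf
```

Running with `-WhatIf` prints the object that would be restored without touching the directory, which is worth doing before any restore of an account that other systems trust by SID.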
Q30. Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com.
From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com.
You need to prevent users from impersonating contoso.com users.
What should you do?
A. Configure trusted e-mail domains.
B. Enable lockbox exclusion in AD RMS.
C. Create a forest trust between adatum.com and contoso.com.
D. Add a certificate from a third-party trusted certification authority (CA).
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc753930.aspx
Add a Trusted User Domain
By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests. For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.
You can add TUDs as follows:
To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft’s online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.
To trust external users from another organization’s AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization.
In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.
For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.