It is faster and easier to pass the Microsoft 70-640 exam by using 100% correct Microsoft TS: Windows Server 2008 Active Directory, Configuring questions and answers. Get immediate access to the up-to-date 70-640 exam and find the same core area 70-640 questions with professionally verified answers, then pass your exam with a high score now.
Q61. Your network contains a domain controller that has two network connections named Internal and Private.
Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address.
What should you do?
A. Modify the netlogon.dns file on the domain controller.
B. Modify the Name Server settings of the DNS zone for the domain.
C. Modify the properties of the Private network connection on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.
Answer: C
Explanation:
http://support.microsoft.com/kb/2023004
Steps to avoid registering unwanted NIC(s) in DNS on a Multihomed Domain Controller
Symptoms
On Domain Controllers with more than one NIC, where each NIC is connected to a separate network, there is a possibility that the Host A DNS registration can occur for unwanted NIC(s). If the client queries for the DC's DNS records and gets an unwanted record, or the record of a different network which is not reachable to the client, the client will fail to contact the DC, causing authentication and many other issues.
Cause
The DNS server will respond to the query in a round robin fashion. If the DC has multiple NICs registered in DNS, the DNS server will serve the client with all the records available for that DC. To prevent this, we need to make sure the unwanted NIC address is not registered in DNS. Below are the services that are responsible for Host A record registration on a DC:
1. Netlogon service
2. DNS server service (if the DC is running DNS server service)
3. DHCP client / DNS client (2003/2008)
If the NIC is configured to register the connection address in DNS, then the DHCP/DNS client service will register the record in DNS. The unwanted NIC should be configured not to register the connection address in DNS.
If the DC is running the DNS server service, then the DNS service will register the interface Host A record that it has set to listen on. The zone properties "Name server" tab lists the IP addresses of interfaces present on the DC. If it lists both IPs, the DNS server will register Host A records for both IP addresses. We need to make sure only the required interface listens for DNS and that the zone properties Name server tab has the required IP address information.
Resolution
To avoid this problem, perform the following 3 steps (it is important that you follow all the steps to avoid the issue).
1. Under Network Connections Properties: on the unwanted NIC, TCP/IP Properties -> Advanced -> DNS -> uncheck "Register this connection's addresses in DNS".
2. Open the DNS server console: highlight the server on the left pane, Action -> Properties, and on the "Interfaces" tab select "listen on only the following IP addresses". Remove the unwanted IP address from the list.
3. On the Zone properties, select the Name server tab. Along with the FQDN of the DC, you will see the IP address associated with the DC. Remove the unwanted IP address if it is listed.
After performing this, delete the existing unwanted Host A record of the DC.
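Step 1 of the resolution can be audited and applied from PowerShell through WMI. This is an added example, not part of the KB article; the function names are hypothetical helpers, and 10.10.10.5 is the Private address from the question.

```powershell
# Added example, not part of KB 2023004. Run in an elevated PowerShell session
# on the domain controller; it uses only WMI, so PowerShell 2.0 is enough.
# Function names are hypothetical helpers defined here.

function Get-NicDnsRegistration {
    # One row per IP-enabled adapter with its "Register this connection's
    # addresses in DNS" flag (FullDNSRegistrationEnabled).
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Index, Description,
            @{ Name = 'IPAddress';      Expression = { $_.IPAddress -join ', ' } },
            @{ Name = 'RegistersInDns'; Expression = { $_.FullDNSRegistrationEnabled } }
}

function Disable-NicDnsRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $IPAddress
    )

    # Select the adapter by the address it owns rather than by name, so a
    # renamed connection cannot cause the wrong NIC to be changed.
    $matches = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.IPAddress -contains $IPAddress })

    if ($matches.Count -ne 1) {
        throw "Expected exactly one adapter with $IPAddress, found $($matches.Count)."
    }
    $nic = $matches[0]

    if (-not $nic.FullDNSRegistrationEnabled) {
        Write-Output "$($nic.Description): registration already disabled."
        return
    }

    if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable dynamic DNS registration')) {
        # Arguments: FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled.
        $result = $nic.SetDynamicDNSRegistration($false, $false)
        # 0 = success, 1 = success but a reboot is required.
        if ((0, 1) -notcontains $result.ReturnValue) {
            throw "SetDynamicDNSRegistration failed with code $($result.ReturnValue)."
        }
        Write-Output "$($nic.Description): registration disabled (code $($result.ReturnValue))."
    }
}

# Report first, then preview the change for the Private address from Q61.
Get-NicDnsRegistration | Format-Table -AutoSize
Disable-NicDnsRegistration -IPAddress '10.10.10.5' -WhatIf
```

Remove `-WhatIf` to apply the change. Steps 2 and 3 and the deletion of the stale Host A record still have to be done separately.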
Q62. You need to force a domain controller to register all service location (SRV) resource records in DNS.
Which command should you run?
A. ipconfig.exe /registerdns
B. net.exe stop dnscache & net.exe start dnscache
C. net.exe stop netlogon & net.exe start netlogon
D. regsvr32.exe dnsrslvr.dll
Answer: C
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
Q63. Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS.
You need to update AD RMS to use the new password.
Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Component Services
D. Services
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx
AD RMS How To: Change the RMS Service Account Password
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.
It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. These processes include, but are not limited to, the following items:
* Ensure the service account meets the criteria (is a domain account, is not the domain account that provisioned RMS, etc.)
* Temporarily suspends RMS functionality on the server during the change
* Updates the RMS local groups
* Updates the database role for the service account
* Updates and restarts the MSMQ and logging services
* Updates the service account for the _DRMSAppPool1 web application pool
* Updates appropriate AD RMS configuration database tables
There are important requirements to run this wizard:
* Must be logged on to the AD RMS server
* Account running the wizard must be:
  * A local administrator on the RMS server,
  * A member of the AD RMS Enterprise Administrators group, and
  * A SQL SysAdmin on the AD RMS instance
Lastly, this must be performed on each server of the AD RMS cluster.
Q64. You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: "The username or password is incorrect." You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Answer: B
Explanation: Repadmin allows us to check the replication status and also allows us to force a replication between domain controllers.
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl
Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall
Synchronizes a specified domain controller with all replication partners.
Q65. Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /domainprep command.
B. Raise the forest functional level to Windows Server 2008.
C. Raise the domain functional level to Windows Server 2008.
D. Run the adprep /forestprep command.
Answer: A,D
Explanation:
http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm
Prepare your Domain for the Windows Server 2008 R2 Domain Controller
Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP. ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.
What does ADPREP do?
ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:
* Updating the Active Directory schema
* Updating security descriptors
* Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
* Creating new objects, as needed
* Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don't you?).
Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft's website. If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor).
Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
* Enterprise Admins
* Schema Admins
* Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better...
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.
In the Command Prompt window, type the following command:
adprep /forestprep
You will be prompted to type the letter "c" and then press ENTER. After doing so, the process will begin.
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.
When completed, you will receive a success message.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to
run it from a non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory Domain Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the
forest before you prepare any domains for a domain controller that runs Windows Server
2008 R2.
In the Command Prompt window, type the following command: adprep /domainprep
Process will take less than a second.
ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2008 Active Directory domain, that's it, no additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also type the following command:
adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2003 Active Directory domain, that's it, no additional tasks are needed.
However, if you're planning to run Read Only Domain controllers (RODCs), you must also type the following command:
adprep /rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2. Process will complete in less than a second.
Allow the operation to complete, and then allow the changes to replicate throughout the
forest before you prepare any domains for a domain controller that runs Windows Server
2008 R2.
To verify that adprep /forestprep completed successfully please perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration, DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.
13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.
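The two ADSIEdit checks above can also be scripted through ADSI. This is an added example, not code from the original article; the function names are hypothetical helpers, and the expected values 5 and 47 are the ones the steps give for Windows Server 2008 R2.

```powershell
# Added example, not from the original article. Run on a domain-joined machine
# with an account that can read the Configuration and Schema partitions.
# Expected values are the ones stated in the steps above for 2008 R2.
$ExpectedForestRevision = 5
$ExpectedSchemaVersion  = 47

function Read-DirectoryAttribute {
    # Hypothetical helper: returns the attribute value, or $null when the
    # object does not exist or the attribute is not set.
    param([string] $DistinguishedName, [string] $Attribute)
    try {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        return $entry.psbase.Properties[$Attribute].Value
    }
    catch {
        return $null
    }
}

function Test-ForestPrep {
    # RootDSE gives the partition names, so no domain name is hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    $checks = @(
        @{ Name      = 'ForestUpdates Revision'
           DN        = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNc"
           Attribute = 'revision'
           Expected  = $ExpectedForestRevision },
        @{ Name      = 'Schema objectVersion'
           DN        = $schemaNc
           Attribute = 'objectVersion'
           Expected  = $ExpectedSchemaVersion }
    )

    foreach ($check in $checks) {
        $actual = Read-DirectoryAttribute -DistinguishedName $check.DN -Attribute $check.Attribute
        New-Object PSObject -Property @{
            Check    = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Passed   = ($actual -eq $check.Expected)
        }
    }
}

$results = @(Test-ForestPrep)
$results | Format-Table Check, Expected, Actual, Passed -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'adprep /forestprep has not completed or has not replicated to this DC yet.'
}
```

Because the script binds to whichever domain controller answers, a failed check right after running adprep may only mean the change has not replicated there yet.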
Q66. Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.
You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.
You need to ensure that all the computers can use the most up-to-date version of the AD RMS template.
You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.
Answer: B
Q67. You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller.
You need to ensure that the custom application directory partition replicates to the new domain controller.
What should you use?
A. the Active Directory Administrative Center console
B. the Active Directory Sites and Services console
C. the DNS Manager console
D. the Dnscmd tool
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc772069.aspx
dnscmd /enlistdirectorypartition Adds the DNS server to the specified directory partition's replica set.
Q68. Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.
You plan to add a new token-signing certificate to Server1.
You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)
When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.
You need to ensure that you can use the new certificate for AD FS.
What should you do?
A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/hh341466.aspx
When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.
Q69. Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network.
A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1.
To which group should you add User1?
A. AD RMS Auditors
B. AD RMS Service Group
C. Domain Admins
D. Schema Admins
Answer: C
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx
The AD RMS Service Connection Point
The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.
Q70. Your company has two Active Directory forests named contoso.com and fabrikam.com.
The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table.
All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.