
70-640 Exam Questions - Online Test



Q1. Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 and Forest3. 

You need to configure the forests to meet the following requirements: 

- Users in Forest3 must be able to access resources in Forest1. 

- Users in Forest1 must be able to access resources in Forest3. 

- The number of trusts must be minimized. 

What should you do? 

A. In Forest2, modify the name suffix routing settings. 

B. In Forest1 and Forest3, configure selective authentication. 

C. In Forest1 and Forest3, modify the name suffix routing settings. 

D. Create a two-way forest trust between Forest1 and Forest3. 

E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3. 

Answer:

Explanation: 

MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012), page 639: 

Forest Trusts 

(...) 

You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters.com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them. 

Q2. One of the remote branch offices is running a Windows Server 2008 read-only domain controller (RODC). For security reasons, you do not want certain critical credentials (passwords, encryption keys) to be stored on the RODC. 

What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2) 

A. Configure RODC filtered attribute set on the server 

B. Configure RODC filtered set on the server that holds Schema Operations Master role. 

C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain 

D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set. 

E. None of the above 

Answer: B,D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc753223.aspx 

Adding attributes to the RODC filtered attribute set 

The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised. 

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed. Therefore, as a security precaution, ensure that the forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. 

Q3. Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1. 

You link a new Group Policy object (GPO) named GPO10 to OU1. 

You need to ensure that GPO10 is applied only to client computers that run Windows 7. 

What should you do? 

A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU. 

B. Enable block inheritance on OU1. 

C. Create a WMI filter and assign the filter to GPO10. 

D. Modify the permissions of OU1. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc947846.aspx 

To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer. 

Q4. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com. 

You discover that non-domain member computers register records in the contoso.com zone. 

You need to prevent the non-domain member computers from registering records in the contoso.com zone. 

All domain member computers must be allowed to register records in the contoso.com zone. 

What should you do first? 

A. Configure a trust anchor. 

B. Run the Security Configuration Wizard (SCW). 

C. Change the contoso.com zone to an Active Directory-integrated zone. 

D. Modify the security settings of the %SystemRoot%\System32\Dns folder. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx 

Active Directory-Integrated Zones 

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages: 

- Multiple masters are created for DNS replication. Therefore, any domain controller in the domain running the DNS Server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed. 

- Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS. 

Q5. Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role. 

DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role. 

You need to ensure that DC2 holds the Schema Master role. 

What should you do? 

A. Configure DC2 as a bridgehead server. 

B. On DC2, seize the Schema Master role. 

C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in. 

D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in. 

Answer:

Explanation: 

Q6. Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). 

You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping. 

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. 

What should you do? 

A. Run certutil.exe -crl. 

B. Run certutil.exe -delkey. 

C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group. 

D. From Active Directory Users and Computers, modify the Contact object for the external partner. 

Answer:

Explanation: 

http://technet.microsoft.com/library/cc732443.aspx 

Certutil 

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. 

Verbs: -CRL: Publish new certificate revocation lists (CRLs) [or only delta CRLs]. 

http://technet.microsoft.com/en-us/library/cc783835%28v=ws.10%29.aspx 

Requesting Offline Domain Controller Certificates (Advanced Certificate Enrollment and Management) 

If you have determined the keycontainername for a specific certificate, you can delete the key container with the following command: 

    certutil.exe -delkey <KeyContainerName> 

The -delkey option is supported only with the Windows Server 2003 version of certutil. On Windows 2000, you must add a prefix to the commands. The prefix is the path you have copied the Windows Server 2003 version of certutil to. In this white paper, the %HOMEDRIVE%\W2K3AdmPak path is used. 

Q7. Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2. 

You need to create multiple password policies for users in your domain. 

What should you do? 

A. From the Group Policy Management snap-in, create multiple Group Policy objects. 

B. From the Schema snap-in, create multiple class schema objects. 

C. From the ADSI Edit snap-in, create multiple Password Setting objects. 

D. From the Security Configuration Wizard, create multiple security policies. 

Answer:

Explanation: 

Q8. You need to ensure that users who enter three successive invalid passwords within 5 minutes are locked out for 5 minutes. 

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.) 

A. Set the Minimum password age setting to one day. 

B. Set the Maximum password age setting to one day. 

C. Set the Account lockout duration setting to 5 minutes. 

D. Set the Reset account lockout counter after setting to 5 minutes. 

E. Set the Account lockout threshold setting to 3 invalid logon attempts. 

F. Set the Enforce password history setting to 3 passwords remembered. 

Answer: C,D,E 

Explanation: 


Q9. You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. 

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. 

Which inbound TCP port should you allow on Server1? 

A. 88 

B. 135 

C. 443 

D. 445 

Answer:

Q10. You have a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed. 

You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). 

What should you do? 

A. Install and configure an Online Responder. 

B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations. 

C. Install and configure an additional domain controller. 

D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc725958.aspx 

What Is an Online Responder? An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.