
70-640 Exam Questions - Online Test



Q1. An Active Directory database is installed on the C volume of a domain controller. 

You need to move the Active Directory database to a new volume. 

What should you do? 

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command. 

B. Move the ntds.dit file to the new volume by using Windows Explorer. 

C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell. 

D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility. 

Answer:

Explanation: 

Q2. Your company has a main office and a branch office. 

The network contains an Active Directory domain. 

The main office contains a writable domain controller named DC1. The branch office 

contains a read- only domain controller (RODC) named DC2. 

You discover that the password of an administrator named Admin1 is cached on DC2. 

You need to prevent Admin1's password from being cached on DC2. 

What should you do? 

A. Modify the NTDS Site Settings. 

B. Modify the properties of the domain. 

C. Create a Password Setting object (PSO). 

D. Modify the properties of DC2's computer account. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx

Administering the Password Replication Policy

This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).

Viewing the PRP

You can view the PRP in a graphical user interface (GUI) by using the Active Directory Users and Computers snap-in or in a Command Prompt window by using the Repadmin tool. The following procedures describe how to view the PRP.

To view the PRP using Active Directory Users and Computers

1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.

2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.

3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.

4. Click the Password Replication Policy tab. An example is shown in the following illustration.


Q3. Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. 

You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data. 

What should you do? 

A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility. 

B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account. 

C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Allow Full control permission on the shared folder that holds the confidential data for the Deny DLG group. 

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Deny Full control permission on the shared folder that holds the confidential data for the Deny DLG group. 

Answer:

Explanation: 


http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx 

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. 

The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local. 

The following table describes the differences between the scopes of each group. 


When to use groups with domain local scope Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer. 

Q4. You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed: 

Enterprise root certification authority (CA) 

Certificate Enrollment Web Service 

Certificate Enrollment Policy Web Service 

You create a new certificate template. 

External users report that the new template is unavailable when they request a new certificate. 

You verify that all other templates are available to the external users. 

You need to ensure that the external users can request certificates by using the new template. 

What should you do on Server1? 

A. Run iisreset.exe /restart. 

B. Run gpupdate.exe /force. 

C. Run certutil.exe dspublish. 

D. Restart the Active Directory Certificate Services service. 

Answer:

Explanation: 

http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx

Certificate Enrollment Web Services in Active Directory Certificate Services

Troubleshooting

Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates

Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset. 

Q5. You have an Active Directory domain that runs Windows Server 2008 R2. 

You need to implement a certification authority (CA) server that meets the following requirements: 

Allows the certification authority to automatically issue certificates 

Integrates with Active Directory Domain Services 

What should you do? 

A. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA. 

B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA. 

C. Purchase a certificate from a third-party certification authority, Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA. 

D. Purchase a certificate from a third-party certification authority, Import the certificate into the computer store of the schema master. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx

Enterprise certification authorities

The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card.

An enterprise CA has the following features:

· An enterprise CA requires the Active Directory directory service.

· When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA.

· Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards.

· The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.

· An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates:

Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested.

The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.

The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.

http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx

Stand-alone certification authorities

You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

A stand-alone CA has the following characteristics:

· Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module.

· When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template.) The authentication information for requests is obtained from the local computer's Security Accounts Manager database.

· By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA.

· Certificate templates are not used.

· No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card.

· The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves.

When a stand-alone CA uses Active Directory, it has these additional features:

· If a member of the Domain Administrators group or an administrator with write access to Active Directory installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.

· If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory. 

Q6. HOTSPOT 

Your network contains an Active Directory forest named contoso.com. The forest contains two Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that contains only a single read-only domain controller (RODC). 

You accidentally delete the site link between the two sites. 

You recreate the site link while you are connected to a domain controller in Seattle. 

You need to replicate the change to the RODC in Montreal. 

Which node in Active Directory Sites and Services should you use? To answer, select the appropriate node in the answer area. 

Answer:  

Q7. Your network contains a single Active Directory domain. The functional level of the forest is Windows Server 2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2. 

You need to ensure that you can enable the Active Directory Recycle Bin. 

What should you do? 

A. Change the functional level of the forest. 

B. Change the functional level of the domain. 

C. Modify the Active Directory schema. 

D. Modify the Universal Group Membership Caching settings. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/dd392261.aspx 

Active Directory Recycle Bin Step-by-Step Guide 

By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2. 

Q8. Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. 

DC3 fails. 

You discover that replication no longer occurs between the sites. 

You verify the connectivity between DC4 and the domain controllers in Site1. 

On DC4, you run repadmin.exe /kcc. 

Replication between the sites continues to fail. 

You need to ensure that Active Directory data replicates between the sites. 

What should you do? 

A. From Active Directory Sites and Services, modify the properties of DC3. 

B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2. 

C. From Active Directory Users and Computers, modify the location settings of DC4. 

D. From Active Directory Users and Computers, modify the delegation settings of DC4. 

Answer:

Explanation: 

MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 

Bridgehead Servers 

A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. 

In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. 

However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 

1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 

2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 

3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. 

Q9. Your network contains an Active Directory domain that contains five domain controllers. You have a management computer that runs Windows 7. 

From the Windows 7 computer, you need to view all account logon failures that occur in the domain. 

The information must be consolidated on one list. 

Which command should you run on each domain controller? 

A. Wecutil.exe qc 

B. Wevtutil.exe gli 

C. Winrm.exe quickconfig 

D. Winrshost.exe 

Answer:

Explanation: 

http://blogs.technet.com/b/jonjor/archive/2009/01/09/winrm-windows-remote-managementtroubleshooting.aspx 

WinRM (Windows Remote Management) Troubleshooting 

What is WinRM? 

New in Windows Vista, Windows Server 2003 R2, Windows Server 2008 (and Server 2008 Core) are WinRM & WinRS. Windows Remote Management (known as WinRM) is a handy new remote management service. 

WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell) is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. However, I should note that BOTH computers must have WinRM installed and enabled on them for WinRS to work and retrieve information from the remote system. 

How to install WinRM 

The WinRM is not dependent on any other service except WinHttp. If the IIS Admin Service is installed on the same computer, you may see messages that indicate WinRM cannot be loaded before Internet Information Services (IIS). However, WinRM does not actually depend on IIS: these messages occur because the load order ensures that the IIS service starts before the HTTP service. WinRM does require that WinHTTP.dll be registered. 

(Stated simply: WinRM service should be set to Automatic (Delayed Start) on Windows Vista and Server 2008) 

· The WinRM service starts automatically on Windows Server 2008. 

· On Windows Vista, the service must be started manually. 

How to configure WinRM 

To set the default configuration type: 

winrm quickconfig (or the abbreviated version, winrm qc) 

‘winrm qc’ performs the following operations: 

1. Starts the WinRM service and sets the service startup type to auto-start. 

2. Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address. 

3. Defines ICF exceptions for the WinRM service and opens the ports for HTTP and HTTPS. 

(Note: Winrm quickconfig also configures Winrs default settings) 

Q10. You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an enterprise root certification authority (CA). 

You install the Online Responder role service on Server2. 

You need to configure Server1 to support the Online Responder. 

What should you do? 

A. Import the enterprise root CA certificate. 

B. Configure the Certificate Revocation List Distribution Point extension. 

C. Configure the Authority Information Access (AIA) extension. 

D. Add the Server2 computer account to the CertPublishers group. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc732526.aspx 

Configure a CA to Support OCSP Responders 

To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP) Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder. 

Configuring a certification authority (CA) to support OCSP responder services includes the following steps: 

1. Configure certificate templates and issuance properties for OCSP Response Signing certificates. 

2. Configure enrollment permissions for any computers that will be hosting Online Responders. 

3. If this is a Windows Server 2003–based CA, enable the OCSP extension in issued certificates. 

4. Add the location of the Online Responder or OCSP responder to the authority information access extension on the CA. 

5. Enable the OCSP Response Signing certificate template for the CA.