microsoft.com 70-640 : May 2016 Edition

Exam Code: 70-640 (Practice Exam Latest Test Questions VCE PDF)
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
Certification Provider: Microsoft

2016 May 70-640 Study Guide Questions:

Q131. Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. 

You add multiple DNS records to the zone. 

You need to ensure that the records are replicated to all DNS servers. 

Which tool should you use? 

A. Dnslint 

B. Ldp 

C. Nslookup 

D. Repadmin 

Answer: D 

Explanation:

To make sure that the new DNS records are replicated to all DNS servers, we can use the repadmin tool.

http://technet.microsoft.com/en-us/library/cc811569.aspx

Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.

Force a replication event with all partners

The repadmin /syncall command synchronizes a specified domain controller with all replication partners.

Syntax 

repadmin /syncall <DC> [<NamingContext>] [<Flags>] 

Parameters 

<DC> Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext> Specifies the distinguished name of the directory partition.

<Flags> Performs specific actions during the replication.
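
As an added example (not part of the original study guide), the following PowerShell forces the synchronization described above and then checks that no partner reports failures for the partition. The domain controller name DC1 and the DomainDnsZones partition of contoso.com are assumed placeholder values; substitute the partition that actually holds your zone.

```powershell
# Added example. $dc and $partition are assumed placeholder values.
$dc        = 'DC1'
$partition = 'DC=DomainDnsZones,DC=contoso,DC=com'

# /e = include replication partners in all sites
# /d = identify servers by distinguished name in the output
# /P = push changes outward from $dc instead of pulling them in
& repadmin /syncall $dc $partition /e /d /P
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin /syncall exited with code $LASTEXITCODE"
}

# Verify: read the replication status of every DC as CSV and keep only
# the rows for this partition that report one or more failures.
$status = & repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $status | Where-Object {
    $_.'Naming Context' -eq $partition -and [int]$_.'Number of Failures' -gt 0
}

if ($failed) {
    $failed |
        Select-Object 'Source DSA', 'Destination DSA', 'Number of Failures',
                      'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "No replication failures reported for $partition"
}
```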


Q132. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. 

You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects. 

You need to ensure that Attribute1 is replicated to the global catalog. 

What should you do? 

A. In Active Directory Sites and Services, configure the NTDS Settings. 

B. In Active Directory Sites and Services, configure the universal group membership caching. 

C. From the Active Directory Schema snap-in, modify the properties of the User class schema object. 

D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class schema attribute. 

Answer: D 

Explanation: 

http://www.tech-faq.com/the-global-catalog-server.html

The Global Catalog Server

The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.

How to Include Additional Attributes in the GC

The number of attributes in the GC affects GC replication. The more attributes the GC servers have to replicate, the more network traffic GC replication creates. Default attributes are included in the GC when Active Directory is first deployed. The Active Directory Schema snap-in can be used to add any additional attribute to the GC. Because the snap-in is by default not included in the Administrative Tools Menu, users have to add it to the MMC before it can be used to customize the GC.

To add the Active Directory Schema snap-in in the MMC:

1. Click Start, Run, and enter cmd in the Run dialog box. Press Enter. 

2. Enter the following at the command prompt: regsvr32 schmmgmt.dll. 

3. Click OK to acknowledge that the dll was successfully registered. 

4. Click Start, Run, and enter mmc in the Run dialog box. 

5. When the MMC opens, select Add/Remove Snap-in from the File menu. 

6. In the Add/Remove Snap-in dialog box, click Add then add the Active Directory Schema snap-in from the Add Standalone Snap-in dialog box. 

7. Close all open dialog boxes.

To include additional attributes in the GC:

1. Open the Active Directory Schema snap-in. 

2. In the console tree, expand the Attributes container, right-click an attribute, and click Properties from the shortcut menu. 

3. Additional attributes are added on the General tab. 

4. Ensure that the Replicate this attribute to the Global Catalog checkbox is enabled. 

5. Click OK. 
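
The checkbox in step 4 sets the isMemberOfPartialAttributeSet flag on the attribute's schema object. As an added example (not from the original study guide), this PowerShell sets the same flag and then lists every attribute currently replicated to the GC, which is worth auditing because those values are copied to every global catalog server in the forest. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later), membership in Schema Admins, and that the attribute's lDAPDisplayName is attribute1.

```powershell
Import-Module ActiveDirectory

# Assumption: lDAPDisplayName of the custom attribute from the question.
$attrName = 'attribute1'

# Schema changes must be written on the schema master.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" `
    -Properties lDAPDisplayName, isMemberOfPartialAttributeSet

if (-not $attr) {
    throw "No attributeSchema object with lDAPDisplayName '$attrName' was found."
}

if ($attr.isMemberOfPartialAttributeSet) {
    "$attrName is already replicated to the global catalog."
} else {
    # Equivalent to ticking 'Replicate this attribute to the Global Catalog'.
    Set-ADObject -Identity $attr -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $true }
    "$attrName is now marked for global catalog replication."
}

# Audit: every attribute in the partial attribute set.
Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' -Properties lDAPDisplayName |
    Sort-Object lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
```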


Q133. ABC.com has purchased laptop computers that will be used to connect to a wireless network. 

You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks. 

You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network. 

What should you do to enforce the group policy wireless settings to the laptop computers? 

A. Execute gpupdate/target:computer command at the command prompt on laptop computers 

B. Execute Add a network command and leave the SSID (service set identifier) blank 

C. Execute gpupdate/boot command at the command prompt on laptop computers 

D. Connect each laptop computer to a wired network and log off the laptop computer and then login again. 

E. None of the above 

Answer: D 



Q134. Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS Servers. 

You have a standard primary zone for dev.contoso.com that is stored on a member server. 

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone. 

What should you do? 

A. On the member server, create a stub zone. 

B. On the member server, create a NS record for each domain controller. 

C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest. 

D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc730756.aspx

Understanding Forwarders

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.



Conditional forwarders

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Further information:

http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx Assign a Conditional Forwarder for a Domain Name

http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders


Q135. ABC.com has a network that is comprised of a single Active Directory Domain. 

As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers. 

Which tool should you use to test the certificate with AD LDS? 

A. Ldp.exe 

B. Active Directory Domain services 

C. ntdsutil.exe 

D. Lds.exe 

E. wsamain.exe 

F. None of the above 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc725767%28v=ws.10%29.aspx

Appendix A: Configuring LDAP over SSL Requirements for AD LDS

The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.

Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe

To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled.
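
The same certificate test can be scripted so that it can be repeated from each client computer. This is an added example, not part of the original study guide or the TechNet procedure; the function name Test-LdapsConnection, the host name and the default port 636 are assumptions for illustration.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsConnection {
    param(
        # Must match a name in the server certificate, or validation fails.
        [Parameter(Mandatory = $true)] [string]$Server,
        [int]$Port = 636   # assumption: use the SSL port of your AD LDS instance
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS before any LDAP traffic
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
    $attrs = [string[]]@('namingContexts')
    try {
        # No VerifyServerCertificate callback is installed, so Windows applies
        # its normal checks. An untrusted, expired or wrongly named certificate
        # makes the handshake fail and Bind() throws.
        $conn.Bind()

        # Read RootDSE to prove that LDAP works over the encrypted channel.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', $scope, $attrs)
        $resp = $conn.SendRequest($req)
        $ssl  = $conn.SessionOptions.SslInformation

        New-Object PSObject -Property @{
            Server         = "${Server}:$Port"
            Success        = $true
            Protocol       = $ssl.Protocol
            CipherStrength = $ssl.CipherStrength
            NamingContexts = $resp.Entries[0].Attributes['namingContexts'].GetValues([string])
        }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        New-Object PSObject -Property @{
            Server    = "${Server}:$Port"
            Success   = $false
            ErrorCode = $_.Exception.ErrorCode
            Message   = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

# Constructed host name for illustration only.
Test-LdapsConnection -Server 'adlds01.contoso.com' -Port 636
```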


Q136. Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. 

You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data. 

What should you do? 

A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility. 

B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account. 

C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Allow Full control permission on the shared folder that holds the confidential data for the Deny DLG group. 

D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Deny Full control permission on the shared folder that holds the confidential data for the Deny DLG group. 

Answer: D 

Explanation: 



http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx 

Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. 

The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes: universal, global, and domain local. 

The following table describes the differences between the scopes of each group. 



When to use groups with domain local scope

Groups with domain local scope help you define and manage access to resources within a single domain. For example, to give five users access to a particular printer, you can add all five user accounts in the printer permissions list. If, however, you later want to give the five users access to a new printer, you must again specify all five accounts in the permissions list for the new printer.



Q137. Your company has a main office and a branch office. 

The network contains a single Active Directory domain. 

The main office contains a domain controller named DC1. 

You need to install a domain controller in the branch office by using an offline copy of the Active Directory database. 

What should you do first? 

A. From the Ntdsutil tool, create an IFM media set. 

B. From the command prompt, run djoin.exe /loadfile. 

C. From Windows Server Backup, perform a system state backup. 

D. From Windows PowerShell, run the get-ADDomainController cmdlet. 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx

Installing an Additional Domain Controller by Using IFM

When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller.

Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.


Q138. Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. 

An administrator changes the password of the user account that is used by AD RMS. 

You need to update AD RMS to use the new password. 

Which console should you use? 

A. Active Directory Rights Management Services 

B. Active Directory Users and Computers 

C. Component Services 

D. Services 

Answer: A 

Explanation: 

http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx

AD RMS How To: Change the RMS Service Account Password

The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.

It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. These processes include, but are not limited to the following items.

* Ensure the service account meets the criteria (is a domain account, is not the domain account that provisioned RMS, and etc.)

* Temporarily suspends RMS functionality on the server during the change

* Updates the RMS local groups

* Updates the database role for the service account

* Updates and restarts the MSMQ and logging services

* Updates the service account for the _DRMSAppPool1 web application pool

* Updates appropriate AD RMS configuration database tables

There are important requirements to run this wizard.

* Must be logged on to the AD RMS server

* Account running the wizard must be:

  * A local administrator on the RMS server,

  * A member of the AD RMS Enterprise Administrators group, and

  * A SQL SysAdmin on the AD RMS instance

Lastly, this must be performed on each server of the AD RMS cluster.




Q139. Your company has an Active Directory domain. 

You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). 

You need to access the Active Directory Schema snap-in. 

What should you do? 

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager. 

B. Log off and log on again by using an account that is a member of the Schema Administrators group. 

C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing. 

D. Register Schmmgmt.dll. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc732110.aspx

Install the Active Directory Schema Snap-In

You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).

To install the Active Directory Schema snap-in

1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator. 

2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll 

3. Click Start, click Run, type mmc and then click OK. 

4. On the File menu, click Add/Remove Snap-in. 

5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK. 

6. To save this console, on the File menu, click Save. 

7. In the Save As dialog box, do one of the following: 

* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save. 

* To save the snap-in to a location other than the Administrative Tools folder, in Save in navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.


Q140. Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives. 

You need to apply desktop restrictions to the sales executives group. 

You must not apply these desktop restrictions to the sales managers group. 

You create a GPO named DesktopLockdown and link it to the Sales organizational unit. 

What should you do next? 

A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. 

B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO. 

C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. 

D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO. 

Answer: D 

Explanation: 

http://support.microsoft.com/kb/816100

How to prevent domain Group Policies from applying to certain user or computer accounts

Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups.

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

Best Practice: How to exclude individual users or computers from a Group Policy Object

One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO.

Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.



Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied. 



Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission. 



Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control as someone only needs to modify the group membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant them permission to the Group Policy Objects. 


