[Jun 2016] cbt nuggets for 70-640

Experienced Microsoft instructors and professionals at Actualtests consider the Actualtests Microsoft 70-640 exam questions and answers to be practically relevant. The pass rate for TS: Windows Server 2008 Active Directory, Configuring has been practically 95%. The 70-640 study materials have proved useful to Microsoft candidates, and our 70-640 PDF is worth the time examinees spend studying it. You can expect a positive outcome from the Actualtests TS: Windows Server 2008 Active Directory, Configuring practice tests.

2016 Jun 70-640 dumps

Q151. You installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks.

For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.

Which utility will you use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exe 

B. Chkdsk.exe 

C. Fsutil.exe 

D. Fdisk.exe 

E. None of the above 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc771534.aspx 

[Diskpart] convert dynamic: Converts a basic disk into a dynamic disk.


Q152. You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. 

Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment.

You need to ensure that the certificate template is available on the Web enrollment pages. 

What should you do? 

A. Run certutil.exe -pulse.

B. Run certutil.exe -installcert.

C. Change the certificate template to a Version 2 certificate template. 

D. On the certificate template, assign the Autoenroll permission to the users. 

Answer: C 

Explanation: 

Identical to F/Q12.

Explanation 1: http://technet.microsoft.com/en-us/library/cc732517.aspx

Certificate Web enrollment cannot be used with version 3 certificate templates.

Explanation 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx

The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.


Q153. You need to identify all failed logon attempts on the domain controllers. 

What should you do? 

A. View the Netlogon.log file. 

B. View the Security tab on the domain controller computer object. 

C. Run Event Viewer. 

D. Run the Security and Configuration Wizard. 

Answer: C 

Explanation: 

http://support.microsoft.com/kb/174074

Security Event Descriptions

This article contains descriptions of various security-related and auditing-related events, and tips for interpreting them. These events will all appear in the Security event log and will be logged with a source of "Security."

Event ID: 529. Type: Failure Audit. Description: Logon Failure. Reason: Unknown user name or bad password

Event ID: 530. Type: Failure Audit. Description: Logon Failure. Reason: Account logon time restriction violation

Event ID: 531. Type: Failure Audit. Description: Logon Failure. Reason: Account currently disabled

Event ID: 532. Type: Failure Audit. Description: Logon Failure. Reason: The specified user account has expired

Event ID: 533. Type: Failure Audit. Description: Logon Failure. Reason: User not allowed to logon at this computer

Event ID: 534. Type: Failure Audit. Description: Logon Failure. Reason: The user has not been granted the requested logon type at this machine

Event ID: 535. Type: Failure Audit. Description: Logon Failure. Reason: The specified account's password has expired

Event ID: 536. Type: Failure Audit. Description: Logon Failure. Reason: The NetLogon component is not active

Event ID: 537. Type: Failure Audit. Description: Logon Failure. Reason: An unexpected error occurred during logon

Each of these events carries the same fields: User Name: %1, Domain: %2, Logon Type: %3, Logon Process: %4, Authentication Package: %5, Workstation Name: %6.


Q154. Your company, Contoso Ltd, has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.

The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. 

You install a new domain controller named DC2 in the branch office. You install DNS on DC2. 

You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

What should you do? 

A. Create a new stub zone named ad.contoso.com on DC2. 

B. Create a new standard secondary zone named ad.contoso.com on DC2. 

C. Configure the DNS server on DC2 to forward requests to DC1. 

D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone. 

Answer: D 

Explanation: 

Answer: Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone. 

http://technet.microsoft.com/en-us/library/cc726034.aspx

Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

How DNS integrates with AD DS

When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.

By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.

Further information:


Q155. You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller. 

You need to perform a non-authoritative restore of the domain controller by using an existing backup file. 

What should you do? 

A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore. 

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore. 

C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore. 

D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore. 

Answer: A 

Explanation: 

Almost identical to B26

http://technet.microsoft.com/en-us/library/cc816627%28v=ws.10%29.aspx

Performing Nonauthoritative Restore of Active Directory Domain Services

A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.

You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.

Nonauthoritative Restore Requirements

You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.

On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service. Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.

To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:

System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.

Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.

Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.


70-640  latest exam

Most recent free training 70-640:

Q156. Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site. 

You discover that the domain controllers in the branch offices sometimes replicate directly to each other. 

You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office. 

What should you do? 

A. Modify the firewall settings for the main office site. 

B. Disable the Knowledge Consistency Checker (KCC) for each branch office site. 

C. Disable site link bridging. 

D. Modify the security settings for the main office site. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc757117.aspx 

Configuring site link bridges 

By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites. 

Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases: 

You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller. 


Q157. Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003. 

The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2. 

You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR). 

What should you do first? 

A. Run dfsrdiag.exe PollAD. 

B. Run dfsrmig.exe /SetGlobalState 0. 

C. Upgrade all domain controllers to Windows Server 2008 R2. 

D. Raise the functional level of the domain to Windows Server 2008. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspx

Distributed File System

Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly-available access to files, load sharing, and WAN-friendly replication. In the Windows Server 2003 R2 operating system, Microsoft revised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-in with the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server 2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces and added a number of usability and performance improvements.

What does Distributed File System (DFS) do?

The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly-available access to geographically dispersed files. The two technologies in DFS are the following:

DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections.

DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.


Q158. You have an Active Directory domain named contoso.com. 

You have a domain controller named Server1 that is configured as a DNS server. 

Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)


You discover that stale resource records are not automatically removed from the contoso.com zone. 

You need to ensure that the stale resource records are automatically removed from the contoso.com zone. 

What should you do? 

A. Set the scavenging period of Server1 to 0 days. 

B. Modify the Server Aging/Scavenging properties. 

C. Configure the aging properties for the contoso.com zone. 

D. Convert the contoso.com zone to an Active Directory-integrated zone. 

Answer: C 

Explanation: 



http://technet.microsoft.com/en-us/library/cc816625%28v=ws.10%29.aspx

Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, click Aging.

4. Select the Scavenge stale resource records check box.

5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}




Q159. Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com. 

From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com. 

You need to prevent users from impersonating contoso.com users. 

What should you do? 

A. Configure trusted e-mail domains. 

B. Enable lockbox exclusion in AD RMS. 

C. Create a forest trust between adatum.com and contoso.com. 

D. Add a certificate from a third-party trusted certification authority (CA). 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc753930.aspx

Add a Trusted User Domain

By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests.

For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.

You can add TUDs as follows:

To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft’s online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.

To trust external users from another organization’s AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization.

In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.

For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.


Q160. Your network contains an Active Directory domain. The domain contains four domain controllers.

You modify the Active Directory schema. 

You need to verify that all the domain controllers received the schema modification. 

Which command should you run? 

A. dcdiag.exe /a 

B. netdom.exe query fsmo 

C. repadmin.exe /showrepl * 

D. sc.exe query ntds 

Answer: C 

Explanation: 

http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx

Getting Over Replmon

Status Checking

Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool. Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:

Repadmin /replsummary *



Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are not available and cannot tell you their status.

You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:

Repadmin /showrepl *




