70-640 formatted - GRATIS EXAM · 2012. 10. 16. · directory partition of the AD LDS? A. You...

70-640_formatted

Number: 000-000Passing Score: 800Time Limit: 120 minFile Version: 1.0

http://www.gratisexam.com/

Microsoft 70-640

TS: Windows Server 2008 Active Directory,

Configuring

Version: 30.6Microsoft 70-640 Exam

Topic 1, Exam Set 1

Exam A

QUESTION 1You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008.

Only one Active-Directory integrated zone has been configured in the ABC.com domain. ABC.com hasrequested that you configure DNS zone to automatically remove DNS records that are outdated.

What action should you consider?

A. You should consider running the netsh /Reset DNS command from the Command prompt.B. You should consider enabling Scavenging in the DNS zone properties page.C. You should consider reducing the TTL of the SOA record in the DNS zone properties page.D. You should consider disabling updates in the DNS zone properties page.

Correct Answer: BSection: (none)Explanation

Explanation/Reference:Explanation: In the scenario you should enable scavenging through the zone properties because scavengingremoves the outdated DNS records from the DNS zone automatically. You should additionally note thatpatience would be required when enabling scavenging as there are some safety valves built into scavengingwhich takes long to pop.

Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-a6bbce0a4304&ID=211


The ABC.com network has a server named ABC-SR15. You install the Active Directory Lightweight DirectoryServices (AD LDS) on ABC-SR15.

Which of the following options can be used for the creation of new Organizational Units (OU's) in the applicationdirectory partition of the AD LDS?

A. You should run the net start command on ABC-SR15.B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.C. You should run the repadmin /dsaguid command on ABC-SR15.

"Pass Any Exam. Any Time." - www.actualtests.com 2Microsoft 70-640 Exam

D. You should open the Active Directory Users and Computers Console on ABC-SR15.


Explanation/Reference:Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS application directorypartition. You also need to add the snap-in in the Microsoft Management Console (MMC).


The ABC.com network has two domain controllers ABC-DC01 and ABC-DC02. ABC-DC01 suffers acatastrophic failure but it is causing problems because it was configured to have Schema Master Operationsrole. You log on to the ABC.com domain as a domain administrator but your attempts to transfer the SchemaMaster Operations role to ABC-DC02 are unsuccessful.

What action should you take to transfer the Schema Master Operations role to ABC-DC02?

A. Your best option would be to have the dcpromo /adv command executed on ABC-DC02.B. Your best option would be to have the Schema Master role seized to ABC-DC02.C. Your best option would be to have Schmmgmt.dll registered on ABC-DC02.D. Your best option would be to add your user account to the Schema Administrators group.


Explanation/Reference:Explanation: To ensure that ABC-DC02 holds the Schema Master role you need to seize the Schema Masterrole on ABC-DC02. Seizing the schema master role is a drastic step that should be considered only if thecurrent operations master will never be available again. So to transfer the schema master operations role, youhave to seize it on ABC-DC02.

Reference: http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-ec9a773f7ffb1033.mspx?mfr=true

QUESTION 4You work as the network administrator at ABC.com. The ABC.com network has a single forest. The forestfunctional level is set at Windows Server 2008.

The ABC.com network has a Microsoft SQL Server 2005 database server named ABC-DB04 that

"Pass Any Exam. Any Time." - www.actualtests.com 3Microsoft 70-640 Examhosts the Active Directory Rights Management Service (AD RMS).

You try to access the Active Directory Rights Management Services administration website but received anerror message stating:

"SQL Server does not exist or access is denied."

How can you access the AD RMS administration website?

A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on ABC-DB04.C. You need to reinstall the AD RMS instance on ABC-DB04.D. You need to reinstall the SQL Server 2005 instance on ABC-DB04.E. You need to run the DCPRO command on ABC-SR04

Correct Answer: ASection: (none)Explanation

Explanation/Reference:Explanation: You need to restart the internet information server (IIS) to correct the problem. The starting of theMSSQULSVC service will allow you to access the database from AD RMS administration website.

QUESTION 5You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.The ABC.com network has a Windows Server 2008 computer named ABC-SR03 that functions as anEnterprise Root certificate authority (CA).

A new ABC.com security policy requires that revoked certificate information should be available for examinationat all times.

What action should you take adhere to the new policy?

A. This can be accomplished by having a list of trusted certificate authorities published to the ABC.comdomain.

B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.C. This can be accomplished by having the OCSP Response Signing certificate imported.D. This can be accomplished by having the Startup Type of the Certificate Propagation service set to

Automatic.E. This can be accomplished by having the computer account of ABC-SR03 added to the PGCertificates

group."Pass Any Exam. Any Time." - www.actualtests.com 4Microsoft 70-640 Exam


Explanation/Reference:Explanation: You should use the network load balancing and publish an OCSP responder. This will ensure thatthe revoked certificate information will be available at all times. You do not need to download the entire CRL tocheck for revocation of a certificate; the OCSP is an online responder that can receive a request to check forrevocation of a certificate. This will also speed up certificate revocation checking as well as reducing networkbandwidth tremendously.


You are responsible for managing two servers ABC-SR01 and ABC-SR02. They are setup with the followingconfiguration.

ABC-SR01 running Enterprise Root certificate authority (CA)

ABC-SR02 running Online Responder role service

Which of the steps must you perform for configuring the Online Responder to be supported on ABC-SR01?

A. You should enable the Dual Certificate List extension on ABC-SR01.B. You should ensure that ABC-SR01 is a member of the CertPublishers group.C. You should import the OCSP Response Signing certificate to ABC-SR01.D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.E. You should run the CERTSRV command on ABC-SR01.

Correct Answer: DSection: (none)Explanation

Explanation/Reference:Explanation: In order to configure the online responder role service on ABC-SR01 you need to configure the

AIA extension. The authority information access extension will indicate how to access CA information andservices for the issuer of the certificate in which the extension appears. Information and services may includeon-line validation services and CA policy data. This extension may be included in subject or CA certificates, andit MUST be non-critical

QUESTION 7You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008 and all client computers

"Pass Any Exam. Any Time." - www.actualtests.com 5Microsoft 70-640 Examrun Windows Vista.

The ABC.com network has a client computer named ABC-WS640 that was last used six months ago. Duringthe course of the day you attempt to log on to ABC-WS640 but you are unable to authenticate during the logonprocess.


What action should you consider in order to log on to ABC-WS640?

A. You should consider opening the command prompt on ABC-WS640 and running the netsh set machinecommand.

B. You should consider opening the command prompt on ABC-WS640 and running the repadmin command.C. You should consider removing ABC-WS640 from the domain and then rejoining it.D. You should consider deleting the computer account for ABC-WS640 in Active Directory Users and

Computers, and then recreate the computer account.

Correct Answer: CSection: (none)Explanation

Explanation/Reference:Explanation: In the scenario you should have the computer disjoined from the domain and rejoined to thedomain whilst having the computer account reset as well. You should additionally note that the long inactivitycaused the computer to stop responding to the authentication query using the Active Directory records. Youshould note by disjoining and rejoining with the account being reset would refresh the computer accountpasswords.

QUESTION 8You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain namedABC.com.

The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01 that hosts theDirectory Services Recovery Mode (DSRM) role.

What would be the best option to take to have the DSRM password reset?

A. The best option is to open the Active Directory Security for Computers snap-in.B. The best option is to run the ntdsutil command.C. The best option is to run the Netsh command.D. The best option is to open the Domain Controller security snap-in.


Explanation/Reference:Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use Ntdsutil.exe to resetthis password for the server on which you are working, or for another domain


controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password.Reference: http://support.microsoft.com/kb/322672

QUESTION 9You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008. ABC.com has two offices Chicago and Dallas.

The network has the following setup.

Chicago Office - Domain Controller named ABC-DC01

Dallas Office - Read-Only Domain Controller named ABC-DC02

How can you make sure that Dallas Office users use only ABC-DC02 for authentication?

A. You should consider having ABC-DC02 configured as a bridehead server in the Dallas office.B. You should consider installing and configuring the Password Replication Policy on ABC-DC02.C. You should consider having ABC-DC01 configured as a bridehead server in the Chicago office.D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.E. You should consider having the Global Catalog installed on ABC-DC01.


Explanation/Reference:Explanation: You should use the Password Replication Policy on the RODC. This will allow the users at theDallas office to log on to the domain with RODC. RODCs don't cache any user or machine passwords.

QUESTION 10You work as the network administrator at ABC.com. The ABC.com network has a domain named intl.ABC.com.All servers on the ABC.com network run Windows Server 2008. The domain controllers on the ABC.comdomain are configured to function as DNS servers.

What action should you take to ensure that computers that are not part of the intl.ABC.com domain are not ableto dynamically register their DNS registration information in the intl.ABC.com zone?


A. You should consider removing the .(root) zone from the intl.ABC.com zone.B. You should consider running the dnscmd /AgeAllRecords command.C. You should consider configuring Secure Only dynamic updates.D. You should consider configuring the intl.ABC.com zone as an Active Directory integrated zone.


Explanation/Reference:Explanation: In order to ensure that only domain members are able to register their DNS records dynamicallyyou need to set the option Secure only for Dynamic updates. This will only allow the domain members toregister their DNS records dynamically.

Reference:www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx

QUESTION 11You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008.

The ABC.com network has two servers named ABC-SR01 and ABC-SR02 that are configured as domaincontrollers and as DNS servers. Both servers have the following setup for the ABC.com domain.

ABC-SR01 - Standard Primary zone

ABC-SR02 - Standard Secondary zone.

You have to perform the following tasks

- Perform the replication of ABC.com Zone Data

- Make sure that Zone Data maintains encryption

- Prevent the loss of Zone Data

How can you accomplish the goals. (Each correct answer presents part of the solution. (Choose TWO.)

A. You should consider having the zone transfer settings configured on ABC-SR01 and ABC- SR02.B. You should consider having the primary zone on ABC-SR02 converted to an Active Directory- integrated

stub zone."Pass Any Exam. Any Time." - www.actualtests.com 8Microsoft 70-640 Exam

C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory- integratedzone.

D. You should consider having the secondary zone on ABC-SR02 deleted.E. You should consider having the primary zone on ABC-SR01 deleted.

Correct Answer: CDSection: (none)Explanation

Explanation/Reference:Explanation: In the scenario you should have the ABC.com primary zone converted to an active directory-integrated zone and delete the secondary zone as this would ensure replication of the ABC.com zone isencrypted whilst preventing data loss.


All master roles in the forest are maintained at a domain controller ABC-DC01. You have another domaincontroller in the network named ABC-DC02 which contains better hardware and can improve performance.

ABC-DC01 is to be removed from the network.

Which option can you select in order to ensure that proper roles are transferred to ABC-DC02 without disruptingthe forest wide operations?

A. You should consider transferring the RID Master role and the Schema master role.B. You should consider transferring the Schema master role and the Domain naming master role.C. You should consider transferring the Infrastructure master role and the PDC emulator role.D. You should consider transferring the Infrastructure master role and the Domain naming master role.E. You should consider transferring the RID Master role and the PDC emulator role.


Explanation/Reference:Explanation: In order to transfer all forest-wide operation master roles to another domain you need to transferDomain naming master as well as the Schema master. Schema Master: The schema master domain controllercontrols all updates and modifications to the schema. To update the schema of a forest, you must have accessto the schema master. There can be only one schema master in the whole forest. Domain naming master: Thedomain naming master domain controller controls the addition or removal of domains in the forest. There canbe only one domain naming master in the whole forest.

Reference: http://support.microsoft.com/kb/324801


QUESTION 13You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008. The ABC.com network has a domain controllernamed ABC-DC01 that has a single hard drive named Drive C. Drive C hosts the ntds.dit database. You haveinstalled an additional hard drive named Drive D on ABC-DC01.

What would be the best option to take to transfer the ntds.dit database to Drive D?

A. The best option is to run the Ntdsutil command with the Files option.B. The best option is to open the Windows Power Shell and use the Copy and Paste functions.C. The best option is to run the xcopy command.D. The best option is to open the Windows Explorer and use the Cut and Paste functions.


Explanation/Reference:Explanation: The way you move the Active Directory database to a new volume, is to move the ntds.dit file tothe new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, thelog files, or both to a larger existing partition.

Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.mspx?mfr=true

QUESTION 14DRAG DROP

You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All

servers on the ABC.com network run Windows Server 2008.

The ABC.com network has organizational units (OU's) named Sales, Marketing and Admin. The Sales OUcontains a file server named ABC-SR04 that hosts a shared folder named SalesDocs that contains sensitivecustomer information.

What action should you take to track access to the SalesDocs folder? (To answer, drag the appropriate actionto the appropriate location in the work area.)


A.B.C.D.

Correct Answer: Section: (none)Explanation

Explanation/Reference:

Explanation:


QUESTION 15You work as the network administrator at ABC.com. All servers on the ABC.com network run Windows Server2008.

The ABC.com network has a server named ABC-SR01 that functions as an Enterprise Root certificate authority(CA).

What action should you take to configure ABC-SR01 to support key archival?

A. The Hisecdc security template should be applied to ABC-SR01.B. The OCSP Response Signing certificate should be imported to ABC-SR01.C. The private key on ABC-SR01 should be archived.D. The Startup Type of the Certificate Propagation service on ABC-SR01 should be set to Automatic.


Explanation/Reference:Explanation:

QUESTION 16You work as the enterprise administrator at ABC.com. The ABC.com network has a domain

"Pass Any Exam. Any Time." - www.actualtests.com 12Microsoft 70-640 Examnamed ABC.com that operates at the Windows Server 2008.

How can you configure the network so that it allows the users of ABC.com to have multiple password policies?

A. You should consider creating multiple class schema objects in the Schema console.B. You should consider creating multiple Group Policy objects in the Group Policy Management console.C. You should consider creating multiple Password Setting objects in the ADSI Edit console.D. You should consider creating multiple passwords in Active Directory Users and Computers.




The ABC.com Network contains a server which is configured as:

- Domain Controller

- DNS Server

What option can you sure to ensure tracking of all DNS queries received by ABC-SR01?

A. You should consider having automatic logging for recursive queries enabled in the DNS Manager Consoleon ABC-SR01.

B. You should consider having debug logging enabled in the DNS Manager Console on ABC- SR01.C. You should consider having event logging configured in the DNS Manager Console on ABC- SR01.D. You should consider having system event logging configured in the Even Viewer on ABC- SR01.



QUESTION 18You work as an enterprise administrator at ABC.com. All servers on the ABC.com network run

"Pass Any Exam. Any Time." - www.actualtests.com 13Microsoft 70-640 ExamWindows Server 2008. ABC.com has its headquarters in Chicago and a branch office in Miami.The two offices are configured as separate sites.

The Miami site contains a domain controller named ABC-DC06. You receive an instruction from the CIO toinstall a new application at the Miami office. In order for the application to run a Global Catalog server isrequired.

What action should you consider to add a Global Catalog server to the Miami site?

A. You should consider running the DCPROMO command on ABC-DC06 to install the Global Catalog.B. You should consider using the Server Manager console to configure ABC-DC06 as a Global Catalog server.C. You should consider using the Active Directory Domains and Trusts console to configure ABC- DC06 as a

Global Catalog server.D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a

Global Catalog server.




The network contains two sites London and Paris. The following configuration applies to each location.

London

- Single Domain Controller named ABC-DC01

- Separate Active Directory Site.

Paris

- Single Domain Controller named ABC-DC02

- Separate Active Directory Site.

Network Setup

"Pass Any Exam. Any Time." - www.actualtests.com 14Microsoft 70-640 Exam- Both Active Directory Sites are using DEFAULTIPSITELINK object for connectivity.

What action should you take to reduce the delay it takes during replication between ABC-DC01 and ABC-DC02?

A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.B. You should consider having the replication schedule for the DEFAULTIPSITELINK object increased.C. You should consider having the cost for the DEFAULTIPSITELINK object decreased.D. You should consider having a site link bridge installed between ABC-DC01 and ABC-DC02.




You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008.

The ABC.com network has four file servers named ABC-SR01, ABC-SR02, ABC-SR03 and ABC- SR04 thatare placed in an Organizational Unit (OU) named PGServers.

ABC has several contractual workers who are members of a global group named PartTimeUsers. A newABC.com security policy requires that any attempts by contractual workers to access the folders and files onthe file servers in the PGServers OU needs to be tracked.

What action should you take to implement this policy? (To answer, drag the appropriate action to theappropriate location in the work area.)


A.B.C.D.



Explanation:


QUESTION 21You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All

servers on the ABC.com network run Windows Server 2008.

The ABC.com network has two servers named ABC-SR01 and ABC-SR02.

ABC-SR01 - Enterprise Root certificate authority (CA).

ABC-SR02 - Hosts the Online Responder role.

What step you can perform to make sure that ABC-SR02 is issuing the certificate revocation lists (CRL).

A. You should enable the Dual Certificate List extension on ABC-SR02.B. You should ensure that ABC-SR02 is a member of the CertPublishers group.C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.D. You should enable the Authority Information Access (AIA) extension on ABC-SR02.E. You should run the CERTSRV command on ABC-SR02.



QUESTION 22You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.

During the course of the day a ABC.com user named Rory Allen complains that he receives an error messagestating that his account has expired when he attempts to authenticate to the ABC.com domain from his clientcomputer.

What action should you consider to have Rory Allen log on to the ABC.com domain from his client computer?


A. You should consider reducing the account lockout duration in the default domain policy.B. You should consider resetting Rory Allen's user account.C. You should consider setting Rory Allen's user account to never expire.D. You should consider resetting the computer account for Rory Allen's client computer.



QUESTION 23You work as the network administrator at ABC.com. ABC.com has its headquarters in London. The ABC.comnetwork has a domain named ABC.com that consists of a single Active Directory site named LondonSite. TheLondonSite contains a domain controller named ABC-DC01.

ABC.com opens a branch office in York and you create another Active Directory site named YorkSite.

How can you have Active Directory replication configured between the two sites?

A. You need to consider installing a new domain controller in YorkSite and creating a site link between the twosites. Then you should consider decreasing the site link cost.

B. You need to consider installing a new domain controller in the LondonSite and configuring it as a preferredbridgehead server.

C. You need to consider installing a new domain controller in the LondonSite and configuring a new site linkbridge between the two sites.

D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet forthe YorkSite.



QUESTION 24You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.The ABC.com network has three domain controllers named ABC-DC01, ABC- DC02 and ABC-DC03 that runWindows Server 2003. ABC.com purchases a new Windows Server 2008 computer named ABC-SR04.

What is the first step you should take to install ABC-SR04 as a domain controller on the ABC.com network?

A. You should consider running the dconfig command on ABC-SR04."Pass Any Exam. Any Time." - www.actualtests.com 18Microsoft 70-640 Exam

B. You should consider running the adprep /forestprep command on ABC-DC01.C. You should consider raising the domain functional level to Windows Server 2008.D. You should consider running the adprep /domainprep command on ABC-DC01.E. You should consider running the dcpromo /remove command on ABC-DB01, ABC-DB02 and ABC-DB03.



QUESTION 25You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008.

A new ABC.com domain controller management policy states that replication errors need to be logged to acentral server.

How would you implement this policy?

A. You should consider having the RepMonitor configured for central logging.B. You should consider having the System Performance data collector set is started on each domain

controller.C. You should consider having event log subscriptions created on each domain controller.D. You should consider having the RepAdmin Diagnostics data collector started on each domain controller.




You work as a network administrator at ABC.com. The ABC.com network has a forest with a domain namedABC.com and a child domain named intl.ABC.com. All domain controllers and servers on the ABC.com networkrun Windows Serer 2008.

The ABC.com domain has two domain controllers named ABC-DC01 and ABC-DC02 and the intl.ABC.comdomain has two domain controllers named ABC-DC03 and ABC-DC04.

ABC.com decides to reorganize the forest structure by removing the intl.ABC.com child domain.

"Pass Any Exam. Any Time." - www.actualtests.com 19Microsoft 70-640 ExamWhat actions should you take to remove the intl.ABC.com child domain? (To answer, drag the appropriateaction to the appropriate location in the work area.)

A.B.C.D.



Explanation:



The ABC.com network has six domain controllers named ABC-DC01, ABC-DC02, ABC-DC03, ABC-DC04,ABC-DC05 and ABC-DC06. All six domain controllers function as DNS servers. You are in the process ofimplementing a new Active Directory-integrated DNS zone.

What action should you take first if you want the new zone replicated only to ABC-DC05 and ABC- DC06?

A. You should consider having the dnscmd /createdirectorypartition command executed on ABC- DC05 andABC-DC06.

B. You should consider having the dnscmd /config command executed on ABC-DC05 and ABC- DC06.C. You should consider having the .(root) zone is deleted from ABC-DC01, ABC-DC02, ABC- DC03 and ABC-

DC04.D. You should consider having BIND secondaries enabled on ABC-DC05 and ABC-DC06.E. You should consider having the dnscmd /unenlistdirectorypartition command executed on ABC- DC01,

ABC-DC02, ABC-DC03 and ABC-DC04.





The ABC.com network has a domain controller named ABC-SR01 that also functions as a DNS server. Youadd a new stand alone server named ABC-SR02 and configure it as a DNS server. You then configure astandard secondary zone with ABC-SR01 as the master server.

What action should you take to have zone updates replicated from ABC-SR01 to ABC-SR02?

A. You should consider having ABC-SR02 made a member of the DNSUpdateProxy group.B. You should consider having the permission of the ABC.com zone modified on ABC-SR01.C. You should consider having the dnscmd /ZoneUpdateFromDs command run on ABC-SR02.D. You should consider having the zone transfer settings of the ABC.com zone configured on ABC-SR01.E. You should consider having ABC-SR02 promoted to a domain controller.




The ABC.com network has a server named ABC-SR03 that functions as an Enterprise Root certificationauthority (CA). ABC.com issues a new security policy that states that only a ABC.com CEO named Kara Langmust be allowed to sign code.

What action should you take to implement this policy? (Choose all that apply.)

A. You should publish a list of trusted certificate authorities and only grant Kara Lang the necessarypermissions to access the Trusted Publishers list.

B. You should apply the code signing template to ABC-SR03 and configure the template only grant Kara Langthe necessary permissions to request code signing certificates.

C. You should import the Online Certificate Status Protocol (OCSP) Response Signing certificate to ABC-SR03and only grant Kara Lang the necessary permissions to distribute code signing certificates.

D. You should add ABC-SR03 to the CertPublishers group and only grant Kara Lang the necessarypermissions to manage ABC-SR03.


Explanation/Reference:"Pass Any Exam. Any Time." - www.actualtests.com 22Microsoft 70-640 Exam

Explanation:

QUESTION 30

You work as a systems administrator at ABC.com. The ABC.com network has a forest with a domain namedABC.com. All servers on the ABC.com network run Windows Server 2008.

You are responsible for managing a stand-alone server named ABC-SR05. You are in the process ofconfiguring ABC-SR05 as an Enterprise certification authority (CA). You now want to assign the Active DirectoryCertificate Services (AD CS) role to ABC-SR05. However, you notice that you cannot select the Enterprise CAoption.


What action should you take configuring ABC-SR05 as an Enterprise CA?

A. Your best option would be to first configure ABC-SR05 as a Standalone CA.B. Your best option would be to first have ABC-SR05 joined to the ABC.com domain.C. Your best option would be to first install Internet Information Services (IIS) on ABC-SR05.D. Your best option would be to first assign the Active Directory Certificate Services (AD CS) role to ABC-

SR05.



QUESTION 31You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows VistaEnterprise Edition. All client computers are located in an Organizational Unit named ClientPCs.

ABC.com has acquired a new third-party application that you need to install on the client computers. Before youcan install the application you need prepare the client computers by applying a file named PGApp.adm to them.The PGApp.adm file makes changes to the registry on the client computers.

What action should you take to apply the PGApp.adm file?

A. Your best option would be to create a transformation package that applies the PGApp.adm file and assignthe package to the client computers.

B. Your best option would be to copy the PGApp.adm file to a network share and write a Microsoft "Pass AnyExam. Any Time." - www.actualtests.com 23Microsoft 70-640 ExamWindows PowerShell script that applies the file to the client computers.

C. Your best option would be to write that the Microsoft Windows PowerShell script that copies thePGApp.adm file to the client computers.

D. Your best option would be to create a Group Policy Object (GPO) that imports the PGApp.adm and link theGPO to the ClientPCs OU.



Explanation:


You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008.

The ABC.com network has a member server named ABC-SR05. You assign the Active Directory CertificateService (AD CS) role to ABC-SR05. You create a security group named SMCGRP. You want to grant theSMCARD group the necessary permissions to issue smartcard credentials. However, the SMCGRP must notbe granted the permissions to revoke certificates.

Which actions should you take? (To answer, drag the appropriate action to the appropriate location in the workarea.)

A.B.C.D.


Explanation/Reference:"Pass Any Exam. Any Time." - www.actualtests.com 24Microsoft 70-640 Exam

Explanation:

QUESTION 33You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.ABC.com has its headquarters in London and branch offices in Lisbon, Madrid and Paris. Each office isstructured as a separate site named London, Lisbon, Madrid and Paris.

Due to company growth, ABC.com has hired 150 additional employees that are distributed among the foursites. You create user accounts for the new ABC.com users. However, the new users complain that when theyattempt to logon to the domain they receive an error message stating that their username or password isincorrect.

What action should you take to allow the new ABC.com users to log on to the domain?

A. You should consider resetting the user accounts for the new users.B. You should consider adding the new users to the Remote Desktop Users group.C. You should consider running the repadmin /replicate command.D. You should consider install Global Catalog servers at the Lisbon, Madrid and Paris sites.



QUESTION 34You work as the network administrator at ABC.com. The ABC.com network has a forest with a domain namedABC.com.

"Pass Any Exam. Any Time." - www.actualtests.com 25

Microsoft 70-640 ExamThe ABC.com network has four Windows Server 2008 domain controllers named ABC-DC01, ABC-DC02,TESKING-DC03 and ABC-DC04. All four domain controllers run the DNS Server role and are part of an ActiveDirectory integrated zone. The ABC.com network also has a UNIX-based DNS server named ABC-SR05.

One of the administrators in your department created an Active Directory-integrated zone for ABC.com.ABC.com has recently acquired a During the course of the business day you receive an instruction from theCIO to configure the Windows Server 2008 organization. ABC.com plans to make use of this configuration topermit zone transfers of the ABC.com zone to ABC-SR01.

What action should you take to ensure that zone transfers to ABC-SR05 can occur?

A. You should consider installing Active Directory Lightweight Directory Services (AD LDS) on ABC-SR05.B. You should consider running the dcpromo command on ABC-SR05.C. You should consider having a stub zone created for ABC-SR05.D. You should consider configuring BIND secondaries.



QUESTION 35You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com.The ABC.com has a Windows Server 2008 domain controller named ABC-DC01.

You log on as the Domain Administrator on ABC-DC01 to view the Active Directory Schema console. However,you cannot locate the Active Directory Schema console.

What action should you take to locate the console?

A. You should consider running the net start "Active Directory Services" command on ABC-DC01.B. You should have the Schema Master Operations role assigned to ABC-DC01.C. You should consider having Schmmgmt.dll registered on ABC-DC01.D. You should consider logging on to ABC-DC01 as the Local Administrator.



QUESTION 36"Pass Any Exam. Any Time." - www.actualtests.com 26Microsoft 70-640 ExamYou work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008.

The ABC.com network has a server named ABC-SR02 that functions as stand-alone Certificate Authority (CA).You want to track any modifications made to the configuration and security settings of the ABC-SR02.

What action should you take?

A. You should configure auditing in the Certification Services console.

B. You should add ABC-SR02 to the PGCertificates group.C. You should configured the Audit object Access setting on ABC-SR02.D. You should join ABC-SR02 to the ABC.com domain.E. You should enable the Authority Information Access (AIA) extension on ABC-SR02.



QUESTION 37You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com.The domain functional level is set at Windows Server 2008.

The ABC.com network has a file server named ABC-SR04. You configure a shared folder named KINGDATAon ABC-SR04. You then move users to a new global distribution group named DISTGRP. You grant a domainlocal group named DLOCGRP access to KINGDATA. You then add DISTGRP to DLOCGRP.

What action should you take to make sure that all users in the DISTGRP group are able to access theKINGDATA share?

A. You should configure DISGRP to be a universal distribution group.B. You should configure DISGRP to be a security group.C. You should configure DLOCGRP to be a universal security group.D. You should add the DISTGRP to the Local Administrators group on ABC-SR04.



QUESTION 38"Pass Any Exam. Any Time." - www.actualtests.com 27Microsoft 70-640 ExamYou work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago.

ABC.com opens a new branch office in Dallas. You need to allow ABC.com users in the Dallas office to accessnetwork resources in the Chicago office. You assign the ABC.com users in the Dallas office the Read andExecute permissions to the network resources in the Chicago office. You then create a VPN connection whichthe ABC.com users in the Dallas office to establish connectivity to the Chicago office. However, the users in theDallas office report that they cannot connect to the Chicago office by using the VPN connection.

What action should you take to resolve this problem?

A. Your best option would to assign the Allow Access Dial-in permission to the users in the Dallas office.B. Your best option would to make the users in the Dallas office members of the Remote Desktop Users

security group.C. Your best option would to make the users in the Dallas office members of the Network Configuration

Operators security group.D. Your best option would to delete and recreate the VPN connection.



QUESTION 39You work as the network administrator at ABC.com. The network has the following configuration.

Server named ABC-DC01.

Setup as a domain controller.

Running Windows Server 2008.

The client computers are using Lightweight Directory Access (LDAP).

What action should you take to determine which LDAP clients are consuming the most CPU resources onABC-DC01?

A. You should open System Information and view the Hardware Resources node.B. You should open Task Manager and view the Processes tab.C. You should open the Active Directory Diagnostics Data Collector and view of the Active "Pass Any Exam.

Any Time." - www.actualtests.com 28Microsoft 70-640 ExamDirectory report.

D. You should open the Resource Monitor opened and view the CPU performance data.



QUESTION 40You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain namedABC.com. All servers on the ABC.com network run Windows Server 2003.

You need to upgrade the domain controllers from Windows Server 2003 to Windows 2008 on ABC.comdomain.

What command can be used on servers running Windows 2003 in order to prepare ABC.com for the upgrade?

A. You should execute the dcpromo /adv command.B. You should execute the adprep /forestprep and the adprep /domainprep commands.C. You should set the domain functional level to Windows Server 2008.D. You should execute the dcpromo /createdcaccount command.




The ABC.com network has a server named ABC-SR01 configured as a domain controller as well as a DNSserver configured with several Active Directory Integrated Zones.

What action should you take if you want to copy the zone files on ABC-SR01 to a network share?

A. You should consider having the dnscmd /ZoneExport command executed on ABC-SR01.B. You should consider having the dnscmd /WriteBackFiles command executed on ABC-SR01.C. You should consider having the dnscmd /Info command executed on ABC-SR01.D. You should consider having the dnscmd /EnumRecords command executed on ABC-SR01.E. You should consider having the dnscmd /EnumZones command executed on ABC-SR01.




QUESTION 42You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Seattle andbranch offices in Dallas, Miami and Chicago. Each office is configured as a separate site named Seattle,Dallas, Miami and Chicago.

The Seattle site as three domain controllers named ABC-DC01, ABC-DC02 and TGESPGING- DC03. TheDallas site has a single domain controller named ABC-DC04, the Miami site has a single domain controllernamed ABC-DC05 and the Chicago site has a single domain controller named ABC-DC06. ABC-DC01, ABC-DC02 and TGESPGING-DC03 are configured as Global Catalog servers.

Where should you consider deactivating the Universal Group Membership Caching (UGMC) option at theDallas, Miami and Chicago offices?

A. You should consider deactivating the UGMC in Active Directory Users and Computers.B. You should consider deactivating the UGMC at the Site level.C. You should consider deactivating the UGMC through a Group Policy Object linked to the domain.D. You should consider deactivating the UGMC at the Organizational Unit (OU) level.




You have just performed the migration of domain controllers from Windows 2003 to Windows 2008.

Which of following commands can be used to configure DFS Replication (DFS-R) to replicate the Sysvol

share?

A. This can be accomplished by running the netdom /dfs -r command."Pass Any Exam. Any Time." - www.actualtests.com 30Microsoft 70-640 Exam

B. This can be accomplished by raising the domain functional level to Windows Server 2008.C. This can be accomplished by running dfsutil /share:sysvol command.D. This can be accomplished by running dfsutil /addstdroot command.



QUESTION 44You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain namedABC.com. The forest functional level is set at Windows Server 2003 Native Mode. ABC.com has two divisionsnamely Chicago and a Dallas.

The ABC.com network has three Windows Server 2003 domain controllers named ABC-DC01, ABC-DC02 andABC-DC03 that are located in the Chicago office. You want to install a read-only domain controller (RODC)named ABC-DC04 in the Dallas office.

What action should you consider?

A. You should consider upgrading ABC-DC01 to Windows Server 2008 and then execute the adprep /rodcprepcommand on ABC-DC01.

B. You should consider configuring the Dallas network as a separate site and upgrading ABC- DC04 toWindows Server 2008.

C. You should consider upgrading all domain controllers to Windows Server 2008 and having the forestfunctional level set to Windows Server 2008.

D. You should consider configuring the Dallas network as a child domain with the domain functional level set atWindows Server 2008.



QUESTION 45You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com.All servers on the ABC.com network run Windows Server 2008.

You have a workstation called ABC-WS10 and performed the following tasks:

- Install Windows Vista Enterprize.

-Added to ABC.com domain.

"Pass Any Exam. Any Time." - www.actualtests.com 31Microsoft 70-640 ExamWhat action should you take to make sure that the ABC-WS10 computer account has been created in anorganizational unit (OU)?

A. You should consider using Active Directory Users and Computers to create the computer accounts.B. You should consider using the csvde command.C. You should consider using the Idifde command.D. You should consider using the dsadd command.



QUESTION 46You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allserver on the ABC.com network run Windows Server 2008. The ABC.com network has two domain controllersnamed ABC-DC01 and ABC-DC02.

What action should you take to verify the successful replication of Active Directory information ABC-DC01 toABC-DC02?

A. You should execute the RepAdmin command on ABC-SR02.B. You should execute the Dnscmd command on ABC-SR02.C. You should execute the Dsmod command on ABC-SR02.D. You should execute the RepMonitor command on ABC-SR02.E. You should execute the Rsdiag command on ABC-SR02.


Explanation/Reference:Explanation: RepAdmin is a command line utility which is used to view as well as configure Windows Server2008 replication amid domain controllers.

Topic 2, Exam Set 2

QUESTION 47You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers on the ABC.com network run Windows Server 2008 R2. ABC.com has its headquarters in London anda branch office in Paris.

"Pass Any Exam. Any Time." - www.actualtests.com 32Microsoft 70-640 ExamYou are planning to install Windows Server 2008 on a domain controller at each office. IP addresses will beassigned using a Dynamic Host Configuration Protocol (DHCP) server at each office. Your solution must meetthe following requirements:

* Administrators in London need to be able to create and modify Active Directory accounts.

* Administrators in Paris need to be able to update drivers on the domain controller in Paris, but should not beable to create or modify user accounts.

* Records in the Domain Name System (DNS) database must be kept up to date.

* Only Active Directory domain members can register with the DNS server.

* Name resolution traffic across the Wide Area Network (WAN) link should be minimized.

How would you plan the DNS configuration? (Each correct answer presents part of the solution.Choose two.)

A. Deploy a standard primary zone in London.B. Deploy an Active Directory-Integrated zone in Paris.C. Deploy a primary read-only zone in Paris.D. Deploy a stub zone in Paris.E. Deploy an Active Directory-Integrated zone in London.

Correct Answer: BESection: (none)Explanation



You have deployed Active Directory Federation Services (AD FS) in your organization. You need to configureanother organization as a federated partner. Your organization is the resource partner in this partnership.

You need to exchange partner values with the partner organization.

How would you accomplish this task using as little administrative effort as possible?


A. Add your partner's domain as an Active Directory Domain Services (AD DS) Account store.B. Export your trust policy files and send the resulting file to the partner administrator.C. Have the partner send its federation server's validation certificate.D. Deploy an AD FS Proxy in the partner's perimeter network.



QUESTION 49You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Acomputer running Microsoft Windows Server 2008 is configured as a domain controller. The computer alsosupports other services, including the Dynamic Host Configuration Protocol (DHCP) service.

You need to move the Active Directory database on the computer. You must minimize the impact on the otherservices running on the computer.

What could be your first actions? (Each correct answer presents a complete solution. Choose two.)

A. Use Computer Manager to stop the Active Directory service.B. Run Net stop to stop the Active Directory service.

C. Run Ntdsutil to compact the database.D. Run Dcpromo to force removal of the Active Directory Domain Services (AD DS) role.E. Restart the domain controller in Directory Services Restore Mode (DSRM).

Correct Answer: ABSection: (none)Explanation


QUESTION 50You work as the network administrator at ABC.com. The ABC.com network consists of 10 Microsoft WindowsServer 2008 domain controllers. There are also 15 member servers running Windows Server 2008 and 1,000client computers running Windows XP Professional. All computers are members of a single Active Directorydomain. A Public Key Infrastructure (PKI) is also in place using Active Directory Certificate Services. ABC.comusers are required to enroll for

"Pass Any Exam. Any Time." - www.actualtests.com 34Microsoft 70-640 Exama User certificate using Web enrollment.

The users complain that the response time is very slow when accessing servers that host financial data.Certificate authentication is required to access these servers. You discover that the network is extremely busyand network bandwidth is reaching capacity.

You need to re-configure the Certificate Authority (CA) infrastructure to help reduce traffic on the network.

What must be done?

A. Open Active Directory Sites and Services. Deny users the Enroll permission on all templates except theUser template.

B. Open the Certificate Authority snap-in and configure the CA to use a Delta Certificate Revocation List(CRL).

C. Open the Certificate Templates snap-in and configure auto-enrollment instead of Web-based enrollment.D. Open the Certificate Authority snap-in and decrease the Certificate Revocation List (CRL) publication

interval.



QUESTION 51You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Alldomain controllers are running Windows Server 2008. The network currently has only a single site. ABC.comhas its headquarters in Berlin and is preparing to open a branch office in Paris.

You must ensure that administrators at the Paris office can create, modify, and delete user accounts only foremployees at the branch office. Administrators must be able to manage user accounts even if the link toheadquarters is unavailable.

How would you accomplish this task?

A. Install a read-only domain controller (RODC) at the Paris office.Create a global group named BranchAdmins.

Create an organizational unit (OU) named BranchUsers."Pass Any Exam. Any Time." - www.actualtests.com 35Microsoft 70-640 ExamDelegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

B. Install a read-only domain controller (RODC) at the Paris office.Create a global group named BranchAdmins.Create domain local group named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

C. Install a standard domain controller at the Paris office.Create a global group named BranchAdmins.Create a domain local group named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.

D. Install a standard domain controller at the Paris office.Create a global group named BranchAdmins.Create an organizational unit (OU) named BranchUsers.Delegate the Create, delete, and manage user accounts task on BranchUsers to BranchAdmins.



QUESTION 52You work as a Network Administrator for ABC.com. ABC.com has its headquarters in Los Angeles and branchoffices in Denver, San Jose, and San Diego. All locations are connected through 128Kbps leased lines.

ABC.com wants you to configure a Windows 2008 Active Directory-based network. You are supposed toprovide a design for the network. The ABC.com management does not want unnecessary traffic over the WANconnection.

Which of the following strategies will you implement to fulfill these requirements?

A. Create a separate site for each location. Move the domain controllers to their respective sites.B. Create a separate site for each location. Keep all domain controllers at the headquarters site.C. Create a site for the headquarters and move all domain controllers to this site.D. Create a single site that covers all locations. Keep all domain controllers at the headquarters.




QUESTION 53You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-basednetwork. The ABC.com network consists of two sites, namely San Francisco and San Diego. These sites areconnected with a high-speed T1 line as shown in the image below:

The San Francisco site is highly protected and a firewall has been configured for its security.

You create a site link to replicate the Active Directory data between the two sites. You find that the replication isnot working properly. You know that the firewall is preventing data from being replicated between the two sites.

What can you do to resolve this issue?

A. Increase the cost of the site link.B. Remove the firewall from the San Francisco site.C. Make the firewall proxy server of the San Francisco site a preferred bridgehead server.D. Schedule the site link to replicate the Active Directory data twenty-four hours a day.



QUESTION 54You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-basednetwork. All client computers on the network run Windows Vista Ultimate. You have configured a Dynamic DNS(DDNS) on the network.

There are a lot of mobile users who often connect to and disconnect from the network. ABC.com users on thenetwork complain of slow network responses. You suspect that the stale records on the DNS server may be thecause of the issue. You want to remove the stale records.

"Pass Any Exam. Any Time." - www.actualtests.com 37Microsoft 70-640 ExamWhich of the following technologies will you use to accomplish this task?

A. ScavengingB. AgingC. ForwardingD. RODC



QUESTION 55You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-basedsingle domain network. The company has organized its OU structure according to its departments. Threeorganizational units (OUs) named HR, Marketing, and Administration are configured in the domain.

You create a GPO named ADM and configure it to show desktop items that are required by most of the users inthe Administration department. You link the GPO with the Administration OU. You find that the users in the

Administration OU are not receiving the setting that was applied by the GPO on their computers. You suspectthat the issue is due to some conflicting policies that are taking higher precedence on the other policies appliedby the GPO.

Which of the following actions can you take to find out the policies applied on the users? (Each correct answerrepresents a complete solution. Choose two.)

A. Use the HFNETCHK.EXE command.B. Use the NTDSUTIL utility.C. Use the GPRESULT /z command.D. Use the RSoP Wizard in logging mode.

Correct Answer: CDSection: (none)Explanation


QUESTION 56"Pass Any Exam. Any Time." - www.actualtests.com 38Microsoft 70-640 ExamYou work as a Network Administrator for ABC.com. ABC.com currently has a Windows 2000 single domainActive Directory-based network. The company wants to upgrade all its servers to Windows Server 2008 andthen its network to a Windows 2008 Active Directory-based network. Before upgrading the network, you want totest the transfer of user and computer accounts from the existing environment to the new environment. Youtake the following steps:

* Create some test users and a test group in the existing environment.

* Make these users members of the group.

* Create a new Windows 2008 forest in a new server.

Which of the following tools will you use to test the successful transfer of user and computer accounts andgroups?

A. Windows Easy TransferB. ADMT v3C. CSVDED. USMT 3.0



QUESTION 57You work as a Network Administrator for ABC.com. ABC.com has a Windows 2008 Active Directory-basedsingle domain network. ABC.com has its headquarters in Atlanta and a branch office in Denver Both locationshave been configured as separate sites. The headquarters contains 500 users, whereas the branch office inDenver contains fifty users.

ABC.com users use an application named REPORT that requires directory access.

The ABC.com management wants to raise the level of security data. The new company policy dictates that

Active Directory data must be secure. You know that the physical security in the branch office can becompromised. You need to secure the domain controller in the branch office.

Which of the following steps will you take to accomplish this task?

A. Configure universal group membership caching at the branch office. Remove the domain "Pass Any Exam.Any Time." - www.actualtests.com 39Microsoft 70-640 Examcontroller.

B. Install a global catalog server at the branch office. Remove the domain controller.C. Install an RODC at the branch office. Remove the domain controller.D. Place the domain controller at the branch in a strong room secured with locks and keys.



QUESTION 58You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based Windows singleforest network.

Organizational units (OUs) are configured separately for each department. All the department's users andcomputers are placed in their respective OUs. A domain-level OU is also configured on the network toimplement domain-wide policies.

A ABC.com user named Rick complains that he is unable to access an application. You suspect that a grouppolicy is preventing Rick from accessing the application. You want to find out the effective group policies onRick.

Which command-line tool will you use to accomplish this task?

A. GPUPDATEB. GETRESULTC. GPRESULTD. Resultant Set of Policy Wizard



QUESTION 59You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based network. Youhave installed Windows Server 2008 on a computer. You want to configure the server as a Certificate Authority(CA).

"Pass Any Exam. Any Time." - www.actualtests.com 40Microsoft 70-640 ExamWhich of the following utilities will you use to accomplish this task?

A. Manage Your ServerB. Configure Your Server

C. Security Configuration WizardD. Server Manager



QUESTION 60You work as a Network Administrator for ABC.com. ABC.com has a Windows Active Directory- based singledomain network. The company's offices are located in Los Angeles, Denver, San Jose, and San Diego. Alllocations have been configured as separates sites. The company' headquarters is located in Los Angeles.

The network is configured as shown in the image below:

You have configured domain controllers at each site. A bridgehead server is configured at the headquarters.Each branch office contains fifty users. ABC.com users make use an Active Directory integrated application.You experience that the bridgehead server at the headquarters is receiving a lot of Active Directory replicationtraffic from the branch offices. You are required to reduce the Active Directory replication traffic.



A. Install a global catalog server at the branch offices.B. Configure universal group membership caching at the branch offices. Remove the domain controllers from

the branch offices.C. Replace the domain controllers at the branch offices with RODCs.D. Change the 256kbps lines to T1 lines.



QUESTION 61You work as a Network Administrator for ABC.com. ABC.com has an Active Directory-based network.

You install Server Core of Windows Server 2008 on a computer. You want to install an Active DirectoryCertificate Authority (CA) on the server.


A. Run the Configure Your Server wizard.B. Run the Manage Your Server wizard.C. You cannot install AD CA in a Server Core installation of Windows Server 2008.D. Run the Server Manager console.



QUESTION 62You work as a Network Administrator for ABC.com. ABC.com has a Windows Active Directory- based singleforest network. The functional level of the forest is Windows Server 2008. All client computers on the networkrun Windows Vista Ultimate.

ABC.com has its headquarters in San Francisco and three branch offices in San Jose, San Diego, and NewOrleans. Each office is configured as a different site and each site location is configured as a separate domain.The branch offices are connected to headquarters as shown in the image

"Pass Any Exam. Any Time." - www.actualtests.com 42Microsoft 70-640 Exambelow:

The location information of the resources is placed in Active Directory. Users in the New Orleans domainregularly search for available resources in Active Directory by using the Entire Directory option. The ABC.comusers complain of slow response time while searching Active Directory for resources. You are required toimprove the response time for users at the New Orleans office.


A. Configure a domain controller of the San Francisco domain at the New Orleans site.B. Configure universal group membership caching at the New Orleans site.C. Upgrade the 256Kbps WAN link to a 1Mbps WAN link.D. Configure a global catalog server at the New Orleans office.



QUESTION 63You work as a Network Administrator for ABC.com. The ABC.com network is configured as a Windows ActiveDirectory-based single forest with a single domain named ABC.com. The network contains Windows Server2003 and Windows Server 2008 domain controllers. Client computers on the network either run Windows VistaUltimate or Windows XP Professional.

A new security policy is to be implemented. It requires multiple password policies to be implemented on thenetwork. You are required to prepare the network for implementing the new security policy. Your solution mustinvolve minimum administrative efforts.

Which of the following steps will you take to accomplish this task? (Each correct answer represents a part ofthe solution. Choose two.)


A. Upgrade all domain controllers running Windows Server 2003 to Windows Server 2008.B. Raise the functional level of the forest to Windows Server 2008.C. Configure different domains for different password policies.D. Upgrade all computers running Windows XP Professional to Windows Vista.E. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: AESection: (none)Explanation


QUESTION 64You work as a Network Administrator for ABC.com. ABC.com has a Windows Server 2003- based network.

ABC.com wants to upgrade all its Windows 2003 servers to Windows Server 2008. Before upgrading theservers, you want to test the new operating system and its reliability. You also want to test various differentoperating systems.

Which of the following features of Windows Server 2008 allows you to install and run different operatingsystems on a single computer?

A. RODCB. Hyper-VC. RSoPD. Online Responder



QUESTION 65You have been hired by ABC.com to design the company's network. ABC.com has its headquarters is in

Denver. The company has many branch offices. All branch offices are connected to the headquarters throughdedicated T1 lines. The ABC.com management of the company wants to have a Windows 2008 ActiveDirectory-based network.

"Pass Any Exam. Any Time." - www.actualtests.com 44Microsoft 70-640 ExamABC.com's policy states that only the administrators of the headquarters are allowed to create and manageuser accounts. The local administrators in the branch offices are allowed to control their own resources only.Replication or authentication traffic on the WAN is not an issue here.

Which of the following designs will you use to fulfill these requirements?

A. Create a multi-forest network.Create a forest for each branch office and one for the main office.Delegate the authority for the resource administration to the local Administrators for their respective forests.Delegate the authority to the main office's forest to the Domain Admins group only.

B. Create a single domain network.Create an organizational unit (OU) for each branch office and an OU for the main office.Delegate the authority for the resource administration to the local Administrators for their own OUs.Delegate the authority for the main office's OU to the Domain Admins group only.

C. Create a domain for the main office.Create child domains for the branch offices.Keep all the user accounts in the main office domain and the resources on each domain of the branchoffices.Give Administrators Full Control access to the domain controllers.

D. Create a single domain network.Create a site for each branch office and a site for the main office.Delegate the authority for the resource administration to the local Administrators for their respective sites.Delegate the authority of the main office's site to the Domain Admins group only.



QUESTION 66You are the systems administrator for a company named ABC.com. The ABC.com network consists of a singleActive Directory forest. The network contains an Internet Information Services (IIS) server that hosts a Webapplication that allows users to purchase your company's products online.

ABC.com has a partner organization, a graphic design firm that designs your company's products. The partnercompany has its own Active Directory forest. You are required to enable users in the partner organization toaccess your Web application without being prompted for secondary credentials.

"Pass Any Exam. Any Time." - www.actualtests.com 45Microsoft 70-640 ExamWhich Windows Server 2008 server role should you install in your network to provide Web-based Single-Sign-On (SSO) capabilities to users in the partner organization?

A. Active Directory Rights Management Services (AD RMS)B. Active Directory Federation Services (AD FS)C. Active Directory Lightweight Directory Services (AD LDS)D. Active Directory Domain Services (AD DS)

Correct Answer: BSection: (none)

Explanation


QUESTION 67You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. Allservers run Windows Server 2008, and all client computers run Windows Vista.

ABC.com's written security policy stipulates that employees must use certificates for remote access and securee-mail. Only designated administrators are authorized to approve users' requests for certificates, issuecertificates, and revoke certificates.

You install Certificate Services on several servers and configure them as enterprise certification authorities(CAs).

You must assign the appropriate privileges to the designated administrators in accordance with the companypolicy. Which of the following actions should you take?

A. Issue an Enrollment Agent certificate to each designated administrator.B. Assign the designated administrators to the Certificate Manager role on each CA.C. Assign the Allow - Enroll permission for each certificate template to the designated administrators.D. Assign the Allow - Write permission for each CA to the designated administrators.



QUESTION 68"Pass Any Exam. Any Time." - www.actualtests.com 46Microsoft 70-640 ExamYou are the systems administrator for ABC.com. The ABC.com network consists of a single Active Directorydomain named ABC.com. A computer running Windows Server 2008 has both Active Directory DomainServices (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles installed. The AD LDSserver contains an instance with the default name that is used by several applications that access data fromand write data to the AD LDS database.

Over time, ABC.com users report to you that the AD LDS applications have become slow. To resolve thisproblem, you want to defragment the AD LDS database.

How would you perform an offline defragmentation of AD LDS database? (Choose all that apply.Each correct answer is part of a single solution.)

A. Restart the domain controller in Directory Services Restore Mode.B. Run the Net stop Adam_instance1 command.C. Run the Net stop Ntds command.D. Use the Ntdsutil command with the appropriate parameters to defrag the database.E. Run the Net start Adam_instance1 command.F. Run the Net start Ntds command.

Correct Answer: BDESection: (none)Explanation


QUESTION 69You are a network administrator for ABC.com. The ABC.com network consists of a single Active Directorydomain where all servers run Windows Server 2003 and all client computers run Windows XP Professional.

You use a Group Policy object (GPO) to deploy an application on the network. Later, you receive a differentapplication to work with the files that have the same file name extensions instead of the previously deployedapplication. You must deploy the new application, but users should not have to install it if they choose to use theoriginal application instead of the new one. However, only one of these applications should be installed on thesame computer.

Which actions should you take?

A. Assign the new application to computers; specify in the GPO that the original application be removed beforethe new one is installed.

B. Publish the new application to computers and remove the GPO that deploys the original "Pass Any Exam.Any Time." - www.actualtests.com 47Microsoft 70-640 Examapplication.

C. Assign the new application to users and remove the GPO that deploys the original application.D. Publish the new application to users; specify in the GPO that the original application be removed before the

new one is installed.



QUESTION 70You are the network administrator for ABC.com. The ABC.com network has a single domain, and all of thedomain controllers run Windows Server 2008.

A domain controller in the branch office failed this morning. This domain controller does not hold any otherroles. You bring the domain controller back on line, but you need to perform a non- authoritative restore of thedomain controller. You do not have a critical volume backup of the domain controller on hand, but you do havea recent full backup.

What should be your first action to perform a non-authoritative restore of the domain controller?

A. Perform a critical backup of another domain controller. Reboot the failed domain controller into DirectoryServices Restore Mode (DSRM).

B. Perform a full backup of another domain controller. Reboot the failed domain controller into DirectoryServices Restore Mode (DSRM).

C. At the command prompt, type bcdedit/set safeboot dsrepair and hit Enter. At the next command prompt,type shutdown -t 0 -r and hit Enter.

D. At the command prompt, type bcdedit /set safeboot and hit Enter. At the next command prompt, typeshutdown -t 0 -r and hit Enter.



Explanation:

QUESTION 71You are the network administrator of ABC.com. ABC.com has its headquarters in Atlanta and a branch office inDenver. The Atlanta office network consists of a single Active Directory domain.

"Pass Any Exam. Any Time." - www.actualtests.com 48Microsoft 70-640 ExamYou want to create a new domain for the Denver office in the same forest as the domain at the Atlanta office.

Which operations master role must be available in the forest for you to create a new domain for the Denveroffice?

A. Schema masterB. Domain naming masterC. Relative ID (RID) masterD. Primary domain controller (PDC) emulator masterE. Infrastructure master



QUESTION 72You are the network administrator of ABC.com. You install Windows Server 2008 on all servers on the network.All client computers are configured to run Windows Vista. You want to be able to use Advanced EncryptionStandard (AES) with Kerberos for encryption of Ticket Granting Tickets (TGTs), service tickets, and sessionkeys.

What is the minimum domain functional level that is required to support AES encryption with Kerberos?

A. Windows 2000 Server mixedB. Windows 2000 Server nativeC. Windows Server 2003D. Windows Server 2008



QUESTION 73You are the systems administrator for ABC.com. The ABC.com network consists of a single Active

"Pass Any Exam. Any Time." - www.actualtests.com 49Microsoft 70-640 ExamDirectory domain. All domain controllers run Windows Server 2008, and all client computers run WindowsVista. You have a public key infrastructure that has a subordinate enterprise Certification Authority (CA), whichissues certificates on behalf of the root CA.

You have a certificate template that allows users to autoenroll, and a group policy object that distributes thecertificates to users. All users are able to automatically obtain certificates. You now want routers and other

network devices are able to obtain certificates from the CA.

How would you accomplish this task?

A. Assign the routers and network devices the Autoenroll permission in a certificate template.B. Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices are

published in Active Directory.C. Install the Online Certificate Status Protocol (OCSP) role service for AD CS.D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.



QUESTION 74You are the network administrator for ABC.com. The ABC.com network has a single forest with three domains.All domain controllers in your forest are Windows Server 2008. Each domain is configured to be a separatesite.

Recently the telephone company has changed the telephone number of a department in the location of one ofABC.com's domains. There are 55 accounts that are affected by the telephone number change. You need tochange the telephone number property in the 55 different accounts.

How would you accomplish this as quickly as possible?

A. Use CSVDE to export the 55 accounts to a CSV file. Change the telephone number and use CSVDE toimport the accounts.

B. In Active Directory Users and Computers, select Find from the Action menu and create a saved LDAP querythat will return the 55 user accounts. Select all of the user accounts returned by the query andsimultaneously modify the telephone number in their accounts' properties.

C. Create a saved LDAP query that will return user accounts of the 55 user accounts. Export the results to atab-delimited file, modify the expiration date in the file and use the LDIFDE utility to import the file into ActiveDirectory."Pass Any Exam. Any Time." - www.actualtests.com 50Microsoft 70-640 Exam

D. In Active Directory Users and Computers, select Find from the Action menu and create a LDAP query thatwill return the 55 user accounts. Export the results to a comma-delimited file, modify the expiration date inthe file and use the CSVDE utility to import the file into Active Directory.



QUESTION 75You are the administrator for ABC.com. ABC.com has over 5,000 employees. ABC.com's head office hasapproximately 4,500 employees, while the company's ten branch offices have 50 users residing in each. Youare often unaware of the physical security in place at these offices. However, since there is a fairly sizableamount of users at each office, you must provide them with directory services.

What is the BEST option to use for directory services when security is unknown?

A. Lightweight Directory ServicesB. Read-only domain controllersC. Active Directory Federation ServicesD. Active Director Rights Management Services



QUESTION 76You are the administrator for ABC.com. ABC.com has just signed into a partnership with another organization.You will be responsible for ensuring that authentication can occur between both organizations without the needfor additional sign-on accounts. The partner has a variety of Directory Services installed throughout theirorganizations.

Which of the following can Active Directory Federation Services NOT connect to?

A. Lightweight Directory ServicesB. Windows Server 2003 Directory Services


C. Windows Server 2003 R2 Directory ServicesD. All of the above



QUESTION 77You are the administrator for a nationwide company named ABC.com that currently runs Windows Server 2008DNS and are reviewing the resource records in your Active Directoryintegrated DNS zone.

You notice there are hostnames that do not meet ABC.com's naming convention and verify that the computersare not members of your Active Directory domain.

What must you do to ensure these hosts cannot create records in your DNS zone?

A. Disable DNS and enable DHCP.B. Configure your zone to enable secure dynamic updates.C. Disable dynamic updates in your zone.D. You cannot prevent this from occurring in DNS.



QUESTION 78

You are creating a new standard primary zone for the company you work for, ABC.com, using the domainABC.corp. You create the zone through the DNS management console, and now you want to view thecorresponding DNS zone file named ABC.corp.dns.

Where do you need to look in order to find this file?

A. You cannot view the zone file because it is stored in Active Directory.B. You can look in the %systemroot%\system32\dns folder.C. You cannot view the DNS file except by using the DNS management console.


D. The DNS zone file is actually just a key in the Windows Registry. You need to use the Registry Editor if youwant to view the file.



QUESTION 79You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com.You have implemented DNS on a Windows Server 2008 Core Server installation. You want to list the DNSzones on this server.

What command-line utility would you use to accomplish this?

A. ocsetup.B. netsh.C. dnscmd.D. None of the above. You must use the GUI from another Windows Server 2008 host.



QUESTION 80What is the purpose of resetting an account?

A. Helps you reset a computer password stored in Active Directory so the computer can make a trustedconnection with Active Directory.

B. Helps you reboot the computer.C. Helps you restart netlogon services.D. Helps you change the authentication protocol from NTML to Kerberos.



70-640 formatted - GRATIS EXAM · 2012. 10. 16. · directory partition of the AD LDS? A. You...

Documents

Transcript of 70-640 formatted - GRATIS EXAM · 2012. 10. 16. · directory partition of the AD LDS? A. You...