Microsoft 70-640 Exam Questions and Answers 2019

Exam 70-640 TS: Windows Server 2008 Active Directory, Configuring

NEW QUESTION 1
Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?

  • A. From the Default Domain Policy, modify the account lockout setting
  • B. From the Default Domain Controller Policy, modify the account lockout setting
  • C. From the properties of the user account, modify the Account option
  • D. From the properties of the user account, modify the Session setting

Answer: C

Explanation:
http://blogs.technet.com/b/msonline/archive/2009/08/17/disabling-and-deleting-user-accounts.aspx
Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online
data, but retains the user’s data. Disabling a user account also keeps the user license
associated with that account. This is the best option to utilize when a person leaves an
organization temporarily.

NEW QUESTION 2
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.
You need to ensure users are able to enroll new certificates.
What should you do?

  • A. Renew the Certificate Revocation List (CRL) on the root CA.
  • B. Copy the CRL to the CertEnroll folder on the issuing CA.
  • C. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the SystemCertificates folder in the users' profile.
  • D. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
  • E. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.

Answer: A

Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx
Offline Root Certification Authority (CA)
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.

CA Compromise
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access.
To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA.

How Do Offline CAs issue certificates?
Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD), which are then physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate and that certificate will be placed on removable media. Each CA receives its authorization to issue certificates from the CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network devices, mobile devices, and so on.

Do not join offline CAs to an Active Directory Domain Services domain
Since offline CAs should not be connected to a network, it does not make sense to join them to an Active Directory Domain Services (AD DS) domain, even with the Offline Domain Join option introduced with Windows 7 and Windows Server 2008 R2. Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with a secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this problem and better protect your CA by making it a member of a workgroup, instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not attempt to install an offline CA as a Windows Server Enterprise CA.

http://technet.microsoft.com/en-us/library/cc740209%28v=ws.10%29.aspx
Renewing a certification authority
A certification authority may need to be renewed for either of the following reasons:
  • Change in the policy of certificates issued by the CA
  • Expiration of the CA's issuing certificate

NEW QUESTION 3
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?

  • A. Credential Manager
  • B. Group Policy Management Editor
  • C. Active Directory Users and Computers
  • D. Active Directory Sites and Services

Answer: C

Explanation:
Use Active Directory Users and Computers to determine the value of the msDS-PSOApplied attribute of the specific group:
1. Open the Properties window for the group in Active Directory Users and Computers.
2. Click the Attribute Editor tab, and then click Filter
3. Ensure that the Show attributes/Optional check box is selected.
4. Ensure that the Show read-only attributes/Backlinks check box is selected.
5. Locate the value of msDS-PSOApplied in the Attributes list.
Explanation:
http://technet.microsoft.com/en-us/library/cc754544.aspx
Defining the scope of fine-grained password policies
A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...)
A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.
As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msDS-PSOApplied attribute of the user and group objects has a back-link to the PSO.

NEW QUESTION 4
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.
What should you do?

  • A. Add a data recovery agent to the Default Domain Policy.
  • B. Modify the value in the Number of recovery agents to use box.
  • C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
  • D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificate

Answer: B

Explanation:
MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357
You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the number of recovery agents to use, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA will randomly select that number of KRA certificates from the available total and encrypt the private key, using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery.

NEW QUESTION 5
Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.
The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2.
You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).
What should you do first?

  • A. Run dfsrdiag.exe PollAD.
  • B. Run dfsrmig.exe /SetGlobalState 0.
  • C. Upgrade all domain controllers to Windows Server 2008 R2.
  • D. Raise the functional level of the domain to Windows Server 2008.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspx
Distributed File System
Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly-available access to files, load sharing, and WAN-friendly replication. In the Windows Server 2003 R2 operating system, Microsoft revised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-in with the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server 2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces and added a number of usability and performance improvements.

What does Distributed File System (DFS) do?
The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly-available access to geographically dispersed files. The two technologies in DFS are the following:
  • DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections.
  • DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.

NEW QUESTION 6
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1. Server1 has an IP address of 192.168.200.100.
You need to view the Pointer (PTR) record for Server1.
Which zone should you open in the DNS snap-in to view the record?
To answer, select the appropriate zone in the answer area.
[Exhibit image not included]

    Answer:


    NEW QUESTION 7
    You are the administrator of an organization with a single Active Directory domain.
    One of your senior executives tries to log onto a machine and receives the error "This user account has expired. Ask your administrator to reactivate your account".
    You need to make sure this doesn't happen again to this user.
    What do you do?

    • A. Configure the domain policy to disable account lockout
    • B. Configure the password policy to extend the maximum password age to 0.
    • C. Modify the user's properties to set the Account Never Expires setting.
    • D. Modify the user's properties to extend the maximum password age to 0.

    Answer: C

    Explanation:
    Further information: http://technet.microsoft.com/en-us/library/dd145547.aspx
    User Properties - Account Tab
    Account expires
    Sets the account expiration policy for this user. You can select between the following options:
    Use Never to specify that the selected account will never expire. This option is the default for new users.
    Select End of and then select a date if you want to have the user's account expire on a specified date.

    NEW QUESTION 8
    Your network contains an Active Directory forest. The forest contains one domain and three sites. Each site contains two domain controllers. All domain controllers are DNS servers.
    You create a new Active Directory-integrated zone.
    You need to ensure that the new zone is replicated to the domain controllers in only one of the sites.
    What should you do first?

    • A. Modify the NTDS Site Settings object for the site.
    • B. Modify the replication settings of the default site link.
    • C. Create an Active Directory connection object.
    • D. Create an Active Directory application directory partition.

    Answer: D

    Explanation:
    Practically the same question as A/Q50 and K/Q17, different set of answers. To control which servers get a copy of the zone we have to store the zone in an application directory partition. That application directory partition must be created before we create the zone, otherwise it won't work. So that's what we have to do first. Directory partitions are also called naming contexts and we can create one using ntdsutil. Here I tried to create a zone with dnscmd /zoneadd. It failed because the directory partition I wanted to use did not exist yet. To fix that I used ntdsutil to create the directory partition dc=venomous,dc=contoso,dc=com. Note that after creating it a new naming context had been added. Then, after a minute or two, I tried to create the new zone again, and this time it worked.
    Explanation 1:
    http://technet.microsoft.com/en-us/library/cc725739.aspx
    Store Data in an AD DS Application Partition
    You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). An application directory partition is a data structure in AD DS that distinguishes data for different replication purposes. When you store a DNS zone in an application directory partition, you can control the zone replication scope by controlling the replication scope of the application directory partition.
    Explanation 2:
    http://technet.microsoft.com/en-us/library/cc730970.aspx
    Partition management
    Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
    This is a subcommand of Ntdsutil and Dsmgmt.
    Examples
    To create an application directory partition named AppPartition in the contoso.com domain, complete the following steps:
    1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    2. Type: ntdsutil
    3. Type: Ac in ntds
    4. Type: partition management
    5. Type: connections
    6. Type: Connect to server DC_Name
    7. Type: quit
    8. Type: list
    The following partitions will be listed:
        0 CN=Configuration, DC=Contoso, DC=com
        1 DC=Contoso, DC=com
        2 CN=Schema, CN=Configuration, DC=Contoso, DC=com
        3 DC=DomainDnsZones, DC=Contoso, DC=com
        4 DC=ForestDnsZones, DC=Contoso, DC=com
    9. At the partition management prompt, type: create nc dc=AppPartition,DC=contoso,dc=com ConDc1.contoso.com
    10. Run the list command again to refresh the list of partitions.

    NEW QUESTION 9
    Your network contains an Active Directory domain named contoso.com.
    You need to create one password policy for administrators and another password policy for all other users.
    Which tool should you use?

    • A. Group Policy Management Editor
    • B. Authorization Manager
    • C. Dsadd
    • D. Ldifde

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-US/library/cc754461.aspx
    Creating a PSO using ldifde
    You can use the ldifde command as a scriptable alternative for creating PSOs.
    To create a PSO using ldifde
    1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:
        dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
        changetype: add
        objectClass: msDS-PasswordSettings
        msDS-MaximumPasswordAge:-1728000000000
        msDS-MinimumPasswordAge:-864000000000
        msDS-MinimumPasswordLength:8
        msDS-PasswordHistoryLength:24
        msDS-PasswordComplexityEnabled:TRUE
        msDS-PasswordReversibleEncryptionEnabled:FALSE
        msDS-LockoutObservationWindow:-18000000000
        msDS-LockoutDuration:-18000000000
        msDS-LockoutThreshold:0
        msDS-PasswordSettingsPrecedence:20
        msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
    2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.
    3. Type the following command, and then press ENTER: ldifde -i -f pso.ldf

    NEW QUESTION 10
    Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
    You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller.
    What should you do?

    • A. Review performance data in Resource Monitor.
    • B. Review the Hardware Events log in the Event Viewer.
    • C. Run the Active Directory Diagnostics Data Collector Set.
    • D. Review the Active Directory Diagnostics report.
    • E. Run the LAN Diagnostics Data Collector Set.
    • F. Review the LAN Diagnostics report.

    Answer: C

    Explanation:
    http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/
    Active Directory Diagnostics
    Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the installation of SPA. SPA is helpful because the Active Directory data set collects performance data and it generates XML based diagnostic reports that make analyzing AD performance issues easier by identifying the IP addresses of the highest volume callers and the type of network traffic that is placing the most loads on the CPU.
    Download SPA tool: http://www.microsoft.com/en-us/download/details.aspx?id=15506
    Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and you don’t have to install SPA anymore.
    This performance feature is located in the Server Manager snap-in under the Diagnostics node and when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data collector set is automatically created under System as shown here.
    When you check the properties of the collector you will notice that the data is stored under %systemdrive%\perflogs, only now it is under the \ADDS folder and when a data collection is run it creates a new subfolder called YYYYMMDD-#### where YYYY = Year, MM = Month and DD = Day and #### starts with 0001. Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration period cannot be modified for the built-in collector. However, the collection can be stopped manually by clicking the Stop button or from the command line.
    To start the data collector set, you just have to right click on Active Directory Diagnostics data collector set and select Start. Data will be stored at %systemdrive%\perflogs location.
    Once you’ve gathered your data, you will have these interesting and useful reports under Report section, to aid in your troubleshooting and server performance trending.
    Further information: http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx
    Monitoring Your Branch Office Environment
    http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx
    Son of SPA: AD Data Collector Sets in Win2008 and beyond

    NEW QUESTION 11
    A user in a branch office of your company attempts to join a computer to the domain, but the attempt fails.
    You need to enable the user to join a single computer to the domain.
    You must ensure that the user is denied any additional rights beyond those required to complete the task.
    What should you do?

    • A. Prestage the computer account in the Active Directory domain.
    • B. Add the user to the Domain Administrators group for one day.
    • C. Add the user to the Server Operators group in the Active Directory domain.
    • D. Grant the user the right to log on locally by using a Group Policy Object (GPO).

    Answer: A

    Explanation:
    http://technet.microsoft.com/en-us/library/cc770832%28v=ws.10%29.aspx#BKMK_1
    Prestaging Client Computers
    Benefits of Prestaging Client Computers
    Prestaging clients provides three main benefits:
    An additional layer of security. You can configure Windows Deployment Services to answer only prestaged clients, therefore ensuring that clients that are not prestaged will not be able to boot from the network.
    Additional flexibility. Prestaging clients increases flexibility by enabling you to control the following. For instructions on performing these tasks, see the “Prestage Computers” section of How to Manage Client Computers.
    * The computer account name and location within AD DS.
    * Which server the client should network boot from.
    * Which network boot program the client should receive.
    * Other advanced options, for example, what boot image a client will receive or what Windows Deployment Services client unattend file the client should use.
    The ability for multiple Windows Deployment Services servers to service the same network segment. You can do this by restricting the server to answer only a particular set of clients.
    Note that the prestaged client must be in the same forest as the Windows Deployment Services server (trusted forests do not work).
    Further information:
    http://www.windows-noob.com/forums/index.php?/topic/506-how-can-i-prestage-a-computer-for-wds/
    how can I PRESTAGE a computer for WDS?

    NEW QUESTION 12
    You have an enterprise subordinate certification authority (CA).
    You have a custom Version 3 certificate template.
    Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment.
    You need to ensure that the certificate template is available on the Web enrollment pages.
    What should you do?

    • A. Run certutil.exe -pulse.
    • B. Run certutil.exe -installcert.
    • C. Change the certificate template to a Version 2 certificate template.
    • D. On the certificate template, assign the Autoenroll permission to the user

    Answer: C

    Explanation:
    Identical to F/Q33.
    Explanation 1:
    http://technet.microsoft.com/en-us/library/cc732517.aspx
    Certificate Web enrollment cannot be used with version 3 certificate templates.
    Explanation 2:
    http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx
    The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.

    NEW QUESTION 13
    Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives.
    You need to apply desktop restrictions to the sales managers group. You must not apply these desktop restrictions to the sales executive group.
    You create a GPO named DesktopLockdown and link it to the Sales organizational unit.
    What should you do next?

    • A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
    • B. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO.
    • C. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO.
    • D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO.

    Answer: C

    NEW QUESTION 14
    Your network contains an Active Directory domain. The domain contains several domain controllers.
    You need to modify the Password Replication Policy on a read-only domain controller (RODC).
    Which tool should you use?

    • A. Group Policy Management
    • B. Active Directory Domains and Trusts
    • C. Active Directory Users and Computers
    • D. Computer Management
    • E. Security Configuration Wizard

    Answer: C

    Explanation:
    http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx
    Administering the Password Replication Policy
    This topic describes the steps for viewing, configuring, and monitoring the Password Replication Policy (PRP) and password caching for read-only domain controllers (RODCs).
    To configure the PRP using Active Directory Users and Computers
    1. Open Active Directory Users and Computers as a member of the Domain Admins group.
    2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
    3. Click Domain Controllers, and in the details pane, right-click the RODC computer account, and then click Properties.
    4. Click the Password Replication Policy tab.
    5. The Password Replication Policy tab lists the accounts that, by default, are defined in the Allowed list and the Deny list on the RODC. To add other groups that should be included in either the Allowed list or the Deny list, click Add.
    To add other accounts that will have credentials cached on the RODC, click Allow passwords for the account to replicate to this RODC.
    To add other accounts that are not allowed to have credentials cached on the RODC, click Deny passwords for the account from replicating to this RODC.

    NEW QUESTION 15
    Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The domain contains a domain controller named DC1. DC1 hosts an Active Directory-integrated zone for contoso.com.
    You enable record scavenging for contoso.com by using the default settings. You configure scavenging to run every seven days.
    After 30 days, you discover that some DNS records of computers that were removed from the network are still present in the contoso.com zone.
    You need to ensure that the scavenging process can remove the stale records.
    What command should you run? (To answer, select the appropriate options in the answer area.)
    [Exhibit image not included]

      Answer:


      NEW QUESTION 16
      DRAG DROP
      Your network contains an Active Directory forest named contoso.com.
      You need to use Group Policies to deploy the applications shown in the following table:
      [Exhibit: table of applications, image not included]
      What should you do?
      To answer, drag the appropriate deployment method to the correct application in the answer area.
      [Exhibit: answer area, image not included]

        Answer:
