Microsoft 70-640 Study Guides 2019


Study guide for exam 70-640, TS: Windows Server 2008 Active Directory, Configuring.


NEW QUESTION 1
HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.
[Exhibit]
You need to enable universal group membership caching in the Seattle site.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
[Exhibit]

    Answer:

    Explanation: [Exhibit]

    NEW QUESTION 2
    A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS infrastructure is shown in the following graphic.
    [Exhibit]
    When the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Toronto Site domain controller.
    You need to ensure that when the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Quebec City Site domain controller.
    What should you do?

    • A. Create a site link bridge between the Montreal Site and the Quebec City Site.
    • B. Create a registry entry on each client computer in the Montreal branch office.
    • C. Enable the global catalog role on the Montreal Site domain controller.
    • D. Delete the Toronto-Montreal Site Link.

    Answer: A

    NEW QUESTION 3
    Your company hires 10 new employees.
    You want the new employees to connect to the main office through a VPN connection.
    You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office.
    The new employees are unable to access shared resources in the main office.
    You need to ensure that users are able to establish a VPN connection to the main office.
    What should you do?

    • A. Grant the new employees the Allow Access Dial-in permission.
    • B. Grant the new employees the Allow Full control permission.
    • C. Add the new employees to the Remote Desktop Users security group.
    • D. Add the new employees to the Windows Authorization Access security group.

    Answer: A

    Explanation:
    http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
    Dial-in properties of a user account
    The dial-in properties for a user account are:
    Remote Access Permission (Dial-in or VPN)
    You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt.

    NEW QUESTION 4
    Your network contains an Active Directory domain. The domain contains four domain controllers.
    You create a new application directory partition.
    You need to ensure that the new application directory partition replicates to only three of the domain controllers.
    Which tool should you use?

    • A. Dsdbutil
    • B. Active Directory Administrative Center
    • C. Dsmod
    • D. Dsmgmt

    Answer: B

    NEW QUESTION 5
    Your company has an Active Directory domain named contoso.com. The company network has two DNS servers named DNS1 and DNS2.
    The DNS servers are configured as shown in the following table.
    [Exhibit]
    Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites.
    You need to enable Internet name resolution for all client computers.
    What should you do?

    • A. Update the list of root hints servers on DNS2.
    • B. Create a copy of the .(root) zone on DNS1.
    • C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
    • D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.

    Answer: C

    Explanation:
    http://support.microsoft.com/kb/298148
    How To Remove the Root Zone (Dot Zone)
    When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone may prevent access to the Internet for DNS and for clients of the DNS. If there is a root zone, there are no other zones other than those that are listed with DNS, and you cannot configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.

    NEW QUESTION 6
    You have an Active Directory domain named contoso.com.
    You need to view the account lockout threshold and duration for the domain.
    Which tool should you use?

    • A. Computer Management
    • B. Net Config
    • C. Active Directory Users and Computers
    • D. Gpresult

    Answer: C

    Explanation:
    You can see the required settings when you:
    1. Open Active Directory Users and Computers
    2. Go to View in the menu bar and make sure "Advanced Features" is checked.
    3. Right click on the domain and choose Properties
    4. On the Attribute Editor tab click on Filter
    5. Ensure that the Show attributes/Optional check box is selected.
    6. In the Attributes list locate lockoutThreshold and lockoutDuration.
    Played with the settings in the Group Policy Management Editor and the settings were
    reflected in the steps above every time.
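The same two attributes can be read from the domain head object with the Active Directory module instead of the Attribute Editor. This is an added example, not part of the original explanation; the function names `Convert-AdInterval` and `Get-DomainLockoutSettings` are hypothetical, and the script assumes a domain-joined host with the ActiveDirectory module available.

```powershell
# Added example: read the domain lockout settings that the Attribute Editor
# steps above display, and decode the raw interval values.
Import-Module ActiveDirectory

function Convert-AdInterval {
    # Interval attributes are stored as negative counts of 100-nanosecond ticks.
    param([Int64]$Raw)
    # Guard: Abs() overflows on Int64.MinValue, the "never" value used by
    # AD interval attributes.
    if ($Raw -eq [Int64]::MinValue) { return [TimeSpan]::MaxValue }
    [TimeSpan]::FromTicks([Math]::Abs($Raw))
}

function Get-DomainLockoutSettings {
    # Assumption: default to the logged-on user's domain.
    param([string]$Domain = $env:USERDNSDOMAIN)

    $dn   = (Get-ADDomain -Identity $Domain).DistinguishedName
    $head = Get-ADObject -Identity $dn -Server $Domain `
                -Properties lockoutThreshold, lockoutDuration, lockOutObservationWindow

    New-Object PSObject -Property @{
        Domain            = $dn
        LockoutThreshold  = $head.lockoutThreshold
        LockoutDuration   = Convert-AdInterval $head.lockoutDuration
        ObservationWindow = Convert-AdInterval $head.lockOutObservationWindow
        # A threshold of 0 means accounts are never locked out.
        LockoutEnabled    = ($head.lockoutThreshold -gt 0)
    }
}

$settings = Get-DomainLockoutSettings
$settings | Format-List

if (-not $settings.LockoutEnabled) {
    Write-Warning "lockoutThreshold is 0: failed logons never lock an account in $($settings.Domain)"
}

# Cross-check against the cmdlet that reports the same policy as TimeSpan values.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

These are the domain-wide defaults; a fine-grained password policy applied to a user or group can override them for those accounts.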

    NEW QUESTION 7
    Your company has a single Active Directory domain. All domain controllers run Windows Server 2003.
    You install Windows Server 2008 R2 on a server.
    You need to add the new server as a domain controller in your domain.
    What should you do first?

    • A. On a domain controller run adprep /rodcprep.
    • B. On the new server, run dcpromo /ad
    • C. On the new server, run dcpromo /createdcaccount.
    • D. On a domain controller, run adprep /forestprep.

    Answer: D

    Explanation:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/
    DC promotion and adprep/forestprep
    Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder")
    A1:
    You can run adprep from an existing Windows Server 2003 domain controller. Copy the
    contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to
    the schema master role holder and run Adprep from there.
    A2: to introduce the first W2K8 DC within an AD forest....
    (1) no AD forest exists yet:
    --> on the stand alone server execute: DCPROMO
    --> and provide the information needed
    (2) an W2K or W2K3 AD forest already exists:
    --> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests)
    --> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests)
    --> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains)
    --> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains)
    --> on the stand alone server execute: DCPROMO
    --> and provide the information needed

    NEW QUESTION 8
    Your company has a main office and 50 branch offices. Each office contains multiple subnets.
    You need to automate the creation of Active Directory subnet objects.
    What should you use?

    • A. the Dsadd tool
    • B. the Netsh tool
    • C. the New-ADObject cmdlet
    • D. the New-Object cmdlet

    Answer: C

    Explanation:
    http://technet.microsoft.com/en-us/library/ee617260.aspx
    New-ADObject
    Creates an Active Directory object.
    Syntax:
    New-ADObject [-Name] <string> [-Type] <string> [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Description <string>] [-DisplayName <string>] [-Instance <ADObject>] [-OtherAttributes <hashtable>] [-PassThru <switch>] [-Path <string>] [-ProtectedFromAccidentalDeletion <System.Nullable [bool]>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]
    Detailed Description
    The New-ADObject cmdlet creates a new Active Directory object such as a new organizational unit or new user account. You can use this cmdlet to create any type of Active Directory object. Many object properties are defined by setting cmdlet parameters. Properties that are not set by cmdlet parameters can be set by using the OtherAttributes parameter. You must set the Name and Type parameters to create a new Active Directory object. The Name specifies the name of the new object. The Type parameter specifies the LDAP display name of the Active Directory Schema Class that represents the type of object you want to create. Examples of Type values include computer, group, organizational unit, and user. The Path parameter specifies the container where the object will be created. When you do not specify the Path parameter, the cmdlet creates an object in the default naming context container for Active Directory objects in the domain.
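A sketch of how New-ADObject can automate subnet creation, using the Name, Type, Path and OtherAttributes parameters described above. This is an added example, not taken from the referenced documentation; the subnet prefixes and location strings are constructed sample data, and the Seattle and Montreal sites are assumed to exist already.

```powershell
# Added example: bulk-create Active Directory subnet objects with New-ADObject.
Import-Module ActiveDirectory

# Constructed sample input: subnet-to-site mapping for two sites.
$subnetMap = @'
Subnet,Site,Location
10.10.0.0/24,Seattle,Seattle office LAN
10.20.0.0/24,Montreal,Montreal office LAN
10.20.1.0/24,Montreal,Montreal office Wi-Fi
'@ | ConvertFrom-Csv

# Subnet objects live in the forest-wide configuration partition.
$configNC         = (Get-ADRootDSE).configurationNamingContext
$subnetsContainer = "CN=Subnets,CN=Sites,$configNC"

foreach ($row in $subnetMap) {
    # A subnet object is named by its CIDR prefix; reject anything else.
    if ($row.Subnet -notmatch '^(\d{1,3}\.){3}\d{1,3}/([0-9]|[12][0-9]|3[0-2])$') {
        Write-Warning "Skipping malformed prefix '$($row.Subnet)'"
        continue
    }

    # The target site must already exist. A subnet mapped to the wrong or a
    # missing site sends clients to an unintended domain controller.
    $siteDN = "CN=$($row.Site),CN=Sites,$configNC"
    try {
        $null = Get-ADObject -Identity $siteDN -ErrorAction Stop
    } catch {
        Write-Warning "Site '$($row.Site)' not found; skipping $($row.Subnet)"
        continue
    }

    # Idempotent: leave an existing subnet object untouched.
    $existing = Get-ADObject -SearchBase $subnetsContainer -SearchScope OneLevel `
                    -LDAPFilter "(&(objectClass=subnet)(cn=$($row.Subnet)))"
    if ($existing) {
        Write-Verbose "$($row.Subnet) already exists"
        continue
    }

    # siteObject links the subnet to its site; it has no dedicated parameter,
    # so it is passed through -OtherAttributes.
    New-ADObject -Name $row.Subnet -Type subnet -Path $subnetsContainer `
        -OtherAttributes @{ siteObject = $siteDN; location = $row.Location } `
        -WhatIf    # dry run; remove -WhatIf to create the objects
}
```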

    NEW QUESTION 9
    DRAG DROP
    Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.
    What should you do?
    To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
    [Exhibit]

      Answer:

      Explanation: [Exhibit]

      NEW QUESTION 10
      Your network contains an Active Directory forest named contoso.com.
      You need to provide a user named User1 with the ability to create and manage subnet objects.
      The solution must minimize the number of permissions assigned to User1.
      What should you do?

      • A. From Active Directory Users and Computers, run the Delegation of Control wizard.
      • B. From Active Directory Administrative Centre, add User1 to the Schema Admins group.
      • C. From Active Directory Sites and Services, run the Delegation of Control wizard.
      • D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators group.

      Answer: C

      Explanation:
      http://technet.microsoft.com/en-us/library/cc736770.aspx
      Delegate control of a site
      To delegate control of a site
      1. Open Active Directory Sites and Services.
      2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard.
      3. Follow the instructions in the Delegation of Control Wizard.
      Notes
      (...)
      In Active Directory Sites and Services, you can delegate control for the subnets, intersite
      transports, sites, and server containers.

      NEW QUESTION 11
      Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2.
      The network contains an enterprise certification authority (CA).
      You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.
      Which snap-in should you use?

      • A. Active Directory Administrative Center
      • B. Authorization Manager
      • C. Certificate Templates
      • D. Certificates
      • E. Certification Authority
      • F. Enterprise PKI
      • G. Group Policy Management
      • H. Security Configuration Wizard
      • I. Share and Storage Management

      Answer: G

      Explanation: We can make the Group1 group a member of the Event Log Readers group, giving them read access to all event logs, thus including the Certificate Services events.
      We can do that by using Group Policy Management.
      Explanation 1:
      It's a bit hard to find some good, clear explanation for this. There's nothing wrong with doing it
      yourself, so here's what I did in VMWare, using a domain controller and a member server.
      Click along if you want!
      In VMWare I have setup a domain controller, DC01 and a member server MEM01, both
      belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I
      have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.
      1. Start the Group Policy Management console on DC01.
      2. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here..."
      3. I named the GPO "EventLog_TESTGROUP"
      4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit..."
      5. Go to Computer Configuration \ Policies \ Windows Settings \ Security Settings and select "Restricted Groups"
      6. Right-click "Restricted Groups" and choose "Add Group..."
      7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let's do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.
      8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.
      9. Click OK.
      10. On MEM01 open a command prompt and run gpupdate /force.
      11. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.
      Explanation 2: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
      Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
      So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.
      (...)
      Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the built-in Event Log Readers group.

      NEW QUESTION 12
      Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.
      You need to install an enterprise subordinate certification authority (CA) that supports private key archival.
      You must achieve this goal by using the minimum amount of administrative effort.
      What should you do first?

      • A. Initialize the Trusted Platform Module (TPM).
      • B. Upgrade the member server to Windows Server 2008 R2 Standard.
      • C. Install the Certificate Enrollment Policy Web Service role service on the member server.
      • D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role template check box.

      Answer: B

      Explanation:
      Not sure about this one. See my thoughts below.
      According to MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) key archival
      is not available in the Windows Server 2008 R2 Standard edition, so that would leave out
      answer B.
      Another dump gives the following for answer B:
      "Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise."
      Should the actual exam mention to upgrade to the Enterprise edition for answer B, I'd go
      for that. In this VCE it doesn't seem to make sense to go for B as it shouldn't work, I think.
      Certificate Enrollment Policy Web Service role of answer C was introduced in Windows
      Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008
      machine.
      Trusted Platform Module is "a secure cryptographic integrated circuit (IC), provides a
      hardware-based approach to manage user authentication, network access, data protection
      and more that takes security to higher level than software-based security."
      (http://www.trustedcomputinggroup.org/resources/
      how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/)
      Pfff... I'm bothered that answer B speaks of the Standard edition, and not the Enterprise
      edition. Hope the VCE is wrong.

      NEW QUESTION 13
      Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.
      You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.
      At which level should you deactivate UGMC?

      • A. Server
      • B. Connection object
      • C. Domain
      • D. Site

      Answer: D

      Explanation:
      http://www.ntweekly.com/?p=788
      http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91
      Script to Disable Universal Group Membership Caching in all Sites
      How to Disable Universal Group Membership Caching in all Sites using a Script
      Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user's account at the time the user logs on to the domain to the authenticating domain controller.
      UGMC is generally a good idea for multiple domain forests when:
      1. Universal Group membership does not change frequently.
      2. Low WAN bandwidth between Domain Controllers in different sites.
      It is also recommended to disable UGMC if all Domain Controllers in a forest are Global
      Catalogs.
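UGMC is a per-site setting: it is a bit in the `options` attribute of each site's NTDS Site Settings object. The following is an added example, not the gallery script referenced above; the function names `Get-UgmcState` and `Disable-Ugmc` are hypothetical. It reports which sites have the bit set and clears it, as a dry run unless `-Apply` is given.

```powershell
# Added example: audit and disable Universal Group Membership Caching per site.
Import-Module ActiveDirectory

$UgmcFlag = 0x20   # bit in nTDSSiteSettings 'options' that enables UGMC
$sitesDN  = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

function Get-UgmcState {
    # One nTDSSiteSettings object exists under each site container.
    Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSSiteSettings)' `
                 -Properties options |
        ForEach-Object {
            $opts = [int]$_.options      # an unset attribute counts as 0
            New-Object PSObject -Property @{
                Site        = ($_.DistinguishedName -replace '^CN=NTDS Site Settings,CN=([^,]+),.*$', '$1')
                SettingsDN  = $_.DistinguishedName
                Options     = $opts
                UgmcEnabled = [bool]($opts -band $UgmcFlag)
            }
        }
}

function Disable-Ugmc {
    param([switch]$Apply)   # without -Apply, changes are only previewed

    foreach ($s in @(Get-UgmcState | Where-Object { $_.UgmcEnabled })) {
        # Clear only the UGMC bit; other site option bits are preserved.
        $new = $s.Options -band (-bnot $UgmcFlag)
        Write-Output "Site $($s.Site): options $($s.Options) -> $new"
        Set-ADObject -Identity $s.SettingsDN -Replace @{ options = $new } `
                     -WhatIf:(-not $Apply)
    }
}

# Report the current state, then preview the change.
Get-UgmcState | Sort-Object Site | Format-Table Site, Options, UgmcEnabled -AutoSize
Disable-Ugmc
```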

      NEW QUESTION 14
      You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1.
      You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.
      Which inbound TCP port should you allow on Server1?

      • A. 88
      • B. 135
      • C. 443
      • D. 445

      Answer: C

      NEW QUESTION 15
      You have an Active Directory domain named contoso.com.
      You need to view the account lockout threshold and duration for the domain.
      Which tool should you use?

      • A. Net User
      • B. Active Directory Users and Computers
      • C. Group Policy Management Console (GPMC)
      • D. Computer Management

      Answer: C

      NEW QUESTION 16
      Your network contains an Active Directory domain named contoso.com.
      The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2.
      You need to identify if all of the DNS records used for Active Directory replication are correctly registered.
      What should you do?

      • A. From the command prompt, use netsh.exe.
      • B. From the command prompt, use dnslint.exe.
      • C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
      • D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

      Answer: B

      Explanation:
      http://technet.microsoft.com/en-us/library/dd197560.aspx
      Dnslint.exe
      DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.
