Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
QUESTION 1
Your company has a single Active Directory domain named intranet.adatum.com.
The domain controllers run Windows Server 2008 and the DNS server role.
All computers, including non-domain members, dynamically register their DNS records.
You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.
What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Answer: A
QUESTION 2
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
A domain controller named DC1 has a standard primary zone for contoso.com.
A domain controller named DC2 has a standard secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted.
You must not lose any zone data.
What should you do?
A. Convert the primary zone into an Active Directory-integrated stub zone.
Delete the secondary zone.
B. Convert the primary zone into an Active Directory-integrated zone.
Delete the secondary zone.
C. Configure the zone transfer settings of the standard primary zone.
Modify the Master Servers lists on the secondary zone.
D. On both servers, modify the interface that the DNS server listens on.
Answer: B
Explanation:
Convert the primary zone into an Active Directory-integrated zone.
Delete the secondary zone.
http://technet.microsoft.com/en-us/library/cc771150.aspx
QUESTION 3
You are decommissioning domain controllers that hold all forest-wide operations master roles. You need to transfer all forest-wide operations master roles to another domain controller.
Which two roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Answer: AE
Explanation:
Schema master
Domain naming master
http://social.technet.microsoft.com/wiki/contents/articles/832.transferring-fsmo-roles-in-indows-server-2008.aspx
Transferring FSMO Roles in Windows Server 2008
One of a system administrator's duties is to upgrade a current domain controller to a new hardware server. A crucial step in migrating your domain controller successfully is transferring the FSMO roles to the new hardware server.
FSMO stands for Flexible Single Master Operations, and in a forest there are at least five roles.
The five FSMO roles are:
Schema Master
Domain Naming Master
Infrastructure Master
Relative ID (RID) Master
PDC Emulator
The first two roles above are forest-wide, meaning there is one of each for the entire forest.
The last three are domain-wide, meaning there is one of each per domain. If there is one domain in your forest, you will have five FSMO roles. If you have three domains in your forest, there will be 11 FSMO roles.
QUESTION 4
An Active Directory database is installed on the C volume of a domain controller.
You need to move the Active Directory database to a new volume.
What should you do?
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Answer: D
Explanation:
Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
http://technet.microsoft.com/en-us/library/cc816720%28v=ws.10%29.aspx
QUESTION 5
Contoso, Ltd. has an Active Directory domain named ad.contoso.com.
Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com.
Fabrikam’s security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.
You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.
What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.
B. Configure conditional forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.
Answer: B
Explanation:
Configure conditional forwarding for the intranet.fabrikam.com domain.
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network.
You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.
Further information:
http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx
Assign a Conditional Forwarder for a Domain Name
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
QUESTION 6
Your company has file servers located in an organizational unit named Payroll.
The file servers contain payroll files located in a folder named Payroll.
You create a GPO.
You need to track which employees access the Payroll files on the file servers.
What should you do?
A. Enable the Audit process tracking option.
Link the GPO to the Domain Controllers organizational unit.
On the file servers, configure Auditing for the Authenticated Users group in the Payroll folder.
B. Enable the Audit object access option.
Link the GPO to the Payroll organizational unit.
On the file servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking option.
Link the GPO to the Payroll organizational unit.
On the file servers, configure Auditing for the Everyone group in the Payroll folder.
D. Enable the Audit object access option.
Link the GPO to the domain.
On the domain controllers, configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/dd349800%28v=ws.10%29.aspx
QUESTION 7
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival.
What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc753011.aspx
QUESTION 8
Your company has an Active Directory domain that runs Windows Server 2008 R2.
The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users.
You perform nightly backups.
An administrator deletes the Groups OU.
You need to restore the Groups OU without affecting users and computers in the Sales OU.
What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform a non-authoritative restore of the Sales OU.
C. Perform an authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Groups OU.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc816878%28v=ws.10%29.aspx
Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.
QUESTION 9
Your network consists of a single Active Directory domain.
The functional level of the forest is Windows Server 2008 R2.
You need to create multiple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multiple Group Policy objects.
B. From the Schema snap-in, create multiple class schema objects.
C. From the ADSI Edit snap-in, create multiple Password Setting objects.
D. From the Security Configuration Wizard, create multiple security policies.
Answer: C
Explanation:
From the ADSI Edit snap-in, create multiple Password Setting objects.
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:
Password Settings Container
Password Settings
The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.
Steps to configure fine-grained password and account lockout policies
When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps:
Step 1: Create a PSO
Step 2: Apply PSOs to Users and Global Security Groups
Step 3: Manage a PSO
Step 4: View a Resultant PSO for a User or a Global Security Group
http://technet.microsoft.com/en-us/library/cc754461%28v=ws.10%29.aspx
Step 1: Create a PSO
You can create Password Settings objects (PSOs):
Creating a PSO using the Active Directory module for Windows PowerShell
Creating a PSO using ADSI Edit
Creating a PSO using ldifde
QUESTION 10
You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.
You need to record all inbound DNS queries to the server.
What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Configure event logging to log errors and warnings.
D. Enable automatic testing for recursive queries.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc753579.aspx