2026 New 70-640 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/70-640/


NEW QUESTION 1
Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.
Your company's corporate security policy states that the password for each user account must be changed at least every 45 days.
You have a user account named Service1. Service1 is used by a network application named Application1.
Every 45 days, Application1 fails.
After resetting the password for Service1, Application1 runs properly. You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.
What should you do?

  • A. Run the cmdlet.
  • B. Run the Set-ADServiceAccount cmdlet.
  • C. Create a new password policy.
  • D. Create a new Password Settings object (PSO).

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/ee617252.aspx

Set-ADServiceAccount

Syntax

Set-ADServiceAccount [-Identity] <ADServiceAccount> [-AccountExpirationDate <System.Nullable[System.DateTime]>] [-AccountNotDelegated <System.Nullable[bool]>] [-Add <hashtable>] [-Certificates <string[]>] [-Clear <string[]>] [-Description <string>] [-DisplayName <string>] [-Enabled <System.Nullable[bool]>] [-HomePage <string>] [-Remove <hashtable>] [-Replace <hashtable>] [-SamAccountName <string>] [-ServicePrincipalNames <hashtable>] [-TrustedForDelegation <System.Nullable[bool]>] [-AuthType {<Negotiate> | <Basic>}] [-Credential <PSCredential>] [-Partition <string>] [-PassThru <switch>] [-Server <string>] [-Confirm] [-WhatIf] [<CommonParameters>]

Detailed Description

The Set-ADServiceAccount cmdlet modifies the properties of an Active Directory service account. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the Add, Replace, Clear and Remove parameters.

The Identity parameter specifies the Active Directory service account to modify. You can identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. You can also set the Identity parameter to an object variable such as $<localServiceAccountObject>, or you can pass an object through the pipeline to the Identity parameter. For example, you can use the Get-ADServiceAccount cmdlet to retrieve a service account object and then pass the object through the pipeline to the Set-ADServiceAccount cmdlet.

The Instance parameter provides a way to update a service account object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory service account object that has been modified, the Set-ADServiceAccount cmdlet makes the same changes to the original service account object. To get a copy of the object to modify, use the Get-ADServiceAccount cmdlet. When you specify the Instance parameter you should not pass the Identity parameter. For more information about the Instance parameter, see the Instance parameter description.

NEW QUESTION 2
Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100.
You need to identify the zone that contains the Pointer (PTR) record for DC1.
Which zone should you identify?

  • A. adatum.com
  • B. _msdcs.adatum.com
  • C. 100.168.192.in-addr.arpa
  • D. 200.168.192.in-addr.arpa

Answer: D

Explanation:
Explanation 1: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 57
Reverse lookup: This occurs when a client computer knows the IP address of another computer and requires its hostname, which can be found in the DNS server’s PTR (pointer) resource record.

Explanation 2: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 45/730
You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?
a. 5.168.192.in-addr.arpa
b. 0.5.168.192.in-addr.arpa
c. 192.168.5.in-addr.arpa
d. 192.168.5.0.in-addr.arpa
The reverse lookup zone contains octets of the network portion of the IP address in reverse sequence and uses a special domain name ending in in-addr.arpa. Thus the correct address is 5.168.192.in-addr.arpa. You do not use the host portion of the IP address, so 0.5.168.192.in-addr.arpa is incorrect. The octets must be specified in reverse sequence, so the other two choices are both incorrect.
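
The naming rule above can be checked mechanically. The following PowerShell sketch is an added example, not part of the original page or the cited guide; the function names Get-PtrOwnerName and Find-ReverseZone are hypothetical helpers, and the zone list is the set of answer choices from this question. It builds the PTR owner name for an IPv4 address and picks the most specific zone whose name is a suffix of it.

```powershell
# Added example: helper names are hypothetical, not cmdlets from any module.

function Get-PtrOwnerName {
    # Returns the full PTR owner name: all four octets reversed + in-addr.arpa.
    param([Parameter(Mandatory = $true)][System.Net.IPAddress]$IPAddress)

    if ($IPAddress.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses map into in-addr.arpa."
    }
    $octets = $IPAddress.GetAddressBytes()
    [array]::Reverse($octets)
    return (($octets -join '.') + '.in-addr.arpa')
}

function Find-ReverseZone {
    # Returns the candidate zone that would hold the PTR record, or nothing
    # if no candidate is a parent of the PTR owner name.
    param(
        [Parameter(Mandatory = $true)][System.Net.IPAddress]$IPAddress,
        [Parameter(Mandatory = $true)][string[]]$ZoneName
    )

    $owner = Get-PtrOwnerName -IPAddress $IPAddress

    $ZoneName |
        # A zone contains the record only if the owner name ends in ".<zone>".
        Where-Object { $owner.EndsWith(".$_", [System.StringComparison]::OrdinalIgnoreCase) } |
        # With several matches (for example /16 and /24 zones), the longest wins.
        Sort-Object { $_.Split('.').Count } -Descending |
        Select-Object -First 1
}

# Answer choices from the question, used as sample input.
$candidates = 'adatum.com',
              '_msdcs.adatum.com',
              '100.168.192.in-addr.arpa',
              '200.168.192.in-addr.arpa'

Get-PtrOwnerName -IPAddress '192.168.200.100'
Find-ReverseZone -IPAddress '192.168.200.100' -ZoneName $candidates
```

The zone ending in 100.168.192 is rejected because 100 is the host octet of DC1, which appears at the front of the PTR owner name rather than in the network portion.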

NEW QUESTION 3
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters.
You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.
You create an Active Directory Fine Grained Password Policy.
What should you do next?

  • A. From the Default Domain Policy, modify the password policy.
  • B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
  • C. Run the Set-ADDomain cmdlet.
  • D. From the Default Domain Controller Policy, modify the password policy.

Answer: B
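
The step named in answer B, followed by a check that the policy actually takes effect, as an added PowerShell example that is not part of the original page. The PSO name Group1-PSO is an assumed placeholder for the fine-grained password policy created in the question; the script assumes the Active Directory module is available.

```powershell
# Added example: 'Group1-PSO' is a placeholder name for the existing PSO.
Import-Module ActiveDirectory

$psoName   = 'Group1-PSO'
$groupName = 'Group1'
$required  = 10          # minimum length the question asks for

# A PSO can be linked to users and to global security groups only.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    throw "$groupName is $($group.GroupScope)/$($group.GroupCategory); a PSO needs a global security group."
}

# Link the PSO to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group.DistinguishedName

# Users with no resultant PSO fall back to the domain-wide policy.
$domainMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

# Report the policy that wins for each direct user member. Another PSO with a
# lower precedence value, or one linked directly to the user, can override this one.
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        if ($pso) {
            $policy = $pso.Name
            $min    = $pso.MinPasswordLength
        } else {
            $policy = '(Default Domain Policy)'
            $min    = $domainMin
        }
        New-Object PSObject -Property @{
            User              = $_.SamAccountName
            EffectivePolicy   = $policy
            MinPasswordLength = $min
            MeetsRequirement  = ($min -ge $required)
        }
    } |
    Format-Table User, EffectivePolicy, MinPasswordLength, MeetsRequirement -AutoSize
```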

NEW QUESTION 4
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage Trusted Publishers.
  • B. Modify the security settings on the template to allow only administrators to request code signing certificates.
  • C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only administrators to apply the policy.
  • D. Publish the code signing template.

Answer: BD

Explanation:
http://techblog.mirabito.net.au/?p=297

Generating and working with code signing certificates

A code signing certificate is a security measure designed to assist in the prevention of malicious code execution. The intention is that code must be “signed” with a certificate that is trusted by the machine on which the code is executed. The trust is verified by contacting the certification authority for the certificate, which could be either a local (on the machine itself, such as a self-signed certificate), internal (on the domain, such as an enterprise certification authority) or external certification authority (third party, such as Verisign or Thawte).

For an Active Directory domain with an enterprise root certification authority, the enterprise root certification authority infrastructure is trusted by all machines that are a member of the Active Directory domain, and therefore any certificates issued by this certification authority are automatically trusted.

In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates are added to this store where user interaction is unavailable, such as running automated processes that call signed code.

A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in question. Generally, this should be the user, and the user will then become the trusted publisher. As an example, members of the development team in your organisation will probably each have their own code signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines. Alternatively, a special domain account might exist specifically for signing code, although one of the advantages of code signing is to be able to determine the person who signed it.

NEW QUESTION 5
You need to force a domain controller to register all service location (SRV) resource records in DNS.
Which command should you run?

  • A. ipconfig.exe /registerdns
  • B. net.exe stop dnscache & net.exe start dnscache
  • C. net.exe stop netlogon & net.exe start netlogon
  • D. regsvr32.exe dnsrslvr.dll

Answer: C

Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62 The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

NEW QUESTION 6
Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.
What should you do?

  • A. Create a new stub zone named ad.contoso.com on DC2.
  • B. Create a new standard secondary zone named ad.contoso.com on DC2.
  • C. Configure the DNS server on DC2 to forward requests to DC1.
  • D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D

Explanation:
Answer: Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
http://technet.microsoft.com/en-us/library/cc726034.aspx

Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

How DNS integrates with AD DS

When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

  • DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
  • Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
  • By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
  • Directory-integrated replication is faster and more efficient than standard DNS replication.

NEW QUESTION 7
HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
To answer, select the appropriate node in the answer area.
70-640 dumps exhibit

Answer:

Explanation: 70-640 dumps exhibit

NEW QUESTION 8
DRAG DROP
You manage an Active Directory forest named contoso.com.
The forest contains an empty root domain named contoso.com and a child domain named child.contoso.com.
All domain controllers run Windows Server 2008. The functional level of the forest is Windows Server 2008.
You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve this goal by using the minimum amount of administrative effort.
What should you do?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
70-640 dumps exhibit

Answer:

Explanation: 70-640 dumps exhibit

NEW QUESTION 9
Your network contains an Active Directory domain named contoso.com.
The Administrator deletes an OU named OU1 accidentally.
You need to restore OU1. Which cmdlet should you use?

  • A. Set-ADObject cmdlet.
  • B. Set-ADOrganizationalUnit cmdlet.
  • C. Set-ADUser cmdlet.
  • D. Set-ADGroup cmdlet.

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/dd379509.aspx
Restoring a deleted Active Directory object using the Get-ADObject and Restore-ADObject cmdlets
You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.
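
The Get-ADObject to Restore-ADObject pipeline from the explanation, applied to the OU1 scenario, as an added PowerShell example that is not part of the original page or the TechNet article. It assumes the Active Directory Recycle Bin was enabled before OU1 was deleted; the helper Restore-DeletedChildren is a hypothetical function written for this example. It goes beyond the single-object case by restoring the objects that lived under the OU, parent first.

```powershell
# Added example: Restore-DeletedChildren is a hypothetical helper.
Import-Module ActiveDirectory

$ouName           = 'OU1'
$deletedContainer = (Get-ADDomain).DeletedObjectsContainer

# A deleted object's name is mangled, so search on the RDN it had before deletion.
$deletedOu = @(Get-ADObject -IncludeDeletedObjects `
    -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$ouName))")

# Refuse to guess when the name is ambiguous or nothing was found.
if ($deletedOu.Count -ne 1) {
    throw "Expected exactly one deleted OU named $ouName, found $($deletedOu.Count)."
}

function Restore-DeletedChildren {
    # Restores every deleted object whose last known parent is $ParentDN,
    # then descends into each restored object to handle nested OUs.
    param([Parameter(Mandatory = $true)][string]$ParentDN)

    # Note: a DN containing an apostrophe would need escaping in this filter.
    $children = Get-ADObject -SearchBase $deletedContainer -IncludeDeletedObjects `
        -Filter "lastKnownParent -eq '$ParentDN'"

    foreach ($child in $children) {
        $child | Restore-ADObject
        # Re-read the object by GUID to learn its distinguished name after restore.
        $restored = Get-ADObject -Identity $child.ObjectGUID
        Restore-DeletedChildren -ParentDN $restored.DistinguishedName
    }
}

# Restore the OU itself first: children cannot be restored into a missing parent.
$deletedOu[0] | Restore-ADObject
$restoredOu = Get-ADObject -Identity $deletedOu[0].ObjectGUID

Restore-DeletedChildren -ParentDN $restoredOu.DistinguishedName

# List what now exists under the restored OU.
Get-ADObject -SearchBase $restoredOu.DistinguishedName -Filter * |
    Select-Object Name, ObjectClass, DistinguishedName
```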

NEW QUESTION 10
Your network contains an Active Directory domain named contoso.com.
The Zone Transfers settings of contoso.com are configured as shown in the Zone Transfers exhibit. (Click the Exhibit button.)
70-640 dumps exhibit
The Name Servers settings of contoso.com are configured as shown in the Name Servers exhibit. (Click the Exhibit button.)
70-640 dumps exhibit
To answer, complete each statement according to the information presented in the exhibits.
70-640 dumps exhibit
70-640 dumps exhibit

Answer:

Explanation: 70-640 dumps exhibit

NEW QUESTION 11
Your company has an Active Directory forest. Not all domain controllers in the forest are configured as Global Catalog Servers. Your domain structure contains one root domain and one child domain.
You modify the folder permissions on a file server that is in the child domain. You discover that some Access Control entries start with S-1-5-21 and that no account name is listed.
You need to list the account names.
What should you do?

  • A. Move the RID master role in the child domain to a domain controller that holds the Global Catalog.
  • B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.
  • C. Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.
  • D. Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc780850%28v=ws.10%29.aspx
Security identifiers
Security identifiers (SIDs) are numeric values that identify a user or group. For each access control entry (ACE), there exists a SID that identifies the user or group for whom access is allowed, denied, or audited.
Well-known security identifiers (special identities): Network (S-1-5-2) Includes all users who are logged on through a network connection. Access tokens for interactive users do not contain the Network SID.

http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx
Operations master roles
Active Directory supports multimaster replication of the directory data store between all domain controllers (DC) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so, for each of these types of changes, one domain controller, called the operations master, accepts requests for such changes. In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest.

Domain-wide operations master roles
Every domain in the forest must have the following roles:
  • Relative ID (RID) master
  • Primary domain controller (PDC) emulator master
  • Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.

Infrastructure master
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.

Important: Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain. In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

NEW QUESTION 12
Your network contains a server named Server1 that runs Windows Server 2008 R2.
On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You connect to Instance1 by using ADSI Edit.
You run the Create Object wizard and you discover that there is no User object class. You need to ensure that you can create user objects in Instance1.
What should you do?

  • A. Run the AD LDS Setup Wizard.
  • B. Modify the schema of Instance1.
  • C. Modify the properties of the Instance1 service.
  • D. Install the Remote Server Administration Tools (RSAT).

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc772194.aspx
To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed. The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.

NEW QUESTION 13
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.
What should you do?

  • A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
  • B. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
  • C. Create an external trust from nwtraders.com to contoso.com.
  • D. Create an external trust from contoso.com to nwtraders.com.

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/hh311036.aspx
Using AD RMS trust
It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust.
http://technet.microsoft.com/en-us/library/dd772648(v=ws.10).aspx

NEW QUESTION 14
Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table.
70-640 dumps exhibit
You need to ensure that all device certificate requests use the MD5 hash algorithm.
What should you do?

  • A. On Server2, run the Certutil tool.
  • B. On Server1, update the CEP Encryption certificate template.
  • C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.
  • D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/ff955642.aspx
Managing Network Device Enrollment Service
Configuring NDES
NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP.
To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table.
  • Key name: HashAlgorithm
  • Value: HashAlgorithm
  • Data type: String
  • Default value: SHA1
  • Description: Accepted values are SHA1 and MD5.

NEW QUESTION 15
A corporate environment includes two Active Directory Domain Services (AD DS) forests, as shown in the following table.
70-640 dumps exhibit
You need to ensure that users in the contoso.com domain can access resources in the eng.fabrikam.com domain.
What should you do?

  • A. Enable selective authentication.
  • B. Enable forest-wide authentication.
  • C. Create an external trust between contoso.com and eng.fabrikam.com.
  • D. Enable domain-wide authentication.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc816837.aspx
Creating External Trusts
You can create an external trust to form a one-way or two-way, nontransitive trust with domains that are outside your forest. External trusts are sometimes necessary when users need access to resources that are located in a Windows NT 4.0 domain or in a domain that is in a separate Active Directory Domain Services (AD DS) forest that is not joined by a forest trust.

NEW QUESTION 16
Your network contains an Active Directory forest. The forest contains a single domain named contoso.com. The domain contains domain controllers that run either Windows Server 2003 or Windows Server 2008 R2.
The functional level of the domain and the forest is Windows Server 2003.
You need to add a read-only domain controller (RODC) to the forest.
What should you do first?

  • A. Upgrade the domain controllers that run Windows Server 2003.
  • B. Raise the domain functional level.
  • C. Run the adprep command.
  • D. Raise the forest functional level.

Answer: C

NEW QUESTION 17
Your network contains an Active Directory domain. The domain is configured as shown in the exhibit.
70-640 dumps exhibit
You have a Group Policy Object (GPO) linked to the domain.
You need to ensure that the settings in the GPO are not processed by user accounts or computer accounts in the Finance organizational unit (OU). You must achieve this goal by using the minimum amount of administrative effort.
What should you do?

  • A. Modify the Group Policy Permissions.
  • B. Configure WMI filtering.
  • C. Enable block inheritance.
  • D. Enable loopback processing in replace mode.
  • E. Configure the link order.
  • F. Configure Group Policy Preferences.
  • G. Link the GPO to the Human Resources OU.
  • H. Configure Restricted Groups.
  • I. Enable loopback processing in merge mode.
  • J. Link the GPO to the Finance OU.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
You can block inheritance for a domain or organizational unit. Blocking inheritance prevents Group Policy objects (GPOs) that are linked to higher sites, domains, or organizational units from being automatically inherited by the child-level.
