Exam Code: 70-640. Exam Name: TS: Windows Server 2008 Active Directory, Configuring. Certification Provider: Microsoft.
NEW QUESTION 1
Your company has an Active Directory domain. All servers run Windows Server 2008 R2.
Your company uses an Enterprise Root certificate authority (CA).
You need to ensure that revoked certificate information is highly available.
What should you do?
- A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
- B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).
- C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
- D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.
Answer: C
Explanation:
Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server 2008 operating system, in public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI.
Further information: http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-highavailability.aspx
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.
NEW QUESTION 2
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All regular user accounts reside in an organizational unit (OU) named Employees. All administrator accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the change is audited.
What should you do first?
- A. Enable the Audit directory service access setting in the Default Domain Controllers Policy Group Policy Object.
- B. Create a Group Policy Object with the Audit directory service access setting enabled and link it to the Employees OU.
- C. Enable the Audit directory service access setting in the Default Domain Policy Group Policy Object.
- D. Modify the searchFlags property for the User class in the schema.
Answer: A
Explanation: http://technet.microsoft.com/en-us/library/cc731607.aspx
In Windows 2000 Server and Windows Server 2003, there was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled. In Windows Server 2008, this policy is divided into four subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
This step includes procedures to enable change auditing with either the Windows interface or a command line:
By using Group Policy Management, you can turn on the global audit policy, Audit directory service access, which enables all the subcategories for AD DS auditing.
To enable the global audit policy using the Windows interface
1. Click Start, point to Administrative Tools, and then Group Policy Management.
2. In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
3. Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
4. In the details pane, right-click Audit directory service access, and then click Properties.
5. Select the Define these policy settings check box.
6. Under Audit these attempts, select the Success check box, and then click OK.
NEW QUESTION 3
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
What should you do?
- A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
- B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.
- C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.
- D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc962065.aspx
Certification Authority Trust Model
Certification Authority Hierarchies
The Windows 2000 public key infrastructure supports a hierarchical CA trust model, called the certification hierarchy, to provide scalability, ease of administration, and compatibility with a growing number of commercial third-party CA services and public key-aware products. In its simplest form, a certification hierarchy consists of a single CA. However, the hierarchy usually contains multiple CAs that have clearly defined parent-child relationships. Figure 16.5 shows some possible CA hierarchies.
You can deploy multiple CA hierarchies to meet your needs. The CA at the top of the hierarchy is called a root CA. Root CAs are self-certified by using a self-signed CA certificate. Root CAs are the most trusted CAs in the organization and it is recommended that they have the highest security of all. There is no requirement that all CAs in an enterprise share a common top-level CA parent or root. Although trust for CAs depends on each domain's CA trust policy, each CA in the hierarchy can be in a different domain. Child CAs are called subordinate CAs. Subordinate CAs are certified by the parent CAs. A parent CA certifies the subordinate CA by issuing and signing the subordinate CA certificate. A subordinate CA can be either an intermediate or an issuing CA. An intermediate CA issues certificates only to subordinate CAs. An issuing CA issues certificates to users, computers, or services.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/605dbf9d-2694-4783-8002-c08b9c7d4149
NEW QUESTION 4
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2008.
From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).
What should you do first?
- A. Raise the functional level of the forest
- B. Modify the tombstone lifetime of the forest.
- C. Restore the system state.
- D. Raise the functional level of the domain.
Answer: C
Explanation:
The Recycle Bin feature cannot be applied here; see the explanation below.
Windows Server 2008 R2 Unleashed (SAMS, 2010) pages 1292 and 1297
Active Directory Recycle Bin Recovery
Let’s begin this section with a very clear statement: If you need to recover a deleted Active Directory object and the Active Directory Recycle Bin was not enabled before the object was deleted, skip this section and proceed to the “Active Directory Authoritative Restore” section.
Active Directory Authoritative Restore
When Active Directory has been modified and needs to be restored to a previous state, and this rollback needs to be replicated to all domain controllers in the domain and possibly the forest, an authoritative restore of Active Directory is required. An authoritative restore of Active Directory can include the entire Active Directory database, a single object, or a container, such as an organizational unit including all objects previously stored within the container. To perform an authoritative restore of Active Directory, perform the System State restore of a domain controller.
NEW QUESTION 5
You are the administrator for a large organization with multiple remote sites.
Your supervisor would like to have remote users log in locally to their own site, but he is
nervous about security.
What type of server can you implement to ease their concerns?
- A. Domain controller
- B. Global Catalog
- C. Read-only domain controller
- D. Universal Group Membership Caching Server
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc772234%28v=ws.10%29.aspx
Read-Only Domain Controllers Step-by-Step Guide
An RODC makes it possible for organizations to easily deploy a domain controller in
scenarios where physical security cannot be guaranteed, such as branch office locations,
or in scenarios where local storage of all domain passwords is considered a primary threat,
such as in an extranet or in an application-facing role.
NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com.
You have a comma separated value (CSV) file named Users.txt. Users.txt contains the information for 500 users and all of the attributes required to create user accounts.
You plan to automate the creation of user accounts by using the Users.txt file.
You need to identify which two cmdlets you must run. The solution must pipe the output from the first cmdlet to the second cmdlet.
What should you run from Windows PowerShell? To answer, configure the appropriate PowerShell command in the answer area. 
Answer:
Explanation: 
NEW QUESTION 7
You install an Active Directory domain in a test environment.
You need to reset the passwords of all the user accounts in the domain from a domain controller.
Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution, choose two.)
- A. $newPassword = *
- B. Import-Module ActiveDirectory
- C. Import-Module WebAdministration
- D. Get-AdUser -filter * | Set-ADAccountPossword -NewPassword $newPassword -Reset
- E. Set-ADAccountPossword -NewPassword -Reset
- F. $newPassword = (Read-Host -Prompt "New Password" -AsSecureString)
- G. Import-Module ServerManager
Answer: DF
Explanation:
First we create a variable, $newPassword, and prompt the user for the password to assign
it to the variable.
Next we use Get-ADUser -filter * to collect all user accounts and pipe them through to
Set-ADAccountPassword to assign the $newPassword variable to every account's new
password.
Note that Set-ADAccountPossword must be a typo.
Explanation 1:
http://technet.microsoft.com/en-us/library/ee176935.aspx
Prompting a User to Enter Information
The Read-Host cmdlet enables you to interactively prompt a user for information. For
example, this command prompts the user to enter his or her name, then stores that name
in the variable $Name (to answer the prompt, type a name and then press ENTER):
$Name = Read-Host "Please enter your name"
Explanation 2:
http://technet.microsoft.com/en-us/library/ee617241.aspx
Get-ADUser
Gets one or more Active Directory users.
Explanation 3:
http://technet.microsoft.com/en-us/library/ee617261.aspx
Set-ADAccountPassword
Modifies the password of an Active Directory account.
Parameters
NewPassword
Specifies a new password value.
Reset
Specifies to reset the password on an account. When you use this parameter, you must set
the NewPassword parameter. You do not need to specify the OldPassword parameter.
NEW QUESTION 8
You want users to log on to Active Directory by using a new User Principal Name (UPN).
You need to modify the UPN suffix for all user accounts.
Which tool should you use?
- A. Dsmod
- B. Netdom
- C. Redirusr
- D. Active Directory Domains and Trusts
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
Dsmod user
dsmod user -upn <UPN>
Specifies the user principal names (UPNs) of the users that you want to modify, for
example,
Linda@widgets.contoso.com.
NEW QUESTION 9
You have an enterprise subordinate certification authority (CA).
You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the
Certificates console. The certificate template is unavailable for Web enrollment.
You need to ensure that the certificate template is available on the Web enrollment pages.
What should you do?
- A. Run certutil.exe -pulse.
- B. Run certutil.exe -installcert.
- C. Change the certificate template to a Version 2 certificate template.
- D. On the certificate template, assign the Autoenroll permission to the users.
Answer: C
Explanation:
Identical to F/Q33.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc732517.aspx
Certificate Web enrollment cannot be used with version 3 certificate templates.
Explanation 2:
http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx
The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.
NEW QUESTION 10
You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
- A. In a Group Policy object (GPO), configure the autoenrollment settings.
- B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
- C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
- D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.
Answer: AD
Explanation:
http://technet.microsoft.com/en-us/library/dd379539.aspx
To automatically enroll client computers for certificates in a domain environment, you must:
Configure an autoenrollment policy for the domain.
(...)
In Configuration Model, select Enabled to enable autoenrollment.
Configure certificate templates for autoenrollment.
(...)
In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the
Allow column, and then click OK and Close to finish.
Configure an enterprise CA.
NEW QUESTION 11
Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.
What should you do?
- A. Remove the Request Certificates permission from the Domain Users group.
- B. Remove the Request Certificates permission from the Authenticated Users group.
- C. Assign the Allow - Manage CA permission to only the Security Manager user account.
- D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc732590.aspx
Implement Role-Based Administration
You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings.
You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.
The following table describes the roles, users, and groups that can be used to implement role-based administration.
| Roles and groups | Security permission | Description |
| --- | --- | --- |
| Certificate manager | Issue and Manage Certificates | Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in. |
NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2
are linked to the Sales OU and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the
policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
What should you do?
- A. Modify the Group Policy permissions.
- B. Enable block inheritance.
- C. Configure the link order.
- D. Enable loopback processing in merge mode.
- E. Enable loopback processing in replace mode.
- F. Configure WMI filtering.
- G. Configure Restricted Groups.
- H. Configure Group Policy Preferences.
- I. Link the GPO to the Sales OU.
- J. Link the GPO to the Engineering OU.
Answer: C
NEW QUESTION 13
You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the
Certificates console. The certificate template is unavailable for Web enrollment.
You need to ensure that the certificate template is available on the Web enrollment pages.
What should you do?
- A. Run certutil.exe -pulse.
- B. Run certutil.exe -installcert.
- C. Change the certificate template to a Version 2 certificate template.
- D. On the certificate template, assign the Autoenroll permission to the users.
Answer: C
Explanation:
Identical to F/Q12.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc732517.aspx
Certificate Web enrollment cannot be used with version 3 certificate templates.
Explanation 2:
http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx
The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.
NEW QUESTION 14
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per second.
What should you do?
- A. Create custom views from Event Viewer.
- B. Run the Get-ADForest cmdlet.
- C. Run the ntdsutil.exe command.
- D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
- E. Create a Data Collector Set (DCS).
- F. Run the dsamain.exe command.
- G. Run the dsquery.exe command.
- H. Run the repadmin.exe command.
- I. Configure subscriptions from Event Viewer.
- J. Run the eventcreate.exe command.
Answer: E
Explanation:
http://technet.microsoft.com/en-us/magazine/ff458614.aspx
Configure Windows Server 2008 to Notify you when Certain Events Occur
You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
2. (...)
3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you’ve selected.
NEW QUESTION 15
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).
The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory partition.
You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,dc=com.
Which tool should you use?
- A. Active Directory Sites and Services
- B. Dsmod
- C. Dcpromo
- D. Dsmgmt
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732887.aspx
Dcpromo
Installs and removes Active Directory Domain Services (AD DS).
Parameter
ApplicationPartitionsToReplicate:""
Specifies the application directory partitions that dcpromo will replicate. Use the following format:
"partition1" "partition2" "partitionN"
Use * to replicate all application directory partitions.
Original explanation:
Please Check Answer
I don't think this is Dsmod. It is most likely Dcpromo.
Dsmod -- Modifies an existing object of a specific type in the directory.
NEW QUESTION 16
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS.
You need to update AD RMS to use the new password.
Which console should you use?
- A. Active Directory Rights Management Services
- B. Active Directory Users and Computers
- C. Local Users and Groups
- D. Services
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx
AD RMS How To: Change the RMS Service Account Password
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.
It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.
NEW QUESTION 17
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is included in the global catalog.
What should you do?
- A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.
- B. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.
- C. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User objects.
- D. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
Answer: A