2026 New 70-640 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/70-640/
Want to know the features? Want to learn more about the experience? Study and get success with an absolute guarantee to pass the Microsoft 70-640 (TS: Windows Server 2008 Active Directory, Configuring) test on your first attempt.
Online 70-640 free questions and answers of New Version:
NEW QUESTION 1
Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?
- A. Modify the replication scope for the contoso.com zone.
- B. Flush the DNS cache and enable cache locking on RODC1.
- C. Configure conditional forwarding for the contoso.com zone.
- D. Modify the zone transfer settings for the contoso.com zone.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc754916.aspx
Change the Zone Replication Scope
You can use the following procedure to change the replication scope for a zone. Only Active Directory Domain Services (AD DS)–integrated primary and stub forward lookup zones can change their replication scope. Secondary forward lookup zones cannot change their replication scope.
http://technet.microsoft.com/en-us/library/cc772101.aspx
Understanding DNS Zone Replication in Active Directory Domain Services
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.
When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS–integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog. AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000. If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data. By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.
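An added check for this scenario (example code written for this page, not taken from it or from Microsoft's documentation): it reports which AD partition currently stores the zone, lists the domain controllers that hold replicas of the DomainDnsZones partition, and, only when run with -ChangeScope, performs answer A with dnscmd. It assumes a domain-joined Windows Server 2008 R2 machine with read access to the directory and the names from the question (contoso.com, DC1); the parameter names and output wording are this example's own.

```powershell
# Added example (not from the original page): report which AD partition holds the
# contoso.com zone and which DCs hold replicas of the DomainDnsZones partition.
# Assumes a domain-joined machine with AD read access; names (contoso.com, DC1) are the
# question's. With -ChangeScope it also moves the zone, which changes replication for real.
param([string]$ZoneName = 'contoso.com', [string]$DnsServer = 'DC1', [switch]$ChangeScope)

$rootDse  = [adsi]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value        # e.g. DC=contoso,DC=com
$forestDn = $rootDse.rootDomainNamingContext.Value     # forest root hosts ForestDnsZones
$configDn = $rootDse.configurationNamingContext.Value

# The three containers an AD-integrated zone can live in, from widest to narrowest audience.
$zoneRoots = @(
    @{ Scope = 'domain partition (every DC in the domain, DNS server or not)'; Dn = "CN=MicrosoftDNS,CN=System,$domainDn" },
    @{ Scope = 'DomainDnsZones (DNS servers in the domain only)';             Dn = "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" },
    @{ Scope = 'ForestDnsZones (DNS servers in the forest only)';             Dn = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn" }
)

foreach ($root in $zoneRoots) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [adsi]"LDAP://$($root.Dn)"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = "(&(objectClass=dnsZone)(name=$ZoneName))"
    try { $hit = $searcher.FindOne() } catch { $hit = $null }   # container absent on this DC
    if ($hit) { "Zone $ZoneName is stored in the $($root.Scope)" }
}

# Which DCs replicate DomainDnsZones? The partition's crossRef lists writable and RO replicas.
$crSearch = New-Object System.DirectoryServices.DirectorySearcher
$crSearch.SearchRoot = [adsi]"LDAP://CN=Partitions,$configDn"
$crSearch.Filter     = "(&(objectClass=crossRef)(nCName=DC=DomainDnsZones,$domainDn))"
$cr = $crSearch.FindOne()
if ($cr) {
    'Replica locations for DomainDnsZones (NTDS Settings DNs):'
    foreach ($attr in 'msds-nc-replica-locations', 'msds-nc-ro-replica-locations') {
        $cr.Properties[$attr] | ForEach-Object { "  [$attr] $_" }
    }
}

# Answer A in practice: move the zone to DomainDnsZones so a DC without the DNS role no
# longer receives it. dnscmd is in-box on Windows Server 2008 R2; run from an elevated prompt.
if ($ChangeScope) {
    dnscmd $DnsServer /ZoneChangeDirectoryPartition $ZoneName /domain
}
```

Run it once without -ChangeScope: if the zone shows up in the domain partition, every DC in the domain (RODC1 included) receives it through ordinary AD replication regardless of whether the DNS role is installed, which is why answer B, C and D cannot help. After the move, RODC1 should no longer appear among the replica locations once it stops hosting the DNS role.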
NEW QUESTION 2
You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. FileSrv1 contains four hard disks, which are configured as basic disks.
For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.
Which utility will you use to convert the basic disks to dynamic disks on FileSrv1?
- A. Diskpart.exe
- B. Chkdsk.exe
- C. Fsutil.exe
- D. Fdisk.exe
- E. None of the above
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc771534.aspx
[Diskpart] Convert dynamic Converts a basic disk into a dynamic disk.
NEW QUESTION 3
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS server for contoso.com.
You install the DNS Server role on a member server named Server1, and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
- A. On DC1, modify the permissions of the contoso.com zone.
- B. On Server1, add a conditional forwarder.
- C. Add the Server1 computer account to the DnsUpdateProxy group.
- D. On DC1, modify the zone transfer settings for the contoso.com zone.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc771652.aspx
Modify Zone Transfer Settings You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.
To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
   - To disable zone transfers, clear the Allow zone transfers check box.
   - To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
   - To allow zone transfers to any server, click To any server.
   - To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
   - To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
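The same change made from the command line, with the checks a practitioner wants afterwards (example code written for this page, not taken from it): it restricts transfers of the zone on DC1 to Server1 only, sets DC1 to notify Server1 of changes, forces Server1 to pull the zone, compares the SOA serial on both servers, and finally confirms that an AXFR from a host that is not on the list is refused. It assumes the names from the question, an elevated prompt with administrative rights on both DNS servers, and that Server1 resolves in DNS; the "refused" string match relies on the wording nslookup prints on Windows.

```powershell
# Added example (not from the original page): restrict zone transfers of contoso.com on DC1
# to Server1 only, push change notifications to it, then confirm that Server1 can pull the
# zone and that an arbitrary host cannot. Names follow the question; Server1's address is
# resolved at run time. Run from an elevated prompt with rights on both servers.
$zone      = 'contoso.com'
$master    = 'DC1'
$secondary = 'Server1'
$secIp = ([System.Net.Dns]::GetHostAddresses($secondary) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
          Select-Object -First 1).ToString()

# Equivalent of the Zone Transfers tab: allow only the listed server, and notify it of changes.
# "To any server" would let anyone enumerate every host in the domain with one query.
dnscmd $master /ZoneResetSecondaries $zone /SecureList $secIp /NotifyList $secIp

# Force the secondary to pull a fresh copy now rather than waiting for the SOA refresh timer.
dnscmd $secondary /ZoneRefresh $zone

# Compare the SOA serial on both servers; equal serials mean the transfer landed.
function Get-SoaSerial([string]$server) {
    $out = nslookup -type=SOA $zone $server 2>$null
    $m = $out | Select-String 'serial\s*=\s*(\d+)' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }
}
"Master serial: $(Get-SoaSerial $master)  Secondary serial: $(Get-SoaSerial $secondary)"

# Negative check: an AXFR from this host (not on the secure list) must be refused.
$axfr = ("ls -d $zone") | nslookup - $master 2>&1
if ($axfr -match 'refused') { 'AXFR from this host refused, as intended' }
else { 'WARNING: zone transfer was not refused; check the Zone Transfers tab on the master' }
```

Run the negative check from a machine that is not Server1; if it is run on DC1 itself the source address is the master's own, which tells you nothing about outside hosts.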
NEW QUESTION 4
HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter option in the answer area.
Answer:
Explanation: 
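A worked way to answer the same question from a prompt (example code written for this page, not taken from it): the attribute that records the effective PSO is msDS-ResultantPSO, a constructed attribute, so it is only returned when requested by name. The script reads it for one user, prints the settings of the winning PSO or of the Default Domain Policy if none applies, and lists every fine-grained policy with its precedence. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and uses jsmith as a placeholder user name.

```powershell
# Added example (not from the original page): show which password settings object (PSO)
# governs a user. msDS-ResultantPSO is a constructed attribute, so it must be requested by
# name. Requires the ActiveDirectory module (Windows Server 2008 R2 / RSAT); jsmith is a
# placeholder account name.
Import-Module ActiveDirectory
$sam = 'jsmith'

$user      = Get-ADUser -Identity $sam -Properties 'msDS-ResultantPSO'
$resultant = $user.'msDS-ResultantPSO'
if ($resultant) {
    "$sam is governed by PSO: $resultant"
    Get-ADUserResultantPasswordPolicy -Identity $sam |
        Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                      LockoutThreshold, MaxPasswordAge
} else {
    "$sam has no PSO; the Default Domain Policy password settings apply:"
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
}

# Why that one? A PSO linked directly to the user beats any inherited through a group;
# otherwise the lowest msDS-PasswordSettingsPrecedence wins, and a tie goes to the PSO
# with the lowest objectGUID. Listing all of them with their targets makes that visible.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

A weak PSO (low precedence, short minimum length) linked directly to a service account silently overrides the domain policy for that account, which is exactly the situation this check is meant to surface.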
NEW QUESTION 5
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.
You grant the Account Operators group the Issue and Manage Certificates permission on the CA.
Which three tasks should you perform next? (Each correct answer presents part of the solution.
Choose three.)
- A. Enable the Restrict Enrollment Agents option on the CA.
- B. Enable the Restrict Certificate Managers option on the CA.
- C. Add the Basic EFS certificate template for the Account Operators group.
- D. Grant the Account Operators group the Manage CA permission on the CA.
- E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.
Answer: BCE
Explanation:
http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx
Role-based administration
Role explanation
Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.
These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration. 
Certificate Manager:
Delete multiple rows in database (bulk deletion)
Issue and approve certificates
Deny certificates
Revoke certificates
Reactivate certificates placed on hold
Renew certificates
Recover archived key
Read CA database
Read CA configuration information
http://technet.microsoft.com/en-us/library/cc753372.aspx
Restrict Certificate Managers
A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificates permission.
When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group. This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
To configure certificate manager restrictions for a CA:
1. Open the Certification Authority snap-in, and right-click the name of the CA.
2. Click Properties, and then click the Security tab.
3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
4. Click the Certificate Managers tab.
5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.
6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
9. When you are finished configuring certificate manager restrictions, click OK or Apply.
NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com.
Members of the sales department are issued laptops that have wireless network cards.
You need to ensure that when users connect to an unidentified network from their laptops, the network is configured as a Public network.
Which node in Group Policy Management Editor should you use? To answer, select the appropriate node in the answer area.
Answer:
Explanation: 
NEW QUESTION 7
Your network contains an Active Directory forest. The forest contains a single domain.
You want to access resources in a domain that is located in another forest.
You need to configure a trust between the domain in your forest and the domain in the other forest.
What should you create?
- A. an incoming external trust
- B. an incoming realm trust
- C. an outgoing external trust
- D. an outgoing realm trust
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816877.aspx
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest).
NEW QUESTION 8
You need to ensure that domain controllers only replicate between domain controllers in adjacent sites. What should you configure from Active Directory Sites and Services?
- A. From the IP properties, select Ignore all schedules.
- B. From the IP properties, select Disable site link bridging.
- C. From the NTDS Settings object, manually configure the Active Directory Domain Services connection object.
- D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology Generator for each site.
Answer: B
Explanation:
http://www.omnisecu.com/windows-2003/active-directory/what-is-site-link-bridge.htm
What is Site Link Bridge and How to create Site Link Bridge
A site link bridge connects two or more site links. A site link bridge enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. By default, all site links are transitive and it is recommended to keep transitivity enabled by not changing the default value of "Bridge all site links" (enabled by default).
We may need to disable "Bridge all site links" and create a site link bridge design if:
- the IP network is not fully routed, or
- we need to control the replication flow in Active Directory.
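The two check boxes in the IP transport properties are bits of one attribute, so the setting can be audited and changed from a script (example code written for this page, not taken from it): options on CN=IP,CN=Inter-Site Transports carries 0x1 for "Ignore schedules" and 0x2 for "bridges required", which is what clearing "Bridge all site links" sets. The script reports both, lists the site links and any site link bridges that would re-establish transitivity, and only writes the change when run with -DisableBridging. It assumes Enterprise Admins rights; the switch name and output wording are this example's own.

```powershell
# Added example (not from the original page): read and change the IP transport options that
# answers A and B refer to. Both live in the options attribute of
# CN=IP,CN=Inter-Site Transports in the Configuration partition: bit 0x1 = "Ignore schedules",
# bit 0x2 = site link bridges required, i.e. "Bridge all site links" cleared.
# Run as an Enterprise Admin; -DisableBridging writes the change.
param([switch]$DisableBridging)
$IgnoreSchedules = 0x1
$BridgesRequired = 0x2

$configDn  = ([adsi]'LDAP://RootDSE').configurationNamingContext.Value
$transport = [adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configDn"
$options   = [int]($transport.options.Value)   # unset attribute -> $null -> 0

$ignore    = [bool]($options -band $IgnoreSchedules)
$bridgeAll = -not [bool]($options -band $BridgesRequired)
"Ignore schedules      : $ignore"
"Bridge all site links : $bridgeAll"

# With bridging off, replication only flows over explicit site links, so list them and any
# site link bridges that re-establish transitivity between them.
$linkSearch = New-Object System.DirectoryServices.DirectorySearcher
$linkSearch.SearchRoot = $transport
$linkSearch.Filter     = '(objectClass=siteLink)'
foreach ($link in $linkSearch.FindAll()) {
    $sites = $link.Properties['sitelist'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    "Site link {0}: cost {1}, sites {2}" -f $link.Properties['name'][0], $link.Properties['cost'][0], ($sites -join ', ')
}
$bridgeSearch = New-Object System.DirectoryServices.DirectorySearcher
$bridgeSearch.SearchRoot = $transport
$bridgeSearch.Filter     = '(objectClass=siteLinkBridge)'
foreach ($bridge in $bridgeSearch.FindAll()) {
    "Site link bridge {0}: {1}" -f $bridge.Properties['name'][0], ($bridge.Properties['sitelinklist'] -join ', ')
}

if ($DisableBridging -and $bridgeAll) {
    $transport.Put('options', ($options -bor $BridgesRequired))
    $transport.SetInfo()
    'Bridge all site links is now disabled for the IP transport'
}
```

Before disabling bridging, make sure every pair of sites that must replicate is joined by an explicit site link (or a bridge); otherwise the KCC cannot build a path and those sites stop converging.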
NEW QUESTION 9
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).
You need to identify the user accounts that can be cached on the RODC server.
Which utility should you use?
- A. Dsmod.exe
- B. Repadmin.exe
- C. Active Directory Domain and Trusts
- D. Active Directory Sites and Services
Answer: B
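The same information through the ActiveDirectory module, with the check that matters for an RODC in a branch office (example code written for this page, not taken from it): it prints the Password Replication Policy allowed list, the accounts whose secrets have actually been revealed to the RODC, and flags any AdminSDHolder-protected (adminCount=1) account among them, since a cached privileged credential turns theft of the branch server into a domain compromise. It assumes Windows Server 2008 R2 or RSAT and the RODC1 name from the question; the equivalent repadmin command is given in the comments.

```powershell
# Added example (not from the original page): list the accounts whose secrets are cached on an
# RODC and flag the ones that should never be there. Uses the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT); RODC1 is the question's name. repadmin shows the same
# data:   repadmin /prp view RODC1 reveal      (cached)
#         repadmin /prp view RODC1 allow       (allowed list)
Import-Module ActiveDirectory
$rodc = 'RODC1'

# Allowed list (who MAY be cached) versus what has actually been revealed to the RODC.
$allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

"Allowed list for ${rodc}:"
$allowed | ForEach-Object { "  $($_.Name)" }
"Accounts currently cached on ${rodc}: $(@($revealed).Count)"

# adminCount=1 marks accounts protected by AdminSDHolder (Domain Admins and similar). The
# default Denied RODC Password Replication Group covers most of them, but a direct Allow
# on the RODC or a custom admin group can still get a privileged secret onto the box.
$privileged = foreach ($acct in $revealed) {
    $obj = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    if ($obj.adminCount -eq 1) { $obj }
}
if ($privileged) {
    "WARNING: privileged accounts cached on ${rodc}:"
    $privileged | ForEach-Object { "  $($_.DistinguishedName)" }
} else {
    "No AdminSDHolder-protected accounts are cached on $rodc"
}

# Accounts that authenticated through the RODC but are not cached: candidates for the
# allowed list if they belong to that branch, or for an explicit deny if they do not.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```

If a privileged account does show up as revealed, reset its password after removing it from the allowed list; clearing the list does not purge a secret the RODC has already received.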
NEW QUESTION 10
Your company has two Active Directory forests as shown in the following table.
The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users from the eng.fabrikam.com domain to access resources in the contoso.com domain.
You need to configure the forest trust to meet the new security policy requirement.
What should you do?
- A. Delete the outgoing forest trust in the contoso.com domain.
- B. Delete the incoming forest trust in the contoso.com domain.
- C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication.
- D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx
How Domain and Forest Trusts Work
Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must first determine whether the domain being requested by a user, computer or service has a trust relationship with the logon domain of the requesting account. To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account.
Trust Flow
The flow of secured communications over trusts determines the elasticity of a trust: how you create or configure a trust determines how far the communication extends within a forest or across forests. The flow of communication over trusts is determined by the direction of the trust (one-way or two-way) and the transitivity of the trust (transitive or nontransitive).
One-Way and Two-Way Trusts
Trust relationships that are established to enable access to resources can be either one-way or two-way. A one-way trust is a unidirectional authentication path created between two domains. In a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. Some one-way trusts can be either nontransitive or transitive depending on the type of trust being created. All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust, Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type of trust being created.
An Active Directory domain can establish a one-way or two-way trust with:
- Windows Server 2003 domains in the same forest.
- Windows Server 2003 domains in a different forest.
- Windows NT 4.0 domains.
- Kerberos V5 realms.
Transitive and Nontransitive Trusts
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships with other domains; a nontransitive trust can be used to deny trust relationships with other domains.
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its parent domain. Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree. Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated by any other domain in the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest. The following figure shows that all domains in Tree 1 and Tree 2 have transitive trust relationships by default. As a result, users in Tree 1 can access resources in domains in Tree 2 and users in Tree 2 can access resources in Tree 1, when the proper permissions are assigned at the resource.
Default Transitive Trust Relationships
In addition to the default transitive trusts established in a Windows Server 2003 forest, by using the New Trust Wizard you can manually create the following transitive trusts:
- Shortcut trust. A transitive trust between domains in the same domain tree or forest that is used to shorten the trust path in a large and complex domain tree or forest.
- Forest trust. A transitive trust between one forest root domain and another forest root domain.
- Realm trust. A transitive trust between an Active Directory domain and a Kerberos V5 realm.
A nontransitive trust is restricted to the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way trust or a one-way trust. Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. Nontransitive domain trusts are the only form of trust relationship possible between:
- A Windows Server 2003 domain and a Windows NT domain
- A Windows Server 2003 domain in one forest and a domain in another forest (when not joined by a forest trust)
By using the New Trust Wizard, you can manually create the following nontransitive trusts:
- External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT, Windows 2000, or Windows Server 2003 domain in another forest. When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
- Realm trust. A nontransitive trust between an Active Directory domain and a Kerberos V5 realm.
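Direction, transitivity and the authentication mode are all stored on the trustedDomain object, so the reasoning in Question 7 and Question 10 can be checked directly against the directory. This added script (written for this page, not taken from it) decodes every trust the current domain holds: trustDirection (1 incoming, 2 outgoing, 3 two-way), trustType (NT, Active Directory, Kerberos realm) and the trustAttributes bits, and warns about a forest trust that still uses forest-wide rather than selective authentication. It needs only read access to the domain; the netdom command in the trailing comment is how name suffix routing (answer D above) is listed and toggled from a prompt.

```powershell
# Added example (not from the original page): decode every trust this domain holds so the
# direction, transitivity and authentication mode discussed above can be read off directly.
# Bit values follow the trustDirection / trustType / trustAttributes schema definitions.
$domainDn = ([adsi]'LDAP://RootDSE').defaultNamingContext.Value
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = [adsi]"LDAP://CN=System,$domainDn"
$search.Filter     = '(objectClass=trustedDomain)'
'trustpartner','trustdirection','trusttype','trustattributes' |
    ForEach-Object { [void]$search.PropertiesToLoad.Add($_) }

$DirectionNames = @{ 1 = 'incoming (they trust us: our users reach their resources)'
                     2 = 'outgoing (we trust them: their users reach our resources)'
                     3 = 'two-way' }
$TypeNames      = @{ 1 = 'downlevel (Windows NT)'; 2 = 'uplevel (Active Directory)'; 3 = 'Kerberos realm' }
$AttrBits       = @{ 0x1 = 'NON_TRANSITIVE'; 0x2 = 'UPLEVEL_ONLY'; 0x4 = 'QUARANTINED_DOMAIN (SID filtering)'
                     0x8 = 'FOREST_TRANSITIVE'; 0x10 = 'CROSS_ORGANIZATION (selective authentication)'
                     0x20 = 'WITHIN_FOREST'; 0x40 = 'TREAT_AS_EXTERNAL' }

foreach ($t in $search.FindAll()) {
    $dir   = [int]$t.Properties['trustdirection'][0]
    $type  = [int]$t.Properties['trusttype'][0]
    $attrs = [int]$t.Properties['trustattributes'][0]
    $flags = $AttrBits.Keys | Where-Object { $attrs -band $_ } | ForEach-Object { $AttrBits[$_] }
    ''
    "Trust with {0}" -f $t.Properties['trustpartner'][0]
    "  direction : {0}" -f $DirectionNames[$dir]
    "  type      : {0}" -f $TypeNames[$type]
    "  attributes: 0x{0:X} ({1})" -f $attrs, ($flags -join ', ')

    # Forest-wide authentication lets every user of the other forest authenticate to every
    # machine here (Authenticated Users includes them); selective authentication limits that
    # to computers where "Allowed to Authenticate" was granted explicitly.
    if (($attrs -band 0x8) -and -not ($attrs -band 0x10)) {
        '  NOTE: forest-wide authentication; consider selective authentication or name suffix routing'
    }
}

# Name suffix routing is managed per trust with netdom, for example
#   netdom trust contoso.com /domain:fabrikam.com /namesuffixes:fabrikam.com
# lists the routed suffixes with an index and status, and /togglesuffix:<index> disables
# or re-enables one such as *.eng.fabrikam.com.
```

Note that on the contoso.com side the trust that lets fabrikam users in is the outgoing one (contoso trusts fabrikam), which is why Question 10 edits the outgoing trust's suffix routing while Question 7's incoming trust is what lets your own users out.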
NEW QUESTION 11
Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2.
You need to restore the Default Domain Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.
What should you do?
- A. Run dcgpofix.exe /target:dc.
- B. Run dcgpofix.exe /target:domain.
- C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.
- D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
Answer: B
NEW QUESTION 12
Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: "This user account has expired. Ask your administrator to reactivate the account."
You need to ensure that the user is able to log on to the domain.
What should you do?
- A. Modify the properties of the user account to set the account to never expire.
- B. Modify the properties of the user account to extend the Logon Hours setting.
- C. Modify the default domain policy to decrease the account lockout duration.
- D. Modify the properties of the user account to set the password to never expire.
Answer: A
Explanation: 
Further information: http://technet.microsoft.com/en-us/library/dd145547.aspx
User Properties - Account Tab
Account expires: Sets the account expiration policy for this user. You can select between the following options:
- Use Never to specify that the selected account will never expire. This option is the default for new users.
- Select End of and then select a date if you want to have the user's account expire on a specified date.
NEW QUESTION 13
Your network contains an Active Directory forest. All client computers run Windows 7.
The network contains a high-volume enterprise certification authority (CA).
You need to minimize the amount of network bandwidth required to validate a certificate.
What should you do?
- A. Configure an LDAP publishing point for the certificate revocation list (CRL).
- B. Configure an Online Certificate Status Protocol (OCSP) responder.
- C. Modify the settings of the delta certificate revocation list (CRL).
- D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 779
Online responder
This service is designed to respond to specific certificate validation requests through the Online Certificate Status Protocol (OCSP). Using an online responder (OR), the system relying on PKI does not need to obtain a full CRL and can submit a validation request for a specific certificate. The online responder decodes the validation request and determines whether the certificate is valid. When it determines the status of the requested certificate, it sends back a signed response containing the information to the requester. Using online responders is much faster and more efficient than using CRLs. AD CS includes online responders as a feature introduced in Windows Server 2008.
NEW QUESTION 14
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA).
You need to ensure that only members of a group named Admin1 can create certificate templates.
Which tool should you use to assign permissions to Admin1?
- A. the Certification Authority console
- B. Active Directory Users and Computers
- C. the Certificates snap-in
- D. Active Directory Sites and Services
Answer: D
Explanation:
We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups.
The first Explanation lists what needs to be done, the second Explanation explains how to do it.
Explanation 1:
http://technet.microsoft.com/en-us/library/cc725621.aspx
Delegating Template Management
You can delegate the ability to manage individual certificate templates or to create any certificate templates by defining appropriate permissions to global groups or universal groups that a user belongs to.
There are three levels of delegation for certificate template administration:
Modify existing templates
Create new templates (by duplicating existing templates)
Full delegation (including modifying all existing templates and creating new ones)
Create New Templates
To delegate the ability to create certificate templates to users who are not members of the Domain Admins group in the forest root domain, or members of the Enterprise Admins group, it is necessary to define the appropriate permissions in the Configuration naming context of AD DS. To delegate the ability to duplicate and create new certificate templates, you must make the following permission assignments to a global or universal group of which the user is a member:
- Grant Create All Child Objects permission on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
- Grant Full Control permission to every certificate template in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot. The permissions assigned to the Certificate Templates container are not inherited by the individual certificate templates.
- Grant Create All Child Objects permission on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRoot.
Explanation 2:
Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008) page 298
Delegate Permissions for Creation of New Templates
You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.
1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.
9. On the Users Or Groups page, click Next.
10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.
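Because the delegation above grants Full Control on the container, and because a writable template can be edited into an enrollment path for arbitrary identities, the permissions it hands out should be audited afterwards. This added script (written for this page, not taken from it or from the cited book) walks the Certificate Templates container, the OID container and every template object through the AD: drive and reports any trustee outside the defaults that holds create, write-DACL, write-owner, generic-all, generic-write or write-property rights. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a single-domain forest so that the local Domain Admins are the forest root's, and the default trustee list in $expected; widen that list for your own delegations.

```powershell
# Added example (not from the original page): audit who can create or modify certificate
# templates, i.e. the permissions the delegation steps above hand out. Uses the AD: drive of
# the ActiveDirectory module (Windows Server 2008 R2 / RSAT). Trustees in $expected are the
# defaults for a single-domain forest; anything else with these rights deserves a look.
Import-Module ActiveDirectory
$configDn  = (Get-ADRootDSE).configurationNamingContext
$templates = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDn"
$oidRoot   = "CN=OID,CN=Public Key Services,CN=Services,$configDn"
$domainNb  = (Get-ADDomain).NetBIOSName
$expected  = @("$domainNb\Enterprise Admins", "$domainNb\Domain Admins", 'NT AUTHORITY\SYSTEM')
$dangerous = 'CreateChild|WriteDacl|WriteOwner|GenericAll|GenericWrite|WriteProperty'

function Get-RiskyAces([string]$dn) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights.ToString() -match $dangerous) {
            New-Object PSObject -Property @{
                Object    = $dn
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The container (who may create templates) plus every template (who may rewrite one);
# the container ACL is not inherited by the templates, so both levels must be checked.
$templateDns = Get-ADObject -SearchBase $templates -SearchScope OneLevel -Filter * |
               ForEach-Object { $_.DistinguishedName }
$targets  = @($templates, $oidRoot) + @($templateDns)
$findings = foreach ($dn in $targets) { Get-RiskyAces $dn }
if ($findings) { $findings | Format-Table Trustee, Rights, Inherited, Object -AutoSize }
else { 'Only the expected trustees can create or modify certificate templates' }
```

A group that appears here with Full Control on an individual template can add Client Authentication EKU and "supply in request" subject names to it; that is a far larger grant than the "create new templates" delegation the question describes, so review both levels, not just the container.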
NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA).
You need to deploy certificates based on Version 1 templates to all of the computers in the domain. The solution must minimize administrative effort.
You create a Group Policy object (GPO) named GPO1 and link the GPO to the domain.
What should you do next?
- A. In GPO1, configure Certificate Services Client - Certificate Enrollment Policy.
- B. In GPO1, configure Automatic Certificate Request Settings.
- C. In GPO1, configure Software installation.
- D. Duplicate the template.
- E. In GPO1, configure Software installation.
Answer: B
Explanation: Automatic certificate request settings
Certificate enrollment is the process of requesting, receiving, and installing a certificate. By using automatic certificate settings in public key policies, you can have computers that are associated with a Group Policy object (GPO) automatically enroll for certificates. This can save you the step of explicitly enrolling for computer-related certificates for each computer. After you establish an automatic certificate request, the actual certificate requests occur the next time the computers associated with the GPO log on to the network. Automatic Certificate Request Settings works only with Version 1 computer certificate templates; Version 2 and later templates are deployed through Certificate Services Client - Auto-Enrollment instead, which is why the Version 1 requirement in the question points to answer B.
NEW QUESTION 16
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
The relevant servers in the domain are configured as shown below: 
You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.
What should you do?
- A. Upgrade Server1 to Windows Server 2008 R2.
- B. Upgrade Server2 to Windows Server 2008 R2.
- C. Raise the functional level of the domain to Windows Server 2008.
- D. Install the Windows Server 2008 R2 Active Directory Schema update.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/dd759243.aspx
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment
meets these requirements:
A host computer as a domain member running Windows Server 2008 R2.
An Active Directory forest with a Windows Server 2008 R2 schema.
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
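The schema requirement is the one that cannot be read off a server's version string, so here is an added check (written for this page, not taken from it): it reads objectVersion on the schema partition, maps it to the Windows Server release that introduced it (47 is Windows Server 2008 R2, the level adprep /forestprep from the 2008 R2 media produces), and confirms that msPKI-Enrollment-Servers, the attribute in which the Certificate Enrollment Web Service publishes its endpoints, is defined. It needs only read access to the forest; the version table is the published schema version per release.

```powershell
# Added example (not from the original page): check whether the forest schema is at the
# Windows Server 2008 R2 level that the Certificate Enrollment Web Service needs, which is
# the adprep /forestprep change the answer refers to. objectVersion values are the
# published schema versions per Windows Server release.
$rootDse = [adsi]'LDAP://RootDSE'
$schema  = [adsi]"LDAP://$($rootDse.schemaNamingContext.Value)"
$version = [int]$schema.objectVersion.Value

$known = @{ 13 = 'Windows 2000'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
            44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
            69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'; 88 = 'Windows Server 2019 / 2022' }
$label = if ($known.ContainsKey($version)) { $known[$version] } else { 'newer than this table' }
"Schema objectVersion = $version ($label)"

# CES publishes its endpoints in msPKI-Enrollment-Servers, an attribute added with the
# 2008 R2 schema; its presence is a second confirmation that forestprep has run.
$attr = New-Object System.DirectoryServices.DirectorySearcher
$attr.SearchRoot = $schema
$attr.Filter     = '(&(objectClass=attributeSchema)(lDAPDisplayName=msPKI-Enrollment-Servers))'
if ($attr.FindOne()) { 'msPKI-Enrollment-Servers is defined: 2008 R2 schema extensions are present' }
else { 'msPKI-Enrollment-Servers is missing: run adprep /forestprep from the Windows Server 2008 R2 media' }

if ($version -lt 47) { 'Schema must reach version 47 (Windows Server 2008 R2) before CES can be installed' }
```

Neither the domain functional level nor the CA's operating system enters into this check, which matches the answer: the 2003 functional level and the existing CA can stay as they are.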
NEW QUESTION 17
You are decommissioning a child domain. The child domain contains five operations master roles.
You need to transfer the forest operations master roles to a newly installed domain controller in a different child domain.
Which two operations master roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
- A. RID master
- B. PDC emulator
- C. Schema master
- D. Domain naming master
- E. Infrastructure master
Answer: CD
Explanation: Forestwide Operations Master Roles The schema master and domain naming master are forestwide roles, meaning that there is only one schema master and one domain naming master in the entire forest.
Note:
* Operations Master Roles
The five operations master roles are assigned automatically when the first domain controller in a given domain is created. Two forest-level roles are assigned to the first domain controller created in a forest and three domain-level roles are assigned to the first domain controller created in a domain.
* The five FSMO roles [in Windows 2003] are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.
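The transfer itself, with the before/after verification a practitioner wants (example code written for this page, not taken from it): it collects the five role holders, moves the two forest-wide roles to the new domain controller, and prints the holders again. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), a caller who is a member of Schema Admins (for the schema master) and Enterprise Admins (for the domain naming master), and uses DC3 as a placeholder for the newly installed DC in the other child domain.

```powershell
# Added example (not from the original page): locate the forest-wide roles, transfer the two
# that the question asks about, and verify. Uses the ActiveDirectory module (Windows Server
# 2008 R2 / RSAT). DC3 is a placeholder for the new DC in the other child domain; the caller
# needs Schema Admins for the schema master and Enterprise Admins for the domain naming master.
Import-Module ActiveDirectory
$target = 'DC3'

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

'Before:'
Get-FsmoHolders | Format-List

# A transfer is graceful and requires the current holder to be online. Seizing (-Force) is
# only for a holder that is gone for good; a seized-from DC must never return to the network.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster -Confirm:$false

'After:'
Get-FsmoHolders | Format-List

# The decommissioned child domain's own three roles (PDC emulator, RID master, infrastructure
# master) disappear with that domain; they are not moved into another domain.
# Cross-check without the module:  netdom query fsmo
```

Get-ADDomain reports the domain-level roles of the domain you are logged on to; run it against the child domain being decommissioned (-Identity child.contoso.com) if you also want to see its PDC, RID and infrastructure holders before the last DC there is demoted.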
P.S. Easily pass 70-640 Exam with 631 Q&As Certleader Dumps & pdf Version, Welcome to Download the Newest Certleader 70-640 Dumps: https://www.certleader.com/70-640-dumps.html (631 New Questions)