2026 New 70-640 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/70-640/
Free demo questions for Microsoft 70-640 Exam Dumps Below:
NEW QUESTION 1
Your network contains an Active Directory domain. The domain contains four domain controllers.
You create a new application directory partition.
You need to ensure that the new application directory partition replicates to only three of the domain controllers.
Which tool should you use?
- A. Active Directory Administrative Center
- B. Dsamain
- C. Dsmod
- D. Ntdsutil
Answer: A
NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com.
You have a server named Server1 that is configured as an enterprise root certification authority (CA).
You need to ensure that private keys can be archived on Server1.
Which three actions should you perform in sequence? (To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in the correct order.) 
Answer:
Explanation: 
NEW QUESTION 3
A user attempts to join a computer to the domain, but the attempt fails.
You need to ensure that the user can join fifty computers to the domain. You must ensure that the user is denied any additional rights beyond those required to complete the task.
What should you do?
- A. Prestage each computer account in the Active Directory domain.
- B. Deploy a Group Policy Object (GPO) that modifies the user rights settings.
- C. Add the user to the Domain Administrators group for one day.
- D. Deploy a Group Policy object (GPO) that modifies the Restricted Groups settings.
Answer: A
NEW QUESTION 4
A corporate network includes a single Active Directory Domain Services (AD DS) domain and two AD DS sites.
The AD DS sites are named Toronto and Montreal. Each site has multiple domain controllers.
You need to determine which domain controller holds the Inter-Site Topology Generator role for the Toronto site.
What should you do?
- A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the Toronto site.
- B. Use the Ntdsutil tool with the roles parameter.
- C. Use the Ntdsutil tool with the LDAP policies parameter.
- D. Use the Active Directory Sites and Services console to view the properties of each domain controller in the Toronto site.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc794776.aspx
Determine the ISTG Role Owner for a Site
The Intersite Topology Generator (ISTG) is the domain controller in each site that is responsible for generating the intersite topology. If you want to regenerate the intersite topology, you must determine the identity of the ISTG role owner in a site. You can use this procedure to view the NTDS Site Settings object properties and determine the ISTG role owner for the site.
To determine the ISTG role owner for a site
1. Open Active Directory Sites and Services.
2. In the console tree, click the site object whose ISTG role owner you want to determine.
3. In the details pane, right-click the NTDS Site Settings object, and then click Properties. The current role owner appears in the Server box under Inter-Site Topology Generator.
NEW QUESTION 5
Your network contains an Active Directory domain that has the password policy shown in the following exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit. 
Answer:
Explanation: 
NEW QUESTION 6
Your company has two offices. The offices are located in Miami and London.
The network contains an Active Directory forest named contoso.com. The forest contains two child domains named miami.contoso.com and london.contoso.com. The domain contains 50 domain controllers that run Windows Server 2008 R2. Each office is configured as an Active Directory site.
You plan to deploy several read-only domain controllers (RODCs) to the Miami site.
You need to pre-create the computer accounts of the RODCs.
What should you do?
- A. Run the dsadd.exe command
- B. Run the nltest.exe command.
- C. Run the Set-AdDomain cmdlet.
- D. Run the dsmove.exe command.
- E. Run the dcpromo.exe command.
- F. Run the Move-AdDirectoryServer cmdlet.
- G. Use the Active Directory Schema snap-in.
- H. Use the Active Directory Users and Computers console.
Answer: H
NEW QUESTION 7
Your company has an Active Directory forest. The forest includes organizational units corresponding to the following four locations:
- London
- Chicago
- New York
- Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains all the users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections. The office in Madrid is connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
- A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.
- B. Link the GPO to each Sales organizational unit.
- C. Disable the slow link detection setting in the Group Policy Object (GPO).
- D. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy Object (GPO).
- E. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the computers.
- F. Link the GPO to each Sales organizational unit.
Answer: BD
Explanation:
http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx
Specifying Group Policy for Slow Link Detection
Administrators can partially control which Group Policy extensions are processed over a slow link. By default, when processing over a slow link, not all components of Group Policy are processed. Table 2.6 shows the default settings for processing Group Policy over slow links.
Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link.
http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx
Assigning and Publishing Software
Assigning software to computers
After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on.
Further information:
http://technet.microsoft.com/en-us/library/cc978717.aspx
Group Policy slow link detection
NEW QUESTION 8
Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.
You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can take a snapshot of Instance1.
What should you do?
- A. At the command prompt, run net start VSS.
- B. At the command prompt, run net start Instance1.
- C. Set the Startup Type for the Instance1 service to Disabled.
- D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Answer: A
Explanation:
Hard to find explanations on this, but the solution can be found by eliminating the rest.
Instance1 is running, otherwise you'd get a different message at the snapshot: create step ("AD service must be running in order to perform this operation", on my virtual server).
Disabling Instance1 makes no sense because you need it, nor is setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
NEW QUESTION 9
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA).
On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled.
You need to install an enterprise subordinate CA on the server.
What should you use to log on to the new server?
- A. an account that is a member of the Certificate Publishers group in the child domain
- B. an account that is a member of the Certificate Publishers group in the forest root domain
- C. an account that is a member of the Schema Admins group in the forest root domain
- D. an account that is a member of the Enterprise Admins group in the forest root domain
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b
In order to install an Enterprise CA you MUST have Enterprise Admins permissions, because the Configuration naming context is replicated between domain controllers in the forest (not only the current domain) and is writable for Enterprise Admins (domain admins permissions are insufficient).
NEW QUESTION 10
Your network contains an Active Directory domain. The domain contains a group named Group1.
The minimum password length for the domain is set to six characters.
You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.
What should you do first?
- A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
- B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
- C. From the Default Domain Policy, modify the password policy.
- D. From the Default Domain Controller Policy, modify the password policy.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/ee617238.aspx
New-ADFineGrainedPasswordPolicy
Creates a new Active Directory fine grained password policy.
NEW QUESTION 11
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects.
You need to ensure that Attribute1 is included in the global catalog.
What should you do?
- A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.
- B. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User objects.
- C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
- D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/how-global-catalog-servers-work.aspx
Global Catalog Partial Attribute Set
The attributes that are replicated to the global catalog by default include a base set that have been defined by Microsoft as the attributes that are most likely to be used in searches. Administrators can use the Microsoft Management Console (MMC) Active Directory Schema snap-in to specify additional attributes to meet the needs of their installation. In the Active Directory Schema snap-in, you can select the Replicate this attribute to the global catalog check box to designate an attributeSchema object as a member of the PAS, which sets the value of the isMemberOfPartialAttributeSet attribute to TRUE.
Global Catalog Replication of Additions to the Partial Attribute Set
Each global catalog server in an AD DS forest hosts a copy of every existing object in that forest. For the objects of its own domain, a global catalog server has information related to all attributes that are associated with those objects. For the objects in domains other than its own, a global catalog server has only information that is related to the set of attributes that are marked in the AD DS schema to be included in the partial attribute set (PAS). As described earlier, the PAS is defined by Microsoft as those attributes that are most likely to be used for searches. These attributes are replicated to every global catalog server in an AD DS forest.
If you want to add an attribute to the PAS, you can mark the attribute by using the Active Directory Schema snap-in to edit the isMemberOfPartialAttributeSet value on the respective attributeSchema object. You mark the attribute by placing a checkmark next to isMemberOfPartialAttributeSet. If the isMemberOfPartialAttributeSet value is checked (set to TRUE), the attribute is replicated to the global catalog. If the value is not checked (set to FALSE), the attribute is not replicated to the global catalog.
NEW QUESTION 12
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
Enterprise root certification authority (CA)
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service
You create a new certificate template.
External users report that the new template is unavailable when they request a new certificate.
You verify that all other templates are available to the external users.
You need to ensure that the external users can request certificates by using the new template.
What should you do on Server1?
- A. Run iisreset.exe /restart.
- B. Run gpupdate.exe /force.
- C. Run certutil.exe dspublish.
- D. Restart the Active Directory Certificate Services service.
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx
Certificate Enrollment Web Services in Active Directory Certificate Services
Troubleshooting
Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates
Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset.
NEW QUESTION 13
DRAG DROP
ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects.
You have backed up the system state data using third-party backup software. To restore backup, you start the domain controller in the Directory Services Restore Mode (DSRM).
You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state.
Which three actions should you perform? 
Answer:
Explanation: 
NEW QUESTION 14
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.
What should you do?
- A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
- B. From the Default Domain Controllers policy, enable the Audit directory service access setting and enable directory service changes.
- C. Enable the Audit account management policy in the Default Domain Controller Policy.
- D. Run auditpol.exe and then enable the Audit directory service access setting in the Default Domain policy.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx
AD DS Auditing Step-by-Step Guide
In Windows Server 2008 you can now set up AD DS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
The ability to audit changes to objects in AD DS is enabled with the new audit policy subcategory Directory Service Changes. This guide provides instructions for implementing this audit policy subcategory. The types of changes that you can audit include a user (or any security principal) creating, modifying, moving, or undeleting an object. The new audit policy subcategory adds the following capabilities to auditing in AD DS:
- When a successful modify operation is performed on an attribute, AD DS logs the previous and current values of the attribute. If the attribute has more than one value, only the values that change as a result of the modify operation are logged.
- If a new object is created, values of the attributes that are populated at the time of creation are logged. If the user adds attributes during the create operation, those new attribute values are logged. In most cases, AD DS assigns default values to attributes (such as samAccountName). The values of such system attributes are not logged.
- If an object is moved, the previous and new location (distinguished name) is logged for moves within the domain. When an object is moved to a different domain, a create event is generated on the domain controller in the target domain.
- If an object is undeleted, the location where the object is moved to is logged. In addition, if the user adds, modifies, or deletes attributes while performing an undelete operation, the values of those attributes are logged.
In Windows Server 2008, you implement the new auditing feature by using the following controls:
- Global audit policy
- System access control list (SACL)
- Schema
Global audit policy
Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy). In Windows Server 2008, this global audit policy is not enabled by default. Although the subcategory Directory Service Access is enabled for success events by default, the other subcategories are not enabled by default. You can use the command-line tool Auditpol.exe to view or set audit policy subcategories. There is no Windows interface tool available in Windows Server 2008 to view or set audit policy subcategories.
Further information:
http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
Auditpol
Displays information about and performs functions to manipulate audit policies.
http://servergeeks.wordpress.com/2012/12/31/auditing-directory-services/
AD Scenario – Auditing Directory Services
Auditing of Directory Services depends on several controls, these are:
1. Global Audit Policy (at category level using gpmc.msc tool)
2. Individual Audit Policy (at subcategory level using auditpol.exe tool)
3. System ACLs – to specify which operations are to be audited for a security principal.
4. Schema (optional) – this is an additional control in the schema that you can use to create exceptions to what is audited.
In Windows Server 2008, you can now set up AD DS (Active Directory Domain Services) auditing with a new audit policy subcategory (Directory Service Changes) to log old and new values when changes are made to AD DS objects and their attributes. This can be done using the auditpol.exe tool.
Command to check which audit policies are active on your machine: auditpol /get /category:*
Command to view the audit policy categories and subcategories:
How to enable the global audit policy using the Windows interface, i.e. the gpmc tool
Click Start, point to Administrative Tools, and then click Group Policy Management, or run the gpmc.msc command.
In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, double-click Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
Under Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Audit Policy.
In the details pane, right-click Audit directory service access, and then click Properties.
Select the Define these policy settings check box.
Under Audit these attempts, select the Success check box, and then click OK.
How to enable the change auditing policy using a command line
Click Start, right-click Command Prompt, and then click Run as administrator.
Type the following command, and then press ENTER:
auditpol /set /subcategory:"directory service changes" /success:enable
To verify whether auditing is enabled for "Directory Service Changes", you can run the command below:
auditpol /get /category:"DS Access"
How to set up auditing in object SACLs
Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the organizational unit (OU) (or any object) for which you want to enable auditing, and then click Properties.
Click the Security tab, click Advanced, and then click the Auditing tab.
Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal) and then click OK.
In Apply onto, click Descendant User objects (or any other objects). Under Access, select the Successful check box for Write all properties. Click OK.
Click OK until you exit the property sheet for the OU or other object.
To test whether auditing is working, try creating or modifying objects in the Finance OU and check the Security event logs.
I just created a new user account in Finance OU named f4.
If you check the Security event logs you will find event ID 5137 (Create).
Note:
Once auditing is enabled, these event IDs will appear in the Security event logs: 5136 (Modify), 5137 (Create), 5138 (Undelete), 5139 (Move).
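The auditing walkthrough above, scripted as an added PowerShell example (not part of the original page or of the guides it quotes): it enables the subcategory, reads events 5136 to 5139 from the Security log, and pairs the old and new attribute values, which a modify records as two separate 5136 events. It assumes PowerShell 3.0 or later in an elevated session on a domain controller; the 24-hour window and the variable names are illustrative choices.

```powershell
# Added example: enable Directory Service Changes auditing and review the results.
# Assumptions: elevated session on a domain controller, PowerShell 3.0+,
# and a SACL already set on the objects of interest (see the steps above).

# 1. Enable the subcategory and show the resulting DS Access settings.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
auditpol /get /category:"DS Access"

# 2. Read the four change events from the last 24 hours (window is illustrative).
$eventNames = @{ 5136 = 'Modify'; 5137 = 'Create'; 5138 = 'Undelete'; 5139 = 'Move' }
$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5138, 5139
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Flatten each event's <EventData> into a hashtable keyed by field name.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Id            = $e.Id
        Action        = $eventNames[$e.Id]
        Who           = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Create/Modify carry ObjectDN; Move/Undelete carry OldObjectDN and NewObjectDN.
        ObjectDN      = if ($data['ObjectDN']) { $data['ObjectDN'] } else { $data['NewObjectDN'] }
        OldObjectDN   = $data['OldObjectDN']
        Attribute     = $data['AttributeLDAPDisplayName']
        Value         = $data['AttributeValue']
        Operation     = $data['OperationType']     # %%14674 = value added, %%14675 = value deleted
        CorrelationId = $data['OpCorrelationID']
    }
}

# 4. Summary of creates, undeletes and moves.
$rows | Where-Object { $_.Id -ne 5136 } |
    Sort-Object Time |
    Format-Table Time, Action, Who, OldObjectDN, ObjectDN -AutoSize

# 5. For modifies, join the "value deleted" and "value added" events that share
#    one operation, object and attribute into a single old/new row.
$changes = $rows | Where-Object { $_.Id -eq 5136 } |
    Group-Object CorrelationId, ObjectDN, Attribute |
    ForEach-Object {
        $first = $_.Group[0]
        $old = $_.Group | Where-Object { $_.Operation -eq '%%14675' } | ForEach-Object { $_.Value }
        $new = $_.Group | Where-Object { $_.Operation -eq '%%14674' } | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Time      = $first.Time
            Who       = $first.Who
            ObjectDN  = $first.ObjectDN
            Attribute = $first.Attribute
            OldValue  = $old -join '; '
            NewValue  = $new -join '; '
        }
    }

$changes | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An empty result in step 5 after a test modification usually means the object's SACL does not audit that write, since the subcategory only logs operations the SACL selects.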
NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role installed and hosts the zone for contoso.com.
All host (A) records are registered in DNS by using dynamic updates.
You deploy a new server named dns.contoso.com.
You install the DNS Server server role on dns.contoso.com.
The Name Servers list is shown in the Name Server exhibit. (Click the Exhibit button.) 
The Zone Transfers settings are shown in the Zone Transfers exhibit. (Click the Exhibit button.) 
On dns.contoso.com, you create a secondary zone for contoso.com and you specify DC1 as the master server.
You discover that the zone fails to transfer to dns.contoso.com.
You open DNS Manager as shown in the DNS Manager exhibit. (Click the Exhibit button.) 
You need to ensure that dns.contoso.com can transfer the contoso.com zone.
What should you do?
- A. Modify the name servers list for the contoso.com zone.
- B. Change the A record for dns.contoso.com to use 10.0.0.2.
- C. Add an A record for contoso.com that has a value of 10.0.0.2.
- D. Allow zone transfers to the 10.0.0.2 IP address.
- E. Add a name server (NS) record for contoso.com that has a value of 10.0.0.2.
Answer: A
NEW QUESTION 16
Your company has a main office and a branch office.
The network contains a single Active Directory domain.
The main office contains a domain controller named DC1.
You need to install a domain controller in the branch office by using an offline copy of the Active Directory database.
What should you do first?
- A. From the Ntdsutil tool, create an IFM media set.
- B. From the command prompt, run djoin.exe /loadfile.
- C. From Windows Server Backup, perform a system state backup.
- D. From Windows PowerShell, run the get-ADDomainController cmdlet.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx
Installing an Additional Domain Controller by Using IFM
When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.
NEW QUESTION 17
You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?
- A. Active Directory Administrative Center
- B. Event Viewer
- C. Resource Monitor
- D. Security Configuration Wizard
Answer: B
Explanation:
MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 525
Automatically Responding to Events
One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways:
- Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to manually perform, and automatically run that script when an event appears.
- Send An E-mail - Sends an email by using the Simple Mail Transport Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device.
- Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer.
To trigger a task when an event occurs, follow one of these three procedures:
Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process.