[Jun 2016] 70-640 pdf



70-640 Product Description:
Exam Number/Code: 70-640 vce
Exam name: TS: Windows Server 2008 Active Directory. Configuring
Certification: Microsoft Certification

2016 Jun 70-640 exam prep

Q31. Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network. 

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month. 

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template. 

You want to achieve this goal by using the minimum amount of administrative effort. 

What should you do? 

A. Upgrade all of the Windows Vista computers to Windows 7. 

B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2). 

C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy. 

D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy. 

Answer: B 


Q32. You have a Windows Server 2008 R2 Enterprise Root CA. 

Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. 

You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role. 

What should you do next? 

A. Configure the Online Responder Role Service on a member server. 

B. Configure the Online Responder Role Service on a domain controller. 

C. Configure the Certificate Enrollment Web Service role service on a member server. 

D. Configure the Certificate Enrollment Web Service role service on a domain controller. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/dd759209.aspx

Certificate Enrollment Web Service Overview

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Personal note: Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server.


Q33. Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. 

The servers are configured as shown in the following table. 


You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Configure the policy module settings. 

B. Configure the issuance requirements for the certificate templates. 

C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting. 

D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account. 

Answer: B,D 

Explanation:

Explanation 1: http://technet.microsoft.com/en-us/library/dd759245.aspx

The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.

Explanation 2: http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:

* The CA is not on the same computer as the Certificate Enrollment Web Service.

* Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests.

* The authentication type is set to Windows Integrated Authentication or Client certificate authentication.


Q34. Your network contains a server named Server1 that runs Windows Server 2008 R2. 

On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.

You connect to Instance1 by using ADSI Edit.

You run the Create Object wizard and you discover that there is no User object class.

You need to ensure that you can create user objects in Instance1.

What should you do? 

A. Run the AD LDS Setup Wizard. 

B. Modify the schema of Instance1. 

C. Modify the properties of the Instance1 service. 

D. Install the Remote Server Administration Tools (RSAT). 

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/cc772194.aspx

To create users in AD LDS, you must first import the optional user classes that are provided with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed. The user, inetOrgPerson, and OrganizationalPerson object classes are not available until you import the AD LDS user class definitions into the schema.


Q35. Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed. 

You need to ensure that the user is able to log on to the computer. 

What should you do? 

A. Run the netsh command with the set and machine options. 

B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. 

C. Run the netdom TRUST /reset command. 

D. Run the Active Directory Users and Computers console to disable, and then enable the computer account. 

Answer: B 

Explanation: 

Answer: Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. 

http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx

Trust Relationship between Workstation and Primary Domain failed

What are the common causes that generate this message on client systems?

There might be multiple reasons for this kind of behaviour. A few of them are listed below:

1. A single SID has been assigned to multiple computers.

2. The secure channel is broken between the domain controller and workstations.

3. No SPN or DNSHost Name is set in the computer account attributes.

4. Outdated NIC drivers.

How to troubleshoot this behaviour?

2. If the secure channel is broken between the domain controller and workstations

When a computer account is joined to the domain, the secure channel password is stored with the computer account on the domain controller. By default this password changes every 30 days (this is an automatic process; no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. If there are problems with system time, DNS configuration or other settings, the secure channel password on the workstation and on the DCs may not synchronize with each other.

A common cause of a broken secure channel (machine account password) is that the secure channel password held by the domain member does not match that held by AD. Often, this is caused by performing a Windows System Restore (or reverting to a previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to AD.

Resolution: The simplest resolution is to disjoin the computer from the domain and then rejoin it to the domain (this is a somewhat similar principle to performing a password reset for a user account). Alternatively, you can reset the computer account by using the netdom.exe tool.

http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx

Netdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

You can use netdom to:

Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.

Manage computer accounts for domain member workstations and member servers. Management operations include:

Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:

Verify or reset the secure channel for the following configurations:

* Member workstations and servers.

* Backup domain controllers (BDCs) in a Windows NT 4.0 domain.

* Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

Manage trust relationships between domains.

Syntax 

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>] 

http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx 

Netdom reset

Resets the secure connection between a workstation and a domain controller.

Syntax

netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]

Further information: 

http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx 

Netdom trust 

Establishes, verifies, or resets a trust relationship between domains. 

Syntax

netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]



Q36. HOTSPOT 

Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table. 


You need to enable universal group membership caching in the Seattle site. 

Which object's properties should you modify? 

To answer, select the appropriate object in the answer area. 


Answer: 



Q37. Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records. 

You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records. 

What should you do? 

A. Set dynamic updates to Secure Only. 

B. Remove the Authenticated Users group. 

C. Enable zone transfers to Name Servers. 

D. Deny the Everyone group the Create All Child Objects permission. 

Answer: A 

Explanation: 

Answer: Set dynamic updates to Secure Only. 

http://technet.microsoft.com/en-us/library/cc753751.aspx 

Allow Only Secure Dynamic Updates 

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

Further information: 

http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update 


Q38. Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application. 

The registry modifications are in a file that has an .adm extension. 

You need to prepare the target computers for the application. 

What should you do? 

A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers. 

B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer. 

C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer. 

D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer. 

Answer: A 

Explanation: 

http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm

Adding New Administrative Templates to a GPO

Adding .ADM files to the Administrative Templates in a GPO

To add additional .ADM files to the existing Administrative Templates section in a GPO, follow these steps:

1. Open the Group Policy Management Console (GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.

2. Right-click an existing GPO (or create a new GPO, then right-click it) and select Edit.


Q39. Your network contains an Active Directory domain named contoso.com. 

You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes. 

Which security policy setting should you configure? 

A. Audit Sensitive Privilege Use 

B. Audit User Account Management 

C. Audit Directory Service Changes 

D. Audit Other Account Management Events 

Answer: C 

Explanation: 

Explanation 1: http://technet.microsoft.com/en-us/library/dd772641.aspx

Audit Directory Service Changes

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).

Explanation 2: http://technet.microsoft.com/en-us/library/cc731607.aspx

AD DS Auditing Step-by-Step Guide

This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte.


Q40. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers. 

The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.) 


You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Create a zone delegation record in the contoso.com zone. 

B. Create a zone delegation record in the eu.contoso.com zone. 

C. Create an Active Directory-integrated zone for _msdsc.contoso.com. 

D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com. 

Answer: A,C 

Explanation: 

Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo. 


