Exam Number/Code: 70-640
Exam name: TS: Windows Server 2008 Active Directory, Configuring
Certification: Microsoft Certification
Q151. Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
DNS Security Extensions (DNSSEC)
What are the major changes?
Support for Domain Name System Security Extensions (DNSSEC) is introduced in Windows Server 2008 R2 and Windows 7. With Windows Server 2008 R2 DNS server, you can now sign and host DNSSEC-signed zones to provide security for your DNS
The following changes are available in DNS server in Windows Server 2008 R2:
Ability to sign a zone and host signed zones.
Support for changes to the DNSSEC protocol.
Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in DNS client in Windows 7:
Ability to indicate knowledge of DNSSEC in queries.
Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
Ability to check whether the DNS server with which it communicated has performed validation on the client's behalf.
The DNS client's behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client's behavior. The NRPT is typically managed through Group Policy.
What does DNSSEC do?
DNSSEC is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.
In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.
Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.
The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server in the forest.
You need to configure DC2 as a global catalog server.
Which object's properties should you modify? To answer, select the appropriate object in the answer area.
Q153. Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?
A. Add the DNS Server role.
B. Add the Active Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Active Directory Certificate Services Step-by-Step Guide
Enterprise CA option is greyed out / unavailable
Many times, administrators ask me what to do when, while installing Active Directory Certificate Services, they cannot choose to install an Enterprise Certification Authority because the option is unavailable.
Well, you need to fulfill the basic requirements:
The server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Data Center Windows Edition. The difference is the number of ADCS features and components that can be enabled. To get full functionality, you need to run on Enterprise or Data Center Windows Server 2008 /R2/ Editions. It includes functionality like Role separation, Certificate manager restrictions, Delegated enrollment agent restrictions, Certificate enrollment across forests, Online Responder, Network Device Enrollment.
In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the forest root domain (either directly or through group nesting).
If the issue still persists, there is probably a problem with getting the correct credentials of your account. There are many things that can cause it (network blockage, domain settings, server configuration, and other issues). In all cases I got, this troubleshooting helped perfectly:
First of all, carefully check all of the above requirements.
Secondly, install all available patches and Service Packs with Windows Update before trying to install the Enterprise CA.
Check the network settings on the CA Server. If there is no DNS setting, the Certificate Authority Server cannot resolve and find the domain.
Sufficient privileges for writing the Enterprise CA configuration information in the AD configuration partition are required. Determine if you are a member of the Enterprise Admins or Domain Admins in the forest root domain. Think about the account you are currently trying to install ADCS with. In fact, you may be sure that your account is in the Enterprise Admins group, but check how the CA Server "sees" your account membership by typing whoami /groups.
You also need to be a member of the local Administrators group. If you are not, you wouldn't be able to run Server Manager, but it still needs to be checked.
View the C:\windows\certocm.log file. There you can find helpful details on problems with group membership. For example, a status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the needed memberships are not correct.
Don't forget to check Event Viewer on the CA Server side and look for red lines.
Verify that network devices or software and hardware firewalls are not blocking access from/to the server and Domain Controllers. If so, the Certificate Authority Server may not be communicating correctly with the domain. To check that, simply run nltest /sc_verify:DomainName
Check also whether the CA Server is connected to a writable Domain Controller.
The Enterprise Admins group is the most powerful group and has the full control permissions ADCS requires, but who knows – maybe someone changed the default permissions? Run adsiedit.msc on a Domain Controller, connect to the default context and first of all check whether the CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container exists. If so, check the permissions for all subcontainers under Public Key Services to confirm that the Enterprise Admins group has full control permissions. The main subcontainers to verify are the Certificate Templates, OID, and KRA containers.
If none of the above tips help, disjoin the server from the domain and join it again. Ultimately, reinstall the operating system on the CA Server.
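The checks in this guide can be collected into one read-only pre-flight run on the intended CA server. This is an added example, not part of the quoted guide; the function name is hypothetical, the "deny only" attribute text assumes an English-language system, and the well-known RIDs 519 and 512 stand for Enterprise Admins and Domain Admins.

```powershell
# Added example (not from the quoted guide): read-only pre-flight checks.
# Run on the intended CA server, in the session that will install AD CS.
function Test-EnterpriseCaPrereq {
    param([string]$CertOcmLog = "$env:windir\certocm.log")

    # Member server: the Enterprise CA option needs a domain-joined machine.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    "Domain joined        : $($cs.PartOfDomain) ($($cs.Domain))"

    # DNS: with no DNS server configured the CA server cannot find the domain.
    $dns = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
    if ($dns.Count) { "DNS servers          : $($dns -join ', ')" }
    else { 'DNS servers          : NONE CONFIGURED' }

    # Membership as this server sees it (whoami /groups). /nh drops the
    # localized header row, so the column names below are supplied here.
    $groups = @(whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes)
    $ea = @($groups | Where-Object { $_.SID -match '^S-1-5-21-.+-519$' })
    $da = @($groups | Where-Object { $_.SID -match '^S-1-5-21-.+-512$' })
    $la = @($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' })
    "Enterprise Admins    : $($ea.Count -gt 0)"
    # RID 512 matches Domain Admins of any domain; confirm it is the forest root.
    "Domain Admins        : $(($da | ForEach-Object { $_.Name }) -join ', ')"
    if (-not $la.Count) {
        'Local Administrators : not a member'
    } elseif ($la[0].Attributes -match 'deny only') {
        # Assumes English attribute text. Deny-only means a filtered UAC token.
        'Local Administrators : deny-only (session is not elevated)'
    } else {
        'Local Administrators : True'
    }

    if ($cs.PartOfDomain) {
        # Secure channel to a domain controller, as nltest reports it.
        nltest "/sc_verify:$($cs.Domain)" 2>&1 |
            Where-Object { "$_" -match 'Status|Trusted DC Name' } |
            ForEach-Object { 'nltest               : ' + "$_".Trim() }

        # The configuration-partition container the Enterprise CA writes to.
        $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
        $pks = "LDAP://CN=Public Key Services,CN=Services,$cfg"
        "Public Key Services  : $([System.DirectoryServices.DirectoryEntry]::Exists($pks))"
    }

    # Setup log: surface the reason codes the installer recorded, if any.
    if (Test-Path $CertOcmLog) {
        Select-String -Path $CertOcmLog -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON_\w+' |
            ForEach-Object { $_.Matches[0].Value } | Sort-Object -Unique |
            ForEach-Object { "certocm.log          : $_" }
    } else {
        "certocm.log          : not found at $CertOcmLog"
    }
}

Test-EnterpriseCaPrereq
```

The script changes nothing; permissions on the Certificate Templates, OID and KRA subcontainers still need to be reviewed in adsiedit.msc as described above.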
Q154. Your network contains an Active Directory domain named contoso.com.
You plan to deploy a child domain named sales.contoso.com.
The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com.
You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by using fully qualified domain names (FQDNs).
What should you do?
A. Create a DNS forwarder.
B. Create a DNS delegation.
C. Configure root hint servers.
D. Configure an alternate DNS server on all client computers.
http://technet.microsoft.com/en-us/library/cc784494%28v=ws.10%29.aspx
Delegating zones
DNS provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
A need to delegate management of part of your DNS namespace to another location or department within your organization.
A need to divide one large zone into smaller zones for distributing traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.
A need to extend the namespace by adding numerous subdomains at once, such as to accommodate the opening of a new branch or site.
If, for any of these reasons, you could benefit from delegating zones, it might make sense to restructure your namespace by adding additional zones. When choosing how to structure zones, you should use a plan that reflects the structure of your organization.
When delegating zones within your namespace, be aware that for each new zone you create, you will need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers being made authoritative for the new zone.
When a standard primary zone is first created, it is stored as a text file containing all resource record information on a single DNS server. This server acts as the primary master for the zone. Zone information can be replicated to other DNS servers to improve fault tolerance and server performance. When structuring your zones, there are several good reasons to use additional DNS servers for zone replication:
1. Added DNS servers provide zone redundancy, enabling DNS names in the zone to be resolved for clients if a primary server for the zone stops responding.
2. Added DNS servers can be placed so as to reduce DNS network traffic. For example, adding a DNS server to the opposing side of a low-speed WAN link can be useful in managing and reducing network traffic.
3. Additional secondary servers can be used to reduce loads on a primary server for a zone.
Example: Delegating a subdomain to a new zone
As shown in the following figure, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.
In this example, an authoritative DNS server computer for the newly delegated example.microsoft.com subdomain is named based on a derivative subdomain included in the new zone (ns1.us.example.microsoft.com). To make this server known to others outside of the new delegated zone, two RRs are needed in the microsoft.com zone to complete delegation to the new zone. These RRs include:
An NS RR to effect the delegation. This RR is used to advertise that the server named ns1.us.example.microsoft.com is an authoritative server for the delegated subdomain.
An A RR (also known as a glue record) is needed to resolve the name of the server specified in the NS RR to its IP address. The process of resolving the host name in this RR to the delegated DNS server in the NS RR is sometimes referred to as glue chasing.
Note: When zone delegations are correctly configured, normal zone referral behavior can sometimes be circumvented if you are using forwarders in your DNS server configuration.
Q155. Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7.
From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO).
You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.
You need to ensure that the audit policy is applied to all member servers and all client computers.
What should you do?
A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.
Advanced audit policy settings cannot be applied using group policy to Windows Server 2008 servers. To circumvent that we have to use a logon script to apply the audit policy to the Windows Server 2008 member servers.
Explanation1: http://technet.microsoft.com/en-us/library/ff182311.aspx
Advanced Security Auditing FAQ
The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
Note: In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
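A script-based deployment of the kind described above can also confirm that the settings took effect. This is an added example, not taken from the quoted FAQ; it is meant to run as a computer startup script on a Windows Server 2008 member server. The baseline values are constructed for illustration, the function names are hypothetical, and the subcategory and setting names assume an English-language system.

```powershell
# Added example: apply an advanced audit baseline with auditpol.exe, then
# read the effective policy back and report any subcategory that differs.
# Constructed baseline for illustration; substitute your own policy.
$Baseline = @{
    'Logon'                     = 'Success and Failure'
    'Account Lockout'           = 'Success'
    'Security Group Management' = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
}

function Set-AuditBaseline {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        # 'No Auditing' contains neither word, so both switches are disabled.
        $s = if ($Expected[$name] -match 'Success') { 'enable' } else { 'disable' }
        $f = if ($Expected[$name] -match 'Failure') { 'enable' } else { 'disable' }
        auditpol /set "/subcategory:$name" "/success:$s" "/failure:$f" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol failed for '$name' (exit code $LASTEXITCODE)"
        }
    }
}

function Get-AuditSubcategory {
    # /r produces CSV output; blank lines are dropped before parsing.
    auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function Get-AuditDrift {
    param([hashtable]$Expected, $Actual)
    foreach ($name in $Expected.Keys) {
        $row  = $Actual | Where-Object { $_.Subcategory.Trim() -eq $name }
        $have = if ($row) { $row.'Inclusion Setting' } else { '<missing>' }
        if ($have -ne $Expected[$name]) {
            New-Object PSObject -Property @{
                Subcategory = $name
                Expected    = $Expected[$name]
                Actual      = $have
            }
        }
    }
}

Set-AuditBaseline -Expected $Baseline
$drift = @(Get-AuditDrift -Expected $Baseline -Actual (Get-AuditSubcategory))
if ($drift.Count) {
    # A non-zero exit code lets whatever collects script results flag the host.
    $drift | Format-Table Subcategory, Expected, Actual -AutoSize
    exit 1
}
```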
Q156. Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.
You implement Active Directory Rights Management Services (AD RMS).
You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied."
You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of the solution.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1
RMS Administration Issues
"SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site
If you have installed RMS by using a new installation of SQL Server 2005 as your database server, the SQL Server Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart, RMS will not be able to function and only the RMS Global Administration page will be accessible. After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.
Q157. Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level.
As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents.
You need to configure AD RMS to enable users to use it and protect their documents.
What should you do to achieve this functionality?
A. Configure an email account in Active Directory Domain Services (AD DS) for each user.
B. Add and configure ADRMSADMIN account in local administrators group on the user computers
C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group
D. Reinstall the Active Directory domain on user computers
E. All of the above
http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx
AD RMS Step-by-Step Guide
For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.
Q158. You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.
Compact the Directory Database File (Offline Defragmentation)
You can use this procedure to compact the Active Directory database offline. Offline
defragmentation returns free disk space in the Active Directory database to the file system.
As part of the offline defragmentation procedure, check directory database integrity.
Performing offline defragmentation creates a new, compacted version of the database file in a different location.
Explanation 2: Mastering Windows Server 2008 R2 (Sybex, 2010) page 805
Performing Offline Defragmentation of Ntds.dit
These steps assume that you will be compacting the Ntds.dit file to a local folder. If you plan to defragment and compact the database to a remote shared folder, map a drive letter to that shared folder before you begin these steps, and use that drive letter in the path where appropriate.
1. Open an elevated command prompt. Click Start, and then right-click Command Prompt. Click Run as Administrator.
2. Type ntdsutil, and then press Enter.
3. Type Activate instance NTDS, and press Enter.
4. At the resulting ntdsutil prompt, type Files (case sensitive), and then press Enter.
5. At the file maintenance prompt, type compact to followed by the path to the destination folder for the defragmentation, and then press Enter.
Q159. Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows Server 2008.
You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to provide user authentication.
What do you need to configure, in order to complete the deployment of AD RMS?
A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company _DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company _SRV5
E. None of the above
http://technet.microsoft.com/en-us/library/dd772753%28v=ws.10%29.aspx
AD RMS Client Requirements
Windows AD RMS Client
Windows 7, all editions
Windows Server 2008 R2, all editions except Core Editions
Windows Vista, all editions
Windows Server 2008, all editions except Core Editions
Windows XP SP3 32-bit Edition
Windows XP SP3 64-bit Edition
Windows Server 2003 with SP1 32-bit Edition
Windows Server 2003 with SP1 64-bit Edition
Windows Server 2003 for Itanium-based systems with SP1
Windows Server 2003 R2 32-bit Edition
Windows Server 2003 R2 64-bit Edition
Windows Server 2003 R2 for Itanium-based systems
Windows Small Business Server 2003 32-bit Edition
Windows Server 2000 SP4 32-bit Edition
http://technet.microsoft.com/en-us/library/dd772659%28v=ws.10%29.aspx
AD RMS Prerequisites
Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server 2008 R2 for the first time, there are several requirements that must be met. Install the AD RMS server as a member server in the same Active Directory Domain Services (AD DS) forest as the user accounts that will be using rights-protected content.
Q160. Your network contains an Active Directory forest. The forest contains a single domain.
You want to access resources in a domain that is located in another forest.
You need to configure a trust between the domain in your forest and the domain in the other forest.
What should you create?
A. an incoming external trust
B. an incoming realm trust
C. an outgoing external trust
D. an outgoing realm trust
A one-way, incoming, external trust allows users in your domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to access resources in another Active Directory domain (outside your forest).