15 tips on microsoft.com 70-640


70-640 Product Description:
Exam Number/Code: 70-640 vce
Exam name: TS: Windows Server 2008 Active Directory. Configuring
Certification: Microsoft Certification

2016 Apr 70-640 Study Guide Questions:

Q1. You have an enterprise subordinate certification authority (CA). 

You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment. 

You increase the template key length to 2,048 bits. 

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template. 

Which console should you use? 

A. Active Directory Administrative Center 

B. Certification Authority 

C. Certificate Templates 

D. Group Policy Management 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc771246.aspx 

Re-Enroll All Certificate Holders 

This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll. 

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration. 

To re-enroll all certificate holders 

1. Open the Certificate Templates snap-in. 

2. Right-click the template that you want to use, and then click Reenroll All Certificate Holders. 


Q2. You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2. 

What is the minimal forest functional level that you should use? 

A. Windows Server 2008 R2 

B. Windows Server 2008 

C. Windows Server 2003 

D. Windows 2000 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc731243.aspx 

Prerequisites for Deploying an RODC 

Complete the following prerequisites before you deploy a read-only domain controller (RODC): 

Ensure that the forest functional level is Windows Server 2003 or higher, so that linked-value replication (LVR) is available. 


Q3. Your network contains an Active Directory domain named contoso.com. 

You need to identify whether the Active Directory Recycle Bin is enabled. 

What should you do? 

A. From Ldp, search for the Reanimate-Tombstones object. 

B. From Ldp, search for the LostAndFound container. 

C. From Windows PowerShell, run the Get-ADObject cmdlet. 

D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet. 

Answer: D 

Explanation: 

http://www.frickelsoft.net/blog/?p=224 

How can I check whether the AD Recycle-Bin is enabled in my R2 forest? 

[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.] 


Q4. Your company has an Active Directory forest that contains client computers that run Windows Vista and Microsoft Windows XP. 

You need to ensure that users are able to install approved application updates on their computers. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Set up Automatic Updates through Control Panel on the client computers. 

B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site. 

C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates. 

D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates. 

Answer: C,D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx 

Configure Automatic Updates by Using Group Policy 

When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO) linked to an Active Directory container appropriate for your environment. 


Q5. Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers. 

The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.) 


You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Create a zone delegation record in the contoso.com zone. 

B. Create a zone delegation record in the eu.contoso.com zone. 

C. Create an Active Directory-integrated zone for _msdsc.contoso.com. 

D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com. 

Answer: A,C 

Explanation: 

Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo. 


Q6. Your network contains an Active Directory domain named contoso.com. 

You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes. 

Which security policy setting should you configure? 

A. Audit Sensitive Privilege Use 

B. Audit User Account Management 

C. Audit Directory Service Changes 

D. Audit Other Account Management Events 

Answer: C 

Explanation: 

Explanation 1: http://technet.microsoft.com/en-us/library/dd772641.aspx 

Audit Directory Service Changes 

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). 

Explanation 2: http://technet.microsoft.com/en-us/library/cc731607.aspx 

AD DS Auditing Step-by-Step Guide 

This guide includes a description of the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008. With the new auditing feature, you can log events that show old and new values; for example, you can show that Joe's favorite drink changed from single latte to triple-shot latte. 


Q7. Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. 

You install Windows Server 2008 R2 on a server. 

You need to add the new server as a domain controller in your domain. 

What should you do first? 

A. On a domain controller run adprep /rodcprep. 

B. On the new server, run dcpromo /adv. 

C. On the new server, run dcpromo /createdcaccount. 

D. On a domain controller, run adprep /forestprep. 

Answer: D 

Explanation: 

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/9931e32f-6302-40f0-a7a1-2598a96cd0c1/ 

DC promotion and adprep/forestprep 

Q: I've tried to dcpromo a new Windows 2008 server installation to be a Domain Controller, running in an existing domain. I am informed that, first, I must run adprep/forestprep ("To install a domain controller into this Active Directory forest, you must first prepare the forest using "adprep/forestprep". The Adprep utility is available on the Windows Server 2008 installation media in the Windows\sources\adprep folder"). 

A1: You can run adprep from an existing Windows Server 2003 domain controller. Copy the contents of the \sources\adprep folder from the Windows Server 2008 installation DVD to the schema master role holder and run Adprep from there. 

A2: to introduce the first W2K8 DC within an AD forest.... 

 (1) no AD forest exists yet: 

--> on the stand alone server execute: DCPROMO 

--> and provide the information needed 

 (2) an W2K or W2K3 AD forest already exists: 

--> ADPREP /Forestprep on the w2k/w2k3 schema master (both w2k/w2k3 forests) 

--> ADPREP /rodcprep on the w2k3 domain master (only w2k3 forests) 

--> ADPREP /domainprep on the w2k3 infrastructure master (only w2k3 domains) 

--> ADPREP /domainprep /gpprep on the w2k infrastructure master (only w2k domains) 

--> on the stand alone server execute: DCPROMO 

--> and provide the information needed 


Q8. Active Directory Rights Management Services (AD RMS) is deployed on your network. 

Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS. 

You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices. 

What should you do? 

A. Modify the security of the ServerCertification.asmx file. 

B. Modify the security of the MobileDeviceCertification.asmx file. 

C. Enable anonymous authentication for the _wmcs virtual directory. 

D. Enable anonymous authentication for the certification virtual directory. 

Answer: B 

Explanation: 

http://technet.microsoft.com/en-us/library/ff608252%28v=ws.10%29.aspx 

Windows Mobile Considerations for AD RMS 

AD RMS and Windows Mobile Requirements 

Active Directory Rights Management Services (AD RMS) integrates with Microsoft Windows Mobile in Windows Mobile 6 and later devices. End users can create and consume protected e-mail messages and can read protected Microsoft Office documents on their Windows Mobile device. 

AD RMS client capabilities are embedded in the operating system of Windows Mobile 6 and later devices. There is no AD RMS client available for Windows Mobile 5.0 or earlier; AD RMS can be used only on devices with Windows Mobile 6 and later. There is full interoperability when sharing AD RMS protected content between the different versions and editions of Windows Mobile 6 or later. 

By default, the discretionary access control list (DACL) of the AD RMS mobile certification pipeline is restricted and must be enabled for Windows Mobile 6 or later devices to obtain certificates and licenses to create and consume AD RMS protected content. You can enable the certification of mobile devices by giving the AD RMS Service Group and the user account objects of the AD RMS-enabled application Read and Read & Execute permissions to the MobileDeviceCertification.asmx file. This file is located under %systemdrive%\Inetpub\wwwroot\_wmcs\Certification by default. You must complete this process on each AD RMS server in the cluster. 


Q9. Your company has a main office and a branch office. 

The network contains a single Active Directory domain. 

The main office contains a domain controller named DC1. 

You need to install a domain controller in the branch office by using an offline copy of the Active Directory database. 

What should you do first? 

A. From the Ntdsutil tool, create an IFM media set. 

B. From the command prompt, run djoin.exe /loadfile. 

C. From Windows Server Backup, perform a system state backup. 

D. From Windows PowerShell, run the get-ADDomainController cmdlet. 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc816722%28v=ws.10%29.aspx 

Installing an Additional Domain Controller by Using IFM 

When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. 

Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation. 


Q10. Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table. 


You need to ensure that all device certificate requests use the MD5 hash algorithm. 

What should you do? 

A. On Server2, run the Certutil tool. 

B. On Server1, update the CEP Encryption certificate template. 

C. On Server1, update the Exchange Enrollment Agent (Offline Request) template. 

D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/ff955642.aspx 

Managing Network Device Enrollment Service 

Configuring NDES 

NDES stores its configuration in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP. 

To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table. 

Key name: HashAlgorithm \ HashAlgorithm 

Value data type: String 

Default value: SHA1 

Description: Accepted values are SHA1 and MD5. 


Q11. HOTSPOT 

Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1. 

You assign Contoso\Domain Users the Manage documents permission and the Print permission to a shared printer on Server1. 

You discover that users from contoso.com cannot access the shared printer on Server1. 

You need to ensure that the contoso.com users can access the shared printer on Server1. 

Which permission should you assign to Contoso\Domain Users? 

To answer, select the appropriate permission in the answer area. 


Answer: 



Q12. Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com. 

You discover that non-domain member computers register records in the contoso.com zone. 

You need to prevent the non-domain member computers from registering records in the contoso.com zone. 

All domain member computers must be allowed to register records in the contoso.com zone. 

What should you do first? 

A. Configure a trust anchor. 

B. Run the Security Configuration Wizard (SCW). 

C. Change the contoso.com zone to an Active Directory-integrated zone. 

D. Modify the security settings of the %SystemRoot%\System32\Dns folder. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx 

Active Directory-Integrated Zones 

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages: 

Multiple masters are created for DNS replication. Therefore: Any domain controller in the domain running the DNS server service can write updates to the Active Directory–integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed. 

Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS. 


Q13. Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers. 

You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve this goal by using the minimum amount of administrative effort. 

What should you do? 

A. From Event Viewer on the member server, create a subscription. 

B. From Event Viewer on each domain controller, create a subscription. 

C. From Event Viewer on the member server, run the Create Basic Task Wizard. 

D. From Event Viewer on each domain controller, run the Create Basic Task Wizard. 

Answer: C 

Explanation: 

Since the member server is collecting all domain controller events we just need to run the Create Basic Task Wizard on the member server, which enables us to send an e-mail when a specific event is logged. Running the wizard on every domain controller would work, but is much more work and we need to use the minimum amount of administrative effort. 

Explanation: 

http://technet.microsoft.com/en-us/library/cc748900.aspx 

To Run a Task in Response to a Given Event 

1. Start Event Viewer. 

2. In the console tree, navigate to the log that contains the event you want to associate with a task. 

3. Right-click the event and select Attach Task to This Event. 

4. Perform each step presented by the Create Basic Task Wizard. In the Action step in the wizard you can decide to send an e-mail. 


Q14. As an administrator at Company, you have installed an Active Directory forest that has a single domain. 

You have installed Active Directory Federation Services (AD FS) on the domain member server. 

What should you do to configure AD FS to make sure that AD FS tokens contain information from the Active Directory domain? 

A. Add a new account store and configure it. 

B. Add a new resource partner and configure it 

C. Add a new resource store and configure it 

D. Add a new administrator account on AD FS and configure it 

E. None of the above 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc772309%28v=ws.10%29.aspx 

Step 3: Installing and Configuring AD FS 

Now that you have configured the computers that will be used as federation servers, you are ready to install Active Directory Federation Services (AD FS) components on each of the computers. This section includes the following procedures: 

Install the Federation Service on ADFS-RESOURCE and ADFS-ACCOUNT 

Configure ADFS-ACCOUNT to work with AD RMS 

Configure ADFS-RESOURCE to Work with AD RMS 


Q15. Your company has two domain controllers that are configured as internal DNS servers. All zones on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates. 

You discover that the contoso.com zone has multiple entries for the host names of computers that do not exist. 

You need to configure the contoso.com zone to automatically remove expired records. 

What should you do? 

A. Enable only secure updates on the contoso.com zone. 

B. Enable scavenging and configure the refresh interval on the contoso.com zone. 

C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone. 

D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone 

Answer: B 

Explanation: 

http://www.it-support.com.au/configure-aging-and-scavenging-of-a-dns-server/2012/12/ 

Configure aging and scavenging of a DNS Server 

Resource records that are either outdated or decayed from DNS zone data are removed through the use of the Server aging and scavenging feature in Windows Server 2008. Issues develop if decayed resource records are not dealt with, such as: 

Zone transfers take longer as the DNS server disk space contains a large number of stale records. 

The accumulation of stale records degrades the DNS server performance and response time. 

Potential conflicts can occur, if an IP address in a dynamic DNS environment is assigned to a different host. 

By default, the aging and scavenging feature is disabled. In order to use this particular feature, the user is required to enable the operations on the zone and at the DNS server. In addition, a user is able to manually enable individual resource records to be aged and scavenged. This process involves permitting the records to use the current (non-zero) timestamp value. The aging and scavenging operation figures out when the records should be cleared by reviewing their timestamps. The DNS Server uses a simple equation when setting a time value on a record: current server time + refresh interval. 

Procedure: Navigate to Start - Administrative Tools – DNS Manager. Right click the relevant DNS server and select Set Aging/Scavenging for All Zones from the drop down list. 


The Server Aging/Scavenging Properties dialog box opens. Tick the option Scavenge stale resource records. 

Under the No-refresh interval heading, specify the duration for which the server must not refresh its records. Configuring this setting reduces replication traffic as unnecessary updates to existing records are prevented. 

Under the Refresh interval heading, specify the duration for which the server must refresh its records. The refresh interval is the time required between when a no-refresh interval expires and when a record is considered stale. 

When you have configured these settings, click OK to continue. 


A confirmation box appears showing a summary of your settings. Tick the Apply these settings to the existing Active Directory-integrated zones option and click OK. 


The Aging and Scavenging intervals have now been configured for all zones managed by the DNS server. 

http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-bepatient.aspx 

Don't be afraid of DNS Scavenging. Just be patient. 

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bb556cfb-3217-4dcf-af4f-460366faa1b8 

Best Practices configuration for DNS server on Windows 2008 R2 Server (aging/scavenging, etc.)
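
The aging arithmetic described in the Q15 explanation, as an added example that is not part of the original page or the cited articles: it classifies records by timestamp against the no-refresh and refresh intervals and flags stale records whose IP address is now held by a live host, the conflict case mentioned above. The record names, addresses, the fixed clock and the 7-day intervals are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD-integrated DNS stores a record's timestamp as whole hours since
# 1601-01-01 UTC; a timestamp of 0 marks a static record that never ages.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_REFRESH_H = 7 * 24   # assumed zone setting: 7-day no-refresh interval
REFRESH_H = 7 * 24      # assumed zone setting: 7-day refresh interval


def to_ad_hours(moment):
    """Convert an aware datetime to hours since 1601-01-01 UTC."""
    return int((moment - EPOCH_1601).total_seconds() // 3600)


def classify(timestamp_h, now, no_refresh_h=NO_REFRESH_H, refresh_h=REFRESH_H):
    """Return 'static', 'no-refresh', 'refresh' or 'stale' for one record."""
    if timestamp_h == 0:
        return "static"
    age_h = to_ad_hours(now) - timestamp_h
    # A timestamp slightly in the future (clock skew) gives a negative age
    # and is treated as freshly registered.
    if age_h < no_refresh_h:
        return "no-refresh"
    if age_h < no_refresh_h + refresh_h:
        return "refresh"
    return "stale"


def stale_records(records, now):
    """Names of records that scavenging would be allowed to remove."""
    return [r["name"] for r in records
            if classify(r["timestamp_h"], now) == "stale"]


def ip_conflicts(records, now):
    """(ip, stale_name, live_name) where a stale record shares a live IP."""
    live = {}
    for r in records:
        if classify(r["timestamp_h"], now) != "stale":
            live.setdefault(r["ip"], []).append(r["name"])
    return [(r["ip"], r["name"], holder)
            for r in records
            if classify(r["timestamp_h"], now) == "stale"
            for holder in live.get(r["ip"], [])]


# Constructed sample data: a fixed clock and five hypothetical A records.
NOW = datetime(2016, 4, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"name": "ws01", "ip": "10.0.0.11",
     "timestamp_h": to_ad_hours(NOW - timedelta(days=2))},
    {"name": "ws02", "ip": "10.0.0.12",
     "timestamp_h": to_ad_hours(NOW - timedelta(days=10))},
    {"name": "oldpc", "ip": "10.0.0.11",
     "timestamp_h": to_ad_hours(NOW - timedelta(days=30))},
    {"name": "ghost", "ip": "10.0.0.40",
     "timestamp_h": to_ad_hours(NOW - timedelta(days=15))},
    {"name": "dc1", "ip": "10.0.0.1", "timestamp_h": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["name"], classify(rec["timestamp_h"], NOW))
    print("stale:", stale_records(SAMPLE_RECORDS, NOW))
    print("conflicts:", ip_conflicts(SAMPLE_RECORDS, NOW))
```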