70-640 TS: Windows Server 2008 Active Directory, Configuring

NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7.
You need to forward the logon events of all the domain controllers in contoso.com to Computer1.
All new domain controllers must be dynamically added to the subscription.
What should you do?

  • A. From Computer1, configure source-initiated event subscription. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
  • B. From Computer1, configure collector-initiated event subscription. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.
  • C. From Computer1, configure source-initiated event subscription. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).
  • D. From Computer1, configure collector-initiated event subscription. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

Answer: A

Explanation:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx
Setting up a Source Initiated Subscription
Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription.
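As an added example (not part of the original question or the MSDN article), the collector side of a source-initiated subscription could be scripted as below. The subscription name, file path, event ID 4624 as the logon event, the `DD` (Domain Controllers) SDDL entry and the WinRM 2.0 port 5985 are assumptions chosen for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the collector (Computer1).
# Names, paths and the event filter below are illustrative assumptions.

$subscriptionId = 'DC-Logon-Events'   # hypothetical subscription name
$configPath     = Join-Path $env:TEMP 'dc-logon-subscription.xml'

# 1. Prepare the collector: WinRM listener and Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# 2. Source-initiated subscription. No source computers are listed; instead,
#    AllowedSourceDomainComputers is an SDDL string naming who may forward.
#    "DD" is the SDDL alias for the Domain Controllers group, so a newly
#    promoted domain controller is covered without editing the subscription.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon events from all domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@

Set-Content -Path $configPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $configPath
if ($LASTEXITCODE -ne 0) {
    throw "wecutil cs failed with exit code $LASTEXITCODE"
}

# 3. Review the stored configuration and, once sources check in, their status.
wecutil gs $subscriptionId
wecutil gr $subscriptionId

# 4. Source side: in the GPO linked to the Domain Controllers OU, the
#    Subscription Manager setting under the Event Forwarding node points the
#    domain controllers at this collector, for example (assumed host and port):
#    Server=http://Computer1.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
```

Forwarding from the Security log also requires that the forwarding account on each domain controller (Network Service) is allowed to read that log.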

NEW QUESTION 2
A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted.
You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online.
What should you do?

  • A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.
  • B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.
  • C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.
  • D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.

Answer: D

Explanation:
http://support.microsoft.com/kb/232122
Performing offline defragmentation of the Active Directory database
Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller.
http://rickardnobel.se/when-to-offline-defrag-ntds-dit/
When to offline defrag the Active Directory database
This article will show a simple way to determine if there is any gain to do an offline defrag of your Active Directory database.
During normal operations the Active Directory service will do an online defragmentation of the Active Directory database (always called ntds.dit) each 12 hours. This online defrag will arrange all pages in an optimal way internal in the ntds.dit, however the file size will never shrink, sometimes even grow.
During the years of operations of the ntds.dit the file size will increase as user accounts, organizational units, groups, computers, dns records and more are added and later removed. When deleted objects are finally removed (after the so called tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not decrease.
The actual size of the ntds.dit could be easily studied through Explorer, as above. The size of the database is in this example around 575 MB. Note that Active Directory does not use a file level replication, so the file could be of various size on each Domain Controller in your domain.
If wanted there is the possibility to take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pages the best possible way, and also to reclaim any empty space inside the database, which could make backup and restore faster and also possible increase AD performance.
The offline defrag means “offline” from an Active Directory perspective. This means that on Windows 2000 and 2003 you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will have to stop the AD services by typing “net stop ntds” in the command prompt. So in Windows 2008 and later it is far easier, but still something that you do not want to do if not necessary.
There are numerous article on the web how to do the actual offline defrag, so we will not cover that part here. However, we will see the perhaps most important information and that is to be able to see in advance the amount of space that we could reclaim. With this information we could make our decision based on fact and not guesses. This has been possible since at least Windows 2003, but is not well documented.
To enable this you will have to alter a registry value on the Domain Controller you will investigate the reclaimable MBs. Use regedit and find the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics
Change the value “6 Garbage Collection” from 0 to 1. This will increase the logging from the Garbage Collection process which runs together with the online defrag. So now wait for the next online defragmentation which runs twice a day and then study the Directory Service log in Event Viewer.
Search for event id 1646, usually together with event ids 700 and 701.
Here we can note the amount of space that would be reclaimed from an offline defrag. The top value is the number of MB that the offline defrag would recover, here almost half the database size. If the amount is negligible then do not worry about this any more, and if there is a considerable amount of MBs reported then you could plan to do the offline defrag.
Note that both the change of registry key and the actual offline defrag has to be done on
each domain controller, since neither does replicate.
As noted above we will not look at the commands for the offline defragmentation here,
since they are well documented already.
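The registry change and event lookup described above can also be scripted. The following is an added example, not taken from either quoted article; it assumes an elevated PowerShell 2.0 or later session on the domain controller, and the function names are hypothetical.

```powershell
# Added example: run elevated on the domain controller being investigated.
# Function names are hypothetical; the key, value name and event ID are the
# ones named in the explanation above.

$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valueName = '6 Garbage Collection'
$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-GarbageCollectionLogging {
    # 0 = default logging, 1 = also log event 1646 during garbage collection.
    param([ValidateRange(0, 5)][int]$Level)
    Set-ItemProperty -Path $diagKey -Name $valueName -Value $Level
}

function Get-ReclaimableSpaceReport {
    # Current on-disk size of ntds.dit, for comparison with the event text.
    $ditPath   = (Get-ItemProperty -Path $paramKey).'DSA Database file'
    $ditSizeMB = [math]::Round((Get-Item -LiteralPath $ditPath).Length / 1MB)

    # Event 1646 only appears after a garbage collection pass that ran with
    # logging level 1, so an empty result is expected right after the change.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'
        Id      = 1646
    } -MaxEvents 3 -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning 'No event 1646 found yet; wait for the next online defragmentation.'
        return
    }

    $events | Select-Object TimeCreated,
        @{ Name = 'NtdsDitSizeMB'; Expression = { $ditSizeMB } },
        Message
}

# Step 1: raise the logging level.
Set-GarbageCollectionLogging -Level 1

# Step 2: after the next online defragmentation, read the report.
Get-ReclaimableSpaceReport | Format-List

# Step 3: once the figure has been recorded, return to the default level.
# Set-GarbageCollectionLogging -Level 0
```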

NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com.
The properties of the contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)
70-640 dumps exhibit
You need to update all service location (SRV) records for a domain controller in the domain.
What should you do?

  • A. Restart the Netlogon service.
  • B. Restart the DNS Client service.
  • C. Run sc.exe and specify the triggerinfo parameter.
  • D. Run ipconfig.exe and specify the /registerdns parameter.

Answer: A

Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

NEW QUESTION 4
Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS.
You need to update AD RMS to use the new password.
Which console should you use?

  • A. Active Directory Rights Management Services
  • B. Active Directory Users and Computers
  • C. Component Services
  • D. Services

Answer: A

Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-serviceaccount-password.aspx
AD RMS How To: Change the RMS Service Account Password
The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.
It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly. These processes include, but are not limited to, the following items.
* Ensure the service account meets the criteria (is a domain account, is not the domain account that provisioned RMS, etc.)
* Temporarily suspends RMS functionality on the server during the change
* Updates the RMS local groups
* Updates the database role for the service account
* Updates and restarts the MSMQ and logging services
* Updates the service account for the _DRMSAppPool1 web application pool
* Updates appropriate AD RMS configuration database tables
There are important requirements to run this wizard.
* Must be logged on to the AD RMS server
* Account running the wizard must be:
  * A local administrator on the RMS server,
  * A member of the AD RMS Enterprise Administrators group, and
  * A SQL SysAdmin on the AD RMS instance
Lastly, this must be performed on each server of the AD RMS cluster.

NEW QUESTION 5
Your company has an Active Directory forest that contains client computers that run Windows Vista and Microsoft Windows XP.
You need to ensure that users are able to install approved application updates on their computers.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Set up Automatic Updates through Control Panel on the client computers.
  • B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.
  • C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.
  • D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.
Answer: CD

Explanation:
http://technet.microsoft.com/en-us/library/cc720539%28v=ws.10%29.aspx
Configure Automatic Updates by Using Group Policy
When you configure the Group Policy settings for WSUS, use a Group Policy object (GPO)
linked to an Active Directory container appropriate for your environment.

NEW QUESTION 6
Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA. What should you do first?

  • A. Add the DNS Server server role.
  • B. Add the Active Directory Lightweight Directory Services (AD LDS) server role.
  • C. Join the server to the domain.
  • D. Add the Web Server (IIS) server role and the AD CS server role.

Answer: C

NEW QUESTION 7
You need to create a Password Settings object (PSO).
Which tool should you use?

  • A. Active Directory Users and Computers
  • B. ADSI Edit
  • C. Group Policy Management Console
  • D. Ntdsutil

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc754461.aspx
You can create Password Settings objects (PSOs):
* using the Active Directory module for Windows PowerShell
* using ADSI Edit
* using ldifde

NEW QUESTION 8
You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?

  • A. Active Directory Administrative Center
  • B. Event Viewer
  • C. Resource Monitor
  • D. Security Configuration Wizard

Answer: B

Explanation:
MS Press - Self-Paced Training Kit (Exam 70-642) (2nd Edition, 2011) page 525
Automatically Responding to Events
One of the most useful ways to use Task Scheduler is to launch a task in response to a specific event type that appears in Event Viewer. You can respond to events in three ways:
* Start A Program - Launches an application. Often, administrators write a script that carries out a series of tasks that they would otherwise need to manually perform, and automatically run that script when an event appears.
* Send An E-mail - Sends an email by using the Simple Mail Transport Protocol (SMTP) server you specify. Often, administrators configure urgent events to be sent to a mobile device.
* Display A Message - Displays a dialog box showing a message. This is typically useful only when a user needs to be notified of something happening on the computer.
To trigger a task when an event occurs, follow one of these three procedures:
Find an example of the event in Event Viewer. Then, right-click the event and click Attach Task To This Event. A wizard will guide you through the process.

NEW QUESTION 9
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?

  • A. Credential Manager
  • B. Group Policy Management Editor
  • C. Active Directory Users and Computers
  • D. Active Directory Sites and Services

Answer: C

Explanation:
Use Active Directory Users and Computers to determine the value of the msDS-PSOApplied attribute of the specific group:
1. Open the Properties window for the group in Active Directory Users and Computers.
2. Click the Attribute Editor tab, and then click Filter
3. Ensure that the Show attributes/Optional check box is selected.
4. Ensure that the Show read-only attributes/Backlinks check box is selected.
5. Locate the value of msDS-PSOApplied in the Attributes list.
Explanation:
http://technet.microsoft.com/en-us/library/cc754544.aspx
Defining the scope of fine-grained password policies
A PSO can be linked to a user (or inetOrgPerson) or a group object that is in the same domain as the PSO: (...)
A new attribute named msDS-PSOApplied has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.
As stated previously, in Windows Server 2008, a user or group can have multiple PSOs applied to it since the msDS-PSOApplied attribute of the user and group objects has a back-link to the PSO.

NEW QUESTION 10
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store.
A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application.
You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company.
What should you create on Server1?

  • A. a new application
  • B. a resource partner
  • C. an account partner
  • D. an organization claim

Answer: D

Explanation:
Since the account store has already been configured, what needs to be done is to use the account store to map an AD DS global security group to an organization claim (called group claim extraction). So that's what we need to create for authentication: an organization claim.
Creating a resource/account partner is part of setting up the Federation Trust.
Explanation 1: http://technet.microsoft.com/en-us/library/dd378957.aspx
Configuring the Federation Servers [All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to post here.]
Explanation 2: http://technet.microsoft.com/en-us/library/cc732147.aspx
Add an AD DS Account Store
If user and computer accounts that require access to a resource that is protected by Active Directory Federation Services (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts.
Explanation 3: http://technet.microsoft.com/en-us/library/cc731719.aspx
Map an Organization Group Claim to an AD DS Group (Group Claim Extraction)
When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction.

NEW QUESTION 11
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Import the enterprise root CA certificate.
  • B. Import the OCSP Response Signing certificate.
  • C. Add the Server1 computer account to the CertPublishers group.
  • D. Set the Startup Type of the Certificate Propagation service to Automatic.

Answer: AB

Explanation:
Further information:
http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx
Online Responder Installation, Configuration, and Troubleshooting Guide
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.
Although validating the revocation status of certificates can be performed in multiple ways, the common mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses.
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-andplanning.aspx
Designing and Implementing a PKI: Part I Design and Planning
http://technet.microsoft.com/en-us/library/cc725937.aspx
Set Up an Online Responder
http://technet.microsoft.com/en-us/library/cc731099.aspx
Creating a Revocation Configuration

NEW QUESTION 12
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?

  • A. Repadmin
  • B. Active Directory Domains and Trusts console
  • C. Ldp
  • D. Ntdsutil

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/cc811569.aspx
Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions
between domain controllers that may or may not have replication agreements.
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all
replication partners.
Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]
Parameters
<DC>
Specifies the host name of the domain controller to synchronize with all replication partners.
<NamingContext>
Specifies the distinguished name of the directory partition.
<Flags>
Performs specific actions during the replication.

NEW QUESTION 13
Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

  • A. Configure the Block Inheritance setting on the R&D organizational unit.
  • B. Configure the Enforce setting on the software deployment GPO.
  • C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
  • D. Configure the Block Inheritance setting on the Production organizational unit.

Answer: AC

Explanation:
Answer: Configure the Block Inheritance setting on the R&D organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx
Managing inheritance of Group Policy
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.
Enforcing a GPO link
You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "enforced" was known as "No override."
In addition to using GPO links to apply policies, you can also control how GPOs are applied
by using security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Security filtering using GPMC
Security filtering
Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
Notes:
GPOs cannot be linked directly to users, computers, or security groups. They can only be
linked to sites, domains and organizational units. However, by using security filtering, you
can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
The location of a security group in Active Directory is irrelevant to security group filtering
and, more generally, irrelevant to Group Policy processing.
Further information:
http://technet.microsoft.com/en-us/library/cc731076.aspx
Block Inheritance
http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups
Active Directory
Shadow groups
In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed
within OUs are not automatically assigned access privileges based on their containing OU.
This is a design limitation specific to Active Directory. Other competing directories such as
Novell NDS are able to assign access privileges through object placement within an OU.
Active Directory requires a separate step for an administrator to assign an object in an OU
as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]

NEW QUESTION 14
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1.
In Site1, you install a new domain controller named DC2. You ship DC2 to Site2.
You discover that certain users in Site2 authenticate to DC1.
You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.
What should you do?

  • A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.
  • B. From Active Directory Sites and Services, modify the Location attribute for Site2.
  • C. From Active Directory Sites and Services, move the DC2 server object.
  • D. From Active Directory Users and Computers, move the DC2 computer object.

Answer: C

Explanation:
DC2 may be shipped to Site2, but it's not yet associated properly with Site2 in Active Directory.
Explanation1: http://technet.microsoft.com/en-us/library/cc816674.aspx
To move a server object to a new site
1. Open Active Directory Sites and Services.
2. In the console tree, expand Sites and the site in which the server object resides.
3. Expand Servers to display the domain controllers that are currently configured for that site.
4. Right-click the server object that you want to move, and then click Move.
5. In Site Name, click the destination site, and then click OK.
6. Expand the site object to which you moved the server, and then expand the Servers container.
7. Verify that an object for the server that you moved exists.
8. Expand the server object, and verify that an NTDS Settings object exists.
Explanation2: http://technet.microsoft.com/en-us/library/cc754697.aspx
Using sites
Sites help facilitate several activities, including: (...)
Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections.

NEW QUESTION 15
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2 Service Pack 1 (SP1).
The forest contains an application directory partition named dc=app1,dc=contoso,dc=com. A domain controller named DC1 has a copy of the application directory partition.
You need to configure a domain controller named DC2 to receive a copy of dc=app1,dc=contoso,dc=com.
Which tool should you use?

  • A. Dsamain
  • B. Ntdsutil
  • C. Active Directory Sites and Services
  • D. Dcpromo

Answer: C

Explanation: Active Directory Sites and Services is a Microsoft Management Console (MMC) snap-in that you can use to administer the replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest.
You can use the Active Directory Sites and Services snap-in to manage the site-specific objects that implement the intersite replication topology.

NEW QUESTION 16
Your network contains a single Active Directory domain.
You need to create an Active Directory Domain Services snapshot.
What should you do?

  • A. Use the Ldp tool.
  • B. Use the NTDSUtil tool.
  • C. Use the Wbadmin tool.
  • D. From Windows Server Backup, perform a full backup.

Answer: B

Explanation: http://technet.microsoft.com/en-us/library/cc753609.aspx
To create an AD DS or AD LDS snapshot
1. Log on to a domain controller as a member of the Enterprise Admins groups or the Domain Admins group.
2. Click Start, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds
7. At the snapshot prompt, type the following command, and then press ENTER: create

NEW QUESTION 17
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.
You have a custom certificate template named Template1. Template1 is published to the CA.
You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1.
Which snap-in should you use?

  • A. Security Templates
  • B. Enterprise PKI
  • C. Certification Authority
  • D. Certificate Templates
  • E. Certificates
  • F. TPM Management
  • G. Authorization Manager
  • H. Group Policy Management
  • I. Active Directory Users and Computers

Answer: D

Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 593
Configuring Certificate Templates
AD CS provides the Certificate Templates snap-in (Certtmpl.msc), which provides the
following capabilities:
(...)
Configuring access control lists (ACLs) on certificate templates

NEW QUESTION 18
You are the administrator for a large organization with multiple remote sites.
Your supervisor would like to have remote users log in locally to their own site, but he is
nervous about security.
What type of server can you implement to ease their concerns?

  • A. Domain controller
  • B. Global Catalog
  • C. Read-only domain controller
  • D. Universal Group Membership Caching Server

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc772234%28v=ws.10%29.aspx
Read-Only Domain Controllers Step-by-Step Guide
An RODC makes it possible for organizations to easily deploy a domain controller in
scenarios where physical security cannot be guaranteed, such as branch office locations,
or in scenarios where local storage of all domain passwords is considered a primary threat,
such as in an extranet or in an application-facing role.

NEW QUESTION 19
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?

  • A. Ntdsutil
  • B. Dnscmd
  • C. Repadmin
  • D. Nslookup

Answer: C

Explanation:
To make sure that the new DNS records are replicated to all DNS servers we can use the repadmin tool.
http://technet.microsoft.com/en-us/library/cc811569.aspx
Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions between domain controllers that may or may not have replication agreements.
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all replication partners.
Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]
Parameters
<DC>
Specifies the host name of the domain controller to synchronize with all replication partners.
<NamingContext>
Specifies the distinguished name of the directory partition.
<Flags>
Performs specific actions during the replication.

NEW QUESTION 20
Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).
You need to replicate the AD LDS instance on a test computer that is located on the network.
What should you do?

  • A. Run the repadmin /kcc <servername> command on the test computer.
  • B. Create a naming context by running the Dsmgmt command on the test computer.
  • C. Create a new directory partition by running the Dsmgmt command on the test computer.
  • D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc771946.aspx
Create a Replica AD LDS Instance
To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance.
To create a replica AD LDS instance
1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.
3. On the Setup Options page, click A replica of an existing instance, and then click Next.
4. Finish creating the new instance by following the wizard instructions.
