High value 70-640 Braindumps 2021

NEW QUESTION 1
The Company has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS.
You need to prepare the domain controller for disaster recovery apart from the routine backup procedures.
You are unable to launch the backup utility while attempting to back up the system state data for the data controller.
You need to backup system state data from the Windows Server 2008 domain controller server.
What should you do?

• A. Add your user account to the local Backup Operators group
• B. Install the Windows Server backup feature using the Server Manager featur
• C. Install the Removable Storage Manager feature using the Server Manager feature
• D. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the Windows 2003 serve
• E. None of the above

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspx Windows Server Backup Step-by-Step Guide for Windows Server 2008 The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server. 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system. What is Windows Server Backup? The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console (MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery
Environment.
You can use Windows Server Backup to create and manage backups for the local
computer or a remote computer. You can also schedule backups to run automatically and
you can perform one-time backups to augment the scheduled backups.

NEW QUESTION 2
Your network contains an Active Directory forest named contoso.com.
You need to provide a user named User1 with the ability to create and manage subnet objects.
The solution must minimize the number of permissions assigned to User1.
What should you do?

• A. From Active Directory Users and Computers, run the Delegation of Control wizar
• B. From Active Directory Administrative Centre, add User1 to the Schema Admins grou
• C. From Active Directory Sites and Services, run the Delegation of Control wizar
• D. From Active Directory Administrative Centre, add User1 to the Network Configuration Operators grou

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc736770.aspx
Delegate control of a site
To delegate control of a site
1. Open Active Directory Sites and Services.
2. Right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control Wizard.
3. Follow the instructions in the Delegation of Control Wizard.
Notes
(...)
In Active Directory Sites and Services, you can delegate control for the subnets, intersite
transports, sites, and server containers.

NEW QUESTION 3
Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each forest contains three domains. A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between Forest2 andForest3.
You need to configure the forests to meet the following requirements:
. Users in Forest3 must be able to access resources in Forest1
. Users in Forest1 must be able to access resources in Forest3.
. The number of trusts must be minimized.
What should you do?

• A. In Forest2, modify the name suffix routing setting
• B. In Forest1 and Forest3, configure selective authenticatio
• C. In Forest1 and Forest3, modify the name suffix routing setting
• D. Create a two-way forest trust between Forest1 and Forest3.
• E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.

Answer: D

Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, December 14 2012) page
639:
Forest Trusts
(...)
You can specify whether the forest trust is one-way, incoming or outgoing, or two-way. As mentioned earlier, a forest trust is transitive, allowing all domains in a trusting forest to trust all domains in a trusted forest. However, forest trusts are not themselves transitive. For example, if the tailspintoys.com forest trusts the worldwideimporters .com forest, and the worldwideimporters.com forest trusts the northwindtraders.com forest, those two trust relationships do not allow the tailspintoys.com forest to trust the northwindtraders.com forest. If you want those two forests to trust each other, you must create a specific forest trust between them.

NEW QUESTION 4
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company's corporate security policy states that when an employee resigns, his ability
to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?

• A. Revoke the employee's smart card certificat
• B. Disable the employee's Active Directory accoun
• C. Publish a new delta certificate revocation list (CRL).
• D. Reset the password for the employee's Active Directory accoun

Answer: B

Explanation:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice Delete or disable an Active Directory account? One best practice. I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. And then the reason for MSFT's lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.

NEW QUESTION 5
Your network contains an Active Directory forest named contoso.com.
You need to identify the Password Setting object (PSO) applied to a user named User1.
Which cmdlet should you run?

• A. Get-AdFineGrainedPasswordPolicy
• B. Get-AdFineGrainedPasswordPolicySubject
• C. Get- AdUserResultantPasswordPolicy
• D. Get-AdDefaultDomainPasswordPolicy

Answer: C

NEW QUESTION 6
Your network contains an Active Directory forest named contoso.com.
The forest contains an enterprise certification authority (CA). The enterprise CA is inaccessible from the internet.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is accessible from the Internet. Server1 can communicate with the enterprise CA.
You need to ensure that laptops that are joined to the domain can renew their certificates automatically from the Internet.
Which two role services should you install on Server1? (To answer, select the two appropriate role services in the answer area.)

Answer:

Explanation:

NEW QUESTION 7
Your network contains a single Active Directory domain named contoso.com.
An administrator accidentally deletes the _msdsc.contoso.com zone. You recreate the _msdsc.contoso.com zone.
You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.
What should you do on each domain controller?

• A. Restart the Netlogon servic
• B. Restart the DNS Server servic
• C. Run dcdiag.exe /fi
• D. Run ipconfig.exe /registerdn

Answer: A

Explanation:
Explanation 1: http://support.microsoft.com/kb/817470 To register the required records to the single root domain controller, restart the Net Logon service on all the domain controllers. The replication works correctly if the replication window is not less than the default DNS Time to Live (TTL) entry. To restart the Net Logon service, follow these steps:
1. Click Start, click Run, type cmd in the Open box, and then press ENTER.
2. At the command prompt, type the following command, and then press ENTER: net stop netlogon
3. Type net start netlogon, and then press ENTER.
Explanation 2:
http://serverfault.com/questions/383915/how-do-i-manually-create-the-msdcs-dns-zone-for-a-domain-that-wascreated-pre-s
Be sure to restart the Netlogon services on all DC's when the zone has been replicated to them. This forces the DC's to register their SRV records in the _msdcs zone.

NEW QUESTION 8
You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 R2.
You need to monitor the replication of the group policy template files.
Which tool should you use?

• A. Dfsrdiag
• B. Fsutil
• C. Ntdsutil
• D. Ntfrsutl

Answer: D

Explanation:
With domain functional level 2008 you have available dfs-r sysvol replication. So with
DFL2008 you can use the DFSRDIAG tool. It is not available with domain functional level
2003.
With domain functional level 2003 you can only use Ntfrsutl.

NEW QUESTION 9
A corporate network contains a Windows Server 2008 R2 Active Directory forest.
You need to add a User Principle Name (UPN) suffix to the forest.
What tool should you use?

• A. Dsmgm
• B. Active Directory Domains and Trusts consol
• C. Active Directory Users and Computers consol
• D. Active Directory Sites and Services consol

Answer: B

Explanation:
http://www.kassapoglou.com/windows-server-2008-lesson-23-video-creating-a-user/
Demonstration adding a UPN Suffix
To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the start menu.
Right click Active Directory Domains and Trusts at the top and open the properties. From here you can add and remove additional domain UPN suffixes for the forest.

NEW QUESTION 10
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2003. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can connect to the snapshot by using LDAP.
What should you do?

• A. Run the Get-ADDomain cmdle
• B. Run the dsget.exe comman
• C. Run the ntdsutil.exe comman
• D. Run the ocsetup.exe comman
• E. Run the dsamain.exe comman
• F. Run the eventcreate.exe command,
• G. Create a Data Collector Set (DCS).
• H. Create custom views from Event Viewe
• I. Configure subscriptions from Event Viewe
• J. Import the Active Directory module for Windows PowerShel

Answer: E

Explanation:
http://technet.microsoft.com/en-us/library/cc753609.aspx
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
Requirements for using the Active Directory database mounting tool
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following: (...)
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers

NEW QUESTION 11
Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network.
A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation.The solution must minimize the administrative rights of User1.
To which group should you add User1?

• A. AD RMS Auditors
• B. AD RMS Service Group
• C. Domain Admins
• D. Schema Admins

Answer: C

Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx The AD RMS Service Connection Point The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.

NEW QUESTION 12
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2.
You perform a full backup of the domain controllers every night by using Windows Server Backup.
You update a script in the SYSVOL folder.
You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script.
What should you do first?

• A. Run the Restore-ADObject cmdle
• B. Restore the system state to its original locatio
• C. Restore the system state to an alternate locatio
• D. Attach the VHD file created by Windows Server Backu

Answer: D

Explanation:
http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx Active Directory Backup and Restore in Windows Server 2008 NTBACKUP vs. Windows Server Backup As an added bonus, Windows Server Backup stores its backup images in Microsoft. Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file is on it. (A note of caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardware configuration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backup as a physical-to-virtual migration tool.)

NEW QUESTION 13
Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.
You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.
At which level should you deactivate UGMC?

• A. Server
• B. Connection object
• C. Domain
• D. Site

Answer: D

Explanation:
http://www.ntweekly.com/?p=788
http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91 Script to Disable Universal Group Membership Caching in all Sites How to Disable Universal Group Membership Caching in all Sites using a Script Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user’s membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is member of rather than contacting a Global Catalog. Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user’s account at the time the user logs on to the domain to the authenticating domain controller. UGMC is generally a good idea for multiple domain forests when:
1. Universal Group membership does not change frequently.
2. Low WAN bandwidth between Domain Controllers in different sites.
It is also recommended to disable UGMC if all Domain Controllers in a forest are Global
Catalogs.

NEW QUESTION 14
Your network contains an Active Directory domain that has two sites.
You need to identify whether logon scripts are replicated to all domain controllers.
Which folder should you verify?

• A. GroupPolicy
• B. NTDS
• C. SoftwareDistribution
• D. SYSVOL

Answer: D

Explanation: http://technet.microsoft.com/en-us/library/cc794837.aspx SYSVOL is a collection of folders that contain a copy of the domain’s public files, including
system policies, logon scripts, and important elements of Group Policy objects (GPOs).

NEW QUESTION 15
Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller.
You disable an account that has administrative rights.
You need to immediately replicate the disabled account information to all sites.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

• A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog server
• B. From the Active Directory Sites and Services console, select the existing connection objects and force replicatio
• C. Use Repadmin.exe to force replication between the site connection object
• D. Use Dsmod.exe to configure all domain controllers as global catalog server

Answer: BC

Explanation:
http://technet.microsoft.com/en-us/library/cc835086%28v=ws.10%29.aspx Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners. http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers From time to time its necessary to kick off AD replication to speed up a task you may be doing, or just a good too to check the status of replication between DC’s. Below is a command to replicate from a specified DC to all other DC’s. Repadmin /syncall DC_name /Aped By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many.And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name. http://technet.microsoft.com/en-us/library/cc776188%28v=ws.10%29.aspx Force replication over a connection To force replication over a connection
1. Open Active Directory Sites and Services.

C:Documents and Settingsusernwz1Desktop1.PNG

NEW QUESTION 16
Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.
The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2.
You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).
What should you do first?

• A. Run dfsrdiag.exe PollA
• B. Run dfsrmig.exe /SetGlobalState 0.
• C. Upgrade all domain controllers to Windows Server 2008 R2.
• D. Raise the functional level of the domain to Windows Server 2008.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc753479%28v=ws.10%29.aspx Distributed File System Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly-available access to files, load sharing, and WAN-friendly replication. In the Windows Server. 2003 R2 operating system, Microsoft revised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-in with the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server. 2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces and added a number of usability and performance improvements. What does Distributed File System (DFS) do? The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly-available access to geographically dispersed files. The two technologies in DFS are the following: DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections. DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.

NEW QUESTION 17
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy Objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked to theSales OU and contain multiple settings. You discover that GPO2 has a setting that conflicts with a setting in GPO1. When the policies are applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must ensure that all non-conflicting settings in both GPOs are applied.
What should you do?

• A. Configure Restricted Group
• B. Configure the link orde
• C. Link the GPO to the Sales O
• D. Link the GPO to the Engineer O
• E. Enable loopback processing in merge mod
• F. Modify the Group Policy permission
• G. Configure WMI filterin
• H. Configure Group Policy Permission
• I. Enable loopback processing in replace mod
• J. Enable block inheritanc

Answer: B

Explanation:
MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 283
Precedence of Multiple Linked GPOs.
An OU, domain, or site can have more than one GPO linked to it. In the event of multiple GPOs, the GPOs’ link order determines their precedence. In Figure 6-10, two GPOs are linked to the People OU.
Figure 6-10 GPO link order
The object higher on the list, with a link order of 1, has the highest precedence. Therefore, settings that are enabled or disabled in the Power User Configuration GPO have precedence over these same settings in the Standard User Configuration GPO.
To change the precedence of a GPO link:
1. Select the OU, site, or domain in the GPMC console tree.
2. Click the Linked Group Policy Objects tab in the details pane.
3. Select the GPO.
4. Use the Up, Down, Move To Top, and Move To Bottom arrow icons to change the link order of the selected GPO.

NEW QUESTION 18
You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the
Certificates console. The certificate template is unavailable for Web enrollment.
You need to ensure that the certificate template is available on the Web enrollment pages.
What should you do?

• A. Run certutil.exe Cpuls
• B. Run certutil.exe Cinstallcer
• C. Change the certificate template to a Version 2 certificate templat
• D. On the certificate template, assign the Autoenroll permission to the user

Answer: C

Explanation:
Identical to F/Q12. Explanation 1: http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used with version 3 certificate templates. Explanation 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.

NEW QUESTION 19
A corporate network includes a single Active Directory Domain Services (AD D5) domain.
The HR department has a dedicated organization unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong to a security group named HR PCs.
Company policy requires that passwords are a minimum of six characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least eight characters. The password length requirement should not change for employees of any other department.
What should you do?

• A. Create a fine-grained password policy and apply it to the HR Computers O
• B. Modify the password policy in the GPO that is applied to the domain controllers O
• C. Create a fine-grained password policy and apply it to the HR Employees grou
• D. Modify the password policy in the GPO that is applied to the domai

Answer: C

NEW QUESTION 20
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?

• A. Repadmin
• B. Get-ADAccountResultantPasswordReplicationPolicy
• C. Active Directory Sites and Services
• D. Get-ADFineGrainedPasswordPolicy

Answer: A