Free 70-640 dumps questions:
NEW QUESTION 1
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The AD DS infrastructure is shown in the following graphic.
When the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Toronto Site domain controller.
You need to ensure that when the Montreal Site domain controller is offline, authentication requests for Montreal branch office users are sent to the Quebec City Site domain controller.
What should you do?
- A. Create a site link bridge between the Montreal Site and the Quebec City Site.
- B. Create a registry entry on each client computer in the Montreal branch office.
- C. Enable the global catalog role on the Montreal Site domain controller.
- D. Delete the Toronto-Montreal Site Link.
Answer: A
NEW QUESTION 2
Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails.
You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
- A. Netlogon
- B. DNS Server
- C. Network Location Awareness
- D. Network Store Interface Service
- E. Online Responder Service
Answer: A
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
NEW QUESTION 3
Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One of these GPOs publishes applications to user objects. A user reports that the application is not available for installation.
You need to identify whether the GPO has been applied.
What should you do?
- A. Run the Group Policy Results utility for the user.
- B. Run the GPRESULT /S <system name> /Z command at the command prompt.
- C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
- D. Run the Group Policy Results utility for the computer.
Answer: A
Explanation:
Personal note: You run the utility for the user and not for the computer because the application publishes to user objects.
http://technet.microsoft.com/en-us/library/bb456989.aspx
How to Use the Group Policy Results (GPResult.exe) Command Line Tool
Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns settings in effect on the computer on which GPResult is run.
To run GPResult on your own computer:
1. Click Start, Run, and enter cmd to open a command window.
2. Type gpresult and redirect the output to a text file as shown in Figure 1 below: 
3. Enter notepad gp.txt to open the file. Results appear as shown in the figure below. 
NEW QUESTION 4
Your network contains an Active Directory domain. The domain contains a group named Group1.
The minimum password length for the domain is set to six characters.
You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.
What should you do first?
- A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
- B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
- C. From the Default Domain Policy, modify the password policy.
- D. From the Default Domain Controller Policy, modify the password policy.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/ee617238.aspx
New-ADFineGrainedPasswordPolicy
Creates a new Active Directory fine grained password policy.
NEW QUESTION 5
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service installed.
You plan to deploy AD FS 2.0 on Server2.
You need to export the token-signing certificate from Server1, and then import the certificate to Server2.
Which format should you use to export the certificate?
- A. Base-64 encoded X.509 (.cer)
- B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
- C. DER encoded binary X.509 (.cer)
- D. Personal Information Exchange PKCS #12 (.pfx)
Answer: D
Explanation:
Explanation 1: http://technet.microsoft.com/en-us/library/ff678038.aspx
Checklist: Migrating Settings in the AD FS 1.x Federation Service to AD FS 2.0
If the AD FS 1.x Federation Service has a token-signing certificate that was issued by a trusted certification authority (CA) and you want to reuse it, you will have to export it from AD FS 1.x.
[The site also provides a link to instructions on how to export the token-signing certificate. That link points to the site mentioned in Explanation 2.]
Explanation 2: http://technet.microsoft.com/en-us/library/cc784075.aspx
Export the private key portion of a token-signing certificate
To export the private key of a token-signing certificate
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Right-click Federation Service, and then click Properties.
3. On the General tab, click View.
4. In the Certificate dialog box, click the Details tab.
5. On the Details tab, click Copy to File.
6. On the Welcome to the Certificate Export Wizard page, click Next.
7. On the Export Private Key page, select Yes, export the private key, and then click Next.
8. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and then click Next.
(...)
NEW QUESTION 6
Your network contains an Active Directory domain.
The password policy for the domain is configured as shown in the Current Policy exhibit. (Click the Exhibit button.)
You change the password policy for the domain as shown in the New Policy exhibit. (Click the Exhibit button.) 
You need to provide users with examples of a valid password.
Which password examples should you provide to the users? (Each correct answer presents a complete solution. Choose three.)
- A. 123456!@#$%^
- B. !@#$1234ABCD
- C. passwordl234
- D. 1-2-3-4-5-a-b-c-e
- E. %%PASS1234%%
- F. 111111aaaaaaa
Answer: BDE
Explanation:
http://technet.microsoft.com/en-us/library/cc786468.aspx
Passwords must meet complexity requirements
This security setting determines whether passwords must meet complexity requirements. Complexity requirements are enforced when passwords are changed or created.
If this policy is enabled, passwords must meet the following minimum requirements when they are changed or created:
1. Passwords must not contain the user's entire samAccountName (Account Name) value or entire displayName (Full Name) value.
2. Passwords must contain characters from three of the following five categories:
- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
NEW QUESTION 7
Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain.
You need to register the SRV records.
Which command should you run on the new domain controller?
- A. Run the netsh interface reset command.
- B. Run the ipconfig /flushdns command.
- C. Run the dnscmd /EnlistDirectoryPartition command.
- D. Run the sc stop netlogon command followed by the sc start netlogon command.
Answer: D
Explanation:
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.
NEW QUESTION 8
Your network contains an Active Directory domain named contoso.com. All domain controllers run a Server Core installation of Windows Server 2008 R2.
You need to identify which domain controller holds the PDC emulator role.
Which tool should you run?
- A. Get-AdForest
- B. Netdom.exe
- C. Get-AdOptionalFeature
- D. Query.exe
Answer: B
NEW QUESTION 9
Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition.
You have a member server that contains a standard primary DNS zone for dev.contoso.com.
You need to ensure that all domain controllers can resolve names for dev.contoso.com.
What should you do?
- A. Modify the properties of the SOA record in the contoso.com zone.
- B. Create a NS record in the contoso.com zone.
- C. Create a delegation in the contoso.com zone.
- D. Create a standard secondary zone on a Global Catalog server.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc771640.aspx
Understanding Zone Delegation
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
- You want to delegate management of part of your DNS namespace to another location or department in your organization.
- You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more-fault-tolerant DNS environment.
- You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.
When you delegate zones within your namespace, remember that for each new zone that you create, you need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.
Example: Delegating a subdomain to a new zone
As shown in the following illustration, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.
NEW QUESTION 10
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured as a DNS server for contoso.com.
You install the DNS Server server role on a member server named Server1 and then you create a standard secondary zone for contoso.com. You configure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
- A. On DC1, modify the permissions of the contoso.com zone.
- B. On Server1, add a conditional forwarder.
- C. Add the Server1 computer account to the DnsUpdateProxy group.
- D. On DC1, modify the zone transfer settings for the contoso.com zone.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc771652.aspx
Modify Zone Transfer Settings
You can use the following procedure to control whether a zone will be transferred to other servers and which servers can receive the zone transfer.
To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
- To disable zone transfers, clear the Allow zone transfers check box.
- To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
- To allow zone transfers to any server, click To any server.
- To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab.
- To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.
NEW QUESTION 11
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
You need to create a snapshot of Active Directory.
What should you do?
- A. Run the Get-ADDomain cmdlet.
- B. Run the dsget.exe command.
- C. Run the ntdsutil.exe command.
- D. Run the ocsetup.exe command.
- E. Run the dsamain.exe command.
- F. Run the eventcreate.exe command.
- G. Create a Data Collector Set (DCS).
- H. Create custom views from Event Viewer.
- I. Configure subscriptions from Event Viewer.
- J. Import the Active Directory module for Windows PowerShell.
Answer: C
NEW QUESTION 12
You have a domain controller named Server1 that runs Windows Server 2008 R2.
You need to determine the size of the Active Directory database on Server1.
What should you do?
- A. Run the Active Directory Sizer tool.
- B. Run the Active Directory Diagnostics data collector set.
- C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
- D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc961761.aspx
Directory Data Store
Active Directory data is stored in the Ntds.dit ESE database file. Two copies of Ntds.dit are present in separate locations on a given domain controller:
- %SystemRoot%\NTDS\Ntds.dit: This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the values for the forest (the Configuration container data).
- %SystemRoot%\System32\Ntds.dit: This file is the distribution copy of the default directory that is used when you promote a Windows 2000-based computer to a domain controller. The availability of this file allows you to run the Active Directory Installation Wizard (Dcpromo.exe) without your having to use the Windows 2000 Server operating system CD.
During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers.
NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com.
A portion of the Group Policy object (GPO) settings for a computer in the contoso.com domain is configured as shown in the following exhibit. (Click the Exhibit button.) 
To answer, complete each statement according to the information presented in the exhibit. 
Answer:
Explanation: 
NEW QUESTION 14
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters.
You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.
You create an Active Directory Fine Grained Password Policy.
What should you do next?
- A. From the Default Domain Policy, modify the password policy.
- B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
- C. Run the Set-ADDomain cmdlet.
- D. From the Default Domain Controller Policy, modify the password policy.
Answer: B
NEW QUESTION 15
You have a DNS zone that is stored in a custom application directory partition. You install a new domain controller.
You need to ensure that the custom application directory partition replicates to the new domain controller.
What should you use?
- A. the Active Directory Administrative Center console
- B. the Active Directory Sites and Services console
- C. the DNS Manager console
- D. the Dnscmd tool
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc772069.aspx
dnscmd /enlistdirectorypartition Adds the DNS server to the specified directory partition's replica set.
NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com.
You need to ensure that when computers are joined manually to the domain by using the System Properties, the computer accounts of the computers are created automatically in an organizational unit (OU) named NewComputers.
Which command should you run?
- A. dsmgmt.exe
- B. redircmp.exe
- C. csvde.exe
- D. computerdefaults.exe
Answer: B
NEW QUESTION 17
Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long.
You need to decrease the amount of time it takes for the branch office users to log on.
What should you do?
- A. Configure DC1 as a Global Catalog server.
- B. Configure DC1 as a bridgehead server for the branch office site.
- C. Decrease the replication interval on the site link that connects the branch office to the corporate network.
- D. Increase the replication interval on the site link that connects the branch office to the corporate network.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc728188.aspx
What Is the Global Catalog?
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
In addition to configuration and schema directory partition replicas, every domain controller in a forest stores a full, writable replica of a single domain directory partition. Therefore, a domain controller can locate only the objects in its domain. Locating an object in a different domain would require the user or application to provide the domain of the requested object.
The global catalog provides the ability to locate objects from any domain without having to know the domain name. A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. The additional domain directory partitions are partial because only a limited set of attributes is included for each object. By including only the attributes that are most used for searching, every object in every domain in even the largest forest can be represented in the database of a single global catalog server.
NEW QUESTION 18
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).
An RODC server is stolen from one of the branch offices.
You need to identify the user accounts that were cached on the stolen RODC server.
Which utility should you use?
- A. Dsmod.exe
- B. Ntdsutil.exe
- C. Active Directory Sites and Services
- D. Active Directory Users and Computers
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc835486%28v=ws.10%29.aspx
Securing Accounts After an RODC Is Stolen
If you become aware of a stolen or otherwise compromised read-only domain controller (RODC), you should act quickly to delete the RODC account from the domain and to reset the passwords of the accounts whose current passwords are stored on the RODC. An efficient tool for removing the RODC computer account and resetting all the passwords for the accounts that were authenticated to it is the Active Directory Users and Computers snap-in.
NEW QUESTION 19
HOTSPOT
Your network contains two Active Directory forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Selective authentication is enabled on the trust. Fabrikam.com contains a server named Server1.
You assign Contoso\Domain Users the Manage documents permission and the Print permission to a shared printer on Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to Contoso\Domain Users?
To answer, select the appropriate permission in the answer area. 
Answer:
Explanation: 
NEW QUESTION 20
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?
- A. Repadmin
- B. Dcdiag
- C. Get-ADDomainControllerPasswordReplicationPolicyUsage
- D. Adtest
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc835090.aspx
Repadmin /prp
Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}
Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.
Parameters
<RODC>
Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.
<List_Name>
Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:
- auth2: The list of security principals that the RODC has authenticated.
- reveal: The list of security principals for which the RODC has cached passwords.
- allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.
- deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.
Original explanation for answer C:
The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.
http://technet.microsoft.com/en-us/library/ee617194.aspx