
Online Microsoft 70-640 free dumps demo Below:

NEW QUESTION 1
You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. It has an Active Directory domain.
You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO).
You need to change the domain security settings to trace the shutdowns and identify their cause.
What should you do to perform this task?

  • A. Link the GPO to the domain and enable System Events option
  • B. Link the GPO to the domain and enable Audit Object Access option
  • C. Link the GPO to the Domain Controllers and enable Audit Object Access option
  • D. Link the GPO to the Domain Controllers and enable Audit Process tracking option
  • E. Perform all of the above actions

Answer: A

Explanation:
http://msdn.microsoft.com/en-us/library/ms813610.aspx
Audit system events
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description
Determines whether to audit when a user restarts or shuts down the computer;
or an event has occurred that affects either the system security or the security log.
By default, this value is set to No auditing in the Default Domain Controller Group Policy
object (GPO) and in the local policies of workstations and servers.
If you define this policy setting, you can specify whether to audit successes, audit failures,
or not to audit the event type at all. Success audits generate an audit entry when a system
event is successfully executed. Failure audits generate an audit entry when a system event
is unsuccessfully attempted. You can select No auditing by defining the policy setting and
unchecking Success and Failure.

NEW QUESTION 2
Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.
You need to audit the deletion of registry keys on each server.
What should you do?

  • A. From Audit Policy, modify the Object Access settings and the Process Tracking setting
  • B. From Audit Policy, modify the System Events settings and the Privilege Use setting
  • C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking setting
  • D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing setting

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/dd408940.aspx
Advanced Security Audit Policy Step-by-Step Guide
A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry.

NEW QUESTION 3
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and eu.contoso.com. All domain controllers are DNS servers.
The domain controllers in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that all domain controllers in the forest host a writable copy of _msdsc.contoso.com.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

  • A. Create a zone delegation record in the contoso.com zone
  • B. Create a zone delegation record in the eu.contoso.com zone
  • C. Create an Active Directory-integrated zone for _msdsc.contoso.com
  • D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com

Answer: AC

Explanation:
Note that the question speaks of _msdSC, instead of _msdCS. Not sure if it means something, probably a typo.

NEW QUESTION 4
A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage.
You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA on CA1.
What should you do first?

  • A. Add the DNS Server server role to CA1.
  • B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
  • C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
  • D. Join CA1 to the domain.

Answer: D

Explanation:
Explanation 1:
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Many times, administrators ask me what to do when installing Active Directory Certificate
Services they cannot choose to install Enterprise Certification Authority, because it’s
unavailable.
Well, you need to fulfill basic requirements:
1. Server machine has to be a member server (domain joined).
2. (...)
Explanation 2: http://social.technet.microsoft.com/Forums/en/w7itproSP/thread/34f95b81-b196-4211-9a99-a0610852128

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com.
You need to create a Group Policy object (GPO) that contains all of the settings included in the Windows Server 2008 R2 Security Baseline. The solution must minimize administrative effort.
Which three actions should you perform in sequence? (To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in the correct order.)

    Answer:

    Explanation: [exhibit image not available]

    NEW QUESTION 6
    Company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication.
    The application is installed on one member server in five sites.
    You need to configure the five member servers to receive the ResData application directory partition for data replication.
    What should you do?

    • A. Run the Dcpromo utility on the five member servers
    • B. Run the Regsvr32 command on the five member servers
    • C. Run the Webadmin command on the five member servers
    • D. Run the RacAgent utility on the five member servers

    Answer: A

    Explanation:
    http://technet.microsoft.com/en-us/library/cc732887%28v=ws.10%29.aspx
    Dcpromo
    Syntax
    dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv] /uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]
    dcpromo Promotion operation parameters:
    ApplicationPartitionsToReplicate:""
    Specifies the application directory partitions that dcpromo will replicate. Use the following format: "partition1" "partition2" "partitionN"
    Use * to replicate all application directory partitions.

    NEW QUESTION 7
    Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain.
    You need to prevent the managed service accounts from being deleted accidentally from OU1.
    Which cmdlet should you use?

    • A. Set-ADUser
    • B. Set-ADOrganizationalUnit
    • C. Set-ADServiceAccount
    • D. Set-ADObject

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-us/library/hh852326.aspx
    Set-ADObject
    Modifies an Active Directory object.
    Parameter -ProtectedFromAccidentalDeletion <Boolean>
    Specifies whether to prevent the object from being deleted. When this property is set to true, you cannot delete the corresponding object without changing the value of the property. Possible values for this parameter include:
    $false or 0
    $true or 1
    The following example shows how to set this parameter to true.
    -ProtectedFromAccidentalDeletion $true

    NEW QUESTION 8
    Active Directory Rights Management Services (AD RMS) is deployed on your network.
    You need to configure AD RMS to use Kerberos authentication.
    Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

    • A. Register a service principal name (SPN) for AD RMS
    • B. Register a service connection point (SCP) for AD RMS
    • C. Configure the identity setting of the _DRMSAppPool1 application pool
    • D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase

    Answer: AD

    Explanation:
    http://technet.microsoft.com/en-us/library/dd759186.aspx
    If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
    Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
    Set the Service Principal Names (SPN) value for the AD RMS service account

    NEW QUESTION 9
    Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
    You have an Active Directory-integrated zone for contoso.com.
    You have a Unix-based DNS server.
    You need to configure your Windows Server 2008 R2 environment to allow zone transfers
    of the contoso.com zone to the Unix-based DNS server.
    What should you do in the DNS Manager console?

    • A. Enable BIND secondaries
    • B. Create a stub zone
    • C. Disable recursion
    • D. Create a secondary zone

    Answer: A

    Explanation:
    http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-serverbind-secondaries/
    Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND Secondaries)
    BIND Secondaries controls zone transfers between DNS servers from different vendors. It helps verify the type of format used for the zone transfer, whether it is a fast or slow transfer. BIND stands for Berkeley Internet Name Domain. BIND is based on the UNIX operating system. Two Windows servers do not require BIND. BIND is only required when transferring a DNS zone between DNS servers from two different vendors (UNIX and Microsoft Windows). If you are using only Windows servers for DNS and zone transfers, you will have to disable this option in the Windows DNS server. However, if you want the server to perform a slow zone transfer and uncompressed data transfer, then you will have to enable BIND in the DNS server.
    To reiterate, BIND only provides a slow DNS zone transfer and data compression mechanism for DNS servers. BIND is understood to have been introduced in Windows Server to support UNIX. System admins will normally disable this option if they want the data in their DNS zone transfers between primary and secondary DNS servers to be transferred faster, in order to improve DNS query efficiency within their network environment.
    BIND is used in a Windows DNS server when zone transfer needs to be configured between a Windows server and a UNIX server or operating system. BIND is enabled when a Windows server is configured as a primary DNS server and a UNIX computer is configured as a secondary DNS server for zone transfer. BIND Secondaries needs to be configured to mitigate the problem of interoperability between the two server operating systems, since they are from different vendors. Note that the old version of BIND was noted to be very slow and uses an uncompressed zone transfer format.
    However, BIND in Windows Server 2008 and later has improved this problem. This is because it was noted that BIND in Windows Server 2008 and later uses a faster, compressed format during zone transfer between primary and secondary DNS servers configured for different server operating systems (UNIX and Windows Server).

    NEW QUESTION 10
    Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2.
    The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.
    On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO.
    You need to identify what will be audited on DC1.
    Which tool should you use?

    • A. Get-ADObject
    • B. Secedit
    • C. Security Configuration and Analysis
    • D. Auditpol

    Answer: D

    Explanation:
    Explanation 1:
    http://technet.microsoft.com/en-us/library/cc772576.aspx
    Auditpol get
    Retrieves the system policy, per-user policy, auditing options, and audit security descriptor
    object.
    Explanation 2:
    Windows Server 2008 R2 Unleashed (SAMS, 2010) page 670
    You can use the AUDITPOL command to get and set the audit categories and
    subcategories. To retrieve a list of all the settings for the audit categories and
    subcategories, use the following command:
    auditpol /get /category:*

    NEW QUESTION 11
    Your network contains an Active Directory domain named contoso.com.
    You have a comma separated value (CSV) file named Users.txt. Users.txt contains the information for 500 users and all of the attributes required to create user accounts.
    You plan to automate the creation of user accounts by using the Users.txt file.
    You need to identify which two cmdlets you must run. The solution must pipe the output from the first cmdlet to the second cmdlet.
    What should you run from Windows PowerShell? To answer, configure the appropriate PowerShell command in the answer area.

      Answer:

      Explanation: [exhibit image not available]

      NEW QUESTION 12
      Your network contains an Active Directory domain named fabrikam.com. The domain has one Active Directory site.
      The domain contains an organizational unit (OU) named SalesOU. SalesOU contains all of the user accounts for the sales department. Some of the sales users are temporary employees.
      You apply a Group Policy object (GPO) named SalesGPO to SalesOU.
      You need to prevent SalesGPO from being applied to the temporary sales employees. All other sales employees must have SalesGPO applied to them.
      What should you do?

      • A. Configure the permissions on the user accounts of the temporary sales employees
      • B. Configure the permissions of SalesGPO
      • C. Link SalesGPO to the site and remove the link for SalesGPO from SalesOU
      • D. Disable the computer configurations of SalesGPO

      Answer: B

      NEW QUESTION 13
      Your network contains an Active Directory domain. The domain contains 3,000 client computers. All of the client computers run Windows 7.
      Users log on to their client computers by using standard user accounts.
      You plan to deploy a new application named App1.
      The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run.
      You need to deploy App1 to all client computers. The solution must meet the following requirements:
      • App1 must automatically detect and replace corrupt application files.
      • App1 must be available from the Start menu on each client computer.
      What should you do first?

      • A. Create a logon script that calls Setup.exe for App1.
      • B. Create a .zap file.
      • C. Create a startup script that calls Setup.exe for App1.
      • D. Repackage App1 as a Windows Installer package.

      Answer: D

      Explanation:
      http://technet.microsoft.com/en-us/library/cc739578.aspx
      Windows Installer features
      Diagnoses and repairs corrupted applications: An application can query Windows Installer to determine whether an installed application has missing or corrupted files. If any are detected, Windows Installer repairs the application by recopying only those files found to be missing or corrupted.

      NEW QUESTION 14
      Your network contains an Active Directory forest named contoso.com. The forest contains six domains.
      You need to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix of litwareinc.com when they create user accounts by using Active Directory Users and Computers.
      Which tool should you use?

      • A. New-ADObject
      • B. Active Directory Sites and Services
      • C. Active Directory Domains and Trusts
      • D. Set-ADAccountControl

      Answer: C

      Explanation:
      http://technet.microsoft.com/en-us/library/cc772007.aspx
      To add UPN suffixes
      1. Open Active Directory Domains and Trusts.
      2. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
      3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add.
      4. Repeat step 3 to add additional alternative UPN suffixes.

      NEW QUESTION 15
      Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).
      You need to identify the user accounts that can be cached on the RODC server.
      Which utility should you use?

      • A. Dsmod.exe
      • B. Repadmin.exe
      • C. Active Directory Domain and Trusts
      • D. Active Directory Sites and Services

      Answer: B

      NEW QUESTION 16
      Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003.
      Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
      At 07:00, an administrator deletes a user account while he is logged on to DC1.
      You need to restore the deleted user account. You want to achieve this goal by using the minimum amount of administrative effort.
      What should you do?

      • A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start Active Directory Domain Services
      • B. On DC3, run the Restore-ADObject cmdlet
      • C. On DC1, run the Restore-ADObject cmdlet
      • D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active Directory Domain Services

      Answer: A

      Explanation:
      We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin
      feature, and you can only use Recycle Bin when the forest functional level is set to
      Windows Server 2008 R2. In the question text it says "The functional level of the forest is
      Windows Server 2003."
      See http://technet.microsoft.com/nl-nl/library/dd379481.aspx
      Performing an authoritative restore on DC3 updates the Update Sequence Number (USN)
      on that DC, which causes it to replicate the restored user account to other DCs.
      Explanation 1:
      MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) page 692
      "An authoritative restore restores data that was lost and updates the Update Sequence
      Number (USN) for the data to make it authoritative and ensure that it is replicated to all
      other servers."
      Explanation 2:
      http://technet.microsoft.com/en-us/library/cc755296.aspx
      Authoritative restore of AD DS has the following requirements:
      (...)
      You must stop the Active Directory Domain Services service before you run the ntdsutil
      authoritative restore command and restart the service after the command is complete.

      NEW QUESTION 17
      Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.
      The servers are configured as shown in the following table.
      You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service.
      Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

      • A. Configure the policy module setting
      • B. Configure the issuance requirements for the certificate template
      • C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting
      • D. Configure the delegation settings for the Certificate Enrollment Web Service application pool account

      Answer: BD

      Explanation:
      Explanation 1:
      http://technet.microsoft.com/en-us/library/dd759245.aspx
      The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.
      Explanation 2:
      http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
      Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:
      • The CA is not on the same computer as the Certificate Enrollment Web Service
      • Certificate Enrollment Web Service needs to be able to process initial enrollment requests, as opposed to only processing certificate renewal requests
      • The authentication type is set to Windows Integrated Authentication or Client certificate authentication

      NEW QUESTION 18
      Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com.
      From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com.
      You need to prevent users from impersonating contoso.com users.
      What should you do?

      • A. Configure trusted e-mail domain
      • B. Enable lockbox exclusion in AD RMS.
      • C. Create a forest trust between adatum.com and contoso.com.
      • D. Add a certificate from a third-party trusted certification authority (CA).

      Answer: A

      Explanation:
      http://technet.microsoft.com/en-us/library/cc753930.aspx
      Add a Trusted User Domain
      By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests. For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.
      You can add TUDs as follows:
      To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft’s online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.
      To trust external users from another organization’s AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization.
      In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.
      For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.

      NEW QUESTION 19
      Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7.
      You install Windows Server 2008 R2 on a server named Server1.
      You need to perform an offline domain join of Server1.
      Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

      • A. From Server1, run djoin.exe.
      • B. From Server1, run netdom.exe.
      • C. From a Windows 7 computer, run djoin.exe.
      • D. Upgrade one domain controller to Windows Server 2008 R2.
      • E. Raise the functional level of the domain to Windows Server 2008.

      Answer: AC

      Explanation:
      MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218
      Offline Domain Join
      Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment.
      When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.
      Four major steps are required to join a computer to the domain by using offline domain join:
      1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.
      2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.
      3. At the offline computer that you want to join the domain use DJoin to import the blob into the Windows directory.
      4. When you start or restart the computer, it will be a member of the domain.

      NEW QUESTION 20
      Your network contains an Active Directory domain. The domain is configured as shown in the following table.
      Users in Branch2 sometimes authenticate to a domain controller in Branch1.
      You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.
      What should you do?

      • A. On DC3, set the AutoSiteCoverage value to 1.
      • B. On DC1 and DC2, set the AutoSiteCoverage value to 0.
      • C. On DC1 and DC2, set the AutoSiteCoverage value to 1.
      • D. On DC3, set the AutoSiteCoverage value to 0.

      Answer: D

      Explanation:
      http://technet.microsoft.com/en-us/library/cc787491%28v=ws.10%29.aspx
      AutoSiteCoverage
      HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      Description Specifies whether the system can add sites to the coverage area of this domain controller. Domain controllers cover, that is, provide services to, the site in which they reside and to other sites listed in the value of the entry SiteCoverage. In addition, when the value of AutoSiteCoverage is 1, the system can add sites that do not have domain controllers to this domain controller's coverage area.
      The sites added to the domain controller's coverage are stored in memory, and a new list is assembled each time the Net Logon service starts or when Netlogon is notified of the site object changes. While Net Logon runs, it updates this list at an interval specified by the value of the entry DnsRefreshInterval.
      http://technet.microsoft.com/en-us/library/cc749944.aspx
      Planning Active Directory for Branch Office
      Disabling AutoSiteCoverage Registration in DNS
      Another situation that requires configuration of SRV records results from not having a domain controller in a particular site. This may happen because there are no users needing constant logon access, or because replication to the site might be too expensive or too slow. To ensure that a domain controller can be located in the site closest to a client computer, if not the same site, Windows 2000 automatically attempts to register a domain controller in every site by using an "autositecoverage" algorithm. The algorithm determines how one site can "cover" another site when no domain controller exists in the second site. By default, the process uses the replication topology.
      The algorithm works as follows. Each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its site has the lowest-cost connections. This process ensures that every site has a domain controller even though its domain controller may not be located in that site. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology).
      In the branch office scenario, any computer from other sites should not discover branch office domain controllers. A client should always communicate with a local domain controller, and if that is not available, use a domain controller in the hub site. To achieve this:
      1. Disable AutoSiteCoverage on all of the domain controllers, not only for the branch domain controllers, but also hub domain controllers.
      2. Do not register generic records as described above.
      If both of these configurations (1. and 2.) are performed, then all-site clients will discover the local domain controller if it is available, or its hub domain controller (if no local domain controller is available).
      In the unusual scenario when a site with a domain controller for some domain is closer to another site than the central hub, the administrator has the ability to configure that domain controller with the specific ("close") sites to be covered using the following registry values: SiteCoverage, GcSiteCoverage.
      Alternatively, the administrator can use the following Group Policy settings:
      • Sites Covered by the domain controller Locator DNS SRV Records
      • Sites Covered by the global catalog server Locator DNS SRV Records
      • Sites Covered by the NDNC Locator DNS SRV Records
