transcender practice exam 70-640 [Apr 2016]


2016 Apr 70-640 Study Guide Questions:

Q106. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. 

You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amount of available CPU resources on a domain controller. 

What should you do? 

A. Review performance data in Resource Monitor. 

B. Review the Hardware Events log in the Event Viewer. 

C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report. 

D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report. 

Answer: C 

Explanation: 

http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/ Active Directory Diagnostics

Prior to Windows Server 2008, troubleshooting Active Directory performance issues usually required installing the Server Performance Advisor (SPA). SPA is helpful because its Active Directory data set collects performance data and generates XML-based diagnostic reports that make AD performance problems easier to analyze: the report identifies the IP addresses of the highest-volume callers and the type of traffic that places the most load on the CPU. (SPA download: http://www.microsoft.com/en-us/download/details.aspx?id=15506) The same functionality is built into Windows Server 2008 and Windows Server 2008 R2, so SPA no longer has to be installed. 

This feature is located in the Server Manager snap-in under the Diagnostics node. When the Active Directory Domain Services role is installed, the Active Directory Diagnostics data collector set is created automatically under Data Collector Sets, System, as shown here. 



If you open the properties of the collector set you will see that the data is stored under %systemdrive%\PerfLogs, in the \ADDS subfolder. Each run creates a new subfolder named YYYYMMDD-####, where YYYY is the year, MM the month, DD the day and #### a counter starting at 0001. The Active Directory Diagnostics data collector set runs for a default of 5 minutes. This duration cannot be changed for the built-in collector set, but a running collection can be stopped early by clicking Stop or from the command line. 



To start the data collector set, right-click Active Directory Diagnostics and select Start. Data is written under %systemdrive%\PerfLogs. 



Once the data has been gathered, the reports under the Reports node are available to aid troubleshooting and server performance trending. 



Further information: 

http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx Monitoring Your Branch Office Environment 

http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx Son of SPA: AD Data Collector Sets in Win2008 and beyond 
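Added example, not from the page or from Microsoft's documentation: a PowerShell script that runs the built-in Active Directory Diagnostics data collector set from the command line instead of Server Manager, waits for the fixed 5-minute collection to finish, and prints the path of the new report folder. The set name and the %systemdrive%\PerfLogs\ADDS\YYYYMMDD-#### layout come from the text above; that logman addresses the built-in set as "System\Active Directory Diagnostics", that "logman query" prints a "Status:" line, and that the report file is report.html are assumptions.

```powershell
# Added example: run the built-in "Active Directory Diagnostics" data collector set from the
# command line and locate the report it writes. Run in an elevated PowerShell on the DC.
# Assumptions (not from the page): logman addresses the built-in set as
# 'System\Active Directory Diagnostics', 'logman query' prints a 'Status:' line, and the
# report file inside the YYYYMMDD-#### folder is report.html.
$setName = 'System\Active Directory Diagnostics'
$logRoot = Join-Path $env:SystemDrive 'PerfLogs\ADDS'

function Get-CollectorStatus {
    # Returns 'Running', 'Stopped' or 'Unknown' (assumed format of the logman output).
    $line = & logman.exe query $setName | Select-String -Pattern '^Status:\s+(\S+)' | Select-Object -First 1
    if ($line) { return $line.Matches[0].Groups[1].Value }
    return 'Unknown'
}

function Get-ReportFolders {
    # Run folders are created as %systemdrive%\PerfLogs\ADDS\YYYYMMDD-####.
    @(Get-ChildItem -Path $logRoot -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName })
}

$before = Get-ReportFolders

& logman.exe start $setName
if ($LASTEXITCODE -ne 0) { throw "logman could not start '$setName' (exit code $LASTEXITCODE)" }

# The built-in set stops itself after 5 minutes (not configurable); 'logman stop' ends it early.
$deadline = (Get-Date).AddMinutes(7)
do {
    Start-Sleep -Seconds 15
    $status = Get-CollectorStatus
} while ($status -eq 'Running' -and (Get-Date) -lt $deadline)
if ($status -eq 'Running') { & logman.exe stop $setName | Out-Null }

# The run that just finished is the folder that did not exist before we started.
$new = Get-ChildItem -Path $logRoot |
       Where-Object { $_.PSIsContainer -and ($before -notcontains $_.FullName) } |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $new) { throw "No new report folder under $logRoot" }

# The report's Active Directory section ranks LDAP clients by CPU time, searches and bytes,
# which is what the question asks for; raw NTDS counters cannot attribute CPU to a client.
"Report folder: $($new.FullName)"
$html = Join-Path $new.FullName 'report.html'
if (Test-Path $html) { Invoke-Item $html }
```

Running the collector adds load to a DC that is already busy, so schedule it for a representative window and keep the report folder access-restricted: it contains the IP addresses and query patterns of every LDAP client.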


Q107. The company has a Windows Server 2008 domain controller. This server is routinely backed up over the network from a dedicated backup server that runs Windows Server 2003. 

You need to prepare the domain controller for disaster recovery apart from the routine backup procedures. 

You are unable to launch the backup utility while attempting to back up the system state data for the domain controller. 

You need to back up the system state data from the Windows Server 2008 domain controller. 

What should you do? 

A. Add your user account to the local Backup Operators group. 

B. Install the Windows Server Backup feature by using Server Manager. 

C. Install the Removable Storage Manager feature by using Server Manager. 

D. Deactivate the backup job on the Windows Server 2003 server that is configured to back up the Windows Server 2008 domain controller. 

E. None of the above 

Answer: B 

Explanation: 

Windows Server Backup is not installed by default on Windows Server 2008, which is why the backup utility cannot be launched until the feature is added. 

http://technet.microsoft.com/en-us/library/cc770266%28v=ws.10%29.aspx Windows Server Backup Step-by-Step Guide for Windows Server 2008 

The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system. 

What is Windows Server Backup? The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console (MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment. 

You can use Windows Server Backup to create and manage backups for the local computer or a remote computer. You can also schedule backups to run automatically and you can perform one-time backups to augment the scheduled backups. 
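Added example (not part of the page or of Microsoft's guide): the answer carried out in PowerShell on the domain controller, installing the Windows Server Backup feature if it is missing and then taking a system state backup with wbadmin. The feature names are the Server Manager identifiers for Windows Server 2008 R2; the backup target volume E: is an assumption.

```powershell
# Added example: install the Windows Server Backup feature and take a system state backup
# of the domain controller with wbadmin. Run in an elevated PowerShell on the DC.
# Assumption (not from the page): the backup target is a dedicated volume E:.
Import-Module ServerManager

$feature = Get-WindowsFeature -Name Backup-Features
if (-not $feature.Installed) {
    # Backup-Features installs both Backup (MMC snap-in and wbadmin) and Backup-Tools (PowerShell snap-in).
    $result = Add-WindowsFeature -Name Backup-Features
    if (-not $result.Success) { throw 'Installing Windows Server Backup failed' }
}

$target = 'E:'
if (-not (Test-Path $target)) { throw "Backup target $target is not present" }

# On a DC the system state includes ntds.dit, SYSVOL, the registry, COM+ and the certificate store.
& wbadmin.exe start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# Confirm the backup is catalogued before relying on it for disaster recovery.
& wbadmin.exe get versions -backupTarget:$target
```

The backup contains ntds.dit, and therefore every password hash in the domain, so the target volume has to be protected like a domain controller (tight ACLs, no share, encrypted if it leaves the building). On Windows Server 2008 (not R2) wbadmin refuses to write the system state to a critical volume unless the AllowSSBToAnyVolume registry value is set, which is one more reason to use a dedicated backup volume.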


Q108. Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. 

You need to configure AD RMS so that users are able to protect their documents. 

What should you do? 

A. Install the AD RMS client 2.0 on each client computer. 

B. Add the RMS service account to the local administrators group on the AD RMS server. 

C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user. 

D. Upgrade the Active Directory domain to the functional level of Windows Server 2008. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx AD RMS Step-by-Step Guide 

For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups. 
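Added example (not from the page or the step-by-step guide): AD RMS identifies users by e-mail address, so the practical check is to find the users who have no mail attribute and populate it. The OU path, the assumption that the UPN is the user's mail address, and the availability of the ActiveDirectory module (it needs a Windows Server 2008 R2 domain controller or Active Directory Web Services; the 2003 functional level does not prevent that) are assumptions of the example.

```powershell
# Added example: find enabled users in the AD RMS scope that have no 'mail' attribute and
# fill it from the UPN. Assumptions (not from the page): the OU, that UPN equals the mail
# address, and that the ActiveDirectory module can reach a DC that supports it.
Import-Module ActiveDirectory

$searchBase = 'OU=RMS Users,DC=contoso,DC=com'   # assumed OU
$apply      = $false                             # set to $true to write the attribute

# LDAP filter: user objects, not disabled (bit 2 of userAccountControl clear), without mail.
$ldap = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(mail=*)))'
$missing = @(Get-ADUser -LDAPFilter $ldap -SearchBase $searchBase -Properties mail, userPrincipalName)

foreach ($u in $missing) {
    if (-not $u.UserPrincipalName) {
        Write-Warning "$($u.SamAccountName): no UPN either, set the mail address manually"
        continue
    }
    '{0,-20} -> {1}' -f $u.SamAccountName, $u.UserPrincipalName
    if ($apply) {
        Set-ADUser -Identity $u -EmailAddress $u.UserPrincipalName
    }
}
'{0} user(s) without a mail address' -f $missing.Count
```

Groups that are named in rights policy templates need a mail address for the same reason, and the address must be the one the AD RMS client presents when it requests a rights account certificate, so do not invent addresses that the mail system does not know about.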


Q109. Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2. 

You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1. 

What should you do first? 

A. At the command prompt, run net stop ntds. 

B. At the command prompt, run net stop netlogon. 

C. Restart DC1 in Safe Mode. 

D. Restart DC1 in Directory Services Restore Mode (DSRM). 

Answer: A 

Explanation: 

We don't need to restart the server to defragment the AD database. On Windows Server 2008 and later AD DS is a restartable service, so we only need to stop AD DS and then defragment the database with ntdsutil. Restarting in Directory Services Restore Mode (the only option on Windows Server 2003) would cause unnecessary downtime. 

http://technet.microsoft.com/en-us/library/cc794920.aspx 

To perform offline defragmentation of the directory database 

1. Open a Command Prompt as an administrator. 

2. At the command prompt, type the following command, and then press ENTER: net stop ntds 

3. Type Y to agree to stop additional services, and then press ENTER. 

4. At the command prompt, type ntdsutil, and then press ENTER. 
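Added example (not from the page or the TechNet procedure, which the excerpt above cuts off after step 4): the complete offline defragmentation carried out from PowerShell, including the compaction, the file swap, the integrity check and the service restart. The default %SystemRoot%\NTDS database location, the C:\NTDSCompact scratch folder, and the list of dependent services to restart are assumptions.

```powershell
# Added example: offline defragmentation of ntds.dit with AD DS stopped, not rebooted.
# Run in an elevated PowerShell on DC1. Assumptions (not from the page): ntds.dit is in
# %SystemRoot%\NTDS, C:\NTDSCompact is on a volume with more free space than the database,
# and the dependent services listed at the end are the ones 'net stop ntds' took down.
$ntdsDir = Join-Path $env:SystemRoot 'NTDS'
$scratch = 'C:\NTDSCompact'
$dbFile  = Join-Path $ntdsDir 'ntds.dit'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$before = (Get-Item $dbFile).Length

# 1. Stop AD DS; /y answers the prompt to stop the services that depend on it (KDC, DNS, Netlogon, ...).
& net.exe stop ntds /y
if ((Get-Service ntds).Status -ne 'Stopped') { throw 'AD DS did not stop; aborting' }

# 2. Compact into the scratch folder. Each quoted string is one ntdsutil command.
& ntdsutil.exe 'activate instance ntds' 'files' "compact to $scratch" 'quit' 'quit'
$compacted = Join-Path $scratch 'ntds.dit'
if (-not (Test-Path $compacted)) { throw 'Compaction produced no new ntds.dit; AD DS is still stopped' }

# 3. Keep the original, swap in the compacted copy and delete the old transaction logs
#    (ntdsutil prints these same instructions after a successful compaction).
Copy-Item $dbFile "$dbFile.bak" -Force
Copy-Item $compacted $dbFile -Force
Remove-Item (Join-Path $ntdsDir '*.log')

# 4. Integrity check of the new database before the DC goes back into service.
& ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit'

# 5. Restart AD DS and the services that were stopped with it.
& net.exe start ntds
foreach ($svc in 'kdc', 'ismserv', 'dns', 'netlogon', 'dfsr') {
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}
'ntds.dit: {0:N0} -> {1:N0} bytes' -f $before, (Get-Item $dbFile).Length
```

If the integrity check fails, put ntds.dit.bak back before starting AD DS; the backup copy is the only thing standing between a failed compaction and a DSRM restore. Delete the scratch copy and the .bak file once the DC is healthy, since both are full copies of the domain's password hashes.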


Q110. Your network contains an Active Directory domain. The domain contains three domain controllers. 

One of the domain controllers fails. 

Seven days later, the help desk reports that it can no longer create user accounts. You need to ensure that the help desk can create new user accounts. 

Which operations master role should you seize? 

A. domain naming master 

B. infrastructure master 

C. primary domain controller (PDC) emulator 

D. RID master 

E. schema master 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc773108%28v=ws.10%29.aspx Operations master roles 

Active Directory supports multimaster replication of the directory data store between all domain controllers (DCs) in the domain, so all domain controllers in a domain are essentially peers. However, some changes are impractical to perform using multimaster replication, so for each of these types of changes one domain controller, called the operations master, accepts requests for such changes. In every forest, there are at least five operations master roles that are assigned to one or more domain controllers. Forest-wide operations master roles must appear only once in every forest. Domain-wide operations master roles must appear once in every domain in the forest. 

RID master The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller acting as the RID master in each domain in the forest. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object. 

http://www.techrepublic.com/article/step-by-step-learn-how-to-transfer-and-seize-fsmo-roles-in-activedirectory/5081138 Step-By-Step: Learn how to transfer and seize FSMO roles in Active Directory 

http://www.petri.co.il/seizing_fsmo_roles.htm Seizing FSMO Roles 
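Added example (not from the page or the linked articles): seizing the RID master onto a surviving domain controller with the Active Directory module, with the checks a practitioner wants around it. Each DC keeps a pool of 500 RIDs and asks the RID master for more when it runs low, which is why account creation fails some days after the RID master disappears. The names DC2 (surviving DC) and DC3 (failed holder) and the site name in the metadata-cleanup comment are assumptions.

```powershell
# Added example: seize the RID master after the holder is lost, then verify the new holder.
# Assumptions (not from the page): DC2 is a healthy surviving DC, DC3 the failed holder.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$newHolder = 'DC2'
"RID master before: $($domain.RIDMaster)"

# Transfer if the current holder still answers; seize only when it does not.
$reachable = Test-Connection -ComputerName $domain.RIDMaster -Count 1 -Quiet
if ($reachable) {
    Move-ADDirectoryServerOperationMasterRole -Identity $newHolder -OperationMasterRole RIDMaster -Confirm:$false
} else {
    # -Force seizes the role. Equivalent ntdsutil sequence:
    #   ntdsutil roles connections "connect to server DC2" quit "seize rid master" quit quit
    Move-ADDirectoryServerOperationMasterRole -Identity $newHolder -OperationMasterRole RIDMaster -Force -Confirm:$false
}

"RID master after:  $((Get-ADDomain).RIDMaster)"
& dcdiag.exe /test:RidManager /v     # the new holder must be handing out RID pools
& netdom.exe query fsmo

# The failed DC must never come back online: two RID masters allocate overlapping RID ranges,
# which means duplicate SIDs. In Windows Server 2008 R2 deleting the DC's computer object in
# Active Directory Users and Computers performs the metadata cleanup; the classic form is:
#   ntdsutil "metadata cleanup" "remove selected server CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com" quit quit
```

Seizing is the right call here because the question says the DC failed and seven days have passed; for a holder that is merely offline for maintenance, transfer instead, since a seized role can never be given back to the original holder without rebuilding it.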



Q111. Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. 

You need to remove the child domain from the Active Directory forest. 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) 

A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. 

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. 

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role. 

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain. 

Answer: C,D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx Decommissioning a Domain Controller 

To complete this task, perform the following procedures: 

1. View the current operations master role holders 

2. Transfer the schema master 

3. Transfer the domain naming master 

4. Transfer the domain-level operations master roles 

5. Determine whether a domain controller is a global catalog server 

6. Verify DNS registration and functionality 

7. Verify communication with other domain controllers 

8. Verify the availability of the operations masters 

9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key 

10. Uninstall Active Directory 

11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you removed Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate 

12. Determine whether a Server object has child objects 

13. Delete a Server object from a site 

http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx Uninstall Active Directory 

To uninstall Active Directory: 

1. Click Start, click Run, type dcpromo, and then click OK. 
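Added example (not from the page or the TechNet procedure): option D as a PowerShell script that writes a dcpromo answer file, runs the demotion unattended, and removes the file again. The [DCInstall] key names follow the dcpromo unattend format of Windows Server 2008; the account and domain names, the choice of which child-domain DC is demoted last, and the reboot handling are assumptions.

```powershell
# Added example: unattended demotion of a child-domain DC with a dcpromo answer file.
# Run it without -LastDcInDomain on the first DC and with the switch on the remaining one.
# Assumptions (not from the page): CONTOSO\Administrator is an Enterprise Admin (needed to
# remove the last DC of a child domain) and the [DCInstall] keys match the dcpromo reference.
param([switch]$LastDcInDomain)

$cred   = Get-Credential -Credential 'CONTOSO\Administrator'
$net    = $cred.GetNetworkCredential()
$local  = Read-Host -Prompt 'Local Administrator password to set after demotion'
$answer = Join-Path $env:TEMP 'demote.txt'

# The answer file must contain the passwords in clear text, so it is written just before
# dcpromo runs and deleted afterwards, whatever happens.
@"
[DCInstall]
UserName=$($net.UserName)
UserDomain=$($net.Domain)
Password=$($net.Password)
AdministratorPassword=$local
IsLastDCInDomain=$(if ($LastDcInDomain) { 'Yes' } else { 'No' })
RemoveApplicationPartitions=Yes
RemoveDNSDelegation=Yes
DNSDelegationUserName=$($net.UserName)
DNSDelegationPassword=$($net.Password)
RetainDCMetadata=No
RebootOnCompletion=No
"@ | Set-Content -Path $answer -Encoding ASCII

try {
    & dcpromo.exe /unattend:$answer
    $rc = $LASTEXITCODE
} finally {
    Remove-Item -Path $answer -Force -ErrorAction SilentlyContinue
}

if ($rc -ne 0) { throw "dcpromo exited with code $rc; the server is still a domain controller" }
Restart-Computer -Force
```

Transfer any operations master roles and the global catalog off the child-domain DCs before running this, as the decommissioning checklist above says; dcpromo refuses to demote the last DC of a domain while it still holds application partitions unless RemoveApplicationPartitions=Yes, and it will not remove a domain that still contains accounts other than the built-in ones.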


Q112. Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. 

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. 

What should you do? 

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain. 

B. Create an external trust from nwtraders.com to contoso.com. 

C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. 

D. Create an external trust from contoso.com to nwtraders.com. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/hh311036.aspx 

Using AD RMS trust 

It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. 

Here the protected content lives in contoso.com, so it is the contoso.com cluster that must accept RACs issued by nwtraders.com: export the server licensor certificate from the nwtraders.com cluster and import it as a trusted user domain on the contoso.com cluster (option C). Adding the TUD on nwtraders.com (option A) would allow the reverse direction, and the forest trusts in options B and D play no part in AD RMS licensing. 


Q113. Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as shown in the following Command Prompt window. 


You need to ensure that you can use Nslookup to list all of the service location (SRV) resource records for contoso.com. 

What should you modify? 

A. the root hints of the DNS server 

B. the security settings of the zone 

C. the Windows Firewall settings on the DNS server 

D. the zone transfer settings of the zone 

Answer: D 

Explanation: 

http://www.c3.hu/docs/oreilly/tcpip/dnsbind/ch11_07.htm 

11.7 Troubleshooting nslookup Problems 

11.7.4 Query Refused 

Refused queries can cause problems at startup, and they can cause lookup failures during a session. Here's what it looks like when nslookup exits on startup because of a refused query: 

% nslookup 
*** Can't find server name for address 192.249.249.3: Query refused 
*** Default servers are not available 
% 

This one has two possible causes. Either your name server does not support inverse queries (older nslookups only), or zone security is stopping the lookup. Zone security is not limited to causing nslookup to fail to start up. It can also cause lookups and zone transfers to fail in the middle of a session when you point nslookup to a remote name server. This is what you will see: 

% nslookup 
Default Server: hp.com 
Address: 15.255.152.4 
> server terminator.movie.edu 
Default Server: terminator.movie.edu 
Address: 192.249.249.3 
> carrie.movie.edu. 
Server: terminator.movie.edu 
Address: 192.249.249.3 
*** terminator.movie.edu can't find carrie.movie.edu.: Query refused 
> ls movie.edu - This attempts a zone transfer 
[terminator.movie.edu] 
*** Can't list domain movie.edu: Query refused 
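Added example (not from the page or the DNS and BIND excerpt): the zone transfer setting of option D changed with dnscmd so that transfers go to one named host rather than to any server, the nslookup ls command run against it, and the lookups that answer the usual question (where are the domain controllers?) without any zone transfer at all. The server name DC1 and the admin workstation address 10.0.0.50 are assumptions.

```powershell
# Added example: allow zone transfers of contoso.com only to a named host, list the SRV
# records with nslookup's ls (which needs a zone transfer), then close the transfer path again.
# Assumptions (not from the page): DC1 is the DNS server, 10.0.0.50 the admin workstation.
$zone = 'contoso.com'; $dnsServer = 'DC1'; $adminHost = '10.0.0.50'

# 'Only to the following servers' rather than 'To any server': a zone transfer hands an
# attacker every host name and every SRV record of the domain in one query.
& dnscmd.exe $dnsServer /ZoneResetSecondaries $zone /SecureList $adminHost
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneResetSecondaries failed ($LASTEXITCODE)" }
& dnscmd.exe $dnsServer /ZoneInfo $zone

# nslookup reads its commands from standard input when it is not run interactively.
$script = Join-Path $env:TEMP 'ls-srv.txt'
@("server $dnsServer", "ls -t SRV $zone", 'exit') | Set-Content -Path $script -Encoding ASCII
& cmd.exe /c "nslookup < `"$script`""
Remove-Item -Path $script

# The DC locator records can be read without AXFR from any client that is allowed to query:
foreach ($name in "_ldap._tcp.dc._msdcs.$zone", "_kerberos._tcp.dc._msdcs.$zone", "_gc._tcp.$zone") {
    & nslookup.exe -type=SRV $name $dnsServer
}

# Put the zone back to 'no transfers' once the listing is done.
& dnscmd.exe $dnsServer /ZoneResetSecondaries $zone /NoXfr
```

The "Query refused" in the nslookup output above is the zone-transfer restriction doing its job; enabling transfers to any server is the wrong fix, since an attacker can then list the zone with the same ls command from any host.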


Q114. Your company has two Active Directory forests named contoso.com and fabrikam.com. 

The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table. 


All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. 

Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain. 

You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries. 

What should you do? 

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3. 

B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server. 

C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server. 

D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders. 



Conditional forwarders A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers. 
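Added example (not from the page or the TechNet text): option D as dnscmd commands run on DNS3, creating a conditional forwarder that sends contoso.com queries to DNS1, followed by the lookup a fabrikam.com client needs to find contoso.com domain controllers. Option A sends traffic the wrong way (contoso.com servers forwarding fabrikam.com queries), which does nothing for fabrikam.com clients. The address of DNS1 (10.0.0.1) is an assumption.

```powershell
# Added example: conditional forwarder on DNS3 for contoso.com, pointing at DNS1, plus the
# checks that show it works. Run in an elevated PowerShell on DNS3.
# Assumption (not from the page): DNS1 listens on 10.0.0.1.
$zone = 'contoso.com'
$dns1 = '10.0.0.1'

# dnscmd creates a conditional forwarder as a zone of type 'Forwarder'.
& dnscmd.exe /ZoneAdd $zone /Forwarder $dns1 /Timeout 5
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd failed ($LASTEXITCODE)" }
& dnscmd.exe /EnumZones

# What a fabrikam.com workstation asks DNS3 for when it authenticates to contoso.com.
& nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$zone" 127.0.0.1
& nslookup.exe -type=A $zone 127.0.0.1

# DNS3 will cache whatever DNS1 answers, so forward only to servers you control and keep
# 'Secure cache against pollution' enabled (SecureResponses = 1 is the default).
& dnscmd.exe /Info SecureResponses

# Rollback, if needed: dnscmd /ZoneDelete contoso.com /f
```

The forwarder tells DNS3 where to send contoso.com questions; it does not make the users authenticate. That still needs a forest trust between contoso.com and fabrikam.com, which the question treats as already in place.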


Q115. You have a Windows PowerShell script that contains the following code: 

import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword $_.Password} 

When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails. 

You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv. 

Which script should you run? 

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force)} 

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force)} 

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")} 

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString $_.Password)} 

Answer: B 

Explanation: 

import-csv Accounts.csv | Foreach { New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) } 

Personal comment: import the comma-separated values file (most probably containing a Name column and a Password column); for each line of values, create a new AD user with the name in the Name column, enable the account, and set the password to the value in the Password column, converting it from plain text to a secure string. The -AccountPassword parameter only accepts a SecureString, which is why the original script fails with a plain string. Option A gives every account the same literal password, and options C and D prompt at the console instead of using the CSV value. 

http://technet.microsoft.com/en-us/library/hh849818.aspx ConvertTo-SecureString 

Parameters: 

-AsPlainText: Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter. 

-Force: Confirms that you understand the implications of using the AsPlainText parameter and still want to use it. 
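Added example (not from the page): option B as a complete script, with the two additions a production version needs. A random password is generated when the CSV leaves the column empty, and ChangePasswordAtLogon is set so that a password which travelled through a clear-text CSV is only ever a one-time password. The CSV content is constructed for the example; the OU and the UPN suffix are assumptions.

```powershell
# Added example: bulk user creation from a CSV with ConvertTo-SecureString, random passwords
# for rows that have none, and a forced change at first logon.
# Assumptions (not from the page): the OU path and the contoso.com UPN suffix.
# The CSV rows below are constructed for this example.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web   # System.Web.Security.Membership.GeneratePassword

$targetOu = 'OU=Staff,DC=contoso,DC=com'   # assumed
$csvPath  = Join-Path $env:TEMP 'Accounts.csv'
@'
Name,SamAccountName,Password
Alice Adams,aadams,Xy7!qR2#Lw9v
Bob Brown,bbrown,
'@ | Set-Content -Path $csvPath -Encoding ASCII

function New-OneTimePassword {
    # 16 characters with at least 4 non-alphanumerics; satisfies the default complexity policy.
    [System.Web.Security.Membership]::GeneratePassword(16, 4)
}

$created = Import-Csv -Path $csvPath | ForEach-Object {
    $plain = if ($_.Password) { $_.Password } else { New-OneTimePassword }
    # -AccountPassword accepts only a SecureString; passing the string itself is what made
    # the original script fail.
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $user = New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName `
                       -UserPrincipalName "$($_.SamAccountName)@contoso.com" `
                       -Path $targetOu -AccountPassword $secure `
                       -Enabled $true -ChangePasswordAtLogon $true -PassThru
    if (-not $_.Password) {
        # Hand the generated password to the user out of band; never write it back to a file.
        Write-Host ("{0}: one-time password {1}" -f $_.SamAccountName, $plain)
    }
    $user
}

$created | Select-Object Name, SamAccountName, Enabled
Remove-Item -Path $csvPath   # the file held clear-text passwords
```

ConvertTo-SecureString with -AsPlainText does not make the password secret: the value is already in the CSV, in the pipeline variable and, if the script is run from a console, possibly in the transcript. The protection comes from treating the CSV as a one-time credential: restrict who can read it, delete it after the run, and force the change at first logon.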



Q116. Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a standard primary zone for contoso.com. A domain controller named DC2 has a standard secondary zone for contoso.com. 

You need to ensure that the replication of the contoso.com zone is encrypted. 

You must not lose any zone data. 

What should you do? 

A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary zone. 

B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone. 

C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers lists on the secondary zone. 

D. On both servers, modify the interface that the DNS server listens on. 

Answer: B 

Explanation: 

Storing the zone in AD DS means it is replicated by AD DS replication (authenticated and encrypted RPC between domain controllers) instead of by DNS zone transfer, which is sent in clear text. DC2 is a domain controller, so it receives the zone through replication; the standard secondary zone on DC2 is then no longer needed and can be deleted without losing any zone data. 

http://technet.microsoft.com/en-us/library/cc771150.aspx Change the Zone Type 

You can use this procedure to make a zone a primary, secondary, or stub zone. You can also use it to integrate a zone with Active Directory Domain Services (AD DS). 

http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration 

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network. 

Benefits of AD DS integration 

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits: 

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone. 

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. 

Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain. By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network. Directory-integrated replication is faster and more efficient than standard DNS replication. 

http://technet.microsoft.com/en-us/library/ee649124%28v=ws.10%29.aspx Deploy IPsec Policy to DNS Servers 

You can deploy IPsec rules through one of the following mechanisms: 

Domain Controllers organizational unit (OU): If the DNS servers in your domain are Active Directory-integrated, you can deploy IPsec policy settings using the Domain Controllers OU. This option is recommended to make configuration and deployment easier. 

DNS Server OU or security group: If you have DNS servers that are not domain controllers, then consider creating a separate OU or a security group with the computer accounts of your DNS servers. 

Local firewall configuration: Use this option if you have DNS servers that are not domain members or if you have a small number of DNS servers that you want to configure locally. 

http://technet.microsoft.com/en-us/library/cc772661%28v=ws.10%29.aspx Deploying Secure DNS 

Protecting DNS Servers 

When the integrity of the responses of a DNS server is compromised or corrupted, or when the DNS data is tampered with, clients can be misdirected to unauthorized locations without their knowledge. After the clients start communicating with these unauthorized locations, attempts can be made to gain access to information that is stored on the client computers. Spoofing and cache pollution are examples of this type of attack. Another type of attack, the denial-of-service attack, attempts to incapacitate a DNS server to make DNS infrastructure unavailable in an enterprise. 

To protect your DNS servers from these types of attacks: use IPsec between DNS clients and servers; monitor network activity; close all unused firewall ports. 

Implementing IPsec Between DNS Clients and Servers 

IPsec encrypts all traffic over a network connection. Encryption minimizes the risk that data that is sent between the DNS clients and the DNS servers can be scanned for sensitive information or tampered with by anyone attempting to collect information by monitoring traffic on the network. When IPsec is enabled, both ends of a connection are validated before communication begins. A client can be certain that the DNS server with which it is communicating is a valid server. Also, all communication over the connection is encrypted, thereby eliminating the possibility of tampering with client communication. Encryption prevents spoofing attacks, which are false responses to DNS client queries by unauthorized sources that act like a DNS server. 

Further information: http://technet.microsoft.com/en-us/library/cc771898.aspx Understanding Zone Types 

The DNS Server service provides for three types of zones: primary zone, secondary zone, and stub zone. Note: If the DNS server is also an Active Directory Domain Services (AD DS) domain controller, primary zones and stub zones can be stored in AD DS. The following sections describe each of these zone types. 

Primary zone: When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server. 

Secondary zone: When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS. 

Stub zone: When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone. You can use stub zones to: 

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone. 

Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace. 

Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing. 

There are two lists of DNS servers involved in the loading and maintenance of a stub zone: 

The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone. 

The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records. 

When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime. 

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/d352966e-b1ec-46b6-a8b4-317c2c3388c3/ Answered: what is non-standard dns secondary zone? 

Q: While passing through 70-291 exam prep questions, I encountered the term "standard secondary zone". From the context of other questions I understood that "standard", in context of primary zone, means "non-AD-integrated". 

A: Standard means it is not an AD integrated zone. AD integrated zones are stored in the AD database and not in a text file. 

Q: What does "standard" mean in context of DNS secondary zone? 

A: It means the same thing in context of a Standard Primary Zone. Simply stated, "Standard" means the zone data is stored in a text file, which can be found in system32\dns. 
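Added example (not from the page, the TechNet text or the forum thread above): option B as dnscmd commands, followed by the hardening that becomes possible once the zone is directory-integrated (secure-only dynamic updates, no zone transfers). That the zone goes into the DomainDnsZones partition and that no non-AD secondary servers remain are assumptions.

```powershell
# Added example: convert contoso.com on DC1 to an AD-integrated zone, delete the secondary on
# DC2, and close the clear-text transfer path. Run from a DC with the DNS server tools.
# Assumptions (not from the page): the DomainDnsZones partition is used and no file-based
# secondary servers remain that would still need zone transfers.
$zone = 'contoso.com'

# 1. Standard primary -> AD-integrated primary. The zone leaves %windir%\System32\Dns\contoso.com.dns
#    and is stored in AD, so from now on it travels inside AD replication (authenticated,
#    encrypted RPC between DCs) instead of in clear-text AXFR/IXFR.
& dnscmd.exe DC1 /ZoneResetType $zone /DsPrimary /DirectoryPartition "DomainDnsZones.$zone"
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneResetType failed ($LASTEXITCODE)" }

# 2. Only AD-integrated zones can demand secure dynamic updates: 2 = secure only
#    (1 = nonsecure and secure, 0 = none).
& dnscmd.exe DC1 /Config $zone /AllowUpdate 2

# 3. Remove the file-backed secondary on DC2. DC2 is a DC running DNS, so it loads the
#    AD-integrated copy after the next replication cycle; trigger one rather than waiting.
& dnscmd.exe DC2 /ZoneDelete $zone /f
& repadmin.exe /syncall DC2 /Ae

# 4. Nothing needs AXFR any more: refuse zone transfers from everyone.
& dnscmd.exe DC1 /ZoneResetSecondaries $zone /NoXfr

# 5. Verify: both servers should report the zone as DS-integrated with secure updates only.
foreach ($srv in 'DC1', 'DC2') {
    "--- $srv ---"
    & dnscmd.exe $srv /ZoneInfo $zone
}
```

Option C (zone transfer settings plus master servers list) changes who may pull the zone, not how it travels; a standard zone transfer has no encryption of its own, so it does not meet the requirement.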


Q117. You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module. 

You need to back up Active Directory Certificate Services on the CA. 

Which command should you run? 

A. certutil.exe backup 

B. certutil.exe backupdb 

C. certutil.exe backupkey 

D. certutil.exe store 

Answer: B 

Explanation: 

Because a hardware security module (HSM) stores the private keys, certutil.exe -backup would fail: the CA key pair cannot be extracted from the module (the HSM vendor provides its own procedure for backing up key material). The commands in the options do the following: 

certutil -backup: backup set includes the certificate database, the CA certificate and the CA key pair 

certutil -backupdb: backup set includes only the certificate database 

certutil -backupkey: backup set includes only the CA certificate and the CA key pair 

certutil -store: dumps the certificate store on screen 

Since the keys cannot be extracted from the HSM, we have to use backupdb. 

Explanation 1: Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004), page 215, for the commands listed above. 

Explanation 2: http://technet.microsoft.com/en-us/library/cc732443.aspx Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. Syntax: Certutil <-parameter> [-parameter]. Parameter -backupdb: Backup the Active Directory Certificate Services database. 

Explanation 3: http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/ 
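Added example (not from the page or the references above): a CA backup script for the HSM case. certutil -backupdb saves the database and its logs; the private key stays in the HSM, so the script also captures the CA registry configuration (which records the CSP or KSP and key container a restore has to be pointed at), the public CA certificate and the template list. The backup location D:\CABackup and the DataBase subfolder name used in the final check are assumptions.

```powershell
# Added example: back up an AD CS CA whose private key lives in an HSM. Run on the CA in an
# elevated PowerShell. Assumptions (not from the page): D:\CABackup is an access-restricted
# location, and certutil -backupdb writes the .edb into a DataBase subfolder.
$backupRoot = 'D:\CABackup'
$backupDir  = Join-Path $backupRoot (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Certificate database and logs only; no key export, which the HSM would refuse anyway.
& certutil.exe -f -backupdb $backupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed ($LASTEXITCODE)" }

# 2. CA registry configuration: CSP/KSP name and key container, CRL and AIA paths, policy
#    settings. Without it the restored database cannot be reconnected to the HSM-held key.
$regFile = Join-Path $backupDir 'CertSvc-Configuration.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' $regFile /y
& certutil.exe -getreg 'CA\CSP' | Out-File -FilePath (Join-Path $backupDir 'csp.txt')

# 3. Public half of the CA certificate, and the templates this enterprise CA publishes.
& certutil.exe -ca.cert (Join-Path $backupDir 'ca.cer') | Out-Null
& certutil.exe -CATemplates | Out-File -FilePath (Join-Path $backupDir 'templates.txt')

# 4. Sanity check before calling it a backup: the database file must be in the set.
$edb = Get-ChildItem -Path (Join-Path $backupDir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $edb) { throw 'No .edb file in the backup set' }
$count = @(Get-ChildItem -Path $backupDir -Recurse | Where-Object { -not $_.PSIsContainer }).Count
"Backup written to $backupDir ($count files)"
```

The backup is only half of disaster recovery for this CA: restoring onto new hardware also needs the HSM (or its vendor-specific key backup) and the same CSP/KSP registration, which is why the registry export is kept alongside the database. The database itself lists every certificate the CA issued and should be stored with the same care as the CA server.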


Q118. Your company, Contoso Ltd, has offices in North America and Europe. Contoso has an Active Directory forest that has three domains. 

You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. 

What should you do? 

A. Decrease the replication interval for all Connection objects. 

B. Decrease the replication interval for the DEFAULTIPSITELINK site link. 

C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com. 

D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc754538.aspx 

Understanding When to Create a Shortcut Trust 

Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the authentication process. 

Authentication requests must first travel a trust path between domain trees. In a complex forest this can take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten the path that authentication requests travel between domains that are located in two separate domain trees. 

Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest. 

Using the following illustration as an example, you can form a shortcut trust between domain B and domain D, between domain A and domain 1, and so on. 

[Illustration omitted: forest diagram showing the example domains (A, B, D, 1) in separate domain trees] 

Using one-way trusts 

A one-way shortcut trust that is established between two domains in separate domain trees can reduce the time that is necessary to fulfill authentication requests, but in only one direction. For example, when a one-way shortcut trust is established between domain A and domain B, authentication requests that are made in domain A to domain B can use the new one-way trust path. However, authentication requests that are made in domain B to domain A must still travel the longer trust path. 

Using two-way trusts 

A two-way, shortcut trust that is established between two domains in separate domain trees reduces the time that is necessary to fulfill authentication requests that originate in either domain. For example, when a two-way trust is established between domain A and domain B, authentication requests that are made from either domain to the other domain can use the new, two-way trust path. 
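As an added example that is not part of the exam page, the one-way shortcut trust chosen in Q118 can be created and verified with netdom from a machine holding the AD DS tools. eng.na.contoso.com is the trusting (resource) domain and labs.eu.contoso.com the trusted (account) domain, so requests from labs.eu users for eng.na resources take the short path. The administrator account names are placeholders, and the WMI query at the end assumes the script runs on a domain controller, where the Microsoft_DomainTrustStatus class is available.

```powershell
# Added example (not from the exam page): create the one-way shortcut trust from Q118
# with netdom and then verify it. Assumptions: run from a domain controller (for the
# WMI trust query) with RSAT/netdom available; account names are placeholders; the
# '*' arguments make netdom prompt for passwords instead of placing them on the command line.

$TrustingDomain = 'eng.na.contoso.com'   # where the resources live
$TrustedDomain  = 'labs.eu.contoso.com'  # where the users live
$TrustedAdmin   = 'LABS\labsadmin'       # placeholder: Domain Admins member in the trusted domain
$TrustingAdmin  = 'ENG\engadmin'         # placeholder: Domain Admins member in the trusting domain

# /add without /twoway creates a one-way trust; between domains of one forest this is a shortcut trust.
& netdom.exe trust $TrustingDomain /d:$TrustedDomain /add `
    /ud:$TrustedAdmin /pd:* /uo:$TrustingAdmin /po:*
if ($LASTEXITCODE -ne 0) { throw "netdom trust /add failed with exit code $LASTEXITCODE" }

# Confirm the trust exists and its secure channel works before relying on it.
& netdom.exe trust $TrustingDomain /d:$TrustedDomain /verify `
    /ud:$TrustedAdmin /pd:* /uo:$TrustingAdmin /po:*
if ($LASTEXITCODE -ne 0) { throw "netdom trust /verify failed with exit code $LASTEXITCODE" }

# Inspect the trust objects this domain controller knows about (TrustDirection: 1 = inbound,
# 2 = outbound, 3 = bidirectional) so the one-way direction can be checked after creation.
Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' -Class Microsoft_DomainTrustStatus |
    Where-Object { $_.TrustedDomain -eq $TrustedDomain -or $_.TrustedDomain -eq $TrustingDomain } |
    Select-Object TrustedDomain, TrustDirection, TrustType, TrustIsOk, TrustStatusString
```

Because the trust is one-way, requests from eng.na users for labs.eu resources still traverse the full path through the forest root; add /twoway (or a second trust in the opposite direction) only if that traffic also needs shortening.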


Q119. Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. 

You perform a full backup of the domain controllers every night by using Windows Server Backup. 

You update a script in the SYSVOL folder. 

You discover that the new script fails to run properly. You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize the amount of time required to restore the script. 

What should you do first? 

A. Run the Restore-ADObject cmdlet. 

B. Restore the system state to its original location. 

C. Restore the system state to an alternate location. 

D. Attach the VHD file created by Windows Server Backup. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx

Active Directory Backup and Restore in Windows Server 2008

NTBACKUP vs. Windows Server Backup

As an added bonus, Windows Server Backup stores its backup images in Microsoft Virtual Hard Disk (VHD) format. You can actually take a backup image and mount it as a volume in a virtual machine running under Microsoft Virtual Server 2005. You can simply mount the VHDs in a virtual machine and browse for a particular file rather than having to perform test restores of tapes to see which one has the file on it. (A note of caution: you can't take a backup image and boot a virtual machine from it. Since the backed-up hardware configuration doesn't correspond to the virtual machine's configuration, you can't use Windows Server Backup as a physical-to-virtual migration tool.) 
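The explanation above mounts the VHD inside a virtual machine; on Windows Server 2008 R2 the same file can be attached directly with diskpart, which is what answer D relies on. The following PowerShell script is an added example, not from the exam page, that attaches the backup VHD read-only, copies the previous version of the script out of the SYSVOL tree inside the image, and detaches it again. The VHD path and script name are placeholders; the new drive letter is detected by comparing the volume list before and after the attach.

```powershell
# Added example (not from the exam page): pull one file out of a Windows Server Backup VHD
# by attaching it read-only with diskpart, instead of restoring system state.
# Assumptions: run elevated on Windows Server 2008 R2 or later (diskpart vdisk support);
# $VhdPath and $ScriptRel are placeholders for the real backup image and script path.

$VhdPath   = 'E:\WindowsImageBackup\DC1\Backup 2016-04-01 010000\<disk-guid>.vhd'  # placeholder
$ScriptRel = 'Windows\SYSVOL\domain\scripts\logon.vbs'                               # placeholder
$RestoreTo = 'C:\Restore'

function Invoke-DiskPart([string[]]$Commands) {
    # diskpart accepts commands only from a script file, so write one to a temp file and run it.
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $Commands
    try   { & diskpart.exe /s $tmp | Out-Null }
    finally { Remove-Item -Path $tmp -Force }
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
}

# Record the drive letters present before attaching so the new one can be identified.
$before = Get-WmiObject -Class Win32_LogicalDisk | Select-Object -ExpandProperty DeviceID

# 'readonly' guarantees nothing inside the backup image is altered while it is browsed.
Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", 'attach vdisk readonly')
try {
    $after  = Get-WmiObject -Class Win32_LogicalDisk | Select-Object -ExpandProperty DeviceID
    $letter = $after | Where-Object { $before -notcontains $_ } | Select-Object -First 1
    if (-not $letter) { throw 'the attached VHD received no drive letter; assign one in Disk Management and retry' }

    $src = Join-Path -Path $letter -ChildPath $ScriptRel
    New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
    Copy-Item -Path $src -Destination $RestoreTo
    Write-Host "Previous version copied to $(Join-Path $RestoreTo (Split-Path $ScriptRel -Leaf))"
}
finally {
    # Always detach, even if the copy failed, so the image is not left mounted on the DC.
    Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", 'detach vdisk')
}
```

Copying the restored file back into the live SYSVOL share is a separate step; because SYSVOL replicates, place the file once on one domain controller and let replication carry it to the others rather than editing both copies.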


Q120. Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA). 

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled. 

You need to install an enterprise subordinate CA on the server. 

What should you use to log on to the new server? 

A. an account that is a member of the Certificate Publishers group in the child domain 

B. an account that is a member of the Certificate Publishers group in the forest root domain 

C. an account that is a member of the Schema Admins group in the forest root domain 

D. an account that is a member of the Enterprise Admins group in the forest root domain 

Answer: D 

Explanation: 

http://social.technet.microsoft.com/Forums/uk/winserversecurity/thread/887f4cec-12f6-4c15-a506-568ddb21d46b 

In order to install an Enterprise CA you MUST have Enterprise Admins permissions, because the Configuration naming context is replicated to every domain controller in the forest (not only those of the current domain) and is writable only by Enterprise Admins (Domain Admins permissions are insufficient). 


