mcitp 70-640 pdf [Apr 2016]

Exam 70-640, TS: Windows Server 2008 Active Directory, Configuring.

2016 Apr 70-640 Study Guide Questions:

Q76. You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. 

For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1. 

Which utility will you use to convert basic disks to dynamic disks on FileSrv1? 

A. Diskpart.exe 

B. Chkdsk.exe 

C. Fsutil.exe 

D. Fdisk.exe 

E. None of the above 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc771534.aspx 

[Diskpart] convert dynamic: Converts a basic disk into a dynamic disk. 


Q77. Your company has an Active Directory domain that has an organizational unit named Sales. The Sales organizational unit contains two global security groups named sales managers and sales executives. 

You need to apply desktop restrictions to the sales executives group. 

You must not apply these desktop restrictions to the sales managers group. 

You create a GPO named DesktopLockdown and link it to the Sales organizational unit. 

What should you do next? 

A. Configure the Deny Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. 

B. Configure the Deny Apply Group Policy permission for the sales executives on the DesktopLockdown GPO. 

C. Configure the Allow Apply Group Policy permission for Authenticated Users on the DesktopLockdown GPO. 

D. Configure the Deny Apply Group Policy permission for the sales managers on the DesktopLockdown GPO. 

Answer: D 

Explanation: 

http://support.microsoft.com/kb/816100 

How to prevent domain Group Policies from applying to certain user or computer accounts 

Typically, if you want Group Policy to apply only to specific accounts (either user accounts, computer accounts, or both), you can put the accounts in an organizational unit, and then apply Group Policy at that organizational unit level. However, there may be situations where you want to apply Group Policy to a whole domain, although you may not want those policy settings to also apply to administrator accounts or to other specific users or groups. 

http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/ 

Best Practice: How to exclude individual users or computers from a Group Policy Object 

One of the common questions I see on the forums from time to time is how to exclude a user and/or a computer from having a Group Policy Object (GPO) applied. This is a relatively straightforward process; however, I should stress this should be used sparingly and should always be done via group membership to avoid the administrative overhead of having to constantly update the security filtering on the GPO. 

Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button. 



Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied. 



Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission. 



Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control, as someone only needs to modify the group membership of the group to make changes to who (or what) gets the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical, as you don’t need to grant them permission to the Group Policy Objects. 


Q78. Your network contains an Active Directory domain. All servers run Windows Server 2008 R2. 

You need to audit the deletion of registry keys on each server. 

What should you do? 

A. From Audit Policy, modify the Object Access settings and the Process Tracking settings. 

B. From Audit Policy, modify the System Events settings and the Privilege Use settings. 

C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed Tracking settings. 

D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global Object Access Auditing settings. 

Answer: D 

Explanation: 

http://technet.microsoft.com/en-us/library/dd408940.aspx 

Advanced Security Audit Policy Step-by-Step Guide 

A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry. 


Q79. You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed. 

You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). 

What should you do? 

A. Install and configure an Online Responder. 

B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations. 

C. Install and configure an additional domain controller. 

D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations. 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc725958.aspx 

What Is an Online Responder? 

An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. 


Q80. Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid. What should you do? 

A. Run syskey.exe and use the Update option. 

B. Run sigverif.exe and use the Advanced option. 

C. Run certutil.exe and specify the -verify parameter. 

D. Run certreq.exe and specify the -retrieve parameter. 

Answer: C 

Explanation: 

http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx 

Basic CRL checking with certutil 

Certutil.exe is the command-line tool to verify certificates and CRLs. To get reliable verification results, you must use certutil.exe because the Certificate MMC Snap-In does not verify the CRL of certificates. A certificate might be wrongly shown in the MMC snap-in as valid but once you verify it with certutil.exe you will see that the certificate is actually invalid. 



Q81. Your network contains an Active Directory forest named contoso.com. 

You plan to add a new domain named nwtraders.com to the forest. 

All DNS servers are domain controllers. 

You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest. 

What should you do? 

A. Add the computer accounts of all the domain controllers to the DnsAdmins group. 

B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group. 

C. Create a standard primary zone on a domain controller in the forest root domain. 

D. Create an Active Directory-integrated zone on a domain controller in the forest root domain. 

Answer: D 


Q82. You need to validate whether Active Directory successfully replicated between two domain controllers. What should you do? 

A. Run the DSget command. 

B. Run the Dsquery command. 

C. Run the RepAdmin command. 

D. Run the Windows System Resource Manager. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc794749.aspx 

You can use the repadmin /showrepl command to verify successful replication to a specific domain controller. 


Q83. Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7. 

From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO). 

You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers. 

You need to ensure that the audit policy is applied to all member servers and all client computers. 

What should you do? 

A. Add a WMI filter to the Default Domain Policy GPO. 

B. Modify the security settings of the Default Domain Policy GPO. 

C. Configure a startup script that runs auditpol.exe on the member servers. 

D. Configure a startup script that runs auditpol.exe on the domain controllers. 

Answer: C 

Explanation: 

Advanced audit policy settings cannot be applied using group policy to Windows Server 2008 servers. To circumvent that we have to use a logon script to apply the audit policy to the Windows Server 2008 member servers. 

Explanation1: http://technet.microsoft.com/en-us/library/ff182311.aspx 

Advanced Security Auditing FAQ 

The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008. 

Note: In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). 


Q84. You have an existing Active Directory site named Site1. You create a new Active Directory site and name it Site2. 

You need to configure Active Directory replication between Site1 and Site2. You install a new domain controller. 

You create the site link between Site1 and Site2. 

What should you do next? 

A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move the new domain controller object to Site2. 

B. Use the Active Directory Sites and Services console to configure a new site link bridge object. 

C. Use the Active Directory Sites and Services console to decrease the site link cost between Site1 and Site2. 

D. Use the Active Directory Sites and Services console to configure the new domain controller as a preferred bridgehead server for Site1. 

Answer: A 

Explanation: 

http://www.enterprisenetworkingplanet.com/netsysm/article.php/624411/Intersite-eplication.htm 

Inter-site Replication 

The process of creating a custom site link has five basic steps: 

1. Create the site link. 

2. Configure the site link's associated attributes. 

3. Create site link bridges. 

4. Configure connection objects. (This step is optional.) 

5. Designate a preferred bridgehead server. (This step is optional.) 

http://technet.microsoft.com/en-us/library/cc759160%28v=ws.10%29.aspx 

Replication between sites 


Q85. ABC.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card. 

ABC.com requires every server in the company to access the Internet. ABC.com security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states that the IP address space used by other networks should not be used by the evaluation lab network. 

As an administrator, you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the internet. 

You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with company's security policy. 

Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution) 

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server 

B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS) 

C. Use ABC.com intranet IP addresses on all virtual servers on CKT. 

D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network. 

E. None of the above 

Answer: A,D 

Explanation: 

http://class10e.com/Microsoft/which-two-actions-should-you-perform-to-achieve-this-task-choose-two-answers/ 

To configure all virtual servers on the CKT server to access the internet and comply with the company’s security policy, you should trigger the virtual DHCP server for the external virtual network and run the ipconfig/renew command on each virtual server. Then add and install a Microsoft Loopback Adapter network interface on CKT. Create a virtual network using the new interface. 

When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses is assigned to the virtual servers on the CKT server. By running the ipconfig/renew command, the new IP addresses will be renewed. The Microsoft Loopback Adapter network interface will ensure that the IP address space used by other networks is not used by the virtual servers on the CKT server. You create a new virtual network on the new network interface, which will enable you to access the internet. 



Q86. Company has a server with Active Directory Rights Management Services (AD RMS) installed. Users have computers running Windows Vista in an Active Directory domain at the Windows Server 2003 functional level. 

As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents. 

You need to configure AD RMS to enable users to use it and protect their documents. 

What should you do to achieve this functionality? 

A. Configure an email account in Active Directory Domain Services (AD DS) for each user. 

B. Add and configure ADRMSADMIN account in local administrators group on the user computers 

C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group 

D. Reinstall the Active Directory domain on user computers 

E. All of the above 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx 

AD RMS Step-by-Step Guide 

For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups. 


Q87. Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC). 

A user from the branch office reports that his account is locked out. 

From a writable domain controller in the main office, you discover that the user's account is not locked out. You need to ensure that the user can log on to the domain. 

What should you do? 

A. Modify the Password Replication Policy. 

B. Reset the password of the user account. 

C. Run the Knowledge Consistency Checker (KCC) on the RODC. 

D. Restore network communication between the branch office and the main office. 

Answer: D 

Explanation: 

Not sure if: 

Run the Knowledge Consistency Checker (KCC) on the RODC. 

or 

Restore network communication between the branch office and the main office. 


Q88. Your company has an Active Directory domain. All servers run Windows Server. 

You deploy a Certification Authority (CA) server. 

You create a new global security group named CertIssuers. 

You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates. 

What should you do? 

A. Assign the Certificate Manager role to the CertIssuers group 

B. Place CertIssuers group in the Certificate Publisher group 

C. Run the certsrv -add CertIssuers command at the command prompt of the certificate server 

D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows Powershell 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc779954%28v=ws.10%29.aspx 

Role-based administration 

Role explanation 

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. 

These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration. 



Certificate Manager: 

Delete multiple rows in database (bulk deletion) 

Issue and approve certificates 

Deny certificates 

Revoke certificates 

Reactivate certificates placed on hold 

Renew certificates 

Recover archived key 

Read CA database 

Read CA configuration information 


Q89. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. 

Your company uses an Enterprise Root certificate authority (CA). 

You need to ensure that revoked certificate information is highly available. 

What should you do? 

A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array. 

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO). 

C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. 

D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain. 

Answer: C 

Explanation: 

Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. 

http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx 

AD CS: Online Certificate Status Protocol Support 

Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information. 

What does OCSP support do? 

The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs. 

Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI. 

Further information: http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-highavailability.aspx 

Implementing an OCSP Responder: Part V High Availability 

There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance. 


Q90. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link. 

You discover that the cached password for a user named User1 is compromised on the RODC. 

On a domain controller in Site1, you change the password for User1. 

You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC. 

Which tool should you use? 

A. Active Directory Sites and Services 

B. Active Directory Users and Computers 

C. Repadmin 

D. Replmon 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc742095.aspx 

Repadmin /rodcpwdrepl 

Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs). 

Example: 

The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc: 

repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com 


