70-640 pdf : Aug 2016 Edition
Act now and download your Microsoft 70-640 test today! Do not waste time on worthless Microsoft 70-640 tutorials. Download the updated Microsoft TS: Windows Server 2008 Active Directory, Configuring exam with real questions and answers and begin to learn Microsoft 70-640 with a classic professional.
2016 Aug 70-640 exam:
Q131. Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.
The TempWorkers group is not nested in any other groups.
You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders.
You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers.
You must achieve this goal without affecting access to other domain resources.
What should you do?
A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.
Basically, you need to create a GPO for the SecureServers OU and deny the TempWorkers group access to the shared folders (which implies access from the network).
"Deny log on locally" makes no sense in this instance, because we are referring to shared folders, and physical access to the servers is supposedly highly restricted.
And best practices recommend that you link GPOs at the domain level only for domain
Q132. Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office.
What should you do?
A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.
Configuring site link bridges
By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites.
Generally, you can leave automatic site link bridging enabled. However, you might want to disable automatic site link bridging and create site link bridges manually just for specific site links, in the following cases:
You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain controller.
Q133. You add an Online Responder to an Online Responder Array.
You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array.
What should you do?
A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller.
Explanation 1: http://technet.microsoft.com/en-us/library/cc770413.aspx
Managing Array members
For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members.
Explanation 2: http://technet.microsoft.com/en-us/library/cc771281.aspx
To designate an Array controller
1. Open the Online Responder snap-in.
2. In the console tree, click Array Configuration Members.
3. Select the Online Responder that you want to designate as the Array controller.
4. In the Actions pane, click Set as Array Controller.
Q134. Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains an OU for Computers, an OU for Groups, and an OU for Users.
You perform nightly backups. An administrator deletes the Groups OU.
You need to restore the Groups OU without affecting users and computers in the Sales OU.
What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform a non-authoritative restore of the Sales OU.
C. Perform an authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Groups OU.
Answer: Perform an authoritative restore of the Groups OU.
Performing Authoritative Restore of Active Directory Objects
An authoritative restore process returns a designated, deleted Active Directory object or container of objects to its predeletion state at the time when it was backed up. For example, you might have to perform an authoritative restore if an administrator inadvertently deletes an organizational unit (OU) that contains a large number of users. In most cases, there are two parts to the authoritative restore process: a nonauthoritative restore from backup, followed by an authoritative restore of the deleted objects. If you perform a nonauthoritative restore from backup only, the deleted OU is not restored because the restored domain controller is updated after the restore process to the current status of its replication partners, which have deleted the OU. To recover the deleted OU, after you perform nonauthoritative restore from backup and before allowing replication to occur, you must perform an authoritative restore procedure. During the authoritative restore procedure, you mark the OU as authoritative and let the replication process restore it to all the other domain controllers in the domain. After an authoritative restore, you also restore group memberships, if necessary.
Q135. You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks.
For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1.
Which utility will you use to convert basic disks to dynamic disks on FileSrv1?
E. None of the above
[Diskpart] Convert dynamic: Converts a basic disk into a dynamic disk.
Q136. You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.
You need to ensure that you can recover the private key of a certificate issued to a Web server.
What should you do?
A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.
Manual Key Archival
Manual key archival can be used in the following common scenarios that are not supported by automatic key archival:
Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft Office Outlook.
Certificates issued by CAs that do not support key archival.
Certificates installed on the Microsoft Windows 2000 and Windows Millennium Edition operating systems.
This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database: Certutil.exe, the Certificates snap-in, and Microsoft Office Outlook.
To export private keys by using Certutil.exe
1. Open a Command Prompt window.
2. Type the Certutil.exe -exportpfx command using the command-line options described in the following table.
Certutil.exe [-p <Password>] -exportpfx <CertificateId> <OutputFileName>
Q137. Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).
You need to replicate the AD LDS instance on a test computer that is located on the network.
What should you do?
A. Run the repadmin /kcc <servername> command on the test computer.
B. Create a naming context by running the Dsmgmt command on the test computer.
C. Create a new directory partition by running the Dsmgmt command on the test computer.
D. Create and install a replica by running the AD LDS Setup wizard on the test computer.
Create a Replica AD LDS Instance
To create an AD LDS instance and join it to an existing configuration set, use the Active Directory Lightweight Directory Services Setup Wizard to create a replica AD LDS instance.
To create a replica AD LDS instance
1. Click Start, point to Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
2. On the Welcome to the Active Directory Lightweight Directory Services Setup Wizard page, click Next.
3. On the Setup Options page, click A replica of an existing instance, and then click Next.
4. Finish creating the new instance by following the wizard instructions.
Q138. All consultants belong to a global group named TempWorkers. You place three file servers in a new organizational unit named SecureServers. The three file servers contain confidential data located in shared folders.
You need to record any failed attempts made by the consultants to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this computer from the network user rights setting for the TempWorkers global group.
B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use Failure audit policy setting.
C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access Failure audit policy setting.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
E. On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
Windows Server 2008 R2 Unleashed (SAMS, 2010) page 671
Auditing Resource Access
Object access can be audited, although it is not one of the recommended settings. Auditing object access can place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing object access is a two-step process: Step one is enabling “Audit object access” and step two is selecting the objects to be audited. When enabling Audit object access, you need to decide if both failure and success events will be logged. The two options are as follows:
Audit object access failure enables you to see if users are attempting to access objects to which they have no rights. This shows unauthorized attempts.
Audit object access success enables you to see usage patterns. This shows misuse of privilege.
After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and printers.
Auditing Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more events that can be generated, which can increase administrative overhead and system resource requirements.
Therefore, choose wisely which files and folders to audit. To audit a file or folder, do the following:
1. In Windows Explorer, right-click the file or folder to audit and select Properties.
2. Select the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, select the Auditing tab and click the Edit button.
4. Click the Add button to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names button to verify the name.
Q139. Your network contains an Active Directory domain named contoso.com. Contoso.com contains two domain controllers. The domain controllers are configured as shown in the following table.
All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range.
You need to minimize the number of client authentication requests sent to DC2.
What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and assign the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and assign the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and assign the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and assign the subnet to Site1. Move DC2 to Site1.
Creating a new site and assigning it a subnet of 10.1.1.2 with a subnet mask of 255.255.255.255 means that only one IP address (the DC2 IP address) is covered by the Site1 subnet. Therefore, all client requests will be processed by DC1 in the default first site, and DC2 will authenticate only itself.
Q140. Your network contains an Active Directory domain. The domain contains 1,000 user accounts.
You have a list that contains the mobile phone number of each user. You need to add the mobile number of each user to Active Directory.
What should you do?
A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all of the users, and then modify the properties of the users.
CSVDE can only import and export data from AD DS.
http://technet.microsoft.com/en-us/library/cc732101.aspx
Explanation: http://technet.microsoft.com/en-us/library/cc731033.aspx
Ldifde: Creates, modifies, and deletes directory objects.