February 21, 2017

Amazing microsoft 70-640 To Try




Exam topic materials and training tools for the Microsoft 70-640 certification exam, TS: Windows Server 2008 Active Directory, Configuring.

2017 Feb ms 70-640:

Q101. Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. 

You implement Active Directory Rights Management Services (AD RMS). 

You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error message: "SQL Server does not exist or access denied." 

You need to open the AD RMS administration Web site. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Restart IIS. 

B. Manually delete the Service Connection Point in AD DS and restart AD RMS. 

C. Install Message Queuing. 

D. Start the MSSQLSVC service. 

Answer: A,D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1

RMS Administration Issues

"SQL Server does not exist or access denied" message received when attempting to open the RMS Administration Web site

If you have installed RMS by using a new installation of SQL Server 2005 as your database server the SQL Server Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart RMS will not be able to function and only the RMS Global Administration page will be accessible.

After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.


Q102. Your company has an Active Directory domain. 

You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC). 

You need to access the Active Directory Schema snap-in. 

What should you do? 

A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager. 

B. Log off and log on again by using an account that is a member of the Schema Administrators group. 

C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing. 

D. Register Schmmgmt.dll. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/cc732110.aspx

Install the Active Directory Schema Snap-In

You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).

To install the Active Directory Schema snap-in

1. To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK. To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator. 

2. Type the following command, and then press ENTER: regsvr32 schmmgmt.dll 

3. Click Start, click Run, type mmc and then click OK. 

4. On the File menu, click Add/Remove Snap-in. 

5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK. 

6. To save this console, on the File menu, click Save. 

7. In the Save As dialog box, do one of the following: 

* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save. 

* To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.


Q103. Your network contains an Active Directory domain named contoso.com. 

You need to create a central store for the Group Policy Administrative templates. 

What should you do? 

A. Run dfsrmig.exe /createglobalobjects. 

B. Run adprep.exe /domainprep /gpprep. 

C. Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.

D. Copy the %SystemRoot%\System32\GroupPolicy folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.

Answer:

Explanation: 

http://www.vmadmin.co.uk/microsoft/43-winserver2008/220-svr08admxcentralstore

Creating an ADMX central store for group policies

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder. The Central Store is a location that is checked by GPMC. The GPMC will use .admx files that are in the Central Store. The files that are in the Central Store are replicated to all domain controllers in the domain.

First on a domain controller (Windows Server 2008/2008 R2) the ADMX policy definitions and language template files in %SYSTEMROOT%\PolicyDefinitions need copying to %SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions.

Run the following command to copy the entire folder contents to SYSVOL. This will then replicate to all domain controllers (the default ADMX policies and EN-US language templates (ADML) are about 6.5 MB in total).

xcopy /E "%SYSTEMROOT%\PolicyDefinitions" "%SYSTEMROOT%\SYSVOL\domain\Policies\PolicyDefinitions\"


Next, ensure that Remote Server Administration Tools (RSAT) is installed on the client computer you use to edit the GPOs. The client will need to run Windows Vista or Windows 7.

For Windows Vista enable the RSAT feature (GPMC). 

For Windows 7 download and install RSAT then enable the RSAT feature (GPMC). 

When editing a GPO in the GPMC, you will find that the Administrative Templates show as "Policy Definitions (ADMX files) retrieved from the central store".

This confirms it is working as expected. 


Further information:

http://support.microsoft.com/kb/929841/en-us How to create the Central Store for Group Policy Administrative Template files in Windows Vista

http://msdn.microsoft.com/en-us/library/bb530196.aspx Managing Group Policy ADMX Files Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc748955%28v=ws.10%29.aspx Scenario 2: Editing Domain-Based GPOs Using ADMX Files


Q104. Your company has an Active Directory domain. The company has two domain controllers named DC1 and DC2. DC1 holds the Schema Master role. 

DC1 fails. You log on to Active Directory by using the administrator account. You are not able to transfer the Schema Master operations role. 

You need to ensure that DC2 holds the Schema Master role. 

What should you do? 

A. Configure DC2 as a bridgehead server. 

B. On DC2, seize the Schema Master role. 

C. Log off and log on again to Active Directory by using an account that is a member of the Schema Administrators group. Start the Active Directory Schema snap-in. 

D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in. 

Answer:

Explanation: 

Answer: On DC2, seize the Schema Master role. 

http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspx

Transfer the Schema Master

You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.

Note: You perform this procedure by using a Microsoft Management Console (MMC) snap-in, although you can also transfer this role by using Ntdsutil.exe. Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.

http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspx

Seize the AD LDS Schema Master Role

The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the AD LDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set. Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.

Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.


Q105. Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales. 

The Sales organizational unit contains all users and computers of the sales department. 

You need to install an Office 2007 application only on the computers in the Sales organizational unit. 

You create a GPO named SalesApp GPO. 

What should you do next? 

A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location. 

B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain. 

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. 

D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location. 

Answer:


Rebirth mcitp 70-640 pdf:

Q106. Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store. 

A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application. 

You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company. 

What should you create on Server1? 

A. a new application 

B. a resource partner 

C. an account partner 

D. an organization claim 

Answer:

Explanation: 

Since the account store has already been configured, what needs to be done is to use the account store to map an AD DS global security group to an organization claim (called group claim extraction). So that's what we need to create for authentication: an organization claim. 

Creating a resource/account partner is part of setting up the Federation Trust. 

Explanation 1: http://technet.microsoft.com/en-us/library/dd378957.aspx 

Configuring the Federation Servers [All the steps for setting up an AD FS environment are listed in an extensive step-by-step guide, too long to post here.] 

Explanation 2: http://technet.microsoft.com/en-us/library/cc732147.aspx 

Add an AD DS Account Store

If user and computer accounts that require access to a resource that is protected by Active Directory Federation Services (AD FS) are stored in Active Directory Domain Services (AD DS), you must add AD DS as an account store on a federation server in the Federation Service that authenticates the accounts.

Explanation 3: http://technet.microsoft.com/en-us/library/cc731719.aspx

Map an Organization Group Claim to an AD DS Group (Group Claim Extraction)

When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction.


Q107. Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS). 

You need to create new organizational units in the AD LDS application directory partition. 

What should you do? 

A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units. 

B. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition. 

C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units. 

D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. 

Answer:

Explanation: 

Answer: Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition. 

http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx

ADSI Edit (adsiedit.msc)

Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

http://technet.microsoft.com/en-us/library/cc730701%28v=ws.10%29.aspx#BKMK_1

Step 4: Practice Managing AD LDS Organizational Units, Groups, and Users

Create an OU

To keep your AD LDS users and groups organized, you may want to place users and groups in OUs. In Active Directory Domain Services (AD DS) and in AD LDS, as well as in other Lightweight Directory Access Protocol (LDAP)–based directories, OUs are most commonly used for keeping users and groups organized.

To create an OU

1. Click Start, point to Administrative Tools, and then click ADSI Edit. 

2. Connect and bind to the directory partition of the AD LDS instance to which you want to add an OU. 

3. In the console tree, double-click the o=Microsoft,c=US directory partition, right-click the container to which you want to add the OU, point to New, and then click Object. 

4. In Select a class, click organizationalUnit, and then click Next. 

5. In Value, type a name for the new OU, and then click Next. 

6. If you want to set values for additional attributes, click More attributes.

Further information: http://technet.microsoft.com/en-us/library/cc754663%28v=ws.10%29.aspx

Step 5: Practice Working with Application Directory Partitions

The Active Directory Lightweight Directory Services (AD LDS) directory store is organized into logical directory partitions. There are three different types of directory partitions:

* Configuration directory partitions

* Schema directory partitions

* Application directory partitions

Each AD LDS directory store must contain a single configuration directory partition and a single schema directory partition. The directory store can contain zero or more application directory partitions. Application directory partitions hold the data that your applications use. You can create an application directory partition during AD LDS setup or anytime after installation.


Q108. Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed. 

You need to ensure that the user is able to log on to the computer. 

What should you do? 

A. Run the netsh command with the set and machine options. 

B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. 

C. Run the netdom TRUST /reset command. 

D. Run the Active Directory Users and Computers console to disable, and then enable the computer account. 

Answer:

Explanation: 

Answer: Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain. 

http://social.technet.microsoft.com/wiki/contents/articles/9157.trust-relationship-between-workstation-andprimary-domain-failed.aspx

Trust Relationship between Workstation and Primary Domain failed

What are the common causes which generates this message on client systems?

There might be multiple reasons for this kind of behaviour. Below are listed a few of them:

1. Single SID has been assigned to multiple computers. 

2. If the Secure Channel is Broken between Domain controller and workstations 

3. If there are no SPN or DNSHost Name mentioned in the computer account attributes 

4. Outdated NIC Drivers.

How to Troubleshoot this behaviour?

2. If the Secure Channel is Broken between Domain controller and workstations

When a Computer account is joined to the domain, Secure Channel password is stored with computer account in domain controller. By default this password will change every 30 days (This is an automatic process, no manual intervention is required). Upon starting the computer, Netlogon attempts to discover a DC for the domain in which its machine account exists. After locating the appropriate DC, the machine account password from the workstation is authenticated against the password on the DC. If there are problems with system time, DNS configuration or other settings, secure channel's password between Workstation and DCs may not synchronize with each other.

A common cause of broken secure channel [machine account password] is that the secure channel password held by the domain member does not match that held by the AD. Often, this is caused by performing a Windows System Restore (or reverting to previous backup or snapshot) on the member machine, causing an old (previous) machine account password to be presented to the AD.

Resolution: Most simple resolution would be unjoin/disjoin the computer from the domain and rejoin the computer account back to the domain. (This is a somewhat similar principle to performing a password reset for a user account.) Or you can go ahead and reset the computer account using netdom.exe tool.

http://technet.microsoft.com/en-us/library/cc772217%28v=ws.10%29.aspx

Netdom

Enables administrators to manage Active Directory domains and trust relationships from the command prompt. Netdom is a command-line tool that is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).

You can use netdom to:

* Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or Windows NT 4.0 domain.

* Manage computer accounts for domain member workstations and member servers. Management operations include:

* Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships:

* Verify or reset the secure channel for the following configurations: member workstations and servers; backup domain controllers (BDCs) in a Windows NT 4.0 domain; specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows 2000 replicas.

* Manage trust relationships between domains.

Syntax 

NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>] 

http://technet.microsoft.com/en-us/library/cc788073%28v=ws.10%29.aspx 

Netdom reset

Resets the secure connection between a workstation and a domain controller.

Syntax

netdom reset <Computer> {/d: | /domain:}<Domain> [{/s: | /server:}<Server>] [{/uo: | /usero:}<User> {/po: | /passwordo}{<Password>|*}] [{/help | /?}]

Further information: 

http://technet.microsoft.com/en-us/library/cc835085%28v=ws.10%29.aspx 

Netdom trust 

Establishes, verifies, or resets a trust relationship between domains. 

Syntax

netdom trust <TrustingDomainName> {/d: | /domain:} <TrustedDomainName> [{/ud: | /userd:}[<Domain>\]<User> [{/pd: | /passwordd:}{<Password>|*}] [{/uo: | /usero:}<User>] [{/po: | /passwordo:}{<Password>|*}] [/verify] [/reset] [/passwordt:<NewRealmTrustPassword>] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/oneside:{TRUSTED | TRUSTING}] [/force] [/quarantine[:{YES | NO}]] [/namesuffixes:<TrustName> [/togglesuffix:#]] [/EnableSIDHistory] [/ForestTRANsitive] [/SelectiveAUTH][/AddTLN][/AddTLNEX][/RemoveTLN] [/RemoveTLNEX][{/help | /?}]


Q109. Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. 

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. 

What should you do? 

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain. 

B. Create an external trust from nwtraders.com to contoso.com. 

C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. 

D. Create an external trust from contoso.com to nwtraders.com. 

Answer:

Explanation: 

http://technet.microsoft.com/en-us/library/hh311036.aspx 

Using AD RMS trust 

It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. 


Q110. Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. 

You need to remove the child domain from the Active Directory forest. 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) 

A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain. 

B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain. 

C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role. 

D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain. 

Answer: C,D 

Explanation: 

http://technet.microsoft.com/en-us/library/cc755937%28v=ws.10%29.aspx

Decommissioning a Domain Controller

To complete this task, perform the following procedures:

1. View the current operations master role holders 

2. Transfer the schema master 

3. Transfer the domain naming master 

4. Transfer the domain-level operations master roles 

5. Determine whether a domain controller is a global catalog server 

6. Verify DNS registration and functionality 

7. Verify communication with other domain controllers 

8. Verify the availability of the operations masters 

9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed: Export a certificate with the private key

10. Uninstall Active Directory

11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active Directory, perform the following procedure to re-import the certificate to the server: Import a certificate

12. Determine whether a Server object has child objects 

13. Delete a Server object from a site 

http://technet.microsoft.com/en-us/library/cc737258%28v=ws.10%29.aspx

Uninstall Active Directory

To uninstall Active Directory

1. Click Start, click Run, type dcpromo and then click OK. 


