Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
QUESTION 131
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to configure the Active Directory environment to support the application of multiple password policies.
What should you do?
A. Raise the functional level of the domain to Windows Server 2008.
B. On one domain controller, run dcpromo /adv.
C. Create multiple Active Directory sites.
D. On all domain controllers, run dcpromo /adv.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server® 2008 domains.
In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain’s Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.
Requirements and special considerations for fine-grained password and account lockout policies
Domain functional level:
The domain functional level must be set to Windows Server 2008 or higher.
QUESTION 132
Your company purchases a new application to deploy on 200 computers.
The application requires that you modify the registry on each target computer before you install the application.
The registry modifications are in a file that has an .adm extension.
You need to prepare the target computers for the application.
What should you do?
A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.
B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer.
Answer: A
Explanation:
http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm
QUESTION 133
Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs).
One of these GPOs publishes applications to user objects.
A user reports that the application is not available for installation.
You need to identify whether the GPO has been applied.
What should you do?
A. Run the Group Policy Results utility for the user.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
D. Run the Group Policy Results utility for the computer.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/bb456989.aspx
QUESTION 134
Your company has an Active Directory domain.
You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2.
You need to ensure that members of the Account Operators group are able to issue smartcard credentials.
They should not be able to revoke certificates.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A. Create an Enrollment Agent certificate.
B. Create a Smartcard logon certificate.
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Install the AD CS role and configure it as an Enterprise Root CA.
E. Install the AD CS role and configure it as a Standalone CA.
F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
Answer: BCD
Explanation:
http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx
QUESTION 135
You create 200 new user accounts.
The users are located in six different sites.
New users report that they receive the following error message when they try to log on:
“The username or password is incorrect.”
You confirm that the user accounts exist and are enabled.
You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure.
You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Answer: B
Explanation:
Repadmin allows us to check the replication status and also allows us to force a replication between domain controllers.
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
Repadmin /showrepl
Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.
Repadmin /syncall
Synchronizes a specified domain controller with all replication partners.
QUESTION 136
Your network contains an Active Directory forest.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You have an Active Directory-integrated zone for contoso.com.
You have a Unix-based DNS server.
You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS server.
What should you do in the DNS Manager console?
A. Enable BIND secondaries
B. Create a stub zone
C. Disable recursion
D. Create a secondary zone
Answer: A
Explanation:
http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dns-serverbind-secondaries/
QUESTION 137
Your company has an Active Directory domain.
You log on to the domain controller.
The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.
D. Register Schmmgmt.dll.
Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc732110.aspx
QUESTION 138
Your company has a server that runs Windows Server 2008 R2.
Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.
Answer: AD
Explanation:
http://technet.microsoft.com/en-us/library/cc772451.aspx
QUESTION 139
Your company has a single-domain Active Directory forest.
The functional level of the domain is Windows Server 2008.
You perform the following activities:
– Create a global distribution group.
– Add users to the global distribution group.
– Create a shared folder on a Windows Server 2008 member server.
– Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Answer: B
Explanation:
http://kb.iu.edu/data/ajlt.html
In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can’t use distribution groups to assign permissions on any objects, and you can’t use them to filter group policy settings.
http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx
QUESTION 140
Your company hires 10 new employees.
You want the new employees to connect to the main office through a VPN connection.
You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office.
The new employees are unable to access shared resources in the main office.
You need to ensure that users are able to establish a VPN connection to the main office.
What should you do?
A. Grant the new employees the Allow Access Dial-in permission.
B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
Dial-in properties of a user account
The dial-in properties for a user account are:
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt.