2015 Microsoft 70-640 Certification Exam is coming! Getting a Laest 70-640 Practice Test is very important for an Exam Candiate! Braindump2go New Updated 70-640 Exam Questions Well Formatted in PDF and VCE versions, providing you convenience and excellence both at the same time! Free Questions and Answer are provided Following:
Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
Keywords: 70-640 Exam Dumps,70-640 Practice Tests,70-640 Practice Exams,70-640 Exam Questions,70-640 Dumps,70-640 Dumps PDF,Microsoft 70-640 Exam Dumps,70-640 Questions and Answers,TS: Windows Server 2008 Active Directory, Configuring
QUESTION 381
Drag and Drop Question
ABC.com has an Active Directory forest on a single domain.
The domain operates Windows Server 2008.
A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects.
You have backed up the system state data using third-party backup software.
To restore backup, you start the domain controller in the Directory Services Restore Mode (DSRM).
You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state.
Which three actions should you perform?
Answer:
QUESTION 382
You have a single Active Directory domain.
All domain controllers run Windows Server 2008 and are configured as DNS servers.
The domain contains one Active Directory-integrated DNS zone.
You need to ensure that outdated DNS records are automatically removed from the DNS zone.
What should you do?
A. From the properties of the zone, modify the TTL of the SOA record.
B. From the properties of the zone, enable scavenging.
C. From the command prompt, run ipconfig /flushdns.
D. From the properties of the zone, disable dynamic updates.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc753217.aspx
Set Aging and Scavenging Properties for the DNS Server
The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server.
Further information:
http://technet.microsoft.com/en-us/library/cc771677.aspx
Understanding Aging and Scavenging
QUESTION 383
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.
You need to ensure that changes made to Active Directory objects can be logged.
The logged changes must include the old and new values of any attributes.
What should you do?
A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
B. From the Default Domain Controllers policy, enable the Audit directory service access
setting and enable directory service changes.
C. Enable the Audit account management policy in the Default Domain Controller Policy.
D. Run auditpol.exe and then enable the Audit directory service access setting in the Default
Domain policy.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx
QUESTION 384
Your company, Contoso Ltd has a main office and a branch office.
The offices are connected by a WAN link.
Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office.
DC1 is configured as a DNS server for the ad.contoso.com DNS zone.
This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office.
You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Answer: D
Explanation:
Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
http://technet.microsoft.com/en-us/library/cc726034.aspx
Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.
In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS- integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS servercan accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directoryintegrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication.
QUESTION 385
Your company has a server that runs an instance of Active Directory Lightweight Directory Service (AD LDS).
You need to create new organizational units in the AD LDS application directory partition.
What should you do?
A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.
B. Use the Active Directory Users and Computers snap-in to create the organizational units on
the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application
directory partition.
Answer: D
Explanation:
Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.
http://technet.microsoft.com/en-us/library/cc773354%28v=ws.10%29.aspx
QUESTION 386
Your company has an Active Directory domain.
The company has two domain controllers named DC1 and DC2.
DC1 holds the Schema Master role. DC1 fails.
You log on to Active Directory by using the administrator account.
You are not able to transfer the Schema Master operations role.
You need to ensure that DC2 holds the Schema Master role.
What should you do?
A. Configure DC2 as a bridgehead server.
B. On DC2, seize the Schema Master role.
C. Log off and log on again to Active Directory by using an account that is a member of the
Schema Administrators group.
Start the Active Directory Schema snap-in.
D. Register the Schmmgmt.dll.
Start the Active Directory Schema snap-in.
Answer: B
Explanation:
On DC2, seize the Schema Master role.
http://technet.microsoft.com/en-us/library/cc816645%28v=ws.10%29.aspx
Transfer the Schema Master
You can use this procedure to transfer the schema operations master role if the domain controller that currently hosts the role is inadequate, has failed, or is being decommissioned. The schema master is a forest-wide operations master (also known as flexible single master operations or FSMO) role.
Note: You perform this procedure by using a Microsoft Management Console (MMC) snap- in, although you can also transfer this role by using Ntdsutil.exe.
Membership in Schema Admins, or equivalent, is the minimum required to complete this procedure.
http://technet.microsoft.com/en-us/library/cc794853%28v=ws.10%29.aspx
Seize the AD LDS Schema Master Role
The schema master is responsible for performing updates to the Active Directory Lightweight Directory Services (AD LDS) schema. Each configuration set has only one schema master. All write operations to the ADLDS schema can be performed only when connected to the AD LDS instance that holds the schema master role within its configuration set. Those schema updates are replicated from the schema master to all other instances in the configuration set.
Membership in the AD LDS Administrators group, or equivalent, is the minimum required to complete this procedure.
Caution: Do not seize the schema master role if you can transfer it instead. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again.
QUESTION 387
Your company has an Active Directory forest that runs at the functional level of Windows Server 2008.
You implement Active Directory Rights Management Services (AD RMS).
You install Microsoft SQL Server 2005.
When you attempt to open the AD RMS administration Web site, you receive the following error message:
“SQL Server does not exist or access denied.”
You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Answer: AD
Explanation:
http://technet.microsoft.com/en-us/library/cc747605%28v=ws.10%29.aspx#BKMK_1
RMS Administration Issues
“SQL Server does not exist or access denied” message received when attempting to open the RMS Administration Web site
If you have installed RMS by using a new installation of SQL Server 2005 as your database server the SQL Server Service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to automatically start when the server is started. If you have restarted your SQL Server since installing RMS and have not configured this service to automatically restart RMS will not be able to function and only the RMS Global Administration page will be accessible.
After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.
QUESTION 388
Your network consists of an Active Directory forest that contains one domain named contoso.com.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You have two Active Directory-integrated zones: contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone.
You must prevent the user from modifying the SOA record in the nwtraders.com zone.
What should you do?
A. From the Active Directory Users and Computers console, run the Delegation of Control
Wizard.
B. From the Active Directory Users and Computers console, modify the permissions of the
Domain Controllers organizational unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Answer: C
Explanation:
From the DNS Manager console, modify the permissions of the contoso.com zone.
http://technet.microsoft.com/en-us/library/cc753213.aspx
Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.
QUESTION 389
Your company has an Active Directory domain.
All servers run Windows Server 2008 R2.
Your company uses an Enterprise Root certificate authority (CA).
You need to ensure that revoked certificate information is highly available.
What should you do?
A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet
Security and Acceleration Server array.
B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object
(GPO).
C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load
Balancing.
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates.
Link the GPO to the domain.
Answer: C
Explanation:
Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx
AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows ServerĀ® 2008 operating system, public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.
In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization’s PKI.
QUESTION 390
You have two servers named Server1 and Server2.
Both servers run Windows Server 2008 R2.
Server1 is configured as an enterprise root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server1 to support the Online Responder.
What should you do?
A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732526.aspx
Configure a CA to Support OCSP Responders
To function properly, an Online Responder must have a valid Online Certificate Status Protocol (OCSP)Response Signing certificate. This OCSP Response Signing certificate is also needed if you are using a non-Microsoft OCSP responder.
100% 70-640 Complete Success & Money Back Guarantee!
By utilizing Braindump2go high quality Microsoft 70-640 Exam Dumps Products, You can surely pass 70-640 certification 100%! Braindump2go also offers 100% money back guarantee to individuals in case they fail to pass Microsoft 70-640 in one attempt.