Do you want to pass Microsoft 70-640 Exam ? If you answered YES, then look no further. Braindump2go offers you the best 70-640 exam questions which cover all core test topics and certification requirements. All REAL questions and answers from Microsoft Exam Center will help you be a 70-640 certified!
Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
QUESTION 51
Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7.
You enable automatic certificate enrollment for all client computers that run Windows 7.
You need to verify that the Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
A. certreq.exe retrieve
B. certreq.exe submit
C. certutil.exe getkey
D. certutil.exe pulse
Answer: D
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/795f209d-b056-4de8-8dcf-7c7f80529aab/
QUESTION 52
Your network contains two Active Directory forests named contoso.com and adatum.com.
The functional level of both forests is Windows Server 2008 R2.
Each forest contains one domain.
Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates.
You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).
What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/dd851772.aspx
Manage Certificate Enrollment Policy by Using Group Policy
Configuring certificate enrollment policy settings by using Group Policy
QUESTION 53
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
– Enterprise root certification authority (CA)
– Certificate Enrollment Web Service
– Certificate Enrollment Policy Web Service
You create a new certificate template.
External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users.
You need to ensure that the external users can request certificates by using the new template.
What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe dspublish.
D. Restart the Active Directory Certificate Services service.
Answer: A
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-activedirectory-certificate-services.aspx
Certificate Enrollment Web Services in Active Directory Certificate Services
Troubleshooting
Managing Certificate Enrollment Policy Web Service Polling for Certificate Templates Certificate Templates are stored in AD DS, and the Certificate Enrollment Policy Web Service polls the AD DS periodically for template changes. Changes made to templates are not reflected in real time on the Certificate Enrollment Policy Web Service. When administrators duplicate or modify templates, there can be a lag between the time at which the change is made and when the new templates are available. By default, the Certificate Enrollment Policy Web Service polls the directory every 30 minutes for changes. The Certificate Enrollment Policy Web Service can be manually forced to refresh its template cache by recycling IIS using the command iisreset.
QUESTION 54
Your network contains an enterprise root certification authority (CA).
You need to ensure that a certificate issued by the CA is valid.
What should you do?
A. Run syskey.exe and use the Update option.
B. Run sigverif.exe and use the Advanced option.
C. Run certutil.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.
Answer: C
Explanation:
http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx
Basic CRL checking with certutil
Certutil.exe is the command-line tool to verify certificates and CRLs. To get reliable verification results, you must use certutil.exe because the Certificate MMC Snap-In does not verify the CRL of certificates. A certificate might be wrongly shown in the MMC snap-in as valid but once you verify it with certutil.exe you will see that the certificate is actually invalid.
QUESTION 55
You have an enterprise subordinate certification authority (CA).
The CA issues smart card logon certificates.
Users are required to log on to the domain by using a smart card.
Your company’s corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked.
An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee’s smart card certificate.
B. Disable the employee’s Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee’s Active Directory account.
Answer: B
Explanation:
http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice
Delete or disable an Active Directory account?
One best practice.
I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn’t give the clearest direction on this but common sense does.
The case for deleting an account is that, BOOM, no more access. No ifs ands or buts, if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away.
And then the reason for MSFT’s lack of direction came into play. Individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.
QUESTION 56
You add an Online Responder to an Online Responder Array.
You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array.
What should you do?
A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder, and
then select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder, and
then select Synchronize Members with Array Controller.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc770413.aspx
Managing Array members
For each Array, one member is defined as the Array controller; the role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members.
http://technet.microsoft.com/en-us/library/cc771281.aspx
QUESTION 57
Your network contains a server that runs Windows Server 2008 R2.
The server is configured as an enterprise root certification authority (CA).
You have a Web site that uses x.509 certificates for authentication.
The Web site is configured to use a many-to-one mapping.
You revoke a certificate issued to an external partner.
You need to prevent the external partner from accessing the Web site.
What should you do?
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Active Directory Users and Computers, modify the Contact object for the external partner.
Answer: A
Explanation:
http://technet.microsoft.com/library/cc732443.aspx
QUESTION 58
Your company has a main office and five branch offices that are connected by WAN links.
The company has an Active Directory domain named contoso.com.
Each branch office has a member server configured as a DNS server.
All branch office DNS servers host a secondary zone for contoso.com.
You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails.
What should you do?
A. Configure the Expires after option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.
Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc816704%28v=ws.10%29.aspx
Adjust the Expire Interval for a Zone
You can use this procedure to adjust the expire interval for a Domain Name System (DNS) zone. Other DNS servers that are configured to load and host the zone use the expire interval to determine when zone data expires if it is not successfully transferred. By default, the expire interval for each zone is set to one day.
You can complete this procedure using either the DNS Manager snap-in or the dnscmd command-line tool.
To adjust the expire interval for a zone using the Windows interface
QUESTION 59
Your company has an Active Directory domain named contoso.com.
FS1 is a member server in contoso.com.
You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com.
Fabrikam.com has a DHCP server and a DNS server.
Users in fabrikam.com are unable to resolve FS1 by using DNS.
You need to ensure that FS1 has an A record in the fabrikam.com DNS zone.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.
B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain
Name to the domain name fabrikam.com.
C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.
D. Configure NIC2 by configuring the Use this connection’s DNS suffix in DNS registration
option.
E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain
Name to the domain name fabrikam.com.
Answer: BD
QUESTION 60
Your company Datum Corporation, has a single Active Directory domain named intranet.adatum.com.
The domain has two domain controllers that run Windows Server 2008 R2 operating system.
The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com
DNS zone properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the
intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the
Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the
Security tab of the intranet.adatum.com DNS zone properties.
Answer: AD
Explanation:
http://www.advicehow.com/managing-dns-dynamic-updates-in-windows-server-2008-r2/
http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/DNS-Security-Part2.html
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/
100% Full Money Back Guarantee Promised By Braindump2go to All 70-640 Exam Candiates: Braindump2go is confident that our NEW UPDATED 70-640 Exam Questions and Answers are changed with Microsoft Official Exam Center, If you cannot PASS 70-640 Exam, nevermind, we will return your full money back! Visit Braindump2go exam dumps collection website now and download 70-640 Exam Dumps Instantly Today!