Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring
Transcript of Microsoft 70-640 TS: Windows Server 2008 Active Directory, Configuring
Microsoft 70-640 Exam
Topic 1, Exam Set 1
QUESTION NO: 1
You have a single Active Directory domain. All domain controllers run Windows Server 2008 and
are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone.
You need to ensure that outdated DNS records are automatically removed from the DNS zone.
What should you do?
A. From the properties of the zone, modify the TTL of the SOA record.
B. From the properties of the zone, enable scavenging.
C. From the command prompt, run ipconfig /flushdns.
D. From the properties of the zone, disable dynamic updates.
Answer: B
Explanation:
To remove the outdated DNS records from the DNS zone automatically, you should enable
Scavenging through Zone properties. Scavenging will help you clean up old unused records in
DNS. Since "clean up" really means "delete stuff" a good understanding of what you are doing and
a healthy respect for "delete stuff" will keep you out of the hot grease. Because deletion is involved
there are quite a few safety valves built into scavenging that take a long time to pop. When
enabling scavenging, patience is required.
Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088-
a6bbce0a4304&ID=211
QUESTION NO: 2
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2. The Audit account management policy setting and Audit directory services
access setting are enabled for the entire domain.
You need to ensure that changes made to Active Directory objects can be logged. The logged
changes must include the old and new values of any attributes.
What should you do?
A. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.
B. From the Default Domain Controllers policy, enable the Audit directory service access setting
and enable directory service changes.
C. Enable the Audit account management policy in the Default Domain Controller Policy.
D. Run auditpol.exe and then enable the Audit directory service access setting in the Default
www.certify-me.co.uk 2
Microsoft 70-640 Exam
Domain policy.
Answer: A
Explanation:
To make sure the changes made to active directory objects are logged and the logs show the old
and new values of any attribute, you should run audipol.exe and configure the security settings for
the domain controllers Organizational Unit.
QUESTION NO: 3
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by
a WAN link. Contoso has an Active Directory forest that contains a single domain named
ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the
main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is
configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the
event that a WAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Answer: D
Explanation:
To make sure that the DNS service on TK2 can update records and resolve DNS queries in the
event of a MAN link failure, you should convert maks.contoso.com on TK1 to an Active Directory-
integrated zone. Active Directory-integrated DNS offers two pluses over traditional zones. For one,
the fault tolerance built into Active Directory eliminates the need for primary and secondary
nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary
nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide
availability of nameservers that can accept registrations. Recall that domain controllers and
workstations register their locations and availability to the DNS zone using dynamic DNS. In a
www.certify-me.co.uk 3
Microsoft 70-640 Exam
traditional DNS setup, only one type of nameserver can accept these registrations—the primary
server, because it has the only read/write copy of a zone. By creating an Active Directory-
integrated zone, all Windows Server 2008 nameservers that store their zone data in Active
Directory can accept a dynamic registration, and the change will be propagated using Active
Directory multimaster replication.
Reference: http://safari.adobepress.com/9780596514112/active_directory-integrated_zones
QUESTION NO: 4
Your company has a server that runs an instance of Active Directory Lightweight Directory Service
(AD LDS).
You need to create new organizational units in the AD LDS application directory partition.
What should you do?
A. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.
B. Use the Active Directory Users and Computers snap-in to create the organizational units on the
AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application
directory partition.
Answer: D
Explanation:
To create new OUs in the AD LDS application directory partition, you should use ADSI Edit snap-
in. ADSI Edit is a snap-in that runs in a Microsoft Management Console (MMC). The default
console containing ADSI Edit is AdsiEdit.msc. If this snap-in is not added in your MMC, you can do
it by adding through Add/Remove Snap-in menu option in the MMC or you can open AdsiEdit.msc
from a Windows Explorer.
QUESTION NO: 5
Your company has an Active Directory domain. The company has two domain controllers named
DC1 and DC2. DC1 holds the Schema Master role.
DC1 fails. You log on to Active Directory by using the administrator account.
You are not able to transfer the Schema Master operations role.
www.certify-me.co.uk 4
Microsoft 70-640 Exam
You need to ensure that DC2 holds the Schema Master role.
What should you do?
A. Configure DC2 as a bridgehead server.
B. On DC2, seize the Schema Master role.
C. Log off and log on again to Active Directory by using an account that is a member of the
Schema Administrators group. Start the Active Directory Schema snap-in.
D. Register the Schmmgmt.dll. Start the Active Directory Schema snap-in.
Answer: B
Explanation:
To ensure that DC2 holds the Schema Master role, you should seize the Schema Master role on
DC2. Seizing the schema master role is a drastic step that should be considered only if the current
operations master will never be available again. So to transfer the schema master operations role,
you have to seize it on DC2.
Reference: http://technet2.microsoft.com/windowsserver/en/library/d4301a14-dd18-4b3c-a3cc-
ec9a773f7ffb1033.mspx?mfr=true
QUESTION NO: 6
Your company has an Active Directory forest that runs at the functional level of Windows Server
2008.
You implement Active Directory Rights Management Services (AD RMS).
You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration
Web site, you receive the following error message: "SQL Server does not exist or access denied."
You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Answer: A,D
www.certify-me.co.uk 5
Microsoft 70-640 Exam
Explanation:
To rectify the SQL server problem, you have to restart the internet information server (IIS). The IIS
server will be refreshed. Then you start the MSSQULSVC service to start the SQL server. This will
enable you to access the database from AD RMS administration website.
QUESTION NO: 7
Your network consists of an Active Directory forest that contains one domain named contoso.com.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have
two Active Directory-integrated zones: contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone. You must prevent
the user from modifying the SOA record in the nwtraders.com zone.
What should you do?
A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
B. From the Active Directory Users and Computers console, modify the permissions of the Domain
Controllers organizational unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Answer: C
Explanation:
To allow the user to modify records in contoso.com and prevent him/her from modifying the SOA
record in contoso.com zone, you should set the permissions of contoso.com through DNS
Manager Console. You set the permissions for the users to modify the records in contoso.com. By
setting permission on one Active directory-integrated zone, you will be preventing the users from
modifying anything else on the other zones.
QUESTION NO: 8
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your
company uses an Enterprise Root certificate authority (CA).
You need to ensure that revoked certificate information is highly available.
What should you do?
www.certify-me.co.uk 6
Microsoft 70-640 Exam
A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet
Security and Acceleration Server array.
B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object
(GPO).
C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load
Balancing.
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the
GPO to the domain.
Answer: C
Explanation:
To ensure that the revoked certificate information is available at all, you should use the network
load balancing and publish an OCSP responder. OCSP is an online responder that can receive a
request to check for revocation of a certificate without the client having to download the entire
CRL. This process speeds up certificate revocation checking and reduces network bandwidth
used for this process. This can be helpful especially when such checking is down over slow WAN
links.
QUESTION NO: 9
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2.
Server1 is configured as an enterprise root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server1 to support the Online Responder.
What should you do?
A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.
Answer: C
Explanation:
To configure online responder role service on S1, you should configure AIA extension. The
authority information access extension indicates how to access CA information and services for
the issuer of the certificate in which the extension appears. Information and services may include
on-line validation services and CA policy data. (The location of CRLs is not specified in this
extension; that information is provided by the cRLDistributionPoints extension.) This extension
www.certify-me.co.uk 7
Microsoft 70-640 Exam
may be included in subject or CA certificates, and it MUST be non-critical
Reference: datatracker.ietf.org/documents/LIAISON/file315.pdf
QUESTION NO: 10
Your company has an Active Directory domain. A user attempts to log on to a computer that was
turned off for twelve weeks. The administrator receives an error message that authentication has
failed. You need to ensure that the user is able to log on to the computer. What should you do?
A. Run the netsh command with the set and machine options.
B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the
computer to the domain.
C. Run the netdom TRUST /reset command.
D. Run the Active Directory Users and Computers console to disable, and then enable the
computer account.
Answer: B
Explanation:
To ensure that the administrator can log on to the computer, you should disjoin the computer from
the domain and rejoin it again. Reset the computer account too. Due to long inactivity, the
computer was not responding to the authentication query using the Active Directory records. So
when you disjoin and rejoin the computer to the domain and reset the computer account, the
Active Directory refreshes the computer account password. After that the administrator can easily
log on to the computer.
QUESTION NO: 11
Your company has an Active Directory forest that contains a single domain. The domain member
server has an Active Directory Federation Services (AD FS) role installed. You need to configure
AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What
should you do?
A. Add and configure a new account partner.
B. Add and configure a new resource partner.
C. Add and configure a new account store.
D. Add and configure a Claims-aware application.
Answer: C
Explanation: Explanation:
www.certify-me.co.uk 8
Microsoft 70-640 Exam
To configure the AD FS trust policy to populate AD FS tokens with employee’s information from
Active directory domain, you need to add and configure a new account store.
AD FS allows the secure sharing of identity information between trusted business partners across
an extranet. When a user needs to access a Web application from one of its federation partners,
the user's own organization is responsible for authenticating the user and providing identity
information in the form of "claims" to the partner that hosts the Web application. The hosting
partner uses its trust policy to map the incoming claims to claims that are understood by its Web
application, which uses the claims to make authorization decisions. Because claims originate from
an account store, you need to configure account store to configure the AD FS trust policy.
: Active Directory Federation Services
http://msdn2.microsoft.com/en-us/library/bb897402.aspx
QUESTION NO: 12
You network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2.
You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.
What tool should you use?
A. Active Directory Users and Computers snap-in
B. ntdsutil
C. Local Users and Groups snap-in
D. dsmod
Answer: B
Explanation:
To reset the DSRM password on a single domain controller, you should use ntdsutil utility. You
can use Ntdsutil.exe to reset this password for the server on which you are working, or for another
domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm
password.
Reference: http://support.microsoft.com/kb/322672
QUESTION NO: 13
www.certify-me.co.uk 9
Microsoft 70-640 Exam
Your company has a main office and a branch office. You deploy a read-only domain controller
(RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that
users at the branch office are able to log on to the domain by using the RODC. What should you
do?
A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites
and Services console.
D. Configure the Password Replication Policy on the RODC.
Answer: D
Explanation:
To ensure that the users at the branch office can log on to the domain using RODC, you should
use a Password Replication Policy. RODCs don’t cache any user or machine passwords. You can
change this by adding a policy through each RODC’s unique Password Replication Policy (PRP).
A policy would create a group for each branch office with a RODC and add users in that branch
office. An administrator, then, can allow password replication for the branch-office group.
QUESTION NO: 14
Your company has a single Active Directory domain named intranet.adatum.com. The domain
controllers run Windows Server 2008 and the DNS server role. All computers, including non-
domain members, dynamically register their DNS records. You need to configure the
intranet.adatum.com zone to allow only domain members to dynamically register DNS records.
What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Answer: A
Explanation:
To make sure only the domain members are able to register their DNS records dynamically, set
the option Secure only for Dynamic updates. This will let only the domain members to register their
DNS records dynamically.
Reference:
www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx
www.certify-me.co.uk 10
Microsoft 70-640 Exam
QUESTION NO: 15
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2 and are configured as DNS servers. A domain controller named DC1 has a
standard primary zone for contoso.com. A domain controller named DC2 has a standard
secondary zone for contoso.com.
You need to ensure that the replication of the contoso.com zone is encrypted. You must not lose
any zone data.
What should you do?
A. Convert the primary zone into an Active Directory-integrated stub zone. Delete the secondary
zone.
B. Convert the primary zone into an Active Directory-integrated zone. Delete the secondary zone.
C. Configure the zone transfer settings of the standard primary zone. Modify the Master Servers
lists on the secondary zone.
D. On both servers, modify the interface that the DNS server listens on.
Answer: B
Explanation:
To make sure that the replication of the contoso.com zone is encrypted to prevent data loss, you
should convert the primary zone into an active directory zone and delete the secondary zone
QUESTION NO: 16
You are decommissioning domain controllers that hold all forest-wide operations master roles. You
need to transfer all forest-wide operations master roles to another domain controller. Which two
roles should you transfer? (Each correct answer presents part of the solution. Choose two.)
A. Domain naming master
B. Infrastructure master
C. RID master
D. PDC emulator
E. Schema master
Answer: A,E
Explanation:
To transfer all forest-wide operation master roles to another domain, you should transfer Domain
www.certify-me.co.uk 11
Microsoft 70-640 Exam
naming master and Schema master. Schema Master: The schema master domain controller
controls all updates and modifications to the schema. To update the schema of a forest, you must
have access to the schema master. There can be only one schema master in the whole forest.
Domain naming master: The domain naming master domain controller controls the addition or
removal of domains in the forest. There can be only one domain naming master in the whole
forest.
Reference: http://support.microsoft.com/kb/324801
QUESTION NO: 17
Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an
Active Directory domain named intranet.fabrikam.com. Fabrikam’s security policy prohibits the
transfer of internal DNS zone data outside the Fabrikam network.
You need to ensure that the Contoso users are able to resolve names from the
intranet.fabrikam.com domain.
What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.
B. Configure conditional forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Active DirectoryCintegrated zone for the intranet.fabrikam.com domain.
Answer: B
Explanation:
To enable a fabrikam.com user to resolve names from intranet.fabrikam.com domain, you should
set the conditional forwarding for the intranet.fabrikam.com domain. A conditional forwarding is a
DNS query setting that enables a DNS server to route a request for a particular name to another
DNS server by specifying a name and IP address.
QUESTION NO: 18
An Active Directory database is installed on the C volume of a domain controller. You need to
move the Active Directory database to a new volume. What should you do?
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
www.certify-me.co.uk 12
Microsoft 70-640 Exam
C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft
Windows PowerShell.
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Answer: D
Explanation:
To move the Active Directory database to a new volume, you should move the ntds.dit file to the
new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the
database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe
when moving files to a different partition, you will need to manually update the registry.
Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-
d51707bf01eb1033.mspx?mfr=true
QUESTION NO: 19
Your company has file servers located in an organizational unit named Payroll. The file servers
contain payroll files located in a folder named Payroll. You create a GPO. You need to track which
employees access the Payroll files on the file servers. What should you do?
A. Enable the Audit process tracking option. Link the GPO to the Domain Controllers
organizational unit. On the file servers, configure Auditing for the Authenticated Users group in the
Payroll folder.
B. Enable the Audit object access option. Link the GPO to the Payroll organizational unit. On the
file servers, configure Auditing for the Everyone group in the Payroll folder.
C. Enable the Audit process tracking option. Link the GPO to the Payroll organizational unit. On
the file servers, configure Auditing for the Everyone group in the Payroll folder.
D. Enable the Audit object access option. Link the GPO to the domain. On the domain controllers,
configure Auditing for the Authenticated Users group in the Payroll folder.
Answer: B
Explanation:
QUESTION NO: 20
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You
need to implement key archival. What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
www.certify-me.co.uk 13
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 21
Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU
contains an OU for Computers, an OU for Groups, and an OU for Users.
You perform nightly backups. An administrator deletes the Groups OU.
You need to restore the Groups OU without affecting users and computers in the Sales OU.
What should you do?
A. Perform an authoritative restore of the Sales OU.
B. Perform a non-authoritative restore of the Sales OU.
C. Perform an authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Groups OU.
Answer: C
Explanation:
QUESTION NO: 22
Your network consists of a single Active Directory domain. The functional level of the forest is
Windows Server 2008 R2. You need to create multiple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multiple Group Policy objects.
B. From the Schema snap-in, create multiple class schema objects.
C. From the ADSI Edit snap-in, create multiple Password Setting objects.
D. From the Security Configuration Wizard, create multiple security policies.
Answer: C
Explanation:
QUESTION NO: 23
You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS
server.
www.certify-me.co.uk 14
Microsoft 70-640 Exam
You need to record all inbound DNS queries to the server.
What should you configure in the DNS Manager console?
A. Enable debug logging.
B. Enable automatic testing for simple queries.
C. Configure event logging to log errors and warnings.
D. Enable automatic testing for recursive queries.
Answer: A
Explanation:
QUESTION NO: 24
Your company has a main office and a branch office. The company has a single-domain Active
Directory forest. The main office has two domain controllers named DC1 and DC2 that run
Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain
controller (RODC) named DC3. All domain controllers hold the DNS Server role and are
configured as Active Directory-integrated zones. The DNS zones only allow secure updates. You
need to enable dynamic DNS updates on DC3. What should you do?
A. Run the Dnscmd.exe /ZoneResetType command on DC3.
B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
C. Create a custom application directory partition on DC1. Configure the partition to store Active
Directory-integrated zones.
D. Run the Ntdsutil.exe > DS Behavior commands on DC3.
Answer: B
Explanation:
QUESTION NO: 25
Your company has an Active Directory domain named ad.contoso.com. The domain has two
domain controllers named DC1 and DC2. Both domain controllers have the DNS server role
installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure
DC1 to forward all unresolved name requests to DNS1.contoso.com.
You discover that the DNS forwarding option is unavailable on DC2.
www.certify-me.co.uk 15
Microsoft 70-640 Exam
You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com
server.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Clear the DNS cache on DC2.
B. Configure conditional forwarding on DC2.
C. Configure the Listen On address on DC2.
D. Delete the Root zone on DC2.
Answer: B,D
Explanation:
QUESTION NO: 26
Your company has an organizational unit named Production. The Production organizational unit
has a child organizational unit named R&D. You create a GPO named Software Deployment and
link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit. You need to deploy an application to
users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational
unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two.)
A. Configure the Block Inheritance setting on the R&D organizational unit.
B. Configure the Enforce setting on the software deployment GPO.
C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the
R&D security group.
D. Configure the Block Inheritance setting on the Production organizational unit.
Answer: A,C
Explanation:
QUESTION NO: 27
Your company has a branch office that is configured as a separate Active Directory site and has
www.certify-me.co.uk 16
Microsoft 70-640 Exam
an Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application.
You need to configure the domain controller as a Global Catalog server.
Which tool should you use?
A. The Server Manager console
B. The Active Directory Sites and Services console
C. The Dcpromo.exe utility
D. The Computer Management console
E. The Active Directory Domains and Trusts console
Answer: B
Explanation:
QUESTION NO: 28
Your company has a main office and three branch offices. The company has an Active Directory
forest that has a single domain. Each office has one domain controller. Each office is configured
as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You
need to decrease the replication latency between the domain controllers. What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Answer: B
Explanation:
QUESTION NO: 29
Your company has two Active Directory forests named contoso.com and fabrikam.com. Both
forests run only domain controllers that run Windows Server 2008. The domain functional level of
contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows
Server 2003 Native mode. You configure an external trust between contoso.com and
fabrikam.com. You need to enable the Kerberos AES encryption option. What should you do?
A. Raise the forest functional level of fabrikam.com to Windows Server 2008.
B. Raise the domain functional level of fabrikam.com to Windows Server 2008.
www.certify-me.co.uk 17
Microsoft 70-640 Exam
C. Raise the forest functional level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentication.
Answer: B
Explanation:
QUESTION NO: 30
All consultants belong to a global group named TempWorkers.
You place three file servers in a new organizational unit named SecureServers. The three file
servers contain confidential data located in shared folders.
You need to record any failed attempts made by the consultants to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Create and link a new GPO to the SecureServers organizational unit. Configure the Deny
access to this computer from the network user rights setting for the TempWorkers global group.
B. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit
privilege use Failure audit policy setting.
C. Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object
access Failure audit policy setting.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
E. On each shared folder on the three file servers, add the TempWorkers global group to the
Auditing tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
Answer: C,E
Explanation:
QUESTION NO: 31
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2.
Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root
CA.
www.certify-me.co.uk 18
Microsoft 70-640 Exam
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose
two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Answer: A,B
Explanation:
QUESTION NO: 32
Your company has an Active Directory forest. The forest includes organizational units
corresponding to the following four locations:
London
Chicago
New York
Madrid
Each location has a child organizational unit named Sales. The Sales organizational unit contains
all the users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections. The office in
Madrid is connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.
Link the GPO to each Sales organizational unit.
B. Disable the slow link detection setting in the Group Policy Object (GPO).
C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy
Object (GPO).
D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the
computers. Link the GPO to each Sales organizational unit.
www.certify-me.co.uk 19
Microsoft 70-640 Exam
Answer: B,D
Explanation:
QUESTION NO: 33
Your company has a domain controller server that runs the Windows Server 2008 R2 operating
system. The server is a backup server. The server has a single 500-GB hard disk that has three
partitions for the operating system, applications, and data. You perform daily backups of the
server.
The hard disk fails. You replace the hard disk with a new hard disk of the same capacity. You
restart the computer on the installation media. You select the Repair your computer option.
You need to restore the operating system and all files.
What should you do?
A. Select the System Image Recovery option.
B. Run the Imagex utility at the command prompt.
C. Run the Wbadmin utility at the command prompt.
D. Run the Rollback utility at the command prompt.
Answer: C
Explanation:
QUESTION NO: 34
You need to remove the Active Directory Domain Services role from a domain controller named
DC1.
What should you do?
A. Run the netdom remove DC1 command.
B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.
C. Run the nltest /remove_server: DC1 command.
D. Reset the Domain Controller computer account by using the Active Directory Users and
Computers utility.
Answer: B
Explanation:
www.certify-me.co.uk 20
Microsoft 70-640 Exam
QUESTION NO: 35
Your company has an Active Directory forest. The company has branch offices in three locations.
Each location has an organizational unit. You need to ensure that the branch office administrators
are able to create and apply GPOs only to their respective organizational units. Which two actions
should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch
organizational units to the branch office administrators.
B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners
Group.
C. Modify the Managed By tab in each organizational unit to add the branch office administrators
to their respective organizational units.
D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the
branch office administrators.
Answer: A,B
Explanation:
QUESTION NO: 36
Your company has an Active Directory domain.
A user attempts to log on to the domain from a client computer and receives the following
message: "This user account has expired. Ask your administrator to reactivate the account."
You need to ensure that the user is able to log on to the domain. What should you do?
A. Modify the properties of the user account to set the account to never expire.
B. Modify the properties of the user account to extend the Logon Hours setting.
C. Modify the default domain policy to decrease the account lockout duration.
D. Modify the properties of the user account to set the password to never expire.
Answer: A
Explanation:
QUESTION NO: 37
You have an existing Active Directory site named Site1. You create a new Active Directory site
and name it Site2.
You need to configure Active Directory replication between Site1 and Site2. You install a new
www.certify-me.co.uk 21
Microsoft 70-640 Exam
domain controller.
You create the site link between Site1 and Site2.
What should you do next?
A. Use the Active Directory Sites and Services console to assign a new IP subnet to Site2. Move
the new domain controller object to Site2.
B. Use the Active Directory Sites and Services console to configure a new site link bridge object.
C. Use the Active Directory Sites and Services console to decrease the site link cost between
Site1 and Site2.
D. Use the Active Directory Sites and Services console to configure the new domain controller as
a preferred bridgehead server for Site1.
Answer: A
Explanation:
QUESTION NO: 38
Your company has an Active Directory forest. Each branch office has an organizational unit and a
child organizational unit named Sales. The Sales organizational unit contains all users and
computers of the sales department. You need to install an Office 2007 application only on the
computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What
should you do next?
A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO
to the Sales organizational unit in each location.
B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO
to the domain.
C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to
the Sales organizational unit in each location.
D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to
the Sales organizational unit in each location.
Answer: A
Explanation:
QUESTION NO: 39
Your network consists of an Active Directory forest that contains one domain. All domain
controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active
Directory- integrated zone.
www.certify-me.co.uk 22
Microsoft 70-640 Exam
You have two Active Directory sites. Each site contains five domain controllers.
You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record.
What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Answer: C
Explanation:
QUESTION NO: 40
Your company has a single Active Directory domain named intranet.contoso.com. All domain
controllers run Windows Server 2008 R2. The domain functional level is Windows 2000 native and
the forest functional level is Windows 2000.
You need to ensure the UPN suffix for contoso.com is available for user accounts.
What should you do first?
A. Raise the intranet.contoso.com forest functional level to Windows Server 2003 or higher.
B. Raise the intranet.contoso.com domain functional level to Windows Server 2003 or higher.
C. Add the new UPN suffix to the forest.
D. Change the Primary DNS Suffix option in the Default Domain Controllers Group Policy Object
(GPO) to contoso.com.
Answer: C
Explanation:
QUESTION NO: 41
You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and
port 80 from being opened on domain controllers and on the issuing CA.
www.certify-me.co.uk 23
Microsoft 70-640 Exam
You need to allow users to request certificates from a Web interface. You install the Active
Directory Certificate Services (AD CS) server role.
What should you do next?
A. Configure the Online Responder Role Service on a member server.
B. Configure the Online Responder Role Service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.
Answer: C
Explanation:
QUESTION NO: 42
You need to relocate the existing user and computer objects in your company to different
organizational units. What are two possible ways to achieve this goal? (Each correct answer
presents a complete solution. Choose two.)
A. Run the move-item command in the Microsoft Windows PowerShell utility.
B. Run the Active Directory Users and Computers utility.
C. Run the Dsmod utility.
D. Run the Active Directory Migration Tool (ADMT).
Answer: B,C
Explanation:
QUESTION NO: 43
Your network consists of an Active Directory forest named contoso.com. All servers run Windows
Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS
zone is stored in the ForestDnsZones Active Directory application partition.
You have a member server that contains a standard primary DNS zone for dev.contoso.com.
You need to ensure that all domain controllers can resolve names for dev.contoso.com.
What should you do?
A. Modify the properties of the SOA record in the contoso.com zone.
B. Create a NS record in the contoso.com zone.
www.certify-me.co.uk 24
Microsoft 70-640 Exam
C. Create a delegation in the contoso.com zone.
D. Create a standard secondary zone on a Global Catalog server.
Answer: C
Explanation:
QUESTION NO: 44
Your company has a single Active Directory domain. All domain controllers run Windows Server
2003.
You install Windows Server 2008 R2 on a server.
You need to add the new server as a domain controller in your domain.
What should you do first?
A. On a domain controller run adprep /rodcprep.
B. On the new server, run dcpromo /adv.
C. On the new server, run dcpromo /createdcaccount.
D. On a domain controller, run adprep /forestprep.
Answer: D
Explanation:
QUESTION NO: 45
Your company has a main office and three branch offices. Each office is configured as a separate
Active Directory site that has its own domain controller. You disable an account that has
administrative rights. You need to immediately replicate the disabled account information to all
sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers as global
catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects
and force replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Answer: B,C
Explanation:
www.certify-me.co.uk 25
Microsoft 70-640 Exam
QUESTION NO: 46
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2. You need to capture all replication errors from all domain controllers to a central
location. What should you do?
A. Start the Active Directory Diagnostics data collector set.
B. Start the System Performance data collector set.
C. Install Network Monitor and create a new a new capture.
D. Configure event log subscriptions.
Answer: D
Explanation:
QUESTION NO: 47
Your company has an Active Directory forest that contains client computers that run Windows
Vista and Microsoft Windows XP. You need to ensure that users are able to install approved
application updates on their computers. Which two actions should you perform? (Each correct
answer presents part of the solution. Choose two.)
A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to
automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the
Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new
updates on the Internet. Approve all required updates.
Answer: C,D
Explanation:
QUESTION NO: 48
Your company has an Active Directory domain that has an organizational unit named Sales. The
Sales organizational unit contains two global security groups named sales managers and sales
executives. You need to apply desktop restrictions to the sales executives group. You must not
apply these desktop restrictions to the sales managers group. You create a GPO named
DesktopLockdown and link it to the Sales organizational unit. What should you do next?
A. Configure the Deny Apply Group Policy permission for Authenticated Users on the
DesktopLockdown GPO.
www.certify-me.co.uk 26
Microsoft 70-640 Exam
B. Configure the Deny Apply Group Policy permission for the sales executives on the
DesktopLockdown GPO.
C. Configure the Allow Apply Group Policy permission for Authenticated Users on the
DesktopLockdown GPO.
D. Configure the Deny Apply Group Policy permission for the sales managers on the
DesktopLockdown GPO.
Answer: D
Explanation:
QUESTION NO: 49
Your company network has an Active Directory forest that has one parent domain and one child
domain. The child domain has two domain controllers that run Windows Server 2008. All user
accounts from the child domain are migrated to the parent domain. The child domain is scheduled
to be decommissioned. You need to remove the child domain from the Active Directory forest.
What are two possible ways to achieve this goal? (Each correct answer presents a complete
solution. Choose two.)
A. Run the Computer Management console to stop the Domain Controller service on both domain
controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust
relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active
Directory domain services role.
D. Run the Dcpromo tool that has individual answer files on each domain controller in the child
domain.
Answer: C,D
Explanation:
QUESTION NO: 50
Your network consists of a single Active Directory domain. The domain contains 10 domain
controllers. The domain controllers run Windows Server 2008 R2 and are configured as DNS
servers.
You plan to create a new Active Directory-integrated zone.
You need to ensure that the new zone is only replicated to four of your domain controllers.
What should you do first?
www.certify-me.co.uk 27
Microsoft 70-640 Exam
A. From the command prompt, run dnscmd and specify the /createdirectorypartition parameter.
B. Create a new delegation in the ForestDnsZones application directory partition.
C. From the command prompt, run dnscmd and specify the /enlistdirectorypartition parameter.
D. Create a new delegation in the DomainDnsZones application directory partition.
Answer: A
Explanation:
QUESTION NO: 51
You have a domain controller named DC1 that runs Windows Server 2008 R2. DC1 is configured
as a DNS Server for contoso.com.
You install the DNS Server role on a member server named Server1 and then you create a
standard secondary zone for contoso.com.
You configure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
A. On DC1, modify the permissions of contoso.com zone.
B. On Server1, add a conditional forwarder.
C. On DC1, modify the zone transfer settings for the contoso.com zone.
D. Add the Server1 computer account to the DNSUpdateProxy group.
Answer: C
Explanation:
QUESTION NO: 52
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your
company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose
two.)
www.certify-me.co.uk 28
Microsoft 70-640 Exam
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage
Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing
certificates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates
and allow only administrators to apply the policy.
D. Publish the code signing template.
Answer: B,D
Explanation:
QUESTION NO: 53
Your company has an Active Directory forest. You plan to install an Enterprise certification
authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find
that the Enterprise CA option is not available.
You need to install the AD CS (Certificate Services) server role as an Enterprise CA.
What should you do first?
A. Add the DNS Server role.
B. Add the Active Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Answer: D
Explanation:
QUESTION NO: 54
Your company has an Active Directory domain named contoso.com. The company network has
two DNS servers named DNS1 and DNS2.
The DNS servers are configured as shown in the following table.
www.certify-me.co.uk 29
Microsoft 70-640 Exam
Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to
connect to Internet Web sites.
You need to enable Internet name resolution for all client computers.
What should you do?
A. Update the list of root hints servers on DNS2.
B. Create a copy of the .(root) zone on DNS1.
C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.
Answer: C
Explanation:
QUESTION NO: 55
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2003. You upgrade all domain controllers to Windows Server 2008. You need to configure
the Active Directory environment to support the application of multiple password policies. What
should you do?
A. Raise the functional level of the domain to Windows Server 2008.
B. On one domain controller, run dcpromo /adv.
C. Create multiple Active Directory sites.
D. On all domain controllers, run dcpromo /adv.
Answer: A
Explanation:
QUESTION NO: 56
Your company has two Active Directory forests named contoso.com and fabrikam.com.
www.certify-me.co.uk 30
Microsoft 70-640 Exam
The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers
are configured as shown in the following table.
All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred
DNS server. All other computers use DNS1 as the preferred DNS server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the
contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to
DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.
Answer: D
Explanation:
QUESTION NO: 57
Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active
Directory forest that has three domains. You need to reduce the time required to authenticate
users from the labs.eu.contoso.com domain when they access resources in the
eng.na.contoso.com domain. What should you do?
A. Decrease the replication interval for all Connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Answer: C
Explanation:
www.certify-me.co.uk 31
Microsoft 70-640 Exam
QUESTION NO: 58
Your company purchases a new application to deploy on 200 computers. The application requires
that you modify the registry on each target computer before you install the application. The registry
modifications are in a file that has an .adm extension. You need to prepare the target computers
for the application. What should you do?
A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an
organizational unit that contains the target computers.
B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
REDIRUsr CONTAINER-DN command on each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each
target computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
REDIRCmp CONTAINER-DN command on each target computer.
Answer: A
Explanation:
QUESTION NO: 59
Your company has an Active Directory forest that contains eight linked Group Policy Objects
(GPOs). One of these GPOs publishes applications to user objects. A user reports that the
application is not available for installation. You need to identify whether the GPO has been
applied. What should you do?
A. Run the Group Policy Results utility for the user.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
D. Run the Group Policy Results utility for the computer.
Answer: A
Explanation:
QUESTION NO: 60
Your company has an Active Directory domain.
You plan to install the Active Directory Certificate Services (AD CS) server role on a member
server that runs Windows Server 2008 R2.
You need to ensure that members of the Account Operators group are able to issue smartcard
credentials.
www.certify-me.co.uk 32
Microsoft 70-640 Exam
They should not be able to revoke certificates. Which three actions should you perform? (Each
correct answer presents part of the solution. Choose three.)
A. Install the AD CS server role and configure it as an Enterprise Root CA .
B. Install the AD CS server role and configure it as a Standalone CA .
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
E. Create a Smartcard logon certificate.
F. Create an Enrollment Agent certificate.
Answer: A,C,E
Explanation:
QUESTION NO: 61
You create 200 new user accounts. The users are located in six different sites. New users report
that they receive the following error message when they try to log on: "The username or password
is incorrect."
You confirm that the user accounts exist and are enabled. You also confirm that the user name
and password information supplied are correct.
You need to identify the cause of the failure. You also need to ensure that the new users are able
to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Answer: B
Explanation:
QUESTION NO: 62
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008
R2 and are configured as DNS servers. You have an Active Directory-integrated zone for
contoso.com. You have a Unix-based DNS server. You need to configure your Windows Server
2008 R2 environment to allow zone transfers of the contoso.com zone to the Unix-based DNS
server. What should you do in the DNS Manager console?
www.certify-me.co.uk 33
Microsoft 70-640 Exam
A. Enable BIND secondaries
B. Create a stub zone
C. Disable recursion
D. Create a secondary zone
Answer: A
Explanation:
QUESTION NO: 63
Your company has an Active Directory domain. You log on to the domain controller. The Active
Directory Schema snap-in is not available in the Microsoft Management Console (MMC). You
need to access the Active Directory Schema snap-in. What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller
by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators
group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open
the schema for writing.
D. Register Schmmgmt.dll.
Answer: D
Explanation:
QUESTION NO: 64
Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate
Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose
two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the
%SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog
directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory
Certificate Services (AD CS) server.
www.certify-me.co.uk 34
Microsoft 70-640 Exam
Answer: A,D
Explanation:
QUESTION NO: 65
Your company has a single-domain Active Directory forest. The functional level of the domain is
Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Answer: B
Explanation:
QUESTION NO: 66
Your company hires 10 new employees. You want the new employees to connect to the main
office through a VPN connection. You create new user accounts and grant the new employees
they Allow Read and Allow Execute permissions to shared resources in the main office. The new
employees are unable to access shared resources in the main office. You need to ensure that
users are able to establish a VPN connection to the main office. What should you do?
A. Grant the new employees the Allow Access Dial-in permission.
B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
www.certify-me.co.uk 35
Microsoft 70-640 Exam
Answer: A
Explanation:
QUESTION NO: 67
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the
largest amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory
Diagnostics report.
D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Answer: C
Explanation:
QUESTION NO: 68
Your company has an Active Directory forest that contains only Windows Server 2008 domain
controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain
controllers.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose
two.)
A. Run the adprep /domainprep command.
B. Raise the forest functional level to Windows Server 2008.
C. Raise the domain functional level to Windows Server 2008.
D. Run the adprep /forestprep command.
Answer: A,D
Explanation:
www.certify-me.co.uk 36
Microsoft 70-640 Exam
QUESTION NO: 69
You need to identify all failed logon attempts on the domain controllers. What should you do?
A. View the Netlogon.log file.
B. View the Security tab on the domain controller computer object.
C. Run Event Viewer.
D. Run the Security and Configuration Wizard.
Answer: C
Explanation:
QUESTION NO: 70
Your company has a DNS server that has 10 Active DirectoryCintegrated zones. You need to
provide copies of the zone files of the DNS server to the security department. What should you
do?
A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.
Answer: C
Explanation:
QUESTION NO: 71
Your company has an Active Directory forest. The company has three locations. Each location has
an organizational unit and a child organizational unit named Sales. The Sales organizational unit
contains all users and computers of the sales department. The company plans to deploy a
Microsoft Office 2007 application on all computers within the three Sales organizational units. You
need to ensure that the Office 2007 application is installed only on the computers in the Sales
organizational units. What should you do?
A. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the
application to the computer account. Link the SalesAPP GPO to the domain.
B. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the
application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each
location.
C. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to assign the
application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in
each location.
www.certify-me.co.uk 37
Microsoft 70-640 Exam
D. Create a Group Policy Object (GPO) named SalesAPP GPO. Configure the GPO to publish the
application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each
location.
Answer: C
Explanation:
QUESTION NO: 72
Your company has a main office and 10 branch offices. Each branch office has an Active Directory
site that contains one domain controller.
Only domain controllers in the main office are configured as Global Catalog servers.
You need to deactivate the Universal Group Membership Caching option on the domain
controllers in the branch offices.
At which level should you deactivate the Universal Group Membership Caching option?
A. Server
B. Connection object
C. Domain
D. Site
Answer: D
Explanation:
QUESTION NO: 73
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2003. You upgrade all domain controllers to Windows Server 2008 R2.
You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).
What should you do?
A. From the command prompt, run dfsutil /addroot:sysvol.
B. From the command prompt, run netdom /reset.
C. From the command prompt, run dcpromo /unattend:unattendfile.xml.
D. Raise the functional level of the domain to Windows Server 2008 R2.
Answer: D
Explanation:
www.certify-me.co.uk 38
Microsoft 70-640 Exam
QUESTION NO: 74
Your company has a main office and a branch office that are configured as a single Active
Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There
are four Windows Server 2003 domain controllers in the main office. You need to ensure that you
are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions
should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep/rodcprep command.
Answer: B,D
Explanation:
QUESTION NO: 75
Your company has an Active Directory forest that contains Windows Server 2008 R2 domain
controllers and DNS servers. All client computers run Windows XP SP3.
You need to use your client computers to edit domain-based GPOs by using the ADMX files that
are stored in the ADMX central store.
What should you do?
A. Add your account to the Domain Admins group.
B. Upgrade your client computers to Windows 7.
C. Install .NET Framework 3.0 on your client computers.
D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX
files to the PolicyDefinitions folder.
Answer: B
Explanation:
QUESTION NO: 76 DRAG DROP
A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active
Directory Lightweight Directory Services (AD LDS) role installed.
www.certify-me.co.uk 39
Microsoft 70-640 Exam
An AD LDS instance named LDS1 stores its data on the C: drive.
You need to relocate the LDS1 instance to the D: drive.
Which three actions should you perform in sequence? (To answer, move the three appropriate
actions from the list of actions to the answer area and arrange them in the correct order.)
Answer:
Explanation:
QUESTION NO: 77 DRAG DROP
www.certify-me.co.uk 40
Microsoft 70-640 Exam
You need to perform an offline defragmentation of an Active Directory database.
Which four actions should you perform in sequence? (To answer, move the appropriate four
actions from the list of actions to the answer area and arrange them in the correct order.)
Answer:
Explanation:
QUESTION NO: 78 DRAG DROP
Your company has an Active Directory forest that contains multiple domain controllers. The
domain controllers run Windows Server 2008.
You need to perform an authoritative restore of a deleted organizational unit and its child objects.
Which four actions should you perform in sequence? (To answer, move the appropriate four
actions from the list of actions to the answer area, and arrange them in the correct order.)
www.certify-me.co.uk 41
Microsoft 70-640 Exam
Answer:
Explanation:
QUESTION NO: 79
Your company has a domain controller that runs Windows Server 2008. The domain controller has
the backup features installed. You need to perform a non-authoritative restore of the domain
controller using an existing backup file. What should you do?
A. Boot into Directory Services Restore Mode and use wbadmin to restore critical volume
B. Boot into Directory Services Restore Mode and use the backup snap-in to restore critical
volume
www.certify-me.co.uk 42
Microsoft 70-640 Exam
C. Boot into Safe Mode and use wbadmin to restore critical volume
D. Boot into Safe Mode and use the backup snap-in to restore critical volume
Answer: A
Explanation:
QUESTION NO: 80
Your company has an Active Directory domain. All servers run Windows Server. You deploy a
Certification Authority (CA) server. You create a new global security group named CertIssuers.
You need to ensure that members of the CertIssuers group can issue, approve, and revoke
certificates.
What should you do?
A. Assign the Certificate Manager role to the CertIssuers group
B. Place CertIssuers group in the Certificate Publisher group
C. Run the certsrv -add CertIssuers command promt of the certificate server
D. Run the add -member-membertype memberset CertIssuers command by using Microsoft
Windows Powershell
Answer: A
Explanation:
QUESTION NO: 81
Your company has an Active Directory domain. The company has purchased 100 new computers.
You want to deploy the computers as members of the domain. You need to create the computer
accounts in an OU. What should you do?
A. Run the csvde -f computers.csv command
B. Run the ldifde -f computers.ldf command
C. Run the dsadd computer <computerdn> command
D. Run the dsmod computer <computerdn> command
Answer: C
Explanation: DSAdd is the command line utility that is used to add computers to a domain.
DSMod is a commandline utility that is designed to modify an already existing object.
QUESTION NO: 82
www.certify-me.co.uk 43
Microsoft 70-640 Exam
Your network consists of a single Active Directory domain. You have a domain controller and a
member server that run Windows Server 2008 R2. Both servers are configured as DNS servers.
Client computers run either Windows XP Service Pack 3 or Windows 7. You have a standard
primary zone on the domain controller. The member server hosts a secondary copy of the zone.
You need to ensure that only authenticated users are allowed to update host (A) records in the
DNS zone.
What should you do first?
A. On the member server, add a conditional forwarder.
B. On the member server, install Active Directory Domain Services.
C. Add all computer accounts to the DNS UpdateProxy group.
D. Convert the standard primary zone to an Active Directory-integrated zone.
Answer: D
Explanation:
QUESTION NO: 83
Your company has two domain controllers that are configured as internal DNS servers. All zones
on the DNS servers are Active Directory-integrated zones. The zones allow all dynamic updates.
You discover that the contoso.com zone has multiple entries for the host names of computers that
do not exist.
You need to configure the contoso.com zone to automatically remove expired records.
What should you do?
A. Enable only secure updates on the contoso.com zone,
B. Enable scavenging and configure the refresh interval on the contoso.com zone.
C. From the Start of Authority tab, decrease the default refresh interval on the contoso.com zone.
D. From the Start of Authority tab, increase the default expiration interval on the contoso.com zone
Answer: B
Explanation:
QUESTION NO: 84
You have an Active Directory domain that runs Windows Server 2008 R2.
www.certify-me.co.uk 44
Microsoft 70-640 Exam
You need to implement a certification authority (CA) server that meets the following requirements:
- Allows the certification authority to automatically issue certificates
- Integrates with Active Directory Domain Services
What should you do?
A. Install and configure the Active Directory Certificate Services server role as a Standalone Root
CA.
B. Install and configure the Active Directory Certificate Services server role as an Enterprise Root
CA.
C. Purchase a certificate from a third-party certification authority, Install and configure the Active
Directory Certificate Services server role as a Standalone Subordinate CA.
D. Purchase a certificate from a third-party certification authority, Import the certificate into the
computer store of the schema master.
Answer: B
Explanation:
QUESTION NO: 85
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).
You need to grant members of the Account Operators group the ability to only manage Basic EFS
certificates.
You grant the Account Operators group the Issue and Manage Certificates permission on the CA.
Which three tasks should you perform next? (Each correct answer presents part of the solution.
Choose three.)
A. Enable the Restrict Enrollment Agents option on the CA.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators
group.
Answer: B,C,E
Explanation:
www.certify-me.co.uk 45
Microsoft 70-640 Exam
QUESTION NO: 86
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that
contains an offline root CA and an online issuing CA. The Enterprise certification authority is
running Windows Server 2008 R2.
You need to ensure users are able to enroll new certificates.
What should you do?
A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll
folder on the issuing CA.
B. Renew the Certificate Revocation List (CRL) on the issuing CA, Copy the CRL to the
SysternCertificates folder in the users' profile.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client
workstations.
D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client
workstations,
Answer: A
Explanation:
QUESTION NO: 87
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your
company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.
The Enterprise Intermediate CA certificate expires.
You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.
What should you do?
A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA
server,
B. Import the new certificate into the Intermediate Certification Store on the Enterprise
Intermediate CA server,
C. Import the new certificate into the Intermediate Certification Store in the Default Domain
Controllers group policy object,
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group
policy object.
www.certify-me.co.uk 46
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 88
Your company has recently acquired a new subsidiary company in Quebec. The Active Directory
administrators of the subsidiary company must use the French-language version of the
administrative templates.
You create a folder on the PDC emulator for the subsidiary domain in the path
%systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR .
You need to ensure that the French-language version of the templates is available.
What should you do?
A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft
Web site. Copy the ADM files to the FR folder.
B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to
the FR folder on the subsidiary PDC emulator.
C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2
to the FR folder on the subsidiary PDC emulator.
D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to
the FR folder on the subsidiary PDC emulator.
Answer: B
Explanation:
QUESTION NO: 89
A user in a branch office of your company attempts to join a computer to the domain, but the
attempt fails.
You need to enable the user to join a single computer to the domain.
You must ensure that the user is denied any additional rights beyond those required to complete
the task.
What should you do?
A. Prestage the computer account in the Active Directory domain.
www.certify-me.co.uk 47
Microsoft 70-640 Exam
B. Add the user to the Domain Administrators group for one day.
C. Add the user to the Server Operators group in the Active Directory domain,
D. Grant the user the right to log on locally by using a Group Policy Object (GPO).
Answer: A
Explanation:
QUESTION NO: 90
The default domain GPO in your company is configured by using the following account policy
settings:
- Minimum password length: 8 characters
- Maximum password age: 30 days
- Enforce password history: 12 passwords remembered
- Account lockout threshold: 3 invalid logon attempts
- Account lockout duration: 30 minutes
You install Microsoft SQL Server on a computer named Server1 that runs Windows Server 2008
R2. The SQL Server application uses a service account named SQLSrv. The SQLSrv account has
domain user rights.
The SQL Server computer fails after running successfully for several weeks. The SQLSrv user
account is not locked out.
You need to resolve the server failure and prevent recurrence of the failure. Which two actions
should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Reset the password of the SQLSrv user account.
B. Configure the local security policy on Serverl to grant the Logon as a service right on the
SQLSrv user account.
C. Configure the properties of the SQLSrv account to Password never expires.
D. Configure the properties of the SQLSrv account to User cannot change password.
E. Configure the local security policy on Serverl to explicitly grant the SQLSrv user account the
Allow logon locally user right.
Answer: A,C
Explanation:
QUESTION NO: 91
Your company has two Active Directory forests named Forestl and Forest2, The forest functional
www.certify-me.co.uk 48
Microsoft 70-640 Exam
level and the domain functional level of Forestl are set to Windows Server 2008.
The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in
Forest2 are set to Windows Server 2003.
You need to set up a transitive forest trust between Forestl and Forest2,
What should you do first?
A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode,
B. Raise the forest functional level of Forest2 to Windows Server 2003.
C. Upgrade the domain controllers in Forest2 to Windows Server 2008.
D. Upgrade the domain controllers in Forest2 to Windows Server 2003,
Answer: B
Explanation:
QUESTION NO: 92
Your company has an Active Directory forest that contains two domains.
The forest has universal groups that contain members from each domain. A branch office has a
domain controller named DC1.
Users at the branch office report that the logon process takes too long.
You need to decrease the amount of time it takes for the branch office users to logon.
What should you do?
A. Configure DC1 as a Global Catalog server.
B. Configure DC1 as a bridgehead server for the branch office site.
C. Decrease the replication interval on the site link that connects the branch office to the corporate
network.
D. Increase the replication interval on the site link that connects the branch office to the corporate
network.
Answer: A
Explanation:
QUESTION NO: 93
Your company has an Active Directory domain. The main office has a DNS server named DNS1
www.certify-me.co.uk 49
Microsoft 70-640 Exam
that is configured with Active Directory-integrated DNS. The branch office has a DNS server
named DNS2 that contains a secondary copy of the zone from DNS1. The two offices are
connected with an unreliable WAN link.
You add a new server to the main office. Five minutes after adding the server, a user from the
branch office reports that he is unable to connect to the new server. You need to ensure that the
user is able to connect to the new server.
What should you do?
A. Clear the cache on DNS2.
B. Reload the zone on DNS1.
C. Refresh the zone on DNS2.
D. Export the zone from DNS1 and import the zone to DNS2,
Answer: C
Explanation:
QUESTION NO: 94
You need to validate whether Active Directory successfully replicated between two domain
controllers.
What should you do?
A. Run the DSget command.
B. Run the Dsquery command.
C. Run the RepAdmin command.
D. Run the Windows System Resource Manager.
Answer: C
Explanation:
QUESTION NO: 95
You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup
feature is installed on the domain controller.
You need to perform a non-authoritative restore of the domain controller by using an existing
backup file.
www.certify-me.co.uk 50
Microsoft 70-640 Exam
What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN
command to perform a critical volume restore.
B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server
Backup snap-in to perform a critical volume restore.
C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to
perform a critical volume restore.
D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical
volume restore.
Answer: A
Explanation:
QUESTION NO: 96
Your company has an Active Directory forest. Not all domain controllers in the forest are
configured as Global Catalog Servers. Your domain structure contains one root domain and one
child domain. You modify the folder permissions on a file server that is in the child domain. You
discover that some Access Control entries start with S-1-5-21 and that no account name is listed.
You need to list the account names. What should you do?
A. Move the RID master role in the child domain to a domain controller that holds the Global
Catalog.
B. Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.
C. Move the RID master role in the child domain to a domain controller that does not hold the
Global Catalog.
D. Move the infrastructure master role in the child domain to a domain controller that does not hold
the Global Catalog.
Answer: D
Explanation:
QUESTION NO: 97
Your company security policy requires complex passwords.
You have a comma delimited file named import.csv that contains user account information.
You need to create user account in the domain by using the import.csv file.
You also need to ensure that the new user accounts are set to use default passwords and are
www.certify-me.co.uk 51
Microsoft 70-640 Exam
disabled.
What shoulld you do?
A. Modify the userAccountControl attribute to disabled. Run the csvde -i -k -f import.csv command.
Run the DSMOD utility to set default passwords for the user accounts.
B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv
command. Run the DSMOD utility to set default passwords for the user accounts.
C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run
the DSADD utility to set default passwords for the imported user accounts.
D. Modify the userAccountControl attribute to disabled. Run the ldifde -i -f import.csv command.
Run the DSADD utility to set passwords for the imported user accounts.
Answer: A
Explanation:
QUESTION NO: 98
You are installing an application on a computer that runs Windows Server 2008 R2. During
installation, the application will need to install new attributes and classes to the Active Directory
database. You need to ensure that you can install the application. What should you do?
A. Change the functional level of the forest to Windows Server 2008 R2.
B. Log on by using an account that has Server Operator rights.
C. Log on by using an account that has Schema Administrator rights and the appropriate rights to
install the application.
D. Log on by using an account that has the Enterprise Administrator rights and the appropriate
rights to install the application.
Answer: C
Explanation:
QUESTION NO: 99
Your company has an Active Directory forest. The company has servers that run Windows Server
2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative
templates that have been approved to support regulatory compliance requirements. Your partner
company has an Active Directory forest that contains a single domain. The company has servers
that run Windows Server 2008 R2 and client computers that run Windows 7. You need to
configure your partner company's domain to use the approved set of administrative templates.
What should you do?
www.certify-me.co.uk 52
Microsoft 70-640 Exam
A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In
each site, import the GPO to the default domain policy.
B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the
partner company's PDC emulator
C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the
partner company's PDC emulator
D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft
Updates Web site. Copy the ADM files to the PolicyDefinitions folder on thr partner company's
emulator.
Answer: B
Explanation:
QUESTION NO: 100
You need to ensure that users who enter three successive invalid passwords within 5 minutes are
locked out for 5 minutes.
Which three actions should you perform? (Each correct answer presents part of the solution.
Choose three.)
A. Set the Minimum password age setting to one day.
B. Set the Maximum password age setting to one day.
C. Set the Account lockout duration setting to 5 minutes.
D. Set the Reset account lockout counter after setting to 5 minutes.
E. Set the Account lockout threshold setting to 3 invalid logon attempts.
F. Set the Enforce password history setting to 3 passwords remembered.
Answer: C,D,E
Explanation:
QUESTION NO: 101
Your company has an Active Directory domain and an organizational unit. The organizational unit
is named Web. You configure and test new security settings for Internet Information Service (IIS)
Servers on a server named IISServerA. You need to deploy the new security settings only on the
IIS servers that are members of the Web organizational unit. What should you do?
A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit
/configure /db webou.inf from the comand prompt.
B. Export the settings on IISServerA to create a security template. Import the security template
into a GPO and link the GPO to the Web organizational unit.
C. Export the settings on IISServerA to create a security template. Run secedit /configure /db
www.certify-me.co.uk 53
Microsoft 70-640 Exam
webou.inf from the comand prompt.
D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.
Answer: B
Explanation:
QUESTION NO: 102
Your network consists of an Active Directory forest that contains two domains. All servers run
Windows Server 2008 R2. All domain controllers are configured as DNS Servers.
You have a standard primary zone for dev. contoso.com that is stored on a member server.
You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.
What should you do?
A. On the member server, create a stub zone.
B. On the member server, create a NS record for each domain controller.
C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to
replicate to all DNS servers in the forest.
D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to
replicate to all DNS servers in the domain.
Answer: C
Explanation:
QUESTION NO: 103
Your company has an Active Directory domain. You install a new domain controller in the domain.
Twenty users report that they are unable to log on to the domain. You need to register the SRV
records. Which command should you run on the new domain controller?
A. Run the netsh interface reset command.
B. Run the ipconfig /flushdns command.
C. Run the dnscmd /EnlistDirectoryPartition command.
D. Run the sc stop netlogon command followed by the sc start netlogon command.
Answer: D
Explanation:
www.certify-me.co.uk 54
Microsoft 70-640 Exam
QUESTION NO: 104
You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role
installed.
You need to minimize the amount of time it takes for client computers to download a certificate
revocation list (CRL).
What should you do?
A. Install and configure an Online Responder.
B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client
workstations.
C. Install and configure an additional domain controller.
D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client
workstations.
Answer: A
Explanation:
QUESTION NO: 105
You want users to log on to Active Directory by using a new Principal Name (UPN).
You need to modify the UPN suffix for all user accounts.
Which tool should you use?
A. Dsmod
B. Netdom
C. Redirusr
D. Active Directory Domains and Trusts
Answer: A
Explanation:
QUESTION NO: 106
Your network consists of a single Active Directory domain. All domain controllers run Windows
Server 2008 R2. Auditing is configured to log changes made to the Managed By attribute on group
objects in an organizational unit named OU1.
www.certify-me.co.uk 55
Microsoft 70-640 Exam
You need to log changes made to the Description attribute on all group objects in OU1 only.
What should you do?
A. Run auditpol.exe.
B. Modify the auditing entry for OU1.
C. Modify the auditing entry for the domain.
D. Create a new Group Policy Object (GPO). Enable Audit account management policy setting.
Link the GPO to OU1.
Answer: B
Explanation:
QUESTION NO: 107
Your company uses shared folders. Users are granted access to the shared folders by using
domain local groups. One of the shared folders contains confidential data. You need to ensure that
unauthorized users are not able to access the shared folder that contains confidential data. What
should you do?
A. Enable the Do not trust this computer for delegation property on all the computers of
unauthorized users by using the Dsmod utility.
B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full
control permission on the shared folders that hold the confidential data for the Guest account.
C. Create a Global Group named Deny DLG. Place the global group that contains the
unauthorized users in to the Deny DLG group. Configure the Allow Full control permission on the
shared folder that hold the confidential data for the Deny DLG group.
D. Create a Domain Local Group named Deny DLG. Place the global group that contains the
unauthorized users in to the Deny DLG group. Configure the Deny Full control permission on the
shared folder that hold the confidential data for the Deny DLG group.
Answer: D
Explanation:
QUESTION NO: 108
Your company has an Active Directory domain.
You install an Enterprise Root certification authority (CA) on a member server named Server1.
You need to ensure that only the Security Manager is authorized to revoke certificates that are
supplied by Server1.
www.certify-me.co.uk 56
Microsoft 70-640 Exam
What should you do?
A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificates permission from the Authenticated Users group.
C. Assign the Allow - Manage CA permission to only the Security Manager User account.
D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager User
account.
Answer: D
Explanation:
QUESTION NO: 109
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What is the minimal forest functional level that you should use?
A. Windows Server 2008 R2
B. Windows Server 2008
C. Windows Server 2003
D. Windows 2000
Answer: C
Explanation:
QUESTION NO: 110
Your company has three Active Directory domains in a single forest. You install a new Active
Directory enabled application. The application ads new user attributes to the Active Directory
schema. You discover that the Active Directory replication traffic to the Global Catalogs has
increased. You need to prevent the new attributes from being replicated to the Global Catalog.
You must achieve this goal without affecting application functionality. What should you do?
A. Change the replication interval for the DEFAULTIPSITELINK object to 9990.
B. Change the cost for the DEFAULTIPSITELINK object to 9990.
C. Make the new attributes in the Active Directory as defunct.
D. Modify the properties in the Active Directory schema for the new attributes.
Answer: D
Explanation:
www.certify-me.co.uk 57
Microsoft 70-640 Exam
QUESTION NO: 111
You are decommissioning one of the domain controllers in a child domain. You need to transfer all
domain operations master roles within the child domain to a newly installed domain controller in
the same child domain.
Which three domain operations master roles should you transfer? (Each correct answer presents
part of the solution. Choose three.)
A. RID master
B. PDC emulator
C. Schema master
D. Infrastructure master
E. Domain naming master
Answer: A,B,D
Explanation:
QUESTION NO: 112
There are 100 server and 2000 computers present at your company's headquarters.
The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure
the high availability of the service.
The nodes are named as CKMFON1 and CKMFON2.
The cluster on CKMFO has one physical shared disk of 400 GB capacity.
A 200GB single volume is configured on the shared disk.
Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1.
The DHCP and WINS services will be hosted on other nodes.
Using High Availability Wizard, you begin creating the WINS service group on cluster available on
CKMFON1 node.
The wizard shows an error "no disks are available" during configuration.
Which action should you perform to configure storage volumes on CKMFON1 to successfully add
the WINS Service group to CKMFON1?
A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition
table and create two volumes. Restore the backed up data on one of the volumes and use the
www.certify-me.co.uk 58
Microsoft 70-640 Exam
other for WINS service group
B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it.
Use this volume to fix the error in the wizard.
C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these
disk and direct CKMOFONI to use CKMFON2 volume for the WINS service group
D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use
this volume to fix the error in the wizard
E. None of the above
Answer: B
Explanation:
QUESTION NO: 113
Exhibit:
Company servers run Windows Server 2008. It has a single Active Directory domain. A server
called S4 has file services role installed. You install some disk for additional storage. The disks are
configured as shown in the exhibit.
To support data stripping with parity, you have to create a new drive volume.
What should you do to achieve this objective?
A. Build a new spanned volume by combining Disk0 and Disk1
B. Create a new Raid-5 volume by adding another disk.
C. Create a new virtual volume by combining Disk 1 and Disk 2
D. Build a new striped volume by combining Disk0 and Disk 2
Answer: B
www.certify-me.co.uk 59
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 114
Your company asks you to implement Windows Cardspace in the domain. You want to use
Windows Cardspace at your home. Your home and office computers run Windows Vista Ultimate.
What should you do to create a backup copy of Windows Cardspace cards to be used at home?
A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB
drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB
drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace application to backup the data on your USB drive.
E. Reformat the C: Drive
F. None of the above
Answer: D
Explanation:
QUESTION NO: 115
Company has servers on the main network that run Windows Server 2008. It also has two domain
controllers. Active Directory services are running on a domain controller named CKDC1. You have
to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.
What should you do to perform offline critical updates on CKDC1 without rebooting the server?
A. Start the Active Directory Domain Services on CKDC1
B. Disconnect from the network and start the Windows update feature
C. Stop the Active Directory domain services and install the updates. Start the Active Directory
domain services after installing the updates.
D. Stop Active Directory domain services and install updates. Disconnect from the network and
then connect again
E. None of the above
Answer: C
Explanation:
www.certify-me.co.uk 60
Microsoft 70-640 Exam
QUESTION NO: 116
One of the remote branch offices of Company branch is running a Windows Server 2008 having
ready only domain controller (RODC) installed. For security reasons you don't want some critical
credentials like (passwords, encryption keys) to be stored on RODC.
What should you do so that these credentials are not replicated to any RODC's in the forest?
(Select 2)
A. Configure RODC filtered attribute set on the server
B. Configure RODC filtered set on the server that holds Schema Operations Master role.
C. Delegate local administrative permissions for an RODC to any domain user without granting
that user any user rights for the domain
D. Configure forest functional level server for Windows server 2008 to configure filtered attribute
set.
E. None of the above
Answer: B,D
Explanation:
QUESTION NO: 117
Company has a server with Active Directory Rights Management Services (AD RMS) server
installed. Users have computers with Windows Vista installed on them with an Active Directory
domain installed at Windows Server 2003 functional level. As an administrator at Company, you
discover that the users are unable to benefit from AD RMS to protect their documents. You need
to configure AD RMS to enable users to use it and protect their documents.
What should you do to achieve this functionality?
A. Configure an email account in Active Directory Domain Services (AD DS) for each user.
B. Add and configure ADRMSADMIN account in local administrators group on the user computers
C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group
D. Reinstall the Active Directory domain on user computers
E. All of the above
Answer: A
Explanation:
QUESTION NO: 118
Company has an active directory forest on a single domain.
www.certify-me.co.uk 61
Microsoft 70-640 Exam
Company needs a distributed application that employs a custom application. The application is
directory partition software named PARDAT. You need to implement this application for data
replication.
Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part
of a complete solution)
A. Dnscmd.
B. Ntdsutil.
C. Ipconfig
D. Dnsutil
E. All of the above
Answer: A,B
Explanation:
QUESTION NO: 119
Company has an Active Directory forest with six domains. The company has 5 sites.
The company requires a new distributed application that uses a custom application directory
partition named ResData for data replication. The application is installed on one member server in
five sites.
You need to configure the five member servers to receive the ResData application directory
partition for data replication. What should you do?
A. Run the Dcpromo utility on the five member servers.
B. Run the Regsvr32 command on the five member servers
C. Run the Webadmin command on the five member servers
D. Run the RacAgent utility on the five member servers
Answer: A
Explanation:
QUESTION NO: 120
As an administrator at Company, you have installed an Active Directory forest that has a single
domain. You have installed an Active Directory Federation services (AD FS) on the domain
member server. What should you do to configure AD FS to make sure that AD FS token contains
information from the active directory domain?
www.certify-me.co.uk 62
Microsoft 70-640 Exam
A. Add a new account store and configure it.
B. Add a new resource partner and configure it
C. Add a new resource store and configure it
D. Add a new administrator account on AD FS and configure it
E. None of the above
Answer: A
Explanation:
QUESTION NO: 121
Company runs Window Server 2008 on all of its servers. It has a single Active Directory domain
and it uses Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to
examine revoked certificate information.
You need to make sure that the revoked certificate information is available at all times. What
should you do to achieve that?
A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer
certificates and link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS
(Internet Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder.
E. None of the above
Answer: D
Explanation:
QUESTION NO: 122
As the Company administrator you had installed a read-only domain controller (RODC) server at
remote location.
The remote location doesn't provide enough physical security for the server.
What should you do to allow administrative accounts to replicate authentication information to
Read-Only Domain Controllers?
A. Remove any administrative accounts from RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer
account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link
www.certify-me.co.uk 63
Microsoft 70-640 Exam
the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow
permissions for the administrators on the Security tab for the GPO.
E. None of the above
Answer: B
Explanation:
QUESTION NO: 123
ABC.com boosts a two-node Network Load Balancing cluster which is called web. CK1.com. The
purpose of this cluster is to provide load balancing and high availability of the intranet website
only.
With monitoring the cluster, you discover that the users can view the Network Load Balancing
cluster in their Network Neighborhood and they can use it to connect to various services by using
the name web. CK1.com.
You also discover that there is only one port rule configured for Network Load Balancing cluster.
You have to configure web. CK1 .com NLB cluster to accept HTTP traffic only. Which two actions
should you perform to achieve this objective? (Choose two answers. Each answer is part of the
complete solution)
A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console
Answer: A,D
Explanation:
QUESTION NO: 124
ABC.com has a main office and a branch office. ABC.com's network consists of a single Active
Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run
Windows server 2003.
You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD
DS) on a computer that runs Windows Server 2008. The branch office is located in a physically
insecure place. It has not IT personnel onsite and there are no administrators over there. You
need to setup a Read-Only Domain Controller (RODC) on the Server Core installation computer in
the branch office.
What should you do to setup RODC on the computer in branch office?
www.certify-me.co.uk 64
Microsoft 70-640 Exam
A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above
Answer: B
Explanation:
QUESTION NO: 125
You had installed an Active Directory Federation Services (AD FS) role on a Windows server 2008
in your organization.
Now you need to test the connectivity of clients in the network to ensure that they can successfully
reach the new Federation server and Federation server is operational.
What should you do? (Select all that apply)
A. Go to Services tab, and check if Active Directory Federation Services is running
B. In the event viewer, Applications, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federation Service URL for the new federation
server.
D. None of the above
Answer: B,C
Explanation:
QUESTION NO: 126
ABC.com has purchased laptop computers that will be used to connect to a wireless network. You
create a laptop organizational unit and create a Group Policy Object (GPO) and configure user
profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop
organizational unit. The new laptop users complain to you that they cannot connect to a wireless
network.
What should you do to enforce the group policy wireless settings to the laptop computers?
A. Execute gpupdate/target:computer command at the command prompt on laptop computers
B. Execute Add a network command and leave the SSID (service set identifier) blank
C. Execute gpupdate/boot command at the command prompt on laptops computers
D. Connect each laptop computer to a wired network and log off the laptop computer and then
login again.
E. None of the above
www.certify-me.co.uk 65
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 127
The Company has a Windows 2008 domain controller server. This server is routinely backed up
over the network from a dedicated backup server that is running Windows 2003 OS.
You need to prepare the domain controller for disaster recovery apart from the routine backup
procedures. You are unable to launch the backup utility while attempting to back up the system
state data for the data controller.
You need to backup system state data from the Windows Server 2008 domain controller server.
What should you do?
A. Add your user account to the local Backup Operators group
B. Install the Windows Server backup feature using the Server Manager feature.
C. Install the Removable Storage Manager feature using the Server Manager feature
D. Deactivating the backup job that is configured to backup Windows 2008 server domain
controller on the Windows 2003 server.
E. None of the above
Answer: B
Explanation:
QUESTION NO: 128
You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server
at a remote location. The remote location doesn't have proper physical security. You need to
activate nonadministrative accounts passwords on that RODC server. Which of the following
action should be considered to populate the RODC server with non-administrative accounts
passwords?
A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive for administrative accounts on the security tab for
Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication
Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and
on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the
administrators.
E. None of the above
www.certify-me.co.uk 66
Microsoft 70-640 Exam
Answer: C
Explanation:
QUESTION NO: 129
ABC.com has a network that is comprise of a single Active Directory Domain.
As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD
LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based
connections to the AD LDS server, you install certificates from a trusted Certification Authority
(CA) on the AD LDS server and client computers.
Which tool should you use to test the certificate with AD LDS?
A. Ldp.exe
B. Active Directory Domain services
C. ntdsutil.exe
D. Lds.exe
E. wsamain.exe
F. None of the above
Answer: A
Explanation:
QUESTION NO: 130
ABC.com boosts a main office and 20 branch offices. Configured as a separate site, each branch
office has a Read-Only Domain Controller (RODC) server installed.
Users in remote offices complain that they are unable to log on to their accounts.
What should you do to make sure that the cached credentials for user accounts are only stored in
their local branch office RODC server?
A. Open the RODC computer account security tab and set Allow on the Receive as permission
only for the users that are unable to log on to their accounts
B. Add a password replication policy to the main Domain RODC and add user accounts in the
security group
C. Configure a unique security group for each branch office and add user accounts to the
respective security group. Add the security groups to the password replication allowed group on
the main RODC server
D. Configure and add a separate password replication policy on each RODC computer account
Answer: D
www.certify-me.co.uk 67
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 131
The corporate network of Company consists of a Windows Server 2008 single Active Directory
domain. The domain has two servers named Company 1 and Company 2.
To ensure central monitoring of events you decided to collect all the events on one server,
Company
1. To collect events from Company
2. and transfer them to Company 1, you configured the required event subscriptions.
You selected the Normal option for the Event delivery optimization setting by using the HTTP
protocol.
However, you discovered that none of the subscriptions work.
Which of the following actions would you perform to configure the event collection and event
forwarding on the two servers? (Select three. Each answer is a part of the complete solution).
A. Through Run window execute the winrm quickconfig command on Company 2.
B. Through Run window execute the wecutil qc command on Company 2.
C. Add the Company 1 account to the Administrators group on Company 2.
D. Through Run window execute the winrm quickconfig command on Company 1.
E. Add the Company 2 account to the Administrators group on Company 1.
F. Through Run window execute the wecutil qc command on Company 1.
Answer: A,B,D
Explanation:
QUESTION NO: 132
Your company has a main office and 40 branch offices. Each branch office is configured as a
separate Active Directory site that has a dedicated read-only domain controller (RODC). An RODC
server is stolen from one of the branch offices.
You need to identify the user accounts that were cached on the stolen RODC server.
Which utility should you use?
www.certify-me.co.uk 68
Microsoft 70-640 Exam
A. Dsmod.exe
B. Ntdsutil.exe
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Answer: D
Explanation:
QUESTION NO: 133
ABC.com has a software evaluation lab. There is a server in the evaluation lab named as CKT.
CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual
servers running on an isolated virtual segment to evaluate software. To connect to the internet, it
uses physical network interface card.
ABC.com requires every server in the company to access Internet.
ABC.com security policy dictates that the IP address space used by software evaluation lab must
not be used by other networks. Similarly, it states the IP address space used by other networks
should not be used by the evaluation lab network. As an administrator you find you that the
applications tested in the software evaluation lab need to access normal network to connect to the
vendors update servers on the internet. You need to configure all virtual servers on the CKT
server to access the internet. You also need to comply with company's security policy.
Which two actions should you perform to achieve this task? (Choose two answers. Each answer is
a part of the complete solution)
A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew
command on each virtual server.
B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)
C. Use ABC.com intranet IP addresses on all virtual servers on CKT.
D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network
interface and create a new virtual network.
E. None of the above.
Answer: A,D
Explanation:
QUESTION NO: 134
You are an administrator at ABC.com. Company has a network of 5 member servers acting as file
servers. It has an Active Directory domain. You have installed a software application on the
www.certify-me.co.uk 69
Microsoft 70-640 Exam
servers. As soon as the application is installed, one of the member servers shuts down itself. To
trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the
domain security settings to trace the shutdowns and identify the cause of it.
What should you do to perform this task?
A. Link the GPO to the domain and enable System Events option
B. Link the GPO to the domain and enable Audit Object Access option
C. Link the GPO to the Domain Controllers and enable Audit Object Access option
D. Link the GPO to the Domain Controllers and enable Audit Process tracking option
E. Perform all of the above actions
Answer: A
Explanation:
QUESTION NO: 135
ABC.com has a network that consists of a single Active Directory domain. A technician has
accidently deleted an Organizational unit (OU) on the domain controller. As an administrator of
ABC.com, you are in process of restoring the OU. You need to execute a non-authoritative restore
before an authoritative restore of the OU. Which backup should you use to perform non-
authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data
stored on domain controller?
A. Critical volume backup
B. Backup of all the volumes
C. Backup of the volume that hosts Operating system
D. Backup of AD DS folders
E. all of the above
Answer: A
Explanation:
QUESTION NO: 136 DRAG DROP
ABC.com has an Active Directory forest on a single domain. The domain operates Windows
Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active
Directory database that hosts 6000 objects. You have backed up the system state data using
third-party backup software. To restore backup, you start the domain controller in the Directory
Services Restore Mode (DSRM). You need to perform an authoritative restore of the
organizational unit and restore the domain controller to its original state. Which three actions
should you perform?
www.certify-me.co.uk 70
Microsoft 70-640 Exam
The answer should be in a sequence.
Drag and drop the appropriate action into the sequential order.
Answer:
Explanation:
QUESTION NO: 137
ABC.com has a network that consists of a single Active Directory domain.Windows Server 2008 is
installed on all domain controllers in the network. You are instructed to capture all replication
errors from all domain controllers to a central location.
What should you do to achieve this task?
www.certify-me.co.uk 71
Microsoft 70-640 Exam
A. Initiate the Active Directory Diagnostics data collector set
B. Set event log subscriptions and configure it
C. Initiate the System Performance data collector set
D. Create a new capture in the Network Monitor
Answer: B
Explanation:
QUESTION NO: 138
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008
servers. Client computers running Windows XP and Windows Vista. All domain controllers are
running Windows server 2008.
Exhibit B
You need to deploy Active Directory Rights Management System (AD RMS) to secure all
documents, spreadsheets and to provide user authentication. What do you need to configure, in
order to complete the deployment of AD RMS?
A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company
_DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client
on all systems. Install AD RMS on domain controller Company _DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company _SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client
on all systems. Install AD RMS on domain controller Company _SRV5
E. None of the above
Answer: D
Explanation:
QUESTION NO: 139
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD
LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued
www.certify-me.co.uk 72
Microsoft 70-640 Exam
availability of data to applications and users in the event of a system failure. Because you have
limited media resources, you decided to backup only specific ADLDS instance instead of taking
backup of the entire volume.
What should you do to accomplish this task?
A. Use Windows Server backup utility and enable checkbox to take only backup of database and
log files of AD LDS
B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance
C. Move AD LDS database and log files on a separate volume and use windows server backup
utility
D. None of the above
Answer: B
Explanation:
QUESTION NO: 140
You had installed Windows Server 2008 on a computer and configured it as a file server, named
FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For
fault tolerance and performance you want to configure Redundant Array of Independent Disks
(RAID) 0 +1 on FileSrv1.
Which utility you will use to convert basic disks to dynamic disks on FileSrv1?
A. Diskpart.exe
B. Chkdsk.exe
C. Fsutil.exe
D. Fdisk.exe
E. None of the above
Answer: A
Explanation:
QUESTION NO: 141
ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boosts
40 Windows Vista client machines. As an administrator at ABC.com, you want to deploy Active
Directory Certificate service (AD CS) to authorize the network users by issuing digital certificates.
What should you do to manage certificate settings on all machines in a domain from one main
location?
www.certify-me.co.uk 73
Microsoft 70-640 Exam
A. Configure Enterprise CA certificate settings
B. Configure Enterprise trust certificate settings
C. Configure Advance CA certificate settings
D. Configure Group Policy certificate settings
E. All of the above
Answer: D
Explanation:
QUESTION NO: 142
A domain controller named DC12 runs critical services. Restructuring of the organizational unit
hierarchy for the domain has been completed and unnecessary objects have been deleted. You
need to perform an offline defragmentation of the Active Directory database on DC12. You also
need to ensure that the critical services remain online.
What should you do?
A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility.
B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility.
C. Stop the Domain Controller service in the Services (local) Microsoft Management Console
(MMC). Run the Defrag utility.
D. Stop the Domain Controller service in the Services (local) Microsoft Management Console
(MMC). Run the Ntdsutil utility.
Answer: D
Explanation:
QUESTION NO: 143
Your company has a server that runs Windows Server 2008 R2. The server runs an instance of
Active Directory Lightweight Directory Services (AD LDS).
You need to replicate the AD LDS instance on a test computer that is located on the network.
What should you do?
A. Run the repadmin /kcc <servername> command on the test computer.
B. Create a naming context by running the Dsmgmt command on the test computer.
C. Create a new directory partition by running the Dsmgmt command on the test computer.
D. Create and install a replica by running the AD LDS Setup wizard on the test computer.
www.certify-me.co.uk 74
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 144 DRAG DROP
Your company has two domain controllers named DC1 and DC2. DC1 host all domain and forest
operations master roles.
DC1 fails.
You need to rebuild DC1 by reinstalling the operating system. Youn also need to rollback all
operations master roles to their original state. You perform a metadate cleanup and remove all
references of DC1.
Which three actions should you perform next? (To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.)
Answer:
www.certify-me.co.uk 75
Microsoft 70-640 Exam
Explanation:
Topic 2, Exam Set 2
QUESTION NO: 145
Your network contains an Active Directory domain. The relevant servers in the domain are
configured as shown in the following table.
You need to ensure that all device certificate requests use the MD5 hash algorithm.
What should you do?
www.certify-me.co.uk 76
Microsoft 70-640 Exam
A. On Server2, run the Certutil tool.
B. On Server1, update the CEP Encryption certificate template.
C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.
D. On Server3, set the value of the
HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.
Answer: D
Explanation:
QUESTION NO: 146
Your network contains an Active Directory domain.
You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise
root certification authority (CA).
You have a client computer named Computer1 that runs Windows 7. You enable automatic
certificate enrollment for all client computers that run Windows 7. You need to verify that the
Windows 7 client computers can automatically enroll for certificates.
Which command should you run on Computer1?
A. certreq.exe retrieve
B. certreq.exe submit
C. certutil.exe getkey
D. certutil.exe pulse
Answer: D
Explanation:
QUESTION NO: 147
Your network contains two Active Directory forests named contoso.com and adatum.com. The
functional level of both forests is Windows Server 2008 R2. Each forest contains one domain.
Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow
users from both forests to automatically enroll user certificates. You need to ensure that all users
in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).
What should you configure in the adatum.com domain?
www.certify-me.co.uk 77
Microsoft 70-640 Exam
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Answer: C
Explanation:
QUESTION NO: 148
You have a server named Server1 that has the following Active Directory Certificate Services (AD
CS) role services installed:
- Enterprise root certification authority (CA)
- Certificate Enrollment Web Service
- Certificate Enrollment Policy Web Service
You create a new certificate template.
External users report that the new template is unavailable when they request a new certificate.
You verify that all other templates are available to the external users. You need to ensure that the
external users can request certificates by using the new template.
What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe dspublish.
D. Restart the Active Directory Certificate Services service.
Answer: A
Explanation:
QUESTION NO: 149
Your network contains an enterprise root certification authority (CA). You need to ensure that a
certificate issued by the CA is valid.
What should you do?
www.certify-me.co.uk 78
Microsoft 70-640 Exam
A. Run syskey.exe and use the Update option.
B. Run sigverif.exe and use the Advanced option.
C. Run certutil.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.
Answer: C
Explanation:
QUESTION NO: 150
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon
certificates.
Users are required to log on to the domain by using a smart card. Your company's corporate
security policy states that when an employee resigns, his ability to log on to the network must be
immediately revoked. An employee resigns.
You need to immediately prevent the employee from logging on to the domain.
What should you do?
A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.
Answer: B
Explanation:
QUESTION NO: 151
You add an Online Responder to an Online Responder Array.
You need to ensure that the new Online Responder resolves synchronization conflicts for all
members of the Array.
What should you do?
A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
www.certify-me.co.uk 79
Microsoft 70-640 Exam
C. From the Online Responder Management Console, select the new Online Responder, and then
select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder, and then
select Synchronize Members with Array Controller.
Answer: C
Explanation:
QUESTION NO: 152
Your network contains a server that runs Windows Server 2008 R2. The server is configured as an
enterprise root certification authority (CA).
You have a Web site that uses x.509 certificates for authentication. The Web site is configured to
use a many-to-one mapping.
You revoke a certificate issued to an external partner.
You need to prevent the external partner from accessing the Web site.
What should you do?
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Active Directory Users and Computers, modify the Contact object for the external partner.
Answer: A
Explanation:
QUESTION NO: 153
Your company has a main office and five branch offices that are connected by WAN links. The
company has an Active Directory domain named contoso.com. Each branch office has a member
server configured as a DNS server. All branch office DNS servers host a secondary zone for
contoso.com.
You need to configure the contoso.com zone to resolve client queries for at least four days in the
event that a WAN link fails.
www.certify-me.co.uk 80
Microsoft 70-640 Exam
What should you do?
A. Configure the Expires after option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.
Answer: A
Explanation: Explanation/Reference:
http://technet.microsoft.com/en-us/library/bb727018.aspx
DNS Config
Expires After The period of time for which zone information is valid on the secondary server. If the
secondary server can't download data from a primary server within this period, the secondary
server lets the data in its cache expire and stops responding to DNS queries. Setting Expires After
to seven days allows the data on a secondary server to be valid for seven days.
QUESTION NO: 154
Your company has an Active Directory domain named contoso.com. FS1 is a member server in
contoso.com.
You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that
contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server
and a DNS server.
Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has
an A record in the fabrikam.com DNS zone. What are two possible ways to achieve this goal?
(Each correct answer presents a complete solution. Choose two.)
A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.
B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain
Name to the domain name fabrikam.com.
C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.
D. Configure NIC2 by configuring the Use this connection's DNS suffix in DNS registration option.
E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name
to the domain name fabrikam.com.
Answer: B,D
Explanation:
www.certify-me.co.uk 81
Microsoft 70-640 Exam
QUESTION NO: 155
Your company Datum Corporation, has a single Active Directory domain named
intranet.adatum.com. The domain has two domain controllers that run Windows Server 2008 R2
operating system. The domain controllers also run DNS servers.
The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the
Dynamic updates setting configured to Secure only.
A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated
only by domain controllers or member servers.
You need to configure the intranet.adatum.com zone to meet the new security policy requirement.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com
DNS zone properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the
intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the
Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the
Security tab of the intranet.adatum.com DNS zone properties.
Answer: A,D
Explanation:
QUESTION NO: 156
Your company has two Active Directory forests as shown in the following table.
www.certify-me.co.uk 82
Microsoft 70-640 Exam
The forests are connected by using a two-way forest trust. Each trust direction is configured with
forest-wide authentication. The new security policy of the company prohibits users from the
eng.fabrikam.com domain to access resources in the contoso.com domain.
You need to configure the forest trust to meet the new security policy requirement.
What should you do?
A. Delete the outgoing forest trust in the contoso.com domain.
B. Delete the incoming forest trust in the contoso.com domain.
C. Change the properties of the existing incoming forest trust in the contoso.com domain from
Forest-wide authentication to Selective authentication.
D. Change the properties of the existing outgoing forest trust in the contoso.com domain to
exclude *.eng. fabrikam.com from the Name Suffix Routing trust properties.
Answer: D
Explanation:
QUESTION NO: 157
Your company has an Active Directory Rights Management Services (AD RMS) server. Users
have Windows Vista computers. An Active Directory domain is configured at the Windows Server
2003 functional level.
You need to configure AD RMS so that users are able to protect their documents.
What should you do?
A. Install the AD RMS client 2.0 on each client computer.
B. Add the RMS service account to the local administrators group on the AD RMS server.
C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.
Answer: C
Explanation:
QUESTION NO: 158
Your company has an Active Directory domain. All consultants belong to a global group named
TempWorkers.
www.certify-me.co.uk 83
Microsoft 70-640 Exam
The TempWorkers group is not nested in any other groups. You move the computer objects of
three file servers to a new organizational unit named SecureServers. These file servers contain
only confidential data in shared folders. You need to prevent members of the TempWorkers group
from accessing the confidential data on the file servers. You must achieve this goal without
affecting access to other domain resources.
What should you do?
A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access
to this computer from the network user right to the TempWorkers global group.
B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the
network user right to the TempWorkers global group.
C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the
TempWorkers global group.
D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on
locally user right to the TempWorkers global group.
Answer: A
Explanation:
QUESTION NO: 159
Your network consists of a single Active Directory domain. User accounts for engineering
department are located in an OU named Engineering.
You need to create a password policy for the engineering department that is different from your
domain password policy.
What should you do?
A. Create a new GPO. Link the GPO to the Engineering OU.
B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for
the Engineering OU.
C. Create a global security group and add all the user accounts for the engineering department to
the group. Create a new Password Policy Object (PSO) and apply it to the group.
D. Create a domain local security group and add all the user accounts for the engineering
department to the group. From the Active Directory Users and Computer console, select the group
and run the Delegation of Control Wizard.
Answer: C
Explanation:
www.certify-me.co.uk 84
Microsoft 70-640 Exam
QUESTION NO: 160
Your network contains an Active Directory domain. The domain contains two domain controllers
named DC1 and DC2.
DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the
zone. DC2 hosts a standard secondary DNS zone for the domain. You need to configure DNS to
allow only secure dynamic updates.
What should you do first?
A. On DC1 and DC2, configure a trust anchor.
B. On DC1 and DC2, configure a connection security rule.
C. On DC1, configure the zone transfer settings.
D. On DC1, configure the zone to be stored in Active Directory.
Answer: D
Explanation:
QUESTION NO: 161
Your network contains a domain controller that has two network connections named Internal and
Private.
Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5.
You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP
address.
What should you do?
A. Modify the netlogon.dns file on the domain controller.
B. Modify the Name Server settings of the DNS zone for the domain.
C. Modify the properties of the Private network connection on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.
Answer: C
Explanation:
QUESTION NO: 162
www.certify-me.co.uk 85
Microsoft 70-640 Exam
Your network contains an Active Directory forest named contoso.com. You plan to add a new
domain named nwtraders.com to the forest. All DNS servers are domain controllers.
You need to ensure that the computers in nwtraders.com can update their Host (A) records on any
of the DNS servers in the forest.
What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.
Answer: D
Explanation:
QUESTION NO: 163
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1. DC1 hosts a standard primary zone for contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
You need to prevent the non-domain member computers from registering records in the
contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?
A. Configure a trust anchor.
B. Run the Security Configuration Wizard (SCW).
C. Change the contoso.com zone to an Active Directory-integrated zone.
D. Modify the security settings of the %SystemRoot%\System32\Dns folder.
Answer: C
Explanation:
QUESTION NO: 164
www.certify-me.co.uk 86
Microsoft 70-640 Exam
Your network contains an Active Directory domain named contoso.com. You create a
GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The
target host of the record is server2.contoso.com. When you ping Server1, you discover that the
name fails to resolve.
You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Answer: B
Explanation:
QUESTION NO: 165
Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The DNS zone for
contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain
controllers in the domain.
The main office contains a writable domain controller named DC1. The branch office contains a
read- only domain controller (RODC) named RODC1. All domain controllers run Windows Server
2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
www.certify-me.co.uk 87
Microsoft 70-640 Exam
D. Modify the zone transfer settings for the contoso.com zone.
Answer: A
Explanation:
QUESTION NO: 166
Your network contains an Active Directory domain named contoso.com. The domain contains the
servers shown in the following table.
The functional level of the forest is Windows Server 2003. The functional level of the domain is
Windows Server 2003.
DNS1 and DNS2 host the contoso.com zone.
All client computers run Windows 7 Enterprise.
You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.
What should you do first?
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.
Answer: D
Explanation:
QUESTION NO: 167
Your network contains a domain controller that is configured as a DNS server. The server hosts an
Active Directory-integrated zone for the domain.
www.certify-me.co.uk 88
Microsoft 70-640 Exam
You need to reduce how long it takes until stale records are deleted from the zone.
What should you do?
A. From the configuration directory partition of the forest, modify the tombstone lifetime.
B. From the configuration directory partition of the forest, modify the garbage collection interval.
C. From the aging properties of the zone, modify the no-refresh interval and the refresh interval.
D. From the start of authority (SOA) record of the zone, modify the refresh interval and the expire
interval.
Answer: C
Explanation:
QUESTION NO: 168
You have an Active Directory domain named contoso.com. You have a domain controller named
Server1 that is configured as a DNS server. Server1 hosts a standard primary zone for
contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 89
Microsoft 70-640 Exam
You discover that stale resource records are not automatically removed from the contoso.com
zone.
You need to ensure that the stale resource records are automatically removed from the
contoso.com zone.
What should you do?
A. Set the scavenging period of Server1 to 0 days.
B. Modify the Server Aging/Scavenging properties.
C. Configure the aging properties for the contoso.com zone.
D. Convert the contoso.com zone to an Active Directory-integrated zone.
Answer: C
www.certify-me.co.uk 90
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 169
Your network contains an Active Directory domain named contoso.com.
You remove several computers from the network.
You need to ensure that the host (A) records for the removed computers are automatically deleted
from the contoso.com DNS zone.
What should you do?
A. Configure dynamic updates.
B. Configure aging and scavenging.
C. Create a scheduled task that runs the Dnscmd /ClearCache command.
D. Create a scheduled task that runs the Dnscmd /ZoneReload contoso.com command.
Answer: B
Explanation:
QUESTION NO: 170
You need to force a domain controller to register all service location (SRV) resource records in
DNS.
Which command should you run?
A. ipconfig.exe /registerdns
B. net.exe stop dnscache & net.exe start dnscache
C. net.exe stop netlogon & net.exe start netlogon
D. regsvr32.exe dnsrslvr.dll
Answer: C
Explanation:
www.certify-me.co.uk 91
Microsoft 70-640 Exam
QUESTION NO: 171
Your network contains an Active Directory domain named contoso.com.
You plan to deploy a child domain named sales.contoso.com.
The domain controllers in sales.contoso.com will be DNS servers for sales.contoso.com.
You need to ensure that users in contoso.com can connect to servers in sales.contoso.com by
using fully qualified domain names (FQDNs).
What should you do?
A. Create a DNS forwarder.
B. Create a DNS delegation.
C. Configure root hint servers.
D. Configure an alternate DNS server on all client computers.
Answer: B
Explanation:
QUESTION NO: 172
Your network contains a single Active Directory domain named contoso.com. The domain contains
two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a
primary zone for contoso.com.
DC2 hosts a secondary zone for contosto.com. On DC1, you change the zone to an Active
Directory-integrated zone and configure the zone to accept secure dynamic updates only.
You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.
Which command should you run?
A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary
C. dnslint.exe /ql
D. repadmin.exe /syncall /force
Answer: B
www.certify-me.co.uk 92
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 173
Your network contains an Active Directory domain named contoso.com. You run nslookup.exe as
shown in the following Command Prompt window.
You need to ensure that you can use Nslookup to list all of the service location (SRV) resource
records for contoso.com.
What should you modify?
A. the root hints of the DNS server
B. the security settings of the zone
C. the Windows Firewall settings on the DNS server
D. the zone transfer settings of the zone
Answer: D
Explanation:
QUESTION NO: 174
Your network contains an Active Directory domain named contoso.com.
The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows
Server 2008 R2.
You need to identify if all of the DNS records used for Active Directory replication are correctly
registered.
What should you do?
www.certify-me.co.uk 93
Microsoft 70-640 Exam
A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController
cmdlet.
Answer: B
Explanation:
QUESTION NO: 175
Your network contains an Active Directory forest. The forest contains one domain and three sites.
Each site contains two domain controllers. All domain controllers are DNS servers.
You create a new Active Directory-integrated zone.
You need to ensure that the new zone is replicated to the domain controllers in only one of the
sites.
What should you do first?
A. Modify the NTDS Site Settings object for the site.
B. Modify the replication settings of the default site link.
C. Create an Active Directory connection object.
D. Create an Active Directory application directory partition.
Answer: D
Explanation:
QUESTION NO: 176
Your network contains a single Active Directory forest. The forest contains two domains named
contoso.com and sales.contoso.com. The domain controllers are configured as shown in the
following table.
www.certify-me.co.uk 94
Microsoft 70-640 Exam
All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory-
integrated zones.
You need to ensure that contoso.com records are available on DC3.
Which command should you run?
A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
Answer: B
Explanation:
QUESTION NO: 177
You have a DNS zone that is stored in a custom application directory partition.
You install a new domain controller.
You need to ensure that the custom application directory partition replicates to the new domain
controller.
What should you use?
A. the Active Directory Administrative Center console
B. the Active Directory Sites and Services console
www.certify-me.co.uk 95
Microsoft 70-640 Exam
C. the DNS Manager console
D. the Dnscmd tool
Answer: D
Explanation:
QUESTION NO: 178
Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The
functional level of the forest is Windows Server 2008.
You have a member server named Server1 that runs Windows Server 2008.
You need to ensure that you can add Server1 to contoso.com as a domain controller.
What should you run before you promote Server1?
A. dcpromo.exe /CreateDCAccount
B. dcpromo.exe /ReplicaOrNewDomain:replica
C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain
D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest
Answer: C
Explanation:
QUESTION NO: 179
Your network contains an Active Directory forest. The forest contains a single domain. You want to
access resources in a domain that is located in another forest. You need to configure a trust
between the domain in your forest and the domain in the other forest.
What should you create?
A. an incoming external trust
B. an incoming realm trust
C. an outgoing external trust
D. an outgoing realm trust
Answer: A
www.certify-me.co.uk 96
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 180
Your network contains two Active Directory forests. One forest contains two domains named
contoso.com and na.contoso.com. The other forest contains a domain named nwtraders.com. A
forest trust is configured between the two forests.
You have a user named User1 in the na.contoso.com domain. User1 reports that he fails to log on
to a computer in the nwtraders.com domain by using the user name NA\User1.
Other users from na.contoso.com report that they can log on to the computers in the
nwtraders.com domain.
You need to ensure that User1 can log on to the computer in the nwtraders.com domain.
What should you do?
A. Enable selective authentication over the forest trust.
B. Create an external one-way trust from na.contoso.com to nwtraders.com.
C. Instruct User1 to log on to the computer by using his user principal name (UPN).
D. Instruct User1 to log on to the computer by using the user name nwtraders\User1.
Answer: C
Explanation:
QUESTION NO: 181
Your company has a main office and a branch office. The main office contains two domain
controllers.
You create an Active Directory site named BranchOfficeSite. You deploy a domain controller in the
branch office, and then add the domain controller to the BranchOfficeSite site.
You discover that users in the branch office are randomly authenticated by either the domain
controller in the branch office or the domain controllers in the main office. You need to ensure that
the users in the branch office always attempt to authenticate to the domain controller in the branch
office first.
What should you do?
www.certify-me.co.uk 97
Microsoft 70-640 Exam
A. Create organizational units (OUs).
B. Create Active Directory subnet objects.
C. Modify the slow link detection threshold.
D. Modify the Location attribute of the computer objects.
Answer: B
Explanation:
QUESTION NO: 182
Your company has a main office and 50 branch offices. Each office contains multiple subnets.
You need to automate the creation of Active Directory subnet objects.
What should you use?
A. the Dsadd tool
B. the Netsh tool
C. the New-ADObject cmdlet
D. the New-Object cmdlet
Answer: C
Explanation:
QUESTION NO: 183
Your network contains an Active Directory forest. The forest contains multiple sites.
You need to enable universal group membership caching for a site.
What should you do?
A. From Active Directory Sites and Services, modify the NTDS Settings.
B. From Active Directory Sites and Services, modify the NTDS Site Settings.
C. From Active Directory Users and Computers, modify the properties of all universal groups used
in the site.
D. From Active Directory Users and Computers, modify the computer objects for the domain
controllers in the site.
Answer: B
Explanation:
www.certify-me.co.uk 98
Microsoft 70-640 Exam
QUESTION NO: 184
You need to ensure that domain controllers only replicate between domain controllers in adjacent
sites. What should you configure from Active Directory Sites and Services?
A. From the IP properties, select Ignore all schedules.
B. From the IP properties, select Disable site link bridging.
C. From the NTDS Settings object, manually configure the Active Directory Domain Services
connection objects.
D. From the properties of the NTDS Site Settings object, configure the Inter-Site Topology
Generator for each site.
Answer: B
Explanation:
QUESTION NO: 185
Your company has a main office and a branch office.
You discover that when you disable IPv4 on a computer in the branch office, the computer
authenticates by using a domain controller in the main office. You need to ensure that IPv6-only
computers authenticate to domain controllers in the same site.
What should you do?
A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.
Answer: B
Explanation:
QUESTION NO: 186
Your network contains an Active Directory domain. The domain is configured as shown in the
following table.
www.certify-me.co.uk 99
Microsoft 70-640 Exam
Users in Branch2 sometimes authenticate to a domain controller in Branch1. You need to ensure
that users in Branch2 only authenticate to the domain controllers in Main.
What should you do?
A. On DC3, set the AutoSiteCoverage value to 0.
B. On DC3, set the AutoSiteCoverage value to 1.
C. On DC1 and DC2, set the AutoSiteCoverage value to 0.
D. On DC1 and DC2, set the AutoSiteCoverage value to 1.
Answer: A
Explanation:
QUESTION NO: 187
Your network contains a single Active Directory domain that has two sites named Site1 and Site2.
Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named
DC3 and DC4.
DC3 fails.
You discover that replication no longer occurs between the sites. You verify the connectivity
between DC4 and the domain controllers in Site1.
On DC4, you run repadmin.exe /kcc.
Replication between the sites continues to fail.
You need to ensure that Active Directory data replicates between the sites.
What should you do?
A. From Active Directory Sites and Services, modify the properties of DC3.
B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2.
C. From Active Directory Users and Computers, modify the location settings of DC4.
www.certify-me.co.uk 100
Microsoft 70-640 Exam
D. From Active Directory Users and Computers, modify the delegation settings of DC4.
Answer: A
Explanation:
QUESTION NO: 188
Your network contains an Active Directory domain. The functional level of the domain is Windows
Server 2003.
The domain contains five domain controllers that run Windows Server 2008 and five domain
controllers that run Windows Server 2008 R2.
You need to ensure that SYSVOL is replicated by using Distributed File System Replication
(DFSR).
What should you do first?
A. Run dfsrdiag.exe PollAD.
B. Run dfsrmig.exe /SetGlobalState 0.
C. Upgrade all domain controllers to Windows Server 2008 R2.
D. Raise the functional level of the domain to Windows Server 2008.
Answer: D
Explanation:
QUESTION NO: 189
Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and woodgrovebank.com.
You have a custom attribute named Attibute1 in Active Directory. Attribute1 is associated to User
objects.
You need to ensure that Attribute1 is replicated to the global catalog.
What should you do?
A. In Active Directory Sites and Services, configure the NTDS Settings.
B. In Active Directory Sites and Services, configure the universal group membership caching.
C. From the Active Directory Schema snap-in, modify the properties of the User class schema
www.certify-me.co.uk 101
Microsoft 70-640 Exam
object.
D. From the Active Directory Schema snap-in, modify the properties of the Attribute1 class
schema attribute.
Answer: D
Explanation:
QUESTION NO: 190
Your network contains an Active Directory domain. The domain contains three domain controllers.
One of the domain controllers fails.
Seven days later, the help desk reports that it can no longer create user accounts. You need to
ensure that the help desk can create new user accounts.
Which operations master role should you seize?
A. domain naming master
B. infrastructure master
C. primary domain controller (PDC) emulator
D. RID master
E. schema master
Answer: D
Explanation:
QUESTION NO: 191
Your network contains two standalone servers named Server1 and Server2 that have Active
Directory Lightweight Directory Services (AD LDS) installed.
Server1 has an AD LDS instance.
You need to ensure that you can replicate the instance from Server1 to Server2.
What should you do on both servers?
A. Obtain a server certificate.
www.certify-me.co.uk 102
Microsoft 70-640 Exam
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.
Answer: C
Explanation:
QUESTION NO: 192
Your network contains a server named Server1 that runs Windows Server 2008 R2.
You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1.
You need to create an additional AD LDS application directory partition in the existing instance.
Which tool should you use?
A. Adaminstall
B. Dsadd
C. Dsmod
D. Ldp
Answer: D
Explanation:
QUESTION NO: 193
Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1,
you create an Active Directory Lightweight Directory Services (AD LDS) instance named
Instance1.
You connect to Instance1 by using ADSI Edit.
You run the Create Object wizard and you discover that there is no User object class.
You need to ensure that you can create user objects in Instance1.
What should you do?
www.certify-me.co.uk 103
Microsoft 70-640 Exam
A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).
Answer: A
Explanation:
QUESTION NO: 194
Your network contains an Active Directory domain. The domain contains a server named Server1.
Server1 runs Windows Server 2008 R2.
You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from
Server1.
What should you do?
A. Run ldp.exe and use the Bind option.
B. Run diskpart.exe and use the Attach option.
C. Run dsdbutil.exe and use the snapshot option.
D. Run imagex.exe and specify the /mount parameter.
Answer: C
Explanation:
QUESTION NO: 195
Your network contains a single Active Directory domain. Active Directory Rights Management
Services (AD RMS) is deployed on the network.
A user named User1 is a member of only the AD RMS Enterprise Administrators group.
You need to ensure that User1 can change the service connection point (SCP) for the AD RMS
installation.
The solution must minimize the administrative rights of User1.
www.certify-me.co.uk 104
Microsoft 70-640 Exam
To which group should you add User1?
A. AD RMS Auditors
B. AD RMS Service Group
C. Domain Admins
D. Schema Admins
Answer: C
Explanation:
QUESTION NO: 196
Your network contains two Active Directory forests named contoso.com and adatum.com.
Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS
trusted user domain (TUD) exists between contoso.com and adatum.com.
From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com
forest are authenticating as users from contoso.com.
You need to prevent users from impersonating contoso.com users.
What should you do?
A. Configure trusted e-mail domains.
B. Enable lockbox exclusion in AD RMS.
C. Create a forest trust between adatum.com and contoso.com.
D. Add a certificate from a third-party trusted certification authority (CA).
Answer: A
Explanation:
QUESTION NO: 197
Your network contains an Active Directory domain named contoso.com. The network contains
client computers that run either Windows Vista or Windows 7. Active Directory Rights
Management Services (AD RMS) is deployed on the network.
You create a new AD RMS template that is distributed by using the AD RMS pipeline. The
www.certify-me.co.uk 105
Microsoft 70-640 Exam
template is updated every month.
You need to ensure that all the computers can use the most up-to-date version of the AD RMS
template. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2
(SP2) to all users by using a Software Installation extension of Group Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2
(SP2) to all computers by using a Software Installation extension of Group Policy.
Answer: B
Explanation:
QUESTION NO: 198
Active Directory Rights Management Services (AD RMS) is deployed on your network. Users who
have Windows Mobile 6 devices report that they cannot access documents that are protected by
AD RMS.
You need to ensure that all users can access AD RMS protected content by using Windows
Mobile 6 devices.
What should you do?
A. Modify the security of the ServerCertification.asmx file.
B. Modify the security of the MobileDeviceCertification.asmx file.
C. Enable anonymous authentication for the _wmcs virtual directory.
D. Enable anonymous authentication for the certification virtual directory.
Answer: B
Explanation:
QUESTION NO: 199
Your network contains a server named Server1. The Active Directory Rights Management
www.certify-me.co.uk 106
Microsoft 70-640 Exam
Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS.
You need to update AD RMS to use the new password.
Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Component Services
D. Services
Answer: A
Explanation:
QUESTION NO: 200
Your network contains an Active Directory Rights Management Services (AD RMS) cluster. You
have several custom policy templates. The custom policy templates are updated frequently.
Some users report that it takes as many as 30 days to receive the updated policy templates. You
need to ensure that users receive the updated custom policy templates within seven days.
What should you do?
A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled
task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated)
scheduled task.
Answer: B
Explanation:
QUESTION NO: 201
Your company has a main office and a branch office. The branch office contains a read-only
www.certify-me.co.uk 107
Microsoft 70-640 Exam
domain controller named RODC1.
You need to ensure that a user named Admin1 can install updates on RODC1. The solution must
prevent Admin1 from logging on to other domain controllers.
What should you do?
A. Run ntdsutil.exe and use the Roles option.
B. Run dsmgmt.exe and use the Local Roles option.
C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.
Answer: B
Explanation:
QUESTION NO: 202
You install a read-only domain controller (RODC) named RODC1.
You need to ensure that a user named User1 can administer RODC1. The solution must minimize
the number of permissions assigned to User1.
Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsadd
D. Dsmgmt
Answer: D
Explanation:
QUESTION NO: 203
Your network contains an Active Directory domain. The domain contains two sites named Site1
and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller
(RODC). You add a user named User1 to the Allowed RODC Password Replication Group.
The WAN link between Site1 and Site2 fails.
www.certify-me.co.uk 108
Microsoft 70-640 Exam
User1 restarts his computer and reports that he is unable to log on to the domain.
The WAN link is restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?
A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication
Group.
Answer: D
Explanation:
QUESTION NO: 204
Your company has a main office and a branch office.
The network contains an Active Directory domain.
The main office contains a writable domain controller named DC1. The branch office contains a
read- only domain controller (RODC) named DC2.
You discover that the password of an administrator named Admin1 is cached on DC2. You need
to prevent Admin1's password from being cached on DC2.
What should you do?
A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Setting object (PSO).
D. Modify the properties of DC2's computer account.
Answer: D
Explanation:
www.certify-me.co.uk 109
Microsoft 70-640 Exam
QUESTION NO: 205
Your network contains an Active Directory domain named contoso.com. The network has a branch
office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs
Windows Server 2008 R2.
A user named User1 logs on to a computer in the branch office site. You discover that the
password of User1 is not stored on RODC1. You need to ensure that User1's password is stored
on RODC1.
What should you modify?
A. the Member Of properties of RODC1
B. the Member Of properties of User1
C. the Security properties of RODC1
D. the Security properties of User1
Answer: B
Explanation:
QUESTION NO: 206
Your company has a main office and a branch office. The branch office has an Active Directory
site that contains a read-only domain controller (RODC).
A user from the branch office reports that his account is locked out. From a writable domain
controller in the main office, you discover that the user's account is not locked out.
You need to ensure that the user can log on to the domain.
What should you do?
A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.
Answer: D
Explanation:
www.certify-me.co.uk 110
Microsoft 70-640 Exam
QUESTION NO: 207
Your network contains a single Active Directory domain. The domain contains five read-only
domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server
2008. You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure
that you can add the new RODC to the domain.
You want to achieve this goal by using the minimum amount of administrative effort.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. At the command prompt, run adprep.exe /rodcprep.
B. At the command prompt, run adprep.exe /forestprep.
C. At the command prompt, run adprep.exe /domainprep.
D. From Active Directory Domains and Trusts, raise the functional level of the domain.
E. From Active Directory Users and Computers, pre-stage the RODC computer account.
Answer: B,C
Explanation:
QUESTION NO: 208
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server
named Server1.
You need to configure the Windows Firewall on Server1 to allow external users to authenticate by
using AD FS.
Which inbound TCP port should you allow on Server1?
A. 88
B. 135
C. 443
D. 445
Answer: C
Explanation:
QUESTION NO: 209
www.certify-me.co.uk 111
Microsoft 70-640 Exam
You deploy a new Active Directory Federation Services (AD FS) federation server. You request
new certificates for the AD FS federation server.
You need to ensure that the AD FS federation server can use the new certificates.
To which certificate store should you import the certificates?
A. Computer
B. IIS Admin Service service account
C. Local Administrator
D. World Wide Web Publishing Service service account
Answer: A
Explanation:
QUESTION NO: 210
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1. Server1 has the Active Directory Federation Services (AD FS) role
installed.
You have an application named App1 that is configured to use Server1 for AD FS authentication.
You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.
You need to ensure that App1 can use Server2 for authentication.
What should you do on Server2?
A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relaying provider trust.
Answer: B
Explanation:
QUESTION NO: 211
www.certify-me.co.uk 112
Microsoft 70-640 Exam
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1. The Active Directory Federation Services (AD FS) role is installed on
Server1. Contoso.com is defined as an account store.
A partner company has a Web-based application that uses AD FS authentication. The partner
company plans to provide users from contoso.com access to the Web application.
You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by
the partner company.
What should you create on Server1?
A. a new application
B. a resource partner
C. an account partner
D. an organization claim
Answer: B
Explanation:
QUESTION NO: 212
Your network contains two servers named Server1 and Server2 that run Windows Server 2008
R2. Server1 has the Active Directory Federation Services (AD FS) Federation Service role service
installed.
You plan to deploy AD FS 2.0 on Server2.
You need to export the token-signing certificate from Server1, and then import the certificate to
Server2.
Which format should you use to export the certificate?
A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)
Answer: D
Explanation:
www.certify-me.co.uk 113
Microsoft 70-640 Exam
QUESTION NO: 213
Your network contains two servers named Server1 and Server2 that run Windows Server 2008
R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member
of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on
a separate Microsoft SQL Server.
You install AD FS 2.0 on Server2.
You need to add Server2 to the existing AD FS farm.
What should you do?
A. On Server1, run fsconfig.exe.
B. On Server1, run fsconfigwizard.exe.
C. On Server2, run fsconfig.exe.
D. On Server2, run fsconfigwizard.exe.
Answer: C
Explanation:
QUESTION NO: 214
Your network contains an Active Directory forest.
You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller
in the network. You create a Windows PowerShell script named new-users.ps1 that contains the
following lines:
New-aduser user1
New-aduser user2
New-aduser user3
New-aduser user4
New-aduser user5
On the domain controller, you double-click the script and the script runs. You discover that the
www.certify-me.co.uk 114
Microsoft 70-640 Exam
script fails to create the user accounts.
You need to ensure that the script creates the user accounts.
Which cmdlet should you add to the script?
A. Import-Module
B. Register-ObjectEvent
C. Set-ADDomain
D. Set-ADUser
Answer: A
Explanation:
QUESTION NO: 215
Your network contains an Active Directory forest. The forest schema contains a custom attribute
for user objects.
You need to modify the custom attribute value of 500 user accounts.
Which tool should you use?
A. Csvde
B. Dsmod
C. Dsrm
D. Ldifde
Answer: D
Explanation:
QUESTION NO: 216
Your network contains an Active Directory forest. The forest schema contains a custom attribute
for user objects.
You need to give the human resources department a file that contains the last logon time and the
custom attribute values for each user in the forest.
www.certify-me.co.uk 115
Microsoft 70-640 Exam
What should you use?
A. the Dsquery tool
B. the Export-CSV cmdlet
C. the Get-ADUser cmdlet
D. the Net.exe user command
Answer: C
Explanation:
QUESTION NO: 217
You have a Windows PowerShell script that contains the following code:
import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -
AccountPassword $_.password}
When you run the script, you receive an error message indicating that the format of the password
is incorrect.
The script fails.
You need to run a script that successfully creates the user accounts by using the password
contained in accounts.csv.
Which script should you run?
A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –
AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)}
B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –
AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}
C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –
AccountPassword (Read-Host -AsSecureString "Password")}
D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true –
AccountPassword (Read-Host -AsSecureString $_.Password)}
Answer: B
Explanation:
QUESTION NO: 218
www.certify-me.co.uk 116
Microsoft 70-640 Exam
Your network contains an Active Directory forest. The functional level of the forest is Windows
Server 2008 R2.
Your company's corporate security policy states that the password for each user account must be
changed at least every 45 days.
You have a user account named Service1. Service1 is used by a network application named
Application1.
Every 45 days, Application1 fails.
After resetting the password for Service1, Application1 runs properly.
You need to resolve the issue that causes Application1 to fail. The solution must adhere to the
corporate security policy.
What should you do?
A. Run the Set-ADAccountControl cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).
Answer: B
Explanation:
QUESTION NO: 219
Your network contains an Active Directory forest.
You add an additional user principal name (UPN) suffix to the forest. You need to modify the UPN
suffix of all users. You want to achieve this goal by using the minimum amount of administrative
effort.
What should you use?
A. the Active Directory Domains and Trusts console
B. the Active Directory Users and Computers console
C. the Csvde tool
D. the Ldifde tool
www.certify-me.co.uk 117
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 220
Your network contains a single Active Directory domain. All client computers run Windows Vista
Service Pack 2 (SP2).
You need to prevent all users from running an application named App1.exe.
Which Group Policy settings should you configure?
A. Application Compatibility
B. AppLocker
C. Software Installation
D. Software Restriction Policies
Answer: D
Explanation:
QUESTION NO: 221
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista. You
need to ensure that all client computers can apply Group Policy preferences.
What should you do?
A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).
Answer: C
Explanation:
QUESTION NO: 222
www.certify-me.co.uk 118
Microsoft 70-640 Exam
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2). You
need to audit user access to the administrative shares on the client computers.
What should you do?
A. Deploy a logon script that runs Icacls.exe.
B. Deploy a logon script that runs Auditpol.exe.
C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.
D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.
Answer: B
Explanation:
QUESTION NO: 223
Your network contains an Active Directory domain named contoso.com. You need to create a
central store for the Group Policy Administrative templates.
What should you do?
A. Run dfsrmig.exe /createglobalobjects.
B. Run adprep.exe /domainprep /gpprep.
C. Copy the %SystemRoot%\PolicyDefinitions folder to the
\\contoso.com\SYSVOL\contoso.com\Policies folder.
D. Copy the %SystemRoot%\System32\GroupPolicy folder to the
\\contoso.com\SYSVOL\contoso.com\Policies folder.
Answer: C
Explanation:
QUESTION NO: 224
You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.
You need to identify whether a specific application file is allowed to run on a computer.
Which Windows PowerShell cmdlet should you use?
www.certify-me.co.uk 119
Microsoft 70-640 Exam
A. Get-AppLockerFileInformation
B. Get-GPOReport
C. Get-GPPermissions
D. Test-AppLockerPolicy
Answer: D
Explanation:
QUESTION NO: 225
You create a Password Settings object (PSO).
You need to apply the PSO to a domain user named User1.
What should you do?
A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).
Answer: A
Explanation:
QUESTION NO: 226
You need to create a Password Settings object (PSO).
Which tool should you use?
A. Active Directory Users and Computers
B. ADSI Edit
C. Group Policy Management Console
D. Ntdsutil
Answer: B
Explanation:
QUESTION NO: 227
www.certify-me.co.uk 120
Microsoft 70-640 Exam
Your network contains an Active Directory domain. All servers run Windows Server 2008 R2.
You need to audit the deletion of registry keys on each server.
What should you do?
A. From Audit Policy, modify the Object Access settings and the Process Tracking settings.
B. From Audit Policy, modify the System Events settings and the Privilege Use settings.
C. From Advanced Audit Policy Configuration, modify the System settings and the Detailed
Tracking settings.
D. From Advanced Audit Policy Configuration, modify the Object Access settings and the Global
Object Access Auditing settings.
Answer: D
Explanation:
QUESTION NO: 228
Your network contains a single Active Directory domain. The functional level of the forest is
Windows Server 2008 R2.
You need to enable the Active Directory Recycle Bin.
What should you use?
A. the Dsmod tool
B. the Enable-ADOptionalFeature cmdlet
C. the Ntdsutil tool
D. the Set-ADDomainMode cmdlet
Answer: B
Explanation:
QUESTION NO: 229
Your network contains a single Active Directory domain.
You need to create an Active Directory Domain Services snapshot.
www.certify-me.co.uk 121
Microsoft 70-640 Exam
What should you do?
A. Use the Ldp tool.
B. Use the NTDSUtil tool.
C. Use the Wbadmin tool.
D. From Windows Server Backup, perform a full backup.
Answer: B
Explanation:
QUESTION NO: 230
Your network contains a single Active Directory domain.
A domain controller named DC2 fails.
You need to remove DC2 from Active Directory.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. At the command prompt, run dcdiag.exe /fix.
B. At the command prompt, run netdom.exe remove dc2.
C. From Active Directory Sites and Services, delete DC2.
D. From Active Directory Users and Computers, delete DC2.
Answer: C,D
Explanation:
QUESTION NO: 231
Your network contains a single Active Directory domain. The functional level of the forest is
Windows Server 2008. The functional level of the domain is Windows Server 2008 R2.
All DNS servers run Windows Server 2008. All domain controllers run Windows Server 2008 R2.
You need to ensure that you can enable the Active Directory Recycle Bin.
What should you do?
www.certify-me.co.uk 122
Microsoft 70-640 Exam
A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.
Answer: A
Explanation:
QUESTION NO: 232
Your network contains an Active Directory domain. The domain contains several domain
controllers.
All domain controllers run Windows Server 2008 R2.
You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the
Windows Server 2008 R2 default settings.
What should you do?
A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.
Answer: A
Explanation:
QUESTION NO: 233
A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is
configure as shown in the following table.
The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is
Windows 2003.
www.certify-me.co.uk 123
Microsoft 70-640 Exam
Active Directory replication between Seatle site and the Chicago site occurs from 8:00 P.M. to
1:00 A.M. every day.
At 7:00 A.M. , an administrator deletes a user account while he is logged on to DC001.
You need to restore the deleted user account. You must achieve this goal by using the minimum
amount of administrative effort.
What should you do?
A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.
B. On DC001, run the Restore-ADObject cmdlet.
C. On DC006, run the Restore-ADObject cmdlet.
D. On DC001, stop the AD DS, restore the System State, and then start AD DS.
Answer: A
Explanation:
QUESTION NO: 234
Your network contains an Active Directory domain. The domain contains two domain controllers
named DC1 and DC2.
You perform a full backup of the domain controllers every night by using Windows Server Backup.
You update a script in the SYSVOL folder.
You discover that the new script fails to run properly. You need to restore the previous version of
the script in the SYSVOL folder.
The solution must minimize the amount of time required to restore the script.
What should you do first?
A. Run the Restore-ADObject cmdlet.
B. Restore the system state to its original location.
C. Restore the system state to an alternate location.
D. Attach the VHD file created by Windows Server Backup.
Answer: D
www.certify-me.co.uk 124
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 235
Your network contains an Active Directory domain.
You need to restore a deleted computer account from the Active Directory Recycle Bin.
What should you do?
A. From the command prompt, run recover.exe.
B. From the command prompt, run ntdsutil.exe.
C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.
Answer: D
Explanation:
QUESTION NO: 236
You need to back up all of the group policies in a domain. The solution must minimize the size of
the backup.
What should you use?
A. the Add-WBSystemState cmdlet
B. the Group Policy Management console
C. the Wbadmin tool
D. the Windows Server Backup feature
Answer: B
Explanation:
QUESTION NO: 237
You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.
You need to ensure that you can recover the private key of a certificate issued to a Web server.
www.certify-me.co.uk 125
Microsoft 70-640 Exam
What should you do?
A. From the CA, run the Get-PfxCertificate cmdlet.
B. From the Web server, run the Get-PfxCertificate cmdlet.
C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.
D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.
Answer: D
Explanation:
QUESTION NO: 238
Your company has a main office and a branch office.
The network contains a single Active Directory domain. The main office contains a domain
controller named DC1.
You need to install a domain controller in the branch office by using an offline copy of the Active
Directory database.
What should you do first?
A. From the Ntdsutil tool, create an IFM media set.
B. From the command prompt, run djoin.exe /loadfile.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the get-ADDomainController cmdlet.
Answer: A
Explanation:
QUESTION NO: 239
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008. The functional level of the domain is Windows Server 2003. All client computers run
Windows 7.
You install Windows Server 2008 R2 on a server named Server1. You need to perform an offline
domain join of Server1.
www.certify-me.co.uk 126
Microsoft 70-640 Exam
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. From Server1, run djoin.exe.
B. From Server1, run netdom.exe.
C. From a Windows 7 computer, run djoin.exe.
D. Upgrade one domain controller to Windows Server 2008 R2.
E. Raise the functional level of the domain to Windows Server 2008.
Answer: A,C
Explanation:
QUESTION NO: 240
You have an Active Directory snapshot.
You need to view the contents of the organizational units (OUs) in the snapshot.
Which tools should you run?
A. explorer.exe, netdom.exe, and dsa.msc
B. ntdsutil.exe, dsamain.exe, and dsa.msc
C. wbadmin.msc, dsamain.exe, and netdom.exe
D. wbadmin.msc, ntdsutil.exe, and explorer.exe
Answer: B
Explanation:
QUESTION NO: 241
Your network contains a domain controller that runs Windows Server 2008 R2. You run the
following command on the domain controller:
dsamain.exe dbpath
c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit ldapport
389 - allowNonAdminAccess
www.certify-me.co.uk 127
Microsoft 70-640 Exam
The command fails.
You need to ensure that the command completes successfully.
How should you modify the command?
A. Include the path to Dsamain.
B. Change the value of the -dbpath parameter.
C. Change the value of the -ldapport parameter.
D. Remove the allowNonAdminAccess
Answer: C
Explanation:
QUESTION NO: 242
Your network contains an Active Directory domain. The domain contains five domain controllers.
A domain controller named DC1 has the DHCP role and the file server role installed.
You need to move the Active Directory database on DC1 to an alternate location. The solution
must minimize impact on the network during the database move.
What should you do first?
A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.
Answer: D
Explanation:
QUESTION NO: 243
Your company has a main office and a branch office.
The network contains an Active Directory forest. The forest contains three domains. The branch
office contains one domain controller named DC5. DC5 is configured as a global catalog server, a
www.certify-me.co.uk 128
Microsoft 70-640 Exam
DHCP server, and a file server.
You remove the global catalog from DC5.
You need to reduce the size of the Active Directory database on DC5. The solution must minimize
the impact on all users in the branch office.
What should you do first?
A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.
Answer: D
Explanation:
QUESTION NO: 244
Your network contains a domain controller that runs Windows Server 2008 R2. You need to
change the location of the Active Directory log files.
Which tool should you use?
A. Dsamain
B. Dsmgmt
C. Dsmove
D. Ntdsutil
Answer: D
Explanation:
Topic 3, Exam Set 3
QUESTION NO: 245
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.
You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the
internal network.
www.certify-me.co.uk 129
Microsoft 70-640 Exam
You need to ensure that the new server is already joined to the domain when it first connects to
the internal network.
What should you do?
A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new
server, run sysprep.exe and specify the /generalize parameter.
B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the
new server, run sysprep.exe and specify the /oobe parameter.
C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the
new server, run djoin.exe and specify the /requestodj parameter.
D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the
new server, run djoin.exe and specify the /provision parameter.
Answer: C
Explanation:
QUESTION NO: 246
Your network contains an Active Directory domain. The domain contains four domain controllers.
You modify the Active Directory schema.
You need to verify that all the domain controllers received the schema modification.
Which command should you run?
A. dcdiag.exe /a
B. netdom.exe query fsmo
C. repadmin.exe /showrepl *
D. sc.exe query ntds
Answer: C
Explanation:
QUESTION NO: 247
You remotely monitor several domain controllers.
You run winrm.exe quickconfig on each domain controller. You need to create a WMI script query
www.certify-me.co.uk 130
Microsoft 70-640 Exam
to retrieve information from the bios of each domain controller.
Which format should you use to write the query?
A. XrML
B. XML
C. WQL
D. HTML
Answer: C
Explanation:
QUESTION NO: 248
Your network contains an Active Directory domain named contoso.com. The domain contains five
domain controllers.
You add a logoff script to an existing Group Policy object (GPO). You need to verify that each
domain controller successfully replicates the updated group policy. Which two objects should you
verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)
A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com
container
D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com
container
Answer: A,D
Explanation:
QUESTION NO: 249
Your network contains an Active Directory domain that contains five domain controllers.
You have a management computer that runs Windows 7.
From the Windows 7 computer, you need to view all account logon failures that occur in the
domain.
www.certify-me.co.uk 131
Microsoft 70-640 Exam
The information must be consolidated on one list.
Which command should you run on each domain controller?
A. Wecutil.exe qc
B. Wevtutil.exe gli
C. Winrm.exe quickconfig
D. Winrshost.exe
Answer: C
Explanation:
QUESTION NO: 250
You create a new Active Directory domain. The functional level of the domain is Windows Server
2008 R2. The domain contains five domain controllers. You need to monitor the replication of the
group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
Answer: A
Explanation:
QUESTION NO: 251
You create a new Active Directory domain. The functional level of the domain is Windows Server
2003. The domain contains five domain controllers that run Windows Server 2008 R2. You need to
monitor the replication of the group policy template files.
Which tool should you use?
A. Dfsrdiag
B. Fsutil
C. Ntdsutil
D. Ntfrsutl
www.certify-me.co.uk 132
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 252
You have a domain controller named Server1 that runs Windows Server 2008 R2. You need to
determine the size of the Active Directory database on Server1.
What should you do?
A. Run the Active Directory Sizer tool.
B. Run the Active Directory Diagnostics data collector set.
C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.
D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.
Answer: C
Explanation:
QUESTION NO: 253
You need to receive an e-mail message whenever a domain user account is locked out.
Which tool should you use?
A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard
Answer: B
Explanation:
QUESTION NO: 254
Your network contains an Active Directory domain named contoso.com.
You have a management computer named Computer1 that runs Windows 7.
www.certify-me.co.uk 133
Microsoft 70-640 Exam
You need to forward the logon events of all the domain controllers in contoso.com to Computer1.
All new domain controllers must be dynamically added to the subscription.
What should you do?
A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object
(GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding
node.
B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object
(GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding
node.
C. From Computer1, configure source-initiated event subscriptions. Install a server authentication
certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit
(OU).
D. From Computer1, configure collector-initiated event subscriptions. Install a server
authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers
organizational unit (OU).
Answer: A
Explanation:
QUESTION NO: 255
Your network contains an Active Directory domain that has two sites.
You need to identify whether logon scripts are replicated to all domain controllers.
Which folder should you verify?
A. GroupPolicy
B. NTDS
C. SoftwareDistribution
D. SYSVOL
Answer: D
Explanation:
QUESTION NO: 256
You install a standalone root certification authority (CA) on a server named Server1.
www.certify-me.co.uk 134
Microsoft 70-640 Exam
You need to ensure that every computer in the forest has a copy of the root CA certificate installed
in the local computer's Trusted Root Certification Authorities store.
Which command should you run on Server1?
A. certreq.exe and specify the -accept parameter
B. certreq.exe and specify the -retrieve parameter
C. certutil.exe and specify the -dspublish parameter
D. certutil.exe and specify the -importcert parameter
Answer: C
Explanation:
QUESTION NO: 257
Your network contains an Active Directory forest. The forest contains two domains.
You have a standalone root certification authority (CA).
On a server in the child domain, you run the Add Roles Wizard and discover that the option to
select an enterprise CA is disabled.
You need to install an enterprise subordinate CA on the server.
What should you use to log on to the new server?
A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain
Answer: D
Explanation:
QUESTION NO: 258
You have an enterprise subordinate certification authority (CA).
You have a group named Group1.
www.certify-me.co.uk 135
Microsoft 70-640 Exam
You need to allow members of Group1 to publish new certificate revocation lists. Members of
Group1 must not be allowed to revoke certificates.
What should you do?
A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.
Answer: C
Explanation:
QUESTION NO: 259
You have an enterprise subordinate certification authority (CA) configured for key archival. Three
key recovery agent certificates are issued.
The CA is configured to use two recovery agents.
You need to ensure that all of the recovery agent certificates can be used to recover all new
private keys.
What should you do?
A. Add a data recovery agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent
certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery
agent certificates.
Answer: B
Explanation:
QUESTION NO: 260
You have an enterprise subordinate certification authority (CA). The CA is configured to use a
hardware security module. You need to back up Active Directory Certificate Services on the CA.
www.certify-me.co.uk 136
Microsoft 70-640 Exam
Which command should you run?
A. certutil.exe backup
B. certutil.exe backupdb
C. certutil.exe backupkey
D. certutil.exe store
Answer: B
Explanation:
QUESTION NO: 261
You have Active Directory Certificate Services (AD CS) deployed.
You create a custom certificate template.
You need to ensure that all of the users in the domain automatically enroll for a certificate based
on the custom certificate template.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. In a Group Policy object (GPO), configure the autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated
Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain
Users group.
Answer: A,D
Explanation:
QUESTION NO: 262
You have an enterprise subordinate certification authority (CA).
You have a custom Version 3 certificate template.
Users can enroll for certificates based on the custom certificate template by using the Certificates
console. The certificate template is unavailable for Web enrollment. You need to ensure that the
certificate template is available on the Web enrollment pages.
www.certify-me.co.uk 137
Microsoft 70-640 Exam
What should you do?
A. Run certutil.exe pulse.
B. Run certutil.exe installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.
Answer: C
Explanation:
QUESTION NO: 263
You have an enterprise subordinate certification authority (CA). You have a custom certificate
template that has a key length of 1,024 bits. The template is enabled for autoenrollment.
You increase the template key length to 2,048 bits.
You need to ensure that all current certificate holders automatically enroll for a certificate that uses
the new template.
Which console should you use?
A. Active Directory Administrative Center
B. Certification Authority
C. Certificate Templates
D. Group Policy Management
Answer: C
Explanation:
QUESTION NO: 264
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008
Standard.
The functional level of the domain is Windows Server 2003.
You have a certification authority (CA).
www.certify-me.co.uk 138
Microsoft 70-640 Exam
The relevant servers in the domain are configured as shown in the following table.
You need to ensure that you can install the Active Directory Certificate Services (AD CS)
Certificate Enrollment Web Service on the network.
What should you do?
A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.
Answer: D
Explanation:
QUESTION NO: 265
You have a domain controller that runs the DHCP service.
You need to perform an offline defragmentation of the Active Directory database on the domain
controller. You must achieve this goal without affecting the availability of the DHCP service.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter
utility.
B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.
D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.
Answer: C
Explanation:
www.certify-me.co.uk 139
Microsoft 70-640 Exam
QUESTION NO: 266
Your network contains two Active Directory forests named contoso.com and nwtraders.com. A
two-way forest trust exists between contoso.com and nwtraders.com. The forest trust is configured
to use selective authentication. Contoso.com contains a server named Server1.
Server1 contains a shared folder named Marketing. Nwtraders.com contains a global group
named G_Marketing. The Change share permission and the Modify NTFS permission for the
Marketing folder are assigned to the G_Marketing group. Members of G_Marketing report that
they cannot access the Marketing folder. You need to ensure that the G_Marketing members can
access the folder from the network.
What should you do?
A. From Windows Explorer, modify the NTFS permissions of the folder.
B. From Windows Explorer, modify the share permissions of the folder.
C. From Active Directory Users and Computers, modify the computer object for Server1.
D. From Active Directory Users and Computers, modify the group object for G_Marketing.
Answer: C
Explanation:
QUESTION NO: 267
Your network contains an Active Directory forest. You need to add a new user principal name
(UPN) suffix to the forest. Which tool should you use?
A. Active Directory Administrative Center
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Users and Computers
Answer: B
Explanation:
QUESTION NO: 268
Your network contains an Active Directory domain. The domain contains two sites named Site1
and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller
www.certify-me.co.uk 140
Microsoft 70-640 Exam
(RODC). Site1 and Site2 connect to each other by using a slow WAN link.
You discover that the cached password for a user named User1 is compromised on the RODC.
On a domain controller in Site1, you change the password for User1.
You need to replicate the new password for User1 to the RODC immediately. The solution must
not replicate other objects to the RODC. Which tool should you use?
A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon
Answer: A
Explanation:
QUESTION NO: 269
Your network contains an Active Directory domain named contoso.com. The properties of the
contoso.com DNS zone are configured as shown in the exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 141
Microsoft 70-640 Exam
You need to update all service location (SRV) records for a domain controller in the domain.
What should you do?
A. Restart the Netlogon service.
B. Restart the DNS Client service.
C. Run sc.exe and specify the triggerinfo parameter.
D. Run ipconfig.exe and specify the /registerdns parameter.
Answer: A
Explanation:
www.certify-me.co.uk 142
Microsoft 70-640 Exam
QUESTION NO: 270
Your network contains an Active Directory domain.
A user named User1 takes a leave of absence for one year.
You need to restrict access to the User1 user account while User1 is away.
What should you do?
A. From the Default Domain Policy, modify the account lockout settings.
B. From the Default Domain Controller Policy, modify the account lockout settings.
C. From the properties of the user account, modify the Account options.
D. From the properties of the user account, modify the Session settings.
Answer: C
Explanation:
QUESTION NO: 271
Your network contains an Active Directory domain. The domain contains 1,000 user accounts. You
have a list that contains the mobile phone number of each user.
You need to add the mobile number of each user to Active Directory.
What should you do?
A. Create a file that contains the mobile phone numbers, and then run ldifde.exe.
B. Create a file that contains the mobile phone numbers, and then run csvde.exe.
C. From Adsiedit, select the CN=Users container, and then modify the properties of the container.
D. From Active Directory Users and Computers, select all of the users, and then modify the
properties of the users.
Answer: A
Explanation:
QUESTION NO: 272
Your network contains an Active Directory domain named contoso.com. All domain controllers and
member servers run Windows Server 2008. All client computers run Windows 7.
From a client computer, you create an audit policy by using the Advanced Audit Policy
Configuration settings in the Default Domain Policy Group Policy object (GPO).
www.certify-me.co.uk 143
Microsoft 70-640 Exam
You discover that the audit policy is not applied to the member servers. The audit policy is applied
to the client computers. You need to ensure that the audit policy is applied to all member servers
and all client computers.
What should you do?
A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.
Answer: B
Explanation:
QUESTION NO: 273
Your network contains an Active Directory domain. The domain contains a group named Group1.
The minimum password length for the domain is set to six characters. You need to ensure that the
passwords for all users in Group1 are at least 10 characters long. All other users must be able to
use passwords that are six characters long.
What should you do first?
A. Run the New-ADFineGrainedPasswordPolicy cmdlet.
B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.
C. From the Default Domain Policy, modify the password policy.
D. From the Default Domain Controller Policy, modify the password policy.
Answer: A
Explanation:
QUESTION NO: 274
Your company uses an application that stores data in an Active Directory Lightweight Directory
Services (AD LDS) instance named Instance1. You attempt to create a snapshot of Instance1 as
shown in the exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 144
Microsoft 70-640 Exam
You need to ensure that you can take a snapshot of Instance1. What should you do?
A. At the command prompt, run net start VSS.
B. At the command prompt, run net start Instance1.
C. Set the Startup Type for the Instance1 service to Disabled.
D. Set the Startup Type for the Volume Shadow Copy Service (VSS) to Manual.
Answer: A
Explanation:
QUESTION NO: 275
Your network contains 10 domain controllers that run Windows Server 2008 R2.
The network contains a member server that is configured to collect all of the events that occur on
the domain controllers.
You need to ensure that administrators are notified when a specific event occurs on any of the
domain controllers. You want to achieve this goal by using the minimum amount of administrative
effort.
What should you do?
A. From Event Viewer on the member server, create a subscription.
B. From Event Viewer on each domain controller, create a subscription.
C. From Event Viewer on the member server, run the Create Basic Task Wizard.
D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.
www.certify-me.co.uk 145
Microsoft 70-640 Exam
Answer: C
Explanation:
QUESTION NO: 276
Your network contains an Active Directory domain controller named DC1. DC1 runs Windows
Server 2008 R2.
You need to defragment the Active Directory database on DC1. The solution must minimize
downtime on DC1.
What should you do first?
A. At the command prompt, run net stop ntds.
B. At the command prompt, run net stop netlogon.
C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).
Answer: A
Explanation:
QUESTION NO: 277
Your network contains a single Active Directory domain named contoso.com.
An administrator accidentally deletes the _msdsc.contoso.com zone.
You recreate the _msdsc.contoso.com zone.
You need to ensure that the _msdsc.contoso.com zone contains all of the required DNS records.
What should you do on each domain controller?
A. Restart the Netlogon service.
B. Restart the DNS Server service.
C. Run dcdiag.exe /fix.
D. Run ipconfig.exe /registerdns.
www.certify-me.co.uk 146
Microsoft 70-640 Exam
Answer: A
Explanation:
QUESTION NO: 278
Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are
domain controllers. You add multiple DNS records to the zone. You need to ensure that the
records are replicated to all DNS servers. Which tool should you use?
A. Dnslint
B. Ldp
C. Nslookup
D. Repadmin
Answer: A
Explanation:
QUESTION NO: 279
Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and eu.contoso.com. All domain controllers are DNS servers. The domain controllers
in contoso.com host the zone for contoso.com. The domain controllers in eu.contoso.com host the
zone for eu.contoso.com. The DNS zone for contoso.com is configured as shown in the exhibit.
(Click the Exhibit button.)
www.certify-me.co.uk 147
Microsoft 70-640 Exam
You need to ensure that all domain controllers in the forest host a writable copy of
_msdsc.contoso.com. Which two actions should you perform? (Each correct answer presents part
of the solution. Choose two.)
A. Create a zone delegation record in the contoso.com zone.
B. Create a zone delegation record in the eu.contoso.com zone.
C. Create an Active Directory-integrated zone for _msdsc.contoso.com.
D. Create a secondary zone named _msdsc.contoso.com in eu.contoso.com.
Answer: A,C
Explanation:
QUESTION NO: 280
You need to compact an Active Directory database on a domain controller that runs Windows
Server 2008 R2.
What should you do?
A. Run defrag.exe /a /c.
B. Run defrag.exe /c /u.
C. From Ntdsutil, use the Files option.
D. From Ntdsutil, use the Metadata cleanup option.
Answer: C
Explanation:
QUESTION NO: 281
Your network contains an Active Directory domain named contoso.com. Contoso.com contains
three servers. The servers are configured as shown in the following table.
You need to ensure that users can manually enroll and renew their certificates by using the
Certificate Enrollment Web Service.
www.certify-me.co.uk 148
Microsoft 70-640 Exam
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Configure the policy module settings.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy Group Policy setting.
D. Configure the delegation settings for the Certificate Enrollment Web Service application pool
account.
Answer: B,C
Explanation:
QUESTION NO: 282
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a
member server that runs Windows Server 2008 Standard.
You need to install an enterprise subordinate certification authority (CA) that supports private key
archival.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
A. Initialize the Trusted Platform Module (TPM).
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate
Services - Certification Authority server role template check box.
Answer: B
Explanation:
QUESTION NO: 283
You have an enterprise subordinate certification authority (CA). You have a custom Version 3
certificate template. Users can enroll for certificates based on the custom certificate template by
using the Certificates console. The certificate template is unavailable for Web enrollment. You
need to ensure that the certificate template is available on the Web enrollment pages. What
should you do?
www.certify-me.co.uk 149
Microsoft 70-640 Exam
A. Run certutil.exe Cpulse.
B. Run certutil.exe Cinstallcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.
Answer: C
Explanation:
QUESTION NO: 284
Your network contains an Active Directory domain. The domain contains a member server named
Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a global catalog
server. What should you do?
A. Modify the Active Directory schema.
B. From Ntdsutil, use the Roles option.
C. Run the Active Directory Domain Services Installation Wizard on Server1.
D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).
Answer: C
Explanation:
QUESTION NO: 285
Your network contains three Active Directory forests named Forest1, Forest2, and Forest3. Each
forest contains three domains.
A two-way forest trust exists between Forest1 and Forest2. A two-way forest trust exists between
Forest2 and Forest3.
You need to configure the forests to meet the following requirements:
- Users in Forest3 must be able to access resources in Forest1
- Users in Forest1 must be able to access resources in Forest3.
- The number of trusts must be minimized.
What should you do?
A. In Forest2, modify the name suffix routing settings.
B. In Forest1 and Forest3, configure selective authentication.
C. In Forest1 and Forest3, modify the name suffix routing settings.
D. Create a two-way forest trust between Forest1 and Forest3.
www.certify-me.co.uk 150
Microsoft 70-640 Exam
E. Create a shortcut trust in Forest1 and a shortcut trust in Forest3.
Answer: D
Explanation:
QUESTION NO: 286
Your network contains an Active Directory domain. All domain controller run Windows Server
2003.
You replace all domain controllers with domain controllers that run Windows Server 2008 R2.
You raise the functional level of the domain to Windows Server 2008 R2.
You need to minimize the amount of SYSVOL replication traffic on the network.
What should you do?
A. Raise the functional level of the forest to Windows Server 2008 R2.
B. Modify the path of the SYSVOL folder on all of the domain controllers.
C. On a global catalog server, run repadmin.exe and specify the KCC parameter.
D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role,
run dfsrmig.exe.
Answer: C
Explanation:
QUESTION NO: 287
Your network contains an Active Directory forest. The forest contains two domain controllers. The
domain controllers are configured as shown in the following table.
All client computers run Windows 7. You need to ensure that all client computers in the domain
www.certify-me.co.uk 151
Microsoft 70-640 Exam
keep the same time as an external time server. What should you do?
A. From DC1, run the time command.
B. From DC2, run the time command.
C. From DC1, run the w32tm.exe command.
D. From DC2, run the w32tm.exe command.
Answer: D
Explanation:
QUESTION NO: 288
Your network contains an Active Directory domain named contoso.com. Contoso.com contains
two domain controllers. The domain controllers are configured as shown in the following table.
All client computers have IP addresses in the 10.1.2.1 to 10.1.2.240 range. You need to minimize
the number of client authentication requests sent to DC2. What should you do?
A. Create a new site named Site1. Create a new subnet object that has the 10.1.1.0/24 prefix and
assign the subnet to Site1. Move DC1 to Site1.
B. Create a new site named Site1. Create a new subnet object that has the 10.1.1.1/32 prefix and
assign the subnet to Site1. Move DC1 to Site1.
C. Create a new site named Site1. Create a new subnet object that has the 10.1.1.2/32 prefix and
assign the subnet to Site1. Move DC2 to Site1.
D. Create a new site named Site1. Create a new subnet object that has the 10.1.2.0/24 prefix and
assign the subnet to Site1. Move DC2 to Site1.
Answer: C
Explanation:
QUESTION NO: 289
Active Directory Rights Management Services (AD RMS) is deployed on your network.
You need to configure AD RMS to use Kerberos authentication.
www.certify-me.co.uk 152
Microsoft 70-640 Exam
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS)
metabase.
Answer: A,D
Explanation:
QUESTION NO: 290
Your network contains an Active Directory forest. The forest contains an Acitve Directory site for a
remote office. The remote site contains a read-only domain controller (RODC).
You need to configure the RODC to store only the password of users in the remote site.
What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the users accounts of the remote site users to the Allowed RODC Password Replication
Group.
D. Add the users accounts of users who are not in the remote site to the Denied RODC Password
Replication Group.
Answer: C
Explanation:
QUESTION NO: 291
Your company has four offices. The network contains a single Active Directory domain. Each
office has a domain controller. Each office has an organizational unit (OU) that contains the user
accounts for the users in that office. In each office, support technicians perform basic
troubleshooting for the users in their respective office. You need to ensure that the support
technicians can reset the passwords for the user accounts in their respective office only. The
solution must prevent the technicians from creating user accounts. What should you do?
A. For each OU, run the Delegation of Control Wizard.
B. For the domain, run the Delegation of Control Wizard.
www.certify-me.co.uk 153
Microsoft 70-640 Exam
C. For each office, create an Active Directory group, and then modify the security settings for each
group.
D. For each office, create an Active Directory group, and then modify the controlAccessRights
attribute for each group.
Answer: A
Explanation:
QUESTION NO: 292
Your network contains a single Active Directory domain. Client computers run either Windows XP
Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are
located in an organizational unit (OU) named OU1.
You link a new Group Policy object (GPO) named GPO10 to OU1.
You need to ensure that GPO10 is applied only to client computers that run Windows 7.
What should you do?
A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.
Answer: C
Explanation: http://technet.microsoft.com/en-us/library/cc758471(v=WS.10).aspx
QUESTION NO: 293
Your network contains an Active Directory domain named contoso.com.
You need to audit changes to a service account. The solution must ensure that the audit logs
contain the before and after values of all the changes.
Which security policy setting should you configure?
A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
www.certify-me.co.uk 154
Microsoft 70-640 Exam
D. Audit Other Account Management Events
Answer: C
Explanation:
QUESTION NO: 294
Your network contains two Active Directory forests named contoso.com and nwtraders.com.
Active Directory Rights Management Services (AD RMS) is deployed in each forest.
You need to ensure that users from the nwtraders.com forest can access AD RMS protected
content in the contoso.com forest.
What should you do?
A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Create an external trust from contoso.com to nwtraders.com.
Answer: C
Explanation:
QUESTION NO: 295
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is
configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.
You plan to add a new token-signing certificate to Server1.
You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 155
Microsoft 70-640 Exam
When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is
unavailable.
You need to ensure that you can use the new certificate for AD FS.
What should you do?
A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.
Answer: D
Explanation:
QUESTION NO: 296
You need to purge the list of user accounts that were authenticated on a read-only domain
controller (RODC).
What should you do?
A. Run the repadmin.exe command an specify the /prp parameter
B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
C. From Active Directory Users and Computers, modify the properties of the RODC computer
object.
D. Run the dsrm.exe command and specify the -u parameter.
www.certify-me.co.uk 156
Microsoft 70-640 Exam
Answer: A
Explanation:
QUESTION NO: 297
Your company has a main office and four branch offices.
An Active Directory site exists for each office. Each site contains one domain controller. Each
branch office site has a site link to the main office site.
You discover that the domain controllers in the branch offices sometimes replicate directly to each
other.
You need to ensure that the domain controllers in the branch offices only replicate to the domain
controller in the main office.
What should you do?
A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.
Answer: C
Explanation:
QUESTION NO: 298
Your network contains an Active Directory forest. The forest contains one domain. The domain
contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2.
DC1 was installed before DC2.
DC1 fails.
You need to ensure that you can add 1,000 new user accounts to the domain.
What should you do?
A. Modify the permissions of the DC2 computer account.
www.certify-me.co.uk 157
Microsoft 70-640 Exam
B. Seize the schema master FSMO role.
C. Configure DC2 as a global catalog server.
D. Seize the RID master FSMO role.
Answer: D
Explanation:
QUESTION NO: 299
Your network contains an Active Directory domain named contoso.com.
You need to identify whether the Active Directory Recycle Bin is enabled.
What should you do?
A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.
Answer: D
Explanation:
QUESTION NO: 300
Your Network contains an Active Directory domain. You create and mount an Active Directory
snapshot.
You run the following command on the domain controller:
dsamain.exe -dbpath C:\Windows\NTDS\ntds.dit -ldapport 54321 –allowNonAdminAccess and the
command fails as shown in the exhibit. ( Click the Exhibit button ).
You need to ensure that you can browse the contents of Active Directory snapshot. What should
you do?
www.certify-me.co.uk 158
Microsoft 70-640 Exam
You need to ensure that you can browse the contents of the Active Directory snapshot.
What should you?
A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.
Answer: B
Explanation:
QUESTION NO: 301
Your network contains an Active Directory domain.
You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group
Policy links for the domain.
What should you do?
A. From Group Policy Management Console (GPMC), back up the GPOs.
B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Backup-GPO cmdlet.
Answer: A
www.certify-me.co.uk 159
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 302
Your network contains a domain controller that runs Windows Server 2008 R2.
You need to reset the Directory Services Restore Mode (DSRM) password on the domain
controller.
Which tool should you use?
A. Ntdsutil
B. Dsamain
C. Active Directory Users and Computers
D. Local Users and Groups
Answer: A
Explanation:
QUESTION NO: 303
Your network contains an Active Directory forest. All client computers run Windows 7.
The network contains a high-volume enterprise certification authority (CA).
You need to minimize the amount of network bandwidth required to validate a certificate.
What should you do?
A. Configure an LDAP publishing point for the certificate revocation list (CRL).
B. Configure an Online Certification Status Protocol (OCSP) responder.
C. Modify the settings of the delta certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).
Answer: B
Explanation:
QUESTION NO: 304
www.certify-me.co.uk 160
Microsoft 70-640 Exam
Your network contains an Active Directory domain. You have five organizational units (OUs)
named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to
the domain as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs.
The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do?
A. Enforce GPO1.
B. Modify the security settings of the Dev OU.
C. Link GPO1 to the Finance OU.
D. Modify the security settings of the Finance OU.
Answer: C
Explanation:
QUESTION NO: 305
Your network contains an Active Directory domain. The domain contains an organizational unit
(OU) named OU1. OU1 contains all managed service accounts in the domain.
You need to prevent the managed service accounts from being deleted accidentally from OU1.
Which cmdlet should you use?
A. Set-ADUser
B. Set-ADOrganizationalUnit
C. Set-ADServiceAccount
www.certify-me.co.uk 161
Microsoft 70-640 Exam
D. Set-ADObject
Answer: D
Explanation:
QUESTION NO: 306
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a
writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All
domain controllers run Windows Server 2008 R2. You need to install a new writable domain
controller named DC3 in a remote site. The solution must minimize the amount of replication traffic
that occurs during the installation of Active Directory Domain Services (AD DS) on DC3.
What should you do first?
A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.
Answer: C
Explanation:
QUESTION NO: 307
Your network contains an Active Directory forest. The forest contains 10 domains. All domain
controllers are configured as global catalog servers.
You remove the global catalog role from a domain controller named DC5.
You need to reclaim the hard disk space used by the global catalog on DC5.
What should you do?
A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).
B. From Active Directory Sites and Services, modify the general properties of DC5.
C. From Ntdsutil, use the Semantic database analysis option.
D. From Ntdsutil, use the Files option.
Answer: D
Explanation:
www.certify-me.co.uk 162
Microsoft 70-640 Exam
QUESTION NO: 308
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the
zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Ldp
B. Repadmin
C. Ntdsutil
D. Nslookup
E. Active Directory Sites And Services console
F. Active Directory Domains And Trusts console
G. Dnslint
H. Dnscmd
Answer: H
Explanation: http://technet.microsoft.com/en-us/library/cc778513(WS.10).aspx
QUESTION NO: 309
You have a DNS zone that is stored in a custom application partition.
You need to add a domain controller to the replication scope of the custom application partition.
Which tool should you use?
A. DNScmd
B. DNS Manager
C. Server Manager
D. Dsmod
Answer: A
Explanation:
www.certify-me.co.uk 163
Microsoft 70-640 Exam
QUESTION NO: 310
Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard.
Server1 has the Active Directory Certificate Services (AD CS) role installed.
You configure a certificate template named Template1 for autoenrollment.
You discover that certificates are not being issued to any client computers. The event logs on the
client computers do not contain any autoenrollment errors.
You need to ensure that all of the client computers automatically receive certificates based on
Template1.
What should you do?
A. Modify the Default Domain Policy Group Policy object (GPO).
B. Modify the Default Domain Controllers Policy Group Policy object (GPO).
C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.
D. Restart Certificate Services on Server1.
Answer: A
Explanation:
QUESTION NO: 311
Your network contains a server that has the Active Directory Lightweight Directory Services (AD
LDS) role installed.
You need to perform an automated installation of an AD LDS instance.
Which tool should you use?
A. Dism.exe
B. Servermanagercmd.exe
C. Adaminstall.exe
D. Ocsetup.exe
Answer: C
Explanation:
www.certify-me.co.uk 164
Microsoft 70-640 Exam
QUESTION NO: 312
Your network contains an Active Directory domain named contoso.com. A partner company has
an Active Directory domain named nwtraders.com.
The networks for contoso.com and nwtraders.com connect to each other by using a WAN link.
You need to ensure that users in contoso.com can access resources in nwtraders.com and
resources on the Internet.
What should you do first?
A. Modify the Trusted Root Certification Authorities store.
B. Modify the Intermediate Certification Authorities store.
C. Create conditional forwarders.
D. Add a root hint to the DNS server.
Answer: C
Explanation:
QUESTION NO: 313
Your network contains an Active Directory forest. The forest contains multiple domains.
You need to ensure that users in the human resources department can search for employees by
using the employeeNumber attribute.
What should you do?
A. From Active Directory Sites and Services, modify the properties of each global catalog server.
B. From the Active Directory Schema snap-in, modify the properties of the user object class.
C. From Active Directory Sites and Services, modify the NTDS Settings object of each global
catalog server.
D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber
attribute.
Answer: D
Explanation:
QUESTION NO: 314
Your network contains a single Active Directory domain. The domain contains an enterprise
www.certify-me.co.uk 165
Microsoft 70-640 Exam
certification authority (CA).
You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA
database.
You modify the e-mail certificate template to support key archival.
What should you do next?
A. Issue the key recovery agent certificate template.
B. Run certutil.exe -recoverkey.
C. Run certreq.exe-policy.
D. Modify the location of the Authority Information Access (AIA) distribution point.
Answer: A
Explanation: Not certutil.exe –recoverkey as this recovers archived keys but e-mail certificate
template does not have key archival by default.
QUESTION NO: 315
Your network contains an Active Directory-integrated DNS zone named contoso.com. You
discover that the zone includes DNS records for computers that were removed from the network.
You need to ensure that the DNS records are deleted automatically from the zone. What should
you do?
A. From DNS Manager, set the aging properties.
B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.
C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.
D. Create a scheduled task that runs ipconfig.exe /flushdns.
Answer: A
Explanation:
QUESTION NO: 316
Your network contains a domain controller that runs Windows Server 2008 R2.
You run the following command on the domain controller:
www.certify-me.co.uk 166
Microsoft 70-640 Exam
Dsamain.exe C dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit C
ldapport 389 - allowNonAdminAccess
The command fails.
You need to ensure that the command completes successfully.
How should you modify the command?
A. Change the value of the -dbpath parameter.
B. Include the path to Dsamain.
C. Change the value of the -ldapport parameter.
D. Remove the CallowNonAdminAccess parameter.
Answer: C
Explanation:
QUESTION NO: 317
Your network contains an Active Directory domain. The domain contains 10 domain controllers
that run Windows Server 2008 R2.
You need to monitor the following information on the domain controllers during the next five days:
- Memory usage
- Processor usage
- The number of LDAP queries
What should you do?
A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics
template.
B. Use the System Performance Data Collector Set (DCS).
C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.
D. Use the Active Directory Diagnostics Data Collector Set (DCS).
Answer: A
Explanation:
QUESTION NO: 318
www.certify-me.co.uk 167
Microsoft 70-640 Exam
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC)
named RODC1.
You need to view the most recent user accounts authenticated by RODC1.
What should you do first?
A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then
click Replicate Now.
B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then
click Replicate Now.
C. From Active Directory Users and Computers, right-click contoso.com, click Change
DomainController, and then connect to DC1.
D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain
Controller, and then connect to RODC1.
Answer: C
Explanation:
QUESTION NO: 319
Your network contains an Active Directory domain. The domain contains 3,000 client computers.
All of the client computers run Windows 7.
Users log on to their client computers by using standard user accounts.
You plan to deploy a new application named App1.
The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative
rights to run.
You need to deploy App1 to all client computers. The solution must meet the following
requirements:
- App1 must automatically detect and replace corrupt application files.
- App1 must be available from the Start menu on each client computer.
What should you do first?
A. Create a logon script that calls Setup.exe for App1.
www.certify-me.co.uk 168
Microsoft 70-640 Exam
B. Create a .zap file.
C. Create a startup script that calls Setup.exe for App1.
D. Repackage App1 as a Windows Installer package.
Answer: D
Explanation:
QUESTION NO: 320
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named
DC1.
In Site1, you install a new domain controller named DC2. You ship DC2 to Site2. You discover that
certain users in Site2 authenticate to DC1.
You need to ensure that the users in Site2 always attempt to authenticate to DC2 first.
What should you do?
A. From Active Directory Users and Computers, modify the Location settings of
the DC2 computer object.
B. From Active Directory Sites and Services, modify the Location attribute for
Site2.
C. From Active Directory Sites and Services, move the DC2 server object.
D. From Active Directory Users and Computers, move the DC2 computer object.
Answer: C
Explanation:
QUESTION NO: 321
Your network contains an Active Directory domain named contoso.com.
Contoso.com contains a server named Server2. You open the System properties on Server2 as
shown in the exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 169
Microsoft 70-640 Exam
When you attempt to configure Server2 as an enterprise subordinate certification authority (CA),
you discover that the enterprise subordinate CA option is unavailable.
You need to configure Server2 as an enterprise subordinate CA.
What should you do first?
A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log in as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.
Answer: D
Explanation:
QUESTION NO: 322
Your network contains an Active Directory domain. The domain contains an enterprise certification
authority (CA).
You need to ensure that only members of a group named Admin1 can create certificate templates.
www.certify-me.co.uk 170
Microsoft 70-640 Exam
Which tool should you use to assign permissions to Admin1?
A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services
Answer: B
Explanation:
QUESTION NO: 323
Your network contains an Active Directory domain. All DNS servers are domain controllers.
You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 171
Microsoft 70-640 Exam
You need to ensure that only domain members can register DNS records in the zone.
What should you do first?
A. Modify the zone type.
B. Create a trust anchor.
C. Modify the Advanced properties of the DNS server.
D. Modify the Dynamic updates setting.
Answer: A
Explanation:
QUESTION NO: 324
Your company has a single Active Directory forest with a single domain. Consultants in different
departments of the company require access to different network resources. The consultants
belong to a global group named TempWorkers.
Three file servers are placed in a new organizational unit named SecureServers. The file servers
contain confidential data in shared folders.
You need to prevent the consultants from accessing the confidential data.
What should you do?
A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.
Assign the Deny access to this computer from the network user right to the TempWorkers global
group.
B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to
this computer from the network user right to the TempWorkers global group.
C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full
control permission for the TempWorkers global group on the share.
D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on
locally user right to the TempWorkers global group.
E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit.
Assign the Deny log on locally user right to the TempWorkers global group.
Answer: A
Explanation:
www.certify-me.co.uk 172
Microsoft 70-640 Exam
QUESTION NO: 325
Your network contains two Active Directory forests named contoso.com and nwtraders.com. The
functional level of both forests is Windows Server 2003. Contoso.com contains one domain.
Nwtraders.com contains two domains. You need to ensure that users in contoso.com can access
the resources in all domains. The solution must require the minimum number of trusts.
Which type of trust should you create?
A. external
B. forest
C. realm
D. shortcut
Answer: B
Explanation:
QUESTION NO: 326
You install an Active Directory domain in a test environment.
You need to reset the passwords of all the user accounts in the domain from a domain controller.
Which two Windows PowerShell commands should you run? (Each correct answer presents part
of the solution, choose two.)
A. $ newPassword = *
B. Import-Module ActiveDirectory
C. Import-Module WebAdministration
D. Get- AdUser -filter * | Set- ADAccountPossword - NewPassword $ newPassword - Reset
E. Set- ADAccountPossword - NewPassword - Reset
F. $ newPassword = (Read-Host - Prompt "New Password" - AsSecureString )
G. Import-Module ServerManager
Answer: D,F
Explanation:
QUESTION NO: 327 DRAG DROP
Your network contains an Active Directory forest named contoso.com. The forest contains a
www.certify-me.co.uk 173
Microsoft 70-640 Exam
domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member
server named Server1 that runs Windows Server 2008 R2 Standard.
You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the
network. You need to join Computer1 to the contoso.com domain.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions
area and arrange them in the correct order.
Answer:
Explanation:
www.certify-me.co.uk 174
Microsoft 70-640 Exam
QUESTION NO: 328 HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
To answer, select the appropriate node in the answer area.
Answer:
www.certify-me.co.uk 175
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 329 HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named Server1. Server1 has an IP address of 192.168.200.100.
You need to view the Pointer (PTR) record for Server1.
Which zone should you open in the DNS snap-in to view the record?
To answer, select the appropriate zone in the answer area.
www.certify-me.co.uk 176
Microsoft 70-640 Exam
Select “200.168.192.in-addr.arpa”
QUESTION NO: 330 HOTSPOT
Your network contains an Active Directory domain.
You need to create a new site link between two sites named Site1 and Site3. The site link must
support the replication of domain objects.
Under which node in Active Directory Sites and Services should you create the site link?
To answer, select the appropriate node in the answer area.
www.certify-me.co.uk 178
Microsoft 70-640 Exam
Answer:
Explanation:
Select the “IP” container under Inter-Site Transports.
www.certify-me.co.uk 179
Microsoft 70-640 Exam
QUESTION NO: 331 DRAG DROP
Your network contains an Active Directory forest named adatum.com. The forest contains four
child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and
africa.adatum.com.
You need to create four new groups in the forest root domain. The groups must be configured as
shown in the following table.
What should you do?
To answer, drag the appropriate group type to the correct group name in the answer area.
www.certify-me.co.uk 180
Microsoft 70-640 Exam
Answer:
Explanation:
QUESTION NO: 332 HOTSPOT
You need to modify the Password Replication Policy on a read-only domain controller (RODC).
Which tool should you use?
To answer, select the appropriate tool in the answer area.
www.certify-me.co.uk 181
Microsoft 70-640 Exam
QUESTION NO: 333 HOTSPOT
Your network contains an Active Directory forest named contoso.com.
The password policy of the forest requires that the passwords for all of the user accounts be
changed every 30 days.
You need to create user accounts that will be used by services. The passwords for these accounts
must be changed automatically every 30 days.
Which tool should you use to create these accounts?
To answer, select the appropriate tool in the answer area.
Answer:
Explanation:
www.certify-me.co.uk 183
Microsoft 70-640 Exam
QUESTION NO: 334
Your network contains two forests named adatum.com and litwareinc.com. The functional level of
all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.
You need to create a forest trust between adatum.com and litwareinc.com.
What should you do first?
A. Create an external trust.
B. Raise the functional level of both forests.
C. Configure SID filtering.
D. Raise the functional level of all the domains.
Answer: B
Explanation:
QUESTION NO: 335
Your network contains an Active Directory forest named adatum.com.
All client computers used by the marketing department are in an organizational unit (OU) named
Marketing Computers. All user accounts for the marketing department are in an OU named
Marketing Users.
www.certify-me.co.uk 184
Microsoft 70-640 Exam
You purchase a new application.
You need to ensure that every user in the domain who logs on to a marketing department
computer can use the application. The application must only be available from the marketing
department computers.
What should you do?
A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation
package to a shared folder on the network. Assign the application.
B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the
installation package to a shared folder on the network. Assign the application.
C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the
installation package to a local drive on each marketing department computer. Publish the
application.
D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation
package to a folder on each marketing department computer. Publish the application.
Answer: B
Explanation:
QUESTION NO: 336
Your network contains an Active Directory forest named adatum.com.
You need to create an Active Directory Rights Management Services (AD RMS) licensing-only
cluster.
What should you install before you create the AD RMS root cluster?
A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008
Answer: E
Explanation:
www.certify-me.co.uk 185
Microsoft 70-640 Exam
QUESTION NO: 337 HOTSPOT
Your network contains an Active Directory forest.
The DNS infrastructure fails.
You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
To answer, select the appropriate service in the answer area.
Answer:
www.certify-me.co.uk 186
Microsoft 70-640 Exam
QUESTION NO: 338
Your network contains an Active Directory domain named contoso.com. The contoso.com domain
contains a domain controller named DC1.
You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME)
resource record named Server1 to the zone. The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve. You are able to successfully
ping server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
Which command should you run?
A. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
B. Dnscmd DCl.contoso.com /config /Enableglobalnamessupport forest
C. Dnscmd DCl.contoso.com/config/Enableglobalnamessupport 1
D. Dnscmd DCl.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest
Answer: C
Explanation:
QUESTION NO: 339
Your network contains an Active Directory domain named contoso.com.
The network has a branch office site that contains a read-only domain controller (RODC) named
R0DC1. R0DC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site.
You discover that the user's password is not stored on R0DC1.
You need to ensure that the user's password is stored on RODC1 when he logs on to a branch
office site computer.
What should you do?
A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC
www.certify-me.co.uk 188
Microsoft 70-640 Exam
Password Replication Group.
B. Modify the RODC's password replication policy by adding R0DC1's computer account to the list
of allowed users, groups, and computers.
C. Add the user's user account to the built-in Allowed RODC Password Replication Group on
R0DC1.
D. Add R0DC1's computer account to the built-in Allowed RODC Password Replication Group on
R0DC1.
Answer: C
Explanation:
QUESTION NO: 340
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server
named Server1.
You need to configure the Windows Firewall on Server1 to allow external users to authenticate by
using AD FS.
Which protocol should you allow on Server1?
A. Kerberos
B. SSL
C. SMB
D. RPC
Answer: B
Explanation:
QUESTION NO: 341
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a
member server that runs Windows Server 2008 R2 Standard.
You need to create an enterprise subordinate certification authority (CA) that can issue certificates
based on version 3 certificate templates.
You must achieve this goal by using the minimum amount of administrative effort.
What should you do first?
www.certify-me.co.uk 189
Microsoft 70-640 Exam
A. Run the certutil.exe - addenrollmentserver command.
B. Install the Active Directory Certificate Services (AD CS) role on the member server.
C. Upgrade the member server to Windows Server 2008 R2 Enterprise.
D. Run the certutil.exe - installdefaulttemplates command.
Answer: C
Explanation:
QUESTION NO: 342
Your network contains a server named Server1. The Active Directory Rights Management
Services (AD RMS) server role is installed on Server1.
An administrator changes the password of the user account that is used by AD RMS. You need to
update AD RMS to use the new password.
Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Local Users and Groups
D. Services
Answer: A
Explanation:
QUESTION NO: 343
Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by
a WAN link. Contoso has an Active Directory forest that contains a single domain named
ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the
main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is
configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the
event that a WAN link fails.
www.certify-me.co.uk 190
Microsoft 70-640 Exam
What should you do?
A. Create a new secondary zone named ad.contoso.com on DC2.
B. Create a new stub zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Answer: D
Explanation:
QUESTION NO: 344
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You enable key archival on the CA. The CA is configured to use custom certificate templates for
Encrypted File System (EFS) certificates.
You need to archive the private key for all new EFS certificates.
Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Group Policy Management
D. Enterprise PKI
E. Security Templates
F. TPM Management
G. Certificates
H. Certification Authority
I. Certificate Templates
Answer: H
Explanation:
QUESTION NO: 345
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
www.certify-me.co.uk 191
Microsoft 70-640 Exam
You need to ensure that all of the members of a group named Group1 can view the event log
entries for Certificate Services.
Which snap-in should you use?
A. Certificate Templates
B. Certification Authority
C. Authorization Manager
D. Active Directory Users and Computers
E. TPM Management
F. Security Templates
G. Group Policy Management
H. Enterprise PKI
I. Certificates
Answer: C
Explanation:
QUESTION NO: 346
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You need to ensure that users can enroll for certificates that use the IPSEC (Offline request)
certificate template.
Which snap-in should you use?
A. Enterprise PKI
B. TPM Management
C. Certificates
D. Active Directory Users and Computers
E. Authorization Manager
F. Certification Authority
G. Group Policy Management
H. Security Templates
I. Certificate Templates
Answer: I
Explanation:
www.certify-me.co.uk 192
Microsoft 70-640 Exam
QUESTION NO: 347
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You have a custom certificate template named Template 1. Template1 is published to the CA.
You need to ensure that all of the members of a group named Group1 can enroll for certificates
that use Template1.
Which snap-in should you use?
A. Security Templates
B. Enterprise PKI
C. Certification Authority
D. Certificate Templates
E. Certificates
F. TPM Management
G. Authorization Manager
H. Group Policy Management
I. Active Directory Users and Computers
Answer: D
Explanation:
QUESTION NO: 348
Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2
Enterprise.
You need to approve a pending certificate request.
Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Certification Authority
D. Group Policy Management
E. Certificate Templates
www.certify-me.co.uk 193
Microsoft 70-640 Exam
F. TPM Management
G. Certificates
H. Enterprise PKI
I. Security Templates
Answer: C
Explanation:
QUESTION NO: 349 DRAG DROP
Your network contains an Active Directory domain named adatum.com.
You need to use Group Policies to deploy the line-of-business applications shown in the following
table.
What should you do?
To answer, drag the appropriate deployment method to the correct application in the answer area.
www.certify-me.co.uk 194
Microsoft 70-640 Exam
QUESTION NO: 350 DRAG DROP
Your network contains an Active Directory forest named contoso.com.
You need to create an Active Directory Rights Management Services (AD RMS) licensing-only
cluster.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions
area and arrange them in the correct order.
Answer:
Explanation:
www.certify-me.co.uk 196
Microsoft 70-640 Exam
QUESTION NO: 351 DRAG DROP
Your network contains two forests named contoso.com and fabrikam.com. The functional level of
all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.
You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that
users from contoso.com can only access the servers in fabrikam.com that have the Allowed to
Authenticate permission set.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions
area and arrange them in the correct order.
www.certify-me.co.uk 197
Microsoft 70-640 Exam
Answer:
Explanation:
QUESTION NO: 352
Your network contains an Active Directory domain named adatum.com.
You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs).
Under which node in the DNS snap-in should you add a zone?
A. Reverse Lookup Zones
www.certify-me.co.uk 198
Microsoft 70-640 Exam
B. adatum.com
C. Forward Lookup Zones
D. Conditional Forwarders
E. _msdcs.adatum.com
Answer: A
Explanation:
QUESTION NO: 353 DRAG DROP
Your company has a main office and a branch office. All servers are located in the main office.
The network contains an Active Directory forest named adatum.com. The forest contains a domain
controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server
named FileServer that runs Windows Server 2008 R2 Standard.
You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not
connected to the network.
You need to join Public_Computer to the adatum.com domain.
What should you do?
To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions
area and arrange them in the correct order.
Answer:
www.certify-me.co.uk 199
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 354
Your network contains an Active Directory domain named adatum.com. The domain contains a
domain controller named DC1. DC1 has an IP address of 192.168.200.100.
You need to identify the zone that contains the Pointer (PTR) record for 0C1.
Which zone should you identify?
A. adatum.com
B. _msdcs.adatum.com
C. 100.168.192.in-addr.arpa
D. 200.168.192.in-addr.arpa
www.certify-me.co.uk 200
Microsoft 70-640 Exam
Answer: D
Explanation:
QUESTION NO: 355
Your network contains an Active Directory forest named adatum.com.
The DNS infrastructure fails.
You rebuild the DNS infrastructure.
You need to force the registration of the Active Directory Service Locator (SRV) records in DNS.
Which service should you restart on the domain controllers?
A. Netlogon
B. DNS Server
C. Network Location Awareness
D. Network Store Interface Service
E. Online Responder Service
Answer: A
Explanation:
QUESTION NO: 356
Your network contains an Active Directory domain named adatum.com.
The password policy of the domain requires that the passwords for all user accounts be changed
every 50 days.
You need to create several user accounts that will be used by services. The passwords for these
accounts must be changed automatically every 50 days.
Which tool should you use to create the accounts?
A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Active Directory Module for Windows PowerShell
www.certify-me.co.uk 201
Microsoft 70-640 Exam
D. ADSI Edit
E. Active Directory Domains and Trusts
Answer: C
Explanation:
QUESTION NO: 357
Your network contains an Active Directory domain. The domain contains several domain
controllers. You need to modify the Password Replication Policy on a read-only domain controller
(RODC).
Which tool should you use?
A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard
Answer: C
Explanation:
QUESTION NO: 358 HOTSPOT
Your network contains an Active Directory forest named contoso.com. All client computers run
Windows 7 Enterprise.
You need automatically to create a local group named PowerManagers on each client computer
that contains a battery. The solution must minimize the amount of administrative effort.
Which node in Group Policy Management Editor should you use?
To answer, select the appropriate node in the answer area.
www.certify-me.co.uk 202
Microsoft 70-640 Exam
Answer:
Explanation:
Select “Control Panel Settings” under Preferences.
QUESTION NO: 359
Your network contains an Active Directory forest. The forest contains domain controllers that run
Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The
functional level of the domain is Windows Server 2008.
From a domain controller, you need to perform an authoritative restore of an organizational unit
(OU).
What should you do first?
A. Raise the functional level of the forest
B. Modify the tombstone lifetime of the forest.
C. Restore the system state.
www.certify-me.co.uk 203
Microsoft 70-640 Exam
D. Raise the functional level of the domain.
Answer: C
Explanation:
QUESTION NO: 360
Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and woodgrovebank.com.
You have a custom attribute named Attribute 1 in Active Directory. Attribute 1 is associated to
User objects.
You need to ensure that Attribute1 is included in the global catalog.
What should you do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute 1
attributeSchema object.
B. In Active Directory Users and Computers, configure the permissions on the Attribute 1 attribute
for User objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema
object.
D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain
controllers in the forest.
Answer: A
Explanation:
QUESTION NO: 361
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has
the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD
LDS instances named Instance1 and Instance2.
You need to remove Instance2 from Server1 without affecting Instance1.
Which tool should you use?
www.certify-me.co.uk 204
Microsoft 70-640 Exam
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager
Answer: C
Explanation:
QUESTION NO: 362
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to compact the Active Directory database.
What should you do?
A. Run the Get-ADForest cmdlet.
B. Configure subscriptions from Event Viewer.
C. Run the eventcreate.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (OCS).
E. Create a Data Collector Set (DCS).
F. Run the repadmin.exe command.
G. Run the ntdsutil.exe command.
H. Run the dsquery.exe command.
I. Run the dsamain.exe command.
J. Create custom views from Event Viewer.
Answer: G
Explanation:
QUESTION NO: 363
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to collect all of the Directory Services events from all of the domain controllers and store
the events in a single central computer.
www.certify-me.co.uk 205
Microsoft 70-640 Exam
What should you do?
A. Run the ntdsutil.exe command.
B. Run the repodmin.exe command.
C. Run the Get-ADForest cmdlet.
D. Run the dsamain.exe command.
E. Create custom views from Event Viewer.
F. Run the dsquery.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS),
H. Configure subscriptions from Event Viewer.
I. Run the eventcreate.exe command.
J. Create a Data Collector Set (DCS).
Answer: H
Explanation:
QUESTION NO: 364
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to receive a notification when more than 100 Active Directory objects are deleted per
second.
What should you do?
A. Create custom views from Event Viewer.
B. Run the Get-ADForest cmdlet.
C. Run the ntdsutil.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the dsamain.exe command.
G. Run the dsquery.exe command.
H. Run the repadmin.exe command.
I. Configure subscriptions from Event Viewer.
J. Run the eventcreate.exe command.
Answer: E
Explanation:
www.certify-me.co.uk 206
Microsoft 70-640 Exam
QUESTION NO: 365
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2.
You need to create a snapshot of Active Directory.
What should you do?
A. Run the dsquery.exe command.
B. Run the dsamain.exe command.
C. Create custom views from Event Viewer.
D. Configure subscriptions from Event Viewer.
E. Create a Data Collector Set (DCS).
F. Configure the Active Directory Diagnostics Data Collector Set (DCS).
G. Run the repadmin.exe command.
H. Run the ntdsutil.exe command.
I. Run the Get-ADForest cmdlet.
J. Run the eventcreate.exe command.
Answer: H
Explanation:
QUESTION NO: 366
Your network contains an Active Directory domain. All domain controllers run Windows Server
2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can query the snapshot by using LDAP.
What should you do?
A. Run the dsamain.exe command.
B. Create custom views from Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure subscriptions from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
www.certify-me.co.uk 207
Microsoft 70-640 Exam
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the repadmin.exe command.
J. Run the dsquery.exe command.
Answer: A
Explanation:
QUESTION NO: 367
Your network contains an Active Directory domain named contoso.com.
The Administrator deletes an OU named OU1 accidentally.
You need to restore OU1. Which cmdlet should you use?
A. Set-ADObject cmdlet
B. Set-ADOrganizationalUnit cmdlet
C. Set-ADUser cmdlet
D. Set-ADGroup cmdlet
Answer: A
Explanation:
QUESTION NO: 368 DRAG DROP
Your company plans to open a new branch office.
The new office will have a low-speed connection to the Internet.
You plan to deploy a read-only domain controller (RODC) in the branch office.
You need to create an offline copy of the Active Directory database that can be used to install the
Active Directory on the new RODC.
Which commands should you run from Ntdsutil?
To answer, move the appropriate actions from the list of actions to the answer area and arrange
them in the correct order.
www.certify-me.co.uk 208
Microsoft 70-640 Exam
Answer:
Explanation:
QUESTION NO: 369
Your network contains an Active Directory forest.
All users have a value set for the Department attribute.
From Active Directory Users and Computers, you search a domain for all users who have a
www.certify-me.co.uk 209
Microsoft 70-640 Exam
Department attribute value of Marketing. The search returns 50 users.
From Active Directory Users and Computers, you search the entire directory for all users who
have the Department attribute value of Marketing. The search does not return any users.
You need to ensure that a search of the entire directory for users in marketing department returns
all of the users who have the Marketing Department attribute.
What should you do?
A. Install the Windows Search Service role service on a global catalogue server.
B. From the Active Directory Schema snap-in, modify the properties of the Department attribute.
C. Install the Indexing service role service on a global catalogue server.
D. From th Active Directory Schema snap-in, modify the properties of the user class.
Answer: B
Explanation:
QUESTION NO: 370
A corporate network includes a singe Active Directory Domain Services ( ADDS ) domain. The AD
DS infrastructure is shown in the following graphic. (See Exhibit)
When the Montreal Site domain controller is offline, authentication request for Montreal branch
www.certify-me.co.uk 210
Microsoft 70-640 Exam
office users are sent to the Toronto Site domain controller.
You need to ensure that when the Montreal Site domain controller is offline, authentication
requests for Montreal branch offices users are sent to Quebec City Site domain controller.
What should you do?
A. Create a site link bridge between the Montreal Site and the Quebec City Site.
B. Enable the global catalog role on the Montreal Site domain controller.
C. Modify the Default Domain Policy Group Policy Object
D. Delete the Toronto-Montreal Site Link
Answer: D
Explanation:
QUESTION NO: 371
A corporate environment includes two Active Directory Domain Service ( AD DS ) forests, as
shown in the following table:
You need to ensure that users in the contoso.com domain can access resources in the
eng.fabrikam.com domain.
What should you do?
A. Enable selective authentication.
B. Enable forest-wide authentication.
C. Create an external trust between contoso.com and eng.fabrikam.com
D. Enable domain-wide authentication
Answer: C
Explanation:
QUESTION NO: 372
www.certify-me.co.uk 211
Microsoft 70-640 Exam
Your network contains an Active Directory domain.
You need to activate the Active Directory Recycle Bin in the domain.
Which tool should you use?
A. Dsamain
B. Set-ADDomain
C. Add-WindowsFeature
D. Ldp
Answer: D
Explanation:
QUESTION NO: 373
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 and a domain controller named DC1.
On Server1, you configure a collector-initiated subscription for the Application of DC1. The
subscription is configured to collect all events.
After several days, you discover that Server1 failed to collect any events from DC1, although there
are more than 100 new events in the Application log of DC1.
You need to ensure that Server1 collects the events from DC1.
What should you do?
A. On Server1, run wecutil quick-config
B. On Server1, run winrm quick-config
C. On DC1, run wecutil quick-config
D. On DC1, run winrm quickconfig
Answer: D
Explanation:
QUESTION NO: 374
www.certify-me.co.uk 212
Microsoft 70-640 Exam
Your network contains an Active Directory domain. The domain is configured as shown in the
exhibit.
You have a Group Policy Object (GPO) linked to the domain.
You need to ensure that the settings in the GPO are not processed by user accounts or computer
accounts in the Finance organizational unit (OU). You must achieve this goal by using the
minimum amount of administrative effort.
What should you do?
A. Modify the Group Policy Permission
B. Configure WMI filtering
C. Enable block inheritance
D. Enable loopback processing in replace mode.
E. Configure the link order.
F. Configure Group Policy Preferences.
G. Link the GPO to the Human Resources OU.
H. Configure Restricted Groups.
I. Enable loopback processing in merge mode.
J. Link the GPO to the Finance OU.
Answer: C
Explanation:
QUESTION NO: 375
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have two Group Policy objects (GPOs) named GP01 and GPO2. GP01 and GP02 are linked
to the Sales OU and contain multiple settings.
You discover that GPO2 has a setting that conflicts with a setting in GP01. When the policies are
applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GP01 supersede the settings in GP02. The solution must
ensure that all non-conflicting settings in both GPOs are applied.
www.certify-me.co.uk 213
Microsoft 70-640 Exam
A. Configure Restricted Groups.
B. Configure the link order.
C. Link the GPO to the Sales OU.
D. Link the GPO to the Engineering OU.
E. Enable loopback processing in merge mode.
F. Modify the Group Policy permissions.
G. Configure WMI Filtering.
H. Configure Group Policy Preferences.
I. Enable loopback processing in replace mode.
J. Enable block inheritance.
Answer: B
Explanation:
QUESTION NO: 376
All vendors belong to a global group named Vendors.
You place three file servers in a new organization unit (OU) named ConfidentialFileServers. The
three file servers contain confidential data located in shared folders.
You need to record any failed attempts made by the vendors to access the confidential data.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two)
A. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
Configure the Audit object access Failure audit policy setting.
B. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
Configure the Audit privilege use Failure audit policy setting.
C. On each shared folder on the three file servers, add the Vendors global group to the Auditing
tab. Configure the Failed Full control setting in the AuditingEntry dialog box.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab.
Configure the Failed Full control setting in the AuditingEntry dialog box.
E. Create a new Group Policy Object (GPO) and link it to the ConfidentialFileServers OU.
Configure the Deny access to this computer from the network user rights setting for the Vendors
global group.
Answer: A,C
Explanation:
www.certify-me.co.uk 214
Microsoft 70-640 Exam
QUESTION NO: 377
A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organization unit named HR. The HR has two sub-OUs: HR
Users and HR Computers. User accounts for the HR Department reside in the HR Users OU.
Computer accounts for the HR department reside in the HR Computers OU. All HR department
employees belong to a security group named HR Employees. All HR Department computers
belong to a security group named HR PCs.
Company policy requires that passwords are a minimum of six characters.
You need to ensure that, the next time HR Department employees change their passwords, the
passwords are required to have at least eight characters. The password length requirement should
not change for employees of any other department.
What should you do?
A. Modify the password policy in the GPO that is applied to the domain.
B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.
C. Create a fine-grained password policy and apply it to the HR Users OU.
D. Modify the password policy in the GPO that is applied to the domain controllers OU.
Answer: C
Explanation:
QUESTION NO: 378
A corporate network includes a single Active Directory Domain Services (AD DS) domain. All
regular user accounts reside in an organizational unit (OU) named Employees. All administrator
accounts reside in an OU named Admins.
You need to ensure that any time an administrator modifies an employee's name in AD DS, the
change is audited.
What should you do first?
A. Create a Group Policy Object with the Audit directory service access setting enabled and link it
to the Employees OU.
B. Modify the searchFlags property for the Name attribute in the schema.
www.certify-me.co.uk 215
Microsoft 70-640 Exam
C. Create a Group Policy Object with the Audit directory service access setting enabled and link it
to the Admins OU.
D. Use the Auditpol.exe command-line tool to enable the directoryserviceschanges auditing
subcategory.
Answer: C
Explanation:
QUESTION NO: 379
Your network contains an Active Directory forest named contoso.com.
You need to provide a user named User1 with the ability to create and manage subnet objects.
The solution must minimize the number of permissions assigned to User1.
What should you do?
A. From the Active Directory Users and Computers, run the Delegation of Control Wizard.
B. From the Active Directory Administrative Center, add User1 to the Schema Admins group.
C. From the Active Directory Sites and Services, run the Delegation of Control Wizard.
D. From Active Directory Administrative Center, add User1 to the Network Configuration Operators
group.
Answer: C
Explanation:
QUESTION NO: 380
A corporate network contains a Windows Server 2008 R2 Active Directory forest.
You need to add a user principal name (UPN) suffix to the forest.
Which tool should you use?
A. Dsmgmt
B. Active Directory Domains and Trusts console
C. Active Directory Users and Computers console
D. Active Directory Sites and Services console
www.certify-me.co.uk 216
Microsoft 70-640 Exam
Answer: B
Explanation: Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc772007.aspx
QUESTION NO: 381
Your network contains a single Active Directory domain that has two sites named Site1 and Site2.
Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named
DC3 and DC4.
DC3 fails.
You discover that replication no longer occurs between the sites.
You verify the connectivity between DC4 and the domain controllers in Site1.
On DC4, you run repadmin.exe /kcc.
Replication between the sites continues to fail.
You need to ensure that Active Directory data replicates between the sites.
What should you do?
A. From Active Directory Sites and Services, configure the NTDS Site Settings of Site2.
B. From Active Directory Sites and Services, configure DC3 so it is not a preferred bridgehead
server
C. From Active Directory users and Computers, configure the NTDS settings of DC4.
D. From Active Directory Users and Computers, configure the location settings of DC4.
Answer: B
Explanation:
QUESTION NO: 382
Your network contains an Active Directory domain named contoso.com.
www.certify-me.co.uk 217
Microsoft 70-640 Exam
All domain controllers were upgraded from Windows Server 2003 to Windows Server 2008 R2
Service Pack 1 (SP1). The functional level of the domain is Windows Server 2003.
You need to configure SYSVOL to use DFS Replication.
Which tools should you use? (Each correct answer presents part of the solution. Choose two.)
A. Dfsrmig
B. Frsdiag
C. Ntdsutil
D. Set- ADForest
E. Repadmin
F. Set- ADDomainMode
G. DFS Management
Answer: A,F
Explanation: Explanation/Reference:
First raise the Funcional level of the domain to 2008 to use DFS using: Set-ADDomainMode
Second configure sysvol to use dfs replication: Dfsrmig
(Use dfsrmig with Windows2008 R2, not repadamin.)
QUESTION NO: 383 DRAG DROP
You manage an Active Directory forest named contoso.com.
The forest contains an empty root domain named contoso.com and a child domain named
child.contoso.com.
All domain controllers run Windows Server 2008. The functional level of the forest is Windows
Server 2008.
You need to raise the functional level of the forest to Windows Server 2008 R2. You must achieve
this goal by using the minimum amount of administrative effort.
What should you do?
To answer, move the appropriate actions from the list of actions to the answer area and arrange
them in the correct order.
www.certify-me.co.uk 218
Microsoft 70-640 Exam
QUESTION NO: 384
Your network contains an Active Directory forest. The forest contains one domain named
contoso.com.
You attempt to run adprep /domainprep and the operation fails.
You discover that the first domain controller deployed to the forest failed.
You need to run adprep /domainprep successfully.
What should you do?
A. Move the PDC emulator role.
B. Move the global catalog server.
C. Deploy an additional global catalog server.
D. Move the infrastructure master role.
E. Restart the Active Directory Domain Services (AD DS) service.
F. Install a read-only domain controller (RODC)
G. Move the RID master role.
H. Move the domain naming master role.
I. Move the bridgehead server.
J. Move the schema master role.
Answer: D
Explanation:
www.certify-me.co.uk 220
Microsoft 70-640 Exam
QUESTION NO: 385
Your network contains an Active Directory forest. The forest contains one domain named
contoso.com.
You discover the following event in the Event log of client computers: "The time provider NtpClient
was unable to find a domain controller to use as a time source. NtpClient will try again in %1
minutes."
You need to ensure that the client computers can synchronize their clocks properly.
What should you do?
A. Move the domain naming master role.
B. Restart the Active Directory Domain Services (AD DS) service.
C. Move the PDC emulator role.
D. Move the infrastructure master role.
E. Move the global catalog server.
F. Move the RID master role.
G. Move the bridgehead server.
H. Move the schema master role.
I. Deploy an additional global catalog server.
J. Install a read-only domain controller (RODC)
Answer: C
Explanation:
QUESTION NO: 386
Your network contains an Active Directory forest named contoso.com. The functional level of the
forest is Windows Server 2008 R2.
The DNS zone for contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named RODC1.
You install the DNS Server server role on RODC1.
www.certify-me.co.uk 221
Microsoft 70-640 Exam
You discover that RODC1 does not have any DNS application directory partitions.
You need to ensure that RODC1 has a copy of the DNS application directory partition.
What should you do?
A. From DNS Manger, create secondary zones.
B. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.
C. From DNS Manager, right- click RODC1 and click Update Server Data Files.
D. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter
Answer: B
Explanation:
QUESTION NO: 387
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
Which tool should you use?
A. Credential Manager
B. Group Policy Management Editor
C. Active Directory Users and Computers
D. Active Directory Sites and Services
Answer: C
Explanation:
QUESTION NO: 388
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all
users.
Which tool should you use?
www.certify-me.co.uk 222
Microsoft 70-640 Exam
A. Group Policy Management Editor
B. Group Policy Management Console (GPMC)
C. Authorization Manager
D. Ldifde
Answer: D
Explanation:
QUESTION NO: 389
Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each
forest contains one domain. A two-way forest trust exists between the forests.
You plan to add users from fabrikam.com to groups in contoso.com.
You need to identify which group you must use to assign users in fabrikam.com access to the
shared folders in contoso.com.
To which group should you add the users? (See Exhibit)
A. Security Group - Domain Local
B. Distribution Group - Domain Local
C. Security Group - Global
D. Distribution Group - Global
E. Security Group - Universal
F. Distribution Group – Universal
Answer: E
Explanation:
www.certify-me.co.uk 223
Microsoft 70-640 Exam
QUESTION NO: 390
Your network contains an Active Directory domain. The domain contains 5,000 user accounts.
You need to disable all of the user accounts that have a description of Temp. You must achieve
this goal by using the minimum amount of administrative effort.
Which tools should you use? (Each correct answer presents part of the solution. Choose two.)
A. Find
B. Dsget
C. Dsmod
D. Dsadd
E. Net accounts
F. Dsquery
Answer: C,F
Explanation:
QUESTION NO: 391
Your network contains an Active Directory domain. The domain contains two file servers. The file
servers are configured as shown in the following table.
You create a Group Policy object (GPO) named GPO1 and you link GPO1 to OU1.
You configure the advanced audit policy as shown in the exhibit.
www.certify-me.co.uk 224
Microsoft 70-640 Exam
You discover that the settings are not applied to Server1. The settings are applied to Server2.
You need to ensure that access to the file shares on Server1 is audited.
What should you do?
A. From Active Directory Users and Computers, modify the permissions of the computer account
for Server1
B. From GPO1, configure the Security Options.
C. From Active Directory Users and Computers, add Server1 to the Event Log Readers group.
D. On Server1, run secedit.exe and specify the /configure parameter.
E. On Server1, run auditpol.exe and specify the /set parameter.
Answer: E
Explanation:
QUESTION NO: 392
www.certify-me.co.uk 225
Microsoft 70-640 Exam
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering. Each OU
contains over 200 user accounts.
The Sales OU and the Engineering OU contain several user accounts that are members of a
universal group named Group1.
You have a Group Policy object (GPO) linked to the domain.
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
A. Modify the Group Policy permissions.
B. Configure Restricted Groups.
C. Configure WMI filtering.
D. Configure the fink order.
E. Enable loopback processing in merge mode.
F. Link the GPO to the Sales OU.
G. Configure Group Policy Preferences.
H. Link the GPO to the Engineering OU.
I. Enable block inheritance.
J. Enable loopback processing in replace mode.
Answer: A
Explanation:
QUESTION NO: 393
Your network contains an Active Directory domain. The domain is configured as shown in the
exhibit.
www.certify-me.co.uk 226
Microsoft 70-640 Exam
You have two Group Policy objects (GPOs) named GPO1 and GPO2. GPO1 and GPO2 are linked
to the Finance organizational unit (OU) and contain multiple settings.
You discover that GP02 has a setting that conflicts with a setting in GPO1. When the policies are
applied, the setting in GPO2 takes effect.
You need to ensure that the settings in GPO1 supersede the settings in GPO2. The solution must
ensure that all non-conflicting settings in both GPOs are applied.
What should you do?
A. Configure the link order.
B. Configure Restricted Groups.
C. Enable block inheritance.
D. Link the GPO to the Finance OU.
E. Enable loopback processing in merge mode.
F. Enable loopback processing in replace mode.
G. Link the GPO to the Human Resources OU.
H. Configure Group Policy Preferences.
I. Configure WMI filtering.
J. Modify the Group Policy permissions.
Answer: A
Explanation:
www.certify-me.co.uk 227
Microsoft 70-640 Exam
QUESTION NO: 394
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the
zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on aft DNS servers as soon as possible.
Which tool should you use?
A. Active Directory Sites And Services console
B. Ntdsutil
C. Dnslint
D. Nslookup
Answer: A
Explanation:
QUESTION NO: 395
Your network contains an Active Directory domain named contosocom. Contoso.com contains two
domain controllers named DC1 and DC2. DC1 and DC2 are configured as DNS servers and host
the Active Directoryintegrated zone for contoso.com.
From DNS Manager on DC1
You enable scavenging for the contosocom zone.
You discover stale DNS records in the zone.
You need to ensure that the stale DNS records are deleted from contoso.com.
What should you do?
A. From DNS Manager, enable scavenging on DC1
B. From DNS Manager, reload the zone.
C. Run dnscmd.exe and specify the ageallrecords parameter.
D. Run dnscmd.exe and specify the startscavenging parameter.
Answer: A
www.certify-me.co.uk 228
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 396
Your network contains an Active Directory forest. The forest contains one domain named
contoso.com.
You discover the following event in the Event log of domain controllers: 'The request for a new
accountidentifier pool failed. The operation will be retried until the request succeeds. The error is "
%1 "
You need to ensure that the domain controllers can acquire e new account-identifier pools
successfully.
What should you do?
A. Move the domain naming master role.
B. Move the global catalog server.
C. Restart the Active Directory Domain Services (AD DS) service.
D. Deploy an additional global catalog server
E. Move the infrastructure master role.
F. Move the PDC emulator role.
G. Install a read-only domain controller (RODC).
H. Move the RID master role.
I. Move the bridgehead server.
J. Move the schema master role.
Answer: H
Explanation:
QUESTION NO: 397
Your network contains an Active Directory domain named adatum.com. All servers run Windows
Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA.
www.certify-me.co.uk 229
Microsoft 70-640 Exam
You need to ensure that all of the members of a group named Sales can enroll for certificates that
use Sales_Temp.
Which snap-in should you use?
A. Enterprise PKI
B. Certification Authority
C. Share and Storage Management
D. Certificate Templates
E. Security Configuration Wizard
F. Authorization Manager
G. Group Policy Management
H. Certificates
I. Active Directory Administrative Center
Answer: D
Explanation:
QUESTION NO: 398
Your network contains an Active Directory forest named adatum.com. All domain controllers
currently run Windows Server 2003 Service Pack (SP2). The functional level of the forest and the
domain is Windows Server 2003.
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.
What should you do first?
A. Deploy a writable domain controller that runs Windows Server 2008 R2.
B. Raise the functional level of the forest to Windows Server 2008.
C. Run adprep.exe.
D. Raise the functional level of the domain to Windows Server 2008.
Answer: C
Explanation:
QUESTION NO: 399
Your network contains an Active Directory forest.
www.certify-me.co.uk 230
Microsoft 70-640 Exam
All users have a value set for the Department attribute.
From Active Directory Users and Computers, you search a domain for all users who have a
Department attribute value of Marketing. The search returns 50 users.
From Active Directory Users and Computers, you search the entire directory for all users who
have a Department attribute value of Marketing.
The search does not return any users.
You need to ensure that a search of the entire directory for users in the marketing department
returns all of the users who have the Marketing Department attribute.
What should you do?
A. Install the Windows Search Service role service on a global catalog server.
B. From the Active Directory Schema snap-in modify the properties of the Department attribute.
C. Install the Indexing Service role service on a global catalog server.
D. From the Active Directory Schema snap-in modify the properties of the user class.
Answer: B
Explanation:
QUESTION NO: 400
Your network contains an Active Directory domain named contoso.com.
You need to create a script that runs the Best Practices Analyzer (BPA) each week for all of the
server roles that BPA supports on each domain controller.
Which cmdlets should you include in the script? (Each correct answer presents part of the
solution. Choose three.)
A. Get- TroubleshootingPack | Invoke- TroubleshootingPack
B. Import-Module BestPractices
C. Get- BPAModel | Invoke- BPAModel
D. Import-Module TroubleshootingPack
E. Get- BPAResult
Answer: B,C,E
www.certify-me.co.uk 231
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 401
Your network contains an Active Directory forest. The forest contains one domain named
contoso.com.
You discover the following event in the Event log of domain controllers: "The request for a new
account-identifier pool failed. The operation will be retried until the request succeeds. The error is "
%1 ""
You need to ensure that the domain controllers can acquire new account-identifier pools
successfully.
What should you do?
A. Move the PDC emulator role.
B. Move the schema master role.
C. Move the global catalog server.
D. Move the domain naming master role.
E. Move the infrastructure master role.
F. Move the RID master role.
G. Restart the Active Directory Domain Services (AD DS) service.
H. Deploy an additional global catalog server.
I. Move the bridgehead server.
J. Install a read-only domain controller (RODC).
Answer: F
Explanation: Ref: http://technet.microsoft.com/en-us/library/cc756699(v=ws.10)
QUESTION NO: 402 CORRECT TEXT
Your network contains an Active Directory domain. The domain contains a domain controller
named DC1 that runs windows Server 2008 R2 Service Pack 1 (SP1).
You need to implement a central store for domain policy templates.
What should you do?
www.certify-me.co.uk 232
Microsoft 70-640 Exam
To answer, select the source content that should be copied to the destination folder in the answer
area.
Answer: Copy “C:\Windows\PolicyDefinitions” to “C:\Windows\SYSVOL\domain\Policies”
Ref: http://www.petri.co.il/creating-group-policy-central-store.htm
QUESTION NO: 403
Your network contains an Active Directory domain named contoso.com.
You need to create one password policy for administrators and another password policy for all
other users.
Which tool should you use?
A. Ntdsutil
B. Active Directory Users and Computers
C. ADSI Edit
D. Group Policy Management Console (GPMC)
Answer: C
Explanation:
Ref: http://technet.microsoft.com/en-US/library/cc754461.aspx
QUESTION NO: 404
Your network contains an Active Directory forest named contoso.com.
You need to identify whether a fine-grained password policy is applied to a specific group.
www.certify-me.co.uk 233
Microsoft 70-640 Exam
Which tool should you use?
A. Active Directory Sites and Services
B. Authorization Manager
C. Local Security Policy
D. ADSI Edit
Answer: D
Explanation: The link below instructs you to access the “Attribute Editor” via Active Directory
Users and Computers. However the “Attribute Editor” can also be accessed by right-clicking on a
user or group in ADSI Edit.
Ref: http://technet.microsoft.com/en-US/library/cc770848.aspx
QUESTION NO: 405
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the
zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Repadmin
B. Active Directory Domains and Trusts console
C. Ldp
D. Ntdsutil
Answer: A
Explanation: Ref: http://technet.microsoft.com/en-us/library/cc835086(v=ws.10)
QUESTION NO: 406
Your network contains an Active Directory forest named contoso.com. The forest contains two
www.certify-me.co.uk 234
Microsoft 70-640 Exam
domains named contoso.com and child.contoso.com. The forest contains two sites named Seattle
and Denver. Both sites contain users, client computers, and domain controllers from both
domains.
The Seattle site contains the first domain controller deployed to the forest. The Seattle site also
contains the primary domain controller (PDC) emulator for both domains. All of the domain
controllers are configured as DNS servers. All DNS zones are replicated to all of the domain
controllers in the forest.
The users in the Denver site report that is takes a long time to log on to their client computer when
they use their user principal name (UPN). The users in the Seattle site do not experience the
same issue.
You need to reduce the amount of time it takes for the Denver users to log on to their client
computer by using their UPN.
What should you do?
A. Reduce the cost of the site link between the Denver site and the Seattle site.
B. Enable the global catalog on a domain controller in the Denver site.
C. Enable universal group membership caching in the Denver site.
D. Move a PDC emulator to the Denver site.
E. Reduce the replication interval of the site link between the Denver site and the Seattle site.
F. Add an additional domain controller to the Denver site.
Answer: B
Explanation:
QUESTION NO: 407
Your network contains an Active Directory domain named contoso.com.
The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 235
Microsoft 70-640 Exam
You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes
between the sites.
What should you do?
A. Configure DC1 as a preferred bridgehead server for IP transport.
B. Configure DC4 as a preferred bridgehead server for IP transport.
C. From the DC4 server object, create a Connection object for DC1.
D. From the DC1 server object, create a Connection object for DC4.
Answer: C
Explanation:
QUESTION NO: 408
Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each
forest contains a single domain.
A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.
Contoso.com contains a group named Group 1.
www.certify-me.co.uk 236
Microsoft 70-640 Exam
Fabrikam.com contains a server named Server1.
You need to ensure that users in Group1 can access resources on Server1.
What should you modify?
A. the permissions of the Group1 group
B. the UPN suffixes of the contoso.com forest
C. the UPN suffixes of the fabrikam.com forest
D. the permissions of the Server1 computer account
Answer: A
Explanation:
QUESTION NO: 409 HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two
sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain
controllers are configured as shown in the following table.
You need to enable universal group membership caching in the Seattle site.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
www.certify-me.co.uk 237
Microsoft 70-640 Exam
QUESTION NO: 410
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
Users in the Sates OU frequently log on to client computers in the Engineering OU.
You need to meet the following requirements:
- All of the user settings in the Group Policy objects (GPOs) linked to both the Sales OU and the
Engineering OU must be applied to sales users when they log on to client computers in the
Engineering OU.
- Only the policy settings in the GPOs linked to the Sales OU must be applied to sales users when
they log on to client computers in the Sales OU.
- Policy settings in the GPOs linked to the Sales OU must not be applied to users in the
Engineering OU.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
www.certify-me.co.uk 239
Microsoft 70-640 Exam
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
J. Link the GPO to the Engineering OU.
Answer: C
Explanation:
QUESTION NO: 411
Your network contains an Active Directory domain. The domain is configured as shown in the
exhibit. (Click the Exhibit button.)
You have a Group Policy object (GPO) linked to the domain. The GPO is used to deploy a number
of software packages.
You need to ensure that the GPO is applied only to client computers that have sufficient free disk
space.
What should you do?
A. Modify the Group Policy permissions.
www.certify-me.co.uk 240
Microsoft 70-640 Exam
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance organizational unit (OU).
J. Link the GPO to the Human Resources organizational unit (OU).
Answer: B
Explanation:
QUESTION NO: 412
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Computer Management
B. Net Config
C. Active Directory Users and Computers
D. Gpresult
Answer: C
Explanation:
QUESTION NO: 413
Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and east.contoso.com. The contoso.com domain contains a domain controller
named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1 and
DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that
zone transfers are encrypted.
www.certify-me.co.uk 241
Microsoft 70-640 Exam
What should you do?
A. Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2, configure
inbound rules and outbound rules by using Windows Firewall with Advanced Security. Create a
secondary zone on DC2 and select DC1 as the master.
B. Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones, DC=Contoso,
DC=com naming context.
C. Create a primary zone on DC2 and store the zone in a DC= DC=East, DC=Contoso/DC=com
naming context. Create a secondary zone on DC1 and select DC2 as the master.
D. Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for the
zone. Create a secondary zone on DC2 and select DC1 as the master,
Answer: D
Explanation:
QUESTION NO: 414
Your network contains an Active Directory domain named contoso.com. The domain contains a
domain controller named DC1. DC1 has the DNS Server server role installed and hosts an Active
Directory-integrated zone for contoso.com. The no-refresh interval and the refresh interval are
both set to three days.
The Advanced DNS settings of DC1 are shown in the Advanced DNS Settings exhibit. (Click the
Exhibit button.)
www.certify-me.co.uk 242
Microsoft 70-640 Exam
You open the properties of a static record named Server1 as shown in the Server1 Record exhibit.
(Click the Exhibit button.)
www.certify-me.co.uk 243
Microsoft 70-640 Exam
You discover that the scavenging process ran today, but the record for Server1 was not deleted.
You run dnscmd.exe and specify the ageallrecords parameter.
You need to identify when the record for Server1 will be deleted from the zone.
In how many days will the record be deleted?
A. 13
B. 10
C. 23
D. 7
Answer: D
www.certify-me.co.uk 244
Microsoft 70-640 Exam
Explanation:
QUESTION NO: 415
Your network contains an Active Directory domain named adatum.com. All servers run Windows
Server 2008 R2.
The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event log
entries for Certificate Services.
Which snap-in should you use?
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management
Answer: G
Explanation:
QUESTION NO: 416
Your network contains an Active Directory domain named adatum.com. All servers run Windows
Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.
The network contains an enterprise certification authority (CA).
You need to approve a pending certificate request.
Which snap-in should you use?
www.certify-me.co.uk 245
Microsoft 70-640 Exam
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management
Answer: E
Explanation:
QUESTION NO: 417
Your network contains an Active Directory domain. The domain is configured as shown in the
exhibit. (Click the Exhibit button.)
Each organizational unit (OU) contains over 500 user accounts.
The Finance OU and the Human Resources OU contain several user accounts that are members
of a universal group named Group1.
You have a Group Policy object (GPO) linked to the domain.
www.certify-me.co.uk 246
Microsoft 70-640 Exam
You need to prevent the GPO from being applied to the members of Group1 only.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode,
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.
Answer: A
Explanation:
QUESTION NO: 418
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You have a Group Policy object (GPO) linked to the domain.
You need to ensure that the settings in the GPO are not processed by user accounts or computer
accounts in the Sales OU. You must achieve this goal by using the minimum amount of
administrative effort.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Sales OU.
www.certify-me.co.uk 247
Microsoft 70-640 Exam
J. Link the GPO to the Engineering OU.
Answer: B
Explanation:
QUESTION NO: 419
A corporate network includes a single Active Directory Domain Services (AD DS) domain. The
domain contains 10 domain controllers. The domain controllers run Windows Server 2008 R2 and
are configured as DNS servers.
You plan to create an Active Directory-integrated zone.
You need to ensure that the new zone is replicated to only four of the domain controllers.
What should you do first?
A. Use the ntdsutil tool to modify the DS behavior for the domain.
B. Use the ntdsutil tool to add a naming context.
C. Create a new delegation in the ForestDnsZones application directory partition.
D. Use the dnscmd tool with the /zoneadd parameter.
Answer: D
Explanation:
QUESTION NO: 420
Your network contains an Active Directory forest named contoso.com.
You plan to migrate all user accounts to a new forest named litwareinc.com.
The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains
four servers. The servers are configured as shown in the following table.
www.certify-me.co.uk 248
Microsoft 70-640 Exam
The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains
four servers. The servers are configured as shown in the following table.
You need to identify on which server in the litwareinc.com forest you must install Active Directory
Migration Tool version 3.2 (ADMT v3.2).
Which server should you identify?
A. Litw_Srv4
B. Litw_Srv1
C. Litw_Srv2
D. Litw_Srv3
Answer: D
Explanation:
QUESTION NO: 421
Your network contains an Active Directory forest named fabrikam.com. The forest contains the
following domains:
- Fabrikam.com
www.certify-me.co.uk 249
Microsoft 70-640 Exam
- Eu.fabrikam.com
- Na.fabrikam.com
- Eu.contoso.com
- Na.contoso.com
You need to configure the forest to ensure that the administrators of any of the domains can
specify a user principal name (UPN) suffix of contoso.com when they create user accounts from
Active Directory Users and Computers.
Which tool should you use?
A. Active Directory Sites and Services
B. Set-ADDomain
C. Set-ADForest
D. Active Directory Administrative Center
Answer: C
Explanation:
QUESTION NO: 422 HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two
Active Directory sites named Seattle and Montreal. The Montreal site is a branch office that
contains only a single read-only domain controller (RODC).
You accidentally delete the site link between the two sites.
You recreate the site link while you are connected to a domain controller in Seattle.
You need to replicate the change to the RODC in Montreal.
Which node in Active Directory Sites and Services should you use?
To answer, select the appropriate node in the answer area.
www.certify-me.co.uk 250
Microsoft 70-640 Exam
C:\Users\Kamran\Desktop\image.JPG
QUESTION NO: 423
A corporate network includes a single Active Directory Domain Services (AD DS) domain and two
AD DS sites. The AD DS sites are named Toronto and Montreal. Each site has multiple domain
controllers.
You need to determine which domain controller holds the Inter-Site Topology Generator role for
the Toronto site.
What should you do?
A. Use the Active Directory Sites and Services console to view the NTDS Site Settings for the
Toronto site.
B. Use the Ntdsutil tool with the roles parameter.
C. Use the Ntdsutil tool with the LDAP policies parameter.
D. Use the Active Directory Sites and Services console to view the properties of each domain
controller in the Toronto site.
Answer: A
Explanation:
QUESTION NO: 424 HOTSPOT
Your network contains an Active Directory forest named contoso.com. The forest contains two
sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain
controllers are configured as shown in the following table.
The Montreal site contains a domain controller named DC3. DC3 is the only global catalog server
in the forest.
www.certify-me.co.uk 252
Microsoft 70-640 Exam
You need to configure DC2 as a global catalog server.
Which object's properties should you modify?
To answer, select the appropriate object in the answer area.
Answer:
Explanation:
www.certify-me.co.uk 253
Microsoft 70-640 Exam
C:\Users\Kamran\Desktop\image.JPG
QUESTION NO: 425
Your network contains an Active Directory domain. The domain contains five sites. One of the
sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?
A. Repadmin
B. Dcdiag
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Adtest
Answer: A
Explanation:
QUESTION NO: 426
A network contains an Active Directory forest. The forest contains three domains and two sites.
You remove the global catalog from a domain controller named DC2. DC2 is located in Site1.
www.certify-me.co.uk 254
Microsoft 70-640 Exam
You need to reduce the size of the Active Directory database on DC2. The solution must minimize
the impact on all users in Site1.
What should you do first?
A. On DC2, start the Protected Storage service.
B. On DC2, stop the Active Directory Domain Services service.
C. Start DC2 in Safe Mode.
D. Start DC2 in Directory Services Restore Mode.
Answer: B
Explanation:
QUESTION NO: 427
Your network contains an Active Directory domain named adatum.com. The functional level of the
domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client
computers run Windows 7 Enterprise.
You need to receive a notification when more than 50 Active Directory objects are deleted per
second.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command.
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.
Answer: G
Explanation:
QUESTION NO: 428
www.certify-me.co.uk 255
Microsoft 70-640 Exam
You have an enterprise subordinate certification authority (CA).
You have a custom certificate template that has a key length of 1,024 bits. The template is
enabled for autoenrollment.
You increase the template key length to 2,048 bits.
You need to ensure that all current certificate holders automatically enroll for a certificate that uses
the new template.
Which console should you use?
A. Group Policy Management MMC Snap-In
B. Certificates MMC Snap-In on the Certificate Authority
C. Certificate Templates MMC Snap-In
D. Certification Authority MMC Snap-In
Answer: C
Explanation:
QUESTION NO: 429
Your network contains an Active Directory domain.
The password policy for the domain is configured as shown in the Current Policy exhibit, (Click the
Exhibit button.)
www.certify-me.co.uk 256
Microsoft 70-640 Exam
You change the password policy for the domain as shown in the New Policy exhibit. (Click the
Exhibit button.)
You need to provide users with examples of a valid password.
Which password examples should you provide to the users? (Each correct answer presents a
complete solution. Choose three.)
A. 123456!@#$%^
B. !@#$1234ABCD
C. passwordl234
D. 1-2-3-4-5-a-b-c-e
E. %%PASS1234%%
F. 111111aaaaaaa
Answer: A,B,D
Explanation:
QUESTION NO: 430 DRAG DROP
Your network contains an Active Directory forest named contoso.com.
You need to use Group Policies to deploy the applications shown in the following table.
www.certify-me.co.uk 257
Microsoft 70-640 Exam
What should you do?
To answer, drag the appropriate deployment method to the correct application in the answer area.
Answer:
Explanation:
C:\Users\Kamran\Desktop\image.JPG
www.certify-me.co.uk 258
Microsoft 70-640 Exam
QUESTION NO: 431
Your network contains an Active Directory forest. The forest contains one domain named
contoso.com.
You attempt to create a new child domain and you receive the following error message: "An LDAP
read of operational attributes failed."
You need to ensure that you can add a new child domain to the forest.
What should you do?
A. Move the PDC emulator role.
B. Move the RID master role.
C. Move the infrastructure master role.
D. Move the schema master role.
E. Move the domain naming master role.
F. Move the global catalog server.
G. Move the bridgehead server.
H. Install a read-only domain controller (RODC).
I. Deploy an additional global catalog server.
J. Restart the Active Directory Domain Services (AD DS) service.
Answer: E
Explanation:
QUESTION NO: 432
Your network contains an Active Directory domain named contoso.com.
The Active Directory sites are configured as shown in the Sites exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 259
Microsoft 70-640 Exam
You need to ensure that DC1 and DC4 are the only servers that replicate Active Directory changes
between the sites.
What should you do?
A. Configure DC1 as a preferred bridgehead server for IP transport.
B. Configure DC4 as a preferred bridgehead server for IP transport.
C. From the DC4 server object, create a Connection object for DC1.
D. From the DC1 server object, create a Connection object for DC4.
Answer: A
Explanation:
QUESTION NO: 433 HOTSPOT
Your network contains two Active Directory forests named contoso.com and fabrikam.com.
A two-way forest trust exists between the forests. Selective authentication is enabled on the trust.
Fabrikam.com contains a server named Server1.
You assign Contoso\Domain Users the Manage documents permission and the Print permission to
a shared printer on Server1.
You discover that users from contoso.com cannot access the shared printer on Server1.
You need to ensure that the contoso.com users can access the shared printer on Server1.
Which permission should you assign to Contoso\Domain Users.
www.certify-me.co.uk 260
Microsoft 70-640 Exam
To answer, select the appropriate permission in the answer area.
Answer:
www.certify-me.co.uk 261
Microsoft 70-640 Exam
C:\Users\Kamran\Desktop\image.JPG
QUESTION NO: 434
Your network contains an Active Directory forest named contoso.com. The functional level of the
forest is Windows Server 2008 R2. The forest contains a single domain.
You need to ensure that objects can be restored from the Active Directory Recycle Bin.
Which tool should you use?
www.certify-me.co.uk 263
Microsoft 70-640 Exam
A. Ntdsutil
B. Set-ADDomain
C. Dsamain
D. Enable-ADOptionalFeature
Answer: C
Explanation:
QUESTION NO: 435
Your network contains an Active Directory domain named adatum.com. The functional level of the
domain is Windows Server 2003. All domain controllers run Windows Server 2008 R2.
You mount an Active Directory snapshot.
You need to ensure that you can connect to the snapshot by using LDAP.
What should you do?
A. Run the Get-ADDomain cmdlet.
B. Run the dsget.exe command.
C. Run the ntdsutil.exe command.
D. Run the ocsetup.exe command.
E. Run the dsamain.exe command.
F. Run the eventcreate.exe command,
G. Create a Data Collector Set (DCS).
H. Create custom views from Event Viewer.
I. Configure subscriptions from Event Viewer.
J. Import the Active Directory module for Windows PowerShell.
Answer: E
Explanation:
QUESTION NO: 436
Your network contains an Active Directory domain. The domain is configured as shown in the
exhibit. (Click the Exhibit button.)
www.certify-me.co.uk 264
Microsoft 70-640 Exam
Users in the Finance organizational unit (OU) frequently log on to client computers in the Human
Resources OU.
You need to meet the following requirements:
- All of the user settings in the Group Policy objects (GPOs) linked to both the Finance OU and
the Human Resources OU must be applied to finance users when they log on to client
computers in the Engineering OU.
- Only the policy settings in the GPOs linked to the Finance OU must be applied to finance users
when they log on to client computers in the Finance OU.
- Policy settings in the GPOs linked to the Finance OU must not be applied to users in the Human
Resources OU.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the GPO to the Finance OU.
J. Link the GPO to the Human Resources OU.
Answer: D
Explanation:
www.certify-me.co.uk 265
Microsoft 70-640 Exam
QUESTION NO: 437
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named Sales and an OU named Engineering.
You need to ensure that when users log on to client computers, they are added automatically to
the local Administrators group. The users must be removed from the group when they log off of
the client computers.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the Group Policy object (GPO) to the Sales OU.
J. Link the Group Policy object (GPO) to the Engineering OU.
Answer: H
Explanation:
QUESTION NO: 438
Your network contains an Active Directory domain. The domain contains two Active Directory sites
named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2
contains two domain controller named DC3 and DC4,
The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is
Windows Server 2003.
Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.
At 07:00, an administrator deletes a user account while he is logged on to DC1.
www.certify-me.co.uk 266
Microsoft 70-640 Exam
You need to restore the deleted user account. You want to achieve this goal by using the minimum
amount of administrative effort.
What should you do?
A. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then
start Active Directory Domain Services
B. On DC3, run the Restore-ADObject cmdlet.
C. On DC1, run the Restore-ADObject cmdlet.
D. On DC1, stop Active Directory Domain Services, restore the SystemState, and then start Active
Directory Domain Services.
Answer: A
Explanation:
QUESTION NO: 439
You create a standard primary zone for contoso.com.
You need to specify a user named Admin1 as the person responsible for managing the zone.
What should you do? (Each correct answer presents a complete solution. Choose two.)
A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all
instances of "hostmaster.contoso.com" to "admin1.contoso.com",
B. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com,
Specify admin1.contoso.com as the responsible person.
C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all
instances of "[email protected]" to "[email protected]" .
D. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com.
Specify [email protected] as the responsible person.
Answer: B,C
Explanation:
QUESTION NO: 440
Your network contains an Active Directory forest named contoso.com. The forest contains two
member servers named Server1 and Server2. Server1 and Server2 have the DNS Server server
www.certify-me.co.uk 267
Microsoft 70-640 Exam
role installed.
Server1 hosts a standard primary zone for contoso.com. Server2 is configured as a secondary
name server for contoso.com.
You experience issues with the copy of the zone on Server2,
You verify that both copies of the zone have the same serial number.
You need to transfer a complete copy of the zone from Server1 to Server2.
What should you do on Server2?
A. From DNS Manager, right-click contoso.com and click Transfer from Master.
B. From Services, right-click DNS Server and click Refresh.
C. From Services, right-click DNS Server and click Restart.
D. From DNS Manager, right-click contoso.com and click Reload.
E. From DNS Manager, right-click contoso.com and click Transfer a new copy of zone from
Master.
Answer: E
Explanation:
QUESTION NO: 441
Your network contains an Active Directory forest named contoso.com. The functional level of the
forest is Windows Server 2008 R2
The DNS zone for contoso.com is Active Directory-integrated.
You deploy a read-only domain controller (RODC) named R0DC1. You install the DNS Server
server role on R0DC1.
You discover that R0DC1 does not have any DNS application directory partitions.
You need to ensure that R0DC1 has a copy of the DNS application directory partition of
contoso.com.
What should you do? (Each correct answer presents a complete solution. Choose two.)
www.certify-me.co.uk 268
Microsoft 70-640 Exam
A. From DNS Manager, right-click RODC1 and click Create Default Application Directory
Partitions.
B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.
C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.
E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.
Answer: A,D
Explanation:
QUESTION NO: 442
A corporate network includes an Active Directory-integrated zone. All DNS servers that host the
zone are domain controllers.
You add multiple DNS records to the zone.
You need to ensure that the new records are available on all DNS servers as soon as possible.
Which tool should you use?
A. Ntdsutil
B. Dnscmd
C. Repadmin
D. Nslookup
Answer: D
Explanation:
QUESTION NO: 443
Your network contains three servers named ADFS1, ADFS2, and ADFS3 that run Windows Server
2008 R2. ADFS1 has the Active Directory Federation Services (AD FS) Federation Service role
service installed.
You plan to deploy AD FS 2.0 on ADFS2 and ADFS3.
You need to export the token-signing certificate from ADFS1, and then import the certificate to
ADFS2 and ADFS3.
www.certify-me.co.uk 269
Microsoft 70-640 Exam
In which format should you export the certificate?
A. Personal Information Exchange PKCS #12 (.pfx)
B. DER encoded binary X.509 (.cer)
C. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
D. Base-64 encoded X.S09 (.cer)
Answer: A
Explanation:
QUESTION NO: 444
You create a user account template for the marketing department.
When you copy the user account template, you discover that the Web page attribute is not copied.
You need to preserve the Web page attribute when you copy the user account template.
What should you do?
A. From Active Directory Administrative Center, modify the value of the wWWHomePage attribute
for the user account template.
B. From the Active Directory Schema snap-in, modify the properties of the user class.
C. From Active Directory Users and Computers, modify the value of the wWWHomePage attribute
for the user account template.
D. From ADSI Edit, modify the properties of the wWWHomePage attribute.
Answer: B
Explanation:
QUESTION NO: 445
Your network contains an Active Directory forest named contoso.com. The forest contains four
computers. The computers are configured as shown in the following table.
www.certify-me.co.uk 270
Microsoft 70-640 Exam
An administrator creates a script that contains the following commands:
You need to identity which computers can successfully run all of the commands in the script.
Which two computers should you identify? (Each correct answer presents part of the solution.
Choose two.)
A. Computer1
B. Server1
C. Computer2
D. Server2
Answer: B,D
Explanation:
QUESTION NO: 446
Your network contains an Active Directory domain. The domain is configured as shown in the
exhibit, (Click the Exhibit button.)
www.certify-me.co.uk 271
Microsoft 70-640 Exam
You need to ensure that when users log on to client computers, they are added automatically to
the local Administrators group. The users must be removed from the group when they log off of
the client computers.
What should you do?
A. Modify the Group Policy permissions.
B. Enable block inheritance.
C. Configure the link order.
D. Enable loopback processing in merge mode.
E. Enable loopback processing in replace mode.
F. Configure WMI filtering.
G. Configure Restricted Groups.
H. Configure Group Policy Preferences.
I. Link the Group Policy object (GPO) to the Finance organizational unit (OU).
J. Link the Group Policy object (GPO) to the Human Resources organizational unit (OU).
Answer: H
Explanation:
QUESTION NO: 447 HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You need to view which password setting object is applied to a user.
www.certify-me.co.uk 272
Microsoft 70-640 Exam
Which filter option in Attribute Editor should you enable? To answer, select the appropriate filter
option in the answer area.
Answer:
Explanation:
www.certify-me.co.uk 273
Microsoft 70-640 Exam
C:\Users\Kamran\Desktop\image.JPG
QUESTION NO: 448
Your company has an Active Directory forest. Each regional office has an organizational unit (OU)
named Marketing. The Marketing OU contains all users and computers in the region's Marketing
department.
You need to install a Microsoft Office 2007 application only on the computers in the Marketing
OUs.
You create a GPO named MarketingApps.
What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the GPO to the
domain.
B. Configure the GPO to assign the application to the user account. Link the GPO to each
Marketing OU.
C. Configure the GPO to assign the application to the computer account. Link the GPO to each
Marketing OU.
D. Configure the GPO to publish the application to the user account. Link the GPO to each
Marketing OU.
Answer: C
Explanation:
www.certify-me.co.uk 274
Microsoft 70-640 Exam
QUESTION NO: 449
Your network contains an Active Directory domain named contoso.com. The functional level of the
forest is Windows Server 2008 R2.
The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.
On a domain controller named DC1, an administrator configures the Advanced Audit Policy
Configuration settings by using a local GPO.
You need to identify what will be audited on DC1.
Which tool should you use?
A. Get-ADObject
B. Secedit
C. Security Configuration and Analysis
D. Auditpol
Answer: D
Explanation:
QUESTION NO: 450
A network contains an Active Directory forest. The forest schema contains a custom attribute for
user objects.
You need to view the custom attribute value of 500 user accounts in a Microsoft Excel table.
Which tool should you use?
A. Dsmod
B. Csvde
C. Ldifde
D. Dsrm
Answer: B
Explanation:
www.certify-me.co.uk 275
Microsoft 70-640 Exam
QUESTION NO: 451
Your network contains an Active Directory forest named contoso.com. The forest contains two
domains named contoso.com and child.contoso.com. All domain controllers run Windows Server
2008. All forest-wide operations master roles are in child.contoso.com.
An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2
Service Pack 1 (SP1) installation media.
You plan to run adprep.exe /domainprep in each domain.
You need to ensure that you have the required user rights to run the command successfully in
each domain.
Of which groups should you be a member? (Each correct answer presents part of the solution.
Choose two.)
A. Administrators in child.contoso.com
B. Enterprise Admins in contoso.com
C. Domain Admins in child.contoso.com
D. Domain Admins in contoso.com
E. Administrators in contoso.com
F. Schema Admins in contoso.com
Answer: C,D
Explanation:
QUESTION NO: 452
Your network contains an Active Directory forest named contoso.com. The forest contains a single
domain and 10 domain controllers. All of the domain controllers run Windows Server 2008 R2
Service Pack 1 (SP1).
The forest contains an application directory partition named dc=app1, dc=contoso,dc=com. A
domain controller named DC1 has a copy of the application directory partition.
You need to configure a domain controller named DC2 to receive a copy of dc=app1, dc=contoso,
www.certify-me.co.uk 276
Microsoft 70-640 Exam
dc=corn.
Which tool should you use?
A. Active Directory Sites and Services
B. Dsmod
C. Dcpromo
D. Dsmgmt
Answer: B
Explanation:
QUESTION NO: 453
A corporate environment includes a Windows Server 2008 R2 Active Directory Domain Services
(AD DS) domain.
You need to enable Universal Group Membership Caching on several domain controllers in the
domain.
Which tool should you use?
A. Dsmod
B. Dscmd
C. Ntdsutil
D. Active Directory Sites and Services console
Answer: A
Explanation:
QUESTION NO: 454
Your network contains an Active Directory forest. The forest contains three domains. All domain
controllers have the DNS Server server role installed.
The forest contains three sites named Site1, Site2, and Site3. Each site contains the users, client
computers, and domain controllers of each domain. Site1 contains the first domain controller
deployed to the forest.
www.certify-me.co.uk 277
Microsoft 70-640 Exam
The sites connect to each other by using unreliable WAN links.
The users in Site2 and Site3 report that is takes a long time to log on to their client computer when
they use their user principal name (UPN). The users in Site1 do not experience the same issue.
You need to reduce the amount of time it takes for the Site2 users and the Site3 users to log on to
their client computer by using their UPN.
What should you do?
A. Configure a global catalog server in Site2 and a global catalog server in Site3.
B. Reduce the replication interval of the site links.
C. Move a primary domain controller (PDC) emulator to Site2 and to Site3.
D. Add additional domain controllers to Site2 and to Site3.
E. Reduce the cost of the site links.
F. Enable universal group membership caching in Site2 and in Site3.
Answer: A
Explanation:
QUESTION NO: 455
You have a client computer named Computer1 that runs Windows 7.
On Computer1, you configure a source-initiated subscription.
You configure the subscription to retrieve all events from the Windows logs of a domain controller
named DC1. The subscription is configured to use the HTTP protocol.
You discover that events from the Security log of DC1 are not collected on Computer1. Events
from the Application log of DC1 and the System log of DC1 are collected on Computer1.
You need to ensure that events from the Security log of DC1 are collected on Computer1.
What should you do?
A. Add the computer account of Computer1 to the Event Log Readers group on the domain
controller.
B. Add the Network Service security principal to the Event Log Readers group on the domain
www.certify-me.co.uk 278
Microsoft 70-640 Exam
controller.
C. Configure the subscription to use custom Event Delivery Optimization settings.
D. Configure the subscription to use the HTTPS protocol.
Answer: B
Explanation:
QUESTION NO: 456
Your network contains an Active Directory forest named contoso.com. The forest contains six
domains.
You need to ensure that the administrators of any of the domains can specify a user principal
name (UPN) suffix oflitwareinc.com when they create user accounts by using Active Directory
Users and Computers.
Which tool should you use?
A. Active Directory Administrative Center
B. Set-ADDomain
C. Active Directory Sites and Services
D. Set-ADForest
Answer: C
Explanation:
QUESTION NO: 457
Your network contains an Active Directory domain named litwareinc.com. The domain contains
two sites named Sitel and Site2. Site2 contains a read-only domain controller (RODC).
You need to identify which user accounts attempted to authenticate to the RODC.
Which tool should you use?
A. Active Directory Users and Computers
B. Ntdsutil
C. Get-ADAccountResultantPasswordReplicationPolicy
D. Adtest
www.certify-me.co.uk 279
Microsoft 70-640 Exam
Answer: A
Explanation:
QUESTION NO: 458
Your network contains an Active Directory forest. The forest schema contains a custom attribute
for user objects.
You need to generate a file that contains the last logon time and the custom attribute values for
each user in the forest.
What should you use?
A. the Get-ADUser cmdlet
B. the Export-CSV cmdlet
C. the Net User command
D. the Dsquery User tool
Answer: A
Explanation:
QUESTION NO: 459
You have an Active Directory domain named contoso.com.
You need to view the account lockout threshold and duration for the domain.
Which tool should you use?
A. Net User
B. Active Directory Users and Computers
C. Group Policy Management Console (GPMC)
D. Computer Management
Answer: C
Explanation:
www.certify-me.co.uk 280
Microsoft 70-640 Exam
QUESTION NO: 460
A domain controller named DC4 runs Windows Server 2008 R2. DC4 is configured as a DNS
server for fabrikam.com.
You install the DNS Server server role on a member server named DNS1 and then you create a
standard secondary zone for fabrikam.com. You configure DC4 as the master server for the zone.
You need to ensure that DNS1 receives zone updates from DC4.
What should you do?
A. Add the DNS1 computer account to the DNSUpdateProxy group.
B. On DC4, modify the permissions offabrikam.com zone.
C. On DNS1, add a conditional forwarder.
D. On DC4, modify the zone transfer settings for the fabrikam.com zone.
Answer: D
Explanation:
QUESTION NO: 461
A company has an Active Directory forest. You plan to install an offline Enterprise root certification
authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and
is attached to a hardware security module for private key storage.
You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The
Enterprise CA option is not available.
You need to install the AD CS server role as an Enterprise CA on CA1.
What should you do first?
A. Add the DNS Server server role to CA1.
B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
D. Join CA1 to the domain.
Answer: D
Explanation:
www.certify-me.co.uk 281