100% candidates have passed the MCM 70-640 exam by the help of CertBus pass guaranteed MCM 70-640 preparation materials. The CertBus Microsoft PDF and VCEs are the latest and cover every knowledge points of MCM 70-640 Windows Server 2008 Active Directory. Configuring certifications. You can try the Q and As for an undeniable success in 70-640 exam.
We CertBus has our own expert team. They selected and published the latest 70-640 preparation materials from Microsoft Official Exam-Center: http://www.certgod.com/70-640.html
QUESTION NO:36
Your company has an Active Directory domain. A user attempts to log on to the domain from a client computer and receives the following message: “This user
account has expired. Ask your administrator to reactivate the account.”
You need to ensure that the user is able to log on to the domain.
What should you do?
A. Modify the properties of the user account to set the account to never expire.
B. Modify the properties of the user account to extend the Logon Hours setting.
C. Modify the default domain policy to decrease the account lockout duration.
D. Modify the properties of the user account to set the password to never expire.
Correct Answer: A
Explanation
Explanation/Reference:
Explanation:
Further information:
http://technet.microsoft.com/en-us/library/dd145547.aspx User Properties – Account Tab
Account expires
Sets the account expiration policy for this user. You can select between the following options:
Use Never to specify that the selected account will never expire. This option is the default for new users.
Select End of and then select a date if you want to have the user's account expire on a specified date.
QUESTION NO:22
Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.
You need to create multiple password policies for users in your domain.
What should you do?
A. From the Group Policy Management snap-in, create multiple Group Policy objects.
B. From the Schema snap-in, create multiple class schema objects.
C. From the ADSI Edit snap-in, create multiple Password Setting objects.
D. From the Security Configuration Wizard, create multiple security policies.
Correct Answer: C
Explanation
Explanation/Reference:
Explanation:
Answer: From the ADSI Edit snap-in, create multiple Password Setting objects.
Explanation:
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide ..
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account
lockout policies to different sets of users within a single domain.
..
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active
Directory Domain Services (AD DS) schema:
Password Settings Container
Password Settings
The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.
…
Steps to configure fine-grained password and account lockout policies
When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps:
Step 1: Create a PSO
Step 2: Apply PSOs to Users and Global Security Groups
Step 3: Manage a PSO
Step 4: View a Resultant PSO for a User or a Global Security Group
http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx Step 1: Create a PSO
You can create Password Settings objects (PSOs) in three ways:
Creating a PSO using the Active Directory module for Windows PowerShell
Creating a PSO using ADSI Edit
Creating a PSO using ldifde
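The PowerShell route (Step 1 through Step 4 above) in one script, as an added example that is not part of the exam dump or the TechNet guide. It assumes a domain at the Windows Server 2008 functional level or later, the Active Directory module, and illustrative names (PSO "Admins-PSO", global group "Tier0-Admins", user "jdoe"); the precedence and policy values are choices, not requirements.

```powershell
# Added example: create a PSO, apply it to a global security group, and verify
# the resultant policy for a member. Names below are illustrative.
Import-Module ActiveDirectory

# PSOs can be applied only to users and global security groups, never to OUs.
$group = Get-ADGroup -Filter { Name -eq 'Tier0-Admins' }
if (-not $group) {
    $group = New-ADGroup -Name 'Tier0-Admins' -GroupScope Global -GroupCategory Security -PassThru
}

# Precedence: when a user matches several PSOs the LOWEST value wins; a tie is
# broken by object GUID, so keep precedences unique.
$pso = New-ADFineGrainedPasswordPolicy -Name 'Admins-PSO' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -PassThru

# Apply: this writes the group's DN into the PSO's msDS-PSOAppliesTo attribute.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# Verify (Step 4): a member's resultant policy must be the PSO, not the
# Default Domain Policy. Get-ADUserResultantPasswordPolicy returns $null when
# only the domain policy applies.
$user = Get-ADUser 'jdoe'
Add-ADGroupMember -Identity $group -Members $user
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $resultant -or $resultant.Name -ne 'Admins-PSO') {
    throw "Expected Admins-PSO to apply to $($user.SamAccountName); got '$($resultant.Name)'"
}

# Reverse check: everything this PSO reaches, directly or via group membership.
Get-ADFineGrainedPasswordPolicySubject -Identity $pso | Select-Object Name, ObjectClass
```

Two caveats worth knowing before relying on this: a PSO replaces the whole password and lockout policy for the matched user (there is no merging with the domain policy), and the precedence check only matters once a user sits in several groups with different PSOs, so always confirm with the resultant-policy cmdlet rather than by inspecting the group.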
QUESTION NO:17
Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam's
security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.
You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.
What should you do?
A. Create a new stub zone for the intranet.fabrikam.com domain.
B. Configure conditional forwarding for the intranet.fabrikam.com domain.
C. Create a standard secondary zone for the intranet.fabrikam.com domain.
D. Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.
Correct Answer: B
Explanation
Explanation/Reference:
Explanation:
Answer: Configure conditional forwarding for the intranet.fabrikam.com domain. A secondary zone would need a full zone transfer of intranet.fabrikam.com from Fabrikam's servers, and a stub zone still needs a (partial) transfer of the zone's SOA, NS and glue records, both of which Fabrikam's policy prohibits; a conditional forwarder only sends queries for that domain to Fabrikam's DNS servers and receives answers, so no zone data leaves the Fabrikam network.
Explanation:
http://technet.microsoft.com/en-us/library/cc730756.aspx Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You
can also forward queries according to specific domain names using conditional forwarders.
You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve
locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve
the efficiency of name resolution for the computers in your network. The following figure illustrates how external name queries are directed with forwarders.
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure
a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses
of multiple DNS servers.
Further information:
http://technet.microsoft.com/en-us/library/cc794735(v=ws.10).aspx Assign a Conditional Forwarder for a Domain Name
http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders
QUESTION NO:26
Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named RandD. You create a GPO
named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the RandD organizational unit. You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the RandD organizational unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution.
Choose two.)
A. Configure the Block Inheritance setting on the RandD organizational unit.
B. Configure the Enforce setting on the software deployment GPO.
C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the RandD security group.
D. Configure the Block Inheritance setting on the Production organizational unit.
Correct Answer: AC
Explanation
Explanation/Reference:
Explanation:
Answer: Configure the Block Inheritance setting on the RandD organizational unit. Configure security filtering on the Software Deployment GPO to Deny Apply group
policy for the RandD security group.
Explanation:
http://technet.microsoft.com/en-us/library/cc757050(v=ws.10).aspx Managing inheritance of Group Policy
..
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units
from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For
example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level
(from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.
Enforcing a GPO link You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced.
GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level
(parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link
always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, “enforced” was known as “No override.”
..
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx Security filtering using GPMC
Security filtering Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security
filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether
the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
..
Notes:
GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains and organizational units. However, by using
security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer.
..
The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing.
Further information:
http://technet.microsoft.com/en-us/library/cc731076.aspx Block Inheritance
http://en.wikipedia.org/wiki/Active_Directory#Shadow_groups Active Directory
Shadow groups
In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on
their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges
through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also
within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object
for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain
a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly
update the security groups anytime the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such
groups are known as Shadow Groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to
shadow groups in the Server 2008 Reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins
for managing shadow groups.[5]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by
business unit, by geographical location, by IT Service, or by object type and hybrids of these. OUs should be structured primarily to facilitate administrative
delegation, and secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself
and an administrator of any domain in the forest must be trusted across all domains in the forest.[6]
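The whole scenario of question 26 as one script, added here as an example (not the exam dump's or Microsoft's own code): keep a shadow group in step with the RandD OU, block inheritance on that OU, and put a Deny "Apply Group Policy" ACE for the shadow group on the Software Deployment GPO. Either of the last two steps alone is a complete answer; both are shown so the effect of each can be checked. Assumed and illustrative: domain contoso.com, OU path OU=RandD,OU=Production, group name "RandD-Shadow", GPO name "Software Deployment".

```powershell
# Added example: shadow group maintenance + the two ways of keeping a
# parent-linked GPO off a child OU. Assumed names are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouDn      = 'OU=RandD,OU=Production,DC=contoso,DC=com'
$groupName = 'RandD-Shadow'
$gpoName   = 'Software Deployment'

# --- 1. Shadow group: membership == users directly in the OU (OneLevel) -------
$group = Get-ADGroup -Filter { Name -eq $groupName }
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path $ouDn -PassThru
}
$inOu    = @(Get-ADUser -SearchBase $ouDn -SearchScope OneLevel -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
$inGroup = @(Get-ADGroupMember -Identity $group |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty DistinguishedName)
$toAdd    = $inOu    | Where-Object { $inGroup -notcontains $_ }
$toRemove = $inGroup | Where-Object { $inOu    -notcontains $_ }
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
# Run this on a schedule: membership lags a move into/out of the OU until the next run.

# --- 2. Block inheritance on the child OU (answer A) --------------------------
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null
# Caveat: links marked Enforced above the OU still apply. Show what survives.
(Get-GPInheritance -Target $ouDn).InheritedGpoLinks | Select-Object DisplayName, Enforced

# --- 3. Security filtering: Deny "Apply Group Policy" to the group (answer C) --
$gpo = Get-GPO -Name $gpoName
# Apply-Group-Policy is an extended right identified by this fixed GUID.
$applyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicyRight)
$acl = Get-Acl -Path "AD:\$($gpo.Path)"     # the GPO container under CN=Policies,CN=System
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($gpo.Path)" -AclObject $acl

# Verify through GPMC's view of the same ACL: a Denied entry for the group.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq $groupName -and $_.Denied } |
    Select-Object Trustee, Permission, Denied
```

Note on step 3: Deny ACEs win over the Allow that Authenticated Users gets by default, so a user who is in RandD-Shadow and also in some other group that is allowed will still not apply the GPO. That is why filtering on a shadow group is preferred over editing each user's permissions, and why the shadow group must be kept accurate.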
QUESTION NO:7
Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are
configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.
You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com
zone.
What should you do?
A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.
B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).
C. From the DNS Manager console, modify the permissions of the contoso.com zone.
D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.
Correct Answer: C
Explanation
Explanation/Reference:
Explanation:
Answer: From the DNS Manager console, modify the permissions of the contoso.com zone.
Explanation:
http://technet.microsoft.com/en-us/library/cc753213.aspx Modify Security for a Directory-Integrated Zone
You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the
DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.
Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.
To modify security for a directory-integrated zone:
1. Open DNS Manager.
2. In the console tree, click the applicable zone.
Where?
DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone
3. On the Action menu, click Properties.
4. On the General tab, verify that the zone type is Active Directory-integrated.
5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.
Further information:
http://support.microsoft.com/kb/163971
The Structure of a DNS SOA Record
The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates
that this DNS name server is the best source of information for the data within this DNS domain.
The SOA resource record contains the following information:
Source host – The host where the file was created.
Contact e-mail – The e-mail address of the person responsible for administering the domain's zone file. Note that a "." is used instead of an "@" in the e-mail name.
Serial number – The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a
change is made, so that the changes will be distributed to any secondary DNS servers.
Refresh Time – The time, in seconds, a secondary DNS server waits before querying the primary DNS server's SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server's current SOA record and the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.
Retry time – The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.
Expire time – The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.
Minimum TTL – The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers
how long they should keep the data in cache. The default value is 3,600.
http://technet.microsoft.com/en-us/library/cc787600(v=ws.10).aspx Modify the start of authority (SOA) record for a zone
..
Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate
authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice,
consider using Run as to perform this procedure.
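What "modify the permissions of the contoso.com zone" does underneath, as an added example that is not part of the exam dump or the TechNet article: an AD-integrated zone is a dnsZone object and every record set (including the SOA, stored as the "@" node) is a dnsNode child, so the DNS Manager Security tab is just the DACL on that object. The script grants a user rights on one zone and then shows that the same user has no explicit entry on the other zone or on its SOA node. Assumed and illustrative: domain contoso.com, zones contoso.com and nwtraders.com replicated domain-wide (the DomainDnsZones partition), user "dnsop".

```powershell
# Added example: delegate one AD-integrated zone and verify no rights on another.
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=com'
$user     = Get-ADUser 'dnsop'

function Get-DnsZoneDn([string]$Zone) {
    # Assumes domain-wide replication scope. Forest-wide zones sit under
    # DC=ForestDnsZones; legacy (Windows 2000 style) zones under CN=MicrosoftDNS,CN=System.
    "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
}

function Get-AcesFor([string]$Path, $Principal) {
    # Compare by SID so it does not matter whether the ACE shows a name or a raw SID.
    (Get-Acl -Path "AD:\$Path").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Principal.SID
    } | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Grant on contoso.com: create/delete dnsNode children and read/write their
# properties, inherited to every record in the zone (the SOA "@" node included).
$zoneDn = Get-DnsZoneDn 'contoso.com'
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $user.SID, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$zoneDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Checks: explicit rights on contoso.com, nothing on nwtraders.com or its SOA.
Get-AcesFor $zoneDn $user                                      # the ACE just added
Get-AcesFor (Get-DnsZoneDn 'nwtraders.com') $user              # expect no output
Get-AcesFor "DC=@,$(Get-DnsZoneDn 'nwtraders.com')" $user      # SOA node: expect no output
```

The empty result on nwtraders.com is only half the story: the user may still inherit rights through group membership (DnsAdmins, Domain Admins, or the default Authenticated Users entries), so check the effective permissions for the user as well before signing off on the delegation.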
QUESTION NO:20
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.
You need to implement key archival.
What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.
Correct Answer: D
Explanation
Explanation/Reference:
Explanation:
Answer: Archive the private key on the server.
Explanation:
http://technet.microsoft.com/en-us/library/cc753011.aspx Enable Key Archival for a CA
Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the
recovery agent for the certification authority (CA).
You must be a CA administrator to complete this procedure.
To enable key archival for a CA:
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. Click the Recovery Agents tab, and then click Archive the key.
5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key.
The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.
6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.
7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.
8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.
Further information:
http://technet.microsoft.com/en-us/library/ee449489(v=ws.10).aspx Key Archival and Management in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc730721.aspx Managing Key Archival and Recovery
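The same configuration checked and exercised from the command line, as an added example that is not part of the exam dump or the TechNet procedure. The certutil verbs and registry value names are real; the CA configuration string, user and file paths are illustrative. It assumes the prerequisites the article lists (a key recovery agent certificate enrolled and registered on the Recovery Agents tab, and a certificate template with key archival enabled) and that the KRA's private key is in the current user's store when the recovery step runs.

```powershell
# Added example: confirm key archival is active on the CA, find archived keys,
# and recover one. Names and paths are illustrative.
$caConfig = 'CA01.contoso.com\Contoso Issuing CA'

# 1. Archival state. KRACertCount > 0 means the CA encrypts each archived key to
#    that many KRA certificates (the "Number of recovery agents to use" field).
certutil -config $caConfig -getreg CA\KRACertCount
certutil -config $caConfig -getreg CA\KRACertHash

# 2. Which issued certificates carry an archived key? KeyRecoveryHashes is
#    populated only for requests that included the private key (Disposition 20 = issued).
certutil -config $caConfig -view -restrict "Disposition=20" -out "RequestID,RequesterName,KeyRecoveryHashes"

# 3. Recovery: export the encrypted recovery blob for the user's certificates,
#    then decrypt it with the KRA's private key into a password-protected PFX.
$blob = Join-Path $env:TEMP 'jdoe.rec'
$pfx  = Join-Path $env:TEMP 'jdoe.pfx'
certutil -config $caConfig -getkey 'jdoe@contoso.com' $blob
certutil -p 'choose-a-strong-pfx-password' -recoverkey $blob $pfx

# 4. Clean up: the blob and PFX are as sensitive as the user's key. Deliver the
#    PFX over a channel you trust, then remove both copies.
Remove-Item $blob, $pfx -Force
```

Before turning this on in production, enable "Store and retrieve archived keys" on the CA's Auditing tab so every recovery leaves an event, and treat the KRA private key as the master key it is: keep it off the CA, ideally on a smart card or HSM, because whoever holds it can decrypt every archived key.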
QUESTION NO:25
Your company has an Active Directory domain named ad.contoso.com. The domain has two domain controllers named DC1 and DC2. Both domain controllers
have the DNS server role installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network. You configure DC1 to forward all unresolved name requests to
DNS1.contoso.com. You discover that the DNS forwarding option is unavailable on DC2.
You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Clear the DNS cache on DC2.
B. Configure conditional forwarding on DC2.
C. Configure the Listen On address on DC2.
D. Delete the Root zone on DC2.
Correct Answer: BD
Explanation
Explanation/Reference:
Explanation:
Answer: Delete the Root zone on DC2.
Configure conditional forwarding on DC2.
Explanation:
http://technet.microsoft.com/en-us/library/cc754941.aspx Configure a DNS Server to Use Forwarders
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that
network. You can also configure your server to forward queries according to specific domain names using conditional forwarders. http://
social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5- a342f9e169f5/
Deleting .root dns zone in 2008 DNS
Q: We have 2 domain controllers and a .root zone is created in the DNS, due to which the external name resolution is not possible. I had tried to add conditional forwarders but I get an error saying that conditional forwarders cannot be created on root DNS servers.
A 1: If you have a "root" zone created in your DNS, and you no longer want that configuration, you can just simply delete that zone. There is no reason to have a root "." zone hosted unless you want to make sure that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name resolution. If you delete this zone, the DNS server will be able to use its root hints, or forwarders, to resolve queries for zones it's not authoritative for.
A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access while promoting the first DC. Just remove it, and the Forwarders option reappears.
Further information:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
http://technet.microsoft.com/en-us/library/cc731879(v=ws.10).aspx Reviewing DNS Concepts
Delegation
For a DNS server to answer queries about any name, it must have a direct or indirect path to every zone in the namespace. These paths are created by means of delegation. A delegation is a record in a parent zone that lists a name server that is authoritative for the zone in the next level of the hierarchy. Delegations make it possible for servers in one zone to refer clients to servers in other zones. The following illustration shows one example of delegation.
The DNS root server hosts the root zone represented as a dot ( . ). The root zone contains a delegation to a zone in the next level of the hierarchy, the com zone. The delegation in the root zone tells the DNS root server that, to find the com zone, it must contact the Com server. Likewise, the delegation in the com zone tells the Com server that, to find the contoso.com zone, it must contact the Contoso server.
Note: A delegation uses two types of records. The name server (NS) resource record provides the name of an authoritative server. Host (A) and host (AAAA) resource records provide IP version 4 (IPv4) and IP version 6 (IPv6) addresses of an authoritative server.
This system of zones and delegations creates a hierarchical tree that represents the DNS namespace. Each zone represents a layer in the hierarchy, and each delegation represents a branch of the tree. By using the hierarchy of zones and delegations, a DNS root server can find any name in the DNS namespace.
The root zone includes delegations that lead directly or indirectly to all other zones in the hierarchy. Any server that can query the DNS root server can use the
information in the delegations to find any name in the namespace.
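Questions 17 and 25 are two halves of the same procedure, shown here as one added example that is not part of the exam dump or of the TechNet/forum material: detect and remove a root "." zone that hides the Forwarders tab and blocks conditional forwarders, then create a conditional forwarder for a partner domain and confirm resolution works without any zone data being transferred. The dnscmd syntax is the real one; the server name, partner zone and address are illustrative.

```powershell
# Added example: fix a self-declared "root" DNS server, then add and test a
# conditional forwarder. Server/zone/IP values are illustrative.
$dnsServer   = 'DC2'
$partnerZone = 'intranet.fabrikam.com'
$partnerDns  = '10.20.0.53'

# A hosted "." zone tells the server it IS the root: it will never consult root
# hints or forwarders, and the console refuses conditional forwarders.
$zones = dnscmd $dnsServer /EnumZones
if ($zones -match '^\s*\.\s') {
    Write-Host "Root zone present on $dnsServer - deleting it"
    dnscmd $dnsServer /ZoneDelete . /f          # add /DsDel if the zone is AD-integrated
}

# Conditional forwarder: queries for names under $partnerZone go to the partner's
# server; nothing is copied, unlike a secondary (full AXFR) or stub (SOA/NS/glue).
# /DsForwarder stores it in AD DS so every DNS-enabled DC picks it up;
# use /Forwarder instead for a single-server, file-backed forwarder.
dnscmd $dnsServer /ZoneAdd $partnerZone /DsForwarder $partnerDns

# Checks:
dnscmd $dnsServer /ZoneInfo $partnerZone        # zone type must be Forwarder; it holds no records
nslookup -type=A "dc1.$partnerZone" $dnsServer  # "Non-authoritative answer" = came via the forwarder
```

Two things to verify afterwards. First, after deleting the root zone the server-level Forwarders tab reappears; if you also want Internet names resolved, set those forwarders (dnscmd /ResetForwarders) or rely on root hints. Second, the conditional forwarder only helps if the partner's server answers queries from your address range; that is a firewall and DNS-policy conversation with Fabrikam, not a zone transfer request.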
QUESTION NO:6
Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management
Services (AD RMS). You install Microsoft SQL Server 2005. When you attempt to open the AD RMS administration Web site, you receive the following error
message: “SQL Server does not exist or access denied.” You need to open the AD RMS administration Web site.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A. Restart IIS.
B. Manually delete the Service Connection Point in AD DS and restart AD RMS.
C. Install Message Queuing.
D. Start the MSSQLSVC service.
Correct Answer: AD
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc747605(v=ws.10).aspx#BKMK_1 RMS Administration Issues
“SQL Server does not exist or access denied” message received when attempting to open the RMS Administration Web site
If you installed RMS using a new installation of SQL Server 2005 as the database server, the SQL Server service might not be started. In SQL Server 2005, the MSSQLSERVER service is not configured to start automatically when the server starts. If you have restarted the SQL Server since installing RMS and have not configured this service to start automatically, RMS will not function and only the RMS Global Administration page will be accessible. After you have started the MSSQLSERVER service, you must restart IIS on each RMS server in the cluster to restore RMS functionality.
QUESTION NO:14
Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All
computers, including non-domain members, dynamically register their DNS records.
You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.
What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.
Correct Answer: A
Explanation
Explanation/Reference:
Explanation:
Answer: Set dynamic updates to Secure Only.
http://technet.microsoft.com/en-us/library/cc753751.aspx Allow Only Secure Dynamic Updates
Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever
changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic
Host Configuration Protocol (DHCP) to obtain an IP address. Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that
are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS
Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
Further information:
http://technet.microsoft.com/en-us/library/cc771255.aspx Understanding Dynamic Update
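An audit-and-fix script for the setting in question 14, as an added example that is not part of the exam dump or the TechNet article. It reads every zone on a DNS server through the MicrosoftDNS WMI provider (present on Windows Server 2008 and later), reports the dynamic update mode, and switches AD-integrated zones that still accept nonsecure updates to Secure Only; file-backed zones are only reported, because Secure Only is valid only for directory-integrated zones. The server name is illustrative.

```powershell
# Added example: find zones accepting nonsecure dynamic updates and harden the
# AD-integrated ones. Server name is illustrative.
$dnsServer = 'DC1'

# MicrosoftDNS_Zone.AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
$modeName = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

$zones = Get-WmiObject -ComputerName $dnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
         Where-Object { $_.ZoneType -le 1 }      # 0 = DS-integrated, 1 = primary; skip secondary/stub/forwarder

$changed = @()
foreach ($z in $zones) {
    $mode = $modeName[[int]$z.AllowUpdate]
    if ($z.AllowUpdate -ne 1) {
        Write-Host ("{0,-30} {1}" -f $z.Name, $mode)
        continue
    }
    if ($z.DsIntegrated) {
        $z.AllowUpdate = 2                       # Secure Only
        $z.Put() | Out-Null
        $changed += $z.Name
        Write-Host ("{0,-30} {1} -> Secure only" -f $z.Name, $mode)
    } else {
        Write-Warning "$($z.Name): file-backed primary accepts nonsecure updates; convert it to AD-integrated first"
    }
}

# Re-read to confirm the change stuck (Put() returns before the server reloads).
foreach ($name in $changed) {
    $z = Get-WmiObject -ComputerName $dnsServer -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
         Where-Object { $_.Name -eq $name }
    if ($z.AllowUpdate -ne 2) { throw "$name did not switch to Secure Only" }
}
```

What changes for clients: with Secure Only, an update is accepted only if the sender authenticates (GSS-TSIG) and has write access to the dnsNode, and the first registrant of a name becomes its owner, so a domain-joined machine cannot overwrite another's record. Devices that are not domain members (printers, appliances) will stop registering; give them static records or let the DHCP server register on their behalf with a dedicated account in the DnsUpdateProxy group.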
QUESTION NO:11
Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role
installed.
You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.
What should you do?
A. Add and configure a new account partner.
B. Add and configure a new resource partner.
C. Add and configure a new account store.
D. Add and configure a Claims-aware application.
Correct Answer: C
Explanation
Explanation/Reference:
Explanation:
http://technet.microsoft.com/en-us/library/cc732095.aspx Understanding Account Stores
Active Directory Federation Services (AD FS) uses account stores to log on users and extract security claims for those users. You can configure multiple account
stores for a single Federation Service. You can also define their priority. The Federation Service uses Lightweight Directory Access Protocol (LDAP) to
communicate with account stores. AD FS supports the following two account stores:
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services (AD LDS)
70-640 Latest questions and answers on Google Drive(100% Free Download): https://drive.google.com/file/d/0B_3QX8HGRR1mVl9KSnc1OEg0LXc/view?usp=sharing
70-640 Microsoft exam dumps (100% Pass Guaranteed) from CertBus: http://www.certgod.com/70-640.html [100% Exam Pass Guaranteed]