70-640 Flashcards
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
Only one Active-Directory integrated zone has been configured in the ABC.com domain. ABC.com has requested that you configure DNS zone to automatically remove DNS records that are outdated.
What action should you consider?
A. You should consider running the netsh /Reset DNS command from the Command prompt.
B. You should consider enabling Scavenging in the DNS zone properties page.
C. You should consider reducing the TTL of the SOA record in the DNS zone properties page.
D. You should consider disabling updates in the DNS zone properties page.
Answer:
B. You should consider enabling Scavenging in the DNS zone properties page.
Explanation: In the scenario you should enable scavenging through the zone properties because scavenging removes the outdated DNS records from the DNS zone automatically. You should additionally note that patience is required when enabling scavenging, as there are some safety valves built into scavenging that take a long time to pop.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR15. You install the Active Directory Lightweight Directory Services (AD LDS) on ABC-SR15.
Which of the following options can be used for the creation of new Organizational Units (OUs) in the application directory partition of the AD LDS?
A. You should run the net start command on ABC-SR15.
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
C. You should run the repadmin /dsaguid command on ABC-SR15.
D. You should open the Active Directory Users and Computers Console on ABC-SR15.
Answer:
B. You should open the ADSI Edit Microsoft Management Console on ABC-SR15.
Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS application directory partition. You also need to add the snap-in in the Microsoft Management Console (MMC).
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two domain controllers named ABC-DC01 and ABC-DC02. ABC-DC01 suffers a catastrophic failure. This failure is causing problems because ABC-DC01 was configured to host Schema Master Operations role. You log on to the ABC.com domain as a domain administrator but your attempts to transfer the Schema Master Operations role to ABC-DC02 are unsuccessful.
What action should you take to transfer the Schema Master Operations role to ABC-DC02?
A. Your best option would be to have the dcpromo /adv command executed on ABC-DC02.
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
C. Your best option would be to have Schmmgmt.dll registered on ABC-DC02.
D. Your best option would be to add your user account to the Schema Administrators group.
Answer:
B. Your best option would be to have the Schema Master role seized to ABC-DC02.
Explanation: To ensure that ABC-DC02 holds the Schema Master role you need to seize the Schema Master role on ABC-DC02. Seizing the schema master role is a drastic step that should be considered only if the current operations master will never be available again. So to transfer the schema master operations role, you have to seize it on ABC-DC02.
You work as the network administrator at ABC.com. The ABC.com network has a single forest. The forest functional level is set at Windows Server 2008.
The ABC.com network has a Microsoft SQL Server 2005 database server named ABC-DB04 that hosts the Active Directory Rights Management Service (AD RMS).
You try to access the Active Directory Rights Management Services administration website but received an error message stating:
“SQL Server does not exist or access is denied.”
How can you access the AD RMS administration website?
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
B. You need to install the Active Directory Lightweight Directory Services (AD LDS) on ABC-DB04.
C. You need to reinstall the AD RMS instance on ABC-DB04.
D. You need to reinstall the SQL Server 2005 instance on ABC-DB04.
E. You need to run the DCPRO command on ABC-SR04.
Answer:
A. You need to restart the Internet Information Server (IIS) service and the MSSQLSVC service on ABC-DB04.
Explanation: You need to restart the Internet Information Server (IIS) to correct the problem. Starting the MSSQLSVC service will allow you to access the database from the AD RMS administration website.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has a Windows Server 2008 computer named ABC-SR03 that functions as an Enterprise Root certificate authority (CA).
A new ABC.com security policy requires that revoked certificate information should be available for examination at all times.
What action should you take to adhere to the new policy?
A. This can be accomplished by having a list of trusted certificate authorities published to the ABC.com domain.
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
C. This can be accomplished by having the OCSP Response Signing certificate imported.
D. This can be accomplished by having the Startup Type of the Certificate Propagation service set to Automatic.
E. This can be accomplished by having the computer account of ABC-SR03 added to the ABCCertificates group.
Answer:
B. This can be accomplished by having the Online Certificate Status Protocol (OCSP) responder implemented.
Explanation: You should use the network load balancing and publish an OCSP responder. This will ensure that the revoked certificate information will be available at all times. You do not need to download the entire CRL to check for revocation of a certificate; the OCSP is an online responder that can receive a request to check for revocation of a certificate. This will also speed up certificate revocation checking as well as reducing network bandwidth tremendously.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
You are responsible for managing two servers named ABC-SR01 and ABC-SR02. They are set up with the following configuration:
- ABC-SR01 running Enterprise Root certificate authority (CA)
- ABC-SR02 running Online Responder role service
What actions must you perform for the Online Responder to be supported on ABC-SR01?
A. You should enable the Dual Certificate List extension on ABC-SR01.
B. You should ensure that ABC-SR01 is a member of the CertPublishers group.
C. You should import the OCSP Response Signing certificate to ABC-SR01.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
E. You should run the CERTSRV command on ABC-SR01.
Answer:
D. You should enable the Authority Information Access (AIA) extension on ABC-SR01.
Explanation: In order to configure the online responder role service on ABC-SR01 you need to configure the AIA extension. The authority information access extension will indicate how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. This extension may be included in subject or CA certificates, and it MUST be non-critical.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.
The ABC.com network has a client computer named ABC-WS640 that was last used six months ago. During the course of the day you attempt to log on to ABC-WS640 but you are unable to authenticate during the logon process.
What action should you consider in order to log on to ABC-WS640?
A. You should consider opening the command prompt on ABC-WS640 and running the netsh set machine command.
B. You should consider opening the command prompt on ABC-WS640 and running the repadmin command.
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
D. You should consider deleting the computer account for ABC-WS640 in Active Directory Users and Computers, and then recreate the computer account.
Answer:
C. You should consider removing ABC-WS640 from the domain and then rejoining it.
Explanation: In the scenario you should have the computer disjoined from the domain and rejoined to the domain whilst having the computer account reset as well. You should additionally note that the long inactivity caused the computer to stop responding to the authentication query using the Active Directory records. Disjoining and rejoining, with the account being reset, would refresh the computer account passwords.
You work as an enterprise administrator at ABC.com. The ABC.com network has a forest with a domain named ABC.com.
The ABC.com network has a Windows Server 2008 domain controller named ABC-DC01 that hosts the Directory Services Recovery Mode (DSRM) role.
What would be the best option to take to have the DSRM password reset?
A. The best option is to open the Active Directory Security for Computers snap-in.
B. The best option is to run the ntdsutil command.
C. The best option is to run the Netsh command.
D. The best option is to open the Domain Controller security snap-in.
Answer:
B. The best option is to run the ntdsutil command.
Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has two offices in Chicago and Dallas.
The network has the following setup.
- Chicago Office - Domain Controller named ABC-DC01
- Dallas Office - Read-Only Domain Controller named ABC-DC02
How can you make sure that Dallas Office users use only ABC-DC02 for authentication?
A. You should consider having ABC-DC02 configured as a bridgehead server in the Dallas office.
B. You should consider installing and configuring the Password Replication Policy on ABC-DC02.
C. You should consider having ABC-DC01 configured as a bridgehead server in the Chicago office.
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
E. You should consider having the Global Catalog installed on ABC-DC01.
Answer:
D. You should consider installing and configuring the Password Replication Policy on ABC-DC01.
Explanation: When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
You work as the network administrator at ABC.com. The ABC.com network has a domain named intl.ABC.com. All servers on the ABC.com network run Windows Server 2008. The domain controllers on the ABC.com domain are configured to function as DNS servers.
What action should you take to ensure that computers that are not part of the intl.ABC.com domain are not able to dynamically register their DNS registration information in the intl.ABC.com zone?
A. You should consider removing the .(root) zone from the intl.ABC.com zone.
B. You should consider running the dnscmd /AgeAllRecords command.
C. You should consider configuring Secure Only dynamic updates.
D. You should consider configuring the intl.ABC.com zone as an Active Directory integrated zone.
Answer:
C. You should consider configuring Secure Only dynamic updates.
Explanation: In order to ensure that only domain members are able to register their DNS records dynamically you need to set the option Secure only for Dynamic updates. This will only allow the domain members to register their DNS records dynamically.
You work as a network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two servers named ABC-SR01 and ABC-SR02 that are configured as domain controllers and as DNS servers. Both servers have the following setup for the ABC.com domain.
- ABC-SR01 - Standard Primary zone
- ABC-SR02 - Standard Secondary zone.
You have to perform the following tasks:
- Perform the replication of ABC.com Zone Data
- Make sure that Zone Data maintains encryption
- Prevent the loss of Zone Data
How can you accomplish these goals? (Each correct answer presents part of the solution. Choose TWO.)
A. You should consider having the zone transfer settings configured on ABC-SR01 and ABC-SR02.
B. You should consider having the primary zone on ABC-SR02 converted to an Active Directory-integrated stub zone.
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory-integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
E. You should consider having the primary zone on ABC-SR01 deleted.
Answer: C,D
C. You should consider having the primary zone on ABC-SR01 converted to an Active Directory-integrated zone.
D. You should consider having the secondary zone on ABC-SR02 deleted.
Explanation: In the scenario you should have the ABC.com primary zone converted to an active directory-integrated zone and delete the secondary zone as this would ensure replication of the ABC.com zone is encrypted whilst preventing data loss.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
All master roles in the forest are maintained at a domain controller ABC-DC01. You have another domain controller in the network named ABC-DC02 which contains better hardware and can improve performance. ABC-DC01 is to be removed from the network.
Which option can you select in order to ensure that proper roles are transferred to ABC-DC02 without disrupting the forest wide operations?
A. You should consider transferring the RID Master role and the Schema master role.
B. You should consider transferring the Schema master role and the Domain naming master role.
C. You should consider transferring the Infrastructure master role and the PDC emulator role.
D. You should consider transferring the Infrastructure master role and the Domain naming master role.
E. You should consider transferring the RID Master role and the PDC emulator role.
Answer:
B. You should consider transferring the Schema master role and the Domain naming master role.
Explanation: In order to transfer all forest-wide operation master roles to another domain you need to transfer Domain naming master as well as the Schema master. Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008. The ABC.com network has a domain controller named ABC-DC01 that has a single hard drive named Drive C. Drive C hosts the ntds.dit database. You have installed an additional hard drive named Drive D on ABC-DC01.
What would be the best option to take to transfer the ntds.dit database to Drive D?
A. The best option is to run the Ntdsutil command with the Files option.
B. The best option is to open the Windows PowerShell and use the Copy and Paste functions.
C. The best option is to run the xcopy command.
D. The best option is to open the Windows Explorer and use the Cut and Paste functions.
Answer:
A. The best option is to run the Ntdsutil command with the Files option.
Explanation: The way you move the Active Directory database to a new volume, is to move the ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition.
You work as the network administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has a server named ABC-SR01 that functions as an Enterprise Root certificate authority (CA).
What action should you take to configure ABC-SR01 to support key archival?
A. The Hisecdc security template should be applied to ABC-SR01.
B. The OCSP Response Signing certificate should be imported to ABC-SR01.
C. The private key on ABC-SR01 should be archived.
D. The Startup Type of the Certificate Propagation service on ABC-SR01 should be set to Automatic.
Answer:
C. The private key on ABC-SR01 should be archived.
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com that operates at the Windows Server 2008 functional level.
How can you configure the network so that it allows the users of ABC.com to have multiple password policies?
A. You should consider creating multiple class schema objects in the Schema console.
B. You should consider creating multiple Group Policy objects in the Group Policy Management console.
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
D. You should consider creating multiple passwords in Active Directory Users and Computers.
Answer:
C. You should consider creating multiple Password Setting objects in the ADSI Edit console.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com Network contains a server which is configured as:
- Domain Controller
- DNS Server
What option can you use to ensure tracking of all DNS queries received by ABC-SR01?
A. You should consider having automatic logging for recursive queries enabled in the DNS Manager Console on ABC-SR01.
B. You should consider having debug logging enabled in the DNS Manager Console on ABC-SR01.
C. You should consider having event logging configured in the DNS Manager Console on ABC-SR01.
D. You should consider having system event logging configured in the Event Viewer on ABC-SR01.
Answer:
B. You should consider having debug logging enabled in the DNS Manager Console on ABC-SR01.
You work as an enterprise administrator at ABC.com. All servers on the ABC.com network run Windows Server 2008. ABC.com has its headquarters in Chicago and a branch office in Miami. The two offices are configured as separate sites.
The Miami site contains a domain controller named ABC-DC06. You receive an instruction from the CIO to install a new application at the Miami office. In order for the application to run a Global Catalog server is required.
What action should you consider to add a Global Catalog server to the Miami site?
A. You should consider running the DCPROMO command on ABC-DC06 to install the Global Catalog.
B. You should consider using the Server Manager console to configure ABC-DC06 as a Global Catalog server.
C. You should consider using the Active Directory Domains and Trusts console to configure ABC-DC06 as a Global Catalog server.
D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a Global Catalog server.
Answer:
D. You should consider using the Active Directory Sites and Services console to configure the ABC-DC06 as a Global Catalog server.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The network contains two sites named London and Paris. The following configuration applies to each location.
London
- Single Domain Controller named ABC-DC01
- Separate Active Directory Site.
Paris
- Single Domain Controller named ABC-DC02
- Separate Active Directory Site.
Network Setup
- Both Active Directory Sites are using DEFAULTIPSITELINK object for connectivity.
What action should you take to reduce the delay during replication between ABC-DC01 and ABC-DC02?
A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
B. You should consider having the replication schedule for the DEFAULTIPSITELINK object increased.
C. You should consider having the cost for the DEFAULTIPSITELINK object decreased.
D. You should consider having a site link bridge installed between ABC-DC01 and ABC-DC02.
Answer:
A. You should consider having the replication interval for the DEFAULTIPSITELINK object decreased.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has two servers named ABC-SR01 and ABC-SR02.
- ABC-SR01 - Enterprise Root certificate authority (CA).
- ABC-SR02 - Hosts the Online Responder role.
What step can you perform to make sure that ABC-SR02 is issuing the certificate revocation lists (CRL)?
A. You should enable the Dual Certificate List extension on ABC-SR02.
B. You should ensure that ABC-SR02 is a member of the CertPublishers group.
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
D. You should enable the Authority Information Access (AIA) extension on ABC-SR02.
E. You should run the CERTSRV command on ABC-SR02.
Answer:
C. You should import the enterprise root CA certificate and the OCSP Response Signing certificate.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers run Windows Vista.
During the course of the day an ABC.com user named Rory Allen complains that he cannot log on to the ABC.com domain from his client computer. When he attempts to, he receives an error message stating that his account has expired.
What action should you consider to have Rory Allen log on to the ABC.com domain from his client computer?
A. You should consider reducing the account lockout duration in the default domain policy.
B. You should consider resetting Rory Allen’s user account.
C. You should consider setting Rory Allen’s user account to never expire.
D. You should consider resetting the computer account for Rory Allen’s client computer.
Answer:
C. You should consider setting Rory Allen’s user account to never expire.
You work as the network administrator at ABC.com. ABC.com has its headquarters in London. The ABC.com network has a domain named ABC.com that consists of a single Active Directory site named LondonSite. The LondonSite contains a domain controller named ABC-DC01.
ABC.com opens a branch office in York and you create another Active Directory site named YorkSite.
How can you have Active Directory replication configured between the two sites?
A. You need to consider installing a new domain controller in YorkSite and creating a site link between the two sites. Then you should consider decreasing the site link cost.
B. You need to consider installing a new domain controller in the LondonSite and configuring it as a preferred bridgehead server.
C. You need to consider installing a new domain controller in the LondonSite and configuring a new site link bridge between the two sites.
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.
Answer:
D. You need to consider installing a new domain controller in the YorkSite and configuring a new IP subnet for the YorkSite.
You work as the enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. The ABC.com network has three domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03 that run Windows Server 2003. ABC.com purchases a new Windows Server 2008 computer named ABC-SR04.
What is the first step you should take to install ABC-SR04 as a domain controller on the ABC.com network?
A. You should consider running the dconfig command on ABC-SR04.
B. You should consider running the adprep /forestprep command on ABC-DC01.
C. You should consider raising the domain functional level to Windows Server 2008.
D. You should consider running the adprep /domainprep command on ABC-DC01.
E. You should consider running the dcpromo /remove command on ABC-DB01, ABC-DB02 and ABC-DB03.
Answer:
B. You should consider running the adprep /forestprep command on ABC-DC01.
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
A new ABC.com domain controller management policy states that replication errors need to be logged to a central server.
How would you implement this policy?
A. You should consider having the RepMonitor configured for central logging.
B. You should consider having the System Performance data collector set started on each domain controller.
C. You should consider having event log subscriptions created on each domain controller.
D. You should consider having the RepAdmin Diagnostics data collector started on each domain controller.
Answer:
C. You should consider having event log subscriptions created on each domain controller.
You work as the network administrator at ABC.com. The ABC.com network has a domain named ABC.com. All servers on the ABC.com network run Windows Server 2008.
The ABC.com network has six domain controllers named ABC-DC01, ABC-DC02, ABC-DC03, ABC-DC04, ABC-DC05 and ABC-DC06. All six domain controllers function as DNS servers. You are in the process of implementing a new Active Directory-integrated DNS zone.
What action should you take first if you want the new zone replicated only to ABC-DC05 and ABC-DC06?
A. You should consider having the dnscmd /createdirectorypartition command executed on ABC-DC05 and ABC-DC06.
B. You should consider having the dnscmd /config command executed on ABC-DC05 and ABC-DC06.
C. You should consider having the .(root) zone deleted from ABC-DC01, ABC-DC02, ABC-DC03 and ABC-DC04.
D. You should consider having BIND secondaries enabled on ABC-DC05 and ABC-DC06.
E. You should consider having the dnscmd /unenlistdirectorypartition command executed on ABC-DC01, ABC-DC02, ABC-DC03 and ABC-DC04.
Answer:
A. You should consider having the dnscmd /createdirectorypartition command executed on ABC-DC05 and ABC-DC06.