Review 70-640 Flashcards

Review terms and things from 70-640, Server 2008 and R2. Google, TechNet, cert books, CBT Nuggets, VTC :(

1
Q

What is the SOA

A

First record in any zone file, it identifies the primary name server within the domain. It also includes other properties such as an administrator email address and caching properties for the zone.

2
Q

What is the A and AAAA (host)

A

Contains the computer name to IPv4 (A) or IPv6 (AAAA) address mappings for all hosts found in the domain, thereby identifying these hostnames.

3
Q

NS (Name Server)

A

Contains the DNS servers that are authoritative in the domain. This includes both the primary DNS servers and any secondary DNS servers.

4
Q

What does DSmod do?

A

Dsmod is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. Dsmod commands: computer, contact, group, ou, server, user, quota, partition. Each modifies attributes of one or more existing objects of that type.

5
Q

Auditpol

A

Displays information about and performs functions to manipulate audit policies.
/get, /set, /list, /backup, /restore, /clear, /remove, /resourceSACL

6
Q

Certutil

A

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.

7
Q

ntdsutil

A

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. (authoritative restore, configurable settings, DS behavior, files, group membership evaluation, ifm, ldap policies, local roles, metadata cleanup, partition management, roles, security account management, semantic database analysis, set DSRM password, snapshot.)

8
Q

dsmgmt

A

Facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.), set DSRM password, roles, metadata cleanup, ldap policies, ds behavior (AD DS and AD LDS)

9
Q

gpfixup

A

Fix domain name dependencies in Group Policy Objects (GPOs) and Group Policy links after a domain rename operation

10
Q

Which of the following are components of the DNS namespace? Root Domains, Top level domains, second level domains, host names, netbios names.

A

Root domains, top level domains, second level domains, host names.

11
Q

Which of the following is most likely to cause a problem when installing a DNS server? The server is not configured as a domain controller; the server has only a single network adapter; the server is not configured with a static IP address; the server is not configured with the application server role.

A

The server is not configured with a static IP address.

12
Q

What tool do you use to install DNS on a windows server 2008 R2 computer? add roles wizard; add features wizard, dns manager, control panel add or remove programs.

A

Add roles wizard

13
Q

What DNS zone type contains source information about authoritative name server for its zone only? primary zone, secondary zone, forwarding zone, stub zone, active directory-integrated zone.

A

Stub zone

14
Q

You set up two Windows Server 2008 R2 servers as domain controllers and configured them with Active Directory-integrated DNS zones. You have configured another Windows Server 2008 R2 computer as a DNS server. You do not intend to promote this server to domain controller, but you want it to include a backup copy of the DNS zone data for your domain. What DNS zone type should you configure?

A

Secondary zone

15
Q

Your network has several older servers that have static records with single-label names. Historically, you have used WINS for name resolution with these servers, but the WINS server is being removed as your network is being converted to IPv6. What zone type should you configure to support these servers.

A

primary zone

16
Q

You are configuring a reverse lookup zone for your network, which uses the Class C network address range of 192.168.5.0/24. Which of the following addresses should you use for the reverse lookup zone?

A

5.168.192.in-addr.arpa

17
Q

Which type of resource record would you use to specify a host name to IPv6 address mapping for a computer in your domain.

A

AAAA

18
Q

Your AD DS network contains a Windows Server 2008 R2 machine that hosts both a web server and an FTP server, which are configured with two different FQDNs. You want to ensure that clients are directed properly to this machine. What type of resource record should you specify?

A

PTR (Pointer).

19
Q

You are configuring DNS on your AD DS network and want to ensure that only computers with existing domain accounts can update DNS records. What option should you specify?

A

Make it an active directory integrated account.

20
Q

Your network is experiencing heavy traffic to and from the DNS server because of large numbers of client requests. On examining DNS server logs and talking to users on the network, you discover that many users are repeatedly accessing the same FQDNs. What should you do to reduce the DNS network traffic in this situation.

A

Increase the minimum default TTL value (so the records hang around longer and they don’t have to keep asking for them)

21
Q

You are configuring the properties of a secondary DNS server on your network. You want to ensure that the secondary DNS server is kept up-to-date with respect to changes in resource records at the primary DNS server, so you access the Start of Authority (SOA) tab of your server’s Properties dialog box. What should you do?

A

Increase the refresh interval.

22
Q

You are responsible for administering DNS on your company’s AD DS domain. All domain controllers are configured as DNS servers with an Active Directory-integrated zone. When checking the configuration of a DNS server, you notice that the zone includes resource records for computers that were removed from the network several weeks ago. What should you do to ensure that these records are removed immediately?

A

X

23
Q

Which of the following are best practices that you should follow when planning an AD DS domain structure? Employ a test lab; prepare thorough documentation; keep everyone, including top managers, informed; understand thoroughly the network’s TCP/IP infrastructure; develop and adhere to an adequate security policy; know the capabilities of your WAN links.

A

x

24
Q

On which editions of Windows Server 2008 R2 can you install the AD DS role?

A

Foundation, standard, enterprise, datacenter.

25
Q

Define “Publishing” software

A

Typically, after you publish a software package to users in a site, domain, or OU, the users can use Add or Remove Programs to install the software

26
Q

Define “Assigning” software

A

The application is fully installed by the user from the Start menu, from Add or Remove Programs, from a desktop shortcut, or by opening a document (on demand) that has a file name extension that is associated with the application. Only the local or network administrator can remove the software, though a user can repair the software. If you assign many applications instead of publishing them, you can cause congestion between client computers and the software distribution point servers. Use DFS to distribute the server load among multiple servers.

27
Q

Which of the following tools can you use to install AD DS on a server running Windows Server 2008 R2 (choose two): dcpromo.exe; manage your server tool; configure your server tool; add roles wizard; add features wizard.

A

dcpromo.exe, add roles wizard.

28
Q

Which of the following conditions would represent a problem when you are attempting to install the first domain controller in your domain? A DHCP server is not present; a DNS server is not present; hard disk formatted to FAT32; hard disk of only 10 GB free space.

A

hard disk formatted to fat32

29
Q

Which of the following is a new AD DS administrative tool included with Windows Server 2008 R2 and was not present in older versions.

A

Active directory administrative console. ADAC

30
Q

Your computer is running the server core edition of windows server 2008 r2. you want to promote this server to domain controller, what should you do.

A

reload everything from scratch. no upgrade path.

31
Q

What can a domain local group contain and how is it used

A

User account from any domain in forest; global or universal from any domain in forest; user accounts, global or universal groups from a trusted forest domain; other domain local groups from the same domain. Usage: Resources in local domain.

32
Q

What can a global group contain and how is it used

A

User account in same domain, other global groups from the same domain. Usage: Any domain in forest or trusted forests.

33
Q

What can a universal group contain and how is it used

A

Users, global groups, or universal groups from any domain in forest. Usage: Any domain in forest or trusted forests.

34
Q

What does LDIFDE do?

A

draft internet standard for LDAP systems, block-based format, multiple operations separated by blank line, can modify or move existing objects, import and export active directory objects, export is default in command line, import with -i in command line, cannot import a user password (meaning all accounts are disabled at creation)

35
Q

What does CSVDE do?

A

Uses comma-delimited text file (CSV), first line defines attributes, data lines must have corresponding attributes, cannot modify or move existing objects, import and export active directory objects, export is default in command line, import with -i in command line, cannot import a user password (meaning all accounts are disabled at creation)

36
Q

What are the main points of the PDC emulator

A

Primary domain controller emulator is the password authority, the domain master browser, the master time source, acts as a PDC for NT4, always is the place where GPOs so there are no conflicts.

37
Q

What does IPSEC do?

A

Summary: Internet Protocol security (IPSec) is a protocol, not a service, that provides encryption, integrity, and authentication services for IP-based network traffic. Because IPSec provides server-to-server protection, you can use IPSec to counter internal threats to the network, including eavesdropping, tampering, man in the middle attacks, IP spoofing, and other password-based attacks. IPSec is completely transparent to applications because encryption, integrity, and authentication services are implemented at the transport level. Applications continue to communicate normally with one another using TCP and UDP ports.

38
Q

What are the main points of the RID

A

The Relative ID Master - Every domain in your forest has exactly one domain controller holding the RID Master role. The purpose of this role is to replenish the pool of unused relative IDs (RIDs) for the domain and prevent this pool from becoming exhausted. RIDs are used up whenever you create a new security principal (user or computer account) because the SID for the new security principal is constructed by combining the domain SID with a unique RID taken from the pool. So if you run out of RIDs, you won’t be able to create any new user or computer accounts, and to prevent this from happening the RID Master monitors the RID pool and generates new RIDs to replenish it when it falls beneath a certain level.

39
Q

What are the main points of the Infrastructure Master.

A

The Infrastructure Master - The purpose of this role is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed, so the machine holding this role doesn’t need to have much horsepower at all

40
Q

What are the main points of the schema master

A

There is one and only one Schema Master in a forest, and the purpose of this role is to replicate schema changes to all other domain controllers in the forest. Since the schema of Active Directory is rarely changed however, the Schema Master role will rarely do any work.

41
Q

What are the main points of the Domain Naming Master

A

The Domain Naming Master - The other forest-specific FSMO role is the Domain Naming Master, and this role also resides in the forest root domain. The Domain Naming Master role processes all changes to the namespace, for example adding the child domain vancouver.mycompany.com to the forest root domain mycompany.com requires that this role be available, so if you can’t add a new child domain or new domain tree, check to make sure this role is running properly

42
Q

What are the main points of the group policy management console.

A

Group Policy Management Console (GPMC) is a scriptable Microsoft Management Console (MMC) snap-in, providing a single administrative tool for managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.
• Edit, Filter, and Comment Policy Settings
• Configure, Target, and Comment Preference Items
• Back Up, Restore, Import, and Copy Group Policy Objects
• Control the Scope of Group Policy Objects
• Use Resultant Set of Policy to Manage Group Policy
• Delegate Permissions for Group Policy
• Use Windows PowerShell to Manage Group Policy

43
Q

What roles are installed on the first domain controller in the forest?

A

Forest: schema master and domain naming master
Domain: RID, infrastructure master and PDC emulator.

44
Q

What is the minimum disk space required for a domain controller?

A

500 mb for transaction logs
500 mb for SYSVOL share
1.5 to 2 gb for the Server 2008 OS files
.4 gb for 1000 users on the NTDS.dit drive (main AD database)

45
Q

What are the memory requirements for setting up a domain controller

A

1-499 = 512 mb
500 - 999 = 1 gb
>1000 = 2 gb

46
Q

What is the difference between a site link and a site link bridge?

A

A site link is transitive (everyone can send to everyone along the connections). A site link bridge is non transitive. Only the two sites connected to the bridge can send to each other.

47
Q

What 5 things should be documented on each server

A

Configuration of the server hardware
Location of the server and how to get to it
When does the server have to be up. Availability schedule
Server roles
Operating system

48
Q

What are the four types of RAID

A

RAID 0=striping, not fault tolerant, fastest read and write, 3 disks
RAID 1=mirroring, is fault tolerant
RAID 5=striping with parity, is fault tolerant
RAID 10=mirrored striping with parity, is fault tolerant

49
Q

What does DFSRdiag do?

A

Performs diagnostic tests of DFS Replication

50
Q

What does Ntdsutil do?

A

NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, to manage and control single master operations, and to remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. By default, Ntdsutil is installed in the Winnt\System32 folder. Authoritative restore, domain management, create naming contexts and add replicas to the application directory partition of DNS, seize roles, reset DSRM password, check for duplicate SIDs.

51
Q

What does dsmgmt do

A

Facilitates managing Active Directory Lightweight Directory Services (AD LDS) application partitions, managing and controlling flexible single master operations (FSMO), and cleaning up metadata that is left behind by abandoned Active Directory domain controllers and AD LDS instances. (Abandoned domain controllers and AD LDS instances are those that are removed from the network without being uninstalled.)

52
Q

What does dcpromo do

A

Installs and removes Active Directory Domain Services (AD DS).

53
Q

What are remoteapp programs.

A

Remoteapp programs are programs run through terminal services which appear as if they are running directly on the desktop of the user

54
Q

What can group policies control

A

Printers, mapped drives, scheduled tasks, folder options, services, start menu settings.

55
Q

What are data collector sets

A

A Data Collector Set is the building block of performance monitoring and reporting in Windows Performance Monitor. It organizes multiple data collection points into a single component that can be used to review or log performance. A Data Collector Set can be created and then recorded individually, grouped with other Data Collector Set and incorporated into logs, viewed in Performance Monitor, configured to generate alerts when thresholds are reached, or used by other non-Microsoft applications. It can be associated with rules of scheduling for data collection at specific times. Windows Management Interface (WMI) tasks can be configured to run upon the completion of Data Collector Set collection. Performance counters, Event trace data, system configuration information (registry key values). comes with templates and can create user defined ones.

56
Q

What is DFS replication

A

The Distributed File System Replication (DFSR) service is a new multi-master replication engine that is used to keep folders synchronized on multiple servers

57
Q

What is the difference between assigning software and publishing software.

A

Publishing software to a computer puts the software on the computer and allows a user to install it. Assigning the software to the computer installs the software at bootup and allows it to finish when the user logs in.

58
Q

What is the difference between roaming profiles and folder redirection

A

X

59
Q

What is an iSCSI target

A

X

60
Q

What is file server resource manager FSRM.

A

File Server Resource Manager is a suite of tools that allows administrators to understand, control, and manage the quantity and type of data stored on their servers. By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports. This set of advanced instruments not only helps the administrator to efficiently monitor existing storage resources but it also aids in the planning and implementation of future policy changes.

61
Q

What does DFS namespaces do?

A

DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections.

62
Q

What does DFS replication do?

A

DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.

63
Q

What does EFS do? Encrypting file system.

A

Offline copies of files from remote servers can also be encrypted by using EFS. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without having access to the user’s private keys.

64
Q

What does the remote access service role service do?

A

The remote access service provides VPN service so that users can access corporate networks over the VPN as if they were directly connected.

65
Q

What is storage manager for SANS

A

Storage Manager for SANs is a Microsoft Management Console (MMC) snap-in that helps you create and manage logical unit numbers (LUNs) on Fibre Channel and Internet SCSI (iSCSI) disk drive subsystems that support Virtual Disk Service (VDS) in your storage area network (SAN).

66
Q

What does the Remote Server Administration Tools pack do?

A

Microsoft Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2008 from a computer that is running Windows Vista with Service Pack 1 (SP1). It includes support for remote management of computers that are running either a Server Core installation option or a full installation option of Windows Server 2008. It provides similar functionality to the Windows Server 2003 Administration Tools Pack

67
Q

What are the requirements for putting active directory certificate services AD CS certificate enrollment web service on the network.

A

A host computer as a domain member running Windows Server 2008 R2.
An Active Directory forest with a Windows Server 2008 R2 schema.
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.

68
Q

What script can you use for creating PSOs

A

Ldifde -i -f pso.ldf

69
Q

What is the difference between a DNS primary zone, secondary zone, stub zone and integrated zone.

A

Create a new secondary zone named ad.contoso.com on DC2. This would create a read-only zone, so it couldn’t be updated.
Create a new stub zone named ad.contoso.com on DC2. This stub zone would contain source information about authoritative name servers for its zone only, being DC1, but that one would be unavailable if the WAN link fails.
Configure the DNS server on DC2 to forward requests to DC1. This doesn’t help if the WAN link fails and DC1 is unavailable.

70
Q

What is the minimum forest functional level for an RODC

A

Server 2003

71
Q

How do you prepare your windows server 2008/2008 R2 for collection of security events.

A

Add the network service account to the built-in event log readers group

72
Q

How do you see the most recent authenticated accounts by an RODC.

A

Open Active Directory Users and Computers on a writable domain controller in the domain.

73
Q

You need to ensure that all of the members of a group named Group1 can view the event log entries for Certificate Services.

A

We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management.

74
Q

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an enterprise CA is disabled. You need to install an enterprise subordinate CA on the server. What should you use to log on to the new server?

A

An account that is a member of the Enterprise Admins group in the forest root domain. In order to install an Enterprise CA you MUST have Enterprise Admins permissions, because the Configuration naming context is replicated between domain controllers in the forest (not only the current domain) and is writable for Enterprise Admins (Domain Admins permissions are insufficient).

75
Q

Where would you create a central store for the Group Policy Administrative templates.

A

Copy the %SystemRoot%\PolicyDefinitions folder to the \\contoso.com\SYSVOL\contoso.com\Policies folder.

76
Q

What should you do to configure AD FS to make sure that AD FS token contains information from the active directory domain?

A

Add a new account store and configure it.

77
Q

What snap in would you use to approve a certificate request

A

Certification authority

78
Q

What does ntdsutil do?

A

Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

79
Q

What does dcpromo do?

A

Installs and removes Active Directory Domain Services (AD DS).

80
Q

What does repadmin do?

A

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems. To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest. Domain admins and Enterprise Admins can run repadmin.

81
Q

What does dnscmd do?

A

A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network. Some commands: ageallrecords, config, create(delete)directory partition, startscavenging, zoneadd(delete),

82
Q

What is significant about ldapport 389.

A

Ldapport needs to be above 40000 to not conflict with ad ds

83
Q

What is significant about the windows installer feature?

A

Diagnoses and repairs corrupt applications.