70-640 Exam Dumps Free Shared By Braindump2go For Instant Download Now! Download Latest 70-640 Exam Questions and pass 70-640 one time easily! Do you want to be a winner?
Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring
QUESTION 11
Your company has a main office and a branch office.
The company has a single-domain Active Directory forest.
The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2.
The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.
All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones.
The DNS zones only allow secure updates.
You need to enable dynamic DNS updates on DC3.
What should you do?
A. Run the Dnscmd.exe /ZoneResetType command on DC3.
B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
C. Create a custom application directory partition on DC1.
Configure the partition to store Active Directory-integrated zones.
D. Run the Ntdsutil.exe > DS Behavior commands on DC3.
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNS
QUESTION 12
Your company has an Active Directory domain named ad.contoso.com.
The domain has two domain controllers named DC1 and DC2.
Both domain controllers have the DNS server role installed.
You install a new DNS server named DNS1.contoso.com on the perimeter network.
You configure DC1 to forward all unresolved name requests to DNS1.contoso.com.
You discover that the DNS forwarding option is unavailable on DC2.
You need to configure DNS forwarding on the DC2 server to point to the DNS1.contoso.com server.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Clear the DNS cache on DC2.
B. Configure conditional forwarding on DC2.
C. Configure the Listen On address on DC2.
D. Delete the Root zone on DC2.
Answer: BD
Explanation:
Delete the Root zone on DC2.
Configure conditional forwarding on DC2.
http://technet.microsoft.com/en-us/library/cc754941.aspx
Configure a DNS Server to Use Forwarders
A forwarder is a Domain Name System (DNS) server on a network that is used to forward DNS queries for external DNS names to DNS servers outside that network.
You can also configure your server to forward queries according to specific domain names using conditional forwarders.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0ca38ece-d76e-42f0-85d5-a342f9e169f5/
Deleting .root dns zone in 2008 DNS
Q: We have 2 domain controllers and .root zone is created in the DNS. Due to which the external name resolution is not possible. I had tried to add conditional forwarders but i get an error saying that conditional forwarders cannot be created on root DNS servers. A 1: If you have a “root” zone created in your DNS, and you no longer want that configuration, you can just simply delete that zone. There is no reason to have a root “.” zone hosted unless you want to make sure that the DNS server is authoritative for all queries and not allow the DNS server to go elsewhere for name resolution.
If you delete this zone, the DNS server will be able to use its root hints, or fowarders to resolve queries for zones its not authoritative for.
A 2: That was from the old 2000 days where DCPROMO would create it if it detected no internet access while promoting the first DC. Just remove it, and the Forwarders option reappear.
QUESTION 13
Your company has an organizational unit named Production.
The Production organizational unit has a child organizational unit named R&D.
You create a GPO named Software Deployment and link it to the Production organizational unit.
You create a shadow group for the R&D organizational unit.
You need to deploy an application to users in the Production organizational unit.
You also need to ensure that the application is not deployed to users in the R&D organizational unit.
What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the Block Inheritance setting on the R&D organizational unit.
B. Configure the Enforce setting on the software deployment GPO.
C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for
the R&D security group.
D. Configure the Block Inheritance setting on the Production organizational unit.
Answer: AC
Explanation:
Configure the Block Inheritance setting on the R&D organizational unit.
Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group.
http://technet.microsoft.com/en-us/library/cc757050%28v=ws.10%29.aspx
Managing inheritance of Group Policy
Blocking Group Policy inheritance
You can block policy inheritance for a domain or organizational unit.
Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child-level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied.
Enforcing a GPO link You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent
GPO link always has precedence.
By default, GPO links are not enforced. In tools prior to GPMC, “enforced” was known as “No override.”
In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters.
http://technet.microsoft.com/en-us/library/cc781988%28v=ws.10%29.aspx
Security filtering using GPMC
Security filtering Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
QUESTION 14
Your company has a branch office that is configured as a separate Active Directory site and has an Active Directory domain controller.
The Active Directory site requires a local Global Catalog server to support a new application.
You need to configure the domain controller as a Global Catalog server.
Which tool should you use?
A. The Server Manager console
B. The Active Directory Sites and Services console
C. The Dcpromo.exe utility
D. The Computer Management console
E. The Active Directory Domains and Trusts console
Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc781329%28v=ws.10%29.aspx
QUESTION 15
Your company has a main office and three branch offices.
The company has an Active Directory forest that has a single domain.
Each office has one domain controller. Each office is configured as an Active Directory site.
All sites are connected with the DEFAULTIPSITELINK object.
You need to decrease the replication latency between the domain controllers.
What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Answer: B
Explanation:
http://www.informit.com/articles/article.aspx?p=26866&seqNum=5
QUESTION 16
Your company has two Active Directory forests named contoso.com and fabrikam.com.
Both forests run only domain controllers that run Windows Server 2008.
The domain functional level of contoso.com is Windows Server 2008.
The domain functional level of fabrikam.com is Windows Server 2003 Native mode.
You configure an external trust between contoso.com and fabrikam.com.
You need to enable the Kerberos AES encryption option.
What should you do?
A. Raise the forest functional level of fabrikam.com to Windows Server 2008.
B. Raise the domain functional level of fabrikam.com to Windows Server 2008.
C. Raise the forest functional level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentication.
Answer: B
Explanation:
Raise the domain functional level of fabrikam.com to Windows Server 2008.
http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels%28v=ws.10%29.aspx
Understanding Active Directory Domain Services (AD DS) Functional Levels
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest.
However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.
Features that are available at domain functional levels
Windows Server 2008
All of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
– Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.
In order for TGTs to be issued using AES, the domain functional level must be Windows Server 2008 or higher and the domain password needs to be changed.
Further information:
http://technet.microsoft.com/en-us/library/cc749438%28WS.10%29.aspx
QUESTION 17
All consultants belong to a global group named TempWorkers.
You place three file servers in a new organizational unit named SecureServers.
The three file servers contain confidential data located in shared folders.
You need to record any failed attempts made by the consultants to access the confidential data. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create and link a new GPO to the SecureServers organizational unit.
Configure the Deny access to this computer from the network user rights setting for the
TempWorkers global group.
B. Create and link a new GPO to the SecureServers organizational unit.
Configure the Audit privilege use Failure audit policy setting.
C. Create and link a new GPO to the SecureServers organizational unit.
Configure the Audit object access Failure audit policy setting.
D. On each shared folder on the three file servers, add the three servers to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
E. On each shared folder on the three file servers, add the TempWorkers global group to the
Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
Answer: CE
QUESTION 18
You have two servers named Server1 and Server2.
Both servers run Windows Server 2008 R2.
Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Answer: AB
Explanation:
http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx
QUESTION 19
Your company has an Active Directory forest.
The forest includes organizational units corresponding to the following four locations:
– London
– Chicago
– New York
– Madrid
Each location has a child organizational unit named Sales.
The Sales organizational unit contains all the users and computers from the sales department.
The offices in London, Chicago, and New York are connected by T1 connections.
The office in Madrid is connected by a 256-Kbps ISDN connection.
You need to install an application on all the computers in the sales department.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to users.
Link the GPO to each Sales organizational unit.
B. Disable the slow link detection setting in the Group Policy Object (GPO).
C. Configure the slow link detection threshold setting to 1,544 Kbps (T1) in the Group Policy
Object (GPO).
D. Create a Group Policy Object (GPO) named OfficeInstall that assigns the application to the
computers.
Link the GPO to each Sales organizational unit.
Answer: BD
Explanation:
http://technet.microsoft.com/en-us/library/cc781031%28v=ws.10%29.aspx
Specifying Group Policy for Slow Link Detection
Administrators can partially control which Group Policy extensions are processed over a slow link. By default, when processing over a slow link, not all components of Group Policy are processed.
Table 2.6 shows the default settings for processing Group Policy over slow links.
Administrators can use a Group Policy setting to define a slow link for the purposes of applying and updating Group Policy. The default value defines a rate slower than 500 Kbps as a slow link.
http://technet.microsoft.com/en-us/library/cc783635%28v=ws.10%29.aspx
Assigning and Publishing Software
Assigning software to computers
After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on.
Further information:
http://technet.microsoft.com/en-us/library/cc978717.aspx
Group Policy slow link detection
QUESTION 20
Your company has a domain controller server that runs the Windows Server 2008 R2 operating system.
The server is a backup server.
The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data.
You perform daily backups of the server.
The hard disk fails.
You replace the hard disk with a new hard disk of the same capacity.
You restart the computer on the installation media.
You select the Repair your computer option.
You need to restore the operating system and all files.
What should you do?
A. Select the System Image Recovery option.
B. Run the Imagex utility at the command prompt.
C. Run the Wbadmin utility at the command prompt.
D. Run the Rollback utility at the command prompt.
Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc755163.aspx
70-640 Updated Questions are 2015 Latest Released Which 100% will Meet in Your 70-640 Test! Braindump2go New Released 70-640 Exam Dumps Contain All New Added Questions Which Will Help you Have A Totally Success in 2015 New Tear! Download our 100% Pass Guaranteed 70-640 Exam Dumps Full Version, special 10% Off Discount enjoyed!