microsoft official academic course 70-640 pdf [Jun 2016]


2016 Jun 70-640 training

Q141. You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. 

Users are required to log on to the domain by using a smart card. 

Your company's corporate security policy states that when an employee resigns, his ability 

to log on to the network must be immediately revoked. 

An employee resigns. 

You need to immediately prevent the employee from logging on to the domain. 

What should you do? 

A. Revoke the employee's smart card certificate. 

B. Disable the employee's Active Directory account. 

C. Publish a new delta certificate revocation list (CRL). 

D. Reset the password for the employee's Active Directory account. 

Answer: B 

Explanation: 

http://blog.imanami.com/blog/bid/68864/Delete-or-disable-an-Active-Directory-account-One-best-practice

Delete or disable an Active Directory account? One best practice.

I was recently talking to a customer about the best practice for deprovisioning a terminated employee in Active Directory. Delete or disable? Microsoft doesn't give the clearest direction on this but common sense does. The case for deleting an account is that, BOOM, no more access. No ifs, ands, or buts: if there is no account it cannot do anything. The case for disabling an account is that all of the SIDs are still attached to the account and you can bring it back and get the same access right away. And then the reason for MSFT's lack of direction came into play: individual needs of the customer. This particular customer is a public school system and they often lay off an employee and have to re-hire them the next month or semester. They need that account back.
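The deprovisioning the question and the quoted post describe, as an added example (not from the original page or the blog): disabling the account is the control that takes effect immediately, while the smart card certificate is still revoked so that the revocation lands with the next CRL. The OU, CA configuration string and serial number are placeholders.

```powershell
# Added example: immediate deprovisioning of a resigned employee.
# Assumes the ActiveDirectory module, rights on the domain and the issuing CA,
# and placeholder OU / CA names.
Import-Module ActiveDirectory

function Disable-ResignedEmployee {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [string] $DisabledOu = 'OU=Disabled Users,DC=contoso,DC=com',  # placeholder
        [string] $CertSerialNumber,                                   # smart card cert serial (hex), optional
        [string] $CaConfig = 'ca01.contoso.com\Contoso Issuing CA'    # placeholder CA config string
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

    # 1. Disable first: this is the only step that stops logons right now.
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $stamp (resigned)"

    # 2. Park the object in a quarantine OU. Group memberships are kept on
    #    purpose (the quoted post's case for disabling rather than deleting),
    #    but recorded so a re-enable can be reviewed.
    Move-ADObject -Identity $user -TargetPath $DisabledOu

    # 3. Revoke the smart card certificate with reason 5 (CessationOfOperation)
    #    and publish a new CRL. Clients only see this when they next fetch the
    #    CRL, which is why revocation alone is not "immediate".
    if ($CertSerialNumber) {
        & certutil.exe -config $CaConfig -revoke $CertSerialNumber 5 | Out-Null
        & certutil.exe -config $CaConfig -CRL | Out-Null
    }

    New-Object PSObject -Property @{
        User         = $SamAccountName
        Disabled     = -not (Get-ADUser -Identity $SamAccountName).Enabled
        GroupsKept   = @($user.MemberOf).Count
        CertRevoked  = [bool] $CertSerialNumber
    }
}

# Placeholder values for this example.
Disable-ResignedEmployee -SamAccountName 'jdoe' -CertSerialNumber '<serial-hex>'
```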


Q142. Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. 

DC1 was installed before DC2. 

DC1 fails. 

You need to ensure that you can add 1,000 new user accounts to the domain. 

What should you do? 

A. Modify the permissions of the DC2 computer account. 

B. Seize the schema master FSMO role. 

C. Configure DC2 as a global catalog server. 

D. Seize the RID master FSMO role. 

Answer: D 

Explanation: 

MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 536-537 

RID master failure 

A failed RID master eventually prevents domain controllers from creating new SIDs and, therefore, prevents you from creating new accounts for users, groups, or computers. However, domain controllers receive a sizable pool of RIDs from the RID master, so unless you are generating numerous new accounts, you can often go for some time without the RID master online while it is being repaired. Seizing this role to another domain controller is a significant action. After the RID master role has been seized, the domain controller that had been performing the role cannot be brought back online. 
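The training-kit text says a DC keeps a local pool of RIDs, so seizure is only needed when that pool cannot cover the new accounts. The following added example (not from the page) reads DC2's pool from its RID Set object, and seizes the role only if 1,000 accounts would exhaust it. It assumes the ActiveDirectory module on Windows Server 2008 R2 or later and the DC names from the question.

```powershell
# Added example: check DC2's local RID pool, seize RID master only if needed.
Import-Module ActiveDirectory

function Get-RidPoolStatus {
    param([Parameter(Mandatory = $true)] [string] $DcName)

    $dc     = Get-ADComputer -Identity $DcName -Properties rIDSetReferences
    $ridSet = Get-ADObject -Identity ($dc.rIDSetReferences | Select-Object -First 1) `
                  -Properties rIDAllocationPool, rIDNextRID

    # rIDAllocationPool packs two 32-bit values: the high dword is the last RID
    # of the block this DC received from the RID master, the low dword the first.
    [int64] $pool = $ridSet.rIDAllocationPool
    $blockEnd   = [int64] [math]::Floor($pool / 4294967296)
    $blockStart = $pool % 4294967296
    $remaining  = $blockEnd - [int64] $ridSet.rIDNextRID

    New-Object PSObject -Property @{
        DC         = $DcName
        RidMaster  = (Get-ADDomain).RIDMaster
        BlockStart = $blockStart
        BlockEnd   = $blockEnd
        NextRid    = $ridSet.rIDNextRID
        Remaining  = $remaining
    }
}

function Confirm-RidCapacity {
    param([string] $DcName, [int] $Needed)

    $status = Get-RidPoolStatus -DcName $DcName
    if ($status.Remaining -ge $Needed) {
        Write-Host "$DcName still has $($status.Remaining) RIDs in its pool; no seizure needed yet."
        return $status
    }

    # The pool would run dry before all accounts exist and the current master
    # (DC1) has failed: seize the role onto this DC. -Force turns the transfer
    # into a seizure. As the training kit says, DC1 must never come back online
    # afterwards, because two masters would hand out overlapping RID pools.
    Write-Warning "$DcName has only $($status.Remaining) RIDs left; seizing RID master."
    Move-ADDirectoryServerOperationMasterRole -Identity $DcName `
        -OperationMasterRole RIDMaster -Force -Confirm:$false
    & dcdiag.exe /test:RidManager /v            # confirm the new holder is healthy
    Get-RidPoolStatus -DcName $DcName
}

Confirm-RidCapacity -DcName 'DC2' -Needed 1000
```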


Q143. Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit. 

You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units. 

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) 

A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. 

B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group. 

C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational units. 

D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrators. 

Answer: A,B 

Explanation: 

Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrators. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.

http://technet.microsoft.com/en-us/library/cc732524.aspx 

Delegate Control of an Organizational Unit 

To delegate control of an organizational unit:

1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

Where? Active Directory Users and Computers\domain node\organizational unit

3. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.

http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx 

Delegating Administration of Group Policy 

Your Group Policy design will probably call for delegating certain Group Policy administrative tasks.

Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most important factors to consider when assessing the needs of your organization. In organizations that use a centralized administration model, an IT group provides services, makes decisions, and sets standards for the entire company. In organizations that use a distributed administration model, each business unit manages its own IT group.

You can delegate the following Group Policy tasks: 

Creating GPOs 

Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc. 

Delegating Creation of GPOs

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.

Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.

The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate.

Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission:

Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC.

Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.

You can manage this permission by using the Delegation tab on the Group Policy objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups. Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain. If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions. Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.
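The two rights the answer separates (create GPOs, and link them on one OU only) done from PowerShell, as an added example that is not from the page or from Microsoft's documentation. Linking is controlled by write access to the OU's gPLink and gPOptions attributes, so the script grants exactly those and nothing at the domain level. The OU and group names are placeholders; the ActiveDirectory module and its AD: drive are assumed.

```powershell
# Added example: delegate GPO creation plus GPO linking scoped to one branch OU.
Import-Module ActiveDirectory

function Get-SchemaAttributeGuid {
    # Looks up the schemaIDGUID of an attribute instead of hard-coding it.
    param([Parameter(Mandatory = $true)] [string] $LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                -Properties schemaIDGUID
    [guid] $attr.schemaIDGUID          # stored as a byte array in the schema
}

function Grant-GpoLinkOnOu {
    param(
        [Parameter(Mandatory = $true)] [string] $OuDn,
        [Parameter(Mandatory = $true)] [string] $GroupSam
    )
    $sid     = (Get-ADGroup -Identity $GroupSam).SID
    $rights  = [System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty'
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    # Inherit to child OUs of the branch OU, but the ACE lives on this OU only,
    # so the group can never link at the domain or another branch.
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($attrName in 'gPLink', 'gPOptions') {
        $guid = Get-SchemaAttributeGuid -LdapDisplayName $attrName
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                    $sid, $rights, $allow, $guid, $inherit)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-GpoLinkDelegation {
    # Lists the ACEs on the OU that touch gPLink / gPOptions, for verification.
    param([string] $OuDn)
    $ids = @('gPLink', 'gPOptions' | ForEach-Object { Get-SchemaAttributeGuid -LdapDisplayName $_ })
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $ids -contains $_.ObjectType } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
}

$branchOu    = 'OU=Branch1,DC=contoso,DC=com'   # placeholder
$branchAdmin = 'Branch1-GPOAdmins'              # placeholder group

# Right 1: create GPOs (full control only over GPOs the member creates).
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $branchAdmin
# Right 2: link GPOs, scoped to the branch OU rather than the domain.
Grant-GpoLinkOnOu -OuDn $branchOu -GroupSam $branchAdmin
Test-GpoLinkDelegation -OuDn $branchOu
```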


Q144. Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed. 

Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server. 

You install AD FS 2.0 on Server2. 

You need to add Server2 to the existing AD FS farm. 

What should you do? 

A. On Server1, run fsconfig.exe. 

B. On Server1, run fsconfigwizard.exe. 

C. On Server2, run fsconfig.exe. 

D. On Server2, run fsconfigwizard.exe. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx 

Configure a New Federation Server

To configure a new federation server using the command line:

1. Open a Command Prompt window.

2. Change the directory to the path where AD FS 2.0 was installed.

3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER:

fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]

Parameter JoinSQLFarm: Joins this computer to an existing federation server farm that is using SQL Server.


Q145. Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site 1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link. 

You discover that the cached password for a user named User1 is compromised on the RODC. 

On a domain controller in Site1, you change the password for User1. 

You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC. 

Which tool should you use? 

A. Active Directory Sites and Services 

B. Active Directory Users and Computers 

C. Repadmin 

D. Replmon 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/cc742095.aspx 

Repadmin /rodcpwdrepl 

Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs). 

Example: 

The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc: 

repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com 
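The response the question describes, as an added example (not from the page or the TechNet article): reset the password on a writable DC in Site1, push only that account's secret to the RODC with repadmin /rodcpwdrepl, and then list every other account whose password the RODC has cached, since those are exposed if the RODC itself was compromised. The DC names are placeholders; the ActiveDirectory module on Windows Server 2008 R2 is assumed.

```powershell
# Added example: handle a compromised cached password on an RODC.
Import-Module ActiveDirectory

function Reset-CompromisedRodcPassword {
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [Parameter(Mandatory = $true)] [string] $WritableDc,   # a DC in Site1 (placeholder name)
        [Parameter(Mandatory = $true)] [string] $Rodc          # the RODC in Site2 (placeholder name)
    )
    $user = Get-ADUser -Identity $SamAccountName -Server $WritableDc

    # 1. Reset on the writable DC; the RODC cannot accept the change itself.
    $new = Read-Host -AsSecureString "New password for $SamAccountName"
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $new -Server $WritableDc

    # 2. Replicate just this account's password (no other objects) to the RODC.
    & repadmin.exe /rodcpwdrepl $Rodc $WritableDc $user.DistinguishedName
    if ($LASTEXITCODE -ne 0) { throw "repadmin failed with exit code $LASTEXITCODE" }

    # 3. Every other cached ("revealed") account on the RODC is exposed if the
    #    RODC was compromised; surface them so each can be reset or reviewed.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
        Select-Object Name, SamAccountName, DistinguishedName
}

Reset-CompromisedRodcPassword -SamAccountName 'User1' -WritableDc 'SITE1-DC01' -Rodc 'SITE2-RODC01'
```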



Q146. Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. 

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. 

What should you do? 

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain. 

B. Create an external trust from nwtraders.com to contoso.com. 

C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain. 

D. Create an external trust from contoso.com to nwtraders.com. 

Answer: C 

Explanation: 

http://technet.microsoft.com/en-us/library/hh311036.aspx 

Using AD RMS trust 

It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. 


Q147. Your company has an Active Directory domain. All servers run Windows Server 2008 R2. 

Your company uses an Enterprise Root certificate authority (CA). 

You need to ensure that revoked certificate information is highly available. 

What should you do? 

A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array. 

B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO). 

C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. 

D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain. 

Answer: C 

Explanation: 

Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing. 

http://technet.microsoft.com/en-us/library/cc731027%28v=ws.10%29.aspx

AD CS: Online Certificate Status Protocol Support

Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server 2008 operating system, for public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.

What does OCSP support do?

The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.

Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI. 

Further information: http://blogs.technet.com/b/askds/archive/2009/08/20/implementing-an-ocsp-responder-part-v-highavailability.aspx

Implementing an OCSP Responder: Part V High Availability

There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.


Q148. A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for the domain has been completed and unnecessary objects have been deleted. 

You need to perform an offline defragmentation of the Active Directory database on DC12. You also need to ensure that the critical services remain online. 

What should you do? 

A. Start the domain controller in the Directory Services restore mode. Run the Defrag utility. 

B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility. 

C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility. 

D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility. 

Answer: D 

Explanation: 

http://support.microsoft.com/kb/232122

Performing offline defragmentation of the Active Directory database

Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the Garbage Collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes data storage in the database and reclaims space in the directory for new objects. Performing an offline defragmentation creates a new, compacted version of the database file. Depending on how fragmented the original database file was, the new file may be considerably smaller.

http://rickardnobel.se/when-to-offline-defrag-ntds-dit/

When to offline defrag the Active Directory database

This article will show a simple way to determine if there is any gain in doing an offline defrag of your Active Directory database. During normal operations the Active Directory service will do an online defragmentation of the Active Directory database (always called ntds.dit) every 12 hours. This online defrag will arrange all pages in an optimal way internally in the ntds.dit; however, the file size will never shrink, and sometimes even grows. During the years of operation of the ntds.dit the file size will increase as user accounts, organizational units, groups, computers, DNS records and more are added and later removed. When deleted objects are finally removed (after the so-called tombstone lifetime, typically 180 days) the space they have occupied will unfortunately not decrease.



The actual size of the ntds.dit can easily be studied through Explorer, as above. The size of the database is in this example around 575 MB. Note that Active Directory does not use file-level replication, so the file could be of a different size on each Domain Controller in your domain. If wanted, there is the possibility to take the AD services offline on one DC and then do an offline defragmentation of ntds.dit. This would both arrange all pages in the best possible way and also reclaim any empty space inside the database, which could make backup and restore faster and also possibly increase AD performance. The offline defrag means "offline" from an Active Directory perspective. This means that on Windows 2000 and 2003 you will have to reboot into Directory Services Restore Mode, and on Windows 2008 and R2 you will have to stop the AD services by typing "net stop ntds" in the command prompt. So in Windows 2008 and later it is far easier, but still something that you do not want to do if not necessary. There are numerous articles on the web on how to do the actual offline defrag, so we will not cover that part here. However, we will see the perhaps most important information, and that is to be able to see in advance the amount of space that we could reclaim. With this information we could make our decision based on fact and not guesses. This has been possible since at least Windows 2003, but is not well documented.



To enable this you will have to alter a registry value on the Domain Controller on which you want to investigate the reclaimable MBs. Use regedit and find the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics

Change the value "6 Garbage Collection" from 0 to 1. This will increase the logging from the Garbage Collection process, which runs together with the online defrag. So now wait for the next online defragmentation, which runs twice a day, and then study the Directory Service log in Event Viewer.



Search for event id 1646, usually together with event ids 700 and 701. 



Here we can note the amount of space that would be reclaimed from an offline defrag. The top value is the number of MB that the offline defrag would recover, here almost half the database size. If the amount is negligible then do not worry about this any more, and if there is a considerable amount of MBs reported then you could plan to do the offline defrag. 



Note that both the change of the registry key and the actual offline defrag have to be done on each domain controller, since neither replicates.

As noted above we will not look at the commands for the offline defragmentation here, since they are well documented already.
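The procedure above (raise the "6 Garbage Collection" diagnostic level, read event 1646, then decide) as an added example that is not from the page or the quoted article, with the offline compaction from answer D (stop NTDS in place, run ntdsutil, restart) added as a separate function to run per DC. The regex assumes the wording of event 1646's message, and C:\Temp\NTDS is a placeholder scratch directory.

```powershell
# Added example: measure reclaimable ntds.dit space, then defrag offline if worthwhile.
function Enable-GarbageCollectionLogging {
    $key = 'HKLM:\System\CurrentControlSet\Services\NTDS\Diagnostics'
    Set-ItemProperty -Path $key -Name '6 Garbage Collection' -Value 1 -Type DWord
    (Get-ItemProperty -Path $key).'6 Garbage Collection'      # now 1
}

function Get-ReclaimableNtdsSpace {
    # Event 1646 is written after the next online defrag (every 12 hours by default).
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1646 } `
              -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { return $null }
    # Assumed message shape: "... Free hard disk space (megabytes): 268 ...
    #                         Total allocated hard disk space (megabytes): 575 ..."
    $free  = [regex]::Match($ev.Message, 'Free hard disk space \(megabytes\):\s*(\d+)')
    $total = [regex]::Match($ev.Message, 'Total allocated hard disk space \(megabytes\):\s*(\d+)')
    if (-not ($free.Success -and $total.Success)) { return $null }
    $freeMb  = [int] $free.Groups[1].Value
    $totalMb = [int] $total.Groups[1].Value
    New-Object PSObject -Property @{
        Logged        = $ev.TimeCreated
        ReclaimableMB = $freeMb
        TotalMB       = $totalMb
        Percent       = [math]::Round(100 * $freeMb / $totalMb)
    }
}

function Invoke-OfflineNtdsDefrag {
    param([string] $TempDir = 'C:\Temp\NTDS')    # placeholder scratch location
    $p       = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath = $p.'DSA Database file'
    $logDir  = $p.'Database log files path'
    New-Item -ItemType Directory -Path $TempDir -Force | Out-Null

    & net.exe stop ntds /y | Out-Null           # AD DS offline; other services on the DC stay up
    & ntdsutil.exe 'activate instance ntds' files "compact to $TempDir" quit quit
    if (-not (Test-Path "$TempDir\ntds.dit")) {
        & net.exe start ntds | Out-Null
        throw 'Compaction produced no file; original database left in place.'
    }
    Copy-Item $ditPath "$TempDir\ntds.dit.bak"   # keep the old file until the new one verifies
    Copy-Item "$TempDir\ntds.dit" $ditPath -Force
    Remove-Item (Join-Path $logDir '*.log')      # transaction logs belong to the old database
    & ntdsutil.exe 'activate instance ntds' files integrity quit quit
    & net.exe start ntds | Out-Null
}

Enable-GarbageCollectionLogging | Out-Null
Get-ReclaimableNtdsSpace     # $null until the next online defrag has logged event 1646
# When ReclaimableMB is worth the downtime, run Invoke-OfflineNtdsDefrag on this DC,
# and repeat both steps on every other DC, since neither replicates.
```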


Q149. Your network contains an Active Directory domain named contoso.com. 

You need to identify whether the Active Directory Recycle Bin is enabled. 

What should you do? 

A. From Ldp, search for the Reanimate-Tombstones object. 

B. From Ldp, search for the LostAndFound container. 

C. From Windows PowerShell, run the Get-ADObject cmdlet. 

D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet. 

Answer: D 

Explanation: 

http://www.frickelsoft.net/blog/?p=224 

How can I check whether the AD Recycle-Bin is enabled in my R2 forest? 

[He shows how to use the PowerShell cmdlet Get-ADOptionalFeature to determine if the AD Recycle Bin is enabled.]
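The Get-ADOptionalFeature check the answer refers to, as an added example (not from the page or the linked post): the feature object always exists in a 2008 R2 forest, so the test is whether its EnabledScopes collection is non-empty, not whether the object is found. An enable step with the forest-mode precondition is included; the ActiveDirectory module is assumed.

```powershell
# Added example: test for, and optionally enable, the AD Recycle Bin.
Import-Module ActiveDirectory

function Test-ADRecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    # EnabledScopes stays empty until the feature is enabled for the forest.
    [bool] (@($feature.EnabledScopes).Count -gt 0)
}

function Enable-ADRecycleBinIfNeeded {
    if (Test-ADRecycleBinEnabled) { return 'already enabled' }
    $forest  = Get-ADForest
    $minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
    if ([int] $forest.ForestMode -lt [int] $minimum) {
        throw "Forest mode $($forest.ForestMode) is below Windows2008R2Forest; cannot enable."
    }
    # Irreversible: once enabled, the Recycle Bin cannot be turned off again.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
    'enabled'
}

Test-ADRecycleBinEnabled
```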


Q150. You have a Windows Server 2008 R2 that has the Active Directory Certificate Services server role installed. 

You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL). 

What should you do? 

A. Install and configure an Online Responder. 

B. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations. 

C. Install and configure an additional domain controller. 

D. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations. 

Answer: A 

Explanation: 

http://technet.microsoft.com/en-us/library/cc725958.aspx 

What Is an Online Responder?

An Online Responder is a trusted server that receives and responds to individual client requests for information about the status of a certificate. The use of Online Responders is one of two common methods for conveying information about the validity of certificates. Unlike certificate revocation lists (CRLs), which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to individual requests from clients for information about the status of a certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be. In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.


