Examsavior 70-640 practice questions (VCE and PDF dumps): the latest questions for the 70-640 exam with answers and reference notes.
Exam B
QUESTION 1
You have a domain controller named DC1 that runs Windows Server 2008 R2.
DC1 is configured as a DNS Server for contoso.com.
You install the DNS Server role on a member server named Server1 and then you create a standard
secondary zone for contoso.com.
You configure DC1 as the master server for the zone.
You need to ensure that Server1 receives zone updates from DC1.
What should you do?
A. On DC1, modify the permissions of contoso.com zone.
B. On Server1, add a conditional forwarder.
C. On DC1, modify the zone transfer settings for the contoso.com zone.
D. Add the Server1 computer account to the DNSUpdateProxy group.
Correct Answer: C
Explanation
Explanation/Reference:
Practically the same question as J/Q23 and K/Q45.
Reference:
http://technet.microsoft.com/en-us/library/cc771652.aspx
Modify Zone Transfer Settings
You can use the following procedure to control whether a zone will be transferred to other servers and
which servers can receive the zone transfer.
To modify zone transfer settings using the Windows interface
1. Open DNS Manager.
2. Right-click a DNS zone, and then click Properties.
3. On the Zone Transfers tab, do one of the following:
To disable zone transfers, clear the Allow zone transfers check box.
To allow zone transfers, select the Allow zone transfers check box.
4. If you allowed zone transfers, do one of the following:
To allow zone transfers to any server, click To any server.
To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to
servers listed on the Name Servers tab.
To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add
the IP address of one or more DNS servers.
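The procedure above, carried out from the command line as an added example (not code from the original page): it applies the "Only to the following servers" setting on DC1, creates and refreshes the secondary on Server1, confirms both servers hold the same SOA serial, and checks that a transfer request from an unlisted host is refused. The addresses (DC1 = 10.0.0.10, Server1 = 10.0.0.20) are assumptions; dnscmd and nslookup are in-box on Windows Server 2008 R2.

```powershell
# Added example, not part of the original page: configure and verify the zone transfer
# from Question 1 with dnscmd. Addresses are assumptions: DC1 = 10.0.0.10, Server1 = 10.0.0.20.
$Master    = 'DC1';     $MasterIP = '10.0.0.10'
$Secondary = 'Server1'; $SecIP    = '10.0.0.20'
$Zone      = 'contoso.com'

# 1. On DC1 (answer C): allow transfers only to Server1 and send NOTIFY only to Server1.
#    This is "Only to the following servers" on the Zone Transfers tab. "To any server"
#    would let any host on the network pull the whole zone with one AXFR query, which
#    hands an attacker every host name and address in the domain.
dnscmd $Master /ZoneResetSecondaries $Zone /SecureList $SecIP /NotifyList $SecIP

# 2. On Server1: create the standard secondary zone with DC1 as its master (already done
#    in the question; shown so the block is complete).
dnscmd $Secondary /ZoneAdd $Zone /Secondary $MasterIP

# 3. Pull the zone now instead of waiting for the SOA refresh interval.
dnscmd $Secondary /ZoneRefresh $Zone

# 4. Verify: master and secondary must report the same SOA serial.
function Get-ZoneSerial {
    param([string]$Server, [string]$ZoneName)
    $out = nslookup -type=SOA $ZoneName $Server 2>$null
    $m = $out | Select-String 'serial\s*=\s*(\d+)' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}
$masterSerial = Get-ZoneSerial -Server $MasterIP -ZoneName $Zone
$secSerial    = Get-ZoneSerial -Server $SecIP    -ZoneName $Zone
"Master serial: $masterSerial   Secondary serial: $secSerial"
if ($masterSerial -ne $secSerial) {
    Write-Warning "Serials differ: the transfer has not happened; check the DNS Server event log on $Secondary"
}

# 5. Negative check, run from any host that is NOT 10.0.0.20: a full transfer must be refused.
#    nslookup's interactive "ls -d" command requests an AXFR of the zone.
"server $MasterIP", "ls -d $Zone", "exit" | nslookup 2>&1 | Select-String 'refused|Can.t list'

# Windows Server 2012 or later has a cmdlet equivalent of step 1:
# Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
#     -SecondaryServers $SecIP -Notify NotifyServers -NotifyServers $SecIP
```

Step 5 is the check worth keeping after the exam: the serial comparison proves the intended secondary gets the zone, while the refused `ls -d` proves nobody else does.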
QUESTION 2
Your company has an Active Directory domain.
All servers run Windows Server 2008 R2.
Your company runs an Enterprise Root certification authority (CA).
You need to ensure that only administrators can sign code.
Which two tasks should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Edit the local computer policy of the Enterprise Root CA to allow only administrators to manage
Trusted Publishers.
B. Modify the security settings on the template to allow only administrators to request code signing certificates.
C. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and
allow only administrators to apply the policy.
D. Publish the code signing template.
Correct Answer: BD
Explanation
Explanation/Reference:
http://techblog.mirabito.net.au/?p=297
Generating and working with code signing certificates
A code signing certificate is a security measure designed to assist in the prevention of malicious code
execution. The intention is that code must be "signed" with a certificate that is trusted by the machine on
which the code is executed. Trust is verified by building a chain from the signing certificate to a root
certificate that the machine already trusts (and, where configured, checking the issuing CA's revocation
information). That root could be local (on the machine itself, such as a self-signed certificate), internal
(on the domain, such as an enterprise certification authority) or external (a third-party certification
authority, such as Verisign or Thawte).
For an Active Directory domain with an enterprise root certification authority, the enterprise root
certification authority infrastructure is trusted by all machines that are a member of the Active Directory
domain, and therefore any certificates issued by this certification authority are automatically trusted.
In the case of code signing, it may be necessary also for the issued certificate to be in the “Trusted
Publishers” store of the local machine in order to avoid any prompts upon executing code, even if the
certificate was issued by a trusted certification authority. Therefore, it is required to ensure that certificates
are added to this store where user interaction is unavailable, such as running automated processes that
call signed code.
A certificate can be assigned to a user or a computer, which will then be the “publisher” of the code in
question. Generally, this should be the user, and the user will then become the trusted publisher. As an
example, members of the development team in your organisation will probably each have their own code
signing certificate, which would all be added to the “Trusted Publishers” store on the domain machines.
Alternatively, a special domain account might exist specifically for signing code, although one of the
advantages of code signing is to be able to determine the person who signed it.
…
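Answers B and D as an added example (not code from the original page or from the blog it quotes): the template object in the Configuration partition is read to see who currently holds Enroll, broad groups are stripped, a single admin group is granted Read and Enroll, and the template is published on the CA. The template CN `CodeSigning` is the built-in one; the group `CONTOSO\Code Signing Admins` and the CA config string `CA01.contoso.com\Contoso-CA01-CA` are hypothetical.

```powershell
# Added example, not from the original page or the quoted blog: restrict the Code Signing
# template so only one admin group can enroll (answer B), then publish it on the CA (answer D).
# Assumptions: group 'CONTOSO\Code Signing Admins' and CA 'CA01.contoso.com\Contoso-CA01-CA'.
Import-Module ActiveDirectory

$TemplateCN = 'CodeSigning'
$AdminGroup = 'CONTOSO\Code Signing Admins'
$CAConfig   = 'CA01.contoso.com\Contoso-CA01-CA'
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$AutoGuid   = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment extended right

# Templates are objects in the forest Configuration partition; the ACL on the object decides
# who may request a certificate from it on every Enterprise CA in the forest.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$dn    = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

function Get-TemplateEnrollers {
    # Returns the principals that currently hold Enroll, Autoenroll or full control.
    param([string]$TemplateDN)
    (Get-Acl -Path "AD:\$TemplateDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|ExtendedRight' -and
        (@($EnrollGuid, $AutoGuid, [guid]::Empty) -contains $_.ObjectType)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

"Before:"; Get-TemplateEnrollers $dn

# Remove Enroll/Autoenroll from broad groups. A code-signing certificate issued by the
# enterprise CA is trusted by every domain member, so Enroll here must stay with admins.
$broad = @('NT AUTHORITY\Authenticated Users', 'CONTOSO\Domain Users', 'CONTOSO\Domain Computers')
$acl = Get-Acl -Path "AD:\$dn"
foreach ($ace in @($acl.Access)) {
    if (($broad -contains $ace.IdentityReference.Value) -and (@($EnrollGuid, $AutoGuid) -contains $ace.ObjectType)) {
        [void]$acl.RemoveAccessRule($ace)
    }
}
# Grant Read + Enroll to the admin group only.
$sid  = (New-Object System.Security.Principal.NTAccount($AdminGroup)).Translate([System.Security.Principal.SecurityIdentifier])
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, [System.Security.AccessControl.AccessControlType]::Allow)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, $EnrollGuid)))
Set-Acl -Path "AD:\$dn" -AclObject $acl

"After:"; Get-TemplateEnrollers $dn

# Publish the template on the CA (answer D) and confirm it is now issuable there.
certutil -config $CAConfig -SetCATemplates "+$TemplateCN"
certutil -config $CAConfig -CATemplates | Select-String $TemplateCN
```

The "Before" listing is the part to run first on an existing CA: any non-admin principal with Enroll on a code-signing template can already obtain a certificate that, as the text above notes, every domain member trusts automatically.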
QUESTION 3
Your company has an Active Directory forest.
You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.
When you attempt to add the Active Directory Certificate Services (AD CS) role, you find that the
Enterprise CA option is not available.
You need to install the AD CS role as an Enterprise CA.
What should you do first?
A. Add the DNS Server role.
B. Add the Active Directory Lightweight Directory Service (AD LDS) role.
C. Add the Web server (IIS) role and the AD CS role.
D. Join the server to the domain.
Correct Answer: D
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
Active Directory Certificate Services Step-by-Step Guide
http://kazmierczak.eu/itblog/2012/09/23/enterprise-ca-option-is-greyed-out-unavailable/
Enterprise CA option is greyed out / unavailable
Many times, administrators ask me what to do when, while installing Active Directory Certificate Services, they
cannot choose to install an Enterprise Certification Authority because it is unavailable, as in the following picture:
Well, you need to fulfill the basic requirements:
The server machine has to be a member server (domain joined).
You can run an Enterprise CA on the Standard, Enterprise, or Datacenter edition of Windows. The difference is
the number of AD CS features and components that can be enabled. To get full functionality, you need to run
the Enterprise or Datacenter edition of Windows Server 2008 or 2008 R2. That includes functionality like role
separation, certificate manager restrictions, delegated enrollment agent restrictions, certificate enrollment
across forests, Online Responder, and Network Device Enrollment Service.
In order to install an Enterprise CA, you must be a member of either Enterprise Admins or Domain Admins in the
forest root domain (either directly or through group nesting).
If the issue still persists, there is probably a problem with getting the correct credentials for your account.
There are many things that can cause it (network blockage, domain settings, server configuration, and other
issues). In all cases I got, this troubleshooting helped perfectly:
First of all, carefully check all of the above requirements.
Secondly, install all available patches and service packs with Windows Update before trying to install the
Enterprise CA.
Check the network settings on the CA server. If there is no DNS setting, the Certificate Authority server
cannot resolve and find the domain.
Sufficient privileges for writing the Enterprise CA configuration information into the AD configuration
partition are required. Determine whether you are a member of Enterprise Admins or Domain Admins in the forest
root domain. Think about the account you are currently trying to install AD CS with. In fact, you may be sure
that your account is in the Enterprise Admins group, but check how the CA server "sees" your account
membership by typing
whoami /groups
You also need to be a member of the local Administrators group. If you are not, you would not be able to run
Server Manager, but it still needs to be checked.
View the C:\Windows\certocm.log file. There you can find helpful details on problems with group membership.
For example, a status of ENUM_ENTERPRISE_UNAVAIL_REASON_NO_INSTALL_RIGHTS indicates that the needed
memberships are not correct.
Don't forget to check Event Viewer on the CA server side and look for red lines.
Verify that network devices or software and hardware firewalls are not blocking access between the server and
the Domain Controllers. If they are, the Certificate Authority server may not be communicating correctly with
the domain. To check that, simply run
nltest /sc_verify:DomainName
Check also whether the CA server is connected to a writable Domain Controller.
The Enterprise Admins group is the most powerful group and has the full control permissions that AD CS
requires, but who knows, maybe someone changed the default permissions? Run adsiedit.msc on a Domain
Controller, connect to the default context, and first of all check whether the
CN=Public Key Services,CN=Services,CN=Configuration,DC=Your,DC=Domain,DC=Com container exists. If so, check
the permissions on all subcontainers under Public Key Services to confirm that the Enterprise Admins group
has full control. The main subcontainers to verify are the Certificate Templates, OID, and KRA containers.
If none of the above tips help, disjoin the server from the domain and join it again. Ultimately, reinstall
the operating system on the CA server.
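The troubleshooting list above as one pre-flight script, added here as an example (not code from the original page or from the quoted blog). Run it on the intended CA server as the account that will install AD CS; it discovers the server and domain names at run time and hard-codes nothing else. Each check corresponds to one item in the list: domain membership, group membership as the server sees it, DNS, the secure channel and a writable DC, the Public Key Services containers, and any unavailability reason left in certocm.log.

```powershell
# Added example, not part of the original page: pre-flight checks for the Enterprise CA
# requirements listed above. Run on the prospective CA server as the installing account.
function New-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}
$report = @()

# 1. Domain membership: the Enterprise CA option is hidden on workgroup machines.
$cs = Get-WmiObject Win32_ComputerSystem
$report += New-Check 'Domain joined' $cs.PartOfDomain "$($cs.Name) / $($cs.Domain)"
$domain = $cs.Domain

# 2. Group membership as this server sees it (whoami /groups), not as you remember it.
$groups = whoami /groups /fo csv | ConvertFrom-Csv | ForEach-Object { $_.'Group Name' }
$admins = @($groups -match '\\Enterprise Admins$|\\Domain Admins$')
$report += New-Check 'Enterprise/Domain Admins' ($admins.Count -gt 0) ($admins -join '; ')
$report += New-Check 'Local Administrators' (@($groups -match '^BUILTIN\\Administrators$').Count -gt 0) ''

# 3. DNS: the server must be able to find a domain controller for its domain.
$srv  = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>$null
$hosts = @($srv | Select-String 'svr hostname')
$report += New-Check 'DC SRV records resolve' ($hosts.Count -gt 0) ($hosts -join '; ')

# 4. Secure channel to the domain, and a writable DC (the CA writes its configuration into AD).
nltest /sc_verify:$domain | Out-Null
$report += New-Check 'Secure channel (nltest /sc_verify)' ($LASTEXITCODE -eq 0) "exit code $LASTEXITCODE"
$dc = nltest /dsgetdc:$domain /writable 2>$null
$report += New-Check 'Writable DC reachable' ($LASTEXITCODE -eq 0) (@($dc | Select-String '^\s*DC:') -join '')

# 5. Public Key Services and its key sub-containers exist in the Configuration partition.
$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks   = "CN=Public Key Services,CN=Services,$cfgNC"
foreach ($cn in @('', 'Certificate Templates', 'OID', 'KRA')) {
    $path  = if ($cn) { "LDAP://CN=$cn,$pks" } else { "LDAP://$pks" }
    $label = if ($cn) { $cn } else { 'Public Key Services' }
    $report += New-Check "Container $label" ([System.DirectoryServices.DirectoryEntry]::Exists($path)) $path
}

# 6. A previous failed attempt leaves its reason code in certocm.log.
$log = "$env:windir\certocm.log"
if (Test-Path $log) {
    $hits = @(Select-String -Path $log -Pattern 'ENUM_ENTERPRISE_UNAVAIL_REASON\w*' -AllMatches |
              ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } | Select-Object -Unique)
    $report += New-Check 'certocm.log unavailability reasons' ($hits.Count -eq 0) ($hits -join '; ')
}

$report | Format-Table Check, OK, Detail -AutoSize
```

The ACL check on the sub-containers (whether Enterprise Admins still has full control) is deliberately left to adsiedit.msc as the list describes; the script only confirms the containers exist and the rest of the environment is reachable.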
QUESTION 4
Your company has an Active Directory domain named contoso.com.
The company network has two DNS servers named DNS1 and DNS2.
The DNS servers are configured as shown in the following table.
Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect
to Internet Web sites.
You need to enable Internet name resolution for all client computers.
What should you do?
A. Update the list of root hints servers on DNS2.
B. Create a copy of the .(root) zone on DNS1.
C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2.
D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1.
Correct Answer: C
Explanation
Explanation/Reference:
http://support.microsoft.com/kb/298148
How To Remove the Root Zone (Dot Zone)
When you install DNS on a Windows 2000 server that does not have a connection to the Internet, the
zone for the domain is created and a root zone, also known as a dot zone, is also created. This root zone
may prevent access to the Internet for DNS and for its clients: a server that hosts the root zone considers
itself authoritative for the entire namespace, so it answers only from the zones it hosts, and you cannot
configure forwarders or root hint servers. For these reasons, you may have to remove the root zone.
QUESTION 5
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to configure the Active Directory environment to support the application of multiple
password policies.
What should you do?
A. Raise the functional level of the domain to Windows Server 2008.
B. On one domain controller, run dcpromo /adv.
C. Create multiple Active Directory sites.
D. On all domain controllers, run dcpromo /adv.
Correct Answer: A
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
This step-by-step guide provides instructions for configuring and applying fine-grained password and
account lockout policies for different sets of users in Windows Server® 2008 domains.
In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only
one password and account lockout policy, which is specified in the domain’s Default Domain Policy, to all
users in the domain. As a result, if you wanted different password and account lockout settings for different
sets of users, you had to either create a password filter or deploy multiple domains. Both options were
costly for different reasons.
In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies
and apply different password restrictions and account lockout policies to different sets of users within a
single domain.
Requirements and special considerations for fine-grained password and account lockout policies
Domain functional level: The domain functional level must be set to Windows Server 2008 or
higher.
etc…
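Answer A carried through to a working fine-grained password policy, as an added example (not code from the original page or the referenced guide). It checks and, if needed, raises the domain functional level, creates a Password Settings Object stricter than the Default Domain Policy, links it to a group, and shows the resultant policy for one member. The domain `contoso.com`, the policy name `PSO-Admins`, the target group `Domain Admins` and the specific values are assumptions; the cmdlets are from the ActiveDirectory module that ships with Windows Server 2008 R2.

```powershell
# Added example, not part of the original page: raise the domain functional level and
# apply a fine-grained password policy to privileged accounts. Assumed names: domain
# contoso.com, PSO 'PSO-Admins', subject group 'Domain Admins'. Policy values are illustrative.
Import-Module ActiveDirectory
$DomainName = 'contoso.com'

# 1. Fine-grained password policies need the Windows Server 2008 domain functional level (answer A).
$dom = Get-ADDomain -Identity $DomainName
"Current domain mode: $($dom.DomainMode)"
if ("$($dom.DomainMode)" -notmatch '^Windows2008') {
    # One-way change: every DC must already run Windows Server 2008 or later,
    # which is the state described in the question after the upgrade.
    Set-ADDomainMode -Identity $DomainName -DomainMode Windows2008Domain -Confirm:$false
}

# 2. Create the PSO. Precedence: when several PSOs apply to one user, the lowest number wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# 3. Link it. PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'

# 4. Verify what one admin actually gets: the resultant PSO, not the Default Domain Policy.
$member = Get-ADGroupMember -Identity 'Domain Admins' | Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
```

Step 4 is the check that matters operationally: a PSO linked to the wrong object type, or shadowed by another PSO with a lower precedence number, silently leaves the user on the domain default.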
QUESTION 6
Your company has two Active Directory forests named contoso.com and fabrikam.com.
The company network has three DNS servers named DNS1, DNS2, and DNS3.
The DNS servers are configured as shown in the following table:
All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS
server.
All other computers use DNS1 as the preferred DNS server.
Users from the fabrikam.com domain are unable to connect to the servers that belong to the
contoso.com domain.
You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries.
What should you do?
A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.
Correct Answer: D
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc730756.aspx
Understanding Forwarders
A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external
DNS names to DNS servers outside that network. You can also forward queries according to specific
domain names using conditional forwarders.
You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the
network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder,
you can manage name resolution for names outside your network, such as names on the Internet, and
improve the efficiency of name resolution for the computers in your network.
The following figure illustrates how external name queries are directed with forwarders.
…
Conditional forwarders
A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS
domain name in the query. For example, you can configure a DNS server to forward all the queries that it
receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP
addresses of multiple DNS servers.
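The two DNS fixes from Questions 4 and 6, as one added example (not code from the original page): removing the root zone from DNS2 so it can resolve Internet names again, and adding a conditional forwarder on DNS3 that sends only contoso.com queries to DNS1. All addresses are constructed assumptions (DNS1 = 10.0.1.10, DNS2 = 10.0.1.11, DNS3 = 10.0.3.10, upstream resolvers 192.0.2.53/54); dnscmd is in-box on Windows Server 2008 R2.

```powershell
# Added example, not part of the original page: the DNS fixes from Questions 4 and 6 with dnscmd.
# Addresses are constructed assumptions: DNS1 = 10.0.1.10 (authoritative for contoso.com),
# DNS2 = 10.0.1.11, DNS3 = 10.0.3.10 (fabrikam.com), upstream resolvers 192.0.2.53 and 192.0.2.54.
$Dns1 = '10.0.1.10'; $Dns2 = '10.0.1.11'; $Dns3 = '10.0.3.10'
$Upstream = @('192.0.2.53', '192.0.2.54')

function Test-Resolves {
    # True when $Server returns an answer (a Name: line and no "can't find") for $Name.
    param([string]$Name, [string]$Server)
    $out = nslookup -type=A $Name $Server 2>$null
    [bool](($out | Select-String '^Name:') -and -not ($out | Select-String "can't find"))
}

# Question 4: a zone named "." makes DNS2 believe it is a root server. It then answers every
# name it does not host with "does not exist" and never consults root hints or forwarders.
dnscmd $Dns2 /EnumZones | Select-String '^\s*\.\s'     # is the dot zone present?
dnscmd $Dns2 /ZoneDelete . /f                           # remove it (/f skips the confirmation prompt)
# With the root zone gone DNS2 uses its root hints (cache.dns) again; a forwarder list makes it
# send unresolved queries to the upstream resolvers instead of iterating from the roots.
dnscmd $Dns2 /ResetForwarders $Upstream
"DNS2 resolves Internet names: $(Test-Resolves -Name 'www.microsoft.com' -Server $Dns2)"

# Question 6 (answer D): DNS3 forwards only contoso.com queries to DNS1. A conditional
# forwarder is a zone of type Forwarder named after the domain. Unlike copying the zone
# (option C), it gives the fabrikam.com servers no copy of contoso.com's zone data.
dnscmd $Dns3 /ZoneAdd contoso.com /Forwarder $Dns1
dnscmd $Dns3 /ZoneInfo contoso.com
"DNS3 resolves contoso.com names: $(Test-Resolves -Name 'dc1.contoso.com' -Server $Dns3)"
```

The ordering in the Question 4 part is deliberate: while the "." zone exists, any forwarder or root-hint configuration is ignored, so deleting it has to come first.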
QUESTION 7
Your company, Contoso Ltd, has offices in North America and Europe.
Contoso has an Active Directory forest that has three domains.
You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain
when they access resources in the eng.na.contoso.com domain.
What should you do?
A. Decrease the replication interval for all Connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc754538.aspx
Understanding When to Create a Shortcut Trust
When to create a shortcut trust
Shortcut trusts are one-way or two-way, transitive trusts that administrators can use to optimize the
authentication process.
Authentication requests must first travel a trust path between domain trees. In a complex forest this can
take time, which you can reduce with shortcut trusts. A trust path is the series of domain trust relationships
that authentication requests must traverse between any two domains. Shortcut trusts effectively shorten
the path that authentication requests travel between domains that are located in two separate domain
trees.
Shortcut trusts are necessary when many users in a domain regularly log on to other domains in a forest.
Using the following illustration as an example, you can form a shortcut trust between domain B and
domain D, between domain A and domain 1, and so on.
Using one-way trusts
A one-way, shortcut trust that is established between two domains in separate domain trees can reduce
the time that is necessary to fulfill authentication requests—but in only one direction. For example, when a
one-way, shortcut trust is established between domain A and domain B, authentication requests that are
made in domain A to domain B can use the new one-way trust path. However, authentication requests that
are made in domain B to domain A must still travel the longer trust path.
Using two-way trusts
A two-way, shortcut trust that is established between two domains in separate domain trees reduces the
time that is necessary to fulfill authentication requests that originate in either domain. For example, when
a two-way trust is established between domain A and domain B, authentication requests that are made
from either domain to the other domain can use the new, two-way trust path.
QUESTION 8
Your company purchases a new application to deploy on 200 computers.
The application requires that you modify the registry on each target computer before you install the
application.
The registry modifications are in a file that has an .adm extension.
You need to prepare the target computers for the application.
What should you do?
A. Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an
organizational unit that contains the target computers.
B. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
REDIRUsr CONTAINER-DN command on each target computer.
C. Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target
computer.
D. Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the
REDIRCmp CONTAINER-DN command on each target computer.
Correct Answer: A
Explanation
Explanation/Reference:
http://www.petri.co.il/adding_new_administrative_templates_to_gpo.htm
Adding New Administrative Templates to a GPO
Adding .ADM files to the Administrative Templates in a GPO
In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow
the next steps:
1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the
Start menu, or by typing gpmc.msc in the Run command.
2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.
…
bbs.hh010.com
QUESTION 9
Your company has an Active Directory forest that contains eight linked Group Policy Objects
(GPOs).
One of these GPOs publishes applications to user objects.
A user reports that the application is not available for installation.
You need to identify whether the GPO has been applied.
What should you do?
A. Run the Group Policy Results utility for the user.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
D. Run the Group Policy Results utility for the computer.
Correct Answer: A
Explanation
Explanation/Reference:
Personal note:
You run the utility for the user and not for the computer, because the application is published to user objects.
http://technet.microsoft.com/en-us/library/bb456989.aspx
How to Use the Group Policy Results (GPResult.exe) Command Line Tool
Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy
settings in effect for a specific user or computer. Administrators can run GPResult on any remote
computer within their scope of management. By default, GPResult returns settings in effect on the
computer on which GPResult is run.
To run GPResult on your own computer:
1. Click Start, Run, and enter cmd to open a command window.
2. Type gpresult and redirect the output to a text file as shown in Figure 1 below:
Figure 1. Directing GPResult data to a text file
3. Enter notepad gp.txt to open the file. Results appear as shown in the figure below.
Figure 2. Verifying policies with GPResult
Administrators can also direct GPResult to other users and computers.
QUESTION 10
Your company has an Active Directory domain.
You plan to install the Active Directory Certificate Services (AD CS) server role on a member server
that runs Windows Server 2008 R2.
You need to ensure that members of the Account Operators group are able to issue smartcard
credentials.
They should not be able to revoke certificates.
Which three actions should you perform?
(Each correct answer presents part of the solution. Choose three.)
A. Create an Enrollment Agent certificate.
B. Create a Smartcard logon certificate.
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Install the AD CS role and configure it as an Enterprise Root CA.
E. Install the AD CS role and configure it as a Standalone CA.
F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
Correct Answer: BCD
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx
AD CS: Restricted Enrollment Agent
The restricted enrollment agent is a new functionality in the Windows Server® 2008 Enterprise operating
system that allows limiting the permissions that users designated as enrollment agents have for enrolling
smart card certificates on behalf of other users.
What does the restricted enrollment agent do?
Enrollment agents are one or more authorized individuals within an organization. The enrollment agent
needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card
certificates on behalf of users. Enrollment agents are typically members of the corporate security,
Information Technology (IT) security, or help desk teams because these individuals have already been
trusted with safeguarding valuable resources. In some organizations, such as banks that have many
branches, help desk and security workers might not be conveniently located to perform this task. In this
case, designating a branch manager or other trusted employee to act as an enrollment agent is required to
enable smart card credentials to be issued from multiple locations.
On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent
features allow an enrollment agent to be used for one or many certificate templates. For each certificate
template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You
cannot constrain an enrollment agent based on a certain Active Directory® organizational unit (OU) or
container; you must use security groups instead. The restricted enrollment agent is not available on a
Windows Server® 2008 Standard-based CA.
http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx
Enterprise certification authorities
The Enterprise Administrator can install Certificate Services to create an enterprise certification authority
(CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using
S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using
Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server
2003 family domain using a smart card.
An enterprise CA has the following features:
An enterprise CA requires the Active Directory directory service.
When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the
Trusted Root Certification Authorities certificate store for all users and computers in the domain. You
must be a Domain Administrator or be an administrator with write access to Active Directory to install
an enterprise root CA.
Certificates can be issued for logging on to a Windows Server 2003 family domain using smart
cards.
The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to
Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed
on must be a member of the Certificate Publishers group. This is automatic for the domain the server
is in, but the server must be delegated the proper security permissions to publish certificates in other
domains. For more information about the exit module, see Policy and exit modules.
An enterprise CA uses certificate types, which are based on a certificate template. The following
functionality is possible when you use certificate templates:
Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate
template has a security permission set in Active Directory that determines whether the certificate
requester is authorized to receive the type of certificate they have requested.
The certificate subject name can be generated automatically from the information in Active Directory
or supplied explicitly by the requestor.
The policy module adds a predefined list of certificate extensions to the issued certificate. The
extensions are defined by the certificate template. This reduces the amount of information a certificate
requester has to provide about the certificate and its intended use.
http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx
Stand-alone certification authorities
You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs
can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure
Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets
Layer (SSL) or Transport Layer Security (TLS).
A stand-alone CA has the following characteristics:
Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory
service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA
hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom
policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy
module with your custom policy module.
When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly
supply all identifying information about themselves and the type of certificate that is wanted in the
certificate request. (This does not need to be done when submitting a request to an enterprise CA,
since the enterprise user’s information is already in Active Directory and the certificate type is
described by a certificate template). The authentication information for requests is obtained from the
local computer’s Security Accounts Manager database.
By default, all certificate requests sent to the stand-alone CA are set to Pending until the
administrator of the stand-alone CA verifies the identity of the requester and approves the request.
This is done for security reasons, because the certificate requester’s credentials are not verified by the
stand-alone CA.
Certificate templates are not used.
No certificates can be issued for logging on to a Windows Server 2003 family domain using smart
cards, but other types of certificates can be issued and stored on a smart card.
The administrator has to explicitly distribute the stand-alone CA’s certificate to the domain user’s
trusted root store or users must perform that task themselves.
When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active
Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification
Authorities certificate store for all users and computers in the domain. For this reason, if you install a
stand-alone root CA in an Active Directory domain, you should not change the default action of the CA
upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a
trusted root CA that automatically issues certificates without verifying the identity of the certificate
requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent
domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the
stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active
Directory.
QUESTION 11
You create 200 new user accounts.
The users are located in six different sites.
New users report that they receive the following error message when they try to log on: “The
username or password is incorrect.”
You confirm that the user accounts exist and are enabled.
You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure.
You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Correct Answer: B
Explanation
Explanation/Reference:
Repadmin allows us to check the replication status and also allows us to force a replication between
domain controllers.
Reference:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes
the results in a report.
Repadmin /showrepl
Displays the replication status when the specified domain controller last attempted to perform inbound
replication on Active Directory partitions.
Repadmin /syncall
Synchronizes a specified domain controller with all replication partners.
QUESTION 12
Your network contains an Active Directory forest.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You have an Active Directory-integrated zone for contoso.com.
You have a Unix-based DNS server.
You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the
contoso.com zone to the Unix-based DNS server.
What should you do in the DNS Manager console?
A. Enable BIND secondaries
B. Create a stub zone
C. Disable recursion
D. Create a secondary zone
Correct Answer: A
Explanation
Explanation/Reference:
http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dnsserver-bind-secondaries/
Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND Secondaries)
BIND Secondaries controls zone transfers between DNS servers from different vendors. It determines the
format used for the zone transfer, that is, whether the transfer is fast or slow. BIND stands for Berkeley
Internet Name Domain; BIND is based on the UNIX operating system.
Two Windows servers do not require BIND. BIND is only required when a DNS zone is transferred between
DNS servers from two different vendors (UNIX and Microsoft Windows). If you use only Windows servers
for DNS and zone transfers, you will have to disable this option on the Windows DNS server. However, if you
want the server to perform a slow, uncompressed zone transfer, you will have to enable BIND secondaries
on the DNS server.
To reiterate, BIND secondaries only controls the slow-transfer and data-compression mechanism for DNS
zone transfers. BIND support is understood to have been introduced in Windows Server to support UNIX.
System administrators will normally disable this option if they want the data in zone transfers between
primary and secondary DNS servers to be transferred faster, in order to improve the efficiency of DNS
queries within their network environment.
BIND secondaries is used on a Windows DNS server when zone transfers need to be configured between a
Windows server and a UNIX server or operating system.
BIND secondaries is enabled when a Windows server is configured as the primary DNS server and a UNIX
computer is configured as a secondary DNS server for zone transfers.
BIND Secondaries needs to be configured to mitigate the interoperability problem between the two server
operating systems, since they are from different vendors.
Note that old versions of BIND were noted to be very slow and to use an uncompressed zone transfer
format. However, BIND in Windows Server 2008 and later has improved this problem, because BIND in
Windows Server 2008 and later uses a faster, compressed format during zone transfers between primary
and secondary DNS servers configured on different server operating systems (UNIX and Windows Server).
QUESTION 13
Your company has an Active Directory domain.
You log on to the domain controller.
The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by
using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the
schema for writing.
D. Register Schmmgmt.dll.
Correct Answer: D
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732110.aspx
Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active
Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
To install the Active Directory Schema snap-in
1. To open an elevated command prompt, click Start, type command prompt and then right-click
Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK.
To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right-click
cmd and then click Run as administrator.
2. Type the following command, and then press ENTER:
regsvr32 schmmgmt.dll
3. Click Start, click Run, type mmc and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
6. To save this console, on the File menu, click Save.
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in,
and then click Save.
* To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to
a location for the snap-in. In File name, type a name for the snap-in, and then click Save.
QUESTION 14
Your company has a server that runs Windows Server 2008 R2.
Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority
(CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%
\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog
directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate
Services (AD CS) server.
Correct Answer: AD
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc772451.aspx
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification authority
(CA):
Back up and restore the CA database.
Change the CA configuration.
Change CA security settings.
Issue and manage certificate requests.
Revoke certificates and publish certificate revocation lists (CRLs).
Store and retrieve archived keys.
Start and stop Active Directory Certificate Services (AD CS).
To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
Additional considerations
To audit events, the computer must also be configured for auditing of object access. Audit policy
options can be viewed and managed in local or domain Group Policy under
Computer Configuration\Windows Settings\Security Settings\Local Policies.
QUESTION 15
Your company has a single-domain Active Directory forest.
The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Correct Answer: B
Explanation
Explanation/Reference:
http://kb.iu.edu/data/ajlt.html
In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group
types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You
can also control who receives group policy settings. This simplifies administration by allowing you to
set permissions once on multiple computers, then to change the membership of the group as your
needs change. The change in group membership automatically takes effect everywhere. You can also
use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These
lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and
remove contacts from the list so that they will or will not receive email sent to the distribution group.
You can’t use distribution groups to assign permissions on any objects, and you can’t use them to filter
group policy settings.
http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx
Group types
QUESTION 16
Your company hires 10 new employees.
You want the new employees to connect to the main office through a VPN connection.
You create new user accounts and grant the new employees the Allow Read and Allow Execute
permissions to shared resources in the main office.
The new employees are unable to access shared resources in the main office.
You need to ensure that users are able to establish a VPN connection to the main office.
What should you do?
A. Grant the new employees the Allow Access Dial-in permission.
B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
Correct Answer: A
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
Dial-in properties of a user account
The dial-in properties for a user account are:
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or
determined through remote access policies. In all cases, remote access policies are used to
authorize the connection attempt. If access is explicitly allowed, remote access policy conditions,
user account properties, or profile properties can still deny the connection attempt.
…
QUESTION 17
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the
largest amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics
report.
D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Correct Answer: C
Explanation
Explanation/Reference:
http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/
Active Directory Diagnostics
Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the
installation of SPA. SPA is helpful because its Active Directory data set collects performance data and
generates XML-based diagnostic reports that make analyzing AD performance issues easier by identifying
the IP addresses of the highest-volume callers and the type of network traffic that is placing the most load
on the CPU.
Download SPA tool: http://www.microsoft.com/en-us/download/details.aspx?id=15506
Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and
you don’t have to install SPA anymore.
This performance feature is located in the Server Manager snap-in under the Diagnostics node and
when the Active Directory Domain Services Role is installed the Active Directory Diagnostics data
collector set is automatically created under System as shown here.
requester is authorized to receive the type of certificate they have requested.
The certificate subject name can be generated automatically from the information in Active Directory
or supplied explicitly by the requestor.
The policy module adds a predefined list of certificate extensions to the issued certificate. The
extensions are defined by the certificate template. This reduces the amount of information a certificate
requester has to provide about the certificate and its intended use.
http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx
Stand-alone certification authorities
You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs
can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure
Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets
Layer (SSL) or Transport Layer Security (TLS).
A stand-alone CA has the following characteristics:
Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory
service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA
hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom
policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy
module with your custom policy module.
When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly
supply all identifying information about themselves and the type of certificate that is wanted in the
certificate request. (This does not need to be done when submitting a request to an enterprise CA,
since the enterprise user’s information is already in Active Directory and the certificate type is
described by a certificate template). The authentication information for requests is obtained from the
local computer’s Security Accounts Manager database.
By default, all certificate requests sent to the stand-alone CA are set to Pending until the
administrator of the stand-alone CA verifies the identity of the requester and approves the request.
This is done for security reasons, because the certificate requester’s credentials are not verified by the
stand-alone CA.
Certificate templates are not used.
No certificates can be issued for logging on to a Windows Server 2003 family domain using smart
cards, but other types of certificates can be issued and stored on a smart card.
The administrator has to explicitly distribute the stand-alone CA’s certificate to the domain user’s
trusted root store or users must perform that task themselves.
When a stand-alone CA uses Active Directory, it has these additional features:
If a member of the Domain Administrators group or an administrator with write access to Active
Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification
Authorities certificate store for all users and computers in the domain. For this reason, if you install a
stand-alone root CA in an Active Directory domain, you should not change the default action of the CA
upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a
trusted root CA that automatically issues certificates without verifying the identity of the certificate
requester.
If a stand-alone CA is installed by a member of the Domain Administrators group of the parent
domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the
stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active
Directory.
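The explanation above turns on one point: certificate templates, and with them smart card logon certificates and restricted enrollment agents, exist only on an enterprise CA. The following script, added here and not part of the exam dump or the TechNet articles it quotes, reads the CA type from the CA's registry through certutil and checks whether the Smartcard Logon and Enrollment Agent templates are published. The CA config string is hypothetical; certutil.exe must be available (it is installed with the AD CS role and with the RSAT tools).

```powershell
# Added example (not from the exam dump): is this CA able to issue smart card
# logon certificates and have enrollment agents restricted? Both need an
# enterprise CA with the right templates published.
param(
    # Hypothetical "<host>\<CA name>" config string; replace with your own CA.
    [string]$CaConfig = 'CA1.contoso.com\Contoso-CA1-CA'
)

# CAType as stored under HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>
$caTypeNames = @{
    0 = 'Enterprise root CA'
    1 = 'Enterprise subordinate CA'
    3 = 'Standalone root CA'
    4 = 'Standalone subordinate CA'
}

$raw = & certutil.exe -config $CaConfig -getreg 'CA\CAType' 2>&1 | Out-String
if ($raw -match 'CAType REG_DWORD = (\d+)') {
    $caType = [int]$Matches[1]
} else {
    throw "Could not read CAType from $CaConfig`: $raw"
}

"CA type: $($caTypeNames[$caType]) ($caType)"
if ($caType -ge 3) {
    Write-Warning 'Standalone CA: no certificate templates, so neither Smartcard Logon nor Enrollment Agent certificates can be issued from it.'
    return
}

# certutil -CATemplates prints one "TemplateName: Display Name -- ..." line per
# template the CA is configured to issue; keep only the template names.
$templates = & certutil.exe -config $CaConfig -CATemplates 2>&1 |
    Where-Object { $_ -match '^(\S+):' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object { ($_ -split ':')[0].Trim() }

foreach ($needed in 'SmartcardLogon', 'EnrollmentAgent') {
    if ($templates -contains $needed) {
        "Template published: $needed"
    } else {
        Write-Warning "Template not published on this CA: $needed"
    }
}
```

A standalone CA answers the first check with CAType 3 or 4 and the script stops there, which is the practical reason option E in the question is wrong. Note that the enrollment agent restrictions themselves (the Enrollment Agents tab of the CA properties) are an Enterprise edition feature of Windows Server 2008, as the quoted article says, so a successful template check on a Standard edition CA still does not give you restricted agents.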
QUESTION 11
You create 200 new user accounts.
The users are located in six different sites.
New users report that they receive the following error message when they try to log on: “The
username or password is incorrect.”
You confirm that the user accounts exist and are enabled.
You also confirm that the user name and password information supplied are correct.
You need to identify the cause of the failure.
You also need to ensure that the new users are able to log on.
Which utility should you run?
A. Active Directory Domains and Trusts
B. Repadmin
C. Rstools
D. Rsdiag
Correct Answer: B
Explanation
Explanation/Reference:
The 200 accounts were created on one domain controller. Users in the other five sites authenticate against the domain controller in their own site, and until the new objects have replicated there that domain controller has no record of the account, so the logon fails with the generic "username or password is incorrect" message. Repadmin lets us check the replication status and also force a replication between domain controllers.
Reference:
http://technet.microsoft.com/en-us/library/cc770963.aspx
Repadmin /replsummary
Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes
the results in a report.
Repadmin /showrepl
Displays the replication status when the specified domain controller last attempted to perform inbound
replication on Active Directory partitions.
Repadmin /syncall
Synchronizes a specified domain controller with all replication partners.
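The three repadmin switches above are what you would run by hand. The following script, added here and not part of the exam dump, does the same check in one pass: it reads repadmin's CSV output to find failing replication links, then asks one domain controller per site whether a given new account has arrived, and optionally forces a sync on the domain controllers that still lack it. It assumes the Active Directory PowerShell module (Windows Server 2008 R2 or RSAT) and rights to run repadmin; the user name is a hypothetical one of the 200 new accounts.

```powershell
# Added example (not from the exam dump): replication health per link, plus a
# per-site check that a new account has actually replicated to that site's DC.
param(
    [string]$NewUser = 'jdoe',   # hypothetical sAMAccountName of one new account
    [switch]$ForceSync           # run repadmin /syncall on DCs that lack the account
)
Import-Module ActiveDirectory

# repadmin /showrepl * /csv returns one row per inbound replication link on every DC.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

$failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    'Replication links with failures:'
    $failing | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize
} else {
    'No failing replication links reported by repadmin.'
}

# One DC per site, enumerated through .NET so this also works on servers without
# the Get-ADReplicationSite cmdlet (added in Windows Server 2012).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($site in $forest.Sites) {
    $dc = $site.Servers | Select-Object -First 1
    if (-not $dc) { Write-Warning "Site $($site.Name) has no domain controller"; continue }

    # A DC that has not yet received the object rejects the logon with the same
    # "username or password is incorrect" error the users are reporting.
    $user  = Get-ADUser -Filter "SamAccountName -eq '$NewUser'" -Server $dc.Name
    $state = if ($user) { 'present' } else { 'MISSING' }
    '{0,-20} {1,-35} {2}' -f $site.Name, $dc.Name, $state

    if (-not $user -and $ForceSync) {
        # /A all partitions, /d show names as DNs, /e cross-site (enterprise), /P push:
        # make this DC synchronise with all partners now instead of waiting for the schedule.
        repadmin /syncall $dc.Name /AdeP
    }
}
```

Run it first without -ForceSync to see which sites are behind; if the failing links point at a specific source DC, fix that connection (DNS, firewall, tombstone lifetime) before pushing replication, since /syncall will just report the same error.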
QUESTION 12
Your network contains an Active Directory forest.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You have an Active Directory-integrated zone for contoso.com.
You have a Unix-based DNS server.
You need to configure your Windows Server 2008 R2 environment to allow zone transfers of the
contoso.com zone to the Unix-based DNS server.
What should you do in the DNS Manager console?
A. Enable BIND secondaries
B. Create a stub zone
C. Disable recursion
D. Create a secondary zone
Correct Answer: A
Explanation
Explanation/Reference:
http://skibbz.com/understanding-of-advance-properties-settings-in-window-server-2003-and-2008-dnsserver-bind-secondaries/
Understanding Of Advance Properties Settings In Window Server 2003 And 2008 DNS Server (BIND
Secondaries)
BIND Secondaries is a server-wide option on the Advanced tab of the DNS server properties in DNS
Manager (dnscmd /Config /BindSecondaries sets the same value from the command line). It controls the
format the Windows DNS server uses when it transfers a zone to a secondary server. BIND (Berkeley
Internet Name Domain) is the DNS server software most commonly run on UNIX systems.
With the option cleared (the default), the server uses the fast zone transfer format: records are
compressed and several records are packed into each TCP message. With the option selected, the server
falls back to the slow, uncompressed format with one record per message, which is the only format that
BIND versions earlier than 4.9.4 can parse.
Two Windows DNS servers never need this option; turning it on between them only makes zone transfers
slower. Select it when a Windows server is the master for a zone and a UNIX secondary running an old
BIND release cannot process the fast format. BIND 4.9.4 and later, including every current release,
understand the fast format, so for a modern UNIX secondary the option can stay cleared.
Whatever the transfer format, a transfer only happens if the secondary is permitted on the Zone
Transfers tab of the zone's properties; an AXFR request from a server that is not allowed there is refused
regardless of the BIND Secondaries setting.
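The two settings involved, shown as an added example that is not part of the exam dump or the blog it quotes. The script permits transfers of contoso.com to the UNIX secondary and sets the BIND Secondaries option only when that secondary is an old BIND release. dnscmd.exe is installed with the DNS Server role on Windows Server 2008 R2; the zone name comes from the question, while the secondary's IP address and the -OldBind switch are assumptions made for the example.

```powershell
# Added example (not from the exam dump): zone transfer permission plus the
# BindSecondaries transfer-format switch, in the order they matter.
param(
    [string]$Zone    = 'contoso.com',
    [string]$UnixDns = '10.0.0.53',   # hypothetical address of the UNIX secondary
    [switch]$OldBind                   # set only when the secondary runs BIND earlier than 4.9.4
)

# 1. Zone-level permission comes first: without it the AXFR request is refused
#    and the transfer format never matters. /SecureList limits transfers to the
#    listed addresses instead of "any server".
dnscmd /ZoneResetSecondaries $Zone /SecureList $UnixDns
if ($LASTEXITCODE -ne 0) { throw "Could not set the zone transfer list on $Zone" }

# 2. Server-wide transfer format. 1 = slow, uncompressed, one record per message
#    (pre-4.9.4 BIND); 0 = fast, compressed format (the default; Windows and
#    current BIND both understand it).
$bind = if ($OldBind) { 1 } else { 0 }
dnscmd /Config /BindSecondaries $bind
if ($LASTEXITCODE -ne 0) { throw 'Could not set BindSecondaries' }

# 3. Print what is now in effect so the change can be reviewed.
dnscmd /Info BindSecondaries
dnscmd /ZoneInfo $Zone
```

BindSecondaries is a per-server setting, so step 2 has to be repeated on every Windows DNS server that the UNIX secondary lists as a master; `dnscmd <ServerName> /Config /BindSecondaries 1` sets it remotely. From the UNIX side, `dig @dc1.contoso.com contoso.com AXFR` shows whether the transfer is accepted; a "Transfer failed" response at that point is almost always the Zone Transfers tab, not the format.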
QUESTION 13
Your company has an Active Directory domain.
You log on to the domain controller.
The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in.
What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by
using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the
schema for writing.
D. Register Schmmgmt.dll.
Correct Answer: D
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc732110.aspx
Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active
Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
To install the Active Directory Schema snap-in
1. To open an elevated command prompt, click Start , type command prompt and then right-click
Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK .
To open an elevated command prompt in Windows Server 2012, click Start , type cmd , right click
cmd and then click Run as administrator .
2. Type the following command, and then press ENTER:
regsvr32 schmmgmt.dll
3. Click Start , click Run , type mmc and then click OK .
4. On the File menu, click Add/Remove Snap-in .
5. Under Available snap-ins , click Active Directory Schema , click Add and then click OK .
6. To save this console, on the File menu, click Save .
7. In the Save As dialog box, do one of the following:
* To place the snap-in in the Administrative Tools folder, in File name , type a name for the snap-in,
and then click Save .
* To save the snap-in to a location other than the Administrative Tools folder, in Save in , navigate to
a location for the snap-in. In File name , type a name for the snap-in, and then click Save .
QUESTION 14
Your company has a server that runs Windows Server 2008 R2.
Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority
(CA) on the server.
You need to audit changes to the CA configuration settings and the CA security settings.
Which two tasks should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%
\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog
directory.
D. Enable the Audit object access setting in the Local Security Policy for the Active Directory Certificate
Services (AD CS) server.
Correct Answer: AD
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc772451.aspx
Configure CA Event Auditing
You can audit a variety of events relating to the management and activities of a certification authority
(CA):
Back up and restore the CA database.
Change the CA configuration.
Change CA security settings.
Issue and manage certificate requests.
Revoke certificates and publish certificate revocation lists (CRLs).
Store and retrieve archived keys.
Start and stop Active Directory Certificate Services (AD CS).
To configure CA event auditing
1. Open the Certification Authority snap-in.
2. In the console tree, click the name of the CA.
3. On the Action menu, click Properties.
4. On the Auditing tab, click the events that you want to audit, and then click OK.
5. On the Action menu, point to All Tasks, and then click Stop Service.
6. On the Action menu, point to All Tasks, and then click Start Service.
Additional considerations
To audit events, the computer must also be configured for auditing of object access. Audit policy
options can be viewed and managed in local or domain Group Policy under Computer Configuration
\Windows Settings\Security Settings\Local Policies.
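The same two configuration steps from the command line, as an added example that is not part of the exam dump or the TechNet article it quotes. The CA's audit filter is a registry bitmask that mirrors the check boxes on the Auditing tab, and the object-access requirement from "Additional considerations" is the Certification Services audit subcategory, which auditpol can enable directly. Run it elevated on the CA.

```powershell
# Added example (not from the exam dump): enable CA event auditing, enable the
# object-access subcategory it depends on, restart the service, then look for
# the CA configuration and security-change events in the Security log.
#
# AuditFilter bits (same order as the Auditing tab):
#   1  start/stop AD CS                8  revoke certificates / publish CRLs
#   2  back up / restore CA database   16 change CA security settings
#   4  issue / manage requests         32 store / retrieve archived keys
#                                      64 change CA configuration
$auditFilter = 127   # every class; use 16 + 64 to audit only the two the question asks about

certutil -setreg 'CA\AuditFilter' $auditFilter
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg CA\AuditFilter failed' }

# The CA emits audit events only if object-access auditing is on for the
# "Certification Services" subcategory; this is the command-line form of the
# Audit object access policy setting named in option D.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed' }

# AuditFilter is read when the service starts.
Restart-Service certsvc

# 4882 security permissions for Certificate Services changed
# 4885 audit filter for Certificate Services changed
# 4890 certificate manager settings changed
# 4891 a configuration entry changed in Certificate Services
# 4892 a property of Certificate Services changed
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4885, 4890, 4891, 4892 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

On a domain-joined CA a Group Policy that configures the Object Access category will override the local auditpol setting at the next policy refresh, so put the subcategory into the GPO that applies to the CA rather than relying on the local change. The first event you should see after the restart is 4885, the audit filter change you just made.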
QUESTION 15
Your company has a single-domain Active Directory forest.
The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder.
What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Correct Answer: B
Explanation
Explanation/Reference:
http://kb.iu.edu/data/ajlt.html
In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group
types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You
can also control who receives group policy settings. This simplifies administration by allowing you to
set permissions once on multiple computers, then to change the membership of the group as your
needs change. The change in group membership automatically takes effect everywhere. You can also
use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These
lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and
remove contacts from the list so that they will or will not receive email sent to the distribution group.
You can’t use distribution groups to assign permissions on any objects, and you can’t use them to filter
group policy settings.
http://technet.microsoft.com/en-us/library/cc781446%28v=ws.10%29.aspx
Group types
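An added example, not from the exam dump or the pages it quotes, for finding this mistake on a file server: it lists the groups that hold permissions on a shared folder and flags any that are, or contain, distribution groups. Members of such a group get no access, because a distribution group contributes no SID to the user's access token. With -Fix the script converts the offending groups to security groups, which is the question's answer. It assumes the Active Directory PowerShell module; the share path is hypothetical.

```powershell
# Added example (not from the exam dump): distribution groups that have been
# granted, or nested into a group that has been granted, NTFS permissions.
param(
    [string]$Path = '\\FS1\Projects',   # hypothetical share
    [switch]$Fix
)
Import-Module ActiveDirectory

# Return every distribution group reachable from $Group, including $Group
# itself. The question nests a global distribution group inside a domain local
# security group, so looking at the top-level group alone is not enough.
function Find-DistributionGroup {
    param($Group, [int]$Depth = 0)
    if ($Group.GroupCategory -eq 'Distribution') { $Group }
    if ($Depth -ge 10) { return }           # guard against circular nesting
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Find-DistributionGroup -Group (Get-ADGroup -Identity $_) -Depth ($Depth + 1) }
}

$found = @()
foreach ($ace in (Get-Acl -Path $Path).Access) {
    # Only DOMAIN\name principals can be AD groups; skip BUILTIN, NT AUTHORITY and unresolved SIDs.
    if ($ace.IdentityReference.Value -notmatch '^[^\\]+\\(.+)$') { continue }
    $name  = $Matches[1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { continue }           # a user or computer account, not a group

    foreach ($dg in Find-DistributionGroup -Group $group) {
        '{0,-30} grants {1,-25} via {2} ({3} {4})' -f $ace.IdentityReference.Value,
            $ace.FileSystemRights, $dg.SamAccountName, $dg.GroupScope, $dg.GroupCategory
        $found += $dg
    }
}

if (-not $found) { "No distribution groups found in the ACL of $Path"; return }

if ($Fix) {
    foreach ($dg in ($found | Sort-Object DistinguishedName -Unique)) {
        # Membership is kept. Members only get the group's SID in their token at
        # their next logon, so they must log off and on before the access works.
        Set-ADGroup -Identity $dg -GroupCategory Security
        "Converted $($dg.SamAccountName) to a security group"
    }
}
```

The conversion in the script is exactly option B. Option C (changing the scope to universal) would leave the group a distribution group and change nothing about access, and option D is irrelevant because group type conversion is available at every functional level.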
QUESTION 16
Your company hires 10 new employees.
You want the new employees to connect to the main office through a VPN connection.
You create new user accounts and grant the new employees the Allow Read and Allow Execute
permissions to shared resources in the main office.
The new employees are unable to access shared resources in the main office.
You need to ensure that users are able to establish a VPN connection to the main office.
What should you do?
A. Grant the new employees the Allow Access Dial-in permission.
B. Grant the new employees the Allow Full control permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.
Correct Answer: A
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx
Dial-in properties of a user account
The dial-in properties for a user account are:
Remote Access Permission (Dial-in or VPN)
You can use this property to set remote access permission to be explicitly allowed, denied, or
determined through remote access policies. In all cases, remote access policies are used to
authorize the connection attempt. If access is explicitly allowed, remote access policy conditions,
user account properties, or profile properties can still deny the connection attempt.
…
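Setting that property for a batch of accounts, as an added example that is not part of the exam dump or the TechNet page it quotes. The "Allow access" radio button is the msNPAllowDialin attribute on the user object; the script sets it when -ExplicitAllow is given, and otherwise leaves the accounts on "Control access through NPS Network Policy" and puts them in a group that an NPS network policy can match, which is the setting that is easier to audit later. It assumes the Active Directory PowerShell module; the user and group names are hypothetical.

```powershell
# Added example (not from the exam dump): remote access permission for the
# 10 new accounts, per-user or via a group for NPS policy.
param(
    [string[]]$Users   = (1..10 | ForEach-Object { 'hire{0:D2}' -f $_ }),   # hypothetical names
    [string]$VpnGroup  = 'VPN-Users',                                        # hypothetical group
    [switch]$ExplicitAllow
)
Import-Module ActiveDirectory

foreach ($sam in $Users) {
    $u = Get-ADUser -Identity $sam -Properties msNPAllowDialin
    if ($ExplicitAllow) {
        # $true = Allow access, $false = Deny access; an absent attribute means
        # "Control access through NPS Network Policy".
        Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $true }
    } else {
        if ($null -ne $u.msNPAllowDialin) { Set-ADUser -Identity $u -Clear msNPAllowDialin }
        Add-ADGroupMember -Identity $VpnGroup -Members $u
    }
}

# Report the effective per-user setting and the group membership.
foreach ($sam in $Users) {
    $u = Get-ADUser -Identity $sam -Properties msNPAllowDialin, MemberOf
    $dialIn = if ($null -eq $u.msNPAllowDialin) { 'NPS policy' }
              elseif ($u.msNPAllowDialin)       { 'Allow' }
              else                              { 'Deny' }
    $inGroup = [bool]($u.MemberOf | Where-Object { $_ -like "CN=$VpnGroup,*" })
    '{0,-10} dial-in: {1,-11} member of {2}: {3}' -f $sam, $dialIn, $VpnGroup, $inGroup
}
```

As the quoted TechNet text says, the network policy is still evaluated even when access is explicitly allowed, so a policy that requires a group the user is not in, or an authentication method the client does not offer, still rejects the connection. That is the reason the group-based form is preferred: one policy condition, one place to look when a connection is refused.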
QUESTION 17
Your network consists of a single Active Directory domain.
All domain controllers run Windows Server 2008 R2.
You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the
largest amount of available CPU resources on a domain controller.
What should you do?
A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics
report.
D. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
Correct Answer: C
Explanation
Explanation/Reference:
http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/
Active Directory Diagnostics
Prior to Windows Server 2008, troubleshooting Active Directory performance issues often required the
installation of the Server Performance Advisor (SPA). SPA is helpful because its Active Directory data set
collects performance data and generates XML-based diagnostic reports that make analyzing AD performance
issues easier by identifying the IP addresses of the highest-volume callers and the type of network traffic
that is placing the most load on the CPU.
Download SPA tool: http://www.microsoft.com/en-us/download/details.aspx?id=15506
Now the same functionality has been built into Windows Server 2008 and Windows Server 2008 R2 and
you don’t have to install SPA anymore.
This performance feature is located in the Server Manager snap-in under the Diagnostics node. When the
Active Directory Domain Services role is installed, the Active Directory Diagnostics data collector set is
automatically created under Data Collector Sets\System.
When you check the properties of the collector you will notice that the data is stored under
%systemdrive%\perflogs, now in the \ADDS subfolder, and each run creates a new subfolder called
YYYYMMDD-#### where YYYY = year, MM = month, DD = day and #### starts at 0001. The Active Directory
Diagnostics data collector set runs for a default of 5 minutes. This duration cannot be modified for the
built-in collector; however, the collection can be stopped manually by clicking the Stop button or from the
command line.
To start the data collector set, you just have to right click on Active Directory Diagnostics data collector
set and select Start. Data will be stored at %systemdrive%\perflogs location.
Once you’ve gathered your data, you will have these interesting and useful reports under Report section,
to aid in your troubleshooting and server performance trending.
Further information:
http://technet.microsoft.com/en-us/library/dd736504%28v=ws.10%29.aspx
Monitoring Your Branch Office Environment
http://blogs.technet.com/b/askds/archive/2010/06/08/son-of-spa-ad-data-collector-sets-in-win2008-andbeyond.aspx
Son of SPA: AD Data Collector Sets in Win2008 and beyond
QUESTION 18
Your company has an Active Directory forest that contains only Windows Server 2008 domain
controllers.
You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain
controllers.
Which two tasks should you perform?
(Each correct answer presents part of the solution. Choose two.)
A. Run the adprep /domainprep command.
B. Raise the forest functional level to Windows Server 2008.
C. Raise the domain functional level to Windows Server 2008.
D. Run the adprep /forestprep command.
Correct Answer: AD
Explanation
Explanation/Reference:
http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm
Prepare your Domain for the Windows Server 2008 R2 Domain Controller
Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000,
Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You
do so by running a tool called ADPREP.
ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest
and domain for a domain controller that runs the Windows Server 2008 R2 operating system.
Note: You may remember that ADPREP was used on previous operating systems such as Windows
Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows
Server 2008 R2.
What does ADPREP do? ADPREP has parameters that perform a variety of operations that help prepare
an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not
all versions of ADPREP perform the same operations, but generally the different types of operations that
ADPREP can perform include the following:
Updating the Active Directory schema
Updating security descriptors
Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared
folder
Creating new objects, as needed
Creating new containers, as needed
To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain
controller please perform these tasks:
Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2
domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and
configuring as a regular member server, none of the following tasks are required.
Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2.
For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it
participate as a domain controller in a mixed-mode domain. If any domain controllers in the forest are running
Windows 2000 Server, they must be running Service Pack 4 (SP4).
First, you should review and understand the schema updates and other changes that ADPREP makes as
part of the schema management process in Active Directory Domain Services (AD DS). You should test
the ADPREP schema updates in a lab environment to ensure that they will not conflict with any
applications that run in your environment.
You must make a system state backup for your domain controllers, including the schema master and at
least one other domain controller from each domain in the forest (you do have backups, don’t you?).
Also, make sure that you can log on to the schema master with an account that has sufficient credentials
to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins
group, and the Domain Admins group of the domain that hosts the schema master, which is, by default,
the forest root domain.
Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have
the media handy, you may use the evaluation version that is available to download from Microsoft’s
website.
If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you
can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit,
Burn, Extract ISO file, ISO/BIN converter/extractor/editor).
Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called
adprep.exe or adprep32.exe.
Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to
get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a
64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run
the 32-bit version (adprep32.exe).
To perform this procedure, you must use an account that has membership in all of the following groups:
Enterprise Admins
Schema Admins
Domain Admins for the domain that contains the schema master
Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu.
Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally,
if you want, you can always manually type the path of the file in the Command Prompt window if that
makes you feel better…
Note: You must run adprep.exe from an elevated command prompt. To open an elevated command
prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt
window will not work, as that feature was intentionally disabled in windows Server 2008 and Windows
Vista.
In the Command Prompt window, type the following command:
adprep /forestprep
ADPREP will take several minutes to complete. During that time, several LDF files will be imported into
the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to
be the largest one.
Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a
non-DC, you will get this error:
Adprep cannot run on this platform because it is not an Active Directory Domain
Controller.
[Status/Consequence]
Adprep stopped without making any changes.
[User Action]
Run Adprep on a Active Directory Domain Controller.
Allow the operation to complete, and then allow the changes to replicate throughout the forest
before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
In the Command Prompt window, type the following command:
adprep /domainprep
Process will take less than a second.
ADPREP must only be run in a Windows 2000 Native Mode domain or higher. If you attempt to run it in Mixed Mode
you will get this error:
Adprep detected that the domain is not in native mode
[Status/Consequence]
Adprep has stopped without making changes.
[User Action]
Configure the domain to run in native mode and re-run domainprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest
before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2008 Active Directory domain, that's it; no additional tasks are needed.
If you're running a Windows 2000 Active Directory domain, you must also run the following command:
adprep /domainprep /gpprep
Allow the operation to complete, and then allow the changes to replicate throughout the forest before you
prepare any domains for a domain controller that runs Windows Server 2008 R2.
If you're running a Windows 2003 Active Directory domain, that's it; no additional tasks are needed.
However, if you're planning to run Read-Only Domain Controllers (RODCs), you must also
type the following command:
adprep /rodcprep
If you already ran this command for Windows Server 2008, you do not need to run it again for Windows
Server 2008 R2.
The process will complete in less than a second.
Allow the operation to complete, and then allow the changes to replicate throughout the forest
before you prepare any domains for a domain controller that runs Windows Server 2008 R2.
To verify that adprep /forestprep completed successfully please perform these steps:
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on
domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003
you must install the Resource Kit Tools.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts,
and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain where
forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.
9. Click ADSI Edit, click Action, and then click Connect to.
10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and
then click OK.
11. Double-click Schema.
12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.
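The prerequisite checks and the ADSIEdit verification above can be scripted. The following is an added example written for this page; it is not from the exam dump, from Microsoft's ADPREP documentation, or from the blog post the explanation quotes. It runs on a Windows Server 2008/2008 R2 domain controller with the built-in PowerShell, uses only the ADSI provider and WMI, and reads the same objects the ADSIEdit steps navigate to (CN=ActiveDirectoryUpdate under CN=ForestUpdates, and CN=Schema). The expected values in `$Expected` are the published Windows Server 2008 R2 revisions (schema objectVersion 47, matching the sch47.ldf import mentioned above); treat them as assumptions if you are preparing for a different release. The domain-level object `CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System` and the RODC object `CN=ActiveDirectoryRodcUpdate` are added here to cover /domainprep and /rodcprep as well.

```powershell
# Added example, not part of the original page. Assumes a Windows Server 2008 R2 target.
$Expected = @{
    SchemaVersion  = 47   # objectVersion on CN=Schema after adprep /forestprep (the sch47.ldf import)
    ForestRevision = 5    # revision on CN=ActiveDirectoryUpdate,CN=ForestUpdates
    DomainRevision = 5    # revision on CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System
    RodcRevision   = 2    # revision on CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates (adprep /rodcprep)
}

function Test-AdprepPrerequisites {
    # Checks the preconditions the text lists before adprep is run on this host.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # Token groups translated to DOMAIN\Group; SIDs that cannot be resolved are skipped.
    $groups = foreach ($sid in $identity.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
    }
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $domainRole = (Get-WmiObject Win32_ComputerSystem).DomainRole
    $domainMode = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainMode

    $checks = @(
        @("Running on a domain controller",        ($domainRole -ge 4)),
        @("Elevated (Run as administrator)",       $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)),
        @("Member of Enterprise Admins",           [bool]($groups -like "*\Enterprise Admins")),
        @("Member of Schema Admins",               [bool]($groups -like "*\Schema Admins")),
        @("Member of Domain Admins",               [bool]($groups -like "*\Domain Admins")),
        @("Domain not in Windows 2000 mixed mode", ($domainMode -ne "Windows2000MixedDomain"))
    )
    foreach ($check in $checks) {
        New-Object PSObject -Property @{ Check = $check[0]; Passed = $check[1] }
    }
}

function Get-AdprepState {
    # Reads the objects the ADSIEdit steps open and compares their values with $Expected.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.Get("configurationNamingContext")
    $schemaNC = $rootDse.Get("schemaNamingContext")
    $domainNC = $rootDse.Get("defaultNamingContext")

    # One integer attribute of one object; $null when the object or attribute does not exist yet
    # (CN=ActiveDirectoryRodcUpdate is only created by adprep /rodcprep).
    $read = {
        param([string]$dn, [string]$attr)
        try { [int]([ADSI]"LDAP://$dn").Get($attr) } catch { }
    }
    $current = @{
        SchemaVersion  = & $read $schemaNC "objectVersion"
        ForestRevision = & $read "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC" "revision"
        DomainRevision = & $read "CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System,$domainNC" "revision"
        RodcRevision   = & $read "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC" "revision"
    }
    foreach ($key in "SchemaVersion", "ForestRevision", "DomainRevision", "RodcRevision") {
        New-Object PSObject -Property @{
            Attribute = $key
            Current   = $current[$key]
            Expected  = $Expected[$key]
            Ready     = ($current[$key] -ne $null -and $current[$key] -ge $Expected[$key])
        }
    }
}

Test-AdprepPrerequisites | Format-Table Check, Passed -AutoSize
Get-AdprepState         | Format-Table Attribute, Current, Expected, Ready -AutoSize
```

`Get-AdprepState` reads from the DC the script is bound to, so run it only after the replication wait the text calls for; a lower value on one DC after forestprep completed on the schema master means replication has not caught up, not that adprep failed. The DomainRevision row covers only the domain the host belongs to; /domainprep has to be verified in every domain of the forest separately.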
QUESTION 19
You need to identify all failed logon attempts on the domain controllers.
What should you do?
A. View the Netlogon.log file.
B. View the Security tab on the domain controller computer object.
C. Run Event Viewer.
D. Run the Security and Configuration Wizard.
Correct Answer: C
Explanation
Explanation/Reference:
http://support.microsoft.com/kb/174074
Security Event Descriptions
This article contains descriptions of various security-related and auditing-related events, and tips for
interpreting them.
These events will all appear in the Security event log and will be logged with a source of “Security.”
Event ID: 529
Type: Failure Audit
Description: Logon Failure:
Reason: Unknown user name or bad password
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 530
Type: Failure Audit
Description: Logon Failure:
Reason: Account logon time restriction violation
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 531
Type: Failure Audit
Description: Logon Failure:
Reason: Account currently disabled
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 532
Type: Failure Audit
Description: Logon Failure:
Reason: The specified user account has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 533
Type: Failure Audit
Description: Logon Failure:
Reason: User not allowed to logon at this computer
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 534
Type: Failure Audit
Description: Logon Failure:
Reason: The user has not been granted the requested logon
type at this machine
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 535
Type: Failure Audit
Description: Logon Failure:
Reason: The specified account’s password has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 536
Type: Failure Audit
Description: Logon Failure:
Reason: The NetLogon component is not active
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
Event ID: 537
Type: Failure Audit
Description: Logon Failure:
Reason: An unexpected error occurred during logon
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6
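Event Viewer is the answer the exam wants, but across several domain controllers a script that pulls the same failure audits from each DC and groups them is what a defender actually runs. The following is an added example written for this page, not code from the exam dump or from the KB article quoted above. It assumes Windows Server 2008/2008 R2 domain controllers and the built-in PowerShell. The KB lists the pre-Vista event IDs 529-537 (the insertion-string layout above: %1 user name, %6 workstation); domain controllers from Windows Server 2008 onward record the same failures as a single event 4625, with the account name at property index 5 and the workstation at index 13, so both sets are queried. The `$Threshold` and `$Hours` parameters are this example's own choices.

```powershell
# Added example, not part of the original page.
$FailedLogonIds = @{
    Legacy = @{ Ids = 529..537; User = 0; Workstation = 5 }   # Windows 2000/2003 layout from the KB
    Modern = @{ Ids = @(4625);  User = 5; Workstation = 13 }  # Windows Server 2008 and later
}

function Get-FailedLogons {
    param(
        [string[]]$DomainController,   # defaults to every DC in the current domain
        [int]$Hours = 24
    )
    if (-not $DomainController) {
        $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
            ForEach-Object { $_.Name }
    }
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $DomainController) {
        foreach ($family in $FailedLogonIds.Values) {
            $filter = @{ LogName = "Security"; Id = $family.Ids; StartTime = $since }
            # Get-WinEvent reports a non-terminating error when nothing matches; that is not a failure here.
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        DomainController = $dc
                        Time             = $_.TimeCreated
                        EventId          = $_.Id          # map to a reason with the table above
                        User             = $_.Properties[$family.User].Value
                        Workstation      = $_.Properties[$family.Workstation].Value
                    }
                }
        }
    }
}

function Get-FailedLogonSummary {
    # Accounts/workstations with repeated failures in the window, across all DCs.
    param([int]$Hours = 24, [int]$Threshold = 10)
    Get-FailedLogons -Hours $Hours |
        Group-Object User, Workstation |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = "User";        e = { $_.Group[0].User } },
            @{ n = "Workstation"; e = { $_.Group[0].Workstation } },
            @{ n = "DomainControllers"; e = { ($_.Group | ForEach-Object { $_.DomainController } | Sort-Object -Unique) -join "," } }
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Two checks before trusting an empty result: failure audits only exist if the audit policy on the DCs records logon failures, and `Get-WinEvent -ComputerName` needs the Windows Event Log service of Windows Server 2008 or later on the remote side, so any remaining Windows Server 2003 DCs have to be queried with `Get-EventLog` instead.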
QUESTION 20
Your company has a DNS server that has 10 Active Directory integrated zones.
You need to provide copies of the zone files of the DNS server to the security department.
What should you do?
A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.
Correct Answer: C
Explanation
Explanation/Reference:
http://servergeeks.wordpress.com/2012/12/31/dns-zone-export/
DNS Zone Export
In Non-AD Integrated DNS Zones
DNS zone file information is stored by default in the %systemroot%\system32\dns folder.
When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary
and secondary zones that are not AD integrated. The files will be named as <ZoneFQDN>.dns.
In AD Integrated DNS Zones
AD-integrated zones are stored in the directory, so they do not have corresponding zone files, i.e. they are not
stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory.
It is therefore important to take a backup of these AD-integrated zones before making any changes
to the DNS infrastructure. Dnscmd.exe can be used to export a zone to a file. The syntax of the command
is:
DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>
<ZoneName> — FQDN of zone to export
/Cache to export cache
As an example, let’s say we have an AD integrated zone named habib.local, our DC is server1. The
command to export the file would be:
Dnscmd server1 /ZoneExport habib.local habib.local.bak
You can refer to a complete article on DNSCMD in Microsoft TechNet website
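The question has ten AD-integrated zones, so the single-zone command above is usually wrapped in a loop. The following is an added example written for this page, not code from the exam dump or from the blog post it quotes. It enumerates the zones through the DNS server's WMI provider (the `MicrosoftDNS_Zone` class in `root\MicrosoftDNS`, present on a Windows Server 2008 R2 DNS server), keeps only AD-integrated primary zones, and calls `dnscmd /ZoneExport` for each one. dnscmd writes the export file relative to %systemroot%\system32\dns on the DNS server, which is where the copies for the security department are collected. The `$Server` default and the timestamped file name are this example's own choices.

```powershell
# Added example, not part of the original page.
function Export-AdIntegratedZones {
    param(
        [string]$Server = $env:COMPUTERNAME,
        [string]$Suffix = (Get-Date -Format "yyyyMMdd-HHmm")
    )
    # ZoneType 1 = primary; DsIntegrated is true for zones stored in the directory.
    $zones = Get-WmiObject -ComputerName $Server -Namespace "root\MicrosoftDNS" -Class MicrosoftDNS_Zone |
        Where-Object { $_.DsIntegrated -and $_.ZoneType -eq 1 }

    foreach ($zone in $zones) {
        $file   = "{0}.{1}.dns.bak" -f $zone.Name, $Suffix
        # Same command as the single-zone example above, once per zone; output captured for the report.
        $output = & dnscmd $Server /ZoneExport $zone.Name $file 2>&1
        New-Object PSObject -Property @{
            Zone    = $zone.Name
            Success = ($LASTEXITCODE -eq 0)
            # ADMIN$ maps to %systemroot%, so this is where the file lands on the server.
            File    = "\\$Server\admin$\system32\dns\$file"
            Detail  = ($output | Select-Object -Last 1)
        }
    }
}

Export-AdIntegratedZones -Server server1 | Format-Table Zone, Success, File, Detail -AutoSize
```

The export is read-only against the zone, so it can run on a live DC without affecting name resolution. The resulting text files list every host name and address the zone knows, which is exactly why the security department wants them; restrict access to the collection folder accordingly, since the same data is useful to anyone mapping the network.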