windows server 2008 exam 70-640 answers : Jul 2021 Edition

Downloadable 70-640 practice questions and braindumps for the Microsoft TS: Windows Server 2008 Active Directory, Configuring exam, with updated PDF and VCE materials.

2021 Jul testking 70-640 pdf:

Q131. Your network contains a single Active Directory domain that has two sites named Site1 and Site2. Site1 has two domain controllers named DC1 and DC2. Site2 has two domain controllers named DC3 and DC4. 

DC3 fails. 

You discover that replication no longer occurs between the sites. 

You verify the connectivity between DC4 and the domain controllers in Site1. 

On DC4, you run repadmin.exe /kcc. 

Replication between the sites continues to fail. 

You need to ensure that Active Directory data replicates between the sites. 

What should you do? 

A. From Active Directory Sites and Services, modify the properties of DC3. 

B. From Active Directory Sites and Services, modify the NTDS Site Settings of Site2. 

C. From Active Directory Users and Computers, modify the location settings of DC4. 

D. From Active Directory Users and Computers, modify the delegation settings of DC4. 

Answer: A 


MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) pages 193, 194 

Bridgehead Servers 

A bridgehead server is the domain controller designated by each site's KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site's other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. 

In most cases, the KCC automatically decides which domain controller acts as the bridgehead server, and if that server fails the KCC selects another one. Once an administrator designates a preferred bridgehead server, the KCC chooses only among the preferred servers; if every preferred bridgehead in a site is unavailable, intersite replication for that site stops and the KCC logs an error instead of falling back to an automatic choice. The answer implies that DC3 was designated the preferred bridgehead server for Site2, which is why running repadmin /kcc on DC4 does not help. The fix is to open the properties of DC3 in Active Directory Sites and Services and remove it from the preferred bridgehead list (or make DC4 a preferred bridgehead as well). 

However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps: 

1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server. 

2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties. 

3. From the list labeled Transports available for intersite data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add. 
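The same check and fix from the command line, as an added example that is not part of the cert guide or the exam material. It reads the server objects in the configuration partition (a preferred bridgehead carries the transport DN in its bridgeheadTransportList attribute), clears the designation on the failed DC, and then re-runs the KCC. The site and server names follow the question; the script assumes the ActiveDirectory module and repadmin are available on the DC it runs on.

```powershell
# Added example: list preferred bridgeheads in a site and clear the designation
# on a dead DC so the KCC can fall back to automatic selection.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$site     = 'Site2'
$deadDc   = 'DC3'

# Server objects live under CN=Servers,CN=<site>,CN=Sites in the configuration
# partition. A preferred bridgehead has the transport DN (IP or SMTP) stored in
# bridgeheadTransportList; a KCC-selected one has the attribute empty.
$servers = Get-ADObject -SearchBase "CN=Servers,CN=$site,CN=Sites,$configNC" `
    -LDAPFilter '(objectClass=server)' -Properties bridgeheadTransportList

foreach ($s in $servers) {
    $role = if ($s.bridgeheadTransportList) { 'PREFERRED bridgehead' } else { 'KCC-selected' }
    '{0,-10} {1}' -f $s.Name, $role
}

# Clear the preference on the failed DC only. With no preferred bridgehead left
# in the site, the KCC chooses among the remaining DCs automatically.
$dead = $servers | Where-Object { $_.Name -eq $deadDc }
if ($dead -and $dead.bridgeheadTransportList) {
    Set-ADObject -Identity $dead.DistinguishedName -Clear bridgeheadTransportList

    # Rebuild the topology on a live DC in the site, then show who is bridgehead now.
    repadmin /kcc DC4
    repadmin /bridgeheads DC4 /verbose
    repadmin /replsummary
}
```

Clearing the attribute is preferable to deleting the DC3 server object while the box might still come back; if DC3 is gone for good, metadata cleanup (ntdsutil or deleting the computer object on Windows Server 2008) is the follow-up step.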

Q132. Your company has an Active Directory domain named The company network has two DNS servers named DNS1 and DNS2. 

The DNS servers are configured as shown in the following table. 

Domain users, who are configured to use DNS2 as the preferred DNS server, are unable to connect to Internet Web sites. 

You need to enable Internet name resolution for all client computers. 

What should you do? 

A. Update the list of root hints servers on DNS2. 

B. Create a copy of the .(root) zone on DNS1. 

C. Delete the .(root) zone from DNS2. Configure conditional forwarding on DNS2. 

D. Update the Cache.dns file on DNS2. Configure conditional forwarding on DNS1. 

Answer: C 

Explanation: How to remove the root zone (dot zone). When you install DNS on a Windows server that does not have a connection to the Internet, the zone for the domain is created and a root zone, also known as a dot zone, is also created. A server that hosts the root zone considers itself authoritative for the entire DNS namespace: it answers queries for names outside the zones it hosts with a name error instead of recursing, and the console does not let you configure forwarders or root hint servers while the zone exists. That is why clients that use DNS2 cannot resolve Internet names, and why the root zone must be removed before forwarding can be configured. (The original Microsoft article describes Windows 2000; the behaviour is the same on Windows Server 2008.) 
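The removal and forwarder setup as a script, added here as an example rather than taken from the exam material. It uses the DnsServer module cmdlets (Windows Server 2012 and later) and shows the dnscmd equivalents for Windows Server 2008 in comments. The server name follows the question; the forwarder and partner addresses are documentation-range placeholders and are assumptions.

```powershell
# Added example: detect and remove the "." (root) zone on DNS2, then configure
# forwarding so Internet names resolve again.
$server    = 'DNS2'
$forwarder = '192.0.2.53'        # assumed upstream resolver (documentation address)

# A root zone shows up as a zone literally named "."
$root = Get-DnsServerZone -ComputerName $server -Name '.' -ErrorAction SilentlyContinue
if ($root) {
    Write-Warning "$server hosts a root zone and will not recurse or forward for any name it does not host."
    Remove-DnsServerZone -ComputerName $server -Name '.' -Force
    # Windows Server 2008 equivalent:  dnscmd DNS2 /ZoneDelete . /f
}

# Forwarders and root hints are only honoured once the root zone is gone.
Set-DnsServerForwarder -ComputerName $server -IPAddress $forwarder
# Windows Server 2008 equivalent:  dnscmd DNS2 /ResetForwarders 192.0.2.53

# Conditional forwarder for a partner namespace, as in answer C (name assumed).
Add-DnsServerConditionalForwarderZone -ComputerName $server -Name 'partner.example' `
    -MasterServers '198.51.100.10'
# Windows Server 2008 equivalent:  dnscmd DNS2 /ZoneAdd partner.example /Forwarder 198.51.100.10

# Verify from a client that is configured to use DNS2 (DnsClient module).
Resolve-DnsName -Name 'www.microsoft.com' -Server $server -Type A
```

Before deleting, make sure the "." zone really is an accidental dot zone and not an intentional internal root for an air-gapped network; in the latter case the design, not the zone, is what stops Internet resolution.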

Q133. You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents. 

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys. 

What should you do? 

A. Add a data recovery agent to the Default Domain Policy. 

B. Modify the value in the Number of recovery agents to use box. 

C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates. 

D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates. 

Answer: B 


MS Press - Self-Paced Training Kit (Exams 70-648 & 70-649) (Microsoft Press, 2009) page 357 

You enable key archival on the Recovery Agents tab of the CA Properties in the CA console by selecting the Archive The Key option and specifying a key recovery agent. In the Number of recovery agents to use box, select the number of key recovery agent (KRA) certificates you have added to the CA. This ensures that each KRA can be used to recover a private key. If you specify a smaller number than the number of KRA certificates installed, the CA randomly selects that number of KRA certificates from the available total and encrypts the private key using those certificates. This complicates recovery because you then have to figure out which recovery agent certificate was used to encrypt the private key before beginning recovery. The trade-off is that every KRA listed can then decrypt every newly archived key, so the KRA private keys need the same protection as the CA key itself. 

Q134. Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). 

You have a Web site that uses x.509 certificates for authentication. The Web site is configured to use a manyto-one mapping. 

You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. 

What should you do? 

A. Run certutil.exe -crl. 

B. Run certutil.exe -delkey. 

C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group. 

D. From Active Directory Users and Computers, modify the Contact object for the external partner. 

Answer: A 

Explanation: Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. 

The -crl verb publishes new certificate revocation lists (CRLs), or only delta CRLs. Revoking the certificate on the CA changes only the CA database; the Web site keeps honouring the partner's certificate until it obtains a CRL (or OCSP response) that lists it, and until any CRL it has already cached expires. Publishing a new CRL is therefore the step that makes the revocation take effect. 

Why -delkey is wrong: certutil.exe -delkey <KeyContainerName> deletes a private key container on the local machine once you have determined the key container name for a specific certificate. It is described in "Requesting Offline Domain Controller Certificates" in the Advanced Certificate Enrollment and Management white paper, which notes that the -delkey option is supported only by the Windows Server 2003 version of certutil; on Windows 2000 you must prefix the command with the path you copied the Windows Server 2003 certutil to (the white paper uses %HOMEDRIVE%\W2K3AdmPak). Deleting a local key container has no effect on what the Web site accepts from the partner. 
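The revoke-then-publish sequence with a verification step, added as an example and not part of the original explanation. The serial number, CA config string and certificate path are assumptions for illustration; the certutil verbs and registry value names are the documented ones.

```powershell
# Added example: revoke a partner certificate, publish base and delta CRLs, and
# confirm the revocation is visible through the CRL distribution point.
$serial   = '6100000003a1b2c3d4e5f60000000003'     # assumed serial of the partner cert
$caConfig = 'CA01.contoso.com\Contoso-Root-CA'      # assumed CA config string

# Revoke with reason code 1 (Key Compromise). This only updates the CA database.
certutil -config $caConfig -revoke $serial 1

# Answer A: publish new CRLs so relying parties can learn about the revocation.
certutil -config $caConfig -crl

# The CRL schedule bounds how long a client may keep using a cached CRL that
# predates the revocation. Long CRLPeriod values mean a long exposure window.
certutil -config $caConfig -getreg CA\CRLPeriodUnits
certutil -config $caConfig -getreg CA\CRLPeriod
certutil -config $caConfig -getreg CA\CRLDeltaPeriodUnits
certutil -config $caConfig -getreg CA\CRLDeltaPeriod

# Verify from the Web server. Clearing the local CRL cache first avoids being
# fooled by a stale copy; -urlfetch then pulls CRL/OCSP data from the CDP/AIA
# URLs embedded in the certificate, exactly as IIS will.
certutil -urlcache crl delete
certutil -verify -urlfetch C:\temp\partner.cer
```

If the verify step still reports the certificate as valid, check that the published CRL actually reached the HTTP or LDAP CDP the certificate points at; publishing to the CA's local share is not enough when the CDP is a separate web server.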

Q135. Your company has an organizational unit named Production. The Production organizational unit has a child organizational unit named R&D. You create a GPO named Software Deployment and link it to the Production organizational unit. 

You create a shadow group for the R&D organizational unit. You need to deploy an application to users in the Production organizational unit. 

You also need to ensure that the application is not deployed to users in the R&D organizational unit. 

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.) 

A. Configure the Block Inheritance setting on the R&D organizational unit. 

B. Configure the Enforce setting on the software deployment GPO. 

C. Configure security filtering on the Software Deployment GPO to Deny Apply group policy for the R&D security group. 

D. Configure the Block Inheritance setting on the Production organizational unit. 

Answer: A,C 


Managing inheritance of Group Policy 

Blocking Group Policy inheritance. You can block policy inheritance for a domain or organizational unit. Using Block Inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default) and then block inheritance only on the organizational unit to which the policies should not be applied. 

Enforcing a GPO link. You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced. In tools prior to GPMC, "Enforced" was known as "No Override". 

This is why answers B and D fail: enforcing the Software Deployment GPO would push it into R&D even through a block, and blocking inheritance on Production does nothing to a GPO that is linked directly to Production. 

In addition to using GPO links to apply policies, you can also control how GPOs are applied by using security filters or WMI filters. 

Security filtering using GPMC. Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO. 

GPOs cannot be linked directly to users, computers, or security groups. They can only be linked to sites, domains, and organizational units. However, by using security filtering, you can narrow the scope of a GPO so that it applies only to a single group, user, or computer. The location of a security group in Active Directory is irrelevant to security group filtering and, more generally, irrelevant to Group Policy processing. 

Further information: Block Inheritance; Active Directory; Shadow groups 

Shadow groups 

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not automatically assigned access privileges based on their containing OU. This is a design limitation specific to Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through object placement within an OU. Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because the object may not have been assigned to the group object for that OU. A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run periodically to update the group to match the OU's account membership, but are unable to instantly update the security groups whenever the directory changes, as occurs in competing directories where security is directly implemented into the directory itself. Such groups are known as shadow groups. Once created, these shadow groups are selectable in place of the OU in the administrative tools. Microsoft refers to shadow groups in the Server 2008 reference documentation, but does not explain how to create them. There are no built-in server methods or console snap-ins for managing shadow groups.[5] 

The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level OUs is a key decision. Common models are by business unit, by geographical location, by IT service, or by object type, and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and secondarily to facilitate Group Policy application. Although OUs form an administrative boundary, the only true security boundary is the forest itself, and an administrator of any domain in the forest must be trusted across all domains in the forest.[6] 
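Both accepted solutions, plus the shadow-group maintenance the text above says Active Directory leaves to a script, as one added example (not from the exam material or Microsoft's documentation). It uses the GroupPolicy and ActiveDirectory modules shipped with Windows Server 2008 R2 and dsacls for the Deny ACE, since Set-GPPermission cannot write a Deny. The GPO name and OU path follow the question; the shadow group name is an assumption.

```powershell
# Added example: block inheritance on R&D (answer A), deny Apply Group Policy to
# the R&D shadow group on the GPO (answer C), and keep that shadow group in step
# with the OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rdOU     = "OU=R&D,OU=Production,$($domain.DistinguishedName)"
$gpoName  = 'Software Deployment'
$rdGroup  = 'R&D Users'                      # assumed shadow group for the R&D OU
$trustee  = "$($domain.NetBIOSName)\$rdGroup"

# --- Shadow group sync: make the group mirror the users directly in the OU ---
$inOU    = Get-ADUser -Filter * -SearchBase $rdOU -SearchScope OneLevel |
           ForEach-Object { $_.DistinguishedName }
$inGroup = Get-ADGroupMember -Identity $rdGroup |
           ForEach-Object { $_.DistinguishedName }
$add     = $inOU    | Where-Object { $inGroup -notcontains $_ }
$remove  = $inGroup | Where-Object { $inOU    -notcontains $_ }
if ($add)    { Add-ADGroupMember    -Identity $rdGroup -Members $add }
if ($remove) { Remove-ADGroupMember -Identity $rdGroup -Members $remove -Confirm:$false }
# Group changes reach a user's token only at next logon, so filtering lags the sync.

# --- Answer A: Block Inheritance on the child OU -----------------------------
# Note this blocks every non-enforced GPO linked above R&D, not just this one.
Set-GPInheritance -Target $rdOU -IsBlocked Yes

# --- Answer C: Deny "Apply Group Policy" to the shadow group on the GPO -------
# The GPO's AD container is CN={GUID},CN=Policies,CN=System,<domain>; an explicit
# Deny on the Apply Group Policy extended right (CA = control access) beats the
# Allow that Authenticated Users has by default.
$gpo   = Get-GPO -Name $gpoName
$gpoDN = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
dsacls $gpoDN /D "${trustee}:CA;Apply Group Policy"

# --- Verify ------------------------------------------------------------------
Get-GPInheritance -Target $rdOU | Select-Object Path, GpoInheritanceBlocked
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq $rdGroup } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied
```

Pick one of the two in production rather than both: Block Inheritance is visible in GPMC and easy to audit, while a Deny ACE is easy to forget and is the more common cause of "why doesn't this GPO apply" tickets.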


More Windows Server 2008 Active Directory, Configuring (70-640) questions:

Q136. Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC). 

You need to configure the RODC to store only the passwords of users in the remote site. 

What should you do? 

A. Create a Password Settings object (PSO). 

B. Modify the Partial-Attribute-Set attribute of the forest. 

C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group. 

D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group. 

Answer: C 

Explanation: Password Replication Policy Allowed and Denied lists. Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations: the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group. These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier. A Denied entry always wins over an Allowed entry, so the privileged groups that populate the Denied list by default (Domain Admins, Enterprise Admins, Schema Admins, Cert Publishers and others) are never cached even if they also match the Allowed list. Note that the Allowed RODC Password Replication Group applies to every RODC in the domain; if the remote site's users should be cached only on this one RODC, add them to that RODC's own Allowed list instead. 
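The same configuration with the per-RODC cmdlets from the Windows Server 2008 R2 ActiveDirectory module, added here as an example that is not part of the original explanation. The RODC name, the OU holding the remote site's users and the group name are assumptions.

```powershell
# Added example: allow password caching on one RODC for the remote site's users
# only, and check what the RODC has actually cached.
Import-Module ActiveDirectory

$rodc   = 'RODC1'                          # assumed RODC in the remote site
$group  = 'RemoteSite Users'               # assumed group for the remote site's users
$siteOU = "OU=RemoteSite,$((Get-ADDomain).DistinguishedName)"   # assumed OU

# Users carry no "site" attribute, so an OU (or an attribute such as office)
# is what ties an account to the site. Populate the group from the OU.
$remoteUsers = Get-ADUser -Filter * -SearchBase $siteOU
Add-ADGroupMember -Identity $group -Members $remoteUsers

# Answer C scoped to this RODC rather than the domain-wide Allowed group.
Set-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $group

# Deny wins over allow: confirm the privileged groups are still on the Denied
# list before trusting the RODC with any secrets.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name

# Accounts whose passwords are already on the RODC, and accounts that have
# authenticated through it (candidates for the allowed list).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object SamAccountName

# Pre-populate the cache from a writable DC so logons work when the WAN is down
# (DN of the user is an assumption):
# repadmin /rodcpwdrepl RODC1 DC1 "CN=User1,OU=RemoteSite,DC=contoso,DC=com"
```

If the RODC is ever stolen, the RevealedAccounts list is the set of passwords to reset; deleting the RODC's computer object in Active Directory Users and Computers offers to do that reset for you.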

Q137. has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the Internet, it uses a physical network interface card. requires every server in the company to access the Internet. The security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states that the IP address space used by other networks must not be used by the evaluation lab network. 

As an administrator, you find that the applications tested in the software evaluation lab need to reach the normal network to connect to the vendors' update servers on the Internet. 

You need to configure all virtual servers on the CKT server to access the Internet while complying with the company's security policy. 

Which two actions should you perform? (Choose two. Each answer is part of the complete solution.) 

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig /renew on each virtual server 

B. On CKT's physical network interface, enable Internet Connection Sharing (ICS) 

C. Use intranet IP addresses on all virtual servers on CKT. 

D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network. 

E. None of the above 

Answer: A,D 

Explanation: To give all virtual servers on CKT Internet access while complying with the company's security policy, trigger the Virtual DHCP server for the external virtual network and run ipconfig /renew on each virtual server, then add and install a Microsoft Loopback Adapter network interface on CKT and create a new virtual network on that interface. Configuring the Virtual DHCP server for the external virtual network assigns a set of IP addresses to the virtual servers on CKT; running ipconfig /renew makes each virtual server pick up its new lease. The Microsoft Loopback Adapter gives the lab its own address space, so the IP addresses used by other networks are not used by the virtual servers on CKT, and the new virtual network created on that interface is what provides the path to the Internet. 

Q138. Your network contains an Active Directory domain. The domain contains five domain controllers. A domain controller named DC1 has the DHCP role and the file server role installed. 

You need to move the Active Directory database on DC1 to an alternate location. The solution must minimize impact on the network during the database move. 

What should you do first? 

A. Restart DC1 in Safe Mode. 

B. Restart DC1 in Directory Services Restore Mode. 

C. Start DC1 from Windows PE. 

D. Stop the Active Directory Domain Services service on DC1. 

Answer: D 

Explanation: Relocating the Active Directory Database Files. Applies to: Windows Server 2008, Windows Server 2008 R2. Relocating Active Directory database files usually involves moving files to a temporary location while hardware updates are being performed and then moving the files to a permanent location. On domain controllers that are running Windows 2000 Server or Windows Server 2003, moving database files requires restarting the domain controller in Directory Services Restore Mode (DSRM). Windows Server 2008 introduces restartable Active Directory Domain Services (AD DS), which you can use to perform database management tasks without restarting the domain controller in DSRM. Before you move database files, you must stop AD DS as a service. Stopping only the AD DS service leaves the DHCP and file server roles on DC1 running and the other four domain controllers keep servicing the domain, which is why D has less impact than a restart into DSRM, Safe Mode, or Windows PE. 
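The move itself, as an added example that is not from the exam material. It follows the documented ntdsutil procedure for a Windows Server 2008 DC; the target paths are assumptions. Run it in an elevated session on DC1.

```powershell
# Added example: relocate the AD DS database and log files with restartable AD DS,
# then verify the new paths before the DC advertises again.
$newDb  = 'D:\NTDS'          # assumed target for ntds.dit
$newLog = 'L:\NTDSLogs'      # assumed target for the transaction logs

# Stopping NTDS also stops its dependents (Kerberos KDC, DNS Server, Netlogon,
# DFS Replication, Intersite Messaging); DHCP and file services keep running.
Stop-Service -Name NTDS -Force

New-Item -ItemType Directory -Path $newDb, $newLog -Force | Out-Null

# ntdsutil moves the files and rewrites the registry paths in one step.
ntdsutil "activate instance ntds" files "move db to $newDb" "move logs to $newLog" quit quit

# Integrity check while the database is offline; do not start NTDS if it fails.
ntdsutil "activate instance ntds" files integrity quit quit

Start-Service -Name NTDS

# Confirm the registry points at the new locations and the DC is advertising.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' |
    Select-Object 'DSA Database file', 'Database log files path'
dcdiag /test:advertising
```

Take a system state backup before the move, and keep the new folders' NTFS permissions to SYSTEM and Administrators only; ntdsutil sets them on the move, but a pre-created folder inherited from a data volume can be wider than that.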

Q139. Your network contains two Active Directory forests named and 

The functional level of both forests is Windows Server 2008 R2. Each forest contains one 

domain. Active Directory Certificate Services (AD CS) is configured in the forest to allow users from both forests to automatically enroll user certificates. 

You need to ensure that all users in the forest have a user certificate from the certification authority (CA). 

What should you configure in the domain? 

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings. 

B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings. 

C. From the Default Domain Policy, modify the Certificate Enrollment policy. 

D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings. 

Answer: C 

Explanation: Manage Certificate Enrollment Policy by Using Group Policy. Certificate enrollment policy settings are configured under User Configuration (or Computer Configuration) > Policies > Windows Settings > Security Settings > Public Key Policies, in the Certificate Services Client - Certificate Enrollment Policy and Certificate Services Client - Auto-Enrollment settings. Linking them in the Default Domain Policy applies them to every user in the domain, which is the requirement here; the Enterprise Trust, Trusted Publishers and Trusted Root Certification Authority stores only control which certificates are trusted, not whether users enroll for one. 

Q140. Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network. 

A user named User1 is a member of only the AD RMS Enterprise Administrators group. You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1. 

To which group should you add User1? 

A. AD RMS Auditors 

B. AD RMS Service Group 

C. Domain Admins 

D. Schema Admins 

Answer: C 

Explanation: The AD RMS Service Connection Point. The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster. AD RMS-enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the AD RMS web services. The AD RMS SCP can be registered automatically during AD RMS installation, or it can be registered after installation has completed. To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority. The SCP lives in the configuration partition of the forest; in a single-domain forest, Domain Admins of that (root) domain already has write access there, so of the listed groups it is the least privileged one that works. Schema Admins, AD RMS Auditors and the AD RMS Service Group do not grant write access to the SCP. 
