70-640: Tips for success

It is faster and easier to pass the Microsoft 70-640 exam by using Approved Microsoft TS: Windows Server 2008 Active Directory, Configuring questions and answers. Get immediate access to the Improve 70-640 Exam and find the same core area 70-640 questions with professionally verified answers, then PASS your exam with a high score now.

2021 Oct testking 70-640 pdf download:

Q31. You configure and deploy a Group Policy object (GPO) that contains AppLocker settings. You need to identify whether a specific application file is allowed to run on a computer. Which Windows PowerShell cmdlet should you use? 

A. Get-AppLockerFileInformation 

B. Get-GPOReport 

C. Get-GPPermissions 

D. Test-AppLockerPolicy 

Answer: D 

Explanation: Test-AppLockerPolicy tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.
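Added example, not from the original page: the cmdlet from answer D evaluated against the policy that is actually in effect on the computer, first for one file and then as an audit of a whole directory. The file path, directory and user account are placeholders.

```powershell
# Added example, not from the original page: evaluate files against the AppLocker policy
# that is actually in effect on this computer. Assumed values: the file path, the directory
# and the user account are placeholders.

# Effective policy = local policy merged with every AppLocker GPO applied to this computer.
$effective = Get-AppLockerPolicy -Effective

# Decision for one file and one user. The output lists the decision and the rule that
# matched, so an unexpected "Allowed" can be traced back to the rule that caused it.
$file = 'C:\Program Files\ExampleVendor\example.exe'   # placeholder path
$user = 'CONTOSO\jdoe'                                  # placeholder account
Test-AppLockerPolicy -PolicyObject $effective -Path $file -User $user |
    Format-List FilePath, PolicyDecision, MatchingRule

# Audit a whole directory: gather publisher/hash/path information for every file, test
# each against the effective policy and keep only those that would be blocked.
Get-AppLockerFileInformation -Directory 'C:\Program Files\ExampleVendor' -Recurse |
    Test-AppLockerPolicy -PolicyObject $effective -User $user -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule

# The decision is independent of the enforcement mode: in AuditOnly mode a "Denied" file
# still runs and is only logged. Show the mode of each rule collection as well.
$effective.RuleCollections | Select-Object RuleCollectionType, EnforcementMode
```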

Q32. Your network contains an Active Directory domain. 

You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). 

You have a client computer named Computer1 that runs Windows 7. 

You enable automatic certificate enrollment for all client computers that run Windows 7. 

You need to verify that the Windows 7 client computers can automatically enroll for certificates. 

Which command should you run on Computer1? 

A. certreq.exe retrieve 

B. certreq.exe submit 

C. certutil.exe getkey 

D. certutil.exe pulse 

Answer: D 


What does the "certutil -pulse" command do?

certutil -pulse initiates autoenrollment requests. It is equivalent to doing the following in the CertMgr.msc console (in Vista and Windows 7): right-click Certificates, point to All Tasks, and click Automatically Enroll and Retrieve.

The command does require that:

- any autoenrollment GPO settings have already been applied to the target user or computer;
- a certificate template enables Read, Enroll and Autoenroll permissions for the user or a global or universal group containing the user;
- the group membership is recognized in the user's token (they have logged on after the membership was added).

Certutil

Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains. When certutil is run on a certification authority without additional parameters, it displays the current certification authority configuration. When certutil is run on a non-certification authority, the command defaults to running the certutil -dump verb.

Verbs

The following table describes the verbs that can be used with the certutil command.

pulse: Pulse auto enrollment events

Q33. You have a Windows Server 2008 R2 Enterprise Root CA. 

Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA. 

You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role. 

What should you do next? 

A. Configure the Online Responder Role Service on a member server. 

B. Configure the Online Responder Role Service on a domain controller. 

C. Configure the Certificate Enrollment Web Service role service on a member server. 

D. Configure the Certificate Enrollment Web Service role service on a domain controller. 

Answer: C 

Explanation: Certificate Enrollment Web Service Overview

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Personal note: Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server.

Q34. Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements. 

Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. 

You need to configure your partner company's domain to use the approved set of administrative templates. 

What should you do? 

A. Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy. 

B. Copy the ADMX files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator. 

C. Copy the ADML files from your company's PDC emulator to the PolicyDefinitions folder on the partner company's PDC emulator. 

D. Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on the partner company's emulator. 

Answer: B 

Explanation: How to create the Central Store for Group Policy Administrative Template files in Windows Vista

Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settings appear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markup language. In Windows Vista, Administrative Template files are divided into .admx files and language-specific .adml files that are available to Group Policy administrators.

Administrative Template file storage

In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased.

Windows Vista uses a Central Store to store Administrative Template files. In Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm files.

The Central Store

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:


Note: FQDN is a fully qualified domain name. 
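Added example, not from the original page: the Central Store creation described above, done with PowerShell. It uses the Policies folder of the SYSVOL share as the store location; the domain FQDN, the source folder and the language folder (en-US) are placeholders.

```powershell
# Added example, not from the original page: create the Central Store and seed it with
# the ADMX/ADML files from a reference computer, then check the ADMX/ADML pairing.
# The Central Store lives in the Policies folder of SYSVOL; assumed values: the domain
# FQDN, the source folder and the language (en-US) are placeholders.
$domainFqdn = 'corp.example.com'
$source     = "$env:SystemRoot\PolicyDefinitions"       # local templates on the reference PC
$central    = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies\PolicyDefinitions"
$lang       = 'en-US'

# 1. Create the store and the language subfolder (SYSVOL replicates it to every DC).
New-Item -ItemType Directory -Path "$central\$lang" -Force | Out-Null

# 2. Copy the language-neutral ADMX files and the language-specific ADML files.
Copy-Item -Path "$source\*.admx"       -Destination $central         -Force
Copy-Item -Path "$source\$lang\*.adml" -Destination "$central\$lang" -Force

# 3. Every ADMX needs a matching ADML in the store's language folder, otherwise the
#    Group Policy editor reports an error while loading that template.
$admx    = Get-ChildItem "$central\*.admx"       | ForEach-Object { $_.BaseName }
$adml    = Get-ChildItem "$central\$lang\*.adml" | ForEach-Object { $_.BaseName }
$missing = $admx | Where-Object { $adml -notcontains $_ }
if ($missing) {
    Write-Warning "ADMX files without a $lang ADML: $($missing -join ', ')"
} else {
    "Central Store at $central holds $($admx.Count) templates with matching $lang ADML files."
}
```

Once the store exists, the Group Policy Management Editor labels the Administrative Templates node "Policy definitions (ADMX files) retrieved from the central store", which is the quickest confirmation that the tools are reading it instead of the local copy.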

How can I export local Group Policy settings made in gpedit.msc?

Mark Heitbrink, MVP for Group Policy... came up with a good solution on how you can "export" the Group Policy and Security... settings you made on a machine with the Local Group Policy Editor (gpedit.msc) to other machines fairly easily:

Normal settings can be copied like this:

1.) Open %systemroot%\system32\grouppolicy

Within this folder, there are two folders, "machine" and "user". Copy these two folders to the %systemroot%\system32\grouppolicy folder on the target machine. All it needs now is a reboot or a "gpupdate /force".

Note: If you cannot see the "grouppolicy" folder on either the source or the target machine, be sure to have your Explorer folder options set to "Show hidden files and folders".

For security settings:

1.) Open MMC and add the snap-in "Security Templates".

2.) Create your own customized template and save it as an "*.inf" file.

3.) Copy the file to the target machine and import it via the command-line tool "secedit": secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf

Further information on secedit can be found

If you're building custom installations, you can fairly easily script the "overwriting" of the "machine"/"user" folders or the import via secedit by copying these files to a share and copying and executing them with a script.

Q35. Your network contains an Active Directory domain that has two sites. 

You need to identify whether logon scripts are replicated to all domain controllers. 

Which folder should you verify? 

A. GroupPolicy 


C. SoftwareDistribution 


Answer: D 

Explanation: SYSVOL is a collection of folders that contain a copy of the domain's public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs).


Renovate microsoft official academic course 70-640 pdf:

Q36. Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3. 

All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates. 

You need to enable dynamic DNS updates on DC3. 

What should you do? 

A. Run the Dnscmd.exe /ZoneResetType command on DC3. 

B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller. 

C. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones. 

D. Run the Ntdsutil.exe > DS Behavior commands on DC3. 

Answer: B 


Answer: Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

Appendix A: RODC Technical Explanation Topics

DNS updates for clients that are located in an RODC site

When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Active Directory–integrated zone, just as a secondary DNS server handles updates for zones that are not Active Directory–integrated zones. After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is then responsible for performing the DNS record registration against the writeable server. The RODC waits a certain amount of time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation.

Note: For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will be delayed until the next scheduled replication cycle.

Further information: Plan DNS Servers for Branch Office Environments

This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office environments. As a best practice, use Active Directory–integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice.

In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe. Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory–integrated DNS zones. Note: You also have to configure the DNS client's setting for the RODC so that it points to itself as its preferred DNS server.

To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNS server must register name server (NS) resource records for that zone. By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is because the updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.

For example, suppose that you add a new member server in a branch office, Branch1, which includes an RODC. The member server hosts an application that you want client computers in Branch1 to locate by using a DNS query. When the member server attempts to register its host (A or AAAA) resource records for its IP address to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the RODC tracks in Branch1. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in Branch1 for its IP address. If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against Windows Server 2003 DNS server if one is available but the updated record in the DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can delay client computers that use the RODC DNS server for name resolution from locating the new member server. 

Q37. You have an Active Directory domain named 

You have a domain controller named Server1 that is configured as a DNS server. 

Server1 hosts a standard primary zone for The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.) 

You discover that stale resource records are not automatically removed from the zone. 

You need to ensure that the stale resource records are automatically removed from the zone. 

What should you do? 

A. Set the scavenging period of Server1 to 0 days. 

B. Modify the Server Aging/Scavenging properties. 

C. Configure the aging properties for the zone. 

D. Convert the zone to an Active Directory-integrated zone. 

Answer: C 


Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, click Aging.

4. Select the Scavenge stale resource records check box.

5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as

2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}
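Added example, not from the original page: the dnscmd procedure above applied to one zone, together with the server-level scavenging period that zone aging depends on and a read-back of the result. The server and zone names are placeholders; dnscmd takes the intervals in hours.

```powershell
# Added example, not from the original page: apply answer C with dnscmd and verify it,
# including the server-level scavenging period that the zone setting depends on.
# Assumed values: the server and zone names are placeholders; intervals are in hours.
$server = 'Server1'
$zone   = 'example.com'

# Zone level: enable aging and set both intervals (168 h = 7 days). A record cannot be
# refreshed during NoRefreshInterval and becomes eligible for scavenging only after
# NoRefreshInterval + RefreshInterval has elapsed since its timestamp.
dnscmd $server /Config $zone /Aging 1
dnscmd $server /Config $zone /NoRefreshInterval 168
dnscmd $server /Config $zone /RefreshInterval 168

# Server level: zone aging only timestamps records; the server deletes stale ones only
# when its own scavenging period is non-zero (0 disables scavenging entirely, which is
# why option A would not solve the problem).
dnscmd $server /Config /ScavengingInterval 168

# Read the settings back and keep the aging-related lines.
dnscmd $server /ZoneInfo $zone | Select-String -Pattern 'Aging|Refresh|Scaveng'
dnscmd $server /Info ScavengingInterval
```

Records that existed before aging was enabled carry no timestamp and are treated as static, so they are never scavenged; dnscmd /AgeAllRecords stamps them, but it also stamps records you intended to keep static, so review the zone before using it.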

Q38. Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers. 

The TempWorkers group is not nested in any other groups. 

You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders. 

You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers. 

You must achieve this goal without affecting access to other domain resources. 

What should you do? 

A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group. 

B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group. 

C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group. 

D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group. 

Answer: A 


Personal comment:

Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers access to the shared folders (which implies access from the network).

"Deny log on locally" makes no sense in this instance, because we are referring to shared folders, and supposedly physical access to servers should be highly restricted.

And best practices recommend that you link GPOs at the domain level only for domain-wide purposes.
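Added example, not from the original page: a check run on one of the SecureServers after the GPO from answer A has applied. It exports the effective user rights with secedit and confirms that the TempWorkers SID is present in SeDenyNetworkLogonRight ("Deny access to this computer from the network") and absent from SeDenyInteractiveLogonRight ("Deny log on locally"). The domain and group name are placeholders.

```powershell
# Added example, not from the original page: verify the user rights that the GPO from
# answer A should produce on a SecureServers member. Assumed values: the domain and
# group name are placeholders.
$group = 'CONTOSO\TempWorkers'
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export is INI-style; under [Privilege Rights] each line reads
#   SeSomeRight = *S-1-5-...,*S-1-5-...    (SIDs carry a leading '*', names do not)
$rights = @{}
Get-Content $inf | Where-Object { $_ -match '^Se\w+\s*=' } | ForEach-Object {
    $name, $value = $_ -split '\s*=\s*', 2
    $rights[$name.Trim()] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

$deniedNetwork = $rights['SeDenyNetworkLogonRight']     -contains $sid
$deniedLocal   = $rights['SeDenyInteractiveLogonRight'] -contains $sid
"Deny access to this computer from the network for $group : $deniedNetwork (expected True)"
"Deny log on locally for $group                          : $deniedLocal (expected False)"
Remove-Item $inf -Force
```

Running the same check on a server outside the SecureServers OU should report False for both rights, which confirms that the GPO did not leak beyond the intended scope.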

Q39. You have an enterprise subordinate certification authority (CA). 

You have a group named Group1. 

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates. 

What should you do? 

A. Add Group1 to the local Administrators group. 

B. Add Group1 to the Certificate Publishers group. 

C. Assign the Manage CA permission to Group1. 

D. Assign the Issue and Manage Certificates permission to Group1. 

Answer: C 


Manage CA is a security permission belonging to the CA Administrator role. The CA Administrator can enable, publish, or configure certificate revocation list (CRL) schedules. 

Revoking certificates is an activity of the Certificate Manager role. 

Q40. Your company has a main office and a branch office. 

The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server. 

You remove the global catalog from DC5. 

You need to reduce the size of the Active Directory database on DC5. 

The solution must minimize the impact on all users in the branch office. 

What should you do first? 

A. Start DC5 in Safe Mode. 

B. Start DC5 in Directory Services Restore Mode. 

C. On DC5, start the Protected Storage service. 

D. On DC5, stop the Active Directory Domain Services service. 

Answer: D 

Explanation: Windows Server 2008 R2: Manage the Active Directory Database (part 2) - Defragment the Directory Database & Audit Active Directory Service

3. Defragment the Directory Database

A directory database gets fragmented as you add, change, and delete objects in your database. Like any file system-based storage, as the directory database is changed and updated, fragments of disk space will build up, so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours with the garbage collection process, an automated directory database cleanup, and IT pros should be familiar with it. However, online defragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data around for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation, which does decrease the size of the database, could have a significant effect on the overall size of your NTDS.DIT database file.

There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It's called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.

1. Start the Services tool from the Control Panel.

2. Right-click Active Directory Domain Services, and select Stop.

Figure 4. You can use the Services tool to stop and restart Active Directory.

That's it! Now when you stop Active Directory Domain Services, any other dependent services will also be stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory services and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice!

3.1. Offline Directory Defragmentation 

Now that you have stopped Active Directory services, it is time to get down to the business of offline defragmentation of the directory database:

1. Back up the database.

2. Open a command prompt, and type NTDSUTIL.

4. Type FILES, and press Enter.

5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the size of the associated log files. Write all this down.

6. Make a folder location that has enough drive space for the directory to be stored.

7. Type COMPACT TO DRIVE:\DIRECTORY, and press Enter. The drive and directory are the locations you set up in step 5. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag".

A new defragmented and compacted NTDS.DIT is created in the folder you specified.

8. Type QUIT, and press Enter.

9. Type QUIT again, and press Enter to return to the command prompt.

10. If defragmentation succeeds without errors, follow the NTDSUTIL prompts.

11. Delete all log files by typing DEL x:\path\to\logfiles\*.log where x is the drive letter of your drive.

12. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 4.

13. Close the command prompt.

14. Open the Services tool, and start Active Directory Domain Services.

Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues. 
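Added example, not from the original page: the offline defragmentation above as a script that uses Restartable AD DS and NTDSUTIL, with the database replaced only after the compacted file passes an integrity check. The compaction folder is a placeholder; the database and log locations are read from the NTDS registry parameters instead of being copied from NTDSUTIL's INFO output, and the "activate instance ntds" entry is the step Windows Server 2008 and later require before the FILES menu.

```powershell
# Added example, not from the original page: offline defragmentation of NTDS.DIT using
# Restartable AD DS and NTDSUTIL. Assumed values: $target is a placeholder folder (no
# spaces, on a volume with enough free space); database and log paths come from the NTDS
# registry parameters. Run from an elevated PowerShell prompt on the domain controller
# after the system state backup from step 1 of the procedure above.
$target = 'D:\NtdsCompact'
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir = $params.'Database log files path'    # e.g. C:\Windows\NTDS

# 1. Stop AD DS (dependent services such as DNS and KDC stop with it); note the size.
Stop-Service -Name NTDS -Force
$sizeBefore = (Get-Item $dbFile).Length
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 2. Compact into the new folder. Each argument is one line typed at an NTDSUTIL prompt;
#    "activate instance ntds" is required on Windows Server 2008 and later.
ntdsutil "activate instance ntds" files "compact to $target" quit quit

# 3. Keep the untouched original beside the compacted copy so a failed check can be undone.
$newDb = Join-Path $target 'ntds.dit'
if (-not (Test-Path $newDb)) { throw "Compaction produced no $newDb; original left in place." }
Copy-Item $dbFile (Join-Path $target 'ntds.dit.orig') -Force

# 4. Replace the database, drop the old transaction logs (they belong to the old file),
#    then run NTDSUTIL's integrity check against the new file.
Remove-Item (Join-Path $logDir '*.log') -Force
Copy-Item $newDb $dbFile -Force
$check = ntdsutil "activate instance ntds" files integrity quit quit 2>&1
if ($check -match 'Integrity check successful') {
    "NTDS.DIT: {0:N0} bytes before, {1:N0} bytes after" -f $sizeBefore, (Get-Item $dbFile).Length
} else {
    # Put the original back; the system state backup remains the last line of defence.
    Copy-Item (Join-Path $target 'ntds.dit.orig') $dbFile -Force
    Write-Warning 'Integrity check failed; original NTDS.DIT restored.'
}

# 5. Bring AD DS and its dependent services back online.
Start-Service -Name NTDS
```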
