Microsoft 70-640 Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
Your network contains an Active Directory domain. The domain is configured as shown in the following table.
70-640 dumps exhibit
Users in Branch2 sometimes authenticate to a domain controller in Branch1.
You need to ensure that users in Branch2 only authenticate to the domain controllers in Main.
What should you do?

  • A. On DC3, set the AutoSiteCoverage value to 0.
  • B. On DC3, set the AutoSiteCoverage value to 1.
  • C. On DC1 and DC2, set the AutoSiteCoverage value to 0.
  • D. On DC1 and DC2, set the AutoSiteCoverage value to 1.

Answer: A

NEW QUESTION 2
HOTSPOT
You have a standard primary zone named contoso.com.
You need to configure how often the zone will be transferred to servers that host a
secondary copy of the zone.
Which tab should you use?
To answer, select the appropriate tab in the answer area.
70-640 dumps exhibit

    Answer:

    Explanation: 70-640 dumps exhibit

    NEW QUESTION 3
    Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.
    You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.
    At which level should you deactivate UGMC?

    • A. Server
    • B. Connection object
    • C. Domain
    • D. Site

    Answer: D

    Explanation:
    http://www.ntweekly.com/?p=788
    http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91
    Script to Disable Universal Group Membership Caching in all Sites
    How to Disable Universal Group Membership Caching in all Sites using a Script
    Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user’s membership in Universal Groups on domain controllers authenticating the user. This feature allows a domain controller to have knowledge of Universal Groups a user is a member of rather than contacting a Global Catalog.
    Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user’s account at the time the user logs on to the domain to the authenticating domain controller.
    UGMC is generally a good idea for multiple domain forests when:
    1. Universal Group membership does not change frequently.
    2. Low WAN bandwidth between Domain Controllers in different sites.
    It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.

    NEW QUESTION 4
    Your network contains an Active Directory forest named contoso.com.
    You plan to migrate all user accounts to a new forest named litwareinc.com.
    The functional level of the contoso.com forest is Windows Server 2003. Contoso.com contains four servers.
    The servers are configured as shown in the following table.
    70-640 dumps exhibit
    The functional level of the litwareinc.com forest is Windows Server 2008. Litwareinc.com contains four servers.
    The servers are configured as shown in the following table.
    70-640 dumps exhibit
    You need to identify on which server in the litwareinc.com forest you must install Active Directory Migration Tool version 3.2 (ADMT v3.2).
    Which server should you identify?

    • A. Litw_Srv4
    • B. Litw_Srv1
    • C. Litw_Srv2
    • D. Litw_Srv3

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-us/library/cc974370.aspx
    Prerequisites for installing ADMT v3.2
    Although you can use ADMT v3.2 to migrate accounts and resources from Active Directory environments that have a domain functional level of Windows Server 2003 or later, you can install ADMT v3.2 only on a server running Windows Server 2008 R2.
    In addition to running Windows Server 2008 R2, the server computer that you use to install ADMT v3.2 must not be installed under the Server Core installation option or be running as a read-only domain controller (RODC).

    NEW QUESTION 5
    DRAG DROP
    Your network contains an Active Directory forest named contoso.com.
    All client computers used by the sales department are in an organizational unit (OU) named Sales Computers. All user accounts for the sales department are in an OU named Sales Users.
    You purchase a new application.
    You need to ensure that every user in the domain who logs on to a sales department computer can use the application. The application must only be available from the sales department computers.
    What should you do?
    To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.
    70-640 dumps exhibit

      Answer:

      Explanation: 70-640 dumps exhibit

      NEW QUESTION 6
      Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 has the DNS Server server role installed and hosts the zone for contoso.com.
      All host (A) records are registered in DNS by using dynamic updates.
      You deploy a new server named dns.contoso.com.
      You install the DNS Server server role on dns.contoso.com.
      The Name Servers list is shown in the Name Server exhibit. (Click the Exhibit button.)
      70-640 dumps exhibit
      The Zone Transfers settings are shown in the Zone Transfers exhibit. (Click the Exhibit button.)
      70-640 dumps exhibit
      On dns.contoso.com, you create a secondary zone for contoso.com and you specify DC1 as the master server.
      You discover that the zone fails to transfer to dns.contoso.com.
      You open DNS Manager as shown in the DNS Manager exhibit. (Click the Exhibit button.)
      70-640 dumps exhibit
      You need to ensure that dns.contoso.com can transfer the contoso.com zone.
      What should you do?

      • A. Modify the name servers list for the contoso.com zone.
      • B. Change the A record for dns.contoso.com to use 10.0.0.2.
      • C. Add an A record for contoso.com that has a value of 10.0.0.2.
      • D. Allow zone transfers to the 10.0.0.2 IP address.
      • E. Add a name server (NS) record for contoso.com that has a value of 10.0.0.2.

      Answer: A

      NEW QUESTION 7
      Active Directory Rights Management Services (AD RMS) is deployed on your network.
      You need to configure AD RMS to use Kerberos authentication.
      Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

      • A. Register a service principal name (SPN) for AD RMS.
      • B. Register a service connection point (SCP) for AD RMS.
      • C. Configure the identity setting of the _DRMSAppPool1 application pool.
      • D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.

      Answer: AD

      Explanation:
      http://technet.microsoft.com/en-us/library/dd759186.aspx
      If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:
      Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
      Set the Service Principal Names (SPN) value for the AD RMS service account

      NEW QUESTION 8
      You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template.
      Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment.
      You need to ensure that the certificate template is available on the Web enrollment pages.
      What should you do?

      • A. Run certutil.exe -pulse.
      • B. Run certutil.exe -installcert.
      • C. Change the certificate template to a Version 2 certificate template.
      • D. On the certificate template, assign the Autoenroll permission to the users.

      Answer: C

      Explanation:
      Identical to F/Q12.
      Explanation 1: http://technet.microsoft.com/en-us/library/cc732517.aspx
      Certificate Web enrollment cannot be used with version 3 certificate templates.
      Explanation 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx
      The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.

      NEW QUESTION 9
      A corporate network includes an Active Directory Domain Services (AD DS) forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers.
      A standard primary zone for dev.contoso.com is stored on a member server.
      You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.
      What should you do?

      • A. On one domain controller, create a stub zone. Configure the stub zone to replicate to all DNS servers in the forest.
      • B. On one domain controller, create a stub zone. Configure the stub zone to replicate to all DNS servers in the domain.
      • C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.
      • D. On the member server, create a secondary zone.

      Answer: A

      NEW QUESTION 10
      Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has Active Directory Federation Services (AD FS) 2.0 installed.
      Server1 is a member of an AD FS farm. The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQL Server.
      You install AD FS 2.0 on Server2.
      You need to add Server2 to the existing AD FS farm.
      What should you do?

      • A. On Server1, run fsconfig.exe.
      • B. On Server1, run fsconfigwizard.exe.
      • C. On Server2, run fsconfig.exe.
      • D. On Server2, run fsconfigwizard.exe.

      Answer: C

      Explanation:
      http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server.aspx
      Configure a New Federation Server
      To configure a new federation server using the command line
      1. Open a Command Prompt window.
      2. Change the directory to the path where AD FS 2.0 was installed.
      3. To configure this computer as a federation server, type the applicable syntax using either of the following command parameters, and then press ENTER:
      fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]
      Parameter
      JoinSQLFarm
      Joins this computer to an existing federation server farm that is using SQL Server.

      NEW QUESTION 11
      Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.
      The network contains an enterprise certification authority (CA).
      You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates.
      All users plan to encrypt files by using EFS.
      You need to ensure that the private keys for all new EFS certificates are archived.
      Which snap-in should you use?

      • A. Share and Storage Management
      • B. Security Configuration wizard
      • C. Enterprise PKI
      • D. Active Directory Administrative Center
      • E. Certification Authority
      • F. Group Policy Management
      • G. Certificate Templates
      • H. Authorization Manager
      • I. Certificates

      Answer: G

      Explanation:
      http://technet.microsoft.com/en-us/library/cc753826.aspx
      Configure a Certificate Template for Key Archival
      The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates are issued based on this template.
      Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss, but it can also be useful when applied to other types of certificates.
      To configure a certificate template for key archival and recovery
      1. Open the Certificate Templates snap-in.
      2. In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.
      3. In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
      4. In Template, type a new template display name, and then modify any other optional properties as needed.
      5. On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.
      6. Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if you want to automatically issue the certificate, also select the Autoenroll check box.
      7. On the Request Handling tab, select the Archive subject's encryption private key check box.

      NEW QUESTION 12
      Your company security policy requires complex passwords.
      You have a comma delimited file named import.csv that contains user account information.
      You need to create user accounts in the domain by using the import.csv file.
      You also need to ensure that the new user accounts are set to use default passwords and are disabled.
      What should you do?

      • A. Modify the userAccountControl attribute to disabled. Run the csvde i k f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.
      • B. Modify the userAccountControl attribute to accounts disabled. Run the csvde -f import.csv command. Run the DSMOD utility to set default passwords for the user accounts.
      • C. Modify the userAccountControl attribute to disabled. Run the wscript import.csv command. Run the DSADD utility to set default passwords for the imported user accounts.
      • D. Modify the userAccountControl attribute to disabled. Run ldifde -i -f import.csv command. Run the DSADD utility to set passwords for the imported user accounts.

      Answer: A

      Explanation:
      Personal note:
      The correct command should be:
      csvde -i -k -f import.csv
      http://support.microsoft.com/kb/305144
      How to use the UserAccountControl flags to manipulate user account properties When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.
      You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.
      The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Note that Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
      http://technet.microsoft.com/en-us/library/cc732101%28v=ws.10%29.aspx
      Csvde
      Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
      Syntax:
      Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
      Parameters
      -i
      Specifies import mode. If not specified, the default mode is export.
      -f <FileName>
      Identifies the import or export file name.
      -k
      Ignores errors during an import operation and continues processing.
      http://technet.microsoft.com/en-us/library/cc732954%28v=ws.10%29.aspx
      Dsmod user
      Modifies attributes of one or more existing users in the directory.
      Syntax:
      dsmod user <UserDN> ... [-upn <UPN>] [-fn <FirstName>] [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>] [-empid <EmployeeID>] [-pwd (<Password> | *)] [-desc <Description>] [-office <Office>] [-tel <PhoneNumber>] [-email <E-mailAddress>] [-hometel <HomePhoneNumber>] [-pager <PagerNumber>] [-mobile <CellPhoneNumber>] [-fax <FaxNumber>] [-iptel <IPPhoneNumber>] [-webpg <WebPage>] [-title <Title>] [-dept <Department>] [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDirectory>] [-hmdrv <DriveLetter>:] [-profile <ProfilePath>] [-loscr <ScriptPath>] [-mustchpwd {yes | no}] [-canchpwd {yes | no}] [-reversiblepwd {yes | no}] [-pwdneverexpires {yes | no}] [-acctexpires <NumberOfDays>] [-disabled {yes | no}] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]
      Parameters
      <UserDN>
      Required. Specifies the distinguished names of the users that you want to modify. If values are omitted, they are obtained through standard input (stdin) to support piping of output from another command to input of this command.
      -pwd {<Password> | *}
      Resets the passwords for the users that you want to modify as Password or an asterisk (*). If you type *, AD DS prompts you for a user password.

      NEW QUESTION 13
      HOTSPOT
      You need to modify the Password Replication Policy on a read-only domain controller (RODC).
      Which tool should you use?
      To answer, select the appropriate tool in the answer area.
      70-640 dumps exhibit

        Answer:

        Explanation: 70-640 dumps exhibit

        NEW QUESTION 14
        Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.
        You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest.
        What should you use?

        • A. the Dsquery tool
        • B. the Export-CSV cmdlet
        • C. the Get-ADUser cmdlet
        • D. the Net.exe user command

        Answer: C

        Explanation:
        http://technet.microsoft.com/en-us/library/cc771865.aspx
        Adds or modifies user accounts, or displays user account information.
        DSQUERY
        Explanation 1:
        http://technet.microsoft.com/en-us/library/cc754232.aspx
        Parameters
        {<StartNode> | forestroot | domainroot}
        Specifies the node in the console tree where the search starts. You can specify the forest root (forestroot), domain root (domainroot), or distinguished name of a node as the start node <StartNode>. If you specify forestroot, AD DS searches by using the global catalog.
        -attr {<AttributeList> | *}
        Specifies the semicolon-separated LDAP display names in <AttributeList> to display for each entry in the result set. If you specify the value of this parameter as a wildcard character (*), this parameter displays all attributes that are present on the object in the result set. In addition, if you specify a *, this parameter uses the default output format (a list), regardless of whether you specify the -l parameter. The default <AttributeList> is a distinguished name.
        Explanation 2:
        http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/dda5fcd6-1a10-4d47-9379-02ca38aaa65b
        Gives an example of how to find a user with certain attributes using Dsquery. Note that it uses domainroot as the start node, instead of forestroot, which is what we need.
        Explanation 3:
        http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/c6fc3826-78e1-48fd-ab6f-690378e0f787/
        List all last login times for all users, regardless of whether they are disabled.
        dsquery * -filter "(&(objectCategory=user)(objectClass=user))" -limit 0 -attr givenName sn sAMAccountName lastLogon >> c:last_logon_for_all.txt

        NEW QUESTION 15
        You are one of two network administrators for your organization.
        Your IT partner does most of the work in Active Directory.
        While working in Active Directory, your partner accidentally deleted a user from the Sales OU.
        You recover the user from tape backup but you want to help prevent this from happening again in the future.
        What can you do?

        • A. Enable the Active Directory Recycle Bin.
        • B. Use ADSI Edit to restore the user.
        • C. Take away all rights from the other administrator.
        • D. Use the Directory Services Restore Mode Lockout command.

        Answer: A

        Explanation:
        http://technet.microsoft.com/en-us/library/dd392261%28v=ws.10%29.aspx
        Active Directory Recycle Bin Step-by-Step Guide
        Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability to preserve and restore accidentally deleted Active Directory objects without restoring Active Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting domain controllers.
        When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of the deleted Active Directory objects are preserved and the objects are restored in their entirety to the same consistent logical state that they were in immediately before deletion. For example, restored user accounts automatically regain all group memberships and corresponding access rights that they had immediately before deletion, within and across domains.
        Active Directory Recycle Bin is functional for both AD DS and Active Directory Lightweight Directory Services (AD LDS) environments.
        Important: By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must first raise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which in turn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to be running Windows Server 2008 R2. After you set the forest functional level of your environment to Windows Server 2008 R2, you can use the instructions in this guide to enable Active Directory Recycle Bin.
        In this release of Windows Server 2008 R2, the process of enabling Active Directory Recycle Bin is irreversible. After you enable Active Directory Recycle Bin in your environment, you cannot disable it.

        NEW QUESTION 16
        Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
        The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
        You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
        You need to ensure that DC2 can resolve DNS queries for ad.contoso.com in the event that a WAN link fails. The solution must prevent DC2 from updating records in ad.contoso.com.
        What should you do?

        • A. Configure the DNS server on DC2 to forward requests to DC1.
        • B. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
        • C. Create a new secondary zone named ad.contoso.com on DC2.
        • D. Create a new stub zone named ad.contoso.com on DC2.

        Answer: B

        NEW QUESTION 17
        Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000.
        You need to create a forest trust between adatum.com and litwareinc.com.
        What should you do first?

        • A. Create an external trust.
        • B. Raise the functional level of both forests.
        • C. Configure SID filtering.
        • D. Raise the functional level of all the domains.

        Answer: B

        Explanation:
        http://technet.microsoft.com/en-us/library/cc771397.aspx
        When to create a forest trust
        You can create a forest trust between forest root domains if the forest functional level is Windows Server 2003 or higher.

        NEW QUESTION 18
        Your network contains an Active Directory forest. The forest contains one domain named contoso.com.
        You attempt to create a new child domain and you receive the following error message: "An LDAP read of operational attributes failed."
        You need to ensure that you can add a new child domain to the forest.
        What should you do?

        • A. Move the PDC emulator role.
        • B. Move the RID master role.
        • C. Move the infrastructure master role.
        • D. Move the schema master role.
        • E. Move the domain naming master role.
        • F. Move the global catalog server.
        • G. Move the bridgehead server.
        • H. Install a read-only domain controller (RODC).
        • I. Deploy an additional global catalog server.
        • J. Restart the Active Directory Domain Services (AD DS) service.

        Answer: E

        Explanation:
        http://technet.microsoft.com/en-us/library/bb727058.aspx
        Troubleshooting Active Directory Installation Wizard Problems
        Symptom or Error
        An LDAP read of operational attributes failed.
        Root Cause
        The domain naming master for the forest is offline or cannot be contacted.
        Solution
        Make the current domain naming master accessible. If necessary, see "Seizing Operations Master Roles" in this guide.