Act now and download your today! Do not waste time for the worthless tutorials. Download with real questions and answers and begin to learn with a classic professional.

Check 70-640 free dumps before getting the full version:

NEW QUESTION 1
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?

  • A. Ntdsutil
  • B. Dcdiag
  • C. Repadmin
  • D. Get-ADAccountResultantPasswordReplicationPolicy

Answer: A

NEW QUESTION 2
Your network contains a server that has the Active Directory Lightweight Directory Services
(AD LDS) role installed.
You need to perform an automated installation of an AD LDS instance.
Which tool should you use?

  • A. Dism.exe
  • B. Servermanagercmd.exe
  • C. Adaminstall.exe
  • D. Ocsetup.exe

Answer: C

Explanation: http://technet.microsoft.com/en-us/library/cc816774.aspx To perform an unattended install of an AD LDS instance
1. Create a new text file by using any text editor.
2. Specify the installation parameters.
3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files.
4. At the command prompt, type the following command, and then press ENTER: %systemroot%\ADAM
\adaminstall.exe /answer:drive:\<pathname>\<filename>.txt"

NEW QUESTION 3
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to configure the Active Directory environment to support the application of multiple password policies.
What should you do?

  • A. Raise the functional level of the domain to Windows Server 2008.
  • B. On one domain controller, run dcpromo /ad
  • C. Create multiple Active Directory site
  • D. On all domain controllers, run dcpromo /ad

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server. 2008 domains. In Microsoft. Windows. 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. Requirements and special considerations for fine-grained password and account lockout policies Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.

NEW QUESTION 4
Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers.
The TempWorkers group is not nested in any other groups.
You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders.
You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers.
You must achieve this goal without affecting access to other domain resources.
What should you do?

  • A. Create a new GPO and link it to the SecureServers organizational uni
  • B. Assign the Deny access to this computer from the network user right to the TempWorkers global grou
  • C. Create a new GPO and link it to the domai
  • D. Assign the Deny access to this computer from the network user right to the TempWorkers global grou
  • E. Create a new GPO and link it to the domai
  • F. Assign the Deny log on locally user right to the TempWorkers global grou
  • G. Create a new GPO and link it to the SecureServers organizational uni
  • H. Assign the Deny log on locally user right to the TempWorkers global grou

Answer: A

Explanation:
Personal comment:
Basically, you need to create a GPO for the Secure Servers and deny the TempWorkers
access to the shared folders (implies access from the network).
"Deny log on locally" makes no sense in this instance, because we are reffering to shared
folder and supposedly physical access to servers should be highly restricted.
And best practices recommend that you link GPOs at the domain level only for domain
wide purposes.

NEW QUESTION 5
Exhibit:
70-640 dumps exhibit
Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has file services role installed. You install some disk for additional storage. The disks are configured as shown in the exhibit.
To support data stripping with parity, you have to create a new drive volume.
What should you do to achieve this objective?

  • A. Build a new spanned volume by combining Disk0 and Disk1
  • B. Create a new Raid-5 volume by adding another dis
  • C. Create a new virtual volume by combining Disk 1 and Disk 2
  • D. Build a new striped volume by combining Disk0 and Disk 2

Answer: B

Explanation:
https://sort.symantec.com/public/documents/sf/5.0/solaris/html/vxvm_admin/ag_ch_intro_v m17.html
70-640 dumps exhibit
C:\Documents and Settings\usernwz1\Desktop\1.PNG

NEW QUESTION 6
Your network contains an Active Directory domain named adatum.com. The functional level of the domain is Windows Server 2008. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7 Enterprise.
You need to receive a notification when more than 50 Active Directory objects are deleted per second.
What should you do?

  • A. Run the Get-ADDomain cmdle
  • B. Run the dsget.exe comman
  • C. Run the ntdsutil.exe comman
  • D. Run the ocsetup.exe comman
  • E. Run the dsamain.exe comman
  • F. Run the eventcreate.exe comman
  • G. Create a Data Collector Set (DCS).
  • H. Create custom views from Event Viewe
  • I. Configure subscriptions from Event Viewe
  • J. Import the Active Directory module for Windows PowerShel

Answer: G

Explanation:
http://technet.microsoft.com/en-us/magazine/ff458614.aspx
Configure Windows Server 2008 to Notify you when Certain Events Occur
You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.
To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
2. (...)
3. In the Performance Counters panel, select the first counter, and then use the Alert When Value Is text box to set the occasion when an alert for this counter is triggered. Alerts can be triggered when the counter is above or below a specific value. Select Above or Below, and then set the trigger value. The unit of measurement is whatever makes sense for the currently selected counter or counters. For example, to generate an alert if processor time is over 95 percent, select Over, and then type 95. Repeat this process to configure other counters you’ve selected.

NEW QUESTION 7
DRAG DROP
Your company has two domain controllers named DC1 and DC2. DC1 hosts all domain and forest operations master roles. DC1 fails.
You need to rebuild DC1 by reinstalling the operating system. You also need to rollback all operations master roles to their original state.
You perform a metadata cleanup and remove all Explanations of DC1.
Which three actions should you perform next?
(To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.)
70-640 dumps exhibit

    Answer:

    Explanation: 70-640 dumps exhibit

    NEW QUESTION 8
    Your network contains two Active Directory forests named contoso.com and fabrikam.com. Each forest contains one domain. A two-way forest trust exists between the forests.
    You plan to add users from fabrikam.com to groups in contoso.com.
    You need to identify which group you must use to assign users in fabrikam.com access to the shared folders in contoso.com.
    To which group should you add the users?

    • A. Group 1: Security Group - Domain Loca
    • B. Group 2: Distribution Group - Domain Loca
    • C. Group 3: Security Group - Globa
    • D. Group 4: Distribution Group - Globa
    • E. Group 5: Security Group - Universa
    • F. Group 6: Distribution Group - Universa

    Answer: C

    Explanation:
    http://technet.microsoft.com/en-us/library/cc772808.aspx
    Best practices for using security groups across forests
    By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other forests. Consider the following best practices:
    To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users in ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the Sales Department to the group.
    Create the global group AccountsOrder and add users in the Accounting Department to that group.
    To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group.
    To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called
    OrderEntryApp. Add this group to the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions.
    To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB.

    NEW QUESTION 9
    You have an enterprise subordinate certification authority (CA).
    You have a custom Version 3 certificate template.
    Users can enroll for certificates based on the custom certificate template by using the
    Certificates console. The certificate template is unavailable for Web enrollment.
    You need to ensure that the certificate template is available on the Web enrollment pages.
    What should you do?

    • A. Run certutil.exe puls
    • B. Run certutil.exe installcer
    • C. Change the certificate template to a Version 2 certificate templat
    • D. On the certificate template, assign the Autoenroll permission to the user

    Answer: C

    Explanation:
    Explanation
    Identical to F/Q33. Explanation 1: http://technet.microsoft.com/en-us/library/cc732517.aspx Certificate Web enrollment cannot be used with version 3 certificate templates. Explanation 2: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates.

    NEW QUESTION 10
    Your network contains an Active Directory forest named fabrikam.com. The forest contains the following domains:
    . Fabrikam.com
    Eu.fabrikam.com
    Na.fabrikam.com
    Eu.contoso.com
    Na.contoso.com
    You need to configure the forest to ensure that the administrators of any of the domains can specify a user principal name (UPN) suffix o contoso.com when they create user accounts from Active Directory Users and Computers.
    Which tool should you use?

    • A. Active Directory Users and Computers
    • B. Active Directory Administrative Center
    • C. Active Directory Domains and Trusts
    • D. Set-ADAccountControl

    Answer: C

    Explanation: To add UPN suffixes
    1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start , click Administrative Tools , and then click Active Directory Domains and Trusts .
    2. In the console tree, right-click Active Directory Domains and Trusts , and then click Properties .
    3. On the UPN Suffixes tab, type an alternative UPN suffix for the forest, and then click Add .

    NEW QUESTION 11
    Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com.
    The contoso.com domain contains a domain controller named DC1. The east.contoso.com domain contains a domain controller namedDC2. DC1 and DC2 have the DNS Server server role installed.
    You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure that zone transfers are encrypted. What should you do?

    • A. Create a primary zone on DC1 and store the zone in a zone fil
    • B. Configure IPSec on DC1 and DC2. Create a secondary zone on DC2 and select DC1 as the maste
    • C. Create a primary zone on DC1 and store the zone in the DC=DomainDNSZones,DC=Contoso,DC=com naming contex
    • D. Create a secondary zone on DC2 and select DC1 as the maste
    • E. Create a primary zone on DC1 and store the zone in a zone fil
    • F. Configure Encrypting File System (EFS) encryptio
    • G. Create a secondary zone on DC2 and select DC1 as the maste
    • H. Create a primary zone on DC1 and store the zone in the DC=Contoso,DC=com naming contex
    • I. Create a secondary zone on DC2 and select DC1 as the maste

    Answer: B

    Explanation: *DomainDnsZones DNS application directory partition for each domain in the forest. DNS zones stored in this application directory partition are replicated to all DNS servers running on domain controllers in the domain.

    NEW QUESTION 12
    Your company has an Active Directory forest. The company has branch offices in three locations. Each location has an organizational unit.
    You need to ensure that the branch office administrators are able to create and apply GPOs only to their respective organizational units.
    Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

    • A. Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational units to the branch office administrator
    • B. Add the user accounts of the branch office administrators to the Group Policy Creator Owners Grou
    • C. Modify the Managed By tab in each organizational unit to add the branch office administrators to their respective organizational unit
    • D. Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office administrator

    Answer: AB

    Explanation:
    Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their
    branch organizational units to the branch office administrators.
    Add the user accounts of the branch office administrators to the Group Policy Creator
    Owners Group.
    http://technet.microsoft.com/en-us/library/cc732524.aspx
    Delegate Control of an Organizational Unit
    1. To delegate control of an organizational unit
    2. To open Active Directory Users and Computers, click Start , click Control Panel , double-
    click Administrative
    Tools and then double-click Active Directory Users and Computers .
    3. In the console tree, right-click the organizational unit (OU) for which you want to delegate
    control.
    Where?
    Active Directory Users and Computers\ domain node \ organizational unit
    4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the
    instructions in the wizard.
    http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx
    Delegating Administration of Group Policy
    Your Group Policy design will probably call for delegating certain Group Policy
    administrative tasks.
    Determining to what degree to centralize or distribute administrative control of Group Policy
    is one of the most important factors to consider when assessing the needs of your
    organization. In organizations that use a centralized administration model, an IT group
    provides services, makes decisions, and sets standards for the entire company. In
    organizations that use a distributed administration model, each business unit manages its
    own IT group.
    You can delegate the following Group Policy tasks:
    Creating GPOs
    Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc.
    Delegating Creation of GPOs The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate creation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to containers unless they have been separately delegated the right to do so on a particular site, domain, or OU. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create. Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain. The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and link GPOs. By default, non- Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else who has been delegated permissions to link GPOs an a container can link the GPO as appropriate. Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user this permission: Add the group or user to the Group Policy Creator Owners group. This was the only method available prior to GPMC. Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC. You can manage this permission by using the Delegation tab on the Group Policy objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that have this permission, or add new groups. Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be delegated to members outside the domain. If you require that users outside the domain have the ability to create GPOs, create a new domain local group in the domain (for example, "GPCO – External"), grant that group GPO creation permissions in the domain, and then add domain global groups from external domains to that group. For users and groups in the domain, you should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions. Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation permissions directly using the new method available in GPMC are identical in terms of permissions.

    NEW QUESTION 13
    You create a standard primary zone for contoso.com.
    You need to specify a user named Admin1 as the person responsible for managing the
    zone.
    What should you do? (Each correct answer presents a complete solution. Choose two.)

    • A. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "hostmaster.contoso.com" to "admin1.contoso.com".
    • B. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com, Specify admin1.contoso.com as the responsible perso
    • C. Open the %Systemroot\System32\DNS\Contoso.com.dns file by using Notepad and change all instances of "hostmaster@contoso.com" to "admin1@contoso.com".
    • D. From DNS Manager, open the properties of the Start of Authority (SOA) record ofcontoso.com.Specify admin1@contoso.com as the responsible perso

    Answer: AB

    Explanation:
    Explanation 1: http://technet.microsoft.com/en-us/library/cc816941.aspx
    To modify the start of authority (SOA) resource record for a zone using the Windows interface
    1. Open DNS Manager.
    2. In the console tree, right-click the applicable zone, and then click Properties.
    3. Click the Start of Authority (SOA) tab.
    4. As needed, modify properties for the start of authority (SOA) resource record.
    5. Click OK to save the modified properties.
    Explanation 2:
    http://technet.microsoft.com/en-us/library/dd197495.aspx
    The SOA resource record contains the following information:
    SOA resource record fields
    Responsible person The e-mail address of the person responsible for administering the
    zone. A period (.) is used instead of an at sign (@) in this e-mail name.
    (...)

    NEW QUESTION 14
    You have an enterprise root certification authority (CA) that runs Windows Server 2008 R2.
    You need to ensure that you can recover the private key of a certificate issued to a Web server.
    What should you do?

    • A. From the CA, run the Get-PfxCertificate cmdle
    • B. From the Web server, run the Get-PfxCertificate cmdle
    • C. From the CA, run the certutil.exe tool and specify the -exportpfx paramete
    • D. From the Web server, run the certutil.exe tool and specify the -exportpfx paramete

    Answer: D

    Explanation:
    http://technet.microsoft.com/en-us/library/ee449471%28v=ws.10%29.aspx
    Manual Key Archival Manual key archival can be used in the following common scenarios
    that are not supported by automatic key archival:
    Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates used by Microsoft.
    Office Outlook. Certificates issued by CAs that do not support key archival. Certificates installed on the Microsoft Windows. 2000 and Windows Millennium Edition operating systems. This topic includes procedures for exporting a private key by using the following programs and for importing a private key to a CA database: Certutil.exe Certificates snap-in Microsoft Office Outlook
    To export private keys by using Certutil.exe
    1. Open a Command Prompt window.
    2. Type the Certutil.exe –exportpfx command using the command-line options described in
    the following table.
    Certutil.exe [-p <Password>] –exportpfx <CertificateId> <OutputFileName>
    70-640 dumps exhibit
    C:\Documents and Settings\usernwz1\Desktop\1.PNG

    NEW QUESTION 15
    Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child.contoso.com. All domain controllers run Windows Server 2008. All forest-wide operations master roles are in child.contoso.com.
    An administrator successfully runs adprep.exe /forestprep from the Windows Server 2008 R2 Service Pack 1 (SP1) installation media.
    You plan to run adprep.exe /domainprep in each domain.
    You need to ensure that you have the required user rights to run the command successfully in each domain.
    Of which groups should you be a member? (Each correct answer presents part of the solution.
    Choose two.)

    • A. Administrators in child.contoso.com
    • B. Enterprise Admins in contoso.com
    • C. Domain Admins in child.contoso.com
    • D. Domain Admins in contoso.com
    • E. Administrators in contoso.com
    • F. Schema Admins in contoso.com

    Answer: CD

    Explanation:
    http://technet.microsoft.com/de-de/library/cc731728.aspx
    Adprep /domainprep
    Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest.
    Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008.
    You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command.

    NEW QUESTION 16
    Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2008 R2. Server1 has a file share named Share1.
    You plan to configure the audit policy settings of Server1 by using a Group Policy object (GPO).
    You need to ensure that entries are generated in the Event Log when the users in a group named Group1 successfully access or fail to access the files in Share1. The event entries must show the specific operation each user attempted. The solution must minimize the number of audit entries in the Event Log.
    Which Object Access audit policy should you configure?

    • A. Audit File Share
    • B. Audit Detailed File Share
    • C. Audit File System
    • D. Audit Other Object Access Events

    Answer: C

    NEW QUESTION 17
    Your network contains an Active Directory forest named contoso.com. The forest contains one domain. The domain contains three domain controllers. The domain controllers are configured as shown in the following table.
    70-640 dumps exhibit
    DC2 fails and cannot be recovered.
    Several weeks later, administrators report that they can no longer create new users and
    groups in the domain.
    You need to ensure that the administrators can create new users and groups.
    What should you add?

    • A. the RID master role to DC3
    • B. the schema master role to DC1
    • C. the infrastructure master role to DC1
    • D. the domain naming master role to DC3

    Answer: A

    NEW QUESTION 18
    Your company has an Active Directory domain.
    You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2.
    You need to ensure that members of the Account Operators group are able to issue smartcard credentials.They should not be able to revoke certificates.
    Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

    • A. Create an Enrollment Agent certificat
    • B. Create a Smartcard logon certificat
    • C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator grou
    • D. Install the AD CS role and configure it as an Enterprise Root C
    • E. Install the AD CS role and configure it as a Standalone C
    • F. Restrict certificate managers for the Smartcard logon certificate to the Account Operator grou

    Answer: BCD

    Explanation:
    http://technet.microsoft.com/en-us/library/cc753800%28v=ws.10%29.aspx AD CS: Restricted Enrollment Agent The restricted enrollment agent is a new functionality in the Windows Server. 2008 Enterprise operating system that allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users.
    What does the restricted enrollment agent do? Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users. Enrollment agents are typically members of the corporate security, Information Technology (IT) security, or help desk teams because these individuals have already been trusted with safeguarding valuable resources. In some organizations, such as banks that have many branches, help desk and security workers might not be conveniently located to perform this task. In this case, designating a branch manager or other trusted employee to act as an enrollment agent is required to enable smart card credentials to be issued from multiple locations. On a Windows Server 2008 Enterprise-based certification authority (CA), the restricted enrollment agent features allow an enrollment agent to be used for one or many certificate templates. For each certificate template, you can choose which users or security groups the enrollment agent can enroll on behalf of. You cannot constrain an enrollment agent based on a certain Active Directory. organizational unit (OU) or container; you must use security groups instead. The restricted enrollment agent is not available on a Windows
    http://technet.microsoft.com/en-us/library/cc776874%28v=ws.10%29.aspx
    Enterprise certification authorities The Enterprise Administrator can install Certificate Services to create an enterprise certification authority (CA). Enterprise CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) and logging on to a Windows Server 2003 family domain using a smart card. An enterprise CA has the following features: An enterprise CA requires the Active Directory directory service. When you install an enterprise root CA, it uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. You must be a Domain Administrator or be an administrator with write access to Active Directory to install an enterprise root CA. Certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards. The enterprise exit module publishes user certificates and the certificate revocation list (CRL) to Active Directory. In order to publish certificates to Active Directory, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. For more information about the exit module, see Policy and exit modules.
    An enterprise CA uses certificate types, which are based on a certificate template. The following functionality is possible when you use certificate templates: Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in Active Directory that determines whether the certificate requester is authorized to receive the type of certificate they have requested. The certificate subject name can be generated automatically from the information in Active Directory or supplied explicitly by the requestor.
    The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.
    http://technet.microsoft.com/en-us/library/cc780501%28WS.10%29.aspx
    Stand-alone certification authorities
    You can install Certificate Services to create a stand-alone certification authority (CA). Stand-alone CAs can issue certificates for purposes such as digital signatures, secure e-mail using S/MIME (Secure Multipurpose Internet Mail Extensions) and authentication to a secure Web server using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A stand-alone CA has the following characteristics: Unlike an enterprise CA, a stand-alone CA does not require the use of the Active Directory directory service. Stand-alone CAs are primarily intended to be used as Trusted Offline Root CAs in a CA hierarchy or when extranets and the Internet are involved. Additionally, if you want to use a custom policy module for a CA, you would first install a stand-alone CA and then replace the stand-alone policy module with your custom policy module. When submitting a certificate request to a stand-alone CA, a certificate requester must explicitly supply all identifying information about themselves and the type of certificate that is wanted in the certificate request. (This does not need to be done when submitting a request to an enterprise CA, since the enterprise user's information is already in Active Directory and the certificate type is described by a certificate template). The authentication information for requests is obtained from the local computer's Security Accounts Manager database. By default, all certificate requests sent to the stand-alone CA are set to Pending until the administrator of the stand-alone CA verifies the identity of the requester and approves the request. This is done for security reasons, because the certificate requester's credentials are not verified by the stand-alone CA. Certificate templates are not used. No certificates can be issued for logging on to a Windows Server 2003 family domain using smart cards, but other types of certificates can be issued and stored on a smart card. The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store or users must perform that task themselves. When a stand-alone CA uses Active Directory, it has these additional features: If a member of the Domain Administrators group or an administrator with write access to Active Directory, installs a stand-alone root CA, it is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as Pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.
    If a stand-alone CA is installed by a member of the Domain Administrators group of the parent domain of a tree in the enterprise, or by an administrator with write access to Active Directory, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to Active Directory.

    P.S. Easily pass 70-640 Exam with 631 Q&As 2passeasy Dumps & pdf Version, Welcome to Download the Newest 2passeasy 70-640 Dumps: https://www.2passeasy.com/dumps/70-640/ (631 New Questions)