QUESTION 51
Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA). You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7. You need to verify that the Windows 7 client computers can automatically enroll for certificates. Which command should you run on Computer1?
A. certreq.exe -retrieve
B. certreq.exe -submit
C. certutil.exe -getkey
D. certutil.exe -pulse
QUESTION 52
Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates. You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA). What should you configure in the adatum.com domain?
A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.
Answer: C
QUESTION 53
You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:
– Enterprise root certification authority (CA)
– Certificate Enrollment Web Service
– Certificate Enrollment Policy Web Service
You create a new certificate template. External users report that the new template is unavailable when they request a new certificate. You verify that all other templates are available to the external users. You need to ensure that the external users can request certificates by using the new template. What should you do on Server1?
A. Run iisreset.exe /restart.
B. Run gpupdate.exe /force.
C. Run certutil.exe -dspublish.
D. Restart the Active Directory Certificate Services service.
Answer: A
QUESTION 54
Your network contains an enterprise root certification authority (CA). You need to ensure that a certificate issued by the CA is valid. What should you do?
A. Run syskey.exe and use the Update option.
B. Run sigverif.exe and use the Advanced option.
C. Run certutil.exe and specify the -verify parameter.
D. Run certreq.exe and specify the -retrieve parameter.
Answer: C
QUESTION 55
You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates. Users are required to log on to the domain by using a smart card. Your company’s corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked. An employee resigns. You need to immediately prevent the employee from logging on to the domain. What should you do?
A. Revoke the employee’s smart card certificate.
B. Disable the employee’s Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee’s Active Directory account.
Answer: B
QUESTION 56
You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array. What should you do?
A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller.
Answer: C
QUESTION 57
Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA). You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping. You revoke a certificate issued to an external partner. You need to prevent the external partner from accessing the Web site. What should you do?
A. Run certutil.exe -crl.
B. Run certutil.exe -delkey.
C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.
D. From Active Directory Users and Computers, modify the Contact object for the external partner.
Answer: A
QUESTION 58
Your company has a main office and five branch offices that are connected by WAN links. The company has an Active Directory domain named contoso.com. Each branch office has a member server configured as a DNS server. All branch office DNS servers host a secondary zone for contoso.com. You need to configure the contoso.com zone to resolve client queries for at least four days in the event that a WAN link fails. What should you do?
A. Configure the Expires after option for the contoso.com zone to 4 days.
B. Configure the Retry interval option for the contoso.com zone to 4 days.
C. Configure the Refresh interval option for the contoso.com zone to 4 days.
D. Configure the Minimum (default) TTL option for the contoso.com zone to 4 days.
Answer: A
QUESTION 59
Your company has an Active Directory domain named contoso.com. FS1 is a member server in contoso.com. You add a second network interface card, NIC2, to FS1 and connect NIC2 to a subnet that contains computers in a DNS domain named fabrikam.com. Fabrikam.com has a DHCP server and a DNS server. Users in fabrikam.com are unable to resolve FS1 by using DNS. You need to ensure that FS1 has an A record in the fabrikam.com DNS zone. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Configure the DHCP server in fabrikam.com with the scope option 044 WINS/NBNS Servers.
B. Configure the DHCP server in fabrikam.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com.
C. Configure NIC2 by configuring the Append these DNS suffixes (in order): option.
D. Configure NIC2 by configuring the Use this connection’s DNS suffix in DNS registration option.
E. Configure the DHCP server in contoso.com by setting the scope option 015 DNS Domain Name to the domain name fabrikam.com.
Answer: BD
QUESTION 60
Your company, Datum Corporation, has a single Active Directory domain named intranet.adatum.com. The domain has two domain controllers that run the Windows Server 2008 R2 operating system. The domain controllers also run DNS servers. The intranet.adatum.com DNS zone is configured as an Active Directory-integrated zone with the Dynamic updates setting configured to Secure only. A new corporate security policy requires that the intranet.adatum.com DNS zone must be updated only by domain controllers or member servers. You need to configure the intranet.adatum.com zone to meet the new security policy requirement. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Remove the Authenticated Users account from the Security tab of the intranet.adatum.com DNS zone properties.
B. Assign the SELF Account Deny on Write permission on the Security tab of the intranet.adatum.com DNS zone properties.
C. Assign the server computer accounts the Allow on Write All Properties permission on the Security tab of the intranet.adatum.com DNS zone properties.
D. Assign the server computer accounts the Allow on Create All Child Objects permission on the Security tab of the intranet.adatum.com DNS zone properties.
Answer: AD
QUESTION 61
Your company has two Active Directory forests as shown in the following table.
The forests are connected by using a two-way forest trust. Each trust direction is configured with forest-wide authentication. The new security policy of the company prohibits users in the eng.fabrikam.com domain from accessing resources in the contoso.com domain. You need to configure the forest trust to meet the new security policy requirement. What should you do?
A. Delete the outgoing forest trust in the contoso.com domain.
B. Delete the incoming forest trust in the contoso.com domain.
C. Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication.
D. Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties.
Answer: D
QUESTION 62
Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level. You need to configure AD RMS so that users are able to protect their documents. What should you do?
A. Install the AD RMS client 2.0 on each client computer.
B. Add the RMS service account to the local administrators group on the AD RMS server.
C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.
Answer: C
QUESTION 63
Your company has an Active Directory domain. All consultants belong to a global group named TempWorkers. The TempWorkers group is not nested in any other groups. You move the computer objects of three file servers to a new organizational unit named SecureServers. These file servers contain only confidential data in shared folders. You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers. You must achieve this goal without affecting access to other domain resources. What should you do?
A. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C. Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
D. Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.
Answer: A
QUESTION 64
Your network consists of a single Active Directory domain. User accounts for the engineering department are located in an OU named Engineering. You need to create a password policy for the engineering department that is different from your domain password policy. What should you do?
A. Create a new GPO. Link the GPO to the Engineering OU.
B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.
C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group.
D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.
Answer: C
QUESTION 65
Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain. You need to configure DNS to allow only secure dynamic updates. What should you do first?
A. On DC1 and DC2, configure a trust anchor.
B. On DC1 and DC2, configure a connection security rule.
C. On DC1, configure the zone transfer settings.
D. On DC1, configure the zone to be stored in Active Directory.
Answer: D
QUESTION 66
Your network contains a domain controller that has two network connections named Internal and Private. Internal has an IP address of 192.168.0.20. Private has an IP address of 10.10.10.5. You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address. What should you do?
A. Modify the netlogon.dns file on the domain controller.
B. Modify the Name Server settings of the DNS zone for the domain.
C. Modify the properties of the Private network connection on the domain controller.
D. Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.
Answer: C
QUESTION 67
Your network contains an Active Directory forest named contoso.com. You plan to add a new domain named nwtraders.com to the forest. All DNS servers are domain controllers. You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest. What should you do?
A. Add the computer accounts of all the domain controllers to the DnsAdmins group.
B. Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C. Create a standard primary zone on a domain controller in the forest root domain.
D. Create an Active Directory-integrated zone on a domain controller in the forest root domain.
Answer: D
QUESTION 68
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1. DC1 hosts a standard primary zone for contoso.com. You discover that non-domain member computers register records in the contoso.com zone. You need to prevent the non-domain member computers from registering records in the contoso.com zone. All domain member computers must be allowed to register records in the contoso.com zone. What should you do first?
A. Configure a trust anchor.
B. Run the Security Configuration Wizard (SCW).
C. Change the contoso.com zone to an Active Directory-integrated zone.
D. Modify the security settings of the %SystemRoot%\System32\Dns folder.
Answer: C
QUESTION 69
Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. What should you do?
A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.
Answer: B
QUESTION 70
Your company has a main office and a branch office. The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You uninstall the DNS server role from RODC1. You need to prevent DNS records from replicating to RODC1. What should you do?
A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.
Answer: A