Microsoft 70-640 Latest Important Questions with Answers and Explanation Shared By Braindump2go (61-70)


Vendor: Microsoft
Exam Code: 70-640
Exam Name: TS: Windows Server 2008 Active Directory, Configuring

QUESTION 61
Your company has two Active Directory forests as shown in the following table.
The forests are connected by using a two-way forest trust.
Each trust direction is configured with forest-wide authentication.
The new security policy of the company prohibits users in the eng.fabrikam.com domain from accessing resources in the contoso.com domain.
You need to configure the forest trust to meet the new security policy requirement.
What should you do?


A.    Delete the outgoing forest trust in the contoso.com domain.
B.    Delete the incoming forest trust in the contoso.com domain.
C.    Change the properties of the existing incoming forest trust in the contoso.com domain from Forest-wide authentication to Selective authentication.
D.    Change the properties of the existing outgoing forest trust in the contoso.com domain to exclude *.eng.fabrikam.com from the Name Suffix Routing trust properties.

Answer: D
Explanation:
http://technet.microsoft.com/en-us/library/cc773178%28v=ws.10%29.aspx

QUESTION 62
Your company has an Active Directory Rights Management Services (AD RMS) server.
Users have Windows Vista computers.
An Active Directory domain is configured at the Windows Server 2003 functional level.
You need to configure AD RMS so that users are able to protect their documents.
What should you do?

A.    Install the AD RMS client 2.0 on each client computer.
B.    Add the RMS service account to the local administrators group on the AD RMS server.
C.    Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.
D.    Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx
AD RMS Step-by-Step Guide
For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.

QUESTION 63
Your company has an Active Directory domain.
All consultants belong to a global group named TempWorkers.
The TempWorkers group is not nested in any other groups.
You move the computer objects of three file servers to a new organizational unit named SecureServers.
These file servers contain only confidential data in shared folders.
You need to prevent members of the TempWorkers group from accessing the confidential data on the file servers.
You must achieve this goal without affecting access to other domain resources.
What should you do?

A.    Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B.    Create a new GPO and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C.    Create a new GPO and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
D.    Create a new GPO and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.

Answer: A
Explanation:
You need to create a GPO for the SecureServers OU and deny the TempWorkers group access to the shared folders (which implies access from the network).
“Deny log on locally” makes no sense in this instance, because we are referring to shared folders, and physical access to the servers should presumably be highly restricted.
Best practices also recommend that you link GPOs at the domain level only for domain-wide purposes.

QUESTION 64
Your network consists of a single Active Directory domain.
User accounts for the engineering department are located in an OU named Engineering.
You need to create a password policy for the engineering department that is different from your domain password policy.
What should you do?

A.    Create a new GPO. Link the GPO to the Engineering OU.
B.    Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.
C.    Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group.
D.    Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.

Answer: C
Explanation:
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/b3d11cd4-897b-4da1-bae1-f1b69441175b

QUESTION 65
Your network contains an Active Directory domain.
The domain contains two domain controllers named DC1 and DC2.
DC1 hosts a standard primary DNS zone for the domain.
Dynamic updates are enabled on the zone.
DC2 hosts a standard secondary DNS zone for the domain.
You need to configure DNS to allow only secure dynamic updates.
What should you do first?

A.    On DC1 and DC2, configure a trust anchor.
B.    On DC1 and DC2, configure a connection security rule.
C.    On DC1, configure the zone transfer settings.
D.    On DC1, configure the zone to be stored in Active Directory.

Answer: D
Explanation:
http://www.tutorialspoint.com/shorttutorials/configuring-dns-server-for-secure-only-dynamic-updates/

QUESTION 66
Your network contains a domain controller that has two network connections named Internal and Private.
Internal has an IP address of 192.168.0.20.
Private has an IP address of 10.10.10.5.
You need to prevent the domain controller from registering Host (A) records for the 10.10.10.5 IP address.
What should you do?

A.    Modify the netlogon.dns file on the domain controller.
B.    Modify the Name Server settings of the DNS zone for the domain.
C.    Modify the properties of the Private network connection on the domain controller.
D.    Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.

Answer: C
Explanation:
http://support.microsoft.com/kb/2023004

QUESTION 67
Your network contains an Active Directory forest named contoso.com.
You plan to add a new domain named nwtraders.com to the forest.
All DNS servers are domain controllers.
You need to ensure that the computers in nwtraders.com can update their Host (A) records on any of the DNS servers in the forest.
What should you do?

A.    Add the computer accounts of all the domain controllers to the DnsAdmins group.
B.    Add the computer accounts of all the domain controllers to the DnsUpdateProxy group.
C.    Create a standard primary zone on a domain controller in the forest root domain.
D.    Create an Active Directory-integrated zone on a domain controller in the forest root domain.

Answer: D

QUESTION 68
Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1.
DC1 hosts a standard primary zone for contoso.com.
You discover that non-domain member computers register records in the contoso.com zone.
You need to prevent the non-domain member computers from registering records in the contoso.com zone.
All domain member computers must be allowed to register records in the contoso.com zone.
What should you do first?

A.    Configure a trust anchor.
B.    Run the Security Configuration Wizard (SCW).
C.    Change the contoso.com zone to an Active Directory-integrated zone.
D.    Modify the security settings of the %SystemRoot%\System32\Dns folder.

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc772746%28v=ws.10%29.aspx
Active Directory-Integrated Zones
DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication.
This simplifies the process of deploying DNS and provides the following advantages:
Multiple masters are created for DNS replication. Therefore:
Any domain controller in the domain running the DNS server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.

QUESTION 69
Your network contains an Active Directory domain named contoso.com.
You create a GlobalNames zone.
You add an alias (CNAME) resource record named Server1 to the zone.
The target host of the record is server2.contoso.com.
When you ping Server1, you discover that the name fails to resolve.
You successfully resolve server2.contoso.com.
You need to ensure that you can resolve names by using the GlobalNames zone.
What should you do?

A.    From the command prompt, use the netsh tool.
B.    From the command prompt, use the dnscmd tool.
C.    From DNS Manager, modify the properties of the GlobalNames zone.
D.    From DNS Manager, modify the advanced settings of the DNS server.

Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc731744.aspx
Enable GlobalNames zone support
The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1

QUESTION 70
Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com.
The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.
The main office contains a writable domain controller named DC1.
The branch office contains a read-only domain controller (RODC) named RODC1.
All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.
You uninstall the DNS server role from RODC1.
You need to prevent DNS records from replicating to RODC1.
What should you do?

A.    Modify the replication scope for the contoso.com zone.
B.    Flush the DNS cache and enable cache locking on RODC1.
C.    Configure conditional forwarding for the contoso.com zone.
D.    Modify the zone transfer settings for the contoso.com zone.

Answer: A
Explanation:
http://technet.microsoft.com/en-us/library/cc754916.aspx
http://technet.microsoft.com/en-us/library/cc772101.aspx

