[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 151-160



Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008.


You have a member server named Server1 that runs Windows Server 2008.


You need to ensure that you can add Server1 to contoso.com as a domain controller.


What should you run before you promote Server1?



dcpromo.exe /CreateDCAccount


dcpromo.exe /ReplicaOrNewDomain:replica


Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain


Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest


Correct Answer: C



After you set the domain functional level to a certain value in Windows Server 2008 R2, you cannot roll back or lower the domain functional level, with one exception: when you raise the domain functional level to Windows Server 2008 R2 and if the forest functional level is Windows Server 2008 or lower, you have the option of rolling the domain functional level back to Windows Server 2008. You can lower the domain functional level only from Windows Server 2008 R2 to Windows Server 2008. If the domain functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003.




ABC.com has a network that consists of a single Active Directory domain.


As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers.


Which tool should you use to test the certificate with AD LDS?





Active Directory Domain services








None of the above


Correct Answer: A



Appendix A: Configuring LDAP over SSL Requirements for AD LDS

The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.

Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe

To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled.
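A scripted equivalent of the Ldp.exe SSL connect test, added here as an example and not part of the original page or of Microsoft's documentation. It uses System.DirectoryServices.Protocols to open an SSL session, bind, and read the rootDSE; the host name ldsserver.contoso.com and port 50001 are assumptions. Certificate validation is left at its default so a certificate the client does not trust, or whose name does not match the server, makes the test fail rather than pass silently.

```powershell
# Added example: test an AD LDS instance over LDAPS the way Ldp.exe does, from a script.
# Server name and port are assumptions; change them to match the instance under test.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsConnection {
    param(
        [string]$Server = 'ldsserver.contoso.com',   # assumed AD LDS host (FQDN must match the certificate)
        [int]$Port      = 50001                      # assumed LDAPS port of the instance
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true    # SSL from the first packet, same as Ldp.exe "SSL" checkbox
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

    try {
        # Bind performs the TLS handshake; an untrusted or mismatched certificate throws here.
        $conn.Bind()

        # Read the rootDSE over the protected channel to prove the session is usable.
        $scope = [System.DirectoryServices.Protocols.SearchScope]::Base
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', $scope, 'supportedLDAPVersion')
        $res   = $conn.SendRequest($req)

        New-Object PSObject -Property @{ Server = $Server; Port = $Port; Ssl = $true; Ok = $true; Entries = $res.Entries.Count }
    }
    catch {
        New-Object PSObject -Property @{ Server = $Server; Port = $Port; Ssl = $true; Ok = $false; Error = $_.Exception.Message }
    }
    finally {
        $conn.Dispose()
    }
}

Test-LdapsConnection | Format-List
```

Run it on the AD LDS server first (the certificate's subject must match the name you connect to), then from a client that has the CA certificate installed; a failure only on the client points at the client's trust store rather than at the instance.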




ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network.


You are instructed to capture all replication errors from all domain controllers to a central location.


What should you do to achieve this task?



Initiate the Active Directory Diagnostics data collector set


Set event log subscriptions and configure it


Initiate the System Performance data collector set


Create a new capture in the Network Monitor


Correct Answer: B



Configure Computers to Forward and Collect Events

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).


Event Subscriptions

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process.


Replication Issues




Your network contains a domain controller that has two network connections named Internal and Private.


Internal has an IP address of Private has an IP address of You need to prevent the domain controller from registering Host (A) records for the IP address.


What should you do?



Modify the netlogon.dns file on the domain controller.


Modify the Name Server settings of the DNS zone for the domain.


Modify the properties of the Private network connection on the domain controller.


Disable netmask ordering on the DNS server that hosts the DNS zone for the domain.


Correct Answer: C



Steps to avoid registering unwanted NIC(s) in DNS on a Multihomed Domain Controller

Symptoms

On domain controllers with more than one NIC, where each NIC is connected to a separate network, the Host (A) DNS registration can occur for unwanted NIC(s).

If a client queries for the DC's DNS records and gets an unwanted record, or the record of a different network that the client cannot reach, the client will fail to contact the DC, causing authentication and many other issues.

The DNS server responds to the query in a round-robin fashion: if the DC has multiple NICs registered in DNS, the DNS server will serve the client all the records available for that DC.

To prevent this, we need to make sure the unwanted NIC address is not registered in DNS. Below are the services that are responsible for Host (A) record registration on a DC:

1. Netlogon service

2. DNS server service (if the DC is running DNS server service)

3. DHCP client /DNS client (2003/2008)

If the NIC is configured to register the connection address in DNS, then the DHCP/DNS client service will register the record in DNS. The unwanted NIC should be configured not to register the connection address in DNS.

If the DC is running the DNS server service, then the DNS service will register a Host (A) record for every interface it is set to listen on. The "Name Servers" tab of the zone properties lists the IP addresses of the interfaces present on the DC. If it lists both IPs, the DNS server will register Host (A) records for both IP addresses. We need to make sure that only the required interface listens for DNS and that the zone's Name Servers tab carries only the required IP address.

Resolution

To avoid this problem, perform the following 3 steps (it is important that you follow all the steps to avoid the issue).


1. Under Network Connections Properties: On the unwanted NIC, TCP/IP Properties -> Advanced -> DNS -> uncheck "Register this connection's addresses in DNS"

2. Open the DNS server console: highlight the server on the left pane Action-> Properties and on the “Interfaces” tab select “listen on only the following IP addresses”. Remove unwanted IP address from the list

3. On the Zone properties, select Name server tab. Along with FQDN of the DC, you will see the IP address associated with the DC. Remove unwanted IP address if it is listed. After performing this delete the existing unwanted Host A record of the DC.
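The three steps above, carried out from the command line, as an added example that is not part of the original article. All names and addresses are constructed: DC1 in the zone contoso.com, an Internal NIC at 192.0.2.10 to keep, and a Private NIC at 10.10.10.10 to exclude. The dnscmd calls work on Windows Server 2008 and later; Set-DnsClient assumes the DnsClient module of Windows Server 2012 or later (on 2008 R2, step 1 is the checkbox shown above).

```powershell
# Added example: stop a multihomed DC from registering its Private address in DNS.
# Everything below uses constructed names and addresses.
$Zone        = 'contoso.com'
$DcName      = 'DC1'
$KeepIp      = '192.0.2.10'      # Internal NIC, the address clients must get
$UnwantedNic = 'Private'         # interface alias of the NIC to exclude
$UnwantedIp  = '10.10.10.10'     # its address

# Step 1: the DHCP/DNS client must no longer register the Private connection's address
# (DnsClient module, Windows Server 2012+; on 2008 R2 use the checkbox in the NIC's DNS properties).
Set-DnsClient -InterfaceAlias $UnwantedNic -RegisterThisConnectionsAddress $false

# Step 2: make the DNS Server service listen only on the Internal address, so it stops
# registering a Host (A) record for the Private one (dnscmd is present on 2008 and later).
dnscmd $DcName /ResetListenAddresses $KeepIp

# Step 3: delete the stale records for the unwanted address. The DC's own A record is
# the glue the Name Servers tab shows; the zone-root ("same as parent") A record is what
# clients get when they resolve the domain name itself. Then let Netlogon re-register.
dnscmd $DcName /RecordDelete $Zone $DcName A $UnwantedIp /f
dnscmd $DcName /RecordDelete $Zone '@'    A $UnwantedIp /f
Restart-Service Netlogon

# Verify against the DNS server directly: the unwanted address must not come back.
$answer = & nslookup -type=A "$DcName.$Zone" $KeepIp 2>$null
if ($answer -match [regex]::Escape($UnwantedIp)) {
    Write-Warning "$UnwantedIp is still registered for $DcName.$Zone; check scavenging and re-run step 3"
} else {
    "Only wanted addresses are registered for $DcName.$Zone"
}
```

Repeat the nslookup check after the next Netlogon registration cycle (by default every 24 hours) and against each DNS server that hosts the zone, since a stale record can survive on a replica until the deletion replicates.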

















Your network contains an Active Directory forest named contoso.com. The forest contains two sites named Seattle and Montreal. The Seattle site contains two domain controllers. The domain controllers are configured as shown in the following table.




You need to enable universal group membership caching in the Seattle site.


Which object’s properties should you modify?


To answer, select the appropriate object in the answer area.




Correct Answer:





Company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication.


The application is installed on one member server in five sites.


You need to configure the five member servers to receive the ResData application directory partition for data replication.


What should you do?



Run the Dcpromo utility on the five member servers.


Run the Regsvr32 command on the five member servers


Run the Webadmin command on the five member servers


Run the RacAgent utility on the five member servers


Correct Answer: A



Dcpromo Syntax

dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv] /uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]

dcpromo Promotion operation parameters:


Specifies the application directory partitions that dcpromo will replicate. Use the following format: “partition1” “partition2” “partitionN”

Use * to replicate all application directory partitions.
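An unattended promotion that replicates a named application directory partition, as an added example rather than text from the original page. The answer file below uses the [DCInstall] section keys that dcpromo documents for a replica promotion, including ApplicationPartitionsToReplicate, the parameter whose description appears above; the partition name ResData comes from the question, while the domain, site and paths are assumptions.

```powershell
# Added example: promote a member server as an additional DC and have it replicate
# the ResData application directory partition. Domain, site and paths are assumptions.
$answerFile = Join-Path $env:TEMP 'dcpromo-resdata.txt'

@'
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
InstallDNS=No
ConfirmGc=No
UserDomain=contoso.com
UserName=contoso\adminuser
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Replicate only the named partition; "*" would replicate every application partition.
ApplicationPartitionsToReplicate="DC=ResData,DC=contoso,DC=com"
SafeModeAdminPassword=*
RebootOnCompletion=Yes
'@ | Set-Content -Path $answerFile -Encoding ASCII

# Password=* and SafeModeAdminPassword=* make dcpromo prompt instead of storing secrets in the file.
dcpromo /unattend:$answerFile
```

After the reboot, `repadmin /showrepl` on the new DC lists the partitions it replicates; DC=ResData,DC=contoso,DC=com should appear next to the domain, configuration and schema partitions.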







Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com.


From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com.


You need to prevent users from impersonating contoso.com users.


What should you do?



Configure trusted e-mail domains.


Enable lockbox exclusion in AD RMS.


Create a forest trust between adatum.com and contoso.com.


Add a certificate from a third-party trusted certification authority (CA).


Correct Answer: A



Add a Trusted User Domain

By default, Active Directory Rights Management Services (AD RMS) does not service requests from users whose rights account certificate (RAC) was issued by a different AD RMS installation. However, you can add user domains to the list of trusted user domains (TUDs), which allows AD RMS to process such requests.

For each trusted user domain (TUD), you can also add and remove specific users or groups of users. In addition, you can remove a TUD; however, you cannot remove the root cluster for this Active Directory forest from the list of TUDs. Every AD RMS server trusts the root cluster in its own forest.

You can add TUDs as follows:

To support external users in general, you can trust Windows Live ID. This allows an AD RMS cluster that is in your company to process licensing requests that include a RAC that was issued by Microsoft’s online RMS service. For more information about trusting Windows Live ID in your organization, see Use Windows Live ID to Establish RACs for Users.

To trust external users from another organization’s AD RMS installation, you can add the organization to the list of TUDs. This allows an AD RMS cluster to process a licensing request that includes a RAC that was issued by an AD RMS server that is in the other organization.

In the same manner, to process licensing requests from users within your own organization who reside in a different Active Directory forest, you can add the AD RMS installation in that forest to the list of TUDs. This allows an AD RMS cluster in the current forest to process a licensing request that includes a RAC that was issued by an AD RMS cluster in the other forest.

For each TUD, you can specify which e-mail domains are trusted. For trusted Windows Live ID sites and services, you can specify which e-mail users or domains are not trusted.




You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security.


You need to populate that RODC server with the passwords of nonadministrative accounts.


Which of the following actions should be considered to populate the RODC server with nonadministrative accounts' passwords?



Delete all administrative accounts from the RODC’s group


Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO)


Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group


Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.


None of the above


Correct Answer: C





Advantages That an RODC Can Provide to an Existing Deployment

Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to delegate administration of an RODC to a nonadministrative user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform routine server maintenance.


Password Replication Policy

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.

Password Replication Policy Allowed and Denied lists

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.

The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.
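The Denied and Allowed lists in practice, as an added example that is not part of the original page: administrative groups go into the domain-wide Denied RODC Password Replication Group, the branch users go onto the RODC's own Allowed list, and the RODC's revealed-password list is then audited for anything that should never have been cached. It uses the ActiveDirectory module (Windows Server 2008 R2 or later); the RODC name RODC1 and the group Branch-Seattle-Users are assumptions.

```powershell
# Added example: keep administrative passwords off a physically exposed RODC and
# verify nothing privileged is already cached there. RODC1 and Branch-Seattle-Users are constructed.
Import-Module ActiveDirectory

$Rodc        = 'RODC1'
$DeniedGroup = 'Denied RODC Password Replication Group'

# 1. Deny caching for the high-privilege groups. Add-ADGroupMember fails for an account that is
#    already a member, so only add the ones that are missing.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$current = Get-ADGroupMember -Identity $DeniedGroup | Select-Object -ExpandProperty SamAccountName
$toAdd   = $adminGroups | Where-Object { $current -notcontains $_ }
if ($toAdd) { Add-ADGroupMember -Identity $DeniedGroup -Members $toAdd }

# 2. Allow caching for the branch users so they can still log on when the WAN link is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch-Seattle-Users'

# 3. Review the effective policy on this RODC (denied entries win over allowed ones).
"--- Denied on ${Rodc} ---";  Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name
"--- Allowed on ${Rodc} ---"; Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name

# 4. Audit: which passwords does the RODC already hold, and does any belong to a denied account?
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$deniedMembers = Get-ADGroupMember -Identity $DeniedGroup -Recursive | Select-Object -ExpandProperty DistinguishedName

$leaked = $revealed | Where-Object { $deniedMembers -contains $_.DistinguishedName }
if ($leaked) {
    $leaked | ForEach-Object { Write-Warning "Privileged password cached on ${Rodc}: $($_.SamAccountName)" }
} else {
    "No privileged passwords cached on ${Rodc} ($($revealed.Count) accounts revealed in total)"
}
```

Adding an account to the Denied list stops future caching but does not remove a password the RODC already holds; an account that shows up in the warning above needs its password reset, which is the same action you would take if the RODC were stolen.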












Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed.


Server1 has an AD LDS instance.


You need to ensure that you can replicate the instance from Server1 to Server2.


What should you do on both servers?



Obtain a server certificate.


Import the MS-User.ldf file.


Create a service user account for AD LDS.


Register the service location (SRV) resource records.


Correct Answer: C



Administering AD LDS Instances

Each AD LDS instance runs as an independent, separately administered service on a computer. You can configure the account under which an AD LDS instance runs, stop and restart an AD LDS instance, and change the AD LDS instance service display name and service description. In addition, you can enable Secure Sockets Layer (SSL) connections in AD LDS by installing certificates. In Active Directory environments, each AD LDS instance attempts to create a Service Principal Name (SPN) object in the directory to be used for replication authentication. Depending on the network environment into which you install AD LDS, you may have to create SPNs manually.

AD LDS service account

The service account that an AD LDS instance uses determines the access that the AD LDS instance has on the local computer and on other computers in the network. AD LDS instances also use the service account to authenticate other AD LDS instances in their configuration set, to ensure replication security. You determine the AD LDS service account during AD LDS installation.




Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema.


You discover that the Active Directory replication traffic to the Global Catalogs has increased.


You need to prevent the new attributes from being replicated to the Global Catalog.


You must achieve this goal without affecting application functionality.


What should you do?



Change the replication interval for the DEFAULTIPSITELINK object to 9990.


Change the cost for the DEFAULTIPSITELINK object to 9990.


Make the new attributes in the Active Directory as defunct.


Modify the properties in the Active Directory schema for the new attributes.


Correct Answer: D



How to Modify Attributes That Replicate to the Global Catalog

The Global Catalog (GC) contains a partial replica of every object in the enterprise. This article discusses how to manipulate the attributes which make up the set values replicated to the GC. Deciding which attributes will replicate (in addition to the default attributes) requires careful planning with consideration for network traffic and necessary disk space. Before describing how to set an attribute to replicate in the GC, it is important to note the effects this has on network replication traffic.

After an attributeSchema object is created, marking an additional attribute to replicate to the GC causes a full replication (also known as a “full sync”) of all objects to the GC as described below. This behavior occurs on the versions of Windows 2000 listed in this article.

Every server has a full and write-able copy of its own domain. If that server is also a GC, the remaining domains in the forest are held as read-only, partial copies. “Partial” means that only a subset of the attributes is kept.

When an attribute is added to the GC, it is added to the partial copy subset (partial attribute set). This causes the GC to perform a “full sync” of all the read-only copies again to repopulate itself with only the partial attributes that it needs to hold. This full sync occurs even if the attribute property isMemberOfPartialAttributeSet is set to “True.” Thus, it only does a full sync on the read-only partial copy domains and not its own write-able domain, the configuration directory partition or schema directory partition. In order to modify the attributes that replicate to the Active Directory GC, you must modify the schema. To modify the schema, an administrator must be made a member of the “Schema Admins” group. In addition to being a member of this group, a registry key must be set on the Schema master.
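The schema modification the explanation describes, as an added example and not code from the original article: list the attributes currently in the partial attribute set (isMemberOfPartialAttributeSet, the property named above) and clear that flag on one attribute so the Global Catalog stops replicating it, while the attribute itself stays defined and usable by the application. It uses the ActiveDirectory module and must run as a member of Schema Admins; the attribute name contoso-BadgeNumber is constructed.

```powershell
# Added example: inspect and change which schema attributes replicate to the Global Catalog.
# Requires Schema Admins membership; the write goes to the schema master. contoso-BadgeNumber is constructed.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-GcAttribute {
    # All attributeSchema objects flagged for the partial attribute set (PAS).
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Set-GcReplication {
    param(
        [Parameter(Mandatory=$true)][string]$AttributeName,
        [Parameter(Mandatory=$true)][bool]$InGlobalCatalog
    )
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
        -Properties isMemberOfPartialAttributeSet
    if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema" }

    # Schema writes are only accepted by the schema master, so target it explicitly.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ isMemberOfPartialAttributeSet = $InGlobalCatalog }
}

$before = Get-GcAttribute
"Attributes in the partial attribute set before: $($before.Count)"

# Stop replicating the application's new attribute to every GC in the forest.
Set-GcReplication -AttributeName 'contoso-BadgeNumber' -InGlobalCatalog $false

$after = Get-GcAttribute
"Attributes in the partial attribute set after:  $($after.Count)"
$before | Where-Object { $after -notcontains $_ } | ForEach-Object { "Removed from GC: $_" }
```

Removing an attribute from the PAS does not trigger the full sync described above; adding one does, which is why the change is best made once, for all of an application's attributes at the same time, rather than attribute by attribute.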

