[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 241-250



Your network contains an Active Directory forest.


You need to add a new user principal name (UPN) suffix to the forest.


Which tool should you use?



A. Active Directory Administrative Center

B. Active Directory Domains and Trusts

C. Active Directory Sites and Services

D. Active Directory Users and Computers


Correct Answer: B




Demonstration adding a UPN Suffix

To add or modify a UPN suffix for your forest, open Active Directory Domains and Trusts from the Start menu. Right-click the Active Directory Domains and Trusts node at the top of the console tree and open its Properties. On the UPN Suffixes tab you can add and remove alternative UPN suffixes for the whole forest. The suffixes are stored in the uPNSuffixes attribute of the Partitions container in the configuration partition (CN=Partitions,CN=Configuration,...), which is why this is a forest-wide setting that needs Enterprise Admins rights, and why the tool is Domains and Trusts rather than Users and Computers.
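The same change done and verified from the command line, as an added example that is not part of the original page. It assumes the ActiveDirectory PowerShell module from Windows Server 2008 R2 (or RSAT), an Enterprise Admins session, and placeholder names: the suffix corp.example and the user jdoe.

```powershell
# Added example: add a forest UPN suffix, verify it in two places, and assign it to one user.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and Enterprise Admins rights.
# 'corp.example' and 'jdoe' are placeholders.
Import-Module ActiveDirectory

$suffix = 'corp.example'

# A hashtable with Add adds to the existing list instead of replacing it
Set-ADForest -Identity (Get-ADForest).Name -UPNSuffixes @{ Add = $suffix }

# Verification 1: through the module
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) { throw "Suffix $suffix was not added" }

# Verification 2: directly on the Partitions container, where the value actually lives
$rootDse    = [ADSI]'LDAP://RootDSE'
$configNc   = $rootDse.Properties['configurationNamingContext'].Value
$partitions = [ADSI]"LDAP://CN=Partitions,$configNc"
$partitions.Properties['uPNSuffixes'].Value      # lists every alternative suffix in the forest

# Give one user the new suffix
Set-ADUser -Identity 'jdoe' -UserPrincipalName "jdoe@$suffix"
Get-ADUser -Identity 'jdoe' -Properties UserPrincipalName | Select-Object SamAccountName, UserPrincipalName
```

The suffix is not validated against DNS, so pick one your organization controls; if users in the forest authenticate to a trusting forest, the new suffix also has to be enabled in that forest trust's name suffix routing before logons with it will work across the trust.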




Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.


You add a logoff script to an existing Group Policy object (GPO).


You need to verify that each domain controller successfully replicates the updated group policy.


Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)







the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container


the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container


Correct Answer: AD




How Core Group Policy Works

The Gpt.ini File

The Gpt.ini file is located at the root of each Group Policy template. Each Gpt.ini file contains GPO version information. Except for the Gpt.ini files created for the default GPOs, a display name value is also written to the file.

Each Gpt.ini file contains the GPO version number of the Group Policy template.



Normally this is identical to the versionNumber attribute of the corresponding groupPolicyContainer object. It is encoded in the same way: as the decimal representation of a 4-byte value whose upper two bytes hold the GPO user settings version and whose lower two bytes hold the computer settings version. In the example the documentation refers to, the version is 0x10003 (decimal 65539), giving a user settings version of 1 and a computer settings version of 3.

Storing this version number in Gpt.ini lets the client-side extensions (CSEs) check whether the policy settings cached on the client are out of date. If the cached version differs from the version in the Group Policy template (Gpt.ini) or in the Group Policy container (the versionNumber attribute), the settings are reprocessed. The two copies travel by different mechanisms (the container by Active Directory replication, the template in SYSVOL by FRS or DFS Replication), so checking both on every domain controller is what proves the updated GPO has fully replicated.
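The check described above, carried out against every domain controller, as an added example that is not part of the original page. It assumes the ActiveDirectory module, PowerShell 3.0 or later, read access to SYSVOL on each DC, and uses the well-known GUID of the Default Domain Policy as the GPO to inspect; substitute the GUID of the GPO you edited.

```powershell
# Added example: compare the AD copy of a GPO's version (versionNumber on the groupPolicyContainer)
# with the SYSVOL copy (Version= in gpt.ini) on each domain controller.
# Assumes the ActiveDirectory module and PowerShell 3.0+. The GPO GUID below is the Default Domain Policy.
Import-Module ActiveDirectory

function Split-GpoVersion {
    param([int64]$Version)
    [pscustomobject]@{
        User     = [int][math]::Floor($Version / 65536)   # upper 16 bits
        Computer = [int]($Version -band 0xFFFF)           # lower 16 bits
    }
}

function Get-GpoVersionPerDC {
    param([string]$GpoGuid)
    $domain = Get-ADDomain
    $gpoDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
    foreach ($dc in Get-ADDomainController -Filter *) {
        # AD copy: ask this DC specifically, not whichever DC the module happened to bind to
        $gpc = Get-ADObject -Identity $gpoDn -Server $dc.HostName -Properties versionNumber, uSNChanged
        # SYSVOL copy on the same DC
        $iniPath = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
        $line    = Get-Content $iniPath | Where-Object { $_ -match '^Version=' } | Select-Object -First 1
        $gptVersion = [int64]($line -replace '^Version=', '')
        $ad  = Split-GpoVersion $gpc.versionNumber
        $gpt = Split-GpoVersion $gptVersion
        [pscustomobject]@{
            DC              = $dc.HostName
            AD_Version      = $gpc.versionNumber
            AD_User         = $ad.User
            AD_Computer     = $ad.Computer
            SYSVOL_Version  = $gptVersion
            SYSVOL_User     = $gpt.User
            SYSVOL_Computer = $gpt.Computer
            uSNChanged      = $gpc.uSNChanged    # per-DC counter, reported but not compared
            InSync          = ($gpc.versionNumber -eq $gptVersion)
        }
    }
}

Get-GpoVersionPerDC -GpoGuid '{31B2F340-016D-11D2-945F-00C04FB984F9}' | Format-Table -AutoSize
```

A logoff script is a user setting, so after the edit every DC should show the same, incremented User value in both columns and InSync = True. uSNChanged is a counter local to each DC and differs between DCs by design, so the script shows it but does not compare it across DCs.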




Your company has four offices. The network contains a single Active Directory domain. Each office has a domain controller. Each office has an organizational unit (OU) that contains the user accounts for the users in that office. In each office, support technicians perform basic troubleshooting for the users in their respective office.


You need to ensure that the support technicians can reset the passwords for the user accounts in their respective office only. The solution must prevent the technicians from creating user accounts.


What should you do?



A. For each OU, run the Delegation of Control Wizard.

B. For the domain, run the Delegation of Control Wizard.

C. For each office, create an Active Directory group, and then modify the security settings for each group.

D. For each office, create an Active Directory group, and then modify the controlAccessRights attribute for each group.


Correct Answer: A


Reference 1:


To delegate control of an organizational unit

1. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

2. To open Active Directory Users and Computers in Windows Server 2012, click Start, type dsa.msc.

3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.

Reference 2:


Delegate the following common tasks

The following are common tasks that you can select to delegate control of them:

Reset user passwords and force password change at next logon
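What the wizard writes into the OU's ACL for that task, reproduced and verified in script, as an added example that is not part of the original page. The OU and group names are placeholders; the three GUIDs are the well-known identifiers of the Reset Password extended right, the pwdLastSet attribute and the user class (you can confirm them in your own forest under CN=Extended-Rights and CN=Schema in the configuration partition). It must run with rights to change the OU's security descriptor.

```powershell
# Added example: delegate "Reset user passwords and force password change at next logon"
# on one office OU and verify that nothing else (in particular no Create Child) was granted.
# OU and group names are placeholders; requires rights to modify the OU's ACL.

$ouDn    = 'OU=Seattle,DC=contoso,DC=com'
$groupNt = 'CONTOSO\Seattle-HelpDesk'

# Well-known GUIDs (assumption: verify them in your forest's configuration partition)
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$pwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

$identity = New-Object System.Security.Principal.NTAccount($groupNt)
$ou  = [ADSI]"LDAP://$ouDn"
$acl = $ou.ObjectSecurity

function New-UserObjectAce {
    # ACE applied to user objects beneath the OU only (Descendents), never to the OU itself
    param($Identity, [string]$Rights, [guid]$ObjectType, [guid]$InheritedObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectType)
}

# 1. The Reset Password extended right on user objects
$acl.AddAccessRule((New-UserObjectAce $identity 'ExtendedRight' $resetPasswordRight $userClass))
# 2. Read and write pwdLastSet, which is what "User must change password at next logon" toggles
$acl.AddAccessRule((New-UserObjectAce $identity 'ReadProperty,WriteProperty' $pwdLastSetAttr $userClass))
$ou.CommitChanges()

# Verify: only these ACEs should name the group. A CreateChild right here would allow creating users.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $groupNt } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are scoped to one OU and to user objects, a Seattle technician gets nothing on the other offices' OUs and cannot create accounts anywhere, which is what rules out the domain-level delegation in answer B.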


Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.


You need to install an enterprise subordinate certification authority (CA) that supports private key archival.


You must achieve this goal by using the minimum amount of administrative effort.


What should you do first?



A. Initialize the Trusted Platform Module (TPM).

B. Upgrade the member server to Windows Server 2008 R2 Standard.

C. Install the Certificate Enrollment Policy Web Service role service on the member server.

D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services – Certification Authority server role template check box.


Correct Answer: B


Not sure about this one. See my thoughts below.

According to MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012), key archival is not available in the Windows Server 2008 R2 Standard edition, so that would leave out answer B.




Another dump gives the following for answer B:

“Upgrade the menber [sic] server to Windows Server 2008 R2 Enterprise.” Should the actual exam mention to upgrade to the Enterprise edition for answer B, I’d go for that. In this VCE it doesn’t seem to make sense to go for B as it shouldn’t work, I think. Certificate Enrollment Policy Web Service role of answer C was introduced in Windows Server 2008 R2, so that would not be an option on the mentioned Windows Server 2008 machine.

Trusted Platform Module is “a secure cryptographic integrated circuit (IC), provides a hardware-based approach to manage user authentication, network access, data protection and more that takes security to higher level than software-based security.” (http://www.trustedcomputinggroup.org/resources/how_to_use_the_tpm_a_guide_to_hardwarebased_endpoint_security/)

Pfff… I’m bothered that answer B speaks of the Standard edition, and not the Enterprise edition. Hope the VCE is wrong.




Your network contains a single Active Directory domain. All client computers run Windows Vista Service Pack 2 (SP2).


You need to prevent all users from running an application named App1.exe.


Which Group Policy settings should you configure?



Application Compatibility




Software Installation


Software Restriction Policies


Correct Answer: D



How-to: Using Software Restriction Policies

Using SRP is not that common today, so this is a small how-to that lets you start trying it now and perhaps apply it in your production environment soon.




The first thing to notice is that SRP is a very powerful tool, so try it in a test environment before you apply it to users in production.

First you need to choose your default level, which you do under Security Levels:




When you start, the default level is Unrestricted, which allows all programs to run. That means you can use SRP to block specific programs, but its real power comes from switching the default to Disallowed, so that you specify which programs may run and everything else is blocked. So, to start with, make Disallowed the default: double-click Disallowed and press the Set as Default button.



With Disallowed as the default, clients affected by this policy can no longer run anything except what you explicitly allow as exceptions, which you define under Additional Rules:




As you can see in the picture above, two default rules are already included. They are registry path rules that set everything under the Windows directory and the Program Files directory to Unrestricted, so those programs can still run even though you chose Disallowed under Security Levels. Be aware that any folder under those roots that ordinary users can write to inherits that exception, so check what the two registry values resolve to on your builds. There are four kinds of rule for allowing or blocking programs:



Certificate rule

Hash rule

Network zone rule

Path rule


The usual ones are hash and path rules. Prefer a hash rule whenever you can, because when the user tries to run a program SRP computes the file's hash and compares it with the rule, so renaming or moving the file makes no difference.

Sometimes a hash rule is impractical, for example when you have several versions of a program; then you use a path rule instead. If the program is not installed in the same location on every computer but you know where in the registry its path is stored, you can use a path rule that points at that registry value.

I will show both ways of allowing Windows Live Messenger to run. Hash:




As you can see above, SRP reads the executable and stores the hash value of the file.

When someone tries to run the program, the system computes the file's hash, compares it with the one you defined and decides whether the program may run.





As you can see above, you need to select the path to the executable. This path must be the same on each computer you want to use this on, but you can of course use environment variables, as I have done in the picture. You could also use a registry location if you know where the program's path is stored. You can also use path rules to block programs instead of allowing them. This is not really the preferred way to use SRP, but it works. On my computer I have Unrestricted as my default and I added an application on my desktop named radio.exe as Disallowed.




So the result when I try to run the file is:




In conclusion, this is a powerful way of giving your users minimal rights on the system, with the result that they will have a hard time messing up the computer 🙂

This only covers some parts of SRP. For example, local administrators are also subject to these rules by default, but you can exclude them under Enforcement; and DLL files are excluded from checking by default, but you can change that too.

Make sure to try this in a safe environment before applying it to production, because you will have a big headache if you take a wrong turn while setting it up. 🙂
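Before trusting the policy on a client, dump what Group Policy actually wrote to the machine, as an added example that is not part of the original page. It reads the Safer policy store under HKLM\SOFTWARE\Policies (the level values 0, 131072 and 262144 and the TransparentEnabled and PolicyScope semantics are the ones SRP uses; hash rules carry the CALG identifier of their algorithm), and needs PowerShell 3.0 or later. The file path passed to the hash check is a placeholder.

```powershell
# Added example: show the effective SRP configuration on a client after gpupdate, and test
# whether a given file would be matched by one of the hash rules. PowerShell 3.0+.
# 'C:\Users\Public\App1.exe' is a placeholder path.

$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames   = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$hashAlgNames = @{ 32771 = 'MD5'; 32780 = 'SHA256' }   # CALG_MD5, CALG_SHA_256

function Get-SrpRules {
    # Rules live under a subkey named after the level they assign (0, 131072 or 262144)
    foreach ($levelKey in Get-ChildItem $base | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem $kindPath) {
                $p = Get-ItemProperty $rule.PSPath
                $value = switch ($kind) {
                    'Paths'    { $p.ItemData }
                    'Hashes'   { '{0}:{1}' -f $hashAlgNames[[int]$p.HashAlg],
                                   (($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '') }
                    'UrlZones' { "Zone $($p.ItemData)" }
                }
                [pscustomobject]@{ Level = $level; Kind = $kind; Value = $value; Description = $p.Description }
            }
        }
    }
}

function Get-SrpPolicy {
    if (-not (Test-Path $base)) { throw 'No SRP policy is present on this machine' }
    $root = Get-ItemProperty $base
    [pscustomobject]@{
        DefaultLevel  = $levelNames[[int]$root.DefaultLevel]
        ChecksDlls    = ([int]$root.TransparentEnabled -eq 2)   # 1 = skip libraries, 2 = all software files
        ExemptsAdmins = ([int]$root.PolicyScope -eq 1)          # 0 = everyone, 1 = all but local administrators
        Rules         = @(Get-SrpRules)
    }
}

function Test-SrpHashRule {
    # Computes MD5 and SHA-256 of the file and looks for either digest among the hash rules
    param([string]$Path, $Rules)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $digests = foreach ($algName in 'MD5', 'SHA256') {
        $alg = [System.Security.Cryptography.HashAlgorithm]::Create($algName)
        '{0}:{1}' -f $algName, (($alg.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '')
    }
    $Rules | Where-Object { $_.Kind -eq 'Hashes' -and $digests -contains $_.Value }
}

$policy = Get-SrpPolicy
$policy | Select-Object DefaultLevel, ChecksDlls, ExemptsAdmins | Format-List
$policy.Rules | Sort-Object Level, Kind | Format-Table -AutoSize
Test-SrpHashRule -Path 'C:\Users\Public\App1.exe' -Rules $policy.Rules
```

Two things worth reading off the output before rollout: ExemptsAdmins tells you whether the Enforcement setting really covers local administrators, and the Unrestricted path rules tell you exactly which directory trees a user only has to drop a file into to escape a Disallowed default.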








Your company has a main office and a branch office.


The network contains a single Active Directory domain.


The main office contains a domain controller named DC1.


You need to install a domain controller in the branch office by using an offline copy of the Active Directory database.


What should you do first?



A. From the Ntdsutil tool, create an IFM media set.

B. From the command prompt, run djoin.exe /loadfile.

C. From Windows Server Backup, perform a system state backup.

D. From Windows PowerShell, run the get-ADDomainController cmdlet.


Correct Answer: A




Installing an Additional Domain Controller by Using IFM

When you install Active Directory Domain Services (AD DS) by using the install from media (IFM) method, you can reduce the replication traffic that is initiated during the installation of an additional domain controller in an Active Directory domain. Reducing the replication traffic reduces the time that is necessary to install the additional domain controller. Windows Server 2008 and Windows Server 2008 R2 include an improved version of the Ntdsutil tool that you can use to create installation media for an additional domain controller. You can use Ntdsutil.exe to create installation media for additional domain controllers that you are creating in a domain. The IFM method uses the data in the installation media to install AD DS, which eliminates the need to replicate every object from a partner domain controller. However, objects that were modified, added, or deleted since the installation media was created must be replicated. If the installation media was created recently, the amount of replication that is required is considerably less than the amount of replication that is required for a regular AD DS installation.




You install a standalone root certification authority (CA) on a server named Server1.


You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer’s Trusted Root Certification Authorities store.


Which command should you run on Server1?



A. certreq.exe and specify the -accept parameter

B. certreq.exe and specify the -retrieve parameter

C. certutil.exe and specify the -dspublish parameter

D. certutil.exe and specify the -importcert parameter


Correct Answer: C




Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.




Certutil [options] -dspublish CertFile [NTAuthCA | RootCA | SubCA | CrossCA | KRA | User | Machine]

Certutil [options] -dspublish CRLFile [DSCDPContainer [DSCDPCN]]

-dspublish: Publish a certificate or certificate revocation list (CRL) to Active Directory. Publishing the root CA certificate with the RootCA option places it in the Certification Authorities container of the configuration partition, from which every domain member adds it to its Trusted Root Certification Authorities store at the next Group Policy refresh. That is why the command needs Enterprise Admins rights, and why answers A, B and D, which only accept, retrieve or import a certificate on Server1 itself, do not reach the other computers.
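The publication and its verification on both sides, as an added example that is not part of the original page. It assumes Enterprise Admins rights on Server1 and placeholder file names for the exported root certificate and CRL.

```powershell
# Added example: publish a standalone root CA's certificate and CRL to Active Directory from
# Server1, then confirm the publication in AD and the result on a domain member.
# Placeholders: C:\Certs\Server1-RootCA.cer and .crl. Requires Enterprise Admins.

$rootCert = 'C:\Certs\Server1-RootCA.cer'   # exported beforehand with: certutil -ca.cert C:\Certs\Server1-RootCA.cer
$rootCrl  = 'C:\Certs\Server1-RootCA.crl'

# RootCA -> CN=Certification Authorities,CN=Public Key Services,CN=Services,<configuration NC>
# NTAuthCA would additionally trust the CA for logon (smart card) certificates; a standalone
# root that only anchors a chain should not be placed there.
certutil -f -dspublish $rootCert RootCA
if ($LASTEXITCODE -ne 0) { throw 'Publishing the root certificate failed' }
certutil -f -dspublish $rootCrl
if ($LASTEXITCODE -ne 0) { throw 'Publishing the CRL failed' }

function Get-AdPublishedRootCAs {
    # Reads every certificate stored on entries of the Certification Authorities container
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = $rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    foreach ($entry in $container.Children) {
        foreach ($raw in $entry.Properties['cACertificate']) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [byte[]]$raw)
            [pscustomobject]@{ Entry = $entry.Name; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
        }
    }
}
Get-AdPublishedRootCAs | Format-Table -AutoSize

# On any domain member, after gpupdate /force or the next refresh, the root is in the machine store:
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootCert)).Thumbprint
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object Subject, NotAfter
```

Anything published here becomes trusted by every computer in the forest without further review, so treat the Enterprise Admins membership that allows it, and the list this function returns, as part of your PKI audit.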




Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7.


From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO).


You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers.


You need to ensure that the audit policy is applied to all member servers and all client computers.


What should you do?



A. Add a WMI filter to the Default Domain Policy GPO.

B. Modify the security settings of the Default Domain Policy GPO.

C. Configure a startup script that runs auditpol.exe on the member servers.

D. Configure a startup script that runs auditpol.exe on the domain controllers.


Correct Answer: C


Advanced audit policy settings cannot be applied through Group Policy to Windows Server 2008 (pre-R2) computers, which is why the policy reached the Windows 7 clients but not the member servers. To work around that, apply the audit policy to the Windows Server 2008 member servers with a computer startup script that runs auditpol.exe; a startup script runs as Local System, which gives auditpol the rights it needs to change the system audit policy. The domain controllers are not part of the requirement, so answer D does not help.




Advanced Security Auditing FAQ

The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.



In Windows Vista and Windows Server 2008, advanced audit event settings were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).
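A startup script of that kind, with a check of what actually took effect, as an added example that is not part of the original page. The subcategory list is an assumed sample rather than the question's real policy; assign the script under Computer Configuration > Windows Settings > Scripts > Startup in a GPO linked to the member servers' OU. It uses PowerShell 3.0 or later for the result objects.

```powershell
# Added example: computer startup script that applies advanced audit subcategories with
# auditpol.exe on Windows Server 2008 members, then verifies them. Runs as SYSTEM at startup.
# The subcategory list below is an assumed sample.

$subcategories = @(
    @{ Name = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
    @{ Name = 'Logoff';                    Success = 'enable'; Failure = 'disable' },
    @{ Name = 'Special Logon';             Success = 'enable'; Failure = 'disable' },
    @{ Name = 'Security Group Management'; Success = 'enable'; Failure = 'enable'  },
    @{ Name = 'Process Creation';          Success = 'enable'; Failure = 'disable' }
)

# Without this value the legacy (basic) audit categories delivered by Group Policy overwrite
# the subcategory settings at the next refresh. It is the registry form of the GPO option
# "Audit: Force audit policy subcategory settings ... to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

foreach ($s in $subcategories) {
    & auditpol /set /subcategory:"$($s.Name)" /success:$($s.Success) /failure:$($s.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$($s.Name)'" }
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    & auditpol /get /category:* /r | ConvertFrom-Csv
}

function Test-AuditPolicyApplied {
    param($Expected)
    $effective = Get-EffectiveAuditPolicy
    foreach ($s in $Expected) {
        $row   = $effective | Where-Object { $_.Subcategory -eq $s.Name }
        $haveS = $row.'Inclusion Setting' -match 'Success'
        $haveF = $row.'Inclusion Setting' -match 'Failure'
        [pscustomobject]@{
            Subcategory = $s.Name
            Effective   = $row.'Inclusion Setting'
            OK          = (($s.Success -eq 'enable') -eq $haveS) -and (($s.Failure -eq 'enable') -eq $haveF)
        }
    }
}

Test-AuditPolicyApplied -Expected $subcategories | Format-Table -AutoSize
```

The same script is harmless on the Windows 7 clients, but they do not need it: keep its GPO linked to the servers only so there is a single source of truth for the clients' audit settings.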




You deploy a new Active Directory Federation Services (AD FS) federation server.


You request new certificates for the AD FS federation server.


You need to ensure that the AD FS federation server can use the new certificates.


To which certificate store should you import the certificates?





IIS Admin Service service account


Local Administrator


World Wide Web Publishing Service service account


Correct Answer: A



Step 2: Installing AD FS Role Services and Configuring Certificates

To import the server authentication certificate for adfsresource to adfsweb

1. Click Start, click Run, type mmc, and then click OK.

2. Click File, and then click Add/Remove Snap-in.

3. Select Certificates, click Add, click Computer account, and then click Next.

4. Click Local computer: (the computer this console is running on), click Finish, and then click OK.

5. In the console tree, double-click the Certificates (Local Computer) icon, double-click the Trusted Root Certification Authorities folder, right-click Certificates, point to All Tasks, and then click Import.

6. On the Welcome to the Certificate Import Wizard page, click Next.

7. On the File to Import page, type \\adfsresource\d$\adfsresource.pfx, and then click Next.

8. On the Password page, type the password for the adfsresource.pfx file, and then click Next.

9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.

10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
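The walkthrough above imports a CA certificate into the computer's Trusted Root store; the service certificate the question asks about belongs in the Local Computer Personal store with a machine-persisted private key. The following does that from a script, as an added example that is not part of the original page. It assumes a PFX issued by a CSP (RSA) provider, and placeholder values for the PFX path and the AD FS service account name.

```powershell
# Added example: import the federation server's new service certificate into the Local Computer
# Personal store with a persisted, machine-scoped private key, and let the service account read it.
# Placeholders: C:\Certs\adfs.contoso.com.pfx and CONTOSO\svc-adfs. Assumes an RSA CSP key.

Add-Type -AssemblyName System.Security

$pfxPath = 'C:\Certs\adfs.contoso.com.pfx'
$pfxPwd  = Read-Host 'PFX password' -AsSecureString
$svcAcct = 'CONTOSO\svc-adfs'

# MachineKeySet: key goes into the machine container, not the importing user's profile.
# PersistKeySet: key survives after this object is gone. Without it the certificate appears in
# the store but has no usable private key, a classic cause of "certificate is there, TLS fails".
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPwd, $flags)
if (-not $cert.HasPrivateKey) { throw 'The PFX does not contain a private key' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# The service does not run as an administrator, so it needs Read on the key file itself
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl $keyFile
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($svcAcct, 'Read', 'Allow')))
Set-Acl -Path $keyFile -AclObject $acl

# Verify by thumbprint; subject names repeat across renewals, thumbprints do not
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, NotAfter, HasPrivateKey
```

Granting Read only, and only to the service account, keeps the token-signing or SSL key from being exportable by every local user; Full Control on that file is never needed for the service to use the key.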




You have an enterprise subordinate certification authority (CA).


You have a group named Group1.


You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.


What should you do?



A. Add Group1 to the local Administrators group.

B. Add Group1 to the Certificate Publishers group.

C. Assign the Manage CA permission to Group1.

D. Assign the Issue and Manage Certificates permission to Group1.


Correct Answer: C



Manage CA is the security permission that defines the CA Administrator role. A CA Administrator can enable, publish and schedule certificate revocation lists (CRLs) and configure the CA, but cannot issue or revoke certificates.

Revoking certificates is an activity of the Certificate Manager role, which is defined by the Issue and Manage Certificates permission, so answer D would violate the requirement. Answer A is too broad as well: by default the local Administrators group on a CA holds both Manage CA and Issue and Manage Certificates.
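A quick way to prove the separation holds after the permission change, as an added example that is not part of the original page: run it in a session that is a member of Group1 and of nothing else that carries CA rights. The CA configuration string and the serial number are placeholders.

```powershell
# Added example: as a Group1 member, confirm that publishing a CRL works and revoking does not.
# Placeholders: the CA config string and the serial number of some issued certificate.

$caConfig = 'CA1.contoso.com\Contoso Issuing CA'
$serial   = '1a2b3c4d000000000005'

function Invoke-CertUtil {
    param([string[]]$Arguments)
    $out = & certutil -config $caConfig @Arguments 2>&1
    [pscustomobject]@{
        Command  = "certutil -config `"$caConfig`" $Arguments"
        ExitCode = $LASTEXITCODE
        LastLine = ($out | Select-Object -Last 1)
    }
}

# Permitted by Manage CA: force publication of a new CRL
$publish = Invoke-CertUtil -Arguments @('-CRL')

# Must be refused: revocation requires Issue and Manage Certificates (reason 0 = Unspecified)
$revoke = Invoke-CertUtil -Arguments @('-revoke', $serial, '0')

$publish, $revoke | Format-List

if ($publish.ExitCode -ne 0) { Write-Warning 'Group1 cannot publish CRLs: Manage CA is missing or not yet effective' }
if ($revoke.ExitCode -eq 0)  { Write-Warning 'Group1 was able to revoke: it holds more than Manage CA' }
```

One caveat a Manage CA holder should not be allowed to forget: the role can edit the CA's own security settings, so without role separation enforced on the CA (the RoleSeparationEnabled registry setting, an Enterprise edition feature on Windows Server 2008) a CA Administrator could grant Group1 the revocation right to itself. Periodically re-running this check, or reviewing the CA's permission list, is how you catch that.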

