[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 271-280



Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC).


You add a user named User1 to the Allowed RODC Password Replication Group.


The WAN link between Site1 and Site2 fails. User1 restarts his computer and reports that he is unable to log on to the domain.


The WAN link is restored and User1 reports that he is able to log on to the domain.


You need to prevent the problem from reoccurring if the WAN link fails.


What should you do?



Create a Password Settings object (PSO) and link the PSO to User1’s user account.


Create a Password Settings object (PSO) and link the PSO to the Domain Users group.


Add the computer account of the RODC to the Allowed RODC Password Replication Group.


Add the computer account of User1’s computer to the Allowed RODC Password Replication Group.


Correct Answer: D




You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.


You need to back up Active Directory Certificate Services on the CA.


Which command should you run?



certutil.exe backup


certutil.exe backupdb


certutil.exe backupkey


certutil.exe store


Correct Answer: B


Because a hardware security module (HSM) is used to store the private keys, the command certutil.exe -backup would fail, since the private keys cannot be extracted from the module. The HSM vendor should have a proprietary procedure for backing up the keys.

The given commands are:

certutil -backup
Backup set includes the certificate database, the CA certificate and the CA key pair.

certutil -backupdb
Backup set only includes the certificate database.

certutil -backupkey
Backup set only includes the CA certificate and the CA key pair.

certutil -store
Provides a dump of the certificate store onscreen.

Since we cannot extract the keys from the HSM we have to use backupdb.
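As an added example (not code from the page or from Microsoft's documentation), the following PowerShell wrapper performs the database-only backup with certutil -backupdb, writes it to a time-stamped folder and checks that the backup set actually contains the database. The destination path and the extra -ca.cert step that exports only the public CA certificate are my own assumptions; run it in an elevated session on the CA.

```powershell
# Added example: database-only backup of an HSM-backed CA with certutil -backupdb.
# Assumptions: run in an elevated session on the CA itself; $BackupRoot is a
# hypothetical local path chosen for this example.
param(
    [string]$BackupRoot = 'C:\CABackup'
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path -Path $BackupRoot -ChildPath $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# -backupdb copies the certificate database (.edb) and its log files only.
# It never touches the CA key pair, so it does not fail when the key lives in an HSM.
& certutil.exe -backupdb $target
if ($LASTEXITCODE -ne 0) {
    throw "certutil -backupdb failed with exit code $LASTEXITCODE"
}

# certutil places the copied database under a DataBase subfolder; confirm the .edb is there.
$dbFolder = Join-Path -Path $target -ChildPath 'DataBase'
$edb = Get-ChildItem -Path $dbFolder -Filter '*.edb' -ErrorAction SilentlyContinue
if (-not $edb) {
    throw "No .edb file found under $dbFolder; the backup set is incomplete"
}
Write-Host "CA database backed up to $dbFolder ($($edb.Name -join ', '))"

# The CA certificate (public part only) can still be exported alongside the database
# so that a restore has it to hand; the private key stays in the HSM.
& certutil.exe -ca.cert (Join-Path -Path $target -ChildPath 'ca-cert.cer') | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -ca.cert returned exit code $LASTEXITCODE"
}
```

The check on the DataBase subfolder matters in practice: certutil returns success as long as it copied what it was asked to copy, so a backup job should verify the files it expects rather than trust the exit code alone.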

Reference 1:

Microsoft Windows Server(TM) 2003 PKI and Certificate Security (Microsoft Press, 2004) page 215

For the commands listed above.

Reference 2:


Certutil.exe is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.


Certutil <-parameter> [-parameter]

-backupdb: Backup the Active Directory Certificate Services database

Reference 3:





Your network contains an Active Directory domain.


A user named User1 takes a leave of absence for one year.


You need to restrict access to the User1 user account while User1 is away.


What should you do?



From the Default Domain Policy, modify the account lockout settings.


From the Default Domain Controller Policy, modify the account lockout settings.


From the properties of the user account, modify the Account options.


From the properties of the user account, modify the Session settings.


Correct Answer: C


Account lockout settings deal with logon security, like how many times a wrong password can be entered before an account gets locked out, or after how many minutes a locked out user can try again.


To really restrict access to the User1 account it has to be disabled, by modifying the account options.





Disabling a user account prevents user access to e-mail and Microsoft SharePoint Online data, but retains the user’s data. Disabling a user account also keeps the user license associated with that account. This is the best option to utilize when a person leaves an organization temporarily.








You have a Windows PowerShell script that contains the following code:


import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword $_.Password}


When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails.


You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv.


Which script should you run?



import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -Force)}


import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force)}


import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")}


import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString $_.Password)}


Correct Answer: B


import-csv Accounts.csv |
    Foreach {
        New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force)
    }

Personal comment:

import comma separated values file (most probably containing a column for Name and one for Password) for each line of values create a new AD user with the name contained in the Name column enable the account and set the password with the value contained in the Password column; import the password from plain text as a secure string and ignore warnings/errors

http://technet.microsoft.com/en-us/library/hh849818.aspx ConvertTo-SecureString




-AsPlainText Specifies a plain text string to convert to a secure string. The secure string cmdlets help protect confidential text. The text is encrypted for privacy and is deleted from computer memory after it is used. If you use this parameter to provide plain text as input, the system cannot protect that input in this manner. To use this parameter, you must also specify the Force parameter.

-Force Confirms that you understand the implications of using the AsPlainText parameter and still want to use it.
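The corrected one-liner above is the whole answer; as an added example that is not the page's script, the following version does the same conversion but also checks that the CSV has a Password column, skips rows with an empty password, reports per-row failures instead of aborting the whole run, and removes the CSV afterwards because it holds plain-text passwords. It assumes the ActiveDirectory module, a reachable writable domain controller and rights to create users; the CSV contents are constructed for the example.

```powershell
# Added example (not the page's script): bulk-create users from a CSV while converting
# each plain-text password to a SecureString, which is what New-ADUser -AccountPassword requires.
# Assumptions: ActiveDirectory module available, a reachable writable DC, and permission to create users.
# The CSV content below is constructed for this example.
Import-Module ActiveDirectory

$csvPath = Join-Path -Path $env:TEMP -ChildPath 'Accounts.csv'
@'
Name,Password
User1,Example-Pa55-one
User2,Example-Pa55-two
'@ | Set-Content -Path $csvPath -Encoding UTF8

$rows = Import-Csv -Path $csvPath
if (-not ($rows | Get-Member -Name Password -MemberType NoteProperty)) {
    throw "CSV at $csvPath has no Password column"
}

foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.Password)) {
        Write-Warning "Skipping '$($row.Name)': empty password in CSV"
        continue
    }
    # Passing $row.Password directly is the failing script's mistake: it is a [string],
    # not a [SecureString]. ConvertTo-SecureString needs -AsPlainText together with -Force.
    $secure = ConvertTo-SecureString -String $row.Password -AsPlainText -Force
    try {
        New-ADUser -Name $row.Name -Enabled $true -AccountPassword $secure `
                   -ChangePasswordAtLogon $true -ErrorAction Stop
        Write-Host "Created $($row.Name)"
    }
    catch {
        Write-Warning "Failed to create '$($row.Name)': $($_.Exception.Message)"
    }
}

# The CSV holds plain-text passwords; remove it once the accounts exist.
Remove-Item -Path $csvPath -Force
```

-ChangePasswordAtLogon forces each user to replace the CSV-supplied password at first logon, which limits how long the value that was sitting in a text file stays valid.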












Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2.


You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.


What should you do?



Run dcgpofix.exe /target:dc.


Run dcgpofix.exe /target:domain.


Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.


Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.


Correct Answer: A




Dcgpofix Recreates the default Group Policy Objects (GPOs) for a domain.



DCGPOFix [/ignoreschema] [/target: {Domain | DC | Both}] [/?]


/ignoreschema Ignores the version of the Active Directory schema when you run this command. Otherwise, the command only works on the same schema version as the Windows version in which the command was shipped.


/target {Domain | DC | Both} Specifies which GPO to restore. You can restore the Default Domain Policy GPO, the Default Domain Controllers GPO, or both.



Restore the Default Domain Controllers Policy GPO to its original state. You will lose any changes that you have made to this GPO.

dcgpofix /ignoreschema /target:DC




Your network contains an Active Directory domain that has two sites.


You need to identify whether logon scripts are replicated to all domain controllers.


Which folder should you verify?











Correct Answer: D



SYSVOL is a collection of folders that contain a copy of the domain’s public files, including system policies, logon scripts, and important elements of Group Policy objects (GPOs).
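Verifying that the scripts folder really is the same on every domain controller can be scripted; the following is an added example, not code from the page, that hashes every file under \\<DC>\SYSVOL\<domain>\scripts on each DC and reports files that are missing or differ from a reference DC. It assumes the ActiveDirectory module and read access to each DC's SYSVOL share; DC names and the domain name are discovered at run time.

```powershell
# Added example: compare the logon-script folder in SYSVOL on every domain controller.
# Assumptions: ActiveDirectory module available and read access to each DC's SYSVOL share.
# DC names and the domain are discovered at run time, not hard-coded.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Build, per DC, a map of relative path -> SHA-256 hash for every file under \scripts.
$inventory = @{}
foreach ($dc in $dcs) {
    $scripts = "\\$dc\SYSVOL\$domain\scripts"
    if (-not (Test-Path -Path $scripts)) {
        Write-Warning "${dc}: $scripts is not reachable"
        continue
    }
    $map = @{}
    Get-ChildItem -Path $scripts -File -Recurse | ForEach-Object {
        $relative = $_.FullName.Substring($scripts.Length).TrimStart('\')
        $map[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    $inventory[$dc] = $map
}

if ($inventory.Count -lt 2) {
    Write-Warning 'Fewer than two DCs answered; nothing to compare'
    return
}

# Take the first DC (alphabetically) as the reference and report files that are missing or differ elsewhere.
$reference  = @($inventory.Keys) | Sort-Object | Select-Object -First 1
$refMap     = $inventory[$reference]
$consistent = $true
foreach ($dc in @($inventory.Keys) | Where-Object { $_ -ne $reference }) {
    $map = $inventory[$dc]
    $allFiles = @($refMap.Keys) + @($map.Keys) | Sort-Object -Unique
    foreach ($file in $allFiles) {
        # A file missing on one side shows up as $null on that side and is reported as a difference.
        if ($refMap[$file] -ne $map[$file]) {
            $consistent = $false
            Write-Host ("{0}: '{1}' differs from {2} (ref={3}; this={4})" -f $dc, $file, $reference, $refMap[$file], $map[$file])
        }
    }
}
if ($consistent) { Write-Host "Logon scripts are identical on all $($inventory.Count) DCs" }
```

A DC that is unreachable is reported and left out of the comparison rather than treated as empty, so a WAN outage does not masquerade as a replication problem.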





Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.


You plan to install a new read-only domain controller (RODC) that runs Windows Server 2008 R2.


You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.


Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)



At the command prompt, run adprep.exe /rodcprep.


At the command prompt, run adprep.exe /forestprep.


At the command prompt, run adprep.exe /domainprep.


From Active Directory Domains and Trusts, raise the functional level of the domain.


From Active Directory Users and Computers, pre-stage the RODC computer account.


Correct Answer: BC



QUESTION 278

Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.


You discover that the cached password for a user named User1 is compromised on the RODC.


On a domain controller in Site1, you change the password for User1.


You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.


Which tool should you use?



Active Directory Sites and Services


Active Directory Users and Computers






Correct Answer: C




Repadmin /rodcpwdrepl

Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).



The following example triggers replication of the passwords for the user account named JaneOh from the source domain controller named source-dc01 to all RODCs that have the name prefix dest-rodc:


repadmin /rodcpwdrepl dest-rodc* source-dc01 cn=JaneOh,ou=execs,dc=contoso,dc=com




Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC).


A user from the branch office reports that his account is locked out.


From a writable domain controller in the main office, you discover that the user’s account is not locked out. You need to ensure that the user can log on to the domain.


What should you do?



Modify the Password Replication Policy.


Reset the password of the user account.


Run the Knowledge Consistency Checker (KCC) on the RODC.


Restore network communication between the branch office and the main office.


Correct Answer: D


Not sure if:

Run the Knowledge Consistency Checker (KCC) on the RODC.


Restore network communication between the branch office and the main office.




Your company has a main office and a branch office.


The network contains an Active Directory forest. The forest contains three domains. The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, a DHCP server, and a file server.


You remove the global catalog from DC5.


You need to reduce the size of the Active Directory database on DC5.


The solution must minimize the impact on all users in the branch office.


What should you do first?



Start DC5 in Safe Mode.


Start DC5 in Directory Services Restore Mode.


On DC5, start the Protected Storage service.


On DC5, stop the Active Directory Domain Services service.


Correct Answer: D


http://allcomputers.us/windows_server/windows-server-2008-r2-manage-the-active-directory-database-%28part-2%29-defragment-the-directory-database-audit-active-directory-service.aspx

Windows Server 2008 R2 : Manage the Active Directory Database (part 2) – Defragment the Directory Database & Audit Active Directory Service

3. Defragment the Directory Database

A directory database gets fragmented as you add, change, and delete objects to your database. Like any file system-based storage, as the directory database is changed and updated, fragments of disk space will build up so it needs to be defragmented on a routine basis to maintain optimal operation. By default, Active Directory performs an online defragmentation of the directory database every 12 hours with the garbage collection process, an automated directory database cleanup, and IT pros should be familiar with it. However, online defragmentation does not decrease the size of the NTDS.DIT database file. Instead, it shuffles the data around for easier access. Depending on how much fragmentation you actually have in the database, running an offline defragmentation–which does decrease the size of the database–could have a significant effect on the overall size of your NTDS.DIT database file. There is a little problem associated with defragmenting databases. They have to be taken offline in order to have the fragments removed and the database resized. In Windows Server 2008 R2, there is a great feature that allows you to take the database offline without shutting down the server. It’s called Restartable Active Directory, and it could not be much easier to stop and start your directory database than this. Figure 4 shows the Services tool and how you can use it to stop the Active Directory service.


1. Start the Services tool from the Control Panel.

2. Right-click Active Directory Domain Services, and select Stop.




Figure 4. You can use the Services tool to stop and restart Active Directory.

That’s it! Now when you stop Active Directory Domain Services, any other dependent services will also be stopped. Keep in mind that while the services are stopped, they cannot fulfill their assigned role in your network. The really cool thing about Restartable AD is that while the directory services and its dependent services are stopped, other services on the local machine are not. So, perhaps you have a shared printer running on your DC. Print services still run, and print operations do not stop. Nice!


3.1. Offline Directory Defragmentation

Now that you have stopped Active Directory services, it is time to get down to the business of offline defragmentation of the directory database:

1. Back up the database.

2. Open a command prompt, and type NTDSUTIL.


4. Type FILES, and press Enter.

5. Type INFO, and press Enter. This will tell you the current location of the directory database, its size, and the size of the associated log files. Write all this down.

6. Make a folder location that has enough drive space for the directory to be stored.

7. Type COMPACT TO DRIVE:DIRECTORY, and press Enter. The drive and directory are the locations you set up in step 5. If the drive path contains spaces, put the whole path in quotation marks, as in "C:\database defrag". A new defragmented and compacted NTDS.DIT is created in the folder you specified.

8. Type QUIT, and press Enter.

9. Type QUIT again, and press Enter to return to the command prompt.

10. If defragmentation succeeds without errors, follow the NTDSUTIL prompts.

11. Delete all log files by typing DEL x:\pathtologfiles\*.log where x is the drive letter of your drive.

12. Overwrite the old NTDS.DIT file with the new one. Remember, you wrote down its location in step 4.

13. Close the command prompt.

14. Open the Services tool, and start Active Directory Domain Services.

14.Open the Services tool, and start Active Directory Domain Services.

Defragmenting your directory database using the offline NTDSUTIL process can significantly reduce the size of your database depending on how long it has been since your last offline defrag. The hard thing about offline defrag is that every network is different, so making recommendations about how often to use the offline defrag process is somewhat spurious. I recommend you get to know your directory database. Monitor its size and growth. When you think it is appropriate to defragment offline, then do it. A pattern will emerge for you, and you will find yourself using offline defragmentation on a frequency that works well for your network and your directory database. One of the cool things about offline defragmentation is that if you should happen to have an error occur during the defragmentation process, you still have your original NTDS.DIT database in place and can continue using it with no problems until you can isolate and fix any issues.
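The steps above can be driven from PowerShell, since ntdsutil accepts its menu commands as arguments. The following is an added example (not from the page or the quoted article): it stops AD DS, compacts the database to a scratch folder, swaps the compacted file in, runs an integrity check and restarts the service. It reads the database and log locations from the NTDS registry parameters instead of copying them down by hand, and it includes the "activate instance ntds" command that Windows Server 2008 and later require before the FILES menu, which the steps above do not list. $CompactDir is a hypothetical path; take a system state backup first and run the script elevated on the DC.

```powershell
# Added example: a scripted version of the offline defragmentation steps above.
# Assumptions: run elevated on the DC after a system state backup; $CompactDir is a
# hypothetical scratch folder on a drive with enough free space and no spaces in its path.
param(
    [string]$CompactDir = 'D:\NtdsCompact'
)

# Where NTDS.DIT and its logs live (the same values that "files" / "info" prints).
$ntds   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile = $ntds.'DSA Database file'
$logDir = $ntds.'Database log files path'
New-Item -ItemType Directory -Path $CompactDir -Force | Out-Null

# Restartable AD DS: stop the directory service; -Force also stops dependent services.
Stop-Service -Name NTDS -Force

try {
    # ntdsutil takes its menu commands as arguments. "activate instance ntds" is required
    # on Windows Server 2008 and later before the FILES menu works (added here; not in the page's steps).
    & ntdsutil.exe 'activate instance ntds' 'files' "compact to $CompactDir" 'quit' 'quit' 2>&1 | Write-Host

    $newDb = Join-Path -Path $CompactDir -ChildPath 'ntds.dit'
    if (-not (Test-Path -Path $newDb)) {
        throw 'Compaction produced no ntds.dit; the original database is untouched'
    }

    # Steps 11 and 12: remove the old log files, keep a copy of the old database, swap in the new one.
    Get-ChildItem -Path $logDir -Filter '*.log' | Remove-Item -Force
    Copy-Item -Path $dbFile -Destination "$dbFile.pre-compact" -Force
    Copy-Item -Path $newDb -Destination $dbFile -Force

    # Integrity check on the swapped-in database before the service comes back (the "follow the prompts" step).
    & ntdsutil.exe 'activate instance ntds' 'files' 'integrity' 'quit' 'quit' 2>&1 | Write-Host
}
finally {
    # Step 14: bring AD DS back, then restart whatever -Force stopped along with it.
    Start-Service -Name NTDS
    Get-Service -Name NTDS -DependentServices | Where-Object { $_.Status -eq 'Stopped' } | Start-Service
}
```

The try/finally guarantees that AD DS is started again even when compaction or the file swap throws, which matches the article's point that a failed offline defrag leaves the original NTDS.DIT usable; the .pre-compact copy keeps that escape route after the swap as well.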

