[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 31-40



Your company purchases a new application to deploy on 200 computers. The application requires that you modify the registry on each target computer before you install the application.


The registry modifications are in a file that has an .adm extension.


You need to prepare the target computers for the application.


What should you do?


Import the .adm file into a new Group Policy Object (GPO). Edit the GPO and link it to an organizational unit that contains the target computers.


Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRUsr CONTAINER-DN command on each target computer.


Create a Microsoft Windows PowerShell script to copy the .adm file to the startup folder of each target computer.


Create a Microsoft Windows PowerShell script to copy the .adm file to each computer. Run the REDIRCmp CONTAINER-DN command on each target computer.


Correct Answer: A



Adding New Administrative Templates to a GPO

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in a GPO, please follow the next steps:

1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Start menu, or by typing gpmc.msc in the Run command.

2. Right-click an existing GPO (or create a new GPO, then right-click on it) and select Edit.




Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller.


You disable an account that has administrative rights.


You need to immediately replicate the disabled account information to all sites.


What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)



From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers.


From the Active Directory Sites and Services console, select the existing connection objects and force replication.


Use Repadmin.exe to force replication between the site connection objects.


Use Dsmod.exe to configure all domain controllers as global catalog servers.


Correct Answer: BC



Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners.


How to force replication of Domain Controllers

From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or just a good tool to check the status of replication between DC’s.

Below is a command to replicate from a specified DC to all other DC’s.

Repadmin /syncall DC_name /APed

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding.

If I am running it on the DC itself, I don’t even have to specify the server name.


Force replication over a connection

To force replication over a connection

1. Open Active Directory Sites and Services.






You create 200 new user accounts. The users are located in six different sites. New users report that they receive the following error message when they try to log on: “The username or password is incorrect.” You confirm that the user accounts exist and are enabled. You also confirm that the user name and password information supplied are correct.


You need to identify the cause of the failure. You also need to ensure that the new users are able to log on.


Which utility should you run?



Active Directory Domains and Trusts








Correct Answer: B


Repadmin allows us to check the replication status and also allows us to force a replication between domain controllers.





Repadmin /replsummary


Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.


Repadmin /showrepl


Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.


Repadmin /syncall Synchronizes a specified domain controller with all replication partners.
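The check that follows a forced sync, as an added example (not part of the original page): it reads `repadmin /showrepl * /csv` output and lists every replication link that is failing or has not synced since a security-relevant change such as disabling an account. The sample rows, DC names, `example.test` domain, timestamp format and function name are constructed assumptions.

```powershell
# Constructed sample in the layout of `repadmin /showrepl * /csv` (not real output).
# On a live DC, after pushing the change with `repadmin /syncall DC_name /APed`,
# use instead:  $lines = repadmin /showrepl * /csv
$lines = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Main,DC1,"DC=example,DC=test",Branch1,DC2,RPC,0,0,2016-02-01 10:15:02,0
showrepl_INFO,Branch1,DC2,"DC=example,DC=test",Main,DC1,RPC,0,0,2016-02-01 10:15:04,0
showrepl_INFO,Branch2,DC3,"DC=example,DC=test",Main,DC1,RPC,4,2016-02-01 10:14:40,2016-02-01 08:01:13,1722
showrepl_INFO,Branch3,DC4,"DC=example,DC=test",Main,DC1,RPC,0,0,2016-02-01 09:47:51,0
'@ -split "`r?`n"

# Hypothetical helper: returns one object per inbound link that cannot yet be
# trusted to carry a change made at $ChangeTime.
function Get-LaggingReplicationLink {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvLines,
        [Parameter(Mandatory = $true)] [datetime] $ChangeTime
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $reason = $null
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Anything other than an INFO row means the DC could not be queried.
            $reason = 'domain controller could not be queried'
        }
        else {
            $lastOk = [datetime]::MinValue
            # A value of "0" (never succeeded) fails to parse and is treated as stale.
            $parsed = [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)
            if ([int]$row.'Number of Failures' -gt 0) {
                $reason = "failing, last status $($row.'Last Failure Status')"
            }
            elseif (-not $parsed -or $lastOk -lt $ChangeTime) {
                $reason = 'no successful inbound sync since the change'
            }
        }
        if ($reason) {
            $row | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                @{ Name = 'Reason'; Expression = { $reason } }
        }
    }
}

# Constructed time at which the administrative account was disabled.
$changeTime = [datetime]'2016-02-01 10:14:00'
Get-LaggingReplicationLink -CsvLines $lines -ChangeTime $changeTime |
    Format-Table -AutoSize
```

With the sample rows, DC3 is reported because its link is failing and DC4 because its last successful sync predates the change; until both clear, the disabled account may still be usable at those sites.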



Your network consists of a single Active Directory domain. You have a domain controller and a member server that run Windows Server 2008 R2. Both servers are configured as DNS servers. Client computers run either Windows XP Service Pack 3 or Windows 7.


You have a standard primary zone on the domain controller. The member server hosts a secondary copy of the zone.


You need to ensure that only authenticated users are allowed to update host (A) records in the DNS zone.


What should you do first?



On the member server, add a conditional forwarder.


On the member server, install Active Directory Domain Services.


Add all computer accounts to the DNS UpdateProxy group.


Convert the standard primary zone to an Active Directory-integrated zone.


Correct Answer: D



Understanding Active Directory Domain Services Integration

The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.

How DNS integrates with AD DS

When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.

Benefits of AD DS integration

For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:

DNS features multimaster data replication and enhanced security based on the capabilities of AD DS.

In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.

Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.

By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.

Directory-integrated replication is faster and more efficient than standard DNS replication.
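The follow-through on the answer above, as an added example (not part of the original page): converting the zone is only the first step, and the zone's dynamic-update mode must then be set to secure-only. The server name `dc1` and zone name `example.test` are placeholders, not values from the page.

```powershell
# Placeholders (assumptions): the domain controller hosting the zone, and the zone.
$dnsServer = 'dc1'
$zone      = 'example.test'

# 1. Move the standard primary zone from its local file into AD DS.
#    Secure dynamic update is only available once the zone is directory-integrated.
dnscmd $dnsServer /ZoneResetType $zone /DsPrimary
if ($LASTEXITCODE -ne 0) {
    throw "Zone conversion failed; dynamic-update mode left unchanged."
}

# 2. Set the dynamic-update mode.
#    0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
#    Weak setting (any client can register or overwrite A records):
#        dnscmd $dnsServer /Config $zone /AllowUpdate 1
#    Hardened setting (only authenticated clients can update):
dnscmd $dnsServer /Config $zone /AllowUpdate 2
if ($LASTEXITCODE -ne 0) {
    throw "Could not set secure-only dynamic updates on $zone."
}

# 3. Read the value back so the change is verified rather than assumed.
dnscmd $dnsServer /ZoneInfo $zone AllowUpdate
```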




Contoso, Ltd. has an Active Directory domain named ad.contoso.com. Fabrikam, Inc. has an Active Directory domain named intranet.fabrikam.com. Fabrikam’s security policy prohibits the transfer of internal DNS zone data outside the Fabrikam network.


You need to ensure that the Contoso users are able to resolve names from the intranet.fabrikam.com domain.


What should you do?



Create a new stub zone for the intranet.fabrikam.com domain.


Configure conditional forwarding for the intranet.fabrikam.com domain.


Create a standard secondary zone for the intranet.fabrikam.com domain.


Create an Active Directory-integrated zone for the intranet.fabrikam.com domain.


Correct Answer: B



Understanding Forwarders

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.

The following figure illustrates how external name queries are directed with forwarders.




Conditional forwarders

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Further information:


Assign a Conditional Forwarder for a Domain Name


Configure a DNS Server to Use Forwarders




Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain.


You need to register the SRV records.


Which command should you run on the new domain controller?



Run the netsh interface reset command.


Run the ipconfig /flushdns command.


Run the dnscmd /EnlistDirectoryPartition command.


Run the sc stop netlogon command followed by the sc start netlogon command.


Correct Answer: D


MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller’s SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.




Your company has a DNS server that has 10 Active Directory integrated zones.


You need to provide copies of the zone files of the DNS server to the security department.


What should you do?



Run the dnscmd /ZoneInfo command.


Run the ipconfig /registerdns command.


Run the dnscmd /ZoneExport command.


Run the ntdsutil > Partition Management > List commands.


Correct Answer: C



DNS Zone Export

In Non-AD Integrated DNS Zones

DNS zone file information is stored by default in the %systemroot%\windows\system32\dns folder. When the DNS Server service starts it loads zones from these files. This behavior is limited to any primary and secondary zones that are not AD integrated. The files will be named as <ZoneFQDN>.dns.




In AD Integrated DNS Zones

AD-integrated zones are stored in the directory, so they do not have corresponding zone files, i.e. they are not stored as .dns files. This makes sense because the zones are stored in, and loaded from, the directory. It is therefore important to take a backup of these AD-integrated zones before making any changes to the DNS infrastructure. Dnscmd.exe can be used to export the zone to a file. The syntax of the command is:

DnsCmd <ServerName> /ZoneExport <ZoneName> <ZoneExportFile>

<ZoneName> -- FQDN of zone to export

/Cache to export cache

As an example, let’s say we have an AD integrated zone named habib.local, our DC is server1. The command to export the file would be:

Dnscmd server1 /ZoneExport habib.local habib.local.bak





You can refer to a complete article on DNSCMD on the Microsoft TechNet website: http://technet.microsoft.com/en-us/library/cc772069(v=ws.10).aspx




Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.


You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.


What tool should you use?



Active Directory Users and Computers snap-in




Local Users and Groups snap-in



Correct Answer: B




Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled. This tool is intended for use by experienced administrators.


Commands:

set DSRM password – Resets the Directory Services Restore Mode (DSRM) administrator password.

Further information:


Set DSRM password

Resets the Directory Services Restore Mode (DSRM) password on a domain controller. At the Reset DSRM Administrator Password: prompt, type any of the parameters listed under “Syntax.”

This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed.

Dsmgmt is available if you have the AD LDS server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).




Your company has an Active Directory forest. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7. The domain uses a set of GPO administrative templates that have been approved to support regulatory compliance requirements.


Your partner company has an Active Directory forest that contains a single domain. The company has servers that run Windows Server 2008 R2 and client computers that run Windows 7.


You need to configure your partner company’s domain to use the approved set of administrative templates.


What should you do?



Use the Group Policy Management Console (GPMC) utility to back up the GPO to a file. In each site, import the GPO to the default domain policy.


Copy the ADMX files from your company’s PDC emulator to the PolicyDefinitions folder on the partner company’s PDC emulator.


Copy the ADML files from your company’s PDC emulator to the PolicyDefinitions folder on the partner company’s PDC emulator.


Download the conf.adm, system.adm, wuau.adm, and inetres.adm files from the Microsoft Updates Web site. Copy the ADM files to the PolicyDefinitions folder on the partner company’s emulator.


Correct Answer: B



How to create the Central Store for Group Policy Administrative Template files in Windows Vista

Windows Vista uses a new format to display registry-based policy settings. These registry-based policy settings appear under Administrative Templates in the Group Policy Object Editor. In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension. The .admx file format replaces the legacy .adm file format. The .adm file format uses a proprietary markup language.

In Windows Vista, Administrative Template files are divided into .admx files and language-specific .adml files that are available to Group Policy administrators.


Administrative Template file storage

In earlier operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on a domain controller. The GPOs are stored in the SYSVOL folder. The SYSVOL folder is automatically replicated to other domain controllers in the same domain. A policy file uses approximately 2 megabytes (MB) of hard disk space. Because each domain controller stores a distinct version of a policy, replication traffic is increased.

Windows Vista uses a Central Store to store Administrative Template files. In Windows Vista, the ADM folder is not created in a GPO as in earlier versions of Windows. Therefore, domain controllers do not store or replicate redundant copies of .adm files.

The Central Store

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller. The Central Store is a file location that is checked by the Group Policy tools. The Group Policy tools use any .admx files that are in the Central Store. The files that are in the Central Store are later replicated to all domain controllers in the domain.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:


Note: FQDN is a fully qualified domain name.



How can I export local Group Policy settings made in gpedit.msc?

Mark Heitbrink, MVP for Group Policy, came up with a good solution on how you can “export” the Group Policy and Security settings you made on a machine with the Local Group Policy Editor (gpedit.msc) to other machines pretty easily:

Normal settings can be copied like this:

1.) Open %systemroot%\system32\grouppolicy

Within this folder, there are two folders – “machine” and “user”. Copy these two folders to the “%systemroot%\system32\grouppolicy” folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.

Note: If you cannot see the “grouppolicy” folder on either the source or the target machine, be sure to have your explorer folder options set to “Show hidden files and folders”…

For security settings:

1.) Open MMC and add the Snapin “Security Templates”

2.) Create your own customized template and save it as an “*.inf” file.

3.) Copy the file to the target machine and import it via command line tool “secedit”:

secedit /configure /db %temp%\temp.sdb /cfg yourcreated.inf

Further information on secedit can be found here: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/secedit_cmds.mspx?mfr=true

If you’re building custom installations, you can pretty easily script the “overwriting” of the “machine”/“user” folders or the import via secedit by copying these files to a share and then copying and executing them with a script.




You need to validate whether Active Directory successfully replicated between two domain controllers. What should you do?



Run the DSget command.


Run the Dsquery command.


Run the RepAdmin command.


Run the Windows System Resource Manager.


Correct Answer: C



You can use the repadmin /showrepl command to verify successful replication to a specific domain controller.

