[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 61-70

QUESTION 61

Your network consists of an Active Directory forest that contains two domains. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS Servers.

You have a standard primary zone for dev.contoso.com that is stored on a member server.

You need to ensure that all domain controllers can resolve names from the dev.contoso.com zone.

What should you do?

A. On the member server, create a stub zone.

B. On the member server, create a NS record for each domain controller.

C. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the forest.

D. On one domain controller, create a conditional forwarder. Configure the conditional forwarder to replicate to all DNS servers in the domain.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc730756.aspx

Understanding Forwarders

A forwarder is a Domain Name System (DNS) server on a network that forwards DNS queries for external DNS names to DNS servers outside that network. You can also forward queries according to specific domain names using conditional forwarders. You designate a DNS server on a network as a forwarder by configuring the other DNS servers in the network to forward the queries that they cannot resolve locally to that DNS server. By using a forwarder, you can manage name resolution for names outside your network, such as names on the Internet, and improve the efficiency of name resolution for the computers in your network.

The following figure illustrates how external name queries are directed with forwarders.

 


Conditional forwarders

A conditional forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the query. For example, you can configure a DNS server to forward all the queries that it receives for names ending with corp.contoso.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Further information:

http://technet.microsoft.com/en-us/library/cc794735%28v=ws.10%29.aspx

Assign a Conditional Forwarder for a Domain Name

http://technet.microsoft.com/en-us/library/cc754941.aspx

Configure a DNS Server to Use Forwarders

 

 

QUESTION 62

Your company hires 10 new employees.

You want the new employees to connect to the main office through a VPN connection.

You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office.

The new employees are unable to access shared resources in the main office.

You need to ensure that users are able to establish a VPN connection to the main office.

What should you do?

A. Grant the new employees the Allow Access Dial-in permission.

B. Grant the new employees the Allow Full control permission.

C. Add the new employees to the Remote Desktop Users security group.

D. Add the new employees to the Windows Authorization Access security group.

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc738142%28v=ws.10%29.aspx

Dial-in properties of a user account

The dial-in properties for a user account are:

Remote Access Permission (Dial-in or VPN)

You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt.

 

 

QUESTION 63

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008.

You need to configure the Active Directory environment to support the application of multiple password policies.

What should you do?

A. Raise the functional level of the domain to Windows Server 2008.

B. On one domain controller, run dcpromo /adv.

C. Create multiple Active Directory sites.

D. On all domain controllers, run dcpromo /adv.

Correct Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server® 2008 domains.

In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain’s Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.

Requirements and special considerations for fine-grained password and account lockout policies.

Domain functional level: The domain functional level must be set to Windows Server 2008 or higher.
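
The functional-level requirement above can be checked, and the existing password settings objects (PSOs) listed, from PowerShell. This is an added example, not part of the original guide; it assumes a domain-joined Windows host and an account that is allowed to read the Password Settings Container, and it uses ADSI so that it does not depend on the ActiveDirectory module.

```powershell
# Added example (not from the original guide): check the fine-grained password
# policy prerequisite and list the PSOs that already exist in the domain.

function Get-DomainFunctionalLevel {
    # msDS-Behavior-Version on the domain head holds the domain functional level:
    # 0 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008, 4 = 2008 R2.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDN = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
    $domain   = [ADSI]"LDAP://$domainDN"
    New-Object PSObject -Property @{
        DomainDN = $domainDN
        Level    = [int]$domain.psbase.Properties['msDS-Behavior-Version'].Value
    }
}

function Get-PasswordSettingsObject {
    param([Parameter(Mandatory = $true)][string]$DomainDN)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$DomainDN"
    $searcher.Filter     = '(objectClass=msDS-PasswordSettings)'
    $searcher.PageSize   = 200

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $p = $result.Properties   # attribute names are lower-case in search results
            New-Object PSObject -Property @{
                Name             = @($p['name'])[0]
                Precedence       = @($p['msds-passwordsettingsprecedence'])[0]
                MinLength        = @($p['msds-minimumpasswordlength'])[0]
                LockoutThreshold = @($p['msds-lockoutthreshold'])[0]
                # Users and global security groups the PSO is linked to.
                AppliesTo        = @($p['msds-psoappliesto']) -join '; '
            }
        }
    } finally {
        $results.Dispose()
    }
}

$state = Get-DomainFunctionalLevel
if ($state.Level -lt 3) {
    Write-Warning "Domain functional level is $($state.Level); fine-grained password policies need Windows Server 2008 (3) or higher."
} else {
    # Lowest precedence number wins when several PSOs apply to the same user.
    Get-PasswordSettingsObject -DomainDN $state.DomainDN |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinLength, LockoutThreshold, AppliesTo |
        Format-Table -AutoSize
}
```

An empty result with no warning means the domain meets the requirement but still relies only on the Default Domain Policy.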

 

 

 

QUESTION 64

Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales.

The Sales organizational unit contains all users and computers of the sales department.

You need to install an Office 2007 application only on the computers in the Sales organizational unit.

You create a GPO named SalesApp GPO.

What should you do next?

A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.

B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain.

C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.

Correct Answer: A

 

 

QUESTION 65

Your network consists of an Active Directory forest that contains one domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have two Active Directory-integrated zones: contoso.com and nwtraders.com.

You need to ensure a user is able to modify records in the contoso.com zone. You must prevent the user from modifying the SOA record in the nwtraders.com zone.

What should you do?

A. From the Active Directory Users and Computers console, run the Delegation of Control Wizard.

B. From the Active Directory Users and Computers console, modify the permissions of the Domain Controllers organizational unit (OU).

C. From the DNS Manager console, modify the permissions of the contoso.com zone.

D. From the DNS Manager console, modify the permissions of the nwtraders.com zone.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc753213.aspx

Modify Security for a Directory-Integrated Zone

You can manage the discretionary access control list (DACL) on the DNS zones that are stored in Active Directory Domain Services (AD DS). You can use the DACL to control the permissions for the Active Directory users and groups that may control the DNS zones.

 

Membership in DnsAdmins or Domain Admins in AD DS, or the equivalent, is the minimum required to complete this procedure.

To modify security for a directory-integrated zone:

1. Open DNS Manager.

2. In the console tree, click the applicable zone.

Where?

DNS/applicable DNS server/Forward Lookup Zones (or Reverse Lookup Zones)/applicable zone

3. On the Action menu, click Properties.

4. On the General tab, verify that the zone type is Active Directory-integrated.

5. On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable zone and reset their permissions as needed.
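
To review the outcome of the procedure above, the DACL of each directory-integrated zone can be read back and filtered for rights that allow changes. This is an added example, not part of the TechNet procedure; it assumes the zones are stored as dnsZone objects in partitions listed by RootDSE, and the two zone names from the question are used as sample input.

```powershell
# Added example (not from the TechNet article): list the trustees that hold
# change-type rights on an Active Directory-integrated DNS zone.

# Individual rights that allow changing zone data or its security descriptor.
# Composite rights such as GenericAll contain these bits, so a bitwise test
# catches them too. Read-only bits are deliberately left out of the mask.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'

function Get-DnsZoneWriteAccess {
    param([Parameter(Mandatory = $true)][string]$ZoneName)

    # The name is placed in an LDAP filter, so accept plain DNS names only.
    if ($ZoneName -notmatch '^[A-Za-z0-9._-]+$') {
        throw "Unexpected characters in zone name '$ZoneName'."
    }

    $rootDse = [ADSI]'LDAP://RootDSE'
    foreach ($nc in $rootDse.psbase.Properties['namingContexts']) {
        try {
            $searcher = New-Object System.DirectoryServices.DirectorySearcher
            $searcher.SearchRoot = [ADSI]"LDAP://$nc"
            $searcher.Filter     = "(&(objectClass=dnsZone)(name=$ZoneName))"

            foreach ($hit in $searcher.FindAll()) {
                $zone  = $hit.GetDirectoryEntry()
                # Explicit and inherited rules, trustees translated to account names.
                $rules = $zone.psbase.ObjectSecurity.GetAccessRules(
                    $true, $true, [System.Security.Principal.NTAccount])

                foreach ($rule in $rules) {
                    if ($rule.AccessControlType -ne 'Allow') { continue }
                    if (([int]$rule.ActiveDirectoryRights -band [int]$WriteMask) -eq 0) { continue }
                    New-Object PSObject -Property @{
                        Zone      = $ZoneName
                        Partition = [string]$nc
                        Trustee   = $rule.IdentityReference.Value
                        Rights    = $rule.ActiveDirectoryRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        } catch {
            # Partition not reachable from this host; skip it and keep going.
            Write-Verbose "Skipped ${nc}: $($_.Exception.Message)"
        }
    }
}

# Sample input: the two zones named in the question.
'contoso.com', 'nwtraders.com' |
    ForEach-Object { Get-DnsZoneWriteAccess -ZoneName $_ } |
    Sort-Object Zone, Trustee |
    Format-Table Zone, Trustee, Rights, Inherited -AutoSize
```

The delegated user should appear only in the rows for contoso.com; a row for that user under nwtraders.com means the permission was granted on the wrong zone or too high in the tree.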

Further information:

http://support.microsoft.com/kb/163971

The Structure of a DNS SOA Record

The first resource record in any Domain Name System (DNS) Zone file should be a Start of Authority (SOA) resource record. The SOA resource record indicates that this DNS name server is the best source of information for the data within this DNS domain.

The SOA resource record contains the following information:

Source host – The host where the file was created.

Contact e-mail – The e-mail address of the person responsible for administering the domain’s zone file. Note that a “.” is used instead of an “@” in the e-mail name.

Serial number – The revision number of this zone file. Increment this number each time the zone file is changed. It is important to increment this value each time a change is made, so that the changes will be distributed to any secondary DNS servers.

Refresh Time – The time, in seconds, a secondary DNS server waits before querying the primary DNS server’s SOA record to check for changes. When the refresh time expires, the secondary DNS server requests a copy of the current SOA record from the primary. The primary DNS server complies with this request. The secondary DNS server compares the serial number of the primary DNS server’s current SOA record and the serial number in its own SOA record. If they are different, the secondary DNS server will request a zone transfer from the primary DNS server. The default value is 3,600.

Retry time – The time, in seconds, a secondary server waits before retrying a failed zone transfer. Normally, the retry time is less than the refresh time. The default value is 600.

Expire time – The time, in seconds, that a secondary server will keep trying to complete a zone transfer. If this time expires prior to a successful zone transfer, the secondary server will expire its zone file. This means the secondary will stop answering queries, as it considers its data too old to be reliable. The default value is 86,400.

Minimum TTL – The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.

http://technet.microsoft.com/en-us/library/cc787600%28v=ws.10%29.aspx

Modify the start of authority (SOA) record for a zone

 

Notes: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

 

 

QUESTION 66

Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Run the adprep /domainprep command.

B. Raise the forest functional level to Windows Server 2008.

C. Raise the domain functional level to Windows Server 2008.

D. Run the adprep /forestprep command.

Correct Answer: AD

Explanation:

http://www.petri.co.il/prepare-for-server-2008-r2-domain-controller.htm

Prepare your Domain for the Windows Server 2008 R2 Domain Controller

Before installing the first Windows Server 2008 R2 domain controller (DC) into an existing Windows 2000, Windows Server 2003 or Windows Server 2008 domain, you must prepare the AD forest and domain. You do so by running a tool called ADPREP. ADPREP extends the Active Directory schema and updates permissions as necessary to prepare a forest and domain for a domain controller that runs the Windows Server 2008 R2 operating system.

Note: You may remember that ADPREP was used on previous operating systems such as Windows Server 2003, Windows Server 2003 R2 and Windows Server 2008. This article focuses on Windows Server 2008 R2.

What does ADPREP do?

ADPREP has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs Windows Server 2008 R2. Not all versions of ADPREP perform the same operations, but generally the different types of operations that ADPREP can perform include the following:

Updating the Active Directory schema

Updating security descriptors

Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder

Creating new objects, as needed

Creating new containers, as needed

To prepare the forest and domain for the installation of the first Windows Server 2008 R2 domain controller please perform these tasks:

Lamer note: The following tasks are required ONLY before adding the first Windows Server 2008 R2 domain controller. If you plan on simply joining a Windows Server 2008 R2 Server to the domain and configuring as a regular member server, none of the following tasks are required.

Another lamer note: Please make sure you read the system requirements for Windows Server 2008 R2. For example, you cannot join a Windows Server 2008 R2 server to a Windows NT 4.0 domain, nor can it participate as a domain controller in a mixed domain. If any domain controllers in the forest are running Windows 2000 Server, they must be running Service Pack 4 (SP4).

First, you should review and understand the schema updates and other changes that ADPREP makes as part of the schema management process in Active Directory Domain Services (AD DS). You should test the ADPREP schema updates in a lab environment to ensure that they will not conflict with any applications that run in your environment.

You must make a system state backup for your domain controllers, including the schema master and at least one other domain controller from each domain in the forest (you do have backups, don’t you?). Also, make sure that you can log on to the schema master with an account that has sufficient credentials to run adprep /forestprep. You must be a member of the Schema Admins group, the Enterprise Admins group, and the Domain Admins group of the domain that hosts the schema master, which is, by default, the forest root domain. Next, insert the Windows Server 2008 R2 DVD media into your DVD drive. Note that if you do not have the media handy, you may use the evaluation version that is available to download from Microsoft’s website.

If you only have the ISO file and do not want to or cannot actually burn it to a physical DVD media, you can mount it by using a virtual ISO mounting tool such as MagicIso (can Convert BIN to ISO, Create, Edit, Burn, Extract ISO file, ISO/BIN converter/extractor/editor).

Browse to the X:\support\adprep folder, where X: is the drive letter of your DVD drive. Find a file called adprep.exe or adprep32.exe.

Note: Unlike in Windows Server 2008 where you had to use either the 32-bit or 64-bit installation media to get the right version of ADPREP, Windows Server 2008 R2 ADPREP is available in a 32-bit version and a 64-bit version. The 64-bit version runs by default. If you need to run ADPREP on a 32-bit computer, run the 32-bit version (adprep32.exe).


To perform this procedure, you must use an account that has membership in all of the following groups:

Enterprise Admins

Schema Admins

Domain Admins for the domain that contains the schema master

Open a Command Prompt window by typing CMD and pressing ENTER in the Run menu. Drag the adprep.exe file from the Windows Explorer window to the Command Prompt window. Naturally, if you want, you can always manually type the path of the file in the Command Prompt window if that makes you feel better…

Note: You must run adprep.exe from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Note: If your existing DCs are Windows Server 2008, dragging and dropping into a Command Prompt window will not work, as that feature was intentionally disabled in Windows Server 2008 and Windows Vista.

In the Command Prompt window, type the following command: adprep /forestprep

 


You will be prompted to type the letter “c” and then press ENTER. After doing so, the process will begin.

 


ADPREP will take several minutes to complete. During that time, several LDF files will be imported into the AD Schema, and messages will be displayed in the Command Prompt window. File sch47.ldf seems to be the largest one.

 


When completed, you will receive a success message.

 


Note: As mentioned above, ADPREP should only be run on an existing DC. When trying to run it from a non-DC, you will get this error:

Adprep cannot run on this platform because it is not an Active Directory Domain Controller.

[Status/Consequence]

Adprep stopped without making any changes.

[User Action]

Run Adprep on a Active Directory Domain Controller.

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

In the Command Prompt window, type the following command: adprep /domainprep

Process will take less than a second.

 


ADPREP must only be run in a Windows 2000 Native Mode or higher. If you attempt to run in Mixed Mode you will get this error:

Adprep detected that the domain is not in native mode

[Status/Consequence]

Adprep has stopped without making changes.

[User Action]

Configure the domain to run in native mode and re-run domainprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

If you’re running a Windows 2008 Active Directory domain, that’s it, no additional tasks are needed.

If you’re running a Windows 2000 Active Directory domain, you must also type the following command: adprep /domainprep /gpprep

Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

If you’re running a Windows 2003 Active Directory domain, that’s it, no additional tasks are needed. However, if you’re planning to run Read Only Domain controllers (RODCs), you must also type the following command: adprep /rodcprep

If you already ran this command for Windows Server 2008, you do not need to run it again for Windows Server 2008 R2.

Process will complete in less than a second.

 


Allow the operation to complete, and then allow the changes to replicate throughout the forest before you prepare any domains for a domain controller that runs Windows Server 2008 R2.

To verify that adprep /forestprep completed successfully please perform these steps:

 

1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2. On Windows Server 2003 you must install the Resource Kit Tools.

2. Click Start, click Run, type ADSIEdit.msc, and then click OK.

3. Click Action, and then click Connect to.

4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.

5. Double-click Configuration, and then double-click CN=Configuration, DC=forest_root_domain where forest_root_domain is the distinguished name of your forest root domain.

6. Double-click CN=ForestUpdates.

7. Right-click CN=ActiveDirectoryUpdate, and then click Properties.

 


8. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the Revision attribute value is 5, and then click OK.

 


9. Click ADSI Edit, click Action, and then click Connect to.

10. Click Select a Well known naming context, select Schema in the list of available naming contexts, and then click OK.

11. Double-click Schema.

12. Right-click CN=Schema,CN=Configuration,DC=forest_root_domain, and then click Properties.


13. If you ran adprep /forestprep for Windows Server 2008 R2, confirm that the objectVersion attribute value is set to 47, and then click OK.
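
The two ADSI Edit checks in steps 1 to 13 can also be scripted so that the result is recorded before the first Windows Server 2008 R2 domain controller is promoted. This is an added example, not from the original article; it assumes a domain-joined host, and the expected values 5 and 47 are the ones given in the steps above.

```powershell
# Added example (not from the original article): scripted equivalent of the
# ADSI Edit verification steps for adprep /forestprep.

# Values this page gives for a forest prepared for Windows Server 2008 R2.
$ExpectedRevision      = 5    # CN=ActiveDirectoryUpdate, attribute "revision"
$ExpectedObjectVersion = 47   # head of the Schema partition, attribute "objectVersion"

function Get-LdapInteger {
    param([string]$DistinguishedName, [string]$Attribute)
    try {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        $value = $entry.psbase.Properties[$Attribute].Value
        if ($null -eq $value) { return $null }
        return [int]$value
    } catch {
        # The object does not exist or cannot be read: treat as "not prepared".
        return $null
    }
}

function Test-ForestPrep {
    # RootDSE gives the distinguished names of the Configuration and Schema
    # partitions, so forest_root_domain does not have to be typed in.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.psbase.Properties['configurationNamingContext'].Value
    $schemaNC = [string]$rootDse.psbase.Properties['schemaNamingContext'].Value

    $checks = @(
        @{ Name = 'Revision'                      # steps 4 to 8
           DN   = "CN=ActiveDirectoryUpdate,CN=ForestUpdates,$configNC"
           Attr = 'revision';      Expected = $ExpectedRevision },
        @{ Name = 'objectVersion'                 # steps 9 to 13
           DN   = $schemaNC
           Attr = 'objectVersion'; Expected = $ExpectedObjectVersion }
    )

    foreach ($c in $checks) {
        $actual = Get-LdapInteger -DistinguishedName $c.DN -Attribute $c.Attr
        New-Object PSObject -Property @{
            Check    = $c.Name
            Object   = $c.DN
            Expected = $c.Expected
            Actual   = $actual
            # A higher value means a later version of adprep has already run.
            Passed   = ($null -ne $actual -and $actual -ge $c.Expected)
        }
    }
}

$results = @(Test-ForestPrep)
$results | Format-Table Check, Expected, Actual, Passed, Object -AutoSize

if (@($results | Where-Object { -not $_.Passed }).Count -gt 0) {
    Write-Warning 'Forest preparation for Windows Server 2008 R2 is not confirmed on this domain controller.'
}
```

Running it against more than one domain controller shows whether the schema changes have replicated, which the article asks you to wait for before preparing any domain.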

 


QUESTION 67

Your network consists of an Active Directory forest named contoso.com. All servers run Windows Server 2008 R2. All domain controllers are configured as DNS servers. The contoso.com DNS zone is stored in the ForestDnsZones Active Directory application partition.

You have a member server that contains a standard primary DNS zone for dev.contoso.com.

You need to ensure that all domain controllers can resolve names for dev.contoso.com.

What should you do?

A. Modify the properties of the SOA record in the contoso.com zone.

B. Create a NS record in the contoso.com zone.

C. Create a delegation in the contoso.com zone.

D. Create a standard secondary zone on a Global Catalog server.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc771640.aspx

Understanding Zone Delegation

Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:

You want to delegate management of part of your DNS namespace to another location or department in your organization.

You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.

You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.

 

When you delegate zones within your namespace, remember that for each new zone that you create, you need delegation records in other zones that point to the authoritative DNS servers for the new zone. This is necessary both to transfer authority and to provide correct referral to other DNS servers and clients of the new servers that are being made authoritative for the new zone.

 

Example:

Delegating a subdomain to a new zone

As shown in the following illustration, when a new zone for a subdomain (example.microsoft.com) is created, delegation from the parent zone (microsoft.com) is needed.

 


QUESTION 68

Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.

All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates.

You need to enable dynamic DNS updates on DC3.

What should you do?

A. Run the Dnscmd.exe /ZoneResetType command on DC3.

B. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.

C. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.

D. Run the Ntdsutil.exe > DS Behavior commands on DC3.

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc754218%28WS.10%29.aspx#BKMK_DDNS

Appendix A: RODC Technical Reference Topics

DNS updates for clients that are located in an RODC site

When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Active Directory-integrated zone, just as a secondary DNS server handles updates for zones that are not Active Directory-integrated zones. After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is then responsible for performing the DNS record registration against the writeable server. The RODC waits a certain amount of time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation.

Note:

For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will be delayed until the next scheduled replication cycle.

Further information:

http://technet.microsoft.com/en-us/library/dd737255%28v=ws.10%29.aspx

Plan DNS Servers for Branch Office Environments

This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office environments. As a best practice, use Active Directory-integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice. In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe. Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory-integrated DNS zones.

Note: You also have to configure the DNS client’s setting for the RODC so that it points to itself as its preferred DNS server.

To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNS server must register name server (NS) resource records for that zone.

By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is because the updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.

 

For example, suppose that you add a new member server in a branch office, Branch1, which includes an RODC. The member server hosts an application that you want client computers in Branch1 to locate by using a DNS query. When the member server attempts to register its host (A or AAAA) resource records for its IP address to a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the RODC tracks in Branch1. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in Branch1 for its IP address.

If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against Windows Server 2003 DNS server if one is available but the updated record in the DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can delay client computers that use the RODC DNS server for name resolution from locating the new member server.

 

 

QUESTION 69

Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.

You need to implement key archival.

What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.

B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.

C. Apply the Hisecdc security template to the domain controllers.

D. Archive the private key on the server.

Correct Answer: D

Explanation:

http://technet.microsoft.com/en-us/library/cc753011.aspx

Enable Key Archival for a CA

Before a key recovery agent can use a key recovery certificate, the key recovery agent must have enrolled for the key recovery certificate and be registered as the recovery agent for the certification authority (CA).

You must be a CA administrator to complete this procedure.

To enable key archival for a CA:

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, click Properties.

4. Click the Recovery Agents tab, and then click Archive the key.

5. In Number of recovery agents to use, type the number of key recovery agents that will be used to encrypt the archived key.

The Number of recovery agents to use must be between one and the number of key recovery agent certificates that have been configured.

6. Click Add. Then, in Key Recovery Agent Selection, click the key recovery certificates that are displayed, and click OK.

7. The certificates should appear in the Key recovery agent certificates list, but their status is listed as Not loaded.

8. Click OK or Apply. When prompted to restart the CA, click Yes. When the CA has restarted, the status of the certificates should be listed as Valid.

Further information:

http://technet.microsoft.com/en-us/library/ee449489%28v=ws.10%29.aspx

Key Archival and Management in Windows Server 2008

http://technet.microsoft.com/en-us/library/cc730721.aspx

Managing Key Archival and Recovery

 

 

QUESTION 70

You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers.

The domain contains one Active Directory-integrated DNS zone.

You need to ensure that outdated DNS records are automatically removed from the DNS zone.

What should you do?

A. From the properties of the zone, modify the TTL of the SOA record.

B. From the properties of the zone, enable scavenging.

C. From the command prompt, run ipconfig /flushdns.

D. From the properties of the zone, disable dynamic updates.

Correct Answer: B

Explanation:

http://technet.microsoft.com/en-us/library/cc753217.aspx

Set Aging and Scavenging Properties for the DNS Server

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time. You can use this procedure to set the default aging and scavenging properties for the zones on a server.

Further information:

http://technet.microsoft.com/en-us/library/cc771677.aspx

Understanding Aging and Scavenging

 
