[Free] Download New Updated (February 2016) Microsoft 70-640 Practice Tests 161-170



The Company has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS.


You need to prepare the domain controller for disaster recovery apart from the routine backup procedures.


You are unable to launch the backup utility while attempting to back up the system state data for the domain controller.


You need to backup system state data from the Windows Server 2008 domain controller server.


What should you do?



A. Add your user account to the local Backup Operators group.

B. Install the Windows Server Backup feature using Server Manager.

C. Install the Removable Storage Manager feature using Server Manager.

D. Deactivate the backup job that is configured to back up the Windows 2008 domain controller on the Windows 2003 server.

E. None of the above.


Correct Answer: B



Windows Server Backup Step-by-Step Guide for Windows Server 2008

The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server 2008 operating system. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system.

What is Windows Server Backup?

The Windows Server Backup feature in Windows Server 2008 consists of a Microsoft Management Console (MMC) snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment.

You can use Windows Server Backup to create and manage backups for the local computer or a remote computer. You can also schedule backups to run automatically and you can perform one-time backups to augment the scheduled backups.
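The procedure the question turns on, as an added example that is not part of the original page: install the feature if it is absent, then take a system state backup of the domain controller. It assumes Windows Server 2008 R2 (the ServerManager PowerShell module); on Windows Server 2008 RTM the equivalent is "ServerManagerCmd -install Backup-Features". The target volume E: is a placeholder.

```powershell
# Added example, not from the page: install the Windows Server Backup feature if
# it is missing and take a system state backup of the domain controller.
# Assumes Windows Server 2008 R2 (the ServerManager PowerShell module exists).
# The backup target E: is a placeholder for a non-critical local volume.
Import-Module ServerManager

$feature = Get-WindowsFeature -Name Backup-Features
if (-not $feature.Installed) {
    # Without this feature neither wbadmin.exe nor the Windows Server Backup
    # snap-in exists, which is why the backup utility could not be launched.
    $result = Add-WindowsFeature -Name Backup-Features
    if (-not $result.Success) { throw 'Windows Server Backup could not be installed' }
}

$target = 'E:'

# System state on a DC covers the AD DS database, SYSVOL, the registry, COM+
# and boot files; -quiet suppresses the interactive confirmation prompt.
& wbadmin.exe start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) {
    throw "System state backup failed with exit code $LASTEXITCODE"
}

# Show the backup versions recorded on the target so the result can be checked.
& wbadmin.exe get versions -backupTarget:$target
```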




Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table.




You need to ensure that all device certificate requests use the MD5 hash algorithm.


What should you do?



A. On Server2, run the Certutil tool.

B. On Server1, update the CEP Encryption certificate template.

C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.

D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.


Correct Answer: D




Managing Network Device Enrollment Service


Configuring NDES


NDES stores its configuration in the registry key HKLM\Software\Microsoft\Cryptography\MSCEP.



To change NDES configuration, edit the NDES registry settings by using Regedit.exe or Reg.exe, then restart IIS. If necessary, create the key and value using the names and data types described in the following table.


Key name: HashAlgorithm\HashAlgorithm

Accepted values are SHA1 and MD5.
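The registry change described above, as an added example that is not from the page: read the current NDES hash algorithm, reject anything outside the two accepted values, write the new one and restart IIS so NDES picks it up. It is meant to run on the NDES server (Server3 in the question); the key path and value name are those given in the text.

```powershell
# Added example, not from the page: manage the NDES HashAlgorithm setting.
# Run on the NDES server as an administrator.
$keyPath   = 'HKLM:\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm'
$valueName = 'HashAlgorithm'
$accepted  = @('SHA1', 'MD5')

function Get-NdesHashAlgorithm {
    # Returns $null when the key or value has not been created yet.
    if (-not (Test-Path $keyPath)) { return $null }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

function Set-NdesHashAlgorithm {
    param([Parameter(Mandatory = $true)][string]$Algorithm)
    $value = $Algorithm.ToUpper()
    if ($accepted -notcontains $value) {
        throw "Unsupported value '$Algorithm'; accepted values are $($accepted -join ', ')"
    }
    # The text notes the key may have to be created first.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $value -Type String
    # NDES reads its settings at start-up, so IIS must be restarted afterwards.
    & iisreset.exe /noforce | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'IIS restart failed; NDES is still using the old value' }
}

"Current value: $(Get-NdesHashAlgorithm)"
# MD5 is the value the question asks for; SHA1 is the stronger of the two accepted values.
Set-NdesHashAlgorithm -Algorithm 'MD5'
"New value: $(Get-NdesHashAlgorithm)"
```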




Your network contains an Active Directory domain. The domain contains two domain controllers named DC1 and DC2. DC1 hosts a standard primary DNS zone for the domain. Dynamic updates are enabled on the zone. DC2 hosts a standard secondary DNS zone for the domain.


You need to configure DNS to allow only secure dynamic updates.


What should you do first?



A. On DC1 and DC2, configure a trust anchor.

B. On DC1 and DC2, configure a connection security rule.

C. On DC1, configure the zone transfer settings.

D. On DC1, configure the zone to be stored in Active Directory.


Correct Answer: D



Configuring DNS Server for Secure Only Dynamic Updates

About Dynamic Updates

During the installation of Active Directory Domain Services on Windows Server 2008 R2, the installation process automatically installs the DNS server on the computer, in case it does not already exist in the network.

After the successful installation of Active Directory Domain Services, the DNS server is by default configured to automatically update the records of only the domain client computers as soon as it receives the registration request from them. This automatic update of DNS records in the DNS database is technically known as 'Dynamic Updates'.

Types of DNS Updates

The types of dynamic update that the DNS server in Windows Server 2008 R2 supports are:

Nonsecure and Secure: When this type of dynamic update is selected, any computer can send a registration request to the DNS server. The DNS server in return automatically adds the record of the requesting computer to the DNS database, even if the computer does not belong to the same DNS domain.

Although this configuration remarkably reduces administrative overhead, this setting is not recommended for the organizations that have highly sensitive information available in the computers.

Secure only: When this type of dynamic update is selected, only the computers that are members of the DNS domain can register themselves with the DNS server. The DNS server automatically rejects the requests from the computers that do not belong to the domain. This protects the DNS server from getting automatically populated with records of unwanted, suspicious and/or fake computers.

None: When this option is selected, the DNS server does not accept any registration request from any computer whatsoever. In such cases, DNS administrators must manually add the IP addresses and the Fully Qualified Domain Names (FQDNs) of the client computers to the DNS database.

In most production environments, systems administrators configure Secure Only dynamic updates for DNS.

This remarkably reduces the security risks by allowing only the authentic domain client computers to register themselves with the DNS server automatically, and decreases the administrative overhead at the same time.

However, in some scenarios administrators choose to keep a zone that is not Active Directory integrated in order to stay compliant with the policies of the organization. This configuration is not recommended, because it does not allow administrators to configure the DNS server for Secure only updates, and it does not allow the DNS database to be replicated automatically to the other DNS servers along with Active Directory replication. When a DNS zone is not Active Directory integrated, the DNS database replication process must be performed manually by the administrators.

Configure Secure Only Dynamic Updates in Windows Server 2008 R2 DNS Server

To configure Secure Only dynamic DNS updates in Windows Server 2008 R2, administrators must follow the steps given below:

1. Log on to the Windows Server 2008 R2 DNS server on which 'Secure only' dynamic updates are to be configured, using a domain admin or enterprise admin account.

2. On the desktop screen, click Start.

3. From the Start menu, go to Administrative Tools > DNS.

4. On DNS Manager snap-in, from the console tree in the left, double-click to expand the DNS server name.

5. From the expanded list, double-click Forward Lookup Zones.

6. From the displayed zones list, right-click the DNS zone on which secure only dynamic updates are to be configured.

7. From the displayed context menu, click Properties.




8. On the zone’s properties box, make sure that the General tab is selected.

9. On the selected tab, choose Secure only option from the Dynamic updates drop-down list.

Note: Secure only option is available only if the DNS zone is Active Directory integrated.




Secure Only Dynamic Update

10. Click OK to apply the modified changes.

11. Close DNS Manager snap-in when done.
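The same change made from the command line with dnscmd.exe, as an added example that is not part of the original page. It includes the prerequisite the question asks about: a standard primary zone is converted to an Active Directory-integrated zone before secure-only updates are enabled. The server and zone names (DC1, contoso.com) are constructed, and the script relies on the "DS integrated" and "update" fields of the dnscmd /ZoneInfo output.

```powershell
# Added example, not from the page: convert a zone to AD-integrated and switch it
# to secure-only dynamic updates with dnscmd.exe. Run on a DC as a domain admin.
$server = 'DC1'
$zone   = 'contoso.com'

# Pull one numeric field out of "dnscmd /ZoneInfo" output, e.g. "update = 2".
function Get-ZoneInfoValue {
    param([string]$Field)
    $lines = & dnscmd.exe $server /ZoneInfo $zone
    foreach ($line in $lines) {
        if ($line -match ("^\s*{0}\s*=\s*(\d+)" -f [regex]::Escape($Field))) {
            return [int]$Matches[1]
        }
    }
    return $null
}

# 1. The "Secure only" option is only offered for AD-integrated zones, so a
#    standard primary zone has to be converted first (answer D above).
if ((Get-ZoneInfoValue 'DS integrated') -ne 1) {
    & dnscmd.exe $server /ZoneResetType $zone /DsPrimary
    if ($LASTEXITCODE -ne 0) { throw 'Converting the zone to AD-integrated failed' }
}

# 2. AllowUpdate values: 0 = none, 1 = nonsecure and secure, 2 = secure only.
& dnscmd.exe $server /Config $zone /AllowUpdate 2
if ($LASTEXITCODE -ne 0) { throw 'Setting secure-only dynamic updates failed' }

# 3. Verify that the zone now accepts only secure updates.
if ((Get-ZoneInfoValue 'update') -ne 2) {
    throw 'Zone is still not configured for secure-only dynamic updates'
}
"Zone $zone on $server now accepts secure dynamic updates only."
```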




Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2. Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates.


You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).


What should you configure in the adatum.com domain?



A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.

B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.

C. From the Default Domain Policy, modify the Certificate Enrollment policy.

D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.


Correct Answer: C



Manage Certificate Enrollment Policy by Using Group Policy

Configuring certificate enrollment policy settings by using Group Policy




Your network consists of a single Active Directory domain. User accounts for engineering department are located in an OU named Engineering.


You need to create a password policy for the engineering department that is different from your domain password policy.


What should you do?



A. Create a new GPO. Link the GPO to the Engineering OU.

B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.

C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Policy Object (PSO) and apply it to the group.

D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.


Correct Answer: C



Complex Password Policy on an OU

Q: Is it possible to apply a complex password policy to an OU instead of the entire domain (Windows 2008 R2)? I'm under the impression it can only be applied to either a security group or an individual user.


I believe you are referring to PSC and PSO.

The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.

Groups offer better flexibility for managing various sets of users than OUs. For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008. Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects.

For more info, please see below article:


AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide


Here is a link to how you set up fine grain password policy… However you can only apply it to a Security Group.



In addition, for fine-grained password policy you need DFL 2008, and you can apply that policy to a single user and only to global security groups.

Find the step by step info.



Tutorial: How to setup Default and Fine Grain Password Policy

One strange thing that still seems to catch a lot of people out is that you can only have one password policy for your users per domain. This catches a lot of people out as they apply a password policy to an OU in their AD thinking that it will apply to all the users in that OU… but it doesn't. Microsoft did introduce Fine Grain Password Policies with Windows Server 2008; however, these can only be set based on security group membership and you still need to use the very un-user-friendly ADSI Edit tool to make the changes to the policy. Below I will go through how you change the default domain password policy and how you then apply a fine grain password policy to your environment. The good news is that setting the default password policy for a domain is really easy. The bad news is that setting a fine grain password policy is really hard.

How to set a Default Domain Password Policy


Step 1

Create a new Group Policy Object at the top level of the domain (e.g. “Domain Password Policy”).




Note: I have elected to create a new GPO at the top of the domain in this case as I always try to avoid modifying the “Default Domain Policy”, see references below.





TechNet: Linking GPOs


If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.




TechNet: Establishing Group Policy Operational Guidelines


Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.

Step 2

Edit the "Domain Password Policy" GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy, then configure the password policy settings to the configuration you desire.


Step 3

Once you have configured the password policy settings make the “Domain Password Policy” GPO the highest in the Linked GPO processing order.


TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon.


Done… told you it was easy….


Note: Even if you apply the password policies to the "Domain Controllers" OU it will not modify the domain's password policy. As far as I know this is the only exception to the rule as to how GPOs apply to objects. As you can see in the image below, the "Minimum password length" in the "Domain Password Policy" GPO is still applied to the domain controller even though I have another GPO linked to the "Domain Controllers" OU configuring the same setting.


For a better explanation as to why the GPO that is linked to the Domain, and not the Domain Controllers OU, is used for the password policy for all users, check out Jorge's Quest for Knowledge: Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be affective on AD domain user accounts (http://blogs.dirteam.com/blogs/jorge/archive/2008/12/16/why-gpos-with-password-and-accountlockout-policy-settings-must-be-linked-to-the-ad-domain-object-to-be-affective-on-ad-domain-useraccounts.aspx)


How to set a Fine Grain Password Policy


Fine Grain Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password policies for the users in your environment was to have separate domains… OUCH!




Your domain must be in Windows Server 2008 native mode; this means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selecting "Raise domain functional level" on the top of the domain in Active Directory Users and Computers.





AD DS: Fine-Grained Password Policies


The domain functional level must be Windows Server 2008.


The other restriction with this option is that you can only apply an FGPP to user objects or to users in global security groups (not to computers).





AD DS: Fine-Grained Password Policies

Fine-grained password policies apply only to user objects … and global security groups.


TIP: If you set up an "Automatic Shadow Group" (link truncated in the source: …n-windows-server-2008/) you can apply these password policies automatically to any users located in an OU.


Creating a Password Setting Object (PSO)


Step 1

Under Administrative Tools, open ADSI Edit and connect it to the domain and domain controller on which you want to set up the new password policy.


Note: If you do not see this option go to “Turn Windows Features On or Off” and make sure the “AD DS and AD LDS Tools” are installed. (You will need RSAT also installed if you are on Windows 7).


Step 2

Double click on the “CN=DomainName” then double click on “CN=System” and then double click on “CN=Password Settings Container”.


Step 3

Right click on "CN=Password Settings Container" and then click on "New" then "Object".


Step 4

Click on “Next”


Step 5

Type the name of the PSO in the “Value” field and then click “Next”


Note: With the exception of the password length the following values are all the same as the default values in the “Default Domain Policy”.


Step 6

Type in a number that will be the Precedence for this Password Policy then click “Next”.


Note: This is used if a user has multiple Password Settings Objects (PSOs) applied to them; the PSO with the lowest precedence value wins.


Step 7

Type “FALSE” in the value field and click “Next”


Note: You should almost never use “TRUE” for this setting.


Step 8

Type “24” in the “Value” field and click “Next”


Step 9

Type “TRUE” in the “Value” field and click “Next”


Step 10

Type “5” in the “Value” field and click “Next”


Step 11

Type “1:00:00:00” in the “Value” field and click “Next”


Step 12

Type “42:00:00:00” in the “Value” field and click “Next”

Step 13

Type “10” in the “Value” field and click “Next”


Step 14

Type "0:00:30:00" in the "Value" field and click "Next"


Step 15

Type “0:00:33:00” in the “Value” field and click “Next”


Step 16

Click “Finish”


You have now created the Password Settings Object (PSO) and you can close the ADSIEdit tool.


Now to apply the PSO to a user or group…


Step 17

Open Active Directory Users and Computers and navigate to “System > Password Settings Container”


Note: Advanced Mode needs to be enabled.


Step 18

Double click on the PSO you created then click on the “Attribute Editor” tab and then select the “msDS-PSOAppliedTo” attribute and click “Edit”


Step 19

Click “Add Windows Accounts….” button.


Step 20

Select the user or group you want to apply this PSO and click “OK”


Step 21

Click “OK”


Step 22

Click “OK”


And you are done… (told you it was hard).


Fine Grain Password Policies, as you can see, are very difficult to set up and manage, so it is probably best you use them sparingly in your organisation… But if you really have to have a simple password or an extra complicated password then at least it gives you a way to do this without having to spin up another domain.
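The PSO built in steps 5 to 15 above, as an added example that is not part of the original tutorial, created with the Active Directory PowerShell module (Windows Server 2008 R2 or later) instead of ADSI Edit. Each parameter is annotated with the msDS-* attribute that the matching ADSI Edit prompt writes. The PSO name, the precedence value (step 6 gives none) and the target group are constructed placeholders.

```powershell
# Added example, not from the page: the tutorial's PSO via the AD module.
Import-Module ActiveDirectory

$psoName = 'Engineering-PSO'
$subject = 'Engineering-Users'   # a global security group or a single user

$settings = @{
    Name                        = $psoName                   # step 5: cn
    Precedence                  = 10                         # step 6: msDS-PasswordSettingsPrecedence
    ReversibleEncryptionEnabled = $false                     # step 7: msDS-PasswordReversibleEncryptionEnabled
    PasswordHistoryCount        = 24                         # step 8: msDS-PasswordHistoryLength
    ComplexityEnabled           = $true                      # step 9: msDS-PasswordComplexityEnabled
    MinPasswordLength           = 5                          # step 10: msDS-MinimumPasswordLength
    MinPasswordAge              = (New-TimeSpan -Days 1)     # step 11: msDS-MinimumPasswordAge
    MaxPasswordAge              = (New-TimeSpan -Days 42)    # step 12: msDS-MaximumPasswordAge
    LockoutThreshold            = 10                         # step 13: msDS-LockoutThreshold
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30) # step 14: msDS-LockoutObservationWindow
    LockoutDuration             = (New-TimeSpan -Minutes 33) # step 15: msDS-LockoutDuration
}

# Fine-grained policies need the Windows Server 2008 domain functional level.
$mode = (Get-ADDomain).DomainMode
if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $mode; Windows Server 2008 or higher is required"
}

# AD rejects a PSO whose lockout duration is shorter than its observation window,
# or whose minimum password age exceeds the maximum; check up front rather than
# decoding an LDAP constraint violation after the fact.
if ($settings.LockoutDuration -lt $settings.LockoutObservationWindow) {
    throw 'LockoutDuration must not be shorter than LockoutObservationWindow'
}
if ($settings.MinPasswordAge -gt $settings.MaxPasswordAge) {
    throw 'MinPasswordAge must not exceed MaxPasswordAge'
}

# Steps 1 to 16: create the object under CN=Password Settings Container.
New-ADFineGrainedPasswordPolicy @settings

# Steps 17 to 22: populate msDS-PSOAppliedTo with the user or global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Confirm what the PSO applies to and the key settings.
Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```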


Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has the File Services role installed. You install some disks for additional storage.


The disks are configured as shown in the exhibit.




To support data striping with parity, you have to create a new drive volume.


What should you do to achieve this objective?



A. Build a new spanned volume by combining Disk 0 and Disk 1.

B. Create a new RAID-5 volume by adding another disk.

C. Create a new virtual volume by combining Disk 1 and Disk 2.

D. Build a new striped volume by combining Disk 0 and Disk 2.


Correct Answer: B


https://sort.symantec.com/public/documents/sf/5.0/solaris/html/vxvm_admin/ag_ch_intro_vm17.html

Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table.




All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory- integrated zones.


You need to ensure that contoso.com records are available on DC3.


Which command should you run?



A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain

B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest

C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain

D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest


Correct Answer: B



Dnscmd is a command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.

dnscmd /zonechangedirectorypartition

Changes the directory partition on which the specified zone resides.


dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName> {[<NewPartitionName>] | [<ZoneType>]}




<ServerName> Specifies the DNS server to manage, represented by IP address, FQDN, or host name. If this parameter is omitted, the local server is used.

<ZoneName> The FQDN of the current directory partition on which the zone resides.

<NewPartitionName> The FQDN of the directory partition that the zone will be moved to.

<ZoneType> Specifies the type of directory partition that the zone will be moved to:

/domain Moves the zone to the built-in domain directory partition.

/forest Moves the zone to the built-in forest directory partition.

/legacy Moves the zone to the directory partition that is created for pre-Active Directory domain controllers. These directory partitions are not necessary for native mode.

Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003.


The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2.


You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).


What should you do first?



A. Run dfsrdiag.exe PollAD.

B. Run dfsrmig.exe /SetGlobalState 0.

C. Upgrade all domain controllers to Windows Server 2008 R2.

D. Raise the functional level of the domain to Windows Server 2008.


Correct Answer: D



Distributed File System

Distributed File System (DFS) Namespaces and DFS Replication offer simplified, highly available access to files, load sharing, and WAN-friendly replication. In the Windows Server 2003 R2 operating system, Microsoft revised and renamed DFS Namespaces (formerly called DFS), replaced the Distributed File System snap-in with the DFS Management snap-in, and introduced the new DFS Replication feature. In the Windows Server 2008 operating system, Microsoft added the Windows Server 2008 mode of domain-based namespaces and added a number of usability and performance improvements.

What does Distributed File System (DFS) do?

The Distributed File System (DFS) technologies offer wide area network (WAN)-friendly replication as well as simplified, highly-available access to geographically dispersed files.

The two technologies in DFS are the following:

DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections.

DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.




Company runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and it uses an Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revoked certificate information.


You need to make sure that the revoked certificate information is available at all times.


What should you do to achieve that?



A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain.

B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain.

C. Configure and publish an OCSP (Online Certificate Status Protocol) responder through an ISA Server (Internet Security and Acceleration Server) array.

D. Use network load balancing and publish an OCSP responder.

E. None of the above.


Correct Answer: D



How Certificate Revocation Works




You have an Active Directory domain named contoso.com.


You have a domain controller named Server1 that is configured as a DNS server.


Server1 hosts a standard primary zone for contoso.com. The DNS configuration of Server1 is shown in the exhibit. (Click the Exhibit button.)




You discover that stale resource records are not automatically removed from the contoso.com zone.


You need to ensure that the stale resource records are automatically removed from the contoso.com zone.


What should you do?



A. Set the scavenging period of Server1 to 0 days.

B. Modify the Server Aging/Scavenging properties.

C. Configure the aging properties for the contoso.com zone.

D. Convert the contoso.com zone to an Active Directory-integrated zone.


Correct Answer: C





Set Aging and Scavenging Properties for a Zone

The DNS Server service supports aging and scavenging features. These features are provided as a mechanism for performing cleanup and removal of stale resource records, which can accumulate in zone data over time.

You can use this procedure to set the aging and scavenging properties for a specific zone using either the DNS Manager snap-in or the dnscmd command-line tool.

To set aging and scavenging properties for a zone using the Windows interface

1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

2. In the console tree, right-click the applicable zone, and then click Properties.

3. On the General tab, click Aging.

4. Select the Scavenge stale resource records check box.

5. Modify other aging and scavenging properties as needed.

To set aging and scavenging properties for a zone using a command line

1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type the following command, and then press ENTER: dnscmd <ServerName> /Config <ZoneName> {/Aging <Value>|/RefreshInterval <Value>|/NoRefreshInterval <Value>}
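The command-line procedure above carried through, as an added example that is not part of the original page: it enables aging on the contoso.com zone with the dnscmd switches shown, and also sets the server-wide scavenging period, which has to be non-zero before any stale record is actually removed. Server and zone names are those in the question; the 7-day intervals are constructed, and dnscmd takes them in hours.

```powershell
# Added example, not from the page: zone aging plus server scavenging via dnscmd.exe.
$server = 'Server1'
$zone   = 'contoso.com'

$noRefreshHours  = 7 * 24   # no-refresh interval: timestamp is not updated
$refreshHours    = 7 * 24   # refresh interval: timestamp may be refreshed
$scavengingHours = 7 * 24   # how often the server runs scavenging (0 = never)

function Invoke-Dnscmd {
    # Runs dnscmd against $server and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    $out = & dnscmd.exe $server $Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed: $out" }
    return $out
}

# Zone-level aging (option C in the question): /Aging 1 makes the server stamp
# dynamically registered records and allows them to be scavenged.
Invoke-Dnscmd @('/Config', $zone, '/Aging', '1')                         | Out-Null
Invoke-Dnscmd @('/Config', $zone, '/NoRefreshInterval', "$noRefreshHours") | Out-Null
Invoke-Dnscmd @('/Config', $zone, '/RefreshInterval', "$refreshHours")     | Out-Null

# Server-level scavenging period. Setting it to 0 days (option A) disables
# scavenging entirely, so the zone setting alone would never delete anything.
Invoke-Dnscmd @('/Config', '/ScavengingInterval', "$scavengingHours") | Out-Null

# A record becomes eligible for removal once its timestamp is older than
# NoRefresh + Refresh, i.e. 14 days with the values above. Show the result.
Invoke-Dnscmd @('/ZoneInfo', $zone) | Where-Object { $_ -match 'aging|refresh' }
Invoke-Dnscmd @('/Info', 'ScavengingInterval')
```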



