Lesson Plans
LabSim for Microsoft’s Configuring Windows Server 2008 Active Directory (Exam 70-640)
Table of Contents
Course Overview ................................................................................................................ 3
Section 0.1: Active Directory Organization........................................................................ 5
Section 0.2: Active Directory Features ............................................................................... 7
Section 0.3: New 2008 and 2008 R2 Features .................................................................... 8
Section 1.1: Organizational Units ..................................................................................... 10
Section 1.2: User Accounts ............................................................................................... 12
Section 1.3: Computer Accounts ...................................................................................... 14
Section 1.4: Service Accounts .......................................................................................... 16
Section 1.5: Groups ........................................................................................................... 17
Section 1.6: Group Strategy .............................................................................................. 19
Section 1.7: Object Management Tools ............................................................................ 21
Section 2.1: DNS Concepts............................................................................................... 23
Section 2.2: Installation .................................................................................................... 24
Section 2.3: Zones ............................................................................................................. 25
Section 2.4: Resource Records ......................................................................................... 27
Section 2.5: Zone Transfers .............................................................................................. 29
Section 2.6: Advanced Zone Configuration...................................................................... 31
Section 2.7: Root Hints ..................................................................................................... 33
Section 2.8: Round Robin ................................................................................................. 34
Section 2.9: Directory Partitions ....................................................................................... 35
Section 2.10: DNS Features .............................................................................................. 36
Section 3.1: Preparation .................................................................................................... 37
Section 3.2: Installation .................................................................................................... 39
Section 3.3: Removal ........................................................................................................ 41
Section 4.1: Functional Levels .......................................................................................... 42
Section 4.2: Sites and Subnets .......................................................................................... 44
Section 4.3: Global Catalog Servers ................................................................................. 46
Section 4.4: Operations Master Roles ............................................................................... 47
Section 4.5: Trusts ............................................................................................................ 49
Section 5.1: RODC Concepts ........................................................................................... 51
Section 5.2: RODC Installation ........................................................................................ 52
Section 5.3: RODC Administration .................................................................................. 54
Section 5.4: RODC Removal ............................................................................................ 56
Section 6.1: Group Policy ................................................................................................. 57
Section 6.2: GPO Management......................................................................................... 59
Section 6.3: GPO Application........................................................................................... 61
Section 6.4: Software Deployment ................................................................................... 63
Section 6.5: Application Restriction ................................................................................. 65
Section 6.6: Password Policies ......................................................................................... 67
Section 6.7: Auditing ........................................................................................................ 69
Section 7.1: Certificate Services ....................................................................................... 71
Section 7.2: AD CS Installation ........................................................................................ 73
Section 7.3: Certificate Templates .................................................................................... 74
Section 7.4: Certificate Requests ...................................................................................... 76
©2011 TestOut Corporation (Rev 5/11)
Configuring Windows Server 2008 Active Directory (70-640)
1
Section 7.5: Certificate Revocation .................................................................................. 78
Section 7.6: CA Management ........................................................................................... 80
Section 7.7: Certificate Implementations .......................................................................... 82
Section 8.1: Lightweight Directory Services (AD LDS) .................................................. 84
Section 8.2: Federation Services (AD FS) ........................................................................ 86
Section 8.3: Rights Management Services (AD RMS) ..................................................... 88
Section 9.1: Recovery and Availability ............................................................................ 91
Section 9.2: Windows Server Backup .............................................................................. 92
Section 9.3: Active Directory Backup and Restore .......................................................... 94
Section 9.4: Maintenance and Monitoring ........................................................................ 96
Practice Exams .................................................................................................................. 98
Course Overview
This course prepares students for Microsoft’s Configuring Windows Server 2008 Active
Directory Exam: 70-640. It focuses on configuring, managing and troubleshooting the
computing environment of medium to large companies.
Module 0 – Active Directory Overview
This module provides an overview of the organization and features of Active Directory.
Module 1 – Objects and Accounts
This module discusses the basics of using the following objects and accounts to organize
network resources: organizational units (OUs), user accounts, computer accounts, service
accounts, and groups. Students will also learn about group strategies for assigning
members to groups and the tools used to manage Active Directory objects.
Module 2 – DNS
This module examines the following details about DNS: the role and components of
DNS, facts about installing DNS, configuration of DNS zones, common resource records,
configuration of zone transfers, configuration of advanced zones, root hints,
configuration of DNS round robin for load balancing, application directory partitions, and
new Windows Server 2008 DNS features.
Module 3 – Installation
In this module students will learn the following facts about installing Windows Server
2008: preparing forest and domain support for Windows Server 2008, requirements and
methods for installing Active Directory Domain Services (AD DS), and tools and scenarios
for removing a domain controller.
Module 4 – Infrastructure
This module teaches the students about configuring the infrastructure by raising forest
functional levels and configuring sites and subnets, global catalog servers, operations
master roles, and trusts.
Module 5 – Read-only Domain Controller
This module discusses configuring and installing a read-only domain controller (RODC).
Module 6 – Group Policy
This module examines creating and applying Group Policy objects (GPOs). This includes
the following: management and application of GPOs, the software deployment lifecycle,
application restriction, Password Policy and Account Lockout Policy settings, and audit
policies configurable through Group Policy.
Module 7 – Certificate Services
In this module students will learn facts about installing Active Directory Certificate
Services (AD CS) and its role services, and about managing certificate templates.
Module 8 – Active Directory Roles
This module teaches students about the following Active Directory roles: Lightweight
Directory Services (AD LDS), Federation Services (AD FS), and Rights Management
Services (AD RMS).
Module 9 – Maintenance
This module examines the following maintenance topics: tools for managing disaster
recovery and availability, managing backup and recovery for Windows Server 2008 and
Windows Server 2008 R2, managing backup and restore of Active Directory, and tools
to view and monitor system events and information.
Practice Exams
In Practice Exams students will have the opportunity to test themselves and verify that
they understand the concepts and are ready to take the certification exam.
Section 0.1: Active Directory Organization
Summary
This section discusses the organization of the Active Directory database. The Active
Directory structure is a hierarchical framework consisting of the following components:
 Domain
 Objects
 Organizational Unit (OU)
 Generic Containers
 Trees and Forests
 Domain Controller
 Sites and Subnets
The Active Directory database file, NTDS.dit, consists of three internal tables:
 Data table
 Link table
 Security descriptor (SD) table
Students will learn how to:
 Use management tools to view the Active Directory structure and objects.
Lecture Focus Questions:
 Why is DNS important for Active Directory?
 What is the purpose of the schema?
 What are the advantages of using organizational units over generic containers?
 What is the difference between a tree and a forest? How can you tell when a new domain starts a new tree?
 How does a site differ from a domain?
Video/Demo  Time
0.1.1 Active Directory  7:25
0.1.2 Active Directory Structure  4:59
0.1.3 Networking Terms  3:34
0.1.4 Viewing Active Directory  2:39
Total Time
About 25 minutes
Section 0.2: Active Directory Features
Summary
This section teaches students about the following features of Active Directory:
 Global Catalog
 Operations Master Roles
 Time Service
 Functional Level
 Group Policy
Lecture Focus Questions:
 What is the purpose of a global catalog server?
 Which operations master roles are forest-wide roles?
 Why is the domain or forest functional level important? How does the functional level relate to the operating system versions you run on domain controllers in the domain?
 How does Group Policy simplify network administration?
Video/Demo  Time
0.2.1 Global Catalog  2:49
0.2.2 Operations Master Roles  4:28
0.2.3 Time Service  5:20
Total Time
About 20 minutes
Section 0.3: New 2008 and 2008 R2 Features
Summary
This section discusses features available in Windows Server 2008 and Windows Server 2008 R2.
Concepts presented include:
The function of:
 An Active Directory server role
 A role
 Role services
 A feature
The following Active Directory server roles are described:
 Active Directory Domain Services (AD DS)
 Active Directory Lightweight Directory Services (AD LDS)
 Active Directory Federation Services (AD FS)
 Active Directory Rights Management Services (AD RMS)
 Active Directory Certificate Services (AD CS)
Server Core, a minimal server installation, provides a low-maintenance version of
Windows Server 2008 and Windows Server 2008 R2. Details include:
 Limitations of the Server Core interface
 The limited set of server roles available on Server Core
 Features currently available in Windows Server 2008 R2 Server Core
 Managing a Server Core system
Students will learn how to:
 Use Server Manager to add and manage roles and features.
Lecture Focus Questions:
 What is the difference between a role, a role service, and a feature?
 Which Active Directory role helps you control access to digital documents?
 Which role do you use to create a custom directory service?
 What are the advantages of using a Server Core installation over a regular installation?
 How does management of a Server Core system differ from managing a regular version of Windows?
 Which server roles cannot run on a Server Core system?
Video/Demo  Time
0.3.1 New 2008 Features  7:24
0.3.2 New 2008 R2 Features  3:45
0.3.3 Using Server Manager  2:03
0.3.4 Using PowerShell Cmdlets  7:12
0.3.5 New 2008 Features Tour  3:30
0.3.6 Using Best Practice Analyzer  3:56
Total Time
About 35 minutes
Section 1.1: Organizational Units
Summary
This section provides the basics of using organizational units (OUs) to organize network
resources within a domain. Details include:
 An OU can contain other OUs
 OUs can be nested
 OUs are typically organized by:
  o Physical location
  o Organizational structure
  o Object type
  o Hybrid of location, organizational structure, and object type
 Considerations for managing OUs:
  o Group Policy
  o Preventing accidental deletion
  o Delegating authority
 Default containers and OUs automatically created when Active Directory is installed:
  o Builtin
  o Computers
  o Domain Controllers
  o ForeignSecurityPrincipals
  o LostAndFound
  o NTDS Quotas
  o Program Data
  o System
  o Users
 Managing default containers
Students will learn how to:
 Create organizational units using Active Directory Users and Computers or Server Manager.
 Use the Delegation of Control wizard to allow administrators to manage objects and object properties.
Configuring Windows Server 2008 Active Directory Objectives
 402. Maintain Active Directory accounts.
Lecture Focus Questions:
 What objects can an organizational unit contain?
 How is an organizational unit different from a generic container?
 How does inheritance affect child organizational units?
 How does object-based delegation differ from task-based delegation?
Video/Demo  Time
1.1.1 Organizational Units (OUs)  5:39
1.1.2 Managing OUs  3:57
1.1.3 Delegating Authority  2:12
Lab/Activity
 Create OUs
Number of Exam Questions
5 questions
Total Time
About 30 minutes
Section 1.2: User Accounts
Summary
This section discusses how to create and manage user accounts. Details include:
 Types of Windows user accounts:
  o Local
  o Domain
 Name types used by Active Directory to recognize each object:
  o User or Logon Name
  o User Principal Name (UPN)
  o LDAP Distinguished Name (DN)
  o Relative Distinguished Name (RDN)
 Recommendations for managing user accounts.
Students will learn how to:
 Create domain user accounts.
 Modify user account properties, including changing logon and password settings in the user account.
 Rename a user account.
 Reset a user account password and unlock the account.
 Enable and disable an account.
Configuring Windows Server 2008 Active Directory Objectives
 401. Automate creation of Active Directory accounts.
 402. Maintain Active Directory accounts.
Lecture Focus Questions:
 How is a domain user account different from a local user account?
 What is the purpose of a contact object? How is it similar to and different from a user account?
 What is the difference between a disabled, a locked out, and an expired user account?
 What is the best way to handle a user’s account when an employee quits the company and will be replaced by a new employee in the near future?
 What are the recommendations for using a template user account?
 What properties of a user account do not get duplicated when you copy the user?
Video/Demo  Time
1.2.1 User Accounts  7:37
1.2.3 Creating User Accounts  3:13
1.2.4 Managing User Account Properties  13:20
1.2.5 Managing User Accounts with PowerShell  7:55
Lab/Activity
 Create User Accounts
 Manage User Accounts
Number of Exam Questions
13 questions
Total Time
About 60 minutes
Section 1.3: Computer Accounts
Summary
This section explores using computer accounts to identify network computers. Details
include:
 Methods to perform the processes required to identify a specific computer:
  o Manual join
  o Prestage accounts
  o Offline domain join
 Facts about computer accounts and joining a domain.
 Facts about computer passwords that are automatically generated when a computer joins the domain.
Students will learn how to:
 Create computer accounts and manage computer account properties.
Configuring Windows Server 2008 Active Directory Objectives
 402. Maintain Active Directory accounts.
Lecture Focus Questions:
 What can the administrator do to allow a user to join a computer to a domain during installation?
 How can you control where a computer account is placed when it joins a domain?
 What are the things to consider if a computer account has been created in a domain but the computer doesn’t seem to be able to join the domain?
 What must you do after resetting a computer account?
Video/Demo  Time
1.3.1 Creating Computer Accounts  3:05
1.3.2 Offline Domain Join  4:07
1.3.3 Using Offline Domain Join  4:39
Lab/Activity
 Create Computer Accounts
Number of Exam Questions
8 questions
Total Time
About 30 minutes
Section 1.4: Service Accounts
Summary
This section discusses how service accounts are used to interact with operating systems.
 Categories of service accounts include:
  o Built-in local user account
  o Domain user account
  o Managed service account
  o Virtual account
Configuring Windows Server 2008 Active Directory Objectives
 402. Maintain Active Directory accounts.
Lecture Focus Questions:
 What are the differences between a managed service account and a virtual service account?
 Which operating system is required to manage a service with a managed service account?
 Which Windows PowerShell cmdlet will create a new managed service account?
 If you have a domain controller running Windows Server 2003, how can you still use a virtual account?
Video/Demo  Time
1.4.1 Service Accounts  3:55
1.4.2 Creating Service Accounts  4:39
Number of Exam Questions
2 questions
Total Time
About 15 minutes
Section 1.5: Groups
Summary
In this section students will learn about using groups to organize user accounts, computer
accounts, and other group accounts into manageable units to simplify network
maintenance and administration. Details include:
 Security group scopes:
  o Global
  o Domain Local
  o Universal
 Types of groups:
  o Security
  o Distribution
 Facts about managing groups:
  o Best practices for user and group security
  o Converting the group’s scope and/or type
  o Methods to add or remove members of a group
  o Deleting and recovering a group
 Default local groups:
  o Administrators
  o Backup Operators
  o Users
  o Power Users
  o Guests
 Default domain groups that are created in the Builtin folder:
  o Administrators
  o Server Operators
  o Backup Operators
  o Account Operators
  o Guests
  o Network Configuration Operators
  o Print Operators
  o Users
 Domain groups created in the Users folder in Active Directory:
  o Domain Admins
  o Domain Computers
  o Domain Controllers
  o Domain Guests
  o Domain Users
  o Enterprise Admins
  o Schema Admins
  o Read-only Domain Controllers
  o DHCP Administrators
  o Cert Publishers
Students will learn how to:
 Create security and distribution groups.
 Add members to groups.
 Change the group type or scope.
Configuring Windows Server 2008 Active Directory Objectives
 401. Automate creation of Active Directory accounts.
 402. Maintain Active Directory accounts.
Lecture Focus Questions:
 What are the advantages of using groups when setting permissions?
 What is the difference between a security group and a distribution group?
 What types of objects can be made members of a universal group? A domain local group?
 What happens to user accounts when a group is deleted?
Video/Demo  Time
1.5.1 Groups  13:35
1.5.2 Managing Groups  4:20
Lab/Activity
 Create Global Groups
 Create a Distribution Group
 Change the Group Scope
Number of Exam Questions
4 questions
Total Time
About 40 minutes
Section 1.6: Group Strategy
Summary
This section discusses strategies for assigning members to groups. Details include:
 Approaches to managing users, groups, and permissions:
  o AGDLP
  o AGUDLP
  o ALP
 When and how to use universal groups
Students will learn how to:
 Implement a group strategy following Microsoft's recommendations for group membership and nesting.
Configuring Windows Server 2008 Active Directory Objectives
 402. Maintain Active Directory accounts.
Lecture Focus Questions:
 Based on Microsoft's recommendations, which group scope is added to the ACL for an object and assigned the permissions?
 Based on Microsoft's recommendations, which group scope would you use to add user accounts as members?
 When is it appropriate to use universal groups? In which scenarios are they unnecessary?
Video/Demo  Time
1.6.1 Group Strategy  2:46
1.6.2 Implementing AGDLP  2:29
Lab/Activity
 Implement a Group Strategy 1
 Implement a Group Strategy 2
Number of Exam Questions
6 questions
Total Time
About 25 minutes
Section 1.7: Object Management Tools
Summary
This section examines using the following tools to manage Active Directory objects:
 Active Directory Users and Computers
 ADSI Edit
 Command Prompt
 Csvde command
 Ldifde command
 PowerShell
 Visual Basic scripts (VBScript)
 Ldp utility
 Active Directory Migration Tool (ADMT)
 Active Directory Administrative Center
 Active Directory Web Services (ADWS)
 Active Directory Management Gateway
Configuring Windows Server 2008 Active Directory Objectives
 401. Automate creation of Active Directory accounts.
Lecture Focus Questions:
 What tools are available for managing Active Directory objects on a Server Core installation?
 When would you use ADSI Edit to manage objects instead of Active Directory Users and Computers?
 When would you choose Csvde over Ldifde when managing objects?
 What are cmdlets and how can they manage Active Directory objects?
 How can you provide the same functionality as Active Directory Web Services (ADWS) on a Windows Server 2003 domain controller?
Video/Demo  Time
1.7.1 Object Management Tools  3:51
1.7.2 Using Administrative Center  6:57
1.7.3 Using PowerShell  5:31
1.7.4 Web Service and Management Gateway  5:44
Number of Exam Questions
9 questions
Total Time
About 35 minutes
Section 2.1: DNS Concepts
Summary
This section examines using the DNS database to map logical host names to IP addresses.
Concepts discussed include:
 The role of the DNS server
 Components of the DNS hierarchy
 Fully qualified domain names (FQDNs)
 DNS as a distributed database
 The role of a forward lookup and a reverse lookup
 Record types in the zone database:
  o A record
  o PTR record
  o CNAME record
  o SRV record
 The role of Dynamic DNS (DDNS)
 The process a client computer follows to find the IP address for a host name
 The process a DNS server follows when it receives a name resolution request from a client
 The role of a caching-only DNS server
Configuring Windows Server 2008 Active Directory Objectives
 101. Configure zones.
Lecture Focus Questions:
 What is the purpose of DNS?
 How does an FQDN identify a host?
 What is the difference between a forward lookup zone and a reverse lookup zone?
 What is the purpose of PTR records?
 How does DDNS simplify DNS management?
 What is the difference between forwarding and recursion?
Video/Demo  Time
2.1.1 DNS Concepts  9:41
Total Time
About 15 minutes
Section 2.2: Installation
Summary
This section provides fundamental facts about installing DNS in Windows Server 2008.
Concepts include:
 To install DNS you must be a member of the Domain Admins group
 DNS can be installed on all Windows Server 2008 editions except the Windows Server 2008 Web Server edition
 Tools to install DNS on a server:
  o Use Server Manager and add the DNS role
  o At a command prompt, use start /w ocsetup DNS-Server-Core-Role to add the DNS role
  o Use the oclist command to view a list of services installed on a server
 Manage DNS using the DNS snap-in or the dnscmd command
Students will learn how to:
 Add the DNS server role to a server.
Lecture Focus Questions:
 Which Windows Server 2008 editions do not support the DNS server role?
 How should the DNS server get its IP address?
 How do you install DNS on a Server Core system?
Video/Demo  Time
2.2.1 DNS Installation  1:42
2.2.2 Installing DNS  2:08
Total Time
About 5 minutes
Section 2.3: Zones
Summary
This section discusses the roles of DNS zones and configuring different types of zones.
Concepts discussed include:
 Types of DNS zones:
  o Primary
  o Secondary
  o Active Directory-integrated
  o Stub
  o GlobalNames
 Classifications of zones:
  o Forward lookup zone
  o Reverse lookup zone
 Details about Active Directory-integrated zones
 Replication scopes:
  o All domain controllers in this domain
  o All DNS servers in this domain
  o All DNS servers in this forest
  o Application partition
 IP versions:
  o IPv4
  o IPv6
Students will learn how to:
 Create primary, secondary, and reverse lookup zones.
 Create an Active Directory-integrated zone and configure the replication scope.
Configuring Windows Server 2008 Active Directory Objectives
 101. Configure zones.
 103. Configure zone transfers and replication.
Lecture Focus Questions:
 How is an Active Directory-integrated zone different from a primary zone?
 What type of zone would you create if you wanted to use secure dynamic updates?
 What is the impact on network traffic of the All domain controllers in this domain versus the All DNS servers in this forest replication scope?
 What type of name resolution is performed by reverse lookup zones?
 What is the zone name format for the reverse lookup network of 1375:2614:DDAB:EE21?
Video/Demo  Time
2.3.1 Zones  6:03
2.3.3 Configuring Zones  6:44
Lab/Activity
 Create a Primary Zone
 Create a Secondary Zone
 Create an Active Directory-integrated Zone
 Create a Reverse Lookup Zone
Number of Exam Questions
9 questions
Total Time
About 50 minutes
Section 2.4: Resource Records
Summary
This section presents information about resource records. Details include:
 Common resource records:
  o SOA (Start of Authority)
  o NS (name server)
  o A (host address)
  o AAAA (quad-A)
  o MX (mail exchanger)
  o CNAME (canonical name)
  o DNAME (domain alias)
  o SRV (service locator)
  o PTR (pointer)
  o WINS and WINS-R resource records
 The role of Dynamic DNS (DDNS)
 The default configuration for Dynamic DNS
Students will learn how to:
 Create common resource records.
Configuring Windows Server 2008 Active Directory Objectives
 101. Configure zones.
 103. Configure zone transfers and replication.
Lecture Focus Questions:
 What information does an SOA record contain?
 What is the difference between an A and a quad-A record?
 How is the DNAME record similar to a CNAME record?
 How does Windows Server 2008 handle the creation of SRV records?
 How does the use of DDNS facilitate record management?
 What is the difference in the default state of dynamic updates between primary and Active Directory-integrated zones?
Video/Demo  Time
2.4.1 DNS Records  3:21
2.4.4 Creating DNS Records  4:47
Lab/Activity
 Create a Zone and Add Records
 Create A and CNAME Records
Number of Exam Questions
3 questions
Total Time
About 25 minutes
Section 2.5: Zone Transfers
Summary
This section examines the function of zone transfers in the replication of zone data
between primary and secondary zones. Details include:
 The role of a:
  o Master server
  o Zone serial number
  o Full zone transfer (AXFR)
  o Partial (or incremental) zone transfer (IXFR)
  o DNS Notify
 DNS console actions to refresh zone data manually:
  o Reload
  o Transfer from Master
  o Reload from Master
Students will learn how to:
 Add authoritative name servers.
 Restrict zone transfers to name servers or to specific listed servers only.
 Modify zone properties and enable or disable zone transfers.
Configuring Windows Server 2008 Active Directory Objectives
 103. Configure zone transfers and replication.
Lecture Focus Questions:
 How is secondary zone data changed?
 What is the significance of the serial number during zone transfers?
 What is the difference between AXFR and IXFR zone transfers?
 What are the methods for restricting zone transfers?
 What happens if the serial number is greater on the secondary server?
 How can you use multiple DNS servers to improve DNS performance?
 What is the difference between a reload and a reload from master operation?
Video/Demo  Time
2.5.1 Zone Transfers  2:10
2.5.2 Configuring Zone Transfers  4:15
Lab/Activity



Allow Zone Transfers to Name Servers
Allow Zone Transfers to Listed Servers
Disable Zone Transfers
Number of Exam Questions
11 questions
Total Time
About 35 minutes
©2011 TestOut Corporation (Rev 5/11)
Configuring Windows Server 2008 Active Directory (70-640)
30
Section 2.6: Advanced Zone Configuration
Summary
This section explores advanced zone configuration, including:
• The role of a forwarder
• Methods to control the server's use of forwarders:
  o Secondary zone
  o Stub zone
  o Conditional forwarder
  o Disable recursion
• The role of zone delegation
• The role of a GlobalNames zone
Students will learn how to:
• Create a stub zone.
• Configure forwarders and conditional forwarding.
• Create delegated zones.
Configuring Windows Server 2008 Active Directory Objectives
• 101. Configure zones.
• 102. Configure DNS server settings.
Lecture Focus Questions:
• How does a stub zone differ from a secondary zone?
• How does conditional forwarding differ from standard forwarding?
• How is a stub zone dynamic? What records are copied to the zone when you create a stub zone?
• Why isn't a stub zone authoritative for the zone?
• Why might you decide to implement zone delegation?
• What records does the delegation contain?
• When can you use the GlobalNames zone to replace WINS servers on your network? When should you continue to use a WINS server?
Video/Demo
2.6.4 Delegating Zones (4:13)
Lab/Activity
• Configure a Stub Zone
• Configure Conditional Forwarding
• Delegate Zones
• Create a Delegated Zone
Number of Exam Questions: 15 questions
Total Time: About 40 minutes
Section 2.7: Root Hints
Summary
This section discusses how root hints are used to point to top level DNS servers on the Internet. This includes facts about:
• The function of the Cache.dns file
• The location of the Cache.dns file
• Configuring the root hints
• The role of a root zone server
Students will learn how to:
• Configure or delete a root zone.
• Configure other DNS servers to point to your server via root hints.
Configuring Windows Server 2008 Active Directory Objectives
• 102. Configure DNS server settings.
Lecture Focus Questions:
• Why would you want to create a zone named . (dot)?
• What is the purpose of the root hints file?
• Why would you delete the root hints?
• What is the name and location(s) of the root hints file on a Windows 2008 server?
Video/Demo
2.7.1 Root Hints (1:46)
2.7.2 Configuring Root Hints (1:23)
Lab/Activity
• Configure Root Hints
Number of Exam Questions: 3 questions
Total Time: About 10 minutes
Section 2.8: Round Robin
Summary
This section examines facts about using DNS round robin for load balancing to share and distribute network resource loads.
Students will learn how to:
• Configure DNS round robin.
Configuring Windows Server 2008 Active Directory Objectives
• 102. Configure DNS server settings.
Lecture Focus Questions:
• Why do round robin servers use different IP addresses?
• What type of resource record do you create in the DNS database when using round robin?
• Why does round robin provide load balancing but not fault tolerance?
Video/Demo
2.8.1 DNS Round Robin (1:07)
2.8.2 Configuring Round Robin (1:07)
Lab/Activity
• Configure DNS Round Robin
Number of Exam Questions: 1 question
Total Time: About 10 minutes
Section 2.9: Directory Partitions
Summary
This section discusses the role and use of application directory partitions.
Configuring Windows Server 2008 Active Directory Objectives
• 103. Configure zone transfers and replication.
Lecture Focus Questions:
• How do application directory partitions control the scope of replication?
• Which group memberships allow users to create application directory partitions manually?
• What tool would you use to create an application directory partition?
Video/Demo
2.9.1 Directory Partitions (1:32)
Number of Exam Questions: 3 questions
Total Time: About 5 minutes
Section 2.10: DNS Features
Summary
This section examines the following new Windows Server 2008 DNS features:
• Background zone loading
• Read-only Domain Controller (RODC)
• IPv6 DNS Support
• Domain controller search (DC Locator)
• Link-Local Multicast Name Resolution (LLMNR)
• GlobalNames Zone
• Global Query Block List
• Conditional Forwarding
• DNSSEC Support
• Controlling aging and scavenging
• Configuring debug logging
Configuring Windows Server 2008 Active Directory Objectives
• 101. Configure zones.
Lecture Focus Questions:
• How does background loading have a positive effect on name resolution?
• How do stale records affect DNS server performance?
• When is a DNS record considered stale?
• How does the no-refresh interval affect scavenging?
• When should you activate debug logging? For what period of time?
Number of Exam Questions: 5 questions
Total Time: About 10 minutes
Section 3.1: Preparation
Summary
In this section students will learn facts about preparing to install Windows Server 2008 and Windows Server 2008 R2. Details will include:
• Tools to prepare forest and domain support for Windows Server 2008:
  o Adprep /forestprep
  o Adprep /domainprep
  o Adprep /rodcprep
• Installation scenarios when installing Active Directory Domain Services (AD DS) for Windows Server 2008 or Windows Server 2008 R2:
  o Installing a new Windows Server 2008 or Windows Server 2008 R2 forest
  o Installing a new Windows Server 2008 or Windows Server 2008 R2 domain controller to create a new domain in an existing Windows 2000 Server or Windows Server 2003 forest
  o Installing a new Windows Server 2008 or Windows Server 2008 R2 domain controller in an existing Windows 2000 Server or Windows Server 2003 domain
Students will learn how to:
• Prepare an existing forest and domain for installation of a Windows Server 2008 domain controller.
Configuring Windows Server 2008 Active Directory Objectives
• 201. Configure a forest or a domain.
• 303. Configure the read-only domain controller (RODC).
Lecture Focus Questions:
• Which forest and domain functional levels are required before installing a Windows Server 2008 domain controller?
• When do you use the adprep /domainprep /gpprep command instead of the adprep /domainprep command?
• On which domain controller should you run the adprep /domainprep command?
• What command would you run to prepare for installing a read-only domain controller (RODC)?
Video/Demo
3.1.1 Installation Requirements (1:53)
3.1.2 Schema Preparation (3:53)
3.1.3 Extending the Schema (8:55)
Number of Exam Questions: 3 questions
Total Time: About 25 minutes
Section 3.2: Installation
Summary
This section discusses installing Active Directory Domain Services. The following concepts are covered:
• Requirements for installing Active Directory Domain Services (AD DS)
• Methods to install Active Directory Domain Services:
  o Active Directory Domain Services Installation Wizard
  o Command-line dcpromo command
  o Answer file
  o AD DS installation from media
• Basics about installing an RODC
• Details about using an answer file:
  o Parameters
  o Key answer file settings
• Methods to verify an AD DS installation:
  o Determine whether a Server object has child objects
  o Check the status of the shared SYSVOL
  o Verify domain membership for a new domain controller
  o Verify communication with other domain controllers
  o Verify replication with other domain controllers
Students will learn how to:
• Install a new domain controller using GUI and command-line tools.
Configuring Windows Server 2008 Active Directory Objectives
• 201. Configure a forest or a domain.
Lecture Focus Questions:
• What is the difference between a forest and a tree?
• How does an installation from media reduce network traffic?
• What tools can you use to create the installation media for installing a domain controller?
• How can you easily create an answer file for use with Dcpromo?
• When using an answer file for domain controller installation, what is the difference between a new domain and a replica?
• How can you verify that Active Directory is installed?
Video/Demo
3.2.1 AD DS Installation (5:39)
3.2.2 Installing AD DS (8:29)
3.2.3 Creating an Answer File (4:13)
Number of Exam Questions: 3 questions
Total Time: About 35 minutes
Section 3.3: Removal
Summary
This section provides information about removing a domain controller. Concepts covered include:
• Tools to remove a domain controller
• Actions to take for specific uninstall scenarios:
  o Removing a domain controller from a domain
  o Removing the last domain controller from a domain
  o Removing the last domain controller from a forest
  o Forcing a removal of a domain controller
• Actions to uninstall binary files
Students will learn how to:
• Uninstall a domain controller and remove Active Directory binaries.
• Force removal of Active Directory from a domain controller.
Configuring Windows Server 2008 Active Directory Objectives
• 201. Configure a forest or a domain.
Lecture Focus Questions:
• What does the IsLastDCInDomain parameter in an answer file do?
• When should you forcefully remove a domain controller? What should you try before doing so?
• What are the results of removing the last domain controller from a domain?
• How do you remove the Active Directory binaries from a system?
Video/Demo
3.3.1 AD DS Removal (3:45)
3.3.2 Removing AD DS (2:11)
Number of Exam Questions: 4 questions
Total Time: About 15 minutes
Section 4.1: Functional Levels
Summary
In this section students will learn about domain and forest functional levels. Facts that are discussed include:
• The role of functional levels
• Features that are available for each of the different domain functional levels
• Features that are available for each of the different forest functional levels
• Guidelines for managing functional levels:
  o Set the domain and forest functional levels to the highest value the environment can support
  o In most cases you cannot reverse the operation of raising the functional level; two exceptions are presented
• Guidelines for raising the domain and forest functional levels
• Circumstances that might prevent you from raising the functional level to Windows Server 2008 or Windows Server 2008 R2
Students will learn how to:
• Identify the current domain and forest functional levels.
• Raise the functional levels of domains and forests.
Configuring Windows Server 2008 Active Directory Objectives
• 201. Configure a forest or a domain.
Lecture Focus Questions:
• Which functional level is required to enable selective authentication?
• What forest functional level(s) let you rename domains?
• What features do you get by enabling a Windows Server 2008 functional level?
• When would you raise the domain functional level?
• What are the domain controller operating system requirements for raising a domain functional level to Windows Server 2008?
Video/Demo
4.1.1 Functional Levels (2:49)
4.1.3 Configuring Functional Levels (3:40)
Lab/Activity
• Raise Functional Levels
• Raise the Domain and/or Forest Levels
Number of Exam Questions: 3 questions
Total Time: About 25 minutes
Section 4.2: Sites and Subnets
Summary
This section covers how Active Directory uses sites and subnets to optimize and customize replication traffic. The following concepts are covered:
• Objects that Active Directory uses to represent the physical structure of the network and control replication traffic:
  o Subnet
  o Site
  o Site link
  o Site link bridge
  o Bridgehead server
  o Connection
• Sites and Services distinguishes between two types of replication:
  o Intrasite
  o Intersite
• Replication uses the following types of transport protocols:
  o Directory Services Remote Procedure Call (DS-RPC)
  o Inter-Site Messaging—Simple Mail Transfer Protocol (ISM-SMTP)
• Intrasite replication occurs between domain controllers within a site
• Intersite replication occurs between bridgehead servers in different sites. Steps you can take when managing intersite replication include:
  o Preferred bridgehead server
  o Replication schedule
  o Replication frequency
  o Site link cost
  o Bridged site replication
  o Forced replication
• Using the Distributed File System (DFS) engine to replicate the contents of the SYSVOL folder
Students will learn how to:
• Create sites and subnets. Move servers into sites.
• Create site links and configure site link properties to customize replication.
• Customize intersite and intrasite replication frequencies and schedules.
• Designate preferred bridgehead servers.
Configuring Windows Server 2008 Active Directory Objectives
• 203. Configure sites.
• 204. Configure Active Directory replication.
Lecture Focus Questions:
• What is the purpose of a site link?
• What is the purpose of a site link bridge?
• Why would you typically not create a connection object?
• What are the differences between intrasite and intersite replication?
• What does a site link cost do?
• When would you use the SMTP protocol for replication?
• What is the function of the bridgehead server?
• How is a preferred bridgehead server determined?
Video/Demo
4.2.1 Sites and Subnets (9:04)
4.2.2 Replication (2:07)
4.2.4 Configuring Sites and Subnets (8:01)
Lab/Activity
• Manage Sites and Subnets
• Configure Intersite Replication
• Configure Intrasite Replication
Number of Exam Questions: 18 questions
Total Time: About 60 minutes
Section 4.3: Global Catalog Servers
Summary
This section discusses using global catalog servers. The following concepts are discussed:
• The role of the Global Catalog (GC)
• The role of Universal Group Membership Caching (UGMC)
• When to select a Global Catalog server or Universal Group Membership Caching
• Details about Lightweight Directory Access Protocol (LDAP)
Students will learn how to:
• Add or remove the global catalog from a domain controller.
• Enable Universal Group Membership Caching for a site.
Configuring Windows Server 2008 Active Directory Objectives
• 205. Configure the global catalog.
Lecture Focus Questions:
• What are the advantages of having more than one Global Catalog server?
• Why does a single domain network not need a Global Catalog server?
• What is the function of Universal Group Membership caching?
• When should Universal Group Membership caching be implemented? When would you use global catalog servers instead?
Video/Demo
4.3.1 Global Catalog Servers (3:56)
4.3.2 Managing Global Catalog Servers (1:39)
Lab/Activity
• Configure Global Catalog Servers
• Enable Universal Group Membership Caching
Number of Exam Questions: 10 questions
Total Time: About 25 minutes
Section 4.4: Operations Master Roles
Summary
In this section students will learn the functions of operations master roles. Students will learn about the following:
• Operations master roles at the forest level:
  o Schema Master
  o Domain Naming Master
• Operations master roles at the domain level:
  o Relative ID (RID) Master
  o Primary Domain Controller (PDC) Emulator
  o Infrastructure Master
Students will learn how to:
• Transfer operations master roles among domain controllers.
• Troubleshoot operations master roles to diagnose network problems.
• Seize an operations master role when the domain controller holding that role has failed.
Configuring Windows Server 2008 Active Directory Objectives
• 206. Configure operations masters.
Lecture Focus Questions:
• What is the purpose of an operations master role server?
• What is the function of a PDC emulator? What does the infrastructure master do?
• Which operations master roles are located at the forest level? How many of these roles are there in a forest?
• How many domain operations masters are in a forest?
• You are installing a new domain controller in a new domain in an existing forest. How many operations master roles will that server hold?
• What might happen if the RID master becomes unavailable?
• Which role(s) should be placed on a global catalog server? Which roles should not?
• What is the difference between transferring a role and seizing a role?
Video/Demo
4.4.1 Operations Master Roles (10:18)
4.4.3 Operations Master Roles Facts (10:48)
Lab/Activity
• Transfer RID and PDC Masters
• Transfer the Infrastructure Master
• Troubleshoot Operations Masters
Number of Exam Questions: 9 questions
Total Time: About 50 minutes
Section 4.5: Trusts
Summary
This section provides the basics of using trusts to establish mutual authentication, communication, and access to resources between domains. Students will learn:
• Properties of a trust:
  o Direction of trust
  o Direction of resource access
  o Transitivity
• Types of trusts:
  o Parent/child
  o Tree root
  o External
  o Realm
  o Forest
  o Shortcut
• Facts about configuring trusts
• Authentication security settings that can be applied to a trust:
  o Selective authentication
  o Domain-wide authentication
  o Forest-wide authentication
• The role of the Security Identifier (SID):
  o SID filter quarantining
  o Configuring SID filters
Students will learn how to:
• Create external, shortcut, and forest root trusts.
Configuring Windows Server 2008 Active Directory Objectives
• 202. Configure trusts.
Lecture Focus Questions:
• What is the difference between a one-way trust and a two-way trust?
• Domain A trusts domain B. Users in which domain will be able to access resources in which domain? What is the relationship between the direction of trust and the direction of access?
• What is a transitive trust? Which trust types are transitive by default?
• When are trusts created automatically? What are the properties of those trusts?
• When should you use a shortcut trust?
• What are the domain and forest functional level requirements for creating a forest root trust? What type of trust would you use if you couldn't create a forest root trust?
Video/Demo
4.5.1 Trusts (4:00)
4.5.4 Configuring Trusts (6:32)
Lab/Activity
• Create a Shortcut Trust
• Create External Trusts
• Create a Forest Root Trust
• Design Trusts
Number of Exam Questions: 12 questions
Total Time: About 45 minutes
Section 5.1: RODC Concepts
Summary
This section discusses using a read-only domain controller (RODC) for a domain that hosts read-only partitions of the Active Directory database. The following RODC features are discussed:
• Administrator role separation
• Unidirectional replication
• Read-only data
• Password replication
• DNS Server service
Configuring Windows Server 2008 Active Directory Objectives
• 303. Configure the read-only domain controller (RODC).
Lecture Focus Questions:
• What is the purpose of administrator role separation?
• How does unidirectional replication protect your network?
• How does using an RODC allow for domain logon in the event of a WAN link failure?
• How do DNS zones work differently on an RODC?
Video/Demo
5.1.1 RODC Concepts (5:04)
Number of Exam Questions: 2 questions
Total Time: About 10 minutes
Section 5.2: RODC Installation
Summary
This section explores the following details about RODC installation:
• Requirements to install RODCs in a domain
• Details about deploying an RODC
• General steps to install an RODC
• Additional facts about an RODC installation
• Performing a staged installation of an RODC:
  o First stage
  o Second stage
Students will learn how to:
• Pre-create RODC accounts in Active Directory.
• Install an RODC.
Configuring Windows Server 2008 Active Directory Objectives
• 303. Configure the read-only domain controller (RODC).
Lecture Focus Questions:
• What are the domain and forest functional level requirements for installing an RODC?
• What operating system versions must run on the PDC emulator?
• What permissions do you need to install an RODC?
• What are two ways to replicate the installation source files to the RODC?
• How does BitLocker increase the security of an RODC?
Video/Demo
5.2.1 RODC Installation (3:03)
5.2.2 Installing RODC (5:51)
Lab/Activity
• Create RODC Accounts
Number of Exam Questions: 3 questions
Total Time: About 20 minutes
Section 5.3: RODC Administration
Summary
This section examines the following facts about the administration of RODCs:
• The role of a password replication policy
• New built-in groups for Windows Server 2008 AD to support password replication:
  o Allowed RODC Password Replication Group
  o Denied RODC Password Replication Group
• Details about password replication policies
• Administrative models to manage password replication policies:
  o No accounts cached
  o Most accounts cached
  o Few accounts cached
• Managing RODC password replication with Windows PowerShell
• Considerations to implement to increase the security of an RODC:
  o Administrator role separation
  o BitLocker
  o Read-only SYSVOL
Students will learn how to:
• Configure password caching and replication for an RODC.
Configuring Windows Server 2008 Active Directory Objectives
• 303. Configure the read-only domain controller (RODC).
Lecture Focus Questions:
• How does password replication make user logons more efficient? What advantages are there to allowing password caching?
• When would you want to prevent password caching?
• Why does the Denied RODC Password Replication group contain default members?
• What are two ways you can allow a user password to be cached on an RODC?
• Which security feature would encrypt operating system files, swap files, hibernation files, and all user files on an RODC?
Video/Demo
5.3.1 Administering Password Caching (3:09)
5.3.4 BitLocker (4:53)
Lab/Activity
• Edit the Password Replication Policy
Number of Exam Questions: 6 questions
Total Time: About 30 minutes
Section 5.4: RODC Removal
Summary
This section provides information about removing the RODC account in the event of a security breach. Three possible choices are presented on how to handle the passwords under these circumstances.
Students will learn how to:
• Delete an RODC from your site.
• Generate a list of passwords cached on an RODC.
Configuring Windows Server 2008 Active Directory Objectives
• 303. Configure the read-only domain controller (RODC).
Lecture Focus Questions:
• What is the effect of resetting computer account passwords cached on the RODC?
• Why would you want a list of the accounts cached on the RODC?
• Why is it necessary to reset the user account passwords on a stolen RODC?
Video/Demo
5.4.1 RODC Removal (1:25)
5.4.2 Removing RODC (2:46)
Number of Exam Questions: 1 question
Total Time: About 5 minutes
Section 6.1: Group Policy
Summary
This section provides an overview of Group Policy. Details include:
• GPO categories:
  o Computer configuration
  o User configuration
• Windows Server 2008 Group Policy enhancements:
  o ADMX and ADML files
  o Network Location Awareness
  o Group Policy preferences
• The role of Administrative Templates
• The role of starter GPOs
• The role of Group Policy preferences
• A comparison of Group Policy preferences vs. Group Policy settings
• Group Policy preferences described:
  o Drive maps
  o Environment
  o Files, Folders
  o Ini Files
  o Network share
  o Registry
  o Shortcuts
  o Devices
  o Folder options
  o Internet settings
  o Local users and groups
  o Network connections
  o Power options
  o Printers
  o Regional options
  o Scheduled tasks
  o Services
  o Start menu
Students will learn how to:
• Enable the central Administrative Templates store and create a starter GPO.
Configuring Windows Server 2008 Active Directory Objectives
• 403. Create and apply Group Policy objects (GPOs).
Lecture Focus Questions:
• What is the difference between policies set in computer configuration and policies set in user configuration?
• How does network location awareness enhance Group Policy?
• How does inheritance affect Group Policy settings?
• To which Active Directory objects can GPOs be linked?
• What are the advantages of the .admx file format?
• What is the Administrative Template central store? What advantages do you gain by enabling the central store?
Video/Demo
6.1.1 Group Policy (5:04)
6.1.3 Group Policy Settings (6:16)
6.1.4 Configuring Starter GPOs (4:30)
6.1.7 Configuring Preferences (11:39)
Lab/Activity
• Create a Starter GPO
Number of Exam Questions: 6 questions
Total Time: About 45 minutes
Section 6.2: GPO Management
Summary
In this section students will learn concepts about management of GPOs:
• Details about managing Group Policy objects
• Details about configuring specific GPO settings
• Using Gpupdate to manually refresh group policy settings
• Methods to create a GPO with the same settings as an existing GPO:
  o Copy
  o Backup and import
  o Starter GPO
• The role of Group Policy cmdlets:
  o New-GPO
  o Copy-GPO
  o Get-GPO
  o Backup-GPO
  o Remove-GPO
  o Restore-GPO
  o Import-GPO
  o New-GPLink
  o Set-GPLink
  o Remove-GPLink
  o New-GPStarterGPO
• Common GPO setting categories:
  o Account Policies
  o Local Policies/Audit Policy
  o Local Policies/User Rights Assignment
  o Local Policies/Security Options
  o Event Log
  o Restricted Groups
  o System Services
  o Registry
  o File System
  o Wireless Network
  o Public Key Policies
  o Software Restriction Policies
Students will learn how to:
• Create and link GPOs.
• Edit GPO settings.
• Enable or disable computer or user portions in a GPO.
Configuring Windows Server 2008 Active Directory Objectives
• 403. Create and apply Group Policy objects (GPOs).
Lecture Focus Questions:
• What is the difference between a user right and a security option?
• What is the difference between using a starter GPO and copying an existing GPO?
• What is the difference between deleting a GPO and deleting a GPO link?
• What is an undefined GPO setting? How does this affect the effective settings for a user or computer?
• When are computer configuration settings applied? When are user configuration settings applied?
• How can you copy a GPO from one domain to another? How can you copy starter GPOs?
• What is the difference between restore and import when working with GPO backups?
Video/Demo
6.2.1 Managing GPOs (12:44)
6.2.2 Managing GPOs with PowerShell (8:44)
6.2.3 Linking and Enforcing GPOs (5:35)
Lab/Activity
• Configure User Rights
• Configure Security Options
• Configure Restricted Groups
• Modify GPO Links
Number of Exam Questions: 10 questions
Total Time: About 60 minutes
Section 6.3: GPO Application
Summary
This section discusses the order in which GPOs are applied. The following concepts are presented:
• GPO inheritance
• Methods to customize how GPO settings are applied:
  o Block inheritance
  o GPO permissions
  o WMI filtering
  o Loopback processing
Students will learn how to:
• Link GPOs to appropriate objects to take advantage of inheritance.
• Customize Group Policy application using block inheritance and no override.
• Use GPO permissions to limit the application of GPOs.
• Configure WMI filters and loopback processing.
Configuring Windows Server 2008 Active Directory Objectives
• 403. Create and apply Group Policy objects (GPOs).
Lecture Focus Questions:
• If a setting is configured in a GPO linked to the domain and a GPO linked to an OU, which setting will be in effect?
• If there is more than one group policy linked to a domain, what controls the order of application?
• How is the Block Inheritance setting affected by the No Override setting?
• How can you apply Group Policy settings to specific users or groups?
• How can you apply Group Policy settings to specific computers?
• How does loopback processing affect computer settings?
Video/Demo
6.3.1 Controlling GPO Inheritance (2:53)
6.3.2 GPO Application Methods (3:02)
6.3.3 Configuring GPO Permissions (4:34)
6.3.4 Configuring WMI Filters and Loopback Processing (4:51)
Lab/Activity
• Control GPO Inheritance
• Configure GPO Permissions
Number of Exam Questions: 7 questions
Total Time: About 35 minutes
Section 6.4: Software Deployment
Summary
This section examines the following details about software deployment:
• Steps in the software deployment lifecycle:
  o Plan
  o Deploy
  o Manage (upgrade)
  o Remove
• Configuration options for assigning or publishing software
Students will learn how to:
• Assign and publish software installer packages.
• Configure software installation packages to customize deployment and removal.
Configuring Windows Server 2008 Active Directory Objectives
• 405. Configure software deployment GPOs.
Lecture Focus Questions:
• What is the difference between assigned and published software?
• Why should you use the UNC path to an installer package rather than the local path?
• What is file invocation?
• What does it mean when a user or computer is outside of the scope of management for a software installation package? What happens to the software when this condition exists?
Video/Demo
6.4.1 Software Deployment (4:59)
6.4.2 Deploying Software (9:25)
6.4.3 Removing Software (3:00)
Lab/Activity
• Assign Software
• Deploy Software 1
• Deploy Software 2
Number of Exam Questions: 14 questions
Total Time: About 45 minutes
Section 6.5: Application Restriction
Summary
In this section students will learn the following details about the role of software restriction policies:
• Application restriction rules (listed from most specific to least specific):
  o Hash
  o Certificate
  o Path
  o Network zone
  o Default
• Operating systems that software restriction policies can be applied to
• Enforcement policy options
Students will learn how to:
• Configure a software restriction policy for a specific user.
• Create a path rule for an application.
• Create a hash rule to create software restrictions.
Configuring Windows Server 2008 Active Directory Objectives
• 405. Configure software deployment GPOs.
Lecture Focus Questions:
• How are software restriction policies managed, and in what order are they applied?
• How does a hash rule distinguish one application from another? Does the same hash value still apply after the application receives a software update?
• What are the advantages of using AppLocker over software restriction policies?
• If software restriction policies and AppLocker policies are configured on the same object, which rules take precedence?
Video/Demo   Time
6.5.1 Software Restriction Policies   8:12
6.5.2 Implementing Software Restriction Policies   7:22
6.5.4 AppLocker Overview   8:16
6.5.5 Implementing AppLocker   12:21
Number of Exam Questions: 9
Total Time: About 50 minutes
Section 6.6: Password Policies
Summary
This section discusses using Password Policy settings to control the characteristics enforced for user passwords, and Account Lockout Policy settings to control what happens when an incorrect password is entered. The following details are discussed:
• Password Policy settings:
  o Enforce password history
  o Maximum password age
  o Minimum password age
  o Minimum password length
  o Password must meet complexity requirements
  o Store passwords using reversible encryption
• Account Lockout Policy settings:
  o Account lockout duration
  o Account lockout threshold
  o Reset account lockout after
• Managing account policies
• Granular password policies
• The role of a Password Settings Object (PSO)
• The role of a Password Settings Container (PSC)
• Using ADSI Edit to create a PSO
• The Active Directory module consolidates the cmdlets needed to manage granular password policies:
  o New-ADFineGrainedPasswordPolicy
  o Set-ADFineGrainedPasswordPolicy
  o Remove-ADFineGrainedPasswordPolicy
  o Get-ADFineGrainedPasswordPolicy
  o Add-ADFineGrainedPasswordPolicySubject
  o Get-ADFineGrainedPasswordPolicySubject
  o Remove-ADFineGrainedPasswordPolicySubject
Students will learn how to:
• Configure and manage Account Policy settings.
• Use ADSI Edit to configure granular password policy settings.
Configuring Windows Server 2008 Active Directory Objectives
• 406. Configure account policies.
Lecture Focus Questions:
• Users in a network have to change their passwords every 30 days, but many users have reported that they simply enter the same password to make the change. Which policy can you configure to prevent this?
• What is the effect of setting the minimum password age account policy to 5 days?
• How can you prevent users from creating passwords like desk, mom, chair, or office?
• What is the effect of setting the account lockout policy to 0?
• What happens when you configure Account Policies settings in a GPO linked to an OU?
• How can you configure different account policy settings for different users?
• Which object types can you associate with a granular password policy?
• A user has a granular password policy applied directly to the user account, and a different policy applied to a group of which the user is a member. Which policy will be in effect?
Video/Demo   Time
6.6.1 Managing Account Policies   5:39
6.6.5 Granular Password Policies   2:06
6.6.6 Using ADSIEDIT   3:27
6.6.7 Using Third-party Tools   2:59
Lab/Activity
• Configure Account Policies
• Modify Account Lockout
Number of Exam Questions: 15
Total Time: About 45 minutes
Section 6.7: Auditing
Summary
This section provides details about using auditing to record system events. Facts discussed include:
• Types of events to log when an audit policy is enabled:
  o Audit Success
  o Audit Failure
• Audit policies configurable through Group Policy:
  o Account logon
  o Account management
  o Directory service access
  o Logon
  o Object access
  o Policy change
  o Privilege use
  o Process tracking
  o System
• Details about configuring auditing
• Steps to design an audit policy
• Guidelines to use when designing auditing
• Categories of the 53 new auditing policy settings:
  o Account Logon events
  o Account Management settings
  o Detailed Tracking events
  o DS Access events
  o Logon/Logoff events
  o Object Access events
  o Policy Change events
  o Privilege Use events
  o System events
  o Global Object Access Auditing settings
Students will learn how to:
• Use Group Policy to enforce auditing and secure audit logs.
Configuring Windows Server 2008 Active Directory Objectives
• 407. Configure audit policy by using GPOs.
Lecture Focus Questions:
• What is the difference between auditing for success and auditing for failure?
• What is the difference between Account Logon and Logon auditing?
• What additional step must you complete in order to audit NTFS file access?
• How can you configure auditing to track changes to Active Directory objects?
• What are the results of excessive auditing?
• Why should you design periodic reviews of the logs?
Video/Demo   Time
6.7.1 Audit Policies   5:10
6.7.4 Advanced Audit Policies   5:27
6.7.5 Configuring Advanced Audit Policies   7:43
6.7.6 Global Object Access Auditing and Reason for Access   3:25
6.7.7 Configuring Global Object Access Auditing and Reason for Access Reporting   10:10
Lab/Activity
• Configure Auditing
Number of Exam Questions: 16
Total Time: About 60 minutes
Section 7.1: Certificate Services
Summary
This section explores encryption and certificate services. Details include:
• The role of a:
  o Cipher or algorithm
  o Key
• Methods of encryption:
  o Symmetric (secret key) encryption
  o Asymmetric encryption
• The role of a:
  o Certificate
  o Public Key Infrastructure (PKI)
  o Certification Authority (CA)
  o Certificate revocation list (CRL)
  o Root CA
  o Subordinate CA
  o Public CA
  o Third-party CA
• Typical information in a certificate
• CA types you choose from when you install Active Directory Certificate Services (AD CS) on a server:
  o Enterprise root CA
  o Enterprise subordinate CA
  o Standalone root CA
  o Standalone subordinate CA
• Role services you choose from when you install AD CS on a server:
  o Certification Authority
  o Certification Authority Web Enrollment
  o Online Responder
  o Network Device Enrollment Service
  o Certificate Enrollment Web Service and Certificate Enrollment Policy Web Service
• Additional features available through Active Directory Certificate Services:
  o Certificate templates
  o Autoenrollment
  o Web enrollment
  o Credential roaming
  o Certificate enrollment across forests
  o High-volume CA support
Configuring Windows Server 2008 Active Directory Objectives
• 601. Install Active Directory Certificate Services.
Lecture Focus Questions:
• What is the difference between symmetric and asymmetric encryption?
• How do certificates prove identity?
• What kinds of information do certificates hold?
• What is the relationship of a CA to a PKI?
• How can you ensure that users outside your organization trust your certificate?
• What are the advantages of using an enterprise CA over a standalone CA?
Video/Demo   Time
7.1.1 Certificate Concepts   10:09
7.1.3 Active Directory Certificate Services   7:56
Number of Exam Questions: 2
Total Time: About 30 minutes
Section 7.2: AD CS Installation
Summary
This section discusses guidelines for installing Active Directory Certificate Services:
• Creating a Certificate Practice Statement (CPS)
• Creating a PKI
• Strategies for when to take the root CA offline
• Configuring how the CA receives its certificate
• Operating systems that AD CS cannot be installed on
• When an enterprise CA is required
• Who can install a standalone CA or an enterprise CA
• The tool used to install Certificate Services
Students will learn how to:
• Install and configure the Active Directory Certificate Services role.
Configuring Windows Server 2008 Active Directory Objectives
• 601. Install Active Directory Certificate Services.
Lecture Focus Questions:
• What is the advantage of taking the root CA offline?
• Why shouldn't you take an enterprise CA offline? How can you use an offline root CA but still use enterprise CAs?
• How do you request a CA certificate if the root CA is offline?
• What permissions do you need to install a standalone CA?
• When would you use a self-signed certificate for a CA? When should the CA get its certificate from another source?
Video/Demo   Time
7.2.2 Installing Certificate Services   3:11
Number of Exam Questions: 6
Total Time: About 10 minutes
Section 7.3: Certificate Templates
Summary
This section provides information about using certificate templates to request and issue certificates. Details discussed include:
• Managing certificate templates
• Certificate template permissions:
  o Full Control
  o Read
  o Write
  o Enroll
  o Autoenroll
• Managing certificate template permissions
• Common settings you can modify for Version 2 and 3 templates:
  o Validity period
  o Publish in Active Directory
  o Key type
  o Cryptographic Service Provider (CSP)
  o Subject name
  o Issuance requirement
  o Extensions
Students will learn how to:
• Duplicate and edit certificate templates.
• Issue (publish) certificate templates on a CA.
Configuring Windows Server 2008 Active Directory Objectives
• 603. Manage certificate templates.
Lecture Focus Questions:
• Why shouldn't you modify a default template?
• What does issuing a template accomplish?
• What is the effect of removing a template from the list of issued templates?
• What are the minimum permissions necessary for a user to request a certificate?
• What is the role of the Certificate Publishers group?
• What do you need to do in order to edit the subject name information in a version 1 template?
• What setting do you modify to require an administrator to approve certificate requests?
Video/Demo   Time
7.3.1 Certificate Templates   5:27
7.3.2 Managing Certificate Templates   8:49
Lab/Activity
• Modify Issued Certificate Templates
• Modify a Certificate Template
Number of Exam Questions: 5
Total Time: About 35 minutes
Section 7.4: Certificate Requests
Summary
This section explores the following details about certificate requests and autoenrollment:
• Methods of requesting a certificate:
  o Web enrollment pages
  o Certificate Request Wizard through the Certificates snap-in
  o Autoenrollment
  o Command line
• Details about certificate requests
• The role of autoenrollment
• Steps to configure autoenrollment:
  o Edit the certificate template
  o Publish the certificate template on the CA
  o Edit Group Policy and enable autoenrollment
Students will learn how to:
• Prepare an offline certificate request. After receiving the certificate, import it.
• Use the Web enrollment pages to request and install a certificate.
• On the CA, approve a pending certificate request.
• Configure a certificate template, the CA, and Group Policy for autoenrollment.
Configuring Windows Server 2008 Active Directory Objectives
• 602. Configure CA server settings.
• 603. Manage certificate templates.
Lecture Focus Questions:
• How does Web enrollment differ from autoenrollment?
• What type of certificates can users request through Web enrollment? What reasons might prevent a certificate from appearing in the list of certificates that can be requested?
• How do standalone CAs handle certificate requests?
• What permissions are required to enable autoenrollment? What additional tasks are required for autoenrollment to work?
• What certificate template settings might cause autoenrollment to fail?
Video/Demo   Time
7.4.1 Certificate Requests   4:58
7.4.2 Requesting a Certificate   8:32
7.4.4 Configuring AutoEnrollment   3:42
Lab/Activity
• Configure Templates for Autoenrollment
• Enable Autoenrollment for the Domain
Number of Exam Questions: 10
Total Time: About 40 minutes
Section 7.5: Certificate Revocation
Summary
This section examines details about revoking a digital certificate:
• The role of the Online Responder
• Configuring the Online Responder:
  o Install the Online Responder role service
  o Configure the OCSP Response Signing certificate
  o Configure each CA to issue the OCSP Response Signing template
  o Configure each CA to include the online responder
  o Configure revocation configurations on the online responder
• Additional features that can be configured for the Revocation Configuration on an online responder:
  o Nonce/no-nonce request support
  o Advanced cryptography
  o Kerberos protocol integration
• Configuring a single CA with multiple online responders
Students will learn how to:
• Revoke and unrevoke certificates.
• Configure CRL distribution point locations.
• Manage and publish CRLs.
• Install and configure the Online Responder role service.
• Configure a CA to support an online responder.
Configuring Windows Server 2008 Active Directory Objectives
• 602. Configure CA server settings.
• 605. Manage certificate revocations.
Lecture Focus Questions:
• What circumstances might cause you to need to revoke a certificate?
• When can a certificate in the Revoked Certificates folder be unrevoked?
• What is the relationship between the CRL and the CDP?
• What is the advantage of using delta CRLs?
• How is a CRL used by an online responder?
• What two certificates must the online responder have?
• How does the online responder use the OCSP Response Signing certificate? How many of these certificates should the online responder have?
• What is the difference between the CDP extensions and the AIA extensions? When would you use both?
Video/Demo   Time
7.5.1 Certificate Revocation   7:47
7.5.2 Managing Certificate Revocation   2:48
7.5.5 Configuring an Online Responder   3:11
Lab/Activity
• Manage Certificate Revocation
Number of Exam Questions: 13
Total Time: About 35 minutes
Section 7.6: CA Management
Summary
This section provides facts about managing CAs. Details include:
• Permissions to manage the CA and its configuration:
  o Read
  o Issue and manage certificates
  o Manage CA
  o Request certificates
• Common CA management tasks:
  o Certificate Manager Delegation
  o Enrollment Agent Delegation
  o Key Archival
  o Certificate Request Handling
  o Auditing
  o Backup and Restore
• Certutil parameters:
  o -Verify
  o -VerifyStore
  o -VerifyKeys
  o -RecoverKey
  o -oid
• Steps to move a CA from one server to another, beginning with backing up the CA and the CA-related registry settings on the source CA
Students will learn how to:
• Configure administrative permissions to a CA.
• Restrict certificate managers and enrollment agents on a CA.
• Configure CA auditing.
Configuring Windows Server 2008 Active Directory Objectives
• 602. Configure CA server settings.
Lecture Focus Questions:
• What permissions are required for an administrator to approve certificates?
• Which types of templates does key archival work with?
• You have a certificate template that is configured to issue the certificate without CA manager approval. On the CA, manager approval is required. How does the certificate request get approved?
• In addition to selecting auditing events on the CA, what else must you do to enable auditing for CAs?
Video/Demo   Time
7.6.1 Managing CAs   4:53
Number of Exam Questions: 9
Total Time: About 15 minutes
Section 7.7: Certificate Implementations
Summary
This section discusses the following details about implementing certificates:
• The role of a smart card
• Certificate template types:
  o Enrollment Agent
  o Enrollment Agent (computer)
  o Smart Card Logon
  o Smart Card User
• Appropriate permissions are required to request a certificate of a specific type
• Enforcing the use of smart cards using Group Policy and Active Directory
• The role of authentication mechanism assurance (AMA)
• The role of key archival (key escrow or centralized key management)
• Methods to back up private keys on a Windows CA
• Configuring key archival
• The role of Network Device Enrollment Service (NDES)
• Components the NDES uses:
  o Network device
  o Device administrator
  o Registration authority (RA)
• The process for obtaining a certificate for the network device
• Configuring NDES
• Certificate template types:
  o Exchange Enrollment Agent (Offline request)
  o CEP Encryption
  o IPsec (Offline request)
• Details about using NDES
• Certificate roles to manage Active Directory Certificate Services:
  o Certificate template creator
  o Certificate template manager
  o CA manager
  o CA certificate manager
  o Enrollment agent
  o Recovery agent
Students will learn how to:
• Configure certificate templates and CAs for smartcard deployment.
Configuring Windows Server 2008 Active Directory Objectives
• 602. Configure CA server settings.
• 603. Manage certificate templates.
Lecture Focus Questions:
• What is the difference between a Smartcard Logon and a Smartcard User certificate?
• How is the enrollment agent used with smartcards?
• What Group Policy settings control smartcard use?
• What is the purpose of key archival?
• What is the role of the recovery agent in key archival?
• What certificate template and CA settings are required to configure key archival?
• With NDES, what functions are performed by the registration authority?
• What is the certsrv/mscep_admin virtual directory used for?
• Your registration authority has 5 pending requests and will not issue any more passwords for device certificate requests. What options do you have if you need to get a request password immediately?
Video/Demo   Time
7.7.1 Authentication Mechanism Assurance (AMA)   3:06
Lab/Activity
• Create Certificates for Smart Cards
• Require Smart Cards for Logon
Number of Exam Questions: 14
Total Time: About 40 minutes
Section 8.1: Lightweight Directory Services (AD LDS)
Summary
This section presents information about using Lightweight Directory Services (AD LDS) to create a directory store (database) for use by directory-enabled applications:
• The role of Active Directory Lightweight Directory Services (AD LDS)
• Configuring AD LDS
• Tools to manage AD LDS instances:
  o Active Directory Lightweight Directory Services console
  o Adaminstall.exe
  o ADSI Edit
  o Ldp.exe
  o Ldifde
  o Active Directory Schema snap-in
  o Active Directory Sites and Services snap-in
  o ADSchemaAnalyzer
  o Dsacls
• Methods of AD LDS instance configuration:
  o Move an instance
  o Import data into an instance
  o Create a replication schedule
  o Synchronize data
• Binding to an AD LDS instance
• Configuring security principals and binding
Students will learn how to:
• Install and configure an AD LDS instance.
Configuring Windows Server 2008 Active Directory Objectives
• 301. Configure Active Directory Lightweight Directory Service (AD LDS).
Lecture Focus Questions:
• What is an AD LDS instance? What is a configuration set?
• How does AD LDS replicate?
• Which port numbers would you not use if AD LDS and AD DS are running on the same system?
• What tools do you use to create an instance?
• What tools can you use to import or modify the schema of an AD LDS instance?
• How can you synchronize data between AD DS and AD LDS?
Video/Demo   Time
8.1.1 AD LDS   8:50
8.1.3 Installing and Configuring AD LDS   7:44
Number of Exam Questions: 9
Total Time: About 30 minutes
Section 8.2: Federation Services (AD FS)
Summary
This section examines implementing Federation Services (AD FS). Details include:
• The role of Active Directory Federation Services (AD FS)
• Terms to understand for AD FS:
  o Claim
  o Security token
  o Security Token Service (STS)
  o Federation server
  o Federation trust
  o Trust policy
  o AD FS-enabled Web server
• Implementing AD FS
• Role services to choose from during installation:
  o Federation Service
  o Federation Proxy
  o Claims-aware Agent
  o Windows NT Token-based Agent
• Elements of the trust policy you configure for the Federation Service:
  o Organization Claims
  o Account Stores
  o Applications
  o Partner Organizations
• The basic process for configuring AD FS
Students will learn how to:
• Install the AD FS role.
• Configure claims, applications, and account partners.
• Map claims to directory service attributes.
Configuring Windows Server 2008 Active Directory Objectives
• 304. Configure Active Directory Federation Services (AD FS).
Lecture Focus Questions:
• You have users that need to access a Web application in a partner domain. Which domain is the account domain, and which is the resource domain?
• What are the differences between the Federation Service and the Federation Service Proxy?
• What is a claim? What type of information can be included in a claim?
• Which directory services can AD FS use?
• What is the difference between a claims-aware application and a token-based application?
• You have users that need to access a Web application in a partner domain. What type of partner would you configure?
Video/Demo   Time
8.2.1 AD FS   6:35
8.2.3 Configuring AD FS   9:11
Number of Exam Questions: 7
Total Time: About 30 minutes
Section 8.3: Rights Management Services (AD RMS)
Summary
This section provides the following details about Active Directory Rights Management Services (AD RMS):
• The role of Active Directory Rights Management Services (AD RMS)
• The function of usage policies
• Rights that administrators can use to define usage policy templates:
  o Full Control
  o View
  o Edit
  o Save
  o Export
  o Print
  o Forward
  o Reply
  o Reply All
  o Extract
  o Allow Macros
  o View Rights
  o Edit Rights
• Types of licenses:
  o Client license
  o Publishing license
  o Use license
• Components of an AD RMS system:
  o AD RMS server
  o Database server
  o AD DS
  o AD RMS-enabled application
  o AD RMS client
  o AD RMS Add-on for IE
• AD RMS supports trust hierarchies:
  o ISV hierarchy
  o Production hierarchy
• AD RMS consists of the following services:
  o Logging services
  o Web services
• Requirements for Windows Mobile 6 clients
• Hardware and software requirements for AD RMS
• Configuration values to choose during an AD RMS installation:
  o Cluster
  o Database location
  o Service account
  o Cluster key
  o Cluster address
  o Service connection point (SCP)
• Facts regarding AD RMS installation
• Windows PowerShell cmdlet modules that support the AD RMS server role in Windows Server 2008 R2:
  o AD RMS deployment
  o AD RMS administration
• Certificates and licenses that are used by AD RMS:
  o Server Licensor Certificate (SLC)
  o Rights Account Certificate (RAC)
  o Client Licensor Certificate (CLC)
  o Machine Certificate
  o Publishing License
  o Use License
Students will learn how to:
• Install the AD RMS server role.
• Protect content from within an AD RMS-aware application.
Configuring Windows Server 2008 Active Directory Objectives
• 302. Configure Active Directory Rights Management Service (AD RMS).
Lecture Focus Questions:
• What are the basic system components necessary for AD RMS?
• Which component in an AD RMS implementation is responsible for encrypting documents and enforcing the usage policies?
• What is the difference between a root cluster and a licensing-only cluster?
• When should you use the Windows Internal Database for AD RMS? When can you not use it?
• Why should you not use the AD RMS server name as the cluster address?
• Which certificate establishes a user's identity and which certificate specifies rights to protected content?
Video/Demo   Time
8.3.1 AD RMS   5:31
8.3.3 Installing and Configuring AD RMS   8:44
Number of Exam Questions: 12
Total Time: About 35 minutes
Section 9.1: Recovery and Availability
Summary
This section discusses tools that are available for managing disaster recovery and availability:
• Windows Server Backup
• Windows Recovery Environment
• Shadow Copies
• Clustering
• Network Load Balancing
Configuring Windows Server 2008 Active Directory Objectives
• 501. Configure backup and recovery.
Lecture Focus Questions:
• What are the components of the Windows Recovery Environment?
• How does clustering optimize your network service availability?
• What happens when a server in an NLB configuration fails?
Video/Demo   Time
9.1.1 Recovery and Availability   2:40
Total Time: About 5 minutes
Section 9.2: Windows Server Backup
Summary
This section examines using Windows Server Backup to provide backup and recovery for Windows Server 2008 or Windows Server 2008 R2. Details covered include:
• The role of Windows Server Backup
• Windows Server Backup provides ways to run backups:
  o Using the Windows Server Backup MMC snap-in to run wizards for scheduling backups
  o Using Wbadmin from the command prompt
  o Using PowerShell cmdlets to write scripts to perform backups
• Options available in Windows Server Backup:
  o Full Server
  o Critical volumes/Bare metal recovery
  o System state
  o Individual volumes
  o Folders or files
• Storage types that Windows Server Backup can save backups to:
  o Internal disk
  o External disk
  o Shared folder
  o DVD, other optical, or removable media
• Types of backup that can be performed:
  o Automatic backup
  o Manual backup
  o Scheduled backup
  o System state backup
Students will learn how to:
• Install Windows Server Backup.
• Create a backup schedule.
• Perform a Backup Once operation.
Configuring Windows Server 2008 Active Directory Objectives
• 501. Configure backup and recovery.
Lecture Focus Questions:
• Which backup storage type(s) would you choose if you wanted to be able to restore individual folders or files?
• What volumes are always included in scheduled backups? How can you create a backup to exclude these volumes?
• What storage types are available when using automatic backups?
• What happens to a local disk when you designate it for use by Windows Server Backup?
• How can you create automatic backups with a frequency less than once a day?
• Which backup type can only be performed from the command prompt?
Video/Demo   Time
9.2.1 Windows Server Backup   5:27
9.2.2 Using Windows Server Backup   7:22
Lab/Activity
• Back Up a Server
Number of Exam Questions: 2
Total Time: About 35 minutes
Section 9.3: Active Directory Backup and Restore
Summary
In this section students will learn the following about backing up and restoring Active Directory data:
• Details about a system state backup
• Types of restore when restoring Active Directory:
  o Nonauthoritative
  o Authoritative
• Methods for performing a domain controller restore:
  o Dcpromo
  o Restore system state
  o Critical volume or full server restore
• Setting or changing the recovery mode password
• The role of the Active Directory Recycle Bin
• Enabling the Recycle Bin in an existing forest
• Methods to restore lost Active Directory data:
  o LostAndFound container
  o Authoritative restore
  o Active Directory Recycle Bin
  o Database snapshot
  o Default Active Directory policies
• Restoring group memberships
• Backing up and restoring Group Policy data
Students will learn how to:
• Perform an authoritative and nonauthoritative restore using Ntdsutil.
• Reset the Directory Services Restore Mode (DSRM) password.
• Create AD DS snapshots.
Configuring Windows Server 2008 Active Directory Objectives
• 501. Configure backup and recovery.
Lecture Focus Questions:
• Which backup type should you perform if you want to protect Active Directory?
• What are the requirements for performing a system state backup?
• What is the difference between an authoritative and a nonauthoritative restore?
• What is replicated to a restored domain controller after a restore system state operation?
• What is the disadvantage of using the dcpromo /forceremoval command?
• Why might group membership not be restored with an authoritative restore? When would this problem exist, and how can you overcome it?
• Which forest functional level is required for the Active Directory Recycle Bin?
• What are the differences when a deleted object lifetime expires versus when a recycled object lifetime expires?
Video/Demo   Time
9.3.1 Active Directory Restore   4:44
9.3.2 Using ADRM and Ntdsutil   3:18
9.3.4 Active Directory Recycle Bin   4:56
9.3.5 Using Active Directory Recycle Bin   5:58
9.3.7 Taking and Mounting Database Snapshots   6:41
Number of Exam Questions: 17
Total Time: About 45 minutes
Section 9.4: Maintenance and Monitoring
Summary
This section examines tools for maintaining and monitoring a system. Students will learn:




The role of the Restartable Active Directory
The three domain controller states that Restartable AD DS provides:
o AD DS Started
o AD DS Stopped
o Directory Services Restore Mode
The role of Offline Defragmentation
The tools to view and monitor system events and information:
o Event Viewer
o Network Monitor
o Task Manager
o Windows System Resource Manager
o Performance Monitor
o Data Collector Sets (DCS)
o Reliability Monitor
o Resource Monitor
Students will learn how to:



Monitor Active Directory using Server Manager, Event Viewer, and Performance
Monitor
Start and stop AD DS to perform offline maintenance tasks.
Control Group Policy by determining the RSoP.
Configuring Windows Server 2008 Active Directory Objectives
502. Perform offline maintenance.
503. Monitor Active Directory.
Lecture Focus Questions:
What additional tasks are performed during an offline defragmentation when compared to an online defragmentation? Which can be performed using restartable Active Directory?
What are the advantages of using restartable Active Directory?
When would you use Performance Monitor instead of Network Monitor?
What is the relationship of counters to objects?
What is the difference between ReplMon and RepAdmin?
What is the difference between Group Policy Modeling and Group Policy Results? Which would you use if you wanted to see the effects of changing group membership or OU location?
Video/Demo                                            Time
9.4.1 Using Restartable Active Directory              2:04
9.4.4 Using Monitoring Tools                          6:40
9.4.5 Using Reliability Monitor                       4:46
9.4.6 Using Resource Monitor                          3:27
9.4.8 Analyzing Group Policy                          7:03
Number of Exam Questions
10 questions
Total Time
About 40 minutes
Practice Exams
Summary
This section provides information to help students prepare for the exam and register for it.
Students will also have the opportunity to test their mastery of the concepts presented in this course and confirm that they are ready for the certification exam. For example, all questions that apply to Objective 100: Configuring Domain Name System (DNS) for Active Directory are grouped together and presented in the practice exam Objective 100: DNS, All Questions. Students will typically take about 60-90 minutes to complete each of the following practice exams.
Objective 100: DNS, All Questions (50 questions)
Objective 200: Infrastructure, All Questions (68 questions)
Objective 300: Server Roles, All Questions (41 questions)
Objective 400: Objects, All Questions (122 questions)
Objective 500: Maintenance, All Questions (28 questions)
Objective 600: Certificate Services, All Questions (59 questions)
The Certification Practice Exam consists of 42 questions that are randomly selected from the above practice exams. Each time the Certification Practice Exam is accessed, different questions may be presented. The Certification Practice Exam has a time limit of 180 minutes, the same as the real certification exam. A passing score of 95% should verify that the student has mastered the concepts and is ready to take the real certification exam.