70-640 Resources


Comments

  • innotech Registered Users Posts: 1 ■□□□□□□□□□
    Hi there, I'm new on here. I recently took the 70-680 and passed. I have quite a good understanding of AD since working in a 2003 environment for 2 yrs. I wanna do 70-640 but need help finding some accurate resources to make learning a good experience b4 I take the exam.
  • David Morson Banned Posts: 9 ■□□□□□□□□□
    Thanks for providing information and useful resources. I am looking for some exam preparation resources which are free. Have you any online, reliable and free-of-cost resources for 70-640 and other 70 series exams preparation?
  • pentapaadu007 Registered Users Posts: 1 ■□□□□□□□□□
    hey it is nice
  • camit34 Member Posts: 5 ■□□□□□□□□□
    Just getting started on this...bookmarked...!!! Thanks for taking the time to put this together!
  • SephStorm Member Posts: 1,731 ■■■■■■■□□□
    What are good books for beginner, intermediate, and advanced server 2008 R2 books? I have mostly helpdesk level experience using server 2008, mostly dealing with AD, creating users, computers, groups, etc. No domain level group policy, WSUS, etc.
  • kriscamaro68 Member Posts: 1,186 ■■■■■■■□□□
    SephStorm wrote: »
    What are good books for beginner, intermediate, and advanced server 2008 R2 books? I have mostly helpdesk level experience using server 2008, mostly dealing with AD, creating users, computers, groups, etc. No domain level group policy, WSUS, etc.

    Amazon.com: Group Policy: Fundamentals, Security, and the Managed Desktop (9780470581858): Jeremy Moskowitz: Books

    Amazon.com: Windows Server 2008 R2 Unleashed (9780672330926): Rand Morimoto, Michael Noel, Omar Droubi, Ross Mistry, Chris Amaris: Books
  • damills Member Posts: 1 ■□□□□□□□□□
    Hi, does anyone know a good study guide out there? I recently took my 70-640 and I failed it with a 593; I used ucertify. Has anyone used a study guide that helped them pass it?
  • netsysllc Member Posts: 479 ■■■■□□□□□□
    All of the resources in the thread have good stuff; setting up a lab and reviewing the technologies in TechNet are very helpful.
  • sharpy56 Member Posts: 106 ■■■□□□□□□□
    Hi Claymore,

    I was just wondering if there are any sites/books that you would recommend using to do labbing etc. Not knowing about the technology is difficult in some areas just to dive straight into a lab (what would you suggest in learning this?)
  • chicharito Registered Users Posts: 2 ■□□□□□□□□□
    Hi,
    Please can I get suggestions on the best way to prepare for the 70-640 exam. I have a book for it. What do I need to use to simulate the environment where I can practice? I'd appreciate your suggestions. Thanks
  • RomBUS Member Posts: 699 ■■■■□□□□□□
    Try following some CBT Nugget videos, really good for watching some lab material, and you can kind of follow along with the video as he talks
  • horusthesun Member Posts: 289
    thank you for this!
  • kurosaki00 Member Posts: 973
    Anyone know if the 72 (student version) are still available?
    meh
  • crystalgeek Registered Users Posts: 2 ■□□□□□□□□□
    Hi All,

    I'll be taking this exam today and thought I'd share my '**** Sheet' with you. It's basically a collection of notes etc I've made as I've studied on things I think are important to remember. Maybe we can add to it as a community

    Command Line Tools

    Tool: Description

    • Dsadd
      • Creates an object in the directory
    • Dsget
      • Returns specified attributes of an object
    • Dsmod
      • Modifies specified attributes of an object
      • Modify the UPN for multiple users
    • Dsrm
      • Removes an object and all sub trees
    • Dsquery
      • Performs Active Directory query
    • CSVDE
      • Uses .CSV files for importing large number of accounts
    • LDIFDE
      • Uses ldif files for importing large number of accounts
      • Create a PSO
    • Dsmgmt
      • Configure roles/admin on RODC
    • Dnscmd
      • Configure DNS partitions
      • Configure GlobalNames Zones
    • Dnslint
      • Test DNS records for AD Replication
    • NTDSUTIL
      • Seize FSMO
      • Create AD Partition
    • Dcdiag
      • Diagnose DC issues/replication
    • Diskpart
      • Basic disk conversion (i.e. basic to dynamic)
    • Dsdbutil
      • Create installation media that corresponds only to the AD LDS instance for backup


    MMC’s and Other Tools

    Tool: Management Options

    • ADSIEdit
      • View, create, modify and delete AD LDS objects. Includes accounts, OU’s, groups.
    • Ldp.exe
      • General admin on any LDAP service (including AD DC and AD LDS)
      • Create a new application directory in existing instance
    • Active Directory Schema snap-in (schmmgmt.mmc)
      • View and manage objects in the schema
    • Active Directory Sites and Services snap-in
      • Connect to AD LDS instance.
      • Admin directory data replication.
      • Configure GlobalCatalog Servers
      • Universal Group Membership Caching
      • Modify Intersite replication schedule
      • Configure sites and subnets
    • PKIView
      • Monitoring and troubleshooting multiple CA’s
    • Certificate Templates
      • Configure Cert Templates:-
      • Create/Duplicate
      • Modify Properties (Validity/key archival)
      • Configure Policies (enrolment/issuing)
      • Allowing autoenrollment
      • Create Template that allows Key Archiving
    • Certificate Authority
      • Enable use of Template
      • Enrollment Agents tab (Restrict Enrollment Agents)
      • Key Archival
      • Manage security/roles
      • Backup certificate database
      • Restore certificate database
      • Revoke Certificate
      • Configure CRL publication interval
      • Manage CRL Distribution Point/s (CDP)
      • Manage AIA
    • Certutil
      • Recover Archived Keys
    • Certificates (Console)
      • Backup Certificates (Machine/User)
      • Restore Certificates (Machine/User)
    • Online Responder Management snap-in
      • Configure Online Responder
      • Configure OR Array and Revocation Config
    • ADFS snap-in
      • Configure ADFS or ADFS server farm
      • Manage trust policies
      • Configure federation trusts
      • Creating claims/account stores
      • Enabling applications
    • Active Directory Users and Computers
      • RODC Password Replication Policy
      • Raise/View Domain Functional Level
    • Active Directory Domains and Trusts
      • Add UPN Suffix
      • Create and manage trusts
      • Raise/View Forest Functional Level
    • Security Configuration and Analysis
      • Allows comparing local settings against an imported ini
    • DNS Manager
      • DNS Stuff
      • Debug Logging
    • DFS Management
      • DFS Replication/Namespaces
    • Security Templates
      • Save custom security policies
    • Performance Monitor
      • Create server performance baseline
      • Identify bottlenecks
      • Alert to events



    Notes:
    • Server 2008 introduces V3 Certificate Templates
    • Windows 2000/XP/2003 can only use V1 and V2 certs for web enrolment
    • Network Device Enrollment Service
    • Web Enrollment and Online Responder require IIS
    • Certificate Enrollment Web Service is not real-time with changes made to templates. There is a 30 minute polling setting. To force this, reset IIS
    • Certificate Templates include a discretionary access control list – defines users and groups that can read and configure template as well as enrol/auto-enrol cert’s based on template
    • V1 Templates – read only
    • V2 supported by XP/2003 and later – allow auto enrolment
    • V3 supported on vista and later
    • Key Recovery Agent
      • Cert Template snap-in – Key Recovery Agent Template (Enable Read/Enrol for KRA User)
      • Certificate Authority snap-in – Enable Template
      • Enrol (Web)
    • Smart Cards require an enrolment agent and card-writer
      • Enrollment agent certificate required
    • From certificates console use Certificate Export Wizard to backup certificates
    • From certificates console use Certificate Import Wizard to restore certificates
    • Wbadmin system state will backup certificate database
    • To restore CA you must stop AD CS
    • Vista/2008 introduced Online Responder
    • AIA – Authority Information Access
      • Extension applied to CA
      • Points to URL for issuing CA’s certificate
      • Needed for Online Responder service
    • Federation Services
      • Company hosting application – ‘resource partner’
      • Company being trusted – ‘account partner’
      • Applications involved – ‘federated applications’
    • A ‘resource partner’ can have multiple account partners
    • Federation services use tokens
    • Federation services requires 2008 Ent or Datacentre
    • A ‘claim’ is a statement made about a client (name/identity/key etc.)
    • An account store stores user accounts that ADFS must authenticate for using federated applications
    • Trust policies enable users to share documents protected in AD RMS
    • AD FS snap-in
      • Administer account stores in AD DS or AD LDS
      • Manage partners that will trust your company
        • Account partners and resource partners
      • Manage claims and certificates used by federation servers and web applications (AD FS)
    • AD FS Claims/Account Stores
      • Creating Claims
        • AD FS snap-in
        • Trust Policy
        • My Organization
      • Creating Account Stores
        • AD FS snap-in
        • Account Stores
        • New Account Store
      • Enabling Applications
        • AD FS snap-in
        • Applications
        • New Application
      • Federation Trusts
        • AD FS snap-in
        • Partner Organizations node
        • New Account Partner/New Resource Partner
    • Csvde -f will export AD objects to .csv
    • Csvde -i -f will import AD objects that don’t already exist (-k will process without error)
    • Remove Roles Wizard can’t be used to remove AD DS. You must use dcpromo
    • You can run AD LDS without a DC or DNS
    • DNS stores its data in an Application Partition in AD
    • You can only install AD CS Enterprise on a DC
    • AD RMS client required on Windows 2000 and XP
      • Windows 2000 must have SP4
      • Windows Vista must have SP2
      • Vista has client by default
    • A RODC must have the following
      • Forest Functional Level at least 2003
      • PDC Emulator running on Server 2008
      • One 2008 DC Exists
      • If upgrading from 2003 run adprep /rodcprep
    • RODC partnered with a writeable (2008) DC
    • RODC Password replication policy must be configured on writable DC
      • AD Users and Computers
      • RODC Properties
      • Password Replication Policy Tab
    • You can use the above to pre-populate password cache
    • Group Policy Applications
      • Assign
        • To User or Computer
        • Shows in Start Menu or File Association
      • Publish
        • To User
        • Shows in Control Panel or File Association
      • If Assigned :-
        • User - Installed on Login
        • Computer – Installed on Boot
    • Configure DNS after RODC install – DNSCMD /enlistdirectorypartition
    • Check AD Recycle Bin – Powershell (Get-ADOptionalFeature)
    • Audit Before/After account changes – Audit Directory Services Changes – Auditpol (Tool)
    • Add DC to replication scope – dnscmd /createdirectorypartition
    • /resourcesACL only applies to Win 7/2008 R2 and above
    • Forest trusts require 2003 forest functional level
    • DSAmain command fails
      • Port needs to be 40000 or higher
    • Use repadmin /syncall to replicate changes immediately
    • UPN Suffix available at 2000 Forest Level
    • DFSR only available in 2008 Domain functional level
    • Administering ADMX files from client only available to Win 7 and higher
    • If an Intermediate CA Cert expires, renew the certificate and import into Intermediate store on Intermediate CA.
    • If you see SID on folder permissions instead of names
      • Move Infrastructure Master role. This is because the Infrastructure master refers to the global catalog.
    • RODC can be deployed in a 2003 Forest Functional Level
    • RAID 5 is data striping with parity
    • To replicate AD LDS instance to another location – Create and Install a replica by running AD LDS Setup Wizard
    • To ensure device certificate requests use MD5 – Modify registry on NDES server
    • Global Names Zones only available after running DNSCMD
    • Global Catalog Servers are required to validate Universal Group Memberships
    • Global Catalog contains
      • Index of forest objects
      • Can be on any DC
      • Hosts multi-domain groups
      • Deals with UGMC
      • Needs at least one per domain
      • Removed via Active Directory Users and Computers
      • Required for UPN
    • When creating a new tree or child domain the server must be able to contact the Domain Naming Master
    • When creating new users or groups you must be able to contact the infrastructure master and have RID’s available.
    • For server 2000 DNS to receive conditional forwarder replication you must choose ‘All Domain Controllers in This Domain’ option
    • SMTP is used for Inter Domain replication. Requires a CA.
    • Site Link Costs – Lower is a fast link
    • The cost of a site link is the sum of all links contained within a bridge
    • KCC replicates site topology
    • Intersite replication default is 3 hours
    • Minimum intrasite replication schedule is every 15 minutes
    • Monitoring and Troubleshooting Replication Issues
      • Event Viewer
      • Active Directory Replication Monitor (replmon)
      • Active Directory Replication Administrator (repadmin)
    • Each AD LDS can have its own schema
    • AD LDS can be managed with the following tools
      • Active Directory Services Interface snap-in
      • LDP.exe
      • Active Directory Schema snap-in
      • Active Directory Sites and Services
    • RID Master (Relative Identifier)
      • Allocates pools in 500’s
      • Is the sequential numbers used by SID’s
    • PDC Emulator
      • Backwards compatibility for NT4 Domains
      • Time clock for domains
      • Final Authority on Passwords
      • Used by DFS for changes
      • Auto default for GPO Editing
    • Infrastructure Master
      • Keeps changes to object references consistent across forest
      • Tracks changes and moves across all domains
    • 2008 Domain Functional Level
      • Required for AES
      • Fine Grained Password policies
      • DFS replication for SYSVOL
    • Forest level 2003 + allows domain name re-names
    • External Trusts are used to connect to NT4
    • Short SID’s are local accounts
    • PSO are applied to Users and Groups and not OU’s
      • To apply to OU’s you’d have to use a shadow group
    • PSO over-ride the default domain policy
    • When using multiple PSO’s
      • Application order is determined by password settings precedence
        • This is a number of 1 or greater
          • Lowest number is used
          • Lowest GUID will be used
    • Server 2008 Auditing Change
      • Active Directory Service Access
        • Can now record what has changed
    • To enable Audit Changes – auditpol /set /subcategory…….
    • To compare security settings (ini) with command line
      • Secedit /validate
    • Group policy default refresh rate is 90 – 120 minutes – can be changed in GPO
    • Group Policy Loopback Processing
      • Replace
        • GPO List for the user is replaced by the GPO list for the computer
      • Merge
        • Computer Settings are applied after user settings
    • Group Policy loopback is used so that user settings can be applied to OU’s – i.e. apply printer only to certain computers.
    • Starter Group Policy Objects
      • A template used to create new group policies
    • Global Catalogs are also known as Partial Attribute Sets (PAS)
      • Are a replica of all objects in the forest
      • Read only
      • Changes in domain (AD) partition are copied to GC partition
      • GC is forest wide
    • ADMT (Active Directory Migration Tool) – is supported on 2008 R2 only
    • AD LDS – Ensure replication you must create a service user on each server
    • AD LDS – Each instance runs as a separate computer service
    • To use Filtered Attribute Set – Forest Functional Level must be 2008
      • FILTERED set on schema master not ‘filtered attribute set’
    • DNSSEC is available with 2008 R2 (on the DNS Server not DC)
    • To modify the UPN suffix for all users use DSMOD
    • If auditing is configured already on an OU then ‘modify the auditing entry’
    • UGMC is configured at – Active Directory Sites and Services > NTDS Site Settings
    • To ensure DC’s only replicate between adjacent sites disable site link bridging
    • AD RMS – To modify the password used by AD RMS User account use ‘AD RMS Tool’


    • Forest Trust Types
      • Transitive
        • Trust domains that your parent domain trusts
      • Forest Trust – used to share resources between forests. Transitive by default.
        • Two-way
          • Both domains can be authenticated in each other domain
        • One-way incoming
          • Users in your domain (creation domain) can be authenticated in the other domain
        • One-way outgoing
          • Users in other domain can be authenticated in your domain
      • External Trust
        • One-way, non-transitive – used primarily with 2000 Domain Functionality
      • Realm Trust
        • Non-AD trust
      • Shortcut trust
        • Trust across forests one-to-one between 2 domains/sub domains (Bypass transitive links)
    • Trust Authentication Scope
      • Domain-wide authentication—Available in the case of external trusts, this option permits unrestricted access by any users in the trusted domain to all available shared resources in the trusting domain, according to sharing and security permissions attached to the resources. It is the default option for external trusts.
      • Forest-wide authentication—Available in the case of forest trusts, this option permits unrestricted access by any users in the trusted forest to all available shared resources in any domain of the trusting forest, according to sharing and security permissions attached to the resources. It is the default option for forest trusts. Microsoft recommends the domain-wide and forest-wide options for trusts within the same organization only.
      • Selective authentication—This option does not create any default authentication. It enables you to specify the users and groups from a trusted forest who are permitted to authenticate to servers containing resources in the trusting forest. Microsoft recommends this option for trusts that involve separate organizations, such as contractor relationships.
        • It improves security by limiting the quantity of authentication requests that can pass through the trust.
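
Added example, not part of crystalgeek's post: a small Python model of the PSO selection rules listed in the notes above (lowest precedence number, then lowest GUID), used to flag accounts whose effective minimum password length falls below a baseline. The rule that a PSO linked directly to a user beats any group-linked PSO is documented Windows behaviour the notes do not mention; the PSO names, GUIDs, lengths, domain default and the integer GUID comparison are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence, must be 1 or greater
    guid: UUID             # objectGUID, used only to break precedence ties
    min_length: int        # one representative setting carried by the PSO
    applies_to: frozenset  # user or global security group names, never OUs


def _winner(candidates: Iterable[PSO]) -> PSO:
    # Lowest precedence number wins; on a tie the lowest GUID wins.
    # Assumption: GUIDs are compared as 128-bit integers.
    return min(candidates, key=lambda p: (p.precedence, p.guid.int))


def resultant_pso(user: str, groups: Iterable[str], psos: Iterable[PSO]) -> Optional[PSO]:
    """Return the single PSO that applies to the user, or None for the domain default."""
    psos = list(psos)
    if any(p.precedence < 1 for p in psos):
        raise ValueError("precedence must be 1 or greater")
    direct = [p for p in psos if user in p.applies_to]
    if direct:                       # a PSO linked to the user beats any group PSO
        return _winner(direct)
    member_of = set(groups)
    via_group = [p for p in psos if p.applies_to & member_of]
    return _winner(via_group) if via_group else None


def weak_accounts(users: dict, psos: Iterable[PSO], baseline: int, domain_default: int) -> list:
    """List (user, policy name, min_length) where the effective minimum is below baseline."""
    psos = list(psos)
    findings = []
    for user, groups in sorted(users.items()):
        pso = resultant_pso(user, groups, psos)
        name, length = (pso.name, pso.min_length) if pso else ("Default Domain Policy", domain_default)
        if length < baseline:
            findings.append((user, name, length))
    return findings


# Constructed sample data, not taken from any real directory.
PSOS = [
    PSO("Admins-Strict", 10, UUID(int=0x0A), 15, frozenset({"Domain Admins"})),
    PSO("Helpdesk", 20, UUID(int=0x20), 12, frozenset({"Helpdesk"})),
    PSO("Contractors", 20, UUID(int=0x1F), 10, frozenset({"Contractors"})),
    PSO("Legacy-Svc", 50, UUID(int=0x30), 8, frozenset({"svc_backup"})),
]
USERS = {
    "alice": ["Domain Admins", "Helpdesk"],
    "bob": ["Helpdesk", "Contractors"],
    "carol": ["Domain Users"],
    "svc_backup": ["Domain Admins"],
}

if __name__ == "__main__":
    for finding in weak_accounts(USERS, PSOS, baseline=12, domain_default=7):
        print(finding)
```

In the sample, svc_backup is a Domain Admins member but ends up with the weakest PSO because it is linked to the account directly, which is the kind of override a password policy review should look for.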
  • Chev Chellios Member Posts: 343 ■■■□□□□□□□
    Nice summary there crystal geek, there is a lot to go through for this exam, it is a beast! Good luck with it dude and let us know how you get on :)
  • crystalgeek Registered Users Posts: 2 ■□□□□□□□□□
    Winner whoop - 792
  • Sintacks Registered Users Posts: 1 ■□□□□□□□□□
    Thanks CrystalGeek. Grats on passing. I will be writing mine at the end of next month. I'd love to know what other material you used to study and how long you studied for. I am thinking of ordering the MS Press books through our MS account manager at my office. Did you use the MS Press material or something else? TIA.... and thanks so much for the **** sheet!
  • TheMontu Member Posts: 44 ■■□□□□□□□□
    Really finding it hard to figure out which books to order....if you could only have two books to prepare which books would you get?
  • its so simple Registered Users Posts: 3 ■□□□□□□□□□
    TheMontu wrote: »
    Really finding it hard to figure out which books to order....if you could only have two books to prepare which books would you get?

    I was wondering the same. Any guidance would be appreciated. TIA.
  • conkistador Registered Users Posts: 1 ■□□□□□□□□□
    THANKS. But I'm a newcomer in it, plz can u advise me on the strategy to face those exams? I've just about 3 months to complete them, really need u plz. Take care
  • ClapDemCheeks Member Posts: 77 ■■□□□□□□□□
    Are these resources supplemented with Train Signal/CBT Nuggets enough to pass 640?
  • SkyDiver069 Member Posts: 6 ■□□□□□□□□□
    For those who might be trying to cram in material for the 2008 R2 exams so that they can take advantage of the "2nd Shot" promo, so far I've found these videos to be pretty good! In my case, I had taken the first three 2008 training courses years back with members of a local MS Server group, and we all got burned when MS flipped the exams to R2 material on us. This is when I opted to put any MS courses on hold for a while, until I caught a couple agencies getting 'hot' for even a server MCP/MCITP on the cv. That's when I said what the heck, I might as well take another shot, if a backup exists. So, I've been cramming material in today because of that decision. https://www.youtube.com/playlist?list=PLBBA04BF566F0E0D6