Exam Profile: MCTS: Windows Server 2008 Active Directory, Configuring (70-640)
Date: Sep 29, 2010
The TS: Windows Server 2008 Active Directory, Configuring (70-640) exam covers Microsoft Active Directory. By passing this exam, you are certified as a Microsoft Certified Technology Specialist (MCTS): Windows Server 2008 Active Directory, Configuration. It also counts as part of the higher-level certifications Microsoft Certified IT Professional (MCITP): Enterprise Administrator and Microsoft Certified IT Professional (MCITP): Server Administrator.
Corporations that use Windows as their standard operating system are most likely using Active Directory to provide authentication, which is a major part of most security systems along with authorization and auditing. Therefore, if you are going to support these Windows users, you can benefit greatly by thoroughly understanding Active Directory.
The 70-640 exam covers logically organizing your network resources, including users, groups, computers, and printers. This may include defining sites, assigning users and computers to groups, and creating and managing shared printers published in Active Directory. However, some of the greatest abilities come from the advanced features included in Active Directory, such as group policies and assigning and managing digital certificates.
Exam Details
- 65 questions (Note: Microsoft does not publish this information and may change the number of questions without notice.)
- Multiple choice and simulations
- Passing score 700 out of 1000.
- 90-120 minutes
- You can take the exam at Prometric.
- The complete listing of exam objectives appears on page 2 of this article.
Trouble Spots
For those users who have taken or studied for the Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure (70-294) exam, Active Directory has not changed significantly. Of course, the updated Active Directory has been expanded with new group policy settings, including the addition of Preferences, and it introduces read-only domain controllers, Active Directory Rights Management Service, and Active Directory Federation Services.
While many help desk personnel may manage users, groups, computers, and printers, few will be exposed to creating and managing group policies and certificate services. Group policies are one of the most powerful tools included with Active Directory and allow you to customize the Windows environment, enforce security settings, and install software. Unfortunately, group policies have so many settings that many thorough books will set aside multiple chapters to cover this feature.
Certificate services allow you to assign digital certificates to be used with computer authentication and IPSec encryption. However, to get the most out of certificate services, you will need to set up a server with Windows Server 2008 Enterprise edition. The Enterprise edition is necessary if you want to set up auto-enrollment and auto-renewal of digital certificates.
Preparation Hints
For any exam, always go to the source, which in this case is the Microsoft 70-640 exam page. The exam objectives are listed later in this article as well as posted at the Microsoft site. You need to look at the objectives and rank them for what you think you know and what you think you need to learn. If the objectives are totally foreign to you, don’t be discouraged. You have a lot of work ahead of you, but remember that everyone in Information Technology had to start somewhere.
If you want to learn the material, you need to create a network (virtual or physical) with a server running Windows Server 2008 Enterprise Edition and at least one Windows 7 client. After you create organizational units, users, computers, groups, and printers, you will need to implement group policies, install certificate services, and push out digital certificates. You also need to practice the maintenance and recovery commands associated with Active Directory, including ntdsutil.exe, replmon.exe, and RepAdmin, and know how to restore Active Directory from backup.
Next, don’t be afraid to get on the Internet and research some of the topics. Again, take smaller steps so that you are not overwhelmed. Whenever possible, you want to use Microsoft websites because the exam comes from Microsoft.
Also look at your local schools. Many schools have excellent programs and include hands-on classes. Remember that most people in the technical field learn best hands-on.
Recommended Study Resources
MCTS 70-640 Cert Flash Cards Online: Windows Server 2008 Active Directory, Configuring by Patrick Regan, published March 2009 by Pearson IT Certification.
MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring by Don Poulton, publishing January 2011 by Pearson IT Certification.
MCTS 70-640 Exam Objectives
These exam objectives are reprinted with permission from Microsoft. Please check the Microsoft website to get the most up-to-date information.
This exam measures your ability to accomplish the technical tasks listed below. The percentages indicate the relative weight of each major topic area on the exam.
Configuring Domain Name System (DNS) for Active Directory (17 percent)
- Configure zones.
May include but is not limited to: Dynamic DNS (DDNS), Non-dynamic DNS (NDDNS), and Secure Dynamic DNS (SDDNS); Time to Live (TTL); GlobalNames; Primary, Secondary, Active Directory Integrated, Stub; SOA; zone scavenging; forward lookup; reverse lookup
- Configure DNS server settings.
May include but is not limited to: forwarding; root hints; configure zone delegation; round robin; disable recursion; debug logging; server scavenging
- Configure zone transfers and replication.
May include but is not limited to: configure replication scope (forestDNSzone; domainDNSzone); incremental zone transfers; DNS Notify; secure zone transfers; configure name servers; application directory partitions
Configuring the Active Directory infrastructure (17 percent)
- Configure a forest or a domain.
May include but is not limited to: remove a domain; perform an unattended installation; Active Directory Migration Tool (ADMT); change forest and domain functional levels; interoperability with previous versions of Active Directory; multiple user principal name (UPN) suffixes; forestprep; domainprep
- Configure trusts.
May include but is not limited to: forest trust; selective authentication vs. forest-wide authentication; transitive trust; external trust; shortcut trust; SID filtering
- Configure sites.
May include but is not limited to: create Active Directory subnets; configure site links; configure site link costing; configure sites infrastructure
- Configure Active Directory replication.
May include but is not limited to: DFSR; one-way replication; Bridgehead server; replication scheduling; configure replication protocols; force intersite replication
- Configure the global catalog.
May include but is not limited to: Universal Group Membership Caching (UGMC); partial attribute set; promote to global catalog
- Configure operations masters.
May include but is not limited to: seize and transfer; backup operations master; operations master placement; Schema Master; extending the schema; time service
Configuring Active Directory Roles and Services (14 percent)
- Configure Active Directory Lightweight Directory Service (AD LDS).
May include but is not limited to: migration to AD LDS; configure data within AD LDS; configure an authentication server; Server Core Installation
- Configure Active Directory Rights Management Service (AD RMS).
May include but is not limited to: certificate request and installation; self-enrollments; delegation; create RMS templates; RMS administrative roles; RM Add-on for IE
- Configure the read-only domain controller (RODC).
May include but is not limited to: replication; Administrator role separation; read-only DNS; BitLocker; credential caching; password replication; syskey; read-only SYSVOL; staged install
- Configure Active Directory Federation Services (AD FSv2).
May include but is not limited to: install AD FS server role; exchange certificate with AD FS agents; configure trust policies; configure user and group claim mapping; import and export trust policies
Creating and maintaining Active Directory objects (18 percent)
- Automate creation of Active Directory accounts.
May include but is not limited to: bulk import; configure the UPN; create computer, user, and group accounts (scripts, import, migration); template accounts; contacts; distribution lists; offline domain join
- Maintain Active Directory accounts.
May include but is not limited to: manage computer accounts; configure group membership; account resets; delegation; AGDLP/AGGUDLP; deny domain local group; local vs. domain; Protected Admin; disabling accounts vs. deleting accounts; deprovisioning; contacts; creating organizational units (OUs); delegation of control; protecting AD objects from deletion; managed service accounts
- Create and apply Group Policy objects (GPOs).
May include but is not limited to: enforce, OU hierarchy, block inheritance, and enabling user objects; group policy processing priority; WMI; group policy filtering; group policy loopback; Group Policy Preferences (GPP)
- Configure GPO templates.
May include but is not limited to: user rights; ADMX Central Store; administrative templates; security templates; restricted groups; security options; starter GPOs; shell access policies
- Deploy and manage software by using GPOs.
May include but is not limited to: publishing to users; assigning software to users; assigning to computers; software removal; software restriction policies; AppLocker
- Configure account policies.
May include but is not limited to: domain password policy; account lockout policy; fine-grain password policies
- Configure audit policy by using GPOs.
May include but is not limited to: audit logon events; audit account logon events; audit policy change; audit access privilege use; audit directory service access; audit object access; advanced audit policies; global object access auditing; “Reason for Access” reporting
Maintaining the Active Directory environment (18 percent)
- Configure backup and recovery.
May include but is not limited to: using Windows Server Backup; back up files and system state data to media; backup and restore by using removable media; perform an authoritative or non-authoritative restore; linked value replication; Directory Services Recovery Mode (DSRM); backup and restore GPOs; configure AD recycle bin
- Perform offline maintenance.
May include but is not limited to: offline defragmentation and compaction; Restartable Active Directory; Active Directory database mounting tool
- Monitor Active Directory.
May include but is not limited to: event viewer subscriptions; data collector sets; real-time monitoring; analyzing logs; WMI queries; PowerShell
Configuring Active Directory Certificate Services (15 percent)
- Install Active Directory Certificate Services.
May include but is not limited to: certificate authority (CA) types, including standalone, enterprise, root, and subordinate; role services; prepare for multiple-forest deployments
- Configure CA server settings.
May include but is not limited to: key archival; certificate database backup and restore; assigning administration roles; high-volume CAs; auditing
- Manage certificate templates.
May include but is not limited to: certificate template types; securing template permissions; managing different certificate template versions; key recovery agent
- Manage enrollments.
May include but is not limited to: network device enrollment service (NDES); auto enrollment; Web enrollment; extranet enrollment; smart card enrollment; authentication mechanism assurance; creating enrollment agents; deploying multiple-forest certificates; x.509 certificate mapping
- Manage certificate revocations.
May include but is not limited to: configure Online Responders; Certificate Revocation List (CRL); CRL Distribution Point (CDP); Authority Information Access (AIA)
Where to Go from Here
If you are taking the 70-640 exam, you are most likely planning to take additional exams to complete the MCITP: Server Administrator or the MCITP: Enterprise Administrator.
Have you taken the TS: Windows Server 2008 Active Directory, Configuring exam? Share your experiences by posting to the MCTS thread in our forums.