Microsoft - Testking.70 646.v2012!04!09.by - Vcp5guy.129q

70-646 - Windows Server 2008, Server Administrator
Passing Score: 700 Time Limit: 210 min File Version: 1.0
Microsoft Exams - Just Another All in One TestKing Sites This practice exam has explanations for all questions so that you can understand all concepts. http://www.aiotestking.com/microsoft
Sections 1. Exam A 2. Exam B 3. Exam C 4. Exam D 5. Exam E 6. Exam F
Exam A QUESTION 1
You are an Enterprise administrator for TestKing.com. The corporate network of the company consists of 200 Windows Server 2008 servers. The company has recently decided to open a new branch office and moved 75 Windows Server 2008 servers from the existing office to the new network segment. Which of the following options would you choose to change the TCP/IP addresses on the 75 servers that have been moved to the new branch office by using the minimum amount of administrative effort?
A.
Use ServerManagerCMD tool and run it on the administrators client computer. B. Use the Netsh tool and run it on the administrators client computer. C. Use Remote Desktop to connect to each server to make the changes. D. Visit each server to make the changes.
Answer: B Section: Exam A Explanation/Reference:
To change the TCP/IP addresses on the 75 servers that have been moved to the new branch office by using the minimum amount of administrative effort, you need to run the Netsh tool from an administrators client computer. You can use NETSH to make dynamic IP address changes from a static IP address to DHCP simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP Address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when youre working on networks without DHCP and have a mobile computer that connects to multiple networks, some of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows Automatic Public IP Addressing. Reference: 10 things you should know about the NETSH tool / #4: Using NETSH to dynamically change TCP/IP addresses
QUESTION 2
You are an Enterprise administrator for contoso.com. The corporate network of the company runs 28 Windows Server 2008 servers and two Windows Server 2003 servers. One of the Windows Server 2003 servers called contosoServer1 hosts an application called App1 and another Windows Server 2003 server called contosoServer2 hosts the application called App2. The App1application uses the 32-bit installation of Windows Server 2003 and App2 application uses the 64-bit installation of Windows Server 2003. You need to run both the applications on Windows Server 2008 server. Which of the following options would you choose for replacing the servers that host App1 and App2 in the minimum cost amount? (Select three. Each correct answer will present a part of the solution.)
A.
Install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition.
B. C.
D. E. F. G.
Install two new servers that run 64-bit versions of Windows Server 2008 Enterprise Edition. Install two new servers. On one of the servers install the 32-bit version of Windows Server 2008 Enterprise Edition and install the 64-bit version of Windows Server 2008 Enterprise Edition on the other server. Install the Hyper-V feature on the server(s). Install Windows System Resource Manager (WSRM) on the server(s). Install App1 and App2 in separate child virtual machines. Install App1 on the 32-bit server. Install App2 on the 64-bit server.
Answer: ADF Section: Exam A Explanation/Reference:
For replacing the servers that host App1 and App2 in the minimum cost amount, you need to install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. Install the Hyper-V feature on the new server. Install App1 and App2 in separate child virtual machines. Hyper-V consists of a 64-bit hypervisor that can run 32-bit and 64-bit virtual machines concurrently. Therefore you need to install just one Windows Server 2008 to run these two applications. You can then install Hyper V feature that would allow you to create virtual machines and run both the applications as desired. Hyper-V virtualization works with single and multi-processor virtual machines and includes tools such as snapshots, which capture the state of a running virtual machine.
QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company runs two Windows Server 2008 servers. You have been asked to configure the Windows Server 2008 servers in such a way that they support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails. Which of the following options would you choose to accomplish this task? (Select two. Each correct answer will present a part of the solution.)
A. B.
Install a full installation of Windows Server 2008 Standard Edition on the servers. Install a full installation of Windows Server 2008 Enterprise Edition on the servers. C. Install a Server Core installation of Windows Server 2008 Enterprise Edition on the servers. D. Configure Network Load Balancing on the servers. E. Configure failover clusters on the servers.
Answer: BE Section: Exam A Explanation/Reference:
To configure the Windows Server 2008 servers in such a way that they support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails, you need to install a full installation of Windows Server 2008
Enterprise Edition on the servers. Configure failover clusters on the servers. Failover clustering is a process in which the operating system and SQL Server 2008 work together to provide availability in the event of an application failure, hardware failure, or operating-system error. Failover clustering provides hardware redundancy through a configuration in which mission-critical resources are transferred from a failing machine to an equally configured server automatically. Reference: SQL Server 2008 Pricing and Licensing/ PASSIVE SERVERS / FAILOVER SUPPORT http://download.microsoft.com/download/1/e/6/1e68f92c-f334-4517-b610e4dee946ef91/2008%20SQL%20Licensing%20Overview%20final.docx.
QUESTION 4
You are an Enterprise administrator for contoso.com. The company has a head office and five branch offices. The corporate network of the company consists of a single Active Directory domain. Each office contains Windows 2000 Server domain controller and Windows Server 2008 member servers. The physical security of the member servers was not reliable and servers could be attacked. Therefore, you decided to implement Windows BitLocker Drive Encryption (BitLocker) on the member servers. Which of the following options would you choose to ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on the member servers and store the recovery information at a central location? (Select two. Each correct answer will present a part of the solution.)
A. B. C. D. E. F.
Upgrade all domain controllers to Windows Server 2008. Upgrade the domain controller that has the schema master role to Windows Server 2008. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to Windows Server 2008. Use Group Policy to configure Public Key Policies. Use Group Policy to enable a Data Recovery Agent (DRA). Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.
Answer: AF Section: Exam A Explanation/Reference:
To ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on the member servers and store the recovery information at a central location, you need to upgrade all domain controllers to Windows Server 2008. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory. By default, no recovery information is backed up. Administrators can configure Group
Policy settings to enable backup of BitLocker or TPM recovery information. All user interfaces and programming interfaces within BitLocker and TPM Management features will adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) will be automatically backed up to Active Directory whenever this information is created and changed. Reference: BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory http://technet.microsoft.com/en-us/library/cc766015.aspx
QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain that contain 100 Windows Server 2003 physical servers having 64-bit hardware. The company has given you the responsibility to consolidate the 100 physical servers into 30 Windows Server 2008 physical servers and send the remaining physical servers to the new branch office that plans to open shortly. Which of the following options would you choose to achieve the desired goal while ensuring the maximum resource utilization by using existing hardware and software? You also need to ensure that your solution would support 64-bit child virtual machines and maintain separate services among the servers.
A.
Install the Hyper-V feature on the existing hardware. Then convert the physical machines into virtual machines. B. Install the Microsoft Virtual PC. Then convert the physical machines into virtual machines. C. Create the necessary host (A) records after consolidating services across the physical machines. D. Install Microsoft Virtual Server 2005 R2 on the existing hardware after installing Windows Server 2008 on them. Then convert the physical machines into virtual machines.
Answer: A Section: Exam A Explanation/Reference:
To ensure the maximum resource utilization by using existing hardware and software and to ensure the support for 64-bit child virtual machines while maintaining separate services among the servers, you need to install the Hyper-V feature to convert the physical machines into virtual machines. The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides administrators through the process of creating a virtual version of a physical server, including creating images of physical hard disks, preparing the images for use in a VM, and creating the final VM. The wizard can create virtual servers from physical servers and can run on Windows Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled) besides many other Operating systems.
Reference: Virtual Machine Manager 2008 Supports Hyper-V / Other Features http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh. htm
QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain that contains a Windows Server 2008 server called contosoServer1. The server runs the DHCP service on it for the network. Your company has decided to add a few Windows Vista computers and Windows Server 2008 servers on the network. You have been asked to prepare the network for the automated deployment of the above given operating systems with the use Pre-boot Execution Environment (PXE) network adapter. Which of the following options would you choose to accomplish this task?
A.
Install Windows Automated Installation Kit (WAIK) on a new server. B. Configure the Windows Deployment Services (WDS) server role on a new server. C. Install Windows Automated Installation Kit (WAIK) on contosoServer1. D. Configure the Windows Deployment Services (WDS) server role on contosoServer1.
Answer: D Section: Exam A Explanation/Reference:
To prepare the network for the automated deployment of the above given operating systems with the use Pre-boot Execution Environment (PXE) network adapter, you need to configure the Windows Deployment Services (WDS) server role on contosoServer1. Windows Deployment Services enables you to deploy Windows operating systems, particularly WindowsVista and Windows Server2008. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. It is an extensible and higherperforming PXE server component. You must have a functioning DHCP server with an active scope. To utilize PXE WDS required a DHCP server. Therefore you need to configure WDS on contosoServer1. Reference: Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1 Reference: Planning for PXE Initiated Operating System Deployments/ Windows Deployment Services (WDS) and DHCP http://technet.microsoft.com/en-us/library/bb680753.aspx
QUESTION 7
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. Because the branch office was comparatively less secure, you decided to deploy a Readonly Domain Controller (RODC) in the branch office so that branch office support technicians cannot manage domain user accounts on the RODC. However, they should be able to maintain drivers and disks on the RODC. Which of the following options would you choose to manage the RODC to meet the desired goal?
A. B.
Configure Administrator Role Separation on the RODC. For the branch office support technicians, set NTFS permissions on the Active Directory database to Read & Execute. C. Configure the RODC to replicate the password for the branch office support technicians. D. For the branch office support technicians, set NTFS permissions on the Active Directory database to Deny Full Control.
To ensure that branch office support technicians would not manage domain user accounts on the RODC and should be able to maintain drivers and disks on the RODC, you need to configure the RODC for Administrator Role Separation. Administrator Role Separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work on the server such as upgrading a driver. But the delegated administrator would not be able to log on to any other domain controller or perform any other administrative task in the domain. Reference: RODC Features/ Administrator role separation http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation
QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The company currently consists of a main office that has an Internet connection configured. The company plans to open a new branch office in near future and plans to connect the branch office to the main office by using a WAN link having a limited bandwidth. The branch office will not have access to the Internet and will contain 30 Windows Server 2008 servers. The installations of these servers must be automated and must be automatically activated. Besides the network traffic between the offices must be minimized.
Which of the following options would you include in your plan for the deployment of the servers in the branch office?
A.
Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server and Windows Deployment Services (WDS). B. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services (WDS). C. In the main office, implement Windows Deployment Services (WDS). In the branch office, implement a DHCP server and implement the Key Management Service (KMS). D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).
QUESTION 9
You are an Enterprise administrator for contoso.com. The company has a head office and 250 branch offices. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the corporate network run Windows Server 2008. You have been asked to deploy Read-only Domain Controllers (RODCs) in each designated branch offices because the physical security at branch office locations cannot be guaranteed. While deploying the RODCs, you need to ensure that the RODC installation source files do not contain cached secrets and the bandwidth used during the initial synchronization of Active Directory Domain Services (AD DS) is minimized. Which of the following options would you choose to accomplish the given task?
A.
Backup of the critical volumes of an existing domain controller by using Windows Server Backup. Now build the new RODCs using the backup. B. Using one of the domain controllers on the network create a DFS namespace that contains the Active Directory database and then build the new RODCs using by using an answer file. C. Create an RODC installation media using ntdsutil ifm and the build the RODCs from the RODC installation media. D. Perform a full backup of an existing domain controller using Windows Server Backup and then use the backup to build the new RODCs.
Answer: C Section: Exam A Explanation/Reference:
The new ntdsutil ifm sub command can be used to create installation media. It can be used to remove secrets, such as passwords, from the AD DS database, so that you can install a read-only domain controller (RODC) without them. When you remove these
secrets, the RODC installation media is more secure if it must be transported to a branch office for an RODC installation. Ntbackup.exe cannot remove cached secrets from the installation media. Reference: Steps for Deploying an RODC/ Optional: Install RODC from media http:// technet.microsoft.com/en-us/library/cc754629.aspx
QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. You have been asked to deploy file servers that run Windows Server 2008 and ensure that the file server support volumes larger than 2 terabytes. You also need to ensure that if a single server fails, access to all data is maintained and if a single disk fails, the data redundancy is maintained. You also need to maximize the disk throughput. Which of the following options would you choose to accomplish the assigned task? (Select 2. Each correct answer will present a part of the solution)
A.
Deploy a Windows Server 2008 server and connect an external storage subsystem to it that supports Microsoft Multipath I/O. B. Deploy a two-node failover cluster. Connect an external storage subsystem. C. Configure the external storage subsystem as a RAID 1 array and format the array as an MBR disk. D. Configure the external storage subsystem as a RAID 10 array and format the array as a GPT disk.
Answer: BD Section: Exam A Explanation/Reference:
To ensure that if a single server fails, access to all data is maintained and if a single disk fails, the data redundancy is maintained, you need to deploy a two-node failover cluster. Connect an external storage subsystem. Configure the external storage subsystem as a RAID 10 array. Format the array as a GPT disk. A combining the different RAID levels gives us the option of RAID10. RAID10 is equivalent to RAID1 + 0. So, you can have a few disks (at least 4 and always even numbers) and mirror the drives two at a time. This gives the redundancy. Then you take those mirrors and combine them into a RAID 0 stripe. This allows redundancy, faster read operations, and fast writes (avoiding a parity calculation). RAID1 is a mirror which is faster than a single disk, but not as fast for read operations as 3+ disks (RAID1 is just 2 disks). RAID5 is a stripe with parity which is faster on read operations than RAID1 but not ideal for write operations because it is required to calculate a parity block of data. Reference: Brad Kingsleys Blog http://blogs.orcsweb.com/brad/archive/2007/08/06/raid10.aspx
QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. You have planned to install 10 new Windows Server 2008 servers on the network. You want to automate the installation of the servers and activate the servers automatically. Which of the following options would you choose to accomplish the desired goal?
A.
Implement Multiple Activation Key (MAK) Independent Activation and Deployment Services (WDS). B. Implement Key Management Service (KMS) and Windows Deployment Services (WDS). C. Use Multiple Activation Key (MAK) Independent Activation. D. Implement a DHCP server and the Key Management Service (KMS).
For the deployment of the servers in the branch office with the given requirements, you need to implement Key Management Service (KMS), and Windows Deployment Services (WDS). The KMS key is used to activate computers against a service that you can host in your environment, so you dont have to connect to Microsoft servers. To activate computers by using KMS, you must have a minimum number of physical computers. The KMS key is installed on the host computer only. To activate the KMS host, you must have at least 25 computers running Windows Vista or Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5 computers. You need Windows Deployment Services (WDS) because it enables you to automate the deployment Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Reference: Microsoft Product Activation http://www.microsoft.com/licensing/resources/vol/default.mspx Reference: Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1
QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. Which of the following options would you choose to consolidate the 50 physical Windows Server 2003 servers into 10 physical Windows Server 2008 servers?
While consolidation, you need to ensure that the existing hardware and software should be used and 64-bit child virtual machines can be created. Which of the following options would you choose to accomplish the desired task?
A.
Install Microsoft Virtual PC. B. Consolidate services across the physical machines and create the necessary host (A) records. C. Install the Hyper-V feature. D. Install Microsoft Virtual Server 2005 R2.
QUESTION 13
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The company has decided to open 2 new branch offices and deploy 1,000 new Windows Vista Enterprise Edition computers. The Windows Vista installations need to be done using Pre-boot Execution Environment (PXE) network adapters that those 1000 computers already have. Which of the following options would you choose to ensure that 50 simultaneous installations of Windows Vista can be done in minimum amount of time and the impact of network operations during the deployment of the new computers is minimized?
A.
Install Windows Deployment Services (WDS) server role and configure all the routers with IP Helper tables. B. Install Windows Deployment Services (WDS) server role and configure each WDS server by using legacy mode. C. Install both Windows Deployment Services (WDS) server role and Transport Server role services and then configure the Transport Server with a static multicast address range. D. Install both Windows Deployment Services (WDS) server role and Transport Server role services and then configure the Transport Server to use a custom network profile.
To ensure that 50 simultaneous installations of Windows Vista in minimum amount of time in a Pre-boot Execution Environment, you need to deploy the Windows Deployment Services (WDS) server role and the Transport Server feature. You can install both the Deployment Server and Transport Server role services (which is the default installation) or only Transport Server role services. The Windows Deployment Services (WDS) enables you to automate the deployment of Windows operating systems. You can use it to set up new computers by using a networkbased installation. This means that you do not have to install each operating system directly from a CD or DVD.
You can configure Transport Server to enable you to boot from the network using PreBoot Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or both. The Transport Server role service provides a subset of the functionality of Windows Deployment Services. It contains only the core networking parts. You can use Transport Server to create multicast namespaces that transmit data (including operating system images) from a stand-alone server. The stand-alone server does not need Active Directory, DHCP, or DNS. If multiple servers are using multicast functionality on a network (Transport Server, Deployment Server, or another solution), it is important that each server is configured so that the multicast IP addresses do not collide. Otherwise, you may encounter excessive traffic when you enable multicasting. Note that each Windows Deployment Services server will have the same default range. To work around this issue, specify static ranges that do not overlap to ensure that each server is using a unique IP address. Reference: Transport Server http://technet.microsoft.com/en-us/library/cc771645.aspx
QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain that runs a 64-bit version of Windows Server 2008 server. The server has DHCP server role installed on it. The corporate network only uses IPv4. The company has decided to deploy 50 new Windows Server 2008 servers.The installations need to be done using Pre-boot Execution Environment (PXE) network adapters that is already supported by the new computers. Besides some of the new computers contain 64-bit hardware and some of the servers contain 32-bit hardware. Which of the following options would you choose to ensure the automated deployment of the new servers in minimum hardware cost?
A.
Deploy Windows Deployment Services (WDS) on two Windows Server 2008 servers, one for the 64-bit server and the other for 32-bit server. B. Deploy Remote Installation Services (RIS) on two Windows Server 2003 servers having Service Pack 2 installed, one for the 64-bit server and the other for 32-bit server. C. Deploy Windows Deployment Services (WDS) on the DHCP server. D. Deploy Remote Installation Services (RIS) on a 64-bit Windows Server 2003 server.
To ensure the automated deployment of the new servers in minimum hardware cost in the given scenario, you need to deploy Windows Deployment Services (WDS) on the DHCP server.
You must have a working DHCP server with an active scope on the network because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing. Reference: Installing Windows Deployment Services http://technet.microsoft.com/en-us/ library/cc771670.aspx
QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest having 20 domains configured under it. All the domain controllers on the network run Windows Server 2008 and have the DNS role installed on them. You company has decided to replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for the name resolution. Which of the following options would you choose to Support IPv4 and IPv6 environments, allow single-label name resolution across all domains, and minimize the amount of NetBT traffic on the network while replacing a legacy Windows Internet Name Service (WINS) environment?
A.
Configure all the DNS zones to perform a WINS forward lookup. B. Configure all the DNS zones to replicate as part of a custom Active Directory replication partition. C. Configure a GlobalNames zone on each domain controller. D. Configure all the DNS zones to replicate to each DNS server in the forest.
To Support IPv4 and IPv6 environments, allow single-label name resolution across all domains, and minimize the amount of NetBT traffic on the network while replacing a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment, you need to configure a GlobalNames zone on each domain controller. The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to assist organizations to move away from WINS and allow organizations to move to an all-DNS environment. Unlike WINS, The GlobalNames zone is not intended to be used for peer-to-peer name resolution. The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all name resolution will rely on DNS. It supports dual IPv4 and IPv6 environment and use only DNS for name resolution. Reference: Understanding the New GlobalNames Zone Functionality in Windows Server2008 http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-
in-windows-server-2008/ Reference: DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works
QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All servers on the corporate network run Windows Server 2008 and all client computers run Windows Vista. The company has an enterprise certification authority (CA). You have been asked to install certificates automatically on each client computer and deploy the certificates to all users by using a new certificate template by using minimum amount of effort. You need to ensure that users have access to the new certificates when they log on to any client computer in the domain. Which of the following options would you choose to accomplish the given task? (Select two. Each correct answer will form a part of the solution)
A. B. C. D. E.
Configure auto enrollment of certificates. Deploy an enterprise subordinate CA. Configure roaming user profiles. Configure folder redirection. Configure Credential Roaming.
Answer: AE Section: Exam A Explanation/Reference:
To ensure that users have access to the new certificates when they log on to any client computer in the domain while meeting other requirements, you need to configure auto enrollment of certificates and Credential Roaming. The auto enrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Auto Enroll permissions for the users, groups, or computers who require auto enrollment. With the credential roaming functionality, managed environments can now store X.509 certificates, certificate requests, and private keys specific to a user in Active Directory, independently from the profile. The credential roaming implementation in Windows Vista and Windows Server Longhorn is additionally able to roam stored user names and passwords. This would ensure that users have access to the new certificates when they log on to any client computer in the domain. With credential roaming, once a domain user chooses in a Windows authentication dialog box to cache or "remember" the current credentials, the user will have the same experience on any domain-joined computer that the user logs on to. http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificateautoenrollment-in-windows-server-2003.html
QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network either run Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista or Windows XP SP2. You have been assigned the task to implement Encrypting File System (EFS) for all the client computers on the network and ensure that users must be able to access their EFS certificates on any client computers. You also need to ensure that if a client computers disk fails, the EFS certificates must be accessible and only the minimum amount of data that is transferred across the network when a user logs on to or off from a client computer. Which of the following options would you choose to accomplish the assigned task?
A.
Smart cards B. Credential roaming C. Roaming user profiles D. Data Recovery Agent
QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The network contains three servers that run Windows Server 2000 and a few custom applications. The applications on these servers are incompatible with each other, incompatible with Windows Server 2008, and consume less than 10 percent of the system resources. The company has decided to update all the servers to Windows Server 2008. As an Enterprise administrator of the company, you have been assigned the task to migrate the applications to new Windows Server 2008 servers in minimum hardware costs. Which of the following two options would you choose to accomplish the assigned task? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E. F. G.
Deploy one new server that runs Windows Server 2008 Enterprise Edition. Deploy three new servers that run Windows Server 2008 Standard Edition. Deploy one new server that runs Windows Server 2008 Datacenter Edition. Install the Windows System Resource Manager (WSRM) feature on the new server. Configure Windows 2000 compatibility mode for each application. Install the Hyper-V feature on the new server. Create three child virtual machines. Install the Desktop Experience feature.
Answer: AF Section: Exam A Explanation/Reference:
To migrate the applications to new Windows Server 2008 servers in minimum hardware costs, you need to deploy one new server that runs Windows Server 2008 Enterprise Edition, install the Hyper-V feature on the new server, and then create three child virtual machines for each application. Application virtualization of Hyper-V feature helps isolate the application running environment from the operating system install requirements by creating applicationspecific copies of all shared resources and helps reduce application to application incompatibility and testing needs. With Microsoft SoftGrid, desktop and network users can also reduce application installation time and eliminate potential conflicts between applications by giving each application a virtual environment thats not quite as extensive as an entire virtual machine. By providing an abstracted view of key parts of the system, application virtualization reduces the time and expense required to deploy and update applications. http://download.microsoft.com/download/4/2/b/42bea8d6-9c77-4db8-b405-6bffce59b157/ WS08%20Virtualization%20Product%20Overview.doc
QUESTION 19
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain and an Active Directory site exists for each office. All the domain controllers on the network run Windows Server 2008. You have been assigned the task to modify the DNS infrastructure in such a way that the DNS service is available even if a single server fails, the synchronization data that is sent between DNS servers is encrypted and dynamic updates are supported on all DNS servers. Which of the following options would you choose to accomplish the given task? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E. F. G.
Install the DNS server role on a domain controller in the head office and on a Read only Domain Controller (RODC) in the branch office. Install the DNS server role on a domain controller in the head office and on a domain controller in the branch office. Install the DNS server role on two servers. Create a primary zone on the DNS server in the head office. Configure DNS to use Active Directory integrated zones. Create a secondary zone on the DNS server in the branch office. Install the DNS server role on two servers. Create a primary zone and a GlobalNames zone on the DNS server in the head office. Create a GlobalNames zone on the DNS server in the branch office.
Answer: BD Section: Exam A
Explanation/Reference:
To modify the DNS infrastructure in such a way that the DNS service is available even if a single server fails, you need to install the DNS server role on a domain controller in the head office and on a domain controller in the branch office and then configure DNS to use Active Directory integrated zones. This would also ensure that the synchronization data that is sent between DNS servers is encrypted and dynamic updates are supported on all DNS servers. DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS provides the following advantages: Multiple masters are created for DNS replication. Therefore, any domain controller in the domain running the DNS server service can write updates to the Active Directoryintegrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed. Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS. ActiveDirectory-integrated DNS in Windows Server2008 stores zone data in application directory partitions. (There are no behavioral changes from WindowsServer2003-based DNS integration with ActiveDirectory.)
QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the network either run Windows Server 2008 and all client computers run Windows Vista. The company plan to collaborate on a project with an external partner company called TechKing.com. The TechKing.com domain also consists of an Active Directory domain that runs Windows Server 2008 domain controllers. You have been assigned the task to design a collaboration solution that allows the users of both the companies to prevent sensitive documents from being forwarded to untrusted recipients or from being printed. Besides, the users of TechKing.com should be allowed to access the protected content in contoso.com to which they have been granted rights. You need to ensure that all interorganizational traffic is sent over port 443. Which of the following options would you choose to accomplish the desired goal in a minimum amount of the administrative effort? (Select two. Each selected option will present a part of the answer.)
A.
Establish a federated trust between your company and the external partner. B. Establish an external forest trust between your company and the external partner.
C.
Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active Directory Rights Management Services (AD RMS) role installed. D. Deploy a Windows Server 2008 server that has the Active Directory Rights Management Service (AD RMS) role installed and the Windows SharePoint Services role installed. E. Deploy a Windows Server 2008 server that has the Active Directory Certificate Services role installed. Implement Encrypting File System (EFS). F. Deploy a Windows Server 2008 server that has the Windows SharePoint Services role installed.
Answer: AC Section: Exam A Explanation/Reference:
To design a collaboration solution that allows the users of both the companies to prevent sensitive documents from being forwarded to untrusted recipients or from being printed, you need to establish a federated trust between your company and the external partner. Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active Directory Rights Management Services (AD RMS) role installed. With a federation trust, you can extend Active Directory to allow for the sharing of resources securely in a B2B environment. Once the federation trust is established, authentication requests that are made to the Intranet server in the resource domain can flow through the federation trust from users who are located in the domain where the accounts are located without issue. Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information. Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate network. The goal of integrating an Office SharePoint Server 2007 deployment with an ADRMS infrastructure is to be able to protect documents that are downloaded from the Office SharePoint Server 2007 server by users of any given organization. http://www.windowsnetworking.com/articles_tutorials/Window-Server-2003-R2-NewActive-Directory.html
QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008. The network contains two Windows Server 2008 computers called contosoServer1 and contosoServer2 and two identical print devices. Which of the following options would you choose to plan a print services infrastructure that would allow you to manage the print queue from a central location and make the print services available, even if one of the print devices fails?
A. B.
Install and share a printer on contosoServer1 and enable printer pooling. Create a Network Load Balancing cluster and add contosoServer1 and contosoServer2 to it and then install a printer on each node of the cluster. C. Install and share one of the printer on contosoServer1 and the other printer on contosoServer2. Use Print Manager to install the printers on the client computers. D. Install the Terminal Services server role on both servers. Configure Terminal Services Session Broker (TS Session Broker).
To plan a print services infrastructure that would allow you to manage the print queue from a central location and make the print services available, even if one of the print devices fails, you need to install and share a printer on contosoServer1 and enable printer pooling. Printer pooling allows you to print to several printers at once. If you have a large print job you can submit it to the pool and the operating system will balance the load among the printers. This feature allows network administrators to configure and manage several printers as one, a process that can simplify printer administration. In addition, printer pooling provides some load-balancing. Thats because Windows 2000 Server directs print jobs to the connected printers based on jobs pending at each printer. A printer pool contains multiple printers, all configured as a single printer instance. Reference: Configure printer pooling to simplify printer management in Windows 2000 http://articles.techrepublic.com.com/5100-10878_11-5727870.html
QUESTION 22
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network either run Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista. The company possesses a public key infrastructure (PKI) that consists of an offline root certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003. You publish the certificates to the user accounts and the computer accounts in Active Directory. Which of the following options would you choose to create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers in such a way that the certificates must support Suite B hashing and encryption algorithms and store private keys in Active Directory in minimum amount of administrative effort?
A.
Configure cross-certification between the CA hierarchies by creating a new PKI that uses Windows Server 2008 CAs. B. Install a new Windows Server 2008 enterprise subordinate CA. C. Install a new Windows Server 2008 stand-alone subordinate CA.
D.
Create a new Active Directory forest and configure one-way forest trusts between the two forests by deploying a new PKI that uses Windows Server 2008 CAs.
To create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers that meed the desired requirements, you need to install a new Windows Server 2008 enterprise subordinate CA. To use SuiteB algorithms for cryptographic operations, you first need a Windows Server 2008-based CA to issue certificates that are SuiteB-enabled. Suite B algorithms such as ECC are supported only on the Windows Vista and Windows Server 2008 operating systems. This means it is not possible to use those certificates on earlier versions of Windows such as Windows XP or Windows Server 2003. If you already have a PKI with CAs running Windows Server 2003 or where classic algorithms are being used to support existing applications, you can add a subordinate CA on a server running Windows Server 2008, but you must continue using classic algorithms. Reference: Cryptography Next Generation / How should I prepare to deploy this feature? http://technet.microsoft.com/en-us/library/cc730763.aspx
Exam B QUESTION 1
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The branch office contains a Windows Server 2008 member server named BranchServer1 that has the File Services server role installed on it. The Active Directory contain an organizational unit (OU) called BranchOU to keep the computer objects for the servers in the Branch office. Besides the OU, a global group called Branch-adm also exists in AD to keep the user accounts for the administrators in the branch office. Till now the administrators on the corporate network manage the shared folders on the servers in the Branch office. However, you now want to ensure that the members of Branch-adm can create shared folders on BranchServer1. Which of the following options would you choose to accomplish this task?
A.
Assign Full Control permissions on the BranchOU. B. Add the Branch-adm group to the Power Users local group on BranchServer1. C. Create Shared Folders permissions on the BranchOU. D. Add the Branch-adm group to the Administrators local group on BranchServer1.
Answer: D Section: Exam B Explanation/Reference:
To ensure that the members of Branch-adm can create shared folders on BranchServer1, you need to add the Branch-adm group to the Administrators local group on BranchServer1. Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account. http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-EveryDesktop.html
QUESTION 2
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008. The company has assigned you the task to plan a data storage solution for the company by utilizing the existing network infrastructure and ensuring that the storage space to the servers is allocated as needed. You also need to ensure the maximum performance and the maximum fault tolerance in your solution. To begin with, you decided to deploy eight file servers on the network and connect them
to Ethernet switches. Which of the following options will you include next in your plan to accomplish the desired goal? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E. F. G.
Install Windows Server 2008 Datacenter Edition on each server. Install Windows Server 2008 Enterprise Edition on each server. Install Windows Server 2008 Standard Edition on each server. Deploy the servers in a failover cluster and deploy an iSCSI storage area network (SAN). Deploy the servers in a Network Load Balancing (NLB) cluster and map a network drive on each server to an external storage array. Deploy the servers in a Network Load Balancing (NLB) cluster and implement RAID 5 on each server. Deploy the servers in a failover cluster and deploy a Fibre Channel (FC) storage area network (SAN).
Answer: AD Section: Exam B Explanation/Reference:
To plan a data storage solution for the company to ensure the maximum performance and the maximum fault tolerance, you need to install Windows Server 2008 Datacenter Edition on each server and deploy the servers in a failover cluster. Next deploy an iSCSI storage area network (SAN). The Datacenter Edition supports both iSCSI storage and failover clustering. The failover clustering will ensure the fault tolerance. A popular SAN protocol, iSCSI allows clients to send SCSI commands to storage devices on remote servers. Unlike Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure. The iSCSI is a protocol that allows two hosts to send SCSI commands over a TCP/IP network. By doing this, you can use SCSI but free yourself of the limitations of traditional SCSI cabling and, instead, use your LAN to connect your SCSI PCs and Server to your SCSI storage. iSCSI is a type of storage area network (SAN) and it is typically compared to Fibre Channel (FC) its much more expensive competitor. With iSCSI you have a client who needs access to the storage on the server. The client uses initiator software (making it the initiator) to connect to the storage server (called the target). http://www.windowsnetworking.com/articles_tutorials/Connect-Windows-Server-2008Windows-Vista-iSCSI-Server.html
QUESTION 3
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain, which run at the functional level of Windows Server 2008. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.
You have been asked to design a file sharing strategy that ensures that the users in both the offices must be able to access the same files using the same Universal Naming Convention (UNC) path to access the files. The users must be able to access files even if a server fails. While designing your file sharing strategy, you need to take care youre your design must reduce the amount of bandwidth used to access files. To start with you deployed file servers on the network. Which of the following options would you choose next to accomplish this task?
A. B.
Domain-based DFS namespace using replication Stand-alone DFS namespace using replication C. Multi-site failover cluster having two servers, one located in the head office and another in the branch office D. Network Load Balancing cluster having two servers, one located in the head office and another in the branch office.
Answer: A Section: Exam B Explanation/Reference:
To design a file sharing strategy that meets the given requirements, you need to configure a domain-based DFS namespace that uses replication. The domain based namespaces require all servers to be members of an Active Directory domain. This environment support automatic synchronization of DFS targets. The domain-based DFS enables multiple replications that provides you with a degree of scalability. Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than over burdening a single server. This ensures that the users in both the offices must be able to access the same files using the same Universal Naming Convention (UNC) path to access the files in reduced bandwidth. Another reason for having multiple DFS replicas is because doing so provides you with a degree of fault tolerance.DFS can also provide fault tolerance from the standpoint of protecting you against network link failures.The fault tolerance ensures that users are able to access files even if a server fails.
QUESTION 4
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008. The company has four domain administrators and two support technicians, which are located in the head office and the branch office respectively. Which of the following options would you choose to deploy a new Windows Server 2008 server in the branch office? You want to minimize the security privileges granted to the support technicians. However, you want to ensure that the support technicians are allowed to install server roles and are allowed to stop and start services.
A.
Configure the restricted enrollment agent on the new Windows Server 2008 server and then create a permissions list for the support technicians. B. Create a new organizational unit (OU) for the support technicians permission and then assign them the permissions to modify objects in the new OU. Put the new Windows Server 2008 server in the new OU. C. Add the support technicians to the Domain Admins group. D. Assign the support technicians to the Administrators group on the new Windows Server 2008 server.
"Administrators" is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account. http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-EveryDesktop.html
QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company contains two Windows Server 2008 computers and two identical print devices. Which of the following options would you choose to manage a large print job by balancing the load of print jobs on both the printers?
A.
Install and share a printer on one of the servers and enable printer pooling. B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of the cluster. C. Install and share a printer on each server and then install the printers on the client computers using Print Manager. D. Install the Terminal Services server role on both servers and configure Terminal Services Session Broker (TS Session Broker).
To manage a large print job by balancing the load of print jobs on both the printers, you need to install and share a printer on contosoServer1 and enable printer pooling. Printer pooling allows you to print to several printers at once. If you have a large print job you can submit it to the pool and the operating system will balance the load among the printers. This feature allows network administrators to configure and manage several printers as one, a process that can simplify printer administration. In addition, printer pooling
provides some load-balancing. Thats because Windows 2000 Server directs print jobs to the connected printers based on jobs pending at each printer. A printer pool contains multiple printers, all configured as a single printer instance.
QUESTION 6
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The branch office contains 50 Windows Server 2008 member servers. The Active Directory contain an organizational unit (OU) called BranchOU to keep the computer objects for the servers in the Branch office. A global group called Branch-adm also exists in the AD to keep the user accounts for the administrators in the branch office. The administrators on the corporate network manage all the servers in the Branch office. However, you now want to ensure that the members of Branch-adm group can Stop and start services and change registry settings on the member servers of the branch office. Which of the following options would you choose to accomplish this task?
A.
Assign Full Control permissions on the BranchOU to the Branch-adm group. B. Add the Branch-adm group to the Power Users local group on each server in the Branch office. C. Assign the Branch-adm group change permissions to the BranchOU and to all child objects. D. Add the Branch-adm group to the Administrators local group on each server in the Branch office.
To ensure that the members of add the Branch-adm group can Stop and start services and change registry settings on the member servers of the branch office, you need to add the Branch-adm group to the Administrators local group on each server in the Branch office. "Administrators" is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account. http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-EveryDesktop.html
QUESTION 7
You are an Enterprise administrator for contoso.com. The company consists of a head
office and a branch office. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. You plan to deploy the Server Core installation of Windows Server 2008 on 10 servers in the branch office. The servers will only be accessible by using TCP ports 80 and 443. You need to ensure that the administration of the Server Core servers must enable administrators to install and administer server roles remotely and fully manage the servers remotely from their Windows Vista computers / Windows Server 2008 servers. Which of the following options would you choose to accomplish the desired task?
A.
Enable Remote Desktop Connection (RDC) on the administrators computers. B. Enable Windows Remote Management (WinRM) on the administrators computers. C. Use Oclist.exe on the administrators computers. D. Use Ocsetup.exe on the administrators computers.
Answer: B Section: Exam B Explanation/Reference:
To ensure that the administration of the Server Core servers must enable administrators to install and administer server roles remotely and fully manage the servers remotely, you need to enable Windows Remote Management (WinRM) on each server. Windows Remote Management (known as WinRM) is a handy new remote management service for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM & WinRS are very powerful new tools that Windows system administrators should learn about. With WinRM/WinRS, you can install programs, change settings, or do troubleshooting (as long as the network was up). You can even take it a step further and combine WinRS with a script to perform those tasks on a list of computers. http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008WinRM-WinRS.html
QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of 50 DNS servers that run Windows Server 2003 and the client computers that run Windows Vista. A DNS server called contosoServer1 has Adminpak.msi installed. The administrators manage the DNS servers through contosoServer1. The administrators connect to contosoServer1 through Remote Desktop Connection (RDC). Recently, you have replaced Windows Server 2003 DNS servers with Server Core installation of Windows Server 2008 servers by installing DNS server role on the Server Core installation of Windows Server 2008. Which of the following options would you choose to administer the new DNS servers? You need to ensure that the administrators manage the DNS server role by using a Microsoft Management Console (MMC).
A. B.
Using a Group Policy, deploy Windows PowerShell to all administrators. Using a Group Policy, deploy the Windows Server 2003 Adminpak.msi file to all administrators. C. Provide remote access to the Windows Server 2008 Server Core servers. D. Install Remote Server Administration Tools (RSAT) to a Windows Server 2008 server and provide remote access to that server.
To administer the new DNS servers, you need to provide remote access to a Windows Server 2008 server that has the Remote Server Administration Tools (RSAT) installed RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server environment right from their desktop. RSAT also includes an updated Group Policy Management Console (GPMC), which was previously removed in Windows Vista SP1. RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to manage computers running Windows Server 2008. Because many of these tools also work for managing computers running Windows Server 2003, it is essentially the next version of ADMINPAK.MSI. http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-serveradministration-tools-rsat-now-available-for-windows-vista-sp1.aspx
QUESTION 9
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The network contains five Windows Server 2008 servers that host Web applications. The administrators need to manage the Web servers remotely. You need to ensure that the web developers are allowed to configure features on the Web sites. However, they should not have full administrative rights on the Web servers. Which of the following options would you choose to accomplish the desired task?
A.
On each Web server, configure the authorization rules for Web developers. B. Add the Web developers to the Account Operators group in the domain. C. Configure request filtering on each Web server. D. For all Web developers, configure the security settings in Internet Explorer.
To ensure that the web developers are allowed to configure features on the Web sites without having full administrative rights on the Web servers. You need to configure authorization rules for Web developers on each Web server. By configuring Authorization rule, you can grant or deny specific computers, groups of
computers, or domains access to sites, applications, directories, or files on your server. For example, suppose your intranet server hosts content that is available to all employees, in addition to content that should be viewed only by members of specific groups, such as Finance or Human Resources. By configuring URL authorization rules, you can prevent employees who are not members of those specified groups from accessing restricted content.
QUESTION 10
You are an Enterprise administrator for contoso.com. The company consists of a head office and five branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Each branch office contains a domain controller on which the DHCP Server role is also installed. Besides this, each branch office also contains a file server and posses its own branch office administrator. You need to delegate the administration of DHCP in such a way that the branch office administrators are allowed to manage DHCP scopes for their own office. You also need to ensure that the branch office administrators should not be allowed to manage the DHCP scopes in other offices. Which of the following options would you choose to accomplish the given task in minimum amount of administrative effort?
A. B. C. D. E.
Migrate the DHCP Server server role to the file server in each branch office. On each file server, add the branch office administrator to the DHCP Administrators local group. Add the branch office administrators to the Network Configuration Operators domain local group in the AD domain. Add the branch office administrators to the Server Operators domain local group in the AD domain. Add the branch office administrators to the DHCP Administrators domain local group in the AD domain.
Answer: AB Section: Exam B Explanation/Reference:
To delegate the administration of DHCP so that the branch office administrators are allowed to manage DHCP scopes for their own office you need to migrate the DHCP Server server role to the file server in each branch office. To ensure that branch office administrators are not allowed to manage the DHCP scopes in other offices you need to add the branch office administrator to the DHCP Administrators local group. While members of the Domain Admins group obviously have full power to configure DHCP on the server, you can also delegate limited power to users whose job is to manage DHCP servers on your network. To do this, open Active Directory Users and Computers and add the name of the user to the DHCP Administrators domain local group.
This gives the user the ability to manage DHCP servers on your network without giving him any unnecessary authority to perform other administrative tasks, which is an example of the well-known security best practice of least privilege.
QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory (AD) domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The AD contains an organizational unit (OU) called EmployeesOU that contains all user accounts and a global group named HRAdmins that contains the accounts of the HR administrators? You have been asked to plan for the delegation of administrative authority in such a way that the HR Admins are allowed to create user accounts in the EmployeesOU and change the address attributes, the telephone number attributes, and the location attributes for existing user accounts. You also need to ensure that HRAdmins are not allowed to reset the passwords for the existing user accounts. Which of the following options would you choose to accomplish the desired goal?
A.
Run the Delegation of Control Wizard on the EmployeesOU. B. Create a new OU and move the HR Admins group to the new OU and then run the Delegation of Control Wizard on the new OU. C. Move the HRAdmins group to the Domain Controllers OU. D. Add the HRAdmins group to the Account Operators group.
To accomplish the desired goal o accomplish the desired goal, you need to Run the Delegation of Control Wizard on the EmployeesOU. A Delegation wizard can be used to facilitate the delegation of administrative rights over containers within Active Directory. The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard. The Delegation of Control Wizard provides an additional level of granularity allowing for custom-built tasks to be assigned to specific users or groups.
QUESTION 12
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Administrators manage the client computers and servers in the Branch office. Branch office of the company contains a Read-only Domain Controller (RODC) named contosoServer1.A global group called Branch-admins contains the user accounts for administrators. You have been asked to recommend a solution for delegating control of contosoServer1
in such as way that Branch-admins group has rights on contosoServer1 only and they should not be allowed to modify Active Directory objects. Besides, all the members of the Branch-admins group are allowed to administer contosoServer1; including, the change of device drivers and installation of operating system updates by using Windows Update. Which of the following options would you choose to accomplish the desired task?
A.
On contosoServer1, add the Branch-admins global group to the Administrators local group. B. Add the Branch-admins global group to the Server Operators domain local group. C. Create a new OU and move the contosoServer1 computer object to a new OU and then grant Full Control permission on the new OU to the Branch-admins group. D. On the contosoServer1 computer object in the domain Grant Full Control permission to the Branch-admins group.
To accomplish the desired task, you need to add the Branch1-admins global group to the Administrators local group of contosoServer1. Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account. Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because its a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.
QUESTION 13
You are an Enterprise administrator for TestKing.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The Active Directory domain contains a top-level organizational unit (OU) called AccountingOU, which contains all computer and user accounts for the accounting department. You have been asked to deploy an accounting application that can only be accessed by the accounting users. Which of the following options would you deploy to accomplish the desired task?
A.
Terminal Service Session Broker (TS Session Broker) role service B. Microsoft System Center Operations Manager (SCOM)
C. D.
Group Policy object (GPO) for the Accounting OU Windows Server Update Service (WSUS)
Answer: C Section: Exam B Explanation/Reference:
To deploy an accounting application that can only be accessed by the accounting users, you need to deploy a Group Policy object (GPO) for the AccountingOU. As you may already know, in an Active Directory environment, group policies are the main component of network security. Group policy objects can be applied either to users or to computers. Deploying applications through the Active Directory is also done through the use of group policies, and therefore applications are deployed either on a per user basis or on a per computer basis. http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications. html
QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. The AD forest was running at the functional level of Windows Server 2008. The forest contains two domains named contoso.com and na.contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The domain na.contoso.com contains an organizational unit (OU) called SecurityOU and the domain contoso.com contains a user called Ben. You have been asked to assign administrative rights to Ben so that he can manage Group Policies for the SecurityOU. While assigning administrative rights, you need to ensure that Ben must be granted the least administrative rights necessary to create and configure Group Policies in na.contoso.com and link Group Policies to the SecurityOU. Which of the following options would you choose to accomplish the desired goal? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E. F. G.
Run the Delegation of Control Wizard on na.contoso.com. Run the Delegation of Control Wizard on the SecurityOU. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the contoso.com domain. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the na.contoso.com domain. Add User1 to the Group Policy Creator Owners group in contoso.com. Add User1 to the Administrators group for na.contoso.com. Modify the permissions on the SecurityOU.
Answer: BD Section: Exam B
To ensure that Ben must be granted the least administrative rights necessary to create and configure Group Policies in na.contoso.com and link Group Policies to the SecurityOU, you need to run the Delegation of Control Wizard on the Security OU. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the na.contoso.com domain. A Delegation wizard is used to facilitate the delegation of administrative rights over containers within Active Directory. Therefore it needs to be run on the SecurityOU. The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard. The Delegation of Control Wizard provides an additional level of granularity allowing for custom-built tasks to be assigned to specific users or groups.
QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. The forest contains a root domain and two child domains named la.contoso.com and na.contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The company has a corporate policy according to which, all local guest accounts must be renamed and disabled and all the local administrator accounts must be renamed. Which of the following options would you choose to implement the companys policy?
A. B.
On each domain, implement a GPO. On the root domain, implement a GPO. C. On the root domain controllers, deploy AD RMS. D. On all domain controllers in each domain, deploy NPAS.
To deploy the corporate policy of the company that states that all the local administrator accounts must be renamed and all the local guest accounts must be renamed and disabled, you need to implement a Group Policy object (GPO) for each domain. You can change the administrator account and guest account names by using Group Policy in Windows Server 2003. This may be useful if you want to change the name of the administrator or guest user accounts to minimize the chance of misuse of these accounts.
QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008.
A corporate policy exists for the company. According to which, a legal notice should appear when any user logs on to the domain. Which of the following options would you choose to enforce the corporate policy by using the minimum amount of administrative effort?
A.
Run the Delegation of Control Wizard for the domain and modify the Default Domain Controller policy. B. Run the Delegation of Control Wizard for the domain and configure the Local Computer policy on a reference computer. C. Create a new organizational unit (OU), place all computer accounts in the new OU, and then run the Delegation of Control Wizard for the new OU. D. Create, link and enforce a new GPO to the domain.
To enforce the corporate policy by using the minimum amount of administrative effort, you need to create a GPO and link the GPO to the domain and then configure the GPO to be enforced. Group policy settings are an integral part of any Windows-based IT environment. The number of desktop lockdown settings available to group policy administrators is enormous. They can prevent you from doing anything from changing your desktop appearance and start menu to running certain applications. http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policysettings.aspx
QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers and the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista. You have been assigned the task to generate a monthly report on the status of software updates for the client computers. You report should display all the updates including operating system and Microsoft application updates that are installed successfully. Your report should also display all the updates including the operating system and Microsoft application updates that are failed to install by putting minimum amount of administrative effort and in minimum cost. Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the solution.)
A. B. C. D. E. F.
Install Microsoft System Center Essentials (Essentials) 2007. Install Microsoft System Center Configuration Manager (SCCM) 2007. Install Windows Software Update Services (WSUS) 3.0. Deploy management agents on all client computers. Configure Windows Update by using a Group Policy object (GPO). Deploy Microsoft Baseline Security Analyzer (MBSA) 2.1 on the client computers.
G.
Run MBSA on each client computer, and save the report to a shared folder on the network.
Answer: CE Section: Exam B Explanation/Reference:
To generate the desired reports, you need to Install Windows Software Update Services (WSUS) 3.0. Configure Windows Update by using a Group Policy object (GPO). The easiest way to configure automatic updates is through the group policy, in environments where this is possible. If group policies (AD) are not available, you can use the registry file which has to be deployed to every machine. This registry file, or group policy template if youre using Active Directory, enables advanced features available with the new WSUS client. Reports can be easily generated, but unfortunately only the WSUS server administrator can generate them. ITSS can generate reports per groups, so if your clients are properly configured to report their group, you can ask ITSS to schedule generation of reports for your groups. You can also define the criteria of the report, so some events can be filtered. The criteria define status of updates for machines, so the following can be used: Installed lists updates which have been successfully installed on the client machines. Needed lists updates which are needed, but have not been installed yet. Not needed lists updates which are available on the server, but are not needed for this particular client. Unknown lists updates with unknown status. Failed lists updates which were downloaded by the client, but whose installation failed.
QUESTION 18
You are an Enterprise administrator for contoso.com. The company has a head office and two branch offices. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. A server on the corporate network of the company run Windows Server Update Services (WSUS) and distributes updates to all computers on the internal network. The WSUS server is configured to store updates locally. The branch offices connect to the head office by using a dedicated WAN link. You need to design a patch management strategy for the corporate network that would ensure that the branch offices would get updates from the head office. However, the WSUS updates are approved independently for each branch office without increasing the Internet traffic too much. Which of the following options would you choose to accomplish the desired task?
A.
For each branch office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs. B. In each branch office, install a WSUS server. C. Configure each branch office WSUS server as a replica of the main office WSUS server.
D. E.
Configure each branch office WSUS server as an autonomous server. Configure different schedules to download updates from the main office WSUS server to the client computers in each branch office. F. Configure each branch office WSUS server to use the main office WSUS server as an upstream server.
Answer: BF Section: Exam B Explanation/Reference:
To design a patch management strategy for the corporate network that would ensure that the branch offices would get updates from the head office, you need to install a WSUS server in each branch office and configure each branch office WSUS server to use the head office WSUS server as an upstream server. A WSUS hierarchy supports two modes, autonomous mode (which we will discuss later) and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server that an administrator has to manually configure computer groups and update approvals on. All information downloaded and configured on to an upstream server is replicated directly to all of the devices configured as downstream servers. Using this method you will save a great deal of bandwidth as only one computer is constantly updating from the Internet. More importantly however, you will save a countless amount of time since you are only managing one server now from a software standpoint. Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves. http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-WindowsServer-Update-Services.html
QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The File Server role is installed on the 10 servers on the domain. You have been asked to monitor the file servers and ensure that the Administrators should be able to create reports that display folder usage by different Active Directory groups, receive automatic E-mail notifications if any volume has less than 500 MB of free space, and are able to enforce the file storage quotas. How would you configure each file server to accomplish the desired task?
A.
Configure Windows System Resource Manager (WSRM) feature and Event Subscriptions B. Configure NTFS quotas and Event Viewer tasks
C. D.
Configure NTFS quotas and Performance Monitor alerts Configure the File Server Resource Manager (FSRM) role service and Quota Management and Storage Reports Management
FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server 2008. You can use FSRM to enhance your ability to manage and monitor storage activities on your file server. The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event Log Integration, E-mail Notifications, and Automated Scripts. You can use FSRM to perform Limit the size of a folder to 2GB and log an event when the Quota limit is reached, E-mail an administrator whenever a specific folder reaches 85% of its specified Quota. Besides, you can create a File Screen to prevent users from saving of video/audio files to a share and send notifications when users attempt to do that, and schedule and publish a periodic storage reports that shows how much space is being used by each user,. You can use it to automatically execute a script when a folder size exceeds 500 MB to clean up stale data in the folder. http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008fsrm-file-server-resource-manager.aspx
QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. All the servers in the forest run Windows Server 2008 and all client computers run Windows Vista. You have been assigned the task to monitor the performance of the servers of the sales department of the company that consists of 600 Windows Server 2008 servers. You need to generate alerts when the average processor usage is higher than 90 percent for 20 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload. Which of the following options would you choose to accomplish the desired task?
A.
Use Microsoft System Center Configuration Manager (SCCM). B. Use Windows System Resource Manager (WSRM). C. Use Microsoft Windows Reliability and Performance Monitor. D. Use Microsoft System Center Operations Manager (SCOM).
To generate alerts when the average processor usage is higher than 90 percent for 20 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload, you need to Deploy Microsoft System Center
Operations Manager (SCOM). System Center Operations Manager 2007(SCOM 2007) is a new version of Microsoft Operations Manager 2005(MoM). It is the end to end service monitoring solution that lets you monitor clients, events, services, applications, network devices rather than just servers. It provides integration with Active Directory for user authentication and agent discovery. It provides active directory integration, Service Oriented Monitoring, SelfTuning Threshold, Enhanced Reporting, windows computers monitoring and much more. http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-loveand-hate.aspx
QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network either run Windows Server 2008 and all client computers run Windows Vista Service Pack 1. The corporate network is connected to the Internet through a firewall. Which of the following options would you choose to allow remote access to the servers on your network while ensure that all the remote connections and all remote authentication attempts to the servers are encrypted? You also need to ensure that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall.
A.
Point-to-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE) B. Microsoft Secure Socket Tunneling Protocol (SSTP) C. Internet Protocol security (IPsec) and network address translation traversal (NAT-T) D. Internet Protocol security (IPsec) and certificates
Answer: B Section: Exam B Explanation/Reference:
To allow remote access to the servers on your network while ensure that all the remote connections and all remote authentication attempts to the servers are encrypted and to ensure that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall, you need to install Microsoft Secure Socket Tunneling Protocol (SSTP). The Microsoft Secure Socket Tunneling Protocol (SSTP), a mechanism to transport data-link layer (L2) frames on a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connection. The protocol currently supports only the Point-to-Point Protocol (PPP) link layer. The SSTP server directly accepts the HTTPS connection, which is similar to a virtual private network (VPN) server positioned on the edge of a network. The Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate is deployed on the SSTP server. Reference: The Cable Guy The Secure Socket Tunneling Protocol SSTP in Windows http://technet.microsoft.com/en-us/magazine/cc162322.aspx
QUESTION 22
You are an Enterprise administrator for contoso.com. The corporate network of the company is configured with Perimeter network as shown in the exhibit:
The company uses an enterprise certification authority (CA) and a Microsoft Online Responder on the internal network. Which of the following options would you choose to implement a secure method for Internet users to verify the validity of individual certificates with the use of minimum network bandwidth? (Select two. Each correct answer will form a part of the answer.)
A. B. C. D. E. F. G.
Install a stand-alone CA on a server on the perimeter network. Deploy a subordinate CA on the perimeter network. Install Network Device Enrollment Service (NDES) on a server on the perimeter network. Install a Network Policy Server (NPS) on a server on the perimeter network. Redirect authentication requests to a server on the internal network. Install IIS on a server on the perimeter network. Configure IIS to redirect requests to the Online Responder on the internal network.
Answer: FG Section: Exam B Explanation/Reference:
To implement a secure method for Internet users to verify the validity of individual certificates with the use of minimum network bandwidth, you need to install IIS on a server on the perimeter network and configure IIS to redirect requests to the Online Responder on the internal network. Windows Vista and the Windows Server 2008 operating system will natively support both CRL and Online Certificate Status Protocol (OCSP) as a method of determining certificate status. The OCSP support includes both the client component as well as the Online Responder, which is the server component. The Online Responder Web proxy cache represents the service interface for the Online Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI) extension hosted by Internet Information Services (IIS). When an application performs a certificate evaluation, the validation is performed on all certificates in that certificates chain. This includes every certificate from the end-entity certificate presented to the application to the root certificate. It is an online process and is designed to respond to single certificate status requests. Reference: Online Responder Installation, Configuration, and Troubleshooting Guide http://technet.microsoft.com/en-us/library/cc770413.aspx
Exam C QUESTION 1
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network consists of a server called contosoServer1 that has the Terminal Services role installed. You need to monitor contosoServer1 and prevent users from consuming more than 15 percent of the CPU resources in a day. You also need to ensure that the Administrators must not be limited by the amount of CPU resources that they can consume. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E. F.
Configure Reliability and Performance Create user-defined Data Collector Set Configure session policies Implement Windows System Resource Manager (WSRM) Configure user policies Create an Event Trace Session Data Collector Set
Answer: DE Section: Exam C Explanation/Reference:
To monitor contosoServer1 and prevent users from consuming more than 15 percent of the CPU resources in a day, you need to implement Windows System Resource Manager (WSRM), and configure user policies. Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. WSRM enables a system administrator to Set CPU and memory allocation policies on applications. This includes selecting processes to be managed, and setting resource usage targets or limits, Manage CPU utilization (percent CPU in use), Limit the process working set size (physical resident pages in use), apply policies to users or groups on a Terminal Services application server, apply policies on a date/time schedule and much more. WSRM maintains an updatable exclusion list of processes that shouldnt be managed because of the negative system impact such management could create. WSRM also applies limits to process working set size and committed memory consumption. WSRM does not manage address windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.
QUESTION 2
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run
Windows Server 2008 and all client computers run Windows Vista. The network consists of a server called contosoServer1that has Windows SharePoint Services (WSS) role installed. The server hosts are 30 SharePoint sites. You have been asked to optimize the performance of contosoServer1 by allocating the equal amount of system resources to each SharePoint site when CPU utilization exceeds 70 percent. Which of the following options would you choose to accomplish the given task? (Select Two. Each correct answer will present a part of the answer.)
A. B.
Configure each SharePoint site to use a separate application pool. Configure each SharePoint site to use a separate IP address. C. Implement Windows System Resource Manager (WSRM). D. Implement File Server Resource Manager (FSRM).
Answer: AC Section: Exam C Explanation/Reference:
To optimize the performance of contosoServer1 by allocating the equal amount of system resources to each SharePoint site when CPU utilization exceeds 70 percent, you need to configure each SharePoint site to use a separate application pool. Implement Windows System Resource Manager (WSRM). Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. WSRM enables a system administrator to Manage CPU utilization (percent CPU in use), Limit the process working set size (physical resident pages in use) and Set CPU and memory allocation policies on applications. This includes selecting processes to be managed, and setting resource usage targets or limits. WSRM maintains an updatable exclusion list of processes that shouldnt be managed because of the negative system impact such management could create. WSRM also applies limits to process working set size and committed memory consumption. WSRM does not manage address windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.
QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. You need to plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an e-mail notification is sent to an administrator if an application error occurs on any of the servers by using the minimum amount of administrative effort. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E. F. G.
On all servers, create event subscriptions for one server. On one server, create event subscriptions for each server. On one server, create an Event Trace Sessions Data Collector Set. On all servers, attach a task for the application error events. On the server, attach tasks to the application error events. On the servers, create a System Performance Data Collector Set. On the server, configure the report settings for the new Data Collector set.
Answer: BE Section: Exam C Explanation/Reference:
To plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an e-mail notification is sent to an administrator if an application error occurs on any of the servers by using the minimum amount of administrative effort, you need to create event subscriptions for each server on one server and attach tasks to the application error events. Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
QUESTION 4
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains 1,000 client computers that are connected to managed switches. You have been asked to ensure that users on the corporate network are unable to bypass network access restrictions and only client computers that have up-to-date service packs and anti-malware software installed can access the network. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E.
Implement Network Access Protection (NAP) Implement a Network Policy Server (NPS) Use 802.1x enforcement Use DHCP enforcement. Enable IPsec on the domain controllers.
F.
Enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed switches.
Answer: AC Section: Exam C Explanation/Reference:
To ensure that users on the corporate network are unable to bypass network access restrictions and only client computers that have up-to-date service packs and antimalware software installed can access the network, you need to implement Network Access Protection (NAP) that uses 802.1x enforcement. Network Access Protection (NAP) is one of the most desired and highly anticipated features of Windows Server 2008. NAP is a new platform and solution that controls access to network resources based on a client computers identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access. With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection. Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant. The validation and enforcement features of NAP can be integrated with software from other vendors or with custom programs. Note: NAP is not designed to protect a private network from malicious users. It is designed to help administrators maintain the system health of the computers on a private network. NAP is used in conjunction with authentication and authorization of network access, such as using IEEE 802.1X for wireless access.
QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains three Network Policy Server (NPS) servers that are configured as Remote Authentication Dial-In User Service (RADIUS) servers. The servers are named as contosoServer1, contosoServer2, and contosoServer3. The network also contains 30 wireless access points that are configured as a RADIUS client. Which of the following options would you choose to audit all access to the wireless access points? You need to ensure that in a minimum amount of cost the audit data is stored at a central location and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.
Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E. F. G. H.
Install Microsoft SQL Server 2005 Standard Edition on contosoServer1. Audit for account logon events on the domain controllers. Audit for logon events on the NPS servers. Configure RADIUS accounting by using local file logging on each server. Configure RADIUS accounting by using SQL logging on each server and use contosoServer1 as the data source. Configure RADIUS authentication. Forward all events from contosoServer2 and contosoServer3 to contosoServer1. Store the log files in an Internet Authentication Service (IAS) format on a shared folder on contosoServer1.
Answer: DH Section: Exam C Explanation/Reference:
To ensure that in a minimum amount of cost the audit data is stored at a central location and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to Configure RADIUS accounting by using local file logging on each server. Store the log files in an Internet Authentication Service (IAS) format on a shared folder on contosoServer1. Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network. When you create a new RADIUS client or modify the settings of an existing RADIUS client from the RADIUS Clients node of the Network Policy Server snap-in, there is a RADIUS client is NAP-capable check box .When this check box is selected, the NPS service sends NAP-specific RADIUS vendor-specific attributes (VSAs) in the AccessAccept message. When this check box is not selected, the NPS service does not send NAP-specific RADIUS VSAs in the RADIUS Access-Accept message.
QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the servers and domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains three Network Policy Server (NPS) servers that are configured as Remote Authentication Dial-In User Service (RADIUS) servers. The servers are named as contosoServer1, contosoServer2, and contosoServer3. The contosoServer1 runs Microsoft SQL Server 2005. The network also contains 30 wireless access points that are configured as a RADIUS client. Which of the following options would you choose to audit access to the wireless access points?
You need to ensure that the audit data is stored at a central location in a format that is simple to query and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E. F.
Audit for account logon events on the domain controllers Configure RADIUS accounting by using SQL logging on each server Use contosoServer1 as the database for RADIUS accounting Forward all security events from the NPS servers to contosoServer1 Audit for logon events on the NPS servers Forward all security events from contosoServer2 and contosoServer3 to contosoServer1
Answer: BC Section: Exam C Explanation/Reference:
To ensure that the audit data is stored at a central location in a format that is simple to query and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to configure RADIUS accounting by using SQL logging on each server. Use contosoServer1 as the database for RADIUS accounting. The Internet Authentication Service (IAS) in Microsoft Windows Server is the Microsoft implementation of a RADIUS server and proxy server. As a RADIUS server, IAS performs centralized authentication, authorization, and accounting (AAA) of various types of network connections. As a RADIUS proxy server, IAS can forward RADIUS requests to another RADIUS server for AAA. IAS can log to text logs or Microsoft SQL Server databases. Text based logging of RADIUS authentication and accounting information is disabled by default in IAS. You need to use contosoServer1 as the database for RADIUS accounting because SQL server is installed on contosoServer1. http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/ PGCH05.mspx?mfr=true
QUESTION 7
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run either Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista. The network contains five Windows Server 2003 servers that have the Terminal Server component installed and a firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. You have been assigned the task to create a remote access strategy for the terminal server users and ensure that the access of the network is restricted to the specific users
only. You also need to ensure that only minimum number of ports should be opened on the firewall and all remote connections to the terminal servers are encrypted. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E. F.
Implement port forwarding on the ISA Server. Implement SSL bridging on the ISA Server. Require authentication on all inbound connections to the ISA Server. Upgrade a Windows Server 2003 server to Windows Server 2008. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services connection authorization policy (TS CAP) on the server. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS RAP) on the server.
Answer: DE Section: Exam C Explanation/Reference:
To create a remote access strategy with desired requirements for the terminal server users, you need to implement the Terminal Services Gateway (TS Gateway) role, and configure a Terminal Services connection authorization policy (TS CAP). For this you need to upgrade a Windows Server 2003 server to Windows Server 2008. TS Gateway feature is available in Windows Server 2008. It allows the connection to internal Terminal servers and RDP-enabled machines from the outside, but unlike the term gateway used in the previous scenario, the Windows Server 2008 TS Gateway is a dedicated Terminal server using a specific service role called TS Gateway. This enables the external vendors to connect to it via SSL, pass a certain authentication process and policy evaluation, and only if allowed, it passes the RDP traffic to specified internal machines. These machines return the required data, and the TS Gateway then encrypts the data with SSL and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-based encryption, which easily passes through most firewalls without the need to open specific ports. For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. The use of TS CAP will ensure that the access of the network is restricted to specific users only. http://www.petri.co.il/creating-secure-auditable-remote-access-managementenvironment-windows-server-security.htm http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-TerminalServices-Gateway-Part2.html
QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the
company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The domain has 100 servers and 5,000 client computers. You have been assigned the task to recommend an application deployment strategy for the network. While designing the strategy, you need to ensure that the applications deployments must be scheduled to occur after office hours and must only be deployed to the client computers that meet the minimum hardware requirements. Besides, the detailed reports on the success or failure of the application deployments must be generated. Which of the following options would you choose to accomplish the desired goal?
A.
Use Microsoft System Center Operations Manager (SCOM) 2007 B. Use Microsoft System Center Configuration Manager (SCCM) 2007 C. Use Windows Software Update Services (WSUS) D. Deploy applications by using Group Policy
Answer: B Section: Exam C Explanation/Reference:
To recommend an application deployment strategy for the network, you need to implement Microsoft System Center Configuration Manager (SCCM) 2007. System Center Configuration Manager 2007 is the next version of Systems Management Server (SMS) 2003. Configuration Manager 2007 contributes to a more effective IT department by enabling secure and scalable operating system and application deployment and desired configuration management, enhancing system security, and providing comprehensive asset management of servers, desktops, and mobile devices. SCCM 2007s new maintenance, configuration-tracking and updated reporting features make it a must-have for large Windows sites. SCCM sports a new feature called Maintenance Windows that lets administrators schedule the best day and time for patches and updates for specific sets of computers and servers.
QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The servers on the network have the Terminal Services role enabled. You have been assigned the task to deploy a new line-of-business application to all client computers and ensure that the users must access the application from an icon on their desktops, even when they are not connected to the network. Which of the following options would you choose to accomplish the desired task?
A.
Publish the application as a TS RemoteApp. B. Assign the application to the terminal server by using a Group Policy object (GPO). C. Publish the application by using TS Web Access. D. Assign the application to all client computers by using a Group Policy object (GPO).
Answer: D Section: Exam C
There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. You can only publish applications to users, but you can assign applications to either users or to computers. Assigning an application is a group policy action, so the assignment wont take effect until the next time that the computer is rebooted. When the user does log in, they will see that the new application has been added to the Start menu and / or to the desktop. The deployment process actually installs the application rather than just the applications icon. You need to assign the application to all client computers and not to the terminal server because the application icon will be available to users on when it is installed on their client computers and not on terminal servers. http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications. html
QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains five servers on which Terminal Services role is installed. You have been assigned the task to create a Terminal Services server farm and ensure that the new users are automatically connected to the terminal server that has the fewest active sessions. You also need to ensure that the disconnected users are redirected to the server that contains their previous session. Which of the following options would you choose to accomplish the given task?
A.
Use Terminal Services Session Broker (TS Session Broker) B. Use Round-robin DNS C. Use Terminal Services Gateway (TS Gateway) D. Use Network Load Balancing (NLB)
Answer: A Section: Exam C Explanation/Reference:
To create a Terminal Services server farm with given requirements, you need to use Terminal Services Session Broker (TS Session Broker). Terminal Services Session Broker (TSSession Broker) is a role service in Windows Server 2008 that enables a user to reconnect to an existing session in a load-balanced terminal server farm. Additionally, Windows Server 2008 includes the new TSSession Broker Load Balancing feature. This feature enables you to distribute the session load between servers in a load-balanced terminal server farm. TSSession Broker stores session state information that includes session IDs and their
associated user names, and the name of the server where each session resides. In the second phase, the terminal server where the initial connection was made redirects the user to the terminal server that was specified by TSSession Broker. The redirection behavior is as follows: A user with an existing session will connect to the server where their session exists. A user without an existing session will connect to the terminal server that has the fewest sessions.
QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and use internal storage only and all client computers run Windows Vista. The network contains a file server. You have been assigned the task to deploy a client/ server application in minimum cost in such as way that it is available even if a single server fails. Which of the following features would you deploy to accomplish the desired task?
A. B.
Terminal Services RemoteApp (TS RemoteApp) Failover cluster that uses Node and File Share Disk Majority C. Distributed File System (DFS) that uses replication D. Failover cluster that uses No Majority: Disk Only
To deploy a client/server application in minimum cost in such as way that it is available even if a single server fails, you need to deploy a failover cluster that uses Node and File Share Disk Majority. The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the cluster configuration) or witness file share. It is essential that the cluster stop running if too many failures occur or if there is a problem with communication between the cluster nodes. Node and Disk Majority is (recommended for clusters with an even number of nodes) Can sustain failures of half the nodes (rounding up) if the witness disk remains online. For example, a six node cluster in which the witness disk is online could sustain three node failures. Can sustain failures of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a six node cluster with a failed witness disk could sustain two (3-1=2) node failures. Node and File Share Majority is (for clusters with special configurations) Works in a similar way to Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share.
Note: If you use Node and File Share Majority, at least one of the available cluster nodes must contain a current copy of the cluster configuration before you can start the cluster. Otherwise, you must force the starting of the cluster through a particular node.
QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains five Windows Server 2008 servers that have the Terminal Server component installed. You have been assigned the task to create a remote access strategy for the terminal server users and ensure that the remote users can access only specific resources on the internal network. You also need to ensure that all remote connections to the terminal servers are encrypted. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E.
Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS RAP) on the server. Require authentication on all inbound connections to the Server. Upgrade a Windows Server 2003 server to Windows Server 2008. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services connection authorization policy (TS CAP) on the server. Configure TS Gateway server to use an appropriate Secure Sockets Layer (SSL)compatible X.509 certificate.
Answer: AE Section: Exam C Explanation/Reference:
To create a remote access strategy for the terminal server users and ensure that the remote users can access only specific resources on the internal network, you need to configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS RAP) on the server. You also need to configure TS Gateway server to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate. TS Gateway allows the connection to internal Terminal servers and RDP-enabled machines from the outside. For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server. TS Gateway enables the external vendors to connect to it via SSL, pass a certain authentication process and policy evaluation, and only if allowed, it passes the RDP
traffic to specified internal machines. These machines return the required data, and the TS Gateway then encrypts the data with SSL and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-based encryption. http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-TerminalServices-Gateway-Part2.html
QUESTION 13
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The servers on the network have the Terminal Services role enabled. The Active Directory has two organizational units (OU) configured. One for all the user accounts called UserOU and other for all the client computer accounts called ClientsOU. You have been assigned the task to deploy a new application on the network and ensure that the users must access the application from an icon on the Start menu. Besides, you need to ensure that the application is available to remote users when they are offline. Which of the following options would you choose to accomplish the desired task?
A. B.
Publish the application to users in the ClientsOU as a TS RemoteApp. Assign the application to computers in the UsersOU by using a Group Policy object (GPO). C. Publish the application to users in the UsersOU by using a Group Policy object (GPO). D. Assign the application to computers in the ClientsOU by using a Group Policy object (GPO).
Answer: D Section: Exam C Explanation/Reference:
To deploy a new application on the network and ensure that the users must access the application from an icon on the Start menu, you need to assign the application to computers in the ClientsOU by using a Group Policy object (GPO). There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. You can only publish applications to users, but you can assign applications to either users or to computers. Assigning an application is a group policy action, so the assignment wont take effect until the next time that the computer is rebooted. When the user does log in, they will see that the new application has been added to the Start menu and / or to the desktop. The deployment process actually installs the application rather than just the applications icon. You need to assign the application to computers in the ClientsOU to link it to the computer rather than to the user. Assigning an application to a computer also differs from user assignments in that the deployment process actually installs the application rather
than just the applications icon. So the application is available to users in the ClientsOU even when they are offline. http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications. html
QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains five servers that form a Terminal Services server farm on the network. You have been assigned the task to ensure that the session load is equally distributed between the servers in a terminal server farm. Which of the following options would you choose to accomplish the given task?
A. B.
Implement Terminal Services Session Broker (TS Session Broker) feature Use Round-robin DNS Feature C. Use Terminal Services Gateway (TS Gateway) Feature D. Implement Network Load Balancing (NLB) Feature E. Implement TSASession Broker Load Balancing Feature
Answer: E Section: Exam C Explanation/Reference:
To ensure that the session load is equally distributed between the servers in a terminal server farm, you need to implement TSASession Broker Load Balancing Feature. Windows Server2008 includes the new TSSession Broker Load Balancing feature that enables you to distribute the session load between servers in a load-balanced terminal server farm.
QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Which of the following options would you choose to provide users of the network a collaboration solution that would allow them to remotely access the files by using a Web browser? They should be provided full-text indexing of all user content and a secure access to the files by assigning permissions. Besides, a support for the addition of more Web servers based on company growth is also available. Which of the following options would you choose to accomplish the desired task?
A. B.
The Application Server role Microsoft System Center Operations Manager (SCOM) C. The Web Server role
D. E.
The Terminal Services Server role Microsoft Office SharePoint Server 2007
Answer: E Section: Exam C Explanation/Reference:
To provide users of the network a collaboration solution that meets the given requirements, you need to use Microsoft Office SharePoint Server 2007. Microsoft Office SharePoint Server 2007 is a new server program that is part of the 2007 Microsoft Office system. Your organization can use Office SharePoint Server 2007 to facilitate collaboration, provide content management features, implement business processes, and supply Microsoft delivers a best-of-breed collaborative infrastructure that gives end users the tools to easily create their own workspaces and share assets across teams, departments, and organizations while maintaining IT control. In Office SharePoint Server 2007, content management is divided into three categories: document management records management Web content management Collect and validate information by using browser-based forms when you design form templates with Office InfoPath 2007 and deploy them to an Office SharePoint Server 2007 site, you can enable a setting that allows users to fill out forms by using a Web browser. That is because Office SharePoint Server 2007 employs InfoPath Forms Services technology, which- in addition to enabling the deployment of browser-based forms- provides a central location to store and manage form templates for your organization. When you publish a form template to an Office SharePoint Server 2007 site, you can distribute it not just on your corporate intranet, but also on external Web sites, such as extranet sites or corporate Web sites. Search in Office SharePoint Server 2007 provides new keyword syntax, including support for implicit industry standards for full text and property-based searching. Administration of security has also been greatly enhanced. Administrators can create user roles that determine the kind of information that can be viewed by users during a search. This access control can be broad or granular, as defined by the corporation. All of these tasks are administered through the Central Administration and SharePoint Services Portal interfaces, making security administration more usable and efficient.
QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers and the domain controllers in the domain run Windows Server 2008 and all client computers run Windows XP Service Pack 2. The network contains 10 servers and 500 client computers. One of the servers has Terminal Services installed. You have been assigned the task to deploy a new line-ofbusiness application and enable the desktop themes, which is a requirement of the application.
Your deployment strategy must only allow authorized users to access the application from any client computer by performing minimum changes to the client computers and in minimum software cost. Which of the following options would you choose to accomplish the desired task?
A. B. C. D. E. F.
Upgrade all client computers to Windows Vista. Deploy the Remote Desktop Connection (RDC) 6.0 software to the client computers. Use Group Policy object (GPO) to deploy the application to all client computers. Use Group Policy object (GPO) to deploy the application to the authorized users. Enable the Desktop Experience feature on the terminal server and install the application on the terminal server. Install the application on the terminal server and implement Terminal Services Session Broker (TS Session Broker).
Answer: BE Section: Exam C Explanation/Reference:
To deploy a new line-of-business application with given requirements, you need to deploy the Remote Desktop Connection (RDC) 6.0 software to the client computers. Enable the Desktop Experience feature on the terminal server. Install the application on the terminal server. Due to lower maintenance costs, many companies prefer to install their LOB applications on a terminal server and make these applications available through RemoteApps or Remote Desktop. Single sign-on makes it possible to give users a better experience by eliminating the need for users to enter credentials every time they initiate a remote session. Remote Desktop Connection (RDC)6.0 and RDC6.1 reproduce the desktop that exists on the remote computer on the users client computer. To make the remote computer look and feel more like the users local WindowsVista desktop experience, you can install the Desktop Experience feature on your Windows Server2008 terminal server. Desktop Experience installs features of WindowsVista, such as Windows Media Player 11, desktop themes, and photo management.
QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista Service Pack 1. Some employees of the company use laptop computers and work remotely from home. You have been assigned the task to suggest a data provisioning infrastructure to secure sensitive files on the network from being accessed by unauthorized remote users. In your plan you need to ensure that the sensitive files must be stored in an encrypted format and must be encrypted while they are transmitted over the Internet. They should however be accessible by remote users over the Internet. Which of the following options would you choose to accomplish the desired goal?
A.
Deploy a Windows SharePoint Services site that can be accessible to remote users by using a Secure Socket Transmission Protocol (SSTP) connection. B. Use Encrypting File System (EFS) to encrypt the folders that store sensitive files. Use Secure Socket Transmission Protocol (SSTP) to allow access to files to remote users. C. Configure a Network Policy and Access Server (NPAS) to act as a VPN server. Use IPsec connection to the VPN server to allow access to files to remote users. D. Deploy two Windows SharePoint Services sites, one site for internal users and other site for remote users. Publish the SharePoint sites by using HTTPS.
To ensure that the sensitive files must be stored in an encrypted format and must be encrypted while they are transmitted over the Internet, you need to store all sensitive files in folders that are encrypted by using Encrypting File System (EFS). Require remote users to access the files by using Secure Socket Transmission Protocol (SSTP). Microsoft EFS allows users to store confidential information on a computer when people who have physical access to a computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Another layer of security is added by encrypting sensitive files by means of EFS. SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access Server role in Windows Server 2008. SSTP allows for Pointto-Point Protocol (PPP) packets to be encapsulated over HTTP. This allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this allows for a VPN connection to be established through an HTTP proxy device. http://www.securitysoftwarezone.com/vista-and-windows-server-2008-encryption-brokenreview968-6.html
QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains a server that has the Terminal Services server role installed. The server runs six custom applications that are configured as Terminal Services RemoteApps on it. Recently, some of the users have reported that when one of the applications is run by the remote users, the other applications become unresponsive and the server seems slow. To solve the problem, you decide to ensure that active user sessions receive equal access to system resources. Which of the following options would you choose to accomplish the desired goal?
A. B.
Reliability and Performance Monitor Terminal Services Session Broker C. Implement Terminal Services Web Access D. Implement Windows System Resource Manager
Answer: D Section: Exam C Explanation/Reference:
To ensure that active user sessions receive equal access to system resources, you need to implement Windows System Resource Manager. Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. WSRM applies limits to process working set size and committed memory consumption.
QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Most of the domain users are mobile and need to log on to the domain from multiple computers. You have been assigned the task to provide a data provisioning solution that ensures that user documents are not stored on the local client computer and users must have access to their Documents folder regardless of the client computer that they use. In your solution you also need to reduce the log on time to the domain. Which of the following options would you choose to accomplish the desired task?
A.
Logon scripts B. Roaming user profiles C. Folder redirection D. Configure offline files
Answer: C Section: Exam C Explanation/Reference:
To provide a data provisioning solution that ensures that user documents are not stored on the local client computer and users must have access to their Documents folder regardless of the client computer that they use, you need to configure folder redirection. Folder Redirection is a way to place data in a set of folders in the user profiles on the network. Folder Redirection is a Group Policy setting that allows you to configure a set of special folders, such as the My Documents folder, from the local computer on to the network. The My Documents folder is the location on the Windows 2000 desktop where the user can save their documents and graphic files. For example, you can redirect the My Documents folder, usually stored on the computers local hard disk, to a network location so that the documents in the folder are available to that user from any computer on the network.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/ dseb_ovr_syul.mspx?mfr=true
QUESTION 20
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. For both the head office and the branch office an Active Directory site is available. You have been assigned the task to deploy file servers in each office and design a file sharing strategy. Your file sharing strategy should ensure that the users in both offices must be able to access the same files using the same Universal Naming Convention (UNC) path to access files. You design must ensure the use of minimum amount of bandwidth used to access files and the availability of files even if a server fails. Which of the following options would you choose to accomplish the desired goal?
A.
A multi-site failover cluster having one of the servers located in the head office and the other located in the branch office. B. A stand-alone DFS namespace that uses replication. C. A domain-based DFS namespace that uses replication. D. A Network Load Balancing cluster having one of the servers located in the head office and the other located in the branch office.
To deploy file servers in each office and design a file sharing strategy with given requirements, you need to deploy a domain-based DFS namespace that uses replication. The domain based namespaces require all servers to be members of an Active Directory domain. These types of environments support automatic synchronization of DFS targets. The namespace root namespace is based on a combination of the servers NetBIOS name and a root name, and is listed in the DNS. In a domain environment, a server is capable of hosting multiple DFS roots. Using multiple replicas provides you with a degree of scalability. Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than over burdening a single server. Another reason for having multiple DFS replicas is because doing so provides you with a degree of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you against network link failures.
QUESTION 21
You are an Enterprise administrator for contoso.com. Your company possesses a stand-
alone root certification authority (CA) for the corporate network. The corporate network contains a Windows Server 2008 server called contosoServer1. You issue a server certificate to contosoServer1 and deploy Secure Socket Tunneling Protocol (SSTP) on contosoServer1 for secure browsing. Which of the following options would you choose to ensure that the external partner computers would be allowed to access internal network resources by using SSTP?
A.
Terminal Services Session Broker role service B. Firewall to allow inbound traffic on TCP Port 1723 C. Root CA certificate on external computers D. Network Access Protection (NAP) on the network
To ensure that the external partner computers would be allowed to access internal network resources by using SSTP, you need to deploy the Root CA certificate to the external computers. SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access server role in Windows Server 2008. SSTP allows for Pointto-Point Protocol (PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this feature allows for a VPN connection to be established through an HTTP proxy device. Generally, if the client computer is joined to the domain and if you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may need to Root CA certificate to the external computers. Reference: How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures in Windows Server 2008 http://support.microsoft.com/kb/947031
QUESTION 22
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All domain controllers on the corporate network run Windows Server 2008 and all client computers run either Windows Vista or Windows XP Service Pack 1. The corporate network contains 100 servers and 5,000 client computers. Which of the following options would you choose to implement a VPN solution that allows you to store VPN passwords as encrypted text and provide support for Suite B cryptographic algorithms? Besides it should support client computers that are configured as members of a
workgroup and allow automatic enrollment of certificates. (Select three. Each correct answer will form a part of the answer.)
A. B. C. D. E. F.
Upgrade the client computers to Windows Vista. Upgrade the client computers to Windows XP Service Pack 2. Implement an enterprise certification authority (CA) that is based on Windows Server 2008. Implement a stand-alone certification authority (CA). Implement an IPsec VPN that uses pre-shared keys. Implement an IPsec VPN that uses certificate-based authentication.
Answer: ACF Section: Exam C Explanation/Reference:
To implement a VPN solution that allows you to store VPN passwords as encrypted text and provide support for Suite B cryptographic algorithms, you need to Upgrade the client computers to Windows Vista and implement an enterprise certification authority (CA) that is based on Windows Server 2008. Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 (SP1) and in Windows Server 2008. Suite B is a set of standards that are specified by the National Security Agency (NSA). Suite B includes Encryption algorithms. To support client computers that are configured as members of a workgroup and allow automatic enrollment of certificates, you need to Implement an IPsec VPN that uses certificate-based authentication. IPSec deployments can take advantage of certificate-based authentication via industrystandard x.509 digital certificates. ADCS in Windows Server 2008 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use ADCS to enhance security by binding the identity of a person, device, or service to a corresponding public key. ADCS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments. Reference: Description of the support for Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 and in Windows Server 2008 http://support.microsoft.com/kb/949856 Reference: iPhone and Virtual Private Networks (VPN) http://images.apple.com/iphone/enterprise/docs/iPhone_VPN.pdf.
Exam D QUESTION 1
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. You have been assigned the task to ensue that all the users of the company can access their Documents folder regardless of the client computer that they use. Which of the following options would you choose to accomplish the desired task?
A.
Logon scripts B. Folder redirection C. Configure offline files D. Local User profiles
Answer: B Section: Exam D Explanation/Reference:
To provide a data provisioning solution that ensures that user documents are not stored on the local client computer and users must have access to their Documents folder regardless of the client computer that they use, you need to configure folder redirection. Folder Redirection is a way to place data in a set of folders in the user profiles on the network. Folder Redirection is a Group Policy setting that allows you to configure a set of special folders, such as the My Documents folder, from the local computer on to the network. The My Documents folder is the location on the Windows 2000 desktop where the user can save their documents and graphic files. For example, you can redirect the My Documents folder, usually stored on the computers local hard disk, to a network location so that the documents in the folder are available to that user from any computer on the network. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/ dseb_ovr_syul.mspx?mfr=true
QUESTION 2
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. All the servers in the network run Windows Server 2008 and all client computers run Windows Vista. Each office has a domain controller and file servers. You have been asked to plan the deployment of Distributed File System (DFS) on the network and ensure that users can access the data locally and are allowed to see only the folders to which they have access permissions. You also need to ensure the use of minimum bandwidth while data replication. Which of the following options would you choose to accomplish the desired task?
A.
A stand-alone DFS namespace that uses DFS replication and has access-based enumeration enabled
B.
A stand-alone DFS namespace that uses File Replication Service (FRS) and have access-based enumeration enabled C. A domain-based DFS namespace that uses File Replication Service (FRS) and modify each share to be a hidden share D. A domain-based DFS namespace that uses DFS replication and modify each share to be a hidden share
Answer: A Section: Exam D Explanation/Reference:
To plan the deployment of Distributed File System (DFS) on the network and ensure that users can access the data locally and are allowed to see only the folders to which they have access permissions, you need to deploy a stand-alone DFS namespace and has access-based enumeration enabled. Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than over burdening a single server. Standalone namespaces do allow you to use multiple folder targets for fault tolerance purposes. In case you are not familiar with folder targets, the basic idea is that each folder target typically hosts a replica of the data thats associated with a DFS folder. Using multiple folder targets allows you to achieve a degree of fault tolerance, and offers better performance than if the data were only stored in a single location. Domain-based DFS namespace requires an Active directory domain, which is not available here. Access-based enumeration allows users to see only files and folders on a file server to which they have permission to access. This feature is not enabled by default for namespaces (though it is enabled by default on newly-created shared folders in Windows Server2008), and is only supported in a DFS namespace when the namespace is a standalone namespace hosted on a computer running Windows Server2008, or a domain-based namespace by using the Windows Server2008 mode.
QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of servers that run Windows Server 2008 and client computers run Windows Vista. You have been asked to design a storage strategy so that a distributed database application can be deploy on the network that runs on multiple servers. While designing the storage strategy, you need to ensure that you use existing network infrastructure and standard Windows management tools. You also need to ensure that the storage space is allocated to servers as and when required and that the data is available if a single disk fails. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)
A.
A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS). B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.
C. D.
An iSCSI disk storage subsystem that supports Microsoft Multipath I/O. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS). E. Configure the storage subsystem as a RAID 5 array. F. Configure the storage subsystem as a RAID 0 array.
Answer: DE Section: Exam D Explanation/Reference:
To design a storage strategy so that a distributed database application can be deploy on the network that runs on multiple servers with given requirements, you need to deploy an iSCSI disk storage subsystem that supports Virtual Disk Service (VDS) and configure the storage subsystem as a RAID 5 array. Microsoft iSCSI Software Target option enables you to implement an iSCSI SAN with storage provisioning and management capabilities. Managed via the Microsoft Management Console, administrators can create and manage iSCSI targets and iSCSI virtual disks, as well as schedule, export, and locally mount snapshots for use in backup and recovery operations. An iSCSI disk storage subsystem supports Virtual Disk Service (VDS) and Microsoft Multipath I/O. Virtual Disk Service (VDS) is a Windows service for managing volumes. Administrators now have a single interface that works with different vendors, if that vendor supplies a VDS hardware provider for their networked storage device. This same interface also works with directly attached storage, providing a unified view of all disks and volumes, regardless of being connected via SCSI, Fiber Channel, iSCSI or PCI RAID. VDS exposes the complex functionality provided by these storage hardware vendors and scales up to enterprise configurations. Multipath I/O cannot be used because it only provides ability to use more than one physical path to access a storage device, providing improved system reliability and availability via fault tolerance and/or load balancing of the I/O traffic. RAID 5 is the most powerful form of RAID that can be found in a desktop computer system. It provides increased storage array performance and Full data redundancy. RAID 0 cannot be used because it is the lowest designated level of RAID. It is actually not a valid type of RAID. It was given the designation of level 0 because it fails to provide any level of redundancy for the data stored in the array. Thus, if one of the drives fails, all the data is damaged. http://blogs.technet.com/josebda/archive/2007/10/25/the-basics-of-the-virtual-diskservices-vds.aspx
QUESTION 4
You are an Enterprise administrator for contoso.com. The company has a head office and two branch offices that connect with each other by using a WAN link. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Each office contains a file server and the office users use the local file server to store data on it. The users also have access to data from the other offices.
You have been assigned that task to plan a data access solution and ensure that folders that are stored on the file servers must be available to users in both offices and users must be able to access all files even when the WAN link fails. Besides this the network bandwidth usage between offices is minimized. Which of the following options would you choose to accomplish the desired goal?
A.
Implement Distributed File System Replication (DFSR) on the file servers in both the offices. B. On one of the servers, configure Distributed File System (DFS) and on the other, configure the Background Intelligent Transfer Service (BITS). C. Configure File Server Resource Manager (FSRM) and File Replication Service (FRS) on both the servers. D. On one of the servers, configure File Server Resource Manager (FSRM) and on the other configure File Replication Service (FRS).
To plan a data access solution and ensure that folders that are stored on the file servers must be available to users in both offices and users must be able to access all files even when the WAN link fails, you need to implement Distributed File System Replication (DFSR) on the file servers in both the offices. Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than over burdening a single server. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the SYSVOL folder in domains that use the Windows Server2008 domain functional level. DFS Replication service has a totally revamped replication engine that uses a new replication algorithm called Remote Differential Compression (RDC). This new algorithm replicates only the changes to files and not the files themselves, which means that DFS now works much better over slow WAN links than before. In addition, the new replication engine supports bandwidth throttling and replication scheduling, plus it operates on a multimaster replication model.
QUESTION 5
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains a Microsoft SQL Server 2005 that has two RAID 1 arrays and one RAID 5 array configured. You have been assigned the task to allocate hard disk space on the server and ensure maximum performance of the SQL Server application and minimum loss of write
performance if a hard disk drive fails. You also need to prevent the loss of data if a single hard disk drive fails. Which of the following options would you choose to achieve the desired goal?
A.
Use RAID 1 arrays to place OS files and SQL database files and RAID 5 array to place SQL transaction logs. B. Use RAID 5 array to place types of files. C. Use RAID 1 arrays to place OS files and SQL transaction logs and RAID 5 array to place SQL database files. D. Use RAID 5 arrays to place OS files and RAID 5 array to place SQL transaction logs and SQL database files.
Answer: C Section: Exam D Explanation/Reference:
To allocate hard disk space on the server and meet other requirements, you need to place the operating system files on one of the RAID 1 arrays. Place the SQL transaction logs on the other RAID 1 array and place the SQL database files on the RAID 5 array. RAID version 1 was the first real implementation of RAID. It provides a simple form of redundancy for data through a process called mirroring. This form typically requires two individual drives of similar capacity. One drive is the active drive and the secondary drive is the mirror. When data is written to the active drive, the same data is written to the mirror drive. This provides a full level of redundancy for the data on the system. If one of the drives fails, the other drive still has all the data that existed in the system. It is best to place OS files because it provides full redundancy of data. It does not increase performance therefore it is not fit to store SQL database files. For SQL database files you should use RAID 5 array because it is the most powerful form of RAID that can be found in a desktop computer system. This method uses a form of striping with parity to maintain data redundancy. The parity bit shifts between the drives to increase the performance and reliability of the data. The drive array will still have increased performance over a single drive because the multiple drives can write the data faster than a single drive. The data is also fully redundant because of the parity bits. In the case of drive 2 failing, the data can be rebuilt based on the data and parity bits on the two remaining drives. Data capacity is reduced due to the parity data blocks.
QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The company has recently merged with a partner company called TechKing.com and started using a Windows Server 2008 server of that company called TechKingServer1. The server has five internal SCSI hard disks that are connected to an onboard SCSI controller.
You have planned to deploy the TechkingServer1 as a file server and place it in your companys premises. You have to now plan for a storage strategy that ensures that the user data is physically separated from the operating system data and maximum disk space is available for the data storage. You also need to ensure that if disk fails, the integrity of the data is maintained on the server and the operating system server can start successfully. To achieve this, you only want to use the hardware that is available on the server. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer)
A. B. C. D. E. F. G.
Allocate three disks to a single RAID 5 volume for the user data. Allocate four disks to a single RAID 5 volume for the user data. Allocate three disks to a striped volume for the user data. Allocate two disks to a mirrored volume for the operating system data. Allocate one disk to a simple volume for the operating system data. Allocate three disks to a mirrored volume for the operating system data. Allocate all the disks to a single RAID 5 volume for the user data and for the operating system data.
Answer: AD Section: Exam D Explanation/Reference:
To ensure that if disk fails, the integrity of the data is maintained on the server and the operating system server can start successfully, you need to allocate three disks to a single RAID 5 volume for the user data and allocate two disks to a mirrored volume for the operating system data. Two disks to a mirrored volume for the operating system data are created using RAID version 1, which is the first real implementation of RAID. It provides a simple form of redundancy for data through a process called mirroring. This form typically requires two individual drives of similar capacity. One drive is the active drive and the secondary drive is the mirror. When data is written to the active drive, the same data is written to the mirror drive. This provides a full level of redundancy for the data on the system. If one of the drives fails, the other drive still has all the data that existed in the system. It is best to place OS files because it provides full redundancy of data. A single RAID 5 volume for the user data is best because it is the most powerful form of RAID that can be found in a desktop computer system. This method uses a form of striping with parity to maintain data redundancy. The parity bit shifts between the drives to increase the performance and reliability of the data. A minimum of three drives is required to build a RAID 5 array and they should be identical drives for the best performance. The drive array will still have increased performance over a single drive because the multiple drives can write the data faster than a single drive. The data is also fully redundant because of the parity bits. In the case of drive 2 failing, the data can be rebuilt based on the data and parity bits on the two remaining drives. Data capacity is reduced due to the parity data blocks.
QUESTION 7
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows XP Service Pack 1. You have been assigned the task to plan the deployment of Distributed File System (DFS) to provide redundancy in the event that a single server fails in the minimum cost. You also need to ensure that the client computers reconnect to their preferred server after a server failure is resolved. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer)
A.
Upgrade all client computers to Windows XP Service Pack 2. B. Upgrade all client computers to Windows Vista. C. Implement a stand-alone DFS namespace, create folders, add multiple targets, and enable the clients fail back to preferred targets option. D. Implement a domain-based DFS namespace, add a second namespace server, and enable the clients fail back to preferred targets option.
Answer: AD Section: Exam D Explanation/Reference:
To plan the deployment of Distributed File System (DFS) with the given requirements, you need to upgrade all client computers to Windows XP Service Pack 2 to use DFS and implement a domain-based DFS namespace. You need to then add a second namespace server and enable the Clients fail back to preferred targets option. Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than over burdening a single server. Domain based namespaces should be used here because Domain based namespaces require all servers to be members of an Active Directory domain. The DFS supports automatic synchronization of DFS targets. In a domain environment, a server is capable of hosting multiple DFS roots that provides you with a degree of scalability. Another reason for having multiple DFS replicas is because doing so provides you with a degree of fault tolerance.DFS can also provide fault tolerance from the standpoint of protecting you against network link failures. You should add a second namespace server and enable the Clients fail back to preferred targets option to ensure a client failback on the namespace (or on specific folders in your namespace). So, when the failed target comes back online the client will fail back to that target as its preferred target. If your WAN links are unreliable, you might find your clients frequently accessing different targets for the same folder. This can be a problem, for by default, DFS caches referrals for a period of time (300 seconds or 5 minutes) so if a target server suddenly goes down the client will keep trying to connect to the target and give an error instead of making the resource available to the client from a different target. To prevent this from happening
(especially non-optimal targets), you can configure a client failback to preferred targets option on the namespace. http://www.windowsnetworking.com/articles_tutorials/Configuring-DFS-Namespaces.html Reference: Planning a DFS Architecture, Part 1/ Planning a DFS Architecture, Part 2 / Domain-Based Namespaces http://www.petri.co.il/planning-dfs-architecture-part-one.htm
QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains a server that has the File Server role installed. The company has a few users who use portable computers that run Windows Vista Business Edition. These users sometimes access the corporate network from the remote locations. You have been asked to design a data storage solution that ensures that remote users are able to choose the documents that will be available when they are away from the network. You also need to ensure that users need to store only minimum number of documents on their portable computers and that time that users take to log in to the network is reduced. Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the answer)
A. B. C. D. E. F.
Configure offline files Deploy roaming profiles Use local profiles Implement folder redirection Enable automatic caching Enable manual caching
Answer: AF Section: Exam D Explanation/Reference:
To design a data storage solution that ensures that remote users are able to choose the documents that will be available when they are away from the network configure offline files and enable manual caching. Offline Files allows you to keep using network files, folders, and applications when disconnected from the network. The biggest beneficiaries of the Offline Files feature are users of mobile computers who frequently connect and disconnect from the network to use their computers at home or on the road. Now mobile users can be assured that they are working with the most up-to-date versions of network files, navigate through mapped network drives even when disconnected, and easily synchronize changes with the network when they plug back into the network. In Manual Caching For Documents option, the only documents that will be cached are those that the user specifically designates to be available offline.
The Automatic Caching For Documents cannot be used because with this option, when a user opens a file in this shared folder, it will be automatically downloaded and made available offline without the user specifying that it be an offline file. Older copies of a file will be deleted automatically to make room for files that have been accessed more recently. With this option, a file that the user has not opened while online will not be available offline.
QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and use internal storage only and all client computers run Windows Vista. You have been assigned the task to deploy a six node cluster on the network. You need to ensure that the cluster services are available even if two nodes of the cluster fail. Which of the following features would you deploy to accomplish the desired task?
A. B.
Terminal Services RemoteApp (TS RemoteApp) Failover cluster that uses Node and File Share Disk Majority C. Distributed File System (DFS) that uses replication D. Failover cluster that uses No Majority: Disk Only
Answer: B Section: Exam D Explanation/Reference:
To ensure that the cluster services are available even if three nodes of the cluster fail, you need to deploy a failover cluster that uses Node and File Share Disk Majority. The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the cluster configuration) or witness file share. It is essential that the cluster stop running if too many failures occur or if there is a problem with communication between the cluster nodes. Node and Disk Majority is (recommended for clusters with an even number of nodes) Can sustain failures of half the nodes (rounding up) if the witness disk remains online and can sustain failures of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a six node cluster with a failed witness disk could sustain two (3-1=2) node failures.
QUESTION 10
You are an Enterprise administrator for TestKing.com. The company has a head office and a branch office that connect with each other by using WAN links. The corporate network of the company consists of a single Active Directory domain and an Active Directory site exists for each office. All the servers in the domain run Windows Server 2008 Enterprise Edition and all client
computers run Windows Vista. You have been assigned the task to deploy a failover cluster solution to service users in both offices. The cluster must maintain the availability of services using minimum number of servers when a single server fails. Which of the following options would you choose to accomplish the desired task?
A.
Deploy a failover cluster that contains two nodes in each office, head office and branch office. B. Deploy a failover cluster that contains two nodes in the head office. C. Deploy a failover cluster that contains one node in the head office. D. Deploy a failover cluster that contains one node in each office head office and branch office.
Answer: D Section: Exam D Explanation/Reference:
To deploy a failover cluster solution to service users in both offices and maintain the availability of services using minimum number of servers when a single server fails, you need to deploy a failover cluster that contains one node in each office head office and branch office. Windows Server 2008 supports the shared-nothing cluster model, in which two or more independent servers, or nodes, share resources; each server owns and is responsible for managing its local resources and provides nonsharing services. In case of a node failure, the disks, resources, and services running on the failed node fail over to a surviving node in the cluster. For example, if an Exchange server is operating on node 1 of the cluster and it crashes, the Exchange application and services will automatically fail over to node 2 of the cluster. This model minimizes server outage and downtime. Only one node manages one particular set of disks, cluster resources and services at any given time.
QUESTION 11
You are an Enterprise administrator for contoso.com. The network of your company contains 4,000 client computers located on a single subnet and two DHCP servers. The DHCP servers are named DHCP1 and DHCP2. A router that has a single IP address on the internal interface separates the internal network from the Internet. DHCP1 has the following scope information: Starting IP address: 172.16.0.1 Ending IP address: 172.16.15.255 Subnet mask: 255.255.224.0 You need to configure DHCP2 in such a way that the network gets a fault-tolerant DHCP infrastructure and all client computers are be able to obtain a valid IP address if a DHCP server fails. Which of the following options would you choose to configure the DHCP2?
A.
Create a scope for the subnet 172.16.8.0/19. Configure the scope to use a starting IP address of 172.16.16.1 and an ending IP address of 172.16.31.254. B. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254. C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254. D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.
The subnet mask 255.255.224.0 means a /19 subnet. For load balancing you need to ensure that the DHCP2 should be configured on the same network therefore, you need to select answer A where the subnet is 172.16.0.0/19. The /19 network can contain IP address range from 172.16.0.1 to 172.16.31.255, which means 8190 total hosts can be configured. DHCP1 already contains the IP address range from 172.16.0.1 to 172.16.15.255 to serve 4000 hosts. In case of the failure of DHCP1, another IP address range is required for the 4000 computers that the network has. Therefore DHCP2 can contain the range of 172.16.16.1 to 172.16.31.254.
QUESTION 12
You are an Enterprise administrator for contoso.com. Which of the following options would you choose to configure a fault-tolerant DHCP infrastructure in your company where two DHCP servers exist? You need to ensure that all client computers are able to obtain a valid IP address if a single DHCP server fails. The corporate network of the company contains 1,000 DHCP client computers that are located on a single subnet. The DHCP servers are named as contosoDHCP1 and contosoDHCP2. A router having single IP address on the internal interface is also configured on the corporate network to separate the internal network from the Internet. The contosoDHCP1 is configured with following scope information: Starting IP address: 172.16.0.1 Ending IP address: 172.16.7.255 Subnet mask: 255.255.240.0 How should you configure contosoDHCP2?
A.
Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254. B. Create a scope for the subnet 172.16.8.0/21. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.10.254. C. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254.
D.
Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.
The subnet mask 255.255.240.0 means a /20 subnet. For load balancing you need to ensure that the DHCP2 should be configured on the same network therefore, you need to select answer A where the subnet is 172.16.0.0/20. The /20 network can contain IP address range from 172.16.0.1 to 172.16.15.255, which means 4000 total hosts can be configured. DHCP1 already contains the IP address range from 172.16.0.1 to 172.16.7.255 to serve 1000 hosts. In case of the failure of DHCP1, another IP address range is required for the 1000 computers that the network has. Therefore DHCP2 can contain the range of 172.16.8.1 to 172.16.15.254.
QUESTION 13
You are an Enterprise administrator for contoso.com. The company consists of a branch office and a head office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The servers in both the offices are independent of each other and share resources. You want to deploy a clustering solution that ensures high availability minimum downtime for the servers on the network. You need to ensure that if a node fails, the disks, resources and services running on the failed node fail over to a surviving node in the cluster. Which of the following options would you choose to accomplish the desired task?
A. B.
Create a Network Load Balancing cluster. Create two application pools on each Web server. C. Configure a Web garden on each Web server. D. Configure a failover cluster.
To ensure that if a node fails, the disks, resources and services running on the failed node fail over to a surviving node in the cluster, you need to configure a failover cluster. Windows Server 2008 supports the shared-nothing cluster model, in which two or more independent servers, or nodes, share resources; each server owns and is responsible for managing its local resources and provides nonsharing services. In case of a node failure, the disks, resources and services running on the failed node fail over to a surviving node in the cluster. This model minimizes server outage and downtime. Only one node manages one particular set of disks, cluster resources and services at any given time.
QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest that contains an Active Directory domain. All the servers in the domain run Windows Server 2003 and all client computers run Windows Vista. The domain contains eight domain controllers. You upgraded one of the domain controllers to Windows Server 2008 called contosoDC1. During the upgrade some of the Active Directory object gets deleted. You need to recover the deleted objects and plan for a recovery solution that ensures that allow deleted objects to be recovered for up to one year after the date of deletion. Which of the following options would you choose to accomplish the desired task?
A.
On contosoDC1, enable shadow copies of the drive that contains the Ntds.dit file. B. Configure daily backups of contosoDC1. C. Increase the interval of the garbage collection process for the forest. D. Increase the tombstone lifetime for the forest.
To recover the deleted objects and plan for a recovery solution that allow deleted objects to be recovered for up to one year after the date of deletion, you need to increase the tombstone lifetime for the forest If you need to restore your domain controller, or you need to make an authoritative restore of Active Directory, you need a backup which is younger than 60 days (by default). The objects that get deleted from Active Directory will remain as a tombstone. The Tombstone is the object with limited attributes, such as the GUID, Name and SID of the object, and the mark that its deleted. The garbage collection of Active Directory takes care to finally delete tombstones which are older than the tombstone-lifetime. To avoid inconsistencies in object deletion, the tombstone lifetime is configured to be many times larger than the worst-case replication latency. By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if necessary.
QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista. You have been assigned the task to implement a backup and recovery plan that restores the domain controllers in the event of a catastrophic server failure. In your plan, you cannot use optical drives for backup because according to the companys policy, the domain controllers cannot contain optical drives for security reasons. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)
A.
Use Windows Server Backup to back up each domain controller to a local disk.
B.
Use Windows Server Backup to back up each domain controller to a remote network share. C. Create a Windows Recovery Environment (Windows RE) partition on each domain controller. D. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE).
Answer: BD Section: Exam D Explanation/Reference:
To implement a backup and recovery plan that restores the domain controllers in the event of a catastrophic server failure, you need to use Windows Server Backup to back up each domain controller to a remote network share. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. In case of disasters like hard disk failures or catastrophic server failure you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment. You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE). Windows Deployment Services enables you to deploy Windows operating systems by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Therefore, you can avoid the use of optical drive for backup.
QUESTION 16
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains 3 file servers store user documents. You have been assigned the task to implement a data recovery strategy that ensures that ensures that all data volumes on the file server must be backed up daily without creating much impact on performance. The recovery strategy must also be able to restore individual files if a disk fails. Besides, the users must be able to retrieve previous versions of files without the intervention of an administrator. Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the solution.)
A. B. C. D. E. F.
Use Windows Server Backup to perform a daily backup to an external disk. Use Windows Server Backup to perform a daily backup to a remote network share. Deploy File Server Resource Manger (FSRM). Deploy Windows Automated Installation Kit (WAIK). Enable shadow copies for the volumes that contain shared user data. Store the shadow copies on a separate physical disk. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies in the default location.
Answer: AE
Section: Exam D Explanation/Reference:
Use Windows Server Backup to perform a daily backup to an external disk. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies on a separate physical disk. FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server 2008. You can use FSRM to enhance your ability to manage and monitor storage activities on your file server. The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event Log Integration, E-mail Notifications, and Automated Scripts. You use a Quota function to manage disk usage on a volume in the File Server Resource Manager (FSRM) and then you can enable the Shadow Copies feature on the volume. Shadow Copies for Shared Folders uses the Volume Shadow Copy Service to provide point-in-time copies of files that are located on a shared network resource, such as a file server. With Shadow Copies for Shared Folders, users can quickly recover deleted or changed files that are stored on the network without administrator assistance, which can increase productivity and reduce administrative costs. Shadow copies allow users to retrieve previous versions of files on their own without the intervention of an administrator. By default shadow copies are stored on the same drive volume of shared folders being backed up. As a best practice, you should store the shadow copies on a separate physical disk as an extra fault tolerance measure. http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008fsrm-file-server-resource-manager.aspx
QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista. You have been assigned the task to implement a backup and recovery plan that restores the domain controllers and the client computers in the event of a catastrophic server failure. Besides recovering the domain controller, you also want a provision to restore items from client computers by choosing a backup and then selecting specific items from that backup to restore. You want to restore an item by choosing the date of the backup version for the item you want to restore. You want make sure that the backup is not taken on an optical drive. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)
A.
Use Windows Server Backup to back up each domain controller and the client computers to a local disk. B. Use Ntbackup.exe tool to back up each domain controller and the client computers to a local disk.
C.
Use Windows Server Backup to back up each domain controller to a remote network share. D. Create a Windows Recovery Environment (Windows RE) partition on each domain controller. E. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE).
Answer: CE Section: Exam D Explanation/Reference:
To implement a backup and recovery plan that restores the domain controllers and the client computers in the event of a catastrophic server failure, you need to use Windows Server Backup to back up each domain controller to a remote network share. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can restore items by choosing a backup and then selecting specific items from that backup to restore. You can recover specific files from a folder or all the contents of a folder. In addition, previously, you needed to manually restore from multiple backups if choose the date of the backup version for the item you want to restore. In case of disasters like hard disk failures or catastrophic server failure you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment. You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE). Windows Deployment Services enables you to deploy Windows operating systems by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Therefore, you can avoid the use of optical drive for backup.
QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains 20 file servers contains two volumes, one for operating system and the other for the data files. You have been assigned the task to plan a recovery strategy that ensures the server continuity in case of the server failures. The recovery strategy must ensure the operating system and the data files to be restored in the minimum amount of time. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)
A. B.
Windows Automated Installation Kit (WAIK) Windows Deployment Services (WDS) C. Windows Recover Disk feature D. Windows Server Backup feature
E. F.
Volume Shadow Copies Folder redirection G. Windows Complete PC Restore

Answer: DG Section: Exam D Explanation/Reference:
To plan a recovery strategy that ensures the server continuity in case of the server failures, you need to use the Windows Server Backup feature and Windows Complete PC Restore Complete PC Backup and Restore is a comprehensive, image-based backup tool to help you out of a tight spot if you need to recover your entire system.While file restore is useful in cases of file loss and data corruption, Windows Complete PC Restore is most useful for disaster recovery when your PC malfunctions. Complete PC Backup and Restore is capable of restoring your entire PC environment, including the operating system, installed programs, user settings, and data files. http://www.microsoft.com/singapore/windows/products/windowsvista/features/details/ completepcbackup
QUESTION 19
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains 3 servers, a file server, a database server, and a messaging server. You have been assigned the task to provide a backup infrastructure to create consistent backups of open files and applications, database server, and the messaging server. The solution must also be able to minimize the interruption to applications. Which of the following options would you choose to accomplish the desired task?
A.
Use Windows Server Backup to perform a daily backup to an external disk. B. Use Windows Server Backup to perform a daily backup to a remote network share. C. Enable volume shadow copy service for the volumes that needs to be backed up. D. Enable shadow copies for the volumes that contain shared user data.
To create consistent backups of open files and applications, database server, and the messaging server without interrupting the applications, you need to enable shadow copies for the volumes that need to be backed up. Applications that are running often keep their files open continuously. For backup, this can present a problem because this prevents backup applications from accessing and copying these files to backup media. Additionally, backing up servers that are running critical applications such as databases or messaging services presents a unique
challenge. These applications run in a volatile state as a result of extensive optimizations that deal with huge flows of transactions and messages. Because these applications keep their data in a constant flux between memory and disk, it is difficult to pinpoint the data that needs to be archived. The most straightforward solution is to interrupt the application during backup, which puts the data into a stable state, but might result in unacceptable amounts of downtime, particularly if the applications are large. For both problems, the Volume Shadow Copy Service provides a solution by enabling a snapshot of the data at a given point in time, while minimizing the interruption to applications.
QUESTION 20
You are an Enterprise administrator for contoso.com. The company has a head office and 20 branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Each branch office contains a file server that stores users data. You have been assigned the task to design a strategy for backing up the file servers and ensure that the backups are scheduled, allow individual file recovery and a complete server recovery. Besides this, your backup strategy must provide decentralized control over backups and recovery in minimum administrative effort. Which of the following options would you choose to accomplish the desired task?
A.
Use Windows Server Backup to back up volumes to DVD. B. Configure Volume Shadow Copies. C. Use Windows Server Backup to back up to an external USB drive. D. Install the Windows Recovery Disc feature and then create a Scheduled task that runs recdisc.exe.
To design a strategy for backing up the file servers and ensure that the backups are scheduled, allow individual file recovery and a complete server recovery, you need to use Windows Server Backup to back up to an external USB drive. Backup to USB drives are easy and simple. It provides software and hardware features to make connecting any USB device just about as foolproof as possible. Most backup software now supports USB devices. External USB drives are highly portable and can be used to back up several computers on the same drive. You cannot use Windows Server Backup to back up volumes to DVD because Windows Server Backup doesnt support system state or file level backups and restores when using DVDs. And you cant schedule backups to DVD.
QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest called contoso.com. The forest contains five domains. The domain controllers on the network run Windows Server 2008 and have the DNS server role installed. You company has decided to replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for name resolution. Which of the following options would you choose to plan the infrastructure for name resolution to support IPv4 and IPv6 environments, enable single-label name resolution across all domains, and minimizing the amount of NetBIOS over TCP/IP (NetBT) traffic on the network?
A.
Implement custom Active Directory replication partition and modify each DNS zone to replicate as part of it. B. Configure each DNS zone to perform a WINS forward lookup. C. Configure each DNS zone to replicate to each DNS server in the forest. D. Configure a GlobalNames zone on each domain controller.
To replace a legacy Windows Internet Name Service (WINS) environment with a DNSonly environment for name resolution with given requirements, you need to configure a GlobalNames zone on each domain controller. The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to assist organizations to move away from WINS and allow organizations to move to an all-DNS environment. Unlike WINS, The GlobalNames zone is not intended to be used for peer-to-peer name resolution. The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all name resolution will rely on DNS. It supports dual IPv4 and IPv6 environment and use only DNS for name resolution. Reference: Understanding the New GlobalNames Zone Functionality in Windows Server 2008 http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zonein-windows-server-2008/ Reference: DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-988307a427af1560/DNS-GlobalNames-Zone-Deployment.doc
Exam E QUESTION 1
You are an Enterprise administrator for contoso.com. All the servers on the network run either Windows Server 2008 or Windows Server 2003 servers and all client computers run Windows Vista. The network contains a Windows Server 2003 server that runs Web-based application called WebApp1. You have been assigned the task to migrate the Web-based application to Windows Server 2008. To migrate the WebApp1, you need to prepare the server for the application. The server must support the installation of .NET applications and the server configuration must ensure that the application is available to all users if a single server fails in the minimum software cost? (Select two. Each correct answer will present a part of the answer)
A. B. C. D. E. F.
Install the full installation of Windows Server 2008 Datacenter Edition on two servers. Install the Server Core installation of Windows Server 2008 Standard Edition on two servers. Install the full installation of Windows Server 2008 Enterprise Edition on two servers. Install the full installation of Windows Server 2008 Web Edition on two servers. Configure the servers in a failover cluster. Configure the servers in a Network Load Balancing cluster.
Answer: DF Section: Exam E Explanation/Reference:
To migrate the Web-based application to Windows Server 2008, you need to install the full installation of Windows Server 2008 Web Edition on two servers. Configure the servers in a Network Load Balancing cluster. Network load balancing is native to all editions of Windows Server 2008. Unlike failover clustering, NLB does not require any special hardware. Network load balancing (NLB), Windows Server 2008s other high-availability alternative, enables an organization to scale server and application performance by distributing TCP/ IP requests to multiple servers, also known as hosts, within a server farm. This scenario optimizes resource utilization, decreases computing time and ensures server availability. Typically, service providers should consider network load balancing if their customer situation includes, but is not limited to, Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access servers. Reference: Failover clustering, network load balancing drive high availability http:// searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION 2
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.
The client computers in the company run many applications, all applications all of which are configured to save documents to the local Documents folder. You need to therefore plan a backup strategy for the Documents folder for all the users in minimum amount of administrative effort. Which of the following options would you choose to accomplish the desired goal?
A.
Deploy agents to all client computers using System Center Operations Manager. B. Create a shared folder on a file server and then configure scheduled backups on each client computer to store the backup files on the shared folder. C. Use Group Policy objects (GPO) to implement folder redirection and then back up the folder redirection target. D. Run Windows Server Backup from a server and connect to each client computer.
Answer: C Section: Exam E Explanation/Reference:
To plan a backup strategy for the Documents folder for all the users in minimum amount of administrative effort, you need to use Group Policy objects (GPO) to implement folder redirection and then back up the folder redirection target. Folder Redirection is a Group Policy feature which enables you to redirect the system folders containing the profile of a user on the network. Through the use of the Folder Redirection feature, you can configure that the system folders contents on the user remains the same, irrespective of the particular computer which the user utilizes to log on to the system. The system folders for which you can configure folder redirection include My Documents folder. Redirecting the My Documents folder ensures that users can access their data from any computer. Because redirected folder data is stored on a network server, you can back up the data to an offline storage media. Reference: Implementing Folder Redirection using Group Policy http://www.tech-faq.com/ implementing-folder-redirection-using-group-policy.shtml
QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. You perform a full backup of the domain controllers every day. Which of the following options would allow you to implement an Active Directory recovery strategy that allows objects in a backup to be compared to objects in the live Active Directory database? (Select two. Each correct answer will present a part of the solution.)
A.
Restore the backup to a domain controller in a test forest. B. Restore the backup to an alternate location. C. Restore the backup to the original location. D. Mount the database using the Active Directory Database Mounting Tool (Dsamain. exe).
E. F.
Use the Activate Directory Installation wizard to create a new domain controller. Create a snapshot using the Active Directory Service Utilities (Ntdsutil.exe).
Answer: BD Section: Exam E Explanation/Reference:
To plan a recovery strategy for Active Directory objects, you need to restore the backup to an alternate location. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe). The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organizations by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. You need to restore the backup to an alternate location so that you can compare the data. Reference: Active Directory Database Mounting Tool Step-by-Step Guide http://technet. microsoft.com/en-us/library/cc753609.aspx
QUESTION 4
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The company has created a web site which requires a very high availability and a high scalability for the success of the company. You therefore publish the Web site on two Web servers. You have to now deploy an availability solution for your Web servers and ensure that the Web site is accessible even if a single server fails and the addition of more Web servers can be done for the website without interrupting client connections. Which of the following options would you choose to create to accomplish the desired task?
A. B.
A Network Load Balancing cluster A failover cluster C. Application pools on each Web server D. A Web farm on each Web server
Answer: A Section: Exam E Explanation/Reference:
To deploy an availability solution for your Web servers and ensure that the Web site is accessible even if a single server fails and the addition of more Web servers can be done for the website without interrupting client connections, you need to create a Network Load Balancing cluster. Network load balancing (NLB), Windows Server 2008s other high-availability alternative,
enables an organization to scale server and application performance by distributing TCP/ IP requests to multiple servers, also known as hosts, within a server farm. This scenario optimizes resource utilization, decreases computing time and ensures server availability. Typically, service providers should consider network load balancing if their customer situation includes, but is not limited to, Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access servers. When designing and implementing NLB server farms, its common to start off with two servers for scalability and high availability and then add additional nodes to the farm as Clearly, failover clustering and network load balancing with Windows Server 2008 provide service providers with options when designing and implementing high availability for their customers mission-critical servers and applications. Reference: Failover clustering, network load balancing drive high availability http:// searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The network contains two DHCP servers called contosoDHCP1 and contosoDHCP2 and 500 DHCP client computers that are located on a single subnet. A router that has a single IP address on the internal interface separates the internal network from the Internet. contosoDHCP1 server is configured with: Starting IP address: 172.16.0.1 Ending IP address: 172.16.3.254 Subnet mask: 255.255.248.0 Which of the following options would you choose to provide a fault-tolerant DHCP infrastructure for the company that supports the client computers on the internal network? You need to configure DHCP2 to ensure that all client computers must be able to obtain a valid IP address if a DHCP server fails.
A.
Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254. B. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254. C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254. D. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.4.1 and an ending IP address of 172.16.7.254.
Answer: D Section: Exam E Explanation/Reference:
The subnet mask 255.255.248.0 means a /21 subnet. For load balancing you need to ensure that the DHCP2 should be configured on the same network therefore, you need to select answer D where the subnet is 172.16.0.0/21.
The /21 network can contain IP address range from 172.16.0.1 to 172.16.7.255, which means 2048 total hosts can be configured. DHCP1 already contains the IP address range from 172.16.0.1 to 172.16.3.254 to serve 500 hosts. In case of the failure of DHCP1, another IP address range is required for the 500 computers that the network has. Therefore DHCP2 can contain the range of 172.16.4.1 to 172.16.7.254. Reference: Subnet Addressing http://www.networkcomputing.com/unixworld/tutorial/001.html Reference: Effects of Subnetting a Class B Network http://www.weird.com/~woods/ classb.html
QUESTION 6
You are an Enterprise administrator for contoso.com. The company has a head office and four branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Your network is configured as shown in the following diagram. Each office contains a File Server that has a shared folder called SharedData. You have been assigned the task to ensure the data availability of the SharedData folder in all of the offices when a WAN link fails or a single server fails. You also need to ensure
that the users must be able to use existing drive mappings in case of WAN link or a server failure and minimum network traffic over the WAN links. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer)
A.
Stand-alone DFS namespace B. Domain-based DFS namespace C. Having DFS Replication in a hub and spoke topology D. Having DFS Replication in a full mesh topology
Answer: BC Section: Exam E Explanation/Reference:
To ensure the data availability of the SharedData folder in all of the offices when a WAN link fails or a single server fails, you need to implement a domain-based DFS namespace that uses DFS Replication in a hub and spoke topology. Domain based namespaces require all servers to be members of an Active Directory domain. These types of environments support automatic synchronization of DFS targets. In a domain environment, a server is capable of hosting multiple DFS roots. It allows you to distribute the user workload across multiple DFS replicas rather than over burdening a single server. In case a single server fails the other servers can take over. Two pre-defined topologies can be selected for DFS Replication. In this scenario DFS Replication in a hub and spoke topology should be used. In this topology every hub member replicates with the hub member, and if desired you can add a second hub member for fault tolerance (the two hub members replicate with each other). The hub and spoke topology is have a particular use for enterprises that have large headquarters where the companys permanent IT staff are located and multiple small branch offices with little or no on-site IT staff present. Full Mesh topology cannot be used because it will cause too much network traffic. This is because every member of the replication group replicates with every other member of the group. The full mesh topology is useful mainly in large LAN environments where all subnets have high speed connectivity and you are using DFS Namespaces together with DFS Replication to provide fault-tolerant shared file resources to users. Reference: Planning a DFS Architecture, Part 1/ Planning a DFS Architecture, Part 2 / Domain-Based Namespaces http://www.petri.co.il/planning-dfs-architecture-part-one.htm Reference: Configuring and Using DFS Replication http://www.windowsnetworking.com/articles_tutorials/Configuring-Using-DFS-Replication. html
QUESTION 7
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office that connect with each other by using WAN links. The corporate
network of the company consists of a single Active Directory domain and an Active Directory site exists for each office. All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers run Windows Vista. You have been assigned the task to deploy a failover cluster solution to service users in both offices. Your failover cluster solution must use minimum number of servers and ensure that the availability of services if a single server fails. Which of the following options would you choose to accomplish the desired goal?
A.
Deploy a failover cluster that contains two nodes in each office, head office and branch office. B. Deploy a failover cluster that contains two nodes in the head office. C. Deploy a failover cluster that contains one node in the head office. D. Deploy a failover cluster that contains one node in each office head office and branch office.
To deploy a failover cluster solution to service users in both offices, you need to Deploy a failover cluster that contains one node in each office head office and branch office Windows Server 2008 supports the shared-nothing cluster model, in which two or more independent servers, or nodes, share resources; each server owns and is responsible for managing its local resources and provides nonsharing services. In case of a node failure, the disks, resources and services running on the failed node fail over to a surviving node in the cluster. For example, if an Exchange server is operating on node 1 of the cluster and it crashes, the Exchange application and services will automatically fail over to node 2 of the cluster. This model minimizes server outage and downtime. Only one node manages one particular set of disks, cluster resources and services at any given time. Failover clustering, network load balancing drive high availability. http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION 8
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. You have been asked to deploy a distributed database application on a Windows Server 2008 server and design a storage strategy that allocates storage space to servers as required, isolates storage traffic from the existing network, and ensures that data is available if a single disk or a single storage controller fails. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer)
A.
A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).
B.
A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O. D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS). E. Configure the storage subsystem as a RAID 5 array. F. Configure the storage subsystem as a RAID 0 array.
C. Answer: BE Section: Exam E Explanation/Reference:
To deploy a distributed database application on a Windows Server 2008 server and design a storage strategy with given requirements, you need to implement a Fibre Channel (FC) disk storage subsystem that uses Microsoft Multipath I/O and configure a RAID 5 array. The fibre channel (FC) technology and FC switches between servers and storage to create a Storage Area Network (SAN). The connectivity the switches provide allows the connection of more than one server to a storage system. This reduces the number of storage systems required. This would allow a distributed database application multiple servers and design a storage strategy that allocates storage space to servers as required. Multipath I/O (MPIO) is a feature that provides support for using multiple data paths to a storage device. Multipathing increases availability by providing multiple paths (path failover) from a server or cluster to a storage subsystem. If a server supports Microsoft Multipath I/O (MPIO), Storage Manager for SANs can provide path failover by enabling multiple ports on the server for LUN I/O traffic. To prevent data loss in a Fibre Channel environment, make sure that the server supports MPIO before enabling multiple ports. (On an iSCSI subsystem, this is not needed: the Microsoft iSCSI initiator (version 2.0) that is installed on the server supports MPIO.) Reference: Support for Multipath I/O http://technet.microsoft.com/en-us/library/cc771719.aspx Reference: Using Fibre Channel to Reduce SCSI Storage Costs http://dothill.com/assets/pdfs/storage_costs.pdf
QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network is not connected to the Internet. The network contains a file server that contains a shared folder in which remote network users save files. Which of the following options would you choose to design a data provisioning solution that ensure that only authorized remote users who are not connected to the corporate network must be able to access the files and the folders in the corporate network? (Select two. Each correct answer will present a part of the solution.)
A.
Configure caching on the shared folder B. Configure offline files to use encryption
C. D.
Implement a certification authority (CA) Configure Encrypting File System (EFS) for the drive that hosts the files E. Configure IPsec domain isolation F. Implement Windows SharePoint Services 3.0 G. Enable Secure Socket Layer (SSL) encryption
Answer: AB Section: Exam E Explanation/Reference:
To design a data provisioning solution that ensure that only authorized remote users who are not connected to the corporate network must be able to access the files and the folders in the corporate network, you need to configure caching on the shared folder. The caching feature of Shared Folders ensures that users have access to shared files even when they are working offline with no access to the network. Next you need to configure offline files to use encryption, so that only authorized users can access the files on the shared folder. Reference: Set Caching Options for Shared Folders http://technet.microsoft.com/en-us/ library/cc755136.aspx
QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains 100 servers and 5,000 client computers. Microsoft Office Outlook 2007 is installed on all the client computers. Recently the marketing department has received a custom application needs to be run by all the employees of the department. The application requires access to Outlook 2003. Which of the following options would you choose to suggest an application deployment strategy for the network that would ensure that access to both Outlook 2003 and Outlook 2007 is provided without creating a conflict between Outlook 2003 and Outlook 2007 and the other applications installed on the computers? You also need to ensure that 50 concurrent sessions are supports and the additional training requirements are minimized.
A.
Use a Microsoft Application Compatibility Toolkit (ACT) application compatibility shim for all the computers in the marketing department. B. Install Outlook 2003 on a server and enable Remote Desktop on it. C. Configure the Terminal Services server role on a server, install Outlook 2003 on the terminal server, and publish Outlook 2003 as a TS RemoteApp. D. Use a Group Policy object (GPO) to assign Outlook 2003 to all computers in the marketing department.
Answer: C Section: Exam E
To suggest an application deployment strategy for the network to meet the given requirements, you need to configure the Terminal Services server role on a server. Install Outlook 2003 on the terminal server and Publish Outlook 2003 as a Terminal Services RemoteApp (TS RemoteApp). With Terminal Services, organizations can provide access to Windows-based programs from almost any location to almost any computing device. Terminal Services in Windows Server 2008 includes Terminal Services RemoteApp (TSRemoteApp). RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end users local computer. Instead of being presented to the user in the desktop of the remote terminal server, the RemoteApp program is integrated with the clients desktop, running in its own resizable window with its own entry in the taskbar. Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session. With TSRemoteApp you do not have to deploy and maintain different versions of the same program for individual computers. If employees need to use multiple versions of a program, you can install those versions on one or more terminal servers, and users can access them through TSRemoteApp.
QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista. Which of the following options would you choose to plan a network access solution that ensure that only client computers that have the most up-to-date service packs can be granted general network access and all noncompliant client computers must be redirected to a specific Web site?
A. B.
Use Windows Server Update Service (WSUS) Use Active Directory Rights Management Services (AD RMS) C. Use Domain Isolation D. Use Network Access Protection (NAP)
Answer: Section: Exam E Explanation/Reference:
To plan a network access solution that ensure that only client computers that have the most up-to-date service packs can be granted general network access and all noncompliant client computers must be redirected to a specific Web site, you need to implement Network Access Protection (NAP). Network Access Protection (NAP) is one of the most desired and highly anticipated
features of Windows Server 2008. NAP is a new platform and solution that controls access to network resources based on a client computers identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access. With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant. The validation and enforcement features of NAP can be integrated with software from other vendors or with custom programs. Note NAP is not designed to protect a private network from malicious users. It is designed to help administrators maintain the system health of the computers on a private network. NAP is used in conjunction with authentication and authorization of network access, such as using IEEE 802.1X for wireless access. Reference: Network Access Protection Platform Overview http://technet.microsoft.com/hi-in/library/bb878083(en-us).aspx Reference: Security and Policy Enforcement http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx
QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. You install an application on a Windows Server 2008 failover cluster that contains a node named contosoServer1. Which of the following options would you choose to ensure that 50 percent of the processor utilization and the memory utilization can be reserved for the application execution? (Select Two. Each correct answer will present a part of the answer.)
A. B. C. D. E. F. G.
Implement Windows System Resource Manager (WSRM) Implement File Server Resource Manager (FSRM) Implement Storage Manager for SANs (SMfS) Configure a resource-allocation policy for user-based management Configure a resource-allocation policy for process-based management Configure quotas Configure the LUN Management settings
Answer: AE Section: Exam E Explanation/Reference:
To ensure that 50 percent of the processor utilization and the memory utilization can be
reserved for the application execution, you need to implement Windows System Resource Manager (WSRM) and configure a resource-allocation policy for processbased management. Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. WSRM enables a system administrator to Manage CPU utilization (percent CPU in use), Limit the process working set size (physical resident pages in use) and Set CPU and memory allocation policies on applications. This includes selecting processes to be managed, and setting resource usage targets or limits. WSRM maintains an updatable exclusion list of processes that shouldnt be managed because of the negative system impact such management could create. WSRM also applies limits to process working set size and committed memory consumption. WSRM does not manage address windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.
QUESTION 13
Which of the following options would you choose to monitor the performance of 200 Windows Server 2008 servers and generate alerts when the average processor usage is higher than 70 percent for 15 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload?
A.
Deploy Microsoft System Center Configuration Manager (SCCM). B. Install Windows System Resource Manager (WSRM). C. Configure Microsoft Windows Reliability and Performance Monitor. D. Deploy Microsoft System Center Operations Manager (SCOM).
To generate alerts when the average processor usage is higher than 90 percent for 20 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload, you need to Deploy Microsoft System Center Operations Manager (SCOM). System Center Operations Manager 2007(SCOM 2007) is a new version of Microsoft Operations Manager 2005(MoM). It is the end to end service monitoring solution that lets you monitor clients, events, services, applications, network devices rather than just servers. It provides integration with Active Directory for user authentication and agent discovery. It provides active directory integration, Service Oriented Monitoring, Self-Tuning Threshold, Enhanced Reporting, windows computers monitoring and much more. Reference: From MOM to SCOM http://pcquest.ciol.com/content/enterprise/2007/107070501.asp
Reference: Self Tuning Thresholds love and hate http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-loveand-hate.aspx

QUESTION 14
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008. The company consists of 10,000 computers. Which of the following options would you choose to design a storage architecture for Windows Server Update Services (WSUS) updates to ensure that the WSUS updates are highly available?
A.
Configure the WSUS servers to use a RAID 0 hardware controller and then store the WSUS updates on each WSUS server. B. Use a remote file share to store the WSUS updates. C. Store the WSUS updates on a multi-homed network file server. Create two host (A) resource records for the WSUS servers. D. Store the WSUS updates on a Distributed File System (DFS) link that uses multiple replicating targets.
Distributed File System (DFS) is a strategic storage management solution that gives administrators a more flexible way to centrally manage their distributed resources. With DFS, administrators can create simplified views of folders and files, that is, a virtual organization called a namespace, regardless of where those files physically reside in a network. You should create a single file location that is available to all the front-end WSUS servers. Even if you do not store updates locally, you will need a location for End User License Agreement files. You may wish to do so by storing them on a Distributed File System share. It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller. Reference: Step 4: Set up a DFS share http://technet.microsoft.com/en-us/library/cc708533.aspx
QUESTION 15
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008. Several servers on the corporate network of the company run Windows Server Update Services (WSUS) and distribute updates to all computers on the internal network. The company has many remote users that connect the internal network from their personal computers using a split-tunnel VPN connection.
You need to deploy a patch management strategy to deploy updates on the remote users computers network. While deploying the solution, you need to ensure that the required updates are approved on the WSUS servers before they are installed on the client computers within minimum the bandwidth use?
A.
Implement client-side targeting by create a Group Policy object (GPO). B. Create and configure a computer group for the remote users computers to use the internal WSUS server. C. Deploy and configure an additional WSUS server to leave the updates on the Microsoft Update Web site and then configure the remote users to use the additional WSUS server. D. Use the Connection Manager Administration Kit (CMAK) to create a custom connection and deploy it to all of the remote users computers.
To deploy a patch management strategy that deploys updates on the remote users computers, you need to deploy an additional WSUS server. Configure the remote users computers to use the additional WSUS server. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site. WSUS is a client-pull system, not a server-push. That is, the client initiates the connection and downloads, not the server. As long as they can communicate, they will. Also keep in mind that the connection is not continuous. The client only checks in once a day. It also uses BITS to transfer the downloads, so if the VPN connection is disconnected in the middle, it will automatically recover when it next connects to the server. BITS will also attempt to not saturate you bandwidth, but a problem with BITS is that it measures bandwidth by the connection at your network device (NIC, modem, etc), not the bandwidth along the entire path to the server. Of course, this may have changed in more recent version of BITS. Reference: WSUS Forums>Technical Support>WSUS 3 Server http://www.wsus.info/forums/index.php?showtopic=11464
QUESTION 16
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008. The corporate network contains a Windows Server 2008 server that runs Windows Server Update Services (WSUS), which was configured to store updates locally. The company has recently opened a few satellite offices that are connected to the main office using a dedicated WAN link. Which of the following options would you choose to design a patch management strategy to ensure that WSUS updates are approved from a central location and WAN traffic is minimized between the branch office and the satellite offices?
A. B. C. D. E. F.
For each satellite office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as a replica of the main office WSUS server. Configure each satellite office WSUS server as an autonomous server. Configure different schedules to download updates from the main office WSUS server to the client computers in each satellite office. Configure each satellite office WSUS server to use the main office WSUS server as an upstream server.
Answer: BF Section: Exam E Explanation/Reference:
To design a patch management strategy to ensure that WSUS updates are approved from a central location and WAN traffic is minimized between the branch office and the satellite offices, you need to install a WSUS server in each satellite office and configure each satellite office WSUS server as a replica of the branch office WSUS server. A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server that an administrator has to manually configure computer groups and update approvals on. All information downloaded and configured on to an upstream server is replicated directly to all of the devices configured as downstream servers. Using this method you will save a great deal of bandwidth as only one computer is constantly updating from the Internet. More importantly however, you will save a countless amount of time since you are only managing one server now from a software standpoint. Reference: Deploying Microsoft Windows Server Update Services http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-WindowsServer-Update-Services.html
QUESTION 17
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. A server on the corporate network of the company run Windows Server Update Services (WSUS) and distributes updates to all computers on the internal network after obtaining updates online from the Microsoft Update Web site. Recently a network segment of the corporate network is disconnected from the rest of the network. The users on the disconnected network segment reported that they cannot access the Internet and the WSUS server. Which of the following options would you choose to recommend a patch management strategy to deploy updates to the computers that are on the disconnected network segment?
A. B. C. D. E. F.
Deploy a WSUS server on the secure network. Download the wsusscn2.cab file from the Microsoft Update Web site. Copy the wsusscn2.cab file to a computer on the secure network. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS server on the secure network. From the online WSUS server, regularly copy the web.config file and the default Web site home directory to the WSUS server on the secure network. Scan the entire secure network by running Microsoft Baseline Security Analyzer against the wsusscn2.cab file that you downloaded.
Answer: AD Section: Exam E Explanation/Reference:
To recommend a patch management strategy to deploy updates to the computers that are on the disconnected network segment, you need to deploy a WSUS server on the secure network. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS server on the secure network. If your environment demands a network segment be disconnected from the Internet, or disconnected from the rest of your network altogether, dont think you need to resort to the sneaker net method of patch distribution. Simply build a stand-alone WSUS server and import updates from removable media such as tape or DVD-ROM. The process of exporting the updates from an Internet-connected server, and then importing them into your disconnected one is well documented in the WSUS Deployment Guide. However, here are the steps at a high level to give you an idea of the process: 1. Build your stand-alone WSUS server and configure its language and express installation options to match that of the Internet-connected WSUS server that will provide updates. 2. Copy the update content directory from the Internet-connected WSUS server to removable media. Remember that this content directory may be quite large (multigigabytes) so you may need to resort to tape, dual-layer DVD, or external USB hard drive. 3. Export and copy the update metadata from the Internet-connected WSUS servers database to removable media. 4. Copy the update content from removable media onto the disconnected WSUS server. 5. Import the update metadata from removable media into the disconnected WSUS servers database. Reference: Advanced Deployment Options / Offline Updates http://www.wsuswiki.com/AdvDeployOptions
QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Several servers on the corporate network of the company run Windows Server Update Services (WSUS) and distribute updates to all computers on the internal network. The WSUS server is configured to store updates locally.
The company has recently opened four new satellite offices that are connected to the main office by using a dedicated WAN link. Internet access to the users of the satellite office is provided through the main office. Which of the following options would you choose to design a strategy for patch management that ensures that the WSUS updates are approved independently for each satellite office with the use of minimum Internet traffic? (Select two. Each correct answer will present a part of the solution.)
A. B. C. D. E. F.
For each satellite office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as a replica of the main office WSUS server. Configure each satellite office WSUS server as an autonomous server. Configure different schedules to download updates from the main office WSUS server to the client computers in each satellite office. Configure each satellite office WSUS server to use the main office WSUS server as an upstream server.
Answer: BF Section: Exam E Explanation/Reference:
To design a strategy for patch management that ensures that the WSUS updates are approved independently for each satellite office and the minimum Internet traffic used, you need to install a WSUS server in each satellite office and then configure each satellite office WSUS server to use the main office WSUS server as an upstream server. A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server that an administrator has to manually configure computer groups and update approvals on. All information downloaded and configured on to an upstream server is replicated directly to all of the devices configured as downstream servers. Using this method you will save a great deal of bandwidth as only one computer is constantly updating from the Internet. More importantly however, you will save a countless amount of time since you are only managing one server now from a software standpoint. Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves.
QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run
Windows Server 2008 and all client computers run Windows Vista. Which of the following options would you choose to design a Windows Server Update Services (WSUS) infrastructure that ensures that the updates are distributed from a central location and all computers must continue to receive updates in the event that a server fails? (Select two. Each correct answer will present a part of the solution.)
A. B. C. D. E. F. G.
Configure a single WSUS server to use multiple downstream servers. Configure two WSUS servers in a Microsoft SQL Server 2005 failover cluster. Configure a Microsoft SQL Server 2005 failover cluster. Configure each WSUS server to use a RAID 1 mirror and a local database. Configure each WSUS server to use a local database. Configure each WSUS server to use a RAID 5 array and a local database. Configure two WSUS servers in a Network Load Balancing cluster and then Configure WSUS to use the remote SQL Server 2005 database instance.
Answer: CG Section: Exam E Explanation/Reference:
To design a Windows Server Update Services (WSUS) infrastructure that ensures that the updates are distributed from a central location and all computers must continue to receive updates in the event that a server fails, you need to: Configure a Microsoft SQL Server 2005 failover cluster. Configure two WSUS servers in a Network Load Balancing cluster. Configure WSUS to use the remote SQL Server 2005 database instance. Network load balancing (NLB) is a strategy that can keep networks running even if one (or more) servers go offline. It can be used in conjunction with WSUS, but requires special steps at setup time. You should set up WSUS for NLB after configuring your SQL Server 2005 database as a failover cluster. Reference: Appendix C: Configure WSUS for Network Load Balancing http://technet. microsoft.com/en-us/library/cc708533.aspx
QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Several servers on the corporate network of the company run Windows Server Update Services (WSUS) and distribute updates to all computers on the internal network. The company has many remote users that connect the internal network from their personal computers using a split-tunnel VPN connection. Which of the following options would you choose to deploy a patch management strategy that deploys updates on the remote users computers? While deploying the solution, you need to ensure that the bandwidth use over the VPN connections is minimized and the required updates are approved on the WSUS servers before they are installed on the client computers?
A. B.
Perform client-side targeting using a GPO. Create and configure a computer group for the remote users computers to allow them to use the internal WSUS server. C. Deploy an additional WSUS server for the remote users computers. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site. D. Use Connection Manager Administration Kit (CMAK) to create a custom connection and then deploy the custom connection to all of the remote users computers.
To deploy a patch management strategy that deploys updates on the remote users computers, you need to deploy an additional WSUS server. Configure the remote users computers to use the additional WSUS server. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site. Microsoft Windows Server Update Services (WSUS) is the Microsoft provided solution for enterprise patch management. Using WSUS, network administrators can manage and deploy software updates for all of the Microsoft products in a network Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves. In a typical WAN scenario the bandwidth is a restriction. It is common that remote network locations will have a high speed connection to the internet but a rather low speed link back to the main office, such as through a VPN. In these cases, an upstream server can manage update approvals, but those remote downstream servers can be configured to download the approved updates directly from the Internet as opposed to the upstream server. Therefore you need to configure the additional WSUS server to leave the updates on the Microsoft Update Web site. Reference: Deploying Microsoft Windows Server Update Services http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-WindowsServer-Update-Services.html
QUESTION 21
You are an Enterprise administrator for contoso.com. The company consists of a head office and three branch offices. The corporate network of the company consists of a single Active Directory domain. Each office contains an Active Directory domain controller. Which of the following options would you choose to create a DNS infrastructure for the network that would allow the client computers in each office to register DNS names within their respective offices? You also need to ensure that the client computers must be able to resolve names for hosts in all offices.
A.
For each office site, create a standard primary zone.
B.
For the head office site, create a standard primary zone and for each branch office site, create an Active Directory-integrated stub zone. C. For the head office site, create a standard primary zone at the head office site and for each branch office site, create a secondary zone. D. Create an Active Directory-integrated zone at the head office site.
To create a DNS infrastructure for the network that would allow the client computers in each office to register DNS names within their respective offices and to ensure that the client computers must be able to resolve names for hosts in all offices, you need to create an Active Directory-integrated zone at the head office site. Active Directory Integrated zones, store their zone information within Active Directory instead of text files. This ensures that the client computers can resolve names for hosts in all offices. The advantages of this new type of zone included using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database. Reference: DNS Stub Zones in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
Exam F QUESTION 1
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The company consists of 30 database servers. An organizational unit (OU) called Data exists in AD domain that stores the computer accounts for these database servers. Another OU called Admin exists for the user accounts of the database administrators. The database administrators are also the members of a global group called Data_Admins. Which of the following options would you choose to allow the database administrators to perform administrative tasks on the database servers while preventing them from performing administrative tasks on other servers?
A.
For Admin OU, deploy a group policy. B. In the Domain Admins global group, add the Data_Admins users. C. In the Server Operators domain local group, add the Data_Admins users. D. Deploy a group policy to the Data OU.
Answer: D Section: Exam F Explanation/Reference:
To allow the database administrators to perform administrative tasks on the database servers while preventing them from performing administrative tasks on other servers, you need to deploy a group policy to the Data OU. Group Policy enables centralized, Active Directory based configuration and change management of computers running Windows Server 2008, Windows Vista, Windows XP and Windows Server 2003. The Group Policy settings you create are contained within a Group Policy Object (GPO) and associated with (or Linked to) a Domain, Site or Organizational Unity (OU) using the Group Policy Management Console (GPMC). By using the Group Policy Management Console to link a GPO to an object in Active Directory, you apply these settings to the Users and Computers contained therein. Reference: Windows Server 2008 Springboard Series Part 02: Deploying and Managing Group Policy http://71.203.223.220/files/WS08SBSprt02_GRPOL.docx
QUESTION 2
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista. The English language version of Windows Vista is installed in the head office use and the Spanish language version of Windows Vista is installed in the branch office. Which of the following options would you choose to configure custom application settings
by using a Group Policy object (GPO) to allow administrators to view and edit the GPO in their own language and minimize the number of GPOs deployed?
A. B.
Create an ADM file and then configure the GPO and link it to the domain. Configure and link a Starter GPO to the head office site. Backup and import the Starter GPO from the main office site and link it to the branch office site. C. Install the English language and the Spanish language on all domain controllers and then configure and link a GPO to the head office site. Backup the GPO from the head office site and import and link it to the branch office site. D. Create ADMX and ADML files and then configure and link the GPO to the domain.
To configure custom application settings by using a Group Policy object (GPO) to allow administrators to view and edit the GPO in their own language and minimize the number of GPOs deployed, you need to create ADMX and ADML files and then configure the GPO and link it to the domain. ADMX files are language neutral. This basically means that the descriptions of Group Policy settings are not part of the .admx files. They are stored in .adml files. Vista automatically loads the correct .adml files. This is a very useful feature for international companies. Administrators in different countries can work with the same templates, but always get the descriptions of the Group Policy settings in their own language. ADMX files are like ADM files only templates. The Group Policy settings are still populated to the clients thru registry.pol files. Thats the reason why ADMX files and ADM files can coexist. Reference: Group Policy templates in Windows Vista: ADMX files replace ADM files http://4sysops.com/archives/group-policy-templates-in-windows-vista-admx-files-replaceadm-files/
QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers run Windows Server 2008 and all client computers run Windows Vista. All the servers have Terminal Services role enabled. Which of the following options would you choose to deploy of a new line-of-business application to all client computers while ensuring that the users must access the application from an icon on their desktops? And they should be able to access to the application even when they are not connected to the network.
A.
Publish the application as TS RemoteApp. B. Use GPO to assign the application to all client computers. C. Use GPO to assign the application to the terminal server. D. Use TS Web Access to publish the application.
Answer: B
Section: Exam F Explanation/Reference:
To ensure that the users must access the application from an icon on their desktops even when they are not connected to the network, you need to assign the application to all client computers by using a Group Policy object (GPO). As you may already know, in an Active Directory environment, group policies are the main component of network security. There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. Publishing an application doesnt actually install the application, but rather makes it available to users. Assigning an application to a user works differently than publishing an application. Again, assigning an application is a group policy action, so the assignment wont take effect until the next time that the user logs in. When the user does log in, they will see that the new application has been added to the Start menu and / or to the desktop. Although a menu option or an icon for the application exists, the software hasnt actually been installed though. To avoid overwhelming the server containing the installation package, the software is not actually installed until the user attempts to use it for the first time. Reference: Using Group Policy to Deploy Applications http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications. html Reference: Planning and Deploying Group Policy 2008 http://www.scribd.com/doc/4716059/Planning-and-Deploying-Group-Policy-2008
QUESTION 4
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008. Which of the following options would you choose to ensure that administrators on the network are allowed to install USB drives on their computers and the non-administrative users are prevented from installing USB drives on their computers?
A. B.
Configure device installation restrictions using a GPO. Implement Windows BitLocker Drive Encryption. C. Use WSRM to configure a per user resource access policy. D. Implement the UDDI Services server role.
Answer: A Section: Exam F Explanation/Reference:
To ensure that administrators on the network are allowed to install USB drives on their computers and the non-administrative users are prevented from installing USB drives on their computers, you need to use a Group Policy object (GPO) to configure device
installation restrictions. You can find the group policy settings called Preventing Installation of Removable Devices and Prevent Installation of Devices Not Described By Other Policy Settings would enable you to achieve the desired goal. These policies can be found in the group policy tree at: Computer ConfigurationAdministrative TemplatesSystemDevice InstallationDevice Installation Restrictions. Preventing Installation of Removable Devices prevent Installation of Removable Devices setting prevents users from installing removable devices. The Prevent Installation of Devices Not Described By Other Policy Settings prevents the Installation of Devices Not Described by Other Policy Settings group policy setting is kind of a catch all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting, but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies. Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install. Reference: Windows Longhorn: Using Group Policy to Control Device Management (Part 2) http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-GroupPolicy-Control-Device-Management-Part2.html
QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of
the domain is Windows Server 2008. The company consists of three departments: Sales, Finance, and Engineering. The Organizational Units (OU) called Employees, Managers, and Staff exists in the AD domain. The relevant portion of the Active Directory domain is shown in the diagram. The Staff OU contains all user accounts except for the managers user accounts. The ManagersOU contains the managers user accounts and the Sales, Finance, and Engineering global groups. You have recently created a new Group Policy object (GPO) named GPO1, and then link it to the Employees OU. After this configuration, the users from the Engineering global group report that they are unable to access the Run command on the Start menu. On troubleshooting, you discovered that the GPO1 settings are causing this problem. Which of the following options would you choose to ensure that the users from the Engineering global group are able to access the Run command on the Start menu?
A.
Under the Employees OU, create a new child OU for Engineering department and then move the Engineering global group to the new Engineering OU. B. On the Managers OU, configure Block Policy Inheritance. C. For the Engineering global group, configure Group Policy filtering on GPO1. D. Configure GPO1 to use the Enforce Policy option.
Answer: C Section: Exam F Explanation/Reference:
To ensure that the users from the Engineering global group are able to access the Run command on the Start menu, you need to configure Group Policy filtering on GPO1 for the Engineering global group. If youve been administering Group Policies for just a short period of time you have probably noticed that there is no search option for specific policy settings. Search is not referred to as search within GPME, its still called filtering like the limited functionality we had in previous versions but its much more advanced now. Youll be able to see that as soon as you select the Filter Options from the View menu. You can use filtering to access the Run command on the Start menu for specific global groups. Reference: Group Policy related changes in Windows Server 2008 Part 2: GPMC Version 2 Filtering to search http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server2008-Part2.html
QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008. The company consists of four departments: Sales, Research, Development, and
Marketing. The users of the Research department of the company contain sensitive information on their computers. Therefore the company requires that the users from the Research department have higher levels of account and password security than other users in the domain. Which of the following options would you choose to recommend a solution that meets the companys requirements in minimum hardware and software costs?
A.
Create a new Active Directory site for the research department users and deploy a Group Policy object (GPO) to the site. B. Create a new domain, add the research department user accounts to the new domain, and configure a new security policy for the new domain. C. For the research department users, create a new Password Settings Object (PSO). D. Create a new organizational unit (OU) in the domain for research department users called ResearchOU and deploy a GPO to the ResearchOU.
To recommend a solution that meets the companys requirements in minimum hardware and software costs, you need to create a new Password Settings Object (PSO) for the research departments users. Granular Password Settings or Fine-Grained Password Policy, is based on the introduction of two new object classes in the AD schema: the Password Settings Container and Password Setting objects. These objects basically provide us the option to introduce multiple password policies into a single AD domain. Create PSOs and assign them to users and/or groups hosting scenarios where multiple companies are present in a single AD domain, another more common reason is where we need stricter settings to apply to a specific group of people with privileged accounts (like domain administrators, help desk personnel etc.). Those privileged accounts can have a complexity requirement and a requirement of defining a minimum of 16 characters in their passwords and other, more limited accounts, can have more user friendly requirements although I would recommend everyone to use passwords of that strength. Reference: Configuring Granular Password Settings in Windows Server 2008, Part 2 http://www.windowsecurity.com/articles/Configuring-Granular-Password-SettingsWindows-Server-2008-Part2.html
QUESTION 7
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The domain contains three organizational units (OUs) named TestOU1, TestOU2, and TestOU3.
Which of the following options would you choose to redesign the layout of the OUs to ensure that the Group Policy objects (GPOs) that are linked to the domain from applying to computers located in the TestOU2 are prevented? You also need to minimize the number of GPOs and the number of OUs.
A.
On the TestOU2 Configure block inheritance. B. Create a WMI filter. C. Delegate permissions on the Application OU. D. Create a Starter GPO.
Typically, group policies are passed down from parent to child containers within a domain, which you can view with the Active Directory Users and Computers console. Group policy is not inherited from parent to child domains. If you assign a specific group policy setting to a high-level parent container, that setting applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a group policy setting for a child container, the child containers setting overrides the one for the parent container. The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No Override setting is enabled. You can block policy inheritance at the domain or organizational unit level. Reference: Inheriting a Meager Comprehension of Policy Inheritance http://www.informit. com/guides/content.aspx?g=windowsserver&seqNum=60
QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The company has recently appointed 5 support technicians to provide support to network users. You have been asked to provide the support technicians a GPO that contains the preconfigured settings, which they can used to create new GPOs. Which of the following options would you choose to ensure that support technicians can create Group Policy objects (GPOs) in the domain using the preconfigured GPO? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E. F. G.
Add the support technicians to the Account Operators group. Add the support technicians to the Group Policy Creator Owners group. Delegate control on the Domain Controllers organizational unit (OU). Delegate control on the Users container. Assign permissions on the Sysvol folder. Create a new Starter GPO. Create an ADMX file.
H.
Create an ADML file.
Answer: BF Section: Exam F Explanation/Reference:
To ensure that support technicians can create Group Policy objects (GPOs) in the domain using the preconfigured GPO, you need to add the support technicians to the Group Policy Creator Owners group. Create a new Starter GPO. The GPMC 2.0 provides a new (empty) container called Starter GPOs. This new container can hold templates for creating new GPOs with the limitation that only Administrative Templates settings are available from both Computer Configuration and User Configuration. Settings like Software Settings (software installation) and Windows Settings (scripts, account policies, user rights, software restriction policies, etc.) are NOT available in Starter GPOs. The users who are added to Group Policy Creator Owners group would be allowed to use the Starter GPO to make required configurations. Reference: Group Policy related changes in Windows Server 2008 Part 1: What are Starter GPOs? http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server2008-Part1.html
QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Many users of the company store all of their files in their Documents folder. Mostly the files stored are large. You plan to implement roaming user profiles for all users by using Group Policy. However, the roaming user profiles will takes them a long time to log on and log off of the computers. Which of the following options would you choose to minimizes the amount of time that roaming users take to log on and log off of the computers?
A.
Include the Background Intelligent Transfer Service (BITS) settings in the Group Policy object (GPO). B. Enable caching on the profiles share on the server that hosts the roaming user profiles. C. Install and configure the Background Intelligent Transfer Service (BITS) server extensions on any server. D. Modify the Group Policy object (GPO) to include folder redirection.
To minimize the amount of time that roaming users take to log on and log off of the computers, you need to modify the Group Policy object (GPO) to include folder redirection.
The roaming profiles and folder redirections can make your life easier. With roaming profiles though, each users files and settings follow them from PC to PC, so there is no need to move anything. Now that you know what a profile looks like, lets talk about making the profile mobile. The basic technique behind creating a roaming profile involves creating a shared folder on the server, creating the user a folder within the share, and then defining the users profile location through the group policy, which is called folder redirection. Reference: Profile and Folder Redirection In Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-RedirectionWindows-Server-2003.html
QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Which of the following options would you choose to prevent users from being able to install removable devices on client computers while ensuring that the domain administrators and desktop support technicians are allowed to install removable devices on client computers? You need to achieve the desired goal in minimum amount of administrative effort.
A.
On all domain controllers, implement Windows System Resource Manager (WSRM). B. On all client computers, deploy Connection Manager Administration Kit (CMAK). C. On all client computers, configure a Group Policy object (GPO). D. On all client computers, configure User Account Control.
To prevent users from being able to install removable devices on client computers, you need to implement a Group Policy object (GPO) for all client computers. You can find the group policy settings called Preventing Installation of Removable Devices and Prevent Installation of Devices Not Described By Other Policy Settings would enable you to achieve the desired goal. These policies can be found in the group policy tree at: Computer ConfigurationAdministrative TemplatesSystemDevice InstallationDevice Installation Restrictions. Preventing Installation of Removable Devices prevent Installation of Removable Devices setting prevents users from installing removable devices. The Prevent Installation of Devices Not Described By Other Policy Settings prevents the Installation of Devices Not Described by Other Policy Settings group policy setting is kind of a catch all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting, but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.
Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install. Reference: Windows Longhorn: Using Group Policy to Control Device Management (Part 2) http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-GroupPolicy-Control-Device-Management-Part2.html
QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The AD domain consists of a top level OU called EmployeesOU that contains three OUs called ManagesOU, StaffOU, and IntersOU to store the accounts of Managers, Staff, and Interns respectively. The relevant portion of the Active Directory domain is configured as shown in the exhibit. Currently the EmployeeOU is configured in such a way that the users in the ManagersOU receive the Group Policy object (GPO) settings that are deployed to the EmployeesOU. Which of the following options would you choose to ensure that the user accounts in the ManagersOU are unaffected by the GPOs that are deployed to the EmployeesOU?
A.
On each GPO that links to the EmployeesOU, connect a Windows Management Instrumentation (WMI) filter. B. Move the ManagersOU to the StaffOU.
C. D.
On the ManagersOU, configure Block Policy Inheritance. Enforce the GPO link on the Employees OU.
To ensure that the user accounts in the ManagersOU are unaffected by the GPOs that are deployed to the EmployeesOU, you need to configure Block Policy Inheritance on the Managers OU. Typically, group policies are passed down from parent to child containers within a domain, which you can view with the Active Directory Users and Computers console. Group policy is not inherited from parent to child domains, for example, from cco.com to sales.cco.com. If you assign a specific group policy setting to a high-level parent container, that setting applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a group policy setting for a child container, the child containers setting overrides the one for the parent container. The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No Override setting is enabled. You can block policy inheritance at the domain or organizational unit level. In WS2K3 R2, you dont use Active Directory Users and Computers for this function like you used to; you now use the Group Policy Management console. Reference: Inheriting a Meager Comprehension of Policy Inheritance http://www.informit. com/guides/content.aspx?g=windowsserver&seqNum=60
QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory Directory forest that contains a root domain and two child domains. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Which of the following options would you choose to deploy the corporate policy of the company that states that all the local administrator accounts must be renamed and all the local guest accounts must be renamed and disabled?
A.
In each domain, deploy Network Policy and Access Services (NPAS) on all domain controllers. B. Implement a Group Policy object (GPO) for each domain. C. On the root domain controllers, deploy Active Directory Rights Management Services (AD RMS). D. Implement a Group Policy object (GPO) for the root domain.
Answer: B Section: Exam F Explanation/Reference:
To deploy the corporate policy of the company that states that all the local administrator accounts must be renamed and all the local guest accounts must be renamed and disabled, you need to implement a Group Policy object (GPO) for each domain. You can change the administrator account and guest account names by using Group Policy in Windows Server 2003. This may be useful if you want to change the name of the administrator or guest user accounts to minimize the chance of misuse of these accounts. Reference: HOW TO: Rename the Administrator and Guest Account in Windows Server http://support.microsoft.com/kb/816109
QUESTION 13
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. Branch office of the company contains a Read-only Domain Controller (RODC) named contosoServer1. A global group called GLB contains the user accounts for administrators. Which of the following options would you choose to ensure that GLB group has rights on contosoServer1 only and they should not be allowed to modify Active Directory objects? Which of the following options would you choose to accomplish the desired task?
A. B.
On contosoServer1, add the GLB global group to the Administrators local group. Add the GLB global group to the Server Operators domain local group. C. Create a new OU and move the contosoServer1 computer object to a new OU and then grant Full Control permission on the new OU to the GLB group. D. On the contosoServer1 computer object in the domain Grant Full Control permission to the GLB group.
To accomplish the desired task, you need to add the GLB global group to the Administrators local group of contosoServer1. Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because its a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group. Reference: Using Default Group Accounts http://technet.microsoft.com/en-us/library/bb726982.aspx Reference: Securing the Local Administrators Group on Every Desktop http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-
Desktop.html
QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007. The corporate network run: File servers Database server Microsoft Exchange Server 2007 servers The company has many mobile users that can access the corporate network remotely by using HTTP and HTTPS connections only. Which of the following options would you choose to ensure that remote users are able to establish secure connections to the network and are able to access the database server and file servers and have access to e-mail? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E. F.
Upgrade all client computers to Windows Vista Service Pack 1. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP). Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers. Implement Outlook Anywhere for Exchange Server 2007. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP). Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).
Answer: AE Section: Exam F Explanation/Reference:
To ensure that remote users are able to establish secure connections to the network and are able to access the database server and file servers and have access to e-mail, you need to upgrade all client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP). Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can use it behind a NAT, across a firewall, through a Web proxy as long as TCP port 443 is open (which it usually is for HTTPS traffic). SSTP is more than just another SSL-based VPN that only works with Web clients. Its fully integrated into the remote access architecture of Windows, which means you can use it with Winlogon authentication or with strong authentication such as smart card or RSA SecureID; or, you can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server 2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP sessions across servers.
Reference: SSTP Makes Secure Remote Access Easier http://biztechmagazine.com/ article.asp?item_id=377

QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a DNS server that runs a Server Core installation of Windows Server 2008. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Which of the following options would you choose to allow the administrators of the company to manage DNS server from their Windows Vista client computers?
A.
Set the Remote Access Connection Manager Service to automatic on the DNS server. B. Create a custom Microsoft Management Console on the Windows Vista client computers and then add the Component Services snap-in. C. Install Remote Server Administration Tools (RSAT) on the Windows Vista client computers. D. Run Setup.exe /u from the Windows Server 2008 installation media on the Windows Vista client computers.
To allow the administrators of the company to manage DNS server from their Windows Vista client computers, you need to install Remote Server Administration Tools (RSAT) on the Windows Vista client computers. RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server environment right from their desktop. RSAT also includes an updated Group Policy Management Console (GPMC), which was previously removed in Windows Vista SP1. RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to manage computers running Windows Server 2008. Reference: Remote Server Administration Tools (RSAT) Now Available for Windows Vista SP1 http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-serveradministration-tools-rsat-now-available-for-windows-vista-sp1.aspx
QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run either Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista. All domain controllers on the network run Windows Server 2008 and a firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. The Windows Server 2003 servers have the Terminal Server component installed. You have been asked to give remote users access to the Terminal Server servers.
Which of the following options would you choose to accomplish the given task while ensuring that minimum number of ports open on the firewall server, all remote connections to the Terminal Server servers are encrypted, and access to client computers having Windows Firewall disabled are prevented? (Select two. Each selected option will present a part of the answer.)
A. B. C. D. E.
Upgrade a Windows Server 2003 server to Windows Server 2008. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal Services resource authorization policy (TS RAP). Implement the Terminal Services Gateway (TS Gateway) role and Network Access Protection (NAP). Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal Services connection authorization policy (TS CAP). Implement port forwarding and Network Access Quarantine Control on the ISA Server.
Answer: AC Section: Exam F Explanation/Reference:
To accomplish the given task, you need to upgrade a Windows Server 2003 server to Windows Server 2008. On the Windows Server 2008 server, implement the Terminal Services Gateway (TS Gateway) role, and implement Network Access Protection (NAP). You need to upgrade Windows Server 2003 server to Windows Server 2008 because NAP is a feature of Windows Server 2008. Network Access Protection helps you ensure that the computers that connect to your network meet health status requirements, reducing the risk that theyll introduce viruses or serve as the conduit for attacks and exploits. (e.g., updated and protected by a firewall, antivirus, and anti-spyware software) can be connected to a remediation server, to be brought into compliance. Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running Terminal Services RemoteApp programs, or computers with Remote Desktop enabled TSGateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections. TSGateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TSGateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.
QUESTION 17
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The corporate network of the company consists of two servers that run the Server Core installation of Windows Server 2008 as a part of a Network Load Balancing cluster. Which of the following options would you choose to allow the administrators to remotely
manage the Network Load Balancing cluster through their Windows Vista client computers? Your strategy must support automation.
A. B.
Enable Windows Remote Management (WinRM).on the client computers. Enable Windows Remote Management (WinRM) on the servers. C. Add the administrators to the remote Desktop Users group on the servers. D. Add the administrators to the remote Desktop Users group on the client computers.
To allow the administrators to remotely manage the Network Load Balancing cluster through their Windows Vista client computers, you need to enable Windows Remote Management (WinRM) on the servers. By using another computer running Windows Vista or Windows Server 2008, you can use Windows Remote Shell that uses Windows RM to run command-line tools and scripts on a server running a Server Core installation. Windows Remote Management (known as WinRM) is a handy new remote management service for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM is the server component of this remote management application and WinRS (Windows Remote Shell) is the client for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server. Reference: Server Core Installation Option of Windows Server 2008 Step-By-Step Guide http://technet.microsoft.com/en-us/library/cc753802.aspx#bkmk_managingservercore Reference: How can Windows Server 2008 WinRM & WinRS help you? http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008WinRM-WinRS.html
QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007. The corporate network run two file servers, one database server on TCP port 47182, and Microsoft Exchange Server 2007 servers. The company has many mobile users and you have been asked to provide them the remote access to the corporate network. You have been told that the remote users work from locations that only support access to the Internet by using HTTP and HTTPS. Which of the following options would you choose to ensure that remote users are able to establish secure connections to the network and are able to access the database and file servers and e-mail ? (Select two. Each selected option will present a part of the answer.)
A.
Upgrade all client computers to Windows Vista Service Pack 1.
B.
Implement Outlook Anywhere for Exchange Server 2007. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers. D. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP). E. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP). F. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).
C. Answer: AF Section: Exam F Explanation/Reference:
To ensure that remote users are able to establish secure connections to the network and are able to access the database server and file servers and have access to e-mail, you need to upgrade all client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP). Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can use it behind a NAT, across a firewall, through a Web proxy as long as TCP port 443 is open (which it usually is for HTTPS traffic). SSTP is more than just another SSL-based VPN that only works with Web clients. Its fully integrated into the remote access architecture of Windows, which means you can use it with Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server 2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP sessions across servers. Reference: SSTP Makes Secure Remote Access Easier http://biztechmagazine.com/article.asp?item_id=377
QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest, which contains three domains named contoso.com, region1.contoso.com, and region2.contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the three domains is Windows Server The company contains a helpdesk team, which is a part of the Account Operators group in the contoso.com domain. The members of helpdesk team frequently join and leave the helpdesk team. The helpdesk employees have all the permissions to modify the properties of user objects in contoso.com. Which of the following options would you choose to minimize the administrative effort required to manage the frequent changes to the helpdesk staff and enable the helpdesk employees to manage the user objects in all the three domains. (Select two. Each selected option will present a part of the answer.)
A.
Add the respective helpdesk user accounts to the Account Operators group in both region1.contoso.com and region2.contoso.com. B. Create a new global group for helpdesk users in contoso.com. Add the helpdesk user accounts to the global group and to the Account Operators group in all three domains. C. Assign Full Control permissions to the Account Operators group in contoso.com for user accounts in all three domains. D. Create a new global group in contoso.com for helpdesk users in contoso.com. Add the helpdesk user accounts to the global group and then add the global group to the Accounts Operators group that is on every member server in all three domains.
To minimize the administrative effort required to manage the frequent changes to the helpdesk staff and enable the helpdesk employees to manage the user objects in all the three domains, you need to: Create a new global group in contoso.com named Helpdeskgroup. Add the helpdesk user accounts to Helpdesk-group. Add Helpdesk-group to the Account Operators group that is in all three domains. Helpdesk-group global group will help the helpdesk users to administer the domain tree or forest. Next when you add the Helpdesk-group to the Account Operators group that is in all three domains, you would limit the privileges of this group. Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators cant manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also cant modify user rights.
QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company contains two Windows Server 2008 computers and two identical print devices. Which of the following options would you choose to manage the print queue from a central location and balance the load of print jobs on both the printers?
A. B.
Install and share a printer on one of the servers and enable printer pooling. Add both the servers to a Network Load Balancing cluster and install a printer on each node of the cluster. C. Install and share a printer on each server and then install the printers on the client computers using Print Manager. D. Install the Terminal Services server role on both servers and configure Terminal Services Session Broker (TS Session Broker).
To plan a print services infrastructure that would allow you to manage the print queue
from a central location and balance the load of print jobs on both the printers, you need to install and share a printer on contosoServer1 and enable printer pooling. Printer pooling allows you to print to several printers at once. If you have a large print job you can submit it to the pool and the operating system will balance the load among the printers. This feature allows network administrators to configure and manage several printers as one, a process that can simplify printer administration. In addition, printer pooling provides some load-balancing. Thats because Windows 2000 Server directs print jobs to the connected printers based on jobs pending at each printer. A printer pool contains multiple printers, all configured as a single printer instance. Reference: Configure printer pooling to simplify printer management in Windows 2000 http://articles.techrepublic.com.com/5100-10878_11-5727870.html
QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest called contoso.com. The forest contains two domains. You want to configure another child domain called Branch3. contoso.com with two domain controllers having the DNS server role installed. You want to put all the users and computers in the new branch office in the Branch3. contoso.com domain.Which of the following options would you choose to implement a DNS infrastructure for the child domain to ensure resources in the root domain and child domains are accessible by fully qualified domain names? You solution must also provide name resolution services in the event that a single server fails for a prolonged period of time and automatically recognize when new DNS servers are added to or removed from the contoso.com domain.
A.
Add conditional forwarders for contoso.com on both the domain controllers of branch3.contoso.com domain. Next create a standard primary zone for branch. contoso.com. B. On one of the domain controllers of branch3.contoso.com domain, create a standard primary zone for contoso.com. On the other domain controller, create a standard secondary zone for contoso.com. C. On both the domain controllers of branch3.contoso.com domain, modify the root hints to include the domain controllers for contoso.com. On one of domain controllers, create an Active Directory integrated zone for branch.contoso.com. D. On one of the domain controllers of branch3.contoso.com domain, create an Active Directory Integrated zone for branch3.contoso.com and create an Active Directory Integrated stub zone for contoso.com.
To implement a DNS infrastructure for the child domain to ensure resources in the root domain and child domains are accessible by fully qualified domain names, you need to create an Active Directory Integrated zone for branch3.contoso.com on one of the domain controllers of branch3.contoso.com domain.
Active Directory Integrated zones, store their zone information within Active Directory instead of text files. The advantages of this new type of zone included using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database.This would ensure that the name resolution service will automatically recognize when new DNS servers are added to or removed from the contoso.com domain. You also need to create an Active Directory Integrated stub zone for contoso.com to ensure the name resolution services in the event that a single server fails for a prolonged period of time. It contains copies of all the resource records in the corresponding zone on the master name server. A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). Stub zones can be used instead of secondary zones to reduce the amount of zone transfer traffic over the WAN link connecting the two companies. When Active Directory-integrated stub zones are hosted in separate sites, you can update them using a local list of master servers in each site. Reference: DNS Stub Zones in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html Reference: Host Name Resolution Overview http://www.tech-faq.com/planning-and-implementing-a-dns-namespace.shtml

Microsoft - Testking.70 646.v2012!04!09.by - Vcp5guy.129q

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Microsoft - Testking.70 646.v2012!04!09.by - Vcp5guy.129q

Uploaded by

Copyright:

Available Formats

70-646 - Windows Server 2008, Server Administrator

Answer: ADF Section: Exam A Explanation/Reference:

Answer: AF Section: Exam A Explanation/Reference:

Answer: AE Section: Exam A Explanation/Reference:

Answer: AF Section: Exam A Explanation/Reference:

Answer: BD Section: Exam A

Answer: B Section: Exam A Explanation/Reference:

Answer: AD Section: Exam B Explanation/Reference:

Answer: AB Section: Exam B Explanation/Reference:

Answer: C Section: Exam B Explanation/Reference:

Answer: BD Section: Exam B

Answer: CE Section: Exam B Explanation/Reference:

Answer: D Section: Exam B Explanation/Reference:

Answer: FG Section: Exam B Explanation/Reference:

Answer: DE Section: Exam C Explanation/Reference:

Answer: BE Section: Exam C Explanation/Reference:

Answer: AC Section: Exam C Explanation/Reference:

Answer: DH Section: Exam C Explanation/Reference:

Answer: BC Section: Exam C Explanation/Reference:

Answer: DE Section: Exam C Explanation/Reference:

Answer: AE Section: Exam C Explanation/Reference:

Answer: E Section: Exam C Explanation/Reference:

Answer: BE Section: Exam C Explanation/Reference:

Answer: ACF Section: Exam C Explanation/Reference:

Answer: AD Section: Exam D Explanation/Reference:

Answer: AF Section: Exam D Explanation/Reference:

Answer: A Section: Exam D Explanation/Reference:

Section: Exam D Explanation/Reference:

Volume Shadow Copies Folder redirection G. Windows Complete PC Restore

Answer: DF Section: Exam E Explanation/Reference:

Answer: BD Section: Exam E Explanation/Reference:

Answer: AE Section: Exam E Explanation/Reference:

Reference: Self Tuning Thresholds love and hate http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-loveand-hate.aspx

Answer: BF Section: Exam E Explanation/Reference:

Answer: AD Section: Exam E Explanation/Reference:

Answer: BF Section: Exam E Explanation/Reference:

Answer: CG Section: Exam E Explanation/Reference:

For each office site, create a standard primary zone.

Section: Exam F Explanation/Reference:

Create an ADML file.

Answer: BF Section: Exam F Explanation/Reference:

Answer: C Section: Exam F Explanation/Reference:

Answer: AE Section: Exam F Explanation/Reference:

Reference: SSTP Makes Secure Remote Access Easier http://biztechmagazine.com/ article.asp?item_id=377

Answer: AC Section: Exam F Explanation/Reference:

Upgrade all client computers to Windows Vista Service Pack 1.

You might also like