70-646 Pro: Windows Server 2008, Server Administrator

Microsoft 70-646 70-646 Pro: Windows Server 2008, Server Administrator Practice Test Updated: Jan 19, 2010 Version

    QUESTION NO: 1

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of 200 Windows Server 2008 servers. The company has recently decided to open a new

    branch office and moved 75 Windows Server 2008 servers from the existing office to the new

    network segment.

    Which of the following options would you choose to change the TCP/IP addresses on the 75

    servers that have been moved to the new branch office by using the minimum amount of

    administrative effort?

    A. Use ServerManagerCMD tool and run it on the administrator's client computer.

    B. Use the Netsh tool and run it on the administrator's client computer.

    C. Use Remote Desktop to connect to each server to make the changes.

    D. Visit each server to make the changes.

    E. None of the above

    Answer: B

    Explanation:

    To change the TCP/IP addresses on the 75 servers that have been moved to the new branch

    office by using the minimum amount of administrative effort, you need to run the Netsh tool from

    an administrator's client computer.

    You can use NETSH to make dynamic IP address changes from a static IP address to DHCP

    simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP

    Address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you're working

    on networks without DHCP and have a mobile computer that connects to multiple networks, some

    of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows

    Automatic Public IP Addressing.

    Reference: 10 things you should know about the NETSH tool

    / #4: Using NETSH to dynamically change TCP/IP addresses

    http://www.builderau.com.au/program/windows/soa/10-things-you-should-know-about-the-NETSH-tool/0,339024644,339272916,00.htm

    Reference: 10 Windows Server 2008 Netsh commands you should know

    http://www.windowsnetworking.com/articles_tutorials/10-Windows-Server-2008-Netsh-commands.html

    Microsoft 70-646: Practice Exam

    "Pass Any Exam. Any Time." - www.actualtests.com 2

    QUESTION NO: 2

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    runs 28 Windows Server 2008 servers and two Windows Server 2003 servers. One of the

    Windows Server 2003 servers called CertKillerServer1 hosts an application called App1 and

    another Windows Server 2003 server called CertKillerServer2 hosts the application called App2.

    The App1 application uses the 32-bit installation of Windows Server 2003 and the App2 application

    uses the 64-bit installation of Windows Server 2003. You need to run both the applications on

    Windows Server 2008 server.

    Which of the following options would you choose for replacing the servers that host App1 and

    App2 in the minimum cost amount? (Select three. Each correct answer will present a part of the

    solution.)

    A. Install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition.

    B. Install two new servers that run 64-bit versions of Windows Server 2008 Enterprise Edition.

    C. Install two new servers. On one of the servers install the 32-bit version of Windows Server 2008

    Enterprise Edition and install the 64-bit version of Windows Server 2008 Enterprise Edition on the

    other server.

    D. Install the Hyper-V feature on the server(s).

    E. Install Windows System Resource Manager (WSRM) on the server(s).

    F. Install App1 and App2 in separate child virtual machines

    G. Install App1 on the 32-bit server. Install App2 on the 64-bit server.

    Answer: A,D,F

    Explanation:

    For replacing the servers that host App1 and App2 in the minimum cost amount, you need to

    install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. Install

    the Hyper-V feature on the new server. Install App1 and App2 in separate child virtual machines.

    Hyper-V consists of a 64-bit hypervisor that can run 32-bit and 64-bit virtual machines

    concurrently. Therefore you need to install just one Windows Server 2008 to run these two

    applications. You can then install the Hyper-V feature that would allow you to create virtual machines

    and run both the applications as desired. Hyper-V virtualization works with single and multi-

    processor virtual machines and includes tools such as snapshots, which capture the state of a

    running virtual machine.

    Reference : Microsoft Hyper-V Guide

    http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1318785,00.html

    QUESTION NO: 3

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    runs two Windows Server 2008 servers.

    You have been asked to configure the Windows Server 2008 servers in such a way that they

    support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if

    a single server fails. (Select two. Each correct answer will present a part of the solution.)

    Which of the following options would you choose to accomplish this task?

    A. Install a full installation of Windows Server 2008 Standard Edition on the servers.

    B. Install a full installation of Windows Server 2008 Enterprise Edition on the servers.

    C. Install a Server Core installation of Windows Server 2008 Enterprise Edition on the servers.

    D. Configure Network Load Balancing on the servers.

    E. Configure failover clusters on the servers.

    Answer: B,E

    Explanation:

    To configure the Windows Server 2008 servers in such a way that they support the installation of

    Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails, you

    need to install a full installation of Windows Server 2008 Enterprise Edition on the servers.

    Configure failover clusters on the servers.

    Failover clustering is a process in which the operating system and SQL Server 2008 work together

    to provide availability in the event of an application failure, hardware failure, or operating-system

    error. Failover clustering provides hardware redundancy through a configuration in which mission-

    critical resources are transferred from a failing machine to an equally configured server

    automatically.

    Reference : SQL Server 2008 Pricing and Licensing/ PASSIVE SERVERS / FAILOVER

    SUPPORT

    http://download.microsoft.com/download/1/e/6/1e68f92c-f334-4517-b610-e4dee946ef91/2008%20SQL%20Licensing%20Overview%20final.docx

    QUESTION NO: 4

    You are an Enterprise administrator for CertKiller.com. The company has a head office and five

    branch offices. The corporate network of the company consists of a single Active Directory

    domain.

    Each office contains a Windows 2000 Server domain controller and Windows Server 2008 member

    servers. The physical security of the member servers was not reliable and servers could be

    attacked.

    Therefore, you decided to implement Windows BitLocker Drive Encryption (BitLocker) on the

    member servers.

    Which of the following options would you choose to ensure that you can access the BitLocker

    volume even if the BitLocker keys are corrupted on the member servers and store the recovery

    information at a central location? (Select two. Each correct answer will present a part of the

    solution.)

    A. Upgrade all domain controllers to Windows Server 2008.

    B. Upgrade the domain controller that has the schema master role to Windows Server 2008.

    C. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to

    Windows Server 2008.

    D. Use Group Policy to configure Public Key Policies.

    E. Use Group Policy to enable a Data Recovery Agent (DRA).

    F. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.

    Answer: A,F

    Explanation:

    To ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on

    the member servers and store the recovery information at a central location, you need to upgrade

    all domain controllers to Windows Server 2008. Use Group Policy to enable Trusted Platform

    Module (TPM) backups to Active Directory.

    By default, no recovery information is backed up. Administrators can configure Group Policy

    settings to enable backup of BitLocker or TPM recovery information.

    All user interfaces and programming interfaces within BitLocker and TPM Management features

    will adhere to your configured Group Policy settings. When these settings are enabled, recovery

    information (such as recovery passwords) will be automatically backed up to Active Directory

    whenever this information is created and changed.

    Reference : BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM

    Recovery Information to Active Directory

    http://technet.microsoft.com/en-us/library/cc766015.aspx

    QUESTION NO: 5

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain that contains 100 Windows Server 2003 physical

    servers having 64-bit hardware.

    The company has given you the responsibility to consolidate the 100 physical servers into 30

    Windows Server 2008 physical servers and send the remaining physical servers to the new

    branch office that plans to open shortly.

    Which of the following options would you choose to achieve the desired goal while ensuring the

    maximum resource utilization by using existing hardware and software? You also need to ensure

    that your solution would support 64-bit child virtual machines and maintain separate services

    among the servers.

    A. Install the Hyper-V feature on the existing hardware. Then convert the physical machines into

    virtual machines.

    B. Install the Microsoft Virtual PC. Then convert the physical machines into virtual machines.

    C. Create the necessary host (A) records after consolidating services across the physical

    machines.

    D. Install Microsoft Virtual Server 2005 R2 on the existing hardware after installing Windows

    Server 2008 on them. Then convert the physical machines into virtual machines.

    E. None of the above

    Answer: A

    Explanation:

    To ensure the maximum resource utilization by using existing hardware and software and to

    ensure the support for 64-bit child virtual machines while maintaining separate services among the

    servers, you need to install the Hyper-V feature to convert the physical machines into virtual

    machines.

    The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides

    administrators through the process of creating a virtual version of a physical server, including

    creating images of physical hard disks, preparing the images for use in a VM, and creating the

    final VM. The wizard can create virtual servers from physical servers and can run on Windows

    Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled)

    besides many other Operating systems.

    Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features

    http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm

    Section 2, Plan for automated server deployment (9 Questions)

    QUESTION NO: 6

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain that contains a Windows Server 2008 server called

    CertKillerServer1. The server runs the DHCP service on it for the network.

    Your company has decided to add a few Windows Vista computers and Windows Server 2008

    servers on the network.

    You have been asked to prepare the network for the automated deployment of the above given

    operating systems with the use of a Pre-boot Execution Environment (PXE) network adapter.

    Which of the following options would you choose to accomplish this task?

    A. Install Windows Automated Installation Kit (WAIK) on a new server.

    B. Configure the Windows Deployment Services (WDS) server role on a new server.

    C. Install Windows Automated Installation Kit (WAIK) on CertKillerServer1.

    D. Configure the Windows Deployment Services (WDS) server role on CertKillerServer1.

    E. None of the above

    Answer: D

    Explanation:

    To prepare the network for the automated deployment of the above given operating systems with

    the use of a Pre-boot Execution Environment (PXE) network adapter, you need to configure the

    Windows Deployment Services (WDS) server role on CertKillerServer1.

    Windows Deployment Services enables you to deploy Windows operating systems, particularly

    Windows Vista and Windows Server 2008. You can use it to set up new computers by using a

    network-based installation. This means that you do not have to install each operating system

    directly from a CD or DVD. It is an extensible and higher-performing PXE server component.

    You must have a functioning DHCP server with an active scope. To utilize PXE, WDS requires a

    DHCP server. Therefore you need to configure WDS on CertKillerServer1.

    Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /

    What is Windows Deployment Services?

    http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

    Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment

    Services (WDS) and DHCP

    http://technet.microsoft.com/en-us/library/bb680753.aspx

    QUESTION NO: 7

    You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

    a branch office. The corporate network of the company consists of a single Active Directory

    domain.

    Because the branch office was comparatively less secure, you decided to deploy a Read-only

    Domain Controller (RODC) in the branch office so that branch office support technicians cannot

    manage domain user accounts on the RODC. However, they should be able to maintain drivers

    and disks on the RODC.

    Which of the following options would you choose to manage the RODC to meet the desired goal?

    A. Configure Administrator Role Separation on the RODC.

    B. For the branch office support technicians, set NTFS permissions on the Active Directory

    database to Read & Execute.

    C. Configure the RODC to replicate the password for the branch office support technicians.

    D. For the branch office support technicians, set NTFS permissions on the Active Directory

    database to Deny Full Control.

    E. None of the above

    Answer: A

    Explanation:

    To ensure that branch office support technicians would not manage domain user accounts on the

    RODC and should be able to maintain drivers and disks on the RODC, you need to configure the

    RODC for Administrator Role Separation.

    Administrator Role Separation specifies that any domain user or security group can be delegated

    to be the local administrator of an RODC without granting that user or group any rights for the

    domain or other domain controllers. Accordingly, a delegated administrator can log on to an

    RODC to perform maintenance work on the server such as upgrading a driver. But the delegated

    administrator would not be able to log on to any other domain controller or perform any other

    administrative task in the domain.

    Reference : RODC Features/ Administrator role separation

    http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation

    QUESTION NO: 8

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain that contain.

    The company currently consists of a main office that has an Internet connection configured. The

    company plans to open a new branch office in near future and plans to connect the branch office

    to the main office by using a WAN link having a limited bandwidth.

    The branch office will not have access to the Internet and will contain 30 Windows Server 2008

    servers. The installations of these servers must be automated and must be automatically

    activated. Besides, the network traffic between the offices must be minimized.

    Which of the following options would you include in your plan for the deployment of the servers in

    the branch office?

    A. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office,

    implement a DHCP server and Windows Deployment Services (WDS).

    B. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows

    Deployment Services (WDS).

    C. In the main office, implement Windows Deployment Services (WDS). In the branch office,

    implement a DHCP server and implement the Key Management Service (KMS).

    D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office,

    implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).

    E. None of the above

    Answer: B

    Explanation:

    For the deployment of the servers in the branch office with the given requirements, you need to

    implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services

    (WDS) in the branch office.

    The KMS key is used to activate computers against a service that you can host in your

    environment, so you don't have to connect to Microsoft servers. To activate computers by using

    KMS, you must have a minimum number of physical computers. The KMS key is installed on the

    host computer only.

    To activate the KMS host, you must have at least 25 computers running Windows Vista or

    Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5

    computers.

    You need Windows Deployment Services (WDS) because it enables you to automate the

    deployment of Windows operating systems. You can use it to set up new computers by using a

    network-based installation. This means that you do not have to install each operating system

    directly from a CD or DVD.

    You must have a functioning DHCP server with an active scope so that WDS will utilize PXE.

    Reference : Microsoft Product Activation

    http://www.microsoft.com/licensing/resources/vol/default.mspx

    Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /

    What is Windows Deployment Services?

    http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

    Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment

    Services (WDS) and DHCP

    http://technet.microsoft.com/en-us/library/bb680753.aspx

    QUESTION NO: 9

    You are an Enterprise administrator for CertKiller.com. The company has a head office and 250

    branch offices. The corporate network of the company consists of a single Active Directory

    domain.

    All the domain controllers on the corporate network run Windows Server 2008. You have been

    asked to deploy Read-only Domain Controllers (RODCs) in each designated branch office

    because the physical security at branch office locations cannot be guaranteed.

    While deploying the RODCs, you need to ensure that the RODC installation source files do not

    contain cached secrets and the bandwidth used during the initial synchronization of Active

    Directory Domain Services (AD DS) is minimized.

    Which of the following options would you choose to accomplish the given task?

    A. Backup of the critical volumes of an existing domain controller by using Windows Server

    Backup. Now build the new RODCs using the backup.

    B. Using one of the domain controllers on the network, create a DFS Namespace that contains the

    Active Directory database and then build the new RODCs by using an answer file.

    C. Create RODC installation media using ntdsutil ifm and then build the RODCs from the RODC

    installation media.

    D. Perform a full backup of an existing domain controller using Windows Server Backup and then

    use the backup to build the new RODCs.

    E. None of the above

    Answer: C

    Explanation:

    The new ntdsutil ifm subcommand can be used to create installation media. It can be used to

    remove secrets, such as passwords, from the AD DS database, so that you can install a read-only

    domain controller (RODC) without them. When you remove these secrets, the RODC installation

    media is more secure if it must be transported to a branch office for an RODC installation.

    Ntbackup.exe cannot remove cached secrets from the installation media.

    Reference : Steps for Deploying an RODC/ Optional: Install RODC from media

    http://technet.microsoft.com/en-us/library/cc754629.aspx

    QUESTION NO: 10

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. You have been asked to deploy file servers that run

    Windows Server 2008 and ensure that the file servers support volumes larger than 2 terabytes.

    You also need to ensure that if a single server fails, access to all data is maintained and if a single

    disk fails, the data redundancy is maintained. You also need to maximize the disk throughput.

    Which of the following options would you choose to accomplish the assigned task? (Select 2. Each

    correct answer will present a part of the solution)

    A. Deploy a Windows Server 2008 server and connect an external storage subsystem to it that

    supports Microsoft Multipath I/O.

    B. Deploy a two-node failover cluster. Connect an external storage subsystem.

    C. Configure the external storage subsystem as a RAID 1 array and format the array as an MBR

    disk.

    D. Configure the external storage subsystem as a RAID 10 array and format the array as a GPT

    disk.

    Answer: B,D

    Explanation:

    To ensure that if a single server fails, access to all data is maintained and if a single disk fails, the

    data redundancy is maintained, you need to deploy a two-node failover cluster. Connect an

    external storage subsystem. Configure the external storage subsystem as a RAID 10 array.

    Format the array as a GPT disk.

    Combining the different RAID levels gives us the option of RAID10. RAID10 is equivalent

    to RAID1 + 0. So, you can have a few disks (at least 4 and always even numbers) and mirror the

    drives two at a time. This gives the redundancy. Then you take those mirrors and combine them

    into a RAID 0 stripe. This allows redundancy, faster read operations, and fast writes (avoiding a

    parity calculation).

    RAID1 is a mirror which is faster than a single disk, but not as fast for read operations as 3+ disks

    (RAID1 is just 2 disks). RAID5 is a stripe with parity which is faster on read operations than RAID1

    but not ideal for write operations because it is required to calculate a parity block of data.

    Reference : Brad Kingsley's Blog

    http://blogs.orcsweb.com/brad/archive/2007/08/06/raid10.aspx

    QUESTION NO: 11

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. You have planned to install 10 new Windows Server

    2008 servers on the network.

    You want to automate the installation of the servers and activate the servers automatically. Which

    of the following options would you choose to accomplish the desired goal?

    A. Implement Multiple Activation Key (MAK) Independent Activation and Deployment Services

    (WDS).

    B. Implement Key Management Service (KMS) and Windows Deployment Services (WDS).

    C. Use Multiple Activation Key (MAK) Independent Activation.

    D. Implement a DHCP server and the Key Management Service (KMS).

    E. None of the above

    Answer: B

    Explanation:

    For the deployment of the servers in the branch office with the given requirements, you need to

    implement Key Management Service (KMS), and Windows Deployment Services (WDS).

    The KMS key is used to activate computers against a service that you can host in your

    environment, so you don't have to connect to Microsoft servers. To activate computers by using

    KMS, you must have a minimum number of physical computers. The KMS key is installed on the

    host computer only.

    To activate the KMS host, you must have at least 25 computers running Windows Vista or

    Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5

    computers.

    You need Windows Deployment Services (WDS) because it enables you to automate the

    deployment of Windows operating systems. You can use it to set up new computers by using a

    network-based installation. This means that you do not have to install each operating system

    directly from a CD or DVD.

    Reference : Microsoft Product Activation

    http://www.microsoft.com/licensing/resources/vol/default.mspx

    Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /

    What is Windows Deployment Services?

    http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

    QUESTION NO: 12

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain.

    Which of the following options would you choose to consolidate the 50 physical Windows Server

    2003 servers into 10 physical Windows Server 2008 servers?

    While consolidating, you need to ensure that the existing hardware and software should be used

    and 64-bit child virtual machines can be created. Which of the following options would you choose

    to accomplish the desired task?

    A. Install Microsoft Virtual PC.

    B. Install the Hyper-V feature.

    C. Consolidate services across the physical machines and create the necessary host (A) records.

    D. Install Microsoft Virtual Server 2005 R2.

    E. None of the above

    Answer: B

    Explanation:

    To ensure that existing hardware and software is used and to ensure the support for 64-bit child

    virtual machines, you need to install the Hyper-V feature to convert the physical machines into

    virtual machines.

    The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides

    administrators through the process of creating a virtual version of a physical server, including

    creating images of physical hard disks, preparing the images for use in a VM, and creating the

    final VM. The wizard can create virtual servers from physical servers and can run on Windows

    Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled)

    besides many other Operating systems.

    Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features

    http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm

    QUESTION NO: 13

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. The company has decided to open 2 new branch

    offices and deploy 1,000 new Windows Vista Enterprise Edition computers.

    The Windows Vista installations need to be done using Pre-boot Execution Environment (PXE)

    network adapters that those 1000 computers already have.

    Which of the following options would you choose to ensure that 50 simultaneous installations of

    Windows Vista can be done in minimum amount of time and the impact of network operations

    during the deployment of the new computers is minimized?

    A. Install Windows Deployment Services (WDS) server role and configure all the routers with IP

    Helper tables.

    B. Install Windows Deployment Services (WDS) server role and configure each WDS server by

    using legacy mode.

    C. Install both Windows Deployment Services (WDS) server role and Transport Server role

    services and then configure the Transport Server with a static multicast address range.

    D. Install both Windows Deployment Services (WDS) server role and Transport Server role

    services and then configure the Transport Server to use a custom network profile.

    E. None of the above

    Answer: C

    Explanation:

    To ensure that 50 simultaneous installations of Windows Vista in minimum amount of time in a

    Pre-boot Execution Environment, you need to deploy the Windows Deployment Services (WDS)

    server role and the Transport Server feature. You can install both the Deployment Server and

    Transport Server role services (which is the default installation) or only Transport Server role

    services.

    The Windows Deployment Services (WDS) enables you to automate the deployment of Windows

    operating systems. You can use it to set up new computers by using a network-based installation.

    This means that you do not have to install each operating system directly from a CD or DVD.

    You can configure Transport Server to enable you to boot from the network using Pre-Boot

    Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or

    both.

    The Transport Server role service provides a subset of the functionality of Windows Deployment

    Services. It contains only the core networking parts. You can use Transport Server to create

    multicast namespaces that transmit data (including operating system images) from a stand-alone

    server. The stand-alone server does not need Active Directory, DHCP, or DNS. You can

    If multiple servers are using multicast functionality on a network (Transport Server, Deployment

    Server, or another solution), it is important that each server is configured so that the multicast IP

    addresses do not collide. Otherwise, you may encounter excessive traffic when you enable

    multicasting. Note that each Windows Deployment Services server will have the same default

    range. To work around this issue, specify static ranges that do not overlap to ensure that each

    server is using a unique IP address.

    Reference: Transport Server

    http://technet.microsoft.com/en-us/library/cc771645.aspx

    QUESTION NO: 14

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain that runs a 64-bit version of Windows Server 2008

    server. The server has DHCP server role installed on it. The corporate network only uses IPv4.

    The company has decided to deploy 50 new Windows Server 2008 servers. The installations need

    to be done using Pre-boot Execution Environment (PXE) network adapters that are already

    supported by the new computers. Besides, some of the new computers contain 64-bit hardware

    and some of the servers contain 32-bit hardware.

    Which of the following options would you choose to ensure the automated deployment of the new

    servers at minimum hardware cost?

    A. Deploy Windows Deployment Services (WDS) on two Windows Server 2008 servers. One for

    the 64-bit server and the other for 32-bit server

    B. Deploy Remote Installation Services (RIS) on two Windows Server 2003 servers having Service

    Pack 2 installed. One for the 64-bit server and the other for 32-bit server

    C. Deploy Windows Deployment Services (WDS) on the DHCP server

    D. Deploy Remote Installation Services (RIS) on a 64-bit Windows Server 2003 server.

    E. None of the above

    Answer: C

    Explanation:

    To ensure the automated deployment of the new servers at minimum hardware cost in the given

    scenario, you need to deploy Windows Deployment Services (WDS) on the DHCP server.

    You must have a working DHCP server with an active scope on the network because Windows

    Deployment Services uses PXE, which relies on DHCP for IP addressing.

    Reference: Installing Windows Deployment Services

    http://technet.microsoft.com/en-us/library/cc771670.aspx

    Section 3, Plan infrastructure services server roles (10 Questions)

    QUESTION NO: 15

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory forest having 20 domains configured under it.

    All the domain controllers on the network run Windows Server 2008 and have the DNS role

    installed on them. Your company has decided to replace a legacy Windows Internet Name Service

    (WINS) environment with a DNS-only environment for the name resolution.

    Which of the following options would you choose to support IPv4 and IPv6 environments, allow

    single-label name resolution across all domains, and minimize the amount of NetBT traffic on the

    network while replacing a legacy Windows Internet Name Service (WINS) environment?

    A. Configure all the DNS zones to perform a WINS forward lookup.

    B. Configure all the DNS zones to replicate as part of a custom Active Directory replication

    partition.

    C. Configure a GlobalNames zone on each domain controller.

    D. Configure all the DNS zones to replicate to each DNS server in the forest.

    E. None of the above

    Answer: C

    Explanation:

    To support IPv4 and IPv6 environments, allow single-label name resolution across all domains,

    and minimize the amount of NetBT traffic on the network while replacing a legacy Windows

    Internet Name Service (WINS) environment with a DNS-only environment, you need to configure a

    GlobalNames zone on each domain controller.

    The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has

    been introduced to assist organizations to move away from WINS and allow organizations to move

    to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for

    peer-to-peer name resolution.

    The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most

    commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified

    Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides

    NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all

    name resolution will rely on DNS. It supports a dual IPv4 and IPv6 environment and uses only DNS

    for name resolution.

    Reference: Understanding the New GlobalNames Zone Functionality in Windows Server 2008

    http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-windows-server-2008/

    Reference: DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works

    http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc

    QUESTION NO: 16

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All servers on the corporate network run Windows

    Server 2008 and all client computers run Windows Vista. The company has an enterprise

    certification authority (CA).

    You have been asked to install certificates automatically on each client computer and deploy the

    certificates to all users by using a new certificate template with the minimum amount of effort. You

    need to ensure that users have access to the new certificates when they log on to any client

    computer in the domain.

    Which of the following options would you choose to accomplish the given task? (Select two. Each

    correct answer will form a part of the solution)

    A. Configure autoenrollment of certificates.

    B. Deploy an enterprise subordinate CA

    C. Configure roaming user profiles.

    D. Configure folder redirection.

    E. Configure Credential Roaming.

    Answer: A,E

    Explanation:

    To ensure that users have access to the new certificates when they log on to any client computer

    in the domain while meeting other requirements, you need to configure autoenrollment of

    certificates and Credential Roaming.

    The autoenrollment process grants certificates based on certificate templates that are supplied

    with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require

    autoenrollment.

    With the credential roaming functionality, managed environments can now store X.509 certificates,

    certificate requests, and private keys specific to a user in Active Directory, independently from the

    profile.

    The credential roaming implementation in Windows Vista and Windows Server "Longhorn" is

    additionally able to roam stored user names and passwords. This would ensure that users have

    access to the new certificates when they log on to any client computer in the domain.

    With credential roaming, once a domain user chooses in a Windows authentication dialog box to

    cache or 'remember' the current credentials, the user will have the same experience on any

    domain-joined computer that the user logs on to.

    Reference: How can I enable digital certificate autoenrollment in Windows Server 2003?

    http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificate-autoenrollment-in-windows-server-2003.html

    Reference: About Credential Roaming

    http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx

    QUESTION NO: 17

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All domain controllers on the corporate network run

    Windows Server 2008 and all client computers run either Windows Vista or Windows XP Service

    Pack 1.

    The corporate network contains 100 servers and 5,000 client computers. Which of the following

    options would you choose to implement a VPN solution that allows you to store VPN passwords

    as encrypted text and provide support for Suite B cryptographic algorithms?

    Besides, it should support client computers that are configured as members of a workgroup and

    allow automatic enrollment of certificates. (Select three. Each correct answer will form a part of the

    answer.)

    A. Upgrade the client computers to Windows Vista.

    B. Upgrade the client computers to Windows XP Service Pack 2.

    C. Implement an enterprise certification authority (CA) that is based on Windows Server 2008.

    D. Implement a stand-alone certification authority (CA).

    E. Implement an IPsec VPN that uses pre-shared keys.

    F. Implement an IPsec VPN that uses certificate-based authentication.

    Answer: A,C,F

    Explanation:

    To implement a VPN solution that allows you to store VPN passwords as encrypted text and

    provide support for Suite B cryptographic algorithms, you need to upgrade the client computers to

    Windows Vista and implement an enterprise certification authority (CA) that is based on Windows

    Server 2008.

    Support for Suite B cryptographic algorithms was added in Windows Vista Service Pack 1 (SP1) and in

    Windows Server 2008. Suite B is a set of standards that are specified by the National Security

    Agency (NSA). Suite B includes encryption algorithms.

    To support client computers that are configured as members of a workgroup and allow automatic

    enrollment of certificates, you need to implement an IPsec VPN that uses certificate-based

    authentication.

    IPsec deployments can take advantage of certificate-based authentication via

    industry-standard X.509 digital certificates. ADCS in Windows Server 2008 provides customizable

    services for creating and managing the X.509 certificates that are used in software security

    systems that employ public key technologies. Organizations can use ADCS to enhance security by

    binding the identity of a person, device, or service to a corresponding public key. ADCS also

    includes features that allow you to manage certificate enrollment and revocation in a variety of

    scalable environments.

    Reference: Description of the support for Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 and in Windows Server 2008

    http://support.microsoft.com/kb/949856

    Reference: iPhone and Virtual Private Networks (VPN)

    http://images.apple.com/iphone/enterprise/docs/iPhone_VPN.pdf

    QUESTION NO: 18

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company is

    configured with a perimeter network as shown in the exhibit.

    Exhibit:

    The company uses an enterprise certification authority (CA) and a Microsoft Online Responder on

    the internal network.

    Which of the following options would you choose to implement a secure method for Internet users

    to verify the validity of individual certificates with the use of minimum network bandwidth? (Select

    two. Each correct answer will form a part of the answer.)

    A. Install a stand-alone CA on a server on the perimeter network

    B. Deploy a subordinate CA on the perimeter network.

    C. Install Network Device Enrollment Service (NDES) on a server on the perimeter network.

    D. Install a Network Policy Server (NPS) on a server on the perimeter network.

    E. Redirect authentication requests to a server on the internal network.

    F. Install IIS on a server on the perimeter network

    G. Configure IIS to redirect requests to the Online Responder on the internal network.

    Answer: F,G

    Explanation:

    To implement a secure method for Internet users to verify the validity of individual certificates with

    the use of minimum network bandwidth, you need to install IIS on a server on the perimeter

    network and configure IIS to redirect requests to the Online Responder on the internal network.

    Windows Vista and the Windows Server 2008 operating system will natively support both CRL

    and Online Certificate Status Protocol (OCSP) as a method of determining certificate status. The

    OCSP support includes both the client component as well as the Online Responder, which is the

    server component.

    The Online Responder Web proxy cache represents the service interface for the Online

    Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI)

    extension hosted by Internet Information Services (IIS).

    When an application performs a certificate evaluation, the validation is performed on all certificates

    in that certificate's chain. This includes every certificate from the end-entity certificate presented to

    the application to the root certificate. It is an online process and is designed to respond to single

    certificate status requests.

    Reference: Online Responder Installation, Configuration, and Troubleshooting Guide

    http://technet.microsoft.com/en-us/library/cc770413.aspx

    QUESTION NO: 19

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All the servers on the network either run Windows

    Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

    The company possesses a public key infrastructure (PKI) that consists of an offline root

    certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003.

    You publish the certificates to the user accounts and the computer accounts in Active Directory.

    Which of the following options would you choose to create a PKI solution for the Windows Vista

    client computers and the Windows Server 2008 servers in such a way that the certificates must

    support Suite B hashing and encryption algorithms and store private keys in Active Directory in

    minimum amount of administrative effort?

    A. Configure cross-certification between the CA hierarchies by creating a new PKI that uses

    Windows Server 2008 CAs.

    B. Install a new Windows Server 2008 enterprise subordinate CA.

    C. Install a new Windows Server 2008 stand-alone subordinate CA.

    D. Create a new Active Directory forest and configure one-way forest trusts between the two

    forests by deploying a new PKI that uses Windows Server 2008 CAs.

    E. None of the above.

    Answer: B

    Explanation:

    To create a PKI solution for the Windows Vista client computers and the Windows Server 2008

    servers that meet the desired requirements, you need to install a new Windows Server 2008

    enterprise subordinate CA.

    To use Suite B algorithms for cryptographic operations, you first need a Windows Server 2008-based

    CA to issue certificates that are Suite B-enabled.

    Suite B algorithms such as ECC are supported only on the Windows Vista and Windows

    Server 2008 operating systems. This means it is not possible to use those certificates on earlier

    versions of Windows such as Windows XP or Windows Server 2003.

    If you already have a PKI with CAs running Windows Server 2003 or where classic algorithms

    are being used to support existing applications, you can add a subordinate CA on a server running

    Windows Server 2008, but you must continue using classic algorithms.

    Reference: Cryptography Next Generation / How should I prepare to deploy this feature?

    http://technet.microsoft.com/en-us/library/cc730763.aspx

    QUESTION NO: 20

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory forest called CertKiller.com. The forest contains two domains.

    You want to configure another child domain called Branch3.CertKiller.com with two domain

    controllers having the DNS server role installed.

    You want to put all the users and computers in the new branch office in the branch3.CertKiller.com

    domain. Which of the following options would you choose to implement a DNS infrastructure for

    the child domain to ensure resources in the root domain and child domains are accessible by fully

    qualified domain names?

    Your solution must also provide name resolution services in the event that a single server fails for a

    prolonged period of time and automatically recognize when new DNS servers are added to or

    removed from the CertKiller.com domain.

    A. Add conditional forwarders for CertKiller.com on both the domain controllers of

    branch3.CertKiller.com domain. Next create a standard primary zone for branch.CertKiller.com.

    B. On one of the domain controllers of branch3.CertKiller.com domain, create a standard primary

    zone for CertKiller.com. On the other domain controller, create a standard secondary zone for

    CertKiller.com.

    C. On both the domain controllers of branch3.CertKiller.com domain, modify the root hints to

    include the domain controllers for CertKiller.com. On one of domain controllers, create an Active

    Directory integrated zone for branch.CertKiller.com.

    D. On one of the domain controllers of branch3.CertKiller.com domain, create an Active Directory

    Integrated zone for branch3.CertKiller.com and create an Active Directory Integrated stub zone for

    CertKiller.com.

    E. None of the above.

    Answer: D

    Explanation:

    To implement a DNS infrastructure for the child domain to ensure resources in the root domain

    and child domains are accessible by fully qualified domain names, you need to create an Active

    Directory Integrated zone for branch3.CertKiller.com on one of the domain controllers of

    branch3.CertKiller.com domain.

    Active Directory Integrated zones store their zone information within Active Directory instead of

    text files. The advantages of this new type of zone include using Active Directory replication for

    zone transfers and allowing resource records to be added or modified on any domain controller

    running DNS. In other words, all Active Directory Integrated zones are always primary zones as

    they contain writable copies of the zone database. This would ensure that the name resolution

    service will automatically recognize when new DNS servers are added to or removed from the

    CertKiller.com domain.

    You also need to create an Active Directory Integrated stub zone for CertKiller.com to ensure the

    name resolution services in the event that a single server fails for a prolonged period of time. It

    contains copies of all the resource records in the corresponding zone on the master name server.

    A stub zone is like a secondary zone in that it obtains its resource records from other name

    servers (one or more master name servers). Stub zones can be used instead of secondary zones

    to reduce the amount of zone transfer traffic over the WAN link connecting the two companies.

    When Active Directory-integrated stub zones are hosted in separate sites, you can update them

    using a local list of master servers in each site.

    Reference: DNS Stub Zones in Windows Server 2003

    http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

    Reference: Host Name Resolution Overview

    http://www.tech-faq.com/planning-and-implementing-a-dns-namespace.shtml

    QUESTION NO: 21

    You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

    three branch offices. The corporate network of the company consists of a single Active Directory

    domain.

    Each office contains an Active Directory domain controller. Which of the following options would

    you choose to create a DNS infrastructure for the network that would allow the client computers in

    each office to register DNS names within their respective offices? You also need to ensure that the

    client computers must be able to resolve names for hosts in all offices.

    A. For each office site, create a standard primary zone.

    B. For the head office site, create a standard primary zone and for each branch office site, create

    an Active Directory-integrated stub zone.

    C. For the head office site, create a standard primary zone at the head office site and for each

    branch office site, create a secondary zone.

    D. Create an Active Directory-integrated zone at the head office site.

    E. None of the above.

    Answer: D

    Explanation:

    To create a DNS infrastructure for the network that would allow the client computers in each office

    to register DNS names within their respective offices and to ensure that the client computers must

    be able to resolve names for hosts in all offices, you need to create an Active Directory-integrated

    zone at the head office site.

    Active Directory Integrated zones store their zone information within Active Directory instead of

    text files. This ensures that the client computers can resolve names for hosts in all offices. The

    advantages of this new type of zone include using Active Directory replication for zone transfers

    and allowing resource records to be added or modified on any domain controller running DNS. In

    other words, all Active Directory Integrated zones are always primary zones as they contain

    writable copies of the zone database.

    Reference: DNS Stub Zones in Windows Server 2003

    http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

    QUESTION NO: 22

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory forest called CertKiller.com. The forest contains five domains.

    The domain controllers on the network run Windows Server 2008 and have the DNS server role

    installed.

    Your company has decided to replace a legacy Windows Internet Name Service (WINS)

    environment with a DNS-only environment for name resolution.

    Which of the following options would you choose to plan the infrastructure for name resolution to

    support IPv4 and IPv6 environments, enable single-label name resolution across all domains, and

    minimize the amount of NetBIOS over TCP/IP (NetBT) traffic on the network?

    A. Implement custom Active Directory replication partition and modify each DNS zone to replicate

    as part of it

    B. Configure each DNS zone to perform a WINS forward lookup.

    C. Configure each DNS zone to replicate to each DNS server in the forest.

    D. Configure a GlobalNames zone on each domain controller.

    E. None of the above.

    Answer: D

    Explanation:

    To replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only

    environment for name resolution with given requirements, you need to configure a GlobalNames

    zone on each domain controller.

    The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has

    been introduced to assist organizations to move away from WINS and allow organizations to move

    to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for

    peer-to-peer name resolution.

    The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most

    commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified

    Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides

    NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all

    name resolution will rely on DNS. It supports a dual IPv4 and IPv6 environment and uses only DNS

    for name resolution.

    Reference: Understanding the New GlobalNames Zone Functionality in Windows Server 2008

    http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-windows-server-2008/

    Reference: DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works

    http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc

    QUESTION NO: 23

    You are an Enterprise administrator for CertKiller.com. Your company possesses a stand-alone

    root certification authority (CA) for the corporate network.

    The corporate network contains a Windows Server 2008 server called CertKillerServer1. You

    issue a server certificate to CertKillerServer1 and deploy Secure Socket Tunneling Protocol

    (SSTP) on CertKillerServer1 for secure browsing.

    Which of the following options would you choose to ensure that the external partner computers

    would be allowed to access internal network resources by using SSTP?

    A. Terminal Services Session Broker role service

    B. Firewall to allow inbound traffic on TCP Port 1723

    C. Root CA certificate on external computers

    D. Network Access Protection (NAP) on the network

    E. None of the above.

    Answer: C

    Explanation:

    To ensure that the external partner computers would be allowed to access internal network

    resources by using SSTP, you need to deploy the Root CA certificate to the external computers.

    SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and

    Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol

    (PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be

    more easily established through a firewall or through a Network Address Translation (NAT) device.

    Also, this feature allows for a VPN connection to be established through an HTTP proxy device.

    Generally, if the client computer is joined to the domain and if you use domain credentials to log

    on to the VPN server, the certificate is automatically installed in the Trusted Root Certification

    Authorities store. However, if the computer is not joined to the domain or if you use an alternative

    certificate chain, you may need to deploy the Root CA certificate to the external computers.

    Reference: How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection

    failures in Windows Server 2008

    http://support.microsoft.com/kb/947031

    QUESTION NO: 24

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All the servers on the network either run Windows

    Server 2003 or Windows Server 2008 and all client computers run Windows Vista or Windows XP

    SP2.

    You have been assigned the task to implement Encrypting File System (EFS) for all the client

    computers on the network and ensure that users must be able to access their EFS certificates on

    any client computers.

    You also need to ensure that if a client computer's disk fails, the EFS certificates must be

    accessible and that only the minimum amount of data is transferred across the network when a

    user logs on to or off from a client computer.

    Which of the following options would you choose to accomplish the assigned task?

    A. Smart cards

    B. Credential roaming

    C. Roaming user profiles

    D. Data Recovery Agent

    E. None of the above.

    Answer: B

    Explanation:

    Since credential roaming is not part of Windows XP SP2, the feature is available as a separate

    software update that can be deployed in Windows XP SP2 computers. The credential roaming

    functionality is also implemented as a core feature in Windows Vista.

    Credential roaming can enhance the use of Encrypting File System (EFS) in various ways, for

    example, roaming EFS certificates that are signed by a CA or are self-signed. With the credential

    roaming functionality in the CSC, managed environments can now store X.509 certificates,

    certificate requests, and private keys specific to a user in Active Directory, independently from the

    profile.

    The credential roaming implementation in Windows Vista is additionally able to roam stored user

    names and passwords. Users typically maintain stored user names and passwords of certain Web

    sites or file servers that do not have a default trust relationship with the user's computer. With

    credential roaming, once a domain user chooses in a Windows authentication dialog box to cache

    or 'remember' the current credentials, the user will have the same experience on any domain-

    joined computer that the user logs on to.

    Reference: About Credential Roaming

    http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx

    Reference: Configuring and Troubleshooting Certificate Services Client-Credential Roaming /

    Using Encrypting File System

    http://technet.microsoft.com/en-us/library/cc700823.aspx

    Section 4, Plan application servers and services (4 Questions)

    QUESTION NO: 25

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. The network contains three servers that run Windows

    Server 2000 and a few custom applications.

    The applications on these servers are incompatible with each other, incompatible with Windows

    Server 2008, and consume less than 10 percent of the system resources. The company has

    decided to update all the servers to Windows Server 2008.

    As an Enterprise administrator of the company, you have been assigned the task to migrate the

    applications to new Windows Server 2008 servers at minimum hardware cost.

    Which of the following two options would you choose to accomplish the assigned task? (Select

    two. Each selected option will present a part of the answer.)

    A. Deploy one new server that runs Windows Server 2008 Enterprise Edition.

    B. Deploy three new servers that run Windows Server 2008 Standard Edition.

    C. Deploy one new server that runs Windows Server 2008 Datacenter Edition.

    D. Install the Windows System Resource Manager (WSRM) feature on the new server.

    E. Configure Windows 2000 compatibility mode for each application.

    F. Install the Hyper-V feature on the new server. Create three child virtual machines.

    G. Install the Desktop Experience feature.

    Answer: A,F

    Explanation:

    To migrate the applications to new Windows Server 2008 servers at minimum hardware cost, you

    need to deploy one new server that runs Windows Server 2008 Enterprise Edition, install the

    Hyper-V feature on the new server, and then create three child virtual machines, one for each

    application.

    Application virtualization of the Hyper-V feature helps isolate the application running environment from

    the operating system install requirements by creating application-specific copies of all shared

    resources and helps reduce application-to-application incompatibility and testing needs.

    With Microsoft SoftGrid, desktop and network users can also reduce application installation time

    and eliminate potential conflicts between applications by giving each application a virtual

    environment that's not quite as extensive as an entire virtual machine. By providing an abstracted

    view of key parts of the system, application virtualization reduces the time and expense required to

    deploy and update applications.

    Reference : Windows Server 2008 Hyper-V Product Overview - An Early look Application

    Virtualization

    http://download.microsoft.com/download/4/2/b/42bea8d6-9c77-4db8-b405-6bffce59b157/WS08%20Virtualization%20Product%20Overview.doc

    QUESTION NO: 26

    You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

    a branch office. The corporate network of the company consists of a single Active Directory

    domain and an Active Directory site exists for each office. All the domain controllers on the

    network run Windows Server 2008.

    You have been assigned the task to modify the DNS infrastructure in such a way that the DNS

    service is available even if a single server fails, the synchronization data that is sent between DNS

    servers is encrypted and dynamic updates are supported on all DNS servers.

    Which of the following options would you choose to accomplish the given task? (Select two. Each

    selected option will present a part of the answer.)

    A. Install the DNS server role on a domain controller in the head office and on a Read only

    Domain Controller (RODC) in the branch office.

    B. Install the DNS server role on a domain controller in the head office and on a domain controller

    in the branch office.

    C. Install the DNS server role on two servers. Create a primary zone on the DNS server in the

    head office.

    D. Configure DNS to use Active Directory integrated zones.

    E. Create a secondary zone on the DNS server in the branch office.

    F. Install the DNS server role on two servers. Create a primary zone and a GlobalNames zone on

    the DNS server in the head office.

    G. Create a GlobalNames zone on the DNS server in the branch office.

    Answer: B,D

    Explanation:

    To modify the DNS infrastructure in such a way that the DNS service is available even if a single

    server fails, you need to install the DNS server role on a domain controller in the head office and

    on a domain controller in the branch office and then configure DNS to use Active Directory

    integrated zones.

    This would also ensure that the synchronization data that is sent between DNS servers is

    encrypted and dynamic updates are supported on all DNS servers.

    DNS servers running on domain controllers can store their zones in Active Directory. In this way, it

    is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone

    transfers, because all zone data is replicated automatically by means of Active Directory

    replication. This simplifies the process of deploying DNS and provides the following advantages:

    Multiple masters are created for DNS replication. Therefore:

    Any domain controller in the domain running the DNS server service can write updates to the

    Active Directory-integrated zones for the domain name for which they are authoritative. A separate

    DNS zone transfer topology is not needed.

    Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control

    which computers update which names, and prevent unauthorized computers from overwriting

    existing names in DNS.

    Active Directory-integrated DNS in Windows Server 2008 stores zone data in application directory

    partitions. (There are no behavioral changes from Windows Server 2003-based DNS integration

    with Active Directory.)

    Reference : Active Directory-Integrated Zones

    http://technet.microsoft.com/en-us/library/cc772746.aspx

    QUESTION NO: 27

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All the servers on the network run Windows

    Server 2008 and all client computers run Windows Vista Service Pack 1. The corporate network is

    connected to the Internet through a firewall.

    Which of the following options would you choose to allow remote access to the servers on your

    network while ensuring that all the remote connections and all remote authentication attempts to the

    servers are encrypted? You also need to ensure that only inbound connections to TCP port 80 and

    TCP port 443 are allowed on the firewall.

    A. Point-to-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE)

    B. Microsoft Secure Socket Tunneling Protocol (SSTP)

    C. Internet Protocol security (IPsec) and network address translation traversal (NAT-T).

    D. Internet Protocol security (IPsec) and certificates

    E. None of the above

    Answer: B

    Explanation:

    To allow remote access to the servers on your network while ensuring that all the remote

    connections and all remote authentication attempts to the servers are encrypted and to ensure

    that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall, you

    need to install Microsoft Secure Socket Tunneling Protocol (SSTP).

    The Microsoft Secure Socket Tunneling Protocol (SSTP) is a mechanism to transport data-link layer

    (L2) frames on a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connection.

    The protocol currently supports only the Point-to-Point Protocol (PPP) link layer.

    The SSTP server directly accepts the HTTPS connection, which is similar to a virtual private

    network (VPN) server positioned on the edge of a network. The Secure Sockets Layer/Transport

    Layer Security (SSL/TLS) certificate is deployed on the SSTP server.

    Introduction

    http://msdn.microsoft.com/en-us/library/cc247339.aspx

    Reference : The Cable Guy The Secure Socket Tunneling Protocol SSTP in Windows

    http://technet.microsoft.com/en-us/magazine/cc162322.aspx

    QUESTION NO: 28

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All the domain controllers on the network run

    Windows Server 2008 and all client computers run Windows Vista.

    The company plans to collaborate on a project with an external partner company called

    TechKing.com. The TechKing.com domain also consists of an Active Directory domain that runs

    Windows Server 2008 domain controllers.

    You have been assigned the task to design a collaboration solution that allows the users of both

    the companies to prevent sensitive documents from being forwarded to untrusted recipients or

    from being printed.

    Besides, the users of TechKing.com should be allowed to access the protected content in

    CertKiller.com to which they have been granted rights. You need to ensure that all inter-

    organizational traffic is sent over port 443.

    Which of the following options would you choose to accomplish the desired goal in a minimum

    amount of the administrative effort? (Select two. Each selected option will present a part of the

    answer.)

    A. Establish a federated trust between your company and the external partner.

    B. Establish an external forest trust between your company and the external partner.

    C. Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and

    that has the Active Directory Rights Management Services (AD RMS) role installed.

    D. Deploy a Windows Server 2008 server that has the Active Directory Rights Management

    Service (AD RMS) role installed and the Windows SharePoint Services role installed.

    E. Deploy a Windows Server 2008 server that has the Active Directory Certificate Services role

    installed. Implement Encrypting File System (EFS).

    F. Deploy a Windows Server 2008 server that has the Windows SharePoint Services role installed.

    Answer: A,C

    Explanation:

    To design a collaboration solution that allows the users of both the companies to prevent sensitive

    documents from being forwarded to untrusted recipients or from being printed, you need to

    establish a federated trust between your company and the external partner. Deploy a Windows

    Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active

    Directory Rights Management Services (AD RMS) role installed.

    With a federation trust, you can extend Active Directory to allow for the sharing of resources

    securely in a B2B environment. Once the federation trust is established, authentication requests

    that are made to the Intranet server in the resource domain can flow through the federation trust

    from users who are located in the domain where the accounts are located without issue.

    Active Directory Rights Management Services (AD RMS) is an information protection technology

    that works with AD RMS-enabled applications to help safeguard digital information from

    unauthorized use. Content owners can define who can open, modify, print, forward, or take other

    actions with the information.

    Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting

    them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate

    network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS

    infrastructure is to be able to protect documents that are downloaded from the Office SharePoint

    Server 2007 server by users of any given organization.

    Reference : Window Server 2003 R2, what's new with Active Directory? / Federation Trust

    http://www.windowsnetworking.com/articles_tutorials/Window-Server-2003-R2-New-Active-Directory.html

    Reference : Windows Server 2008: Active Directory Rights Management Services (AD RMS)

    http://www.keepingitreal.nu/2008/07/windows-server-2008-active-directory_7307.html

    Reference : Deploying Active Directory Rights Management Services with Microsoft Office

    SharePoint Server 2007 Step-By-Step Guide

    http://technet.microsoft.com/en-us/library/cc753046.aspx

    Section 5, Plan file and print server roles (9 Questions)

    QUESTION NO: 29

    You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

    a branch office. The corporate network of the company consists of a single Active Directory

    domain. All the servers on the network run Windows Server 2008 and all client computers run

    Windows Vista.

    The branch office contains a Windows Server 2008 member server named BranchServer1 that

    has the File Services server role installed on it. Active Directory contains an organizational unit

    (OU) called BranchOU to keep the computer objects for the servers in the Branch office.

    Besides the OU, a global group called Branch-adm also exists in AD to keep the user accounts for

    the administrators in the branch office. Until now the administrators on the corporate network

    manage the shared folders on the servers in the Branch office.

    However, you now want to ensure that the members of Branch-adm can create shared folders on

    BranchServer1. Which of the following options would you choose to accomplish this task?

    A. Assign Full Control permissions on the BranchOU.

    B. Add the Branch-adm group to the Power Users local group on BranchServer1.

    C. Create Shared Folders permissions on the BranchOU.

    D. Add the Branch-adm group to the Administrators local group on BranchServer1.

    E. None of the above

    Answer: D

    Explanation:

    To ensure that the members of Branch-adm can create shared folders on BranchServer1, you

    need to add the Branch-adm group to the Administrators local group on BranchServer1.

    Administrators is a local group that provides full administrative access to an individual computer or

    a single domain, depending on its location. Because this account has complete access, you

    should be very careful about adding users to this group. To make someone an administrator for a

    local computer or domain, all you need to do is make that person a member of this group. Only

    members of the Administrators group can modify this account.

    Reference : Using Default Group Accounts

    http://technet.microsoft.com/en-us/library/bb726982.aspx

    Reference : Securing the Local Administrators Group on Every Desktop

    http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

    QUESTION NO: 30

    You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows

    Server 2008.

    The company has assigned you the task to plan a data storage solution for the company by

    utilizing the existing network infrastructure and ensuring that the storage space to the servers is

    allocated as needed. You also need to ensure the maximum performance and the maximum fault

    tolerance in your solution.

    To begin with, you decided to deploy eight file servers on the network and connect them to

    Ethernet switches. Which of the following options will you include next in your plan to accomplish

    the desired goal? (Select two. Each selected option will present a part of the answer.)

    A. Install Windows Server 2008 Datacenter Edition on each server.

    B. Install Windows Server 2008 Enterprise Edition on each server.

    C. Install Windows Server 2008 Standard Edition on each server.

    D. Deploy the servers in a failover cluster and deploy an iSCSI storage area network (SAN).

    E. Deploy the servers in a Network Load Balancing (NLB) cluster and map a network drive on

    each server to an external storage array.

    F. Deploy the servers in a Network Load Balancing (NLB) cluster and implement RAID 5 on each

    server.

    G. Deploy the servers in a failover cluster and deploy a Fibre Channel (FC) storage area network

    (SAN).

    Answer: A,D

    Explanation:

    To plan a data storage solution for the company to ensure the maximum performance and the

    maximum fault tolerance, you need to install Windows Server 2008 Datacenter Edition on each

    server and deploy the servers in a failover cluster. Next deploy an iSCSI storage area network

    (SAN).

    The Datacenter Edition supports both iSCSI storage and failover clustering. The failover clustering

    will ensure the fault tolerance. A popular SAN protocol, iSCSI allows clients to send SCSI

    commands to storage devices on remote servers. Unlike Fibre Channel, which requires special-

    purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

    The iSCSI is a protocol that allows two hosts to send SCSI commands over a TCP/IP network. By

    doing this, you can use SCSI but free yourself of the limitations of traditional SCSI cabling and,

    instead, use your LAN to connect your SCSI PCs and Server to your SCSI storage.

    iSCSI is a type of storage area network (SAN) and it is typically compared to Fibre Channel (FC) -

    its much more expensive competitor.

    With iSCSI you have a client who needs access to the storage on the server. The client uses

    initiator software (making it the initiator) to connect to the storage server (called the target).

    Reference : What is iSCSI?

    http://www.windowsnetworking.com/articles_tutorials/Connect-Windows-Server-2008-Windows-Vista-iSCSI-Server.html

    QUESTION NO: 31

    You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

    a branch office. The corporate network of the company consists of a single Active Directory

    domain, which runs at the functional level of Windows Server 2008. All the servers on the network

    run Windows Server 2008 and all client computers run Windows Vista.

    You have been asked to design a file sharing strategy that ensures that the users in both the

    offices must be able to access the same files using the same Universal Naming Convention (UNC)

    path to access the files.

    The users must be able to access files even if a server fails. While designing your file sharing

    strategy, you need to take care that your design reduces the amount of bandwidth used to

    access files.

    To start with you deployed file servers on the network. Which of the following options would you

    choose next to accomplish this task?

    A. Domain-based DFS namespace using replication

    B. Stand-alone DFS namespace using replication

    C. Multi-site failover cluster having two servers, one located in the head office and another in the

    branch office

    D. Network Load Balancing cluster having two servers, one located in the head office and another

    in the branch office.

    E. None of the above

    Answer: A

    Explanation:

    To design a file sharing strategy that meets the given requirements, you need to configure a

    domain-based DFS namespace that uses replication.

    The domain based namespaces require all servers to be members of an Active Directory domain.

    This environment supports automatic synchronization of DFS targets.

    The domain-based DFS enables multiple replicas, which provides you with a degree of

    scalability. Rather than having every user in your organization access their files from the same

    server, you can distribute the user workload across multiple DFS replicas rather than

    overburdening a single server. This ensures that the users in both the offices are able to access

    the same files using the same Universal Naming Convention (UNC) path to access the files with

    reduced bandwidth.

    Another reason for having multiple DFS replicas is because doing so provides you with a degree

    of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you

    against network link failures. The fault tolerance ensures that users are able to access files even if

    a server fails.

    Reference : Planning a DFS Architecture, Part 1, Planning a DFS Architecture, Part 2 / Domain-

    Based Namespaces

    http://www.petri.co.il/planning-dfs-architecture-part-one.htm

    QUESTION NO: 32

    You are an Enterprise administrator for CertKiller.com. The company has a head office and a

    branch office. The corporate network of the company consists of a single Active Directory domain.

    All the servers on the network run Windows Server 2008.

    The company has four domain administrators and two support technicians, who are located in

    the head office and the branch office respectively.

    Which of the following options would you choose to deploy a new Windows Server 2008 server in

    the branch office? You want to minimize the security privileges granted to the support technicians.

    However, you want to ensure that the support technicians are allowed to install server roles and

    are allowed to stop and start services.

    A. Configure the restricted enrollment agent on the new Windows Server 2008 server and then

    create a permissions list for the support technicians.

    B. Create a new organizational unit (OU) for the support technicians and then assign

    them the permissions to modify objects in the new OU. Put the new Windows Server 2008 server

    in the new OU.

    C. Add the support technicians to the Domain Admins group.

    D. Assign the support technicians to the Administrators group on the new Windows Server 2008

    server.

    E. None of the above

    Answer: D

    Explanation:

    'Administrators' is a local group that provides full administrative access to an individual computer

    or a single domain, depending on its location. Because this account has complete access, you

    should be very careful about adding users to this group. To make someone an administrator for a

    local computer or domain, all you need to do is make that person a member of this group. Only

    members of the Administrators group can modify this account.

    Reference: Using Default Group Accounts

    http://technet.microsoft.com/en-us/library/bb726982.aspx

    Reference: Securing the Local Administrators Group on Every Desktop

    http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

    QUESTION NO: 33

    You are an Enterprise administrator for CertKiller.com. The corporate network of the company

    consists of a single Active Directory domain. All the servers on the network run Windows Server

    2008. The network contains two Windows Server 2008 computers called CertKillerServer1 and

    CertKillerServer2 and two identical print devices.

    Which of the following options would you choose to plan a print services infrastructure that would

    allow you to manage the print queue from a central location and make the print services available,

    even if one of the print devices fails?

    A. Install and share a printer on CertKillerServer1 and enable printer pooling.

    B. Create