70-646 pro: windows server 2008, server administratorgattner.name/simon/public/microsoft/windows...
TRANSCRIPT
Microsoft 70-646
70-646 Pro: Windows Server 2008, Server
Administrator
Practice Test
Updated: Jan 19, 2010
Version
Actu
alTe
sts.
com
QUESTION NO: 1
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of 200 Windows Server 2008 servers. The company has recently decided to open a new
branch office and moved 75 Windows Server 2008 servers from the existing office to the new
network segment.
Which of the following options would you choose to change the TCP/IP addresses on the 75
servers that have been moved to the new branch office by using the minimum amount of
administrative effort?
A. Use ServerManagerCMD tool and run it on the administrator's client computer.
B. Use the Netsh tool and run it on the administrator's client computer.
C. Use Remote Desktop to connect to each server to make the changes.
D. Visit each server to make the changes.
E. None of the above
Answer: B
Explanation:
To change the TCP/IP addresses on the 75 servers that have been moved to the new branch
office by using the minimum amount of administrative effort, you need to run the Netsh tool from
an administrator's client computer.
You can use NETSH to make dynamic IP address changes from a static IP address to DHCP
simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP
Address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you're working
on networks without DHCP and have a mobile computer that connects to multiple networks, some
of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows
Automatic Public IP Addressing.
Reference: 10 things you should know about the NETSH tool
/ #4: Using NETSH to dynamically change TCP/IP addresses
http://www.builderau.com.au/program/windows/soa/10-things-you-should-know-about-the-NETSH-
tool/0,339024644,339272916,00.htm
Reference: 10 Windows Server 2008 Netsh commands you should know
http://www.windowsnetworking.com/articles_tutorials/10-Windows-Server-2008-Netsh-
commands.html
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 2
Actu
alTe
sts.
com
QUESTION NO: 2
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
runs 28 Windows Server 2008 servers and two Windows Server 2003 servers. One of the
Windows Server 2003 servers called CertKillerServer1 hosts an application called App1 and
another Windows Server 2003 server called CertKillerServer2 hosts the application called App2
The App1application uses the 32-bit installation of Windows Server 2003 and App2 application
uses the 64-bit installation of Windows Server 2003. You need to run both the applications on
Windows Server 2008 server.
Which of the following options would you choose for replacing the servers that host App1 and
App2 in the minimum cost amount? (Select three. Each correct answer will present a part of the
solution.)
A. Install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition.
B. Install two new servers that run 64-bit versions of Windows Server 2008 Enterprise Edition.
C. Install two new servers. On one of the servers install the 32-bit version of Windows Server 2008
Enterprise Edition and install the 64-bit version of Windows Server 2008 Enterprise Edition on the
other server.
D. Install the Hyper-V feature on the server(s).
E. Install Windows System Resource Manager (WSRM) on the server(s).
F. Install App1 and App2 in separate child virtual machines
G. Install App1 on the 32-bit server. Install App2 on the 64-bit server.
Answer: A,D,F
Explanation:
For replacing the servers that host App1 and App2 in the minimum cost amount, you need to
install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. Install
the Hyper-V feature on the new server. Install App1 and App2 in separate child virtual machines
Hyper-V consists of a 64-bit hypervisor that can run 32-bit and 64-bit virtual machines
concurrently. Therefore you need to install just one Windows Server 2008 to run these two
applications. You can then install Hyper V feature that would allow you to create virtual machines
and run both the applications as desired. Hyper-V virtualization works with single and multi-
processor virtual machines and includes tools such as snapshots, which capture the state of a
running virtual machine.
Reference : Microsoft Hyper-V Guide
http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1318785,00.html
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 3
Actu
alTe
sts.
com
QUESTION NO: 3
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
runs two Windows Server 2008 servers.
You have been asked to configure the Windows Server 2008 servers in such a way that they
support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if
a single server fails. (Select two. Each correct answer will present a part of the solution.)
Which of the following options would you choose to accomplish this task?
A. Install a full installation of Windows Server 2008 Standard Edition on the servers.
B. Install a full installation of Windows Server 2008 Enterprise Edition on the servers.
C. Install a Server Core installation of Windows Server 2008 Enterprise Edition on the servers.
D. Configure Network Load Balancing on the servers.
E. Configure failover clusters on the servers.
Answer: B,E
Explanation:
To configure the Windows Server 2008 servers in such a way that they support the installation of
Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails, you
need to install a full installation of Windows Server 2008 Enterprise Edition on the servers.
Configure failover clusters on the servers.
Failover clustering is a process in which the operating system and SQL Server 2008 work together
to provide availability in the event of an application failure, hardware failure, or operating-system
error. Failover clustering provides hardware redundancy through a configuration in which mission-
critical resources are transferred from a failing machine to an equally configured server
automatically.
Reference : SQL Server 2008 Pricing and Licensing/ PASSIVE SERVERS / FAILOVER
SUPPORT
http://download.microsoft.com/download/1/e/6/1e68f92c-f334-4517-b610-
e4dee946ef91/2008%20SQL%20Licensing%20Overview%20final.docx .
QUESTION NO: 4
You are an Enterprise administrator for CertKiller.com. The company has a head office and five
branch offices. The corporate network of the company consists of a single Active Directory
domain.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 4
Actu
alTe
sts.
com
Each office contains Windows 2000 Server domain controller and Windows Server 2008 member
servers. The physical security of the member servers was not reliable and servers could be
attacked.
Therefore, you decided to implement Windows BitLocker Drive Encryption (BitLocker) on the
member servers.
Which of the following options would you choose to ensure that you can access the BitLocker
volume even if the BitLocker keys are corrupted on the member servers and store the recovery
information at a central location? (Select two. Each correct answer will present a part of the
solution.)
A. Upgrade all domain controllers to Windows Server 2008.
B. Upgrade the domain controller that has the schema master role to Windows Server 2008.
C. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to
Windows Server 2008.
D. Use Group Policy to configure Public Key Policies.
E. Use Group Policy to enable a Data Recovery Agent (DRA).
F. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.
Answer: A,F
Explanation:
To ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on
the member servers and store the recovery information at a central location, you need to upgrade
all domain controllers to Windows Server 2008. Use Group Policy to enable Trusted Platform
Module (TPM) backups to Active Directory.
By default, no recovery information is backed up. Administrators can configure Group Policy
settings to enable backup of BitLocker or TPM recovery information.
All user interfaces and programming interfaces within BitLocker and TPM Management features
will adhere to your configured Group Policy settings. When these settings are enabled, recovery
information (such as recovery passwords) will be automatically backed up to Active Directory
whenever this information is created and changed.
Reference : BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM
Recovery Information to Active Directory
http://technet.microsoft.com/en-us/library/cc766015.aspx
QUESTION NO: 5
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 5
Actu
alTe
sts.
com
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain that contain 100 Windows Server 2003 physical
servers having 64-bit hardware.
The company has given you the responsibility to consolidate the 100 physical servers into 30
Windows Server 2008 physical servers and send the remaining physical servers to the new
branch office that plans to open shortly.
Which of the following options would you choose to achieve the desired goal while ensuring the
maximum resource utilization by using existing hardware and software? You also need to ensure
that your solution would support 64-bit child virtual machines and maintain separate services
among the servers.
A. Install the Hyper-V feature on the existing hardware. Then convert the physical machines into
virtual machines.
B. Install the Microsoft Virtual PC. Then convert the physical machines into virtual machines.
C. Create the necessary host (A) records after consolidating services across the physical
machines.
D. Install Microsoft Virtual Server 2005 R2 on the existing hardware after installing Windows
Server 2008 on them. Then convert the physical machines into virtual machines.
E. None of the above
Answer: A
Explanation:
To ensure the maximum resource utilization by using existing hardware and software and to
ensure the support for 64-bit child virtual machines while maintaining separate services among the
servers, you need to install the Hyper-V feature to convert the physical machines into virtual
machines.
The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides
administrators through the process of creating a virtual version of a physical server, including
creating images of physical hard disks, preparing the images for use in a VM, and creating the
final VM. The wizard can create virtual servers from physical servers and can run on Windows
Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled)
besides many other Operating systems.
Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features
http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm
Section 2, Plan for automated server deployment (9 Questions)
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 6
Actu
alTe
sts.
com
QUESTION NO: 6
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain that contains a Windows Server 2008 server called
CertKillerServer1. The server runs the DHCP service on it for the network.
Your company has decided to add a few Windows Vista computers and Windows Server 2008
servers on the network.
You have been asked to prepare the network for the automated deployment of the above given
operating systems with the use Pre-boot Execution Environment (PXE) network adapter.
Which of the following options would you choose to accomplish this task?
A. Install Windows Automated Installation Kit (WAIK) on a new server.
B. Configure the Windows Deployment Services (WDS) server role on a new server.
C. Install Windows Automated Installation Kit (WAIK) on CertKillerServer1.
D. Configure the Windows Deployment Services (WDS) server role on CertKillerServer1.
E. None of the above
Answer: D
Explanation:
To prepare the network for the automated deployment of the above given operating systems with
the use Pre-boot Execution Environment (PXE) network adapter, you need to configure the
Windows Deployment Services (WDS) server role on CertKillerServer1.
Windows Deployment Services enables you to deploy Windows operating systems, particularly
WindowsVista and Windows Server2008. You can use it to set up new computers by using a
network-based installation. This means that you do not have to install each operating system
directly from a CD or DVD. It is an extensible and higher-performing PXE server component.
You must have a functioning DHCP server with an active scope. To utilize PXE WDS required a
DHCP server. Therefore you need to configure WDS on CertKillerServer1
Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /
What is Windows Deployment Services?
http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1
Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 7
Actu
alTe
sts.
com
Services (WDS) and DHCP
http://technet.microsoft.com/en-us/library/bb680753.aspx
QUESTION NO: 7
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
domain.
Because the branch office was comparatively less secure, you decided to deploy a Read-only
Domain Controller (RODC) in the branch office so that branch office support technicians cannot
manage domain user accounts on the RODC. However, they should be able to maintain drivers
and disks on the RODC.
Which of the following options would you choose to manage the RODC to meet the desired goal?
A. Configure Administrator Role Separation on the RODC.
B. For the branch office support technicians, set NTFS permissions on the Active Directory
database to Read & Execute.
C. Configure the RODC to replicate the password for the branch office support technicians.
D. For the branch office support technicians, set NTFS permissions on the Active Directory
database to Deny Full Control.
E. None of the above
Answer: A
Explanation:
To ensure that branch office support technicians would not manage domain user accounts on the
RODC and should be able to maintain drivers and disks on the RODC, you need to configure the
RODC for Administrator Role Separation.
Administrator Role Separation specifies that any domain user or security group can be delegated
to be the local administrator of an RODC without granting that user or group any rights for the
domain or other domain controllers. Accordingly, a delegated administrator can log on to an
RODC to perform maintenance work on the server such as upgrading a driver. But the delegated
administrator would not be able to log on to any other domain controller or perform any other
administrative task in the domain.
Reference : RODC Features/ Administrator role separation
http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 8
Actu
alTe
sts.
com
QUESTION NO: 8
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain that contain.
The company currently consists of a main office that has an Internet connection configured. The
company plans to open a new branch office in near future and plans to connect the branch office
to the main office by using a WAN link having a limited bandwidth.
The branch office will not have access to the Internet and will contain 30 Windows Server 2008
servers. The installations of these servers must be automated and must be automatically
activated. Besides the network traffic between the offices must be minimized.
Which of the following options would you include in your plan for the deployment of the servers in
the branch office?
A. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office,
implement a DHCP server and Windows Deployment Services (WDS).
B. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows
Deployment Services (WDS).
C. In the main office, implement Windows Deployment Services (WDS). In the branch office,
implement a DHCP server and implement the Key Management Service (KMS).
D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office,
implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).
E. None of the above
Answer: B
Explanation:
For the deployment of the servers in the branch office with the given requirements, you need to
implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services
(WDS) in the branch office.
The KMS key is used to activate computers against a service that you can host in your
environment, so you don't have to connect to Microsoft servers. To activate computers by using
KMS, you must have a minimum number of physical computers. The KMS key is installed on the
host computer only.
To activate the KMS host, you must have at least 25 computers running Windows Vista or
Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5
computers.
You need Windows Deployment Services (WDS) because it enables you to automate the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 9
Actu
alTe
sts.
com
deployment Windows operating systems. You can use it to set up new computers by using a
network-based installation. This means that you do not have to install each operating system
directly from a CD or DVD.
You must have a functioning DHCP server with an active scope so that WDS will utilize PXE.
Reference : Microsoft Product Activation
http://www.microsoft.com/licensing/resources/vol/default.mspx
Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /
What is Windows Deployment Services?
http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1
Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment
Services (WDS) and DHCP
http://technet.microsoft.com/en-us/library/bb680753.aspx
QUESTION NO: 9
You are an Enterprise administrator for CertKiller.com. The company has a head office and 250
branch offices. The corporate network of the company consists of a single Active Directory
domain.
All the domain controllers on the corporate network run Windows Server 2008. You have been
asked to deploy Read-only Domain Controllers (RODCs) in each designated branch offices
because the physical security at branch office locations cannot be guaranteed.
While deploying the RODCs, you need to ensure that the RODC installation source files do not
contain cached secrets and the bandwidth used during the initial synchronization of Active
Directory Domain Services (AD DS) is minimized.
Which of the following options would you choose to accomplish the given task?
A. Backup of the critical volumes of an existing domain controller by using Windows Server
Backup. Now build the new RODCs using the backup.
B. Using one of the domain controllers on the nework create a DFS Namespace that contains the
Active Directory database and then build the new RODCs using by using an answer file.
C. Create an RODC installation media using ntdsutil ifmand the build the RODCs from the RODC
installation media.
D. Perform a full backup of an existing domain controller using Windows Server Backup and then
use the backup to build the new RODCs.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 10
Actu
alTe
sts.
com
E. None of the above
Answer: C
Explanation:
:
The new ntdsutil ifm subcommand can be used to create installation media. It can be used to
remove secrets, such as passwords, from the AD DS database, so that you can install a read-only
domain controller (RODC) without them. When you remove these secrets, the RODC installation
media is more secure if it must be transported to a branch office for an RODC installation.
Ntbackup.exe cannot remove cached secrets from the installation media.
Reference : Steps for Deploying an RODC/ Optional: Install RODC from media
http://technet.microsoft.com/en-us/library/cc754629.aspx
QUESTION NO: 10
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. You have been asked to deploy file servers that run
Windows Server 2008 and ensure that the file server support volumes larger than 2 terabytes.
You also need to ensure that if a single server fails, access to all data is maintained and if a single
disk fails, the data redundancy is maintained. You also need to maximize the disk throughput
Which of the following options would you choose to accomplish the assigned task? (Select 2. Each
correct answer will present a part of the solution)
A. Deploy a Windows Server 2008 server and connect an external storage subsystem to it that
supports Microsoft Multipath I/O.
B. Deploy a two-node failover cluster. Connect an external storage subsystem.
C. Configure the external storage subsystem as a RAID 1 array and format the array as an MBR
disk.
D. Configure the external storage subsystem as a RAID 10 array and format the array as a GPT
disk.
Answer: B,D
Explanation:
To ensure that if a single server fails, access to all data is maintained and if a single disk fails, the
data redundancy is maintained, you need to deploy a two-node failover cluster. Connect an
external storage subsystem. Configure the external storage subsystem as a RAID 10 array.
Format the array as a GPT disk.
A combining the different RAID levels gives us the option of RAID10. RAID10 is equivalent
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 11
Actu
alTe
sts.
com
toRAID1 + 0. So, you can have a few disks (at least 4 and always even numbers) and mirror the
drives two at a time. This gives the redundancy. Then you take those mirrors and combine them
into a RAID 0 stripe. This allows redundancy, faster read operations, and fast writes (avoiding a
parity calculation).
RAID1 is a mirror which is faster than a single disk, but not as fast for read operations as 3+ disks
(RAID1 is just 2 disks). RAID5 is a stripe with parity which is faster on read operations than RAID1
but not ideal for write operations because it is required to calculate a parity block of data.
Reference : Brad Kingsley's Blog
http://blogs.orcsweb.com/brad/archive/2007/08/06/raid10.aspx
QUESTION NO: 11
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. You have planned to install 10 new Windows Server
2008 servers on the network.
You want to automate the installation of the servers and activate the servers automatically. Which
of the following options would you choose to accomplish the desired goal?
A. Implement Multiple Activation Key (MAK) Independent Activation and Deployment Services
(WDS).
B. Implement Key Management Service (KMS) and Windows Deployment Services (WDS).
C. Use Multiple Activation Key (MAK) Independent Activation.
D. Implement a DHCP server and the Key Management Service (KMS).
E. None of the above
Answer: B
Explanation:
For the deployment of the servers in the branch office with the given requirements, you need to
implement Key Management Service (KMS), and Windows Deployment Services (WDS).
The KMS key is used to activate computers against a service that you can host in your
environment, so you don't have to connect to Microsoft servers. To activate computers by using
KMS, you must have a minimum number of physical computers. The KMS key is installed on the
host computer only.
To activate the KMS host, you must have at least 25 computers running Windows Vista or
Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5
computers.
You need Windows Deployment Services (WDS) because it enables you to automate the
deployment Windows operating systems. You can use it to set up new computers by using a
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 12
Actu
alTe
sts.
com
network-based installation. This means that you do not have to install each operating system
directly from a CD or DVD.
Reference : Microsoft Product Activation
http://www.microsoft.com/licensing/resources/vol/default.mspx
Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /
What is Windows Deployment Services?
http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1
QUESTION NO: 12
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain.
Which of the following options would you choose to consolidate the 50 physical Windows Server
2003 servers into 10 physical Windows Server 2008 servers?
While consolidation, you need to ensure that the existing hardware and software should be used
and 64-bit child virtual machines can be created. Which of the following options would you choose
to accomplish the desired task?
A. Install Microsoft Virtual PC.
B. Install the Hyper-V feature.
C. Consolidate services across the physical machines and create the necessary host (A) records.
D. Install Microsoft Virtual Server 2005 R2.
E. None of the above
Answer: B
Explanation:
To ensure that existing hardware and software is used and to ensure the support for 64-bit child
virtual machines, you need to install the Hyper-V feature to convert the physical machines into
virtual machines.
The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides
administrators through the process of creating a virtual version of a physical server, including
creating images of physical hard disks, preparing the images for use in a VM, and creating the
final VM. The wizard can create virtual servers from physical servers and can run on Windows
Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled)
besides many other Operating systems.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 13
Actu
alTe
sts.
com
Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features
http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm
QUESTION NO: 13
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The company has decided to open 2 new branch
offices and deploy 1,000 new Windows Vista Enterprise Edition computers.
The Windows Vista installations need to be done using Pre-boot Execution Environment (PXE)
network adapters that those 1000 computers already have.
Which of the following options would you choose to ensure that 50 simultaneous installations of
Windows Vista can be done in minimum amount of time and the impact of network operations
during the deployment of the new computers is minimized?
A. Install Windows Deployment Services (WDS) server role and configure all the routers with IP
Helper tables.
B. Install Windows Deployment Services (WDS) server role and configure eachWDS server by
using legacy mode.
C. Install both Windows Deployment Services (WDS) server role and Transport Server role
services and then configure the Transport Server with a static multicast address range.
D. Install both Windows Deployment Services (WDS) server role and Transport Server role
services and then configure the Transport Server to use a custom network profile.
E. None of the above
Answer: C
Explanation:
To ensure that 50 simultaneous installations of Windows Vista in minimum amount of time in a
Pre-boot Execution Environment, you need to deploy the Windows Deployment Services (WDS)
server role and the Transport Server feature. You can install both the Deployment Server and
Transport Server role services (which is the default installation) or only Transport Server role
services.
The Windows Deployment Services (WDS) enables you to automate the deployment of Windows
operating systems. You can use it to set up new computers by using a network-based installation.
This means that you do not have to install each operating system directly from a CD or DVD
You can configure Transport Server to enable you to boot from the network using Pre-Boot
Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or
both.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 14
Actu
alTe
sts.
com
The Transport Server role service provides a subset of the functionality of Windows Deployment
Services. It contains only the core networking parts. You can use Transport Server to create
multicast namespaces that transmit data (including operating system images) from a stand-alone
server. The stand-alone server does not need Active Directory, DHCP, or DNS. You can
If multiple servers are using multicast functionality on a network (Transport Server, Deployment
Server, or another solution), it is important that each server is configured so that the multicast IP
addresses do not collide. Otherwise, you may encounter excessive traffic when you enable
multicasting. Note that each Windows Deployment Services server will have the same default
range. To work around this issue, specify static ranges that do not overlap to ensure that each
server is using a unique IP address
Reference : Transport Server
http://technet.microsoft.com/en-us/library/cc771645.aspx
QUESTION NO: 14
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain that runs a 64-bit version of Windows Server 2008
server. The server has DHCP server role installed on it. The corporate network only uses IPv4.
The company has decided to deploy 50 new Windows Server 2008 servers.The installations need
to be done using Pre-boot Execution Environment (PXE) network adapters that is already
supported by the new computers. Besides some of the new computers contain 64-bit hardware
and some of the servers contain 32-bit hardware.
Which of the following options would you choose to ensure the automated deployment of the new
servers in minimum hardware cost?
A. Deploy Windows Deployment Services (WDS) on two Windows Server 2008 servers. One for
the 64-bit server and the other for 32-bit server
B. Deploy Remote Installation Services (RIS) on two Windows Server 2003 servers having Service
Pack 2 installed. One for the 64-bit server and the other for 32-bit server
C. Deploy Windows Deployment Services (WDS) on the DHCP server
D. Deploy Remote Installation Services (RIS) on a 64-bit Windows Server 2003 server.
E. None of the above
Answer: C
Explanation:
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 15
Actu
alTe
sts.
com
To ensure the automated deployment of the new servers in minimum hardware cost in the given
scenario, you need to deploy Windows Deployment Services (WDS) on the DHCP server.
You must have a working DHCP server with an active scope on the network because Windows
Deployment Services uses PXE, which relies on DHCP for IP addressing
Reference : Installing Windows Deployment Services
http://technet.microsoft.com/en-us/library/cc771670.aspx
Section 3, Plan infrastructure services server roles (10 Questions)
QUESTION NO: 15
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest having 20 domains configured under it.
All the domain controllers on the network run Windows Server 2008 and have the DNS role
installed on them. You company has decided to replace a legacy Windows Internet Name Service
(WINS) environment with a DNS-only environment for the name resolution.
Which of the following options would you choose to Support IPv4 and IPv6 environments, allow
single-label name resolution across all domains, and minimize the amount of NetBT traffic on the
network while replacing a legacy Windows Internet Name Service (WINS) environment?
A. Configure all the DNS zones to perform a WINS forward lookup.
B. Configure all the DNS zones to replicate as part of a custom Active Directory replication
partition.
C. Configure a GlobalNames zone on each domain controller.
D. Configure all the DNS zones to replicate to each DNS server in the forest.
E. None of the above
Answer: C
Explanation:
To Support IPv4 and IPv6 environments, allow single-label name resolution across all domains,
and minimize the amount of NetBT traffic on the network while replacing a legacy Windows
Internet Name Service (WINS) environment with a DNS-only environment, you need to configure a
GlobalNames zone on each domain controller.
The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has
been introduced to assist organizations to move away from WINS and allow organizations to move
to an all-DNS environment. Unlike WINS, The GlobalNames zone is not intended to be used for
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 16
Actu
alTe
sts.
com
peer-to-peer name resolution.
The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most
commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified
Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides
NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all
name resolution will rely on DNS. It supports dual IPv4 and IPv6 environment and use only DNS
for name resolution.
Reference : Understanding the New GlobalNames Zone Functionality in Windows Server2008
http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-
windows-server-2008/
Reference : DNS Server GlobalNames Zone Deployment /
How GNZ Resolution Works
http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-
GlobalNames-Zone-Deployment.doc .
QUESTION NO: 16
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All servers on the corporate network run Windows
Server 2008 and all client computers run Windows Vista. The company has an enterprise
certification authority (CA).
You have been asked to install certificates automatically on each client computer and deploy the
certificates to all users by using a new certificate template by using minimum amount of effort. You
need to ensure that users have access to the new certificates when they log on to any client
computer in the domain.
Which of the following options would you choose to accomplish the given task? (Select two. Each
correct answer will form a part of the solution)
A. Configure autoenrollment of certificates.
B. Deploy an enterprise subordinate CA
C. Configure roaming user profiles.
D. Configure folder redirection.
E. Configure Credential Roaming.
Answer: A,E
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 17
Actu
alTe
sts.
com
Explanation:
To ensure that users have access to the new certificates when they log on to any client computer
in the domain while meeting other requirements, you need to Configure autoenrollment of
certificates and Credential Roaming
The autoenrollment process grants certificates based on certificate templates that are supplied
with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require
autoenrollment.
With the credential roaming functionality, managed environments can now store X.509 certificates,
certificate requests, and private keys specific to a user in Active Directory, independently from the
profile.
The credential roaming implementation in Windows Vista and Windows Server "Longhorn" is
additionally able to roam stored user names and passwords. This would ensure that users have
access to the new certificates when they log on to any client computer in the domain
With credential roaming, once a domain user chooses in a Windows authentication dialog box to
cache or 'remember' the current credentials, the user will have the same experience on any
domain-joined computer that the user logs on to.
Reference : How can I enable digital certificate autoenrollment in Windows Server 2003?
http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificate-autoenrollment-
in-windows-server-2003.html
Reference : About Credential Roaming
http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx
QUESTION NO: 17
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All domain controllers on the corporate network run
Windows Server 2008 and all client computers run either Windows Vista or Windows XP Service
Pack 1.
The corporate network contains 100 servers and 5,000 client computers. Which of the following
options would you choose to implement a VPN solution that allows you to store VPN passwords
as encrypted text and provide support for Suite B cryptographic algorithms?
Besides it should support client computers that are configured as members of a workgroup and
allow automatic enrollment of certificates. (Select three. Each correct answer will form a part of the
answer.)
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 18
Actu
alTe
sts.
com
A. Upgrade the client computers to Windows Vista.
B. Upgrade the client computers to Windows XP Service Pack 2.
C. Implement an enterprise certification authority (CA) that is based on Windows Server 2008.
D. Implement a stand-alone certification authority (CA).
E. Implement an IPsec VPN that uses pre-shared keys.
F. Implement an IPsec VPN that uses certificate-based authentication.
Answer: A,C,F
Explanation:
To implement a VPN solution that allows you to store VPN passwords as encrypted text and
provide support for Suite B cryptographic algorithms, you need to Upgrade the client computers to
Windows Vista and implement an enterprise certification authority (CA) that is based on Windows
Server 2008.
Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 (SP1) and in
Windows Server 2008. Suite B is a set of standards that are specified by the National Security
Agency (NSA). Suite B includes Encryption algorithms.
To support client computers that are configured as members of a workgroup and allow automatic
enrollment of certificates, you need to Implement an IPsec VPN that uses certificate-based
authentication.
IPSec deployments can take advantage of certificate-based authentication via
industry-standard x.509 digital certificates. ADCS in Windows Server2008 provides customizable
services for creating and managing the X.509 certificates that are used in software security
systems that employ public key technologies. Organizations can use ADCS to enhance security by
binding the identity of a person, device, or service to a corresponding public key. ADCS also
includes features that allow you to manage certificate enrollment and revocation in a variety of
scalable environments.
Reference : Description of the support for Suite B cryptographic algorithms that was added in
Windows Vista Service Pack 1 and in Windows Server 2008
http://support.microsoft.com/kb/949856
Reference : iPhone and Virtual Private Networks
(VPN)
http://images.apple.com/iphone/enterprise/docs/iPhone_VPN.pdf .
QUESTION NO: 18
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 19
Actu
alTe
sts.
com
You are an Enterprise administrator for CertKiller.com. The corporate network of the company is
configured with Perimeter network as shown in the exhibit.
Exhibit:
The company uses an enterprise certification authority (CA) and a Microsoft Online Responder on
the internal network.
Which of the following options would you choose to implement a secure method for Internet users
to verify the validity of individual certificates with the use of minimum network bandwidth? (Select
two. Each correct answer will form a part of the answer.)
A. Install a stand-alone CA on a server on the perimeter network
B. Deploy a subordinate CA on the perimeter network.
C. Install Network Device Enrollment Service (NDES) on a server on the perimeter network.
D. Install a Network Policy Server (NPS) on a server on the perimeter network.
E. Redirect authentication requests to a server on the internal network.
F. Install IIS on a server on the perimeter network
G. Configure IIS to redirect requests to the Online Responder on the internal network.
Answer: F,G
Explanation:
To implement a secure method for Internet users to verify the validity of individual certificates with
the use of minimum network bandwidth, you need to install IIS on a server on the perimeter
network and configure IIS to redirect requests to the Online Responder on the internal network.
Windows Vista and the WindowsServer®2008 operating system will natively support both CRL
and Online Certificate Status Protocol (OCSP) as a method of determining certificate status. The
OCSP support includes both the client component as well as the Online Responder, which is the
server component.
The Online Responder Web proxy cache represents the service interface for the Online
Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI)
extension hosted by Internet Information Services (IIS)
When an application performs a certificate evaluation, the validation is performed on all certificates
in that certificate's chain. This includes every certificate from the end-entity certificate presented to
the application to the root certificate. It is an online process and is designed to respond to single
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 20
Actu
alTe
sts.
com
certificate status requests.
Reference : Online Responder Installation, Configuration, and Troubleshooting Guide
http://technet.microsoft.com/en-us/library/cc770413.aspx
QUESTION NO: 19
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network either run Windows
Server 2003 or Windows Server 2008 and all client computers run Windows Vista.
The company possesses a public key infrastructure (PKI) that consists of an offline root
certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003.
You publish the certificates to the user accounts and the computer accounts in Active Directory.
Which of the following options would you choose to create a PKI solution for the Windows Vista
client computers and the Windows Server 2008 servers in such a way that the certificates must
support Suite B hashing and encryption algorithms and store private keys in Active Directory in
minimum amount of administrative effort?
A. Configure cross-certification between the CA hierarchies by creating a new PKI that uses
Windows Server 2008 CAs..
B. Install a new Windows Server 2008 enterprise subordinate CA.
C. Install a new Windows Server 2008 stand-alone subordinate CA.
D. Create a new Active Directory forest and configure one-way forest trusts between the two
forests by deploying a new PKI that uses Windows Server 2008 CAs.
E. None of the above.
Answer: B
Explanation:
To create a PKI solution for the Windows Vista client computers and the Windows Server 2008
servers that meed the desired requirements, you need to install a new Windows Server 2008
enterprise subordinate CA.
To use SuiteB algorithms for cryptographic operations, you first need a Windows Server2008-
based CA to issue certificates that are SuiteB-enabled
SuiteÂB algorithms such as ECC are supported only on the WindowsÂVista® and Windows
ServerÂ2008 operating systems. This means it is not possible to use those certificates on earlier
versions of Windows such as WindowsÂXP or WindowsÂServerÂ2003.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 21
Actu
alTe
sts.
com
If you already have a PKI with CAs running WindowsÂServerÂ2003 or where classic algorithms
are being used to support existing applications, you can add a subordinate CA on a server running
Windows ServerÂ2008, but you must continue using classic algorithms.
Reference : Cryptography Next Generation / How should I prepare to deploy this feature?
http://technet.microsoft.com/en-us/library/cc730763.aspx
QUESTION NO: 20
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest called CertKiller.com. The forest contains two domains.
You want to configure another child domain called Branch3.CertKiller.com with two domain
controllers having the DNS server role installed.
You want to put all the users and computers in the new branch office in the branch3.CertKiller.com
domain. Which of the following options would you choose to implement a DNS infrastructure for
the child domain to ensure resources in the root domain and child domains are accessible by fully
qualified domain names?
You solution must also provide name resolution services in the event that a single server fails for a
prolonged period of time and automatically recognize when new DNS servers are added to or
removed from the CertKiller.com domain.
A. Add conditional forwarders for CertKiller.com on both the domain controllers of
branch3.CertKiller.com domain. Next create a standard primary zone for branch.CertKiller.com.
B. On one of the domain controllers of branch3.CertKiller.com domain, create a standard primary
zone for CertKiller.com. On the other domain controller, create a standard secondary zone for
CertKiller.com.
C. On both the domain controllers of branch3.CertKiller.com domain, modify the root hints to
include the domain controllers for CertKiller.com. On one of domain controllers, create an Active
Directory integrated zone for branch.CertKiller.com.
D. On one of the domain controllers of branch3.CertKiller.com domain, create an Active Directory
Integrated zone for branch3.CertKiller.com and create an Active Directory Integrated stub zone for
CertKiller.com.
E. None of the above.
Answer: D
Explanation:
To implement a DNS infrastructure for the child domain to ensure resources in the root domain
and child domains are accessible by fully qualified domain names, you need to create an Active
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 22
Actu
alTe
sts.
com
Directory Integrated zone for branch3.CertKiller.com on one of the domain controllers of
branch3.CertKiller.com domain.
Active Directory Integrated zones, store their zone information within Active Directory instead of
text files. The advantages of this new type of zone included using Active Directory replication for
zone transfers and allowing resource records to be added or modified on any domain controller
running DNS. In other words, all Active Directory Integrated zones are always primary zones as
they contain writable copies of the zone database.This would ensure that the name resolution
service will automatically recognize when new DNS servers are added to or removed from the
CertKiller.com domain
You also need to create an Active Directory Integrated stub zone for CertKiller.com to ensure the
name resolution services in the event that a single server fails for a prolonged period of time. It
contains copies of all the resource records in the corresponding zone on the master name server.
A stub zone is like a secondary zone in that it obtains its resource records from other name
servers (one or more master name servers). Stub zones can be used instead of secondary zones
to reduce the amount of zone transfer traffic over the WAN link connecting the two companies.
When Active Directory-integrated stub zones are hosted in separate sites, you can update them
using a local list of master servers in each site.
Reference : DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
Reference: Host Name Resolution Overview
http://www.tech-faq.com/planning-and-implementing-a-dns-namespace.shtml
QUESTION NO: 21
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
three branch offices. The corporate network of the company consists of a single Active Directory
domain.
Each office contains an Active Directory domain controller. Which of the following options would
you choose to create a DNS infrastructure for the network that would allow the client computers in
each office to register DNS names within their respective offices? You also need to ensure that the
client computers must be able to resolve names for hosts in all offices.
A. For each office site, create a standard primary zone.
B. For the head office site, create a standard primary zone and for each branch office site, create
an Active Directory-integrated stub zone.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 23
Actu
alTe
sts.
com
C. For the head office site, create a standard primary zone at the head office site and for each
branch office site, create a secondary zone.
D. Create an Active Directory-integrated zone at the head office site.
E. None of the above.
Answer: D
Explanation:
To create a DNS infrastructure for the network that would allow the client computers in each office
to register DNS names within their respective offices and to ensure that the client computers must
be able to resolve names for hosts in all offices, you need to create an Active Directory-integrated
zone at the head office site
Active Directory Integrated zones, store their zone information within Active Directory instead of
text files. This ensures that the client computers can resolve names for hosts in all offices. The
advantages of this new type of zone included using Active Directory replication for zone transfers
and allowing resource records to be added or modified on any domain controller running DNS. In
other words, all Active Directory Integrated zones are always primary zones as they contain
writable copies of the zone database.
Reference : DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
QUESTION NO: 22
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest called CertKiller.com. The forest contains five domains.
The domain controllers on the network run Windows Server 2008 and have the DNS server role
installed.
You company has decided to replace a legacy Windows Internet Name Service (WINS)
environment with a DNS-only environment for name resolution.
Which of the following options would you choose to plan the infrastructure for name resolution to
support IPv4 and IPv6 environments, enable single-label name resolution across all domains, and
minimizing the amount of NetBIOS over TCP/IP (NetBT) traffic on the network?
A. Implement custom Active Directory replication partition and modify each DNS zone to replicate
as part of it
B. Configure each DNS zone to perform a WINS forward lookup.
C. Configure each DNS zone to replicate to each DNS server in the forest.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 24
Actu
alTe
sts.
com
D. Configure a GlobalNames zone on each domain controller.
E. None of the above.
Answer: D
Explanation:
To replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only
environment for name resolution with given requirements, you need to configure a GlobalNames
zone on each domain controller.
The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has
been introduced to assist organizations to move away from WINS and allow organizations to move
to an all-DNS environment. Unlike WINS, The GlobalNames zone is not intended to be used for
peer-to-peer name resolution.
The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most
commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified
Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides
NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all
name resolution will rely on DNS. It supports dual IPv4 and IPv6 environment and use only DNS
for name resolution.
Reference : Understanding the New GlobalNames Zone Functionality in Windows Server2008
http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-
windows-server-2008/
Reference : DNS Server GlobalNames Zone Deployment /
How GNZ Resolution Works
http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-
GlobalNames-Zone-Deployment.doc .
QUESTION NO: 23
You are an Enterprise administrator for CertKiller.com. Your company possesses a stand-alone
root certification authority (CA) for the corporate network.
The corporate network contains a Windows Server 2008 server called CertKillerServer1. You
issue a server certificate to CertKillerServer1 and deploy Secure Socket Tunneling Protocol
(SSTP) on CertKillerServer1 for secure browsing.
Which of the following options would you choose to ensure that the external partner computers
would be allowed to access internal network resources by using SSTP?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 25
Actu
alTe
sts.
com
A. Terminal Services Session Broker role service
B. Firewall to allow inbound traffic on TCP Port 1723
C. Root CA certificate on external computers
D. Network Access Protection (NAP) on the network
E. None of the above.
Answer: C
Explanation:
To ensure that the external partner computers would be allowed to access internal network
resources by using SSTP, you need to deploy the Root CA certificate to the external computers.
SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and
Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol
(PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be
more easily established through a firewall or through a Network Address Translation (NAT) device.
Also, this feature allows for a VPN connection to be established through an HTTP proxy device.
Generally, if the client computer is joined to the domain and if you use domain credentials to log
on to the VPN server, the certificate is automatically installed in the Trusted Root Certification
Authorities store. However, if the computer is not joined to the domain or if you use an alternative
certificate chain, you may need to Root CA certificate to the external computers.
Reference : How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection
failures in Windows Server 2008
http://support.microsoft.com/kb/947031
QUESTION NO: 24
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network either run Windows
Server 2003 or Windows Server 2008 and all client computers run Windows Vista or Windows XP
SP2.
You have been assigned the task to implement Encrypting File System (EFS) for all the client
computers on the network and ensure that users must be able to access their EFS certificates on
any client computers.
You also need to ensure that if a client computers disk fails, the EFS certificates must be
accessible and only the minimum amount of data that is transferred across the network when a
user logs on to or off from a client computer.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 26
Actu
alTe
sts.
com
Which of the following options would you choose to accomplish the assigned task?
A. Smart cards
B. Credential roaming
C. Roaming user profiles
D. Data Recovery Agent
E. None of the above.
Answer: B
Explanation:
Since credential roaming is not part of Windows XP SP2, the feature is available as a separate
software update that can be deployed in Windows XP SP2 computers. The credential roaming
functionality is also implemented as a core feature in Windows Vista.
Credential roaming can enhance the use of Encrypting File System (EFS) in various ways, for
example, roaming EFS certificates that are signed by a CA or are self-signed. With the credential
roaming functionality in the CSC, managed environments can now store X.509 certificates,
certificate requests, and private keys specific to a user in Active Directory, independently from the
profile.
The credential roaming implementation in Windows Vista is additionally able to roam stored user
names and passwords. Users typically maintain stored user names and passwords of certain Web
sites or file servers that do not have a default trust relationship with the user's computer. With
credential roaming, once a domain user chooses in a Windows authentication dialog box to cache
or 'remember' the current credentials, the user will have the same experience on any domain-
joined computer that the user logs on to.
Reference : About Credential Roaming
http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx
Reference : Configuring and Troubleshooting Certificate Services Client-Credential Roaming /
Using Encrypting File System
http://technet.microsoft.com/en-us/library/cc700823.aspx
Section 4, Plan application servers and services (4 Questions)
QUESTION NO: 25
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The network contains three servers that run Windows
Server 2000 and a few custom applications.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 27
Actu
alTe
sts.
com
The applications on these servers are incompatible with each other, incompatible with Windows
Server 2008, and consume less than 10 percent of the system resources. The company has
decided to update all the servers to Windows Server 2008.
As an Enterprise administrator of the company, you have been assigned the task to migrate the
applications to new Windows Server 2008 servers in minimum hardware costs.
Which of the following two options would you choose to accomplish the assigned task? (Select
two. Each selected option will present a part of the answer.)
A. Deploy one new server that runs Windows Server 2008 Enterprise Edition.
B. Deploy three new servers that run Windows Server 2008 Standard Edition.
C. Deploy one new server that runs Windows Server 2008 Datacenter Edition.
D. Install the Windows System Resource Manager (WSRM) feature on the new server.
E. Configure Windows 2000 compatibility mode for each application.
F. Install the Hyper-V feature on the new server. Create three child virtual machines.
G. Install the Desktop Experience feature.
Answer: A,F
Explanation:
To migrate the applications to new Windows Server 2008 servers in minimum hardware costs, you
need to deploy one new server that runs Windows Server 2008 Enterprise Edition, install the
Hyper-V feature on the new server, and then create three child virtual machines for each
application.
Application virtualization of Hyper-V feature helps isolate the application running environment from
the operating system install requirements by creating application-specific copies of all shared
resources and helps reduce application to application incompatibility and testing needs.
With Microsoft SoftGrid, desktop and network users can also reduce application installation time
and eliminate potential conflicts between applications by giving each application a virtual
environment that's not quite as extensive as an entire virtual machine. By providing an abstracted
view of key parts of the system, application virtualization reduces the time and expense required to
deploy and update applications.
Reference : Windows Server 2008 Hyper-V Product Overview - An Early look Application
Virtualization
http://download.microsoft.com/download/4/2/b/42bea8d6-9c77-4db8-b405-
6bffce59b157/WS08%20Virtualization%20Product%20Overview.doc
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 28
Actu
alTe
sts.
com
QUESTION NO: 26
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
domain and an Active Directory site exists for each office. All the domain controllers on the
network run Windows Server 2008.
You have been assigned the task to modify the DNS infrastructure in such a way that the DNS
service is available even if a single server fails, the synchronization data that is sent between DNS
servers is encrypted and dynamic updates are supported on all DNS servers.
Which of the following options would you choose to accomplish the given task? (Select two. Each
selected option will present a part of the answer.)
A. Install the DNS server role on a domain controller in the head office and on a Read only
Domain Controller (RODC) in the branch office.
B. Install the DNS server role on a domain controller in the head office and on a domain controller
in the branch office.
C. Install the DNS server role on two servers. Create a primary zone on the DNS server in the
head office.
D. Configure DNS to use Active Directory integrated zones.
E. Create a secondary zone on the DNS server in the branch office.
F. Install the DNS server role on two servers. Create a primary zone and a GlobalNames zone on
the DNS server in the head office.
G. Create a GlobalNames zone on the DNS server in the branch office.
Answer: B,D
Explanation:
To modify the DNS infrastructure in such a way that the DNS service is available even if a single
server fails, you need to install the DNS server role on a domain controller in the head office and
on a domain controller in the branch office and then configure DNS to use Active Directory
integrated zones.
This would also ensure that the synchronization data that is sent between DNS servers is
encrypted and dynamic updates are supported on all DNS servers.
DNS servers running on domain controllers can store their zones in Active Directory. In this way, it
is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone
transfers, because all zone data is replicated automatically by means of Active Directory
replication. This simplifies the process of deploying DNS provides the following advantages:
Multiple masters are created for DNS replication. Therefore:
Any domain controller in the domain running the DNS server service can write updates to the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 29
Actu
alTe
sts.
com
Active Directory-integrated zones for the domain name for which they are authoritative. A separate
DNS zone transfer topology is not needed.
Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control
which computers update which names, and prevent unauthorized computers from overwriting
existing names in DNS.
ActiveDirectory-integrated DNS in Windows Server2008 stores zone data in application directory
partitions. (There are no behavioral changes from WindowsServer2003-based DNS integration
with ActiveDirectory.)
Reference : Active Directory-Integrated Zones
http://technet.microsoft.com/en-us/library/cc772746.aspx
QUESTION NO: 27
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network either run Windows
Server 2008 and all client computers run Windows Vista Service Pack 1. The corporate network is
connected to the Internet through a firewall.
Which of the following options would you choose to allow remote access to the servers on your
network while ensure that all the remote connections and all remote authentication attempts to the
servers are encrypted? You also need to ensure that only inbound connections to TCP port 80 and
TCP port 443 are allowed on the firewall.
A. Point-to-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE)
B. Microsoft Secure Socket Tunneling Protocol (SSTP)
C. Internet Protocol security (IPsec) and network address translation traversal (NAT-T).
D. Internet Protocol security (IPsec) and certificates
E. None of the above
Answer: B
Explanation:
To allow remote access to the servers on your network while ensure that all the remote
connections and all remote authentication attempts to the servers are encrypted and to ensure
that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall, you
need to install Microsoft Secure Socket Tunneling Protocol (SSTP).
The Microsoft Secure Socket Tunneling Protocol (SSTP), a mechanism to transport data-link layer
(L2) frames on a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connection.
The protocol currently supports only the Point-to-Point Protocol (PPP) link layer.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 30
Actu
alTe
sts.
com
The SSTP server directly accepts the HTTPS connection, which is similar to a virtual private
network (VPN) server positioned on the edge of a network. The Secure Sockets Layer/Transport
Layer Security (SSL/TLS) certificate is deployed on the SSTP server.
Introduction
http://msdn.microsoft.com/en-us/library/cc247339.aspx
Reference : The Cable Guy The Secure Socket Tunneling Protocol SSTP in Windows
http://technet.microsoft.com/en-us/magazine/cc162322.aspx
QUESTION NO: 28
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the domain controllers on the network either run
Windows Server 2008 and all client computers run Windows Vista.
The company plan to collaborate on a project with an external partner company called
TechKing.com. The TechKing.com domain also consists of an Active Directory domain that runs
Windows Server 2008 domain controllers.
You have been assigned the task to design a collaboration solution that allows the users of both
the companies to prevent sensitive documents from being forwarded to untrusted recipients or
from being printed.
Besides, the users of TechKing.com should be allowed to access the protected content in
CertKiller.com to which they have been granted rights. You need to ensure that all inter-
organizational traffic is sent over port 443.
Which of the following options would you choose to accomplish the desired goal in a minimum
amount of the administrative effort? (Select two. Each selected option will present a part of the
answer.)
A. Establish a federated trust between your company and the external partner.
B. Establish an external forest trust between your company and the external partner.
C. Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and
that has the Active Directory Rights Management Services (AD RMS) role installed.
D. Deploy a Windows Server 2008 server that has the Active Directory Rights Management
Service (AD RMS) role installed and the Windows SharePoint Services role installed.
E. Deploy a Windows Server 2008 server that has the Active Directory Certificate Services role
installed. Implement Encrypting File System (EFS).
F. Deploy a Windows Server 2008 server that has the Windows SharePoint Services role installed.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 31
Actu
alTe
sts.
com
Answer: A,C
Explanation:
To design a collaboration solution that allows the users of both the companies to prevent sensitive
documents from being forwarded to untrusted recipients or from being printed, you need to
establish a federated trust between your company and the external partner. Deploy a Windows
Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active
Directory Rights Management Services (AD RMS) role installed
With a federation trust, you can extend Active Directory to allow for the sharing of resources
securely in a B2B environment. Once the federation trust is established, authentication requests
that are made to the Intranet server in the resource domain can flow through the federation trust
from users who are located in the domain where the accounts are located without issue.
Active Directory Rights Management Services (AD RMS) is an information protection technology
that works with AD RMS-enabled applications to help safeguard digital information from
unauthorized use. Content owners can define who can open, modify, print, forward, or take other
actions with the information.
Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting
them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate
network. The goal of integrating an Office SharePoint Server 2007 deployment with an ADRMS
infrastructure is to be able to protect documents that are downloaded from the Office SharePoint
Server 2007 server by users of any given organization.
Reference : Window Server 2003 R2, what's new with Active Directory? / Federation Trust
http://www.windowsnetworking.com/articles_tutorials/Window-Server-2003-R2-New-Active-
Directory.html
Reference : Windows Server 2008: Active Directory Rights Management Services (AD RMS)
http://www.keepingitreal.nu/2008/07/windows-server-2008-active-directory_7307.html
Reference : Deploying Active Directory Rights Management Services with Microsoft Office
SharePoint Server 2007 Step-By-Step Guide
http://technet.microsoft.com/en-us/library/cc753046.aspx
Section 5, Plan file and print server roles (9 Questions)
QUESTION NO: 29
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 32
Actu
alTe
sts.
com
domain. All the servers on the network run Windows Server 2008 and all client computers run
Windows Vista.
The branch office contains a Windows Server 2008 member server named BranchServer1 that
has the File Services server role installed on it. The Active Directory contain an organizational unit
(OU) called BranchOU to keep the computer objects for the servers in the Branch office.
Besides the OU, a global group called Branch-adm also exists in AD to keep the user accounts for
the administrators in the branch office. Till now the administrators on the corporate network
manage the shared folders on the servers in the Branch office.
However, you now want to ensure that the members of Branch-adm can create shared folders on
BranchServer1. Which of the following options would you choose to accomplish this task?
A. Assign Full Control permissions on the BranchOU.
B. Add the Branch-adm group to the Power Users local group on BranchServer1.
C. Create Shared Folders permissions on the BranchOU.
D. Add the Branch-adm group to the Administrators local group on BranchServer1.
E. None of the above
Answer: D
Explanation:
To ensure that the members of Branch-adm can create shared folders on BranchServer1, you
need to add the Branch-adm group to the Administrators local group on BranchServer1
Administrators is a local group that provides full administrative access to an individual computer or
a single domain, depending on its location. Because this account has complete access, you
should be very careful about adding users to this group. To make someone an administrator for a
local computer or domain, all you need to do is make that person a member of this group. Only
members of the Administrators group can modify this account.
Reference : Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspx
Reference : Securing the Local Administrators Group on Every Desktop
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
QUESTION NO: 30
You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows
Server 2008.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 33
Actu
alTe
sts.
com
The company has assigned you the task to plan a data storage solution for the company by
utilizing the existing network infrastructure and ensuring that the storage space to the servers is
allocated as needed. You also need to ensure the maximum performance and the maximum fault
tolerance in your solution.
To begin with, you decided to deploy eight file servers on the network and connect them to
Ethernet switches. Which of the following options will you include next in your plan to accomplish
the desired goal? (Select two. Each selected option will present a part of the answer.)
A. Install Windows Server 2008 Datacenter Edition on each server.
B. Install Windows Server 2008 Enterprise Edition on each server.
C. Install Windows Server 2008 Standard Edition on each server.
D. Deploy the servers in a failover cluster and deploy an iSCSI storage area network (SAN).
E. Deploy the servers in a Network Load Balancing (NLB) cluster and map a network drive on
each server to an external storage array.
F. Deploy the servers in a Network Load Balancing (NLB) cluster and implement RAID 5 on each
server.
G. Deploy the servers in a failover cluster and deploy a Fibre Channel (FC) storage area network
(SAN).
Answer: A,D
Explanation:
To plan a data storage solution for the company to ensure the maximum performance and the
maximum fault tolerance, you need to i nstall Windows Server 2008 Datacenter Edition on each
server and deploy the servers in a failover cluster. Next deploy an iSCSI storage area network
(SAN).
The Datacenter Edition supports both iSCSI storage and failover clustering. The failover clustering
will ensure the fault tolerance. A popular SAN protocol, iSCSI allows clients to send SCSI
commands to storage devices on remote servers. Unlike Fibre Channel, which requires special-
purpose cabling, iSCSI can be run over long distances using existing network infrastructure
The iSCSI is a protocol that allows two hosts to send SCSI commands over a TCP/IP network. By
doing this, you can use SCSI but free yourself of the limitations of traditional SCSI cabling and,
instead, use your LAN to connect your SCSI PCs and Server to your SCSI storage.
iSCSI is a type of storage area network (SAN) and it is typically compared to Fibre Channel (FC) -
its much more expensive competitor.
With iSCSI you have a client who needs access to the storage on the server. The client uses
initiator software (making it the initiator) to connect to the storage server (called the target).
Reference : What is iSCSI?
http://www.windowsnetworking.com/articles_tutorials/Connect-Windows-Server-2008-Windows-
Vista-iSCSI-Server.html
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 34
Actu
alTe
sts.
com
QUESTION NO: 31
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
domain, which run at the functional level of Windows Server 2008. All the servers on the network
run Windows Server 2008 and all client computers run Windows Vista.
You have been asked to design a file sharing strategy that ensures that the users in both the
offices must be able to access the same files using the same Universal Naming Convention (UNC)
path to access the files.
The users must be able to access files even if a server fails. While designing your file sharing
strategy, you need to take care you're your design must reduce the amount of bandwidth used to
access files.
To start with you deployed file servers on the network. Which of the following options would you
choose next to accomplish this task?
A. Domain-based DFS namespace using replication
B. Stand-alone DFS namespace using replication
C. Multi-site failover cluster having two servers, one located in the head office and another in the
branch office
D. Network Load Balancing cluster having two servers, one located in the head office and another
in the branch office.
E. None of the above
Answer: A
Explanation:
To design a file sharing strategy that meets the given requirements, you need to configure a
domain-based DFS namespace that uses replication.
The domain based namespaces require all servers to be members of an Active Directory domain.
This environment support automatic synchronization of DFS targets.
The domain-based DFS enables multiple replications that provides you with a degree of
scalability. Rather than having every user in your organization access their files from the same
server, you can distribute the user workload across multiple DFS replicas rather than over
burdening a single server. This ensures that the users in both the offices must be able to access
the same files using the same Universal Naming Convention (UNC) path to access the files in
reduced bandwidth.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 35
Actu
alTe
sts.
com
Another reason for having multiple DFS replicas is because doing so provides you with a degree
of fault tolerance.DFS can also provide fault tolerance from the standpoint of protecting you
against network link failures.The fault tolerance ensures that users are able to access files even if
a server fails.
Reference : Planning a DFS Architecture, Part 1, Planning a DFS Architecture, Part 2 / Domain-
Based Namespaces
http://www.petri.co.il/planning-dfs-architecture-part-one.htm
QUESTION NO: 32
You are an Enterprise administrator for CertKiller.com. The company has a head office and a
branch office. The corporate network of the company consists of a single Active Directory domain.
All the servers on the network run Windows Server 2008.
The company has four domain administrators and two support technicians, which are located in
the head office and the branch office respectively.
Which of the following options would you choose to deploy a new Windows Server 2008 server in
the branch office? You want to minimize the security privileges granted to the support technicians.
However, you want to ensure that the support technicians are allowed to install server roles and
are allowed to stop and start services.
A. Configure the restricted enrollment agent on the new Windows Server 2008 server and then
create a permissions list for the support technicians.
B. Create a new organizational unit (OU) for the support technicians permission and then assign
them the permissions to modify objects in the new OU. Put the new Windows Server 2008 server
in the new OU.
C. Add the support technicians to the Domain Admins group.
D. Assign the support technicians to the Administrators group on the new Windows Server 2008
server.
E. None of the above
Answer: D
Explanation:
'Administrators' is a local group that provides full administrative access to an individual computer
or a single domain, depending on its location. Because this account has complete access, you
should be very careful about adding users to this group. To make someone an administrator for a
local computer or domain, all you need to do is make that person a member of this group. Only
members of the Administrators group can modify this account.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 36
Actu
alTe
sts.
com
Reference: Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspx
Reference: Securing the Local Administrators Group on Every Desktop
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
QUESTION NO: 33
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008. The network contains two Windows Server 2008 computers called CertKillerServer1 and
CertKillerServer2 and two identical print devices.
Which of the following options would you choose to plan a print services infrastructure that would
allow you to manage the print queue from a central location and make the print services available,
even if one of the print devices fails?
A. Install and share a printer on CertKillerServer1 and enable printer pooling.
B. Create a Network Load Balancing cluster and add CertKillerServer1 and CertKillerServer2 to it
and then install a printer on each node of the cluster.
C. Install and share one of the printer on CertKillerServer1 and the other printer on
CertKillerServer2. Use Print Manager to install the printers on the client computers.
D. Install the Terminal Services server role on both servers. Configure Terminal Services Session
Broker (TS Session Broker).
E. None of the above
Answer: A
Explanation:
To plan a print services infrastructure that would allow you to manage the print queue from a
central location and make the print services available, even if one of the print devices fails, you
need to install and share a printer on CertKillerServer1 and enable printer pooling.
Printer pooling allows you to print to several printers at once. If you have a large print job you can
submit it to the pool and the operating system will balance the load among the printers.
This feature allows network administrators to configure and manage several printers as one, a
process that can simplify printer administration.
In addition, printer pooling provides some load-balancing. That's because Windows 2000 Server
directs print jobs to the connected printers based on jobs pending at each printer.
A printer pool contains multiple printers, all configured as a single printer instance.
Reference : Configure printer pooling to simplify printer management in Windows 2000
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 37
Actu
alTe
sts.
com
http://articles.techrepublic.com.com/5100-10878_11-5727870.html
QUESTION NO: 34
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
contains two Windows Server 2008 computers and two identical print devices.
Which of the following options would you choose to manage the print queue from a central location
and balance the load of print jobs on both the printers?
A. Install and share a printer on one of the servers and enable printer pooling.
B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of
the cluster.
C. Install and share a printer on each server and then install the printers on the client computers
using Print Manager
D. Install the Terminal Services server role on both servers and configure Terminal Services
Session Broker (TS Session Broker).
E. None of the above
Answer: A
Explanation:
To plan a print services infrastructure that would allow you to manage the print queue from a
central location and balance the load of print jobs on both the printers, you need to install and
share a printer on CertKillerServer1 and enable printer pooling.
Printer pooling allows you to print to several printers at once. If you have a large print job you can
submit it to the pool and the operating system will balance the load among the printers.
This feature allows network administrators to configure and manage several printers as one, a
process that can simplify printer administration.
In addition, printer pooling provides some load-balancing. That's because Windows 2000 Server
directs print jobs to the connected printers based on jobs pending at each printer.
A printer pool contains multiple printers, all configured as a single printer instance.
Reference : Configure printer pooling to simplify printer management in Windows 2000
http://articles.techrepublic.com.com/5100-10878_11-5727870.html
QUESTION NO: 35
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
contains two Windows Server 2008 computers and two identical print devices.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 38
Actu
alTe
sts.
com
Which of the following options would you choose to manage a large print job by balancing the load
of print jobs on both the printers?
A. Install and share a printer on one of the servers and enable printer pooling.
B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of
the cluster.
C. Install and share a printer on each server and then install the printers on the client computers
using Print Manager
D. Install the Terminal Services server role on both servers and configure Terminal Services
Session Broker (TS Session Broker).
E. None of the above
Answer: A
Explanation:
To manage a large print job by balancing the load of print jobs on both the printers, you need to
install and share a printer on CertKillerServer1 and enable printer pooling.
Printer pooling allows you to print to several printers at once. If you have a large print job you can
submit it to the pool and the operating system will balance the load among the printers.
This feature allows network administrators to configure and manage several printers as one, a
process that can simplify printer administration.
In addition, printer pooling provides some load-balancing. That's because Windows 2000 Server
directs print jobs to the connected printers based on jobs pending at each printer.
A printer pool contains multiple printers, all configured as a single printer instance.
Reference : Configure printer pooling to simplify printer management in Windows 2000
http://articles.techrepublic.com.com/5100-10878_11-5727870.html
QUESTION NO: 36
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
domain. All the servers on the network run Windows Server 2008 and all client computers run
Windows Vista.
The branch office contains 50 Windows Server 2008 member servers. The Active Directory
contain an organizational unit (OU) called BranchOU to keep the computer objects for the servers
in the Branch office.
A global group called Branch-adm also exists in the AD to keep the user accounts for the
administrators in the branch office. The administrators on the corporate network manage all the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 39
Actu
alTe
sts.
com
servers in the Branch office.
However, you now want to ensure that the members of Branch-adm group can Stop and start
services and change registry settings on the member servers of the branch office. Which of the
following options would you choose to accomplish this task?
A. Assign Full Control permissions on the BranchOU to the Branch-adm group.
B. Add the Branch-adm group to the Power Users local group on each server in the Branch office.
C. Assign the Branch-adm group change permissions to the BranchOU and to all child objects.
D. Add the Branch-adm group to the Administrators local group on each server in the Branch
office.
E. None of the above
Answer: D
Explanation:
To ensure that the members of add the Branch-adm group can Stop and start services and
change registry settings on the member servers of the branch office, you need to add the Branch-
adm group to the Administrators local group on each server in the Branch office.
'Administrators' is a local group that provides full administrative access to an individual computer
or a single domain, depending on its location. Because this account has complete access, you
should be very careful about adding users to this group. To make someone an administrator for a
local computer or domain, all you need to do is make that person a member of this group. Only
members of the Administrators group can modify this account.
Reference : Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspx
Reference : Securing the Local Administrators Group on Every Desktop
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
QUESTION NO: 37
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest, which contains three domains named CertKiller.com,
region1.CertKiller.com, and region2.CertKiller.com.
All the servers on the network run Windows Server 2008 and all client computers run Windows
Vista. The functional level of the three domains is Windows Server 2008
The company contains a helpdesk team, which is a part of the Account Operators group in the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 40
Actu
alTe
sts.
com
CertKiller.com domain. The members of helpdesk team frequently join and leave the helpdesk
team. The helpdesk employees have all the permissions to modify the properties of user objects in
CertKiller.com.
Which of the following options would you choose to minimize the administrative effort required to
manage the frequent changes to the helpdesk staff and enable the helpdesk employees to
manage the user objects in all the three domains. (Select two. Each selected option will present a
part of the answer.)
A. Add the respective helpdesk user accounts to the Account Operators group in both
region1.CertKiller.com and region2.CertKiller.com.
B. Create a new global group for helpdesk users in CertKiller.com. Add the helpdesk user
accounts to the global group and to the Account Operators group in all three domains.
C. Assign Full Control permissions to the Account Operators group in CertKiller.com for user
accounts in all three domains.
D. Create a new global group in CertKiller.com for helpdesk users in CertKiller.com. Add the
helpdesk user accounts to the global group and then add the global group to the Accounts
Operators group that is on every member server in all three domains.
E. None of the above
Answer: B
Explanation:
To minimize the administrative effort required to manage the frequent changes to the helpdesk
staff and enable the helpdesk employees to manage the user objects in all the three domains, you
need to: Create a new global group in CertKiller.com named Helpdesk-group. Add the helpdesk
user accounts to Helpdesk-group. Add Helpdesk-group to the Account Operators group that is in
all three domains
Helpdesk-group global group will help the helpdesk users to administer the domain tree or forest.
Next when you add the Helpdesk-group to the Account Operators group that is in all three
domains, you would limit the privileges of this group. Account Operators is a local group that
grants limited account creation privileges to a user. Members of this group can create and modify
most types of accounts, including those of users, local groups, and global groups. They can also
log on locally to domain controllers. However, Account Operators can't manage the Administrator
user account, the user accounts of administrators, or the group accounts Administrators, Server
Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also
can't modify user rights.
Reference : Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspx
Reference : Securing the Local Administrators Group on Every Desktop
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 41
Actu
alTe
sts.
com
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
QUESTION NO: 38
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007.
The corporate network run two file servers, one database server on TCP port 47182, and
Microsoft Exchange Server 2007 servers. The company has many mobile users and you have
been asked to provide them the remote access to the corporate network.
You have been told that the remote users work from locations that only support access to the
Internet by using HTTP and HTTPS.
Which of the following options would you choose to ensure that remote users are able to establish
secure connections to the network and are able to access the database and file servers and e-mail
? (Select two. Each selected option will present a part of the answer.)
A. Upgrade all client computers to Windows Vista Service Pack 1.
B. Implement Outlook Anywhere for Exchange Server 2007.
C. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers
D. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP).
E. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).
F. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).
Answer: A,F
Explanation:
To ensure that remote users are able to establish secure connections to the network and are able
to access the database server and file servers and have access to e-mail, you need to upgrade all
client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses
Secure Socket Tunneling Protocol (SSTP)
Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology
called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote
access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can
use it behind a NAT, across a firewall, through a Web proxy - as long as TCP port 443 is open
(which it usually is for HTTPS traffic).
SSTP is more than just another SSL-based VPN that only works with Web clients. It's fully
integrated into the remote access architecture of Windows, which means you can use it with
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 42
Actu
alTe
sts.
com
Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you
can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one
HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server
2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP
sessions across servers.
Reference : SSTP Makes Secure Remote Access Easier
http://biztechmagazine.com/article.asp?item_id=377
QUESTION NO: 39
You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows
Server 2008 and all client computers run Windows Vista. The corporate network of the company
consists of two servers that run the Server Core installation of Windows Server 2008 as a part of a
Network Load Balancing cluster.
Which of the following options would you choose to allow the administrators to remotely manage
the Network Load Balancing cluster through their Windows Vista client computers? Your strategy
must support automation.
A. Enable Windows Remote Management (WinRM).on the client computers
B. Enable Windows Remote Management (WinRM) on the servers
C. Add the administrators to the remote Desktop Users group on the servers.
D. Add the administrators to the remote Desktop Users group on the client computers.
E. None of the above
Answer: B
Explanation:
To allow the administrators to remotely manage the Network Load Balancing cluster through their
Windows Vista client computers, you need to enable Windows Remote Management (WinRM) on
the servers.
By using another computer running WindowsVista or Windows Server2008, you can use Windows
Remote Shell that uses Windows RM to run command-line tools and scripts on a server running a
Server Core installation.
Windows Remote Management (known as WinRM) is a handy new remote management service
for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM is the "server"
component of this remote management application and WinRS (Windows Remote Shell) is the
"client" for WinRM, which runs on the remote computer attempting to remotely manage the WinRM
server.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 43
Actu
alTe
sts.
com
Reference : Server Core Installation Option of Windows Server 2008 Step-By-Step Guide
http://technet.microsoft.com/en-us/library/cc753802.aspx#bkmk_managingservercore
Reference : How can Windows Server 2008 WinRM & WinRS help you?
http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-
WinRS.html
QUESTION NO: 40
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run either Windows
Server 2003 or Windows Server 2008 and all client computers run Windows Vista.
All domain controllers on the network run Windows Server 2008 and a firewall server runs
Microsoft Internet Security and Acceleration (ISA) Server 2006. The Windows Server 2003 servers
have the Terminal Server component installed. You have been asked to give remote users access
to the Terminal Server servers.
Which of the following options would you choose to accomplish the given task while ensuring that
minimum number of ports open on the firewall server, all remote connections to the Terminal
Server servers are encrypted, and access to client computers having Windows Firewall disabled
are prevented? (Select two. Each selected option will present a part of the answer.)
A. Upgrade a Windows Server 2003 server to Windows Server 2008.
B. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal
Services resource authorization policy (TS RAP).
C. Implement the Terminal Services Gateway (TS Gateway) role and Network Access Protection
(NAP).
D. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal
Services connection authorization policy (TS CAP).
E. Implement port forwarding and Network Access Quarantine Control on the ISA Server.
Answer: A,C
Explanation:
To accomplish the given task, you need to upgrade a Windows Server 2003 server to Windows
Server 2008. On the Windows Server 2008 server, implement the Terminal Services Gateway (TS
Gateway) role, and implement Network Access Protection (NAP).
You need to upgrade Windows Server 2003 server to Windows Server 2008 because NAP is a
feature of Windows Server 2008. Network Access Protection helps you ensure that the computers
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 44
Actu
alTe
sts.
com
that connect to your network meet health status requirements, reducing the risk that they'll
introduce viruses or serve as the conduit for attacks and exploits. (e.g., updated and protected by
a firewall, antivirus, and anti-spyware software) can be connected to a remediation server, to be
brought into compliance.
Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users
to connect to resources on an internal corporate or private network, from any Internet-connected
device that can run the Remote Desktop Connection (RDC) client. The network resources can be
terminal servers, terminal servers running Terminal Services RemoteApp programs, or computers
with Remote Desktop enabled
TSGateway enables remote users to connect to internal network resources over the Internet, by
using an encrypted connection, without needing to configure virtual private network (VPN)
connections.
TSGateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets
Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to
enable Internet connectivity, TSGateway takes advantage of this network design to provide remote
access connectivity across multiple firewalls.
Reference : Security and Policy Enforcement
http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx
Reference : Vista 's Network Access Protection (NAP) helps keep 'unhealthy' computers off your
LAN
http://articles.techrepublic.com.com/5100-10878_11-6153295.html
Reference : TS Gateway Overview
http://technet.microsoft.com/en-us/library/cc732122.aspx
QUESTION NO: 41
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a DNS server that runs a Server Core installation of Windows Server 2008. All the
servers on the network run Windows Server 2008 and all client computers run Windows Vista.
Which of the following options would you choose to allow the administrators of the company to
manage DNS server from their Windows Vista client computers?
A. Set the Remote Access Connection Manager Service to automatic on the DNS server.
B. Create a custom Microsoft Management Console on the Windows Vista client computers and
then add the Component Services snap-in.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 45
Actu
alTe
sts.
com
C. Install Remote Server Administration Tools (RSAT) on the Windows Vista client computers,
D. Run Setup.exe /u from the Windows Server 2008 installation media on the Windows Vista client
computers.
Answer: C
Explanation:
To allow the administrators of the company to manage DNS server from their Windows Vista client
computers, you need to install Remote Server Administration Tools (RSAT) on the Windows Vista
client computers.
RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server
environment right from their desktop. RSAT also includes an updated Group Policy Management
Console (GPMC), which was previously removed in Windows Vista SP1.
RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to
manage computers running Windows Server 2008.
Reference : Remote Server Administration Tools (RSAT) Now Available for Windows Vista SP1
http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-server-administration-
tools-rsat-now-available-for-windows-vista-sp1.aspx
QUESTION NO: 42
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. All the servers on the network run Windows Server 2008 and all client computers
run Windows Vista.
You plan to deploy the Server Core installation of Windows Server 2008 on 10 servers in the
branch office. The servers will only be accessible by using TCP ports 80 and 443.
You need to ensure that the administration of the Server Core servers must enable administrators
to install and administer server roles remotely and fully manage the servers remotely from their
Windows Vista computers / Windows Server 2008 servers.
Which of the following options would you choose to accomplish the desired task?
A. Enable Remote Desktop Connection (RDC) on the administrator's server computers.
B. Enable Windows Remote Management (WinRM) on the administrator's computers.
C. Use Oclist.exe on the administrator's computers.
D. Use Ocsetup.exe on the administrator's computers.
E. None of the above
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 46
Actu
alTe
sts.
com
Answer: B
Explanation:
To ensure that the administration of the Server Core servers must enable administrators to install
and administer server roles remotely and fully manage the servers remotely, you need to enable
Windows Remote Management (WinRM) on each server.
Windows Remote Management (known as WinRM) is a handy new remote management service
for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM & WinRS are
very powerful new tools that Windows system administrators should learn about. With
WinRM/WinRS, you can install programs, change settings, or do troubleshooting (as long as the
network was up). You can even take it a step further and combine WinRS with a script to perform
those tasks on a list of computers
Reference : How can Windows Server 2008 WinRM & WinRS help you
http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-
WinRS.html
QUESTION NO: 43
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007.
The corporate network run:
File servers
Database server
Microsoft Exchange Server 2007 servers
The company has many mobile users that can access the corporate network remotely by using
HTTP and HTTPS connections only.
Which of the following options would you choose to ensure that remote users are able to establish
secure connections to the network and are able to access the database server and file servers
and have access to e-mail? (Select two. Each selected option will present a part of the answer.)
A. Upgrade all client computers to Windows Vista Service Pack 1.
B. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP).
C. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers.
D. Implement Outlook Anywhere for Exchange Server 2007.
E. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 47
Actu
alTe
sts.
com
F. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).
Answer: A,E
Explanation:
To ensure that remote users are able to establish secure connections to the network and are able
to access the database server and file servers and have access to e-mail, you need to upgrade all
client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses
Secure Socket Tunneling Protocol (SSTP)
Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology
called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote
access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can
use it behind a NAT, across a firewall, through a Web proxy - as long as TCP port 443 is open
(which it usually is for HTTPS traffic).
SSTP is more than just another SSL-based VPN that only works with Web clients. It's fully
integrated into the remote access architecture of Windows, which means you can use it with
Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you
can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one
HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server
2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP
sessions across servers.
Reference : SSTP Makes Secure Remote Access Easier
http://biztechmagazine.com/article.asp?item_id=377
QUESTION NO: 44
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of 50 DNS servers that run Windows Server 2003 and the client computers that run
Windows Vista.
A DNS server called CertKillerServer1 has Adminpak.msi installed. The administrators manage
the DNS servers through CertKillerServer1. The administrators connect to CertKillerServer1
through Remote Desktop Connection (RDC).
Recently, you have replaced Windows Server 2003 DNS servers with Server Core installation of
Windows Server 2008 servers by installing DNS server role on the Server Core installation of
Windows Server 2008.
Which of the following options would you choose to administer the new DNS servers? You need to
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 48
Actu
alTe
sts.
com
ensure that the administrators manage the DNS server role by using a Microsoft Management
Console (MMC).
A. Using a Group Policy, deploy Windows PowerShell to all administrators.
B. Using a Group Policy, deploy the Windows Server 2003 Adminpak.msi file to all administrators.
C. Provide remote access to the Windows Server 2008 Server Core servers.
D. Install Remote Server Administration Tools (RSAT) to a Windows Server 2008 server and
provide remote access to that server.
E. None of the above
Answer: D
Explanation:
To administer the new DNS servers, you need to provide remote access to a Windows Server
2008 server that has the Remote Server Administration Tools (RSAT) installed
RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server
environment right from their desktop. RSAT also includes an updated Group Policy Management
Console (GPMC), which was previously removed in Windows Vista SP1.
RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to
manage computers running Windows Server 2008. Because many of these tools also work for
managing computers running Windows Server 2003, it is essentially "the next version" of
ADMINPAK.MSI.
Reference: Remote Server Administration Tools (RSAT) Now Available for Windows Vista SP1
http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-server-administration-
tools-rsat-now-available-for-windows-vista-sp1.aspx
QUESTION NO: 45
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
domain. All the servers on the network run Windows Server 2008 and all client computers run
Windows Vista.
The network contains five Windows Server 2008 servers that host Web applications. The
administrators need to manage the Web servers remotely. You need to ensure that the web
developers are allowed to configure features on the Web sites. However, they should not have full
administrative rights on the Web servers.
Which of the following options would you choose to accomplish the desired task?
A. On each Web server, configure the authorization rules for Web developers.
B. Add the Web developers to the Account Operators group in the domain.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 49
Actu
alTe
sts.
com
C. Configure request filtering on each Web server.
D. For all Web developers, configure the security settings in Internet Explorer.
E. None of the above
Answer: A
Explanation:
To ensure that the web developers are allowed to configure features on the Web sites without
having full administrative rights on the Web servers. You need to configure authorization rules for
Web developers on each Web server.
By configuring Authorization rule, you can grant or deny specific computers, groups of computers,
or domains access to sites, applications, directories, or files on your server. For example, suppose
your intranet server hosts content that is available to all employees, in addition to content that
should be viewed only by members of specific groups, such as Finance or Human Resources. By
configuring URL authorization rules, you can prevent employees who are not members of those
specified groups from accessing restricted content.
Reference : IIS 7.0: Configuring URL Authorization Rules in IIS 7.0
http://technet.microsoft.com/en-us/library/cc772206.aspx
Section 2, Plan for delegated administration (4 Questions)
QUESTION NO: 46
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
five branch offices. The corporate network of the company consists of a single Active Directory
domain. All the servers on the network run Windows Server 2008 and all client computers run
Windows Vista.
Each branch office contains a domain controller on which the DHCP Server role is also installed.
Besides this, each branch office also contains a file server and posses its own branch office
administrator.
You need to delegate the administration of DHCP in such a way that the branch office
administrators are allowed to manage DHCP scopes for their own office. You also need to ensure
that the branch office administrators should not be allowed to manage the DHCP scopes in other
offices.
Which of the following options would you choose to accomplish the given task in minimum amount
of administrative effort?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 50
Actu
alTe
sts.
com
A. Migrate the DHCP Server server role to the file server in each branch office.
B. On each file server, add the branch office administrator to the DHCP Administrators local group.
C. Add the branch office administrators to the Network Configuration Operators domain local
group in the AD domain.
D. Add the branch office administrators to the Server Operators domain local group in the AD
domain.
E. Add the branch office administrators to the DHCP Administrators domain local group in the AD
domain.
Answer: A,B
Explanation:
To delegate the administration of DHCP so that the branch office administrators are allowed to
manage DHCP scopes for their own office you need to migrate the DHCP Server server role to the
file server in each branch office.
To ensure that branch office administrators are not allowed to manage the DHCP scopes in other
offices you need to add the branch office administrator to the DHCP Administrators local group.
While members of the Domain Admins group obviously have full power to configure DHCP on the
server, you can also delegate limited power to users whose job is to manage DHCP servers on
your network. To do this, open Active Directory Users and Computers and add the name of the
user to the DHCP Administrators domain local group.
This gives the user the ability to manage DHCP servers on your network without giving him any
unnecessary authority to perform other administrative tasks, which is an example of the well-
known security best practice of least privilege.
Reference : DHCP Server Security (Part 2)
http://www.windowsecurity.com/articles/DHCP-Security-Part2.html
QUESTION NO: 47
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory (AD) domain. All the servers on the network run Windows
Server 2008 and all client computers run Windows Vista.
The AD contains an organizational unit (OU) called EmployeesOU that contains all user accounts
and a global group named HRAdmins that contains the accounts of the HR administrators?
You have been asked to plan for the delegation of administrative authority in such a way that the
HR Admins are allowed to create user accounts in the EmployeesOU and change the address
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 51
Actu
alTe
sts.
com
attributes, the telephone number attributes, and the location attributes for existing user accounts.
You also need to ensure that HRAdmins are not allowed to reset the passwords for the existing
user accounts.
Which of the following options would you choose to accomplish the desired goal?
A. Run the Delegation of Control Wizard on the EmployeesOU.
B. Create a new OUand move the HR Admins group to the new OU and then run the Delegation of
Control Wizard on the new OU.
C. Move the HRAdmins group to the Domain Controllers OU.
D. Add the HRAdmins group to the Account Operators group.
E. None of the above.
Answer: A
Explanation:
To accomplish the desired goal o accomplish the desired goal, you need to Run the Delegation of
Control Wizard on the EmployeesOU. A Delegation wizard can be used to facilitate the delegation
of administrative rights over containers within Active Directory. The Delegation wizard dynamically
creates access control entries on the target container object according to the options specified in
the wizard.
The Delegation of Control Wizard provides an additional level of granularity allowing for custom-
built tasks to be assigned to specific users or groups.
Reference : Default security concerns in Active Directory delegation
http://support.microsoft.com/kb/235531
QUESTION NO: 48
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
domain. All the servers on the network run Windows Server 2008 and all client computers run
Windows Vista. Administrators manage the client computers and servers in the Branch office.
Branch office of the company contains a Read-only Domain Controller (RODC) named
CertKillerServer1.A global group called Branch-admins contains the user accounts for
administrators.
You have been asked to recommend a solution for delegating control of CertKillerServer1 in such
as way that Branch-admins group has rights on CertKillerServer1 only and they should not be
allowed to modify Active Directory objects.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 52
Actu
alTe
sts.
com
Besides, all the members of the Branch-admins group are allowed to administer CertKillerServer1;
including, the change of device drivers and installation of operating system updates by using
Windows Update.
Which of the following options would you choose to accomplish the desired task?
A. On CertKillerServer1, add the Branch-admins global group to the Administrators local group.
B. Add the Branch-admins global group to the Server Operators domain local group.
C. Create a new OU and move the CertKillerServer1 computer object to a new OU and then grant
Full Control permission on the new OU to the Branch-admins group.
D. On the CertKillerServer1 computer object in the domain Grant Full Control permission to the
Branch-admins group.
E. None of the above
Answer: A
Explanation:
To accomplish the desired task, you need to add the Branch1-admins global group to the
Administrators local group of CertKillerServer1.
Administrators is a local group that provides full administrative access to an individual computer or
a single domain, depending on its location. Because this account has complete access, you
should be very careful about adding users to this group. To make someone an administrator for a
local computer or domain, all you need to do is make that person a member of this group. Only
members of the Administrators group can modify this account.
Domain Admins is a global group designed to help you administer all the computers in a domain.
This group has administrative control over all computers in a domain because it's a member of the
Administrators group by default. To make someone an administrator for a domain, make that
person a member of this group.
Reference : Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspx
Reference : Securing the Local Administrators Group on Every Desktop
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
QUESTION NO: 49
You are an Enterprise administrator for CertKiller.com. The company consists of a head office and
a branch office. The corporate network of the company consists of a single Active Directory
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 53
Actu
alTe
sts.
com
domain..
Branch office of the company contains a Read-only Domain Controller (RODC) named
CertKillerServer1. A global group called GLB contains the user accounts for administrators.
Which of the following options would you choose to ensure that GLB group has rights on
CertKillerServer1 only and they should not be allowed to modify Active Directory objects?
Which of the following options would you choose to accomplish the desired task?
A. On CertKillerServer1, add the GLB global group to the Administrators local group.
B. Add the GLB global group to the Server Operators domain local group.
C. Create a new OU and move the CertKillerServer1 computer object to a new OU and then grant
Full Control permission on the new OU to the GLB group.
D. On the CertKillerServer1 computer object in the domain Grant Full Control permission to the
GLB group.
E. None of the above
Answer: A
Explanation:
To accomplish the desired task, you need to add the GLB global group to the Administrators local
group of CertKillerServer1.
Administrators is a local group that provides full administrative access to an individual computer or
a single domain, depending on its location.
Domain Admins is a global group designed to help you administer all the computers in a domain.
This group has administrative control over all computers in a domain because it's a member of the
Administrators group by default. To make someone an administrator for a domain, make that
person a member of this group.
Reference : Using Default Group Accounts
http://technet.microsoft.com/en-us/library/bb726982.aspx
Reference : Securing the Local Administrators Group on Every Desktop
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
Section 3, Plan and implement group policy strategy (16 Questions)
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 54
Actu
alTe
sts.
com
QUESTION NO: 50
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory Directory forest that contains a root domain and two child
domains. All the servers on the network run Windows Server 2008 and all client computers run
Windows Vista.
Which of the following options would you choose to deploy the corporate policy of the company
that states that all the local administrator accounts must be renamed and all the local guest
accounts must be renamed and disabled?
A. In each domain, deploy Network Policy and Access Services (NPAS) on all domain controllers.
B. Implement a Group Policy object (GPO) for each domain.
C. On the root domain controllers, deploy Active Directory Rights Management Services (AD
RMS)
D. Implement a Group Policy object (GPO) for the root domain.
E. None of the above.
Answer: B
Explanation:
To deploy the corporate policy of the company that states that all the local administrator accounts
must be renamed and all the local guest accounts must be renamed and disabled, you need to
implement a Group Policy object (GPO) for each domain.
You can change the administrator account and guest account names by using Group Policy in
Windows Server 2003. This may be useful if you want to change the name of the administrator or
guest user accounts to minimize the chance of misuse of these accounts
Reference : HOW TO: Rename the Administrator and Guest Account in Windows Server 2003
http://support.microsoft.com/kb/816109
QUESTION NO: 51
Exhibit:
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 55
Actu
alTe
sts.
com
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista.
The AD domain consists of a top level OU called EmployeesOU that contains three OUs called
ManagesOU, StaffOU, and IntersOU to store the accounts of Managers, Staff, and Interns
respectively. The relevant portion of the Active Directory domain is configured as shown in the
exhibit.
Currently the EmployeeOU is configured in such a way that the users in the ManagersOU receive
the Group Policy object (GPO) settings that are deployed to the EmployeesOU.
Which of the following options would you choose to ensure that the user accounts in the
ManagersOU are unaffected by the GPOs that are deployed to the EmployeesOU?
A. On each GPO that links to the EmployeesOU, connect a Windows Management
Instrumentation (WMI) filter.
B. Move the ManagersOU to the StaffOU.
C. On the ManagersOU, configure Block Policy Inheritance.
D. Enforce the GPO link on the Employees OU.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 56
Actu
alTe
sts.
com
E. None of the above
Answer: C
Explanation:
To ensure that the user accounts in the ManagersOU are unaffected by the GPOs that are
deployed to the EmployeesOU, you need to configure Block Policy Inheritance on the Managers
OU.
Typically, group policies are passed down from parent to child containers within a domain, which
you can view with the Active Directory Users and Computers console. Group policy is not inherited
from parent to child domains, for example, from cco.com to sales.cco.com. If you assign a specific
group policy setting to a high-level parent container, that setting applies to all containers beneath
the parent container, including the user and computer objects in each container. However, if you
explicitly specify a group policy setting for a child container, the child container's setting overrides
the one for the parent container.
The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active
Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No
Override setting is enabled.
You can block policy inheritance at the domain or organizational unit level. In WS2K3 R2, you
don't use Active Directory Users and Computers for this function like you used to; you now use the
Group Policy Management console.
Reference : Inheriting a Meager Comprehension of Policy Inheritance
http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=60
QUESTION NO: 52
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista.
The Active Directory domain contains a top-level organizational unit (OU) called AccountingOU,
which contains all computer and user accounts for the accounting department.
You have been asked to deploy an accounting application that can only be accessed by the
accounting users. Which of the following options would you deploy to accomplish the desired
task?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 57
Actu
alTe
sts.
com
A. Terminal Service Session Broker (TS Session Broker) role service
B. Microsoft System Center Operations Manager (SCOM)
C. Group Policy object (GPO) for the Accounting OU
D. Windows Server Update Service (WSUS)
E. None of the above
Answer: C
Explanation:
To deploy an accounting application that can only be accessed by the accounting users, you need
to deploy a Group Policy object (GPO) for the AccountingOU.
As you may already know, in an Active Directory environment, group policies are the main
component of network security. Group policy objects can be applied either to users or to
computers. Deploying applications through the Active Directory is also done through the use of
group policies, and therefore applications are deployed either on a per user basis or on a per
computer basis.
Reference : Using Group Policy to Deploy Applications
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html
Reference : Planning and Deploying Group Policy 2008
http://www.scribd.com/doc/4716059/Planning-and-Deploying-Group-Policy-2008
QUESTION NO: 53
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista.
Which of the following options would you choose to prevent users from being able to install
removable devices on client computers while ensuring that the domain administrators and desktop
support technicians are allowed to install removable devices on client computers?
You need to achieve the desired goal in minimum amount of administrative effort?
A. On all domain controllers, implement Windows System Resource Manager (WSRM).
B. On all client computers, deploy Connection Manager Administration Kit (CMAK).
C. On all client computers, configure a Group Policy object (GPO).
D. On all client computers, configure User Account Control.
E. None of the above
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 58
Actu
alTe
sts.
com
Answer: C
Explanation:
To prevent users from being able to install removable devices on client computers, you need to
implement a Group Policy object (GPO) for all client computers.
You can find the group policy settings called Preventing Installation of Removable Devices and
Prevent Installation of Devices Not Described By Other Policy Settings would enable you to
achieve the desired goal. These policies can be found in the group policy tree at: Computer
Configuration\Administrative Templates\System\Device Installation\Device Installation
Restrictions.
Preventing Installation of Removable Devices prevent Installation of Removable Devices setting
prevents users from installing removable devices. The Prevent Installation of Devices Not
Described By Other Policy Settings prevents the Installation of Devices Not Described by Other
Policy Settings group policy setting is kind of a catch all setting.
There are a couple of different ways that you can use this policy setting. One thing that you can do
is to enable this setting, but not enable any other hardware installation related settings. In doing
so, you will effectively prevent anyone from installing any hardware into systems to which the
policy applies.
Another thing that you can do with this group policy setting is to use other policy settings to allow
specific devices based on device ID or class and then enable this policy setting. In doing so, you
will prevent the installation of any device that you have not specifically allowed users to install.
Reference : Windows Longhorn: Using Group Policy to Control Device Management (Part 2)
http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-
Control-Device-Management-Part2.html
QUESTION NO: 54
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista.
Many users of the company store all of their files in their Documents folder. Mostly the files stored
are large. You plan to implement roaming user profiles for all users by using Group Policy.
However, the roaming user profiles will takes them a long time to log on and log off of the
computers.
Which of the following options would you choose to minimizes the amount of time that roaming
users take to log on and log off of the computers?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 59
Actu
alTe
sts.
com
A. Include the Background Intelligent Transfer Service (BITS) settings in the Group Policy object
(GPO).
B. Enable caching on the profiles share on the server that hosts the roaming user profiles.
C. Install and configure the Background Intelligent Transfer Service (BITS) server extensions on
any server.
D. Modify the Group Policy object (GPO) to include folder redirection.
E. None of the above
Answer: D
Explanation:
To minimize the amount of time that roaming users take to log on and log off of the computers,
you need to modify the Group Policy object (GPO) to include folder redirection.
The roaming profiles and folder redirections can make your life easier. With roaming profiles
though, each user's files and settings follow them from PC to PC, so there is no need to move
anything.
Now that you know what a profile looks like, let's talk about making the profile mobile. The basic
technique behind creating a roaming profile involves creating a shared folder on the server,
creating the user a folder within the share, and then defining the user's profile location through the
group policy, which is called folder redirection.
Reference : Profile and Folder Redirection In Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-
2003.html
QUESTION NO: 55
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest. The AD forest was running at the functional level of
Windows Server 2008.
The forest contains two domains named CertKiller.com and na.CertKiller.com. All the servers on
the network run Windows Server 2008 and all client computers run Windows Vista.
The domain na.CertKiller.com contains an organizational unit (OU) called SecurityOU and the
domain CertKiller.com contains a user called Ben.
You have been asked to assign administrative rights to Ben so that he can manage Group Policies
for the SecurityOU. While assigning administrative rights, you need to ensure that Ben must be
granted the least administrative rights necessary to create and configure Group Policies in
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 60
Actu
alTe
sts.
com
na.CertKiller.com and link Group Policies to the SecurityOU.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each selected option will present a part of the answer.)
A. Run the Delegation of Control Wizard on na.CertKiller.com.
B. Run the Delegation of Control Wizard on the SecurityOU.
C. In the Group Policy Management Console, modify the permissions of the Group Policy Objects
container in the CertKiller.com domain.
D. In the Group Policy Management Console, modify the permissions of the Group Policy Objects
container in the na.CertKiller.com domain.
E. Add User1 to the Group Policy Creator Owners group in CertKiller.com.
F. Add User1 to the Administrators group for na.CertKiller.com.
G. Modify the permissions on the SecurityOU.
Answer: B,D
Explanation:
To ensure that Ben must be granted the least administrative rights necessary to create and
configure Group Policies in na.CertKiller.com and link Group Policies to the SecurityOU, you need
to run the Delegation of Control Wizard on the Security OU. In the Group Policy Management
Console, modify the permissions of the Group Policy Objects container in the na.CertKiller.com
domain.
A Delegation wizard is used to facilitate the delegation of administrative rights over containers
within Active Directory. Therefore it needs to be run on the SecurityOU. The Delegation wizard
dynamically creates access control entries on the target container object according to the options
specified in the wizard.
The Delegation of Control Wizard provides an additional level of granularity allowing for custom-
built tasks to be assigned to specific users or groups.
Reference : Default security concerns in Active Directory delegation
http://support.microsoft.com/kb/235531
QUESTION NO: 56
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest. The forest contains a root domain and two child
domains named la.CertKiller.com and na.CertKiller.com.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 61
Actu
alTe
sts.
com
All the servers on the network run Windows Server 2008 and all client computers run Windows
Vista. The company has a corporate policy according to which, all local guest accounts must be
renamed and disabled and all the local administrator accounts must be renamed.
Which of the following options would you choose to implement the company's policy?
A. On each domain, implement a GPO.
B. On the root domain, implement a GPO.
C. On the root domain controllers, deploy AD RMS
D. On all domain controllers in each domain, deploy NPAS
E. None of the above
Answer: A
Explanation:
To deploy the corporate policy of the company that states that all the local administrator accounts
must be renamed and all the local guest accounts must be renamed and disabled, you need to
implement a Group Policy object (GPO) for each domain.
You can change the administrator account and guest account names by using Group Policy in
Windows Server 2003. This may be useful if you want to change the name of the administrator or
guest user accounts to minimize the chance of misuse of these accounts
Reference : HOW TO: Rename the Administrator and Guest Account in Windows Server 2003
http://support.microsoft.com/kb/816109
QUESTION NO: 57
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista.
The company has recently appointed 5 support technicians to provide support to network users.
You have been asked to provide the support technicians a GPO that contains the preconfigured
settings, which they can used to create new GPOs.
Which of the following options would you choose to ensure that support technicians can create
Group Policy objects (GPOs) in the domain using the preconfigured GPO? (Select two. Each
selected option will present a part of the answer.)
A. Add the support technicians to the Account Operators group.
B. Add the support technicians to the Group Policy Creator Owners group.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 62
Actu
alTe
sts.
com
C. Delegate control on the Domain Controllers organizational unit (OU).
D. Delegate control on the Users container.
E. Assign permissions on the Sysvol folder.
F. Create a new Starter GPO.
G. Create an ADMX file.
H. Create an ADML file.
Answer: B,F
Explanation:
To ensure that support technicians can create Group Policy objects (GPOs) in the domain using
the preconfigured GPO, you need to add the support technicians to the Group Policy Creator
Owners group. Create a new Starter GPO.
The GPMC 2.0 provides a new (empty) container called "Starter GPOs". This new container can
hold "templates" for creating new GPOs - with the limitation that only " Administrative Templates"
settings are available - from both 'Computer Configuration' and 'User Configuration'. Settings like
"Software Settings" (software installation) and "Windows Settings" (scripts, account policies, user
rights, software restriction policies, etc.) are NOT available in Starter GPOs. The users who are
added to Group Policy Creator Owners group would be allowed to use the Starter GPO to make
required configurations.
Reference : Group Policy related changes in Windows Server 2008 - Part 1: What are Starter
GPOs?
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-
Part1.html
QUESTION NO: 58
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain.
All the servers on the network run Windows Server 2008 and all client computers run Windows
Vista. The domain contains three organizational units (OUs) named TestOU1, TestOU2, and
TestOU3.
Which of the following options would you choose to redesign the layout of the OUs to ensure that
the Group Policy objects (GPOs) that are linked to the domain from applying to computers located
in the TestOU2 are prevented? You also need to minimize the number of GPOs and the number of
OUs.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 63
Actu
alTe
sts.
com
A. On the TestOU2Configure block inheritance.
B. Create a WMI filter.
C. Delegate permissions on the Application OU
D. Create a Starter GPO.
E. None of the above
Answer: A
Explanation:
Typically, group policies are passed down from parent to child containers within a domain, which
you can view with the Active Directory Users and Computers console. Group policy is not inherited
from parent to child domains. If you assign a specific group policy setting to a high-level parent
container, that setting applies to all containers beneath the parent container, including the user
and computer objects in each container. However, if you explicitly specify a group policy setting for
a child container, the child container's setting overrides the one for the parent container.
The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active
Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No
Override setting is enabled. You can block policy inheritance at the domain or organizational unit
level..
Reference : Inheriting a Meager Comprehension of Policy Inheritance
http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=60
QUESTION NO: 59
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the domain controllers on the network run
Windows Server 2008 and all client computers run Windows Vista. The functional level of the
domain is Windows Server 2008.
The company consists of four departments: Sales, Research, Development, and Marketing. The
users of the Research department of the company contain sensitive information on their
computers. Therefore the company requires that the users from the Research department have
higher levels of account and password security than other users in the domain.
Which of the following options would you choose to recommend a solution that meets the
company's requirements in minimum hardware and software costs?
A. Create a new Active Directory site for the research department users and deploy a Group
Policy object (GPO) to the site.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 64
Actu
alTe
sts.
com
B. Create a new domain, add the research department user accounts to the new domain, and
configure a new security policy for the new domain.
C. For the research department users, create a new Password Settings Object (PSO).
D. Create a new organizational unit (OU) in the domain for research department users called
ResearchOU and deploy a GPO to the ResearchOU.
E. None of the above
Answer: C
Explanation:
To recommend a solution that meets the company's requirements in minimum hardware and
software costs, you need to create a new Password Settings Object (PSO) for the research
departments users.
Granular Password Settings" or "Fine-Grained Password Policy", is based on the introduction of
two new object classes in the AD schema: the "Password Settings Container" and "Password
Setting" objects. These objects basically provide us the option to introduce multiple password
policies into a single AD domain.
Create PSOs and assign them to users and/or groups hosting scenarios where multiple
companies are present in a single AD domain, another more common reason is where we need
stricter settings to apply to a specific group of people with privileged accounts (like domain
administrators, help desk personnel etc.).
Those privileged accounts can have a complexity requirement and a requirement of defining a
minimum of 16 characters in their passwords and other, more limited accounts, can have more
"user friendly" requirements - although I would recommend everyone to use passwords of that
strength.
Reference : Configuring Granular Password Settings in Windows Server 2008, Part 2
http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-
Server-2008-Part2.html
QUESTION NO: 60
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the domain controllers on the network run
Windows Server 2008 and all client computers run Windows Vista. The functional level of the
domain is Windows Server 2008.
A corporate policy exists for the company. According to which, a legal notice should appear when
any user logs on to the domain. Which of the following options would you choose to enforce the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 65
Actu
alTe
sts.
com
corporate policy by using the minimum amount of administrative effort?
A. Run the Delegation of Control Wizard for the domain and modify the Default Domain Controller
policy.
B. Run the Delegation of Control Wizard for the domain and configure the Local Computer policy
on a reference computer.
C. Create a new organizational unit (OU), place all computer accounts in the new OU, and then
run the Delegation of Control Wizard for the new OU.
D. Create, link and enforce a new GPO to the domain.
E. None of the above
Answer: D
Explanation:
To enforce the corporate policy by using the minimum amount of administrative effort, you need to
create a GPO and link the GPO to the domain and then configure the GPO to be enforced.
Group policy settings are an integral part of any Windows-based IT environment. The number of
desktop lockdown settings available to group policy administrators is enormous. They can prevent
you from doing anything from changing your desktop appearance and start menu to running
certain applications.
Reference : Circumventing Group Policy Settings
http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-
settings.aspx
QUESTION NO: 61
Exhibit:
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 66
Actu
alTe
sts.
com
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista. The functional level of the domain is Windows
Server 2008.
The company consists of three departments: Sales, Finance, and Engineering. The Organizational
Units (OU) called Employees, Managers, and Staff exists in the AD domain. The relevant portion
of the Active Directory domain is shown in the diagram.
The Staff OU contains all user accounts except for the managers user accounts. The
ManagersOU contains the managers user accounts and the Sales, Finance, and Engineering
global groups. You have recently created a new Group Policy object (GPO) named GPO1, and
then link it to the Employees OU.
After this configuration, the users from the Engineering global group report that they are unable to
access the Run command on the Start menu. On troubleshooting, you discovered that the GPO1
settings are causing this problem.
Which of the following options would you choose to ensure that the users from the Engineering
global group are able to access the Run command on the Start menu?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 67
Actu
alTe
sts.
com
A. Under the Employees OU, create a new child OU for Engineering department and then move
the Engineering global group to the new Engineering OU.
B. On the Managers OU, configure Block Policy Inheritance.
C. For the Engineering global group, configure Group Policy filtering on GPO1.
D. Configure GPO1 to use the Enforce Policy option.
E. None of the above
Answer: C
Explanation:
To ensure that the users from the Engineering global group are able to access the Run command
on the Start menu, you need to configure Group Policy filtering on GPO1 for the Engineering
global group
If you've been administering Group Policies for just a short period of time you have probably
noticed that there is no search option for specific policy settings.
Search is not referred to as "search" within GPME, it's still called "filtering" like the limited
functionality we had in previous versions - but it's much more advanced now. You'll be able to see
that as soon as you select the "Filter Options" from the View menu. You can use filtering to access
the Run command on the Start menu for specific global groups.
Reference : Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2
Filtering to search
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-
Part2.html
QUESTION NO: 62
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers on the network run Windows Server
2008 and all client computers run Windows Vista. The functional level of the domain is Windows
Server 2008.
Which of the following options would you choose to ensure that administrators on the network are
allowed to install USB drives on their computers and the non-administrative users are prevented
from installing USB drives on their computers?
A. Configure device installation restrictions using a GPO.
B. Implement Windows BitLocker Drive Encryption.
C. Use WSRM to configure a per user resource access policy.
D. Implement the UDDI Services server role.
E. None of the above
Answer: A
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 68
Actu
alTe
sts.
com
Explanation:
To ensure that administrators on the network are allowed to install USB drives on their computers
and the non-administrative users are prevented from installing USB drives on their computers, you
need to use a Group Policy object (GPO) to configure device installation restrictions.
You can find the group policy settings called Preventing Installation of Removable Devices and
Prevent Installation of Devices Not Described By Other Policy Settings would enable you to
achieve the desired goal. These policies can be found in the group policy tree at: Computer
Configuration\Administrative Templates\System\Device Installation\Device Installation
Restrictions.
Preventing Installation of Removable Devices prevent Installation of Removable Devices setting
prevents users from installing removable devices. The Prevent Installation of Devices Not
Described By Other Policy Settings prevents the Installation of Devices Not Described by Other
Policy Settings group policy setting is kind of a catch all setting.
There are a couple of different ways that you can use this policy setting. One thing that you can do
is to enable this setting, but not enable any other hardware installation related settings. In doing
so, you will effectively prevent anyone from installing any hardware into systems to which the
policy applies.
Another thing that you can do with this group policy setting is to use other policy settings to allow
specific devices based on device ID or class and then enable this policy setting. In doing so, you
will prevent the installation of any device that you have not specifically allowed users to install.
Reference : Windows Longhorn: Using Group Policy to Control Device Management (Part 2)
http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-
Control-Device-Management-Part2.html
QUESTION NO: 63
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers run Windows Server 2008 and all
client computers run Windows Vista. All the servers have Terminal Services role enabled.
Which of the following options would you choose to deploy of a new line-of-business application to
all client computers while ensuring that the users must access the application from an icon on their
desktops? And they should be able to access to the application even when they are not connected
to the network.
A. Publish the application as TS RemoteApp.
B. Use GPO to assign the application to all client computers
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 69
Actu
alTe
sts.
com
C. Use GPO to assign the application to the terminal server
D. Use TS Web Access to publish the application.
E. None of the above
Answer: B
Explanation:
To ensure that the users must access the application from an icon on their desktops even when
they are not connected to the network, you need to assign the application to all client computers
by using a Group Policy object (GPO).
As you may already know, in an Active Directory environment, group policies are the main
component of network security. There are two different ways that you can deploy an application
through the Active Directory. You can either publish the application or you can assign the
application. Publishing an application doesn't actually install the application, but rather makes it
available to users.
Assigning an application to a user works differently than publishing an application. Again,
assigning an application is a group policy action, so the assignment won't take effect until the next
time that the user logs in. When the user does log in, they will see that the new application has
been added to the Start menu and / or to the desktop.
Although a menu option or an icon for the application exists, the software hasn't actually been
installed though. To avoid overwhelming the server containing the installation package, the
software is not actually installed until the user attempts to use it for the first time.
Reference : Using Group Policy to Deploy Applications
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html
Reference : Planning and Deploying Group Policy 2008
http://www.scribd.com/doc/4716059/Planning-and-Deploying-Group-Policy-2008
QUESTION NO: 64
You are an Enterprise administrator for CertKiller.com. The company has a head office and a
branch office. The corporate network of the company consists of a single Active Directory domain.
All the domain controllers in the domain run Windows Server 2008 and all client computers run
Windows Vista.
The English language version of Windows Vista is installed in the head office use and the Spanish
language version of Windows Vista is installed in the branch office.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 70
Actu
alTe
sts.
com
Which of the following options would you choose to configure custom application settings by using
a Group Policy object (GPO) to allow administrators to view and edit the GPO in their own
language and minimize the number of GPOs deployed?
A. Create an ADM file and then configure the GPO and link it to the domain.
B. Configure and link a Starter GPO to the head office site. Backup and import the Starter GPO
from the main office site and link it to the branch office site.
C. Install the English language and the Spanish language on all domain controllers and then
configure and link a GPO to the head office site. Backup the GPO from the head office site and
import and link it to the branch office site.
D. Create ADMX and ADML files and then configure and link the GPO to the domain.
E. None of the above
Answer: D
Explanation:
To configure custom application settings by using a Group Policy object (GPO) to allow
administrators to view and edit the GPO in their own language and minimize the number of GPOs
deployed, you need to create ADMX and ADML files and then configure the GPO and link it to the
domain.
ADMX files are language neutral. This basically means that the descriptions of Group Policy
settings are not part of the .admx files. They are stored in .adml files. Vista automatically loads the
correct .adml files. This is a very useful feature for international companies. Administrators in
different countries can work with the same templates, but always get the descriptions of the Group
Policy settings in their own language.
ADMX files are like ADM files only templates. The Group Policy settings are still populated to the
clients thru registry.pol files. That's the reason why ADMX files and ADM files can coexist.
Reference : Group Policy templates in Windows Vista: ADMX files replace ADM files
http://4sysops.com/archives/group-policy-templates-in-windows-vista-admx-files-replace-adm-files/
QUESTION NO: 65
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The company consists of 30 database servers. An organizational unit (OU) called Data exists in
AD domain that stores the computer accounts for these database servers. Another OU called
Admin exists for the user accounts of the database administrators. The database administrators
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 71
Actu
alTe
sts.
com
are also the members of a global group called Data_Admins.
Which of the following options would you choose to allow the database administrators to perform
administrative tasks on the database servers while preventing them from performing administrative
tasks on other servers?
A. For Admin OU, deploy a group policy.
B. In the Domain Admins global group, add the Data_Admins users.
C. In the Server Operators domain local group, add the Data_Admins users.
D. Deploy a group policy to the Data OU.
E. None of the above
Answer: D
Explanation:
To allow the database administrators to perform administrative tasks on the database servers
while preventing them from performing administrative tasks on other servers, you need to deploy a
group policy to the Data OU.
Group Policy enables centralized, Active Directory based configuration and change management
of computers running Windows Server 2008, Windows Vista, Windows XP and Windows Server
2003. The Group Policy settings you create are contained within a Group Policy Object (GPO) and
associated with (or Linked to) a Domain, Site or Organizational Unity (OU) using the Group Policy
Management Console (GPMC). By using the Group Policy Management Console to link a GPO to
an object in Active Directory, you apply these settings to the Users and Computers contained
therein.
Reference : Windows Server 2008 Springboard Series Part 02: Deploying and Managing Group
Policy
http://71.203.223.220/files/WS08SBSprt02_GRPOL.docx
QUESTION NO: 66
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
One of the servers on the corporate network of the company runs Windows Server Update
Services (WSUS) that obtains updates online from the Microsoft Update Web site.
To meet the security requirements of the company, you have recently deployed a secure network
for the company. After which, the users on the network are unable to access the Internet and the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 72
Actu
alTe
sts.
com
network that contains the online WSUS server.
Which of the following options would you choose to recommend a patch management solution to
deploy updates to the computers that are on the secure network? (Select two. Each correct
answer will present a part of the solution.)
A. Deploy a WSUS server on the secure network.
B. Download the wsusscn2.cab file from the Microsoft Update Web site
C. Copy the wsusscn2.cab file to a computer on the secure network.
D. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS
server on the secure network.
E. From the online WSUS server, regularly copy the web.config file and the default Web site home
directory to the WSUS server on the secure network.
F. Scan the entire secure network by running Microsoft Baseline Security Analyzer against the
wsusscn2.cab file that you downloaded.
Answer: A,D
Explanation:
To recommend a patch management solution to deploy updates to the computers that are on the
secure network, you need to deploy a WSUS server on the secure network. From the online
WSUS server, copy the update metadata and the WSUS content to the WSUS server on the
secure network.
If your environment demands a network segment be disconnected from the Internet, or
disconnected from the rest of your network altogether, don't think you need to resort to the
"sneaker net" method of patch distribution. Simply build a stand-alone WSUS server and import
updates from removable media such as tape or DVD-ROM.
The process of exporting the updates from an Internet-connected server, and then importing them
into your disconnected one is well documented in the WSUS Deployment Guide. However, here
are the steps at a high level to give you an idea of the process.
1. Build your stand-alone WSUS server and configure its language and express installation
options to match that of the Internet-connected WSUS server that will provide updates.
2. Copy the update content directory from the Internet-connected WSUS server to removable
media. Remember that this content directory may be quite large (multi-gigabytes) so you may
need to resort to tape, dual-layer DVD, or external USB hard drive.
3. Export and copy the update metadata from the Internet-connected WUS server's database to
removable media.
4. Copy the update content from removable media onto the disconnected WSUS server.
5. Import the update metadata from removable media into the disconnected WUS server's
database.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 73
Actu
alTe
sts.
com
Reference : Advanced Deployment Options / Offline Updates
http://www.wsuswiki.com/AdvDeployOptions
QUESTION NO: 67
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
Several servers on the corporate network of the company run Windows Server Update Services
(WSUS) and distribute updates to all computers on the internal network.
The company has many remote users that connect the internal network from their personal
computers using a split-tunnel VPN connection.
Which of the following options would you choose to deploy a patch management strategy that
deploys updates on the remote user's computers? While deploying the solution, you need to
ensure that the bandwidth use over the VPN connections is minimized and the required updates
are approved on the WSUS servers before they are installed on the client computers?
A. Perform client-side targeting using a GPO.
B. Create and configure a computer group for the remote users computers to allow them to use
the internal WSUS server.
C. Deploy an additional WSUS server for the remote users computers. Configure the additional
WSUS server to leave the updates on the Microsoft Update Web site.
D. Use Connection Manager Administration Kit (CMAK) to create a custom connection and then
deploy the custom connection to all of the remote users computers.
E. None of the above
Answer: C
Explanation:
To deploy a patch management strategy that deploys updates on the remote user's computers,
you need to deploy an additional WSUS server. Configure the remote users computers to use the
additional WSUS server. Configure the additional WSUS server to leave the updates on the
Microsoft Update Web site.
Microsoft Windows Server Update Services (WSUS) is the Microsoft provided solution for
enterprise patch management. Using WSUS, network administrators can manage and deploy
software updates for all of the Microsoft products in a network
Using autonomous mode, the upstream server transmits update files to the downstream servers,
but nothing else. This means that individual computer groups and update approvals must be
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 74
Actu
alTe
sts.
com
configured for each particular downstream server. In this deployment type, you get the benefit of
optimized bandwidth usage with the flexibility of allowing individual site administrators to manage
computer groups and update approvals themselves.
In a typical WAN scenario the bandwidth is a restriction. It is common that remote network
locations will have a high speed connection to the internet but a rather low speed link back to the
main office, such as through a VPN. In these cases, an upstream server can manage update
approvals, but those remote downstream servers can be configured to download the approved
updates directly from the Internet as opposed to the upstream server. Therefore you need to c
configure the additional WSUS server to leave the updates on the Microsoft Update Web site
Reference : Deploying Microsoft Windows Server Update Services
http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-
Update-Services.html
QUESTION NO: 68
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
Which of the following options would you choose to design a Windows Server Update Services
(WSUS) infrastructure that ensures that the updates are distributed from a central location and all
computers must continue to receive updates in the event that a server fails? (Select two. Each
correct answer will present a part of the solution.)
A. Configure a single WSUS server to use multiple downstream servers.
B. Configure two WSUS servers in a Microsoft SQL Server 2005 failover cluster.
C. Configure a Microsoft SQL Server 2005 failover cluster.
D. Configure each WSUS server to use a RAID 1 mirror and a local database.
E. Configure each WSUS server to use a local database
F. Configure each WSUS server to use a RAID 5 array and a local database
G. Configure two WSUS servers in a Network Load Balancing cluster and then Configure WSUS
to use the remote SQL Server 2005 database instance.
Answer: C,G
Explanation:
To design a Windows Server Update Services (WSUS) infrastructure that ensures that the
updates are distributed from a central location and all computers must continue to receive updates
in the event that a server fails, you need to:
Configure a Microsoft SQL Server 2005 failover cluster. Configure two WSUS servers in a
Network Load Balancing cluster. Configure WSUS to use the remote SQL Server 2005 database
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 75
Actu
alTe
sts.
com
instance.
Network load balancing (NLB) is a strategy that can keep networks running even if one (or more)
servers go offline. It can be used in conjunction with WSUS, but requires special steps at setup
time. You should set up WSUS for NLB after configuring your SQL Server2005 database as a
failover cluster.
Reference : Appendix C: Configure WSUS for Network Load Balancing
http://technet.microsoft.com/en-us/library/cc708533.aspx
QUESTION NO: 69
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers and the domain controllers on the
domain run Windows Server 2008 and all client computers run Windows Vista.
You have been assigned the task to generate a monthly report on the status of software updates
for the client computers. You report should display all the updates including operating system and
Microsoft application updates that are installed successfully.
Your report should also display all the updates including the operating system and Microsoft
application updates that are failed to install by putting minimum amount of administrative effort and
in minimum cost.
Which of the following options would you choose to accomplish the desired task? (Select two.
Each correct answer will present a part of the solution.)
A. Install Microsoft System Center Essentials (Essentials) 2007.
B. Install Microsoft System Center Configuration Manager (SCCM) 2007.
C. Install Windows Software Update Services (WSUS) 3.0.
D. Deploy management agents on all client computers.
E. Configure Windows Update by using a Group Policy object (GPO).
F. Deploy Microsoft Baseline Security Analyzer (MBSA) 2.1 on the client computers.
G. Run MBSA on each client computer, and save the report to a shared folder on the network.
Answer: C,E
Explanation:
To generate the desired reports, you need to Install Windows Software Update Services (WSUS)
3.0. Configure Windows Update by using a Group Policy object (GPO).
The easiest way to configure automatic updates is through the group policy, in environments
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 76
Actu
alTe
sts.
com
where this is possible. If group policies (AD) are not available, you can use the registry file which
has to be deployed to every machine. This registry file, or group policy template if you're using
Active Directory, enables advanced features available with the new WSUS client.
Reports can be easily generated, but unfortunately only the WSUS server administrator can
generate them. ITSS can generate reports per groups, so if your clients are properly configured to
report their group, you can ask ITSS to schedule generation of reports for your groups.
You can also define the criteria of the report, so some events can be filtered. The criteria define
status of updates for machines, so the following can be used:
Installed - lists updates which have been successfully installed on the client machines.
Needed - lists updates which are needed, but have not been installed yet.
Not needed - lists updates which are available on the server, but are not needed for this particular
client.
Unknown - lists updates with unknown status.
Failed - lists updates which were downloaded by the client, but whose installation failed.
Reference : Microsoft Windows Server Update Services
http://www.auckland.ac.nz/security/MicrosoftWSUSGuidelines.htm
QUESTION NO: 70
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
Several servers on the corporate network of the company run Windows Server Update Services
(WSUS) and distribute updates to all computers on the internal network. The WSUS server is
configured to store updates locally.
The company has recently opened four new satellite offices that are connected to the main office
by using a dedicated WAN link. Internet access to the users of the satellite office is provided
through the main office.
Which of the following options would you choose to design a strategy for patch management that
ensures that the WSUS updates are approved independently for each satellite office with the use
of minimum Internet traffic? (Select two. Each correct answer will present a part of the solution.)
A. For each satellite office, create organizational units (OUs). Create and link the Group Policy
objects (GPOs) to the OUs.
B. In each satellite office, install a WSUS server.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 77
Actu
alTe
sts.
com
C. Configure each satellite office WSUS server as a replica of the main office WSUS server.
D. Configure each satellite office WSUS server as an autonomous server.
E. Configure different schedules to download updates from the main office WSUS server to the
client computers in each satellite office.
F. Configure each satellite office WSUS server to use the main office WSUS server as an
upstream server.
Answer: B,F
Explanation:
To design a strategy for patch management that ensures that the WSUS updates are approved
independently for each satellite office and the minimum Internet traffic used, you need to install a
WSUS server in each satellite office and then configure each satellite office WSUS server to use
the main office WSUS server as an upstream server.
A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode,
the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It
is also the only server that an administrator has to manually configure computer groups and
update approvals on.
All information downloaded and configured on to an upstream server is replicated directly to all of
the devices configured as downstream servers. Using this method you will save a great deal of
bandwidth as only one computer is constantly updating from the Internet. More importantly
however, you will save a countless amount of time since you are only managing one server now
from a software standpoint.
Using autonomous mode, the upstream server transmits update files to the downstream servers,
but nothing else. This means that individual computer groups and update approvals must be
configured for each particular downstream server. In this deployment type, you get the benefit of
optimized bandwidth usage with the flexibility of allowing individual site administrators to manage
computer groups and update approvals themselves.
Reference : Deploying Microsoft Windows Server Update Services
http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-
Update-Services.html
QUESTION NO: 71
You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows
Server 2008 and all client computers run Windows Vista.
A server on the corporate network of the company run Windows Server Update Services (WSUS)
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 78
Actu
alTe
sts.
com
and distributes updates to all computers on the internal network after obtaining updates online
from the Microsoft Update Web site.
Recently a network segment of the corporate network is disconnected from the rest of the network.
The users on the disconnected network segment reported that they cannot access the Internet
and the WSUS server.
Which of the following options would you choose to recommend a patch management strategy to
deploy updates to the computers that are on the disconnected network segment?
A. Deploy a WSUS server on the secure network.
B. Download the wsusscn2.cab file from the Microsoft Update Web site
C. Copy the wsusscn2.cab file to a computer on the secure network.
D. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS
server on the secure network.
E. From the online WSUS server, regularly copy the web.config file and the default Web site home
directory to the WSUS server on the secure network.
F. Scan the entire secure network by running Microsoft Baseline Security Analyzer against the
wsusscn2.cab file that you downloaded.
Answer: A,D
Explanation:
To recommend a patch management strategy to deploy updates to the computers that are on the
disconnected network segment, you need to deploy a WSUS server on the secure network. From
the online WSUS server, copy the update metadata and the WSUS content to the WSUS server
on the secure network.
If your environment demands a network segment be disconnected from the Internet, or
disconnected from the rest of your network altogether, don't think you need to resort to the
"sneaker net" method of patch distribution. Simply build a stand-alone WSUS server and import
updates from removable media such as tape or DVD-ROM.
The process of exporting the updates from an Internet-connected server, and then importing them
into your disconnected one is well documented in the WSUS Deployment Guide. However, here
are the steps at a high level to give you an idea of the process.
1. Build your stand-alone WSUS server and configure its language and express installation
options to match that of the Internet-connected WSUS server that will provide updates.
2. Copy the update content directory from the Internet-connected WSUS server to removable
media. Remember that this content directory may be quite large (multi-gigabytes) so you may
need to resort to tape, dual-layer DVD, or external USB hard drive.
3. Export and copy the update metadata from the Internet-connected WUS server's database to
removable media.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 79
Actu
alTe
sts.
com
4. Copy the update content from removable media onto the disconnected WSUS server.
5. Import the update metadata from removable media into the disconnected WUS server's
database.
Reference : Advanced Deployment Options / Offline Updates
http://www.wsuswiki.com/AdvDeployOptions
QUESTION NO: 72
You are an Enterprise administrator for CertKiller.com. The company has a head office and two
branch offices. All the servers on the network run Windows Server 2008 and all client computers
run Windows Vista.
A server on the corporate network of the company run Windows Server Update Services (WSUS)
and distributes updates to all computers on the internal network.
The WSUS server is configured to store updates locally.
The branch offices connect to the head office by using a dedicated WAN link.
You need to design a patch management strategy for the corporate network that would ensure
that the branch offices would get updates from the head office. However, the WSUS updates are
approved independently for each branch office without increasing the Internet traffic too much.
Which of the following options would you choose to accomplish the desired task?
A. For each branch office, create organizational units (OUs). Create and link the Group Policy
objects (GPOs) to the OUs.
B. In each branch office, install a WSUS server.
C. Configure each branch office WSUS server as a replica of the main office WSUS server.
D. Configure each branch office WSUS server as an autonomous server.
E. Configure different schedules to download updates from the main office WSUS server to the
client computers in each branch office.
F. Configure each branch office WSUS server to use the main office WSUS server as an upstream
server.
Answer: B,F
Explanation:
To design a patch management strategy for the corporate network that would ensure that the
branch offices would get updates from the head office, you need to install a WSUS server in each
branch office and configure each branch office WSUS server to use the head office WSUS server
as an upstream server.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 80
Actu
alTe
sts.
com
A WSUS hierarchy supports two modes, autonomous mode (which we will discuss later) and
replica mode. In replica mode, the upstream server is the only WSUS server that downloads its
updates from Microsoft Update. It is also the only server that an administrator has to manually
configure computer groups and update approvals on. All information downloaded and configured
on to an upstream server is replicated directly to all of the devices configured as downstream
servers. Using this method you will save a great deal of bandwidth as only one computer is
constantly updating from the Internet. More importantly however, you will save a countless amount
of time since you are only managing one server now from a software standpoint.
Using autonomous mode, the upstream server transmits update files to the downstream servers,
but nothing else. This means that individual computer groups and update approvals must be
configured for each particular downstream server. In this deployment type, you get the benefit of
optimized bandwidth usage with the flexibility of allowing individual site administrators to manage
computer groups and update approvals themselves.
Reference : Deploying Microsoft Windows Server Update Services
http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-
Update-Services.html
QUESTION NO: 73
You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows
Server 2008.
The corporate network contains a Windows Server 2008 server that runs Windows Server Update
Services (WSUS), which was configured to store updates locally.
The company has recently opened a few satellite offices that are connected to the main office
using a dedicated WAN link.
Which of the following options would you choose to design a patch management strategy to
ensure that WSUS updates are approved from a central location and WAN traffic is minimized
between the branch office and the satellite offices?
A. For each satellite office, create organizational units (OUs). Create and link the Group Policy
objects (GPOs) to the OUs.
B. In each satellite office, install a WSUS server.
C. Configure each satellite office WSUS server as a replica of the main office WSUS server.
D. Configure each satellite office WSUS server as an autonomous server.
E. Configure different schedules to download updates from the main office WSUS server to the
client computers in each satellite office.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 81
Actu
alTe
sts.
com
F. Configure each satellite office WSUS server to use the main office WSUS server as an
upstream server.
Answer: B,F
Explanation:
To design a patch management strategy to ensure that WSUS updates are approved from a
central location and WAN traffic is minimized between the branch office and the satellite offices,
you need to install a WSUS server in each satellite office and configure each satellite office WSUS
server as a replica of the branch office WSUS server.
A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode,
the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It
is also the only server that an administrator has to manually configure computer groups and
update approvals on. All information downloaded and configured on to an upstream server is
replicated directly to all of the devices configured as downstream servers.
Using this method you will save a great deal of bandwidth as only one computer is constantly
updating from the Internet. More importantly however, you will save a countless amount of time
since you are only managing one server now from a software standpoint.
Reference : Deploying Microsoft Windows Server Update Services
http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-
Update-Services.html
QUESTION NO: 74
You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows
Server 2008.
Several servers on the corporate network of the company run Windows Server Update Services
(WSUS) and distribute updates to all computers on the internal network.
The company has many remote users that connect the internal network from their personal
computers using a split-tunnel VPN connection.
You need to deploy a patch management strategy to deploy updates on the remote user's
computers network. While deploying the solution, you need to ensure that the required updates
are approved on the WSUS servers before they are installed on the client computers within
minimum the bandwidth use?
A. Implement client-side targeting by create a Group Policy object (GPO).
B. Create and configure a computer group for the remote users computers to use the internal
WSUS server.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 82
Actu
alTe
sts.
com
C. Deploy and configure an additional WSUS server to leave the updates on the Microsoft Update
Web site and then configure the remote users to use the additional WSUS server.
D. Use the Connection Manager Administration Kit (CMAK) to create a custom connection and
deploy it to all of the remote users computers.
E. None of the above
Answer: C
Explanation:
To deploy a patch management strategy that deploys updates on the remote user's computers,
you need to deploy an additional WSUS server. Configure the remote users computers to use the
additional WSUS server. Configure the additional WSUS server to leave the updates on the
Microsoft Update Web site.
WSUS is a client-pull system, not a server-push. That is, the client initiates the connection and
downloads, not the server. As long as they can communicate, they will. Also keep in mind that the
connection is not continuous. The client only checks in once a day. It also uses BITS to transfer
the downloads, so if the VPN connection is disconnected in the middle, it will automatically recover
when it next connects to the server. BITS will also attempt to not saturate you bandwidth, but a
problem with BITS is that it measures bandwidth by the connection at your network device (NIC,
modem, etc), not the bandwidth along the entire path to the server. Of course, this may have
changed in more recent version of BITS.
Reference : WSUS Forums>Technical Support>WSUS 3 Server
http://www.wsus.info/forums/index.php?showtopic=11464
QUESTION NO: 75
You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows
Server 2008. The company consists of 10,000 computers.
Which of the following options would you choose to design a storage architecture for Windows
Server Update Services (WSUS) updates to ensure that the WSUS updates are highly available?
A. Configure the WSUS servers to use a RAID 0 hardware controller and then store the WSUS
updates on each WSUS server.
B. Use a remote file share to store the WSUS updates.
C. Store the WSUS updates on a multihomed network file server. Create two host (A) resource
records for the WSUS servers.
D. Store the WSUS updates on a Distributed File System (DFS) link that uses multiple replicating
targets.
E. None of the above
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 83
Actu
alTe
sts.
com
Answer: D
Explanation:
Distributed File System (DFS) is a strategic storage management solution that gives
administrators a more flexible way to centrally manage their distributed resources. With DFS,
administrators can create simplified views of folders and files, that is, a virtual organization called a
namespace, regardless of where those files physically reside in a network.
You should create a single file location that is available to all the front-end WSUS servers. Even if
you do not store updates locally, you will need a location for End User License Agreement files.
You may wish to do so by storing them on a Distributed File System share.
It is not necessary to use a DFS share with an NLB cluster. You can use a standard network
share, and you can ensure redundancy by storing updates on a RAID controller.
Reference : Step 4: Set up a DFS share
http://technet.microsoft.com/en-us/library/cc708533.aspx
Section 2, Monitor servers for performance evaluation and optimization (7 Questions)
QUESTION NO: 76
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The File Server role is installed on the 10 servers on the domain. You have been asked to monitor
the file servers and ensure that the Administrators should be able to create reports that display
folder usage by different Active Directory groups, receive automatic E-mail notifications if any
volume has less than 500 MB of free space, and are able to enforce the File storage quotas.
How would you configure each File server to accomplish the desired task?
A. Configure Windows System Resource Manager (WSRM) feature and Event Subscriptions
B. Configure NTFS quotas and Event Viewer tasks
C. Configure NTFS quotas and Performance Monitor alerts
D. Configure the File Server Resource Manager (FSRM) role service and Quota Management and
Storage Reports Management
E. None of the above.
Answer: D
Explanation:
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 84
Actu
alTe
sts.
com
FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server
2008. You can use FSRM to enhance your ability to manage and monitor storage activities on
your file server.
The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event
Log Integration, E-mail Notifications, and Automated Scripts.
You can use FSRM to perform Limit the size of a folder to 2GB and log an event when the Quota
limit is reached, E-mail an administrator whenever a specific folder reaches 85% of its specified
Quota. Besides, you can create a File Screen to prevent users from saving of video/audio files to a
share and send notifications when users attempt to do that, and schedule and publish a periodic
storage reports that shows how much space is being used by each user,. You can use it to
automatically execute a script when a folder size exceeds 500 MB to clean up stale data in the
folder.
Reference : The Basics of Windows Server 2008 FSRM (File Server Resource Manager)
http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-
server-resource-manager.aspx
QUESTION NO: 77
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest. All the servers in the forest run Windows Server 2008
and all client computers run Windows Vista.
You have been assigned the task to monitor the performance of the servers of the sales
department of the company that consists of 600 Windows Server 2008 servers.
You need to generate alerts when the average processor usage is higher than 90 percent for 20
minutes and automatically adjust the processor monitoring threshold to allow for temporary
changes in the workload.
Which of the following options would you choose to accomplish the desired task?
A. Use Microsoft System Center Configuration Manager (SCCM).
B. Use Windows System Resource Manager (WSRM).
C. Use Microsoft Windows Reliability and Performance Monitor.
D. Use Microsoft System Center Operations Manager (SCOM).
E. None of the above
Answer: D
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 85
Actu
alTe
sts.
com
Explanation:
To generate alerts when the average processor usage is higher than 90 percent for 20 minutes
and automatically adjust the processor monitoring threshold to allow for temporary changes in the
workload, you need to Deploy Microsoft System Center Operations Manager (SCOM).
System Center Operations Manager 2007(SCOM 2007) is a new version of Microsoft Operations
Manager 2005(MoM). It is the end - to - end service monitoring solution that lets you monitor
clients, events, services, applications, network devices rather than just servers. It provides
integration with Active Directory for user authentication and agent discovery.
It provides active directory integration, Service Oriented Monitoring, Self-Tuning Threshold,
Enhanced Reporting, windows computers monitoring and much more.
Reference : From MOM to SCOM
http://pcquest.ciol.com/content/enterprise/2007/107070501.asp
Reference : Self Tuning Thresholds - love and hate
http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-love-and-
hate.aspx
QUESTION NO: 78
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network consists of a server called CertKillerServer1 that has the Terminal Services role
installed. You need to monitor CertKillerServer1 and prevent users from consuming more than 15
percent of the CPU resources in a day.
You also need to ensure that the Administrators must not be limited by the amount of CPU
resources that they can consume. Which of the following options would you choose to accomplish
the desired task? (Select Two. Each correct answer will present a part of the answer.)
A. Configure Reliability and Performance
B. Create user-defined Data Collector Set.
C. Configure session policies.
D. Implement Windows System Resource Manager (WSRM)
E. Configure user policies.
F. Create an Event Trace Session Data Collector Set.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 86
Actu
alTe
sts.
com
Answer: D,E
Explanation:
To monitor CertKillerServer1 and prevent users from consuming more than 15 percent of the CPU
resources in a day, you need to implement Windows System Resource Manager (WSRM), and
configure user policies.
Microsoft Windows System Resource Manager (WSRM) provides resource management and
enables the allocation of resources, including processor and memory resources, among multiple
applications based on business priorities.
WSRM enables a system administrator to Set CPU and memory allocation policies on
applications. This includes selecting processes to be managed, and setting resource usage
targets or limits, Manage CPU utilization (percent CPU in use), Limit the process working set size
(physical resident pages in use), apply policies to users or groups on a Terminal Services
application server, apply policies on a date/time schedule and much more.
WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of
the negative system impact such management could create. WSRM also applies limits to process
working set size and committed memory consumption. WSRM does not manage address
windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.
Reference : Windows System Resource Manager Fast Facts
http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx
QUESTION NO: 79
Which of the following options would you choose to monitor the performance of 200 Windows
Server 2008 servers and generate alerts when the average processor usage is higher than 70
percent for 15 minutes and automatically adjust the processor monitoring threshold to allow for
temporary changes in the workload?
A. Deploy Microsoft System Center Configuration Manager (SCCM).
B. Install Windows System Resource Manager (WSRM).
C. Configure Microsoft Windows Reliability and Performance Monitor.
D. Deploy Microsoft System Center Operations Manager (SCOM).
E. None of the above
Answer: D
Explanation:
To generate alerts when the average processor usage is higher than 90 percent for 20 minutes
and automatically adjust the processor monitoring threshold to allow for temporary changes in the
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 87
Actu
alTe
sts.
com
workload, you need to Deploy Microsoft System Center Operations Manager (SCOM).
System Center Operations Manager 2007(SCOM 2007) is a new version of Microsoft Operations
Manager 2005(MoM). It is the end - to - end service monitoring solution that lets you monitor
clients, events, services, applications, network devices rather than just servers. It provides
integration with Active Directory for user authentication and agent discovery.
It provides active directory integration, Service Oriented Monitoring, Self-Tuning Threshold,
Enhanced Reporting, windows computers monitoring and much more.
Reference : From MOM to SCOM
http://pcquest.ciol.com/content/enterprise/2007/107070501.asp
Reference : Self Tuning Thresholds - love and hate
http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-love-and-
hate.aspx
QUESTION NO: 80
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network consists of a server called CertKillerServer1that has Windows SharePoint Services
(WSS) role installed. The server hosts are 30 SharePoint sites.
You have been asked to optimize the performance of CertKillerServer1 by allocating the equal
amount of system resources to each SharePoint site when CPU utilization exceeds 70 percent.
Which of the following options would you choose to accomplish the given task? (Select Two. Each
correct answer will present a part of the answer.)
A. Configure each SharePoint site to use a separate application pool.
B. Configure each SharePoint site to use a separate IP address.
C. Implement Windows System Resource Manager (WSRM).
D. Implement File Server Resource Manager (FSRM).
Answer: A,C
Explanation:
To optimize the performance of CertKillerServer1 by allocating the equal amount of system
resources to each SharePoint site when CPU utilization exceeds 70 percent, you need to
configure each sharePoint site to use a separate application pool. Implement Windows System
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 88
Actu
alTe
sts.
com
Resource Manager (WSRM).
Microsoft Windows System Resource Manager (WSRM) provides resource management and
enables the allocation of resources, including processor and memory resources, among multiple
applications based on business priorities.
WSRM enables a system administrator to Manage CPU utilization (percent CPU in use), Limit the
process working set size (physical resident pages in use) and Set CPU and memory allocation
policies on applications. This includes selecting processes to be managed, and setting resource
usage targets or limits.
WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of
the negative system impact such management could create. WSRM also applies limits to process
working set size and committed memory consumption. WSRM does not manage address
windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.
Reference : Windows System Resource Manager Fast Facts
http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx
QUESTION NO: 81
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
You install an application on a Windows Server 2008 failover cluster that contains a node named
CertKillerServer1.
Which of the following options would you choose to ensure that 50 percent of the processor
utilization and the memory utilization can be reserved for the application execution? (Select Two.
Each correct answer will present a part of the answer.)
A. Implement Windows System Resource Manager (WSRM)
B. Implement File Server Resource Manager (FSRM)
C. Implement Storage Manager for SANs (SMfS)
D. Configure a resource-allocation policy for user-based management.
E. Configure a resource-allocation policy for process-based management.
F. Configure quotas.
G. Configure the LUN Management settings.
Answer: A,E
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 89
Actu
alTe
sts.
com
Explanation:
To ensure that 50 percent of the processor utilization and the memory utilization can be reserved
for the application execution, you need to implement Windows System Resource Manager
(WSRM) and configure a resource-allocation policy for process-based management.
Microsoft Windows System Resource Manager (WSRM) provides resource management and
enables the allocation of resources, including processor and memory resources, among multiple
applications based on business priorities.
WSRM enables a system administrator to Manage CPU utilization (percent CPU in use), Limit the
process working set size (physical resident pages in use) and Set CPU and memory allocation
policies on applications. This includes selecting processes to be managed, and setting resource
usage targets or limits.
WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of
the negative system impact such management could create. WSRM also applies limits to process
working set size and committed memory consumption. WSRM does not manage address
windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.
Reference : Windows System Resource Manager Fast Facts
http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx
QUESTION NO: 82
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The functional level of the domain is Windows Server
2008. All the servers in the domain run Windows Server 2008 and all client computers run
Windows Vista.
You need to plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an
e-mail notification is sent to an administrator if an application error occurs on any of the servers by
using the minimum amount of administrative effort.
Which of the following options would you choose to accomplish the desired task? (Select Two.
Each correct answer will present a part of the answer.)
A. On all servers, create event subscriptions for one server.
B. On one server, create event subscriptions for each server.
C. On one server, create an Event Trace Sessions Data Collector Set.
D. On all servers, attach a task for the application error events.
E. On the server, attach tasks to the application error events.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 90
Actu
alTe
sts.
com
F. On the servers, create a System Performance Data Collector Set.
G. On the server, configure the report settings for the new Data Collector set.
Answer: B,E
Explanation:
To plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an e-mail
notification is sent to an administrator if an application error occurs on any of the servers by using
the minimum amount of administrative effort, you need to create event subscriptions for each
server on one server and attach tasks to the application error events.
Event Viewer enables you to view events on a single remote computer. However, troubleshooting
an issue might require you to examine a set of events stored in multiple logs on multiple
computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and
store them locally. To specify which events to collect, you create an event subscription. Among
other details, the subscription specifies exactly which events will be collected and in which log they
will be stored locally. Once a subscription is active and events are being collected, you can view
and manipulate these forwarded events as you would any other locally stored events.
Reference : Event Subscriptions
http://technet.microsoft.com/en-us/library/cc749183.aspx
Section 3, Monitor and maintain security and policies (4 Questions)
QUESTION NO: 83
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The functional level of the domain is Windows Server
2008. All the domain controllers on the domain run Windows Server 2008 and all client computers
run Windows Vista.
The network contains 1,000 client computers that are connected to managed switches. You have
been asked to ensure that users on the corporate network are unable to bypass network access
restrictions and only client computers that have up-to-date service packs and anti-malware
software installed can access the network.
Which of the following options would you choose to accomplish the desired task? (Select Two.
Each correct answer will present a part of the answer.)
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 91
Actu
alTe
sts.
com
A. Implement Network Access Protection (NAP)
B. Implement a Network Policy Server (NPS)
C. Use 802.1x enforcement
D. Use DHCP enforcement.
E. Enable IPsec on the domain controllers
F. Enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed
switches.
Answer: A,C
Explanation:
To ensure that users on the corporate network are unable to bypass network access restrictions
and only client computers that have up-to-date service packs and anti-malware software installed
can access the network, you need to implement Network Access Protection (NAP) that uses
802.1x enforcement
Network Access Protection (NAP) is one of the most desired and highly anticipated features of
Windows Server 2008. NAP is a new platform and solution that controls access to network
resources based on a client computer's identity and compliance with corporate governance policy.
NAP allows network administrators to define granular levels of network access based on who a
client is, the groups to which the client belongs, and the degree to which that client is compliant
with corporate governance policy. If a client is not compliant, NAP provides a mechanism to
automatically bring the client back into compliance and then dynamically increase its level of
network access.
With 802.1X enforcement, a computer must be compliant to obtain unlimited network access
through an 802.1X-authenticated network connection
Administrators can create solutions for validating computers that connect to or communicate on
their networks, provide needed updates or access to needed resources, and limit the network
access of computers that are noncompliant. The validation and enforcement features of NAP can
be integrated with software from other vendors or with custom programs.
Note NAP is not designed to protect a private network from malicious users. It is designed to help
administrators maintain the system health of the computers on a private network. NAP is used in
conjunction with authentication and authorization of network access, such as using IEEE 802.1X
for wireless access.
Reference : Network Access Protection Platform Overview
http://technet.microsoft.com/hi-in/library/bb878083(en-us).aspx
Reference : Security and Policy Enforcement
http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 92
Actu
alTe
sts.
com
QUESTION NO: 84
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The functional level of the domain is Windows Server
2008. All the domain controllers on the domain run Windows Server 2008 and all client computers
run Windows Vista.
The network contains three Network Policy Server (NPS) servers that are configured as Remote
Authentication Dial-In User Service (RADIUS) servers. The servers are named as
CertKillerServer1, CertKillerServer2, and CertKillerServer3.
The network also contains 30 wireless access points that are configured as a RADIUS client.
Which of the following options would you choose to audit all access to the wireless access points?
You need to ensure that in a minimum amount of cost the audit data is stored at a central location
and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.
Which of the following options would you choose to accomplish the desired task? (Select Two.
Each correct answer will present a part of the answer.)
A. Install Microsoft SQL Server 2005 Standard Edition on CertKillerServer1.
B. Audit for account logon events on the domain controllers.
C. Audit for logon events on the NPS servers.
D. Configure RADIUS accounting by using local file logging on each server
E. Configure RADIUS accounting by using SQL logging on each server and use
CertKillerServer1as the data source
F. Configure RADIUS authentication.
G. Forward all events from CertKillerServer2 and CertKillerServer3 to CertKillerServer1.
H. Store the log files in an Internet Authentication Service (IAS) format on a shared folder on
CertKillerServer1.
Answer: D,H
Explanation:
To ensure that in a minimum amount of cost the audit data is stored at a central location and all
RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to Configure
RADIUS accounting by using local file logging on each server. Store the log files in an Internet
Authentication Service (IAS) format on a shared folder on CertKillerServer1
Rather than configuring network access policy at each network access server, such as wireless
access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 93
Actu
alTe
sts.
com
policies in a single location that specify all aspects of network connection requests, including who
is allowed to connect, when they can connect, and the level of security they must use to connect
to your network.
When you create a new RADIUS client or modify the settings of an existing RADIUS client from
the RADIUS Clients node of the Network Policy Server snap-in, there is a RADIUS client is NAP-
capable check box .When this check box is selected, the NPS service sends NAP-specific
RADIUS vendor-specific attributes (VSAs) in the Access-Accept message. When this check box is
not selected, the NPS service does not send NAP-specific RADIUS VSAs in the RADIUS Access-
Accept message.
Reference : What is the NAP client doing /The "RADIUS client is NAP-capable" check box
http://blogs.technet.com/nap/default.aspx
QUESTION NO: 85
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The functional level of the domain is Windows Server
2008. All the domain controllers on the domain run Windows Server 2008 and all client computers
run Windows Vista.
Which of the following options would you choose to plan a network access solution that ensure
that only client computers that have the most up-to-date service packs can be granted general
network access and all noncompliant client computers must be redirected to a specific Web site?
A. Use Windows Server Update Service (WSUS)
B. Use Active Directory Rights Management Services (AD RMS)
C. Use Domain Isolation
D. Use Network Access Protection (NAP)
E. None of the above
Answer: D
Explanation:
To plan a network access solution that ensure that only client computers that have the most up-to-
date service packs can be granted general network access and all noncompliant client computers
must be redirected to a specific Web site, you need to implement Network Access Protection
(NAP).
Network Access Protection (NAP) is one of the most desired and highly anticipated features of
Windows Server 2008. NAP is a new platform and solution that controls access to network
resources based on a client computer's identity and compliance with corporate governance policy.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 94
Actu
alTe
sts.
com
NAP allows network administrators to define granular levels of network access based on who a
client is, the groups to which the client belongs, and the degree to which that client is compliant
with corporate governance policy. If a client is not compliant, NAP provides a mechanism to
automatically bring the client back into compliance and then dynamically increase its level of
network access.
With 802.1X enforcement, a computer must be compliant to obtain unlimited network access
through an 802.1X-authenticated network connection
Administrators can create solutions for validating computers that connect to or communicate on
their networks, provide needed updates or access to needed resources, and limit the network
access of computers that are noncompliant. The validation and enforcement features of NAP can
be integrated with software from other vendors or with custom programs.
Note NAP is not designed to protect a private network from malicious users. It is designed to help
administrators maintain the system health of the computers on a private network. NAP is used in
conjunction with authentication and authorization of network access, such as using IEEE 802.1X
for wireless access.
Reference : Network Access Protection Platform Overview
http://technet.microsoft.com/hi-in/library/bb878083(en-us).aspx
Reference : Security and Policy Enforcement
http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx
QUESTION NO: 86
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. The functional level of the domain is Windows Server
2008. All the servers and domain controllers in the domain run Windows Server 2008 and all client
computers run Windows Vista.
The network contains three Network Policy Server (NPS) servers that are configured as Remote
Authentication Dial-In User Service (RADIUS) servers. The servers are named as
CertKillerServer1, CertKillerServer2, and CertKillerServer3. The CertKillerServer1 runs Microsoft
SQL Server 2005.
The network also contains 30 wireless access points that are configured as a RADIUS client.
Which of the following options would you choose to audit access to the wireless access points?
You need to ensure that the audit data is stored at a central location in a format that is simple to
query and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 95
Actu
alTe
sts.
com
Which of the following options would you choose to accomplish the desired task? (Select Two.
Each correct answer will present a part of the answer.)
A. Audit for account logon events on the domain controllers
B. Configure RADIUS accounting by using SQL logging on each server
C. Use CertKillerServer1 as the database for RADIUS accounting.
D. Forward all security events from the NPS servers to CertKillerServer1.
E. Audit for logon events on the NPS servers
F. Forward all security events from CertKillerServer2 and CertKillerServer3 to CertKillerServer1.
Answer: B,C
Explanation:
To ensure that the audit data is stored at a central location in a format that is simple to query and
all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to
configure RADIUS accounting by using SQL logging on each server. Use CertKillerServer1 as the
database for RADIUS accounting
The Internet Authentication Service (IAS) in Microsoft Windows Server is the Microsoft
implementation of a RADIUS server and proxy server. As a RADIUS server, IAS performs
centralized authentication, authorization, and accounting (AAA) of various types of network
connections. As a RADIUS proxy server, IAS can forward RADIUS requests to another RADIUS
server for AAA.
IAS can log to text logs or Microsoft SQL Server databases. Text based logging of RADIUS
authentication and accounting information is disabled by default in IAS.
You need to use CertKillerServer1 as the database for RADIUS accounting because SQL server is
installed on CertKillerServer1.
Reference : Chapter 5: Designing the RADIUS Infrastructure for Wireless LAN Security
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/PGCH05.mspx?m
fr=true
QUESTION NO: 87
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run either Windows
Server 2003 or Windows Server 2008 and all client computers run Windows Vista.
The network contains five Windows Server 2003 servers that have the Terminal Server
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 96
Actu
alTe
sts.
com
component installed and a firewall server runs Microsoft Internet Security and Acceleration (ISA)
Server 2006.
You have been assigned the task to create a remote access strategy for the terminal server users
and ensure that the access of the network is restricted to the specific users only. You also need to
ensure that only minimum number of ports should be opened on the firewall and all remote
connections to the terminal servers are encrypted.
Which of the following options would you choose to accomplish the desired task? (Select Two.
Each correct answer will present a part of the answer.)
A. Implement port forwarding on the ISA Server.
B. Implement SSL bridging on the ISA Server.
C. Require authentication on all inbound connections to the ISA Server.
D. Upgrade a Windows Server 2003 server to Windows Server 2008.
E. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services
connection authorization policy (TS CAP) on the server.
F. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource
authorization policy (TS RAP) on the server.
Answer: D,E
Explanation:
To create a remote access strategy with desired requirements for the terminal server users, you
need to implement the Terminal Services Gateway (TS Gateway) role, and configure a Terminal
Services connection authorization policy (TS CAP). For this you need to upgrade a Windows
Server 2003 server to Windows Server 2008.
TS Gateway feature is available in Windows Server 2008. It allows the connection to internal
Terminal servers and RDP-enabled machines from the outside, but unlike the term "gateway"
used in the previous scenario, the Windows Server 2008 TS Gateway is a dedicated Terminal
server using a specific service role called TS Gateway
This enables the external vendors to connect to it via SSL, pass a certain authentication process
and policy evaluation, and only if allowed, it passes the RDP traffic to specified internal machines.
These machines return the required data, and the TS Gateway then encrypts the data with SSL
and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-
based encryption, which easily passes through most firewalls without the need to open specific
ports.
For remote clients to successfully connect to internal network resources (computers) through a
Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 97
Actu
alTe
sts.
com
correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer
(SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly.
Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS
Gateway server. The use of TS CAP will ensure that the access of the network is restricted to
specific users only.
Reference : Creating a Secure and Auditable Remote Access and Management Environment /
Remote access and management of servers from a remote network via a dedicated RDP gateway
http://www.petri.co.il/creating-secure-auditable-remote-access-management-environment-
windows-server-security.htm
Reference : TS Gateway Server Configuration
http://technet.microsoft.com/en-us/library/cc727371.aspx
Reference : Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-
Gateway-Part2.html
QUESTION NO: 88
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The domain has 100 servers and 5,000 client computers. You have been assigned the task to
recommend an application deployment strategy for the network. While designing the strategy, you
need to ensure that the applications deployments must be scheduled to occur after office hours
and must only be deployed to the client computers that meet the minimum hardware requirements.
Besides, the detailed reports on the success or failure of the application deployments must be
generated. Which of the following options would you choose to accomplish the desired goal?
A. Use Microsoft System Center Operations Manager (SCOM) 2007
B. Use Microsoft System Center Configuration Manager (SCCM) 2007
C. Use Windows Software Update Services (WSUS)
D. Deploy applications by using Group Policy
E. None of the above
Answer: B
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 98
Actu
alTe
sts.
com
Explanation:
To recommend an application deployment strategy for the network, you need to implement
Microsoft System Center Configuration Manager (SCCM) 2007.
System Center Configuration Manager 2007 is the next version of Systems Management Server
(SMS) 2003. Configuration Manager 2007 contributes to a more effective IT department by
enabling secure and scalable operating system and application deployment and desired
configuration management, enhancing system security, and providing comprehensive asset
management of servers, desktops, and mobile devices.
SCCM 2007's new maintenance, configuration-tracking and updated reporting features make it a
must-have for large Windows sites
SCCM sports a new feature called Maintenance Windows that lets administrators schedule the
best day and time for patches and updates for specific sets of computers and servers.
Reference : System Center Configuration Manager
http://technet.microsoft.com/en-us/configmgr/default.aspx
Reference : Big Efficiencies for Big Environments
http://redmondmag.com/features/article.asp?editorialsid=2518
QUESTION NO: 89
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista. The servers on the network have the Terminal
Services role enabled.
You have been assigned the task to deploy a new line-of-business application to all client
computers and ensure that the users must access the application from an icon on their desktops,
even when they are not connected to the network.
Which of the following options would you choose to accomplish the desired task?
A. Publish the application as a TS RemoteApp.
B. Assign the application to the terminal server by using a Group Policy object (GPO).
C. Publish the application by using TS Web Access.
D. Assign the application to all client computers by using a Group Policy object (GPO).
E. None of the above
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 99
Actu
alTe
sts.
com
Answer: D
Explanation:
There are two different ways that you can deploy an application through the Active Directory. You
can either publish the application or you can assign the application. You can only publish
applications to users, but you can assign applications to either users or to computers
Assigning an application is a group policy action, so the assignment won't take effect until the next
time that the computer is rebooted. When the user does log in, they will see that the new
application has been added to the Start menu and / or to the desktop. The deployment process
actually installs the application rather than just the application's icon.
You need to assign the application to all client computers and not to the terminal server because
the application icon will be available to users on when it is installed on their client computers and
not on terminal servers.
Reference : Using Group Policy to Deploy Applications
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html
QUESTION NO: 90
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network contains 100 servers and 5,000 client computers. Microsoft Office Outlook 2007 is
installed on all the client computers.
Recently the marketing department has received a custom application needs to be run by all the
employees of the department. The application requires access to Outlook 2003.
Which of the following options would you choose to suggest an application deployment strategy for
the network that would ensure that access to both Outlook 2003 and Outlook 2007 is provided
without creating a conflict between Outlook 2003 and Outlook 2007 and the other applications
installed on the computers?
You also need to ensure that 50 concurrent sessions are supports and the additional training
requirements are minimized.
A. Use a Microsoft Application Compatibility Toolkit (ACT) application compatibility shim for all the
computers in the marketing department.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 100
Actu
alTe
sts.
com
B. Install Outlook 2003 on a server and enable Remote Desktop on it.
C. Configure the Terminal Services server role on a server, install Outlook 2003 on the terminal
server, and publish Outlook 2003 as a TS RemoteApp.
D. Use a Group Policy object (GPO) to assign Outlook 2003 to all computers in the marketing
department
E. None of the above
Answer: C
Explanation:
To suggest an application deployment strategy for the network to meet the given requirements,
you need to configure the Terminal Services server role on a server. Install Outlook 2003 on the
terminal server and Publish Outlook 2003 as a Terminal Services RemoteApp (TS RemoteApp).
With Terminal Services, organizations can provide access to Windows-based programs from
almost any location to almost any computing device. Terminal Services in WindowsServer2008
includes Terminal Services RemoteApp (TSRemoteApp).
RemoteApp programs are programs that are accessed remotely through Terminal Services and
appear as if they are running on the end user's local computer. Instead of being presented to the
user in the desktop of the remote terminal server, the RemoteApp program is integrated with the
client's desktop, running in its own resizable window with its own entry in the taskbar.
Users can run RemoteApp programs side-by-side with their local programs. If a user is running
more than one RemoteApp program on the same terminal server, the RemoteApp programs will
share the same Terminal Services session.
With TSRemoteApp you do not have to deploy and maintain different versions of the same
program for individual computers. If employees need to use multiple versions of a program, you
can install those versions on one or more terminal servers, and users can access them through
TSRemoteApp.
Reference : TS RemoteApp Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc730673.aspx
QUESTION NO: 91
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network contains five servers on which Terminal Services role is installed. You have been
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 101
Actu
alTe
sts.
com
assigned the task to create a Terminal Services server farm and ensure that the new users are
automatically connected to the terminal server that has the fewest active sessions.
You also need to ensure that the disconnected users are redirected to the server that contains
their previous session. Which of the following options would you choose to accomplish the given
task?
A. Use Terminal Services Session Broker (TS Session Broker)
B. Use Round-robin DNS
C. Use Terminal Services Gateway (TS Gateway)
D. Use Network Load Balancing (NLB)
E. None of the above
Answer: A
Explanation:
To create a Terminal Services server farm with given requirements, you need to use Terminal
Services Session Broker (TS Session Broker).
Terminal Services Session Broker (TSSession Broker) is a role service in WindowsServer®2008
that enables a user to reconnect to an existing session in a load-balanced terminal server farm.
Additionally, Windows Server2008 includes the new TSSession Broker Load Balancing feature.
This feature enables you to distribute the session load between servers in a load-balanced
terminal server farm.
TSSession Broker stores session state information that includes session IDs and their associated
user names, and the name of the server where each session resides.
In the second phase, the terminal server where the initial connection was made redirects the user
to the terminal server that was specified by TSSession Broker. The redirection behavior is as
follows:
A user with an existing session will connect to the server where their session exists.
A user without an existing session will connect to the terminal server that has the fewest sessions.
Reference : Terminal Services Session Broker (TS Session Broker)
http://technet.microsoft.com/en-us/library/cc731045.aspx
QUESTION NO: 92
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and use internal storage only and all client computers run Windows Vista.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 102
Actu
alTe
sts.
com
The network contains a file server. You have been assigned the task to deploy a client/server
application in minimum cost in such as way that it is available even if a single server fails.
Which of the following features would you deploy to accomplish the desired task?
A. Terminal Services RemoteApp (TS RemoteApp)
B. Failover cluster that uses Node and File Share Disk Majority
C. Distributed File System (DFS) that uses replication
D. Failover cluster that uses No Majority: Disk Only
E. None of the above
Answer: B
Explanation:
To deploy a client/server application in minimum cost in such as way that it is available even if a
single server fails, you need to deploy a failover cluster that uses Node and File Share Disk
Majority.
The quorum configuration in a failover cluster determines the number of failures that the cluster
can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in
this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the
cluster configuration) or witness file share. It is essential that the cluster stop running if too many
failures occur or if there is a problem with communication between the cluster nodes.
Node and Disk Majority is (recommended for clusters with an even number of nodes) Can sustain
failures of half the nodes (rounding up) if the witness disk remains online. For example, a six node
cluster in which the witness disk is online could sustain three node failures. Can sustain failures of
half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a six
node cluster with a failed witness disk could sustain two (3-1=2) node failures.
Node and File Share Majority is (for clusters with special configurations) Works in a similar way to
Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share. Note
that if you use Node and File Share Majority, at least one of the available cluster nodes must
contain a current copy of the cluster configuration before you can start the cluster. Otherwise, you
must force the starting of the cluster through a particular node.
Reference : Understanding Quorum Configurations in a Failover Cluster
http://technet.microsoft.com/en-us/library/cc731739.aspx
QUESTION NO: 93
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 103
Actu
alTe
sts.
com
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network contains five Windows Server 2008 servers that have the Terminal Server
component installed.
You have been assigned the task to create a remote access strategy for the terminal server users
and ensure that the remote users can access only specific resources on the internal network. You
also need to ensure that all remote connections to the terminal servers are encrypted.
Which of the following options would you choose to accomplish the desired task? (Select Two.
Each correct answer will present a part of the answer.)
A. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource
authorization policy (TS RAP) on the server.
B. Require authentication on all inbound connections to the Server.
C. Upgrade a Windows Server 2003 server to Windows Server 2008.
D. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services
connection authorization policy (TS CAP) on the server.
E. Configure TS Gateway server to use an appropriate Secure Sockets Layer (SSL)-compatible
X.509 certificate
Answer: A,E
Explanation:
To create a remote access strategy for the terminal server users and ensure that the remote users
can access only specific resources on the internal network, you need to configure the Terminal
Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS
RAP) on the server. You also need to configure TS Gateway server to use an appropriate Secure
Sockets Layer (SSL)-compatible X.509 certificate.
TS Gateway allows the connection to internal Terminal servers and RDP-enabled machines from
the outside. For remote clients to successfully connect to internal network resources (computers)
through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be
configured correctly. The TS Gateway server must be configured to use an appropriate Secure
Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be
configured correctly. Terminal Services resource authorization policies (TS RAPs) specify the
internal network resources that clients can connect to through a TS Gateway server.
TS Gateway enables the external vendors to connect to it via SSL, pass a certain authentication
process and policy evaluation, and only if allowed, it passes the RDP traffic to specified internal
machines.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 104
Actu
alTe
sts.
com
These machines return the required data, and the TS Gateway then encrypts the data with SSL
and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-
based encryption.
Reference : TS Gateway Server Configuration
http://technet.microsoft.com/en-us/library/cc727371.aspx
Reference : Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-
Gateway-Part2.html
QUESTION NO: 94
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista. The servers on the network have the Terminal
Services role enabled.
The Active Directory has two organizational units (OU) configured. One for all the user accounts
called UserOU and other for all the client computer accounts called ClientsOU.
You have been assigned the task to deploy a new application on the network and ensure that the
users must access the application from an icon on the Start menu. Besides, you need to ensure
that the application is available to remote users when they are offline.
Which of the following options would you choose to accomplish the desired task?
A. Publish the application to users in the ClientsOU as a TS RemoteApp.
B. Assign the application to computers in the UsersOU by using a Group Policy object (GPO).
C. Publish the application to users in the UsersOU by using a Group Policy object (GPO).
D. Assign the application to computers in the ClientsOU by using a Group Policy object (GPO).
E. None of the above
Answer: D
Explanation:
To deploy a new application on the network and ensure that the users must access the application
from an icon on the Start menu, you need to assign the application to computers in the ClientsOU
by using a Group Policy object (GPO).
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 105
Actu
alTe
sts.
com
There are two different ways that you can deploy an application through the Active Directory. You
can either publish the application or you can assign the application. You can only publish
applications to users, but you can assign applications to either users or to computers
Assigning an application is a group policy action, so the assignment won't take effect until the next
time that the computer is rebooted. When the user does log in, they will see that the new
application has been added to the Start menu and / or to the desktop. The deployment process
actually installs the application rather than just the application's icon.
You need to assign the application to computers in the ClientsOU to link it to the computer rather
than to the user. Assigning an application to a computer also differs from user assignments in that
the deployment process actually installs the application rather than just the application's icon. So
the application is available to users in the ClientsOU even when they are offline.
Reference : Using Group Policy to Deploy Applications
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html
QUESTION NO: 95
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network contains five servers that form a Terminal Services server farm on the network. You
have been assigned the task to ensure that the session load is equally distributed between the
servers in a terminal server farm.
Which of the following options would you choose to accomplish the given task?
A. Implement Terminal Services Session Broker (TS Session Broker) feature
B. Use Round-robin DNS Feature
C. Use Terminal Services Gateway (TS Gateway) Feature
D. Implement Network Load Balancing (NLB) Feature
E. Implement TSASession Broker Load Balancing Feature
F. None of the above
Answer: E
Explanation:
To ensure that the session load is equally distributed between the servers in a terminal server
farm, you need to implement TSASession Broker Load Balancing Feature.
Windows Server2008 includes the new TSSession Broker Load Balancing feature that enables
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 106
Actu
alTe
sts.
com
you to distribute the session load between servers in a load-balanced terminal server farm.
Reference : Terminal Services Session Broker (TS Session Broker)
http://technet.microsoft.com/en-us/library/cc731045.aspx
QUESTION NO: 96
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
Which of the following options would you choose to provide users of the network a collaboration
solution that would allow them to remotely access the files by using a Web browser? They should
be provided full-text indexing of all user content and a secure access to the files by assigning
permissions. Besides, a support for the addition of more Web servers based on company growth
is also available.
Which of the following options would you choose to accomplish the desired task?
A. The Application Server role
B. Microsoft System Center Operations Manager (SCOM)
C. The Web Server role
D. The Terminal Services Server role
E. Microsoft Office SharePoint Server 2007
F. None of the above
Answer: E
Explanation:
To provide users of the network a collaboration solution that meets the given requirements, you
need to use Microsoft Office SharePoint Server 2007.
Microsoft Office SharePoint Server 2007 is a new server program that is part of the 2007 Microsoft
Office system. Your organization can use Office SharePoint Server 2007 to facilitate collaboration,
provide content management features, implement business processes, and supply Microsoft
delivers a best-of-breed collaborative infrastructure that gives end users the tools to easily create
their own workspaces and share assets across teams, departments, and organizations while
maintaining IT control.
In Office SharePoint Server 2007, content management is divided into three categories: document
management, records management, and Web content management.
Collect and validate information by using browser-based formsWhen you design form templates
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 107
Actu
alTe
sts.
com
with Office InfoPath 2007 and deploy them to an Office SharePoint Server 2007 site, you can
enable a setting that allows users to fill out forms by using a Web browser. That is because Office
SharePoint Server 2007 employs InfoPath Forms Services technology, which- in addition to
enabling the deployment of browser-based forms- provides a central location to store and manage
form templates for your organization.
When you publish a form template to an Office SharePoint Server 2007 site, you can distribute it
not just on your corporate intranet, but also on external Web sites, such as extranet sites or
corporate Web sites.
Search in Office SharePoint Server 2007 provides new keyword syntax, including support for
implicit industry standards for full text and property-based searching.
Administration of security has also been greatly enhanced. Administrators can create user "roles"
that determine the kind of information that can be viewed by users during a search. This access
control can be broad or granular, as defined by the corporation. All of these tasks are administered
through the Central Administration and SharePoint Services Portal interfaces, making security
administration more usable and efficient
Reference : Introduction to Microsoft Office SharePoint Server 2007
http://office.microsoft.com/en-us/sharepointserver/HA101732171033.aspx
Reference : Search in Microsoft® Office SharePoint® Server 2007 Evaluation Guide
http://office.microsoft.com/download/afile.aspx?AssetID=AM102140171033 .
QUESTION NO: 97
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers and the domain controllers in the
domain run Windows Server 2008 and all client computers run Windows XP Service Pack 2.
The network contains 10 servers and 500 client computers. One of the servers has Terminal
Services installed. You have been assigned the task to deploy a new line-of-business application
and enable the desktop themes, which is a requirement of the application.
Your deployment strategy must only allow authorized users to access the application from any
client computer by performing minimum changes to the client computers and in minimum software
cost.
Which of the following options would you choose to accomplish the desired task?
A. Upgrade all client computers to Windows Vista.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 108
Actu
alTe
sts.
com
B. Deploy the Remote Desktop Connection (RDC) 6.0 software to the client computers.
C. Use Group Policy object (GPO) to deploy the application to all client computers
D. Use Group Policy object (GPO) to deploy the application to the authorized users.
E. Enable the Desktop Experience feature on the terminal server and install the application on the
terminal server.
F. Install the application on the terminal server and implement Terminal Services Session Broker
(TS Session Broker).
Answer: B,E
Explanation:
To deploy a new line-of-business application with given requirements, you need to deploy the
Remote Desktop Connection (RDC) 6.0 software to the client computers. Enable the Desktop
Experience feature on the terminal server. Install the application on the terminal server
Due to lower maintenance costs, many companies prefer to install their LOB applications on a
terminal server and make these applications available through RemoteApps or Remote Desktop.
Single sign-on makes it possible to give users a better experience by eliminating the need for
users to enter credentials every time they initiate a remote session.
Remote Desktop Connection (RDC)6.0 and RDC6.1 reproduce the desktop that exists on the
remote computer on the user's client computer. To make the remote computer look and feel more
like the user's local WindowsVista desktop experience, you can install the Desktop Experience
feature on your Windows Server2008 terminal server. Desktop Experience installs features of
WindowsVista, such as Windows Media® Player11, desktop themes, and photo management.
Reference : Terminal Services Core Functionality / Desktop Experience/ Single sign-on
http://technet.microsoft.com/en-us/library/cc753097.aspx#BKMK_RDC
Section 2, Provision data (7 Questions)
QUESTION NO: 98
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain, which is not connected to the Internet. All the servers
in the domain run Windows Server 2008. All client computers, which are laptops, run Windows
Vista.
The network contains a file server. The network users use a shared folder on the server to save
the files that they want to share. Which of the following options would you choose to allow users to
access the shared files from their laptops when they are disconnected from the corporate
network?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 109
Actu
alTe
sts.
com
A. On the file server configure Background Intelligent Transfer Service (BITS) server extensions.
B. On the file server configure Windows SharePoint Services 3.0.
C. On the file server configure caching on the shared folder.
D. Configure the Distributed File System (DFS) role service on the file server and host the shared
folder through it.
E. None of the above
Answer: C
Explanation:
To allow users to access the shared files from their laptops when they are disconnected from the
corporate network, you need to configure caching on the shared folder
The caching feature of Shared Folders ensures that users have access to shared files even when
they are working offline with no access to the network.
Reference : Set Caching Options for Shared Folders
http://technet.microsoft.com/en-us/library/cc755136.aspx
QUESTION NO: 99
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista Service Pack 1.
Some employees of the company use laptop computers and work remotely from home. You have
been assigned the task to suggest a data provisioning infrastructure to secure sensitive files on
the network from being accessed by unauthorized remote users.
In your plan you need to ensure that the sensitive files must be stored in an encrypted format and
must be encrypted while they are transmitted over the Internet. They should however be
accessible by remote users over the Internet.
Which of the following options would you choose to accomplish the desired goal?
A. Deploy a Windows SharePoint Services site that can be accessible to remote users by using a
Secure Socket Transmission Protocol (SSTP) connection.
B. Use Encrypting File System (EFS) to encrypt the folders that store sensitive files. Use Secure
Socket Transmission Protocol (SSTP) to allow access to files to remote users.
C. Configure a Network Policy and Access Server (NPAS) to act as a VPN server. Use IPsec
connection to the VPN server to allow access to files to remote users.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 110
Actu
alTe
sts.
com
D. Deploy two Windows SharePoint Services sites, one site for internal users and other site for
remote users. Publish the SharePoint sites by using HTTPS.
E. None of the above
Answer: B
Explanation:
To ensure that the sensitive files must be stored in an encrypted format and must be encrypted
while they are transmitted over the Internet, you need to store all sensitive files in folders that are
encrypted by using Encrypting File System (EFS). Require remote users to access the files by
using Secure Socket Transmission Protocol (SSTP).
Microsoft EFS allows users to store confidential information on a computer when people who have
physical access to a computer could otherwise compromise that information, intentionally or
unintentionally. EFS is especially useful for securing sensitive data on portable computers or on
computers shared by several users. Another layer of security is added by encrypting sensitive files
by means of EFS.
SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and
Remote Access Server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol
(PPP) packets to be encapsulated over HTTP. This allows for a VPN connection to be more easily
established through a firewall or through a Network Address Translation (NAT) device. Also, this
allows for a VPN connection to be established through an HTTP proxy device.
Reference : Vista and Windows Server 2008 Encryption Broken by Advanced EFS Data Recovery
http://www.securitysoftwarezone.com/vista-and-windows-server-2008-encryption-broken-
review968-6.html
Reference : How to configure a Secure Socket Tunneling Protocol (SSTP)-based VPN server
behind a NAT device in Windows Server 2008
http://support.microsoft.com/kb/947032
QUESTION NO: 100
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network contains a server that has the Terminal Services server role installed. The server
runs six custom applications that are configured as Terminal Services RemoteApps on it.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 111
Actu
alTe
sts.
com
Recently, some of the users have reported that when one of the applications is run by the remote
users, the other applications become unresponsive and the server seems slow. To solve the
problem, you decide to ensure that active user sessions receive equal access to system
resources.
Which of the following options would you choose to accomplish the desired goal?
A. Reliability and Performance Monitor
B. Terminal Services Session Broker
C. Implement Terminal Services Web Access
D. Implement Windows System Resource Manager
E. None of the above
Answer: D
Explanation:
To ensure that active user sessions receive equal access to system resources, you need to
implement Windows System Resource Manager,
Microsoft Windows System Resource Manager (WSRM) provides resource management and
enables the allocation of resources, including processor and memory resources, among multiple
applications based on business priorities. WSRM applies limits to process working set size and
committed memory consumption.
Reference : Windows System Resource Manager Fast Facts
http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx
QUESTION NO: 101
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
Most of the domain users are mobile and need to log on to the domain from multiple computers.
You have been assigned the task to provide a data provisioning solution that ensures that user
documents are not stored on the local client computer and users must have access to their
Documents folder regardless of the client computer that they use.
In your solution you also need to reduce the log on time to the domain. Which of the following
options would you choose to accomplish the desired task?
A. Logon scripts
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 112
Actu
alTe
sts.
com
B. Roaming user profiles
C. Folder redirection
D. Configure offline files
E. None of the above
Answer: C
Explanation:
To provide a data provisioning solution that ensures that user documents are not stored on the
local client computer and users must have access to their Documents folder regardless of the
client computer that they use, you need to configure folder redirection.
Folder Redirection is a way to place data in a set of folders in the user profiles on the network.
Folder Redirection is a Group Policy setting that allows you to configure a set of special folders,
such as the My Documents folder, from the local computer on to the network. (The My Documents
folder is the location on the Windows2000 desktop where the user can save their documents and
graphic files.) For example, you can redirect the My Documents folder, usually stored on the
computer's local hard disk, to a network location so that the documents in the folder are available
to that user from any computer on the network.
Reference : Folder Redirection
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dseb_ovr_syul.mspx
?mfr=true
QUESTION NO: 102
You are an Enterprise administrator for CertKiller.com. The company has a head office and a
branch office. The corporate network of the company consists of a single Active Directory domain.
The functional level of the domain is Windows Server 2008. All the servers in the domain run
Windows Server 2008 and all client computers run Windows Vista.
For both the head office and the branch office an Active Directory site is available. You have been
assigned the task to deploy file servers in each office and design a file sharing strategy.
Your file sharing strategy should ensure that the users in both offices must be able to access the
same files using the same Universal Naming Convention (UNC) path to access files. You design
must ensure the use of minimum amount of bandwidth used to access files and the availability of
files even if a server fails.
Which of the following options would you choose to accomplish the desired goal?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 113
Actu
alTe
sts.
com
A. A multi-site failover cluster having one of the servers located in the head office and the other
located in the branch office.
B. A stand-alone DFS namespace that uses replication.
C. A domain-based DFS namespace that uses replication.
D. A Network Load Balancing cluster having one of the servers located in the head office and the
other located in the branch office.
E. None of the above
Answer: C
Explanation:
To deploy file servers in each office and design a file sharing strategy with given requirements,
you need to deploy a domain-based DFS namespace that uses replication.
The domain based namespaces require all servers to be members of an Active Directory domain.
These types of environments support automatic synchronization of DFS targets. The namespace
root namespace is based on a combination of the server's NetBIOS name and a root name, and is
listed in the DNS.
Ina domain environment, a server is capable of hosting multiple DFS roots. Using multiple replicas
provides you with a degree of scalability. Rather than having every user in your organization
access their files from the same server, you can distribute the user workload across multiple DFS
replicas rather than over burdening a single server.
Another reason for having multiple DFS replicas is because doing so provides you with a degree
of fault tolerance.DFS can also provide fault tolerance from the standpoint of protecting you
against network link failures.
Reference : Planning a DFS Architecture, Part 1, Planning a DFS Architecture, Part 2 / Domain-
Based Namespaces
http://www.petri.co.il/planning-dfs-architecture-part-one.htm
QUESTION NO: 103
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
You have been assigned the task to ensue that all the users of the company can access their
Documents folder regardless of the client computer that they use.
Which of the following options would you choose to accomplish the desired task?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 114
Actu
alTe
sts.
com
A. Logon scripts
B. Folder redirection
C. Configure offline files
D. Local User profiles
E. None of the above
Answer: B
Explanation:
To provide a data provisioning solution that ensures that user documents are not stored on the
local client computer and users must have access to their Documents folder regardless of the
client computer that they use, you need to configure folder redirection.
Folder Redirection is a way to place data in a set of folders in the user profiles on the network.
Folder Redirection is a Group Policy setting that allows you to configure a set of special folders,
such as the My Documents folder, from the local computer on to the network. (The My Documents
folder is the location on the Windows2000 desktop where the user can save their documents and
graphic files.) For example, you can redirect the My Documents folder, usually stored on the
computer's local hard disk, to a network location so that the documents in the folder are available
to that user from any computer on the network.
Reference : Folder Redirection
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dseb_ovr_syul.mspx
?mfr=true
QUESTION NO: 104
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network is not connected to the Internet. The network contains a file server that contains a
shared folder in which remote network users save files.
Which of the following options would you choose to design a data provisioning solution that ensure
that only authorized remote users who are not connected to the corporate network must be able to
access the files and the folders in the corporate network? (Select two. Each correct answer will
present a part of the solution.)
A. Configure caching on the shared folder
B. Configure offline files to use encryption.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 115
Actu
alTe
sts.
com
C. Implement a certification authority (CA)
D. Configure Encrypting File System (EFS) for the drive that hosts the files.
E. Configure IPsec domain isolation
F. Implement Windows SharePoint Services 3.0.
G. Enable Secure Socket Layer (SSL) encryption
Answer: A,B
Explanation:
To design a data provisioning solution that ensure that only authorized remote users who are not
connected to the corporate network must be able to access the files and the folders in the
corporate network, you need to configure caching on the shared folder.
The caching feature of Shared Folders ensures that users have access to shared files even when
they are working offline with no access to the network.
Next you need to configure offline files to use encryption, so that only authorized users can access
the files on the shared folder.
Reference : Set Caching Options for Shared Folders
http://technet.microsoft.com/en-us/library/cc755136.aspx
QUESTION NO: 105
You are an Enterprise administrator for CertKiller.com. The company has a head office and a
branch office. All the servers in the network run Windows Server 2008 and all client computers run
Windows Vista. Each office has a domain controller and file servers.
You have been asked to plan the deployment of Distributed File System (DFS) on the network and
ensure that users can access the data locally and are allowed to see only the folders to which they
have access permissions. You also need to ensure the use of minimum bandwidth while data
replication.
Which of the following options would you choose to accomplish the desired task?
A. A stand-alone DFS namespace that uses DFS replication and has access-based enumeration
enabled
B. A stand-alone DFS namespace that uses File Replication Service (FRS) and have access-
based enumeration enabled
C. A domain-based DFS namespace that uses File Replication Service (FRS) and modify each
share to be a hidden share
D. A domain-based DFS namespace that uses DFS replication and modify each share to be a
hidden share
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 116
Actu
alTe
sts.
com
E. None of the above
Answer: A
Explanation:
To plan the deployment of Distributed File System (DFS) on the network and ensure that users
can access the data locally and are allowed to see only the folders to which they have access
permissions, you need to deploy a stand-alone DFS namespace and has access-based
enumeration enabled.
Rather than having every user in your organization access their files from the same server, you
can distribute the user workload across multiple DFS replicas rather than over burdening a single
server.
Standalone namespaces do allow you to use multiple folder targets for fault tolerance purposes. In
case you are not familiar with folder targets, the basic idea is that each folder target typically hosts
a replica of the data that's associated with a DFS folder. Using multiple folder targets allows you to
achieve a degree of fault tolerance, and offers better performance than if the data were only stored
in a single location.
Domain-based DFS namespace requires an Active directory domain, which is not available here.
Access-based enumeration allows users to see only files and folders on a file server to which they
have permission to access. This feature is not enabled by default for namespaces (though it is
enabled by default on newly-created shared folders in Windows Server2008), and is only
supported in a DFS namespace when the namespace is a standalone namespace hosted on a
computer running Windows Server2008, or a domain-based namespace by using the Windows
Server2008 mode.
Reference : Planning a DFS Architecture, Part 2
http://www.petri.co.il/planning-dfs-architecture-part-two.htm
Reference : Distributed File System
http://technet.microsoft.com/en-us/library/cc753479.aspx
QUESTION NO: 106
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of servers that run Windows Server 2008 and client computers run Windows Vista.
You have been asked to design a storage strategy so that a distributed database application can
be deploy on the network that runs on multiple servers. While designing the storage strategy, you
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 117
Actu
alTe
sts.
com
need to ensure that you use existing network infrastructure and standard Windows management
tools.
You also need to ensure that the storage space is allocated to servers as and when required and
that the data is available if a single disk fails. Which of the following options would you choose to
accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)
A. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).
B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.
C. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O.
D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS).
E. Configure the storage subsystem as a RAID 5 array.
F. Configure the storage subsystem as a RAID 0 array.
Answer: D,E
Explanation:
To design a storage strategy so that a distributed database application can be deploy on the
network that runs on multiple servers with given requirements, you need to deploy an iSCSI disk
storage subsystem that supports Virtual Disk Service (VDS) and configure the storage subsystem
as a RAID 5 array
Microsoft iSCSI Software Target option enables you to implement an iSCSI SAN with storage
provisioning and management capabilities. Managed via the Microsoft Management Console,
administrator's can create and manage iSCSI targets and iSCSI virtual disks, as well as schedule,
export, and locally mount snapshots for use in backup and recovery operations.
An iSCSI disk storage subsystem supports Virtual Disk Service (VDS) and Microsoft Multipath I/O.
Virtual Disk Service (VDS) is a Windows service for managing volumes. Administrators now have
a single interface that works with different vendors, if that vendor supplies a VDS hardware
provider for their networked storage device. This same interface also works with directly attached
storage, providing a unified view of all disks and volumes, regardless of being connected via SCSI,
Fiber Channel, iSCSI or PCI RAID. VDS exposes the complex functionality provided by these
storage hardware vendors and scales up to enterprise configurations.
Multipath I/O cannot be used because it only provides ability to use more than one physical path to
access a storage device, providing improved system reliability and availability via fault tolerance
and/or load balancing of the I/O traffic.
RAID 5 is the most powerful form of RAID that can be found in a desktop computer system. It
provides increased storage array performance and Full data redundancy. RAID 0 cannot be used
because it is the lowest designated level of RAID. It is actually not a valid type of RAID. It was
given the designation of level 0 because it fails to provide any level of redundancy for the data
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 118
Actu
alTe
sts.
com
stored in the array. Thus, if one of the drives fails, all the data is damaged.
Reference : The Basics of the Virtual Disk Services (VDS)
http://blogs.technet.com/josebda/archive/2007/10/25/the-basics-of-the-virtual-disk-services-
vds.aspx
Reference : Reference: What is RAID?
http://compreviews.about.com/od/storage/l/aaRAIDPage1.htm
QUESTION NO: 107
You are an Enterprise administrator for CertKiller.com. The company has a head office and two
branch offices that connect with each other by using a WAN link. The corporate network of the
company consists of a single Active Directory domain.
All the servers in the domain run Windows Server 2008 and all client computers run Windows
Vista. Each office contains a file server and the office users use the local file server to store data
on it. The users also have access to data from the other offices.
You have been assigned that task to plan a data access solution and ensure that folders that are
stored on the file servers must be available to users in both offices and users must be able to
access all files even when the WAN link fails. Besides this the network bandwidth usage between
offices is minimized.
Which of the following options would you choose to accomplish the desired goal?
A. Implement Distributed File System Replication (DFSR) on the file servers in both the offices.
B. On one of the servers, configure Distributed File System (DFS) and on the other, configure the
Background Intelligent Transfer Service (BITS).
C. Configure File Server Resource Manager (FSRM) and File Replication Service (FRS) on both
the servers
D. On one of the servers, configure File Server Resource Manager (FSRM) and on the other
configure File Replication Service (FRS).
E. None of the above
Answer: A
Explanation:
To plan a data access solution and ensure that folders that are stored on the file servers must be
available to users in both offices and users must be able to access all files even when the WAN
link fails, you need to implement Distributed File System Replication (DFSR) on the file servers in
both the offices.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 119
Actu
alTe
sts.
com
Rather than having every user in your organization access their files from the same server, you
can distribute the user workload across multiple DFS replicas rather than over burdening a single
server.
DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders
synchronized between servers across limited bandwidth network connections. It replaces the File
Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for
replicating the SYSVOL folder in domains that use the Windows Server2008 domain functional
level.
DFS Replication service has a totally revamped replication engine that uses a new replication
algorithm called Remote Differential Compression (RDC). This new algorithm replicates only the
changes to files and not the files themselves, which means that DFS now works much better over
slow WAN links than before. In addition, the new replication engine supports bandwidth throttling
and replication scheduling, plus it operates on a multimaster replication model.
Reference : Distributed File System
http://technet.microsoft.com/en-us/library/cc753479.aspx
Reference : Top Reasons to Deploy Distributed File Services in Windows Server 2003 R2
http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/topdeploy.mspx
QUESTION NO: 108
You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows
Server 2008 and all client computers run Windows Vista.
The network contains a Microsoft SQL Server 2005 that has two RAID 1 arrays and one RAID 5
array configured.
You have been assigned the task to allocate hard disk space on the server and ensure maximum
performance of the SQL Server application and minimum loss of write performance if a hard disk
drive fails. You also need to prevent the loss of data if a single hard disk drive fails.
Which of the following options would you choose to achieve the desired goal?
A. Use RAID 1 arrays to place OS files and SQL database files and RAID 5 array to place SQL
transaction logs
B. Use RAID 5 array to place types of files.
C. Use RAID 1 arrays to place OS files and SQL transaction logs and RAID 5 array to place SQL
database files
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 120
Actu
alTe
sts.
com
D. Use RAID 5 arrays to place OS files and RAID 5 array to place SQL transaction logs and SQL
database files.
E. None of the above
Answer: C
Explanation:
To allocate hard disk space on the server and meet other requirements, you need to place the
operating system files on one of the RAID 1 arrays. Place the SQL transaction logs on the other
RAID 1 array and place the SQL database files on the RAID 5 array.
RAID version 1 was the first real implementation of RAID. It provides a simple form of redundancy
for data through a process called mirroring. This form typically requires two individual drives of
similar capacity. One drive is the active drive and the secondary drive is the mirror. When data is
written to the active drive, the same data is written to the mirror drive.
This provides a full level of redundancy for the data on the system. If one of the drives fails, the
other drive still has all the data that existed in the system. It is best to place OS files because it
provides full redundancy of data. It does not increase performance therefore it is not fit to store
SQL database files.
For SQL database files you should use RAID 5 array because it is the most powerful form of RAID
that can be found in a desktop computer system. This method uses a form of striping with parity to
maintain data redundancy. The parity bit shifts between the drives to increase the performance
and reliability of the data. The drive array will still have increased performance over a single drive
because the multiple drives can write the data faster than a single drive. The data is also fully
redundant because of the parity bits. In the case of drive 2 failing, the data can be rebuilt based on
the data and parity bits on the two remaining drives. Data capacity is reduced due to the parity
data blocks.
Reference : What is RAID?
http://compreviews.about.com/od/storage/l/aaRAIDPage1.htm
QUESTION NO: 109
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The company has recently merged with a partner company called TechKing.com and started using
a Windows Server 2008 server of that company called TechKingServer1. The server has five
internal SCSI hard disks that are connected to an onboard SCSI controller.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 121
Actu
alTe
sts.
com
You have planned to deploy the TechkingServer1 as a file server and place it in your company's
premises. You have to now plan for a storage strategy that ensures that the user data is physically
separated from the operating system data and maximum disk space is available for the data
storage.
You also need to ensure that if disk fails, the integrity of the data is maintained on the server and
the operating system server can start successfully. To achieve this, you only want to use the
hardware that is available on the server.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the answer)
A. Allocate three disks to a single RAID 5 volume for the user data.
B. Allocate four disks to a single RAID 5 volume for the user data.
C. Allocate three disks to a striped volume for the user data.
D. Allocate two disks to a mirrored volume for the operating system data.
E. Allocate one disk to a simple volume for the operating system data.
F. Allocate three disks to a mirrored volume for the operating system data.
G. Allocate all the disks to a single RAID 5 volume for the user data and for the operating system
data.
Answer: A,D
Explanation:
To ensure that if disk fails, the integrity of the data is maintained on the server and the operating
system server can start successfully, you need to allocate three disks to a single RAID 5 volume
for the user data and allocate two disks to a mirrored volume for the operating system data.
Two disks to a mirrored volume for the operating system data are created using RAID version 1,
which is the first real implementation of RAID. It provides a simple form of redundancy for data
through a process called mirroring. This form typically requires two individual drives of similar
capacity. One drive is the active drive and the secondary drive is the mirror. When data is written
to the active drive, the same data is written to the mirror drive.
This provides a full level of redundancy for the data on the system. If one of the drives fails, the
other drive still has all the data that existed in the system. It is best to place OS files because it
provides full redundancy of data.
A single RAID 5 volume for the user data is best because it is the most powerful form of RAID that
can be found in a desktop computer system. This method uses a form of striping with parity to
maintain data redundancy. The parity bit shifts between the drives to increase the performance
and reliability of the data. A minimum of three drives is required to build a RAID 5 array and they
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 122
Actu
alTe
sts.
com
should be identical drives for the best performance. The drive array will still have increased
performance over a single drive because the multiple drives can write the data faster than a single
drive. The data is also fully redundant because of the parity bits. In the case of drive 2 failing, the
data can be rebuilt based on the data and parity bits on the two remaining drives. Data capacity is
reduced due to the parity data blocks.
Reference : What is RAID?
http://compreviews.about.com/od/storage/l/aaRAIDPage1.htm
Reference : Planning the Layout and RAID Level of Volumes
http://technet.microsoft.com/en-us/library/cc786889.aspx
QUESTION NO: 110
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows XP Service Pack 1.
You have been assigned the task to plan the deployment of Distributed File System (DFS) to
provide redundancy in the event that a single server fails in the minimum cost. You also need to
ensure that the client computers reconnect to their preferred server after a server failure is
resolved.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the answer)
A. Upgrade all client computers to Windows XP Service Pack 2.
B. Upgrade all client computers to Windows Vista.
C. Implement a stand-alone DFS namespace, create folders, add multiple targets, and enable the
clients fail back to preferred targets option.
D. Implement a domain-based DFS namespace, add a second namespace server, and enable the
clients fail back to preferred targets option.
Answer: A,D
Explanation:
To plan the deployment of Distributed File System (DFS) with the given requirements, you need to
upgrade all client computers to Windows XP Service Pack 2 to use DFS and implement a domain-
based DFS namespace. You need to then add a second namespace server and enable the
Clients fail back to preferred targets option.
Rather than having every user in your organization access their files from the same server, you
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 123
Actu
alTe
sts.
com
can distribute the user workload across multiple DFS replicas rather than over burdening a single
server. Domain based namespaces should be used here because Domain based namespaces
require all servers to be members of an Active Directory domain. The DFS supports automatic
synchronization of DFS targets. Ina domain environment, a server is capable of hosting multiple
DFS roots that provides you with a degree of scalability.
Another reason for having multiple DFS replicas is because doing so provides you with a degree
of fault tolerance.DFS can also provide fault tolerance from the standpoint of protecting you
against network link failures.
You should add a second namespace server and enable the Clients fail back to preferred targets
option to ensure a client failback on the namespace (or on specific folders in your namespace).
So, when the failed target comes back online the client will fail back to that target as its preferred
target.
If your WAN links are unreliable, you might find your clients frequently accessing different targets
for the same folder. This can be a problem, for by default, DFS caches referrals for a period of
time (300 seconds or 5 minutes) so if a target server suddenly goes down the client will keep
trying to connect to the target and give an error instead of making the resource available to the
client from a different target. To prevent this from happening (especially non-optimal targets), you
can configure a client failback to preferred targets option on the namespace.
Reference : Configuring DFS Namespaces
http://www.windowsnetworking.com/articles_tutorials/Configuring-DFS-Namespaces.html
Reference : Planning a DFS Architecture, Part 1/ Planning a DFS Architecture, Part 2 / Domain-
Based Namespaces
http://www.petri.co.il/planning-dfs-architecture-part-one.htm
QUESTION NO: 111
You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows
Server 2008 and all client computers run Windows Vista.
You have been asked to deploy a distributed database application on a Windows Server 2008
server and design a storage strategy that allocates storage space to servers as required, isolates
storage traffic from the existing network, and ensures that data is available if a single disk or a
single storage controller fails
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the answer)
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 124
Actu
alTe
sts.
com
A. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).
B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.
C. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O.
D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS).
E. Configure the storage subsystem as a RAID 5 array.
F. Configure the storage subsystem as a RAID 0 array.
Answer: B,E
Explanation:
To deploy a distributed database application on a Windows Server 2008 server and design a
storage strategy with given requirements, you need to implement a Fibre Channel (FC) disk
storage subsystem that uses Microsoft Multipath I/O and configure a RAID 5 array.
The fibre channel (FC) technology and FC switches between servers and storage to create a
Storage Area Network (SAN). The connectivity the switches provide allows the connection of more
than one server to a storage system. This reduces the number of storage systems required. This
would allow a distributed database application multiple servers and design a storage strategy that
allocates storage space to servers as required.
Multipath I/O (MPIO) is a feature that provides support for using multiple data paths to a storage
device. Multipathing increases availability by providing multiple paths (path failover) from a server
or cluster to a storage subsystem.
If a server supports Microsoft Multipath I/O (MPIO), Storage Manager for SANs can provide path
failover by enabling multiple ports on the server for LUN I/O traffic. To prevent data loss in aFibre
Channel environment, make sure that the server supports MPIO before enabling multiple ports.
(On an iSCSI subsystem, this is not needed: the Microsoft iSCSI initiator (version 2.0) that is
installed on the server supportsMPIO.)
Reference : Support for Multipath I/O
http://technet.microsoft.com/en-us/library/cc771719.aspx
Reference : Using Fibre Channel to Reduce SCSI Storage Costs
http://dothill.com/assets/pdfs/storage_costs.pdf
QUESTION NO: 112
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest. All the servers in the domain run Windows Server 2008
and all client computers run Windows Vista.
The network contains a server that has the File Server role installed. The company has a few
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 125
Actu
alTe
sts.
com
users who use portable computers that run Windows Vista Business Edition. These users
sometimes access the corporate network from the remote locations.
You have been asked to design a data storage solution that ensures that remote users are able to
choose the documents that will be available when they are away from the network. You also need
to ensure that users need to store only minimum number of documents on their portable
computers and that time that users take to log in to the network is reduced.
Which of the following options would you choose to accomplish the desired task? (Select two.
Each correct answer will present a part of the answer)
A. Configure offline files
B. Deploy roaming profiles
C. Use local profiles
D. Implement folder redirection.
E. Enable automatic caching.
F. Enable manual caching.
Answer: A,F
Explanation:
To design a data storage solution that ensures that remote users are able to choose the
documents that will be available when they are away from the network configure offline files and
enable manual caching.
Offline Files allows you to keep using network files, folders, and applications when disconnected
from the network. The biggest beneficiaries of the Offline Files feature are users of mobile
computers who frequently connect and disconnect from the network to use their computers at
home or on the road. Now mobile users can be assured that they are working with the most up-to-
date versions of network files, navigate through mapped network drives even when disconnected,
and easily synchronize changes with the network when they plug back into the network.
In Manual Caching For Documents option, the only documents that will be cached are those that
the user specifically designates to be available offline.
The Automatic Caching For Documents cannot be used because with this option, when a user
opens a file in this shared folder, it will be automatically downloaded and made available offline
without the user specifying that it be an offline file. Older copies of a file will be deleted
automatically to make room for files that have been accessed more recently. With this option, a file
that the user has not opened while online will not be available offline.
Reference : Using Offline Files in Windows 2000
http://articles.techrepublic.com.com/5100-10878_11-5031596.html
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 126
Actu
alTe
sts.
com
Section 2, Plan high availability (10 Questions)
QUESTION NO: 113
You are an Enterprise administrator for CertKiller.com. All the servers on the network run either
Windows Server 2008 or Windows Server 2003 servers and all client computers run Windows
Vista.
The network contains a Windows Server 2003 server that runs Web-based application called
WebApp1. You have been assigned the task to migrate the Web-based application to Windows
Server 2008
To migrate the WebApp1, you need to prepare the server for the application. The server must
support the installation of .NET applications and the server configuration must ensure that the
application is available to all users if a single server fails in the minimum software cost? (Select
two. Each correct answer will present a part of the answer)
A. Install the full installation of Windows Server 2008 Datacenter Edition on two servers.
B. Install the Server Core installation of Windows Server 2008 Standard Edition on two servers.
C. Install the full installation of Windows Server 2008 Enterprise Edition on two servers.
D. Install the full installation of Windows Server 2008 Web Edition on two servers.
E. Configure the servers in a failover cluster.
F. Configure the servers in a Network Load Balancing cluster.
G. None of the above
Answer: D,F
Explanation:
To migrate the Web-based application to Windows Server 2008, you need to i nstall the full
installation of Windows Server 2008 Web Edition on two servers. Configure the servers in a
Network Load Balancing cluster.
Network load balancing is native to all editions of Windows Server 2008. Unlike failover clustering,
NLB does not require any special hardware,
Network load balancing (NLB), Windows Server 2008's other high-availability alternative, enables
an organization to scale server and application performance by distributing TCP/IP requests to
multiple servers, also known as hosts, within a server farm. This scenario optimizes resource
utilization, decreases computing time and ensures server availability. Typically, service providers
should consider network load balancing if their customer situation includes, but is not limited to,
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 127
Actu
alTe
sts.
com
Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access
servers.
Reference : Failover clustering, network load balancing drive high availability
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION NO: 114
You are an Enterprise administrator for CertKiller.com. The company has a head office and a
branch office that connect with each other by using WAN links. The corporate network of the
company consists of a single Active Directory domain and an Active Directory site exists for each
office.
All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers
run Windows Vista. You have been assigned the task to deploy a failover cluster solution to
service users in both offices.
Your failover cluster solution must use minimum number of servers and ensure that the availability
of services if a single server fails
Which of the following options would you choose to accomplish the desired goal?
A. Deploy a failover cluster that contains two nodes in each office, head office and branch office.
B. Deploy a failover cluster that contains two nodes in the head office.
C. Deploy a failover cluster that contains one node in the head office.
D. Deploy a failover cluster that contains one node in each office head office and branch office.
E. None of the above
Answer: D
Explanation:
To deploy a failover cluster solution to service users in both offices, you need to Deploy a failover
cluster that contains one node in each office head office and branch office
Windows Server 2008 supports the shared-nothing cluster model, in which two or more
independent servers, or nodes, share resources; each server owns and is responsible for
managing its local resources and provides nonsharing services. In case of a node failure, the
disks, resources and services running on the failed node fail over to a surviving node in the
cluster. For example, if an Exchange server is operating on node 1 of the cluster and it crashes,
the Exchange application and services will automatically fail over to node 2 of the cluster. This
model minimizes server outage and downtime. Only one node manages one particular set of
disks, cluster resources and services at any given time.
Failover clustering, network load balancing drive high availability
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 128
Actu
alTe
sts.
com
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION NO: 115
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and use internal storage only and all client computers run Windows Vista.
You have been assigned the task to deploy a six node cluster on the network. You need to ensure
that the cluster services are available even if two nodes of the cluster fail.
Which of the following features would you deploy to accomplish the desired task?
A. Terminal Services RemoteApp (TS RemoteApp)
B. Failover cluster that uses Node and File Share Disk Majority
C. Distributed File System (DFS) that uses replication
D. Failover cluster that uses No Majority: Disk Only
E. None of the above
Answer: B
Explanation:
To ensure that the cluster services are available even if three nodes of the cluster fail, you need to
deploy a failover cluster that uses Node and File Share Disk Majority.
The quorum configuration in a failover cluster determines the number of failures that the cluster
can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in
this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the
cluster configuration) or witness file share. It is essential that the cluster stop running if too many
failures occur or if there is a problem with communication between the cluster nodes.
Node and Disk Majority is (recommended for clusters with an even number of nodes) Can sustain
failures of half the nodes (rounding up) if the witness disk remains online and can sustain failures
of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a
six node cluster with a failed witness disk could sustain two (3-1=2) node failures.
Reference : Understanding Quorum Configurations in a Failover Cluster
http://technet.microsoft.com/en-us/library/cc731739.aspx
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 129
Actu
alTe
sts.
com
QUESTION NO: 116
Exhibit:
You are an Enterprise administrator for CertKiller.com. The company has a head office and four
branch offices. The corporate network of the company consists of a single Active Directory
domain. All the servers in the domain run Windows Server 2008 and all client computers run
Windows Vista.
Your network is configured as shown in the following diagram. Each office contains a File Server
that has a shared folder called SharedData.
You have been assigned the task to ensure the data availability of the SharedData folder in all of
the offices when a WAN link fails or a single server fails. You also need to ensure that the users
must be able to use existing drive mappings in case of WAN link or a server failure and minimum
network traffic over the WAN links.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the answer)
A. Stand-alone DFS namespace
B. Domain-based DFS namespace
C. Having DFS Replication in a hub and spoke topology
D. Having DFS Replication in a full mesh topology
Answer: B,C
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 130
Actu
alTe
sts.
com
Explanation:
To ensure the data availability of the SharedData folder in all of the offices when a WAN link fails
or a single server fails, you need to implement a domain-based DFS namespace that uses DFS
Replication in a hub and spoke topology
Domain based namespaces require all servers to be members of an Active Directory domain.
These types of environments support automatic synchronization of DFS targets. Ina domain
environment, a server is capable of hosting multiple DFS roots. It allows you to distribute the user
workload across multiple DFS replicas rather than over burdening a single server. In case a single
server fails the other servers can take over.
Two pre-defined topologies can be selected for DFS Replication. In this scenario DFS Replication
in a hub and spoke topology should be used. In this topology every hub member replicates with
the hub member, and if desired you can add a second hub member for fault tolerance (the two hub
members replicate with each other).
The hub and spoke topology is have a particular use for enterprises that havelarge headquarters
where the company's permanent IT staff are located and multiple small branch offices with little or
no on-site IT staff present.
Full Mesh topology cannot be used because it will cause too much network traffic. This is because
every member of the replication group replicates with every other member of the group. The full
mesh topology is useful mainly in large LAN environments where all subnets have high speed
connectivity and you are using DFS Namespaces together with
DFS Replication to provide fault-tolerant shared file resources to users.
Reference : Planning a DFS Architecture, Part 1/ Planning a DFS Architecture, Part 2 / Domain-
Based Namespaces
http://www.petri.co.il/planning-dfs-architecture-part-one.htm
Reference : Configuring and Using DFS Replication
http://www.windowsnetworking.com/articles_tutorials/Configuring-Using-DFS-Replication.html
QUESTION NO: 117
You are an Enterprise administrator for CertKiller.com. The company has a head office and a
branch office that connect with each other by using WAN links. The corporate network of the
company consists of a single Active Directory domain and an Active Directory site exists for each
office.
All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 131
Actu
alTe
sts.
com
run Windows Vista.
You have been assigned the task to deploy a failover cluster solution to service users in both
offices. The cluster must maintain the availability of services using minimum number of servers
when a single server fails.
Which of the following options would you choose to accomplish the desired task?
A. Deploy a failover cluster that contains two nodes in each office, head office and branch office.
B. Deploy a failover cluster that contains two nodes in the head office.
C. Deploy a failover cluster that contains one node in the head office.
D. Deploy a failover cluster that contains one node in each office head office and branch office.
E. None of the above
Answer: D
Explanation:
To deploy a failover cluster solution to service users in both offices and maintain the availability of
services using minimum number of servers when a single server fails, you need to deploy a
failover cluster that contains one node in each office head office and branch office.
Windows Server 2008 supports the shared-nothing cluster model, in which two or more
independent servers, or nodes, share resources; each server owns and is responsible for
managing its local resources and provides nonsharing services.
In case of a node failure, the disks, resources, and services running on the failed node fail over to
a surviving node in the cluster. For example, if an Exchange server is operating on node 1 of the
cluster and it crashes, the Exchange application and services will automatically fail over to node 2
of the cluster. This model minimizes server outage and downtime. Only one node manages one
particular set of disks, cluster resources and services at any given time .
Reference: Failover clustering, network load balancing drive high availability
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION NO: 118
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain.
The network contains two DHCP servers called CertKillerDHCP1 and CertKillerDHCP2 and 500
DHCP client computers that are located on a single subnet. A router that has a single IP address
on the internal interface separates the internal network from the Internet.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 132
Actu
alTe
sts.
com
CertKillerDHCP1 server is configured with:
Starting IP address: 172.16.0.1
Ending IP address: 172.16.3.254
Subnet mask: 255.255.248.0
Which of the following options would you choose to provide a fault-tolerant DHCP infrastructure for
the company that supports the client computers on the internal network? You need to configure
DHCP2 to ensure that all client computers must be able to obtain a valid IP address if a DHCP
server fails.
A. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address
of 172.17.0.1 and an ending IP address of 172.17.255.254.
B. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address
of 172.16.0.1 and an ending IP address of 172.16.15.254.
C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address
of 172.16.8.1 and an ending IP address of 172.16.15.254.
D. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address
of 172.16.4.1 and an ending IP address of 172.16.7.254.
E. None of the above
Answer: D
Explanation:
The subnet mask 255.255.248.0 means a /21 subnet. For load balancing you need to ensure that
the DHCP2 should be configured on the same network therefore, you need to select answer D
where the subnet is 172.16.0.0/21.
The /21 network can contain IP address range from 172.16.0.1 to 172.16.7.255, which means
2048 total hosts can be configured. DHCP1 already contains the IP address range from
172.16.0.1 to 172.16.3.254 to serve 500 hosts.
In case of the failure of DHCP1, another IP address range is required for the 500 computers that
the network has. Therefore DHCP2 can contain the range of 172.16.4.1 to 172.16.7.254
Reference : Subnet Addressing
http://www.networkcomputing.com/unixworld/tutorial/001.html
Reference : Effects of Subnetting a Class B Network
http://www.weird.com/~woods/classb.html
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 133
Actu
alTe
sts.
com
QUESTION NO: 119
You are an Enterprise administrator for CertKiller.com. The network of your company contains
4,000 client computers located on a single subnet and two DHCP servers. The DHCP servers are
named DHCP1 and DHCP2. A router that has a single IP address on the internal interface
separates the internal network from the Internet.
DHCP1 has the following scope information.
Starting IP address: 172.16.0.1
Ending IP address: 172.16.15.255
Subnet mask: 255.255.224.0
You need to configure DHCP2 in such a way that the network gets a fault-tolerant DHCP
infrastructure and all client computers are be able to obtain a valid IP address if a DHCP server
fails.
Which of the following options would you choose to configure the DHCP2?
A. Create a scope for the subnet 172.16.8.0/19. Configure the scope to use a starting IP address
of 172.16.16.1 and an ending IP address of 172.16.31.254.
B. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address
of 172.16.0.1 and an ending IP address of 172.16.15.254.
C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address
of 172.16.8.1 and an ending IP address of 172.16.15.254.
D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address
of 172.17.0.1 and an ending IP address of 172.17.255.254.
E. None of the above
Answer: A
Explanation:
The subnet mask 255.255.224.0 means a /19 subnet. For load balancing you need to ensure that
the DHCP2 should be configured on the same network therefore, you need to select answer A
where the subnet is 172.16.0.0/19.
The /19 network can contain IP address range from 172.16.0.1 to 172.16.31.255, which means
8190 total hosts can be configured. DHCP1 already contains the IP address range from
172.16.0.1 to 172.16.15.255 to serve 4000 hosts.
In case of the failure of DHCP1, another IP address range is required for the 4000 computers that
the network has. Therefore DHCP2 can contain the range of 172.16.16.1 to 172.16.31.254
Reference : Subnet Addressing
http://www.networkcomputing.com/unixworld/tutorial/001.html
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 134
Actu
alTe
sts.
com
Reference : Effects of Subnetting a Class B Network
http://www.weird.com/~woods/classb.html
QUESTION NO: 120
You are an Enterprise administrator for CertKiller.com. Which of the following options would you
choose to configure a fault-tolerant DHCP infrastructure in your company where two DHCP
servers exist? You need to ensure that all client computers are able to obtain a valid IP address if
a single DHCP server fails. The corporate network of the company contains 1,000 DHCP client
computers that are located on a single subnet
The DHCP servers are named as CertKillerDHCP1 and CertKillerDHCP2. A router having single
IP address on the internal interface is also configured on the corporate network to separate the
internal network from the Internet.
The CertKillerDHCP1 is configured with following scope information.
Starting IP address: 172.16.0.1
Ending IP address: 172.16.7.255
Subnet mask: 255.255.240.0
How should you configure CertKillerDHCP2?
A. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address
of 172.16.8.1 and an ending IP address of 172.16.15.254.
B. Create a scope for the subnet 172.16.8.0/21. Configure the scope to use a starting IP address
of 172.16.8.1 and an ending IP address of 172.16.10.254.
C. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address
of 172.16.0.1 and an ending IP address of 172.16.15.254.
D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address
of 172.17.0.1 and an ending IP address of 172.17.255.254.
E. None of the above
Answer: A
Explanation:
The subnet mask 255.255.240.0 means a /20 subnet. For load balancing you need to ensure that
the DHCP2 should be configured on the same network therefore, you need to select answer A
where the subnet is 172.16.0.0/20.
The /20 network can contain IP address range from 172.16.0.1 to 172.16.15.255, which means
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 135
Actu
alTe
sts.
com
4000 total hosts can be configured. DHCP1 already contains the IP address range from
172.16.0.1 to 172.16.7.255 to serve 1000 hosts.
In case of the failure of DHCP1, another IP address range is required for the 1000 computers that
the network has. Therefore DHCP2 can contain the range of 172.16.8.1 to 172.16.15.254
Reference : Subnet Addressing
http://www.networkcomputing.com/unixworld/tutorial/001.html
Reference : Effects of Subnetting a Class B Network
http://www.weird.com/~woods/classb.html
QUESTION NO: 121
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The company has created a web site which requires a very high availability and a high scalability
for the success of the company. You therefore publish the Web site on two Web servers.
You have to now deploy an availability solution for your Web servers and ensure that the Web site
is accessible even if a single server fails and the addition of more Web servers can be done for the
website without interrupting client connections
Which of the following options would you choose to create to accomplish the desired task?
A. A Network Load Balancing cluster
B. A failover cluster
C. application pools on each Web server
D. A Web farm on each Web server.
E. None of the above
Answer: A
Explanation:
To deploy an availability solution for your Web servers and ensure that the Web site is accessible
even if a single server fails and the addition of more Web servers can be done for the website
without interrupting client connections, you need to create a Network Load Balancing cluster.
Network load balancing (NLB), Windows Server 2008's other high-availability alternative, enables
an organization to scale server and application performance by distributing TCP/IP requests to
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 136
Actu
alTe
sts.
com
multiple servers, also known as hosts, within a server farm. This scenario optimizes resource
utilization, decreases computing time and ensures server availability. Typically, service providers
should consider network load balancing if their customer situation includes, but is not limited to,
Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access
servers.
When designing and implementing NLB server farms, it's common to start off with two servers for
scalability and high availability and then add additional nodes to the farm as Clearly, failover
clustering and network load balancing with Windows Server 2008 provide service providers with
options when designing and implementing high availability for their customers' mission-critical
servers and applications.
Reference : Failover clustering, network load balancing drive high availability
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
QUESTION NO: 122
You are an Enterprise administrator for CertKiller.com. The company consists of a branch office
and a head office. The corporate network of the company consists of a single Active Directory
domain. All the servers in the domain run Windows Server 2008 and all client computers run
Windows Vista.
The servers in both the offices are independent of each other and share resources. You want to
deploy a clustering solution that ensures high availability minimum downtime for the servers on the
network. You need to ensure that if a node fails, the disks, resources and services running on the
failed node fail over to a surviving node in the cluster.
Which of the following options would you choose to accomplish the desired task?
A. Create a Network Load Balancing cluster.
B. Create two application pools on each Web server.
C. Configure a Web garden on each Web server.
D. Configure a failover cluster.
E. None of the above
Answer: D
Explanation:
To ensure that if a node fails, the disks, resources and services running on the failed node fail over
to a surviving node in the cluster, you need to configure a failover cluster.
Windows Server 2008 supports the shared-nothing cluster model, in which two or more
independent servers, or nodes, share resources; each server owns and is responsible for
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 137
Actu
alTe
sts.
com
managing its local resources and provides nonsharing services.
In case of a node failure, the disks, resources and services running on the failed node fail over to a
surviving node in the cluster. This model minimizes server outage and downtime. Only one node
manages one particular set of disks, cluster resources and services at any given time.
Reference : Failover clustering, network load balancing drive high availability
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html
Section 3, Plan for backup and recovery (10 Questions)
QUESTION NO: 123
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The domain contains three domain controllers for which a full backup is performed each day.
Which of the following options would you choose to plan a recovery strategy for Active Directory
objects that allow objects in a backup to be compared to objects in the live Active Directory
database in the minimum administrative effort? (Select two. Each correct answer will present a
part of the solution.)
A. Restore the backup to a domain controller in a test forest.
B. Restore the backup to an alternate location.
C. Restore the backup to the original location.
D. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe).
E. Use the Activate Directory Installation wizard to create a new domain controller.
F. Create a snapshot using the Active Directory Service Utilities (Ntdsutil.exe).
Answer: B,D
Explanation:
To plan a recovery strategy for Active Directory objects, you need to restore the backup to an
alternate location. Mount the database using the Active Directory Database Mounting Tool
(Dsamain.exe).
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for
your organizations by providing a means to compare data as it exists in snapshots that are taken
at different times so that you can better decide which data to restore after data loss. This
eliminates the need to restore multiple backups to compare the ActiveDirectory data that they
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 138
Actu
alTe
sts.
com
contain. You need to restore the backup to an alternate location so that you can compare the data.
Reference : Active Directory Database Mounting Tool Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc753609.aspx
QUESTION NO: 124
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
You perform a full backup of the domain controllers every day.
Which of the following options would allow you to implement an Active Directory recovery strategy
that allows objects in a backup to be compared to objects in the live Active Directory database?
(Select two. Each correct answer will present a part of the solution.)
A. Restore the backup to a domain controller in a test forest.
B. Restore the backup to an alternate location.
C. Restore the backup to the original location.
D. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe).
E. Use the Activate Directory Installation wizard to create a new domain controller.
F. Create a snapshot using the Active Directory Service Utilities (Ntdsutil.exe).
Answer: B,D
Explanation:
To plan a recovery strategy for Active Directory objects, you need to restore the backup to an
alternate location. Mount the database using the Active Directory Database Mounting Tool
(Dsamain.exe).
The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for
your organizations by providing a means to compare data as it exists in snapshots that are taken
at different times so that you can better decide which data to restore after data loss. This
eliminates the need to restore multiple backups to compare the ActiveDirectory data that they
contain. You need to restore the backup to an alternate location so that you can compare the data.
Reference : Active Directory Database Mounting Tool Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc753609.aspx
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 139
Actu
alTe
sts.
com
QUESTION NO: 125
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory forest that contains an Active Directory domain. All the servers
in the domain run Windows Server 2003 and all client computers run Windows Vista.
The domain contains eight domain controllers. You upgraded one of the domain controllers to
Windows Server 2008 called CertKillerDC1. During the upgrade some of the Active Directory
object gets deleted.
You need to recover the deleted objects and plan for a recovery solution that ensures that allow
deleted objects to be recovered for up to one year after the date of deletion. Which of the following
options would you choose to accomplish the desired task?
A. On CertKillerDC1, enable shadow copies of the drive that contains the Ntds.dit file.
B. Configure daily backups of CertKillerDC1.
C. Increase the interval of the garbage collection process for the forest.
D. Increase the tombstone lifetime for the forest.
E. None of the above
Answer: D
Explanation:
To recover the deleted objects and plan for a recovery solution that allow deleted objects to be
recovered for up to one year after the date of deletion, you need to increase the tombstone lifetime
for the forest
If you need to restore your domain controller, or you need to make an authoritative restore of
Active Directory, you need a backup which is younger than 60 days (by default). The objects that
get deleted from Active Directory will remain as a tombstone.
The Tombstone is the object with limited attributes, such as the GUID, Name and SID of the
object, and the mark that it's deleted. The garbage collection of Active Directory takes care to
finally delete tombstones which are older than the tombstone-lifetime.
To avoid inconsistencies in object deletion, the tombstone lifetime is configured to be many times
larger than the worst-case replication latency. By default, the Active Directory tombstone lifetime is
sixty days. This value can be changed if necessary.
Reference : Active Directory Backup? Don't rush - you'll get more time
http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/26/39806.aspx
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 140
Actu
alTe
sts.
com
Reference : Changing the Tombstone Lifetime Attribute in Active Directory
http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm
QUESTION NO: 126
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the domain controllers in the domain run Windows
Server 2008 and all client computers run Windows Vista.
You have been assigned the task to implement a backup and recovery plan that restores the
domain controllers in the event of a catastrophic server failure. In your plan, you cannot use optical
drives for backup because according to the company's policy, the domain controllers cannot
contain optical drives for security reasons.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the solution.)
A. Use Windows Server Backup to back up each domain controller to a local disk.
B. Use Windows Server Backup to back up each domain controller to a remote network share.
C. Create a Windows Recovery Environment (Windows RE) partition on each domain controller.
D. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment
(Windows RE).
Answer: B,D
Explanation:
To implement a backup and recovery plan that restores the domain controllers in the event of a
catastrophic server failure, you need to use Windows Server Backup to back up each domain
controller to a remote network share. You can use Windows Server Backup to back up a full
server (all volumes), selected volumes, or the system state.
In case of disasters like hard disk failures or catastrophic server failure you can perform a system
recovery, which will restore your complete system onto the new hard disk, by using a full server
backup and the Windows Recovery Environment.
You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery
Environment (Windows RE). Windows Deployment Services enables you to deploy Windows
operating systems by using a network-based installation. This means that you do not have to
install each operating system directly from a CD or DVD. Therefore, you can avoid the use of
optical drive for backup.
Reference : Windows Server Backup Step-by-Step Guide for Windows Server 2008
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 141
Actu
alTe
sts.
com
http://technet.microsoft.com/en-us/library/cc770266.aspx
Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003
http://technet.microsoft.com/en-us/library/cc766320.aspx
QUESTION NO: 127
You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows
Server 2008 and all client computers run Windows Vista.
The network contains 3 file servers store user documents. You have been assigned the task to
implement a data recovery strategy that ensures that ensures that all data volumes on the file
server must be backed up daily without creating much impact on performance.
The recovery strategy must also be able to restore individual files if a disk fails. Besides, the users
must be able to retrieve previous versions of files without the intervention of an administrator.
Which of the following options would you choose to accomplish the desired task? (Select two.
Each correct answer will present a part of the solution.)
A. Use Windows Server Backup to perform a daily backup to an external disk.
B. Use Windows Server Backup to perform a daily backup to a remote network share.
C. Deploy File Server Resource Manger (FSRM).
D. Deploy Windows Automated Installation Kit (WAIK).
E. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies
on a separate physical disk.
F. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies
in the default location.
Answer: A,E
Explanation:
Use Windows Server Backup to perform a daily backup to an external disk.
Enable shadow copies for the volumes that contain shared user data. Store the shadow copies on
a separate physical disk.
FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server
2008. You can use FSRM to enhance your ability to manage and monitor storage activities on
your file server.
The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event
Log Integration, E-mail Notifications, and Automated Scripts.
You use a Quota function to manage disk usage on a volume in the File Server Resource
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 142
Actu
alTe
sts.
com
Manager (FSRM) and then you can enable the Shadow Copies feature on the volume
Shadow Copies for Shared Folders uses the Volume Shadow Copy Service to provide point-in-
time copies of files that are located on a shared network resource, such as a file server. With
Shadow Copies for Shared Folders, users can quickly recover deleted or changed files that are
stored on the network without administrator assistance, which can increase productivity and
reduce administrative costs. Shadow copies allow users to retrieve previous versions of files on
their own without the intervention of an administrator.
By default shadow copies are stored on the same drive volume of shared folders being backed up.
As a best practice, you should store the shadow copies on a separate physical disk as an extra
fault tolerance measure.
Reference : The Basics of Windows Server 2008 FSRM (File Server Resource Manager)
http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-
server-resource-manager.aspx
Reference : What Is Volume Shadow Copy Service?
http://technet.microsoft.com/en-us/library/cc757854.aspx
QUESTION NO: 128
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the domain controllers in the domain run Windows
Server 2008 and all client computers run Windows Vista.
You have been assigned the task to implement a backup and recovery plan that restores the
domain controllers and the client computers in the event of a catastrophic server failure.
Besides recovering the domain controller, you also want a provision to restore items from client
computers by choosing a backup and then selecting specific items from that backup to restore.
You want to restore an item by choosing the date of the backup version for the item you want to
restore. You want make sure that the backup is not taken on an optical drive.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the solution.)
A. Use Windows Server Backup to back up each domain controller and the client computers to a
local disk.
B. Use Ntbackup.exe tool to back up each domain controller and the client computers to a local
disk.
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 143
Actu
alTe
sts.
com
C. Use Windows Server Backup to back up each domain controller to a remote network share.
D. Create a Windows Recovery Environment (Windows RE) partition on each domain controller.
E. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment
(Windows RE).
Answer: C,E
Explanation:
To implement a backup and recovery plan that restores the domain controllers and the client
computers in the event of a catastrophic server failure, you need to use Windows Server Backup
to back up each domain controller to a remote network share. You can use Windows Server
Backup to back up a full server (all volumes), selected volumes, or the system state.
You can restore items by choosing a backup and then selecting specific items from that backup to
restore. You can recover specific files from a folder or all the contents of a folder. In addition,
previously, you needed to manually restore from multiple backups if the item was stored on an
incremental backup. But this is no longer trueâ"you can now choose the date of the backup
version for the item you want to restore
In case of disasters like hard disk failures or catastrophic server failure you can perform a system
recovery, which will restore your complete system onto the new hard disk, by using a full server
backup and the Windows Recovery Environment.
You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery
Environment (Windows RE). Windows Deployment Services enables you to deploy Windows
operating systems by using a network-based installation. This means that you do not have to
install each operating system directly from a CD or DVD. Therefore, you can avoid the use of
optical drive for backup.
Reference : Windows Server Backup Step-by-Step Guide for Windows Server 2008
http://technet.microsoft.com/en-us/library/cc770266.aspx
Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003
http://technet.microsoft.com/en-us/library/cc766320.aspx
QUESTION NO: 129
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The network contains 20 file servers contains two volumes, one for operating system and the other
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 144
Actu
alTe
sts.
com
for the data files. You have been assigned the task to plan a recovery strategy that ensures the
server continuity in case of the server failures. The recovery strategy must ensure the operating
system and the data files to be restored in the minimum amount of time.
Which of the following options would you choose to accomplish the desired goal? (Select two.
Each correct answer will present a part of the solution.)
A. Windows Automated Installation Kit (WAIK)
B. Windows Deployment Services (WDS)
C. Windows Recover Disk feature
D. Windows Server Backup feature
E. Volume Shadow Copies
F. Folder redirection
G. Windows Complete PC Restore
Answer: D,G
Explanation:
To plan a recovery strategy that ensures the server continuity in case of the server failures, you
need to use the Windows Server Backup feature and Windows Complete PC Restore
Complete PC Backup and Restore is a comprehensive, image-based backup tool to help you out
of a tight spot if you need to recover your entire system.While file restore is useful in cases of file
loss and data corruption, Windows Complete PC Restore is most useful for disaster recovery
when your PC malfunctions. Complete PC Backup and Restore is capable of restoring your entire
PC environment, including the operating system, installed programs, user settings, and data files.
Reference : Windows Complete PC Backup and Restore
http://www.microsoft.com/singapore/windows/products/windowsvista/features/details/completepcb
ackup.mspx
QUESTION NO: 130
You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows
Server 2008 and all client computers run Windows Vista.
The network contains 3 servers, a file server, a database server, and a messaging server. You
have been assigned the task to provide a backup infrastructure to create consistent backups of
open files and applications, database server, and the messaging server.
The solution must also be able to minimize the interruption to applications.
Which of the following options would you choose to accomplish the desired task?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 145
Actu
alTe
sts.
com
A. Use Windows Server Backup to perform a daily backup to an external disk.
B. Use Windows Server Backup to perform a daily backup to a remote network share.
C. Enable volume shadow copy service for the volumes that needs to be backed up.
D. Enable shadow copies for the volumes that contain shared user data.
E. None of the above
Answer: C
Explanation:
To create consistent backups of open files and applications, database server, and the messaging
server without interrupting the applications, you need to enable shadow copies for the volumes
that need to be backed up.
Applications that are running often keep their files open continuously. For backup, this can present
a problem because this prevents backup applications from accessing and copying these files to
backup media. Additionally, backing up servers that are running critical applications such as
databases or messaging services presents a unique challenge. These applications run in a volatile
state as a result of extensive optimizations that deal with huge flows of transactions and
messages.
Because these applications keep their data in a constant flux between memory and disk, it is
difficult to pinpoint the data that needs to be archived. The most straightforward solution is to
interrupt the application during backup, which puts the data into a stable state, but might result in
unacceptable amounts of downtime, particularly if the applications are large.
For both problems, the Volume Shadow Copy Service provides a solution by enabling a snapshot
of the data at a given point in time, while minimizing the interruption to applications.
Reference : What Is Volume Shadow Copy Service?
http://technet.microsoft.com/en-us/library/cc757854.aspx
QUESTION NO: 131
You are an Enterprise administrator for CertKiller.com. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows Server
2008 and all client computers run Windows Vista.
The client computers in the company run many applications, all applications all of which are
configured to save documents to the local Documents folder. You need to therefore plan a backup
strategy for the Documents folder for all the users in minimum amount of administrative effort
Which of the following options would you choose to accomplish the desired goal?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 146
Actu
alTe
sts.
com
A. Deploy agents to all client computers using System Center Operations Manager
B. Create a shared folder on a file server and then configure scheduled backups on each client
computer to store the backup files on the shared folder.
C. Use Group Policy objects (GPO) to implement folder redirection and then back up the folder
redirection target.
D. Run Windows Server Backup from a server and connect to each client computer.
E. None of the above
Answer: C
Explanation:
To plan a backup strategy for the Documents folder for all the users in minimum amount of
administrative effort, you need to use Group Policy objects (GPO) to implement folder redirection
and then back up the folder redirection target.
Folder Redirection is a Group Policy feature which enables you to redirect the system folders
containing the profile of a user on the network. Through the use of the Folder Redirection feature,
you can configure that the system folders' contents on the user remains the same, irrespective of
the particular computer which the user utilizes to log on to the system. The system folders for
which you can configure folder redirection include My Documents folder
Redirecting the My Documents folder ensures that users can access their data from any computer.
Because redirected folder data is stored on a network server, you can back up the data to an
offline storage media.
Reference : Implementing Folder Redirection using Group Policy
http://www.tech-faq.com/implementing-folder-redirection-using-group-policy.shtml
QUESTION NO: 132
You are an Enterprise administrator for CertKiller.com. The company has a head office and 20
branch offices. The corporate network of the company consists of a single Active Directory
domain. All the servers in the domain run Windows Server 2008 and all client computers run
Windows Vista.
Each branch office contains a file server that stores users' data. You have been assigned the task
to design a strategy for backing up the file servers and ensure that the backups are scheduled,
allow individual file recovery and a complete server recovery.
Besides this, your backup strategy must provide decentralized control over backups and recovery
in minimum administrative effort. Which of the following options would you choose to accomplish
the desired task?
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 147
Actu
alTe
sts.
com
A. Use Windows Server Backup to back up volumes to DVD.
B. Configure Volume Shadow Copies.
C. Use Windows Server Backup to back up to an external USB drive.
D. Install the Windows Recovery Disc feature and then create a Scheduled task that runs
recdisc.exe.
E. None of the above
Answer: C
Explanation:
To design a strategy for backing up the file servers and ensure that the backups are scheduled,
allow individual file recovery and a complete server recovery, you need to use Windows Server
Backup to back up to an external USB drive.
Backup to USB drives are easy and simple. It provides software and hardware features to make
connecting any USB device just about as foolproof as possible. Most backup software now
supports USB devices. External USB drives are highly portable and can be used to back up
several computers on the same drive.
You cannot use Windows Server Backup to back up volumes to DVD because Windows Server
Backup doesn't support system state or file level backups and restores when using DVDs. And
you can't schedule backups to DVD.
Reference : USB drive backup: Pros and cons
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1215078,00.html
Reference : Active Directory Backup and Restore in Windows Server 2008
http://technet.microsoft.com/en-us/magazine/cc462796.aspx
Microsoft 70-646: Practice Exam
"Pass Any Exam. Any Time." - www.actualtests.com 148