70-646 Pro: Windows Server 2008, Server Administrator (gattner.name/simon/public/microsoft/windows...)

Microsoft 70-646 70-646 Pro: Windows Server 2008, Server Administrator Practice Test Updated: Jan 19, 2010 Version

Upload: vubao

Post on 13-Mar-2018


QUESTION NO: 1

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of 200 Windows Server 2008 servers. The company has recently decided to open a new

branch office and moved 75 Windows Server 2008 servers from the existing office to the new

network segment.

Which of the following options would you choose to change the TCP/IP addresses on the 75

servers that have been moved to the new branch office by using the minimum amount of

administrative effort?

A. Use ServerManagerCMD tool and run it on the administrator's client computer.

B. Use the Netsh tool and run it on the administrator's client computer.

C. Use Remote Desktop to connect to each server to make the changes.

D. Visit each server to make the changes.

E. None of the above

Answer: B

Explanation:

To change the TCP/IP addresses on the 75 servers that have been moved to the new branch

office by using the minimum amount of administrative effort, you need to run the Netsh tool from

an administrator's client computer.

You can use NETSH to make dynamic IP address changes from a static IP address to DHCP

simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP

Address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you're working

on networks without DHCP and have a mobile computer that connects to multiple networks, some

of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows

Automatic Public IP Addressing.

Reference: 10 things you should know about the NETSH tool / #4: Using NETSH to dynamically change TCP/IP addresses

http://www.builderau.com.au/program/windows/soa/10-things-you-should-know-about-the-NETSH-tool/0,339024644,339272916,00.htm

Reference: 10 Windows Server 2008 Netsh commands you should know

http://www.windowsnetworking.com/articles_tutorials/10-Windows-Server-2008-Netsh-commands.html

Microsoft 70-646: Practice Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2


QUESTION NO: 2

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

runs 28 Windows Server 2008 servers and two Windows Server 2003 servers. One of the

Windows Server 2003 servers called CertKillerServer1 hosts an application called App1 and

another Windows Server 2003 server called CertKillerServer2 hosts the application called App2.

The App1 application uses the 32-bit installation of Windows Server 2003 and App2 application

uses the 64-bit installation of Windows Server 2003. You need to run both the applications on

Windows Server 2008 server.

Which of the following options would you choose for replacing the servers that host App1 and

App2 in the minimum cost amount? (Select three. Each correct answer will present a part of the

solution.)

A. Install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition.

B. Install two new servers that run 64-bit versions of Windows Server 2008 Enterprise Edition.

C. Install two new servers. On one of the servers install the 32-bit version of Windows Server 2008

Enterprise Edition and install the 64-bit version of Windows Server 2008 Enterprise Edition on the

other server.

D. Install the Hyper-V feature on the server(s).

E. Install Windows System Resource Manager (WSRM) on the server(s).

F. Install App1 and App2 in separate child virtual machines.

G. Install App1 on the 32-bit server. Install App2 on the 64-bit server.

Answer: A,D,F

Explanation:

For replacing the servers that host App1 and App2 in the minimum cost amount, you need to

install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. Install

the Hyper-V feature on the new server. Install App1 and App2 in separate child virtual machines.

Hyper-V consists of a 64-bit hypervisor that can run 32-bit and 64-bit virtual machines

concurrently. Therefore you need to install just one Windows Server 2008 to run these two

applications. You can then install the Hyper-V feature that would allow you to create virtual machines

and run both the applications as desired. Hyper-V virtualization works with single and

multi-processor virtual machines and includes tools such as snapshots, which capture the state of a

running virtual machine.

Reference : Microsoft Hyper-V Guide

http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1318785,00.html


QUESTION NO: 3

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

runs two Windows Server 2008 servers.

You have been asked to configure the Windows Server 2008 servers in such a way that they

support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if

a single server fails. (Select two. Each correct answer will present a part of the solution.)

Which of the following options would you choose to accomplish this task?

A. Install a full installation of Windows Server 2008 Standard Edition on the servers.

B. Install a full installation of Windows Server 2008 Enterprise Edition on the servers.

C. Install a Server Core installation of Windows Server 2008 Enterprise Edition on the servers.

D. Configure Network Load Balancing on the servers.

E. Configure failover clusters on the servers.

Answer: B,E

Explanation:

To configure the Windows Server 2008 servers in such a way that they support the installation of

Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails, you

need to install a full installation of Windows Server 2008 Enterprise Edition on the servers.

Configure failover clusters on the servers.

Failover clustering is a process in which the operating system and SQL Server 2008 work together

to provide availability in the event of an application failure, hardware failure, or operating-system

error. Failover clustering provides hardware redundancy through a configuration in which

mission-critical resources are transferred from a failing machine to an equally configured server

automatically.

Reference : SQL Server 2008 Pricing and Licensing / PASSIVE SERVERS / FAILOVER SUPPORT

http://download.microsoft.com/download/1/e/6/1e68f92c-f334-4517-b610-e4dee946ef91/2008%20SQL%20Licensing%20Overview%20final.docx

QUESTION NO: 4

You are an Enterprise administrator for CertKiller.com. The company has a head office and five

branch offices. The corporate network of the company consists of a single Active Directory

domain.


Each office contains a Windows 2000 Server domain controller and Windows Server 2008 member

servers. The physical security of the member servers was not reliable and servers could be

attacked.

Therefore, you decided to implement Windows BitLocker Drive Encryption (BitLocker) on the

member servers.

Which of the following options would you choose to ensure that you can access the BitLocker

volume even if the BitLocker keys are corrupted on the member servers and store the recovery

information at a central location? (Select two. Each correct answer will present a part of the

solution.)

A. Upgrade all domain controllers to Windows Server 2008.

B. Upgrade the domain controller that has the schema master role to Windows Server 2008.

C. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to

Windows Server 2008.

D. Use Group Policy to configure Public Key Policies.

E. Use Group Policy to enable a Data Recovery Agent (DRA).

F. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.

Answer: A,F

Explanation:

To ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on

the member servers and store the recovery information at a central location, you need to upgrade

all domain controllers to Windows Server 2008. Use Group Policy to enable Trusted Platform

Module (TPM) backups to Active Directory.

By default, no recovery information is backed up. Administrators can configure Group Policy

settings to enable backup of BitLocker or TPM recovery information.

All user interfaces and programming interfaces within BitLocker and TPM Management features

will adhere to your configured Group Policy settings. When these settings are enabled, recovery

information (such as recovery passwords) will be automatically backed up to Active Directory

whenever this information is created and changed.

Reference : BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM

Recovery Information to Active Directory

http://technet.microsoft.com/en-us/library/cc766015.aspx

QUESTION NO: 5


You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain that contains 100 Windows Server 2003 physical

servers having 64-bit hardware.

The company has given you the responsibility to consolidate the 100 physical servers into 30

Windows Server 2008 physical servers and send the remaining physical servers to the new

branch office that plans to open shortly.

Which of the following options would you choose to achieve the desired goal while ensuring the

maximum resource utilization by using existing hardware and software? You also need to ensure

that your solution would support 64-bit child virtual machines and maintain separate services

among the servers.

A. Install the Hyper-V feature on the existing hardware. Then convert the physical machines into

virtual machines.

B. Install the Microsoft Virtual PC. Then convert the physical machines into virtual machines.

C. Create the necessary host (A) records after consolidating services across the physical

machines.

D. Install Microsoft Virtual Server 2005 R2 on the existing hardware after installing Windows

Server 2008 on them. Then convert the physical machines into virtual machines.

E. None of the above

Answer: A

Explanation:

To ensure the maximum resource utilization by using existing hardware and software and to

ensure the support for 64-bit child virtual machines while maintaining separate services among the

servers, you need to install the Hyper-V feature to convert the physical machines into virtual

machines.

The Hyper-V feature provides a Physical-to-Virtual (P2V) Conversion Wizard that guides

administrators through the process of creating a virtual version of a physical server, including

creating images of physical hard disks, preparing the images for use in a VM, and creating the

final VM. The wizard can create virtual servers from physical servers and can run on Windows

Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled)

besides many other operating systems.

Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features

http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm

Section 2, Plan for automated server deployment (9 Questions)


QUESTION NO: 6

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain that contains a Windows Server 2008 server called

CertKillerServer1. The server runs the DHCP service on it for the network.

Your company has decided to add a few Windows Vista computers and Windows Server 2008

servers on the network.

You have been asked to prepare the network for the automated deployment of the above given

operating systems with the use of a Pre-boot Execution Environment (PXE) network adapter.

Which of the following options would you choose to accomplish this task?

A. Install Windows Automated Installation Kit (WAIK) on a new server.

B. Configure the Windows Deployment Services (WDS) server role on a new server.

C. Install Windows Automated Installation Kit (WAIK) on CertKillerServer1.

D. Configure the Windows Deployment Services (WDS) server role on CertKillerServer1.

E. None of the above

Answer: D

Explanation:

To prepare the network for the automated deployment of the above given operating systems with

the use of a Pre-boot Execution Environment (PXE) network adapter, you need to configure the

Windows Deployment Services (WDS) server role on CertKillerServer1.

Windows Deployment Services enables you to deploy Windows operating systems, particularly

Windows Vista and Windows Server 2008. You can use it to set up new computers by using a

network-based installation. This means that you do not have to install each operating system

directly from a CD or DVD. It is an extensible and higher-performing PXE server component.

You must have a functioning DHCP server with an active scope. To utilize PXE, WDS requires a

DHCP server. Therefore you need to configure WDS on CertKillerServer1.

Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /

What is Windows Deployment Services?

http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment


Services (WDS) and DHCP

http://technet.microsoft.com/en-us/library/bb680753.aspx

QUESTION NO: 7

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain.

Because the branch office was comparatively less secure, you decided to deploy a Read-only

Domain Controller (RODC) in the branch office so that branch office support technicians cannot

manage domain user accounts on the RODC. However, they should be able to maintain drivers

and disks on the RODC.

Which of the following options would you choose to manage the RODC to meet the desired goal?

A. Configure Administrator Role Separation on the RODC.

B. For the branch office support technicians, set NTFS permissions on the Active Directory

database to Read & Execute.

C. Configure the RODC to replicate the password for the branch office support technicians.

D. For the branch office support technicians, set NTFS permissions on the Active Directory

database to Deny Full Control.

E. None of the above

Answer: A

Explanation:

To ensure that branch office support technicians would not manage domain user accounts on the

RODC and should be able to maintain drivers and disks on the RODC, you need to configure the

RODC for Administrator Role Separation.

Administrator Role Separation specifies that any domain user or security group can be delegated

to be the local administrator of an RODC without granting that user or group any rights for the

domain or other domain controllers. Accordingly, a delegated administrator can log on to an

RODC to perform maintenance work on the server such as upgrading a driver. But the delegated

administrator would not be able to log on to any other domain controller or perform any other

administrative task in the domain.

Reference : RODC Features/ Administrator role separation

http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation


QUESTION NO: 8

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain that contain.

The company currently consists of a main office that has an Internet connection configured. The

company plans to open a new branch office in the near future and plans to connect the branch office

to the main office by using a WAN link having a limited bandwidth.

The branch office will not have access to the Internet and will contain 30 Windows Server 2008

servers. The installations of these servers must be automated and must be automatically

activated. Besides, the network traffic between the offices must be minimized.

Which of the following options would you include in your plan for the deployment of the servers in

the branch office?

A. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office,

implement a DHCP server and Windows Deployment Services (WDS).

B. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows

Deployment Services (WDS).

C. In the main office, implement Windows Deployment Services (WDS). In the branch office,

implement a DHCP server and implement the Key Management Service (KMS).

D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office,

implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).

E. None of the above

Answer: B

Explanation:

For the deployment of the servers in the branch office with the given requirements, you need to

implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services

(WDS) in the branch office.

The KMS key is used to activate computers against a service that you can host in your

environment, so you don't have to connect to Microsoft servers. To activate computers by using

KMS, you must have a minimum number of physical computers. The KMS key is installed on the

host computer only.

To activate the KMS host, you must have at least 25 computers running Windows Vista or

Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5

computers.

You need Windows Deployment Services (WDS) because it enables you to automate the


deployment of Windows operating systems. You can use it to set up new computers by using a

network-based installation. This means that you do not have to install each operating system

directly from a CD or DVD.

You must have a functioning DHCP server with an active scope so that WDS will utilize PXE.

Reference : Microsoft Product Activation

http://www.microsoft.com/licensing/resources/vol/default.mspx

Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /

What is Windows Deployment Services?

http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment

Services (WDS) and DHCP

http://technet.microsoft.com/en-us/library/bb680753.aspx

QUESTION NO: 9

You are an Enterprise administrator for CertKiller.com. The company has a head office and 250

branch offices. The corporate network of the company consists of a single Active Directory

domain.

All the domain controllers on the corporate network run Windows Server 2008. You have been

asked to deploy Read-only Domain Controllers (RODCs) in each designated branch office

because the physical security at branch office locations cannot be guaranteed.

While deploying the RODCs, you need to ensure that the RODC installation source files do not

contain cached secrets and the bandwidth used during the initial synchronization of Active

Directory Domain Services (AD DS) is minimized.

Which of the following options would you choose to accomplish the given task?

A. Back up the critical volumes of an existing domain controller by using Windows Server

Backup. Now build the new RODCs using the backup.

B. Using one of the domain controllers on the network, create a DFS Namespace that contains the

Active Directory database and then build the new RODCs by using an answer file.

C. Create RODC installation media using ntdsutil ifm and then build the RODCs from the RODC

installation media.

D. Perform a full backup of an existing domain controller using Windows Server Backup and then

use the backup to build the new RODCs.


E. None of the above

Answer: C

Explanation:


The new ntdsutil ifm subcommand can be used to create installation media. It can be used to

remove secrets, such as passwords, from the AD DS database, so that you can install a read-only

domain controller (RODC) without them. When you remove these secrets, the RODC installation

media is more secure if it must be transported to a branch office for an RODC installation.

Ntbackup.exe cannot remove cached secrets from the installation media.

Reference : Steps for Deploying an RODC/ Optional: Install RODC from media

http://technet.microsoft.com/en-us/library/cc754629.aspx

QUESTION NO: 10

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. You have been asked to deploy file servers that run

Windows Server 2008 and ensure that the file servers support volumes larger than 2 terabytes.

You also need to ensure that if a single server fails, access to all data is maintained and if a single

disk fails, the data redundancy is maintained. You also need to maximize the disk throughput.

Which of the following options would you choose to accomplish the assigned task? (Select 2. Each

correct answer will present a part of the solution)

A. Deploy a Windows Server 2008 server and connect an external storage subsystem to it that

supports Microsoft Multipath I/O.

B. Deploy a two-node failover cluster. Connect an external storage subsystem.

C. Configure the external storage subsystem as a RAID 1 array and format the array as an MBR

disk.

D. Configure the external storage subsystem as a RAID 10 array and format the array as a GPT

disk.

Answer: B,D

Explanation:

To ensure that if a single server fails, access to all data is maintained and if a single disk fails, the

data redundancy is maintained, you need to deploy a two-node failover cluster. Connect an

external storage subsystem. Configure the external storage subsystem as a RAID 10 array.

Format the array as a GPT disk.

Combining the different RAID levels gives us the option of RAID10. RAID10 is equivalent


to RAID1 + 0. So, you can have a few disks (at least 4 and always even numbers) and mirror the

drives two at a time. This gives the redundancy. Then you take those mirrors and combine them

into a RAID 0 stripe. This allows redundancy, faster read operations, and fast writes (avoiding a

parity calculation).

RAID1 is a mirror which is faster than a single disk, but not as fast for read operations as 3+ disks

(RAID1 is just 2 disks). RAID5 is a stripe with parity which is faster on read operations than RAID1

but not ideal for write operations because it is required to calculate a parity block of data.

Reference : Brad Kingsley's Blog

http://blogs.orcsweb.com/brad/archive/2007/08/06/raid10.aspx

QUESTION NO: 11

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. You have planned to install 10 new Windows Server

2008 servers on the network.

You want to automate the installation of the servers and activate the servers automatically. Which

of the following options would you choose to accomplish the desired goal?

A. Implement Multiple Activation Key (MAK) Independent Activation and Deployment Services

(WDS).

B. Implement Key Management Service (KMS) and Windows Deployment Services (WDS).

C. Use Multiple Activation Key (MAK) Independent Activation.

D. Implement a DHCP server and the Key Management Service (KMS).

E. None of the above

Answer: B

Explanation:

For the deployment of the servers in the branch office with the given requirements, you need to

implement Key Management Service (KMS), and Windows Deployment Services (WDS).

The KMS key is used to activate computers against a service that you can host in your

environment, so you don't have to connect to Microsoft servers. To activate computers by using

KMS, you must have a minimum number of physical computers. The KMS key is installed on the

host computer only.

To activate the KMS host, you must have at least 25 computers running Windows Vista or

Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5

computers.

You need Windows Deployment Services (WDS) because it enables you to automate the

deployment of Windows operating systems. You can use it to set up new computers by using a


network-based installation. This means that you do not have to install each operating system

directly from a CD or DVD.

Reference : Microsoft Product Activation

http://www.microsoft.com/licensing/resources/vol/default.mspx

Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 /

What is Windows Deployment Services?

http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

QUESTION NO: 12

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain.

Which of the following options would you choose to consolidate the 50 physical Windows Server

2003 servers into 10 physical Windows Server 2008 servers?

While consolidating, you need to ensure that the existing hardware and software are used

and 64-bit child virtual machines can be created. Which of the following options would you choose

to accomplish the desired task?

A. Install Microsoft Virtual PC.

B. Install the Hyper-V feature.

C. Consolidate services across the physical machines and create the necessary host (A) records.

D. Install Microsoft Virtual Server 2005 R2.

E. None of the above

Answer: B

Explanation:

To ensure that existing hardware and software is used and to ensure the support for 64-bit child

virtual machines, you need to install the Hyper-V feature to convert the physical machines into

virtual machines.

The Hyper-V feature provides a Physical-to-Virtual (P2V) Conversion Wizard that guides

administrators through the process of creating a virtual version of a physical server, including

creating images of physical hard disks, preparing the images for use in a VM, and creating the

final VM. The wizard can create virtual servers from physical servers and can run on Windows

Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled)

besides many other operating systems.


Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features

http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm

QUESTION NO: 13

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The company has decided to open 2 new branch

offices and deploy 1,000 new Windows Vista Enterprise Edition computers.

The Windows Vista installations need to be done using Pre-boot Execution Environment (PXE)

network adapters that those 1000 computers already have.

Which of the following options would you choose to ensure that 50 simultaneous installations of

Windows Vista can be done in the minimum amount of time and the impact of network operations

during the deployment of the new computers is minimized?

A. Install Windows Deployment Services (WDS) server role and configure all the routers with IP

Helper tables.

B. Install Windows Deployment Services (WDS) server role and configure each WDS server by

using legacy mode.

C. Install both Windows Deployment Services (WDS) server role and Transport Server role

services and then configure the Transport Server with a static multicast address range.

D. Install both Windows Deployment Services (WDS) server role and Transport Server role

services and then configure the Transport Server to use a custom network profile.

E. None of the above

Answer: C

Explanation:

To ensure that 50 simultaneous installations of Windows Vista can be done in the minimum amount of time in a

Pre-boot Execution Environment, you need to deploy the Windows Deployment Services (WDS)

server role and the Transport Server feature. You can install both the Deployment Server and

Transport Server role services (which is the default installation) or only Transport Server role

services.

The Windows Deployment Services (WDS) enables you to automate the deployment of Windows

operating systems. You can use it to set up new computers by using a network-based installation.

This means that you do not have to install each operating system directly from a CD or DVD.

You can configure Transport Server to enable you to boot from the network using Pre-Boot

Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or

both.

The Transport Server role service provides a subset of the functionality of Windows Deployment

Services. It contains only the core networking parts. You can use Transport Server to create

multicast namespaces that transmit data (including operating system images) from a stand-alone

server. The stand-alone server does not need Active Directory, DHCP, or DNS. You can

If multiple servers are using multicast functionality on a network (Transport Server, Deployment

Server, or another solution), it is important that each server is configured so that the multicast IP

addresses do not collide. Otherwise, you may encounter excessive traffic when you enable

multicasting. Note that each Windows Deployment Services server will have the same default

range. To work around this issue, specify static ranges that do not overlap to ensure that each

server is using a unique IP address.

Reference : Transport Server

http://technet.microsoft.com/en-us/library/cc771645.aspx

QUESTION NO: 14

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain that runs a 64-bit version of Windows Server 2008

server. The server has DHCP server role installed on it. The corporate network only uses IPv4.

The company has decided to deploy 50 new Windows Server 2008 servers. The installations need

to be done using Pre-boot Execution Environment (PXE) network adapters that are already

supported by the new computers. Besides, some of the new computers contain 64-bit hardware

and some of the servers contain 32-bit hardware.

Which of the following options would you choose to ensure the automated deployment of the new

servers in minimum hardware cost?

A. Deploy Windows Deployment Services (WDS) on two Windows Server 2008 servers. One for

the 64-bit server and the other for 32-bit server

B. Deploy Remote Installation Services (RIS) on two Windows Server 2003 servers having Service

Pack 2 installed. One for the 64-bit server and the other for 32-bit server

C. Deploy Windows Deployment Services (WDS) on the DHCP server

D. Deploy Remote Installation Services (RIS) on a 64-bit Windows Server 2003 server.

E. None of the above

Answer: C

Explanation:

To ensure the automated deployment of the new servers in minimum hardware cost in the given

scenario, you need to deploy Windows Deployment Services (WDS) on the DHCP server.

You must have a working DHCP server with an active scope on the network because Windows

Deployment Services uses PXE, which relies on DHCP for IP addressing.

Reference : Installing Windows Deployment Services

http://technet.microsoft.com/en-us/library/cc771670.aspx

Section 3, Plan infrastructure services server roles (10 Questions)

QUESTION NO: 15

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest having 20 domains configured under it.

All the domain controllers on the network run Windows Server 2008 and have the DNS role

installed on them. Your company has decided to replace a legacy Windows Internet Name Service

(WINS) environment with a DNS-only environment for the name resolution.

Which of the following options would you choose to support IPv4 and IPv6 environments, allow

single-label name resolution across all domains, and minimize the amount of NetBT traffic on the

network while replacing a legacy Windows Internet Name Service (WINS) environment?

A. Configure all the DNS zones to perform a WINS forward lookup.

B. Configure all the DNS zones to replicate as part of a custom Active Directory replication

partition.

C. Configure a GlobalNames zone on each domain controller.

D. Configure all the DNS zones to replicate to each DNS server in the forest.

E. None of the above

Answer: C

Explanation:

To support IPv4 and IPv6 environments, allow single-label name resolution across all domains,

and minimize the amount of NetBT traffic on the network while replacing a legacy Windows

Internet Name Service (WINS) environment with a DNS-only environment, you need to configure a

GlobalNames zone on each domain controller.

The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has

been introduced to assist organizations to move away from WINS and allow organizations to move

to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for

peer-to-peer name resolution.

The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most

commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified

Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides

NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all

name resolution will rely on DNS. It supports a dual IPv4 and IPv6 environment and uses only DNS

for name resolution.

Reference : Understanding the New GlobalNames Zone Functionality in Windows Server 2008

http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-windows-server-2008/

Reference : DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works

http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc

QUESTION NO: 16

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All servers on the corporate network run Windows

Server 2008 and all client computers run Windows Vista. The company has an enterprise

certification authority (CA).

You have been asked to install certificates automatically on each client computer and deploy the

certificates to all users by using a new certificate template with the minimum amount of effort. You

need to ensure that users have access to the new certificates when they log on to any client

computer in the domain.

Which of the following options would you choose to accomplish the given task? (Select two. Each

correct answer will form a part of the solution)

A. Configure autoenrollment of certificates.

B. Deploy an enterprise subordinate CA

C. Configure roaming user profiles.

D. Configure folder redirection.

E. Configure Credential Roaming.

Answer: A,E

Explanation:

To ensure that users have access to the new certificates when they log on to any client computer

in the domain while meeting other requirements, you need to configure autoenrollment of

certificates and Credential Roaming.

The autoenrollment process grants certificates based on certificate templates that are supplied

with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require

autoenrollment.

With the credential roaming functionality, managed environments can now store X.509 certificates,

certificate requests, and private keys specific to a user in Active Directory, independently from the

profile.

The credential roaming implementation in Windows Vista and Windows Server "Longhorn" is

additionally able to roam stored user names and passwords. This would ensure that users have

access to the new certificates when they log on to any client computer in the domain.

With credential roaming, once a domain user chooses in a Windows authentication dialog box to

cache or 'remember' the current credentials, the user will have the same experience on any

domain-joined computer that the user logs on to.

Reference : How can I enable digital certificate autoenrollment in Windows Server 2003?

http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificate-autoenrollment-in-windows-server-2003.html

Reference : About Credential Roaming

http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx

QUESTION NO: 17

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All domain controllers on the corporate network run

Windows Server 2008 and all client computers run either Windows Vista or Windows XP Service

Pack 1.

The corporate network contains 100 servers and 5,000 client computers. Which of the following

options would you choose to implement a VPN solution that allows you to store VPN passwords

as encrypted text and provide support for Suite B cryptographic algorithms?

In addition, it should support client computers that are configured as members of a workgroup and

allow automatic enrollment of certificates. (Select three. Each correct answer will form a part of the

answer.)

A. Upgrade the client computers to Windows Vista.

B. Upgrade the client computers to Windows XP Service Pack 2.

C. Implement an enterprise certification authority (CA) that is based on Windows Server 2008.

D. Implement a stand-alone certification authority (CA).

E. Implement an IPsec VPN that uses pre-shared keys.

F. Implement an IPsec VPN that uses certificate-based authentication.

Answer: A,C,F

Explanation:

To implement a VPN solution that allows you to store VPN passwords as encrypted text and

provide support for Suite B cryptographic algorithms, you need to upgrade the client computers to

Windows Vista and implement an enterprise certification authority (CA) that is based on Windows

Server 2008.

Support for Suite B cryptographic algorithms was added in Windows Vista Service Pack 1 (SP1) and in

Windows Server 2008. Suite B is a set of standards that are specified by the National Security

Agency (NSA). Suite B includes encryption algorithms.

To support client computers that are configured as members of a workgroup and allow automatic

enrollment of certificates, you need to implement an IPsec VPN that uses certificate-based

authentication.

IPsec deployments can take advantage of certificate-based authentication via

industry-standard X.509 digital certificates. ADCS in Windows Server 2008 provides customizable

services for creating and managing the X.509 certificates that are used in software security

systems that employ public key technologies. Organizations can use ADCS to enhance security by

binding the identity of a person, device, or service to a corresponding public key. ADCS also

includes features that allow you to manage certificate enrollment and revocation in a variety of

scalable environments.

Reference : Description of the support for Suite B cryptographic algorithms that was added in

Windows Vista Service Pack 1 and in Windows Server 2008

http://support.microsoft.com/kb/949856

Reference : iPhone and Virtual Private Networks (VPN)

http://images.apple.com/iphone/enterprise/docs/iPhone_VPN.pdf

QUESTION NO: 18

You are an Enterprise administrator for CertKiller.com. The corporate network of the company is

configured with a perimeter network as shown in the exhibit.

Exhibit:

The company uses an enterprise certification authority (CA) and a Microsoft Online Responder on

the internal network.

Which of the following options would you choose to implement a secure method for Internet users

to verify the validity of individual certificates with the use of minimum network bandwidth? (Select

two. Each correct answer will form a part of the answer.)

A. Install a stand-alone CA on a server on the perimeter network

B. Deploy a subordinate CA on the perimeter network.

C. Install Network Device Enrollment Service (NDES) on a server on the perimeter network.

D. Install a Network Policy Server (NPS) on a server on the perimeter network.

E. Redirect authentication requests to a server on the internal network.

F. Install IIS on a server on the perimeter network

G. Configure IIS to redirect requests to the Online Responder on the internal network.

Answer: F,G

Explanation:

To implement a secure method for Internet users to verify the validity of individual certificates with

the use of minimum network bandwidth, you need to install IIS on a server on the perimeter

network and configure IIS to redirect requests to the Online Responder on the internal network.

Windows Vista and the Windows Server® 2008 operating system will natively support both CRL

and Online Certificate Status Protocol (OCSP) as a method of determining certificate status. The

OCSP support includes both the client component as well as the Online Responder, which is the

server component.

The Online Responder Web proxy cache represents the service interface for the Online

Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI)

extension hosted by Internet Information Services (IIS).

When an application performs a certificate evaluation, the validation is performed on all certificates

in that certificate's chain. This includes every certificate from the end-entity certificate presented to

the application to the root certificate. It is an online process and is designed to respond to single

certificate status requests.

Reference : Online Responder Installation, Configuration, and Troubleshooting Guide

http://technet.microsoft.com/en-us/library/cc770413.aspx

QUESTION NO: 19

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network either run Windows

Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

The company possesses a public key infrastructure (PKI) that consists of an offline root

certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003.

You publish the certificates to the user accounts and the computer accounts in Active Directory.

Which of the following options would you choose to create a PKI solution for the Windows Vista

client computers and the Windows Server 2008 servers in such a way that the certificates must

support Suite B hashing and encryption algorithms and store private keys in Active Directory in

minimum amount of administrative effort?

A. Configure cross-certification between the CA hierarchies by creating a new PKI that uses

Windows Server 2008 CAs.

B. Install a new Windows Server 2008 enterprise subordinate CA.

C. Install a new Windows Server 2008 stand-alone subordinate CA.

D. Create a new Active Directory forest and configure one-way forest trusts between the two

forests by deploying a new PKI that uses Windows Server 2008 CAs.

E. None of the above.

Answer: B

Explanation:

To create a PKI solution for the Windows Vista client computers and the Windows Server 2008

servers that meets the desired requirements, you need to install a new Windows Server 2008

enterprise subordinate CA.

To use Suite B algorithms for cryptographic operations, you first need a Windows Server 2008-based

CA to issue certificates that are Suite B-enabled.

Suite B algorithms such as ECC are supported only on the Windows Vista® and Windows

Server 2008 operating systems. This means it is not possible to use those certificates on earlier

versions of Windows such as Windows XP or Windows Server 2003.

If you already have a PKI with CAs running Windows Server 2003 or where classic algorithms

are being used to support existing applications, you can add a subordinate CA on a server running

Windows Server 2008, but you must continue using classic algorithms.

Reference : Cryptography Next Generation / How should I prepare to deploy this feature?

http://technet.microsoft.com/en-us/library/cc730763.aspx

QUESTION NO: 20

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest called CertKiller.com. The forest contains two domains.

You want to configure another child domain called Branch3.CertKiller.com with two domain

controllers having the DNS server role installed.

You want to put all the users and computers in the new branch office in the branch3.CertKiller.com

domain. Which of the following options would you choose to implement a DNS infrastructure for

the child domain to ensure resources in the root domain and child domains are accessible by fully

qualified domain names?

Your solution must also provide name resolution services in the event that a single server fails for a

prolonged period of time and automatically recognize when new DNS servers are added to or

removed from the CertKiller.com domain.

A. Add conditional forwarders for CertKiller.com on both the domain controllers of

branch3.CertKiller.com domain. Next create a standard primary zone for branch.CertKiller.com.

B. On one of the domain controllers of branch3.CertKiller.com domain, create a standard primary

zone for CertKiller.com. On the other domain controller, create a standard secondary zone for

CertKiller.com.

C. On both the domain controllers of branch3.CertKiller.com domain, modify the root hints to

include the domain controllers for CertKiller.com. On one of domain controllers, create an Active

Directory integrated zone for branch.CertKiller.com.

D. On one of the domain controllers of branch3.CertKiller.com domain, create an Active Directory

Integrated zone for branch3.CertKiller.com and create an Active Directory Integrated stub zone for

CertKiller.com.

E. None of the above.

Answer: D

Explanation:

To implement a DNS infrastructure for the child domain to ensure resources in the root domain

and child domains are accessible by fully qualified domain names, you need to create an Active

Directory Integrated zone for branch3.CertKiller.com on one of the domain controllers of

branch3.CertKiller.com domain.

Active Directory Integrated zones store their zone information within Active Directory instead of

text files. The advantages of this new type of zone included using Active Directory replication for

zone transfers and allowing resource records to be added or modified on any domain controller

running DNS. In other words, all Active Directory Integrated zones are always primary zones as

they contain writable copies of the zone database. This would ensure that the name resolution

service will automatically recognize when new DNS servers are added to or removed from the

CertKiller.com domain.

You also need to create an Active Directory Integrated stub zone for CertKiller.com to ensure the

name resolution services in the event that a single server fails for a prolonged period of time. It

contains copies of all the resource records in the corresponding zone on the master name server.

A stub zone is like a secondary zone in that it obtains its resource records from other name

servers (one or more master name servers). Stub zones can be used instead of secondary zones

to reduce the amount of zone transfer traffic over the WAN link connecting the two companies.

When Active Directory-integrated stub zones are hosted in separate sites, you can update them

using a local list of master servers in each site.

Reference : DNS Stub Zones in Windows Server 2003

http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

Reference: Host Name Resolution Overview

http://www.tech-faq.com/planning-and-implementing-a-dns-namespace.shtml

QUESTION NO: 21

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

three branch offices. The corporate network of the company consists of a single Active Directory

domain.

Each office contains an Active Directory domain controller. Which of the following options would

you choose to create a DNS infrastructure for the network that would allow the client computers in

each office to register DNS names within their respective offices? You also need to ensure that the

client computers must be able to resolve names for hosts in all offices.

A. For each office site, create a standard primary zone.

B. For the head office site, create a standard primary zone and for each branch office site, create

an Active Directory-integrated stub zone.

C. For the head office site, create a standard primary zone at the head office site and for each

branch office site, create a secondary zone.

D. Create an Active Directory-integrated zone at the head office site.

E. None of the above.

Answer: D

Explanation:

To create a DNS infrastructure for the network that would allow the client computers in each office

to register DNS names within their respective offices and to ensure that the client computers must

be able to resolve names for hosts in all offices, you need to create an Active Directory-integrated

zone at the head office site.

Active Directory Integrated zones store their zone information within Active Directory instead of

text files. This ensures that the client computers can resolve names for hosts in all offices. The

advantages of this new type of zone included using Active Directory replication for zone transfers

and allowing resource records to be added or modified on any domain controller running DNS. In

other words, all Active Directory Integrated zones are always primary zones as they contain

writable copies of the zone database.

Reference : DNS Stub Zones in Windows Server 2003

http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

QUESTION NO: 22

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest called CertKiller.com. The forest contains five domains.

The domain controllers on the network run Windows Server 2008 and have the DNS server role

installed.

Your company has decided to replace a legacy Windows Internet Name Service (WINS)

environment with a DNS-only environment for name resolution.

Which of the following options would you choose to plan the infrastructure for name resolution to

support IPv4 and IPv6 environments, enable single-label name resolution across all domains, and

minimize the amount of NetBIOS over TCP/IP (NetBT) traffic on the network?

A. Implement custom Active Directory replication partition and modify each DNS zone to replicate

as part of it

B. Configure each DNS zone to perform a WINS forward lookup.

C. Configure each DNS zone to replicate to each DNS server in the forest.

D. Configure a GlobalNames zone on each domain controller.

E. None of the above.

Answer: D

Explanation:

To replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only

environment for name resolution with given requirements, you need to configure a GlobalNames

zone on each domain controller.

The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has

been introduced to assist organizations to move away from WINS and allow organizations to move

to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for

peer-to-peer name resolution.

The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most

commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified

Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides

NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all

name resolution will rely on DNS. It supports a dual IPv4 and IPv6 environment and uses only DNS

for name resolution.

Reference : Understanding the New GlobalNames Zone Functionality in Windows Server 2008

http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-windows-server-2008/

Reference : DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works

http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc

QUESTION NO: 23

You are an Enterprise administrator for CertKiller.com. Your company possesses a stand-alone

root certification authority (CA) for the corporate network.

The corporate network contains a Windows Server 2008 server called CertKillerServer1. You

issue a server certificate to CertKillerServer1 and deploy Secure Socket Tunneling Protocol

(SSTP) on CertKillerServer1 for secure browsing.

Which of the following options would you choose to ensure that the external partner computers

would be allowed to access internal network resources by using SSTP?

A. Terminal Services Session Broker role service

B. Firewall to allow inbound traffic on TCP Port 1723

C. Root CA certificate on external computers

D. Network Access Protection (NAP) on the network

E. None of the above.

Answer: C

Explanation:

To ensure that the external partner computers would be allowed to access internal network

resources by using SSTP, you need to deploy the Root CA certificate to the external computers.

SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and

Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol

(PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be

more easily established through a firewall or through a Network Address Translation (NAT) device.

Also, this feature allows for a VPN connection to be established through an HTTP proxy device.

Generally, if the client computer is joined to the domain and if you use domain credentials to log

on to the VPN server, the certificate is automatically installed in the Trusted Root Certification

Authorities store. However, if the computer is not joined to the domain or if you use an alternative

certificate chain, you may need to deploy the Root CA certificate to the external computers.

Reference : How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection

failures in Windows Server 2008

http://support.microsoft.com/kb/947031

QUESTION NO: 24

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network either run Windows

Server 2003 or Windows Server 2008 and all client computers run Windows Vista or Windows XP

SP2.

You have been assigned the task to implement Encrypting File System (EFS) for all the client

computers on the network and ensure that users must be able to access their EFS certificates on

any client computers.

You also need to ensure that if a client computer's disk fails, the EFS certificates must be

accessible and only the minimum amount of data is transferred across the network when a

user logs on to or off from a client computer.

Which of the following options would you choose to accomplish the assigned task?

A. Smart cards

B. Credential roaming

C. Roaming user profiles

D. Data Recovery Agent

E. None of the above.

Answer: B

Explanation:

Since credential roaming is not part of Windows XP SP2, the feature is available as a separate

software update that can be deployed in Windows XP SP2 computers. The credential roaming

functionality is also implemented as a core feature in Windows Vista.

Credential roaming can enhance the use of Encrypting File System (EFS) in various ways, for

example, roaming EFS certificates that are signed by a CA or are self-signed. With the credential

roaming functionality in the CSC, managed environments can now store X.509 certificates,

certificate requests, and private keys specific to a user in Active Directory, independently from the

profile.

The credential roaming implementation in Windows Vista is additionally able to roam stored user

names and passwords. Users typically maintain stored user names and passwords of certain Web

sites or file servers that do not have a default trust relationship with the user's computer. With

credential roaming, once a domain user chooses in a Windows authentication dialog box to cache

or 'remember' the current credentials, the user will have the same experience on any domain-

joined computer that the user logs on to.

Reference : About Credential Roaming

http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx

Reference : Configuring and Troubleshooting Certificate Services Client-Credential Roaming /

Using Encrypting File System

http://technet.microsoft.com/en-us/library/cc700823.aspx

Section 4, Plan application servers and services (4 Questions)

QUESTION NO: 25

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The network contains three servers that run Windows

Server 2000 and a few custom applications.

The applications on these servers are incompatible with each other, incompatible with Windows

Server 2008, and consume less than 10 percent of the system resources. The company has

decided to update all the servers to Windows Server 2008.

As an Enterprise administrator of the company, you have been assigned the task to migrate the

applications to new Windows Server 2008 servers at minimum hardware cost.

Which of the following two options would you choose to accomplish the assigned task? (Select

two. Each selected option will present a part of the answer.)

A. Deploy one new server that runs Windows Server 2008 Enterprise Edition.

B. Deploy three new servers that run Windows Server 2008 Standard Edition.

C. Deploy one new server that runs Windows Server 2008 Datacenter Edition.

D. Install the Windows System Resource Manager (WSRM) feature on the new server.

E. Configure Windows 2000 compatibility mode for each application.

F. Install the Hyper-V feature on the new server. Create three child virtual machines.

G. Install the Desktop Experience feature.

Answer: A,F

Explanation:

To migrate the applications to new Windows Server 2008 servers at minimum hardware cost, you

need to deploy one new server that runs Windows Server 2008 Enterprise Edition, install the

Hyper-V feature on the new server, and then create three child virtual machines, one for each

application.

The application virtualization of the Hyper-V feature helps isolate the application running environment from

the operating system install requirements by creating application-specific copies of all shared

resources and helps reduce application to application incompatibility and testing needs.

With Microsoft SoftGrid, desktop and network users can also reduce application installation time

and eliminate potential conflicts between applications by giving each application a virtual

environment that's not quite as extensive as an entire virtual machine. By providing an abstracted

view of key parts of the system, application virtualization reduces the time and expense required to

deploy and update applications.

Reference : Windows Server 2008 Hyper-V Product Overview - An Early look Application

Virtualization

http://download.microsoft.com/download/4/2/b/42bea8d6-9c77-4db8-b405-6bffce59b157/WS08%20Virtualization%20Product%20Overview.doc

QUESTION NO: 26

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain and an Active Directory site exists for each office. All the domain controllers on the

network run Windows Server 2008.

You have been assigned the task to modify the DNS infrastructure in such a way that the DNS

service is available even if a single server fails, the synchronization data that is sent between DNS

servers is encrypted and dynamic updates are supported on all DNS servers.

Which of the following options would you choose to accomplish the given task? (Select two. Each

selected option will present a part of the answer.)

A. Install the DNS server role on a domain controller in the head office and on a Read-Only

Domain Controller (RODC) in the branch office.

B. Install the DNS server role on a domain controller in the head office and on a domain controller

in the branch office.

C. Install the DNS server role on two servers. Create a primary zone on the DNS server in the

head office.

D. Configure DNS to use Active Directory integrated zones.

E. Create a secondary zone on the DNS server in the branch office.

F. Install the DNS server role on two servers. Create a primary zone and a GlobalNames zone on

the DNS server in the head office.

G. Create a GlobalNames zone on the DNS server in the branch office.

Answer: B,D

Explanation:

To modify the DNS infrastructure in such a way that the DNS service is available even if a single

server fails, you need to install the DNS server role on a domain controller in the head office and

on a domain controller in the branch office and then configure DNS to use Active Directory

integrated zones.

This would also ensure that the synchronization data that is sent between DNS servers is

encrypted and dynamic updates are supported on all DNS servers.

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it

is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone

transfers, because all zone data is replicated automatically by means of Active Directory

replication. This simplifies the process of deploying DNS and provides the following advantages:

Multiple masters are created for DNS replication. Therefore:

Any domain controller in the domain running the DNS server service can write updates to the

Active Directory-integrated zones for the domain name for which they are authoritative. A separate

DNS zone transfer topology is not needed.

Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control

which computers update which names, and prevent unauthorized computers from overwriting

existing names in DNS.

Active Directory-integrated DNS in Windows Server 2008 stores zone data in application directory

partitions. (There are no behavioral changes from Windows Server 2003-based DNS integration

with Active Directory.)

Reference : Active Directory-Integrated Zones

http://technet.microsoft.com/en-us/library/cc772746.aspx

QUESTION NO: 27

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows

Server 2008 and all client computers run Windows Vista Service Pack 1. The corporate network is

connected to the Internet through a firewall.

Which of the following options would you choose to allow remote access to the servers on your

network while ensuring that all the remote connections and all remote authentication attempts to the

servers are encrypted? You also need to ensure that only inbound connections to TCP port 80 and

TCP port 443 are allowed on the firewall.

A. Point-to-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE)

B. Microsoft Secure Socket Tunneling Protocol (SSTP)

C. Internet Protocol security (IPsec) and network address translation traversal (NAT-T).

D. Internet Protocol security (IPsec) and certificates

E. None of the above

Answer: B

Explanation:

To allow remote access to the servers on your network while ensuring that all the remote

connections and all remote authentication attempts to the servers are encrypted and to ensure

that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall, you

need to install Microsoft Secure Socket Tunneling Protocol (SSTP).

The Microsoft Secure Socket Tunneling Protocol (SSTP) is a mechanism to transport data-link layer

(L2) frames on a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connection.

The protocol currently supports only the Point-to-Point Protocol (PPP) link layer.

The SSTP server directly accepts the HTTPS connection, which is similar to a virtual private

network (VPN) server positioned on the edge of a network. The Secure Sockets Layer/Transport

Layer Security (SSL/TLS) certificate is deployed on the SSTP server.

Introduction

http://msdn.microsoft.com/en-us/library/cc247339.aspx

Reference : The Cable Guy The Secure Socket Tunneling Protocol SSTP in Windows

http://technet.microsoft.com/en-us/magazine/cc162322.aspx

QUESTION NO: 28

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the domain controllers on the network run

Windows Server 2008 and all client computers run Windows Vista.

The company plans to collaborate on a project with an external partner company called

TechKing.com. The TechKing.com domain also consists of an Active Directory domain that runs

Windows Server 2008 domain controllers.

You have been assigned the task to design a collaboration solution that allows the users of both

the companies to prevent sensitive documents from being forwarded to untrusted recipients or

from being printed.

Besides, the users of TechKing.com should be allowed to access the protected content in

CertKiller.com to which they have been granted rights. You need to ensure that all inter-

organizational traffic is sent over port 443.

Which of the following options would you choose to accomplish the desired goal in a minimum

amount of the administrative effort? (Select two. Each selected option will present a part of the

answer.)

A. Establish a federated trust between your company and the external partner.

B. Establish an external forest trust between your company and the external partner.

C. Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and

that has the Active Directory Rights Management Services (AD RMS) role installed.

D. Deploy a Windows Server 2008 server that has the Active Directory Rights Management

Service (AD RMS) role installed and the Windows SharePoint Services role installed.

E. Deploy a Windows Server 2008 server that has the Active Directory Certificate Services role

installed. Implement Encrypting File System (EFS).

F. Deploy a Windows Server 2008 server that has the Windows SharePoint Services role installed.

Answer: A,C

Explanation:

To design a collaboration solution that allows the users of both the companies to prevent sensitive

documents from being forwarded to untrusted recipients or from being printed, you need to

establish a federated trust between your company and the external partner. Deploy a Windows

Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active

Directory Rights Management Services (AD RMS) role installed.

With a federation trust, you can extend Active Directory to allow for the sharing of resources

securely in a B2B environment. Once the federation trust is established, authentication requests

that are made to the Intranet server in the resource domain can flow through the federation trust

from users who are located in the domain where the accounts are located without issue.

Active Directory Rights Management Services (AD RMS) is an information protection technology

that works with AD RMS-enabled applications to help safeguard digital information from

unauthorized use. Content owners can define who can open, modify, print, forward, or take other

actions with the information.

Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting

them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate

network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS

infrastructure is to be able to protect documents that are downloaded from the Office SharePoint

Server 2007 server by users of any given organization.

Reference : Window Server 2003 R2, what's new with Active Directory? / Federation Trust

http://www.windowsnetworking.com/articles_tutorials/Window-Server-2003-R2-New-Active-Directory.html

Reference : Windows Server 2008: Active Directory Rights Management Services (AD RMS)

http://www.keepingitreal.nu/2008/07/windows-server-2008-active-directory_7307.html

Reference : Deploying Active Directory Rights Management Services with Microsoft Office

SharePoint Server 2007 Step-By-Step Guide

http://technet.microsoft.com/en-us/library/cc753046.aspx

Section 5, Plan file and print server roles (9 Questions)

QUESTION NO: 29

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain. All the servers on the network run Windows Server 2008 and all client computers run

Windows Vista.

The branch office contains a Windows Server 2008 member server named BranchServer1 that

has the File Services server role installed on it. The Active Directory contains an organizational unit

(OU) called BranchOU to keep the computer objects for the servers in the Branch office.

Besides the OU, a global group called Branch-adm also exists in AD to keep the user accounts for

the administrators in the branch office. Till now the administrators on the corporate network

manage the shared folders on the servers in the Branch office.

However, you now want to ensure that the members of Branch-adm can create shared folders on

BranchServer1. Which of the following options would you choose to accomplish this task?

A. Assign Full Control permissions on the BranchOU.

B. Add the Branch-adm group to the Power Users local group on BranchServer1.

C. Create Shared Folders permissions on the BranchOU.

D. Add the Branch-adm group to the Administrators local group on BranchServer1.

E. None of the above

Answer: D

Explanation:

To ensure that the members of Branch-adm can create shared folders on BranchServer1, you

need to add the Branch-adm group to the Administrators local group on BranchServer1.

Administrators is a local group that provides full administrative access to an individual computer or

a single domain, depending on its location. Because this account has complete access, you

should be very careful about adding users to this group. To make someone an administrator for a

local computer or domain, all you need to do is make that person a member of this group. Only

members of the Administrators group can modify this account.

Reference : Using Default Group Accounts

http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference : Securing the Local Administrators Group on Every Desktop

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION NO: 30

You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows

Server 2008.

The company has assigned you the task to plan a data storage solution for the company by

utilizing the existing network infrastructure and ensuring that the storage space to the servers is

allocated as needed. You also need to ensure the maximum performance and the maximum fault

tolerance in your solution.

To begin with, you decided to deploy eight file servers on the network and connect them to

Ethernet switches. Which of the following options will you include next in your plan to accomplish

the desired goal? (Select two. Each selected option will present a part of the answer.)

A. Install Windows Server 2008 Datacenter Edition on each server.

B. Install Windows Server 2008 Enterprise Edition on each server.

C. Install Windows Server 2008 Standard Edition on each server.

D. Deploy the servers in a failover cluster and deploy an iSCSI storage area network (SAN).

E. Deploy the servers in a Network Load Balancing (NLB) cluster and map a network drive on

each server to an external storage array.

F. Deploy the servers in a Network Load Balancing (NLB) cluster and implement RAID 5 on each

server.

G. Deploy the servers in a failover cluster and deploy a Fibre Channel (FC) storage area network

(SAN).

Answer: A,D

Explanation:

To plan a data storage solution for the company to ensure the maximum performance and the

maximum fault tolerance, you need to install Windows Server 2008 Datacenter Edition on each

server and deploy the servers in a failover cluster. Next deploy an iSCSI storage area network

(SAN).

The Datacenter Edition supports both iSCSI storage and failover clustering. The failover clustering

will ensure the fault tolerance. A popular SAN protocol, iSCSI allows clients to send SCSI

commands to storage devices on remote servers. Unlike Fibre Channel, which requires special-

purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

The iSCSI is a protocol that allows two hosts to send SCSI commands over a TCP/IP network. By

doing this, you can use SCSI but free yourself of the limitations of traditional SCSI cabling and,

instead, use your LAN to connect your SCSI PCs and Server to your SCSI storage.

iSCSI is a type of storage area network (SAN) and it is typically compared to Fibre Channel (FC) -

its much more expensive competitor.

With iSCSI you have a client who needs access to the storage on the server. The client uses

initiator software (making it the initiator) to connect to the storage server (called the target).

Reference : What is iSCSI?

http://www.windowsnetworking.com/articles_tutorials/Connect-Windows-Server-2008-Windows-Vista-iSCSI-Server.html

QUESTION NO: 31

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain, which runs at the functional level of Windows Server 2008. All the servers on the network

run Windows Server 2008 and all client computers run Windows Vista.

You have been asked to design a file sharing strategy that ensures that the users in both the

offices must be able to access the same files using the same Universal Naming Convention (UNC)

path to access the files.

The users must be able to access files even if a server fails. While designing your file sharing

strategy, you need to take care that your design reduces the amount of bandwidth used to

access files.

To start with you deployed file servers on the network. Which of the following options would you

choose next to accomplish this task?

A. Domain-based DFS namespace using replication

B. Stand-alone DFS namespace using replication

C. Multi-site failover cluster having two servers, one located in the head office and another in the

branch office

D. Network Load Balancing cluster having two servers, one located in the head office and another

in the branch office.

E. None of the above

Answer: A

Explanation:

To design a file sharing strategy that meets the given requirements, you need to configure a

domain-based DFS namespace that uses replication.

The domain based namespaces require all servers to be members of an Active Directory domain.

This environment supports automatic synchronization of DFS targets.

The domain-based DFS enables multiple replications that provide you with a degree of

scalability. Rather than having every user in your organization access their files from the same

server, you can distribute the user workload across multiple DFS replicas rather than

overburdening a single server. This ensures that the users in both the offices must be able to access

the same files using the same Universal Naming Convention (UNC) path to access the files in

reduced bandwidth.

Another reason for having multiple DFS replicas is because doing so provides you with a degree

of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you

against network link failures. The fault tolerance ensures that users are able to access files even if

a server fails.

Reference : Planning a DFS Architecture, Part 1, Planning a DFS Architecture, Part 2 / Domain-

Based Namespaces

http://www.petri.co.il/planning-dfs-architecture-part-one.htm

QUESTION NO: 32

You are an Enterprise administrator for CertKiller.com. The company has a head office and a

branch office. The corporate network of the company consists of a single Active Directory domain.

All the servers on the network run Windows Server 2008.

The company has four domain administrators and two support technicians, which are located in

the head office and the branch office respectively.

Which of the following options would you choose to deploy a new Windows Server 2008 server in

the branch office? You want to minimize the security privileges granted to the support technicians.

However, you want to ensure that the support technicians are allowed to install server roles and

are allowed to stop and start services.

A. Configure the restricted enrollment agent on the new Windows Server 2008 server and then

create a permissions list for the support technicians.

B. Create a new organizational unit (OU) for the support technicians permission and then assign

them the permissions to modify objects in the new OU. Put the new Windows Server 2008 server

in the new OU.

C. Add the support technicians to the Domain Admins group.

D. Assign the support technicians to the Administrators group on the new Windows Server 2008

server.

E. None of the above

Answer: D

Explanation:

'Administrators' is a local group that provides full administrative access to an individual computer

or a single domain, depending on its location. Because this account has complete access, you

should be very careful about adding users to this group. To make someone an administrator for a

local computer or domain, all you need to do is make that person a member of this group. Only

members of the Administrators group can modify this account.

Reference: Using Default Group Accounts

http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference: Securing the Local Administrators Group on Every Desktop

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION NO: 33

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008. The network contains two Windows Server 2008 computers called CertKillerServer1 and

CertKillerServer2 and two identical print devices.

Which of the following options would you choose to plan a print services infrastructure that would

allow you to manage the print queue from a central location and make the print services available,

even if one of the print devices fails?

A. Install and share a printer on CertKillerServer1 and enable printer pooling.

B. Create a Network Load Balancing cluster and add CertKillerServer1 and CertKillerServer2 to it

and then install a printer on each node of the cluster.

C. Install and share one of the printers on CertKillerServer1 and the other printer on

CertKillerServer2. Use Print Manager to install the printers on the client computers.

D. Install the Terminal Services server role on both servers. Configure Terminal Services Session

Broker (TS Session Broker).

E. None of the above

Answer: A

Explanation:

To plan a print services infrastructure that would allow you to manage the print queue from a

central location and make the print services available, even if one of the print devices fails, you

need to install and share a printer on CertKillerServer1 and enable printer pooling.

Printer pooling allows you to print to several printers at once. If you have a large print job you can

submit it to the pool and the operating system will balance the load among the printers.

This feature allows network administrators to configure and manage several printers as one, a

process that can simplify printer administration.

In addition, printer pooling provides some load-balancing. That's because Windows 2000 Server

directs print jobs to the connected printers based on jobs pending at each printer.

A printer pool contains multiple printers, all configured as a single printer instance.

Reference : Configure printer pooling to simplify printer management in Windows 2000

http://articles.techrepublic.com.com/5100-10878_11-5727870.html

QUESTION NO: 34

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

contains two Windows Server 2008 computers and two identical print devices.

Which of the following options would you choose to manage the print queue from a central location

and balance the load of print jobs on both the printers?

A. Install and share a printer on one of the servers and enable printer pooling.

B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of

the cluster.

C. Install and share a printer on each server and then install the printers on the client computers

using Print Manager.

D. Install the Terminal Services server role on both servers and configure Terminal Services

Session Broker (TS Session Broker).

E. None of the above

Answer: A

Explanation:

To plan a print services infrastructure that would allow you to manage the print queue from a

central location and balance the load of print jobs on both the printers, you need to install and

share a printer on CertKillerServer1 and enable printer pooling.

Printer pooling allows you to print to several printers at once. If you have a large print job you can

submit it to the pool and the operating system will balance the load among the printers.

This feature allows network administrators to configure and manage several printers as one, a

process that can simplify printer administration.

In addition, printer pooling provides some load-balancing. That's because Windows 2000 Server

directs print jobs to the connected printers based on jobs pending at each printer.

A printer pool contains multiple printers, all configured as a single printer instance.

Reference : Configure printer pooling to simplify printer management in Windows 2000

http://articles.techrepublic.com.com/5100-10878_11-5727870.html

QUESTION NO: 35

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

contains two Windows Server 2008 computers and two identical print devices.

Which of the following options would you choose to manage a large print job by balancing the load

of print jobs on both the printers?

A. Install and share a printer on one of the servers and enable printer pooling.

B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of

the cluster.

C. Install and share a printer on each server and then install the printers on the client computers

using Print Manager.

D. Install the Terminal Services server role on both servers and configure Terminal Services

Session Broker (TS Session Broker).

E. None of the above

Answer: A

Explanation:

To manage a large print job by balancing the load of print jobs on both the printers, you need to

install and share a printer on CertKillerServer1 and enable printer pooling.

Printer pooling allows you to print to several printers at once. If you have a large print job you can

submit it to the pool and the operating system will balance the load among the printers.

This feature allows network administrators to configure and manage several printers as one, a

process that can simplify printer administration.

In addition, printer pooling provides some load-balancing. That's because Windows 2000 Server

directs print jobs to the connected printers based on jobs pending at each printer.

A printer pool contains multiple printers, all configured as a single printer instance.

Reference : Configure printer pooling to simplify printer management in Windows 2000

http://articles.techrepublic.com.com/5100-10878_11-5727870.html

QUESTION NO: 36

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain. All the servers on the network run Windows Server 2008 and all client computers run

Windows Vista.

The branch office contains 50 Windows Server 2008 member servers. The Active Directory

contains an organizational unit (OU) called BranchOU to keep the computer objects for the servers

in the Branch office.

A global group called Branch-adm also exists in the AD to keep the user accounts for the

administrators in the branch office. The administrators on the corporate network manage all the

servers in the Branch office.

However, you now want to ensure that the members of the Branch-adm group can stop and start

services and change registry settings on the member servers of the branch office. Which of the

following options would you choose to accomplish this task?

A. Assign Full Control permissions on the BranchOU to the Branch-adm group.

B. Add the Branch-adm group to the Power Users local group on each server in the Branch office.

C. Assign the Branch-adm group change permissions to the BranchOU and to all child objects.

D. Add the Branch-adm group to the Administrators local group on each server in the Branch

office.

E. None of the above

Answer: D

Explanation:

To ensure that the members of the Branch-adm group can stop and start services and

change registry settings on the member servers of the branch office, you need to add the

Branch-adm group to the Administrators local group on each server in the Branch office.

'Administrators' is a local group that provides full administrative access to an individual computer

or a single domain, depending on its location. Because this account has complete access, you

should be very careful about adding users to this group. To make someone an administrator for a

local computer or domain, all you need to do is make that person a member of this group. Only

members of the Administrators group can modify this account.

Reference : Using Default Group Accounts

http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference : Securing the Local Administrators Group on Every Desktop

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION NO: 37

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest, which contains three domains named CertKiller.com,

region1.CertKiller.com, and region2.CertKiller.com.

All the servers on the network run Windows Server 2008 and all client computers run Windows

Vista. The functional level of the three domains is Windows Server 2008.

The company contains a helpdesk team, which is a part of the Account Operators group in the

CertKiller.com domain. Members of the helpdesk team frequently join and leave the helpdesk

team. The helpdesk employees have all the permissions to modify the properties of user objects in

CertKiller.com.

Which of the following options would you choose to minimize the administrative effort required to

manage the frequent changes to the helpdesk staff and enable the helpdesk employees to

manage the user objects in all the three domains? (Select two. Each selected option will present a

part of the answer.)

A. Add the respective helpdesk user accounts to the Account Operators group in both

region1.CertKiller.com and region2.CertKiller.com.

B. Create a new global group for helpdesk users in CertKiller.com. Add the helpdesk user

accounts to the global group and to the Account Operators group in all three domains.

C. Assign Full Control permissions to the Account Operators group in CertKiller.com for user

accounts in all three domains.

D. Create a new global group in CertKiller.com for helpdesk users in CertKiller.com. Add the

helpdesk user accounts to the global group and then add the global group to the Account

Operators group that is on every member server in all three domains.

E. None of the above

Answer: B

Explanation:

To minimize the administrative effort required to manage the frequent changes to the helpdesk

staff and enable the helpdesk employees to manage the user objects in all the three domains, you

need to: Create a new global group in CertKiller.com named Helpdesk-group. Add the helpdesk

user accounts to Helpdesk-group. Add Helpdesk-group to the Account Operators group that is in

all three domains.

The Helpdesk-group global group will help the helpdesk users to administer the domain tree or forest.

Next when you add the Helpdesk-group to the Account Operators group that is in all three

domains, you would limit the privileges of this group. Account Operators is a local group that

grants limited account creation privileges to a user. Members of this group can create and modify

most types of accounts, including those of users, local groups, and global groups. They can also

log on locally to domain controllers. However, Account Operators can't manage the Administrator

user account, the user accounts of administrators, or the group accounts Administrators, Server

Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also

can't modify user rights.

Reference : Using Default Group Accounts

http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference : Securing the Local Administrators Group on Every Desktop

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION NO: 38

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007.

The corporate network runs two file servers, one database server on TCP port 47182, and

Microsoft Exchange Server 2007 servers. The company has many mobile users and you have

been asked to provide them with remote access to the corporate network.

You have been told that the remote users work from locations that only support access to the

Internet by using HTTP and HTTPS.

Which of the following options would you choose to ensure that remote users are able to establish

secure connections to the network and are able to access the database and file servers and e-mail?

(Select two. Each selected option will present a part of the answer.)

A. Upgrade all client computers to Windows Vista Service Pack 1.

B. Implement Outlook Anywhere for Exchange Server 2007.

C. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers.

D. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP).

E. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).

F. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).

Answer: A,F

Explanation:

To ensure that remote users are able to establish secure connections to the network and are able

to access the database server and file servers and have access to e-mail, you need to upgrade all

client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses

Secure Socket Tunneling Protocol (SSTP).

Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology

called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote

access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can

use it behind a NAT, across a firewall, through a Web proxy - as long as TCP port 443 is open

(which it usually is for HTTPS traffic).

SSTP is more than just another SSL-based VPN that only works with Web clients. It's fully

integrated into the remote access architecture of Windows, which means you can use it with

Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you

can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one

HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server

2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP

sessions across servers.

Reference : SSTP Makes Secure Remote Access Easier

http://biztechmagazine.com/article.asp?item_id=377

QUESTION NO: 39

You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows

Server 2008 and all client computers run Windows Vista. The corporate network of the company

consists of two servers that run the Server Core installation of Windows Server 2008 as a part of a

Network Load Balancing cluster.

Which of the following options would you choose to allow the administrators to remotely manage

the Network Load Balancing cluster through their Windows Vista client computers? Your strategy

must support automation.

A. Enable Windows Remote Management (WinRM) on the client computers.

B. Enable Windows Remote Management (WinRM) on the servers.

C. Add the administrators to the Remote Desktop Users group on the servers.

D. Add the administrators to the Remote Desktop Users group on the client computers.

E. None of the above

Answer: B

Explanation:

To allow the administrators to remotely manage the Network Load Balancing cluster through their

Windows Vista client computers, you need to enable Windows Remote Management (WinRM) on

the servers.

By using another computer running Windows Vista or Windows Server 2008, you can use Windows

Remote Shell, which uses WinRM, to run command-line tools and scripts on a server running a

Server Core installation.

Windows Remote Management (known as WinRM) is a handy new remote management service

for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM is the "server"

component of this remote management application and WinRS (Windows Remote Shell) is the

"client" for WinRM, which runs on the remote computer attempting to remotely manage the WinRM

server.

Reference : Server Core Installation Option of Windows Server 2008 Step-By-Step Guide

http://technet.microsoft.com/en-us/library/cc753802.aspx#bkmk_managingservercore

Reference : How can Windows Server 2008 WinRM & WinRS help you?

http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-WinRS.html

QUESTION NO: 40

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run either Windows

Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

All domain controllers on the network run Windows Server 2008 and a firewall server runs

Microsoft Internet Security and Acceleration (ISA) Server 2006. The Windows Server 2003 servers

have the Terminal Server component installed. You have been asked to give remote users access

to the Terminal Server servers.

Which of the following options would you choose to accomplish the given task while ensuring that

a minimum number of ports are open on the firewall server, all remote connections to the Terminal

Server servers are encrypted, and access by client computers that have Windows Firewall disabled

is prevented? (Select two. Each selected option will present a part of the answer.)

A. Upgrade a Windows Server 2003 server to Windows Server 2008.

B. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal

Services resource authorization policy (TS RAP).

C. Implement the Terminal Services Gateway (TS Gateway) role and Network Access Protection

(NAP).

D. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal

Services connection authorization policy (TS CAP).

E. Implement port forwarding and Network Access Quarantine Control on the ISA Server.

Answer: A,C

Explanation:

To accomplish the given task, you need to upgrade a Windows Server 2003 server to Windows

Server 2008. On the Windows Server 2008 server, implement the Terminal Services Gateway (TS

Gateway) role, and implement Network Access Protection (NAP).

You need to upgrade Windows Server 2003 server to Windows Server 2008 because NAP is a

feature of Windows Server 2008. Network Access Protection helps you ensure that the computers

that connect to your network meet health status requirements, reducing the risk that they'll

introduce viruses or serve as the conduit for attacks and exploits. (e.g., updated and protected by

a firewall, antivirus, and anti-spyware software) can be connected to a remediation server, to be

brought into compliance.

Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users

to connect to resources on an internal corporate or private network, from any Internet-connected

device that can run the Remote Desktop Connection (RDC) client. The network resources can be

terminal servers, terminal servers running Terminal Services RemoteApp programs, or computers

with Remote Desktop enabled.

TS Gateway enables remote users to connect to internal network resources over the Internet, by

using an encrypted connection, without needing to configure virtual private network (VPN)

connections.

TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets

Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to

enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote

access connectivity across multiple firewalls.

Reference : Security and Policy Enforcement

http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx

Reference : Vista's Network Access Protection (NAP) helps keep 'unhealthy' computers off your

LAN

http://articles.techrepublic.com.com/5100-10878_11-6153295.html

Reference : TS Gateway Overview

http://technet.microsoft.com/en-us/library/cc732122.aspx

QUESTION NO: 41

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a DNS server that runs a Server Core installation of Windows Server 2008. All the

servers on the network run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to allow the administrators of the company to

manage the DNS server from their Windows Vista client computers?

A. Set the Remote Access Connection Manager Service to automatic on the DNS server.

B. Create a custom Microsoft Management Console on the Windows Vista client computers and

then add the Component Services snap-in.

C. Install Remote Server Administration Tools (RSAT) on the Windows Vista client computers.

D. Run Setup.exe /u from the Windows Server 2008 installation media on the Windows Vista client

computers.

Answer: C

Explanation:

To allow the administrators of the company to manage the DNS server from their Windows Vista client

computers, you need to install Remote Server Administration Tools (RSAT) on the Windows Vista

client computers.

RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server

environment right from their desktop. RSAT also includes an updated Group Policy Management

Console (GPMC), which was previously removed in Windows Vista SP1.

RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to

manage computers running Windows Server 2008.

Reference : Remote Server Administration Tools (RSAT) Now Available for Windows Vista SP1

http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-server-administration-tools-rsat-now-available-for-windows-vista-sp1.aspx

QUESTION NO: 42

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. All the servers on the network run Windows Server 2008 and all client computers

run Windows Vista.

You plan to deploy the Server Core installation of Windows Server 2008 on 10 servers in the

branch office. The servers will only be accessible by using TCP ports 80 and 443.

You need to ensure that administrators can install and administer server roles on the Server Core

servers remotely and fully manage the servers remotely from their

Windows Vista computers / Windows Server 2008 servers.

Which of the following options would you choose to accomplish the desired task?

A. Enable Remote Desktop Connection (RDC) on the administrator's server computers.

B. Enable Windows Remote Management (WinRM) on the administrator's computers.

C. Use Oclist.exe on the administrator's computers.

D. Use Ocsetup.exe on the administrator's computers.

E. None of the above

Answer: B

Explanation:

To ensure that administrators can install and administer server roles on the Server Core servers

remotely and fully manage the servers remotely, you need to enable

Windows Remote Management (WinRM) on each server.

Windows Remote Management (known as WinRM) is a handy new remote management service

for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM & WinRS are

very powerful new tools that Windows system administrators should learn about. With

WinRM/WinRS, you can install programs, change settings, or do troubleshooting (as long as the

network is up). You can even take it a step further and combine WinRS with a script to perform

those tasks on a list of computers.

Reference : How can Windows Server 2008 WinRM & WinRS help you?

http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-WinRS.html

QUESTION NO: 43

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007.

The corporate network runs:

File servers

Database server

Microsoft Exchange Server 2007 servers

The company has many mobile users that can access the corporate network remotely by using

HTTP and HTTPS connections only.

Which of the following options would you choose to ensure that remote users are able to establish

secure connections to the network and are able to access the database server and file servers

and have access to e-mail? (Select two. Each selected option will present a part of the answer.)

A. Upgrade all client computers to Windows Vista Service Pack 1.

B. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP).

C. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers.

D. Implement Outlook Anywhere for Exchange Server 2007.

E. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).

F. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).

Answer: A,E

Explanation:

To ensure that remote users are able to establish secure connections to the network and are able

to access the database server and file servers and have access to e-mail, you need to upgrade all

client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses

Secure Socket Tunneling Protocol (SSTP).

Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology

called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote

access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can

use it behind a NAT, across a firewall, through a Web proxy - as long as TCP port 443 is open

(which it usually is for HTTPS traffic).

SSTP is more than just another SSL-based VPN that only works with Web clients. It's fully

integrated into the remote access architecture of Windows, which means you can use it with

Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you

can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one

HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server

2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP

sessions across servers.

Reference : SSTP Makes Secure Remote Access Easier

http://biztechmagazine.com/article.asp?item_id=377

QUESTION NO: 44

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of 50 DNS servers that run Windows Server 2003 and the client computers that run

Windows Vista.

A DNS server called CertKillerServer1 has Adminpak.msi installed. The administrators manage

the DNS servers through CertKillerServer1. The administrators connect to CertKillerServer1

through Remote Desktop Connection (RDC).

Recently, you replaced the Windows Server 2003 DNS servers with Server Core installations of

Windows Server 2008 by installing the DNS server role on the Server Core installations of

Windows Server 2008.

Which of the following options would you choose to administer the new DNS servers? You need to

ensure that the administrators manage the DNS server role by using a Microsoft Management

Console (MMC).

A. Using a Group Policy, deploy Windows PowerShell to all administrators.

B. Using a Group Policy, deploy the Windows Server 2003 Adminpak.msi file to all administrators.

C. Provide remote access to the Windows Server 2008 Server Core servers.

D. Install Remote Server Administration Tools (RSAT) to a Windows Server 2008 server and

provide remote access to that server.

E. None of the above

Answer: D

Explanation:

To administer the new DNS servers, you need to provide remote access to a Windows Server

2008 server that has the Remote Server Administration Tools (RSAT) installed.

RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server

environment right from their desktop. RSAT also includes an updated Group Policy Management

Console (GPMC), which was previously removed in Windows Vista SP1.

RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to

manage computers running Windows Server 2008. Because many of these tools also work for

managing computers running Windows Server 2003, it is essentially "the next version" of

ADMINPAK.MSI.

Reference: Remote Server Administration Tools (RSAT) Now Available for Windows Vista SP1

http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-server-administration-tools-rsat-now-available-for-windows-vista-sp1.aspx

QUESTION NO: 45

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain. All the servers on the network run Windows Server 2008 and all client computers run

Windows Vista.

The network contains five Windows Server 2008 servers that host Web applications. The

administrators need to manage the Web servers remotely. You need to ensure that the web

developers are allowed to configure features on the Web sites. However, they should not have full

administrative rights on the Web servers.

Which of the following options would you choose to accomplish the desired task?

A. On each Web server, configure the authorization rules for Web developers.

B. Add the Web developers to the Account Operators group in the domain.

C. Configure request filtering on each Web server.

D. For all Web developers, configure the security settings in Internet Explorer.

E. None of the above

Answer: A

Explanation:

To ensure that the web developers are allowed to configure features on the Web sites without

having full administrative rights on the Web servers, you need to configure authorization rules for

Web developers on each Web server.

By configuring authorization rules, you can grant or deny specific computers, groups of computers,

or domains access to sites, applications, directories, or files on your server. For example, suppose

your intranet server hosts content that is available to all employees, in addition to content that

should be viewed only by members of specific groups, such as Finance or Human Resources. By

configuring URL authorization rules, you can prevent employees who are not members of those

specified groups from accessing restricted content.

Reference : IIS 7.0: Configuring URL Authorization Rules in IIS 7.0

http://technet.microsoft.com/en-us/library/cc772206.aspx

Section 2, Plan for delegated administration (4 Questions)

QUESTION NO: 46

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

five branch offices. The corporate network of the company consists of a single Active Directory

domain. All the servers on the network run Windows Server 2008 and all client computers run

Windows Vista.

Each branch office contains a domain controller on which the DHCP Server role is also installed.

Besides this, each branch office also contains a file server and has its own branch office

administrator.

You need to delegate the administration of DHCP in such a way that the branch office

administrators are allowed to manage DHCP scopes for their own office. You also need to ensure

that the branch office administrators should not be allowed to manage the DHCP scopes in other

offices.

Which of the following options would you choose to accomplish the given task with the minimum amount

of administrative effort?

A. Migrate the DHCP Server server role to the file server in each branch office.

B. On each file server, add the branch office administrator to the DHCP Administrators local group.

C. Add the branch office administrators to the Network Configuration Operators domain local

group in the AD domain.

D. Add the branch office administrators to the Server Operators domain local group in the AD

domain.

E. Add the branch office administrators to the DHCP Administrators domain local group in the AD

domain.

Answer: A,B

Explanation:

To delegate the administration of DHCP so that the branch office administrators are allowed to

manage DHCP scopes for their own office you need to migrate the DHCP Server server role to the

file server in each branch office.

To ensure that branch office administrators are not allowed to manage the DHCP scopes in other

offices you need to add the branch office administrator to the DHCP Administrators local group.

While members of the Domain Admins group obviously have full power to configure DHCP on the

server, you can also delegate limited power to users whose job is to manage DHCP servers on

your network. To do this, open Active Directory Users and Computers and add the name of the

user to the DHCP Administrators domain local group.

This gives the user the ability to manage DHCP servers on your network without giving him any

unnecessary authority to perform other administrative tasks, which is an example of the

well-known security best practice of least privilege.

Reference : DHCP Server Security (Part 2)

http://www.windowsecurity.com/articles/DHCP-Security-Part2.html

QUESTION NO: 47

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory (AD) domain. All the servers on the network run Windows

Server 2008 and all client computers run Windows Vista.

The AD contains an organizational unit (OU) called EmployeesOU that contains all user accounts

and a global group named HRAdmins that contains the accounts of the HR administrators.

You have been asked to plan for the delegation of administrative authority in such a way that the

HRAdmins are allowed to create user accounts in the EmployeesOU and change the address

attributes, the telephone number attributes, and the location attributes for existing user accounts.

You also need to ensure that HRAdmins are not allowed to reset the passwords for the existing

user accounts.

Which of the following options would you choose to accomplish the desired goal?

A. Run the Delegation of Control Wizard on the EmployeesOU.

B. Create a new OU and move the HRAdmins group to the new OU and then run the Delegation of

Control Wizard on the new OU.

C. Move the HRAdmins group to the Domain Controllers OU.

D. Add the HRAdmins group to the Account Operators group.

E. None of the above.

Answer: A

Explanation:

To accomplish the desired goal, you need to run the Delegation of

Control Wizard on the EmployeesOU. A Delegation wizard can be used to facilitate the delegation

of administrative rights over containers within Active Directory. The Delegation wizard dynamically

creates access control entries on the target container object according to the options specified in

the wizard.

The Delegation of Control Wizard provides an additional level of granularity allowing for custom-

built tasks to be assigned to specific users or groups.

Reference : Default security concerns in Active Directory delegation

http://support.microsoft.com/kb/235531

QUESTION NO: 48

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain. All the servers on the network run Windows Server 2008 and all client computers run

Windows Vista. Administrators manage the client computers and servers in the Branch office.

The branch office of the company contains a Read-only Domain Controller (RODC) named

CertKillerServer1. A global group called Branch-admins contains the user accounts for

administrators.

You have been asked to recommend a solution for delegating control of CertKillerServer1 in such

a way that the Branch-admins group has rights on CertKillerServer1 only and its members are not

allowed to modify Active Directory objects.

Besides, all the members of the Branch-admins group are allowed to administer CertKillerServer1,

including the change of device drivers and installation of operating system updates by using

Windows Update.

Which of the following options would you choose to accomplish the desired task?

A. On CertKillerServer1, add the Branch-admins global group to the Administrators local group.

B. Add the Branch-admins global group to the Server Operators domain local group.

C. Create a new OU and move the CertKillerServer1 computer object to a new OU and then grant

Full Control permission on the new OU to the Branch-admins group.

D. On the CertKillerServer1 computer object in the domain Grant Full Control permission to the

Branch-admins group.

E. None of the above

Answer: A

Explanation:

To accomplish the desired task, you need to add the Branch-admins global group to the

Administrators local group of CertKillerServer1.

Administrators is a local group that provides full administrative access to an individual computer or

a single domain, depending on its location. Because this account has complete access, you

should be very careful about adding users to this group. To make someone an administrator for a

local computer or domain, all you need to do is make that person a member of this group. Only

members of the Administrators group can modify this account.

Domain Admins is a global group designed to help you administer all the computers in a domain.

This group has administrative control over all computers in a domain because it's a member of the

Administrators group by default. To make someone an administrator for a domain, make that

person a member of this group.

Reference : Using Default Group Accounts

http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference : Securing the Local Administrators Group on Every Desktop

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION NO: 49

You are an Enterprise administrator for CertKiller.com. The company consists of a head office and

a branch office. The corporate network of the company consists of a single Active Directory

domain.

The branch office of the company contains a Read-only Domain Controller (RODC) named

CertKillerServer1. A global group called GLB contains the user accounts for administrators.

Which of the following options would you choose to ensure that the GLB group has rights on

CertKillerServer1 only and its members are not allowed to modify Active Directory objects?

Which of the following options would you choose to accomplish the desired task?

A. On CertKillerServer1, add the GLB global group to the Administrators local group.

B. Add the GLB global group to the Server Operators domain local group.

C. Create a new OU and move the CertKillerServer1 computer object to a new OU and then grant

Full Control permission on the new OU to the GLB group.

D. On the CertKillerServer1 computer object in the domain Grant Full Control permission to the

GLB group.

E. None of the above

Answer: A

Explanation:

To accomplish the desired task, you need to add the GLB global group to the Administrators local

group of CertKillerServer1.

Administrators is a local group that provides full administrative access to an individual computer or

a single domain, depending on its location.

Domain Admins is a global group designed to help you administer all the computers in a domain.

This group has administrative control over all computers in a domain because it's a member of the

Administrators group by default. To make someone an administrator for a domain, make that

person a member of this group.

Reference : Using Default Group Accounts

http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference : Securing the Local Administrators Group on Every Desktop

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

Section 3, Plan and implement group policy strategy (16 Questions)

QUESTION NO: 50

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest that contains a root domain and two child

domains. All the servers on the network run Windows Server 2008 and all client computers run

Windows Vista.

Which of the following options would you choose to deploy the corporate policy of the company

that states that all the local administrator accounts must be renamed and all the local guest

accounts must be renamed and disabled?

A. In each domain, deploy Network Policy and Access Services (NPAS) on all domain controllers.

B. Implement a Group Policy object (GPO) for each domain.

C. On the root domain controllers, deploy Active Directory Rights Management Services (AD

RMS)

D. Implement a Group Policy object (GPO) for the root domain.

E. None of the above.

Answer: B

Explanation:

To deploy the corporate policy of the company that states that all the local administrator accounts

must be renamed and all the local guest accounts must be renamed and disabled, you need to

implement a Group Policy object (GPO) for each domain.

You can change the administrator account and guest account names by using Group Policy in

Windows Server 2003. This may be useful if you want to change the name of the administrator or

guest user accounts to minimize the chance of misuse of these accounts.

Reference : HOW TO: Rename the Administrator and Guest Account in Windows Server 2003

http://support.microsoft.com/kb/816109

QUESTION NO: 51

Exhibit:

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista.

The AD domain consists of a top level OU called EmployeesOU that contains three OUs called

ManagersOU, StaffOU, and InternsOU to store the accounts of Managers, Staff, and Interns

respectively. The relevant portion of the Active Directory domain is configured as shown in the

exhibit.

Currently the EmployeesOU is configured in such a way that the users in the ManagersOU receive

the Group Policy object (GPO) settings that are deployed to the EmployeesOU.

Which of the following options would you choose to ensure that the user accounts in the

ManagersOU are unaffected by the GPOs that are deployed to the EmployeesOU?

A. On each GPO that links to the EmployeesOU, connect a Windows Management

Instrumentation (WMI) filter.

B. Move the ManagersOU to the StaffOU.

C. On the ManagersOU, configure Block Policy Inheritance.

D. Enforce the GPO link on the EmployeesOU.

E. None of the above

Answer: C

Explanation:

To ensure that the user accounts in the ManagersOU are unaffected by the GPOs that are

deployed to the EmployeesOU, you need to configure Block Policy Inheritance on the

ManagersOU.

Typically, group policies are passed down from parent to child containers within a domain, which

you can view with the Active Directory Users and Computers console. Group policy is not inherited

from parent to child domains, for example, from cco.com to sales.cco.com. If you assign a specific

group policy setting to a high-level parent container, that setting applies to all containers beneath

the parent container, including the user and computer objects in each container. However, if you

explicitly specify a group policy setting for a child container, the child container's setting overrides

the one for the parent container.

The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active

Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No

Override setting is enabled.

You can block policy inheritance at the domain or organizational unit level. In WS2K3 R2, you

don't use Active Directory Users and Computers for this function like you used to; you now use the

Group Policy Management console.

Reference : Inheriting a Meager Comprehension of Policy Inheritance

http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=60

QUESTION NO: 52

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista.

The Active Directory domain contains a top-level organizational unit (OU) called AccountingOU,

which contains all computer and user accounts for the accounting department.

You have been asked to deploy an accounting application that can only be accessed by the

accounting users. Which of the following options would you deploy to accomplish the desired

task?

A. Terminal Service Session Broker (TS Session Broker) role service

B. Microsoft System Center Operations Manager (SCOM)

C. Group Policy object (GPO) for the Accounting OU

D. Windows Server Update Service (WSUS)

E. None of the above

Answer: C

Explanation:

To deploy an accounting application that can only be accessed by the accounting users, you need

to deploy a Group Policy object (GPO) for the AccountingOU.

As you may already know, in an Active Directory environment, group policies are the main

component of network security. Group policy objects can be applied either to users or to

computers. Deploying applications through the Active Directory is also done through the use of

group policies, and therefore applications are deployed either on a per user basis or on a per

computer basis.

Reference : Using Group Policy to Deploy Applications

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

Reference : Planning and Deploying Group Policy 2008

http://www.scribd.com/doc/4716059/Planning-and-Deploying-Group-Policy-2008

QUESTION NO: 53

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista.

Which of the following options would you choose to prevent users from being able to install

removable devices on client computers while ensuring that the domain administrators and desktop

support technicians are allowed to install removable devices on client computers?

You need to achieve the desired goal with the minimum amount of administrative effort.

A. On all domain controllers, implement Windows System Resource Manager (WSRM).

B. On all client computers, deploy Connection Manager Administration Kit (CMAK).

C. On all client computers, configure a Group Policy object (GPO).

D. On all client computers, configure User Account Control.

E. None of the above

Answer: C

Explanation:

To prevent users from being able to install removable devices on client computers, you need to

implement a Group Policy object (GPO) for all client computers.

The Group Policy settings called Prevent Installation of Removable Devices and Prevent

Installation of Devices Not Described By Other Policy Settings enable you to achieve the desired

goal. These policies can be found in the group policy tree at: Computer

Configuration\Administrative Templates\System\Device Installation\Device Installation

Restrictions.

The Prevent Installation of Removable Devices setting prevents users from installing removable

devices. The Prevent Installation of Devices Not Described By Other Policy Settings group policy

setting is a kind of catch-all setting.

There are a couple of different ways that you can use this policy setting. One thing that you can do

is to enable this setting, but not enable any other hardware installation related settings. In doing

so, you will effectively prevent anyone from installing any hardware into systems to which the

policy applies.

Another thing that you can do with this group policy setting is to use other policy settings to allow

specific devices based on device ID or class and then enable this policy setting. In doing so, you

will prevent the installation of any device that you have not specifically allowed users to install.

Reference : Windows Longhorn: Using Group Policy to Control Device Management (Part 2)

http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-

Control-Device-Management-Part2.html

QUESTION NO: 54

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista.

Many users of the company store all of their files in their Documents folder. Most of the stored

files are large. You plan to implement roaming user profiles for all users by using Group Policy.

However, with roaming user profiles it will take them a long time to log on and log off of the

computers.

Which of the following options would you choose to minimize the amount of time that roaming

users take to log on and log off of the computers?

A. Include the Background Intelligent Transfer Service (BITS) settings in the Group Policy object

(GPO).

B. Enable caching on the profiles share on the server that hosts the roaming user profiles.

C. Install and configure the Background Intelligent Transfer Service (BITS) server extensions on

any server.

D. Modify the Group Policy object (GPO) to include folder redirection.

E. None of the above

Answer: D

Explanation:

To minimize the amount of time that roaming users take to log on and log off of the computers,

you need to modify the Group Policy object (GPO) to include folder redirection.

The roaming profiles and folder redirections can make your life easier. With roaming profiles

though, each user's files and settings follow them from PC to PC, so there is no need to move

anything.

Now that you know what a profile looks like, let's talk about making the profile mobile. The basic

technique behind creating a roaming profile involves creating a shared folder on the server,

creating the user a folder within the share, and then defining the user's profile location through the

group policy, which is called folder redirection.

Reference : Profile and Folder Redirection In Windows Server 2003

http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-

2003.html

QUESTION NO: 55

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest. The AD forest is running at the functional level of

Windows Server 2008.

The forest contains two domains named CertKiller.com and na.CertKiller.com. All the servers on

the network run Windows Server 2008 and all client computers run Windows Vista.

The domain na.CertKiller.com contains an organizational unit (OU) called SecurityOU and the

domain CertKiller.com contains a user called Ben.

You have been asked to assign administrative rights to Ben so that he can manage Group Policies

for the SecurityOU. While assigning administrative rights, you need to ensure that Ben is

granted the least administrative rights necessary to create and configure Group Policies in

na.CertKiller.com and link Group Policies to the SecurityOU.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each selected option will present a part of the answer.)

A. Run the Delegation of Control Wizard on na.CertKiller.com.

B. Run the Delegation of Control Wizard on the SecurityOU.

C. In the Group Policy Management Console, modify the permissions of the Group Policy Objects

container in the CertKiller.com domain.

D. In the Group Policy Management Console, modify the permissions of the Group Policy Objects

container in the na.CertKiller.com domain.

E. Add User1 to the Group Policy Creator Owners group in CertKiller.com.

F. Add User1 to the Administrators group for na.CertKiller.com.

G. Modify the permissions on the SecurityOU.

Answer: B,D

Explanation:

To ensure that Ben is granted the least administrative rights necessary to create and

configure Group Policies in na.CertKiller.com and link Group Policies to the SecurityOU, you need

to run the Delegation of Control Wizard on the SecurityOU and, in the Group Policy Management

Console, modify the permissions of the Group Policy Objects container in the na.CertKiller.com

domain.

A Delegation wizard is used to facilitate the delegation of administrative rights over containers

within Active Directory. Therefore it needs to be run on the SecurityOU. The Delegation wizard

dynamically creates access control entries on the target container object according to the options

specified in the wizard.

The Delegation of Control Wizard provides an additional level of granularity allowing for custom-

built tasks to be assigned to specific users or groups.

Reference : Default security concerns in Active Directory delegation

http://support.microsoft.com/kb/235531

QUESTION NO: 56

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest. The forest contains a root domain and two child

domains named la.CertKiller.com and na.CertKiller.com.

All the servers on the network run Windows Server 2008 and all client computers run Windows

Vista. The company has a corporate policy according to which, all local guest accounts must be

renamed and disabled and all the local administrator accounts must be renamed.

Which of the following options would you choose to implement the company's policy?

A. On each domain, implement a GPO.

B. On the root domain, implement a GPO.

C. On the root domain controllers, deploy AD RMS

D. On all domain controllers in each domain, deploy NPAS

E. None of the above

Answer: A

Explanation:

To deploy the corporate policy of the company that states that all the local administrator accounts

must be renamed and all the local guest accounts must be renamed and disabled, you need to

implement a Group Policy object (GPO) for each domain.

You can change the administrator account and guest account names by using Group Policy in

Windows Server 2003. This may be useful if you want to change the name of the administrator or

guest user accounts to minimize the chance of misuse of these accounts.

Reference : HOW TO: Rename the Administrator and Guest Account in Windows Server 2003

http://support.microsoft.com/kb/816109

QUESTION NO: 57

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista.

The company has recently appointed 5 support technicians to provide support to network users.

You have been asked to provide the support technicians a GPO that contains the preconfigured

settings, which they can use to create new GPOs.

Which of the following options would you choose to ensure that support technicians can create

Group Policy objects (GPOs) in the domain using the preconfigured GPO? (Select two. Each

selected option will present a part of the answer.)

A. Add the support technicians to the Account Operators group.

B. Add the support technicians to the Group Policy Creator Owners group.

C. Delegate control on the Domain Controllers organizational unit (OU).

D. Delegate control on the Users container.

E. Assign permissions on the Sysvol folder.

F. Create a new Starter GPO.

G. Create an ADMX file.

H. Create an ADML file.

Answer: B,F

Explanation:

To ensure that support technicians can create Group Policy objects (GPOs) in the domain using

the preconfigured GPO, you need to add the support technicians to the Group Policy Creator

Owners group and create a new Starter GPO.

The GPMC 2.0 provides a new (empty) container called "Starter GPOs". This new container can

hold "templates" for creating new GPOs - with the limitation that only "Administrative Templates"

settings are available - from both 'Computer Configuration' and 'User Configuration'. Settings like

"Software Settings" (software installation) and "Windows Settings" (scripts, account policies, user

rights, software restriction policies, etc.) are NOT available in Starter GPOs. The users who are

added to Group Policy Creator Owners group would be allowed to use the Starter GPO to make

required configurations.

Reference : Group Policy related changes in Windows Server 2008 - Part 1: What are Starter

GPOs?

http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-

Part1.html

QUESTION NO: 58

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain.

All the servers on the network run Windows Server 2008 and all client computers run Windows

Vista. The domain contains three organizational units (OUs) named TestOU1, TestOU2, and

TestOU3.

Which of the following options would you choose to redesign the layout of the OUs to ensure that

the Group Policy objects (GPOs) that are linked to the domain are prevented from applying to

computers located in TestOU2? You also need to minimize the number of GPOs and the number of

OUs.

A. On TestOU2, configure block inheritance.

B. Create a WMI filter.

C. Delegate permissions on the Application OU

D. Create a Starter GPO.

E. None of the above

Answer: A

Explanation:

Typically, group policies are passed down from parent to child containers within a domain, which

you can view with the Active Directory Users and Computers console. Group policy is not inherited

from parent to child domains. If you assign a specific group policy setting to a high-level parent

container, that setting applies to all containers beneath the parent container, including the user

and computer objects in each container. However, if you explicitly specify a group policy setting for

a child container, the child container's setting overrides the one for the parent container.

The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active

Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No

Override setting is enabled. You can block policy inheritance at the domain or organizational unit

level.

Reference : Inheriting a Meager Comprehension of Policy Inheritance

http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=60

QUESTION NO: 59

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the domain controllers on the network run

Windows Server 2008 and all client computers run Windows Vista. The functional level of the

domain is Windows Server 2008.

The company consists of four departments: Sales, Research, Development, and Marketing. The

users of the Research department of the company keep sensitive information on their

computers. Therefore the company requires that the users from the Research department have

higher levels of account and password security than other users in the domain.

Which of the following options would you choose to recommend a solution that meets the

company's requirements with minimum hardware and software costs?

A. Create a new Active Directory site for the research department users and deploy a Group

Policy object (GPO) to the site.

B. Create a new domain, add the research department user accounts to the new domain, and

configure a new security policy for the new domain.

C. For the research department users, create a new Password Settings Object (PSO).

D. Create a new organizational unit (OU) in the domain for research department users called

ResearchOU and deploy a GPO to the ResearchOU.

E. None of the above

Answer: C

Explanation:

To recommend a solution that meets the company's requirements with minimum hardware and

software costs, you need to create a new Password Settings Object (PSO) for the research

department's users.

"Granular Password Settings", or "Fine-Grained Password Policy", is based on the introduction of

two new object classes in the AD schema: the "Password Settings Container" and "Password

Setting" objects. These objects basically provide us the option to introduce multiple password

policies into a single AD domain.

One reason to create PSOs and assign them to users and/or groups is a hosting scenario where

multiple companies are present in a single AD domain; another, more common reason is where we

need stricter settings to apply to a specific group of people with privileged accounts (like domain

administrators, help desk personnel, etc.).

Those privileged accounts can have a complexity requirement and a requirement of defining a

minimum of 16 characters in their passwords and other, more limited accounts, can have more

"user friendly" requirements - although I would recommend everyone to use passwords of that

strength.

Reference : Configuring Granular Password Settings in Windows Server 2008, Part 2

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-

Server-2008-Part2.html

QUESTION NO: 60

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the domain controllers on the network run

Windows Server 2008 and all client computers run Windows Vista. The functional level of the

domain is Windows Server 2008.

A corporate policy exists for the company, according to which a legal notice should appear when

any user logs on to the domain. Which of the following options would you choose to enforce the

corporate policy by using the minimum amount of administrative effort?

A. Run the Delegation of Control Wizard for the domain and modify the Default Domain Controller

policy.

B. Run the Delegation of Control Wizard for the domain and configure the Local Computer policy

on a reference computer.

C. Create a new organizational unit (OU), place all computer accounts in the new OU, and then

run the Delegation of Control Wizard for the new OU.

D. Create, link and enforce a new GPO to the domain.

E. None of the above

Answer: D

Explanation:

To enforce the corporate policy by using the minimum amount of administrative effort, you need to

create a GPO and link the GPO to the domain and then configure the GPO to be enforced.

Group policy settings are an integral part of any Windows-based IT environment. The number of

desktop lockdown settings available to group policy administrators is enormous. They can prevent

you from doing anything from changing your desktop appearance and start menu to running

certain applications.

Reference : Circumventing Group Policy Settings

http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx

QUESTION NO: 61

Exhibit:

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista. The functional level of the domain is Windows

Server 2008.

The company consists of three departments: Sales, Finance, and Engineering. The Organizational

Units (OUs) called Employees, Managers, and Staff exist in the AD domain. The relevant portion

of the Active Directory domain is shown in the diagram.

The Staff OU contains all user accounts except for the managers' user accounts. The

Managers OU contains the managers' user accounts and the Sales, Finance, and Engineering

global groups. You have recently created a new Group Policy object (GPO) named GPO1 and

then linked it to the Employees OU.

After this configuration, the users from the Engineering global group report that they are unable to

access the Run command on the Start menu. On troubleshooting, you discovered that the GPO1

settings are causing this problem.

Which of the following options would you choose to ensure that the users from the Engineering

global group are able to access the Run command on the Start menu?

A. Under the Employees OU, create a new child OU for Engineering department and then move

the Engineering global group to the new Engineering OU.

B. On the Managers OU, configure Block Policy Inheritance.

C. For the Engineering global group, configure Group Policy filtering on GPO1.

D. Configure GPO1 to use the Enforce Policy option.

E. None of the above

Answer: C

Explanation:

To ensure that the users from the Engineering global group are able to access the Run command

on the Start menu, you need to configure Group Policy filtering on GPO1 for the Engineering

global group.

If you've been administering Group Policies for just a short period of time you have probably

noticed that there is no search option for specific policy settings.

Search is not referred to as "search" within GPME, it's still called "filtering" like the limited

functionality we had in previous versions - but it's much more advanced now. You'll be able to see

that as soon as you select the "Filter Options" from the View menu. You can use filtering to access

the Run command on the Start menu for specific global groups.

Reference : Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2

Filtering to search

http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part2.html

QUESTION NO: 62

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers on the network run Windows Server

2008 and all client computers run Windows Vista. The functional level of the domain is Windows

Server 2008.

Which of the following options would you choose to ensure that administrators on the network are

allowed to install USB drives on their computers and the non-administrative users are prevented

from installing USB drives on their computers?

A. Configure device installation restrictions using a GPO.

B. Implement Windows BitLocker Drive Encryption.

C. Use WSRM to configure a per user resource access policy.

D. Implement the UDDI Services server role.

E. None of the above

Answer: A

Explanation:

To ensure that administrators on the network are allowed to install USB drives on their computers

and the non-administrative users are prevented from installing USB drives on their computers, you

need to use a Group Policy object (GPO) to configure device installation restrictions.

The group policy settings called Prevent Installation of Removable Devices and

Prevent Installation of Devices Not Described By Other Policy Settings enable you to

achieve the desired goal. These policies can be found in the group policy tree at: Computer

Configuration\Administrative Templates\System\Device Installation\Device Installation

Restrictions.

The Prevent Installation of Removable Devices setting prevents users from installing

removable devices. The Prevent Installation of Devices Not Described By Other Policy

Settings group policy setting is kind of a catch-all setting.

There are a couple of different ways that you can use this policy setting. One thing that you can do

is to enable this setting, but not enable any other hardware installation related settings. In doing

so, you will effectively prevent anyone from installing any hardware into systems to which the

policy applies.

Another thing that you can do with this group policy setting is to use other policy settings to allow

specific devices based on device ID or class and then enable this policy setting. In doing so, you

will prevent the installation of any device that you have not specifically allowed users to install.

Reference : Windows Longhorn: Using Group Policy to Control Device Management (Part 2)

http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-Control-Device-Management-Part2.html

QUESTION NO: 63

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers run Windows Server 2008 and all

client computers run Windows Vista. All the servers have Terminal Services role enabled.

Which of the following options would you choose to deploy a new line-of-business application to

all client computers while ensuring that the users must access the application from an icon on their

desktops? They should also be able to access the application even when they are not connected

to the network.

A. Publish the application as TS RemoteApp.

B. Use GPO to assign the application to all client computers

C. Use GPO to assign the application to the terminal server

D. Use TS Web Access to publish the application.

E. None of the above

Answer: B

Explanation:

To ensure that the users must access the application from an icon on their desktops even when

they are not connected to the network, you need to assign the application to all client computers

by using a Group Policy object (GPO).

As you may already know, in an Active Directory environment, group policies are the main

component of network security. There are two different ways that you can deploy an application

through the Active Directory. You can either publish the application or you can assign the

application. Publishing an application doesn't actually install the application, but rather makes it

available to users.

Assigning an application to a user works differently than publishing an application. Again,

assigning an application is a group policy action, so the assignment won't take effect until the next

time that the user logs in. When the user does log in, they will see that the new application has

been added to the Start menu and / or to the desktop.

Although a menu option or an icon for the application exists, the software hasn't actually been

installed though. To avoid overwhelming the server containing the installation package, the

software is not actually installed until the user attempts to use it for the first time.

Reference : Using Group Policy to Deploy Applications

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

Reference : Planning and Deploying Group Policy 2008

http://www.scribd.com/doc/4716059/Planning-and-Deploying-Group-Policy-2008

QUESTION NO: 64

You are an Enterprise administrator for CertKiller.com. The company has a head office and a

branch office. The corporate network of the company consists of a single Active Directory domain.

All the domain controllers in the domain run Windows Server 2008 and all client computers run

Windows Vista.

The English language version of Windows Vista is installed in the head office and the Spanish

language version of Windows Vista is installed in the branch office.

Which of the following options would you choose to configure custom application settings by using

a Group Policy object (GPO) to allow administrators to view and edit the GPO in their own

language and minimize the number of GPOs deployed?

A. Create an ADM file and then configure the GPO and link it to the domain.

B. Configure and link a Starter GPO to the head office site. Backup and import the Starter GPO

from the main office site and link it to the branch office site.

C. Install the English language and the Spanish language on all domain controllers and then

configure and link a GPO to the head office site. Backup the GPO from the head office site and

import and link it to the branch office site.

D. Create ADMX and ADML files and then configure and link the GPO to the domain.

E. None of the above

Answer: D

Explanation:

To configure custom application settings by using a Group Policy object (GPO) to allow

administrators to view and edit the GPO in their own language and minimize the number of GPOs

deployed, you need to create ADMX and ADML files and then configure the GPO and link it to the

domain.

ADMX files are language neutral. This basically means that the descriptions of Group Policy

settings are not part of the .admx files. They are stored in .adml files. Vista automatically loads the

correct .adml files. This is a very useful feature for international companies. Administrators in

different countries can work with the same templates, but always get the descriptions of the Group

Policy settings in their own language.

ADMX files, like ADM files, are only templates. The Group Policy settings are still populated to the

clients through registry.pol files. That's the reason why ADMX files and ADM files can coexist.

Reference : Group Policy templates in Windows Vista: ADMX files replace ADM files

http://4sysops.com/archives/group-policy-templates-in-windows-vista-admx-files-replace-adm-files/

QUESTION NO: 65

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The company consists of 30 database servers. An organizational unit (OU) called Data exists in

the AD domain that stores the computer accounts for these database servers. Another OU called

Admin exists for the user accounts of the database administrators. The database administrators

are also the members of a global group called Data_Admins.

Which of the following options would you choose to allow the database administrators to perform

administrative tasks on the database servers while preventing them from performing administrative

tasks on other servers?

A. For Admin OU, deploy a group policy.

B. In the Domain Admins global group, add the Data_Admins users.

C. In the Server Operators domain local group, add the Data_Admins users.

D. Deploy a group policy to the Data OU.

E. None of the above

Answer: D

Explanation:

To allow the database administrators to perform administrative tasks on the database servers

while preventing them from performing administrative tasks on other servers, you need to deploy a

group policy to the Data OU.

Group Policy enables centralized, Active Directory based configuration and change management

of computers running Windows Server 2008, Windows Vista, Windows XP and Windows Server

2003. The Group Policy settings you create are contained within a Group Policy Object (GPO) and

associated with (or Linked to) a Domain, Site or Organizational Unit (OU) using the Group Policy

Management Console (GPMC). By using the Group Policy Management Console to link a GPO to

an object in Active Directory, you apply these settings to the Users and Computers contained

therein.

Reference : Windows Server 2008 Springboard Series Part 02: Deploying and Managing Group

Policy

http://71.203.223.220/files/WS08SBSprt02_GRPOL.docx

QUESTION NO: 66

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

One of the servers on the corporate network of the company runs Windows Server Update

Services (WSUS) that obtains updates online from the Microsoft Update Web site.

To meet the security requirements of the company, you have recently deployed a secure network

for the company. After this deployment, the users on the network are unable to access the Internet and the

network that contains the online WSUS server.

Which of the following options would you choose to recommend a patch management solution to

deploy updates to the computers that are on the secure network? (Select two. Each correct

answer will present a part of the solution.)

A. Deploy a WSUS server on the secure network.

B. Download the wsusscn2.cab file from the Microsoft Update Web site

C. Copy the wsusscn2.cab file to a computer on the secure network.

D. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS

server on the secure network.

E. From the online WSUS server, regularly copy the web.config file and the default Web site home

directory to the WSUS server on the secure network.

F. Scan the entire secure network by running Microsoft Baseline Security Analyzer against the

wsusscn2.cab file that you downloaded.

Answer: A,D

Explanation:

To recommend a patch management solution to deploy updates to the computers that are on the

secure network, you need to deploy a WSUS server on the secure network. From the online

WSUS server, copy the update metadata and the WSUS content to the WSUS server on the

secure network.

If your environment demands a network segment be disconnected from the Internet, or

disconnected from the rest of your network altogether, don't think you need to resort to the

"sneaker net" method of patch distribution. Simply build a stand-alone WSUS server and import

updates from removable media such as tape or DVD-ROM.

The process of exporting the updates from an Internet-connected server, and then importing them

into your disconnected one is well documented in the WSUS Deployment Guide. However, here

are the steps at a high level to give you an idea of the process.

1. Build your stand-alone WSUS server and configure its language and express installation

options to match that of the Internet-connected WSUS server that will provide updates.

2. Copy the update content directory from the Internet-connected WSUS server to removable

media. Remember that this content directory may be quite large (multi-gigabytes) so you may

need to resort to tape, dual-layer DVD, or external USB hard drive.

3. Export and copy the update metadata from the Internet-connected WSUS server's database to

removable media.

4. Copy the update content from removable media onto the disconnected WSUS server.

5. Import the update metadata from removable media into the disconnected WSUS server's

database.

Reference : Advanced Deployment Options / Offline Updates

http://www.wsuswiki.com/AdvDeployOptions

QUESTION NO: 67

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

Several servers on the corporate network of the company run Windows Server Update Services

(WSUS) and distribute updates to all computers on the internal network.

The company has many remote users that connect to the internal network from their personal

computers using a split-tunnel VPN connection.

Which of the following options would you choose to deploy a patch management strategy that

deploys updates on the remote users' computers? While deploying the solution, you need to

ensure that the bandwidth use over the VPN connections is minimized and the required updates

are approved on the WSUS servers before they are installed on the client computers.

A. Perform client-side targeting using a GPO.

B. Create and configure a computer group for the remote users' computers to allow them to use

the internal WSUS server.

C. Deploy an additional WSUS server for the remote users' computers. Configure the additional

WSUS server to leave the updates on the Microsoft Update Web site.

D. Use Connection Manager Administration Kit (CMAK) to create a custom connection and then

deploy the custom connection to all of the remote users' computers.

E. None of the above

Answer: C

Explanation:

To deploy a patch management strategy that deploys updates on the remote users' computers,

you need to deploy an additional WSUS server. Configure the remote users' computers to use the

additional WSUS server. Configure the additional WSUS server to leave the updates on the

Microsoft Update Web site.

Microsoft Windows Server Update Services (WSUS) is the Microsoft provided solution for

enterprise patch management. Using WSUS, network administrators can manage and deploy

software updates for all of the Microsoft products in a network.

Using autonomous mode, the upstream server transmits update files to the downstream servers,

but nothing else. This means that individual computer groups and update approvals must be

configured for each particular downstream server. In this deployment type, you get the benefit of

optimized bandwidth usage with the flexibility of allowing individual site administrators to manage

computer groups and update approvals themselves.

In a typical WAN scenario the bandwidth is a restriction. It is common that remote network

locations will have a high speed connection to the internet but a rather low speed link back to the

main office, such as through a VPN. In these cases, an upstream server can manage update

approvals, but those remote downstream servers can be configured to download the approved

updates directly from the Internet as opposed to the upstream server. Therefore you need to

configure the additional WSUS server to leave the updates on the Microsoft Update Web site.

Reference : Deploying Microsoft Windows Server Update Services

http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION NO: 68

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

Which of the following options would you choose to design a Windows Server Update Services

(WSUS) infrastructure that ensures that the updates are distributed from a central location and all

computers must continue to receive updates in the event that a server fails? (Select two. Each

correct answer will present a part of the solution.)

A. Configure a single WSUS server to use multiple downstream servers.

B. Configure two WSUS servers in a Microsoft SQL Server 2005 failover cluster.

C. Configure a Microsoft SQL Server 2005 failover cluster.

D. Configure each WSUS server to use a RAID 1 mirror and a local database.

E. Configure each WSUS server to use a local database

F. Configure each WSUS server to use a RAID 5 array and a local database

G. Configure two WSUS servers in a Network Load Balancing cluster and then Configure WSUS

to use the remote SQL Server 2005 database instance.

Answer: C,G

Explanation:

To design a Windows Server Update Services (WSUS) infrastructure that ensures that the

updates are distributed from a central location and all computers must continue to receive updates

in the event that a server fails, you need to:

Configure a Microsoft SQL Server 2005 failover cluster. Configure two WSUS servers in a

Network Load Balancing cluster. Configure WSUS to use the remote SQL Server 2005 database

instance.

Network load balancing (NLB) is a strategy that can keep networks running even if one (or more)

servers go offline. It can be used in conjunction with WSUS, but requires special steps at setup

time. You should set up WSUS for NLB after configuring your SQL Server 2005 database as a

failover cluster.

Reference : Appendix C: Configure WSUS for Network Load Balancing

http://technet.microsoft.com/en-us/library/cc708533.aspx

QUESTION NO: 69

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers and the domain controllers on the

domain run Windows Server 2008 and all client computers run Windows Vista.

You have been assigned the task to generate a monthly report on the status of software updates

for the client computers. Your report should display all the updates including operating system and

Microsoft application updates that are installed successfully.

Your report should also display all the updates, including the operating system and Microsoft

application updates, that failed to install. You need to do this with the minimum amount of

administrative effort and at minimum cost.

Which of the following options would you choose to accomplish the desired task? (Select two.

Each correct answer will present a part of the solution.)

A. Install Microsoft System Center Essentials (Essentials) 2007.

B. Install Microsoft System Center Configuration Manager (SCCM) 2007.

C. Install Windows Software Update Services (WSUS) 3.0.

D. Deploy management agents on all client computers.

E. Configure Windows Update by using a Group Policy object (GPO).

F. Deploy Microsoft Baseline Security Analyzer (MBSA) 2.1 on the client computers.

G. Run MBSA on each client computer, and save the report to a shared folder on the network.

Answer: C,E

Explanation:

To generate the desired reports, you need to install Windows Software Update Services (WSUS)

3.0 and configure Windows Update by using a Group Policy object (GPO).

The easiest way to configure automatic updates is through the group policy, in environments

where this is possible. If group policies (AD) are not available, you can use the registry file which

has to be deployed to every machine. This registry file, or group policy template if you're using

Active Directory, enables advanced features available with the new WSUS client.

Reports can be easily generated, but unfortunately only the WSUS server administrator can

generate them. ITSS can generate reports per groups, so if your clients are properly configured to

report their group, you can ask ITSS to schedule generation of reports for your groups.

You can also define the criteria of the report, so some events can be filtered. The criteria define

status of updates for machines, so the following can be used:

Installed - lists updates which have been successfully installed on the client machines.

Needed - lists updates which are needed, but have not been installed yet.

Not needed - lists updates which are available on the server, but are not needed for this particular

client.

Unknown - lists updates with unknown status.

Failed - lists updates which were downloaded by the client, but whose installation failed.

Reference : Microsoft Windows Server Update Services

http://www.auckland.ac.nz/security/MicrosoftWSUSGuidelines.htm

QUESTION NO: 70

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

Several servers on the corporate network of the company run Windows Server Update Services

(WSUS) and distribute updates to all computers on the internal network. The WSUS server is

configured to store updates locally.

The company has recently opened four new satellite offices that are connected to the main office

by using a dedicated WAN link. Internet access to the users of the satellite office is provided

through the main office.

Which of the following options would you choose to design a strategy for patch management that

ensures that the WSUS updates are approved independently for each satellite office with the use

of minimum Internet traffic? (Select two. Each correct answer will present a part of the solution.)

A. For each satellite office, create organizational units (OUs). Create and link the Group Policy

objects (GPOs) to the OUs.

B. In each satellite office, install a WSUS server.

C. Configure each satellite office WSUS server as a replica of the main office WSUS server.

D. Configure each satellite office WSUS server as an autonomous server.

E. Configure different schedules to download updates from the main office WSUS server to the

client computers in each satellite office.

F. Configure each satellite office WSUS server to use the main office WSUS server as an

upstream server.

Answer: B,F

Explanation:

To design a strategy for patch management that ensures that the WSUS updates are approved

independently for each satellite office and the minimum Internet traffic used, you need to install a

WSUS server in each satellite office and then configure each satellite office WSUS server to use

the main office WSUS server as an upstream server.

A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode,

the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It

is also the only server that an administrator has to manually configure computer groups and

update approvals on.

All information downloaded and configured on to an upstream server is replicated directly to all of

the devices configured as downstream servers. Using this method you will save a great deal of

bandwidth as only one computer is constantly updating from the Internet. More importantly

however, you will save a countless amount of time since you are only managing one server now

from a software standpoint.

Using autonomous mode, the upstream server transmits update files to the downstream servers,

but nothing else. This means that individual computer groups and update approvals must be

configured for each particular downstream server. In this deployment type, you get the benefit of

optimized bandwidth usage with the flexibility of allowing individual site administrators to manage

computer groups and update approvals themselves.

Reference : Deploying Microsoft Windows Server Update Services

http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION NO: 71

You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows

Server 2008 and all client computers run Windows Vista.

A server on the corporate network of the company runs Windows Server Update Services (WSUS)

and distributes updates to all computers on the internal network after obtaining updates online

from the Microsoft Update Web site.

Recently a network segment of the corporate network was disconnected from the rest of the network.

The users on the disconnected network segment reported that they cannot access the Internet

and the WSUS server.

Which of the following options would you choose to recommend a patch management strategy to

deploy updates to the computers that are on the disconnected network segment?

A. Deploy a WSUS server on the secure network.

B. Download the wsusscn2.cab file from the Microsoft Update Web site.

C. Copy the wsusscn2.cab file to a computer on the secure network.

D. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS

server on the secure network.

E. From the online WSUS server, regularly copy the web.config file and the default Web site home

directory to the WSUS server on the secure network.

F. Scan the entire secure network by running Microsoft Baseline Security Analyzer against the

wsusscn2.cab file that you downloaded.

Answer: A,D

Explanation:

To recommend a patch management strategy to deploy updates to the computers that are on the

disconnected network segment, you need to deploy a WSUS server on the secure network. From

the online WSUS server, copy the update metadata and the WSUS content to the WSUS server

on the secure network.

If your environment demands a network segment be disconnected from the Internet, or

disconnected from the rest of your network altogether, don't think you need to resort to the

"sneaker net" method of patch distribution. Simply build a stand-alone WSUS server and import

updates from removable media such as tape or DVD-ROM.

The process of exporting the updates from an Internet-connected server, and then importing them

into your disconnected one is well documented in the WSUS Deployment Guide. However, here

are the steps at a high level to give you an idea of the process.

1. Build your stand-alone WSUS server and configure its language and express installation

options to match those of the Internet-connected WSUS server that will provide updates.

2. Copy the update content directory from the Internet-connected WSUS server to removable

media. Remember that this content directory may be quite large (multi-gigabytes) so you may

need to resort to tape, dual-layer DVD, or an external USB hard drive.

3. Export and copy the update metadata from the Internet-connected WSUS server's database to

removable media.

4. Copy the update content from removable media onto the disconnected WSUS server.

5. Import the update metadata from removable media into the disconnected WSUS server's

database.

Reference : Advanced Deployment Options / Offline Updates

http://www.wsuswiki.com/AdvDeployOptions

QUESTION NO: 72

You are an Enterprise administrator for CertKiller.com. The company has a head office and two

branch offices. All the servers on the network run Windows Server 2008 and all client computers

run Windows Vista.

A server on the corporate network of the company runs Windows Server Update Services (WSUS)

and distributes updates to all computers on the internal network.

The WSUS server is configured to store updates locally.

The branch offices connect to the head office by using a dedicated WAN link.

You need to design a patch management strategy for the corporate network that would ensure

that the branch offices get updates from the head office. The WSUS updates must also be

approved independently for each branch office, without increasing the Internet traffic too much.

Which of the following options would you choose to accomplish the desired task?

A. For each branch office, create organizational units (OUs). Create and link the Group Policy

objects (GPOs) to the OUs.

B. In each branch office, install a WSUS server.

C. Configure each branch office WSUS server as a replica of the main office WSUS server.

D. Configure each branch office WSUS server as an autonomous server.

E. Configure different schedules to download updates from the main office WSUS server to the

client computers in each branch office.

F. Configure each branch office WSUS server to use the main office WSUS server as an upstream

server.

Answer: B,F

Explanation:

To design a patch management strategy for the corporate network that would ensure that the

branch offices would get updates from the head office, you need to install a WSUS server in each

branch office and configure each branch office WSUS server to use the head office WSUS server

as an upstream server.

A WSUS hierarchy supports two modes, autonomous mode (which we will discuss later) and

replica mode. In replica mode, the upstream server is the only WSUS server that downloads its

updates from Microsoft Update. It is also the only server on which an administrator has to manually

configure computer groups and update approvals. All information downloaded and configured

on an upstream server is replicated directly to all of the devices configured as downstream

servers. Using this method you will save a great deal of bandwidth, as only one computer is

constantly updating from the Internet. More importantly, however, you will save a great deal

of time, since you are now managing only one server from a software standpoint.

Using autonomous mode, the upstream server transmits update files to the downstream servers,

but nothing else. This means that individual computer groups and update approvals must be

configured for each particular downstream server. In this deployment type, you get the benefit of

optimized bandwidth usage with the flexibility of allowing individual site administrators to manage

computer groups and update approvals themselves.

Reference : Deploying Microsoft Windows Server Update Services

http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION NO: 73

You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows

Server 2008.

The corporate network contains a Windows Server 2008 server that runs Windows Server Update

Services (WSUS), which was configured to store updates locally.

The company has recently opened a few satellite offices that are connected to the main office

using a dedicated WAN link.

Which of the following options would you choose to design a patch management strategy to

ensure that WSUS updates are approved from a central location and WAN traffic is minimized

between the branch office and the satellite offices?

A. For each satellite office, create organizational units (OUs). Create and link the Group Policy

objects (GPOs) to the OUs.

B. In each satellite office, install a WSUS server.

C. Configure each satellite office WSUS server as a replica of the main office WSUS server.

D. Configure each satellite office WSUS server as an autonomous server.

E. Configure different schedules to download updates from the main office WSUS server to the

client computers in each satellite office.

F. Configure each satellite office WSUS server to use the main office WSUS server as an

upstream server.

Answer: B,F

Explanation:

To design a patch management strategy to ensure that WSUS updates are approved from a

central location and WAN traffic is minimized between the branch office and the satellite offices,

you need to install a WSUS server in each satellite office and configure each satellite office WSUS

server as a replica of the branch office WSUS server.

A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode,

the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It

is also the only server on which an administrator has to manually configure computer groups and

update approvals. All information downloaded and configured on an upstream server is

replicated directly to all of the devices configured as downstream servers.

Using this method you will save a great deal of bandwidth, as only one computer is constantly

updating from the Internet. More importantly, however, you will save a great deal of time,

since you are now managing only one server from a software standpoint.

Reference : Deploying Microsoft Windows Server Update Services

http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION NO: 74

You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows

Server 2008.

Several servers on the corporate network of the company run Windows Server Update Services

(WSUS) and distribute updates to all computers on the internal network.

The company has many remote users that connect to the internal network from their personal

computers using a split-tunnel VPN connection.

You need to deploy a patch management strategy that deploys updates to the remote users'

computers. How would you ensure that the required updates are approved on the WSUS servers

before they are installed on the client computers, while using the minimum bandwidth?

A. Implement client-side targeting by creating a Group Policy object (GPO).

B. Create and configure a computer group for the remote users' computers to use the internal

WSUS server.

C. Deploy and configure an additional WSUS server to leave the updates on the Microsoft Update

Web site and then configure the remote users to use the additional WSUS server.

D. Use the Connection Manager Administration Kit (CMAK) to create a custom connection and

deploy it to all of the remote users' computers.

E. None of the above

Answer: C

Explanation:

To deploy a patch management strategy that deploys updates on the remote users' computers,

you need to deploy an additional WSUS server. Configure the remote users' computers to use the

additional WSUS server. Configure the additional WSUS server to leave the updates on the

Microsoft Update Web site.

WSUS is a client-pull system, not a server-push. That is, the client initiates the connection and

downloads, not the server. As long as they can communicate, they will. Also keep in mind that the

connection is not continuous. The client only checks in once a day. It also uses BITS to transfer

the downloads, so if the VPN connection is disconnected in the middle, it will automatically recover

when it next connects to the server. BITS will also attempt to not saturate your bandwidth, but a

problem with BITS is that it measures bandwidth by the connection at your network device (NIC,

modem, etc.), not the bandwidth along the entire path to the server. Of course, this may have

changed in more recent versions of BITS.

Reference : WSUS Forums>Technical Support>WSUS 3 Server

http://www.wsus.info/forums/index.php?showtopic=11464

QUESTION NO: 75

You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows

Server 2008. The company consists of 10,000 computers.

Which of the following options would you choose to design a storage architecture for Windows

Server Update Services (WSUS) updates to ensure that the WSUS updates are highly available?

A. Configure the WSUS servers to use a RAID 0 hardware controller and then store the WSUS

updates on each WSUS server.

B. Use a remote file share to store the WSUS updates.

C. Store the WSUS updates on a multihomed network file server. Create two host (A) resource

records for the WSUS servers.

D. Store the WSUS updates on a Distributed File System (DFS) link that uses multiple replicating

targets.

E. None of the above

Answer: D

Explanation:

Distributed File System (DFS) is a strategic storage management solution that gives

administrators a more flexible way to centrally manage their distributed resources. With DFS,

administrators can create simplified views of folders and files, that is, a virtual organization called a

namespace, regardless of where those files physically reside in a network.

You should create a single file location that is available to all the front-end WSUS servers. Even if

you do not store updates locally, you will need a location for End User License Agreement files.

You may wish to do so by storing them on a Distributed File System share.

It is not necessary to use a DFS share with an NLB cluster. You can use a standard network

share, and you can ensure redundancy by storing updates on a RAID controller.

Reference : Step 4: Set up a DFS share

http://technet.microsoft.com/en-us/library/cc708533.aspx

Section 2, Monitor servers for performance evaluation and optimization (7 Questions)

QUESTION NO: 76

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The File Server role is installed on 10 servers in the domain. You have been asked to monitor

the file servers and ensure that administrators can create reports that display

folder usage by different Active Directory groups, receive automatic e-mail notifications if any

volume has less than 500 MB of free space, and enforce file storage quotas.

How would you configure each File server to accomplish the desired task?

A. Configure Windows System Resource Manager (WSRM) feature and Event Subscriptions

B. Configure NTFS quotas and Event Viewer tasks

C. Configure NTFS quotas and Performance Monitor alerts

D. Configure the File Server Resource Manager (FSRM) role service and Quota Management and

Storage Reports Management

E. None of the above.

Answer: D

Explanation:

FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server

2008. You can use FSRM to enhance your ability to manage and monitor storage activities on

your file server.

The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event

Log Integration, E-mail Notifications, and Automated Scripts.

You can use FSRM to limit the size of a folder to 2 GB and log an event when the quota

limit is reached, or to e-mail an administrator whenever a specific folder reaches 85% of its

specified quota. You can also create a file screen to prevent users from saving video/audio files

to a share and send notifications when users attempt to do that, and schedule and publish

periodic storage reports that show how much space is being used by each user. You can also use

it to automatically execute a script when a folder size exceeds 500 MB to clean up stale data in

the folder.

Reference : The Basics of Windows Server 2008 FSRM (File Server Resource Manager)

http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-server-resource-manager.aspx

QUESTION NO: 77

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest. All the servers in the forest run Windows Server 2008

and all client computers run Windows Vista.

You have been assigned the task to monitor the performance of the servers of the sales

department of the company that consists of 600 Windows Server 2008 servers.

You need to generate alerts when the average processor usage is higher than 90 percent for 20

minutes and automatically adjust the processor monitoring threshold to allow for temporary

changes in the workload.

Which of the following options would you choose to accomplish the desired task?

A. Use Microsoft System Center Configuration Manager (SCCM).

B. Use Windows System Resource Manager (WSRM).

C. Use Microsoft Windows Reliability and Performance Monitor.

D. Use Microsoft System Center Operations Manager (SCOM).

E. None of the above

Answer: D

Explanation:

To generate alerts when the average processor usage is higher than 90 percent for 20 minutes

and automatically adjust the processor monitoring threshold to allow for temporary changes in the

workload, you need to deploy Microsoft System Center Operations Manager (SCOM).

System Center Operations Manager 2007 (SCOM 2007) is a new version of Microsoft Operations

Manager 2005 (MOM). It is the end-to-end service monitoring solution that lets you monitor

clients, events, services, applications, and network devices rather than just servers. It provides

integration with Active Directory for user authentication and agent discovery.

It provides Active Directory integration, Service Oriented Monitoring, Self-Tuning Threshold,

Enhanced Reporting, Windows computer monitoring, and much more.

Reference : From MOM to SCOM

http://pcquest.ciol.com/content/enterprise/2007/107070501.asp

Reference : Self Tuning Thresholds - love and hate

http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-love-and-hate.aspx

QUESTION NO: 78

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network consists of a server called CertKillerServer1 that has the Terminal Services role

installed. You need to monitor CertKillerServer1 and prevent users from consuming more than 15

percent of the CPU resources in a day.

You also need to ensure that administrators are not limited in the amount of CPU

resources that they can consume. Which of the following options would you choose to accomplish

the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. Configure Reliability and Performance

B. Create user-defined Data Collector Set.

C. Configure session policies.

D. Implement Windows System Resource Manager (WSRM)

E. Configure user policies.

F. Create an Event Trace Session Data Collector Set.

Answer: D,E

Explanation:

To monitor CertKillerServer1 and prevent users from consuming more than 15 percent of the CPU

resources in a day, you need to implement Windows System Resource Manager (WSRM), and

configure user policies.

Microsoft Windows System Resource Manager (WSRM) provides resource management and

enables the allocation of resources, including processor and memory resources, among multiple

applications based on business priorities.

WSRM enables a system administrator to set CPU and memory allocation policies on

applications (this includes selecting processes to be managed and setting resource usage

targets or limits), manage CPU utilization (percent CPU in use), limit the process working set size

(physical resident pages in use), apply policies to users or groups on a Terminal Services

application server, apply policies on a date/time schedule, and much more.

WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of

the negative system impact such management could create. WSRM also applies limits to process

working set size and committed memory consumption. WSRM does not manage address

windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.

Reference : Windows System Resource Manager Fast Facts

http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx

QUESTION NO: 79

Which of the following options would you choose to monitor the performance of 200 Windows

Server 2008 servers and generate alerts when the average processor usage is higher than 70

percent for 15 minutes and automatically adjust the processor monitoring threshold to allow for

temporary changes in the workload?

A. Deploy Microsoft System Center Configuration Manager (SCCM).

B. Install Windows System Resource Manager (WSRM).

C. Configure Microsoft Windows Reliability and Performance Monitor.

D. Deploy Microsoft System Center Operations Manager (SCOM).

E. None of the above

Answer: D

Explanation:

To generate alerts when the average processor usage is higher than 90 percent for 20 minutes

and automatically adjust the processor monitoring threshold to allow for temporary changes in the

workload, you need to deploy Microsoft System Center Operations Manager (SCOM).

System Center Operations Manager 2007 (SCOM 2007) is a new version of Microsoft Operations

Manager 2005 (MOM). It is the end-to-end service monitoring solution that lets you monitor

clients, events, services, applications, and network devices rather than just servers. It provides

integration with Active Directory for user authentication and agent discovery.

It provides Active Directory integration, Service Oriented Monitoring, Self-Tuning Threshold,

Enhanced Reporting, Windows computer monitoring, and much more.

Reference : From MOM to SCOM

http://pcquest.ciol.com/content/enterprise/2007/107070501.asp

Reference : Self Tuning Thresholds - love and hate

http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-love-and-hate.aspx

QUESTION NO: 80

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network consists of a server called CertKillerServer1 that has the Windows SharePoint Services

(WSS) role installed. The server hosts 30 SharePoint sites.

You have been asked to optimize the performance of CertKillerServer1 by allocating an equal

amount of system resources to each SharePoint site when CPU utilization exceeds 70 percent.

Which of the following options would you choose to accomplish the given task? (Select Two. Each

correct answer will present a part of the answer.)

A. Configure each SharePoint site to use a separate application pool.

B. Configure each SharePoint site to use a separate IP address.

C. Implement Windows System Resource Manager (WSRM).

D. Implement File Server Resource Manager (FSRM).

Answer: A,C

Explanation:

To optimize the performance of CertKillerServer1 by allocating an equal amount of system

resources to each SharePoint site when CPU utilization exceeds 70 percent, you need to

configure each SharePoint site to use a separate application pool and implement Windows System

Resource Manager (WSRM).

Microsoft Windows System Resource Manager (WSRM) provides resource management and

enables the allocation of resources, including processor and memory resources, among multiple

applications based on business priorities.

WSRM enables a system administrator to manage CPU utilization (percent CPU in use), limit the

process working set size (physical resident pages in use), and set CPU and memory allocation

policies on applications. This includes selecting processes to be managed and setting resource

usage targets or limits.

WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of

the negative system impact such management could create. WSRM also applies limits to process

working set size and committed memory consumption. WSRM does not manage address

windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.

Reference : Windows System Resource Manager Fast Facts

http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx

QUESTION NO: 81

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

You install an application on a Windows Server 2008 failover cluster that contains a node named

CertKillerServer1.

Which of the following options would you choose to ensure that 50 percent of the processor

utilization and the memory utilization can be reserved for the application execution? (Select Two.

Each correct answer will present a part of the answer.)

A. Implement Windows System Resource Manager (WSRM)

B. Implement File Server Resource Manager (FSRM)

C. Implement Storage Manager for SANs (SMfS)

D. Configure a resource-allocation policy for user-based management.

E. Configure a resource-allocation policy for process-based management.

F. Configure quotas.

G. Configure the LUN Management settings.

Answer: A,E

Explanation:

To ensure that 50 percent of the processor utilization and the memory utilization can be reserved

for the application execution, you need to implement Windows System Resource Manager

(WSRM) and configure a resource-allocation policy for process-based management.

Microsoft Windows System Resource Manager (WSRM) provides resource management and

enables the allocation of resources, including processor and memory resources, among multiple

applications based on business priorities.

WSRM enables a system administrator to manage CPU utilization (percent CPU in use), limit the

process working set size (physical resident pages in use), and set CPU and memory allocation

policies on applications. This includes selecting processes to be managed and setting resource

usage targets or limits.

WSRM maintains an updatable exclusion list of processes that shouldn't be managed because of

the negative system impact such management could create. WSRM also applies limits to process

working set size and committed memory consumption. WSRM does not manage address

windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.

Reference : Windows System Resource Manager Fast Facts

http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx

QUESTION NO: 82

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The functional level of the domain is Windows Server

2008. All the servers in the domain run Windows Server 2008 and all client computers run

Windows Vista.

You need to plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an

e-mail notification is sent to an administrator if an application error occurs on any of the servers by

using the minimum amount of administrative effort.

Which of the following options would you choose to accomplish the desired task? (Select Two.

Each correct answer will present a part of the answer.)

A. On all servers, create event subscriptions for one server.

B. On one server, create event subscriptions for each server.

C. On one server, create an Event Trace Sessions Data Collector Set.

D. On all servers, attach a task for the application error events.

E. On the server, attach tasks to the application error events.

F. On the servers, create a System Performance Data Collector Set.

G. On the server, configure the report settings for the new Data Collector set.

Answer: B,E

Explanation:

To plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an e-mail

notification is sent to an administrator if an application error occurs on any of the servers by using

the minimum amount of administrative effort, you need to create event subscriptions for each

server on one server and attach tasks to the application error events.

Event Viewer enables you to view events on a single remote computer. However, troubleshooting

an issue might require you to examine a set of events stored in multiple logs on multiple

computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and

store them locally. To specify which events to collect, you create an event subscription. Among

other details, the subscription specifies exactly which events will be collected and in which log they

will be stored locally. Once a subscription is active and events are being collected, you can view

and manipulate these forwarded events as you would any other locally stored events.

Reference : Event Subscriptions

http://technet.microsoft.com/en-us/library/cc749183.aspx

Section 3, Monitor and maintain security and policies (4 Questions)

QUESTION NO: 83

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The functional level of the domain is Windows Server

2008. All the domain controllers on the domain run Windows Server 2008 and all client computers

run Windows Vista.

The network contains 1,000 client computers that are connected to managed switches. You have

been asked to ensure that users on the corporate network are unable to bypass network access

restrictions and only client computers that have up-to-date service packs and anti-malware

software installed can access the network.

Which of the following options would you choose to accomplish the desired task? (Select Two.

Each correct answer will present a part of the answer.)

A. Implement Network Access Protection (NAP)

B. Implement a Network Policy Server (NPS)

C. Use 802.1x enforcement

D. Use DHCP enforcement.

E. Enable IPsec on the domain controllers

F. Enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed

switches.

Answer: A,C

Explanation:

To ensure that users on the corporate network are unable to bypass network access restrictions

and only client computers that have up-to-date service packs and anti-malware software installed

can access the network, you need to implement Network Access Protection (NAP) that uses

802.1x enforcement.

Network Access Protection (NAP) is one of the most desired and highly anticipated features of

Windows Server 2008. NAP is a new platform and solution that controls access to network

resources based on a client computer's identity and compliance with corporate governance policy.

NAP allows network administrators to define granular levels of network access based on who a

client is, the groups to which the client belongs, and the degree to which that client is compliant

with corporate governance policy. If a client is not compliant, NAP provides a mechanism to

automatically bring the client back into compliance and then dynamically increase its level of

network access.

With 802.1X enforcement, a computer must be compliant to obtain unlimited network access

through an 802.1X-authenticated network connection.

Administrators can create solutions for validating computers that connect to or communicate on

their networks, provide needed updates or access to needed resources, and limit the network

access of computers that are noncompliant. The validation and enforcement features of NAP can

be integrated with software from other vendors or with custom programs.

Note: NAP is not designed to protect a private network from malicious users. It is designed to help

administrators maintain the system health of the computers on a private network. NAP is used in

conjunction with authentication and authorization of network access, such as using IEEE 802.1X

for wireless access.

Reference : Network Access Protection Platform Overview

http://technet.microsoft.com/hi-in/library/bb878083(en-us).aspx

Reference : Security and Policy Enforcement

http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx

QUESTION NO: 84

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The functional level of the domain is Windows Server

2008. All the domain controllers on the domain run Windows Server 2008 and all client computers

run Windows Vista.

The network contains three Network Policy Server (NPS) servers that are configured as Remote

Authentication Dial-In User Service (RADIUS) servers. The servers are named as

CertKillerServer1, CertKillerServer2, and CertKillerServer3.

The network also contains 30 wireless access points that are configured as RADIUS clients.

Which of the following options would you choose to audit all access to the wireless access points?

You need to ensure that, at minimum cost, the audit data is stored at a central location

and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.

Which of the following options would you choose to accomplish the desired task? (Select Two.

Each correct answer will present a part of the answer.)

A. Install Microsoft SQL Server 2005 Standard Edition on CertKillerServer1.

B. Audit for account logon events on the domain controllers.

C. Audit for logon events on the NPS servers.

D. Configure RADIUS accounting by using local file logging on each server.

E. Configure RADIUS accounting by using SQL logging on each server and use

CertKillerServer1 as the data source.

F. Configure RADIUS authentication.

G. Forward all events from CertKillerServer2 and CertKillerServer3 to CertKillerServer1.

H. Store the log files in an Internet Authentication Service (IAS) format on a shared folder on

CertKillerServer1.

Answer: D,H

Explanation:

To ensure that the audit data is stored at a central location at minimum cost and that all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to configure RADIUS accounting by using local file logging on each server and store the log files in an Internet Authentication Service (IAS) format on a shared folder on CertKillerServer1.

Rather than configuring network access policy at each network access server, such as wireless

access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create

policies in a single location that specify all aspects of network connection requests, including who

is allowed to connect, when they can connect, and the level of security they must use to connect

to your network.

When you create a new RADIUS client or modify the settings of an existing RADIUS client from the RADIUS Clients node of the Network Policy Server snap-in, there is a "RADIUS client is NAP-capable" check box. When this check box is selected, the NPS service sends NAP-specific RADIUS vendor-specific attributes (VSAs) in the Access-Accept message. When this check box is not selected, the NPS service does not send NAP-specific RADIUS VSAs in the RADIUS Access-Accept message.

Reference : What is the NAP client doing /The "RADIUS client is NAP-capable" check box

http://blogs.technet.com/nap/default.aspx

QUESTION NO: 85

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The functional level of the domain is Windows Server

2008. All the domain controllers on the domain run Windows Server 2008 and all client computers

run Windows Vista.

Which of the following options would you choose to plan a network access solution that ensures

that only client computers that have the most up-to-date service packs can be granted general

network access and all noncompliant client computers must be redirected to a specific Web site?

A. Use Windows Server Update Service (WSUS)

B. Use Active Directory Rights Management Services (AD RMS)

C. Use Domain Isolation

D. Use Network Access Protection (NAP)

E. None of the above

Answer: D

Explanation:

To plan a network access solution that ensures that only client computers that have the most up-to-date service packs can be granted general network access and all noncompliant client computers must be redirected to a specific Web site, you need to implement Network Access Protection (NAP).

Network Access Protection (NAP) is one of the most desired and highly anticipated features of

Windows Server 2008. NAP is a new platform and solution that controls access to network

resources based on a client computer's identity and compliance with corporate governance policy.

NAP allows network administrators to define granular levels of network access based on who a

client is, the groups to which the client belongs, and the degree to which that client is compliant

with corporate governance policy. If a client is not compliant, NAP provides a mechanism to

automatically bring the client back into compliance and then dynamically increase its level of

network access.

With 802.1X enforcement, a computer must be compliant to obtain unlimited network access

through an 802.1X-authenticated network connection.

Administrators can create solutions for validating computers that connect to or communicate on

their networks, provide needed updates or access to needed resources, and limit the network

access of computers that are noncompliant. The validation and enforcement features of NAP can

be integrated with software from other vendors or with custom programs.

Note: NAP is not designed to protect a private network from malicious users. It is designed to help

administrators maintain the system health of the computers on a private network. NAP is used in

conjunction with authentication and authorization of network access, such as using IEEE 802.1X

for wireless access.

Reference : Network Access Protection Platform Overview

http://technet.microsoft.com/hi-in/library/bb878083(en-us).aspx

Reference : Security and Policy Enforcement

http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx

QUESTION NO: 86

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. The functional level of the domain is Windows Server

2008. All the servers and domain controllers in the domain run Windows Server 2008 and all client

computers run Windows Vista.

The network contains three Network Policy Server (NPS) servers that are configured as Remote

Authentication Dial-In User Service (RADIUS) servers. The servers are named as

CertKillerServer1, CertKillerServer2, and CertKillerServer3. The CertKillerServer1 runs Microsoft

SQL Server 2005.

The network also contains 30 wireless access points that are configured as RADIUS clients.

Which of the following options would you choose to audit access to the wireless access points?

You need to ensure that the audit data is stored at a central location in a format that is simple to

query and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.

Which of the following options would you choose to accomplish the desired task? (Select Two.

Each correct answer will present a part of the answer.)

A. Audit for account logon events on the domain controllers

B. Configure RADIUS accounting by using SQL logging on each server

C. Use CertKillerServer1 as the database for RADIUS accounting.

D. Forward all security events from the NPS servers to CertKillerServer1.

E. Audit for logon events on the NPS servers

F. Forward all security events from CertKillerServer2 and CertKillerServer3 to CertKillerServer1.

Answer: B,C

Explanation:

To ensure that the audit data is stored at a central location in a format that is simple to query and

all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to

configure RADIUS accounting by using SQL logging on each server and use CertKillerServer1 as the

database for RADIUS accounting.

The Internet Authentication Service (IAS) in Microsoft Windows Server is the Microsoft

implementation of a RADIUS server and proxy server. As a RADIUS server, IAS performs

centralized authentication, authorization, and accounting (AAA) of various types of network

connections. As a RADIUS proxy server, IAS can forward RADIUS requests to another RADIUS

server for AAA.

IAS can log to text logs or Microsoft SQL Server databases. Text based logging of RADIUS

authentication and accounting information is disabled by default in IAS.

You need to use CertKillerServer1 as the database for RADIUS accounting because SQL server is

installed on CertKillerServer1.

Reference : Chapter 5: Designing the RADIUS Infrastructure for Wireless LAN Security

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/PGCH05.mspx?mfr=true

QUESTION NO: 87

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run either Windows

Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

The network contains five Windows Server 2003 servers that have the Terminal Server

component installed and a firewall server runs Microsoft Internet Security and Acceleration (ISA)

Server 2006.

You have been assigned the task to create a remote access strategy for the terminal server users and ensure that access to the network is restricted to specific users only. You also need to ensure that only the minimum number of ports is opened on the firewall and that all remote connections to the terminal servers are encrypted.

Which of the following options would you choose to accomplish the desired task? (Select Two.

Each correct answer will present a part of the answer.)

A. Implement port forwarding on the ISA Server.

B. Implement SSL bridging on the ISA Server.

C. Require authentication on all inbound connections to the ISA Server.

D. Upgrade a Windows Server 2003 server to Windows Server 2008.

E. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services

connection authorization policy (TS CAP) on the server.

F. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource

authorization policy (TS RAP) on the server.

Answer: D,E

Explanation:

To create a remote access strategy with desired requirements for the terminal server users, you

need to implement the Terminal Services Gateway (TS Gateway) role, and configure a Terminal

Services connection authorization policy (TS CAP). For this you need to upgrade a Windows

Server 2003 server to Windows Server 2008.

The TS Gateway feature is available in Windows Server 2008. It allows the connection to internal Terminal servers and RDP-enabled machines from the outside, but unlike the term "gateway" used in the previous scenario, the Windows Server 2008 TS Gateway is a dedicated Terminal server using a specific service role called TS Gateway.

This enables the external vendors to connect to it via SSL, pass a certain authentication process

and policy evaluation, and only if allowed, it passes the RDP traffic to specified internal machines.

These machines return the required data, and the TS Gateway then encrypts the data with SSL

and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-

based encryption, which easily passes through most firewalls without the need to open specific

ports.

For remote clients to successfully connect to internal network resources (computers) through a

Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured

correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer

(SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly.

Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS

Gateway server. The use of TS CAP will ensure that the access of the network is restricted to

specific users only.

Reference : Creating a Secure and Auditable Remote Access and Management Environment /

Remote access and management of servers from a remote network via a dedicated RDP gateway

http://www.petri.co.il/creating-secure-auditable-remote-access-management-environment-windows-server-security.htm

Reference : TS Gateway Server Configuration

http://technet.microsoft.com/en-us/library/cc727371.aspx

Reference : Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part2.html

QUESTION NO: 88

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The domain has 100 servers and 5,000 client computers. You have been assigned the task to

recommend an application deployment strategy for the network. While designing the strategy, you

need to ensure that the application deployments must be scheduled to occur after office hours

and must only be deployed to the client computers that meet the minimum hardware requirements.

Besides, the detailed reports on the success or failure of the application deployments must be

generated. Which of the following options would you choose to accomplish the desired goal?

A. Use Microsoft System Center Operations Manager (SCOM) 2007

B. Use Microsoft System Center Configuration Manager (SCCM) 2007

C. Use Windows Software Update Services (WSUS)

D. Deploy applications by using Group Policy

E. None of the above

Answer: B

Explanation:

To recommend an application deployment strategy for the network, you need to implement

Microsoft System Center Configuration Manager (SCCM) 2007.

System Center Configuration Manager 2007 is the next version of Systems Management Server

(SMS) 2003. Configuration Manager 2007 contributes to a more effective IT department by

enabling secure and scalable operating system and application deployment and desired

configuration management, enhancing system security, and providing comprehensive asset

management of servers, desktops, and mobile devices.

SCCM 2007's new maintenance, configuration-tracking and updated reporting features make it a

must-have for large Windows sites.

SCCM sports a new feature called Maintenance Windows that lets administrators schedule the

best day and time for patches and updates for specific sets of computers and servers.

Reference : System Center Configuration Manager

http://technet.microsoft.com/en-us/configmgr/default.aspx

Reference : Big Efficiencies for Big Environments

http://redmondmag.com/features/article.asp?editorialsid=2518

QUESTION NO: 89

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista. The servers on the network have the Terminal

Services role enabled.

You have been assigned the task to deploy a new line-of-business application to all client

computers and ensure that the users must access the application from an icon on their desktops,

even when they are not connected to the network.

Which of the following options would you choose to accomplish the desired task?

A. Publish the application as a TS RemoteApp.

B. Assign the application to the terminal server by using a Group Policy object (GPO).

C. Publish the application by using TS Web Access.

D. Assign the application to all client computers by using a Group Policy object (GPO).

E. None of the above

Answer: D

Explanation:

There are two different ways that you can deploy an application through the Active Directory. You

can either publish the application or you can assign the application. You can only publish

applications to users, but you can assign applications to either users or to computers.

Assigning an application is a group policy action, so the assignment won't take effect until the next

time that the computer is rebooted. When the user does log in, they will see that the new

application has been added to the Start menu and / or to the desktop. The deployment process

actually installs the application rather than just the application's icon.

You need to assign the application to all client computers and not to the terminal server because

the application icon will be available to users only when it is installed on their client computers and

not on terminal servers.

Reference : Using Group Policy to Deploy Applications

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

QUESTION NO: 90

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network contains 100 servers and 5,000 client computers. Microsoft Office Outlook 2007 is

installed on all the client computers.

Recently the marketing department has received a custom application that needs to be run by all the

employees of the department. The application requires access to Outlook 2003.

Which of the following options would you choose to suggest an application deployment strategy for

the network that would ensure that access to both Outlook 2003 and Outlook 2007 is provided

without creating a conflict between Outlook 2003 and Outlook 2007 and the other applications

installed on the computers?

You also need to ensure that 50 concurrent sessions are supported and the additional training

requirements are minimized.

A. Use a Microsoft Application Compatibility Toolkit (ACT) application compatibility shim for all the

computers in the marketing department.

B. Install Outlook 2003 on a server and enable Remote Desktop on it.

C. Configure the Terminal Services server role on a server, install Outlook 2003 on the terminal

server, and publish Outlook 2003 as a TS RemoteApp.

D. Use a Group Policy object (GPO) to assign Outlook 2003 to all computers in the marketing

department.

E. None of the above

Answer: C

Explanation:

To suggest an application deployment strategy for the network to meet the given requirements,

you need to configure the Terminal Services server role on a server. Install Outlook 2003 on the

terminal server and publish Outlook 2003 as a Terminal Services RemoteApp (TS RemoteApp).

With Terminal Services, organizations can provide access to Windows-based programs from

almost any location to almost any computing device. Terminal Services in Windows Server 2008

includes Terminal Services RemoteApp (TS RemoteApp).

RemoteApp programs are programs that are accessed remotely through Terminal Services and

appear as if they are running on the end user's local computer. Instead of being presented to the

user in the desktop of the remote terminal server, the RemoteApp program is integrated with the

client's desktop, running in its own resizable window with its own entry in the taskbar.

Users can run RemoteApp programs side-by-side with their local programs. If a user is running

more than one RemoteApp program on the same terminal server, the RemoteApp programs will

share the same Terminal Services session.

With TS RemoteApp you do not have to deploy and maintain different versions of the same

program for individual computers. If employees need to use multiple versions of a program, you

can install those versions on one or more terminal servers, and users can access them through

TS RemoteApp.

Reference : TS RemoteApp Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc730673.aspx

QUESTION NO: 91

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network contains five servers on which Terminal Services role is installed. You have been

assigned the task to create a Terminal Services server farm and ensure that the new users are

automatically connected to the terminal server that has the fewest active sessions.

You also need to ensure that the disconnected users are redirected to the server that contains

their previous session. Which of the following options would you choose to accomplish the given

task?

A. Use Terminal Services Session Broker (TS Session Broker)

B. Use Round-robin DNS

C. Use Terminal Services Gateway (TS Gateway)

D. Use Network Load Balancing (NLB)

E. None of the above

Answer: A

Explanation:

To create a Terminal Services server farm with given requirements, you need to use Terminal

Services Session Broker (TS Session Broker).

Terminal Services Session Broker (TS Session Broker) is a role service in Windows Server® 2008

that enables a user to reconnect to an existing session in a load-balanced terminal server farm.

Additionally, Windows Server 2008 includes the new TS Session Broker Load Balancing feature.

This feature enables you to distribute the session load between servers in a load-balanced

terminal server farm.

TS Session Broker stores session state information that includes session IDs and their associated

user names, and the name of the server where each session resides.

In the second phase, the terminal server where the initial connection was made redirects the user

to the terminal server that was specified by TS Session Broker. The redirection behavior is as

follows:

A user with an existing session will connect to the server where their session exists.

A user without an existing session will connect to the terminal server that has the fewest sessions.

Reference : Terminal Services Session Broker (TS Session Broker)

http://technet.microsoft.com/en-us/library/cc731045.aspx

QUESTION NO: 92

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and use internal storage only and all client computers run Windows Vista.

The network contains a file server. You have been assigned the task to deploy a client/server

application at minimum cost in such a way that it is available even if a single server fails.

Which of the following features would you deploy to accomplish the desired task?

A. Terminal Services RemoteApp (TS RemoteApp)

B. Failover cluster that uses Node and File Share Disk Majority

C. Distributed File System (DFS) that uses replication

D. Failover cluster that uses No Majority: Disk Only

E. None of the above

Answer: B

Explanation:

To deploy a client/server application at minimum cost in such a way that it is available even if a

single server fails, you need to deploy a failover cluster that uses Node and File Share Disk

Majority.

The quorum configuration in a failover cluster determines the number of failures that the cluster

can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in

this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the

cluster configuration) or witness file share. It is essential that the cluster stop running if too many

failures occur or if there is a problem with communication between the cluster nodes.

Node and Disk Majority (recommended for clusters with an even number of nodes): Can sustain failures of half the nodes (rounding up) if the witness disk remains online. For example, a six node cluster in which the witness disk is online could sustain three node failures. Can sustain failures of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a six node cluster with a failed witness disk could sustain two (3-1=2) node failures.

Node and File Share Majority (for clusters with special configurations): Works in a similar way to Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share. Note that if you use Node and File Share Majority, at least one of the available cluster nodes must contain a current copy of the cluster configuration before you can start the cluster. Otherwise, you must force the starting of the cluster through a particular node.

Reference : Understanding Quorum Configurations in a Failover Cluster

http://technet.microsoft.com/en-us/library/cc731739.aspx

QUESTION NO: 93

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network contains five Windows Server 2008 servers that have the Terminal Server

component installed.

You have been assigned the task to create a remote access strategy for the terminal server users

and ensure that the remote users can access only specific resources on the internal network. You

also need to ensure that all remote connections to the terminal servers are encrypted.

Which of the following options would you choose to accomplish the desired task? (Select Two.

Each correct answer will present a part of the answer.)

A. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource

authorization policy (TS RAP) on the server.

B. Require authentication on all inbound connections to the Server.

C. Upgrade a Windows Server 2003 server to Windows Server 2008.

D. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services

connection authorization policy (TS CAP) on the server.

E. Configure TS Gateway server to use an appropriate Secure Sockets Layer (SSL)-compatible

X.509 certificate.

Answer: A,E

Explanation:

To create a remote access strategy for the terminal server users and ensure that the remote users

can access only specific resources on the internal network, you need to configure the Terminal

Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS

RAP) on the server. You also need to configure TS Gateway server to use an appropriate Secure

Sockets Layer (SSL)-compatible X.509 certificate.

TS Gateway allows the connection to internal Terminal servers and RDP-enabled machines from

the outside. For remote clients to successfully connect to internal network resources (computers)

through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be

configured correctly. The TS Gateway server must be configured to use an appropriate Secure

Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be

configured correctly. Terminal Services resource authorization policies (TS RAPs) specify the

internal network resources that clients can connect to through a TS Gateway server.

TS Gateway enables the external vendors to connect to it via SSL, pass a certain authentication

process and policy evaluation, and only if allowed, it passes the RDP traffic to specified internal

machines.

These machines return the required data, and the TS Gateway then encrypts the data with SSL

and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-

based encryption.

Reference : TS Gateway Server Configuration

http://technet.microsoft.com/en-us/library/cc727371.aspx

Reference : Configuring the Windows Server 2008 Terminal Services Gateway (Part 2)

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part2.html

QUESTION NO: 94

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista. The servers on the network have the Terminal

Services role enabled.

The Active Directory has two organizational units (OU) configured. One for all the user accounts

called UserOU and other for all the client computer accounts called ClientsOU.

You have been assigned the task to deploy a new application on the network and ensure that the

users must access the application from an icon on the Start menu. Besides, you need to ensure

that the application is available to remote users when they are offline.

Which of the following options would you choose to accomplish the desired task?

A. Publish the application to users in the ClientsOU as a TS RemoteApp.

B. Assign the application to computers in the UsersOU by using a Group Policy object (GPO).

C. Publish the application to users in the UsersOU by using a Group Policy object (GPO).

D. Assign the application to computers in the ClientsOU by using a Group Policy object (GPO).

E. None of the above

Answer: D

Explanation:

To deploy a new application on the network and ensure that the users must access the application

from an icon on the Start menu, you need to assign the application to computers in the ClientsOU

by using a Group Policy object (GPO).

There are two different ways that you can deploy an application through the Active Directory. You

can either publish the application or you can assign the application. You can only publish

applications to users, but you can assign applications to either users or to computers.

Assigning an application is a group policy action, so the assignment won't take effect until the next

time that the computer is rebooted. When the user does log in, they will see that the new

application has been added to the Start menu and / or to the desktop. The deployment process

actually installs the application rather than just the application's icon.

You need to assign the application to computers in the ClientsOU to link it to the computer rather

than to the user. Assigning an application to a computer also differs from user assignments in that

the deployment process actually installs the application rather than just the application's icon. So

the application is available to users in the ClientsOU even when they are offline.

Reference : Using Group Policy to Deploy Applications

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

QUESTION NO: 95

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network contains five servers that form a Terminal Services server farm on the network. You

have been assigned the task to ensure that the session load is equally distributed between the

servers in a terminal server farm.

Which of the following options would you choose to accomplish the given task?

A. Implement Terminal Services Session Broker (TS Session Broker) feature

B. Use Round-robin DNS Feature

C. Use Terminal Services Gateway (TS Gateway) Feature

D. Implement Network Load Balancing (NLB) Feature

E. Implement TS Session Broker Load Balancing Feature

F. None of the above

Answer: E

Explanation:

To ensure that the session load is equally distributed between the servers in a terminal server

farm, you need to implement TS Session Broker Load Balancing Feature.

Windows Server 2008 includes the new TS Session Broker Load Balancing feature that enables

you to distribute the session load between servers in a load-balanced terminal server farm.

Reference : Terminal Services Session Broker (TS Session Broker)

http://technet.microsoft.com/en-us/library/cc731045.aspx

QUESTION NO: 96

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

Which of the following options would you choose to provide users of the network a collaboration

solution that would allow them to remotely access the files by using a Web browser? They should

be provided full-text indexing of all user content and a secure access to the files by assigning

permissions. Besides, a support for the addition of more Web servers based on company growth

is also available.

Which of the following options would you choose to accomplish the desired task?

A. The Application Server role

B. Microsoft System Center Operations Manager (SCOM)

C. The Web Server role

D. The Terminal Services Server role

E. Microsoft Office SharePoint Server 2007

F. None of the above

Answer: E

Explanation:

To provide users of the network a collaboration solution that meets the given requirements, you

need to use Microsoft Office SharePoint Server 2007.

Microsoft Office SharePoint Server 2007 is a new server program that is part of the 2007 Microsoft

Office system. Your organization can use Office SharePoint Server 2007 to facilitate collaboration,

provide content management features, implement business processes, and supply Microsoft

delivers a best-of-breed collaborative infrastructure that gives end users the tools to easily create

their own workspaces and share assets across teams, departments, and organizations while

maintaining IT control.

In Office SharePoint Server 2007, content management is divided into three categories: document

management, records management, and Web content management.

Collect and validate information by using browser-based forms. When you design form templates

with Office InfoPath 2007 and deploy them to an Office SharePoint Server 2007 site, you can

enable a setting that allows users to fill out forms by using a Web browser. That is because Office

SharePoint Server 2007 employs InfoPath Forms Services technology, which, in addition to

enabling the deployment of browser-based forms, provides a central location to store and manage

form templates for your organization.

When you publish a form template to an Office SharePoint Server 2007 site, you can distribute it

not just on your corporate intranet, but also on external Web sites, such as extranet sites or

corporate Web sites.

Search in Office SharePoint Server 2007 provides new keyword syntax, including support for

implicit industry standards for full text and property-based searching.

Administration of security has also been greatly enhanced. Administrators can create user "roles"

that determine the kind of information that can be viewed by users during a search. This access

control can be broad or granular, as defined by the corporation. All of these tasks are administered

through the Central Administration and SharePoint Services Portal interfaces, making security

administration more usable and efficient.

Reference : Introduction to Microsoft Office SharePoint Server 2007

http://office.microsoft.com/en-us/sharepointserver/HA101732171033.aspx

Reference : Search in Microsoft® Office SharePoint® Server 2007 Evaluation Guide

http://office.microsoft.com/download/afile.aspx?AssetID=AM102140171033

QUESTION NO: 97

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers and the domain controllers in the

domain run Windows Server 2008 and all client computers run Windows XP Service Pack 2.

The network contains 10 servers and 500 client computers. One of the servers has Terminal

Services installed. You have been assigned the task to deploy a new line-of-business application

and enable the desktop themes, which is a requirement of the application.

Your deployment strategy must only allow authorized users to access the application from any

client computer, with minimum changes to the client computers and at minimum software

cost.

Which of the following options would you choose to accomplish the desired task?

A. Upgrade all client computers to Windows Vista.

B. Deploy the Remote Desktop Connection (RDC) 6.0 software to the client computers.

C. Use Group Policy object (GPO) to deploy the application to all client computers.

D. Use Group Policy object (GPO) to deploy the application to the authorized users.

E. Enable the Desktop Experience feature on the terminal server and install the application on the

terminal server.

F. Install the application on the terminal server and implement Terminal Services Session Broker

(TS Session Broker).

Answer: B,E

Explanation:

To deploy a new line-of-business application with given requirements, you need to deploy the

Remote Desktop Connection (RDC) 6.0 software to the client computers. Enable the Desktop

Experience feature on the terminal server. Install the application on the terminal server.

Due to lower maintenance costs, many companies prefer to install their LOB applications on a

terminal server and make these applications available through RemoteApps or Remote Desktop.

Single sign-on makes it possible to give users a better experience by eliminating the need for

users to enter credentials every time they initiate a remote session.

Remote Desktop Connection (RDC) 6.0 and RDC 6.1 reproduce the desktop that exists on the

remote computer on the user's client computer. To make the remote computer look and feel more

like the user's local Windows Vista desktop experience, you can install the Desktop Experience

feature on your Windows Server 2008 terminal server. Desktop Experience installs features of

Windows Vista, such as Windows Media® Player 11, desktop themes, and photo management.

Reference : Terminal Services Core Functionality / Desktop Experience/ Single sign-on

http://technet.microsoft.com/en-us/library/cc753097.aspx#BKMK_RDC

Section 2, Provision data (7 Questions)

QUESTION NO: 98

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain, which is not connected to the Internet. All the servers

in the domain run Windows Server 2008. All client computers, which are laptops, run Windows

Vista.

The network contains a file server. The network users use a shared folder on the server to save

the files that they want to share. Which of the following options would you choose to allow users to

access the shared files from their laptops when they are disconnected from the corporate

network?

A. On the file server configure Background Intelligent Transfer Service (BITS) server extensions.

B. On the file server configure Windows SharePoint Services 3.0.

C. On the file server configure caching on the shared folder.

D. Configure the Distributed File System (DFS) role service on the file server and host the shared

folder through it.

E. None of the above

Answer: C

Explanation:

To allow users to access the shared files from their laptops when they are disconnected from the

corporate network, you need to configure caching on the shared folder.

The caching feature of Shared Folders ensures that users have access to shared files even when

they are working offline with no access to the network.

Reference : Set Caching Options for Shared Folders

http://technet.microsoft.com/en-us/library/cc755136.aspx

QUESTION NO: 99

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista Service Pack 1.

Some employees of the company use laptop computers and work remotely from home. You have

been assigned the task to suggest a data provisioning infrastructure to secure sensitive files on

the network from being accessed by unauthorized remote users.

In your plan you need to ensure that the sensitive files must be stored in an encrypted format and

must be encrypted while they are transmitted over the Internet. They should however be

accessible by remote users over the Internet.

Which of the following options would you choose to accomplish the desired goal?

A. Deploy a Windows SharePoint Services site that can be accessible to remote users by using a

Secure Socket Transmission Protocol (SSTP) connection.

B. Use Encrypting File System (EFS) to encrypt the folders that store sensitive files. Use Secure

Socket Transmission Protocol (SSTP) to allow access to files to remote users.

C. Configure a Network Policy and Access Server (NPAS) to act as a VPN server. Use IPsec

connection to the VPN server to allow access to files to remote users.

D. Deploy two Windows SharePoint Services sites, one site for internal users and other site for

remote users. Publish the SharePoint sites by using HTTPS.

E. None of the above

Answer: B

Explanation:

To ensure that the sensitive files must be stored in an encrypted format and must be encrypted

while they are transmitted over the Internet, you need to store all sensitive files in folders that are

encrypted by using Encrypting File System (EFS). Require remote users to access the files by

using Secure Socket Transmission Protocol (SSTP).

Microsoft EFS allows users to store confidential information on a computer when people who have

physical access to a computer could otherwise compromise that information, intentionally or

unintentionally. EFS is especially useful for securing sensitive data on portable computers or on

computers shared by several users. Another layer of security is added by encrypting sensitive files

by means of EFS.

SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and

Remote Access Server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol

(PPP) packets to be encapsulated over HTTP. This allows for a VPN connection to be more easily

established through a firewall or through a Network Address Translation (NAT) device. Also, this

allows for a VPN connection to be established through an HTTP proxy device.

Reference : Vista and Windows Server 2008 Encryption Broken by Advanced EFS Data Recovery

http://www.securitysoftwarezone.com/vista-and-windows-server-2008-encryption-broken-review968-6.html

Reference : How to configure a Secure Socket Tunneling Protocol (SSTP)-based VPN server

behind a NAT device in Windows Server 2008

http://support.microsoft.com/kb/947032

QUESTION NO: 100

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network contains a server that has the Terminal Services server role installed. The server

runs six custom applications that are configured as Terminal Services RemoteApps on it.

Recently, some of the users have reported that when one of the applications is run by the remote

users, the other applications become unresponsive and the server seems slow. To solve the

problem, you decide to ensure that active user sessions receive equal access to system

resources.

Which of the following options would you choose to accomplish the desired goal?

A. Reliability and Performance Monitor

B. Terminal Services Session Broker

C. Implement Terminal Services Web Access

D. Implement Windows System Resource Manager

E. None of the above

Answer: D

Explanation:

To ensure that active user sessions receive equal access to system resources, you need to

implement Windows System Resource Manager.

Microsoft Windows System Resource Manager (WSRM) provides resource management and

enables the allocation of resources, including processor and memory resources, among multiple

applications based on business priorities. WSRM applies limits to process working set size and

committed memory consumption.

Reference : Windows System Resource Manager Fast Facts

http://www.microsoft.com/windowsserver2003/techinfo/overview/wsrmfastfacts.mspx

QUESTION NO: 101

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

Most of the domain users are mobile and need to log on to the domain from multiple computers.

You have been assigned the task to provide a data provisioning solution that ensures that user

documents are not stored on the local client computer and users must have access to their

Documents folder regardless of the client computer that they use.

In your solution you also need to reduce the log on time to the domain. Which of the following

options would you choose to accomplish the desired task?

A. Logon scripts

B. Roaming user profiles

C. Folder redirection

D. Configure offline files

E. None of the above

Answer: C

Explanation:

To provide a data provisioning solution that ensures that user documents are not stored on the

local client computer and users must have access to their Documents folder regardless of the

client computer that they use, you need to configure folder redirection.

Folder Redirection is a way to place data in a set of folders in the user profiles on the network.

Folder Redirection is a Group Policy setting that allows you to configure a set of special folders,

such as the My Documents folder, from the local computer on to the network. (The My Documents

folder is the location on the Windows 2000 desktop where the user can save their documents and

graphic files.) For example, you can redirect the My Documents folder, usually stored on the

computer's local hard disk, to a network location so that the documents in the folder are available

to that user from any computer on the network.

Reference : Folder Redirection

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dseb_ovr_syul.mspx?mfr=true

QUESTION NO: 102

You are an Enterprise administrator for CertKiller.com. The company has a head office and a

branch office. The corporate network of the company consists of a single Active Directory domain.

The functional level of the domain is Windows Server 2008. All the servers in the domain run

Windows Server 2008 and all client computers run Windows Vista.

For both the head office and the branch office an Active Directory site is available. You have been

assigned the task to deploy file servers in each office and design a file sharing strategy.

Your file sharing strategy should ensure that the users in both offices must be able to access the

same files using the same Universal Naming Convention (UNC) path to access files. Your design

must ensure that a minimum amount of bandwidth is used to access files and that files remain

available even if a server fails.

Which of the following options would you choose to accomplish the desired goal?

A. A multi-site failover cluster having one of the servers located in the head office and the other

located in the branch office.

B. A stand-alone DFS namespace that uses replication.

C. A domain-based DFS namespace that uses replication.

D. A Network Load Balancing cluster having one of the servers located in the head office and the

other located in the branch office.

E. None of the above

Answer: C

Explanation:

To deploy file servers in each office and design a file sharing strategy with given requirements,

you need to deploy a domain-based DFS namespace that uses replication.

The domain based namespaces require all servers to be members of an Active Directory domain.

These types of environments support automatic synchronization of DFS targets. The namespace

root namespace is based on a combination of the server's NetBIOS name and a root name, and is

listed in the DNS.

In a domain environment, a server is capable of hosting multiple DFS roots. Using multiple replicas

provides you with a degree of scalability. Rather than having every user in your organization

access their files from the same server, you can distribute the user workload across multiple DFS

replicas rather than overburdening a single server.

Another reason for having multiple DFS replicas is because doing so provides you with a degree

of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you

against network link failures.

Reference : Planning a DFS Architecture, Part 1, Planning a DFS Architecture, Part 2 / Domain-Based Namespaces

http://www.petri.co.il/planning-dfs-architecture-part-one.htm

QUESTION NO: 103

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

You have been assigned the task to ensure that all the users of the company can access their

Documents folder regardless of the client computer that they use.

Which of the following options would you choose to accomplish the desired task?

A. Logon scripts

B. Folder redirection

C. Configure offline files

D. Local User profiles

E. None of the above

Answer: B

Explanation:

To provide a data provisioning solution that ensures that user documents are not stored on the

local client computer and users must have access to their Documents folder regardless of the

client computer that they use, you need to configure folder redirection.

Folder Redirection is a way to place data in a set of folders in the user profiles on the network.

Folder Redirection is a Group Policy setting that allows you to configure a set of special folders,

such as the My Documents folder, from the local computer on to the network. (The My Documents

folder is the location on the Windows 2000 desktop where the user can save their documents and

graphic files.) For example, you can redirect the My Documents folder, usually stored on the

computer's local hard disk, to a network location so that the documents in the folder are available

to that user from any computer on the network.

Reference : Folder Redirection

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dseb_ovr_syul.mspx?mfr=true

QUESTION NO: 104

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network is not connected to the Internet. The network contains a file server that contains a

shared folder in which remote network users save files.

Which of the following options would you choose to design a data provisioning solution that ensures

that only authorized remote users who are not connected to the corporate network must be able to

access the files and the folders in the corporate network? (Select two. Each correct answer will

present a part of the solution.)

A. Configure caching on the shared folder

B. Configure offline files to use encryption.

C. Implement a certification authority (CA)

D. Configure Encrypting File System (EFS) for the drive that hosts the files.

E. Configure IPsec domain isolation

F. Implement Windows SharePoint Services 3.0.

G. Enable Secure Socket Layer (SSL) encryption

Answer: A,B

Explanation:

To design a data provisioning solution that ensures that only authorized remote users who are not

connected to the corporate network must be able to access the files and the folders in the

corporate network, you need to configure caching on the shared folder.

The caching feature of Shared Folders ensures that users have access to shared files even when

they are working offline with no access to the network.

Next you need to configure offline files to use encryption, so that only authorized users can access

the files on the shared folder.

Reference : Set Caching Options for Shared Folders

http://technet.microsoft.com/en-us/library/cc755136.aspx

QUESTION NO: 105

You are an Enterprise administrator for CertKiller.com. The company has a head office and a

branch office. All the servers in the network run Windows Server 2008 and all client computers run

Windows Vista. Each office has a domain controller and file servers.

You have been asked to plan the deployment of Distributed File System (DFS) on the network and

ensure that users can access the data locally and are allowed to see only the folders to which they

have access permissions. You also need to ensure the use of minimum bandwidth during data

replication.

Which of the following options would you choose to accomplish the desired task?

A. A stand-alone DFS namespace that uses DFS replication and has access-based enumeration

enabled

B. A stand-alone DFS namespace that uses File Replication Service (FRS) and has access-

based enumeration enabled

C. A domain-based DFS namespace that uses File Replication Service (FRS) and modify each

share to be a hidden share

D. A domain-based DFS namespace that uses DFS replication and modify each share to be a

hidden share

E. None of the above

Answer: A

Explanation:

To plan the deployment of Distributed File System (DFS) on the network and ensure that users

can access the data locally and are allowed to see only the folders to which they have access

permissions, you need to deploy a stand-alone DFS namespace that has access-based

enumeration enabled.

Rather than having every user in your organization access their files from the same server, you

can distribute the user workload across multiple DFS replicas rather than overburdening a single

server.

Standalone namespaces do allow you to use multiple folder targets for fault tolerance purposes. In

case you are not familiar with folder targets, the basic idea is that each folder target typically hosts

a replica of the data that's associated with a DFS folder. Using multiple folder targets allows you to

achieve a degree of fault tolerance, and offers better performance than if the data were only stored

in a single location.

Domain-based DFS namespace requires an Active Directory domain, which is not available here.

Access-based enumeration allows users to see only files and folders on a file server to which they

have permission to access. This feature is not enabled by default for namespaces (though it is

enabled by default on newly-created shared folders in Windows Server 2008), and is only

supported in a DFS namespace when the namespace is a standalone namespace hosted on a

computer running Windows Server 2008, or a domain-based namespace by using the Windows

Server 2008 mode.

Reference : Planning a DFS Architecture, Part 2

http://www.petri.co.il/planning-dfs-architecture-part-two.htm

Reference : Distributed File System

http://technet.microsoft.com/en-us/library/cc753479.aspx

QUESTION NO: 106

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of servers that run Windows Server 2008 and client computers that run Windows Vista.

You have been asked to design a storage strategy so that a distributed database application can

be deployed on the network that runs on multiple servers. While designing the storage strategy, you

need to ensure that you use existing network infrastructure and standard Windows management

tools.

You also need to ensure that the storage space is allocated to servers as and when required and

that the data is available if a single disk fails. Which of the following options would you choose to

accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)

A. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).

B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.

C. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O.

D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS).

E. Configure the storage subsystem as a RAID 5 array.

F. Configure the storage subsystem as a RAID 0 array.

Answer: D,E

Explanation:

To design a storage strategy so that a distributed database application can be deployed on the

network that runs on multiple servers with given requirements, you need to deploy an iSCSI disk

storage subsystem that supports Virtual Disk Service (VDS) and configure the storage subsystem

as a RAID 5 array.

Microsoft iSCSI Software Target option enables you to implement an iSCSI SAN with storage

provisioning and management capabilities. Managed via the Microsoft Management Console,

administrators can create and manage iSCSI targets and iSCSI virtual disks, as well as schedule,

export, and locally mount snapshots for use in backup and recovery operations.

An iSCSI disk storage subsystem supports Virtual Disk Service (VDS) and Microsoft Multipath I/O.

Virtual Disk Service (VDS) is a Windows service for managing volumes. Administrators now have

a single interface that works with different vendors, if that vendor supplies a VDS hardware

provider for their networked storage device. This same interface also works with directly attached

storage, providing a unified view of all disks and volumes, regardless of being connected via SCSI,

Fibre Channel, iSCSI or PCI RAID. VDS exposes the complex functionality provided by these

storage hardware vendors and scales up to enterprise configurations.

Multipath I/O cannot be used because it only provides the ability to use more than one physical path to

access a storage device, providing improved system reliability and availability via fault tolerance

and/or load balancing of the I/O traffic.

RAID 5 is the most powerful form of RAID that can be found in a desktop computer system. It

provides increased storage array performance and full data redundancy. RAID 0 cannot be used

because it is the lowest designated level of RAID. It is actually not a valid type of RAID. It was

given the designation of level 0 because it fails to provide any level of redundancy for the data

stored in the array. Thus, if one of the drives fails, all the data is damaged.

Reference : The Basics of the Virtual Disk Services (VDS)

http://blogs.technet.com/josebda/archive/2007/10/25/the-basics-of-the-virtual-disk-services-vds.aspx

Reference : What is RAID?

http://compreviews.about.com/od/storage/l/aaRAIDPage1.htm

QUESTION NO: 107

You are an Enterprise administrator for CertKiller.com. The company has a head office and two

branch offices that connect with each other by using a WAN link. The corporate network of the

company consists of a single Active Directory domain.

All the servers in the domain run Windows Server 2008 and all client computers run Windows

Vista. Each office contains a file server and the office users use the local file server to store data

on it. The users also have access to data from the other offices.

You have been assigned the task to plan a data access solution and ensure that folders that are

stored on the file servers must be available to users in both offices and users must be able to

access all files even when the WAN link fails. In addition, network bandwidth usage between

offices must be minimized.

Which of the following options would you choose to accomplish the desired goal?

A. Implement Distributed File System Replication (DFSR) on the file servers in both the offices.

B. On one of the servers, configure Distributed File System (DFS) and on the other, configure the

Background Intelligent Transfer Service (BITS).

C. Configure File Server Resource Manager (FSRM) and File Replication Service (FRS) on both

the servers

D. On one of the servers, configure File Server Resource Manager (FSRM) and on the other

configure File Replication Service (FRS).

E. None of the above

Answer: A

Explanation:

To plan a data access solution and ensure that folders that are stored on the file servers must be

available to users in both offices and users must be able to access all files even when the WAN

link fails, you need to implement Distributed File System Replication (DFSR) on the file servers in

both the offices.

Rather than having every user in your organization access their files from the same server, you

can distribute the user workload across multiple DFS replicas rather than overburdening a single

server.

DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders

synchronized between servers across limited bandwidth network connections. It replaces the File

Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for

replicating the SYSVOL folder in domains that use the Windows Server 2008 domain functional

level.

DFS Replication service has a totally revamped replication engine that uses a new replication

algorithm called Remote Differential Compression (RDC). This new algorithm replicates only the

changes to files and not the files themselves, which means that DFS now works much better over

slow WAN links than before. In addition, the new replication engine supports bandwidth throttling

and replication scheduling, plus it operates on a multimaster replication model.

Reference : Distributed File System

http://technet.microsoft.com/en-us/library/cc753479.aspx

Reference : Top Reasons to Deploy Distributed File Services in Windows Server 2003 R2

http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/topdeploy.mspx

QUESTION NO: 108

You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows

Server 2008 and all client computers run Windows Vista.

The network contains a Microsoft SQL Server 2005 that has two RAID 1 arrays and one RAID 5

array configured.

You have been assigned the task to allocate hard disk space on the server and ensure maximum

performance of the SQL Server application and minimum loss of write performance if a hard disk

drive fails. You also need to prevent the loss of data if a single hard disk drive fails.

Which of the following options would you choose to achieve the desired goal?

A. Use RAID 1 arrays to place OS files and SQL database files and RAID 5 array to place SQL

transaction logs

B. Use RAID 5 array to place types of files.

C. Use RAID 1 arrays to place OS files and SQL transaction logs and RAID 5 array to place SQL

database files

D. Use RAID 5 arrays to place OS files and RAID 5 array to place SQL transaction logs and SQL

database files.

E. None of the above

Answer: C

Explanation:

To allocate hard disk space on the server and meet other requirements, you need to place the

operating system files on one of the RAID 1 arrays. Place the SQL transaction logs on the other

RAID 1 array and place the SQL database files on the RAID 5 array.

RAID version 1 was the first real implementation of RAID. It provides a simple form of redundancy

for data through a process called mirroring. This form typically requires two individual drives of

similar capacity. One drive is the active drive and the secondary drive is the mirror. When data is

written to the active drive, the same data is written to the mirror drive.

This provides a full level of redundancy for the data on the system. If one of the drives fails, the

other drive still has all the data that existed in the system. It is the best place for OS files because it

provides full redundancy of data. It does not increase performance; therefore, it is not fit to store

SQL database files.

For SQL database files you should use RAID 5 array because it is the most powerful form of RAID

that can be found in a desktop computer system. This method uses a form of striping with parity to

maintain data redundancy. The parity bit shifts between the drives to increase the performance

and reliability of the data. The drive array will still have increased performance over a single drive

because the multiple drives can write the data faster than a single drive. The data is also fully

redundant because of the parity bits. In the case of drive 2 failing, the data can be rebuilt based on

the data and parity bits on the two remaining drives. Data capacity is reduced due to the parity

data blocks.

Reference : What is RAID?

http://compreviews.about.com/od/storage/l/aaRAIDPage1.htm

QUESTION NO: 109

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The company has recently merged with a partner company called TechKing.com and started using

a Windows Server 2008 server of that company called TechKingServer1. The server has five

internal SCSI hard disks that are connected to an onboard SCSI controller.

You have planned to deploy TechKingServer1 as a file server and place it in your company's

premises. You have to now plan for a storage strategy that ensures that the user data is physically

separated from the operating system data and maximum disk space is available for the data

storage.

You also need to ensure that if a disk fails, the integrity of the data is maintained on the server and

the operating system server can start successfully. To achieve this, you only want to use the

hardware that is available on the server.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the answer)

A. Allocate three disks to a single RAID 5 volume for the user data.

B. Allocate four disks to a single RAID 5 volume for the user data.

C. Allocate three disks to a striped volume for the user data.

D. Allocate two disks to a mirrored volume for the operating system data.

E. Allocate one disk to a simple volume for the operating system data.

F. Allocate three disks to a mirrored volume for the operating system data.

G. Allocate all the disks to a single RAID 5 volume for the user data and for the operating system

data.

Answer: A,D

Explanation:

To ensure that if a disk fails, the integrity of the data is maintained on the server and the operating

system server can start successfully, you need to allocate three disks to a single RAID 5 volume

for the user data and allocate two disks to a mirrored volume for the operating system data.

Two disks to a mirrored volume for the operating system data are created using RAID version 1,

which is the first real implementation of RAID. It provides a simple form of redundancy for data

through a process called mirroring. This form typically requires two individual drives of similar

capacity. One drive is the active drive and the secondary drive is the mirror. When data is written

to the active drive, the same data is written to the mirror drive.

This provides a full level of redundancy for the data on the system. If one of the drives fails, the

other drive still has all the data that existed in the system. It is the best place for OS files because it

provides full redundancy of data.

A single RAID 5 volume for the user data is best because it is the most powerful form of RAID that

can be found in a desktop computer system. This method uses a form of striping with parity to

maintain data redundancy. The parity bit shifts between the drives to increase the performance

and reliability of the data. A minimum of three drives is required to build a RAID 5 array and they

should be identical drives for the best performance. The drive array will still have increased

performance over a single drive because the multiple drives can write the data faster than a single

drive. The data is also fully redundant because of the parity bits. In the case of drive 2 failing, the

data can be rebuilt based on the data and parity bits on the two remaining drives. Data capacity is

reduced due to the parity data blocks.

Reference : What is RAID?

http://compreviews.about.com/od/storage/l/aaRAIDPage1.htm

Reference : Planning the Layout and RAID Level of Volumes

http://technet.microsoft.com/en-us/library/cc786889.aspx

QUESTION NO: 110

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows XP Service Pack 1.

You have been assigned the task to plan the deployment of Distributed File System (DFS) to

provide redundancy in the event that a single server fails at the minimum cost. You also need to

ensure that the client computers reconnect to their preferred server after a server failure is

resolved.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the answer)

A. Upgrade all client computers to Windows XP Service Pack 2.

B. Upgrade all client computers to Windows Vista.

C. Implement a stand-alone DFS namespace, create folders, add multiple targets, and enable the

clients fail back to preferred targets option.

D. Implement a domain-based DFS namespace, add a second namespace server, and enable the

clients fail back to preferred targets option.

Answer: A,D

Explanation:

To plan the deployment of Distributed File System (DFS) with the given requirements, you need to

upgrade all client computers to Windows XP Service Pack 2 to use DFS and implement a domain-

based DFS namespace. You need to then add a second namespace server and enable the

Clients fail back to preferred targets option.

Rather than having every user in your organization access their files from the same server, you

can distribute the user workload across multiple DFS replicas rather than overburdening a single

server. Domain-based namespaces should be used here because domain-based namespaces

require all servers to be members of an Active Directory domain. The DFS supports automatic

synchronization of DFS targets. In a domain environment, a server is capable of hosting multiple

DFS roots that provide you with a degree of scalability.

Another reason for having multiple DFS replicas is because doing so provides you with a degree

of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you

against network link failures.

You should add a second namespace server and enable the Clients fail back to preferred targets

option to ensure a client failback on the namespace (or on specific folders in your namespace).

So, when the failed target comes back online the client will fail back to that target as its preferred

target.

If your WAN links are unreliable, you might find your clients frequently accessing different targets

for the same folder. This can be a problem, for by default, DFS caches referrals for a period of

time (300 seconds or 5 minutes) so if a target server suddenly goes down the client will keep

trying to connect to the target and give an error instead of making the resource available to the

client from a different target. To prevent this from happening (especially non-optimal targets), you

can configure a client failback to preferred targets option on the namespace.

Reference : Configuring DFS Namespaces

http://www.windowsnetworking.com/articles_tutorials/Configuring-DFS-Namespaces.html

Reference : Planning a DFS Architecture, Part 1/ Planning a DFS Architecture, Part 2 / Domain-

Based Namespaces

http://www.petri.co.il/planning-dfs-architecture-part-one.htm

QUESTION NO: 111

You are an Enterprise administrator for CertKiller.com. All the servers on the network run Windows

Server 2008 and all client computers run Windows Vista.

You have been asked to deploy a distributed database application on a Windows Server 2008

server and design a storage strategy that allocates storage space to servers as required, isolates

storage traffic from the existing network, and ensures that data is available if a single disk or a

single storage controller fails.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the answer)

A. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).

B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.

C. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O.

D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS).

E. Configure the storage subsystem as a RAID 5 array.

F. Configure the storage subsystem as a RAID 0 array.

Answer: B,E

Explanation:

To deploy a distributed database application on a Windows Server 2008 server and design a

storage strategy with given requirements, you need to implement a Fibre Channel (FC) disk

storage subsystem that uses Microsoft Multipath I/O and configure a RAID 5 array.

Fibre Channel (FC) technology uses FC switches between servers and storage to create a

Storage Area Network (SAN). The connectivity the switches provide allows the connection of more

than one server to a storage system. This reduces the number of storage systems required. This

would allow a distributed database application to run on multiple servers with a storage strategy that

allocates storage space to servers as required.

Multipath I/O (MPIO) is a feature that provides support for using multiple data paths to a storage

device. Multipathing increases availability by providing multiple paths (path failover) from a server

or cluster to a storage subsystem.

If a server supports Microsoft Multipath I/O (MPIO), Storage Manager for SANs can provide path

failover by enabling multiple ports on the server for LUN I/O traffic. To prevent data loss in a Fibre

Channel environment, make sure that the server supports MPIO before enabling multiple ports.

(On an iSCSI subsystem, this is not needed: the Microsoft iSCSI initiator (version 2.0) that is

installed on the server supports MPIO.)

Reference : Support for Multipath I/O

http://technet.microsoft.com/en-us/library/cc771719.aspx

Reference : Using Fibre Channel to Reduce SCSI Storage Costs

http://dothill.com/assets/pdfs/storage_costs.pdf

QUESTION NO: 112

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest. All the servers in the domain run Windows Server 2008

and all client computers run Windows Vista.

The network contains a server that has the File Server role installed. The company has a few

users who use portable computers that run Windows Vista Business Edition. These users

sometimes access the corporate network from the remote locations.

You have been asked to design a data storage solution that ensures that remote users are able to

choose the documents that will be available when they are away from the network. You also need

to ensure that users need to store only a minimum number of documents on their portable

computers and that the time that users take to log in to the network is reduced.

Which of the following options would you choose to accomplish the desired task? (Select two.

Each correct answer will present a part of the answer)

A. Configure offline files

B. Deploy roaming profiles

C. Use local profiles

D. Implement folder redirection.

E. Enable automatic caching.

F. Enable manual caching.

Answer: A,F

Explanation:

To design a data storage solution that ensures that remote users are able to choose the

documents that will be available when they are away from the network, configure offline files and

enable manual caching.

Offline Files allows you to keep using network files, folders, and applications when disconnected

from the network. The biggest beneficiaries of the Offline Files feature are users of mobile

computers who frequently connect and disconnect from the network to use their computers at

home or on the road. Now mobile users can be assured that they are working with the most up-to-

date versions of network files, navigate through mapped network drives even when disconnected,

and easily synchronize changes with the network when they plug back into the network.

With the Manual Caching For Documents option, the only documents that will be cached are those that

the user specifically designates to be available offline.

The Automatic Caching For Documents option cannot be used because with this option, when a user

opens a file in this shared folder, it will be automatically downloaded and made available offline

without the user specifying that it be an offline file. Older copies of a file will be deleted

automatically to make room for files that have been accessed more recently. With this option, a file

that the user has not opened while online will not be available offline.

Reference : Using Offline Files in Windows 2000

http://articles.techrepublic.com.com/5100-10878_11-5031596.html

Section 2, Plan high availability (10 Questions)

QUESTION NO: 113

You are an Enterprise administrator for CertKiller.com. All the servers on the network run either

Windows Server 2008 or Windows Server 2003 servers and all client computers run Windows

Vista.

The network contains a Windows Server 2003 server that runs a Web-based application called

WebApp1. You have been assigned the task to migrate the Web-based application to Windows

Server 2008.

To migrate the WebApp1, you need to prepare the server for the application. The server must

support the installation of .NET applications and the server configuration must ensure that the

application is available to all users if a single server fails at the minimum software cost? (Select

two. Each correct answer will present a part of the answer)

A. Install the full installation of Windows Server 2008 Datacenter Edition on two servers.

B. Install the Server Core installation of Windows Server 2008 Standard Edition on two servers.

C. Install the full installation of Windows Server 2008 Enterprise Edition on two servers.

D. Install the full installation of Windows Server 2008 Web Edition on two servers.

E. Configure the servers in a failover cluster.

F. Configure the servers in a Network Load Balancing cluster.

G. None of the above

Answer: D,F

Explanation:

To migrate the Web-based application to Windows Server 2008, you need to install the full

installation of Windows Server 2008 Web Edition on two servers. Configure the servers in a

Network Load Balancing cluster.

Network load balancing is native to all editions of Windows Server 2008. Unlike failover clustering,

NLB does not require any special hardware.

Network load balancing (NLB), Windows Server 2008's other high-availability alternative, enables

an organization to scale server and application performance by distributing TCP/IP requests to

multiple servers, also known as hosts, within a server farm. This scenario optimizes resource

utilization, decreases computing time and ensures server availability. Typically, service providers

should consider network load balancing if their customer situation includes, but is not limited to,

Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access

servers.

Reference : Failover clustering, network load balancing drive high availability

http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION NO: 114

You are an Enterprise administrator for CertKiller.com. The company has a head office and a

branch office that connect with each other by using WAN links. The corporate network of the

company consists of a single Active Directory domain and an Active Directory site exists for each

office.

All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers

run Windows Vista. You have been assigned the task to deploy a failover cluster solution to

service users in both offices.

Your failover cluster solution must use the minimum number of servers and ensure the availability

of services if a single server fails.

Which of the following options would you choose to accomplish the desired goal?

A. Deploy a failover cluster that contains two nodes in each office, head office and branch office.

B. Deploy a failover cluster that contains two nodes in the head office.

C. Deploy a failover cluster that contains one node in the head office.

D. Deploy a failover cluster that contains one node in each office, head office and branch office.

E. None of the above

Answer: D

Explanation:

To deploy a failover cluster solution to service users in both offices, you need to deploy a failover

cluster that contains one node in each office, head office and branch office.

Windows Server 2008 supports the shared-nothing cluster model, in which two or more

independent servers, or nodes, share resources; each server owns and is responsible for

managing its local resources and provides nonsharing services. In case of a node failure, the

disks, resources and services running on the failed node fail over to a surviving node in the

cluster. For example, if an Exchange server is operating on node 1 of the cluster and it crashes,

the Exchange application and services will automatically fail over to node 2 of the cluster. This

model minimizes server outage and downtime. Only one node manages one particular set of

disks, cluster resources and services at any given time.

Reference : Failover clustering, network load balancing drive high availability

http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION NO: 115

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and use internal storage only and all client computers run Windows Vista.

You have been assigned the task to deploy a six node cluster on the network. You need to ensure

that the cluster services are available even if two nodes of the cluster fail.

Which of the following features would you deploy to accomplish the desired task?

A. Terminal Services RemoteApp (TS RemoteApp)

B. Failover cluster that uses Node and File Share Disk Majority

C. Distributed File System (DFS) that uses replication

D. Failover cluster that uses No Majority: Disk Only

E. None of the above

Answer: B

Explanation:

To ensure that the cluster services are available even if three nodes of the cluster fail, you need to

deploy a failover cluster that uses Node and File Share Disk Majority.

The quorum configuration in a failover cluster determines the number of failures that the cluster

can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in

this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the

cluster configuration) or witness file share. It is essential that the cluster stop running if too many

failures occur or if there is a problem with communication between the cluster nodes.

Node and Disk Majority (recommended for clusters with an even number of nodes) can sustain

failures of half the nodes (rounding up) if the witness disk remains online and can sustain failures

of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a

six node cluster with a failed witness disk could sustain two (3-1=2) node failures.

Reference : Understanding Quorum Configurations in a Failover Cluster

http://technet.microsoft.com/en-us/library/cc731739.aspx

QUESTION NO: 116

Exhibit:

You are an Enterprise administrator for CertKiller.com. The company has a head office and four

branch offices. The corporate network of the company consists of a single Active Directory

domain. All the servers in the domain run Windows Server 2008 and all client computers run

Windows Vista.

Your network is configured as shown in the following diagram. Each office contains a File Server

that has a shared folder called SharedData.

You have been assigned the task to ensure the data availability of the SharedData folder in all of

the offices when a WAN link fails or a single server fails. You also need to ensure that users

can continue to use existing drive mappings if a WAN link or a server fails, and that network

traffic over the WAN links is kept to a minimum.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the answer)

A. Stand-alone DFS namespace

B. Domain-based DFS namespace

C. Having DFS Replication in a hub and spoke topology

D. Having DFS Replication in a full mesh topology

Answer: B,C

Explanation:

To ensure the data availability of the SharedData folder in all of the offices when a WAN link fails

or a single server fails, you need to implement a domain-based DFS namespace that uses DFS

Replication in a hub and spoke topology.

Domain based namespaces require all servers to be members of an Active Directory domain.

These types of environments support automatic synchronization of DFS targets. In a domain

environment, a server is capable of hosting multiple DFS roots. It allows you to distribute the user

workload across multiple DFS replicas rather than over burdening a single server. In case a single

server fails the other servers can take over.

Two pre-defined topologies can be selected for DFS Replication. In this scenario DFS Replication

in a hub and spoke topology should be used. In this topology every spoke member replicates with

the hub member, and if desired you can add a second hub member for fault tolerance (the two hub

members replicate with each other).

The hub and spoke topology is particularly useful for enterprises that have large headquarters

where the company's permanent IT staff are located and multiple small branch offices with little or

no on-site IT staff present.

Full Mesh topology cannot be used because it will cause too much network traffic. This is because

every member of the replication group replicates with every other member of the group. The full

mesh topology is useful mainly in large LAN environments where all subnets have high speed

connectivity and you are using DFS Namespaces together with

DFS Replication to provide fault-tolerant shared file resources to users.

Reference : Planning a DFS Architecture, Part 1 / Planning a DFS Architecture, Part 2 / Domain-Based Namespaces

http://www.petri.co.il/planning-dfs-architecture-part-one.htm

Reference : Configuring and Using DFS Replication

http://www.windowsnetworking.com/articles_tutorials/Configuring-Using-DFS-Replication.html

QUESTION NO: 117

You are an Enterprise administrator for CertKiller.com. The company has a head office and a

branch office that connect with each other by using WAN links. The corporate network of the

company consists of a single Active Directory domain and an Active Directory site exists for each

office.

All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers

run Windows Vista.

You have been assigned the task to deploy a failover cluster solution to service users in both

offices. The cluster must maintain the availability of services using the minimum number of servers

when a single server fails.

Which of the following options would you choose to accomplish the desired task?

A. Deploy a failover cluster that contains two nodes in each office, head office and branch office.

B. Deploy a failover cluster that contains two nodes in the head office.

C. Deploy a failover cluster that contains one node in the head office.

D. Deploy a failover cluster that contains one node in each office, head office and branch office.

E. None of the above

Answer: D

Explanation:

To deploy a failover cluster solution to service users in both offices and maintain the availability of

services using the minimum number of servers when a single server fails, you need to deploy a

failover cluster that contains one node in each office, head office and branch office.

Windows Server 2008 supports the shared-nothing cluster model, in which two or more

independent servers, or nodes, share resources; each server owns and is responsible for

managing its local resources and provides nonsharing services.

In case of a node failure, the disks, resources, and services running on the failed node fail over to

a surviving node in the cluster. For example, if an Exchange server is operating on node 1 of the

cluster and it crashes, the Exchange application and services will automatically fail over to node 2

of the cluster. This model minimizes server outage and downtime. Only one node manages one

particular set of disks, cluster resources and services at any given time.

Reference: Failover clustering, network load balancing drive high availability

http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION NO: 118

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain.

The network contains two DHCP servers called CertKillerDHCP1 and CertKillerDHCP2 and 500

DHCP client computers that are located on a single subnet. A router that has a single IP address

on the internal interface separates the internal network from the Internet.

CertKillerDHCP1 server is configured with:

Starting IP address: 172.16.0.1

Ending IP address: 172.16.3.254

Subnet mask: 255.255.248.0

Which of the following options would you choose to provide a fault-tolerant DHCP infrastructure for

the company that supports the client computers on the internal network? You need to configure

DHCP2 to ensure that all client computers are able to obtain a valid IP address if a DHCP

server fails.

A. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address

of 172.17.0.1 and an ending IP address of 172.17.255.254.

B. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address

of 172.16.0.1 and an ending IP address of 172.16.15.254.

C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address

of 172.16.8.1 and an ending IP address of 172.16.15.254.

D. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address

of 172.16.4.1 and an ending IP address of 172.16.7.254.

E. None of the above

Answer: D

Explanation:

The subnet mask 255.255.248.0 means a /21 subnet. For load balancing, DHCP2 must be

configured on the same network; therefore, you need to select answer D

where the subnet is 172.16.0.0/21.

The /21 network can contain IP address range from 172.16.0.1 to 172.16.7.255, which means

2048 total hosts can be configured. DHCP1 already contains the IP address range from

172.16.0.1 to 172.16.3.254 to serve 500 hosts.

In case of the failure of DHCP1, another IP address range is required for the 500 computers that

the network has. Therefore DHCP2 can contain the range of 172.16.4.1 to 172.16.7.254.

Reference : Subnet Addressing

http://www.networkcomputing.com/unixworld/tutorial/001.html

Reference : Effects of Subnetting a Class B Network

http://www.weird.com/~woods/classb.html

QUESTION NO: 119

You are an Enterprise administrator for CertKiller.com. The network of your company contains

4,000 client computers located on a single subnet and two DHCP servers. The DHCP servers are

named DHCP1 and DHCP2. A router that has a single IP address on the internal interface

separates the internal network from the Internet.

DHCP1 has the following scope information.

Starting IP address: 172.16.0.1

Ending IP address: 172.16.15.255

Subnet mask: 255.255.224.0

You need to configure DHCP2 in such a way that the network gets a fault-tolerant DHCP

infrastructure and all client computers are able to obtain a valid IP address if a DHCP server

fails.

Which of the following options would you choose to configure the DHCP2?

A. Create a scope for the subnet 172.16.8.0/19. Configure the scope to use a starting IP address

of 172.16.16.1 and an ending IP address of 172.16.31.254.

B. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address

of 172.16.0.1 and an ending IP address of 172.16.15.254.

C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address

of 172.16.8.1 and an ending IP address of 172.16.15.254.

D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address

of 172.17.0.1 and an ending IP address of 172.17.255.254.

E. None of the above

Answer: A

Explanation:

The subnet mask 255.255.224.0 means a /19 subnet. For load balancing, DHCP2 must be

configured on the same network; therefore, you need to select answer A

where the subnet is 172.16.0.0/19.

The /19 network can contain IP address range from 172.16.0.1 to 172.16.31.255, which means

8190 total hosts can be configured. DHCP1 already contains the IP address range from

172.16.0.1 to 172.16.15.255 to serve 4000 hosts.

In case of the failure of DHCP1, another IP address range is required for the 4000 computers that

the network has. Therefore DHCP2 can contain the range of 172.16.16.1 to 172.16.31.254.

Reference : Subnet Addressing

http://www.networkcomputing.com/unixworld/tutorial/001.html

Reference : Effects of Subnetting a Class B Network

http://www.weird.com/~woods/classb.html

QUESTION NO: 120

You are an Enterprise administrator for CertKiller.com. Which of the following options would you

choose to configure a fault-tolerant DHCP infrastructure in your company where two DHCP

servers exist? You need to ensure that all client computers are able to obtain a valid IP address if

a single DHCP server fails. The corporate network of the company contains 1,000 DHCP client

computers that are located on a single subnet.

The DHCP servers are named CertKillerDHCP1 and CertKillerDHCP2. A router having a single

IP address on the internal interface is also configured on the corporate network to separate the

internal network from the Internet.

CertKillerDHCP1 is configured with the following scope information.

Starting IP address: 172.16.0.1

Ending IP address: 172.16.7.255

Subnet mask: 255.255.240.0

How should you configure CertKillerDHCP2?

A. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address

of 172.16.8.1 and an ending IP address of 172.16.15.254.

B. Create a scope for the subnet 172.16.8.0/21. Configure the scope to use a starting IP address

of 172.16.8.1 and an ending IP address of 172.16.10.254.

C. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address

of 172.16.0.1 and an ending IP address of 172.16.15.254.

D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address

of 172.17.0.1 and an ending IP address of 172.17.255.254.

E. None of the above

Answer: A

Explanation:

The subnet mask 255.255.240.0 means a /20 subnet. For load balancing, DHCP2 must be

configured on the same network; therefore, you need to select answer A

where the subnet is 172.16.0.0/20.

The /20 network can contain IP address range from 172.16.0.1 to 172.16.15.255, which means

4000 total hosts can be configured. DHCP1 already contains the IP address range from

172.16.0.1 to 172.16.7.255 to serve 1000 hosts.

In case of the failure of DHCP1, another IP address range is required for the 1000 computers that

the network has. Therefore DHCP2 can contain the range of 172.16.8.1 to 172.16.15.254.

Reference : Subnet Addressing

http://www.networkcomputing.com/unixworld/tutorial/001.html

Reference : Effects of Subnetting a Class B Network

http://www.weird.com/~woods/classb.html
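
The scope checks behind Questions 118 to 120, written out as an added example that is not part of the original practice test. The function names are hypothetical, and the rules it applies (DHCP2's scope must sit on the clients' subnet, must not overlap DHCP1's range, and must be large enough for every client on its own) are the reading of the explanations above that this example assumes.

```python
import ipaddress

# Scenario data copied from Questions 118-120 on this page.
QUESTIONS = {
    118: {"mask": "255.255.248.0", "clients": 500,
          "dhcp1": ("172.16.0.1", "172.16.3.254"),
          "options": {
              "A": ("172.17.0.0/16", ("172.17.0.1", "172.17.255.254")),
              "B": ("172.16.0.0/20", ("172.16.0.1", "172.16.15.254")),
              "C": ("172.16.0.0/20", ("172.16.8.1", "172.16.15.254")),
              "D": ("172.16.0.0/21", ("172.16.4.1", "172.16.7.254"))}},
    119: {"mask": "255.255.224.0", "clients": 4000,
          "dhcp1": ("172.16.0.1", "172.16.15.255"),
          "options": {
              "A": ("172.16.8.0/19", ("172.16.16.1", "172.16.31.254")),
              "B": ("172.16.0.0/21", ("172.16.0.1", "172.16.15.254")),
              "C": ("172.16.0.0/20", ("172.16.8.1", "172.16.15.254")),
              "D": ("172.17.0.0/16", ("172.17.0.1", "172.17.255.254"))}},
    120: {"mask": "255.255.240.0", "clients": 1000,
          "dhcp1": ("172.16.0.1", "172.16.7.255"),
          "options": {
              "A": ("172.16.0.0/20", ("172.16.8.1", "172.16.15.254")),
              "B": ("172.16.8.0/21", ("172.16.8.1", "172.16.10.254")),
              "C": ("172.16.0.0/21", ("172.16.0.1", "172.16.15.254")),
              "D": ("172.17.0.0/16", ("172.17.0.1", "172.17.255.254"))}},
}


def check_split_scope(dhcp1_mask, dhcp1_range, dhcp2_subnet, dhcp2_range, clients):
    """Return the problems with DHCP2's proposed scope (empty list = usable)."""
    s1, e1 = (ipaddress.ip_address(a) for a in dhcp1_range)
    s2, e2 = (ipaddress.ip_address(a) for a in dhcp2_range)

    # The subnet the clients and the router interface actually live on,
    # derived from DHCP1's existing scope and dotted mask.
    live = ipaddress.ip_network(f"{s1}/{dhcp1_mask}", strict=False)
    # strict=False normalises an option written with host bits set,
    # e.g. 172.16.8.0/19 is treated as 172.16.0.0/19.
    proposed = ipaddress.ip_network(dhcp2_subnet, strict=False)

    problems = []
    if proposed != live:
        problems.append(f"scope subnet {proposed} is not the client subnet {live}")
    if s2 > e2:
        problems.append("starting address is after ending address")
    elif s2 not in live or e2 not in live:
        problems.append(f"range {s2}-{e2} leaves the client subnet {live}")
    elif s2 == live.network_address or e2 == live.broadcast_address:
        problems.append("range includes the network or broadcast address")
    # Two servers leasing the same address would hand out duplicates.
    if s2 <= e1 and s1 <= e2:
        problems.append(f"range overlaps DHCP1 ({s1}-{e1})")
    # With DHCP1 down, DHCP2 alone has to cover every client.
    size = int(e2) - int(s2) + 1
    if size < clients:
        problems.append(f"only {size} addresses for {clients} clients")
    return problems


def usable_options(question_no):
    """Letters of the answer options that pass every check for one question."""
    q = QUESTIONS[question_no]
    return [letter for letter, (subnet, rng) in sorted(q["options"].items())
            if not check_split_scope(q["mask"], q["dhcp1"], subnet, rng, q["clients"])]


if __name__ == "__main__":
    for number, q in QUESTIONS.items():
        print(f"Question {number}: usable option(s) {usable_options(number)}")
        for letter, (subnet, rng) in sorted(q["options"].items()):
            issues = check_split_scope(q["mask"], q["dhcp1"], subnet, rng, q["clients"])
            print(f"  {letter}: {'; '.join(issues) if issues else 'ok'}")
```

Run on a real deployment, the same checks catch the two common split-scope mistakes: a second scope defined with a different mask than the live subnet, and two servers leasing from overlapping ranges.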

QUESTION NO: 121

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The company has created a web site which requires a very high availability and a high scalability

for the success of the company. You therefore publish the Web site on two Web servers.

You have to now deploy an availability solution for your Web servers and ensure that the Web site

is accessible even if a single server fails and the addition of more Web servers can be done for the

website without interrupting client connections.

Which of the following options would you choose to create to accomplish the desired task?

A. A Network Load Balancing cluster

B. A failover cluster

C. Application pools on each Web server

D. A Web farm on each Web server.

E. None of the above

Answer: A

Explanation:

To deploy an availability solution for your Web servers and ensure that the Web site is accessible

even if a single server fails and the addition of more Web servers can be done for the website

without interrupting client connections, you need to create a Network Load Balancing cluster.

Network load balancing (NLB), Windows Server 2008's other high-availability alternative, enables

an organization to scale server and application performance by distributing TCP/IP requests to

multiple servers, also known as hosts, within a server farm. This scenario optimizes resource

utilization, decreases computing time and ensures server availability. Typically, service providers

should consider network load balancing if their customer situation includes, but is not limited to,

Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access

servers.

When designing and implementing NLB server farms, it's common to start off with two servers for

scalability and high availability and then add additional nodes to the farm as Clearly, failover

clustering and network load balancing with Windows Server 2008 provide service providers with

options when designing and implementing high availability for their customers' mission-critical

servers and applications.

Reference : Failover clustering, network load balancing drive high availability

http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION NO: 122

You are an Enterprise administrator for CertKiller.com. The company consists of a branch office

and a head office. The corporate network of the company consists of a single Active Directory

domain. All the servers in the domain run Windows Server 2008 and all client computers run

Windows Vista.

The servers in both the offices are independent of each other and share resources. You want to

deploy a clustering solution that ensures high availability and minimum downtime for the servers on the

network. You need to ensure that if a node fails, the disks, resources and services running on the

failed node fail over to a surviving node in the cluster.

Which of the following options would you choose to accomplish the desired task?

A. Create a Network Load Balancing cluster.

B. Create two application pools on each Web server.

C. Configure a Web garden on each Web server.

D. Configure a failover cluster.

E. None of the above

Answer: D

Explanation:

To ensure that if a node fails, the disks, resources and services running on the failed node fail over

to a surviving node in the cluster, you need to configure a failover cluster.

Windows Server 2008 supports the shared-nothing cluster model, in which two or more

independent servers, or nodes, share resources; each server owns and is responsible for

managing its local resources and provides nonsharing services.

In case of a node failure, the disks, resources and services running on the failed node fail over to a

surviving node in the cluster. This model minimizes server outage and downtime. Only one node

manages one particular set of disks, cluster resources and services at any given time.

Reference : Failover clustering, network load balancing drive high availability

http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

Section 3, Plan for backup and recovery (10 Questions)

QUESTION NO: 123

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The domain contains three domain controllers for which a full backup is performed each day.

Which of the following options would you choose to plan a recovery strategy for Active Directory

objects that allow objects in a backup to be compared to objects in the live Active Directory

database in the minimum administrative effort? (Select two. Each correct answer will present a

part of the solution.)

A. Restore the backup to a domain controller in a test forest.

B. Restore the backup to an alternate location.

C. Restore the backup to the original location.

D. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe).

E. Use the Active Directory Installation Wizard to create a new domain controller.

F. Create a snapshot using the Active Directory Service Utilities (Ntdsutil.exe).

Answer: B,D

Explanation:

To plan a recovery strategy for Active Directory objects, you need to restore the backup to an

alternate location. Mount the database using the Active Directory Database Mounting Tool

(Dsamain.exe).

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for

your organization by providing a means to compare data as it exists in snapshots that are taken

at different times so that you can better decide which data to restore after data loss. This

eliminates the need to restore multiple backups to compare the Active Directory data that they

contain. You need to restore the backup to an alternate location so that you can compare the data.

Reference : Active Directory Database Mounting Tool Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc753609.aspx

QUESTION NO: 124

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

You perform a full backup of the domain controllers every day.

Which of the following options would allow you to implement an Active Directory recovery strategy

that allows objects in a backup to be compared to objects in the live Active Directory database?

(Select two. Each correct answer will present a part of the solution.)

A. Restore the backup to a domain controller in a test forest.

B. Restore the backup to an alternate location.

C. Restore the backup to the original location.

D. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe).

E. Use the Active Directory Installation Wizard to create a new domain controller.

F. Create a snapshot using the Active Directory Service Utilities (Ntdsutil.exe).

Answer: B,D

Explanation:

To plan a recovery strategy for Active Directory objects, you need to restore the backup to an

alternate location. Mount the database using the Active Directory Database Mounting Tool

(Dsamain.exe).

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for

your organization by providing a means to compare data as it exists in snapshots that are taken

at different times so that you can better decide which data to restore after data loss. This

eliminates the need to restore multiple backups to compare the Active Directory data that they

contain. You need to restore the backup to an alternate location so that you can compare the data.

Reference : Active Directory Database Mounting Tool Step-by-Step Guide

http://technet.microsoft.com/en-us/library/cc753609.aspx

QUESTION NO: 125

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory forest that contains an Active Directory domain. All the servers

in the domain run Windows Server 2003 and all client computers run Windows Vista.

The domain contains eight domain controllers. You upgraded one of the domain controllers to

Windows Server 2008 called CertKillerDC1. During the upgrade some of the Active Directory

objects get deleted.

You need to recover the deleted objects and plan for a recovery solution that allows

deleted objects to be recovered for up to one year after the date of deletion. Which of the following

options would you choose to accomplish the desired task?

A. On CertKillerDC1, enable shadow copies of the drive that contains the Ntds.dit file.

B. Configure daily backups of CertKillerDC1.

C. Increase the interval of the garbage collection process for the forest.

D. Increase the tombstone lifetime for the forest.

E. None of the above

Answer: D

Explanation:

To recover the deleted objects and plan for a recovery solution that allows deleted objects to be

recovered for up to one year after the date of deletion, you need to increase the tombstone lifetime

for the forest.

If you need to restore your domain controller, or you need to make an authoritative restore of

Active Directory, you need a backup which is younger than 60 days (by default). The objects that

get deleted from Active Directory will remain as a tombstone.

The Tombstone is the object with limited attributes, such as the GUID, Name and SID of the

object, and the mark that it's deleted. The garbage collection of Active Directory takes care to

finally delete tombstones which are older than the tombstone-lifetime.

To avoid inconsistencies in object deletion, the tombstone lifetime is configured to be many times

larger than the worst-case replication latency. By default, the Active Directory tombstone lifetime is

sixty days. This value can be changed if necessary.

Reference : Active Directory Backup? Don't rush - you'll get more time

http://msmvps.com/blogs/UlfBSimonWeidner/archive/2005/03/26/39806.aspx

Reference : Changing the Tombstone Lifetime Attribute in Active Directory

http://www.petri.co.il/changing_the_tombstone_lifetime_windows_ad.htm

QUESTION NO: 126

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the domain controllers in the domain run Windows

Server 2008 and all client computers run Windows Vista.

You have been assigned the task to implement a backup and recovery plan that restores the

domain controllers in the event of a catastrophic server failure. In your plan, you cannot use optical

drives for backup because according to the company's policy, the domain controllers cannot

contain optical drives for security reasons.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the solution.)

A. Use Windows Server Backup to back up each domain controller to a local disk.

B. Use Windows Server Backup to back up each domain controller to a remote network share.

C. Create a Windows Recovery Environment (Windows RE) partition on each domain controller.

D. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment

(Windows RE).

Answer: B,D

Explanation:

To implement a backup and recovery plan that restores the domain controllers in the event of a

catastrophic server failure, you need to use Windows Server Backup to back up each domain

controller to a remote network share. You can use Windows Server Backup to back up a full

server (all volumes), selected volumes, or the system state.

In case of disasters like hard disk failures or catastrophic server failure you can perform a system

recovery, which will restore your complete system onto the new hard disk, by using a full server

backup and the Windows Recovery Environment.

You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery

Environment (Windows RE). Windows Deployment Services enables you to deploy Windows

operating systems by using a network-based installation. This means that you do not have to

install each operating system directly from a CD or DVD. Therefore, you can avoid the use of

optical drive for backup.

Reference : Windows Server Backup Step-by-Step Guide for Windows Server 2008

http://technet.microsoft.com/en-us/library/cc770266.aspx

Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003

http://technet.microsoft.com/en-us/library/cc766320.aspx

QUESTION NO: 127

You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows

Server 2008 and all client computers run Windows Vista.

The network contains 3 file servers that store user documents. You have been assigned the task to

implement a data recovery strategy that ensures that all data volumes on the file

server must be backed up daily without creating much impact on performance.

The recovery strategy must also be able to restore individual files if a disk fails. Besides, the users

must be able to retrieve previous versions of files without the intervention of an administrator.

Which of the following options would you choose to accomplish the desired task? (Select two.

Each correct answer will present a part of the solution.)

A. Use Windows Server Backup to perform a daily backup to an external disk.

B. Use Windows Server Backup to perform a daily backup to a remote network share.

C. Deploy File Server Resource Manager (FSRM).

D. Deploy Windows Automated Installation Kit (WAIK).

E. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies

on a separate physical disk.

F. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies

in the default location.

Answer: A,E

Explanation:

Use Windows Server Backup to perform a daily backup to an external disk.

Enable shadow copies for the volumes that contain shared user data. Store the shadow copies on

a separate physical disk.

FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server

2008. You can use FSRM to enhance your ability to manage and monitor storage activities on

your file server.

The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event

Log Integration, E-mail Notifications, and Automated Scripts.

You use a Quota function to manage disk usage on a volume in the File Server Resource

Manager (FSRM) and then you can enable the Shadow Copies feature on the volume.

Shadow Copies for Shared Folders uses the Volume Shadow Copy Service to provide point-in-

time copies of files that are located on a shared network resource, such as a file server. With

Shadow Copies for Shared Folders, users can quickly recover deleted or changed files that are

stored on the network without administrator assistance, which can increase productivity and

reduce administrative costs. Shadow copies allow users to retrieve previous versions of files on

their own without the intervention of an administrator.

By default, shadow copies are stored on the same volume as the shared folders being backed up.

As a best practice, you should store the shadow copies on a separate physical disk as an extra

fault tolerance measure.

Reference : The Basics of Windows Server 2008 FSRM (File Server Resource Manager)

http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-server-resource-manager.aspx

Reference : What Is Volume Shadow Copy Service?

http://technet.microsoft.com/en-us/library/cc757854.aspx

QUESTION NO: 128

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the domain controllers in the domain run Windows

Server 2008 and all client computers run Windows Vista.

You have been assigned the task to implement a backup and recovery plan that restores the

domain controllers and the client computers in the event of a catastrophic server failure.

Besides recovering the domain controller, you also want a provision to restore items from client

computers by choosing a backup and then selecting specific items from that backup to restore.

You want to restore an item by choosing the date of the backup version for the item you want to

restore. You want to make sure that the backup is not taken on an optical drive.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the solution.)

A. Use Windows Server Backup to back up each domain controller and the client computers to a

local disk.

B. Use Ntbackup.exe tool to back up each domain controller and the client computers to a local

disk.

C. Use Windows Server Backup to back up each domain controller to a remote network share.

D. Create a Windows Recovery Environment (Windows RE) partition on each domain controller.

E. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment

(Windows RE).

Answer: C,E

Explanation:

To implement a backup and recovery plan that restores the domain controllers and the client

computers in the event of a catastrophic server failure, you need to use Windows Server Backup

to back up each domain controller to a remote network share. You can use Windows Server

Backup to back up a full server (all volumes), selected volumes, or the system state.

You can restore items by choosing a backup and then selecting specific items from that backup to

restore. You can recover specific files from a folder or all the contents of a folder. In addition,

previously, you needed to manually restore from multiple backups if the item was stored on an

incremental backup. But this is no longer true: you can now choose the date of the backup

version for the item you want to restore.

In case of disasters like hard disk failures or catastrophic server failure you can perform a system

recovery, which will restore your complete system onto the new hard disk, by using a full server

backup and the Windows Recovery Environment.

You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery

Environment (Windows RE). Windows Deployment Services enables you to deploy Windows

operating systems by using a network-based installation. This means that you do not have to

install each operating system directly from a CD or DVD. Therefore, you can avoid the use of

an optical drive for backup.

Reference : Windows Server Backup Step-by-Step Guide for Windows Server 2008

http://technet.microsoft.com/en-us/library/cc770266.aspx

Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003

http://technet.microsoft.com/en-us/library/cc766320.aspx

QUESTION NO: 129

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The network contains 20 file servers, each containing two volumes, one for the operating system and the other

for the data files. You have been assigned the task to plan a recovery strategy that ensures

server continuity in case of server failures. The recovery strategy must ensure that the operating

system and the data files can be restored in the minimum amount of time.

Which of the following options would you choose to accomplish the desired goal? (Select two.

Each correct answer will present a part of the solution.)

A. Windows Automated Installation Kit (WAIK)

B. Windows Deployment Services (WDS)

C. Windows Recover Disk feature

D. Windows Server Backup feature

E. Volume Shadow Copies

F. Folder redirection

G. Windows Complete PC Restore

Answer: D,G

Explanation:

To plan a recovery strategy that ensures server continuity in case of server failures, you

need to use the Windows Server Backup feature and Windows Complete PC Restore.

Complete PC Backup and Restore is a comprehensive, image-based backup tool to help you out

of a tight spot if you need to recover your entire system. While file restore is useful in cases of file

loss and data corruption, Windows Complete PC Restore is most useful for disaster recovery

when your PC malfunctions. Complete PC Backup and Restore is capable of restoring your entire

PC environment, including the operating system, installed programs, user settings, and data files.

Reference : Windows Complete PC Backup and Restore

http://www.microsoft.com/singapore/windows/products/windowsvista/features/details/completepcbackup.mspx

QUESTION NO: 130

You are an Enterprise administrator for CertKiller.com. All the servers in the domain run Windows

Server 2008 and all client computers run Windows Vista.

The network contains 3 servers, a file server, a database server, and a messaging server. You

have been assigned the task to provide a backup infrastructure to create consistent backups of

open files and applications, database server, and the messaging server.

The solution must also be able to minimize the interruption to applications.

Which of the following options would you choose to accomplish the desired task?

A. Use Windows Server Backup to perform a daily backup to an external disk.

B. Use Windows Server Backup to perform a daily backup to a remote network share.

C. Enable volume shadow copy service for the volumes that need to be backed up.

D. Enable shadow copies for the volumes that contain shared user data.

E. None of the above

Answer: C

Explanation:

To create consistent backups of open files and applications, database server, and the messaging

server without interrupting the applications, you need to enable shadow copies for the volumes

that need to be backed up.

Applications that are running often keep their files open continuously. For backup, this can present

a problem because this prevents backup applications from accessing and copying these files to

backup media. Additionally, backing up servers that are running critical applications such as

databases or messaging services presents a unique challenge. These applications run in a volatile

state as a result of extensive optimizations that deal with huge flows of transactions and

messages.

Because these applications keep their data in a constant flux between memory and disk, it is

difficult to pinpoint the data that needs to be archived. The most straightforward solution is to

interrupt the application during backup, which puts the data into a stable state, but might result in

unacceptable amounts of downtime, particularly if the applications are large.

For both problems, the Volume Shadow Copy Service provides a solution by enabling a snapshot

of the data at a given point in time, while minimizing the interruption to applications.

Reference : What Is Volume Shadow Copy Service?

http://technet.microsoft.com/en-us/library/cc757854.aspx

QUESTION NO: 131

You are an Enterprise administrator for CertKiller.com. The corporate network of the company

consists of a single Active Directory domain. All the servers in the domain run Windows Server

2008 and all client computers run Windows Vista.

The client computers in the company run many applications, all of which are

configured to save documents to the local Documents folder. You therefore need to plan a backup

strategy for the Documents folder for all the users with the minimum amount of administrative effort.

Which of the following options would you choose to accomplish the desired goal?

A. Deploy agents to all client computers using System Center Operations Manager.

B. Create a shared folder on a file server and then configure scheduled backups on each client

computer to store the backup files on the shared folder.

C. Use Group Policy objects (GPO) to implement folder redirection and then back up the folder

redirection target.

D. Run Windows Server Backup from a server and connect to each client computer.

E. None of the above

Answer: C

Explanation:

To plan a backup strategy for the Documents folder for all the users with the minimum amount of

administrative effort, you need to use Group Policy objects (GPO) to implement folder redirection

and then back up the folder redirection target.

Folder Redirection is a Group Policy feature that enables you to redirect the system folders

containing the profile of a user to the network. Through the use of the Folder Redirection feature,

you can ensure that the contents of the user's system folders remain the same, irrespective of

the particular computer that the user uses to log on to the system. The system folders for

which you can configure folder redirection include the My Documents folder.

Redirecting the My Documents folder ensures that users can access their data from any computer.

Because redirected folder data is stored on a network server, you can back up the data to

offline storage media.

Reference : Implementing Folder Redirection using Group Policy

http://www.tech-faq.com/implementing-folder-redirection-using-group-policy.shtml

QUESTION NO: 132

You are an Enterprise administrator for CertKiller.com. The company has a head office and 20

branch offices. The corporate network of the company consists of a single Active Directory

domain. All the servers in the domain run Windows Server 2008 and all client computers run

Windows Vista.

Each branch office contains a file server that stores users' data. You have been assigned the task

to design a strategy for backing up the file servers and ensure that the backups are scheduled,

allow individual file recovery and a complete server recovery.

Besides this, your backup strategy must provide decentralized control over backups and recovery

with minimum administrative effort. Which of the following options would you choose to accomplish

the desired task?

A. Use Windows Server Backup to back up volumes to DVD.

B. Configure Volume Shadow Copies.

C. Use Windows Server Backup to back up to an external USB drive.

D. Install the Windows Recovery Disc feature and then create a Scheduled task that runs

recdisc.exe.

E. None of the above

Answer: C

Explanation:

To design a strategy for backing up the file servers and ensure that the backups are scheduled,

allow individual file recovery and a complete server recovery, you need to use Windows Server

Backup to back up to an external USB drive.

Backing up to USB drives is easy and simple. USB provides software and hardware features that make

connecting any USB device just about as foolproof as possible. Most backup software now

supports USB devices. External USB drives are highly portable and can be used to back up

several computers on the same drive.

You cannot use Windows Server Backup to back up volumes to DVD because Windows Server

Backup doesn't support system state or file level backups and restores when using DVDs. And

you can't schedule backups to DVD.

Reference : USB drive backup: Pros and cons

http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1215078,00.html

Reference : Active Directory Backup and Restore in Windows Server 2008

http://technet.microsoft.com/en-us/magazine/cc462796.aspx
