Exam 70-648 TS: Upgrading from Windows Server 2003 MCSA to, Windows Server … · 2019-11-02 · A....

Date post: 17-Jun-2020
Page 1: Exam 70-648 TS: Upgrading from Windows Server 2003 MCSA to, Windows Server … · 2019-11-02 · A. The MCSA on Windows Server 2003 certification is a prerequisite for this exam.

straight_evil - 426q (2013-04-18)

Number: 70-648
Passing Score: 700
Time Limit: 170 min
File Version: 2.0

http://www.gratisexam.com/

Exam 70-648

TS: Upgrading from Windows Server 2003 MCSA to Windows Server 2008, Technology Specializations

Brought to you by

v2013-04-19 straight_evil

About This Exam

Q. What is the 70-648 exam?

A. Exam 70-648 is an upgrade exam that is a composite of two stand-alone exams: 70-640 and 70-642. Exam 70-648 validates skills related to the core technology features and functionality of Windows Server 2008 based on the existing knowledge set of a Microsoft Certified Systems Administrator (MCSA) on Windows Server 2003.

Q. What are the prerequisites for the 70-648 exam?

A. The MCSA on Windows Server 2003 certification is a prerequisite for this exam.

Q. What credit does the 70-648 exam provide?

A. Passing the Exam 70-648 earns you the MCTS certifications that count as credit toward the following Professional Series certifications:

MCITP: Server Administrator
MCITP: Enterprise Administrator


Q. What certificate does it provide?

A. Passing the Exam 70-648 fulfills the requirements for the following certifications:

Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure Configuration

Q. How many questions are asked in the test?

A. You will be required to attempt 32 questions in each of 2 sections, for a total of approximately 64 questions.

Q. What is the duration of the test?

A. Users are required to attempt all questions in 170 minutes.

Q. Which type of test is it? (Adaptive/Linear)

A. This test consists of Multiple Choice, Hot Area, Drag and Drop, Build list and reorder, and Build a Tree questions. The test can be adaptive, and simulation questions might be asked. There are no case study type questions.

Q. What is the passing score?

A. You need a score of 700 out of 1000 to pass the exam. Each section is scored separately, and your final score is the lowest score of the 2 sections. This means every question is weighted very heavily!

Q. What is the test retake policy?

A. If you do not pass test 70-648 the first time, you may retake it at any time. If you do not achieve a passing score the second time, you must wait at least 14 days to retake the test a third time. A 14-day waiting period will be imposed for all subsequent exam retakes. If you have passed an exam, you cannot take it again.

Q. Is the 70-648 exam right for me?

A. If you currently hold an MCSA on Windows Server 2003 certification and work in a complex computing environment of mid-sized to large companies, this exam is intended for you.

Q. Where can I take the test?

A. Microsoft exams can be taken at Prometric testing facilities.

Change Log

This dump is derived from Microsoft.Pass4Sures.70-648.v2013-02-10.by.kazi.491q.vce with the following enhancements:

Modified exam properties (passing score / time limit) to reflect actual test parameters. Added the wonderful exam description you are presented with as well.
Organized questions into multiple exams, based on their relevant sections, so they better reflect the Microsoft objectives. Created exams for questions not immediately relevant to Microsoft objectives.

The "Same Choices" exam allows you to practice the sets of questions that come up with the same dozen answers for each of 5 questions in a row. I was not prepared for these the first time I took the exam and failed, since I was certain 'ntdsutil' was the answer to everything :)
The "Out-of-Scope" exam allows you to practice (or, more importantly, not practice!) questions out of the primary exam scope, but that can still be asked because they come from the original 70-640/70-642.


I updated questions to more accurately reflect the "Skills Measured" by the exam - https://www.microsoft.com/learning/en/us/exam.aspx?id=70-648 This involved the following edits:

1) Removed all duplicate questions I could find.
2) Removed many questions for topics like DNS/WINS, file/print services, FSMO roles, forests and trusts, GPOs - things likely to be asked only of 1st timers on the 70-640/70-642. I consider these "Out-of-scope", and only kept questions here if they were related to new features in 2008. In my experience, this type of material does show up on the exam, but makes up 1 or 2 questions out of the 64 you'll get, so you will not fail if you skip these.
3) Imported other questions from 70-640 and 70-642 dumps that seemed relevant or involved new features in Server 2008. I also imported a few that showed up on my exams. This included many more "Exhibit" or "Select/Place" questions where possible, for a more accurate exam feel :)

Cleaned up spelling, paragraph format, spacing, hyphens and other formatting issues. Also helped make commands distinguishable from their surrounding text so questions were more readable. No, I did not use Microsoft's official formatting (bolding a command), I used a format I thought was easiest to read :)
Converted all questions with an "Exhibit" into the proper format in VCE, so the Exhibit button can be clicked and the image examined in a separate window. This makes the question easier to read, and provides a more accurate exam experience. Previously, the images were simply pasted below the question.
Converted all "Select/Place" and "Hot Area" questions into the corresponding VCE question type, so they could actually be answered and count towards your score. Previously, only snapshots were available of the right answers, but the questions were multiple-choice with no correct answer specified. In VCE this is the same as missing the question!!!
Made sure all questions provided an answer, except for Out-of-Scope questions (it's a time consuming process and these questions only rarely come up!). I tried to make sure answers for all questions were more thorough, but to-the-point (not Copy/Paste half an article from Technet). This includes not only saying why certain answers are right, but pointing out why others are wrong. I also referenced explanations as best as possible with relevant MS links. In my experience, being able to study this kind of stuff makes it much easier to remember the right answers - because you will be able to learn what all these other weird / obscure commands are that pop up in the multiple choices!
Reviewed all questions for accuracy of answers and fixed all wrong answers. Many were already corrected in other dumps but not in the one I borrowed from. It was amazing how many wrong answers were there, too - enough to make a difference in my pass/fail when I took the exam. I failed using many of the "wrong" answers, but passed the next week after correcting them and re-learning the material.

In summary, it looks like I went to very much trouble over an almost expired exam. But consider my efforts a "proof-of-concept" - this VCE file is an example of what VCE files can look like, if people spend a little more time with them and a little less time doing...well, whatever it is that distracts people from checking answers and providing more detailed information! I would love to see other VCEs be equally helpful and hope, as I write more, that others will be inspired.

At the very least, my answers for questions should be helpful to 70-640/70-642 dumps for another year!

Sections
1. 70-648 Configuring Additional Active Directory Server Roles
2. 70-648 Maintaining the Active Directory Environment
3. 70-648 Configuring Active Directory Certificate Services
4. 70-648 Configuring IP Addressing and Services
5. 70-648 Configuring Network Access
6. 70-648 Monitoring and Managing A Network Infrastructure
7. 70-640 Configuring Domain Name System (DNS) for Active Directory
8. 70-640 Configuring the Active Directory Infrastructure
9. 70-642 Creating and Maintaining Active Directory Objects
10. 70-642 Configuring Names Resolution
11. 70-642 Configuring File and Print Services


Active Directory, Configuring

QUESTION 1

A server named DC1 has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed.

An AD LDS instance named LDS1 stores its data on the C: drive.

You need to relocate the LDS1 instance to the D: drive.

Which three actions should you perform in sequence? (To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

Select and Place:

Correct Answer:

Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation

Explanation/Reference:

Explanation:

To relocate an AD LDS directory partition, use the NTDSUTIL tool. Take the following steps:


Stop the LDS by using the net stop command. (MY NOTE: The LDS instance runs on a service named after the instance, similar to SQL Server)
Move the Database file through the NTDSUTIL tool.
Start the directory service using the net start command.

Reference: http://www.ucertify.com/blog/windows-server-2008-tools-used-for-configuring-and-maintaining-active-directory.html

QUESTION 2

You need to perform an offline defragmentation of an Active Directory database.

Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.)

Select and Place:

Correct Answer:

Section: 70-648 Maintaining the Active Directory Environment

Explanation

Explanation/Reference:

Explanation:

To perform offline defragmentation of the directory database (...)

3. At the command prompt, type the following command, and then press ENTER:

net stop ntds

4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.


(...)

9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to: (...)

c. Manually copy the compacted database file to the original location, as follows:

copy "<temporaryDrive>:\ntds.dit" "<originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit"

(...)

14. Restart AD DS. At the command prompt, type the following command, and then press ENTER:

net start ntds

Reference: http://technet.microsoft.com/en-us/library/cc794920%28v=ws.10%29.aspx
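The offline defragmentation steps quoted above, scripted end to end as an added example (this is my script, not part of the dump or of the TechNet article). It assumes an elevated PowerShell session on a Windows Server 2008 R2 domain controller, reads the real database and log locations from the NTDS service parameters, and uses $TempDir as a placeholder scratch folder; the integrity check and the handling of the old log files are taken from the steps the article elides above and are labelled as such in the comments.

```powershell
# Added example: scripted offline defragmentation of ntds.dit following the
# Question 2 procedure. Not part of the dump or the TechNet article.
# Assumptions: elevated PowerShell on a 2008 R2 DC; $TempDir is a placeholder.
param(
    [string]$TempDir = 'D:\NtdsCompact'   # placeholder: scratch folder for the compacted copy
)
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }

# Read the live database and log locations from the NTDS service parameters
# instead of assuming C:\Windows\NTDS.
$ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $ntds.'DSA Database file'
$logPath = $ntds.'Database log files path'
$dit     = Get-Item $dbPath

# The compacted copy is written to $TempDir, so that volume needs at least as
# much free space as the current ntds.dit (a 20% margin is added here).
New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
$driveName = (Split-Path -Qualifier $TempDir).TrimEnd(':')
$free = (Get-PSDrive $driveName).Free
if ($free -lt $dit.Length * 1.2) {
    throw "Not enough free space on $driveName`: for a $($dit.Length) byte copy."
}

# Step 3: stop AD DS (restartable AD DS; /y also stops the dependent services).
net stop ntds /y
if ($LASTEXITCODE -ne 0) { throw 'net stop ntds failed; the database is still in use.' }

try {
    # Steps 4-6 plus the compaction itself, passed to ntdsutil on one command line.
    ntdsutil "activate instance ntds" files "compact to $TempDir" quit quit
    $compacted = Join-Path $TempDir 'ntds.dit'
    if (-not (Test-Path $compacted)) { throw 'ntdsutil did not produce a compacted ntds.dit.' }

    # Keep the original database and logs so the change can be rolled back.
    $backupDir = Join-Path $TempDir 'original'
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    Copy-Item $dbPath $backupDir
    # ntdsutil's on-screen instructions (elided in the quoted steps) say to remove
    # the old log files before the compacted database is put in place; moving them
    # to the backup folder satisfies that while keeping a copy.
    Move-Item (Join-Path $logPath '*.log') $backupDir

    # Step 9c: copy the compacted database over the original.
    Copy-Item $compacted $dbPath -Force

    # Integrity check of the new database (one of the article's steps 10-13, not quoted above).
    ntdsutil "activate instance ntds" files integrity quit quit
}
finally {
    # Step 14: restart AD DS whether or not the copy succeeded, so the DC is not left down.
    net start ntds
}
```

If the integrity check reports errors, restore ntds.dit and the .log files from the original folder before starting the service again.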

QUESTION 3

Your network contains an Active Directory domain. You have a server named Server1 that runs Windows Server 2008 R2. Server1 is an enterprise root certification authority (CA).

You have a client computer named Computer1 that runs Windows 7. You enable automatic certificate enrollment for all client computers that run Windows 7.

You need to verify that the Windows 7 client computers can automatically enroll for certificates.

Which command should you run on Computer1?

A. certreq.exe -retrieve

B. certreq.exe -submit

C. certutil.exe -getkey

D. certutil.exe -pulse

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

certutil.exe -pulse is used to check on the status ("pulse") of autoenrollment events.

certutil.exe -getkey is used to retrieve or recover archived keys.

certreq.exe -retrieve is used to retrieve responses from requests made to a CA.

certreq.exe -submit is used to submit a certificate request to a CA.

References:
http://technet.microsoft.com/library/cc732443.aspx (Command-Line reference for certutil)
http://technet.microsoft.com/library/cc725793.aspx (Command-Line reference for certreq)

QUESTION 4

Your network contains an Active Directory forest named adatum.com. All domain controllers currently run Windows Server 2003 Service Pack 2 (SP2). The functional level of the forest and the domain is Windows Server 2003.

You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What should you do first?

A. Run adprep.exe

B. Raise the functional level of the domain to Windows Server 2008.


C. Raise the functional level of the forest to Windows Server 2008.

D. Deploy a writable domain controller that runs Windows Server 2008 R2.

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation

Explanation/Reference:

Explanation:

One of the first steps in preparing an RODC is to prepare the AD schema to handle the extensions and attributes necessary.

RODC functionality works with Server 2003 forest and domain levels, so we do not need to raise them. For the same reason, we also do not need a Server 2008 R2 domain controller (it is not a requirement).

To deploy an RODC, complete the following high-level tasks:
Ensure that the forest functional level is Windows Server 2003 or higher. (MY NOTE: In this scenario it obviously is)
Run adprep /rodcprep. You do not have to perform this step if you are creating a new forest that will have only domain controllers running Windows Server 2008. (MY NOTE: We are only adding 1 Server 2008 DC, so we can presume we still have Server 2003 DCs)

(...)

Reference: http://technet.microsoft.com/en-us/library/cc754629%28v=ws.10%29.aspx

QUESTION 5

Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1.

An administrator changes the password of the user account that is used by AD RMS.

You need to update AD RMS to use the new password.

Which console should you use?

A. Active Directory Rights Management Services
B. Local Users and Groups
C. Services
D. Active Directory Users and Computers

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation

Explanation/Reference:

Explanation:

The Active Directory Rights Management Services management console provides a wizard to change or update the AD RMS service account. The most common use for this process is to update the service account password when it has been changed.

It is important to use this process to update or change the AD RMS service account. This ensures the necessary components are updated properly.

Reference: http://social.technet.microsoft.com/wiki/contents/articles/13034.ad-rms-how-to-change-the-rms-service-account-password.aspx


The AD RMS service account is a domain account, but does not appear to be something to change in ADUC.

The AD RMS service account gets added to a local group on the RMS server, but the account itself clearly does not reside there.

The service account for AD RMS on the local service could possibly be changed from the Services console, but this provides no functionality for changing the password.

QUESTION 6

Your network contains two Active Directory forests named contoso.com and adatum.com. The functional level of both forests is Windows Server 2008 R2.

Each forest contains one domain. Active Directory Certificate Services (AD CS) is configured in the contoso.com forest to allow users from both forests to automatically enroll user certificates.


You need to ensure that all users in the adatum.com forest have a user certificate from the contoso.com certification authority (CA).

What should you configure in the adatum.com domain?

A. From the Default Domain Controllers Policy, modify the Enterprise Trust settings.
B. From the Default Domain Controllers Policy, modify the Trusted Publishers settings.
C. From the Default Domain Policy, modify the Certificate Enrollment policy.
D. From the Default Domain Policy, modify the Trusted Root Certification Authority settings.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

The question says you must ensure users have a certificate from the CA, so the Default Domain Policy is what needs editing, as it will affect all users. The Default Domain Controllers Policy would allow you to change settings on domain controllers only and would not affect all users or machines.

The Certificate Enrollment policy option, as the name indicates, lets you configure enrollment options to control how/where users get their certificates.

The Trusted Root Certification Authority policy would let you control the enterprise list of Trusted Root CAs. Since AD CS is configured to allow users from both forests to automatically enroll, it is likely that both CAs are already trusted.

QUESTION 7

You have a server named Server1 that has the following Active Directory Certificate Services (AD CS) role services installed:

Enterprise Root Certification Authority (CA)
Certificate Enrollment Web Service
Certificate Enrollment Policy Web Service


You create a new certificate template. External users report that the new template is unavailable when they request a new certificate.

You verify that all other templates are available to the external users.

You need to ensure that the external users can request certificates by using the new template.

What should you do on Server1?

A. Run iisreset.exe /restart.

B. Run gpupdate.exe /force.

C. Run certutil.exe dspublish.

D. Restart the Active Directory Certificate Services service.

Correct Answer: A
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

All other templates are available to the users, so the certificate services are working correctly. The website is simply not aware of the new certificates available in the store, so IIS must be reset so that the list is updated.

certutil.exe dspublish will publish a certificate to AD, but this will already take place when the new certificate is issued since we are using an Enterprise Root.

Reference: http://technet.microsoft.com/library/cc732443.aspx

Restarting the AD CS service is likely not needed since all other aspects of certificate management are functioning as expected.

gpupdate.exe /force will force a group policy update on the client it is run from, but group policy is not at issue in this question.

QUESTION 8

Your network contains an enterprise root certification authority (CA).

You need to ensure that a certificate issued by the CA is valid.

What should you do?

A. Run syskey.exe and use the Update option.

B. Run sigverif.exe and use the Advanced option.

C. Run certutil.exe and specify the -verify parameter.

D. Run certreq.exe and specify the -retrieve parameter.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

certutil.exe -verify is used to verify a certificate or CRL.

Reference: http://technet.microsoft.com/library/cc732443.aspx


certreq.exe is used to submit or manage certificate requests. The -retrieve option will retrieve a specific certificate from the CA.

syskey.exe is used to enable strong encryption on the security accounts (SAM) database.

sigverif.exe is used to find unsigned hardware drivers.

QUESTION 9

You have an enterprise subordinate certification authority (CA). The CA issues smart card logon certificates.

Users are required to log on to the domain by using a smart card.

Your company's corporate security policy states that when an employee resigns, his ability to log on to the network must be immediately revoked.

An employee resigns.

You need to immediately prevent the employee from logging on to the domain.

What should you do?

A. Revoke the employee's smart card certificate.
B. Disable the employee's Active Directory account.
C. Publish a new delta certificate revocation list (CRL).
D. Reset the password for the employee's Active Directory account.

Correct Answer: B
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

Only disabling the AD account will prevent logon to the domain.

Resetting the password will prevent the user from logging on with the password he had been using, but if he could guess the new password he would still be able to log on.

Revoking the smart card certificate will not prevent the user from using his smart card to log on. This is also why publishing a new delta CRL will not work.

QUESTION 10

Your network contains a server that runs Windows Server 2008 R2. The server is configured as an enterprise root certification authority (CA).

You have a Web site that uses X.509 certificates for authentication. The Web site is configured to use a many-to-one mapping.

You revoke a certificate issued to an external partner.

You need to prevent the external partner from accessing the Web site.

What should you do?

A. Run certutil.exe -crl.

B. Run certutil.exe -delkey.

C. From Active Directory Users and Computers, modify the membership of the IIS_IUSRS group.


D. From Active Directory Users and Computers, modify the Contact object for the external partner.

Correct Answer: A
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

certutil.exe -crl will publish a new CRL so that the web server knows the user's certificate is no longer valid.

-delkey is not a valid parameter of certutil.exe, nor would the certificate need to be deleted. The equivalent of this was accomplished when you revoked the certificate. However, the website is still not aware of this revocation until the next CRL is published.

Removing the user from the IIS_IUSRS group will restrict their access to the website files, but they will still likely have a minimum of read access to the site.

Modifying contact information for the partner in no way restricts their access to the system.

QUESTION 11

You have an Active Directory domain that runs Windows Server 2008 R2. You need to implement a certification authority (CA) server that meets the following requirements:

Allows the certification authority to automatically issue certificates
Integrates with Active Directory Domain Services

What should you do?

A. Purchase a certificate from a third-party certification authority. Import the certificate into the computer store of the schema master.
B. Install and configure the Active Directory Certificate Services server role as a Standalone Root CA.
C. Purchase a certificate from a third-party certification authority. Install and configure the Active Directory Certificate Services server role as a Standalone Subordinate CA.
D. Install and configure the Active Directory Certificate Services server role as an Enterprise Root CA.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

Both of these features are only available with an Enterprise CA. Standalone CAs do not integrate with Active Directory and do not allow automatic handling of certificate requests.

Importing a 3rd party certificate into the schema master will only allow it to verify secure requests made to it, but will not allow it to function as a CA.

QUESTION 12

Your company has an Active Directory forest. You plan to install an Enterprise certification authority (CA) on a dedicated stand-alone server.

When you attempt to add the Active Directory Certificate Services (AD CS) server role, you find that the Enterprise CA option is not available.

You need to install the AD CS server role as an Enterprise CA.


What should you do first?

A. Add the DNS Server server role.
B. Join the server to the domain.
C. Add the Web Server (IIS) server role and the AD CS server role.
D. Add the Active Directory Lightweight Directory Services (AD LDS) server role.

Correct Answer: B
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

The question specifies it is a stand-alone server, meaning it is not part of the Active Directory domain. Enterprise CAs integrate with Active Directory, so the server must first be a member of the domain before it can serve as an Enterprise CA.

The other server roles can be used in conjunction with certificate services, but are not requirements for establishing certificate services.

QUESTION 13

You have a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed.

You need to minimize the amount of time it takes for client computers to download a certificate revocation list (CRL).

What should you do?

A. Install and configure an Online Responder.
B. Install and configure an additional domain controller.
C. Import the Root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the Issuing CA certificate into the Trusted Root Certification Authorities store on all client workstations.

Correct Answer: A
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

Online Responders are specifically designed to lighten the load of CRL transfers by only working with changes since the last CRL, rather than transferring the entire CRL.

Domain controllers do not handle certificate requests. Updating the list of Trusted Root CAs will only ensure certain servers are trusted to handle CRLs, but will not lighten the traffic load of CRL downloads.

QUESTION 14

You have a Windows Server 2008 R2 Enterprise Root CA. Security policy prevents port 443 and port 80 from being opened on domain controllers and on the issuing CA.

You need to allow users to request certificates from a Web interface. You install the Active Directory Certificate Services (AD CS) server role.

What should you do next?


A. Configure the Online Responder role service on a member server.
B. Configure the Online Responder role service on a domain controller.
C. Configure the Certificate Enrollment Web Service role service on a member server.
D. Configure the Certificate Enrollment Web Service role service on a domain controller.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

The Certificate Enrollment Web Service role provides a web interface (ports 443/80) for requesting certificates from a CA. The question indicates that company security policy does not allow ports 443/80 to be open on a domain controller, so the role service would need to be installed on a member server to satisfy this requirement.

The Online Responder role service helps reduce the traffic involved with CRL updates. It does not provide web access to certificate services.

QUESTION 15

Your company has a server that runs Windows Server 2008 R2. Active Directory Certificate Services (AD CS) is configured as a standalone Certification Authority (CA) on the server.

You need to audit changes to the CA configuration settings and the CA security settings.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Configure auditing in the Certification Authority snap-in.
B. Enable auditing of successful and failed attempts to change permissions on files in the %SYSTEM32%\CertSrv directory.
C. Enable auditing of successful and failed attempts to write to files in the %SYSTEM32%\CertLog directory.
D. Enable the Audit Object Access setting in the Local Security Policy for the Active Directory Certificate Services (AD CS) server.

Correct Answer: AD
Section: 70-648 Configuring Active Directory Certificate Services

Explanation

Explanation/Reference:

Explanation:

In order to audit changes to CA settings you must enable Audit Object Access on the CA itself. Like with other auditing procedures, however, this alone will not perform the audit; it only allows audits to take place on the server.

In order for auditing to start, you must configure auditing on the CA using the Certification Authority snap-in.

The CertLog and CertSrv directories contain the log and application files, respectively, associated with certificate services. Auditing access to these files will not allow you to be aware of specific configuration and security settings that are changed.
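The two chosen tasks carried out and verified from the command line, as an added example (my script, not part of the dump). It assumes an elevated PowerShell prompt on the CA server and uses the CA's AuditFilter registry value, which is what the Auditing tab of the Certification Authority snap-in writes; the flag names are my own labels for the documented bit values.

```powershell
# Added example (not part of the dump): enable and verify CA auditing as in Question 15.
# Assumptions: run elevated on the CA; the flag names below are my own labels for the
# documented AuditFilter bit values that the snap-in's Auditing tab sets.
$ErrorActionPreference = 'Stop'

$CaAuditFlags = @{
    StartStopService    = 1    # Start and stop Active Directory Certificate Services
    BackupRestoreDb     = 2    # Back up and restore the CA database
    IssueManageRequests = 4    # Issue and manage certificate requests
    RevokePublishCrl    = 8    # Revoke certificates and publish CRLs
    ChangeSecurity      = 16   # Change CA security settings
    ArchiveKeys         = 32   # Store and retrieve archived keys
    ChangeConfiguration = 64   # Change CA configuration
}

function Get-CaAuditFilter {
    # Compose the AuditFilter bitmask from flag names; unknown names are rejected
    # rather than silently producing a mask that audits less than intended.
    param([string[]]$Flags)
    $mask = 0
    foreach ($f in $Flags) {
        if (-not $CaAuditFlags.ContainsKey($f)) { throw "Unknown audit flag: $f" }
        $mask = $mask -bor $CaAuditFlags[$f]
    }
    return $mask
}

# Task D: allow object-access audit events for Certification Services to be generated at all.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed to set the Certification Services subcategory.' }

# Task A: select what the CA audits. The question asks for configuration and security
# changes only; 127 would audit everything (all boxes ticked in the snap-in).
$filter = Get-CaAuditFilter 'ChangeSecurity', 'ChangeConfiguration'   # 16 + 64 = 80
certutil -setreg CA\AuditFilter $filter
if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg CA\AuditFilter failed.' }

# The CA reads the filter when the service starts.
Restart-Service certsvc

# Verify both settings, then list any CA change events already in the Security log:
# 4882 security permissions changed, 4885 audit filter changed,
# 4890 certificate manager settings changed, 4892 a CA property changed.
certutil -getreg CA\AuditFilter
auditpol /get /subcategory:"Certification Services"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4882, 4885, 4890, 4892 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Changing the audit filter itself produces a 4885 event once auditing is on, so that is the first entry you should see after the restart.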

QUESTION 16

Your company has an Active Directory domain. You install an Enterprise Root certification authority (CA) on a member server named Server1.

You need to ensure that only the Security Manager is authorized to revoke certificates that are supplied by Server1.

What should you do?

A. Remove the Request Certificates permission from the Domain Users group.
B. Remove the Request Certificates permission from the Authenticated Users group.
C. Assign the Allow - Manage CA permission to only the Security Manager user account.
D. Assign the Allow - Issue and Manage Certificates permission to only the Security Manager user account.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The Allow - Issue and Manage Certificates permission is the only one that will allow a user to issue, approve or revoke certificates.

The Allow - Manage CA permission will grant the user the ability to configure CA settings, but not to handle certificate requests.

The Request Certificates permission is not required or used for revoking certificates.

QUESTION 17
You have a Windows Server 2008 R2 Enterprise Root certification authority (CA).

You need to grant members of the Account Operators group the ability to only manage Basic EFS certificates.

You grant the Account Operators group the Issue and Manage Certificates permission on the CA.

Which three tasks should you perform next? (Each correct answer presents part of the solution. Choose three.)

A. Enable the Restrict Enrollment Agents option on the CA.
B. Enable the Restrict Certificate Managers option on the CA.
C. Add the Basic EFS certificate template for the Account Operators group.
D. Grant the Account Operators group the Manage CA permission on the CA.
E. Remove all unnecessary certificate templates that are assigned to the Account Operators group.

Correct Answer: BCE
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

To manage a specific certificate template, a group or user first needs the Issue and Manage permission (already assigned). This will allow them to manage all certificates assigned to them, so we must do the following to prevent Account Operators from being able to manage other certificates:

1. Assign the Basic EFS template to the group so they are able to manage it
2. Remove all other templates assigned to Account Operators so they do not have access to other templates
3. Restrict Certificate Managers to the Account Operators group so other users/groups are not able to manage certificates

The question specifies that the Account Operators group must manage Basic EFS certificates. The ability to enroll in certificates is not required, so restricting the Enrollment Agents will not achieve the desired outcome.

The Manage CA permission will allow the Account Operators group to configure CA settings but will not allow them to manage certificates.

QUESTION 18
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2.

Server1 is configured as an enterprise root certification authority (CA). You install the Online Responder role service on Server2.

You need to configure Server1 to support the Online Responder.

What should you do?

A. Import the enterprise root CA certificate.
B. Configure the Certificate Revocation List Distribution Point extension.
C. Configure the Authority Information Access (AIA) extension.
D. Add the Server2 computer account to the CertPublishers group.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The AIA extension informs the Online Responder where it can find up-to-date certificates in the enterprise.

Importing the enterprise root CA certificate is needed when that CA needs to be added to a Trusted Root store (the list of trusted CAs). As an Enterprise CA, Server1 would already be in the enterprise Trusted Root store.

The CRL Distribution Point extension informs servers where the latest CRLs (revocation lists) can be located. Online Responders do not transfer the full CRL, only information about a particular certificate.

Members of the CertPublishers group are allowed to publish certificates. An Online Responder does not need to publish certificates.

QUESTION 19
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company runs an Enterprise Root certification authority (CA).

You need to ensure that only Administrators can sign code.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Publish the Code Signing template.
B. Edit the local computer policy of the Enterprise Root CA to allow users to trust peer certificates and allow only Administrators to apply the policy.
C. Edit the local computer policy of the Enterprise Root CA to allow only Administrators to manage Trusted Publishers.
D. Modify the security settings on the template to allow only Administrators to request code signing certificates.

Correct Answer: AD
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:


For someone to sign code, the Code Signing template must be published to the CA.

The question also specifies that only administrators should be assigned this template. This means we must update the template's Security tab to remove other groups from being able to receive the template.

Management of Trusted Publishers will allow the administrators to determine who can sign drivers, but will not provide them the certificate necessary to do so.

Allowing Administrators the ability to apply a policy that enables Trust Peer Certificates will allow them to trust self-issued certificates, but not to sign them.

QUESTION 20
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certification authority (CA) and an Enterprise Intermediate CA.

The Enterprise Intermediate CA certificate expires.

You need to deploy a new Enterprise Intermediate CA certificate to all computers in the domain.

What should you do?

A. Import the new certificate into the Intermediate Certification Store on the Enterprise Root CA server.
B. Import the new certificate into the Intermediate Certification Store on the Enterprise Intermediate CA server.
C. Import the new certificate into the Intermediate Certification Store in the Default Domain Controllers group policy object.
D. Import the new certificate into the Intermediate Certification Store in the Default Domain group policy object.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

All computers must receive the certificate. This is only possible through the Default Domain policy.

The Default Domain Controllers policy will only deploy the certificate to domain controllers. Importing the certificate to the Root CA or Intermediate CA will only deploy the certificate to that specific server, not to all computers in the enterprise.

QUESTION 21
Your company has an Active Directory domain. You plan to install the Active Directory Certificate Services (AD CS) server role on a member server that runs Windows Server 2008 R2.

You need to ensure that members of the Account Operators group are able to issue smartcard credentials. They should not be able to revoke certificates.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Install the AD CS server role and configure it as an Enterprise Root CA.
B. Install the AD CS server role and configure it as a Standalone CA.
C. Restrict enrollment agents for the Smartcard logon certificate to the Account Operator group.
D. Restrict certificate managers for the Smartcard logon certificate to the Account Operator group.
E. Create a Smartcard logon certificate.
F. Create an Enrollment Agent certificate.


Correct Answer: ACE
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The question specifies you have an AD domain, so you would want to configure AD CS services as an Enterprise Root CA rather than Standalone.

The use of smartcards in a domain requires the Smartcard logon certificate.

You must ensure Account Operators can issue smartcards, meaning they must be able to enroll in Smartcard certificates. This is done by editing the Enrollment Agents for the certificate template. Restricting managers will allow the Account Operators to manage the template itself, including the ability to revoke certificates.

QUESTION 22
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA).

You need to ensure that revoked certificate information is highly available.

What should you do?

A. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
B. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
C. Publish the Trusted Certificate Authorities list to the domain by using a Group Policy Object (GPO).
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.

Correct Answer: A
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

In order to ensure revoked certificate information is highly available, you should use Network Load Balancing.

None of the other options ensure high availability of revocation lists.

QUESTION 23
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline Root CA and an online Issuing CA. The Enterprise Certification Authority is running Windows Server 2008 R2.

You need to ensure users are able to enroll new certificates.

What should you do?

A. Renew the Certificate Revocation List (CRL) on the Root CA. Copy the CRL to the CertEnroll folder on the Issuing CA.
B. Renew the Certificate Revocation List (CRL) on the Issuing CA. Copy the CRL to the SystemCertificates folder in the users' profile.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.


Correct Answer: A
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The Root CA is offline, so it will not be aware of any new certificates that have been issued since it was taken offline. This means we must renew/update the CRL on the Root CA. In these scenarios, this is done by copying the CRL to C:\windows\system32\certsrv\certenroll on the Issuing CA.

The Issuing CA is online and should not need a new CRL, nor will copying the CRL to SystemCertificates achieve this.

The client workstations should not need updated Certification Authority lists as both servers would have been placed in the proper Certification Authority stores when they were configured.

Reference: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Microsoft-PKI-Quick-Guide-Part3.html

QUESTION 24
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA). You install the Online Responder role service on Server2.

You need to configure Server2 to issue certificate revocation lists (CRLs) for the Enterprise Root CA.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Import the Enterprise Root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.

Correct Answer: AB
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

Server2 is configured as an Online Responder, so it needs an OCSP Response Signing certificate to perform its duties (issuing modified CRLs on behalf of the Enterprise Root CA). Without the Enterprise Root CA server certificate, however, it will not be able to do this.

The CertPublishers group determines who can publish certificates. An Online Responder does not publish certificates.

The Certificate Propagation service on a machine is used to process smartcard logons for that machine.

QUESTION 25
You have an Enterprise Root certification authority (CA) that runs Windows Server 2008 R2.

You need to ensure that you can recover the private key of a certificate issued to a Web server.

What should you do?


A. From the CA, run the Get-PfxCertificate cmdlet.

B. From the Web server, run the Get-PfxCertificate cmdlet.

C. From the CA, run the certutil.exe tool and specify the -exportpfx parameter.

D. From the Web server, run the certutil.exe tool and specify the -exportpfx parameter.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

certutil.exe -exportpfx will allow you to export certificates or keys from a certificate store. We need to recover a certificate issued to the web server, so we must run this command from the web server itself. Later, we would likely import the certificate to the CA.

The Get-PfxCertificate cmdlet gets information about .pfx certificates from a computer, but does not allow recovery or management of them.

QUESTION 26
You install a Standalone Root certification authority (CA) on a server named Server1.

You need to ensure that every computer in the forest has a copy of the root CA certificate installed in the local computer's Trusted Root Certification Authorities store.

Which command should you run on Server1?

A. certreq.exe and specify the -accept parameter

B. certreq.exe and specify the -retrieve parameter

C. certutil.exe and specify the -dspublish parameter

D. certutil.exe and specify the -importcert parameter

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

certutil.exe -dspublish is used to publish a CRL to Active Directory. This is the only option that publishes a certificate, and specifically will do so for the entire AD domain. This satisfies the requirement that every computer in the forest receives information about the certificate.

certutil.exe -importcert is used to import a certificate or private key.

certreq.exe -accept is used to accept a response to a request from a CA.

certreq.exe -retrieve is used to retrieve a response to a request from a CA.

QUESTION 27
Your network contains an Active Directory forest. The forest contains two domains. You have a standalone root certification authority (CA).

On a server in the child domain, you run the Add Roles Wizard and discover that the option to select an Enterprise CA is disabled.

You need to install an Enterprise Subordinate CA on the server.


What should you use to log on to the new server?

A. an account that is a member of the Certificate Publishers group in the child domain
B. an account that is a member of the Certificate Publishers group in the forest root domain
C. an account that is a member of the Schema Admins group in the forest root domain
D. an account that is a member of the Enterprise Admins group in the forest root domain

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

One requirement of configuring Enterprise certificate services is that the user must be a member of Enterprise Admins in the domain.

Schema Admins are allowed to modify the AD schema but not to install Certificate Services.

Certificate Publishers controls who is allowed to publish certificates, but the question does not specify that there has been a problem with publishing certificates. A certificate authority has not even been set up yet.

QUESTION 28
You have an enterprise subordinate certification authority (CA). You have a group named Group1.

You need to allow members of Group1 to publish new certificate revocation lists. Members of Group1 must not be allowed to revoke certificates.

What should you do?

A. Add Group1 to the local Administrators group.
B. Add Group1 to the Certificate Publishers group.
C. Assign the Manage CA permission to Group1.
D. Assign the Issue and Manage Certificates permission to Group1.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The Manage CA permission allows a user to publish CRLs but does not allow a user to revoke certificates.

The Issue and Manage Certificates permission would grant the group the ability to revoke certificates.

The Certificate Publishers group allows members to publish certificates, not CRLs.

The local Administrators group allows full control of the CA itself, and would include the ability to revoke certificates.

QUESTION 29
You have an enterprise subordinate certification authority (CA) configured for key archival. Three key recovery agent certificates are issued. The CA is configured to use two recovery agents.

You need to ensure that all of the recovery agent certificates can be used to recover all new private keys.

What should you do?

A. Add a Data Recovery Agent to the Default Domain Policy.
B. Modify the value in the Number of recovery agents to use box.
C. Revoke the current key recovery agent certificates and issue three new key recovery agent certificates.
D. Assign the Issue and Manage Certificates permission to users who have the key recovery agent certificates.

Correct Answer: B
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The simple problem is that we issued more recovery agent certificates (3) than we configured the server to use (2). These numbers must match, and we cannot do anything about certificates that have been issued other than revoke them. However, we are told all of the certificates must be used. This only leaves us with the option of increasing the number of recovery agents the server is configured for.

We would not revoke the existing certificates only to issue 3 more. The problem is that we need the server to support the same number of agents as there are certificates. If this option had stated to issue 2 new certificates, it would be an alternative solution.

Issue and Manage Certificates permissions for the current recovery agents will allow them all sorts of extra access to modify certificates, but will not fix the issue at hand.

Data Recovery Agents are used to recover data from BitLocker encrypted drives.

QUESTION 30
You have an enterprise subordinate certification authority (CA). The CA is configured to use a hardware security module.

You need to back up Active Directory Certificate Services on the CA.

Which command should you run?

A. certutil.exe -backup

B. certutil.exe -backupDB

C. certutil.exe -backupKey

D. certutil.exe -store

Correct Answer: B
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

certutil -backupDB backs up the AD CS database, including the private key. This is important because the CA is using a hardware module, which relies on the private key.

References:
http://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx
http://poweradmin.se/blog/2010/01/11/backup-and-restore-for-active-directory-certificate-services/

certutil -backup only backs up the AD CS configuration.

certutil -backupKey backs up only the AD CS key and private key. We need to back up the certificate database as well.

certutil -store dumps the entire certificate store but does not back up the private key.

QUESTION 31
You have an enterprise subordinate certification authority (CA).

You have a custom Version 3 certificate template.

Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment.

You need to ensure that the certificate template is available on the Web enrollment pages.

What should you do?

A. Run certutil.exe -pulse.
B. Run certutil.exe installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

Our problem is that we can't use version 3 templates with Web enrollment - only version 1 and 2 are supported.

Certificate Web enrollment cannot be used with version 3 certificate templates.
Reference: http://technet.microsoft.com/en-us/library/cc732517.aspx

Version 3 templates cannot be requested via web enrollment using the "out of box" certificate web enrollment pages.
Reference: http://blogs.technet.com/b/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx

certutil.exe -pulse is used to check on the status ("pulse") of autoenrollment events.

certutil.exe -installcert is used to install a CA certificate.

Reference: http://technet.microsoft.com/library/cc732443.aspx

QUESTION 32
You have an enterprise subordinate certification authority (CA). You have a custom certificate template that has a key length of 1,024 bits. The template is enabled for autoenrollment.


You increase the template key length to 2,048 bits.

You need to ensure that all current certificate holders automatically enroll for a certificate that uses the new template.

Which console should you use?

A. Active Directory Administrative Center
B. Certification Authority
C. Certificate Templates
D. Group Policy Management

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

Enrollment in a certificate is configured from the properties of the certificate template itself. This means we need to use the Certificate Templates snap-in.

The Certification Authority snap-in is used for managing properties of the CA, not certificates.

Group Policy is used to configure autoenrollment settings for the domain, but will not perform the initial enrollment.

Active Directory Administrative Center is a GUI for AD that will let you work with user account properties, but this is not where certificates are assigned/enrolled.

QUESTION 33
Your network contains an Active Directory forest. All domain controllers run Windows Server 2008 Standard.

The functional level of the domain is Windows Server 2003. You have a certification authority (CA).

The relevant servers in the domain are configured as shown in the following table:

You need to ensure that you can install the Active Directory Certificate Services (AD CS) Certificate Enrollment Web Service on the network.

What should you do?

A. Upgrade Server1 to Windows Server 2008 R2.
B. Upgrade Server2 to Windows Server 2008 R2.
C. Raise the functional level of the domain to Windows Server 2008.
D. Install the Windows Server 2008 R2 Active Directory Schema updates.


Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:
Explanation:

Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:

A host computer as a domain member running Windows Server 2008 R2. (MY NOTE: We meet this criterion with Server3)
An Active Directory forest with a Windows Server 2008 R2 schema.
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. (MY NOTE: We meet this criterion with both Server1 and Server2)

Reference: http://technet.microsoft.com/en-us/library/dd759243.aspx

QUESTION 34
You have Active Directory Certificate Services (AD CS) deployed. You create a custom certificate template.

You need to ensure that all of the users in the domain automatically enroll for a certificate based on the custom certificate template.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. In a Group Policy object (GPO), configure the Autoenrollment settings.
B. In a Group Policy object (GPO), configure the Automatic Certificate Request Settings.
C. On the certificate template, assign the Read and Autoenroll permission to the Authenticated Users group.
D. On the certificate template, assign the Read, Enroll, and Autoenroll permission to the Domain Users group.

Correct Answer: AD
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

To automatically enroll client computers for certificates in a domain environment, you must:

To configure an autoenrollment policy for the domain.
(...)
6. In Configuration Model, select Enabled to enable autoenrollment.

To configure certificate templates for autoenrollment.
(...)
6. In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.

MY NOTE: It says Authenticated Users here, and the answer says Domain Users. However, it is also clear that the Enroll permission is needed in addition to Read and Autoenroll. My only thoughts here is that Authenticated Users is a sort of subset of Domain Users - literally representing only users who have an active ticket/token.

Reference: http://technet.microsoft.com/en-us/library/dd379539.aspx

QUESTION 35
Your company has a server that runs an instance of Active Directory Lightweight Directory Services (AD LDS).


You need to create new organizational units in the AD LDS application directory partition.

What should you do?

A. Use the Active Directory Users and Computers snap-in to create the organizational units on the AD LDS application directory partition.
B. Use the ADSI Edit snap-in to create the organizational units on the AD LDS application directory partition.
C. Use the dsadd OU <OrganizationalUnitDN> command to create the organizational units.
D. Use the dsmod OU <OrganizationalUnitDN> command to create the organizational units.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:
Explanation:

To create new OUs in the AD LDS application directory partition, you should use the ADSI Edit snap-in. This is the main snap-in used for most AD LDS management.

ADSI Edit is a snap-in that runs in a Microsoft Management Console (MMC). The default console containing ADSI Edit is AdsiEdit.msc. If this snap-in is not added in your MMC, you can add it through the Add/Remove Snap-in menu option in the MMC, or you can open AdsiEdit.msc from Windows Explorer.

QUESTION 36
Your company has a server that runs Windows Server 2008 R2. The server runs an instance of Active Directory Lightweight Directory Services (AD LDS).

You need to replicate the AD LDS instance on a test computer that is located on the network.

What should you do?

A. Run the repadmin /kcc <servername> command on the test computer.

B. Create a naming context by running the dsmgmt command on the test computer.

C. Create a new directory partition by running the dsmgmt command on the test computer.

D. Create and install a replica by running the AD LDS Setup wizard on the test computer.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:
Explanation:

Only the AD LDS Setup wizard has built-in features to save a configuration and reuse it when installing AD LDS on other computers.
Reference: http://technet.microsoft.com/en-us/library/cc771458%28v=ws.10%29.aspx

dsmgmt allows you to manage AD LDS directory partitions but does not replicate them. Creating a new partition on the test computer will not copy the data from the original machine.

repadmin /kcc forces the KCC to recalculate replication on a domain controller. This is not the type of replication that is needed.

QUESTION 37
Your company has an Active Directory Rights Management Services (AD RMS) server. Users have Windows Vista computers. An Active Directory domain is configured at the Windows Server 2003 functional level.


You need to configure AD RMS so that users are able to protect their documents.

What should you do?

A. Install the AD RMS client 2.0 on each client computer.
B. Add the RMS service account to the local administrators group on the AD RMS server.
C. Establish an e-mail account in Active Directory Domain Services (AD DS) for each RMS user.
D. Upgrade the Active Directory domain to the functional level of Windows Server 2008.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:
Explanation:

For each user account and group that you configure with AD RMS, you need to add an e-mail address and then assign the users to groups.
Reference: http://technet.microsoft.com/en-us/library/cc753531%28v=ws.10%29.aspx

QUESTION 38
Your company has an Active Directory forest that runs at the functional level of Windows Server 2008. You implement Active Directory Rights Management Services (AD RMS). You install Microsoft SQL Server 2005.

When you attempt to open the AD RMS administration Web site, you receive the following error message:"SQL Server does not exist or access denied."

You need to open the AD RMS administration Web site.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Restart IIS.
B. Install Message Queuing.
C. Start the MSSQLSVC service.
D. Manually delete the Service Connection Point in Active Directory Domain Services (AD DS) and restart AD RMS.

Correct Answer: AC
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:
Explanation:

The website is not detecting or is not able to connect to SQL Server, which the scenario states was installed.This likely means the service for the SQL instance is not running and it must be started. Doing this will alsorequire a restart of IIS so that the website detects the new status of the service.

AD RMS uses Message Queuing to log events, so that AD RMS can be audited. This will not fix the problem, itmight only allow us to determine more information about what is causing it.

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object inActive Directory that holds the web address of the AD RMS certification cluster. Deleting this would break ADRMS access.Reference: http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx


QUESTION 39
Your company has a main office and 40 branch offices. Each branch office is configured as a separate Active Directory site that has a dedicated read-only domain controller (RODC).

An RODC server is stolen from one of the branch offices.

You need to identify the user accounts that were cached on the stolen RODC server.

Which utility should you use?

A. dsmod.exe

B. ntdsutil.exe

C. Active Directory Sites and Services
D. Active Directory Users and Computers

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To view current credentials that are cached on an RODC
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click Domain Controllers.
3. In the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. Click Advanced.
6. In the drop-down list, click Accounts whose passwords are stored on this Read-only Domain Controller, as shown in the following illustration.


Reference: http://technet.microsoft.com/en-us/library/cc753470%28v=ws.10%29.aspx#bkmk_View_CredsOnRODC

QUESTION 40
You need to deploy a read-only domain controller (RODC) that runs Windows Server 2008 R2.

What is the minimal forest functional level that you should use?

A. Windows Server 2008 R2
B. Windows Server 2008
C. Windows Server 2003
D. Windows 2000

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher.

Reference: http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx

QUESTION 41
Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) server role installed.

You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain.

What should you do?

A. Add and configure a new account store.
B. Add and configure a new account partner.
C. Add and configure a new resource partner.
D. Add and configure a Claims-aware application.

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To configure the AD FS trust policy to populate AD FS tokens with employee information from the Active Directory domain, you need to add and configure a new account store.

AD FS allows the secure sharing of identity information between trusted business partners across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. Because claims originate from an account store, you need to configure an account store in order to configure the AD FS trust policy.


Reference: http://msdn2.microsoft.com/en-us/library/bb897402.aspx

QUESTION 42
Your network contains two standalone servers named Server1 and Server2 that have Active Directory Lightweight Directory Services (AD LDS) installed.

Server1 has an AD LDS instance.

You need to ensure that you can replicate the instance from Server1 to Server2.

What should you do on both servers?

A. Obtain a server certificate.
B. Import the MS-User.ldf file.
C. Create a service user account for AD LDS.
D. Register the service location (SRV) resource records.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

AD LDS has service account requirements for replication to succeed.
Reference: http://technet.microsoft.com/en-us/library/cc771946%28v=ws.10%29.aspx

For AD LDS instances that are joined to a configuration set, the service account is also used to authenticate against other AD LDS instances in the configuration set for replication.
Reference: http://technet.microsoft.com/en-us/library/cc794945%28WS.10%29.aspx

QUESTION 43
Your network contains a server named Server1 that runs Windows Server 2008 R2. You create an Active Directory Lightweight Directory Services (AD LDS) instance on Server1.

You need to create an additional AD LDS application directory partition in the existing instance.

Which tool should you use?

A. adaminstall

B. dsadd

C. dsmod

D. ldp

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

ldp is used to bind to an AD server and run LDAP operations. This would allow you to add a new directory partition.

dsadd and dsmod are used to add/modify AD objects but do not provide options for creating directory partitions.

adaminstall is used for automating installation of ADAM / AD LDS.


QUESTION 44
Your network contains a server named Server1 that runs Windows Server 2008 R2. On Server1, you create an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.

You connect to Instance1 by using ADSI Edit. You run the Create Object wizard and you discover that there is no User object class.

You need to ensure that you can create user objects in Instance1.

What should you do?

A. Run the AD LDS Setup Wizard.
B. Modify the schema of Instance1.
C. Modify the properties of the Instance1 service.
D. Install the Remote Server Administration Tools (RSAT).

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

The schema is where object classes and attributes for a domain service are configured.

The AD LDS setup wizard would help us set up a new instance, but cannot necessarily repair our instance, which is missing a critical object class.

The Instance1 service would not have any properties to help add the User object to the schema. At best, it would allow us to run the service with different credentials.

RSAT is used to remotely administer a server from a Windows Vista/7 workstation. This would not give us any extra functionality than we already have, and we can assume this has already been installed since we are using ADSI Edit to connect to Instance1.

QUESTION 45
Your network contains an Active Directory domain. The domain contains a server named Server1. Server1 runs Windows Server 2008 R2.

You need to mount an Active Directory Lightweight Directory Services (AD LDS) snapshot from Server1.

What should you do?

A. Run ldp.exe and use the Bind option.

B. Run diskpart.exe and use the Attach option.

C. Run dsdbutil.exe and use the snapshot option.

D. Run imagex.exe and specify the /mount parameter.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

dsdbutil snapshot


Manages snapshots of the volumes that contain the Active Directory database and log files, which you can view on a domain controller without starting in Directory Services Restore Mode (DSRM).

Reference: http://technet.microsoft.com/en-us/library/cc731620%28v=ws.10%29.aspx

diskpart is for managing disk partitions.
Reference: http://technet.microsoft.com/en-us/library/bb490893.aspx

ldp.exe is for running LDAP operations or queries against a directory database. Bind is the option used to specify which database you are attaching to for your operations.

imagex is for mounting VHDs used in a deployment system.
Reference: http://technet.microsoft.com/en-us/library/cc722145%28v=ws.10%29.aspx

QUESTION 46
Your network contains an Active Directory domain named contoso.com. The network contains client computers that run either Windows Vista or Windows 7. Active Directory Rights Management Services (AD RMS) is deployed on the network.

You create a new AD RMS template that is distributed by using the AD RMS pipeline. The template is updated every month.

You need to ensure that all the computers can use the most up-to-date version of the AD RMS template. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Upgrade all of the Windows Vista computers to Windows 7.
B. Upgrade all of the Windows Vista computers to Windows Vista Service Pack 2 (SP2).
C. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all users by using a Software Installation extension of Group Policy.
D. Assign the Microsoft Windows Rights Management Services (RMS) Client Service Pack 2 (SP2) to all computers by using a Software Installation extension of Group Policy.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

Windows 7 clients should automatically get the latest templates, but Windows Vista requires at least SP1 level and we are not told that any clients are at SP1 or SP2 level. So we must upgrade them.

In Windows Vista® with Service Pack 1 (SP1), Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2, rights policy templates are automatically managed by the AD RMS client.
Reference: http://technet.microsoft.com/en-us/library/dd996658%28v=ws.10%29.aspx

QUESTION 47
Active Directory Rights Management Services (AD RMS) is deployed on your network.

Users who have Windows Mobile 6 devices report that they cannot access documents that are protected by AD RMS.

You need to ensure that all users can access AD RMS protected content by using Windows Mobile 6 devices.

What should you do?


A. Modify the security of the ServerCertification.asmx file.

B. Modify the security of the MobileDeviceCertification.asmx file.

C. Enable anonymous authentication for the _wmcs virtual directory.
D. Enable anonymous authentication for the certification virtual directory.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

AD RMS can provide rights account certificates (RACs) and use licenses to AD RMS-enabled applications that are running Windows Mobile 6. (...) AD RMS-enabled mobile applications can connect to the AD RMS mobile certification server by using the MobileDeviceCertification.asmx file.
Reference: http://technet.microsoft.com/en-us/library/cc731519.aspx

QUESTION 48
Your network contains an Active Directory Rights Management Services (AD RMS) cluster.

You have several custom policy templates. The custom policy templates are updated frequently.

Some users report that it takes as many as 30 days to receive the updated policy templates.

You need to ensure that users receive the updated custom policy templates within seven days.

What should you do?

A. Modify the registry on the AD RMS servers.
B. Modify the registry on the users' computers.
C. Change the schedule of the AD RMS Rights Policy Template Management (Manual) scheduled task.
D. Change the schedule of the AD RMS Rights Policy Template Management (Automated) scheduled task.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

The automated scheduled task will not query the AD RMS template distribution pipeline each time that this scheduled task runs. Instead, it checks the updateFrequency DWORD value registry entry. This registry entry specifies the time interval (in days) after which the client should update its rights policy templates. By default the registry key is not present on the client computer. In this scenario, the client checks for new, deleted, or modified rights policy templates every 30 days. To configure an interval other than 30 days, create a registry entry at the following location: HKEY_CURRENT_USER\Software\Policies\Microsoft\MSDRM\TemplateManagement. In this registry key, you can also configure the updateIfLastUpdatedBeforeTime value, which forces the client computer to update its rights policy templates.

Reference: http://technet.microsoft.com/en-us/library/cc771971.aspx

QUESTION 49
Your company has a main office and a branch office. The branch office contains a read-only domain controller named RODC1.


You need to ensure that a user named Admin1 can install updates on RODC1. The solution must prevent Admin1 from logging on to other domain controllers.

What should you do?

A. Run ntdsutil.exe and use the Roles option.

B. Run dsmgmt.exe and use the Local Roles option.

C. From Active Directory Sites and Services, modify the NTDS Site Settings.
D. From Active Directory Users and Computers, add the user to the Server Operators group.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To configure Administrator Role Separation for an RODC
1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
(...)

Reference: http://technet.microsoft.com/en-us/library/cc732301.aspx

ntdsutil roles is used for transferring operations master roles.
Reference: http://technet.microsoft.com/en-us/library/cc753343%28v=ws.10%29.aspx

QUESTION 50
You install a read-only domain controller (RODC) named RODC1.

You need to ensure that a user named User1 can administer RODC1. The solution must minimize the number of permissions assigned to User1.

Which tool should you use?

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. dsadd
D. dsmgmt

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

There are a couple of ways to achieve this and two of them are mentioned in the listed answers, Active Directory Users and Computers and Dsmgmt. The article below explains the different ways to implement Administrator Role Separation on an RODC, and why the use of Active Directory Users and Computers is recommended over Dsmgmt.

Delegating local administration of an RODC


Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.

Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it. To specify the delegated RODC administrator after installation, you can use either of the following options:

Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC.

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. (...) Using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.


Reference: http://technet.microsoft.com/en-us/library/cc755310.aspx

QUESTION 51
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains four domain controllers. Site2 contains a read-only domain controller (RODC).

You add a user named User1 to the Allowed RODC Password Replication Group. The WAN link between Site1 and Site2 fails.

User1 restarts his computer and reports that he is unable to log on to the domain. The WAN link is restored and User1 reports that he is able to log on to the domain.

You need to prevent the problem from reoccurring if the WAN link fails.

What should you do?

A. Create a Password Settings object (PSO) and link the PSO to User1's user account.
B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.
C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.
D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

When a network connection to a writeable domain controller is not available, a user is able to log on through an RODC only if the passwords of both the user account and the computer account (of the workstation that the user is accessing) are cached on the RODC. (MY NOTE: This means BOTH accounts must be in the Allowed RODC Password Replication group, and we are not given the option of adding User1's user account to the group)
(...)
Prepopulating the password cache helps ensure that a user can log on to the network using the RODC, even when a link to a writeable domain controller is not available. For example, suppose that a user who used to work in a data center transfers to a branch office with his computer. The RODC contacts the writable domain controller in the data center. If the PRP allows it, the RODC caches the password. However, if the wide area network (WAN) link is offline when the user attempts to log on, the logon attempt fails because the RODC has not cached the password for the account.

To avoid this problem, you can prepopulate the password cache of the RODC in the branch office with the password of the user and his computer. This makes it unnecessary for the RODC to replicate the password from the writeable Windows Server 2008 domain controller over the WAN link.

Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx

QUESTION 52
Your company has a main office and a branch office. The network contains an Active Directory domain. The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named DC2.

You discover that the password of an administrator named Admin1 is cached on DC2.

You need to prevent Admin1's password from being cached on DC2.

What should you do?


A. Modify the NTDS Site Settings.
B. Modify the properties of the domain.
C. Create a Password Setting object (PSO).
D. Modify the properties of DC2's computer account.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To prevent a user from being cached on an RODC, they need to be added to the Denied RODC Password Replication group. These memberships are configured from the properties of the RODC's account in ADUC.

To allow individual RODCs to cache user and computer credentials in specific locations, configure the Allowed and Denied Lists on the Password Replication Policy tab for the properties of each individual RODC account in the Domain Controllers OU.
Reference: https://sites.google.com/a/pccare.vn/it/ent-admin-pages/password-replication-policy-facts

QUESTION 53
Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2.

A user named User1 logs on to a computer in the branch office site. You discover that the password of User1 is not stored on RODC1.

You need to ensure that User1's password is stored on RODC1.

What should you modify?

A. the Member Of properties of RODC1
B. the Member Of properties of User1
C. the Security properties of RODC1
D. the Security properties of User1

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

For a user's password to be cached on an RODC, they need to be a member of the Allowed RODC Password Replication group. Therefore, we need to modify the group membership of User1, not RODC. This can also be done from the properties of RODC in ADUC, but not on the "Member Of" tab (it would be done on the Password Replication Policy tab).

The Security properties would allow us to configure what permissions objects have over User1's account, but this will not help ensure his password is cached.

QUESTION 54
Your company has a main office and a branch office. The branch office has an Active Directory site that contains a read-only domain controller (RODC).

A user from the branch office reports that his account is locked out. From a writable domain controller in the main office, you discover that the user's account is not locked out.


You need to ensure that the user can log on to the domain.

What should you do?

A. Modify the Password Replication Policy.
B. Reset the password of the user account.
C. Run the Knowledge Consistency Checker (KCC) on the RODC.
D. Restore network communication between the branch office and the main office.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

We confirmed the account is not locked out, but the user believes it is. This means he is likely receiving a message indicating that a domain controller could not be contacted. How? Since the branch office has an RODC, it would let him log in if his password was cached. But this is not happening, so his account must not be cached, and he is getting directed to a writeable DC. But if he's getting a message that it can't be contacted, then the network link between the 2 offices must be down.

The KCC configures replication between DCs and is a fairly automated process (we would not normally run it manually). Anyhow, there is no sign that replication is not working, as the user did not recently change his account. We are only aware that the user's account is reporting a wrong status.

Password Replication Policy allows us to configure who can cache passwords on an RODC, but we're not given any indication that he has not been able to use the RODC previously.

Resetting the password would not help, as he did not receive a message indicating that his password had expired.

QUESTION 55
You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1.

You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS.

Which protocol should you allow on Server1?

A. SMB
B. RPC
C. SSL
D. Kerberos

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

AD FS uses a website to allow external users to authenticate. Because of the secure nature of user credentials and internet traffic, as well as the requirement for certificates for AD FS, this is an SSL-based website.

NOTE: This question can also show up and ask for port #'s rather than protocols.


QUESTION 56
Your network contains a single Active Directory domain. The domain contains five read-only domain controllers (RODCs) and five writable domain controllers. All servers run Windows Server 2008.

You plan to install a new RODC that runs Windows Server 2008 R2. You need to ensure that you can add the new RODC to the domain. You want to achieve this goal by using the minimum amount of administrative effort.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. At the command prompt, run adprep.exe /rodcprep.
B. At the command prompt, run adprep.exe /forestprep.
C. At the command prompt, run adprep.exe /domainprep.
D. From Active Directory Domains and Trusts, raise the functional level of the domain.
E. From Active Directory Users and Computers, pre-stage the RODC computer account.

Correct Answer: BC
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

We are adding our first R2 domain controller to the domain, so we need to prep the domain and forest for the R2 schema extensions.

We would not raise the functional level of the domain. RODCs are supported in as low as a Server 2003 functional level, and all servers are on 2008 so our functional level is at least at 2003 or higher already.

The scenario mentions that we already have a mix of RODCs and writable DCs, so we do not need to run adprep /rodcprep.

Pre-staging the account would only help with joining the server to the domain first, but this should already be done before the machine is promoted to a domain controller.

QUESTION 57
You deploy a new Active Directory Federation Services (AD FS) federation server. You request new certificates for the AD FS federation server.

You need to ensure that the AD FS federation server can use the new certificates.

To which certificate store should you import the certificates?

A. Computer
B. IIS Admin Service service account
C. Local Administrator
D. World Wide Web Publishing Service service account

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To import the server authentication certificate for adfsresource to adfsweb
4. Click Start, click Run, type mmc, and then click OK.
5. Click File, and then click Add/Remove Snap-in.


6. Select Certificates, click Add, click Computer account, and then click Next.
7. Click Local computer: (the computer this console is running on), click Finish, and then click OK.

Reference: http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_5

QUESTION 58
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the Active Directory Federation Services (AD FS) role installed.

You have an application named App1 that is configured to use Server1 for AD FS authentication.

You deploy a new server named Server2. Server2 is configured as an AD FS 2.0 server.

You need to ensure that App1 can use Server2 for authentication.

What should you do on Server2?

A. Add an attribute store.
B. Create a relying party trust.
C. Create a claims provider trust.
D. Create a relaying provider trust.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

In order for App1 (on Server1) to authenticate against Server2, we need to make sure the right kind of trust is in place.

A relying party trust allows an application to use a 2nd authentication server in the same domain (a relying party is where claims are sent after authentication has been done).
A claims provider sends claims to a Federated Server, which are then passed on to relying party trusts.

In this case, Server1 (which hosts App1) needs to be a relying party to Server2, so that Server2 can forward claims to it before the App is used.

Attribute stores are used by applications to query for claim information.

QUESTION 59
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. The Active Directory Federation Services (AD FS) role is installed on Server1. Contoso.com is defined as an account store.

A partner company has a Web-based application that uses AD FS authentication. The partner company plans to provide users from contoso.com access to the Web application.

You need to configure AD FS on contoso.com to allow contoso.com users to be authenticated by the partner company.

What should you create on Server1?

A. a new application
B. a resource partner
C. an account partner
D. an organization claim


Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

When you use Active Directory Domain Services (AD DS) as the Active Directory Federation Services (AD FS) account store for an account Federation Service, you map an organization group claim to a security group in AD DS. This mapping is called a group claim extraction.
Reference: http://technet.microsoft.com/en-us/library/cc731719.aspx

Creating a resource partner or an account partner is done when the federation trust with the partner organization is set up, not as the step that exposes contoso.com users to it.

We are not told that we need to create an application; the partner company already hosts the application that contoso.com users need to reach.

QUESTION 60Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1has the Active Directory Federation Services (AD FS) Federation Service role service installed.

You plan to deploy AD FS 2.0 on Server2.

You need to export the token-signing certificate from Server1, and then import the certificate to Server2.

Which format should you use to export the certificate?

A. Base-64 encoded X.509 (.cer)
B. Cryptographic Message Syntax Standard PKCS #7 (.p7b)
C. DER encoded binary X.509 (.cer)
D. Personal Information Exchange PKCS #12 (.pfx)

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

If you are implementing a server farm of federation servers that share a single, exportable private key certificate that is issued by an enterprise certification authority (CA), the private key portion of the existing token-signing certificate must be exported to make it available for importing into the certificate store on the new server.
(...)
To export the private key of a token-signing certificate
1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
2. Right-click Federation Service, and then click Properties.
3. On the General tab, click View.
4. In the Certificate dialog box, click the Details tab.
5. On the Details tab, click Copy to File.
6. On the Welcome to the Certificate Export Wizard page, click Next.
7. On the Export Private Key page, select Yes, export the private key, and then click Next.
8. On the Export File Format page, select Personal Information Exchange = PKCS #12 (.PFX), and then click Next.
(...)
Reference: http://technet.microsoft.com/en-us/library/cc784075.aspx

Only PKCS #12 carries the private key. The .cer and .p7b formats export the public certificate only, which is what you hand to a partner that has to verify your signatures: during the initial AD FS setup the token-signing certificate is exported as a DER .cer for exactly that purpose, but that is not what this scenario needs. Treat the exported .pfx as a credential: whoever holds the token-signing key can issue tokens that every relying party accepts, so protect it with a strong password, copy it over a trusted channel, and delete it as soon as it has been imported on Server2.
Reference: http://technet.microsoft.com/en-us/library/dd378922%28v=ws.10%29.aspx#BKMK_4
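The same export and import done from the command line, as an added example that is not part of the exam dump or of any Microsoft procedure. It assumes the thumbprint is read off the Federation Service properties on Server1 (placeholder below), the .pfx path is a placeholder in an admin-only local folder, certutil is available (it ships with Windows), the key was installed as exportable, and the AD FS 2.0 PowerShell snap-in is present on Server2.

```powershell
# Added example, not part of the exam dump: move the token-signing key from Server1 (AD FS 1.x)
# to Server2 (AD FS 2.0). Thumbprint, path and password below are placeholders.

function Export-TokenSigningKey {
    param([Parameter(Mandatory=$true)][string]$Thumbprint,
          [Parameter(Mandatory=$true)][string]$PfxPath,
          [Parameter(Mandatory=$true)][string]$PfxPassword)
    # Run on Server1. Exports certificate + private key from the machine store (My) as PKCS #12.
    & certutil.exe -p $PfxPassword -exportPFX My $Thumbprint $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE); is the key marked exportable?" }
}

function Import-TokenSigningKey {
    param([Parameter(Mandatory=$true)][string]$Thumbprint,
          [Parameter(Mandatory=$true)][string]$PfxPath,
          [Parameter(Mandatory=$true)][string]$PfxPassword)
    # Run on Server2 after copying the .pfx over a trusted channel (not mail, not a shared folder).
    & certutil.exe -p $PfxPassword -importPFX My $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed ($LASTEXITCODE)" }

    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    # AD FS 2.0 generates and rotates its own self-signed signing certificates; it only accepts a
    # certificate you supply once automatic rollover is switched off.
    Set-ADFSProperties -AutoCertificateRollover $false
    Add-ADFSCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint
    Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $Thumbprint -IsPrimary

    # The file is now a liability: whoever holds this key can mint tokens every relying party trusts.
    Remove-Item $PfxPath -Force
    Get-ADFSCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
}

$thumb   = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: from Server1's Federation Service properties
$pfx     = 'C:\Secure\tokensign.pfx'                     # placeholder
$pfxPass = 'use-a-long-random-passphrase'                # placeholder; prompt for it in real use

# On Server1:
Export-TokenSigningKey -Thumbprint $thumb -PfxPath $pfx -PfxPassword $pfxPass
# On Server2 (the thumbprint does not change when the certificate moves):
Import-TokenSigningKey -Thumbprint $thumb -PfxPath $pfx -PfxPassword $pfxPass
```

After the import, the AD FS 2.0 service account still needs Read access to the private key (Certificates MMC, Manage Private Keys) before the service can sign with it; the two functions are meant to be run on their respective servers, not as one script.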


QUESTION 61Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2.

Server1 has Active Directory Federation Services (AD FS) 2.0 installed. Server1 is a member of an AD FSfarm.

The AD FS farm is configured to use a configuration database that is stored on a separate Microsoft SQLServer.

You install AD FS 2.0 on Server2. You need to add Server2 to the existing AD FS farm.

What should you do?

A. On Server1, run fsconfig.exe.

B. On Server1, run fsconfigwizard.exe.

C. On Server2, run fsconfig.exe.

D. On Server2, run fsconfigwizard.exe.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

fsconfig.exe and fsconfigwizard.exe are the two configuration front ends that ship with AD FS 2.0: fsconfigwizard.exe is the graphical Federation Server Configuration Wizard and fsconfig.exe is its command-line equivalent. Either one is run on the server being configured, so options A and B (running them on Server1) are wrong.

The wizard can only create or join a farm that keeps its configuration in the Windows Internal Database. A farm whose configuration database is on SQL Server, as here, must be joined with fsconfig.exe, so on Server2 we run the SQL form of the join:

fsconfig.exe JoinSQLFarm /SQLConnectionString "<connection string of the existing farm's configuration database>" /ServiceAccount <domain\adfs service account> /ServiceAccountPassword <password>

(JoinFarm with /PrimaryComputerName is the equivalent for a WID-based farm.) The service account must be the one the existing farm already runs under.

Reference: http://technet.microsoft.com/en-us/library/adfs2-help-how-to-configure-a-new-federation-server%28v=ws.10%29.aspx

QUESTION 62Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008 R2.

You need to enable the Active Directory Recycle Bin.

What should you use?

A. the dsmod tool

B. the Enable-ADOptionalFeature cmdlet

C. the ntdsutil tool

D. the Set-ADDomainMode cmdlet

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:


After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:
Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe

Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx

QUESTION 63Your network contains an Active Directory domain.

You need to restore a deleted computer account from the Active Directory Recycle Bin.

What should you do?

A. From the command prompt, run recover.exe .

B. From the command prompt, run ntdsutil.exe .

C. From the Active Directory Module for Windows PowerShell, run the Restore-Computer cmdlet.

D. From the Active Directory Module for Windows PowerShell, run the Restore-ADObject cmdlet.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

The Restore-ADObject cmdlet restores a deleted Active Directory object. (MY NOTE: Only in conjunction with the Recycle Bin feature in 2008 R2)
Reference: http://technet.microsoft.com/en-us/library/ee617262.aspx

Restore-Computer is a cmdlet for working with System Restore / restore points.Reference: http://ss64.com/ps/restore-computer.html

ntdsutil is for maintaining AD databases offline. It lets us defragment the database and perform authoritative restores, which is a process we could use to bring the computer account back, but it needs a backup, a stop of AD DS or a reboot into DSRM, and far more steps. It does not work with the Recycle Bin, and avoiding that effort is precisely why the Recycle Bin feature was created.

In computing, recover was a primitive filesystem error recovery utility included in MS-DOS / IBM PC DOS versions prior to DOS 6.0. Typing recover at the DOS command line invoked the program file RECOVER.COM or RECOVER.EXE.
Reference: http://en.wikipedia.org/wiki/Recover_%28command%29
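Questions 62 and 63 together are one procedure: check the prerequisite, enable the feature, restore the object. The following is an added example, not code from the exam dump or from Microsoft; it assumes the forest root is contoso.com, the deleted computer is WKS01 and lived in OU=Workstations,DC=contoso,DC=com (placeholders), and that it runs from the Active Directory module on a Windows Server 2008 R2 DC as an Enterprise Admin.

```powershell
# Added example, not part of the exam dump: enable the Recycle Bin and bring a deleted computer
# account back with Restore-ADObject. Names and DNs are placeholders.
Import-Module ActiveDirectory
$forest = Get-ADForest

# Prerequisite: forest functional level 2008 R2 (which itself requires every DC to run 2008 R2).
# Both the level change and the feature are one-way; there is no going back.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# Enable the optional feature forest-wide. Objects deleted before this point are plain tombstones
# and cannot be restored this way; only deletions made afterwards go to the Recycle Bin.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
                             -Target $forest.RootDomain -Confirm:$false
}

function Restore-DeletedComputer {
    param([Parameter(Mandatory=$true)][string]$Name,
          [string]$FallbackOu = 'OU=Workstations,DC=contoso,DC=com')   # used only if the original OU is gone
    $sam = "$Name`$"
    # A deleted object keeps sAMAccountName, SID and lastKnownParent; its RDN is mangled to
    # 'WKS01\0ADEL:<guid>', so search by sAMAccountName rather than by name.
    $deleted = Get-ADObject -Filter { objectClass -eq 'computer' -and sAMAccountName -eq $sam -and isDeleted -eq $true } `
                            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
               Sort-Object whenChanged -Descending | Select-Object -First 1
    if (-not $deleted) { throw "No deleted computer $Name in the Recycle Bin (never deleted, or lifetime expired)" }

    $parentDn = $deleted.lastKnownParent
    $parentExists = $true
    try { Get-ADObject -Identity $parentDn -ErrorAction Stop | Out-Null } catch { $parentExists = $false }

    if ($parentExists) {
        Restore-ADObject -Identity $deleted.ObjectGUID
    } else {
        # In real life restore the parent OU first; here the object is dropped into a fallback OU.
        Restore-ADObject -Identity $deleted.ObjectGUID -TargetPath $FallbackOu
    }
    # The account comes back with its SID, password and group memberships, so the machine works
    # again without being re-joined (compare an authoritative restore: backup, DSRM, replication).
    Get-ADComputer -Identity $Name -Properties MemberOf
}

Restore-DeletedComputer -Name 'WKS01'
```

Anyone allowed to run Restore-ADObject can resurrect privileged accounts and their group memberships, so the right to restore deleted objects deserves the same scrutiny as the right to create them.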

QUESTION 64Your network contains a single Active Directory domain.

You need to create an Active Directory Domain Services snapshot.


What should you do?


A. Use the Ldp tool.

B. Use the ntdsutil tool.

C. Use the wbadmin tool.

D. From Windows Server Backup, perform a full backup.

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

In order to create an Active Directory snapshot you need to use the NTDSUTIL command. NTDSUTIL is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role or the AD LDS server role installed.
Reference: http://www.petri.co.il/working-active-directory-snapshots-windows-server-2008.htm

A full backup contains the AD DS database file (ntds.dit) along with the rest of the server, which is far more than is needed, and neither Windows Server Backup nor wbadmin produces an AD DS snapshot that can be mounted and browsed as a directory.

Ldp is used to connect to AD DS databases and snapshots and run code against them, but does not createsnapshots.

QUESTION 65You have an Active Directory snapshot.

You need to view the contents of the organizational units (OUs) in the snapshot.

Which tools should you run?

A. explorer.exe, netdom.exe, and dsa.msc

B. ntdsutil.exe, dsamain.exe, and dsa.msc

C. wbadmin.msc, dsamain.exe, and netdom.exe

D. wbadmin.msc, ntdsutil.exe, and explorer.exe

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

We need ntdsutil.exe to mount the snapshot, dsamain.exe to connect to it and dsa.msc (ADUC) toview the contents.

Before connecting to the snapshot we need to mount it. (...)

In order to mount an Active Directory snapshot follow these steps:
1. Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
2. Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu.
Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
3. In the CMD window, type the following command: ntdsutil
(...)


In order to connect to the AD snapshot you've mounted you will need to use the DSAMAIN command.(...)After using DSAMAIN to expose the information inside the AD snapshot, you can use any GUI tool that canconnect to the specified port, tools such as Active Directory Users and Computers (DSA.msc), ADSIEDIT.msc,LDP.exe or others.

Reference: http://www.petri.co.il/working-active-directory-snapshots-windows-server-2008.htm
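The whole snapshot round trip from questions 64 and 65 (create, mount, expose with dsamain, query, tear down), as an added example that is not part of the exam dump or of the referenced article. It assumes it runs elevated on a Windows Server 2008 R2 DC as a Domain Admin, that OU=Sales,DC=contoso,DC=com is the OU to inspect (placeholder), that the database is in the default %SystemRoot%\NTDS location, and that ntdsutil's output lines use their usual wording ("Snapshot set {GUID} generated successfully", "Snapshot {GUID} mounted as <path>"); check $mountOut if a pattern fails to match.

```powershell
# Added example, not part of the exam dump: ntdsutil -> dsamain -> LDAP, end to end.
$ldapPort = 50000
$ouDn     = 'OU=Sales,DC=contoso,DC=com'   # placeholder

function Invoke-NtdsutilSnapshot {
    # Each command-line argument is executed as one interactive ntdsutil command, in order.
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $cmdList = @('snapshot') + $Commands + @('quit', 'quit')
    $out = & ntdsutil.exe $cmdList 2>&1 | ForEach-Object { "$_" }
    $out | ForEach-Object { Write-Host $_ }
    $out
}

# 1. Create: a VSS shadow copy of the volume(s) holding ntds.dit and its logs.
$createOut = Invoke-NtdsutilSnapshot -Commands @('activate instance ntds', 'create')
if (($createOut -join ' ') -notmatch 'generated successfully') { throw 'Snapshot creation failed' }

# 2. Mount: 'list all' numbers every set and every volume snapshot; the newest volume entry has
#    the highest index, so mount that one.
$listOut = Invoke-NtdsutilSnapshot -Commands @('list all')
$index = ($listOut | ForEach-Object { if ($_ -match '^\s*(\d+):') { [int]$matches[1] } } |
          Measure-Object -Maximum).Maximum
$mountOut = Invoke-NtdsutilSnapshot -Commands @("mount $index")
$m = [regex]::Match(($mountOut -join ' '), 'Snapshot (\{[0-9A-Fa-f-]{36}\}) mounted as (\S+)')
if (-not $m.Success) { throw 'Could not find the mount point in the ntdsutil output' }
$snapGuid   = $m.Groups[1].Value
$mountPoint = $m.Groups[2].Value          # e.g. C:\$SNAP_201304181200_VOLUMEC$\

# 3. Expose the snapshot's copy of the database read-only on a private LDAP port.
$snapDit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'
$dsamain = Start-Process -FilePath dsamain.exe -PassThru -WindowStyle Hidden `
             -ArgumentList "-dbpath `"$snapDit`" -ldapport $ldapPort"
Start-Sleep -Seconds 10                   # dsamain takes a few seconds to start listening

# 4. Query it like any LDAP server. This is what dsa.msc does when you point it at
#    localhost:50000; plain ADSI is used here so nothing beyond the OS is needed.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:$ldapPort/$ouDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
$searcher.SearchScope = 'OneLevel'
$searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }

# 5. Tear down: stop dsamain, unmount (the snapshot itself stays on disk until 'delete').
Stop-Process -Id $dsamain.Id -Force
Invoke-NtdsutilSnapshot -Commands @("unmount $snapGuid") | Out-Null
```

A mounted snapshot is a complete copy of ntds.dit, password hashes included, and dsamain serves it without the live DC's access checks on the file, so keep the mount point and the LDAP port to administrators, unmount as soon as you are done, and delete snapshots you no longer need.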

QUESTION 66Your network contains a domain controller that runs Windows Server 2008 R2.

You need to change the location of the Active Directory log files.

Which tool should you use?

A. dsamain

B. dsmgmt

C. dsmove

D. ntdsutil

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

To move the directory database and log files to a local drive
1. In Directory Services Restore Mode, open a command prompt and change directories to the current location of the directory database file (Ntds.dit) or the log files, whichever you are moving.
2. Run the dir command and make a note of the current size and location of the Ntds.dit file.
3. At the command prompt, type ntdsutil and then press ENTER.
4. At the ntdsutil: prompt, type files and then press ENTER.
5. To move the database file, at the file maintenance: prompt, use the following commands: (...)
To move the log files, type:
move logs to drive:\directory
Reference: http://technet.microsoft.com/en-us/library/cc778081%28v=ws.10%29.aspx

On Windows Server 2008 and later you do not have to reboot into DSRM for this: stopping the Active Directory Domain Services service (net stop ntds) releases the database and log files, and the ntdsutil files commands work the same way. dsamain exposes a copy of the database on an LDAP port, dsmgmt manages AD LDS instances, and dsmove moves objects within the directory; none of them relocates the log files.

QUESTION 67Your network contains an Active Directory domain that contains five domain controllers. You have amanagement computer that runs Windows 7.

From the Windows 7 computer, you need to view all account logon failures that occur in the domain. Theinformation must be consolidated on one list.

Which command should you run on each domain controller?

A. wecutil.exe qc

B. wevtutil.exe gli

C. winrm.exe quickconfig

D. winrshost.exe

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

To view the account logon failures for the whole domain in one list, each domain controller has to forward its Security events to the Windows 7 computer. On each source computer the WinRM listener and its firewall exception are created with the winrm quickconfig command. The collector also needs permission to read the Security log on every DC; for a collector-initiated subscription that means adding the Windows 7 computer's account to the Event Log Readers group in the domain.
Reference: http://technet.microsoft.com/en-us/library/cc748890%28v=WS.10%29.aspx

wecutil.exe qc would be run on the Windows 7 computer since it is going to collect the events.

winrshost.exe is the host process that WinRM starts to run remote commands (Windows Remote Shell); it is a component WinRM uses, not a configuration command. Creating the listener and firewall exception it relies on is exactly what winrm quickconfig automates on Windows Server 2008.

wevtutil.exe gli displays the status of an event log or log file, but does not give us anything about theevents themselves.
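The collector side that the DC-side winrm quickconfig prepares for, plus the one query that produces the consolidated list. This is an added example, not code from the exam dump or from Microsoft; it assumes the collector is a Windows 7 machine in contoso.com whose computer account is a member of the domain's Event Log Readers group, that the DCs are DC1 through DC5 (placeholders), that winrm quickconfig has been run on each DC and wecutil qc on the collector, and that the subscription XML follows the schema wecutil documents.

```powershell
# Added example, not part of the exam dump: a collector-initiated subscription for account logon
# failures from every DC, and a query over the ForwardedEvents log that reads them as one list.
# Already done, once, elevated:  on every DC: winrm quickconfig -q    on the collector: wecutil qc /q
$dcs = 'DC1', 'DC2', 'DC3', 'DC4', 'DC5' | ForEach-Object { "$($_).contoso.com" }   # placeholders

# Account logon failures on a DC: 4771 (Kerberos pre-authentication failed),
# 4776 (NTLM credential validation failed) and 4625 (a logon to the DC itself failed).
$query = '<QueryList><Query Id="0" Path="Security">' +
         '<Select Path="Security">*[System[(EventID=4625 or EventID=4771 or EventID=4776)]]</Select>' +
         '</Query></QueryList>'
$sourcesXml = ($dcs | ForEach-Object { "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`r`n"

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/events/subscription">
  <SubscriptionId>DC-AccountLogonFailures</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Account logon failures from every domain controller</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourcesXml
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'dc-logon-failures.xml'
[System.IO.File]::WriteAllText($xmlPath, $subscription, [System.Text.Encoding]::UTF8)
& wecutil.exe cs $xmlPath                          # create the subscription
& wecutil.exe gr DC-AccountLogonFailures            # runtime status: every DC should read Active

function Get-DomainLogonFailures {
    # The consolidated list the question asks for: one log on the collector, all five DCs.
    param([int]$Last = 100)
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4625, 4771, 4776 } -MaxEvents $Last |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                DC      = $_.MachineName
                EventId = $_.Id
                Account = $data['TargetUserName']
                Source  = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
            }
        }
}
Get-DomainLogonFailures -Last 50 | Format-Table Time, DC, EventId, Account, Source -AutoSize
```

HTTP here is not plaintext in the usual sense: inside the domain WinRM authenticates with Kerberos and encrypts the payload, and the collector's own computer account (CredentialsType Default) is what reads the DCs' logs, which is why it needs Event Log Readers membership and nothing more.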

QUESTION 68You create a new Active Directory domain. The functional level of the domain is Windows Server 2008 R2. Thedomain contains five domain controllers.

You need to monitor the replication of the group policy template files.

Which tool should you use?

A. dfsrdiag

B. fsutil

C. ntdsutil

D. ntfrsutl

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

Group Policy template files live in the SYSVOL share. A domain created at the Windows Server 2008 (or later) functional level uses DFS Replication for SYSVOL from the start, so dfsrdiag is the tool to monitor it (for example dfsrdiag backlog against the "Domain System Volume" replication group). Note that a domain that was merely raised to 2008 R2 from 2003 keeps using FRS until SYSVOL is migrated with dfsrmig; dfsrmig /getglobalstate shows which engine is in use.

ntfrsutl is the equivalent tool for FRS, which is what a domain still at the Windows Server 2003 level uses for SYSVOL.

ntdsutil is used for offline management of the AD database.

fsutil manages file system and volume settings (quotas, sparse files, the USN journal and so on); it has nothing to do with replication.

QUESTION 69You create a new Active Directory domain. The functional level of the domain is Windows Server 2003. Thedomain contains five domain controllers that run Windows Server 2008 R2.

You need to monitor the replication of the group policy template files.

Which tool should you use?

A. dfsrdiag

B. fsutil


C. ntdsutil

D. ntfrsutl

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

This is a tricky one, but note that the functional level of the domain is Windows Server 2003. A domain created at that level replicates SYSVOL with the File Replication Service (FRS) regardless of the operating system on the domain controllers; DFS Replication for SYSVOL requires the Windows Server 2008 domain functional level and, for an existing domain, a migration with dfsrmig. So FRS is in use, and ntfrsutl is the tool to inspect it.

ntdsutil is for managing the AD database offline.

fsutil manages file system and volume settings, not replication.
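A check that covers both question 68 and question 69: find out which engine replicates SYSVOL, then ask that engine for its backlog. This is an added example, not code from the exam dump; it assumes it runs elevated on a DC, that the DCs are DC1 through DC5 (placeholders), and that a dfsrmig global state of 'Eliminated' means DFS-R owns SYSVOL (a domain still on FRS reports 'Start' or that migration has not been initialized). The dfsrdiag output wording it matches ('No Backlog', 'Backlog File Count: N') is assumed from the tool's usual output.

```powershell
# Added example, not part of the exam dump: which engine replicates SYSVOL, and is it keeping up?
$dcs = 'DC1', 'DC2', 'DC3', 'DC4', 'DC5'     # placeholders
$state = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
Write-Host $state

function Get-DfsrSysvolBacklog {
    # DFS-R: files queued from each sender to each receiver for the SYSVOL replicated folder.
    param([Parameter(Mandatory=$true)][string[]]$DomainControllers)
    foreach ($src in $DomainControllers) {
        foreach ($dst in $DomainControllers) {
            if ($src -eq $dst) { continue }
            $out = (& dfsrdiag.exe backlog /RGName:'Domain System Volume' /RFName:'SYSVOL Share' `
                      /SendingMember:$src /ReceivingMember:$dst 2>&1) -join ' '
            $count = if ($out -match 'No Backlog') { 0 }
                     elseif ($out -match 'Backlog File Count:\s*(\d+)') { [int]$matches[1] }
                     else { -1 }                 # -1: dfsrdiag itself failed; read Raw
            New-Object PSObject -Property @{ Sender = $src; Receiver = $dst; Backlog = $count; Raw = $out }
        }
    }
}

function Show-FrsSysvolState {
    # FRS: 'sets' lists each replica set (SYSVOL included) with its state; 'outlog' lists the
    # outbound change orders still waiting to be sent from that DC.
    param([Parameter(Mandatory=$true)][string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        Write-Host "==== $dc : replica sets"
        & ntfrsutl.exe sets $dc
        Write-Host "==== $dc : outbound log (pending change orders)"
        & ntfrsutl.exe outlog $dc
    }
}

if ($state -match 'Eliminated') {
    # Anything other than 0 between two DCs means a Group Policy change is still in flight (or stuck).
    Get-DfsrSysvolBacklog -DomainControllers $dcs |
        Where-Object { $_.Backlog -ne 0 } |
        Format-Table Sender, Receiver, Backlog, Raw -AutoSize
} else {
    Show-FrsSysvolState -DomainControllers $dcs
}
# Either way, the definitive test is end to end: change a test GPO on one DC and confirm the
# GPT folder under \\DCn\SYSVOL\contoso.com\Policies\{GUID} appears on every other DC.
```

A stuck SYSVOL backlog is a security problem as well as an operational one: the DCs with the backlog keep applying the old policy, so a hardening change (or the removal of a rogue logon script) simply does not reach the machines that authenticate there.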

QUESTION 70You have a domain controller named Server1 that runs Windows Server 2008 R2.

You need to determine the size of the Active Directory database on Server1.

What should you do?

A. Run the Active Directory Sizer tool.

B. Run the Active Directory Diagnostics data collector set.

C. From Windows Explorer, view the properties of the %systemroot%\ntds\ntds.dit file.

D. From Windows Explorer, view the properties of the %systemroot%\sysvol\domain folder.

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

The AD database is stored in the file %systemroot%\ntds\ntds.dit We just need to see how large thisfile is in Windows Explorer to get an idea of how much disk space it is using.

The %systemroot%\sysvol\domain folder holds the policies and scripts that replicate to every domain controller; it is a share readable by every authenticated user and does not contain the directory database.

The Active Directory Sizer tool lets you estimate the hardware required for deploying Active Directory in an organization based on the organization's profile, domain information and site topology.
Reference: http://www.petri.co.il/active_directory_sizer_tool.htm

The AD Diagnostics DCS will give us performance information for AD, and if it did poorly that might hint to usthat our database is getting large, but it would not necessarily report the size of the file.

QUESTION 71Your network contains a single Active Directory domain. The functional level of the forest is Windows Server2008. The functional level of the domain is Windows Server 2008 R2. All DNS servers run Windows Server2008. All domain controllers run Windows Server 2008 R2.

You need to ensure that you can enable the Active Directory Recycle Bin.

What should you do?


A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Modify the Active Directory schema.
D. Modify the Universal Group Membership Caching settings.

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled. To enable it, you must firstraise the forest functional level of your AD DS or AD LDS environment to Windows Server 2008 R2, which inturn requires all forest domain controllers or all servers that host instances of AD LDS configuration sets to berunning Windows Server 2008 R2.

Reference: http://technet.microsoft.com/en-us/library/dd392261.aspx

QUESTION 72Your network contains an Active Directory domain. The domain contains two domain controllers named DC1and DC2.

You perform a full backup of the domain controllers every night by using Windows Server Backup.

You update a script in the SYSVOL folder. You discover that the new script fails to run properly.

You need to restore the previous version of the script in the SYSVOL folder. The solution must minimize theamount of time required to restore the script.

What should you do first?

A. Run the Restore-ADObject cmdlet.

B. Restore the system state to its original location.

C. Restore the system state to an alternate location.

D. Attach the VHD file created by Windows Server Backup.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

Windows Server Backup stores its images as VHD files, and we are told the DCs are backed up with it nightly.

Since a VHD can be attached as a disk on Windows Server 2008 R2 (Disk Management, or diskpart's attach vdisk), the quickest way to get one file back is to attach last night's VHD read-only, browse to the SYSVOL path and copy the previous version of the script out.

Restoring the system state, to its original or to an alternate location, recovers the whole AD DS database and SYSVOL, takes far longer, and in place would also undo every other change made since the backup.

Scripts in SYSVOL are files in the replicated share, not objects in AD, so the Restore-ADObject cmdlet does not apply.
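The one-file recovery described above, scripted with diskpart (Windows Server 2008 R2 has no VHD cmdlets). This is an added example, not code from the exam dump; it assumes it runs elevated on a management or backup server that holds the DC1 backups on its local volume E: (placeholder path), that the file wanted is Logon.vbs in the domain's scripts folder (placeholder), and that the backup set folders carry Windows Server Backup's usual "Backup YYYY-MM-DD HHMMSS" names.

```powershell
# Added example, not part of the exam dump: pull one file out of the newest backup VHD.
$backupRoot = 'E:\WindowsImageBackup\DC1'                       # placeholder
$wanted     = 'Windows\SYSVOL\domain\scripts\Logon.vbs'          # placeholder, relative to the C: image
$restoreTo  = 'C:\Restore'

function Invoke-Diskpart {
    # diskpart only scripts through a file; write the commands out and run it non-interactively.
    param([Parameter(Mandatory=$true)][string[]]$Script)
    $tmp = [System.IO.Path]::GetTempFileName()
    $Script | Set-Content -Path $tmp -Encoding ASCII
    $out = & diskpart.exe /s $tmp
    Remove-Item $tmp -Force
    $out
}
function Get-DriveLetters { Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID } }

# The newest set: 'Backup YYYY-MM-DD HHMMSS' sorts correctly as plain text.
$latest = Get-ChildItem $backupRoot | Where-Object { $_.PSIsContainer -and $_.Name -like 'Backup *' } |
          Sort-Object Name -Descending | Select-Object -First 1
if (-not $latest) { throw "No backup sets under $backupRoot" }
New-Item -ItemType Directory -Path $restoreTo -Force | Out-Null

# One VHD per backed-up volume. Attach each read-only, look for the file, detach again.
foreach ($vhd in (Get-ChildItem $latest.FullName -Filter *.vhd)) {
    $before = Get-DriveLetters
    Invoke-Diskpart -Script @("select vdisk file=`"$($vhd.FullName)`"", 'attach vdisk readonly') | Out-Null
    Start-Sleep -Seconds 5
    $newLetters = Get-DriveLetters | Where-Object { $before -notcontains $_ }
    $found = $false
    foreach ($letter in $newLetters) {
        $src = Join-Path $letter $wanted
        if (Test-Path $src) {
            Copy-Item $src $restoreTo -Force
            Write-Host "Restored $src -> $restoreTo"
            $found = $true
        }
    }
    # Detach promptly: while attached, the image exposes ntds.dit and every other file on the DC.
    Invoke-Diskpart -Script @("select vdisk file=`"$($vhd.FullName)`"", 'detach vdisk') | Out-Null
    if ($found) { break }
}
# Compare the recovered file with the broken one before copying it into \\DC1\SYSVOL\...\scripts;
# placing it there is what replicates the fix to the other DCs.
```

Attaching on a machine other than DC1 itself avoids a disk-signature clash between the image and the live system disk, and a read-only attach guarantees the backup cannot be altered while it is mounted.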

QUESTION 73


You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature isinstalled on the domain controller.

You need to perform a non-authoritative restore of the domain controller by using an existing backup file.

What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Use the wbadmin command to perform acritical volume restore.

B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-into perform a critical volume restore.

C. Restart the domain controller in Safe Mode. Use the Windows Server Backup snap-in to perform a criticalvolume restore.

D. Restart the domain controller in Safe Mode. Use the wbadmin command to perform a critical volumerestore.

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

A non-authoritative restore needs AD DS offline on the domain controller, which is why the DC is restarted in Directory Services Restore Mode, a boot mode in which the directory service is not started and you log on with the DSRM administrator password. The documented procedure for recovering the system state or the critical volumes there is the wbadmin command (wbadmin start systemstaterecovery or wbadmin start recovery), which is why A is correct rather than B.

Safe Mode is not a supported environment for restoring the system state or critical volumes of a domain controller, which rules out C and D.

QUESTION 74Your company has an Active Directory domain that runs Windows Server 2008 R2. The Sales OU contains anOU for Computers, an OU for Groups, and an OU for Users. You perform nightly backups.

An administrator deletes the Groups OU.

You need to restore the Groups OU without affecting users and computers in the Sales OU.

What should you do?

A. Perform an authoritative restore of the Sales OU.
B. Perform an authoritative restore of the Groups OU.
C. Perform a non-authoritative restore of the Groups OU.
D. Perform a non-authoritative restore of the Sales OU.

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

An authoritative restore of the Groups OU subtree marks every restored object with a version number higher than the deletion, so the restored OU replicates out from this DC and wins over the tombstones held by the other domain controllers.

A non-authoritative restore would bring the OU back on this DC only until the next replication cycle, when the other DCs, whose newer copy of the database records the deletion, would delete it again.

We do not want to restore the whole Sales OU, as that would also roll back the Computers OU and the Users OU beneath it to their state at backup time.

QUESTION 75
Your network contains an Active Directory domain. The domain contains two Active Directory sites named Site1 and Site2. Site1 contains two domain controllers named DC1 and DC2. Site2 contains two domain controllers named DC3 and DC4.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is WindowsServer 2003.

Active Directory replication between Site1 and Site2 occurs from 20:00 to 01:00 every day.

At 07:00, an administrator deletes a user account while he is logged on to DC1.

You need to restore the deleted user account. You want to achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. On DC1, run the Restore-ADObject cmdlet.

B. On DC3, run the Restore-ADObject cmdlet.

C. On DC1, stop Active Directory Domain Services, restore the System State, and then start Active DirectoryDomain Services.

D. On DC3, stop Active Directory Domain Services, perform an authoritative restore, and then start ActiveDirectory Domain Services.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

The key detail is the schedule: inter-site replication only runs between 20:00 and 01:00, so at 07:00 the deletion made on DC1 has reached DC2 (same site) but not DC3 or DC4 in Site2. DC3 still holds the account, so there is nothing to restore from backup: stop AD DS on DC3, use ntdsutil authoritative restore to mark the object authoritative (restore object <DN>), start AD DS again and let it replicate back to Site1. That is far less effort than a system state restore on DC1 (option C), which needs DSRM and rolls DC1 back to the backup.

Authoritative restore of AD DS has the following requirements:
(...)
You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.
Reference: http://technet.microsoft.com/en-us/library/cc755296.aspx

We cannot use Restore-ADObject, because Restore-ADObject relies on the Recycle Bin feature, which can only be enabled when the forest functional level is Windows Server 2008 R2; here the forest is still at Windows Server 2003.
Reference: http://technet.microsoft.com/nl-nl/library/dd379481.aspx
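The ntdsutil side of questions 73 to 75 as one worked example: the live-copy trick from question 75 first, then the backup-based path from questions 73 and 74. This is added code, not from the exam dump or from Microsoft; it assumes placeholder DNs that contain no spaces (a DN with spaces must be wrapped in extra double quotes inside the ntdsutil argument), a backup on E:, a version string as printed by wbadmin get versions, and ntdsutil's usual success line "Authoritative Restore completed successfully".

```powershell
# Added example, not part of the exam dump: authoritative restore with ntdsutil.
function Invoke-AuthoritativeRestore {
    # Marks the object or subtree authoritative by raising its version numbers high enough that this
    # DC's copy wins replication against the deletion recorded on the other DCs.
    param([Parameter(Mandatory=$true)][string]$RestoreCommand)   # 'restore object <DN>' or 'restore subtree <DN>'
    $cmdList = @('activate instance ntds', 'authoritative restore', $RestoreCommand, 'quit', 'quit')
    $out = & ntdsutil.exe $cmdList 2>&1 | ForEach-Object { "$_" }
    $out | ForEach-Object { Write-Host $_ }
    if (($out -join ' ') -notmatch 'Authoritative Restore completed successfully') {
        throw 'ntdsutil did not report success; read the output above before doing anything else'
    }
}

# ---- Q75: the deletion has not replicated to Site2 yet, so DC3 still has a live copy. No backup needed.
Stop-Service -Name NTDS -Force          # on DC3; Site2 clients fail over to DC4 in the meantime
Invoke-AuthoritativeRestore -RestoreCommand 'restore object CN=jdoe,OU=Sales,DC=contoso,DC=com'   # placeholder DN
Start-Service -Name NTDS
# Push it back to Site1 now rather than waiting for the 20:00 window (destination DC first, then source):
& repadmin.exe /replicate DC1.contoso.com DC3.contoso.com DC=contoso,DC=com

# ---- Q73/Q74: the OU is gone on every DC, so one DC is booted into DSRM and its system state is
# restored non-authoritatively first; then (Q74) the subtree is marked authoritative before the
# DC is rebooted normally. In DSRM, from an elevated prompt:
#   wbadmin get versions -backupTarget:E:
#   wbadmin start systemstaterecovery -version:04/17/2013-02:00 -backupTarget:E: -quiet
# Stay in DSRM when it finishes (do not reboot yet), then:
Invoke-AuthoritativeRestore -RestoreCommand 'restore subtree OU=Groups,OU=Sales,DC=contoso,DC=com'   # placeholder DN
# Reboot normally: the Groups OU replicates out; the Users and Computers OUs under Sales are untouched
# because only the Groups subtree was marked authoritative.
```

The DSRM administrator password is a local credential that bypasses every domain control on that DC, and an authoritative restore is an unaudited way to resurrect any account, so both the password and the backup media deserve the same protection as Domain Admin membership.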

QUESTION 76Your company has a main office and a branch office. The network contains a single Active Directory domain.The main office contains a domain controller named DC1.

You need to install a domain controller in the branch office by using an offline copy of the Active Directorydatabase.

What should you do first?

A. From the ntdsutil tool, create an IFM media set.

B. From the command prompt, run djoin.exe /loadfile .


C. From Windows Server Backup, perform a system state backup.

D. From Windows PowerShell, run the Get-ADDomainController cmdlet.

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
Reference: http://technet.microsoft.com/en-us/library/cc770654%28v=ws.10%29.aspx

A system state backup would back up much more than the AD database and cannot be used as the source for a new DC.

djoin.exe /loadfile is used to help join a machine to the domain while it is offline or unavailable tocontact a DC.

The Get-ADDomainController cmdlet will retrieve DC objects into the PowerShell pipeline for manipulation,such as retrieving or outputting properties or sending to other cmdlets. But at best this manipulates thecomputer object in AD, and is not helpful for provisioning a new DC.

QUESTION 77Your network contains an Active Directory domain. The domain contains five domain controllers. A domaincontroller named DC1 has the DHCP role and the file server role installed.

You need to move the Active Directory database on DC1 to an alternate location. The solution must minimizeimpact on the network during the database move.

What should you do first?

A. Restart DC1 in Safe Mode.
B. Restart DC1 in Directory Services Restore Mode.
C. Start DC1 from Windows PE.
D. Stop the Active Directory Domain Services service on DC1.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

The first step in moving the Active Directory database is to take AD DS offline on that computer, because the running directory service keeps ntds.dit open and locked. Traditionally this meant rebooting into DSRM, which would not minimize the impact on the network, since DC1 also provides DHCP and file services. Windows Server 2008 introduced restartable AD DS: stopping the Active Directory Domain Services service (net stop ntds) takes only the directory service and its dependents offline and leaves the DHCP and file server roles running.

Safe Mode does not provide access to directory services restoration and would not minimize impact to thenetwork. The same applies for Windows PE.

QUESTION 78Your company has a main office and a branch office.

The network contains an Active Directory forest. The forest contains three domains.


The branch office contains one domain controller named DC5. DC5 is configured as a global catalog server, aDHCP server, and a file server.

You remove the global catalog from DC5.

You need to reduce the size of the Active Directory database on DC5. The solution must minimize the impacton all users in the branch office.

What should you do first?

A. Start DC5 in Safe Mode.
B. Start DC5 in Directory Services Restore Mode.
C. On DC5, start the Protected Storage service.
D. On DC5, stop the Active Directory Domain Services service.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

The first step in maintaining the Active Directory database (ie, compacting) is to first bring down ActiveDirectory services on that computer, as it locks the ntds.dit file containing the Active Directory database.This was traditionally done only by rebooting a computer in DSRM, but this would not minimize impact on usersfor DC5 as it also operates the DHCP and file server roles. Server 2008 added the ability to manage AD as aservice, which would only bring down AD but would not impact the DHCP and file server roles.

Safe Mode does not provide access to directory services restoration and would not minimize impact to thenetwork.

Protected Storage provides applications with an interface to store user data that must be kept secure or free from modification. (MY NOTE: In other words, it is used for setting up data that is not going to be changed. It is not used for AD, and as the referenced article also points out, it was only for Server 2003 / XP)
Reference: http://msdn.microsoft.com/en-us/library/bb432403%28v=vs.85%29.aspx

QUESTION 79A domain controller named DC12 runs critical services. Restructuring of the organizational unit hierarchy for thedomain has been completed and unnecessary objects have been deleted.

You need to perform an offline defragmentation of the Active Directory database on DC12. You also need toensure that the critical services remain online.

What should you do?

A. Start the domain controller in the Directory Services Restore Mode. Run the Defrag utility.

B. Start the domain controller in the Directory Services Restore Mode. Run the Ntdsutil utility.

C. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Defrag utility.

D. Stop the Domain Controller service in the Services (local) Microsoft Management Console (MMC). Run the Ntdsutil utility.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

We can't use DSRM here because the scenario states that we "need to ensure that the critical services remain online". Since Windows Server 2008 supports restartable AD DS, we only need to stop the Active Directory Domain Services service to work on the database without taking the other critical services down.

Defrag works on NTFS volumes, not on the Active Directory database. Because AD is so critical, Microsoft provides its own utility for offline defragmentation of ntds.dit (ntdsutil, with its files and compact to commands).
Reference: http://technet.microsoft.com/en-us/library/cc794920%28v=ws.10%29.aspx

There are a few variations of this question's wording so pay attention in case the scenario is slightly different.The answer will remain the same, even if worded differently.
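The offline maintenance that questions 66, 77, 78 and 79 describe in pieces, as one worked procedure without DSRM: stop the service, move the logs, compact the database, verify, start the service. This is an added example, not code from the exam dump or from Microsoft; it assumes it runs elevated on the DC, that the target paths are placeholders on local NTFS volumes with enough free space, and that the database is in the default %SystemRoot%\NTDS location. The size readings before and after also answer question 70.

```powershell
# Added example, not part of the exam dump: ntds.dit maintenance with restartable AD DS.
$ntdsDir    = Join-Path $env:SystemRoot 'NTDS'
$dit        = Join-Path $ntdsDir 'ntds.dit'
$newLogDir  = 'E:\NTDSLogs'      # placeholder (Q66: where the log files move to)
$compactDir = 'E:\ADCompact'     # placeholder (Q78/Q79: scratch space at least as large as ntds.dit)

function Invoke-NtdsutilFiles {
    # ntdsutil executes each command-line argument as one interactive command, in order.
    # Paths containing spaces must be wrapped in extra double quotes inside the argument.
    param([Parameter(Mandatory=$true)][string[]]$Commands)
    $cmdList = @('activate instance ntds', 'files') + $Commands + @('quit', 'quit')
    $out = & ntdsutil.exe $cmdList 2>&1 | ForEach-Object { "$_" }
    $out | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }
}

# Q70: the database size is simply this file's size.
$sizeBefore = (Get-Item $dit).Length

# Restartable AD DS (2008+): stopping NTDS releases ntds.dit. Its dependents (Kerberos KDC,
# Intersite Messaging, DNS Server when installed, DFS Replication) stop with it; DHCP and file
# shares on the same box keep running, which is the point of Q77 and Q78.
Stop-Service -Name NTDS -Force

# Q66: relocate the transaction logs. ntdsutil updates the registry paths for you.
New-Item -ItemType Directory -Path $newLogDir -Force | Out-Null
Invoke-NtdsutilFiles -Commands @("move logs to $newLogDir")

# Q78/Q79: offline defragmentation. 'compact to' writes a new, compacted copy; you then swap it
# in, delete the old logs, and run 'integrity' before starting the service again.
New-Item -ItemType Directory -Path $compactDir -Force | Out-Null
Invoke-NtdsutilFiles -Commands @("compact to $compactDir")
Copy-Item $dit "$dit.bak" -Force                           # keep the original until integrity passes
Copy-Item (Join-Path $compactDir 'ntds.dit') $dit -Force
Remove-Item (Join-Path $newLogDir '*.log') -Force
Invoke-NtdsutilFiles -Commands @('integrity')

Start-Service -Name NTDS
# The dependents do not come back on their own; restart the ones that exist on this DC.
foreach ($svc in 'Kdc', 'IsmServ', 'DNS', 'DFSR') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { Start-Service -Name $svc }
}

$sizeAfter = (Get-Item $dit).Length
"ntds.dit: {0:N0} bytes before, {1:N0} bytes after compaction" -f $sizeBefore, $sizeAfter
# Once replication is confirmed healthy (repadmin /showrepl), remove ntds.dit.bak and the compact
# copy: every copy of this file is a copy of every password hash in the domain.
```

Offline compaction only reclaims space that the deletions in the question have already turned into whitespace inside the file; online defragmentation, which runs by itself during garbage collection, never shrinks ntds.dit, which is why this procedure exists.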

QUESTION 80You need to receive an e-mail message whenever a domain user account is locked out.

Which tool should you use?

A. Active Directory Administrative Center
B. Event Viewer
C. Resource Monitor
D. Security Configuration Wizard

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

The Security log in Event Viewer records account lockouts (event ID 4740, "A user account was locked out", written on the domain controller that processes the lockout, which is always the PDC emulator) as well as failed attempts to access objects in AD. Since Windows Server 2008, Event Viewer can attach a scheduled task to an event (right-click the event, Attach Task To This Event), and that task can run a program, send an e-mail or display a message every time the event recurs. None of the other tools listed react to events.

The Security Configuration Wizard is used to improve security on a computer by applying stricter policies for the services that are installed.
Reference: http://technet.microsoft.com/en-us/library/cc754997.aspx
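The task that "Attach Task To This Event" creates, built from the command line so it can be deployed the same way on every domain. This is an added example, not code from the exam dump or from Microsoft; it assumes it runs elevated on the PDC emulator (every lockout in the domain is reported there, so one task covers the whole domain), that SMTP server, sender and recipient are placeholders, and that the script folder is writable only by administrators because the task runs as SYSTEM.

```powershell
# Added example, not part of the exam dump: e-mail on every account lockout (Security event 4740).
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
if ($pdc -notlike "$env:COMPUTERNAME.*") { throw "Run this on the PDC emulator ($pdc), not here" }

# Event 4740 is only written when 'Audit User Account Management' success auditing is on.
& auditpol.exe /get /subcategory:"User Account Management"
& auditpol.exe /set /subcategory:"User Account Management" /success:enable

# The script the task runs: reads the newest 4740 event and mails its details.
$scriptDir  = 'C:\Scripts'                                  # placeholder; admin-writable only
$scriptPath = Join-Path $scriptDir 'Send-LockoutMail.ps1'
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
@'
$e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1
$data = @{}
foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
# In 4740, TargetUserName is the locked account and TargetDomainName carries the caller computer name.
$body = @"
Account:          $($data['TargetUserName'])
Locked out at:    $($e.TimeCreated)
Caller computer:  $($data['TargetDomainName'])
Reported by DC:   $($e.MachineName)
"@
Send-MailMessage -To 'soc@contoso.com' -From 'lockout-alerts@contoso.com' -SmtpServer 'smtp.contoso.com' `
    -Subject "Account lockout: $($data['TargetUserName'])" -Body $body
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# Event-triggered scheduled task: channel Security, XPath filter for event ID 4740 from the
# security auditing provider. This is exactly what the Event Viewer wizard writes into the task.
$xpath  = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"
$action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
& schtasks.exe /Create /F /TN 'Alert on account lockout' /RU SYSTEM /SC ONEVENT /EC Security /MO $xpath /TR $action
& schtasks.exe /Query /TN 'Alert on account lockout' /V /FO LIST
```

The caller computer name in the mail is the useful field: a string of lockouts for one account from one workstation usually means a stale credential in a service or mapped drive, while lockouts for many accounts from one source are what a password-spraying attempt looks like.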

QUESTION 81Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to identify the Lightweight Directory Access Protocol (LDAP) clients that are using the largest amountof available CPU resources on a domain controller.

What should you do?

A. Review performance data in Resource Monitor.
B. Review the Hardware Events log in the Event Viewer.
C. Run the LAN Diagnostics Data Collector Set. Review the LAN Diagnostics report.
D. Run the Active Directory Diagnostics Data Collector Set. Review the Active Directory Diagnostics report.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

Active Directory Diagnostics This data collector set is present only on domain controllers. It logs kernel tracedata, Active Directory trace data, performance counters, and Active Directory registry configuration.

LAN Diagnostics You can use this data collector set when troubleshooting complex network problems such asnetwork time-outs, poor network performance, or virtual private network (VPN) connectivity problems. It logsnetwork performance counters, network configuration data, and diagnostics tracing data.

Reference: http://www.windowsserverbrain.info/learning-2008/builtin-data-collector-sets.html

MY NOTE: LDAP is the protocol used with AD/LDS, so we should run the AD Diagnostics DCS. As per the screenshot below it specifically reports LDAP statistics.

Reference: http://servergeeks.wordpress.com/2012/12/31/active-directory-diagnostics/

Resource Monitor is a system application in Microsoft Windows operating systems. It is used to view information about the use of hardware (CPU, memory, disk, and network) and software (file handles and modules) resources in real time.
Reference: http://en.wikipedia.org/wiki/Resource_Monitor
(MY NOTE: Under the hood, Resource Monitor is combining Perfmon, Event Logs and Task Manager. Perfmon is where we can get data like the scenario asks, but we would have to know what to look for and monitor.)

Hardware Events log will show us what is going on with hardware changes in the system, and could give us a hint as to when CPU usage is high, but won't let us know anything fine-grained, such as which clients are using the CPU for LDAP only.

QUESTION 82
You add an Online Responder to an Online Responder Array. You need to ensure that the new Online Responder resolves synchronization conflicts for all members of the Array.

What should you do?

A. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 1.
B. From Network Load Balancing Manager, set the priority ID of the new Online Responder to 32.
C. From the Online Responder Management Console, select the new Online Responder, and then select Set as Array Controller.
D. From the Online Responder Management Console, select the new Online Responder, and then select Synchronize Members with Array Controller.

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

The role of the Array controller is to help resolve synchronization conflicts and to apply updated revocation configuration information to all Array members.

Synchronize Members with Array Controller will resynchronize the Online Responder's configuration data to all Array members. This is not the desired effect.
Reference: http://technet.microsoft.com/en-us/library/cc770413%28v=ws.10%29.aspx

Modifying the priority ID of the server in NLB will determine its priority in handling "all of the cluster's network traffic that is not covered by a port rule." This could potentially keep the server from handling necessary forms of traffic, or ensure it handles more than is necessary.
Reference: http://technet.microsoft.com/en-us/library/cc778263%28v=ws.10%29.aspx

QUESTION 83
Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:

dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess

The command fails.

You need to ensure that the command completes successfully.

How should you modify the command?

A. Include the path to Dsamain.

B. Change the value of the -dbpath parameter.

C. Change the value of the -ldapport parameter.

D. Remove the allowNonAdminAccess parameter.

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

dsamain is used for working with offline snapshots of AD, and the path to the ntds.dit (c:\$SNAP_201006170326(...)) file here clearly indicates this is what is being done. However, port 389 is used by the live (running) AD environment, so trying to connect to the snapshot using port 389 can cause problems. We need to specify a different port, one that will not possibly conflict with any other directory services.
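As an added example (PowerShell written for this page, not from the dump or from Microsoft's documentation), the same dsamain mount done the way the explanation recommends: the chosen -ldapport is checked against the ports the live DC already listens on before the snapshot is exposed, and the instance is then verified over LDAP. The snapshot path reuses the page's $SNAP path as a constructed value; port 51389 is an assumed free port.

```powershell
# Added example: expose an AD snapshot through dsamain on a port that is not already in use.
# Assumes the snapshot was mounted earlier with "ntdsutil snapshot ... mount <n>", which produces
# a path such as C:\$SNAP_<timestamp>_VOLUMEC$\ (path and port below are constructed values).
$SnapshotDit = 'C:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit'
$LdapPort    = 51389   # anything but 389/636/3268/3269, which the live DC owns

function Test-LdapPortFree {
    param([int]$Port)
    # Ports the running directory service already uses (389 LDAP, 636 LDAPS, 3268/3269 GC)
    $reserved = 389, 636, 3268, 3269
    if ($reserved -contains $Port) { return $false }
    # Anything else currently listening on the box (another dsamain, an AD LDS instance, ...)
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    return -not ($listeners | Where-Object { $_.Port -eq $Port })
}

function Mount-AdSnapshot {
    param([string]$DitPath, [int]$Port)
    if (-not (Test-Path $DitPath)) { throw "Snapshot database not found: $DitPath" }
    if (-not (Test-LdapPortFree $Port)) { throw "TCP port $Port is in use; choose another -ldapport value" }

    # dsamain runs in the foreground until Ctrl+C, so launch it in its own process.
    # -allowNonAdminAccess is deliberately omitted: without it only Domain Admins / Enterprise
    # Admins can read the mounted copy of ntds.dit, which is the appropriate default.
    $proc = Start-Process -FilePath 'dsamain.exe' `
        -ArgumentList @('-dbpath', "`"$DitPath`"", '-ldapport', $Port) -PassThru
    Start-Sleep -Seconds 5   # give the instance time to come up

    # Verify the snapshot answers on the chosen port by reading its RootDSE
    $rootDse = [ADSI]"LDAP://localhost:$Port/RootDSE"
    if (-not $rootDse.defaultNamingContext) { throw 'Snapshot instance did not answer on the expected port' }
    Write-Host ("Snapshot mounted on port {0}, naming context {1}" -f $Port, $rootDse.defaultNamingContext)
    return $proc
}

# Usage: $p = Mount-AdSnapshot -DitPath $SnapshotDit -Port $LdapPort
# Browse it with ldp.exe or ADUC against localhost:$LdapPort, then Stop-Process $p.Id
# and unmount the snapshot with "ntdsutil snapshot ... unmount <n>".
```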

QUESTION 84
Your network contains an Active Directory domain controller named DC1. DC1 runs Windows Server 2008 R2.

You need to defragment the Active Directory database on DC1. The solution must minimize downtime on DC1.

What should you do first?

A. At the command prompt, run net stop ntds.

B. At the command prompt, run net stop netlogon.

C. Restart DC1 in Safe Mode.
D. Restart DC1 in Directory Services Restore Mode (DSRM).

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

To perform offline defragmentation of the directory database
(...)
3. At the command prompt, type the following command, and then press ENTER:

net stop ntds
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
9. If defragmentation succeeds with no errors, follow the Ntdsutil.exe onscreen instructions to:
(...)

c. Manually copy the compacted database file to the original location, as follows:
copy "<temporaryDrive>:\ntds.dit" "<originalDrive>:\<pathToOriginalDatabaseFile>\ntds.dit"

(...)
14. Restart AD DS. At the command prompt, type the following command, and then press ENTER:

net start ntds

Reference: http://technet.microsoft.com/en-us/library/cc794920%28v=ws.10%29.aspx

QUESTION 85
Your company uses an application that stores data in an Active Directory Lightweight Directory Services (AD LDS) instance named Instance1.

You attempt to create a snapshot of Instance1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can take a snapshot of Instance1.

What should you do?

Exhibit:

A. At the command prompt, run net start VSS.

B. At the command prompt, run net start Instance1.

C. Set the Start Type for the Instance1 service to Disabled.
D. Set the Start Type for the Volume Shadow Copy Service (VSS) to Manual.

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

How to fix the error "0x80042302" in Windows 7?

(...)
Normally this error is related to backup and system restore. Check whether Volume Shadow Copy Service, System Restore Service is started and Set to Automatic

1. Type Services.msc in Start Menu search box, hit Enter.
2. Make sure that the Volume Shadow Copy Service is running and set on Automatic.
3. If the Status of System Restore Service is not Started, Start it. Also set it on Automatic if it is not.
4. Restart your computer.

Reference: http://www.askiyogi.com/windows/17372.html

We could also arrive at this solution by a process of elimination. We don't need to start Instance1 - it is already running. If it weren't, we'd get a different message ("AD service must be running in order to perform this operation").

We wouldn't disable the service for Instance1, as it is needed to access the instance so we can take a snapshot.

Setting the Startup Type for the Volume Shadow Copy Service (VSS) to Manual would prevent it from running on-demand when the snapshot operation is requested. This would prevent us from taking the snapshot!

So the only option left is to start VSS (meaning whatever is supposed to automatically trigger it isn't working).

QUESTION 86
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers. The servers are configured as shown in the following table.

You need to ensure that users can manually enroll and renew their certificates by using the Certificate Enrollment Web Service.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Configure the policy module setting.
B. Configure the issuance requirements for the certificate templates.
C. Configure the Certificate Services Client - Certificate Enrollment Policy group policy setting.
D. Configure the delegation setting for the Certification Enrollment Web Service application pool account.

Correct Answer: BD
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

If all of the following conditions are true, then you must configure delegation for the Web service account:
The certification authority (CA) and the Certificate Enrollment Web Service are installed on separate computers. (MY NOTE: This is the case with Server1 and Server2)
The Web service authentication type is Windows integrated authentication or client certificate authentication.
The Web service is not configured for renewal-only mode.

Reference: http://technet.microsoft.com/en-us/library/dd759201.aspx

An issuance policy (also known as an enrollment or certificate policy) is a group of administrative rules that is implemented when issuing certificates. (MY NOTE: This is what controls the requirements for certificates before they can be issued after a template. If users are enrolling manually, we have to set this up so the server knows how to handle those requests and what info. to look for before approving them)
Reference: http://technet.microsoft.com/en-us/library/cc753139%28v=ws.10%29.aspx

The Certificate Services Client – Certificate Enrollment Policy setting is used when we want to configure group policy to work with the Certificate Enrollment Policy Web Service (in this case, on Server3). This would be used if we were trying to automate the enrollment and renewal of certificates, but the scenario indicates we want users to do this manually.
Reference: http://technet.microsoft.com/en-us/library/dd759213.aspx

Policy modules are programs that receive requests from the Certificate Services, evaluate those requests, and specify optional properties of the certificates that are built to fill these requests. (MY NOTE: We are not given any indication that a program is needed to evaluate requests the users are making)
Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa387348%28v=vs.85%29.aspx

QUESTION 87
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 Standard.

You need to install an enterprise subordinate certification authority (CA) that supports private key archival. You must achieve this goal by using the minimum amount of administrative effort.

What do you do first?

A. Initialize the Trusted Platform Module (TPM)
B. Upgrade the member server to Windows Server 2008 R2 Standard.
C. Install the Certificate Enrollment Policy Web Service role service on the member server.
D. Run the Security Configuration Wizard (SCW) and select the Active Directory Certificate Services - Certification Authority server role template check box.

Correct Answer: B
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

Private key archival is a new feature for CAs in Server 2008 R2, so this is why the server needs to be upgraded.
Reference: http://technet.microsoft.com/en-us/library/cc730721.aspx

WRONG ANSWERS

The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.
Reference: http://technet.microsoft.com/en-us/library/dd759230.aspx

The Security Configuration Wizard is used to improve security on a computer by applying stricter policies for the services that are installed.
Reference: http://technet.microsoft.com/en-us/library/cc754997.aspx

The Trusted Platform Module is used to manage microchips that handle basic security, such as key encryption.
Reference: http://technet.microsoft.com/en-us/library/cc749022%28v=ws.10%29.aspx

QUESTION 88
You need to compact an Active Directory database on a domain controller that runs Windows Server 2008 R2.

What should you do?

A. Run defrag.exe /a /c.

B. Run defrag.exe /c /u.

C. From ntdsutil, use the files option.

D. From ntdsutil, use the metadata cleanup option.

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

Compacting the AD database is also known as an offline defragmentation. This is why MS is trying to trick us with references to the defrag.exe command.

To perform offline defragmentation of the directory database
(...)
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
Reference: http://technet.microsoft.com/en-us/library/cc794920%28v=ws.10%29.aspx

Metadata cleanup removes data from Active Directory that identifies a domain controller to the replication system. This procedure is required only for Active Directory domain controllers that were not successfully demoted using Dcpromo.
Reference: http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx

defrag.exe /a /c
This command will try to analyze the fragmentation status of all volumes in the system.

defrag.exe /c /u
This command will try to defrag all volumes in the system and give us a progress indicator along the way.

Reference: http://technet.microsoft.com/en-us/library/cc731650%28v=ws.10%29.aspx
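The ntdsutil procedure quoted in questions 84 and 88, scripted end to end as an added PowerShell example (not from the dump or from TechNet): it stops AD DS, compacts to a temporary directory, copies the result back, checks integrity, and restarts the service even if a step fails. The temporary path is a constructed value; the live database and log locations are read from the NTDS service parameters rather than assumed.

```powershell
# Added example: offline defragmentation (compaction) of ntds.dit on a 2008 R2 DC.
# Run in an elevated PowerShell on the DC. $TempDir is constructed; it needs free space at
# least equal to the current ntds.dit size.
$TempDir = 'D:\NtdsCompact'

# Locate the live database and its transaction logs from the NTDS service configuration
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$DitPath    = $ntdsParams.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
$LogDir     = $ntdsParams.'Database log files path'   # e.g. C:\Windows\NTDS

function Invoke-Ntdsutil {
    # Runs ntdsutil with one argument per prompt entry and fails on a non-zero exit code
    param([string[]]$Commands)
    & ntdsutil.exe @Commands
    if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed (exit $LASTEXITCODE): $($Commands -join ' ')" }
}

try {
    New-Item -ItemType Directory -Path $TempDir -Force | Out-Null

    # Step 3: stop AD DS. /y also stops dependents such as the KDC, DNS Server and DFS Replication,
    # which is why the "minimize downtime" answer is net stop ntds rather than a reboot into DSRM.
    net stop ntds /y
    if ((Get-Service ntds).Status -ne 'Stopped') { throw 'AD DS did not stop' }

    # Keep the original so the copy-back below can be reversed if integrity fails
    Copy-Item $DitPath (Join-Path $TempDir 'ntds.dit.bak') -Force

    # Steps 4-8: activate the instance, enter the files context, compact to the temporary directory
    Invoke-Ntdsutil @('activate instance ntds', 'files', "compact to $TempDir", 'quit', 'quit')

    # Step 9c: copy the compacted database over the original, then delete the old log files
    Copy-Item (Join-Path $TempDir 'ntds.dit') $DitPath -Force
    Get-ChildItem (Join-Path $LogDir '*.log') | Remove-Item -Force

    # Verify the copied database before the directory goes back online
    Invoke-Ntdsutil @('activate instance ntds', 'files', 'integrity', 'quit', 'quit')
}
finally {
    # Step 14: restart AD DS whatever happened above
    net start ntds
    Write-Host ("NTDS service is now {0}" -f (Get-Service ntds).Status)
}
```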

QUESTION 89
Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume enterprise certification authority (CA).

You need to minimize the amount of network bandwidth required to validate a certificate.

What should you do?

A. Modify the settings of the delta certificate revocation list (CRL).
B. Configure an Online Certification Status Protocol (OCSP) responder.
C. Configure an LDAP publishing point for the certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Correct Answer: B
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

An OCSP responder does not need a full CRL but can still respond to and validate certificate requests, so using it reduces the load from the enterprise CA.

Changing settings for the delta CRL could reduce the amount of data transmitted with each CRL, but depending on the frequency with which it's published, could still generate high-volume traffic compared to the OCSP.

Using DFS does not reduce the amount of data that is being transmitted over the network.

QUESTION 90
Your network contains an Active Directory domain named contoso.com.

Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1.

You need to view the most recent user accounts authenticated by RODC1.

What should you do first?

A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now.

B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now.

C. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.

D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

We view user accounts in a domain using ADUC, not AD Sites and Services. As per Technet, we must do this from a writeable DC, so we use our snap-in to connect to DC1 rather than RODC1.

To view authenticated accounts using Active Directory Users and Computers
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(...)
Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

QUESTION 91
Your network contains a single Active Directory domain. The domain contains an enterprise certification authority (CA).

You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database.

You modify the e-mail certificate template to support key archival.

What should you do next?

A. Run certreq.exe -policy

B. Run certutil.exe -recoverkey

C. Issue the key recovery agent certificate template
D. Modify the location of the Authority Information Access (AIA) distribution point

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

certutil.exe -recoverkey recovers archived keys, but the e-mail certificate template does not have key archival by default. So we need to create a recovery agent. However, this cannot be done until we issue the recovery agent template.

The AIA extension specifies where to find up-to-date certificates for the CA.
Reference: http://technet.microsoft.com/en-us/library/cc776904%28v=ws.10%29.aspx

certreq.exe -policy
This command sets the policy for a request. (...) If you type certreq -policy without any additional parameter it will open a dialog window so you can select the request file.
Reference: http://technet.microsoft.com/library/cc725793.aspx

QUESTION 92
You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC).

What should you do?

A. Run the dsrm.exe command and specify the -u parameter.

B. Run the repadmin.exe command and specify the /prp parameter.

C. From Active Directory Sites and Services, modify the properties of the RODC computer object.
D. From Active Directory Users and Computers, modify the properties of the RODC computer object.

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

In addition to reviewing the list of authenticated users, you may decide to periodically clean up the list of accounts that are authenticated to the RODC. Cleaning up this list may help you more easily determine the new accounts that have authenticated through the RODC.

Membership in the Domain Admins group of the domain in which the RODC is a member, or equivalent, is the minimum required to complete this procedure.

To clear all entries from the list, run the command repadmin /prp delete <hostname> auth2 /all. Substitute the actual host name of the RODC that you want to clear.

Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx
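An added PowerShell example (not from the dump or from TechNet) for the repadmin purge above: it archives the auth2 list to a timestamped file before deleting it, so the record of which accounts authenticated through the RODC survives the cleanup. The RODC name and archive directory are constructed values, and the parsing assumes repadmin prints one distinguished name per line.

```powershell
# Added example: archive, then purge, the list of accounts authenticated through an RODC.
# $Rodc and $ArchiveDir are constructed values. Requires Domain Admins (see the text above).
$Rodc       = 'RODC1'
$ArchiveDir = 'C:\RodcAuditing'

function Export-RodcAuthList {
    param([string]$RodcName, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutDir ("{0}-auth2-{1}.txt" -f $RodcName, $stamp)

    # auth2 = accounts that have authenticated through this RODC (the list ADUC shows on the
    # RODC's Password Replication Policy tab under "Accounts that have been authenticated")
    $output = & repadmin.exe /prp view $RodcName auth2
    if ($LASTEXITCODE -ne 0) { throw "repadmin /prp view failed with exit code $LASTEXITCODE" }
    $output | Set-Content -Path $file

    # Assumption: each listed account appears as a DN on its own line, starting with "CN="
    $count = @($output | Where-Object { $_ -match '^\s*CN=' }).Count
    return [pscustomobject]@{ File = $file; Entries = $count }
}

function Clear-RodcAuthList {
    param([string]$RodcName, [string]$OutDir)
    $archive = Export-RodcAuthList -RodcName $RodcName -OutDir $OutDir
    Write-Host ("Archived {0} entries to {1}" -f $archive.Entries, $archive.File)

    # The purge itself, exactly the command from the quoted procedure
    & repadmin.exe /prp delete $RodcName auth2 /all
    if ($LASTEXITCODE -ne 0) { throw "repadmin /prp delete failed with exit code $LASTEXITCODE" }

    # Confirm the list is empty; a non-empty result means the purge did not take effect
    $after = @((& repadmin.exe /prp view $RodcName auth2) | Where-Object { $_ -match '^\s*CN=' }).Count
    if ($after -ne 0) { throw "$after entries remain on $RodcName after purge" }
    return $archive
}

# Usage: Clear-RodcAuthList -RodcName $Rodc -OutDir $ArchiveDir
```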

QUESTION 93
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2.

The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2008.

From a domain controller, you need to perform an authoritative restore of an organizational unit (OU).

What should you do first?

A. Restore the system state.
B. Raise the functional level of the forest.
C. Raise the functional level of the domain.
D. Modify the tombstone lifetime of the forest.

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

To do an authoritative restore, we need to load a previous version of the AD database (from before the time that replication occurred). The AD database is included in the System State backup, so this should suffice.

Since the DCs run R2, we could raise the functional level of the forest and/or domain if we wanted to use the AD Recycle Bin feature, but this cannot be used to restore objects from before the feature was implemented.

The tombstone lifetime in an Active Directory forest determines how long a deleted object (called a "tombstone") is retained in Active Directory Domain Services (AD DS).
Reference: http://technet.microsoft.com/en-us/library/cc784932%28v=ws.10%29.aspx

QUESTION 94
As the Company administrator you have installed a read-only domain controller (RODC) server at a remote location.

The remote location doesn't provide enough physical security for the server.

What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers?

A. Remove any administrative accounts from RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO.
E. None of the above

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

The Allowed RODC Password Replication group in AD contains the accounts of users whose passwords are allowed to replicate with AD.

QUESTION 95
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server.

You plan to add a new token-signing certificate to Server1.

You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.)

When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable.

You need to ensure that you can use the new certificate for AD FS.

What should you do?

Exhibit:

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer Personal Certificate store.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

When you deploy the first federation server in a new AD FS 2.0 installation, you must obtain a token-signing certificate and install it in the local computer personal certificate store on that federation server.

Reference: http://technet.microsoft.com/en-us/library/hh341466.aspx

QUESTION 96
Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed.

You need to perform an automated installation of an AD LDS instance.

Which tool should you use?

A. dism.exe

B. servermanagercmd.exe

C. adaminstall.exe

D. ocsetup.exe

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

To perform an unattended install of an AD LDS instance:
1. Create a new text file by using any text editor.
2. Specify the installation parameters.
3. At a command prompt (or in a batch or script file), change to the drive and directory that contains the AD LDS setup files.
4. At the command prompt, type the following command, and then press ENTER:
%systemroot%\ADAM\adaminstall.exe /answer:drive:\<pathname>\<filename>.txt

Reference: http://technet.microsoft.com/en-us/library/cc816774.aspx

servermanagercmd.exe, dism.exe and ocsetup.exe are all executables that can be used to manage the roles, features and services of Windows installations. They could be used to kick off the AD LDS installation wizard, but this would not be an unattended (automatic) install as the scenario asks for.
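An added PowerShell example (not from the dump or from TechNet) of the unattended install described above: it writes the [ADAMInstall] answer file, refuses LDAP/SSL ports that are already in use, runs adaminstall.exe /answer:, and checks that the instance service came up. Instance name, ports, partition and paths are constructed values; the answer-file keys follow the adaminstall answer-file format.

```powershell
# Added example: unattended AD LDS instance installation via an answer file.
# All values below are constructed; adjust them for the instance you actually need.
$InstanceName = 'Instance1'
$LdapPort     = 50000
$SslPort      = 50001
$Partition    = 'CN=App1,DC=contoso,DC=com'
$AnswerFile   = Join-Path $env:TEMP "$InstanceName-adlds.txt"

function New-AdLdsAnswerFile {
    param([string]$Name, [int]$Ldap, [int]$Ssl, [string]$Part, [string]$Path)
    # Refuse ports the live directory (389/636 on a DC) or another instance already listens on
    $busy = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
            ForEach-Object { $_.Port }
    foreach ($p in $Ldap, $Ssl) { if ($busy -contains $p) { throw "TCP port $p is already in use" } }

    $dataDir = "C:\Program Files\Microsoft ADAM\$Name\data"
    # Blank ServiceAccount/ServicePassword = run the instance as Network Service;
    # blank Administrator = the installing user becomes the instance administrator.
    $content = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$Name
LocalLDAPPortToListenOn=$Ldap
LocalSSLPortToListenOn=$Ssl
NewApplicationPartitionToCreate="$Part"
DataFilesPath=$dataDir
LogFilesPath=$dataDir
ServiceAccount=
ServicePassword=
AddPermissionsToServiceAccount=No
Administrator=
ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF"
SourceUserName=
SourcePassword=
"@
    Set-Content -Path $Path -Value $content -Encoding ASCII
    return $Path
}

function Install-AdLdsInstance {
    param([string]$Name, [string]$Answer)
    # Step 3 of the procedure: run from the directory that holds the AD LDS setup files
    Push-Location "$env:SystemRoot\ADAM"
    try {
        & .\adaminstall.exe "/answer:$Answer"
        if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe exited with code $LASTEXITCODE" }
    }
    finally {
        Pop-Location
        # The answer file would hold ServicePassword if a custom account were used, so never leave it behind
        Remove-Item $Answer -Force -ErrorAction SilentlyContinue
    }

    # Each AD LDS instance runs as a service named ADAM_<InstanceName>
    $svc = Get-Service -Name "ADAM_$Name" -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { throw "AD LDS service ADAM_$Name is not running" }
    Write-Host "AD LDS instance $Name is listening on LDAP port $LdapPort"
}

# Usage:
# $answer = New-AdLdsAnswerFile -Name $InstanceName -Ldap $LdapPort -Ssl $SslPort -Part $Partition -Path $AnswerFile
# Install-AdLdsInstance -Name $InstanceName -Answer $answer
```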

QUESTION 97
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA).

You need to ensure that only members of a group named Admin1 can create certificate templates.

Which tool should you use to assign permissions to Admin1?

A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
We need to use Active Directory Sites and Services to assign permissions to create certificate templates to global or universal groups.

You can delegate the permission to create new templates by assigning permissions to a custom universal group for the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container.

1. Log on as a member of the Enterprise Admins group or the forest root domain Domain Admins group.
2. Open the Active Directory Sites And Services console.
3. From the View menu, ensure that the Show Services Node setting is enabled.
4. In the console tree, expand Services, expand Public Key Services, and then click Certificate Templates.
5. In the console tree, right-click Certificate Templates, and then click Delegate Control.
6. In the Delegation Of Control wizard, click Next.
7. On the Users Or Groups page, click Add.
8. In the Select Users, Computers, Or Groups dialog box, type a user or group name, and then click OK.
9. On the Users Or Groups page, click Next.
10. On the Tasks To Delegate page, click Create A Custom Task To Delegate, and then click Next.
11. On the Active Directory Object Type page, click This Folder, Existing Objects In This Folder, and Creation Of New Objects In This Folder, and then click Next.
12. On the Permissions page, in the Permissions list, enable Full Control, and then click Next.
13. On the Completing The Delegation Of Control wizard page, click Finish.

Reference: Windows Server 2008 - PKI and Certificate Security (Microsoft Press, 2008) page 298

QUESTION 98
Your network contains an Active Directory forest named adatum.com.

You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you install before you create the AD RMS root cluster?

A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008

Correct Answer: E
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:
Install the database server that is used to host the AD RMS databases on a separate computer.

Reference: http://technet.microsoft.com/en-us/library/cc771789.aspx

The RMS root cluster itself issues the certificates for RMS, so we don't need AD CS.

An AD RMS root certification and licensing server running Windows Server 2008 – This server has the AD RMS role installed and is used as the root of the AD RMS hierarchy. In most scenarios, this server issues client licensor certificates, issuance licenses, and end-user licenses.
Reference: http://technet.microsoft.com/en-us/library/dd941601%28v=ws.10%29.aspx

None of the other programs are requirements for implementing AD RMS.

QUESTION 99
Your network contains an Active Directory domain named contoso.com.

The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2.

A user logs on to a computer in the branch office site.

You discover that the user's password is not stored on RODC1.

You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site computer.

What should you do?

A. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password Replication Group.

B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers.

C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user's credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.

Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417

QUESTION 100
ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008.

A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6,000 objects.

You have backed up the system state data using third-party backup software. To restore the backup, you start the domain controller in the Directory Services Restore Mode (DSRM).

You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state.

Which three actions should you perform?

Build List and Reorder:

Correct Answer:

Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:
(...)
2. (...) Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Mark an Object or Objects as Authoritative (...) (MY NOTE: See 2nd article below where we are explicitly told this requires ntdsutil)
5. Restart the domain controller normally. (MY NOTE: Obviously restarting in Safe Mode won't help us much! The DC would not be able to synchronize!)

Reference: http://technet.microsoft.com/en-us/library/cc816878.aspx

You can use this procedure to mark Active Directory objects as authoritative when you perform an authoritative restore. In this procedure, you use the ntdsutil command to select objects that are to be marked authoritative when they replicate to other domain controllers.
Reference: http://technet.microsoft.com/en-us/library/cc816813.aspx
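As an added example (not from the dump or the TechNet articles above), this is how step 4 looks when driven from PowerShell: Ntdsutil accepts its interactive commands as command-line arguments, one per prompt, so the sequence can be kept in a recovery runbook instead of being typed at the prompts. The OU distinguished name is a constructed sample, and the script assumes the DC is already in DSRM and the backup has already been restored nonauthoritatively.

```powershell
# Added example: mark a deleted OU (and everything beneath it) as authoritative
# after a nonauthoritative restore, before restarting the DC normally.
# Assumptions: DC booted into DSRM, backup restored; the DN below is a constructed sample.
$OuDn = 'OU=Sales,DC=contoso,DC=com'

# In DSRM the directory service is not running. If NTDS is running we are on a live DC,
# where this must not be attempted (per the article: stopping AD DS is not sufficient).
if ((Get-Service -Name NTDS).Status -eq 'Running') {
    throw 'AD DS is running; boot into Directory Services Restore Mode first'
}

# Each quoted argument is one Ntdsutil command at the current prompt level:
#   ntdsutil:              activate instance ntds
#   ntdsutil:              authoritative restore
#   authoritative restore: restore subtree <DN>
#   quit, quit
# "restore subtree" raises the version numbers of the OU and its children
# (by default 100000 per day since the backup), so the restored objects win
# on replication instead of being deleted again by the other domain controllers.
# Ntdsutil asks for confirmation in a dialog before it writes anything.
& ntdsutil 'activate instance ntds' 'authoritative restore' "restore subtree $OuDn" quit quit

# Ntdsutil reports the number of records updated and writes an ar_*.txt list of the
# restored objects (and, where group back-links need repairing, an ar_*.ldf file)
# in the current directory. Review them before rebooting into normal mode (step 5).
Get-ChildItem -Path (Get-Location) -Filter 'ar_*' | Select-Object Name, Length, LastWriteTime
```

The guard on the NTDS service is deliberately blunt: it cannot prove the machine is in DSRM, but it does stop the script from running against a live directory by mistake.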

QUESTION 101
Your company plans to open a new branch office. The new office will have a low-speed connection to the Internet.

You plan to deploy a read-only domain controller (RODC) in the branch office.

You need to create an offline copy of the Active Directory database that can be used to install Active Directory on the new RODC.

Which commands should you run from Ntdsutil?

To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Build List and Reorder:

Correct Answer:


Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
Explanation:

Installing AD DS from Media
You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.

To create installation media
1. Click Start, right-click Command Prompt, and then click Run as administrator to open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER: ntdsutil
3. At the ntdsutil prompt, type the following command, and then press ENTER: activate instance ntds
4. At the ntdsutil prompt, type the following command, and then press ENTER: ifm
5. At the ifm: prompt, type the command for the type of installation media that you want to create (as listed in the table earlier in this topic), and then press ENTER. For example, to create RODC installation media, type the following command, and then press ENTER:

create rodc C:\InstallationMedia

where C:\InstallationMedia is the path to the folder where you want the installation media to be created.

You can save the installation media to a network shared folder or to any other type of removable media.

Reference: http://technet.microsoft.com/en-us/library/cc770654.aspx

QUESTION 102
Your network contains an Active Directory domain named contoso.com.

The Administrator deletes an OU named OU1 accidentally.

You need to restore OU1. Which cmdlet should you use?

A. Get-ADObject cmdlet.

B. Get-ADOrganizationalUnit cmdlet.

C. Get-ADUser cmdlet.

D. Get-ADGroup cmdlet.

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
Explanation:

You can also restore a deleted Active Directory object by using the Get-ADObject and Restore-ADObject Active Directory module for Windows PowerShell cmdlets. The recommended approach is to use the Get-ADObject cmdlet to retrieve the deleted object and then pass that object through the pipeline to the Restore-ADObject cmdlet.
Reference: http://technet.microsoft.com/en-us/library/dd379509.aspx

The other cmdlets are used to search for or retrieve the respective objects into the pipeline, so they can be manipulated. However, this will only retrieve certain properties of the objects. The Get-ADObject cmdlet, as its name implies, grabs the entire object (including all properties!) from the directory.
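Added example (not from the dump or the TechNet article): the Get-ADObject / Restore-ADObject pipeline for an OU that contained objects. The point the one-liner in the answer hides is ordering: a child cannot be restored until its parent exists again, so the OU is restored first and its former children are then found through their lastKnownParent attribute. The domain and OU name are constructed samples, and the Active Directory Recycle Bin is assumed to be enabled.

```powershell
# Added example: restore a deleted OU and then the objects it used to contain.
# Assumptions: AD Recycle Bin enabled; OU name and domain DN are constructed samples.
Import-Module ActiveDirectory

$OuName   = 'OU1'
$DomainDn = 'DC=contoso,DC=com'
$Deleted  = "CN=Deleted Objects,$DomainDn"

# Deleted objects are only returned with -IncludeDeletedObjects. Their RDN is mangled
# ("OU1\0ADEL:<guid>"), so match on msDS-LastKnownRDN, which keeps the original name.
$deletedOu = @(Get-ADObject -SearchBase $Deleted -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(objectClass=organizationalUnit)(msDS-LastKnownRDN=$OuName))" `
    -Properties lastKnownParent, whenChanged)

if ($deletedOu.Count -eq 0) { throw "No deleted OU named '$OuName' in the Recycle Bin" }
if ($deletedOu.Count -gt 1) {
    $deletedOu | Format-Table ObjectGUID, lastKnownParent, whenChanged -AutoSize
    throw "Several deleted OUs are named '$OuName'; restore the right one by ObjectGUID"
}

# Step 1: restore the container itself, back to where it was (lastKnownParent).
$deletedOu[0] | Restore-ADObject
$restoredDn = "OU=$OuName,$($deletedOu[0].lastKnownParent)"
"Restored $restoredDn"

# Step 2: restore everything whose last known parent was that OU. Their
# lastKnownParent records the OU's original DN, so this is what we filter on.
# Nested OUs would need this step repeated for each restored child OU.
$children = @(Get-ADObject -SearchBase $Deleted -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(lastKnownParent=$restoredDn))")
$children | Restore-ADObject
"Restored $($children.Count) child object(s) into $restoredDn"
```

Restored objects come back with their original attributes, SIDs and group memberships (that is the difference from an authoritative restore of a tombstone), so there is nothing to re-ACL afterwards.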

QUESTION 103
Your network contains two Active Directory forests named contoso.com and adatum.com. Active Directory Rights Management Services (AD RMS) is deployed in contoso.com. An AD RMS trusted user domain (TUD) exists between contoso.com and adatum.com.

From the AD RMS logs, you discover that some clients that have IP addresses in the adatum.com forest are authenticating as users from contoso.com.

You need to prevent users from impersonating contoso.com users.

What should you do?

A. Configure trusted e-mail domains.
B. Enable lockbox exclusion in AD RMS.
C. Create a forest trust between adatum.com and contoso.com.
D. Add a certificate from a third-party trusted certification authority (CA).

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

For each trusted user domain, you must specify which e-mail domains are trusted. It is an important security step to configure e-mail domains, otherwise it may be possible for a user from a trusted user domain to impersonate an internal user.
Reference: http://technet.microsoft.com/en-us/library/dd983944%28v=ws.10%29.aspx

A forest trust would have been needed to set up the RMS environment in the first place.

If you have enabled exclusion based on lockbox version, clients that are using a version of the lockbox software that is earlier than the specified version cannot acquire rights account certificates or use licenses because their requests will be denied.
Reference: http://technet.microsoft.com/en-us/library/cc747700%28v=ws.10%29.aspx

QUESTION 104
Active Directory Rights Management Services (AD RMS) is deployed on your network.

You need to configure AD RMS to use Kerberos authentication.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Register a service principal name (SPN) for AD RMS.
B. Register a service connection point (SCP) for AD RMS.
C. Configure the identity setting of the _DRMSAppPool1 application pool.
D. Configure the useAppPoolCredentials attribute in the Internet Information Services (IIS) metabase.

Correct Answer: AD
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

If you plan to use Active Directory Rights Management Services (AD RMS) with Kerberos authentication, you must take additional steps to configure the server running AD RMS after installing the AD RMS server role and provisioning the server. Specifically, you must perform these procedures:

Set the Internet Information Services (IIS) useAppPoolCredentials variable to True
Set the Service Principal Names (SPN) value for the AD RMS service account

Reference: http://technet.microsoft.com/en-us/library/dd759186.aspx

The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the AD RMS certification cluster.
Reference: http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx

The RMS Web services run within the context of an IIS application pool (...) The application pool for the Web site you provision is called "_DRMSAppPool1."
Reference: http://technet.microsoft.com/en-us/library/cc747609%28v=ws.10%29.aspx
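The two procedures from the answer as commands, added as an example (not from the dump or the TechNet article). The cluster host name and service account are constructed samples; the script assumes AD RMS is already installed and provisioned and that it runs elevated on the AD RMS server by someone allowed to write SPNs on the service account.

```powershell
# Added example: the two configuration steps AD RMS needs for Kerberos.
# Assumptions (constructed samples): cluster URL host name and service account below.
$ClusterFqdn    = 'rms.contoso.com'      # host name in the AD RMS cluster URL
$ServiceAccount = 'CONTOSO\svc_adrms'    # account the _DRMSAppPool1 pool runs as

# Step 1: SPNs. A client asks the KDC for a ticket to HTTP/<cluster host>; that name
# must be registered on exactly one account. setspn -S refuses to add a duplicate
# SPN, which matters because a duplicate silently breaks Kerberos for both accounts.
& setspn -S "HTTP/$ClusterFqdn" $ServiceAccount
& setspn -S "HTTP/$($ClusterFqdn.Split('.')[0])" $ServiceAccount   # short name too

# Step 2: useAppPoolCredentials. With kernel-mode authentication IIS decrypts tickets
# with the machine account by default; the ticket above is encrypted for the service
# account, so IIS must be told to use the application pool identity instead.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
& $appcmd set config /section:system.webServer/security/authentication/windowsAuthentication `
    /useAppPoolCredentials:true /commit:apphost

# Verify both settings; the SPN list should show the two HTTP entries and the
# windowsAuthentication section should report useAppPoolCredentials="true".
& setspn -L $ServiceAccount
& $appcmd list config /section:system.webServer/security/authentication/windowsAuthentication
```

Registering the SCP (answer B) and changing the pool identity (answer C) are not part of this: the SCP only tells clients where the cluster is, and the pool already runs as the service account after provisioning.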

QUESTION 105
Your network contains a single Active Directory domain. Active Directory Rights Management Services (AD RMS) is deployed on the network.

A user named User1 is a member of only the AD RMS Enterprise Administrators group.

You need to ensure that User1 can change the service connection point (SCP) for the AD RMS installation. The solution must minimize the administrative rights of User1.

To which group should you add User1?

A. AD RMS Auditors
B. AD RMS Service Group
C. Domain Admins
D. Schema Admins

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To register the SCP you must be a member of the local AD RMS Enterprise Administrators group and the Active Directory Domain Services (AD DS) Enterprise Admins group, or you must have been given the appropriate authority.
Reference: http://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection-point.aspx

MY NOTE: Based on this article, I would think this should be Enterprise Admins, but that's not a choice. So we have to use elimination. Per the article below, neither of the "AD RMS" groups provide the feature we need, and Schema Admins is only needed for updating the schema (which would be done when RMS is first deployed). That leaves us with the Domain Admins group.

AD RMS Auditors
Members of this group can only access the reports feature in the AD RMS console.


(...) There is also the AD RMS Service Group. Members of this group act as the AD RMS service account. During the installation of AD RMS, the user account designated as the service account is automatically added to this group.
Reference: http://technet.microsoft.com/en-us/library/cc731135.aspx

QUESTION 106
Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest.

You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest.

What should you do?

A. Create an external trust from nwtraders.com to contoso.com.
B. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
C. Create an external trust from contoso.com to nwtraders.com.
D. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

It is not necessary to create trust or federation relationships between the Active Directory forests of organizations to be able to share rights-protected information (MY NOTE: This is why we don't need to create an external trust) between separate organizations. AD RMS provides two types of trust relationships that provide this kind of rights-protected information exchange. A trusted user domain (TUD) allows the AD RMS root cluster to process requests for client licensor certificates or use licenses from users whose rights account certificates (RACs) were issued by a different AD RMS root cluster. You add a trusted user domain by importing the server licensor certificate of the AD RMS cluster to trust. (MY NOTE: We add a TUD to the contoso.com cluster because it is hosting the content - it needs to be able to trust users from nwtraders.com)

Reference: http://technet.microsoft.com/en-us/library/hh311036.aspx

QUESTION 107
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to reset the Directory Services Restore Mode (DSRM) password on a domain controller.

What tool should you use?

A. dsmod

B. ntdsutil

C. Local Users and Groups snap-in
D. Active Directory Users and Computers snap-in

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
Explanation:


The ntdsutil command is used for configuring and managing directory services. The official procedure for resetting the DSRM password is as follows:
ntdsutil
set dsrm password
reset password on server null

The DSRM password is not associated with a user account, so we would not use Local Users and Groups or Active Directory Users and Computers. Similarly, dsmod allows us to edit objects in AD, not manage directory service properties and configuration.

QUESTION 108
Your network contains an Active Directory domain named contoso.com.

You need to identify whether the Active Directory Recycle Bin is enabled.

What should you do?

A. From Ldp, search for the LostAndFound container.
B. From Ldp, search for the Reanimate-Tombstones object.
C. From Windows PowerShell, run the Get-ADObject cmdlet.

D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
Explanation:

Q. How do I enable the Active Directory (AD) Recycle Bin?
A. Once you've raised the forest level to Windows Server 2008 R2, you need to use the Enable-ADOptionalFeature cmdlet to enable the Recycle Bin for the forest. (...) You can check if the Recycle Bin is enabled by viewing the AD optional features:
PS C:\> Get-ADOptionalFeature -filter {name -like "*"}

Reference: http://windowsitpro.com/windows/q-how-do-i-enable-active-directory-ad-recycle-bin

WRONG ANSWERS

Get-ADObject allows us to bring AD objects into PowerShell's pipe so we can manipulate them. We must specifically use this to restore objects from the Recycle Bin, but the scenario asks us how to identify if the Recycle Bin is even enabled.

The LostAndFound container holds objects with conflicting states, before replication occurs.

"In some cases, an administrator might create or move an object into a container on one domain controller and another administrator might delete that same container on a different domain controller before the object is replicated. In such cases, the object is added to the LostAndFound container for the domain."
Reference: http://technet.microsoft.com/en-us/library/bb727059.aspx

QUESTION 109
Your company has a domain controller server that runs the Windows Server 2008 R2 operating system. The server is a backup server. The server has a single 500-GB hard disk that has three partitions for the operating system, applications, and data. You perform daily backups of the server.


The hard disk fails. You replace the hard disk with a new hard disk of the same capacity.

You restart the computer on the installation media. You select the Repair your computer option.

You need to restore the operating system and all files.

What should you do?

A. Select the System Image Recovery option.
B. Run the imagex utility at the command prompt.

C. Run the wbadmin utility at the command prompt.

D. Run the rollback utility at the command prompt.

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
Explanation:

We have to use wbadmin here because we have been taking backups of the server daily (implicitly by using Windows Server Backup).

System Image Recovery will overwrite a hard drive with a previously created system image, which would give us both OS and files, but we are not told that a system image was ever created. Even then, creating system images is something that is not often done regularly or nightly.

Rollback is a developer's tool. It was designed to purge the registry of any information added since the GUI phase of installation (MY NOTE: This means it wipes your registry back to a clean install of Windows - this is destructive, and will not give us the OS+files from before the hdd failure)
Reference: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/WindowsNTGotchaRollback.exe.html

imagex is for mounting VHDs used in a deployment system.
Reference: http://technet.microsoft.com/en-us/library/cc722145%28v=ws.10%29.aspx

QUESTION 110
Your network contains an Active Directory domain named Contoso.com. Contoso.com contains an enterprise certification authority (CA) named CA1.

You enable Secure Socket Tunneling Protocol (SSTP) on a server named Server1.

A user named User1 attempts to establish an SSTP connection to Server1 and receives the following error message:
"Error 0x80092013: The revocation function was unable to check revocation because the revocation server was offline."

You verify that all certificates services are online.

You need to ensure that User1 can connect to Server1 by using SSTP.

What should you do first?

A. Configure User1 for certificate auto enrollment.
B. Configure a pre-shared key for IPSec on User1's computer.
C. Add a certificate to Server1 that contains Server1.contoso.com as a Subject Alternative Name (SAN).
D. Publish the certificate revocation list distribution point (CDP) to a location that is accessible from the Internet.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services
Explanation

Explanation/Reference:
Explanation 1:

Symptom 6: Client tries to connect to SSTP VPN server and it fails to connect giving error message 0x80092013

Trouble-shooting steps: This will happen if client is failing the certificate revocation check of the SSL certificate obtained from server side. Ensure the CRL check servers on the server side are exposed on the Internet. This is because CRL check is done on the client side during SSL connection establishment phase and the CRL check query will be directly going on the Internet.

Reference: http://support.microsoft.com/kb/961880

Explanation 2:

If all certificate services are indeed online locally, our problem must be that User1's computer can't access them from his internet connection. We can remedy this by specifying an appropriate CDP that is accessible from the Internet.

The CDP extension specifies where to find up-to-date CRLs that are signed by the CA.
Reference: http://technet.microsoft.com/en-us/library/cc776904%28v=ws.10%29.aspx

WRONG ANSWERS

IPSec with SSL VPN is an alternative solution to SSTP, so certainly we don't need to configure anything for IPSec.
Reference: http://www.windowsecurity.com/articles-tutorials/firewalls_and_VPN/Secure-Socket-Tunneling-Protocol.html

Autoenrollment is not likely to be used over a tunnel, and the error message does not indicate a problem with enrollment.

A new feature in digital certificates is the Subject Alternative Name property. This allows you to have a certificate for more than one URI (i.e. www.c7solutions.com and www.c7solutions.co.uk) in the same certificate. It also means that in web servers such as IIS you can bind this certificate to the site and use up only one IP address.
Reference: http://blogs.technet.com/b/industry_insiders/archive/2007/03/23/creating-subject-alternative-name-certificates-with-microsoft-certificate-server.aspx

SIDE NOTE: This question may also come up with a different error message, such as "Error 0xBC(...)Access not CRL Server". The answer is still the same.
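Added example (not from the dump or any of the articles above): reproducing the client side of the check that fails with 0x80092013. It reads the CRL Distribution Points extension out of the server certificate and tries to fetch each URL, which is exactly what the SSTP client does during the TLS handshake. Run from the same network as the failing client to see which CDP is unreachable. The certificate path is a constructed sample; the certificate could equally be taken from Cert:\LocalMachine\My.

```powershell
# Added example: list the CDP URLs in a certificate and test them from this network.
# Assumption: the server certificate has been exported to the constructed path below.
$CertPath = 'C:\temp\server1.cer'

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as
    # text with one "URL=..." per distribution point, which avoids ASN.1 decoding here.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(?<url>\S+)') |
        ForEach-Object { $_.Groups['url'].Value }
}

function Test-CdpUrl {
    param([string[]] $Url, [int] $TimeoutSec = 10)
    foreach ($u in $Url) {
        $reachable = $false; $detail = ''
        try {
            # An ldap:/// CDP is only resolvable inside the forest; HttpWebRequest cannot
            # fetch it, so it lands in the catch block and is reported as unreachable,
            # which is the right verdict for an Internet client.
            $req = [System.Net.HttpWebRequest]::Create($u)
            $req.Method  = 'HEAD'
            $req.Timeout = $TimeoutSec * 1000
            $resp = $req.GetResponse()
            $reachable = ([int]$resp.StatusCode -eq 200)
            $detail    = "HTTP $([int]$resp.StatusCode)"
            $resp.Close()
        } catch {
            $detail = $_.Exception.Message     # DNS failure, timeout, 404, scheme not supported
        }
        New-Object PSObject -Property @{ Url = $u; Reachable = $reachable; Detail = $detail }
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$results = Get-CdpUrl -Certificate $cert | Test-CdpUrl
$results | Select-Object Url, Reachable, Detail | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.Reachable })) {
    Write-Warning 'No CDP in this certificate is reachable from here; expect 0x80092013 on SSTP connect'
}
```

The same ground truth is available with certutil -verify -urlfetch against the exported certificate; the script above just makes the per-URL result explicit, and it also covers the issuing CA's own certificate if you pass that instead, since revocation is checked for every certificate in the chain.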

QUESTION 111
Your network contains an Active Directory domain. You create and mount an Active Directory snapshot.

You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do?


Exhibit:

A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.

B. Change the value of the dbpath parameter, and then rerun dsamain.exe.

C. Change the value of the ldapport parameter, and then rerun dsamain.exe.

D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
The error message says that the file is already in use. This makes sense, as in the exhibit, dbpath points to C:\Windows\NTDS\ntds.dit, the location of a running Active Directory database. We need to run this command against the snapshot, which would be stored in another path.

Reference: http://technet.microsoft.com/en-us/library/cc772168.aspx

If we stopped AD DS, we might be able to run our command, but we'd be doing so against the live AD database, not the snapshot!

The ldapport parameter is fine, as it is configured for a port higher than 50000 and will not conflict with AD.

Our error doesn't indicate a problem with VSS so we do not need to restart it.

QUESTION 112
Your network contains an Active Directory domain.

You need to activate the Active Directory Recycle Bin in the domain.

Which tool should you use?

A. Dsamain


B. Set-ADDomain

C. Add-WindowsFeature

D. Ldp


Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe

Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx

QUESTION 113
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The forest contains a single domain.

You need to ensure that objects can be restored from the Active Directory Recycle Bin.

Which tool should you use?

A. Ntdsutil

B. Set-ADDomain

C. Dsamain

D. Enable-ADOptionalFeature

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment
Explanation

Explanation/Reference:
After the forest functional level of your environment is set to Windows Server 2008 R2, you can enable Active Directory Recycle Bin by using the following methods:

Enable-ADOptionalFeature Active Directory module cmdlet (This is the recommended method.)
Ldp.exe

Reference: http://technet.microsoft.com/en-us/library/dd379481.aspx
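One script covering question 108 (is the Recycle Bin enabled?) and questions 112 and 113 (enabling it), added here as an example that is not from the dump or the TechNet article. It assumes an Enterprise Admin session on a machine with the Active Directory module; the forest name comes from Get-ADForest rather than being hard-coded.

```powershell
# Added example: check the Active Directory Recycle Bin state and enable it if needed.
# Assumption: run as a member of Enterprise Admins with the ActiveDirectory module available.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Filter { name -eq 'Recycle Bin Feature' }

# EnabledScopes lists the naming contexts the feature is enabled for; an empty list
# means the Recycle Bin is off (question 108). This is the check Get-ADObject cannot do.
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled. Scopes: $($feature.EnabledScopes -join '; ')"
    return
}

# Prerequisite: forest functional level Windows Server 2008 R2 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ($forest.ForestMode -lt $required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $required before enabling the Recycle Bin"
}

# Enabling is a one-way operation for the forest, so keep the confirmation prompt
# instead of passing -Confirm:$false.
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target $forest.RootDomain

# Re-read and report; the feature is enabled for the forest as a whole.
(Get-ADOptionalFeature -Filter { name -eq 'Recycle Bin Feature' }).EnabledScopes
```

Once enabled, deleted objects keep their attributes for msDS-DeletedObjectLifetime (which defaults to the tombstone lifetime) and can be restored with Get-ADObject -IncludeDeletedObjects | Restore-ADObject; objects deleted before the feature was turned on are plain tombstones and are not recoverable this way.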

QUESTION 114
Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office.

You need to ensure that users at the branch office are able to log on to the domain by using the RODC.


What should you do?

A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.
D. Configure the Password Replication Policy on the RODC.

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To allow individual RODCs to cache user and computer credentials in specific locations, configure the Allowed and Denied Lists on the Password Replication Policy tab for the properties of each individual RODC account in the Domain Controllers OU.
Reference: https://sites.google.com/a/pccare.vn/it/ent-admin-pages/password-replication-policy-facts

We wouldn't add another RODC, as users aren't even able to log on to the first one yet! It is not necessary to have more than 1 RODC at a branch office.

We wouldn't change the replication interval, as we have no reason to suspect that replication is not happening or is out-of-date.

A bridgehead server is a domain controller (DC) that functions as the primary route of Active Directory (AD) replication data moving into and out of sites.
Reference: http://windowsitpro.com/systems-management/bridgehead-servers

QUESTION 115
Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office.

You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep /rodcprep command.

Correct Answer: BD
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

Complete the following prerequisites before you deploy a read-only domain controller (RODC):
Ensure that the forest functional level is Windows Server 2003 or higher (MY NOTE: The scenario specifies we are at the 2003 level so nothing needs to be done with functional levels)
Run Adprep.exe commands to prepare your existing forest and domains for domain controllers that run Windows Server 2008 or Windows Server 2008 R2 (...)


1. Prepare the forest and domains. There are three adprep commands to complete and have the changes replicate throughout the forest. Run the three commands as follows:

*) Prepare the forest by running adprep /forestprep on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role to update the schema. (...)
*) Prepare the domain by running adprep /domainprep /gpprep on the server that holds the infrastructure operations master role. (...)
*) If you are installing an RODC in an existing Windows Server 2003 domain, you must also run adprep /rodcprep. (...)

Deploy at least one writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the same domain as the RODC (...)

Reference: http://technet.microsoft.com/en-us/library/cc731243%28v=ws.10%29.aspx

QUESTION 116
One of the remote branch offices is running a Windows Server 2008 read only domain controller (RODC). For security reasons you don't want some critical credentials like (passwords, encryption keys) to be stored on the RODC.

What should you do so that these credentials are not replicated to any RODC's in the forest? (Each correct answer presents part of the solution. Choose two.)

A. Configure RODC filtered attribute set on the server
B. Configure RODC filtered set on the server that holds Schema Operations Master role.
C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain
D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set.
E. None of the above

Correct Answer: BD
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. (...) Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set.

Reference: http://technet.microsoft.com/en-us/library/cc753223.aspx

We can restrict administrative permissions for an RODC but this will only control who is allowed to manage theserver. Critical credential information will still be replicated.

QUESTION 117
ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003.

You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there.

You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office.


What should you do to set up the RODC on the computer in the branch office?

A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by using deploying the image of AD DS
E. none of the above

Correct Answer: B
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

To install an RODC on a Server Core installation of Windows Server 2008, you must perform an unattended installation of AD DS.

Reference: http://technet.microsoft.com/en-us/library/cc754629.aspx

QUESTION 118
You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security.

You need to activate non-administrative accounts' passwords on that RODC server.

Which of the following actions should be considered to populate the RODC server with non-administrative accounts' passwords?

A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive As for administrative accounts on the security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles
Explanation

Explanation/Reference:
Explanation:

If we want only non-administrative users to have passwords populated on the RODC, we basically would want to deny replication to administrative accounts. We would have a limited number of administrative accounts so it would be easy to simply deny replication to them.

We don't want to delete administrative accounts from the RODC's group; this would keep us from being able to administer the RODC.

Adding a new GPO with Account Lockout settings would help us control how account lockouts are handled on the RODC but does not help us populate passwords.

The "Receive As" permission is related to Exchange Servers.


QUESTION 119
ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed.

Users in remote offices complain that they are unable to log on to their accounts.

What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?

A. Open the RODC computer account security tab and set Allow on Receive As permission only for the users that are unable to log on to their accounts

B. Add a Password Replication Policy to the main domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication Allowed group on the main RODC server
D. Configure and add a separate Password Replication Policy on each RODC computer account

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

The scenario basically says we have multiple sites, each with their own RODC. But we want each RODC to only cache accounts for that local site. Cached credentials are configured by assigning accounts to the groups in the Password Replication Policy tab on each computer account in ADUC. So the simplest way to do what we need is to configure each RODC's Password Replication Policy to cache accounts for users only at that local site.

Configuring a unique group for each office would be a possible way to start, but this answer goes on to suggest adding those groups to the PRP on the main RODC server. This will cache every branch office user at the main office, not on their individual branch office only. Similarly, adding a PRP to the main office's RODC with the user accounts would suffer the same fault.

The "Receive As" permission is related to Exchange Servers.

QUESTION 120
Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link.

You discover that the cached password for a user named User1 is compromised on the RODC.

On a domain controller in Site1, you change the password for User1.

You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC.

Which tool should you use?

A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

repadmin /rodcpwdrepl
Triggers replication of passwords for the specified users from a writable Windows Server 2008 source domain controller to one or more read-only domain controllers (RODCs).

Reference: http://technet.microsoft.com/en-us/library/cc742095.aspx

QUESTION 121
Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC).

You need to configure the RODC to store only the passwords of users in the remote site.

What should you do?

A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and the Denied RODC Password Replication Group.

These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy.

Reference: http://technet.microsoft.com/en-us/library/cc730883.aspx

QUESTION 122
Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2.

You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3.

What should you do first?

A. Run dcpromo.exe /createdcaccount on DC3.

B. Run ntdsutil.exe on DC2.

C. Run dcpromo.exe /adv on DC3.

D. Run ntdsutil.exe on DC1.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
We can run dcpromo.exe /adv on DC3 to install a new writable DC using the Install From Media (IFM) option to reduce replication traffic. But before we can do that, we have to create the installation media first. This is done with ntdsutil. This must be done on DC1 rather than DC2, as DC2 is an RODC.

"You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently." (...) "You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller."

Reference: http://technet.microsoft.com/en-us/library/cc770654.aspx

QUESTION 123
Your network contains an Active Directory domain. The domain contains several domain controllers.

You need to modify the Password Replication Policy on a read-only domain controller (RODC).

Which tool should you use?

A. Group Policy Management
B. Active Directory Domains and Trusts
C. Active Directory Users and Computers
D. Computer Management
E. Security Configuration Wizard

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(...)

Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

QUESTION 124
Your network contains an Active Directory domain. The domain contains five sites. One of the sites contains a read-only domain controller (RODC) named RODC1.

You need to identify which user accounts can have their password cached on RODC1.

Which tool should you use?

A. Repadmin

B. Dcdiag

C. Get-ADDomainControllerPasswordReplicationPolicyUsage

D. Adtest


Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

repadmin /prp
Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

(...)

<List_Name>
Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

(...)
allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.
deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

Reference: http://technet.microsoft.com/en-us/library/cc835090.aspx

The Get-ADDomainControllerPasswordReplicationPolicyUsage cmdlet gets the user or computer accounts that are authenticated by a read-only domain controller (RODC) or that have passwords that are stored on that RODC.

DCDiag is used to test general problems that can occur in AD environments.

Adtest is a performance testing tool for AD.
Reference: http://www.microsoft.com/en-us/download/details.aspx?id=15275

QUESTION 125
Your network contains an Active Directory domain named litwareinc.com. The domain contains two sites named Site1 and Site2. Site2 contains a read-only domain controller (RODC).

You need to identify which user accounts attempted to authenticate to the RODC.

Which tool should you use?

A. Active Directory Users and Computers
B. Ntdsutil

C. Get-ADAccountResultantPasswordReplicationPolicy

D. Adtest

Correct Answer: A
Section: (none)

Explanation/Reference:

Periodically, you should review whose accounts have been authenticated to an RODC. (...)
You can use Active Directory Users and Computers or repadmin /prp to review whose accounts have been authenticated to an RODC.

Reference: http://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-6ebb9d7fa6bf(v=ws.10)#BKMK_Auth2

Get-ADAccountResultantPasswordReplicationPolicy is used to get the members of the allowed list or denied list of a read-only domain controller's password replication policy. Get-ADDomainControllerPasswordReplicationPolicyUsage could be used, but is not listed.
Reference: http://technet.microsoft.com/en-us/library/ee617207.aspx

ntdsutil is used for offline management of the AD database and files.

Adtest is a performance testing tool for AD.
Reference: http://www.microsoft.com/en-us/download/details.aspx?id=15275
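Questions 120, 124 and 125 above all come down to the same defensive routine for an RODC: know which accounts it is allowed to cache, which it has actually cached or authenticated, and how to push a reset password to it immediately after a cached credential is compromised. The PowerShell below is an added example, not part of the exam dump or of Microsoft's documentation; it assumes the hypothetical names RODC1 (the RODC), DC1 (a writable hub DC) and User1 (the compromised account), and needs the ActiveDirectory module and repadmin on a domain-joined management host.

```powershell
# Added example (not from the exam dump). Hypothetical names: RODC1 = the
# read-only DC, DC1 = a writable DC in the hub site, User1 = the account whose
# cached password was found to be compromised.
Import-Module ActiveDirectory

$Rodc  = 'RODC1'
$HubDc = 'DC1'
$User  = 'User1'

# 1. Policy: which principals MAY have passwords cached on RODC1, and which
#    may NEVER be cached. Same data as "repadmin /prp view RODC1 allow|deny".
Write-Host "== Allowed list (msDS-RevealOnDemandGroup) =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass

Write-Host "== Denied list (msDS-NeverRevealGroup) =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Reality: which accounts currently HAVE a secret stored on RODC1.
#    If the RODC is ever stolen or compromised, every account on this list
#    needs a password reset, so keep it as short as the site's users require.
Write-Host "== Accounts with passwords cached on $Rodc =="
$Revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$Revealed | Select-Object SamAccountName, ObjectClass

# 3. Usage: which accounts have authenticated through RODC1 (cached or not).
#    Reviewing this periodically shows whether the PRP matches real usage,
#    e.g. admins logging on at a branch whose passwords should never be cached.
Write-Host "== Accounts that authenticated via $Rodc =="
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object SamAccountName, ObjectClass

# 4. Resultant policy for one account on this RODC. Deny takes precedence
#    over Allow, so a user in both lists resolves to Denied.
Write-Host "== Resultant PRP for $User on $Rodc =="
Get-ADAccountResultantPasswordReplicationPolicy -Identity $User -DomainController $Rodc

# 5. Incident response (Question 120): after the password has been reset on a
#    writable DC, replicate ONLY that account's new secret to the RODC now,
#    instead of waiting for the scheduled replication cycle over the WAN link.
#    Syntax: repadmin /rodcpwdrepl <RODC> <source writable DC> <user DN> [...]
$UserDn = (Get-ADUser -Identity $User).DistinguishedName
repadmin /rodcpwdrepl $Rodc $HubDc $UserDn
```

Run step 2 after step 5 to confirm that the account is still on the revealed list (the RODC now holds the new secret) and that the compromised value is no longer cached.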

QUESTION 126
Your company has an Active Directory forest that contains multiple domain controllers. The domain controllers run Windows Server 2008.

You need to perform an authoritative restore of a deleted organizational unit and its child objects.

Which four actions should you perform in sequence? (To answer, move the appropriate four actions from the list of actions to the answer area, and arrange them in the correct order.)

Select and Place:

Correct Answer:


Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

If you are performing authoritative restore on a domain controller that has already received replication of the deletions, perform the following procedures on the recovery domain controller:
(...)
2. (...) Restore from backup requires restarting the domain controller in DSRM. Taking the domain controller offline by stopping AD DS is not sufficient to run Ntdsutil procedures to restore from backup.
3. Restore AD DS from Backup (Nonauthoritative Restore)
4. Mark an Object or Objects as Authoritative
(...)
5. Restart the domain controller normally. (MY NOTE: Obviously restarting in Safe Mode won't help us much! The DC would not be able to synchronize!)

Reference: http://technet.microsoft.com/en-us/library/cc816878.aspx

QUESTION 127
Your network contains an Active Directory domain. The relevant servers in the domain are configured as shown in the following table:

You need to ensure that all device certificate requests use the MD5 hash algorithm.

What should you do?

A. On Server2, run the Certutil tool.

B. On Server1, update the CEP Encryption certificate template.
C. On Server1, update the Exchange Enrollment Agent (Offline Request) template.
D. On Server3, set the value of the HKLM\Software\Microsoft\Cryptography\MSCEP\HashAlgorithm\HashAlgorithm registry key.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

The hash algorithm for certificate requests is chosen when the CA is configured. After the CA is set up, it can only be modified by editing the appropriate registry entries for Microsoft's cryptography provider.

certutil has options to apply a hash over existing files but cannot change the algorithm used for certificate requests.

The CEP Encryption template allows a computer account to serve as a registration authority for simple enrollment requests.

The Exchange Enrollment Agent (Offline Request) template is used to request certificates on behalf of another subject/user.

QUESTION 128
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA) named Server1 and a server named Server2.

On Server2, you deploy Network Policy Server (NPS) and you configure a Network Access Protection (NAP) enforcement policy for IPSec.

From the Health Registration Authority snap-in on Server2, you set the lifetime of health certificates to four hours.

You discover that the validity period of the health certificates issued to client computers is one year.

You need to ensure that the health certificates are only valid for four hours.

What should you do?

A. Modify the Request Handling settings of the certificate template used for the health certificates.
B. Modify the Issuance Requirements settings of the certificate template used for the health certificates.
C. On Server1, run certutil.exe -setreg policy\editflags +editf_attributeenddate.
D. On Server1, run certutil.exe -setreg dbflags +dbflags_enablevolatilerequests.

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

Use the following procedure to allow the CA to issue the new health certificate template. This procedure applies to an enterprise NAP CA only.

To allow template validity period override

1. On the NAP CA, click Start, click Run, right-click Command Prompt, and then click Run as administrator.
2. In the command window, type Certutil.exe -setreg policy\EditFlags +EDITF_ATTRIBUTEENDDATE, and then press ENTER.
3. In the command window, type net stop certsvc && net start certsvc, and then press ENTER.
4. Verify that Active Directory Certificate Services (AD CS) stops and starts successfully.

Reference: http://technet.microsoft.com/en-us/library/dd296906(v=ws.10).aspx


QUESTION 129
An Active Directory database is installed on the C volume of a domain controller.

You need to move the Active Directory database to a new volume.

What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.

B. Move the ntds.dit file to the new volume by using Windows Explorer.

C. Move the ntds.dit file to the new volume by running the Move-Item command in Microsoft Windows PowerShell.

D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

(...)

QUESTION 130
Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates.

You need to implement key archival.

What should you do?

A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.

Correct Answer: D
Section: (none)

Explanation/Reference:

(...)

QUESTION 131
Your company has an Active Directory domain. All servers run Windows Server.

You deploy a Certification Authority (CA) server.

You create a new global security group named CertIssuers.

You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates. What should you do?

A. Assign the Certificate Manager role to the CertIssuers group
B. Place CertIssuers group in the Certificate Publisher group
C. Run the certsrv -add CertIssuers command from the command prompt of the certificate server
D. Run the Add-Member -membertype memberset CertIssuers command by using Microsoft Windows PowerShell

Correct Answer: A
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

(...)

QUESTION 132
Company has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1.

You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server.

What should you do to perform offline critical updates on CKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on CKDC1
B. Disconnect from the network and start the Windows update feature
C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates.
D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again.
E. None of the above

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

(...)

QUESTION 133
Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level.

As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents.

You need to configure AD RMS to enable users to use it and protect their documents.

What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user.
B. Add and configure ADRMSADMIN account in local administrators group on the user computers
C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group
D. Reinstall the Active Directory domain on user computers
E. All of the above

Correct Answer: A
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

(...)

QUESTION 134
You had installed an Active Directory Federation Services (AD FS) role on a Windows Server 2008 in your organization.

Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and that the Federation server is operational.

What should you do? (Select all that apply)

A. Go to Services tab, and check if Active Directory Federation Services is running
B. In the event viewer, Applications, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federation Service URL for the new federation server.
D. None of the above

Correct Answer: BC
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
1. Log on to a client computer with Internet access.
2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.
3. Press ENTER.

Note - At this point your browser should display the error Server Error in '/adfs' Application. This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).

4. Log on to the federation server proxy.
5. Click Start, point to Administrative Tools, and then click Event Viewer.
6. In the details pane, double-click Application.
7. In the Event column, look for event ID 674.

Reference: http://technet.microsoft.com/en-us/library/cc734875.aspx

QUESTION 135
Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows Server 2008.

You need to deploy Active Directory Rights Management Services (AD RMS) to secure all documents and spreadsheets and to provide user authentication.

What do you need to configure, in order to complete the deployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company_DC1
B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_DC1
C. Upgrade all client computers to Windows Vista. Install AD RMS on Company_SRV5
D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_SRV5
E. None of the above

Correct Answer: D
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

QUESTION 136
You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure.

Because you have limited media resources, you decided to back up only a specific AD LDS instance instead of taking a backup of the entire volume.

What should you do to accomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS

B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance

C. Move AD LDS database and log files on a separate volume and use windows server backup utility
D. None of the above

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

With the Dsdbutil.exe tool, you can create installation media that corresponds only to the AD LDS instance that you want to back up, as opposed to backing up entire volumes that contain the AD LDS instance.

Reference: http://technet.microsoft.com/en-us/library/cc730941.aspx

QUESTION 137
Your network contains an Active Directory domain named contoso.com.

Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable.

You need to configure Server2 as an enterprise subordinate CA.


What should you do first?

Exhibit:

A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log in as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:

Is it to upgrade to R2 Enterprise instead? There is some confusion over this.
(...)

QUESTION 138
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2.

You need to remove Instance2 from Server1 without affecting Instance1.

Which tool should you use?


A. NTDSUtil

B. Dsdbutil

C. Programs and Features in the Control Panel
D. Server Manager

Correct Answer: C
Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

To remove an AD LDS instance
1. To open Programs and Features, click Start, click Settings, click Control Panel, and then double-click Programs and Features.
2. Locate and click the AD LDS instance that you want to remove.
3. Click Uninstall.

Note: It is not necessary to restart the computer after you remove an AD LDS instance.

Reference: http://technet.microsoft.com/en-us/library/cc794886.aspx

QUESTION 139
Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Build List and Reorder:

Correct Answer:

Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:
During the installation of the AD RMS root cluster we need to select a configuration database, so we need to install SQL Server 2008 first. Next we need to install the AD RMS root cluster; only then can we install the AD RMS licensing-only cluster. The last step is to deploy the AD RMS policy templates.

Before you install AD RMS
Before you install Active Directory Rights Management Services (AD RMS) on Windows Server® 2008 R2 for the first time, there are several requirements that must be met:

(...)

In addition to pre-installation requirements for AD RMS, we strongly recommend the following:
Install the database server that is used to host the AD RMS databases on a separate computer.
(...)

Reference: http://technet.microsoft.com/en-us/library/cc771789.aspx

A root AD RMS cluster must already be present in the AD DS forest before you can install the licensing-only cluster.
Reference: http://technet.microsoft.com/en-us/library/cc772087.aspx

QUESTION 140
You need to modify the Password Replication Policy on a read-only domain controller (RODC).

Which tool should you use?

To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:


Section: 70-648 Configuring Additional Active Directory Server Roles

Explanation/Reference:

To configure the PRP using Active Directory Users and Computers
1. Open Active Directory Users and Computers as a member of the Domain Admins group.
2. Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain.
(...)

Reference: http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy.aspx

QUESTION 141
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 and a domain controller named DC1.

On Server1, you configure a collector-initiated subscription for the Application log of DC1. The subscription is configured to collect all events.

After several days, you discover that Server1 failed to collect any events from DC1, although there are more than 100 new events in the Application log of DC1.

You need to ensure that Server1 collects events from DC1.


What should you do?

A. On Server1, run wecutil quick-config.
B. On Server1, run winrm quickconfig.
C. On DC1, run wecutil quick-config.
D. On DC1, run winrm quickconfig.

Correct Answer: D
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:

Since the subscription was created, wecutil quick-config has already run on Server1. The only thing left is to configure DC1 to forward the events, using winrm quickconfig.

To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

Reference: http://technet.microsoft.com/en-us/library/cc748890.aspx

QUESTION 142
A network contains an Active Directory Domain Services (AD DS) domain. Active Directory is configured as shown in the following table.

The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2003.

Active Directory replication between the Seattle site and the Chicago site occurs from 8:00 P.M. to 1:00 A.M. every day.

At 7:00 A.M. an administrator deletes a user account while he is logged on to DC001.

You need to restore the deleted user account. You must achieve this goal by using the minimum administrative effort.

What should you do?

A. On DC006, stop AD DS, perform an authoritative restore, and then start AD DS.
B. On DC001, run the Restore-ADObject cmdlet.
C. On DC006, run the Restore-ADObject cmdlet.
D. On DC001, stop AD DS, restore the system state, and then start AD DS.

Correct Answer: A
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
We cannot use Restore-ADObject, because Restore-ADObject is a part of the Recycle Bin feature, and you can only use Recycle Bin when the forest functional level is set to Windows Server 2008 R2. In the question text it says "The functional level of the forest is Windows Server 2003."


We can perform the restore directly from DC006 because replication hasn't occurred yet (and won't occur until 8 PM). This is also why we don't need a backup from a previous state.

Reference: http://technet.microsoft.com/nl-nl/library/dd379481.aspx

Authoritative restore of AD DS has the following requirements:
(...)
You must stop the Active Directory Domain Services service before you run the ntdsutil authoritative restore command and restart the service after the command is complete.

Reference: http://technet.microsoft.com/en-us/library/cc755296.aspx

QUESTION 143
A company has an Active Directory forest. You plan to install an offline Enterprise root certification authority (CA) on a server named CA1. CA1 is a member of the PerimeterNetwork workgroup and is attached to a hardware security module for private key storage.

You attempt to add the Active Directory Certificate Services (AD CS) server role to CA1. The Enterprise CAoption is not available.

You need to install the AD CS server role as an Enterprise CA on CA1.

What should you do first?

A. Add the DNS Server server role to CA1.
B. Add the Web Server (IIS) server role and the AD CS server role to CA1.
C. Add the Active Directory Lightweight Directory Services (AD LDS) server role to CA1.
D. Join CA1 to the domain.

Correct Answer: D
Section: 70-648 Configuring Active Directory Certificate Services
Explanation

Explanation/Reference:
Explanation:

The scenario states the computer is currently part of a workgroup, in a perimeter network. An Enterprise CA must be a member of the domain, because it reads certificate templates from AD DS and publishes its certificate and CRL there. The setup wizard only offers the Enterprise option on a domain-joined computer, so joining the domain has to come first; the HSM has no bearing on which CA types are offered. Note that an enterprise CA has to stay online and domain-joined to work, so in practice a root CA that is kept offline is installed as a standalone CA.


Network Infrastructure, Configuring

QUESTION 1
Your network contains a Windows Server Update Services (WSUS) server named Server1. All client computers are configured to download updates from Server1. Server1 is configured only to synchronize manually to Microsoft Update.

Your company deploys a new Microsoft application. You discover that the new application is not listed on the Products and Classifications list.

You synchronize the WSUS server. You need to ensure that updates for the new application are available to all of the client computers.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Select and Place:

Correct Answer:


Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

We are explicitly told the application is not on the Products and Classifications list, so we first need to customize that list to include the new application. After that is done, we have to synchronize the server again (see the reference below): the list only shows products that WSUS learned about from an earlier synchronization, and the updates for a newly selected product are only downloaded on the next one. Finally, we need to approve the updates so they become available to clients.

"You may have to do an initial synchronization to get some products to appear in the list of product classifications."
Reference: http://technet.microsoft.com/en-us/library/cc720453%28v=ws.10%29.aspx
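The three steps above (select the product, synchronize, approve) as an added PowerShell example that is not from the original dump. It uses the WSUS administration API directly because the UpdateServices module only shipped with Windows Server 2012; the product title and the target group name are assumptions, and the script is meant to run on Server1 itself.

```powershell
# Added example: select a product, resynchronize, approve its updates.
# Product title and target group are assumptions.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$ProductTitle = 'Contoso LOB Application'   # assumed title as shown under Products and Classifications
$TargetGroup  = 'All Computers'             # assumed approval target

# 1. Add the product to the subscription. The catalogue only lists products that an
#    earlier synchronization brought down, hence the explicit check.
$subscription = $wsus.GetSubscription()
$product = $wsus.GetUpdateCategories() | Where-Object { $_.Title -eq $ProductTitle }
if (-not $product) { throw "Product '$ProductTitle' is not in the catalogue yet; synchronize first and re-run." }

$categories = $subscription.GetUpdateCategories()
if (-not ($categories | Where-Object { $_.Id -eq $product.Id })) {
    [void]$categories.Add($product)
    $subscription.SetUpdateCategories($categories)
    $subscription.Save()
}

# 2. Synchronize again so the metadata for the new product is downloaded.
$subscription.StartSynchronization()
do {
    Start-Sleep -Seconds 30
} while ($subscription.GetSynchronizationStatus() -ne [Microsoft.UpdateServices.Administration.SynchronizationStatus]::NotProcessing)

# 3. Approve the product's not-yet-approved updates for installation on the target group.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $TargetGroup }
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
[void]$scope.Categories.Add($product)

foreach ($update in $wsus.GetUpdates($scope)) {
    if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }
    [void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
}
```

Approving for "All Computers" is the answer the question wants; in production you would approve for a pilot group first and let the rest follow, since an approval is effectively a push of code to every client in the group.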

QUESTION 2Your network contains a server named Server1 that runs Windows Server 2008 R2.

You enable IPSec on Server1.

You need to identify which client computers have active IPSec associations to Server1.

Which administrative tool should you use to achieve this task?

To answer, select the appropriate tool from the answer area.

Hot Area:


Correct Answer:

Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

On Windows Server 2008 and later, IPsec is managed through Windows Firewall with Advanced Security (WFAS), the central place for connection security rules and their monitoring. Its Monitoring node lists the active main mode and quick mode security associations, including the remote address of every peer, which is exactly the information the question asks for. The same data is available from the command line with netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa.

"Firewall settings are now integrated with Internet Protocol security (IPsec) settings"

References:
http://technet.microsoft.com/en-us/library/cc748991%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc753765.aspx

QUESTION 3
You have an application server that runs Windows Server 2008 R2.

You need to configure Windows Firewall to allow communications on the server as shown in the following table.


What is the minimum number of firewall rules you should create?

A. 4
B. 2
C. 1
D. 3

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

One rule can cover the whole outbound port range 3400-3402, because a single firewall rule accepts a port range. Inbound port 3433 needs a separate rule, because every rule has exactly one direction. Two rules is therefore the minimum.
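The two rules created with netsh advfirewall, as an added example that is not part of the original dump. The protocol (TCP) and the rule names are assumptions; the question's table is not reproduced here.

```powershell
# Added example: the minimum two rules. TCP and the rule names are assumptions.

# Rule 1: a single outbound rule covers the entire 3400-3402 range.
netsh advfirewall firewall add rule name=AppOut3400-3402 dir=out action=allow protocol=TCP remoteport=3400-3402

# Rule 2: inbound 3433 needs its own rule, because direction is a per-rule property.
netsh advfirewall firewall add rule name=AppIn3433 dir=in action=allow protocol=TCP localport=3433

# Verify both rules exist with the expected direction and ports.
foreach ($name in 'AppOut3400-3402', 'AppIn3433') {
    netsh advfirewall firewall show rule name=$name | Select-String 'Enabled|Direction|Protocol|Port'
}
```

The outbound rule only matters if the profile's default outbound action has been changed to Block (netsh advfirewall show currentprofile shows it); with the default of Allow, outbound 3400-3402 already passes, and only the inbound rule changes behaviour.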

QUESTION 4
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two servers named Server1 and Server2 that run Windows Server 2008 R2.

DirectAccess is deployed on Server2. You need to configure Server1 as a network location server (NLS).

Which Web Server (IIS) role service should you install on Server1?

A. IP and Domain Restrictions
B. Request Filtering
C. IIS Client Certificate Mapping Authentication
D. URL Authorization

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation 1:

If your DirectAccess server is acting as the network location server, you must install the Web Server (IIS) server role with the IP and Domain Restrictions role service.
Reference: http://technet.microsoft.com/en-us/library/ee649160%28WS.10%29.aspx

MY NOTE: At first this seems to be a direct reference specific to our scenario, and perhaps it is intended to be. But it says to install this role when the same server is acting as both DirectAccess server (Server2) and NLS. The question asks what to install on Server1 to configure it as NLS. So I offer an attempt below to explain how this still is the right answer.

Explanation 2:


When a DirectAccess client computer enters the internal network, it connects to the network location server over HTTPS
(...)
The network location server is a Web site with an HTTPS server certificate.
(...)
The network location server must not be accessible to DirectAccess clients connecting from the Internet.

Reference: http://technet.microsoft.com/en-us/library/gg315317.aspx

MY NOTE: The above explains why we need IIS for DirectAccess. It also states what we need to do with IIS - prevent clients from hitting the NL web server over the internet. This means we need to restrict access to the site in IIS, and that is precisely the purpose of the "IP and Domain Restrictions" role for IIS.
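As an added example that is not part of the original dump: installing the role service on Server1 and applying the restriction to the NLS site with appcmd. The site name and the internal address range are assumptions. The restriction is defence in depth only; the primary control is that the NLS host name is never published in external DNS and never reachable through the DirectAccess server.

```powershell
# Added example: IIS with IP and Domain Restrictions on the NLS, limited to the intranet.
# Site name and address range are assumptions.
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-IP-Security      # Web Server (IIS) + "IP and Domain Restrictions"

$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
$site   = 'Default Web Site'                        # assumed NLS site; it must carry an HTTPS binding
$section = 'system.webServer/security/ipSecurity'

# Deny every address that is not explicitly listed...
& $appcmd set config "$site" -section:$section /allowUnlisted:false /commit:apphost

# ...and allow only the internal range that clients use when they are on the intranet.
& $appcmd set config "$site" -section:$section /+"[ipAddress='10.0.0.0',subnetMask='255.0.0.0',allowed='True']" /commit:apphost

# Show the resulting configuration for review.
& $appcmd list config "$site" -section:$section
```

If intranet clients reach the NLS over IPv6 (native or ISATAP), the corresponding IPv6 prefixes have to be listed as well, otherwise those clients are denied and will keep believing they are on the Internet.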

QUESTION 5
Your company hires 10 new employees. You want the new employees to connect to the main office through a VPN connection.

You create new user accounts and grant the new employees the Allow Read and Allow Execute permissions to shared resources in the main office.

The new employees are unable to access shared resources in the main office.

You need to ensure that users are able to establish a VPN connection to the main office.

What should you do?

A. Grant the new employees the Allow Full control permission.
B. Grant the new employees the Allow Access Dial-in permission.
C. Add the new employees to the Remote Desktop Users security group.
D. Add the new employees to the Windows Authorization Access security group.

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

On Windows Server 2008 the default Network Access Permission of a user account is "Control access through NPS Network Policy", so whether the user may connect is decided by the network policies on the NPS or RRAS server. Since no policy granting these users access is mentioned, the implicit deny at the end of policy evaluation applies and the connection is refused. Setting the accounts to "Allow access" grants the connection explicitly: the access permission of the network policies is then ignored for these users, although the constraints and settings of the matching policy still apply.

We need to make sure users can establish a VPN connection, so there is no reason to touch file share permissions (they already have Read and Execute) by assigning Full Control.

Adding users to the RD Users group will let them use RDP to get to the server, but the scenario states theyneed to be able to establish a VPN connection.

Windows Authorization Access Group: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects (MY NOTE: This would give users access to certain AD attributes, not help them get connected to VPN)
Reference: http://www.techrepublic.com/blog/datacenter/a-closer-look-at-windows-server-2008s-active-directory-users-and-computers/364
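The Dial-in tab setting as an added PowerShell example that is not part of the original dump. It covers all three states of the Network Access Permission, not only the "Allow access" the question asks for; the OU that holds the new hires is an assumption.

```powershell
# Added example: set the Network Access Permission (Dial-in tab) of user accounts.
# The OU path is an assumption.
Import-Module ActiveDirectory

function Set-DialinPermission {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny', 'Policy')][string]$Mode
    )
    # msNPAllowDialin is the attribute behind the Dial-in tab:
    #   TRUE    = Allow access
    #   FALSE   = Deny access
    #   not set = Control access through NPS Network Policy (the 2008 default)
    switch ($Mode) {
        'Allow'  { Set-ADUser -Identity $Identity -Replace @{ msNPAllowDialin = $true } }
        'Deny'   { Set-ADUser -Identity $Identity -Replace @{ msNPAllowDialin = $false } }
        'Policy' { Set-ADUser -Identity $Identity -Clear msNPAllowDialin }
    }
}

$newHires = 'OU=NewHires,DC=contoso,DC=com'   # assumed location of the ten new accounts

Get-ADUser -SearchBase $newHires -Filter * |
    ForEach-Object { Set-DialinPermission -Identity $_.SamAccountName -Mode Allow }

# Verify: TRUE for every account that should now be able to connect.
Get-ADUser -SearchBase $newHires -Filter * -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin
```

Per-user "Allow access" is the quick fix the question wants. For more than a handful of accounts the maintainable design is to leave them on "Control access through NPS Network Policy" and grant access with a group-based network policy, so that access is revoked by a group removal rather than by editing each account.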

QUESTION 6
Your company has a main office and a branch office. You discover that when you disable IPv4 on a computer in the branch office, the computer authenticates by using a domain controller in the main office.


You need to ensure that IPv6-only computers authenticate to domain controllers in the same site.

What should you do?

A. Configure the NTDS Site Settings object.
B. Create Active Directory subnet objects.
C. Create Active Directory Domain Services connection objects.
D. Install an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) router.

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

IPv4 was disabled on the computer, forcing it to use IPv6 only. The fact that it then authenticated against a domain controller in the main office tells us that the DC locator could not map the computer's IPv6 address to the branch office site: no IPv6 subnet object is associated with that site, so the client is treated as belonging to no site and takes a domain controller from anywhere in the domain. Creating subnet objects for the branch's IPv6 prefixes and associating them with the branch site makes IPv6-only clients prefer the local domain controllers.

ISATAP tunnels IPv6 traffic over IPv4 networks, but the computer already reaches a domain controller over IPv6, so connectivity is not the problem; site assignment is.

NTDS Site Settings and AD connection objects are used for configuring AD replication and topology.
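Creating the IPv6 subnet object and binding it to the branch site, as an added PowerShell example that is not part of the original dump. It uses New-ADObject because New-ADReplicationSubnet only arrived with the Windows Server 2012 AD module; the prefix and the site name are assumptions.

```powershell
# Added example: an IPv6 subnet object for the branch site. Prefix and site name are assumptions.
Import-Module ActiveDirectory

$Prefix   = '2001:db8:10::/64'   # assumed IPv6 prefix of the branch office
$SiteName = 'Branch'             # assumed AD site of the branch office

$config  = (Get-ADRootDSE).configurationNamingContext
$sitesDN = "CN=Sites,$config"
$siteDN  = "CN=$SiteName,$sitesDN"

# A subnet can only point at an existing site.
if (-not (Get-ADObject -Filter { objectClass -eq 'site' -and name -eq $SiteName } -SearchBase $sitesDN)) {
    throw "Site '$SiteName' does not exist"
}

# The subnet object's name is the prefix itself; siteObject is the link to the site.
New-ADObject -Name $Prefix -Type subnet -Path "CN=Subnets,$sitesDN" -OtherAttributes @{ siteObject = $siteDN }

# Check: every subnet in the forest and the site it maps to. A client whose address
# falls into none of these prefixes is assigned to no site and can pick any DC.
Get-ADObject -Filter { objectClass -eq 'subnet' } -SearchBase "CN=Subnets,$sitesDN" -Properties siteObject |
    Select-Object Name, @{ n = 'Site'; e = { ($_.siteObject -split ',')[0] -replace '^CN=' } }
```

On the branch client, nltest /dsgetsite should report the branch site once the new subnet object has replicated and the client has restarted the Netlogon service or rebooted.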

QUESTION 7
Your network contains one Active Directory domain. You have a member server named Server1 that runs Windows Server 2008 R2. The server has the Routing and Remote Access Services role service installed.

You implement Network Access Protection (NAP) for the domain.

You need to configure the Point-to-Point Protocol (PPP) authentication method on Server1.

Which authentication method should you use?

A. Challenge Handshake Authentication Protocol (CHAP)
B. Extensible Authentication Protocol (EAP)
C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
D. Password Authentication Protocol (PAP)

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

All of these are valid PPP authentication methods, but NAP VPN enforcement requires PEAP (PEAP-MS-CHAP v2 or PEAP-TLS), because the client's statement of health travels inside the EAP exchange. Plain CHAP, MS-CHAP v2 and PAP cannot carry it, so EAP is the only choice that works with NAP; EAP-TLS and PEAP-TLS, which authenticate with certificates, are also the most secure of the listed methods.

QUESTION 8
You deploy a Windows Server 2008 R2 VPN server behind a firewall. Remote users connect to the VPN by using portable computers that run Windows 7.

The firewall is configured to allow only secured Web communications. You need to enable remote users to connect as securely as possible. You must achieve this goal without opening any additional ports on the firewall.


What should you do?

A. Create an IPsec tunnel.
B. Create an SSTP VPN connection.
C. Create a PPTP VPN connection.
D. Create an L2TP VPN connection.

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

The firewall only allows secured web (HTTPS, TCP 443) connections, so we need a VPN type that runs over an SSL/TLS channel on that port. SSTP is the only listed type that does so. PPTP needs TCP 1723 plus GRE (IP protocol 47), L2TP/IPsec needs UDP 500, UDP 4500 and ESP, and a plain IPsec tunnel needs IKE and ESP as well; none of those pass a firewall that only permits HTTPS.

"Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mechanism to transport PPP or L2TP traffic through an SSL 3.0 channel."
Reference: http://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol

QUESTION 9
Network Access Protection (NAP) is configured for the corporate network. Users connect to the corporate network by using portable computers.

The company policy requires confidentiality of data when the data is in transit between the portable computers and the servers.

You need to ensure that users can access network resources only from computers that comply with the company policy.

What should you do?

A. Create an IPSec Enforcement network policy.
B. Create an 802.1X Enforcement network policy.
C. Create a Wired Network (IEEE 802.3) Group Policy.
D. Create an Extensible Authentication Protocol (EAP) Enforcement network policy.

Correct Answer: A
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

For the most secure and effective NAP deployment on your network, deploy strong enforcement methods, such as the Internet Protocol security (IPsec), 802.1X, and virtual private network (VPN) enforcement methods. (MY NOTE: We would choose IPSec here over 802.1X because IPSec performs encryption ("confidentiality of data"); 802.1x is merely a method of access control, specifying whether or not a certain client can connect)
Reference: http://technet.microsoft.com/en-us/library/cc755120%28v=ws.10%29.aspx

Wired Network (IEEE 802.3) Policies - Group Policy Management Console (GPMC). You can use the Wired Network (IEEE 802.3) Policies to specify and modify configuration settings for Windows Vista clients that are equipped with network adapters and drivers that support Wired AutoConfig Service.


Reference: http://technet.microsoft.com/en-us/library/cc731321%28v=ws.10%29.aspx

"Confidentiality of data" implies that we need encryption. EAP is an authentication method, not an encryptionmethod.

QUESTION 10
Your company's corporate network uses Network Access Protection (NAP). Users are able to connect to the corporate network remotely.

You need to ensure that data transmissions between remote client computers and the corporate network are as secure as possible.

What should you do?

A. Apply an IPsec NAP policy.
B. Configure a NAP policy for 802.1X wireless connections.
C. Configure VPN connections to use MS-CHAP v2 authentication.
D. Restrict Dynamic Host Configuration Protocol (DHCP) clients by using NAP.

Correct Answer: A
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

IPsec is the strongest NAP enforcement method: compliant computers obtain a health certificate and use it to authenticate their IPsec connections, so noncompliant hosts cannot even complete a connection to protected servers. With the connection security rules set to require ESP encryption, the data itself is also encrypted between client and server, which is what "as secure as possible" asks for. Note that NAP IPsec enforcement on its own only authenticates; the encryption requirement has to be configured in the IPsec policy.

MS-CHAP v2 is password-based and only authenticates the user; it does nothing for the data stream by itself. DHCP enforcement is the weakest NAP method, because a client that configures a static IP address bypasses it entirely.

Users are trying to connect remotely, so I'm not sure why you'd want to make a policy for wireless connectionsonly. Remote users are not likely to be associating with your local access points :)

QUESTION 11Your company has Active Directory Certificate Services (AD CS) and Network Access Protection (NAP)deployed on the network.

You need to ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network.

What should you do?

A. Configure all access points to use 802.1X authentication.
B. Configure all portable computers to use MS-CHAP v2 authentication.
C. Use the Group Policy Management Console to access the wireless Group Policy settings, and enable the Prevent connections to ad-hoc networks option.
D. Use the Group Policy Management Console to access the wireless Group Policy settings, and disable the Prevent connections to infrastructure networks option.

Correct Answer: A
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:


802.1X authentication at the access point forces every wireless client to authenticate through NPS before it gets network access, and NAP 802.1X enforcement uses that RADIUS exchange to evaluate the client's health and to place noncompliant clients on a restricted VLAN or behind IP filters. Without 802.1X on the access points there is no enforcement point for wireless clients at all.

MS-CHAP v2 is a password-based authentication method; on its own it cannot carry health information or enforce a NAP policy.

Restricting the types of wireless networks a user can connect to does not enforce NAP, and disabling the infrastructure-network restriction changes nothing for clients that were already allowed to join the corporate network.

QUESTION 12
Your network contains a Network Policy Server (NPS) named NPS1.

You deploy a new NPS named NPS2.

You need to ensure that NPS2 sends all authentication requests to NPS1.

What should you modify on NPS2?

A. Health policies
B. Network policies
C. RADIUS clients
D. Remote RADIUS Server groups

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Remote RADIUS server groups specify the servers to which NPS, acting as a RADIUS proxy, forwards requests. On NPS2 you add NPS1 to such a group and then point a connection request policy at the group, so that authentication (and, if wanted, accounting) requests are forwarded instead of being processed locally.
Reference: http://technet.microsoft.com/en-us/library/cc754518.aspx

RADIUS clients specify which devices (switches, access points, VPN servers, other RADIUS proxies) are allowed to send requests to this NPS server, and the shared secret each of them must use. Adding NPS1 as a RADIUS client of NPS2 would let NPS1 send requests to NPS2, the opposite of what is needed.

Health policies define the health state a NAP client must have to match a network policy; they do not forward anything.

Network policies decide whether a connection request that NPS processes locally is authorized, and with which constraints and settings; they do not redirect requests to another server.

QUESTION 13
Your network contains a Network Policy Server (NPS) named Server1. NPS1 provides authentication for all of the VPN servers on the network.

You need to track the usage information of all VPN connections.

Which RADIUS attribute should you log?

A. Acct-Session-Id
B. Acct-Status-Type
C. Class
D. NAS-Identifier

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation


Explanation/Reference:
Explanation:

Use the RADIUS Class attribute to both track usage and simplify the identification of which department or user to charge for usage.
Reference: http://technet.microsoft.com/en-us/library/cc755120%28v=ws.10%29.aspx

Per RFC 2865, the Class attribute is sent by the RADIUS server to the client in the Access-Accept, and the client must return it unmodified in every Accounting-Request for that session. NPS fills it with a unique value for each session, which lets the accounting records of one connection be correlated, and an administrator can put an identifying value in it (for example per department) so that usage can be attributed.

The NAS-Identifier attribute contains a string identifying the NAS that originates a request; it tells you which VPN server handled a connection, not how much it was used.

The Acct-Session-Id attribute provides a unique ID for matching start/stop records in a log file.
The Acct-Status-Type attribute indicates whether a request marks the beginning of the user service (Start) or the end (Stop).

References:
http://freeradius.org/rfc/rfc2865.html
http://freeradius.org/rfc/rfc2866.html

QUESTION 14
Your network contains a Network Policy Server (NPS) named Server1. Server1 is configured to use SQL logging.

You add a second NPS server named Server2. You need to ensure that Server2 has the same RADIUS authentication and logging settings as Server1.

You export the NPS settings from Server1, and then import the settings to Server2.

What should you do next on Server2?

A. Create a new ODBC data source.
B. Run netsh.exe nps reset config.
C. Manually configure the SQL logging settings.
D. Restart the Network Policy Server (NPS) role service.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Server1 was configured to use SQL logging for the NPS service. Exporting and importing the configuration with netsh nps copies the RADIUS clients, remote RADIUS server groups, policies and the text-file logging settings, but the SQL Server logging settings (connection string and which events to log) are not part of the export. This means SQL logging must be configured manually on Server2.

An ODBC data source is used to connect to a SQL database and could be helpful in the configuration of SQL logging, but creating one does not by itself tell NPS to log to it.

Restarting the NPS service is not needed after an import, and at best it would only confirm that the imported authentication settings are in effect. The logging settings would still not be duplicated.

netsh nps reset config restores all settings on Server2 to their defaults, undoing the import of the authentication settings from Server1.
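The export and import steps from the question, plus the check a practitioner would do afterwards, as an added PowerShell example that is not part of the original dump. The first command runs on Server1, the rest on Server2 after the file has been copied; the file path is an assumption.

```powershell
# Added example: copy the NPS configuration from Server1 to Server2.
# The file path is an assumption.
$ExportFile = 'C:\NpsConfig\Server1-nps.xml'

# --- On Server1 ---
# exportPSK=YES writes the RADIUS shared secrets into the XML in clear text, so the
# file must be ACL-protected, moved over an encrypted channel and deleted after import.
netsh nps export filename="$ExportFile" exportPSK=YES

# --- On Server2 (after copying the file) ---
# The import replaces the local NPS configuration with the contents of the file.
netsh nps import filename="$ExportFile"

# What the export does not carry is SQL Server logging. Review the accounting
# settings that did arrive, then configure SQL logging in the NPS console by hand.
netsh nps show config | Select-String -Pattern 'Accounting|logging|SQL' -Context 0, 3

# Clean up the secret-bearing export file once the import has been verified.
Remove-Item -Path $ExportFile -Force
```

Without exportPSK=YES the imported RADIUS clients and remote servers arrive with empty shared secrets and every request fails authentication, which is the usual first symptom after a copy done from the console rather than from netsh.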

QUESTION 15


Your network contains an Active Directory forest. The forest contains two domains named contoso.com andeu.contoso.com.

You install a Network Policy Server (NPS) named Server1 in the contoso.com domain.

You need to ensure that Server1 can read the dial-in properties of the user accounts in the eu.contoso.com domain.

What should you do?

A. In the contoso.com domain, add Server1 to the RAS and IAS Servers group.
B. In the contoso.com domain, add Server1 to the Windows Authorization Access group.
C. In the eu.contoso.com domain, add Server1 to the RAS and IAS Servers group.
D. In the eu.contoso.com domain, add Server1 to the Windows Authorization Access group.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

For NPS to have permission to access user account credentials and dial-in properties in AD DS, the server running NPS must be registered in AD DS.
...
To register the NPS server in the default domain using Active Directory Users and Computers
1. Log on to the NPS server by using an account that has administrative credentials for the domain.
2. Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
3. In the console tree, click the Users folder in the appropriate domain.
4. In the details pane, right-click RAS and IAS Servers, and then click Properties.
5. In the RAS and IAS Servers Properties dialog box, on the Members tab, add each of the NPS servers.

Reference: http://technet.microsoft.com/en-us/library/cc754878.aspx
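Registering Server1 in the child domain from the command line, as an added PowerShell example that is not part of the original dump. The names are from the question; the membership check afterwards is what the registration actually changes.

```powershell
# Added example: register the NPS server Server1 (contoso.com) in eu.contoso.com.
Import-Module ActiveDirectory

# netsh nps can register the NPS server in a domain other than its own. Under the
# hood this adds the computer account to "RAS and IAS Servers" in that domain.
netsh nps add registeredserver domain=eu.contoso.com server=Server1

# Verify the membership in the child domain; the group is domain local there, so a
# computer from the parent domain is a valid member.
$nps     = Get-ADComputer -Identity Server1 -Server contoso.com
$members = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Server eu.contoso.com

if ($members.distinguishedName -contains $nps.DistinguishedName) {
    "Server1 is registered in eu.contoso.com"
}
else {
    # Fall back to doing the same change directly with the AD module.
    Add-ADGroupMember -Identity 'RAS and IAS Servers' -Server eu.contoso.com -Members $nps
}
```

Membership only takes effect on Server1 after its Kerberos ticket is renewed, so a reboot or a klist purge on the NPS server is the usual last step before testing a logon from eu.contoso.com.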

QUESTION 16
Your network contains a Network Policy Server (NPS) named Server1.

You need to configure a network policy for a VLAN.

Which RADIUS attributes should you add?

A. Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, NAS-Identifier
B. Tunnel-Assignment-ID, Tunnel-Preference, Tunnel-Client-Auth-ID, NAS-Port-Id
C. Tunnel-Client-Endpt, Tunnel-Server-Endpt, NAS-Port-Type, Tunnel-Password
D. Tunnel-Medium-Type, Tunnel-Pvt-Group-ID, Tunnel-Type, Tunnel-Tag


Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

To configure a network policy for VLANs
(...)
6. In Add Standard RADIUS Attribute, in Attributes, scroll down to and add the following attributes:
a. Tunnel-Medium-Type. Select a value appropriate to the previous selections you have made for the policy. For example, if the network policy you are configuring is a wireless policy, select Value: 802 (Includes all 802 media plus Ethernet canonical format).
b. Tunnel-Pvt-Group-ID. Enter the integer that represents the VLAN number to which group members will be assigned.
c. Tunnel-Type. Select Virtual LANs (VLAN).
7. In Add Standard RADIUS Attribute, click Close.
8. If your network access server (NAS) requires use of the Tunnel-Tag attribute...

Reference: http://technet.microsoft.com/en-us/library/cc772124%28v=ws.10%29.aspx

QUESTION 17
Your network contains a Network Policy Server (NPS) named NPS1 and a network access server named NAS1. NAS1 is configured to use NPS1 for authentication and accounting. A firewall separates NPS1 and NAS1.

You need to ensure that NAS1 can successfully send authentication and accounting messages to NPS1.

Which ports should you allow through the firewall?

A. TCP ports 80, 443, 389 and 1645
B. TCP ports 88, 135, 139 and 1813
C. UDP ports 53, 67, 68 and 69
D. UDP ports 1812, 1813, 1645 and 1646

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

RADIUS has been officially assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially and became the default ports assigned by many RADIUS Client/Server implementations of the time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason many RADIUS Server implementations monitor both sets of UDP ports for RADIUS requests.
Reference: http://en.wikipedia.org/wiki/RADIUS

NPS is one of those implementations: by default it listens on 1812 and 1645 for authentication and on 1813 and 1646 for accounting, and the NPS installation creates the matching Windows Firewall exceptions on the NPS host itself. The firewall between NAS1 and NPS1 is a separate device, so it must allow these UDP ports from NAS1 to NPS1 (and the replies back). RADIUS runs over UDP only, which already rules out options A and B.

Ports 80 and 443 are used for HTTP and HTTPS. Port 389 is LDAP, used by AD.

Port 88 is used for Kerberos. Port 135 is the RPC endpoint mapper. Port 139 is used for the NetBIOS Session Service.

Port 53 is used for DNS. Ports 67 and 68 are used for BOOTP/DHCP. Port 69 is used for TFTP.

QUESTION 18
Your network contains a Network Policy Server (NPS) named NPS1. NPS1 is configured for remote access account lockout.

A domain user named User1 has been locked out by NPS1.

You need to unlock the User1 user account on NPS1.

What should you use?

A. the Netsh tool
B. the Network Policy Server console
C. the Registry Editor
D. the Routing and Remote Access console

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

To manually reset a user account that has been locked out before it is automatically reset, delete the following registry subkey that corresponds to the user's account name on the remote access server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name

When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted.

NOTE
Remote access account lockout is not related to the Unlock account setting on the Account tab on the properties of a user account.

Reference: http://technet.microsoft.com/en-us/library/ff687746%28v=ws.10%29.aspx
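Listing and clearing remote access lockout entries, as an added PowerShell example that is not part of the original dump. It runs on NPS1 (the server that holds the lockout state); the NetBIOS domain name and the user name are assumptions.

```powershell
# Added example: inspect and reset remote access account lockout on the NPS/RRAS server.
# Domain and user names are assumptions.
$LockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

function Get-RemoteAccessLockoutPolicy {
    # MaxDenials = failed attempts before lockout (0 disables the feature);
    # "ResetTime (mins)" = minutes after which the counter is cleared automatically.
    Get-ItemProperty -Path $LockoutKey | Select-Object MaxDenials, 'ResetTime (mins)'
}

function Get-RemoteAccessLockout {
    # One subkey named "domain:user" exists for every account with failed attempts;
    # it disappears on a successful logon or on the automatic reset.
    Get-ChildItem -Path $LockoutKey -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
}

function Reset-RemoteAccessLockout {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$User)
    $subkey = "$LockoutKey\${Domain}:${User}"
    if (Test-Path -Path $subkey) {
        # Deleting the subkey is the documented manual reset. It does not touch the
        # AD account's own lockout flag, which is a separate mechanism.
        Remove-Item -Path $subkey
        return $true
    }
    return $false
}

Get-RemoteAccessLockoutPolicy
Get-RemoteAccessLockout
Reset-RemoteAccessLockout -Domain 'CONTOSO' -User 'User1'   # assumed NetBIOS domain and user
```

A practitioner would look at the list of subkeys before clearing anything: many entries appearing at once is a password-spraying signature against the VPN, and the lockout state is the only trace of it outside the NPS accounting log.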

QUESTION 19
Your company has a single Active Directory domain. The company network is protected by a firewall. Remote users connect to your network through a VPN server by using PPTP.

When the users try to connect to the VPN server, they receive the following error message: "Error 721: The remote computer is not responding."

You need to ensure that users can establish a VPN connection.

What should you do?

A. Open port 1423 on the firewall.
B. Open port 1723 on the firewall.
C. Open port 3389 on the firewall.
D. Open port 6000 on the firewall.

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

A PPTP tunnel is instantiated by communication to the peer on TCP port 1723.
Reference: http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol

Of the listed options, 1723 is the only PPTP port. In practice the firewall must also pass GRE (IP protocol 47), which carries the tunnelled data; a firewall that allows TCP 1723 but drops GRE is the classic cause of error 721, because the control connection succeeds and the tunnel then never comes up.

Port 1423 is not assigned to any application relevant here.

Port 3389 is used for Remote Desktop.

Port 6000 is used by the X11 window system (UNIX display server).

Reference: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

QUESTION 20
Your company has a main office and 15 branch offices. The company has a single Active Directory domain. All servers run Windows Server 2008 R2.

You need to ensure that the VPN connections between the main office and the branch offices meet the following requirements:

- All data must be encrypted by using end-to-end encryption.
- The VPN connection must use computer-level authentication.
- User names and passwords cannot be used for authentication.

What should you do?

A. Configure an IPsec connection to use tunnel mode and pre-shared key authentication.
B. Configure a PPTP connection to use version 2 of the MS-CHAP v2 authentication.
C. Configure a L2TP/IPsec connection to use the EAP-TLS authentication.
D. Configure a L2TP/IPsec connection to use version 2 of the MS-CHAP v2 authentication.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

EAP-TLS authenticates with certificates, which satisfies computer-level authentication without any user name or password, and L2TP/IPsec supplies the encryption. MS-CHAP v2 is password-based, so options B and D violate the last requirement; a pre-shared key is a secret shared by every site rather than a per-computer identity, and the plain IPsec option offers no PPP authentication at all.

QUESTION 21
Your network contains a server that runs Windows Server 2008 R2. The server has the Network Policy and Access Services server role installed.

You need to allow only members of a global group named Group1 VPN access to the network.

What should you do?

A. Add Group1 to the RAS and IAS Servers group.
B. Add Group1 to the Network Configuration Operators group.
C. Create a new network policy and define a group-based condition for Group1. Set the access permission of the policy to Access granted. Set the processing order of the policy to 1.
D. Create a new network policy and define a group-based condition for Group1. Set the access permission of the policy to Access granted. Set the processing order of the policy to 3.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation


Explanation/Reference:
Explanation:

We need to restrict VPN access to Group1, which is done with a network policy. A Windows Groups condition matches only connection requests from members of Group1, and the policy's access permission then grants them access. Anyone not matching this condition falls through to the remaining policies, and the default policies that ship with NPS deny access.

Network policies are evaluated in processing order, and the first policy whose conditions all match is the one applied. With processing order 1 the Group1 policy is evaluated before any other policy, so it cannot be pre-empted. With processing order 3, two other policies are evaluated first, and if one of them matches (for example a broad deny policy), the connection is rejected before our policy is ever reached.

The RAS and IAS Servers group gives its members (the NPS and RRAS servers themselves) permission to read the dial-in properties of user accounts; putting users into it grants them nothing.

The Network Configuration Operators group allows its members to change the TCP/IP configuration of a computer; it has no bearing on VPN access.

QUESTION 22
Your company uses Network Access Protection (NAP) to enforce policies on client computers that connect to the network. Client computers run Windows 7.

A Group Policy is used to configure client computers to obtain updates from Windows Server Update Services (WSUS). Company policy requires that updates labeled Important and Critical must be applied before client computers can access network resources.

You need to ensure that client computers meet the company policy requirement.

What should you do?

A. Enable Automatic Updates on each client.
B. Enable the Security Center on each client.
C. Quarantine clients that do not have all available security updates installed.
D. Disconnect the connection until the required updates are installed.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Only by placing noncompliant clients on a restricted (quarantine) network can they reach the remediation servers, here the WSUS server, while being kept away from the rest of the corporate network until the Windows Security Health Validator reports the required updates as installed. This is what the health validation and NPS features introduced in Server 2008 are for.

Enabling Automatic Updates ensures the clients try to get the latest updates from the WSUS server, but it does not prevent them from accessing the network while the updates are still missing.

Enabling Security Center makes the health status of the clients visible, but by itself it neither delivers the updates nor restricts access until they are installed.

Disconnecting the connection will not allow client computers to access network resources or obtain updates.

QUESTION 23

Your company has deployed Network Access Protection (NAP) enforcement for VPNs.

You need to ensure that the health of all clients can be monitored and reported.

What should you do?


A. Create a Group Policy object (GPO) that enables Security Center and link the policy to the domain.
B. Create a Group Policy object (GPO) that enables Security Center and link the policy to the Domain Controllers organizational unit (OU).
C. Create a Group Policy object (GPO) and set the Require Trusted Path For Credential Entry option to Enabled. Link the policy to the domain.
D. Create a Group Policy object (GPO) and set the Require Trusted Path For Credential Entry option to Enabled. Link the policy to the Domain Controllers organizational unit (OU).

Correct Answer: A
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Security Center is the client application that tracks the health status of the machine. We need to force this to be enabled on all clients so they will report their health status to the central server. This would need to be done at the domain level so as to apply to all clients, not just Domain Controllers.

The Require Trusted Path For Credential Entry option requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials.
Reference: http://www.wilderssecurity.com/showthread.php?p=1959147

QUESTION 24

Your company has deployed Network Access Protection (NAP). You configure secure wireless access to the network by using 802.1X authentication from any access point.

You need to ensure that all client computers that access the network are evaluated by NAP.

What should you do?

A. Configure all access points as RADIUS clients to the Remediation Servers.
B. Configure all access points as RADIUS clients to the Network Policy Server (NPS).
C. Create a network policy that defines Remote Access Server as a network connection method.
D. Create a network policy that specifies EAP-TLS as the only available authentication method.

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

In order for all clients to be evaluated by NAP, the wireless access points they connect to must communicate with a RADIUS server that will direct them to NAP. This means the wireless access points must function as RADIUS clients that forward authentication requests to a Server 2008 RADIUS (NPS) server.

Remediation servers provide updates for computers that fail the NAP health check, but do not necessarily function as RADIUS servers themselves.

The Network connection method value in a Network Policy restricts NPS from evaluating a request unless it comes from the type of server specified. If we set this to RAS, then only Server 2008 routers would be able to be evaluated. All other clients on the network would fail to be checked.
Reference: http://technet.microsoft.com/en-us/library/cc755309.aspx

Configuring EAP-TLS as the only available authentication method would essentially prevent client connections in the event another protocol is possibly used for 802.1X at the access points. At best, it enforces standardized security for the clients, but does not provide a method for them to be evaluated by NAP.

QUESTION 25

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Remote Access Service role service installed. Server1 is configured as a VPN server.

You need to ensure that you can configure Server1 as a Network Address Translation (NAT) server.

What should you do first on Server1?

A. Enable IPv4 routing.
B. Enable IPv6 routing.
C. Add a new routing protocol.
D. Add the Routing role service.

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

To enable network address translation addressing
1. In the RRAS MMC snap-in, expand Your Server Name. If you are using Server Manager, expand Routing and Remote Access.

Reference: http://technet.microsoft.com/en-us/library/dd469812.aspx

MY NOTE: Basically, NAT is a role service of the RRAS / Routing roles.

QUESTION 26

Your company has a single Active Directory domain. The domain has servers that run Windows Server 2008 R2. You have a server named NAT1 that functions as a NAT server.

You need to ensure that administrators can access a server named RDP1 by using Remote Desktop Protocol(RDP).

What should you do?

A. Configure NAT1 to forward port 389 to RDP1.
B. Configure NAT1 to forward port 1432 to RDP1.
C. Configure NAT1 to forward port 3339 to RDP1.
D. Configure NAT1 to forward port 3389 to RDP1.

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Remote Desktop Protocol (formerly Terminal Server) uses TCP port 3389.

Reference: http://technet.microsoft.com/en-us/library/cc959833.aspx

QUESTION 27


Your network has Network Access Protection (NAP) deployed. The network contains two servers named Server1 and Server2. Server1 is a Network Policy Server (NPS). Server2 has a third-party antivirus solution installed.

Server1 is configured to use a custom system health validator provided by the antivirus vendor. The system health validator uses Server2 to identify the version of the current antivirus definition.

You need to ensure that NAP clients are considered noncompliant if Server1 cannot connect to Server2.

Which error code resolution setting should you configure?

A. SHA not responding to NAP client
B. SHA unable to contact required services
C. SHV not responding
D. SHV unable to contact required services

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

The following is a description of available error codes:

SHV unable to contact required services. This error can occur if Network Policy Server (NPS) loses connectivity to a health requirement server, such as an antivirus signature server. (MY NOTE: The scenario states we need to ensure clients are non-compliant if Server1, the NPS server, loses connectivity to Server2.)
SHA unable to contact required services. This error can occur if the SHA is unable to successfully read the client configuration.
SHA not responding to NAP Client. This error can occur if an SHA is not properly initialized and registered.
SHV not responding. This error can occur if the performance of an SHV is degraded (for example, if NPS is out of memory).
Vendor specific error code received. This error can occur if NPS receives an error code that is unique to the SHA or SHV vendor. Some vendors might return this code when NPS is unable to contact a health requirement server.

Reference: http://technet.microsoft.com/en-us/library/dd759167.aspx

QUESTION 28

Your company has computers in multiple locations that use IPv4 and IPv6. Each location is protected by a firewall that performs symmetric NAT.

You need to allow peer-to-peer communication between all locations.

What should you do?

A. Configure dynamic NAT on the firewall.
B. Configure the firewall to allow the use of Teredo.
C. Configure a link local IPv6 address for the internal interface of the firewall.
D. Configure a global IPv6 address for the external interface of the firewall.

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services
Explanation


Explanation/Reference:
Explanation:

Since some locations use IPv4 and IPv6, they will not be able to talk to each other without Teredo tunneling at the firewall.

Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts which are on the IPv4 Internet but which have no direct native connection to an IPv6 network.
Reference: http://en.wikipedia.org/wiki/Teredo_tunneling

NAT simply masks source traffic; changing from symmetric to dynamic will not change the fact that some IPv6 connections are trying to communicate with IPv4 networks.

An IPv6 global address is essentially a public address for the internet. This would be needed for internet communications for all networks, but will not allow peer-to-peer communication.

An IPv6 link-local address is intended for communications within a local subnet; we need peer-to-peer communications.

Reference: http://technet.microsoft.com/en-us/library/cc757359%28v=ws.10%29.aspx

QUESTION 29

Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.

A DHCP server is deployed on the network and configured to provide IPv6 prefixes.

You need to ensure that when you monitor network traffic, you see the interface identifiers derived from the Extended Unique Identifier (EUI)-64 address.

Which command should you run?

A. netsh.exe interface ipv6 set global addressmaskreply=disabled
B. netsh.exe interface ipv6 set global dhcpmediasense=enabled
C. netsh.exe interface ipv6 set global randomizeidentifiers=disabled
D. netsh.exe interface ipv6 set privacy state=enabled

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

netsh.exe interface ipv6 set global
This netsh context sets global parameters for all IPv6-enabled interfaces on the computer. Per the scenario, we need to see interface identifiers for all our interfaces, so this is the context we should be in.

randomizeidentifiers=disabled
This command would specify that interface identifiers should NOT be randomized (in other words, that they would be unique). Of the 3 commands in the "set global" context, this one would achieve the desired effect.

dhcpmediasense=enabled
This command would enable DHCP media sense, which is what Windows uses to determine when a cable is plugged in to an interface. This would not help us with seeing interface identifiers in network packet captures.

addressmaskreply=disabled
This command instructs the computer not to respond to ICMP address mask packets. This would not help us with seeing interface identifiers in network packet captures.


Reference: http://www.colorconsole.de/cmd/en/Windows_7/netsh/interface/ipv6/set/global.htm

netsh.exe interface ipv6 set privacy state=enabled
This command would specify that temporary addresses for IPv6 are enabled. This is irrelevant to the task at hand.

Reference: http://technet.microsoft.com/en-us/library/cc740203(v=ws.10).aspx
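An added PowerShell example (not from the original study guide) for the point above: once randomizeidentifiers=disabled is in effect, each interface identifier is the modified EUI-64 of the adapter's MAC, so a capture can be checked against the expected value to confirm the setting took effect, and to know which addresses expose a hardware MAC on the wire. The MAC and the two addresses are constructed sample values.

```powershell
# Added example (not from the original study guide): derive the modified EUI-64
# interface identifier from a MAC address and check whether an observed IPv6
# address carries it. Sample MAC and addresses below are constructed.

function ConvertTo-Eui64InterfaceId {
    param([Parameter(Mandatory)][string]$MacAddress)
    # Accept 00-1A-2B-3C-4D-5E, 00:1A:2B:3C:4D:5E or 001A2B3C4D5E
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "MAC address must contain 12 hex digits: $MacAddress" }
    $bytes = for ($i = 0; $i -lt 12; $i += 2) { [int][Convert]::ToByte($hex.Substring($i, 2), 16) }
    # Modified EUI-64: flip the universal/local bit (bit 1 of the first octet)
    # and insert 0xFF 0xFE between the OUI half and the device-specific half.
    $id = @(($bytes[0] -bxor 0x02), $bytes[1], $bytes[2], 0xFF, 0xFE, $bytes[3], $bytes[4], $bytes[5])
    # Render as four 16-bit groups with leading zeros trimmed, as they appear in an IPv6 address
    $groups = for ($i = 0; $i -lt 8; $i += 2) { '{0:x}' -f (($id[$i] -shl 8) -bor $id[$i + 1]) }
    return ($groups -join ':')
}

function Get-InterfaceIdFromAddress {
    param([Parameter(Mandatory)][string]$IPv6Address)
    # Parse the address so the low 64 bits can be read back as four groups
    $addr = [System.Net.IPAddress]::Parse($IPv6Address)
    if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $IPv6Address"
    }
    $b = $addr.GetAddressBytes()
    $groups = for ($i = 8; $i -lt 16; $i += 2) { '{0:x}' -f (([int]$b[$i] -shl 8) -bor [int]$b[$i + 1]) }
    return ($groups -join ':')
}

function Test-Eui64Address {
    param(
        [Parameter(Mandatory)][string]$IPv6Address,
        [Parameter(Mandatory)][string]$MacAddress
    )
    # True when the address's interface identifier is exactly the one EUI-64 derives from the MAC
    return (Get-InterfaceIdFromAddress $IPv6Address) -eq (ConvertTo-Eui64InterfaceId $MacAddress)
}

# Constructed sample: one adapter MAC and two addresses seen in a capture
$mac = '00-1A-2B-3C-4D-5E'
ConvertTo-Eui64InterfaceId $mac            # 21a:2bff:fe3c:4d5e
foreach ($ip in 'fe80::21a:2bff:fe3c:4d5e', 'fe80::5c7d:9f21:8e3b:1a20') {
    $derived = Test-Eui64Address -IPv6Address $ip -MacAddress $mac
    "{0,-30} EUI-64 from {1}: {2}" -f $ip, $mac, $derived
}
```

The first address matches (True) and the second, a randomized identifier, does not (False); the same check run over a capture shows which hosts still carry the randomized form after the netsh change.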

QUESTION 30

You have a DHCP server that runs Windows Server 2008 R2. The DHCP server has two network connections named LAN1 and LAN2.

You need to prevent the DHCP server from responding to DHCP client requests on LAN2. The server must continue to respond to non-DHCP client requests on LAN2.

What should you do?

A. From the DHCP snap-in, modify the bindings to associate only LAN1 with the DHCP service.
B. From the DHCP snap-in, create a new multicast scope.
C. From the properties of the LAN1 network connection, set the metric value to 1.
D. From the properties of the LAN2 network connection, set the metric value to 1.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

By default, the service bindings depend on whether the network connection is configured dynamically or statically for TCP/IP. Based on the method of configuration it uses, reflected by its current settings in Internet Protocol (TCP/IP) properties, the DHCP Server service performs default service bindings as follows:

If the first network connection uses a manually specified IP address, the connection is enabled in server bindings. For this to occur, a value for IP address must be configured and the Use the following IP address option selected in Internet Protocol (TCP/IP) properties. In this mode, the DHCP server listens for and provides service to DHCP clients.

If the first network connection uses an IP address configured dynamically, the connection is disabled in server bindings. This occurs when the Obtain an IP address automatically option is selected in Internet Protocol (TCP/IP) properties. For computers running Windows Server 2008 R2 operating systems, this is the default setting. In this mode, the DHCP server does not listen for and provide service to DHCP clients until a static IP address is configured.

The DHCP server will bind to the first static IP address configured on each adapter.

Note: By design, DHCP server bindings are enabled and disabled on a per-connection, not per-address, basis. All bindings are based on the first configured IP address for each connection appearing in the Network Connections folder. If additional static IP addresses (for example, as set in Advanced TCP/IP properties) are configured for the applicable connection, these addresses are never used by DHCP servers running Windows Server 2008 R2 and are inconsequential for server bindings.

DHCP servers running Windows Server 2008 R2 never bind to any of the NDISWAN or DHCP-enabled interfaces used on the server. These interfaces are not displayed in the DHCP console under the current server bindings list because they are never used for DHCP service. Only additional network connections that have a primary static IP address configured can appear in the server bindings list (or be selectively enabled or disabled there).


Reference: http://technet.microsoft.com/en-us/library/ee941100(v=ws.10).aspx

QUESTION 31

You have a DHCP server that runs Windows Server 2008 R2. You restore the DHCP database by using a recent backup.

You need to prevent DHCP clients from receiving IP addresses that are currently in use on the network.

What should you do?

A. Add the DHCP server option 15.
B. Add the DHCP server option 44.
C. Set the Conflict Detection value to 0.
D. Set the Conflict Detection value to 2.

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

For Conflict detection attempts, type a number greater than 0 (zero) and less than six, and then click OK.

The number you type determines how many times the DHCP server tests an IP address before leasing it to a client.

Reference: http://technet.microsoft.com/en-us/library/cc737924%28v=ws.10%29.aspx

Server option 15 is "Domain name" - the DNS domain the client should use for resolution.
Server option 44 is for specifying WINS/NBNS servers.

MY NOTE: Clearly neither of these options will prevent DHCP clients from getting the address of a machine already on the network.

Reference: http://technet.microsoft.com/en-us/library/cc958929.aspx

QUESTION 32

Your company has a server named DC1 that runs Windows Server 2008 R2. Server1 has the DHCP Server server role installed.

You find that a desktop computer named Computer1 is unable to obtain an IP configuration from the DHCP server.

You install the Microsoft Network Monitor 3.0 application on Server1. You enable P-mode in the Network Monitor application configuration.

You plan to capture only the DHCP server-related traffic between Server1 and Computer1. The network interface configuration for the two computers is shown in the following table.

You need to build a filter in the Network Monitor application to capture the DHCP traffic between Server1 and Computer1.


Which filter should you use?

A. IPv4.Address == 169.254.15.84 && DHCP
B. IPv4.Address == 192.168.2.1 && DHCP
C. Ethernet.Address == 0x000A5E1C7F67 && DHCP
D. Ethernet.Address == 0x001731D55EFF && DHCP

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Network Monitor is being run from Server1. In order to view only DHCP traffic between Server1 and Computer1, we must specify a filter that is specific to Computer1. Because Computer1 cannot receive an IP from the DHCP server, we should use the Ethernet.Address filter, assigning it to the MAC of Computer1 (0x001731D55EFF).

If the Ethernet.Address filter is applied to 0x000A5E1C7F67 (the MAC of Server1), we would see all DHCP traffic on Server1 (the capture server). Similarly, the IPv4.Address filter cannot be used for 192.168.2.1.

The IPv4.Address filter cannot be used for 169.254.15.84 because this is an APIPA address; the client is not guaranteed to receive this each time it tries (and fails) to receive a reservation.

QUESTION 33

Your network contains two DHCP servers named Server1 and Server2. On Server1, you create a scope named Scope1.

You need to ensure that DHCP clients receive IP addresses from the address range in Scope1 if Server1 is unavailable.

The solution must prevent both servers from assigning duplicate IP addresses.

What should you do from the DHCP console?

A. On Server1, create a superscope.
B. On Server1, select Scope1, and then run the Split-Scope wizard.
C. On Server2, create a scope, and then reconcile each scope.
D. On Server2, create a scope, and then enable Network Access Protection.

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

We basically want a split scope to implement the 80/20 rule, as that will provide the best fault tolerance in DHCP (clients can receive addresses if Server1 is unavailable). This is now done with a Split-Scope wizard in Server 2008.

A Dynamic Host Configuration Protocol (DHCP) split-scope configuration using multiple DHCP servers allows for increased fault tolerance and redundancy over using only one DHCP server. The new Split-scope Wizard in Windows Server® 2008 R2 replaces the more error-prone manual split-scope configuration method used in earlier versions of Windows Server.
Reference: http://technet.microsoft.com/en-us/library/ee405264%28v=ws.10%29.aspx


WRONG ANSWERS

A superscope is an administrative feature of DHCP servers running Windows Server 2003 that you can create and manage through the DHCP console. Using a superscope, you can group multiple scopes as a single administrative entity. (MY NOTE: This does not give us fault tolerance amongst scopes.)
Reference: http://technet.microsoft.com/en-us/library/cc757614%28v=ws.10%29.aspx

Network Access Protection (NAP) is a feature in Windows Server 2008 that controls access to network resources based on a client computer's identity and compliance with corporate governance policy.
Reference: http://technet.microsoft.com/en-us/network/bb545879.aspx

Reconciling a scope will "fix inconsistencies, such as incorrect or missing information for client IP addresses, that are stored in scope lease information."
Reference: http://technet.microsoft.com/en-us/library/dd183579%28v=ws.10%29.aspx

QUESTION 34

Your network contains an Active Directory domain. The domain contains a DHCP server named Server1. You create a scope named Scope1 on Server1.

You need to prevent unauthorized DHCP clients from receiving addresses from Server1.

What should you do?

A. From the DHCP console, configure filters.
B. From the Local Security Policy console, modify the network settings.
C. From the Local Users and Groups console, modify the membership of the DHCP Users group.
D. From the Netsh tool, change to the DHCP Server context, and then run the initiate auth command.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

DHCP filters are MAC-level filters to specify clients that should not be given an address.

Link layer-based filtering for Dynamic Host Configuration Protocol (DHCP) enables administrators to control network access based on media access control (MAC) address, providing a low-level security method.
Reference: http://technet.microsoft.com/en-us/library/ee405265%28v=ws.10%29.aspx

WRONG ANSWERS

The Local Security Policy console lets us configure policy options that apply only to the local server. We could use a GP in conjunction with NAP to enable DHCP enforcement, but we are not told we have a NAP server, and this would not be done in the local policy in any manner.

netsh dhcp server initiate auth
Initiates authorization of the specified DHCP server in Active Directory.
Reference: http://technet.microsoft.com/en-us/library/cc787375%28v=ws.10%29.aspx#BKMK_iniauth

Members of the DHCP Users group have read-only DHCP console access to the server.
Reference: http://technet.microsoft.com/en-us/library/cc737716%28v=ws.10%29.aspx

QUESTION 35


Your network contains two DHCP servers named Server1 and Server2. Server1 and Server2 are located in the same subnet.

You configure a split scope named Scope1 on the DHCP servers.

You need to ensure that Server2 only responds to DHCP client requests if Server1 is unavailable.

What should you modify?

A. the Scope1 properties for Server1
B. the Scope1 properties for Server2
C. the server options for Server1
D. the server options for Server2

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

Basically, we want Server1 to always respond to requests first, and Server2 to only be used when Server1 is not responding. Since both servers are live, we do this by configuring a delay on Server2. This is done in the Scope properties.

QUESTION 36

Your network contains a DHCP server named DHCP1. You have a DHCP reservation for a computer named Computer1. You add a DNS server option to the reservation.

You need to ensure that Computer1 immediately receives the new option.

What should you do?

A. Run ipconfig.exe /renew.
B. Run ipconfig.exe /registerdns.
C. On DHCP1, recreate the reservation.
D. On DHCP1, delete the active lease for the reservation.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

For Computer1 to get the new option, it has to renew its lease with the server. This is what the ipconfig.exe /renew command will do.

We only added a DNS server option, so we do not need to re-register Computer1's DNS with the server. We would only do this if DNS queries did not resolve Computer1 to an IP.

Modifying settings for the reservation on DHCP1 will not force Computer1, a client, to receive the new options.

QUESTION 37

Your network contains a Routing and Remote Access server named RRAS1 and a DHCP server named DHCP1. RRAS1 and DHCP1 are located in different subnets.

RRAS1 is configured to support VPN connections from the Internet.

DHCP1 has a scope that provides IP addresses for the VPN connections.

You need to ensure that VPN clients that connect to RRAS1 can receive IP addresses from DHCP1.

What should you do?

A. On DHCP1, configure a DHCP Relay Agent.
B. On DHCP1, install the Routing role service.
C. On RRAS1, configure a DHCP Relay Agent.
D. On RRAS1, install the Routing role service.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

We don't need to do anything to DHCP1, as it already has the scope configured. Instead, we need to make sure VPN clients (who get into the network through RRAS1) can forward DHCP requests to DHCP1 - this is known as a Relay Agent. We configure it on RRAS1 because it is a feature of RRAS and is needed by the clients connecting in through RRAS1.

For each IP network segment that contains DHCP clients, either a DHCP server or a computer acting as a DHCP Relay Agent is required.


Reference: http://technet.microsoft.com/en-us/library/cc783103%28v=ws.10%29.aspx

QUESTION 38

Your company has a server named Server1 that runs Windows Server 2008 R2. Server1 runs the DHCP Server server role and the DNS Server server role. You also have a server named ServerCore that runs a Server Core installation of Windows Server 2008 R2.

All computers are configured to use only Server1 for DNS resolution. The IP address of Server1 is 192.168.0.1. The network interface on all the computers is named LAN.

Server1 is temporarily offline. A new DNS server named Server2 has been configured to use the IP address 192.168.0.254.

You need to configure ServerCore to use Server2 as the preferred DNS server and Server1 as the alternate DNS server.

What should you do?

A. Run the netsh interface ipv4 add dnsserver "LAN" static 192.168.0.254 index=1 command.
B. Run the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 192.168.0.1 both command.
C. Run the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 primary command and the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.1 both command.
D. Run the netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 primary command and the netsh interface ipv4 add dnsserver "LAN" static 192.168.0.1 index=1 command.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

To make Server2 the preferred DNS server, we basically just need to set its index value.

add dnsserver

Adds a DNS server to a list of DNS servers for a specified interface.

Syntax

add dnsserver [name=]InterfaceName [addr=]DNSAddress [[index=]DNSIndex]

Parameters (...)

[index=]DNSIndex
Specifies the position of the added DNS server in the list of DNS servers for the interface.

WRONG ANSWERS

netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 primary
netsh interface ipv4 add dnsserver "LAN" static 192.168.0.1 index=1
For the 1st command here, the primary option registers the computer's name to only the primary DNS suffix. This would not affect preferred/alternate DNS server configurations. The 2nd command essentially designates Server1 as 1st in the list, which is not what we want (it is already there!)

netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 192.168.0.1 both
For this command here, the both option specifies to register the computer's name to both DNS suffixes (primary and connection-specific). This would not affect preferred/alternate DNS server configurations.

netsh interface ipv4 set dnsserver "LAN" static 192.168.0.254 primary
netsh interface ipv4 set dnsserver "LAN" static 192.168.0.1 both
As in the examples above, these commands essentially affect which DNS suffixes the computer will try to register its record with. This would not affect preferred/alternate DNS server configurations.

Reference: http://technet.microsoft.com/en-us/library/cc731521%28v=ws.10%29.aspx#BKMK_adddnsserver

QUESTION 39

Your company runs Windows Server Update Services (WSUS) on a server named Server1. Server1 runs Windows Server 2008 R2. Server1 is located on the company intranet. You configure the WSUS Web site to use SSL.

You need to configure a Group Policy object (GPO) to specify the Intranet Update Locations.

Which URLs should you use?

A. http://SERVER1
B. http://SERVER1:8080
C. https://SERVER1
D. https://SERVER1:8080

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Since we configured the website for SSL, we will need to use the https:// prefix.

Port 8080 is the default port used for web proxying and caching servers.

QUESTION 40

You have 10 standalone servers that run Windows Server 2008 R2.

You install the Windows Server Update Services (WSUS) server role on a server named Server1.

You need to configure all of the servers to receive updates from Server1.

What should you do?

A. Configure the Windows Update settings on each server by using the Control Panel.
B. Run the wuauclt.exe /detectnow command on each server.
C. Run the wuauclt.exe /reauthorization command on each server.
D. Configure the Windows Update settings on each server by using a local group policy.

Correct Answer: D


Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

For all servers to be configured to point at Server1, we need to use Group Policy.

Configuring Windows Update settings on each server through the Control Panel would not let us specify which server the computer uses. This is only done via the registry, which we can use Group Policy to control for all servers and simplify our job :)

wuauclt.exe /detectnow
This would force each server to look for new updates at the time the command was executed.

wuauclt.exe /reauthorization
This would re-register the servers with the WSUS server (Server1), but does not tell them to get their updates from Server1.

QUESTION 41

Your network contains a Windows Server Update Services (WSUS) server. All computers on the network are configured to download and install updates once a week.

You need to deploy a critical update to a WSUS client as soon as possible.

Which command should you run?

A. dism.exe /online /check-apppatch

B. gpupdate.exe /force

C. secedit.exe /refreshpolicy

D. wuauclt.exe /detectnow

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

wuauclt.exe /detectnow
This would force the client to look for new updates immediately, rather than waiting on the pre-configured interval (once a week).

dism.exe /online /check-apppatch
These parameters would check an online (running) deployment of Windows to see if any MSP patches from a deployment source need to be applied.
References:
http://technet.microsoft.com/en-us/library/dd744382%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd744370%28v=ws.10%29.aspx

gpupdate.exe /force
This will force a group policy update on the client it is run from, not a WSUS update.

secedit.exe /refreshpolicy
This would impose group policy settings on the client (similar to gpupdate /force).
Reference: http://support.microsoft.com/kb/227302

QUESTION 42

Your network contains a Windows Server Update Services (WSUS) server named Server1. Server1 provides updates to client computers in two sites named Site1 and Site2.


A WSUS computer group named Group1 is configured for automatic approval.

You need to ensure that new client computers in Site2 are automatically added to Group1.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a new automatic approval update rule.
B. Modify the Computers options in the Update Services console.
C. Modify the Automatic Approvals options in the Update Services console.
D. Configure a Group Policy object (GPO) that enables client-side targeting.

Correct Answer: BD
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console. You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers. When the client computers connect to the WSUS server, they will add themselves into the correct computer group. Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.

To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the Computers Options page. Both halves are needed: the server must be switched from server-side to client-side targeting (B), and the Site2 computers must be told which target group name to report (D), through the Enable client-side targeting policy under Computer Configuration\Administrative Templates\Windows Components\Windows Update, linked so that it applies only to Site2.
Reference: http://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx

WRONG ANSWERS

On the Automatic Approval Options page, you can configure your WSUS server to automatically approve installation or detection for updates and associated metadata when they are downloaded to the WSUS server during synchronization.
Reference: http://technet.microsoft.com/en-us/library/cc708458%28v=ws.10%29.aspx
MY NOTE: Basically, Automatic Approvals are for making sure updates are automatically let out into the network, but we were asked about having clients automatically added into Group1.

QUESTION 43Your network contains an Active Directory domain. The domain contains a Windows Server Update Services(WSUS) server named Server1. A Group Policy object (GPO) named GPO1 configures all computers in thedomain to use Server1 for Windows Update.

You add a new Windows 7 computer named Computer1 to the domain.

From the Update Services console, you discover that Computer1 is not listed as a member of any computergroups.

You verify that GPO1 is applied to Computer1.

You need to ensure that Computer1 is available in the Update Services console.

What should you do?

A. On Computer1, run wuauclt.exe /detectnow .


B. On Computer1, run wuauclt.exe /reportnow .

C. On Server1, run wsusutil.exe reset .

D. On Server1, run wsusutil.exe listinactiveapprovals .

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

wuauclt.exe /reportnow
This forces the client to send its status report to the WSUS server, at which point it shows up in the Update Services console. A computer is only listed in the console once it has reported to the server.

WRONG ANSWERS

wuauclt.exe /detectnow
This forces the client to check Server1 for applicable updates immediately, but a detection cycle on its own does not send the status report that makes the computer appear in the console; reporting normally happens later, on its own schedule.

wsusutil.exe reset
This is run on the server, not the client. It checks that every update in the WSUS database has its corresponding update files in the file system and re-downloads any that are missing. It does nothing about which clients are listed.

wsusutil.exe listinactiveapprovals
This returns a list of updates with approvals in a permanently inactive state because of a change in server language settings.

Reference: http://technet.microsoft.com/en-us/library/cc720466%28v=ws.10%29.aspx

QUESTION 44Your network contains a Windows Server Update Services (WSUS) server. A Group Policy object (GPO)configures all WSUS client computers to detect updates hourly and install updates weekly.

You download a critical update.

You need to ensure that the WSUS client computers install the critical update during the next detection interval.

What should you do?

A. From the client computers, run wuauclt.exe /force .

B. From the client computers, run gpupdate.exe /force .

C. From the server, configure the Deadline settings.

D. From the server, configure the Synchronization Schedule options.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

To force clients to install an update at a specific time rather than at their weekly install window, approve the update with a deadline. Once the deadline has passed (or if you choose a deadline in the past), clients install the update at their next detection cycle, which here is hourly, regardless of the scheduled install time.
Reference: http://technet.microsoft.com/en-us/library/cc708585%28v=ws.10%29.aspx

WRONG ANSWERS

Synchronization in WSUS is used to make sure a server is up to date with its upstream server or with Microsoft. It has no effect on when clients install anything.

wuauclt.exe /force
This is not a valid wuauclt switch. Even the valid wuauclt.exe /detectnow would only make the client search for new updates immediately; it would not install them, and the client would still wait for its pre-configured weekly install window.

gpupdate.exe /force
This forces a Group Policy refresh on the client it is run from, not a WSUS installation.

QUESTION 45Your network contains a Windows Server Update Services (WSUS) server.

You need to ensure that the WSUS server automatically downloads service packs.

What should you do first?

A. From the Automatic Approvals options, modify the Update Rules list.
B. From the Automatic Approvals options, modify the Advanced settings.
C. From the Products and Classifications options, modify the Products settings.
D. From the Products and Classifications options, modify the Classifications settings.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

Service Packs are an update classification. By selecting Service Packs under Classifications, we ensure that WSUS synchronizes service packs for every product that has been selected. This has to happen first; whether they are then approved automatically is a separate Automatic Approvals decision.
Reference: http://technet.microsoft.com/en-us/library/dd939871%28v=ws.10%29.aspx

WRONG ANSWERS

The Automatic Approvals options control how updates are selected for automatic approval. For instance, we could specify that only certain classifications are automatically approved, but that does not control whether the server downloads them in the first place, and it could have negative effects for other classifications of updates.
Reference: http://technet.microsoft.com/en-us/library/cc708474%28v=ws.10%29.aspx

Products settings determine which programs WSUS will get updates for (i.e., Windows, Office, SQL Server, Visual Studio), not which kinds of updates.

QUESTION 46Your network contains a Windows Server Update Services (WSUS) Server infrastructure that has three serversnamed WSUS1, WSUS2, and WSUS3.

WSUS2 is a downstream replica server of WSUS1. WSUS3 is a downstream replica server of WSUS2.

You need to ensure that the Update Services console on WSUS2 only displays computers that receive updatesfrom WSUS2.


What should you configure on WSUS2?

A. Downstream servers
B. Personalization
C. Reporting Rollup
D. Synchronizations

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

Of the options available, only Personalization of the Update Services console controls which computers are displayed. Because WSUS3 rolls its computer status up to WSUS2, the console on WSUS2 also lists WSUS3's clients unless the Show computers from downstream servers setting under Personalization is cleared.

WRONG ANSWERS

The remaining options are about update and status flow, not about what the console displays.
Downstream Servers lists the servers (here WSUS3) that synchronize from this server, with their status; it is a view of the replica chain, not a filter on the computer list.
Reporting Rollup controls whether replica downstream servers roll their status up to this server at all. It is an update-management setting, not a console display setting.
Synchronizations downloads updates from the upstream server.

QUESTION 47Your network contains a Windows Server Update Services (WSUS) server named Server1.

You need to configure all WSUS client computers to download approved updates directly from the MicrosoftUpdate servers. The solution must ensure that all WSUS client computers report successful installation ofupdates to Server1.

What should you do?

A. From Active Directory, deploy a Group Policy object (GPO).
B. From Server1, modify the Update Source and Proxy options.
C. From Server1, modify the Update Files and Languages options.
D. From the WSUS client computers, modify the local computer policy.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

You can specify whether to store update files on your local WSUS server or on Microsoft Update. If you choose to store the updates locally, you can limit the updates downloaded to your server by language. If you choose to store the update files on Microsoft Update, then your WSUS server obtains only update information (metadata) for the criteria you have specified on the Synchronization Options page. (...)
To specify where to store downloaded update files
1. On the WSUS console toolbar, click Options, and then click Synchronization Options.
2. Under Update Files and Languages, click Advanced.
3. Under Update Files, select whether to store update files on the server running Windows Server Update Services (WSUS) or on Microsoft Update. If you choose to store update files on your server, you can choose either to download update files only when they are approved, or to download express installation files.
4. If you selected to store the files on the WSUS server, under Languages, select whether you want to limit the updates downloaded to your WSUS server by language, and then click OK. Note that if you select to download all languages (which is selected by default) that this will take more disk space. If possible, consider limiting the languages you download if you are also choosing to store update files on your WSUS server.
5. In Tasks, click Save settings, and then click OK.
Reference: http://technet.microsoft.com/en-us/library/cc708480%28v=ws.10%29.aspx

With this setting the clients still take their approvals from Server1 and report their status to Server1 (so the policy pointing them at Server1 stays as it is), but the update binaries themselves are fetched from Microsoft Update, which is exactly what the question asks for. Changing the GPO or local policy (A, D) would only move where clients get metadata and report, and the Update Source and Proxy options (B) control where Server1 itself synchronizes from.

QUESTION 48Your network contains two Windows Server Update Services (WSUS) servers named Server1 and Server2.

Server1 is a member of a domain named contoso.com. Server2 is a standalone server. Server2 is configuredas an autonomous downstream server.

You need to ensure that all updates approved on Server1 are automatically approved on Server2.

Which options should you modify?

A. Automatic Approvals
B. Products and Classifications
C. Synchronization Schedule
D. Update Source and Proxy Server

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

A WSUS server running in replica mode inherits the update approvals and computer groups created on its parent WSUS administration server. You will typically have a single parent server with one or more downstream replica WSUS servers. You approve updates and create computer groups on the parent server, which the replica servers will then mirror.

You may designate any WSUS server as a downstream replica at any time. In the WSUS administration console, select Options, then Update Source and Proxy Server, and on the Update Source tab, select the Synchronize from another Windows Server Update Services server check box, and then the This server is a replica of the upstream server check box.

Server2 is currently an autonomous downstream server: it synchronizes updates from Server1 but keeps its own approvals, which is why approvals made on Server1 are not carried over. Switching it to replica mode on that same Update Source tab fixes that; being a standalone (non-domain) server makes no difference to this setting.

Reference: http://technet.microsoft.com/en-us/library/cc708511%28v=ws.10%29.aspx

QUESTION 49Your network contains a Windows Server Update Services (WSUS) server. You have an organizational unit(OU) named Sales. The Sales OU contains all of the computer objects for the sales department.

You enable client-side targeting for the Sales OU and set the target group name to Sales-Computers.

You restart a sales computer. You discover that the computer is not added to the Sales-Computers computer group in WSUS.

You need to ensure that all sales computers are added to the Sales-Computers group.

Which options should you configure?


A. Automatic Approvals
B. Computers
C. Personalization
D. Products and Classifications

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console. You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers. When the client computers connect to the WSUS server, they will add themselves into the correct computer group. Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.

To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the Computers Options page. The client half is already done here (the Sales OU has client-side targeting with the group name Sales-Computers), so what is missing is the server half: under Computers options switch from server-side to client-side targeting, and make sure a computer group with exactly that name exists in the console, since the server will not create it on the client's behalf.
Reference: http://technet.microsoft.com/en-us/library/cc720450%28v=ws.10%29.aspx

QUESTION 50Your company has an IPv4 Ethernet network. A router named R1 connects your segment to the Internet.

A router named R2 joins your subnet with a segment named Private1. The Private1 segment has a networkaddress of 10.128.4.0/26.

Your computer named WKS1 requires access to servers on the Private1 network. The WKS1 computerconfiguration is as shown in the following table.

WKS1 is unable to connect to the Private1 network by using the current configuration.

You need to add a persistent route for the Private1 network to the routing table on WKS1.

Which command should you run on WKS1?

A. route add -p 10.128.4.0/22 10.128.4.1

B. route add -p 10.128.4.0/26 10.128.64.10

C. route add -p 10.128.4.0 mask 255.255.255.192 10.128.64.1

D. route add -p 10.128.64.10 mask 255.255.255.192 10.128.4.0


Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

This question can be tricky, since 10.128.64.1 is an interface on R1 and 10.128.64.10 is an interface on R2, and both sit on the same subnet as WKS1.

WKS1 is currently using 10.128.64.1 as its default gateway, which is interface 1 on R1. As the table shows, this is the Internet router, so traffic for Private1 is currently sent the wrong way.

Our Private1 segment is 10.128.4.0/26 (mask 255.255.255.192), which is a host range of 10.128.4.1 - 10.128.4.62. This is what we need a route to, and as the table shows it sits behind interface 2 on R2.

Of the commands listed, only route add -p 10.128.4.0/26 10.128.64.10 routes traffic for exactly our Private1 segment (the first parameter) to the R2 interface that WKS1 can actually reach. The next hop of a route must be on one of the host's own subnets; the -p switch makes the route persistent across reboots, and route print confirms it afterwards.

WRONG ANSWERS

route add -p 10.128.4.0/22 10.128.4.1

Two problems. A /22 covers 10.128.4.0 - 10.128.7.255, a much larger range than Private1, so traffic intended for hosts outside Private1 would also be sent to R2. And the gateway 10.128.4.1 is on the Private1 side of R2, not on WKS1's subnet, so WKS1 cannot use it as a next hop at all.

route add -p 10.128.4.0 mask 255.255.255.192 10.128.64.1

This route specifies the right destination and mask, but 10.128.64.1 is the current default gateway on R1, so it sends Private1 traffic exactly where it already goes and nothing changes. If the gateway were 10.128.64.10, we'd have a working route (which is why I mentioned this can be tricky).

route add -p 10.128.64.10 mask 255.255.255.192 10.128.4.0

This route will simply not work: it says that all traffic destined for 10.128.64.10 (R2's interface on our own subnet) should be routed through 10.128.4.0, which is a network address rather than a valid gateway, and the destination has host bits set under a /26 mask.

QUESTION 51Your company is designing its public network. The network will use an IPv4 range of 131.107.40.0/22. Thenetwork must be configured as shown in the following exhibit.


You need to configure subnets for each segment.

Which network addresses should you assign?

A. Segment A: 131.107.40.0/23
Segment B: 131.107.42.0/24
Segment C: 131.107.43.0/25
Segment D: 131.107.43.128/27

B. Segment A: 131.107.40.0/25
Segment B: 131.107.40.128/26
Segment C: 131.107.43.192/27
Segment D: 131.107.43.224/30

C. Segment A: 131.107.40.0/23
Segment B: 131.107.41.0/24
Segment C: 131.107.41.128/25
Segment D: 131.107.43.0/27

D. Segment A: 131.107.40.128/23
Segment B: 131.107.43.0/24
Segment C: 131.107.44.0/25
Segment D: 131.107.44.128/27

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

We should know right away that our first subnet would not use a /25 mask, as that only gives our largest segment 126 hosts, but we need 280. That eliminates answer B.

The remaining options all seem plausible at first glance, since a /23 subnet allows 510 hosts, a /24 subnet 254, a /25 subnet 126 and a /27 30. This is enough room for the segments specified in the diagram. What we have to do is figure out which subnets are valid, non-overlapping ranges inside 131.107.40.0/22 (131.107.40.0 - 131.107.43.255).

Starting with Segment A, 131.107.40.0/23 gives a host range of 131.107.40.1 - 131.107.41.254. This means our next range (Segment B) must start at 131.107.42.0, but only answer A has this. That eliminates the rest: in answer C, 131.107.41.0/24 overlaps Segment A (and 131.107.41.128/25 overlaps that again), and in answer D, 131.107.40.128/23 is not a valid network address (a /23 block must start on an even third octet) and 131.107.44.0 lies outside the /22 block altogether.

Reference: http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

QUESTION 52Your company is designing its network. The network will use an IPv6 prefix of 2001:DB8:BBCC:0000::/53.

You need to identify an IPv6 addressing scheme that will support 2,000 subnets.

Which network mask should you use?

A. /61
B. /62
C. /63
D. /64

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

IPv6 also uses subnets, but the subnet ID is built into the address.

In a typical IPv6 address, the first 48 bits are the global routing prefix assigned to the site. The next 16 bits are the subnet ID and are used for defining subnets. The last 64 bits are the interface identifier (also known as the Interface ID or the Device ID).

If necessary, the bits that are normally reserved for the interface ID can be used for additional subnetting. However, this is normally not necessary, as a 16-bit subnet ID with a 64-bit interface ID already provides 65,536 subnets with 2^64 possible interface IDs per subnet, and stateless address autoconfiguration (SLAAC) only works on /64 subnets.

Reference: http://www.techrepublic.com/blog/10things/10-things-you-should-know-about-ipv6-addressing/1893

Here the site has been given a /53 rather than a /48, so the subnet ID is whatever lies between bit 53 and the chosen subnet prefix length. A /64 leaves 64 - 53 = 11 bits, which is 2^11 = 2,048 subnets, enough for the 2,000 required. The other masks are all shorter and leave fewer subnet bits: /63 gives 10 bits (1,024 subnets), /62 gives 9 bits (512) and /61 gives 8 bits (256), none of which is enough. /64 is also the only choice that keeps a full 64-bit interface ID on each subnet.
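The three addressing questions above (the persistent route in Question 50, the VLSM plan in Question 51 and the IPv6 subnet count in Question 52) all come down to the same handful of checks: is the destination a real network address, is the next hop on a directly connected subnet, do the subnets fit inside the parent block without overlapping, and how many subnet bits are left. The following script is an added example, not part of the exam dump, that applies those checks to the answer options with nothing but the Python standard library. The exhibits are not reproduced on the page, so WKS1's own subnet (assumed 10.128.64.0/24, since both routers' interfaces 10.128.64.1 and 10.128.64.10 are on it) and the host counts for segments B, C and D (assumed 200, 100 and 20; the page only gives 280 for segment A) are assumptions. The route check only rejects candidates that can never work; which of the two routers fronts Private1 still has to come from the exhibit.

```python
import ipaddress

# Added example (not from the exam dump): sanity checks for the addressing
# questions above, using only the standard library. The exhibits are not on
# the page, so WKS1's subnet and the per-segment host counts are assumptions.


def route_candidate_ok(local_net, dest_cidr, gateway):
    """Reject a 'route add' candidate that can never work: the destination
    must be a true network address (no host bits set) and the gateway must
    lie on a subnet the host is directly connected to, otherwise the host
    cannot resolve the next hop's MAC address."""
    try:
        ipaddress.ip_network(dest_cidr)          # strict: host bits must be 0
    except ValueError:
        return False
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(local_net)


def vlsm_plan_ok(parent_cidr, plan):
    """plan is a list of (subnet_cidr, hosts_needed). Every subnet must be
    aligned, lie inside the parent block, not overlap an earlier subnet, and
    offer enough usable addresses (IPv4: block size minus network and
    broadcast addresses)."""
    parent = ipaddress.ip_network(parent_cidr)
    seen = []
    for cidr, need in plan:
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError:                        # e.g. 131.107.40.128/23
            return False
        if not net.subnet_of(parent):
            return False
        if net.num_addresses - 2 < need:
            return False
        if any(net.overlaps(other) for other in seen):
            return False
        seen.append(net)
    return True


def smallest_subnet_prefix(parent_cidr, subnets_needed, max_prefix=64):
    """Shortest subnet prefix length inside parent_cidr that yields at least
    subnets_needed subnets, or None if even max_prefix is not enough. For
    IPv6, /64 is the practical ceiling because SLAAC needs a 64-bit
    interface ID."""
    parent = ipaddress.ip_network(parent_cidr)
    for length in range(parent.prefixlen, max_prefix + 1):
        if 2 ** (length - parent.prefixlen) >= subnets_needed:
            return length
    return None


# Constructed inputs (assumptions, see lead-in): WKS1's subnet and the host
# counts for segments B-D are not given on the page.
WKS1_NET = "10.128.64.0/24"
Q50_ROUTES = {
    "A": ("10.128.4.0/22", "10.128.4.1"),
    "B": ("10.128.4.0/26", "10.128.64.10"),
    "C": ("10.128.4.0/26", "10.128.64.1"),
    "D": ("10.128.64.10/26", "10.128.4.0"),
}
Q51_PLANS = {
    "A": [("131.107.40.0/23", 280), ("131.107.42.0/24", 200),
          ("131.107.43.0/25", 100), ("131.107.43.128/27", 20)],
    "B": [("131.107.40.0/25", 280), ("131.107.40.128/26", 200),
          ("131.107.43.192/27", 100), ("131.107.43.224/30", 20)],
    "C": [("131.107.40.0/23", 280), ("131.107.41.0/24", 200),
          ("131.107.41.128/25", 100), ("131.107.43.0/27", 20)],
    "D": [("131.107.40.128/23", 280), ("131.107.43.0/24", 200),
          ("131.107.44.0/25", 100), ("131.107.44.128/27", 20)],
}


def q50_viable():
    """Answer letters whose route is well-formed (B and C; C still points at
    the wrong router, which only the exhibit can tell you)."""
    return sorted(k for k, (dest, gw) in Q50_ROUTES.items()
                  if route_candidate_ok(WKS1_NET, dest, gw))


def q51_valid_plans():
    """Answer letters whose four subnets form a valid plan inside the /22."""
    return sorted(k for k, plan in Q51_PLANS.items()
                  if vlsm_plan_ok("131.107.40.0/22", plan))


if __name__ == "__main__":
    print("Q50 well-formed routes:", q50_viable())
    print("Q51 valid plans:", q51_valid_plans())
    print("Q52 prefix for 2000 subnets:",
          smallest_subnet_prefix("2001:DB8:BBCC::/53", 2000))
```

The strict parsing in ipaddress.ip_network is what catches the two traps the questions rely on: a destination or subnet with host bits set (131.107.40.128/23, 10.128.64.10/26) is rejected outright, and the membership test on the gateway catches a next hop that is not on-link.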

QUESTION 53Your company uses DHCP to lease IPv4 addresses to computers at the main office. A WAN link connects themain office to a branch office.

All computers in the branch office are configured with static IP addresses. The branch office does not useDHCP and uses a different subnet.

You need to ensure that the portable computers can connect to network resources at the main office and thebranch office.

How should you configure each portable computer?

A. Use a static IPv4 address in the range used at the branch office.
B. Use an alternate configuration that contains a static IP address in the range used at the main office.
C. Use the address that was assigned by the DHCP server as a static IP address.
D. Use an alternate configuration that contains a static IP address in the range used at the branch office.

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Since the branch office does not use DHCP, we can specify a valid static IP for it in the alternate configuration on the adapter (the Alternate Configuration tab of the IPv4 properties, set to User configured). At the main office the primary configuration obtains a lease from DHCP as before; at the branch office the DHCP attempts fail and Windows falls back to the alternate (branch office) address instead of an APIPA 169.254.x.x address.

WRONG ANSWERS

A static address in the branch office range (answer A) gives connectivity at the branch office but not at the main office, where that address is on the wrong subnet; we need connectivity at both.

Putting a main office address in the alternate configuration (answer B) is pointless: at the main office DHCP works anyway, and at the branch office DHCP fails, so the alternate main office address gets used on the branch subnet, where it cannot communicate.

Using the address that DHCP assigned as a static address (answer C) gives up the lease management DHCP provides, risks a duplicate address when the DHCP server later hands that address to another client, and still does not work at the branch office.

QUESTION 54You have a Windows Server 2008 R2 computer that has an IP address of 172.16.45.9/21. The server isconfigured to use IPv6 addressing.

You need to test IPv6 communication to a server that has an IP address of 172.16.40.18/21.

What should you do from a command prompt?

A. Type ping 172.16.45.9::

B. Type ping ::9.45.16.172.

C. Type ping followed by the Link-local address of the server.

D. Type ping followed by the Site-local address of the server.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

In IPv6, the link-local address (fe80::/10) is intended for communication on the same link. Both servers are on the same subnet (172.16.40.0/21 covers 172.16.40.0 - 172.16.47.255), so we can ping the other server's link-local address. Because every interface has a link-local address, the address is normally written with a zone ID naming the outgoing interface, for example ping fe80::1%12; without it a computer with more than one interface may not know which link to send on.

Site-local addresses (fec0::/10) were the IPv6 equivalent of IPv4 private addresses, with the whole site as their scope. They have been deprecated, and nothing in the question says one has been assigned here.

172.16.45.9:: is the wrong format for expressing an IPv4 address in IPv6 notation. Not to mention, these octets belong to the server you are testing from, not the server you need to test communication with.

::9.45.16.172 uses the IPv4-compatible form (::w.x.y.z) correctly, but the octets are reversed (not to mention, they are the octets for the server you are testing from, not the server you need to test communication with). IPv4-compatible addresses are deprecated in any case and would not test native IPv6 communication.

QUESTION 55Your network uses IPv4. You install a server that runs Windows Server 2008 R2 at a branch office. The serveris configured with two network interfaces.

You need to configure routing on the server at the branch office.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)


A. Install the Routing and Remote Access Services role service.

B. Run the netsh ras ip set access ALL command.

C. Run the netsh interface ipv4 enable command.

D. Enable the IPv4 Router Routing and Remote Access option.

Correct Answer: AD
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

We need to configure routing on the branch server, which is on an IPv4 network. Routing in Server 2008 is performed through the Routing and Remote Access service, which is available only after the Routing and Remote Access Services role service (part of the broader Network Policy and Access Services role) has been installed. Once installed, the service is enabled from the Routing and Remote Access console, and the IPv4 Router option (on the General tab of the server's properties, or via the setup wizard's custom configuration) is what turns on LAN routing between the two interfaces.

WRONG ANSWERS

netsh ras ip set access ALL
Specifies whether IPv4 network traffic from any client is forwarded to the network or networks to which the remote access server is connected. The all parameter allows clients to reach networks through the server. (MY NOTE: This command could be useful for us, but it applies to remote access clients rather than to LAN routing between the two interfaces, and we need RRAS installed first before we could use this netsh context.)
Reference: http://technet.microsoft.com/en-us/library/cc753735(v=ws.10).aspx

netsh interface ipv4
This netsh context configures the IPv4 settings of the server's own interfaces (addresses, routes and so on), but it does not enable the server as a router.

QUESTION 56Your network contains a server named Server1. Server1 has DirectAccess deployed. A group named Group1 isenabled for DirectAccess.

Users report that when they log on to their computers, the computers are not configured to use DirectAccess.

You need to ensure that the users' computers are configured to use DirectAccess.

What should you do first?

A. On each client computer, add Group1 to the Distributed COM Users group.
B. On each client computer, add Group1 to the Network Configuration Operators group.
C. From Active Directory Users and Computers, add the users' user accounts to Group1.
D. From Active Directory Users and Computers, add the users' computer accounts to Group1.

Correct Answer: D
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Group1 is enabled for DirectAccess, so without being a member of this group a computer never receives the DirectAccess client settings. The setup wizard applies those settings through a Group Policy object whose security filtering is restricted to Group1, and because the settings are computer settings (NRPT rules, IPsec connection security rules, certificate requirements), the filtering only works for computer accounts.

The scenario states that the users' computers need to be configured for DirectAccess, so we add the computer accounts to the group, as opposed to the user accounts. After that, the computers must refresh Group Policy while on the intranet (gpupdate /force or a restart) before they can use DirectAccess.

QUESTION 57Your network contains an Active Directory domain named contoso.com. The network has DirectAccessdeployed.


You deploy a new server named Server1 that hosts a management application. You need to ensure thatServer1 can initiate connections to DirectAccess client computers.

Which settings should you modify from the DirectAccess Setup console?

A. Application Servers
B. DirectAccess Server
C. Infrastructure Servers
D. Remote Clients

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Server1 must be able to reach DirectAccess clients even before a user logs on (the "manage out" scenario), so the clients' infrastructure tunnel has to accept traffic from it. The Infrastructure Servers step of the DirectAccess Setup console is where we tell DirectAccess which DNS, network location and management servers are accessible on the network; adding Server1 to the management servers list there is what lets it initiate connections to the clients.

"The Infrastructure Servers wizard is likely the one you'll revisit the most often. This is where you will specify which hosts the computer accounts can access prior to a user logging onto the computer (like Domain Controllers and virus update servers) and which hosts should not be accessible over DirectAccess (like the NLS and resources you truly want to be available on the Intranet only)."
Reference: http://blog.concurrency.com/infrastructure/uag-directaccess-infrastructure-servers-wizard/

The Application Servers step, by contrast, only controls whether end-to-end IPsec authentication is required for selected application servers; it does not let a server open connections to clients.

QUESTION 58Your network contains a client computer named Computer1 that runs Windows 7. Computer1 is configured touse DirectAccess.

You need to identify the URL of the network location server that Computer1 is configured to use.

What should you do?

A. From a command prompt, run ipconfig.exe /displaydns.

B. From a command prompt, run netsh.exe namespace show policy .

C. From Control Panel, run the Network Adapter Troubleshooter.

D. From the Network Connection Status window, view the Network Connection Details.

Correct Answer: B
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

To ensure that the FQDN of the network location server is reachable for a DirectAccess client with Forefront UAG DirectAccess-based rules in the NRPT, the Forefront UAG DirectAccess Configuration Wizard by default adds the FQDN of the network location server as an exemption rule to the NRPT.
http://technet.microsoft.com/en-us/library/ee809056.aspx

MY NOTE: So, the NRPT shows us where the network location server is. How do we find that information?

netsh.exe namespace show policy
This command shows the rules in the NRPT (Name Resolution Policy Table) on a DirectAccess client. The network location server shows up as the exemption rule (a name with no DNS servers listed), which is the name the client probes over HTTPS to decide whether it is on the intranet.
Reference: http://technet.microsoft.com/en-us/library/ee624067%28v=ws.10%29.aspx

Network Connection Details will tell us the connectivity status and addresses of the local adapter, but will not show us anything about the NLS that has been configured.

ipconfig.exe /displaydns
This command dumps the local DNS resolver cache (names the client has recently resolved), not the NRPT and not the NLS URL being used for DA.

The Network Adapter Troubleshooter, as the name implies, is used to troubleshoot problems with the adapter. We just need to identify information associated with it.

QUESTION 59Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

You plan to deploy DirectAccess. You need to configure the DNS servers on your network to supportDirectAccess.

What should you do?

A. Modify the GlobalQueryBlockList registry key and restart the DNS Server service.

B. Modify the EnableGlobalNamesSupport registry key and restart the DNS Server service.

C. Create a Trust Anchor that uses a certificate issued by an internal certification authority (CA).

D. Create a Trust Anchor that uses a certificate issued by a publicly trusted certification authority (CA).

Correct Answer: A
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

In order for DNS to support DirectAccess, ISATAP (the IPv6 transition tunneling DirectAccess uses on the intranet) must be removed from the DNS global query block list. By default that list contains both wpad and isatap, and the DNS server silently refuses to answer queries for those names even if a record exists. Using dnscmd, the list is replaced with one that contains only wpad:
dnscmd /config /globalqueryblocklist wpad

The same change can be made by removing the name ISATAP from the GlobalQueryBlockList value under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

For the changes to take effect, you must restart the DNS Server service:
net stop dns
net start dns

To confirm the current list, run dnscmd /info /globalqueryblocklist. The change is per server, so it has to be made on every DNS server that hosts the zone; otherwise the ISATAP router name resolves from some servers and not others.

Reference: http://technet.microsoft.com/en-us/library/ee649158(v=ws.10).aspx

WRONG ANSWERS

EnableGlobalNamesSupport, as it implies, would allow support for a GlobalNames zone (single-label name resolution without WINS), but this is not something we need.

A trust anchor is a public key used in DNSSEC validation of zone data. DNSSEC authenticates DNS responses (it does not encrypt them), and it is not needed for DirectAccess.
Reference: http://technet.microsoft.com/en-us/library/ee649280%28v=ws.10%29.aspx

QUESTION 60Your network contains a server named Server1.contoso.com. Server1 is located on the internal network.


You have a client computer named Computer1 that runs Windows 7. Computer1 is located on a public networkthat is connected to the Internet. Computer1 is enabled for DirectAccess.

You need to verify whether Computer1 can resolve Server1 by using DirectAccess.

Which command should you run on Computer1?

A. nbtstat.exe -a server1.contoso.com

B. netsh.exe dnsclient show state

C. nslookup.exe server1.contoso.com

D. ping.exe server1.contoso.com

Correct Answer: DSection: 70-648 Configuring Network AccessExplanation

Explanation/Reference:Explanation:

ping.exe is the tool we use for verifying connectivity, regardless of whether DirectAccess is being used or not.

WRONG ANSWERS

netsh.exe dnsclient show state This command shows the settings for the Name Resolution Policy Table (NRPT) on a DirectAccess client,including where the client is located (either on the intranet or on the Internet), whether the client has beenconfigured with DirectAccess NRPT rules, and whether the rules are enabled. (MY NOTE: We don't needlocation or configuration info. for our client ,we need to know if'ts able to resolve the address forServer1.)Reference: http://technet.microsoft.com/en-us/library/ee624067%28v=ws.10%29.aspx

nslookup.exe helps verify that Server1 is working as a DNS server and returning the right records to clients that query it.

nbtstat.exe will show the NetBIOS resolution table of Server1. This is not used in DirectAccess.

QUESTION 61

Your network contains a server named Server1 that runs Windows Server 2008 R2. You plan to deploy DirectAccess on Server1.

You need to configure Windows Firewall on Server1 to support DirectAccess connections.

What should you allow from Windows Firewall on Server1?

A. ICMPv6 Echo Requests
B. ICMPv6 Redirect
C. IGMP
D. IPv6-Route

Correct Answer: A
Section: 70-648 Configuring Network Access

Explanation/Reference:


Explanation:

To provide connectivity for Teredo-based DirectAccess clients, you need to configure Windows Firewall with Advanced Security rules for all of your domain member computers to allow Internet Control Message Protocol for Internet Protocol version 6 (IPv6) (ICMPv6) Echo Request messages.

Reference: http://technet.microsoft.com/en-us/library/ee649189%28v=ws.10%29.aspx

QUESTION 62

Your network contains a computer named Computer1 that runs Windows 7.

You need to verify if Computer1 has active DirectAccess connections to the network.

What should you do?

A. From Network Connections, right-click the active network connection, and then click Status.
B. From Network Connections, select the active network connection, and then click Diagnose this connection.
C. From Windows Firewall with Advanced Security, click Monitoring, and then click Connection Security Rules.
D. From Windows Firewall with Advanced Security, click Monitoring, click Security Associations, and then click Main Mode.

Correct Answer: D
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

DirectAccess uses IPsec for encryption and authentication. In Server 2008, IPsec is managed through Windows Firewall with Advanced Security. Main Mode negotiation is used to establish secure channels, so this is the area of WFAS we need to check to be sure the connection is active and working.

WRONG ANSWERS

Connection Security Rules are applied before machines can communicate and secure information. Monitoring this information would not let us see if the connection is active.

Viewing the status of the active network connection will only provide us information about Computer1's adapter, and will not report any information about the DirectAccess connection.

'Diagnose this connection' is used to fix a broken connection by performing a series of common troubleshooting steps for resetting connections. We do not have any indication that a connection is broken here; we just need to verify DA is working (which assumes the network adapter is working).

QUESTION 63

Your network contains a server that has the SNMP Service installed.

You need to configure the SNMP security settings on the server.

Which tool should you use?

A. Local Security Policy
B. scw

C. secedit

D. Services console


Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

SNMP settings are configured from the properties of the service in the Services console.

WRONG ANSWERS

secedit configures and analyzes system security by comparing your current configuration to at least one template.

Reference: http://technet.microsoft.com/en-us/library/bb490997.aspx

scw is a shortcut for launching the Server Configuration Wizard. We might be able to add/remove the SNMP feature here, but not configure its settings.

There are 3 local policies for SNMP that can be configured, but they manage how traps are configured, who can configure SNMP, and which communities can be queried from the server.

Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa377961%28v=vs.85%29.aspx

QUESTION 64

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the SNMP Service installed. You perform an SNMP query against Server1 and discover that the query returns the incorrect identification information.

You need to change the identification information returned by Server1.

What should you do?

A. From the properties of the SNMP service, modify the Agent settings.
B. From the properties of the SNMP service, modify the General settings.
C. From the properties of the SNMP Trap service, modify the Logon settings.
D. From the properties of the SNMP Trap service, modify the General settings.

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

SNMP agent information is found on the Agent tab on the SNMP service properties.

To configure SNMP agent information:
1. Click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.
2. In the console tree, expand Services and Applications, and then click Services.
3. In the right pane, double-click SNMP Service.
4. Click the Agent tab.
(...)

Reference: http://support.microsoft.com/kb/324263

WRONG ANSWERS


The General tab of a service's properties lets you control the startup type of the service, and lets you Start/Stop/Restart the service as well.

The SNMP Trap service is used to allow a server to forward its SNMP data to another server.

QUESTION 65

You need to capture the HTTP traffic to and from a server every day between 09:00 and 10:00.

What should you do?

A. Create a scheduled task that runs the Netsh tool.

B. Create a scheduled task that runs the Nmcap tool.

C. From Network Monitor, configure the General options.
D. From Network Monitor, configure the Capture options.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

Network Monitor does not provide its own scheduling options, but instead works with Microsoft's built-in Task Scheduler. So we need to create a new task, which means we have to specify a fully working command.

nmcap is the fully functional command-line interface for Network Monitor.

netsh is used for configuring a variety of server roles and networking components.

QUESTION 66

You perform a security audit on a server named Server1. You install the Microsoft Network Monitor 3.0 application on Server1.

You find that only some of the captured frames display host mnemonic names in the Source column and the Destination column. All other frames display IP addresses.

You need to display mnemonic host names instead of IP addresses for all the frames.

What should you do?

A. Create a new display filter and apply the filter to the capture.
B. Create a new capture filter and apply the filter to the capture.
C. Populate the Aliases table and apply the aliases to the capture.
D. Configure the Network Monitor application to enable the Enable Conversations option. Recapture the data to a new file.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

Aliases allow you to turn IP addresses into names that make sense in a particular network capture. For example, you could label one machine as 'Server' and another machine as 'Client'.

Reference: http://www.petri.co.il/microsoft-network-monitoring-part-2.htm


QUESTION 67

Your network contains an Active Directory domain named contoso.com. The network is configured to use ISATAP.

You have a server named Server1 that runs Windows Server 2008 R2.

On Server1, you discover that a tunnel adapter named isatap.contoso.com has a media state of "Media disconnected".

You confirm that Server1 has a valid network connection and can query the DNS server.

You need to ensure that the isatap.contoso.com tunnel adapter has an IPv6 address.

What should you do?

A. Start the IP Helper service.
B. Start the IPsec Policy Agent service.
C. Add a new rule to Windows Firewall.
D. Add an entry for ISATAP to the Hosts file.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

The IP Helper service works with the IPv6 protocol, of which ISATAP tunneling is a feature. This service specifically loads network configuration, so starting it should restore the ISATAP tunnel. (The question specifies that the network connection of the server is valid; only the tunnel is down.)

WRONG ANSWERS

The purpose of the IPsec Policy Agent is to retrieve policy information and pass it to other IPsec components that require this information to perform security services. We are not dealing with an IPsec tunnel, so you would not start this service.

Reference: http://technet.microsoft.com/en-us/library/cc782987%28v=ws.10%29.aspx

Windows Firewall rules are used to work with IPSec tunnels, not ISATAP tunnels.

The Hosts file controls name resolution. This would let us specify what IP address isatap.contoso.com gets resolved to by other clients, but would not restore the ISATAP tunnel. We are told Server1 already has a valid connection, so its endpoint should be able to resolve the address.

QUESTION 68

Your company has a branch office that contains 1,000 computers.

You need to select a network address that supports 1,000 computers in the same subnet. The solution must minimize the number of unused addresses in the subnet.

Which address range should you configure?

A. 172.16.0.0/16
B. 172.16.0.0/18
C. 172.16.0.0/22
D. 172.16.0.0/24

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

A standard /24 subnet allows for 254 hosts, so it will not work. We need more hosts, so we have to shorten our subnet mask. Each bit we remove doubles the number of supported hosts. This means a /22 subnet gives us 1,022 hosts, just enough to cover our scenario.

The /16 and /18 subnets might work, but would allow for a massive number of hosts beyond the 1,000 needed.

QUESTION 69

Your network contains a computer named Computer1. Computer1 is assigned an IP address of 192.168.1.112/26.

Your company's corporate policy states that the first usable address in each subnet is allocated to the default gateway.

You need to configure the default gateway for Computer1.

Which address should you choose?

A. 192.168.1.1
B. 192.168.1.63
C. 192.168.1.65
D. 192.168.1.93

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

A /26 subnet mask is 2 bits longer than the Class C (/24) mask, which allows 256 addresses. Each additional bit halves the number of available hosts. This means we have 64 addresses on each subnet.

So our first network in our scenario would end with 192.168.1.64, and the next network would start with 192.168.1.65, which is also the gateway address.
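The arithmetic behind Q68 and Q69 can be checked with the following Python script, an added example that is not part of the original exam dump; it uses only the standard library's ipaddress module and the addresses given in the two questions.

```python
import ipaddress

# Constructed inputs taken from the two exam scenarios above.
REQUIRED_HOSTS = 1000
CANDIDATE_PREFIXES = (16, 18, 22, 24)          # Q68 answer options
HOST_ADDRESS = "192.168.1.112/26"              # Q69 client address


def usable_hosts(prefix_len: int) -> int:
    """Usable IPv4 host addresses for a prefix length.

    The network and broadcast addresses are excluded; /31 and /32 have no
    conventional host range, so they are rejected.
    """
    if not 0 <= prefix_len <= 30:
        raise ValueError("prefix length must be between 0 and 30")
    return 2 ** (32 - prefix_len) - 2


def unused_addresses(prefix_len: int, required_hosts: int) -> int:
    """Host addresses left over for a prefix (negative means it is too small)."""
    return usable_hosts(prefix_len) - required_hosts


def tightest_prefix(required_hosts: int, candidates=CANDIDATE_PREFIXES) -> int:
    """Pick the candidate prefix that fits the hosts with the least waste.

    Each bit removed from the mask doubles the block, so the longest prefix
    that still fits is the one with the fewest unused addresses.
    """
    fitting = [p for p in candidates if usable_hosts(p) >= required_hosts]
    if not fitting:
        raise ValueError("no candidate prefix is large enough")
    return max(fitting)


def subnet_facts(host_cidr: str) -> dict:
    """Boundaries of the subnet that a host address belongs to.

    ip_interface() derives the containing network (strict=False), so the
    host bits of the given address are masked off for us.
    """
    iface = ipaddress.ip_interface(host_cidr)
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(net.network_address + 1),
        "last_usable": str(net.broadcast_address - 1),
        "block_size": net.num_addresses,
    }


def default_gateway_for(host_cidr: str) -> str:
    """First usable address of the host's subnet, per the policy stated in Q69."""
    return subnet_facts(host_cidr)["first_usable"]


if __name__ == "__main__":
    print("Q68: hosts per candidate prefix")
    for p in CANDIDATE_PREFIXES:
        print(f"  /{p}: {usable_hosts(p):>6} usable, "
              f"{unused_addresses(p, REQUIRED_HOSTS):>6} unused")
    print(f"  tightest fit for {REQUIRED_HOSTS} hosts: /{tightest_prefix(REQUIRED_HOSTS)}")

    print(f"Q69: subnet containing {HOST_ADDRESS}")
    for key, value in subnet_facts(HOST_ADDRESS).items():
        print(f"  {key:<13}{value}")
    print(f"  default gateway: {default_gateway_for(HOST_ADDRESS)}")
```

Running it shows that 192.168.1.112/26 sits in the 192.168.1.64/26 block (addresses .64 through .127), whose network address is .64 and whose first usable host, and therefore the gateway, is .65.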

QUESTION 70

Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2.

You have an IPv6-only infrastructure that has multiple subnets. You deploy a new server named Server1.

You need to ensure that Server1 can communicate with the client computers in all of the internal subnets. The solution must use an address that is reserved for internal networks.

Which address should you assign?

A. 2001::68c0:9f7c:8393:c214
B. fc00::68c0:9f7c:8393:c214
C. fe80::68c0:9f7c:8393:c214
D. ff02::68c0:9f7c:8393:c214

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

The fc00:: prefix is reserved for unique local (internal network) addressing. This is the prefix we should be assigning an address from.

WRONG ANSWERS

The fe80:: prefix is reserved for link-local addressing (local subnet only). This would restrict communication to only 1 subnet, not allow communication with all of them.

The ff02:: prefix is reserved for multicasting, sending a packet to multiple addresses at once. This does not necessarily ensure communication with all such clients or subnets.

The 2001:: prefix is reserved for Teredo addressing (IPv6 clients in an IPv4 network).

Reference: http://www.sabi.co.uk/Notes/swIPv6Prefixes.html
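The prefix reasoning for Q70 above, as an added Python example that is not part of the original exam dump: it classifies each candidate address against the well-known IPv6 prefix allocations and keeps only the one that is both internal and routable across subnets. The prefix table is written out explicitly rather than taken from the page.

```python
import ipaddress

# Candidate addresses from the question (constructed input for this example).
CANDIDATES = (
    "2001::68c0:9f7c:8393:c214",
    "fc00::68c0:9f7c:8393:c214",
    "fe80::68c0:9f7c:8393:c214",
    "ff02::68c0:9f7c:8393:c214",
)

# Well-known prefix allocations, most specific first; "scope" says how far a
# packet addressed there can travel. Prefixes are matched explicitly instead
# of using IPv6Address.is_private / is_global, whose notion of "private"
# covers more than the unique-local range and would mislead here.
# Note: RFC 4193 defines fc00::/7 as unique local; the locally assigned half
# in practical use is fd00::/8, but the exam option uses fc00::.
PREFIX_TABLE = (
    (ipaddress.IPv6Network("ff02::/16"), "multicast, link-local scope", "one link"),
    (ipaddress.IPv6Network("ff00::/8"),  "multicast",                   "varies"),
    (ipaddress.IPv6Network("fe80::/10"), "link-local unicast",          "one link"),
    (ipaddress.IPv6Network("fc00::/7"),  "unique local unicast",        "whole site"),
    (ipaddress.IPv6Network("2001::/32"), "Teredo (global unicast)",     "Internet"),
    (ipaddress.IPv6Network("2000::/3"),  "global unicast",              "Internet"),
)


def classify(addr: str) -> tuple:
    """Return (label, scope) for the first well-known prefix containing addr."""
    ip = ipaddress.IPv6Address(addr)
    for net, label, scope in PREFIX_TABLE:
        if ip in net:
            return label, scope
    return "unassigned/other", "unknown"


def is_internal_and_routable(addr: str) -> bool:
    """True for addresses that stay inside the organisation yet cross subnets.

    Only unique local addresses satisfy both requirements of Q70: link-local
    never leaves one link, multicast is not a unicast host address, and
    global prefixes are meant to be reachable from the Internet.
    """
    return classify(addr)[0] == "unique local unicast"


def choose_server_address(candidates=CANDIDATES) -> list:
    """Filter the candidate list down to the ones that fit the requirement."""
    return [a for a in candidates if is_internal_and_routable(a)]


def cross_check(addr: str) -> dict:
    """Compare the table's verdict with the stdlib's own scope flags."""
    ip = ipaddress.IPv6Address(addr)
    return {
        "link_local": ip.is_link_local,
        "multicast": ip.is_multicast,
        "label": classify(addr)[0],
    }


if __name__ == "__main__":
    for a in CANDIDATES:
        label, scope = classify(a)
        print(f"{a:<30} {label:<30} reach: {scope}")
    print("fits Q70:", choose_server_address())
```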

QUESTION 71

Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has a single network connection.

The connection is configured to use a default gateway address of 10.0.0.1. The default gateway has a metric value of 100.

You configure a second default gateway that uses an address of 10.0.0.2.

You need to ensure that 10.0.0.2 is only used as the default gateway if 10.0.0.1 is unreachable.

What should you do?

A. For the interface, set the interface metric to 100.
B. For the 10.0.0.2 gateway, set the metric to 50.
C. For the 10.0.0.2 gateway, set the metric to 200.
D. For the 10.0.0.1 gateway and the 10.0.0.2 gateway, enable automatic metric.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Each of the answers mentions configuring a metric, which you hopefully know is a value that specifies which routes should "cost" more than others. A lower metric is a "cheaper" route and will be used by the router before other options.

We want 10.0.0.2 to be used only if 10.0.0.1 is unreachable, so we basically want it to have a higher "cost", or metric. Since the default gateway has a metric of 100, only specifying a metric of 200 for 10.0.0.2 will work.


WRONG ANSWERS

Automatic metric sounds like something that would work, but according to Microsoft:

The Automatic Metric feature can be useful when the routing table contains multiple routes for the same destination. For example, if you have a computer with a 10 megabit (Mb) network interface and a 100 Mb network interface, and the computer has a default gateway that is configured on both network interfaces, the Automatic Metric feature assigns a higher metric to the slower network interface. This feature can force all of the traffic that is destined for the Internet, for example, to use the fastest network interface that is available.

Reference: http://support.microsoft.com/kb/299540

A metric of 50 will force 10.0.0.2 to always be used before 10.0.0.1 - achieving the opposite of what we want.

I am not clear on what "interface" we might set a metric for, but notice a metric of 100 matches the metric of the current default gateway, balancing the load of your traffic. This is not the desired effect.

QUESTION 72

Your network contains a server named Server1 that has the Routing role service installed. Server1 has two network connections. One network connection connects to the internal network. The other network connection connects to the Internet. All network connections connected to the internal network use private IP addresses.

You install a Web server named Web1. Web1 hosts a secured Web site that only allows connections over TCP port 8281. Web1 is connected to the internal network.

You need to ensure that the secure Web site can be accessed from the Internet.

What should you do from the Routing and Remote Access console?

A. Configure Routing Information Protocol (RIP), and then activate authentication on the RIP interface.
B. Configure Routing Information Protocol (RIP), and then configure the incoming packet protocol settings on the RIP interface.
C. Configure Network Address Translation (NAT), and then add a new service to the NAT interface.
D. Configure Network Address Translation (NAT), and then enable the Secure Web Server (HTTPS) service on the NAT interface.

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Web1 is part of the internal network. In order for private hosts like Web1 to be reached from the Internet, NAT must be used to translate requests to the specific interface. You would not enable the HTTPS service because this uses port 443. The secure web site on Web1 is configured for port 8281. Thus, we need to create a custom service on the NAT interface for this port.

RIP is used for configuring routes between 2 routing servers.

QUESTION 73

Your network contains the servers configured as shown in the following table.


Your company is assigned the public IP addresses from 131.107.0.1 to 131.107.0.31.

You need to ensure that Web1 is accessible from the Internet by using https://131.107.0.2.

What should you do from the Routing and Remote Access console?

A. From the Static Routes node, configure a static route.
B. From the server properties, configure SSL Certificate Binding.
C. From the NAT interface, add an address pool and a reservation.
D. From the NAT interface, configure the Secure Web Server (HTTPS) service.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Web1 currently doesn't have a public IP assigned to it, so it won't be accessible from the Internet by a public IP in our reserved range. This means we need to assign a public IP to it from our pool.

In the RRAS console, this is done from the Address Pool tab (which specifically appears only when NAT is configured as a public interface connected to the Internet!). Unfortunately, as per the article below, we must configure at least 1 address pool before creating a reservation. That is why both things need to be done here.

Reference: http://technet.microsoft.com/en-us/library/cc730615%28v=ws.10%29.aspx

QUESTION 74

Your network contains multiple servers that run Windows Server 2008 R2. The servers have the Routing and Remote Access Services (RRAS) role service installed. The servers are configured to support Routing Information Protocol (RIP).

You need to prevent the server from receiving routes for the 10.0.0.0 network.

What should you do from the Routing and Remote Access console?

A. From the RIP properties page, modify the General settings.
B. From the RIP properties page, modify the Security settings.
C. From the RIP interface properties page, modify the Security settings.
D. From the RIP interface properties page, modify the Neighbors settings.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

IPv4 - RIP - Interface Properties - Security Tab
Dialog box element: Ignore all routes in the ranges listed
Description: For incoming routes: Specifies that the router looks at each route entry in an incoming RIP announcement and discards the route if it falls into one of the ranges listed.

Reference: http://technet.microsoft.com/en-us/library/cc771587%28v=ws.10%29.aspx


WRONG ANSWERS

IPv4 - RIP Properties - Security Tab
This contains settings for how announcements are accepted from routers, as well as the IP of the router and other routers in the setup.

Reference: http://technet.microsoft.com/en-us/library/cc772584%28v=ws.10%29.aspx

IPv4 - RIP - Interface Properties - Neighbors Tab
This contains settings to specify how RIP announcements are sent to neighboring routers.

Reference: http://technet.microsoft.com/en-us/library/cc733164(v=ws.10).aspx

IPv4 - RIP Properties - General Tab
This contains settings for how to log data and what interval to use for updates to routes.

Reference: http://technet.microsoft.com/en-us/library/cc772578%28v=ws.10%29.aspx

QUESTION 75

Your network contains a server named Server1 that runs Windows Server 2008 R2. The network contains multiple subnets.

An administrator reports that Server1 fails to communicate with computers on remote subnets. You run route.exe print on Server1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that Server1 can communicate with all computers on the network.

What should you do?

Exhibit:


A. Disable IPv6.
B. Change the subnet mask.
C. Add a default gateway address.
D. Change the default metric to 100.

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Communication with remote subnets requires a valid gateway for the packets to be routed to. In the exhibit, however, the gateway for all routes is "On-link". This means that these addresses will not be routed through another network. Therefore, we need to specify a gateway so that the addresses are routed to the remote networks.

Reference: http://think-like-a-computer.com/2011/08/24/the-routing-table/

WRONG ANSWERS

Changing the metric to 100 will specify a certain route as "cheaper" for the interface to use for traffic, but currently remote communication isn't even working.

While having IPv6 enabled can cause problems at times with servers trying to communicate on networks not designed around IPv6, disabling it will not allow communication with other subnets.

Changing the subnet mask will make the problem worse, as it will define Server1 to be in a different network segment altogether (not even able to communicate with hosts on the same physical network!).

QUESTION 76

Your network contains two servers named Server1 and Server2. Server1 and Server2 run the Server Core installation of Windows Server 2008 R2.

You need to duplicate the Windows Firewall configurations from Server1 to Server2.

What should you use?

A. the Get-Item and the Set-Item cmdlets

B. the Get-Service and the Set-Service cmdlets

C. the netsh tool

D. the sconfig tool

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

NETSH (Network Shell)

Configure Network Interfaces, Windows Firewall, Routing & remote access.

(...)

dump - Display a configuration script.
netsh dump - Create a script that contains the current configuration. If saved to a file, this can be used to restore the configuration settings.

exec - Run a script file.
exec - Load a script file and run it.

Reference: http://ss64.com/nt/netsh.html

WRONG ANSWERS

...in Windows Server 2008 R2, there's an easy to use CLI, SCONFIG. SCONFIG dramatically eases server configuration for Windows Server 2008 R2 core deployments.

Reference: http://blogs.technet.com/b/virtualization/archive/2009/07/07/windows-server-2008-r2-core-introducing-sconfig.aspx

The Get-Service and Set-Service cmdlets let you view services and their properties, or change their parameters.

Similarly, Get-Item and Set-Item allow you to retrieve, edit and save namespace objects (files, registry entries, etc.).


QUESTION 77

Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 has several custom inbound rules and connection security rules.

You need to duplicate the Windows Firewall rules from Server1 to Server2.

What should you do on Server1?

A. At the Command Prompt, run netsh.exe advfirewall dump.

B. At the Command Prompt, run netsh.exe advfirewall show > firewall.txt.

C. From the Windows Firewall with Advanced Security console, click Export Policy.
D. From the Windows Firewall with Advanced Security console, click the Connection Security Rules node, and then click Export List.

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

We need to export the settings from Server1 and then import them to Server2. You can replicate firewall configurations using the WFAS Import Policy and Export Policy options found in the WFAS snap-in or console.

Reference: http://www.windows7library.com/blog/util/windows-firewall-with-advanced-security-wfas-basics/

WRONG ANSWERS

Clicking Export List from the Connection Security Rules context will give us a way to duplicate Connection Security Rules only, not Windows Firewall rules.

netsh.exe advfirewall dump
This command is available for some netsh contexts, but is not implemented for the netsh advfirewall context or any of its three subcontexts. It produces no output, but also generates no error.

netsh.exe advfirewall show
Displays settings that apply globally, or to the per-profile configurations of Windows Firewall with Advanced Security. (MY NOTE: The > firewall.txt will redirect this display to a file called firewall.txt.)

Reference: http://technet.microsoft.com/en-us/library/cc771920%28v=ws.10%29.aspx

QUESTION 78

Your network contains two Active Directory sites named Site1 and Site2. Site1 contains a server named Server1. Server1 runs a custom application named App1.

Users in Site2 report that they cannot access App1 on Server1. Users in Site1 can access App1.

Server1 has a Windows Firewall with Advanced Security rule named Rule1. You discover that Rule1 blocks the connection to App1.

You verify that Server1 has no connection security rules. You need to ensure that the Site2 users can connect to Server1.

What should you modify in Rule1?

A. the Authorized Computers list
B. the Authorized Users list
C. the Edge Traversal settings
D. the Scope

Correct Answer: D
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

We are informed that there are no Connection Security Rules. This simplifies troubleshooting, in that it allows us to focus only on which aspect of Rule1 may be blocking the connection.

The Authorized Users and Authorized Computers lists allow us to limit connections from specific users/computers, but we are not told that only specific users/computers are being restricted. We are informed that all users in Site2 cannot access App1. This is likely because the firewall rule has a scope limiting it to Site1 only. So if we change the scope, we can make sure the rule also applies to users in Site2's subnet.

Edge traversal is used to allow an application, service or port to be accessible from outside a NAT or edge device (when tunneling between 2 networks of different security levels). Site1 and Site2 are 2 AD sites, but we are given no indication they are separated by uniquely different network devices (and we would not expect this, since they are both on the internal network).

QUESTION 79

Your network contains a server named Server1 that has Windows Server 2008 R2. An administrator runs the following command on Server1: netsh.exe advfirewall reset

You discover that you can no longer access Server1 on port 3389. You need to ensure that you can access Server1 on port 3389.

Which firewall rule should you enable?

A. File and Printer Sharing (Echo Request ICMPv4-In)
B. File and Printer Sharing (SMB-In)
C. Remote Desktop (TCP-In)
D. Remote Service Management (RPC)

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Port 3389 is used by Remote Desktop.

RPC uses TCP and UDP ports 80, 443 and 593 (HTTP), as well as 445 (Named Pipes) and 135 (Endpoint Mapper), and a dynamic port for each program that uses the service.

File and Printer Sharing (SMB) uses TCP ports 139 and 445, and UDP ports 137 and 138.

Reference: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Enabling the File and Printer Sharing (Echo Request ICMPv4-In) rule would allow IPv4 ping requests to Server1.

QUESTION 80

Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 hosts a custom application named App1. App1 is accessible on TCP port 5000.

You need to encrypt App1 data on the network.

What should you do?

A. From the Local Security Policy console, configure the Security options.
B. From the Local Security Policy console, configure the Application Control policies.
C. From the Windows Firewall with Advanced Security console, create an Inbound Rule.
D. From the Windows Firewall with Advanced Security console, create a Connection Security Rule.

Correct Answer: D
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Since we want to encrypt data on the local network, we have to create a Connection Security rule in WFAS.

WRONG ANSWERS

An Inbound Rule would allow us to block / allow certain traffic coming into the server, but does not provide encryption.

Application control policies specify which programs are allowed to run on the local computer and which are not.

Reference: http://technet.microsoft.com/en-us/library/hh125923%28v=ws.10%29.aspx

In the Local Security Policy console, Security Options allows you to configure a number of policies related to user accounts, logons, network access, devices and network security, restricting access to certain features of Windows. This does not provide encryption.

QUESTION 81

Your network contains an Active Directory domain. All client computers run Windows XP Service Pack 3 (SP3). The domain contains a member server named Server1 that runs Windows Server 2008 R2.

On Server1, you create a connection security rule that requires authentication for inbound and outbound connections. You configure the connection security rule to use Kerberos authentication.

You need to ensure that the client computers can connect to Server1. The solution must ensure that all connections to Server1 are encrypted.

What should you do?

A. From the Windows Firewall with Advanced Security console, create an inbound rule on Server1.
B. From the Windows Firewall with Advanced Security console, create an outbound rule on Server1.
C. From a Group Policy object (GPO), enable the Client (Respond Only) IPsec policy on all client computers.
D. From a Group Policy object (GPO), configure the Network Security: LDAP client signing requirements policy setting for all client computers.

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:


Explanation:

You've created a rule that requires authentication, but have not configured clients with an IPsec policy to respond to these requests. So the simplest fix is obviously to deploy a Client (Respond Only) policy.

WRONG ANSWERS

LDAP client signing requirements: This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests.
Reference: http://technet.microsoft.com/en-us/library/cc738915%28v=ws.10%29.aspx

WFAS rules are for restricting packets to a server, not encrypting. Creating a connection security rule was the right move, so we should be able to encrypt our connections if we configure everything right.

QUESTION 82
Your network contains one Active Directory domain. You have a member server that runs Windows Server 2008 R2.

You need to immediately disable all incoming connections to the server.

What should you do?

A. From the Services snap-in, disable the IP Helper.

B. From the Services snap-in, disable the Netlogon service.

C. From Windows Firewall, enable the Block all connections option on the Public profile.

D. From Windows Firewall, enable the Block all connections option on the Domain profile.

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

If we block all connections on the Domain profile, then all network connections on the domain will get dropped.

WRONG ANSWERS

The scenario states we are set up in an AD domain, and we are not explicitly told that we are in any kind of perimeter network (which would usually not involve a domain computer but a standalone one). So blocking connections for the Public profile will not stop connections from the domain.

Every Windows NT workstation, server, or domain controller has a Netlogon service. This service is responsible for communication between systems in response to a logon request, a domain synchronization request, and a request to promote a Backup Domain Controller (BDC) to a Primary Domain Controller (PDC). (MY NOTE: This would prevent the server from processing logon requests)
Reference: http://windowsitpro.com/windows-server/netlogon-service

IP Helper (service name 'iphlpsvc') is apparently designed to improve a Windows PC's support for the IPv6 network protocol.
Reference: http://compnetworking.about.com/b/2009/09/03/ip-helper-windows-vista-service.htm

QUESTION 83
Your network consists of a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2.


All client computers run Windows 7. All computers are members of the Active Directory domain.

You assign the Secure Server (Require Security) IPsec policy to Server1 by using a Group Policy object (GPO).

Users report that they fail to connect to Server1.

You need to ensure that users can connect to Server1. All connections to Server1 must be encrypted.

What should you do?

A. Restart the IPsec Policy Agent service on Server1.

B. Assign the Client (Respond Only) IPsec policy to Server1.

C. Assign the Server (Request Security) IPsec policy to Server1.

D. IPsec policy to all client computers.

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

You've assigned a policy that requires security, but have not configured clients with an IPSec policy to respond to these requests. So the simplest fix is obviously to deploy a Client (Respond Only) policy. This needs to be assigned to all client computers that will connect to Server1, not to Server1 itself.

WRONG ANSWERS

Server (Request Security) would conflict with the existing Require Security policy, and could potentially allow clients to communicate that are not encrypting.

The purpose of the policy agent is to retrieve IPSec policy information and pass it to the other IPSec mechanisms that require that information to perform security services. (MY NOTE: Although IPSec communication is not working, we have no indication the clients have been assigned a policy, so we shouldn't worry yet about the Policy Agent)
Reference: http://technet.microsoft.com/en-us/library/cc959531.aspx

QUESTION 84
Your company has a server that runs Windows Server 2008 R2. You have a new application that locates remote resources by name. The new application requires IPv6.

You need to ensure that the application can locate remote resources by using IPv6.

What should you do?

A. Create a new Pointer (PTR) DNS record.

B. Create a new Quad-A (AAAA) DNS record.

C. Create a new Signature (SIG) DNS record.

D. Create a new Route Through (RT) DNS record.

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services
Explanation


Explanation/Reference:
Explanation:

DNS host records (A) are used to locate remote resources by name (translating them to an IP). In IPv6, the host record is known as a Quad-A (AAAA) record.

WRONG ANSWERS

PTR records are used for reverse DNS (locating a name for a particular IP), so adding a new PTR record achieves the opposite of what we need.

A SIG record is used in DNSSEC (secure DNS). We are not told we have or need such an environment.
Reference: http://en.wikipedia.org/wiki/List_of_DNS_record_types

The route through (RT) resource record specifies an intermediate host that routes packets to a destination host. This is typically used in conjunction with X.121 addresses on an X.25 network.
Reference: http://technet.microsoft.com/en-us/library/cc958958.aspx

QUESTION 85
Your corporate network has a member server named RAS1 that runs Windows Server 2008 R2. You configure RAS1 to use the Routing and Remote Access Services (RRAS). The company's remote access policy allows members of the Domain Users group to dial in to RAS1. The company issues smart cards to all employees.

You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection.

What should you do?

A. Install the Network Policy Server (NPS) server role on RAS1.

B. Create a remote access policy that requires users to authenticate by using SPAP.

C. Create a remote access policy that requires users to authenticate by using EAP-TLS.

D. Create a remote access policy that requires users to authenticate by using MS-CHAP v2.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

VPN server software requirements for smart card access are relatively straightforward. The remote access servers must run Windows 2000 Server or later, have Routing and Remote Access enabled, and must support Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).
Reference: http://technet.microsoft.com/en-us/library/cc875840.aspx

QUESTION 86
You perform a security audit of a server named DC1. You install the Microsoft Network Monitor 3.0 application on DC1.

You plan to capture all the LDAP traffic that comes to and goes from the server between 20:00 and 07:00 the next day and save it to the E:\data.cap file.

You create a scheduled task. You add a new Start a program action to the task. You need to add the application name and the application arguments to the new action.

What should you do?


A. Add nmcap.exe as the application name. Add the /networks * /capture LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.

B. Add netmon.exe as the application name. Add the /networks * /capture LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.

C. Add nmcap.exe as the application name. Add the /networks * /capture !LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.

D. Add nmconfig.exe as the application name. Add the /networks * /capture &LDAP /file e:\data.cap /stopwhen /timeafter 11hours line as arguments.

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

nmcap.exe is the command-line utility for capturing packets with Network Monitor. Specifying !LDAP will capture everything but LDAP traffic, so we would not want the ! in front of LDAP.

netmon.exe is the executable for the graphical Network Monitor application.

nmconfig.exe is used for managing the Network Monitor driver that is needed to capture packets on a network adapter.

QUESTION 87
Your network contains 100 servers that run Windows Server 2008 R2. A server named Server1 is deployed on the network.

Server1 will be used to collect events from the Security event logs of the other servers on the network.

You need to define the Custom Event Delivery Optimization settings on Server1.

Which tool should you use?

A. Event Viewer

B. Task Scheduler

C. wecutil

D. wevtutil

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Set event delivery optimization.

wecutil ss "subscription-name" /cm:normal | minlatency | minbandwidth | custom

You can modify a subscription with the ss (set subscription) command.

The /cm switch enables you to change the Event Delivery Optimization settings (shown as the Advanced Subscription Settings in Figure 26-7 after clicking the Advanced button). You can use the /cm:custom switch to configure more advanced settings, such as changing the latency. This requires an additional switch as shown in the next example.


Reference: http://mscerts.programming4.us/windows_server/windows%20server%202008%20%20%20working%20with%20event%20subscriptions%20-%20managing%20subscriptions%20with%20wecutil%20%20%20logging%20events%20with%20eventcreate.aspx

You wouldn't figure any of this out from Microsoft's bulky article, unfortunately.

QUESTION 88
Your network contains a server that runs Windows Server 2008 R2. You plan to create a custom script.

You need to ensure that each time the script runs, an entry is added to the Application event log.

Which tool should you use?

A. eventcreate

B. eventvwr

C. wecutil

D. wevtutil

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Eventcreate: Enables an administrator to create a custom event in a specified event log.
Reference: http://technet.microsoft.com/en-us/library/bb490899.aspx

WRONG ANSWERS

wevtutil: Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
Reference: http://technet.microsoft.com/en-us/library/cc732848%28v=ws.10%29.aspx

wecutil is for configuring event subscriptions from a collector computer.

eventvwr is simply for viewing event logs.

QUESTION 89
Your company has a main office and a branch office. The branch office has three servers that run a Server Core installation of Windows Server 2008 R2. The servers are named Server1, Server2, and Server3.

You want to configure the Event Logs subscription on Server1 to collect events from Server2 and Server3. You discover that you cannot create a subscription on Server1 from another computer.

You need to configure a subscription on Server1.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Run the wecutil cs subscription.xml command on Server1.

B. Run the wevtutil im subscription.xml command on Server1.

C. Create an event collector subscription configuration file. Name the file subscription.xml .

D. Create a custom view on Server1 by using Event Viewer. Export the custom view to a file named subscription.xml.

Correct Answer: AC
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

If we can't create the subscription remotely from the server, then we can do so locally. We first need to create a subscription configuration, in this case subscription.xml, then import that configuration on Server1.

Run the wecutil cs subscription.xml command on Server1. This would create a new subscription on Server1, based on the subscription.xml created previously.

WRONG ANSWERS

Custom views only define what kinds of events are shown while browsing event logs; they do not help us with creating a subscription.

wevtutil im subscription.xml would attempt to install event publishers and logs based on the subscription.xml file. This is certainly not what we want to do!
Reference: http://technet.microsoft.com/en-us/library/cc732848%28v=ws.10%29.aspx
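The two steps of QUESTION 89 (write subscription.xml, then wecutil cs) and the /cm:custom switch of QUESTION 87 together, as an added PowerShell example that is not part of the exam dump or of Microsoft's documentation. The subscription name, the source host names, the file path and the event query are assumptions, and the script is meant to run locally on the collector (Server1).

```powershell
# Added example (not part of the exam dump): build the subscription.xml that
# "wecutil cs" consumes, create the subscription on the collector (Server1),
# then switch it to custom delivery optimization with "wecutil ss /cm:custom".
# Subscription name, host names, file path and query are assumptions.
# Prerequisites not shown: "winrm quickconfig" on each source computer and
# "wecutil qc" on the collector, both run from an elevated prompt.

$subscriptionName = 'BranchSecurityEvents'                              # assumed name
$sourceHosts      = 'Server2.contoso.local', 'Server3.contoso.local'    # assumed FQDNs
$configPath       = Join-Path $env:TEMP 'subscription.xml'

# One <EventSource> element per source computer.
$sources = ($sourceHosts | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>"
}) -join "`r`n"

# Collect critical (Level=1) and error (Level=2) events plus audit failures
# (keyword 0x10000000000000 = 4503599627370496) from each source's Security
# log into the ForwardedEvents log on the collector.
$xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Security events from the branch office servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(Level=1 or Level=2) or band(Keywords,4503599627370496)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@

# Step 1 (QUESTION 89): write the configuration file and create the
# subscription locally on Server1.
Set-Content -Path $configPath -Value $xml -Encoding UTF8
wecutil cs $configPath

# Step 2 (QUESTION 87): /cm:custom needs the individual settings as extra
# switches: at most 5 events per batch (/dmi), 30 s maximum latency (/dmlt)
# and an hourly heartbeat (/hi), all in milliseconds except /dmi.
wecutil ss $subscriptionName /cm:custom /dmi:5 /dmlt:30000 /hi:3600000

# Read back the stored configuration and the per-source runtime status, which
# is where an access-denied error for the collector account would show up.
wecutil gs $subscriptionName
wecutil gr $subscriptionName
```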

QUESTION 90
Your company has an Active Directory domain that has two domain controllers named DC1 and DC2.

You prepare both servers to support event subscriptions. On DC1, you create a new default subscription for DC2.

You need to review system events for DC2.

Which event log should you select?

A. System log on DC1

B. Application log on DC2

C. Forwarded Events log on DC1

D. Forwarded Events log on DC2

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

The Forwarded Events log on DC1 should show us events from DC2 that have been forwarded to DC1.

We would not want to view any standard event logs on either server, as they would not show us events that were forwarded as a result of the subscription. They'd show us all events in the specified log.

QUESTION 91
Your company has a network that has 100 servers. A server named Server1 is configured as a file server.

Server1 is connected to a SAN and has 15 logical drives. You want to automatically run a data archiving script if the free space on any of the logical drives is below 30 percent.


You need to automate the script execution.

You create a new Data Collector Set. What should you do next?

A. Add the Event Trace data collector.

B. Add the Performance counter alert.

C. Add the Performance counter data collector.

D. Add the System Configuration Information data collector.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

You can create a custom Data Collector Set containing performance counters and configure alert activities based on the performance counters exceeding or dropping below limits you define.

After creating the Data Collector Set, you must configure the actions the system will take when the alert criteria are met.
(...)
To create a Data Collector Set to monitor Performance counters
1. In the Windows Performance Monitor navigation pane, expand Data Collector Sets, right-click User Defined, point to New, and click Data Collector Set. The Create new Data Collector Set Wizard starts.
2. Enter a name for your Data Collector Set.
3. Select the Create manually option and click Next.
4. Select the Performance Counter Alert option and click Next.

Reference: http://technet.microsoft.com/en-us/library/cc722414.aspx#BKMK_alert

QUESTION 92
Your company has a network that has 100 servers. You install a new server that runs Windows Server 2008 R2. The server has the Web Server (IIS) server role installed.

After a week, you discover that the Reliability Monitor has no data, and that the System Stability chart has never been updated.

You need to configure the server to collect the Reliability Monitor data.

What should you do?

A. Run the perfmon.exe /sys command on the server.

B. Configure the Task Scheduler service to start automatically.

C. Configure the Remote Registry service to start automatically.

D. Configure the Secondary Logon service to start automatically.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Reliability Monitor uses data provided by the RACAgent scheduled task, a pre-defined task that runs by default on a new installation of Windows Vista. If it is disabled, it must be enabled manually from the Task Scheduler snap-in for MMC.
Reference: http://www.petri.co.il/reliability_monitor_windows_vista.htm

QUESTION 93
Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. You have a server named Server1 that hosts shared documents.

Users report extremely slow response times when they try to open the shared documents on Server1. You log on to Server1 and observe real-time data indicating that the processor is operating at 100 percent of capacity.

You need to gather additional data to diagnose the cause of the problem.

What should you do?

A. In the Performance Monitor console, create a counter log to track processor usage.

B. In Event Viewer, open and review the Application log for Performance events.

C. In Resource Monitor, use the Resource View to see the percentage of processor capacity used by each application.

D. In Performance Monitor, create a performance counter alert that will be triggered when processor usage exceeds 80 percent for more than five minutes on Server1.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

We need additional data, and we need it now! Resource Monitor will let us see how much CPU is used by each application, after which we should be able to kill whatever is hogging the CPU.

Performance Monitor will not necessarily give us additional data related to the CPU that would be helpful for diagnosis.

The Application log will not likely give us detailed information for troubleshooting; at best it will let us know that the system has recognized certain processes are running slower than expected.

QUESTION 94
Your network contains 200 servers that run Windows Server 2008 R2.

You need to archive the Security log for each server on a daily basis.

Which tool should you use?

A. netsh

B. secedit

C. wecutil

D. wevtutil

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
Reference: http://technet.microsoft.com/en-us/library/cc732848%28v=ws.10%29.aspx

WRONG ANSWERS

wecutil is used for configuring event subscriptions from a collector.

netsh is used for configuring server roles and components, not for working with event logs.

secedit configures and analyzes system security by comparing your current configuration to at least one template.
Reference: http://technet.microsoft.com/en-us/library/bb490997.aspx

QUESTION 95
Your network contains a server named Server1 that runs Windows Server 2008 R2. You have a user named User1.

You need to ensure that User1 can view the events in the Security event log. The solution must minimize the number of rights assigned to User1.

What should you do?

A. In Event Viewer, filter the Security log.

B. In Event Viewer, configure the properties of the Security log.

C. In the Local Security Policy console, modify the Security Options.

D. In the Registry Editor, add a Security Descriptor Definition Language (SDDL) value.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

The Security Descriptor for each log is specified by using Security Descriptor Definition Language (SDDL)syntax. (...)

To construct an SDDL string, note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:

1 = Read, 2 = Write, 4 = Clear

MY NOTE: Basically, we can restrict access to event logs using SDDL syntax to specify Read-only access for a user.

Reference: http://support.microsoft.com/kb/323076
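The Read/Write/Clear bits above put to work, as an added PowerShell example that is not part of the exam dump: it appends a read-only ACE for one user to the current Security log descriptor and then checks that the user received exactly that one right. The domain and account name are assumptions; the descriptor is read and written with wevtutil rather than edited in the registry.

```powershell
# Added example (not part of the exam dump): give one user read-only access to
# the Security log by appending an SDDL ACE built from the Read=1 / Write=2 /
# Clear=4 bits, then verify that no other right was granted (least privilege).
# Domain and user name are assumptions; run from an elevated prompt.

function New-EventLogAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sid,
        [switch]$Read,
        [switch]$Write,
        [switch]$Clear
    )
    # Combine the requested rights into the access mask of an Allow ACE.
    $mask = 0
    if ($Read)  { $mask = $mask -bor 1 }
    if ($Write) { $mask = $mask -bor 2 }
    if ($Clear) { $mask = $mask -bor 4 }
    if ($mask -eq 0) { throw 'At least one of -Read, -Write, -Clear is required.' }
    return ('(A;;0x{0:x};;;{1})' -f $mask, $Sid)
}

function Get-EventLogChannelAccess([string]$LogName) {
    # "wevtutil gl" prints the current descriptor on its "channelAccess:" line.
    $match = wevtutil gl $LogName | Select-String -Pattern '^channelAccess:\s*(\S+)'
    if (-not $match) { throw "No channelAccess line found for log '$LogName'." }
    return $match.Matches[0].Groups[1].Value
}

function Test-AceRights([string]$Sddl, [string]$Sid, [int]$ExpectedMask) {
    # Parse the SDDL with .NET and confirm the SID holds exactly the expected mask.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -and $ace.SecurityIdentifier.Value -eq $Sid) {
            return ($ace.AceType -eq 'AccessAllowed' -and $ace.AccessMask -eq $ExpectedMask)
        }
    }
    return $false
}

# Resolve the account to its SID so the ACE survives a rename of the account.
$account = New-Object System.Security.Principal.NTAccount('CONTOSO', 'User1')   # assumed
$userSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$current = Get-EventLogChannelAccess -LogName 'Security'
if ($current -match 'S:\(') {
    throw 'Descriptor carries a SACL section; insert the ACE inside the D: section instead.'
}
if ($current -match [regex]::Escape($userSid)) {
    Write-Warning "User1 already appears in the Security log descriptor: $current"
} else {
    # With no SACL present the D: section is last, so appending extends the DACL.
    $updated = $current + (New-EventLogAce -Sid $userSid -Read)
    wevtutil sl Security /ca:$updated
}

# Least-privilege check: User1 must hold the Read bit (1) and nothing else.
$applied = Get-EventLogChannelAccess -LogName 'Security'
if (Test-AceRights -Sddl $applied -Sid $userSid -ExpectedMask 1) {
    Write-Host 'User1 has read-only access to the Security log.'
} else {
    Write-Warning "Unexpected rights for User1 in: $applied"
}
```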

QUESTION 96
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. From Server1, you create a collector-initiated subscription that uses Server2 as a source computer.

You verify the event subscription and discover the error message shown in the exhibit. (Click the Exhibit button.)


You need to ensure that the subscription collection runs successfully.

What should you do?

Exhibit:

A. On Server1, run winrm quickconfig.

B. On Server2, run winrm quickconfig .

C. From the properties of the subscription, modify the User Account options.

D. From the properties of the subscription, modify the Protocol and Port options.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

The exhibit shows that currently, the account that is being used is getting denied. This means we need an account with the right privileges. "On the Advanced Subscription Settings dialog box, you can either specify an event delivery optimization or specify the account used to manage the process of collecting events."
Reference: http://technet.microsoft.com/en-us/library/cc749167.aspx

winrm quickconfig: This command is used to configure remote operations on a Server 2008 machine, but if this were not configured our error message would indicate it could not find the services.


Protocol and Port options - I cannot find anything online about what this is.

QUESTION 97
Your network contains a server named Server1 that runs Windows Server 2008 R2.

You need to ensure that an administrator is notified by e-mail if the Event Viewer logs any error.

What should you do from the Event Viewer console?

A. Create a custom view, and then click the Filter Current Custom View action.

B. Create a custom view, and then click the Attach Task to This Custom View action.

C. From the System log, click the Filter Current Log action.

D. From the System log, select an Error event, and then click the Attach Task to This Event action.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

To send e-mails when certain events are logged, we need to Attach a Task in Event Viewer. The scenario states any error in the event logs should be e-mailed, so we would attach the e-mail task to a custom view (displaying all errors) rather than only the System log.

We would not click Filter Current Custom View, as this does not create the task we need to send an e-mail.

QUESTION 98
Your network contains a server named Server1 that runs Windows Server 2008 R2. You have a user named User1.

You need to ensure that User1 can schedule Data Collector Sets (DCS) on Server1. The solution must minimize the number of rights assigned to User1.

What should you do?

A. Add User1 to the Performance Log Users group.

B. Add User1 to the Performance Monitor Users group.

C. Assign the Profile Single Process user right to User1.

D. Assign the Bypass Traverse Checking user right to User1.

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Windows Performance Monitor uses a consistent scheduling method for all data collection. During Data Collector Set creation, you can configure the schedule by selecting Open properties for this data collector set at the end of the Create New Data Collector Set Wizard. After a Data Collector Set has been created, you can access the schedule options by right-clicking the Data Collector Set name in the Microsoft Management Console (MMC) navigation pane and selecting Properties.

Membership in the local Performance Log Users or Administrators group, or equivalent, is the minimum required to complete this procedure.


Reference: http://technet.microsoft.com/en-us/library/cc722312.aspx

QUESTION 99
Your network contains a server named Server1 that runs Windows Server 2008 R2.

You need to identify which processes perform the most disk writes and disk reads per second.

Which tool should you use?

A. Disk Management

B. Reliability Monitor

C. Resource Monitor

D. Storage Explorer

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Resource Monitor displays per-process and aggregate CPU, memory, disk, and network usage information, in addition to providing details about which processes are using individual file handles and modules. Advanced filtering allows users to isolate the data related to one or more processes (either applications or services), start, stop, pause, and resume services, and close unresponsive applications from the user interface. It also includes a process analysis feature that can help identify deadlocked processes and file locking conflicts so that the user can attempt to resolve the conflict instead of closing an application and potentially losing data.
Reference: http://technet.microsoft.com/en-us/library/ee731897%28v=ws.10%29.aspx

WRONG ANSWERS

The Reliability Monitor snap-in for Microsoft Management Console (MMC) provides a system stability overview and details about events that impact reliability.
Reference: http://technet.microsoft.com/en-us/library/cc722107%28v=ws.10%29.aspx

You can use Disk Management in this version of Windows to perform disk-related tasks such as creating and formatting partitions and volumes, and assigning drive letters.
Reference: http://technet.microsoft.com/en-us/library/cc770943.aspx

With Storage Explorer, you can view and manage the Fibre Channel and iSCSI fabrics that are available in your storage area network (SAN).
Reference: http://technet.microsoft.com/en-us/library/cc731884.aspx

QUESTION 100
You need to document the following configurations of a server that runs Windows Server 2008 R2:

System services
Startup programs
Hardware configuration
Current CPU, network, disk, and memory utilization

Which command should you run?

A. mrinfo.exe localhost

B. msinfo32.exe

C. perfmon.exe /report


D. systeminfo.exe

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

perfmon.exe /report without any other parameters will generate the System Diagnostics report. This is a report detailing the status of local hardware resources, system response times, and processes on the local computer along with system information and configuration data. (MY NOTE: Keep in mind that system reliability info. is new for PerfMon in Server 2008, which is why it is being tested and also why it is the answer. Essentially, the report it generates is using a load of WMI queries)
Reference: http://technet.microsoft.com/en-us/library/cc766130.aspx

msinfo32.exe can be used to obtain information on the first 3 items, but not the current resource utilization.

systeminfo.exe can be used to view some very basic hardware and OS information, and memory usage, but does not report services, startup programs or current CPU / network / disk resources.

mrinfo.exe queries multicast routers.
Reference: http://support.microsoft.com/kb/225158

QUESTION 101
Your network contains a server named Server1 that runs Windows Server 2008 R2. You discover that the server unexpectedly shut down several times during the past week.

You need to identify what caused the shutdowns and which software was recently installed.

What should you click from Action Center?

A. Maintenance, and then View Reliability History

B. Troubleshooting, and then Programs

C. Troubleshooting, and then System and Security

D. Troubleshooting, and then View history

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Reliability Monitor is an advanced tool that measures hardware and software problems and other changes to your computer. (...)

The Reliability Monitor is intended for advanced computer users, such as software developers and network administrators.

1. Open Action Center by clicking the Start button, clicking Control Panel, and then, under System and Security, clicking Review your computer's status.

2. Click Maintenance. Then, under Check for solutions to problem reports, click View reliability history.
3. In Reliability Monitor, you can:

Click any event on the graph to view its details.
Click Days or Weeks to view the stability index over a specific period of time.
Click items in the Action column to view more information about each event.
Click View all problem reports to view only the problems that have occurred on your computer. This view doesn't include the other computer events that show up in Reliability Monitor, such as events about software installation.

Reference: http://windows.microsoft.com/en-us/windows7/how-to-use-reliability-monitor

QUESTION 102
You create a Data Collector Set (DCS).

You need to prevent the DCS from logging data if the server has less than 1 GB of available disk space.

What should you do?

A. Create a passive file screen.

B. Create an active file screen.

C. Modify the Data Manager settings of the DCS.

D. Modify the Stop Conditions settings of the DCS.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

I believe this should be 'Modify the Stop Conditions settings of the DCS' but have not seen a dump provide details here. An explanation for Data Manager settings is provided further down, but here is an excerpt from MS on Stop Conditions:

A single stop condition, or a combination of multiple criteria, can be used to automatically halt or restart the collection of data from a Data Collector Set.
Reference: http://technet.microsoft.com/en-us/library/cc749267.aspx

The scenario states we want to prevent logging when the disk space is maxed, so this would seem to work.

All options in the Data Manager tab seem to simply delete old performance data so logging can continue when the size limit is reached!

To configure data management for a Data Collector Set
1. In Windows Performance Monitor, expand Data Collector Sets and click User Defined.
2. In the console pane, right-click the name of the Data Collector Set that you want to configure and click Data Manager.
3. On the Data Manager tab, you can accept the default values or make changes according to your data retention policy. See the table below for details on each option.
(...)
Data Manager Properties

Minimum free disk: The amount of disk space that must be available on the drive where log data is stored. If selected, previous data will be deleted according to the Resource policy that you choose when the limit is reached.

Reference: http://technet.microsoft.com/en-us/library/cc765998.aspx

QUESTION 103
Your network contains an Active Directory domain. The domain contains two servers named Server1 and Server2. All servers run Windows Server 2008 R2 and have Windows Firewall turned on.

You need to ensure that you can use Event Viewer on Server2 to access the Application log on Server1.

What should you do?

A. On Server2, create a new Event Subscription.
B. On Server2, modify the Outbound firewall rules.
C. On Server1, modify the Inbound firewall rules.
D. On Server1, modify the settings on the Application log.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Firewall has been enabled for all servers, so remote connections to those servers (via snap-ins, etc.) are likely being blocked. We need to modify firewall rules on Server1 to allow the remote connection.

The settings of the Application log will let us control the size, location, security, etc. but nothing that affects remote access.

QUESTION 104
Your network contains an Active Directory domain. The domain contains a member server named Server1.

Server1 has a single network connection.

You need to log every attempt to connect to Server1 on a restricted port.

What should you do?

A. Change the settings of the Private firewall profile.
B. Change the settings of the Domain firewall profile.
C. Modify the properties of the Inbound firewall rules.
D. Modify the properties of the Outbound firewall rules.

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Attempts to connect to Server1 would be inbound, so we need to modify Inbound firewall rules for that restricted port.

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected.
Reference: http://technet.microsoft.com/en-us/library/cc753002%28v=ws.10%29.aspx

QUESTION 105
Your company has a network that has an Active Directory domain. The domain has two servers named DC1 and DC2.

You plan to collect events from DC2 and transfer them to DC1. You configure the required subscriptions by selecting the Normal option for the Event delivery optimization setting and by using the HTTP protocol.

You discover that none of the subscriptions work.

You need to ensure that the servers support the event collectors.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)

A. Run the wecutil qc command on DC1.

B. Run the wecutil qc command on DC2.

C. Run the winrm quickconfig command on DC1.

D. Run the winrm quickconfig command on DC2.

E. Add the DC2 account to the Administrators group on DC1.
F. Add the DC1 account to the Administrators group on DC2.

Correct Answer: ADF
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

To collect events on DC1, we need to run wecutil qc.
To collect events from DC2, we need to run winrm quickconfig.

The question does not specify that only certain logs are being forwarded, so it is implied that all are going to be forwarded. Therefore, in order for DC1 to read Security events, it needs to be an administrator on DC2.

To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt:

winrm quickconfig

Note: If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.

3. On the collector computer, type the following at an elevated command prompt:

wecutil qc

4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.

Reference: http://technet.microsoft.com/en-us/library/cc748890(v=WS.10).aspx
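The four steps above scripted end to end, as an added example that is not part of the dump or of the TechNet article. It assumes DC1 is the collector, DC2 the source, the domain NetBIOS name CONTOSO and the FQDN dc2.contoso.com (all placeholders), and the WinRM 2.0 default HTTP port 5985; the first two commands run on DC2, the rest on DC1, each from an elevated PowerShell prompt.

```powershell
# ---- On DC2 (source): enable the WinRM listener and its firewall exception ----
winrm quickconfig -q

# The collector pulls events with its machine account (DC1$). Reading the
# Security log needs local admin rights on the source, which is step 4 above.
# CONTOSO is a placeholder for the real domain NetBIOS name.
net localgroup Administrators "CONTOSO\DC1$" /add

# ---- On DC1 (collector): start and configure the Windows Event Collector service ----
wecutil qc /q

# Collector-initiated subscription matching the question: Normal delivery
# optimization and the HTTP transport. Logs and address are placeholders.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC2-Application-Security</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Pull Application and Security events from DC2</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <TransportPort>5985</TransportPort>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>dc2.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'dc2-subscription.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# Check: the runtime status lists the source as Active once the first pull
# succeeds; an Inactive source with an HTTP error usually means step 1 or the
# WinRM firewall exception was skipped on DC2, or the port does not match.
wecutil gr DC2-Application-Security
```

The collected events land in the ForwardedEvents log on DC1, where an event subscription created through Event Viewer would also show this subscription.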

QUESTION 106
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Routing and Remote Access service (RRAS) role service installed.

You need to view all inbound VPN packets. The solution must minimize the amount of data collected.

What should you do?

A. From RRAS, create an inbound packet filter.
B. From Network Monitor, create a capture filter.
C. From the Registry Editor, configure File Tracing for RRAS.
D. At the command prompt, run netsh.exe ras set tracing rasauth enabled.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

To view live packets, we simply need to use Network Monitor.

WRONG ANSWERS

RRAS inbound packet filters function to prevent certain types of incoming traffic.
Reference: http://technet.microsoft.com/en-us/library/dd469754%28v=ws.10%29.aspx

File tracing for RRAS is the equivalent of logging, when you need to troubleshoot connection problems.

netsh.exe ras set tracing rasauth
This command, as is implied by its syntax, would enable tracing (logging) specifically for RAS authentication.
Reference: http://technet.microsoft.com/en-us/library/cc753876(v=ws.10).aspx

QUESTION 107
Your network contains an Active Directory domain. The network has DirectAccess deployed. You deploy the DirectAccess Connectivity Assistant (DCA) to all client computers.

You need to ensure that users can view their DirectAccess status by using the DCA.

Which two Group Policy settings should you configure? (Each correct answer presents part of the solution. Choose two.)

A. Dynamic Tunnel Endpoints (DTEs)
B. Corporate Portal Site
C. Corporate Resources
D. Portal Name

Correct Answer: AC
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

The Dynamic Tunnel Endpoints policy specifies the endpoints of the IPsec tunnels that enable DirectAccess. It is through these tunnels that the DCA attempts to access the resources specified in the Corporate Resources setting.

Corporate Portal Site specifies the URL to an externally accessible Web site to which the DCA can refer users to help troubleshoot DirectAccess issues.

Portal Name specifies the friendly name of the corporate portal Web site.

Reference: http://technet.microsoft.com/en-us/library/ff453412%28v=ws.10%29.aspx

QUESTION 108

Your network contains two Active Directory forests named contoso.com and fabrikam.com. You have a standalone Network Policy Server (NPS) named NPS1.

You have a VPN server named VPN1. VPN1 is configured as a RADIUS client to NPS1.

You need to ensure that users from both forests can establish VPN connections by using their own domain accounts.

What should you do?

A. On NPS1, configure Remediation Server groups.
B. On NPS1, configure Connection Request Policies.
C. On VPN1, modify the DNS Suffix Search Order.
D. On VPN1, modify the IKEv2 Client Connection Controls.

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

You can create connection request policies so that some RADIUS request messages sent from RADIUS clients are processed locally (NPS is being used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is being used as a RADIUS proxy). (MY NOTE: In our case, each forest needs a server to forward requests to the other, depending on the domain, since users need to connect 'by using their own domain accounts')
Reference: http://technet.microsoft.com/en-us/library/cc753603.aspx

WRONG ANSWERS

Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements. The type of remediation servers that are required depend on your health requirements and network access methods.
Reference: http://technet.microsoft.com/en-us/library/dd759158.aspx

DNS Suffix Search Order would control which DNS domain is attempted first when resolving hostnames while connected to the VPN. We need people to use their own accounts when they are first trying to connect!

Routing and Remote Access Service (RRAS) supports Internet Key Exchange version 2 (IKEv2), a VPN tunneling protocol described in RFC 4306. The primary advantage of IKEv2 is that it tolerates interruptions in the underlying network connection.
Reference: http://technet.microsoft.com/en-us/library/ff687731%28v=ws.10%29.aspx

QUESTION 109
Your network contains a domain controller named DC1 and a member server named Server1.

You save a copy of the Active Directory Web Service (ADWS) event log on DC1. You copy the log to Server1.

You open the event log file on Server1 and discover that the event description information is unavailable.

You need to ensure that the event log file displays the same information when the file is open on Server1.

What should you do on Server1?

A. Create a custom view.
B. Import a custom view.
C. Copy the SYSVOL folder to DC1.
D. Copy the LocaleMetaData folder from DC1.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

To troubleshoot events that were logged on a remote computer, you must export and archive the log with the display information. The display information for the saved events is stored in the LocaleMetaData folder and should be moved with the log information when the information is viewed on another computer.
Reference: http://technet.microsoft.com/en-us/library/cc749339.aspx

SYSVOL does not contain information about how to interpret Event logs. Custom views simply allow us to control which events we can view, but do not provide the metadata required to interpret certain types of events.

QUESTION 110
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. The network contains a client named Computer1 that runs Windows 7.

All communication between Server1 and Server2 is encrypted by using IPSec. Communication between the server and the client does not require IPSec encryption.

You need to ensure that you can connect to Server1 by using the IP Security Monitor on Computer1.

What should you do?

A. Apply an IP Security policy to Computer1.
B. Create a Connection Security rule on Computer1.
C. Add a value to the PolicyAgent registry key on Server1.
D. Modify the Advanced Audit Policy Configuration on Server1.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

"Before you can monitor IPsec on a remote computer, you must first add the computer to the snap-in. You must have administrator-level access to the remote computer to add it and monitor IPsec."

"If the IPsec services are not started on the computer that is being monitored, the server icon is displayed as a stopped service."

"On computers running Windows Server 2003 and later, you must set the EnableRemoteMgmt registry key to 1 on the remote computer and restart the IPsec service. Otherwise, you will get an "IPsec service not running" error from the snap-in. The registry key is located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent."

Reference: http://technet.microsoft.com/en-us/library/cc753765.aspx


WRONG ANSWERS

Applying an IPSec policy to Computer1 will encrypt communications between the 2 servers, but we are being asked about how to connect to Server1 using the IP Security Monitor snap-in.

Similarly, Connection Security rules help configure authentication for IPSec but this is not needed to remotely manage Server1 using the snap-in.

Advanced Audit Policy Configuration is a subset of 53 security audit policies for Windows.
Reference: http://technet.microsoft.com/en-us/library/jj852202%28v=ws.10%29.aspx

QUESTION 111
Your network contains a server that runs Windows Server 2008 R2.

You create a User Defined Data Collector Set (DCS) named Set1.

You need to ensure that the reports generated for Set1 are stored for at least one year.

What should you do?

A. From the properties of Set1, modify the Task settings.
B. From the properties of Set1, modify the Schedule settings.
C. From Data Manager for Set1, modify the Actions settings.
D. From Data Manager for Set1, modify the Data Manager settings.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

"Folder actions allow you to choose how data is archived before it is permanently deleted. You may decide to disable the Data Manager limits in favor of managing all data according to these folder action rules."

So we need to configure a folder action. This is available from the "Actions" tab.

"With Data Management, you can configure how log data, reports, and compressed data are stored for each Data Collector Set."
We need to configure how much data is stored, not how it is stored (small difference, I know! Which is what makes the question tricky)

Reference: http://technet.microsoft.com/en-us/library/cc765998.aspx

QUESTION 112
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the IIS role installed.

You need to review the contents of the IIS-Configuration Analytic event log on Server1. You configure Event Viewer to show the Analytic log.

What should you do next?

A. Attach a task to the log.
B. Create a custom view to the log.
C. Modify the Subscriptions list for the log.
D. Modify the General properties of the log.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Analytic and Debug logs are disabled by default.
(...)
To enable Analytic and Debug logs by using the Windows interface
1. Start Event Viewer.
2. Ensure that Analytic and Debug logs are visible by following the steps in Show or Hide Analytic and Debug Logs.
3. In the console tree, navigate to and select the Analytic or Debug log you want to enable.
4. On the Action menu, click Properties.
5. On the properties dialog box, select Enable logging and click OK. (MY NOTE: Properties always brings up the default tab first. In this case, it is the General tab)
Reference: http://technet.microsoft.com/en-us/library/cc749492.aspx

QUESTION 113
Your network contains two separate subnets named Subnet1 and Subnet2. Subnet1 contains a Windows Server 2008 R2 Core installation named Server1.

Computers on Subnet1 can access resources on the Internet. Subnet2 is an isolated subnet.

You deploy a new WSUS Server named Server2 in Subnet2. You need to replicate the metadata from Server1 to Server2.

What should you do on Server1?

A. Run wsusutil.exe and specify the export parameter.

B. Run wsusutil.exe and specify the movecontent parameter.

C. Run wbadmin.exe and specify the start backup parameter.

D. Run wbadmin.exe and specify the start systemstatebackup parameter.

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

wsusutil.exe export will export update metadata to an export package file. This could later be transferred to Server2 for replication of Server1's configuration.

wsusutil.exe movecontent will move the WSUS store from one server to another. We were asked only to replicate the data - leaving it on both servers.
Reference: http://technet.microsoft.com/en-us/library/cc720466%28v=ws.10%29.aspx

wbadmin.exe would backup the entire volume, or system state, on Server1. This is much more data than is needed for WSUS.

QUESTION 114
Your network contains an Active Directory domain named contoso.com. An Administrator named Admin1 plans to install the Routing and Remote Access service (RRAS) role service on a server named Server1. Admin1 is not a member of the Domain Admins group.

You need to ensure that Server1 can authenticate users from Active Directory by using Windows authentication.

What should you do?

A. Add the computer account to the RAS and IAS Servers group.
B. Add the computer account for Server1 to the Windows Authorization Access Group.
C. Install the Network Policy Server (NPS) role service on a domain controller.
D. Install the Active Directory Lightweight Directory Services (AD LDS) role on Server1.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

To enable the Routing and Remote Access service
1. If this server is a member of an Active Directory® domain and you are not a domain administrator, instruct your domain administrator to add the computer account of this server to the RAS and IAS Servers security group in the domain of which this server is a member.

Reference: http://technet.microsoft.com/en-us/library/cc770798%28WS.10%29

WRONG ANSWERS

NPS allows you to provide local and remote network access and to define and enforce policies for network access authentication, authorization.
Reference: http://technet.microsoft.com/en-us/network/bb545879.aspx

Windows Authorization Access Group

Members of this group can read the constructed tokenGroupsGlobalAndUniversal (TGGAU) attribute on user, inetOrgPerson, group, and computer objects. TGGAU contains a list of the object's global and universal group memberships, and an application can use this information, for example, to make decisions about users that are not logged on.
Reference: http://www.informit.com/articles/article.aspx?p=352986

By using the Windows Server® 2008 Active Directory® Lightweight Directory Services (AD LDS) role, formerly known as Active Directory Application Mode (ADAM), you can provide directory services for directory-enabled applications without incurring the overhead of domains and forests and the requirements of a single schema throughout a forest.
Reference: http://technet.microsoft.com/en-us/library/cc754361%28v=ws.10%29.aspx

QUESTION 115
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Network Policy Server (NPS) role installed.

You need to ensure that the NPS log files on Server1 contain information about client connections.

What should you do?

A. Enable the Accounting requests settings.
B. Enable the Authentication requests settings.
C. Configure the IAS (Legacy) log file format.
D. Configure the DTS Compliant log file format.

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

The DTS Compliant log format is the newest one and only its XML has attributes for session duration. As per the Technet article below, it is also the recommended log format for NPS logging.

WRONG ANSWERS

"ODBC and IAS legacy file types contain a subset of the information that NPS sends to its SQL Server database." This means
Reference: http://technet.microsoft.com/en-us/library/ee663944%28v=ws.10%29.aspx

In Forwarding Connection Request, you can select either Authentication or Accounting to specify whether NPS forwards the authentication request or accounting request to a remote RADIUS server group or whether NPS processes the authentication or accounting request locally.
Reference: http://technet.microsoft.com/en-us/library/cc753603%28v=ws.10%29.aspx

QUESTION 116
You need to use link-local IPv6 addresses to perform multicasting.

Which IPv6 prefix should you use?

A. fd00::/8
B. fe80::/10
C. fec0::/10
D. ff00::/8

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

The ff00:: prefix is specifically reserved for IPv6 multicasting.

The fd00:: prefix is used for random, local addressing.

The fe80:: prefix is used for link-local (same subnet) addressing. Multicasting is sending packets to multiple hosts at once, on any connected subnet.

The fec0:: prefix is used for site-local (same company) addressing. This could help make sure communication would be performed with all necessary subnets but is not usable for multicasting.
Note: this is now obsolete (though may not have been when the MS tests were designed).

References:
http://www.sabi.co.uk/Notes/swIPv6Prefixes.html
http://technet.microsoft.com/en-us/library/cc757359%28v=ws.10%29.aspx
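An added example, not from the dump or its references, that sorts an address into the four prefixes above by masking its first 16 bits (a /10 needs more than the first byte, which is why fe80 and fec0 differ only in the tenth bit). It goes one step beyond the question by also reading the multicast scope nibble from RFC 4291, which is what makes ff02:: the link-local multicast range; the sample addresses are constructed.

```powershell
function Get-IPv6AddressClass {
    param([Parameter(Mandatory = $true)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $bytes = $ip.GetAddressBytes()

    # All four prefixes from the question are decided within the first 16 bits:
    #   ff00::/8  -> first 8 bits  1111 1111
    #   fe80::/10 -> first 10 bits 1111 1110 10
    #   fec0::/10 -> first 10 bits 1111 1110 11
    #   fd00::/8  -> first 8 bits  1111 1101
    # Arithmetic instead of -shl so this also runs on PowerShell 2.0 (2008 R2).
    $first16 = ($bytes[0] * 256) + $bytes[1]

    if (($first16 -band 0xFF00) -eq 0xFF00) {
        # Multicast: the low nibble of the second byte is the scope field (RFC 4291 2.7)
        $scope = switch ($bytes[1] -band 0x0F) {
            1       { 'interface-local' }
            2       { 'link-local' }
            5       { 'site-local' }
            8       { 'organization-local' }
            14      { 'global' }
            default { 'reserved or unassigned' }
        }
        return "multicast ff00::/8, $scope scope"
    }
    if (($first16 -band 0xFFC0) -eq 0xFE80) { return 'link-local unicast fe80::/10' }
    if (($first16 -band 0xFFC0) -eq 0xFEC0) { return 'site-local unicast fec0::/10 (deprecated)' }
    if (($first16 -band 0xFF00) -eq 0xFD00) { return 'unique local unicast fd00::/8' }
    return 'other (global unicast or special-purpose)'
}

# Constructed sample addresses, one or two per prefix in the question
'ff02::1', 'ff05::1:3', 'fe80::1', 'fec0::1', 'fd12:3456::1', '2001:db8::1' |
    ForEach-Object { '{0,-14} {1}' -f $_, (Get-IPv6AddressClass $_) }
```

ff02::1 reports as link-local scope multicast while ff05::1:3 reports site-local scope, which is the distinction the fe80::/10 answer option blurs: link-local unicast and link-local-scope multicast live in different prefixes.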

QUESTION 117
Your network contains a server named Server1 that runs Windows Server 2008 R2.

On Server1, you run route add 192.168.10.0 mask 255.255.255.0 172.23.1.2 metric 10.

You restart Server1, and then run the route command as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that after you restart Server1, Server1 routes all of the traffic for 192.168.10.0/24 by using the route of 172.23.1.2.

Which command should you run on Server1?

Exhibit:

A. netstat -f 172.23.1.2

B. netstat -p ip 172.23.1.2

C. route add 192.168.10.0 mask 255.255.255.0 172.23.1.2 metric 10 -p

D. route add 192.168.10.0 mask 255.255.255.128 172.23.1.2 metric 1 -f

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

Since the route that was added is not persisting on a reboot, we need to make it persistent. This is done with the -p parameter for the route add command.

To make a static route persistent, you can either enter route add commands in a batch file that is run during system startup or use the -p option when adding routes.


Reference: http://technet.microsoft.com/en-us/library/cc757323%28v=ws.10%29.aspx

The -f parameter for route add will clear the routing tables for the gateway before running the command.

netstat is used to view current TCP/IP connections on the local computer, and does not have a -f or -p parameter.

QUESTION 118
Your network has Network Access Protection (NAP) policies deployed.

You need to identify the health agent compliance status of a client computer.

Which command should you run?

A. net config workstation

B. net statistics workstation

C. netsh nap client show config

D. netsh nap client show state

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

netsh nap client show state
Displays state information, including client access restriction state, the state of installed enforcement clients and system health agents, and the client compliance and remediation results.
MY NOTE: In English, this basically means this is the command to view compliance status of NAP clients.

netsh nap client show config
Displays configuration settings and state information for NAP client, including CSP, enforcement client, tracing, and trusted server group configurations.

Reference: http://technet.microsoft.com/en-us/library/cc732873%28v=ws.10%29.aspx

net config workstation
Displays and allows you to make changes to the settings for the Workstation service while the service is running.
Reference: http://technet.microsoft.com/en-us/library/bb490700.aspx

net statistics workstation
Displays the statistics log for the local Workstation service.
Reference: http://technet.microsoft.com/en-us/library/bb490714.aspx

QUESTION 119
Your network contains a Windows Server Update Services (WSUS) server named Server1. You discover that certain updates listed in the WSUS administrative console are unavailable on Server1.

You need to ensure that all of the updates listed in the WSUS administrative console are available on Server1.

What should you do on Server1?

A. Restart the Update Services service.

B. Run wsusutil.exe and specify the reset parameter.

C. Run wuauclt.exe and specify the detectnow parameter.


D. Run wsusutil.exe and specify the deleteunneededrevisions parameter.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

wsusutil.exe reset checks that every update metadata row in the database has corresponding update files stored in the file system. If update files are missing or have been corrupted, WSUS downloads the update files again.

wsusutil.exe deleteunneededrevisions purges the update metadata for unnecessary update revisions from the database. We are not storing unnecessary revisions, but rather missing specific updates on the local WSUS server.

Reference: http://technet.microsoft.com/en-us/library/cc720466%28v=ws.10%29.aspx

wuauclt.exe /detectnow will force Server1 to check and see if new updates are available. However, our problem is that the updates themselves are not even installed - the files are not available. The question mentions that the administrative console does list the updates as being available already.

Other than the updates not being downloaded, WSUS is functioning normally. Restarting the Update Services service is not likely to help.

QUESTION 120
Your company has a main office and five branch offices. The branch offices connect to the main office by using a WAN link.

Each branch office has 100 client computers that run Windows XP or Windows Vista. All servers run Windows Server 2008 R2.

The main office has a Windows Server Update Services (WSUS) server.

You need to minimize the amount of WAN traffic used to download updates from the WSUS server.

What should you do?

A. From Windows Explorer, enable Offline Files.
B. From a Group Policy, enable Allow BITS Peercaching.
C. From a Group Policy, enable the Set BranchCache Hosted Cache mode setting.
D. From a Group Policy, enable the Set BranchCache Distributed Cache mode setting.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Windows Update and Microsoft Update use the Background Intelligent Transfer Service (BITS) to download updates. You can optimize download performance by configuring BITS through Group Policy.
(...)
Peer caching can optimize bandwidth in the following ways:

Decreases the data that is transferred from the WSUS server to client computers because computers in the same subnet will usually download the updates from each other.
Decreases the data that is transferred across the WAN when some or all of the client computers of a WSUS server are located in different locations.
Decreases the data that is transferred across the Internet if WSUS client computers that are located in the same subnet are configured to download updates from Microsoft Update.

Reference: http://technet.microsoft.com/en-us/library/dd939927(v=ws.10).aspx

QUESTION 121
Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.

The servers are configured as shown in the following table.

You plan to give users access to the files shares on Server2 by using DirectAccess.

You need to ensure that you can deploy DirectAccess on Server3.

What should you do?

A. Add a static IPv6 address to DC1.
B. Add a static IPv6 address to Server2.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade Server2 to Windows Server 2008 R2.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

DirectAccess requires the following:

One or more DirectAccess servers running Windows Server 2008 R2 (with or without UAG) (MY NOTE: this would be Server3 once DA is deployed) with two network adapters: one that is connected directly to the Internet and one that is connected to the intranet. DirectAccess servers must be a member of an AD DS domain.
On the DirectAccess server, at least two consecutive, public IPv4 addresses assigned to the network adapter that is connected to the Internet.
DirectAccess client computers that are running Windows 7 Enterprise or Windows 7 Ultimate. DirectAccess clients must be members of an AD DS domain.
At least one domain controller and DNS server that is running Windows Server 2008 SP2 or Windows Server 2008 R2. When UAG is used, DirectAccess can be deployed with DNS servers and domain controllers that are running Windows Server 2003 when NAT64 functionality is enabled. (MY NOTE: DC1 is our DNS server but is currently running Server 2003, so unless NAT64 is enabled we must upgrade DC1)
A public key infrastructure (PKI) to issue computer certificates (MY NOTE: this would be Server1), and optionally, smart card certificates for smart card authentication and health certificates for NAP. For more information, see Public Key Infrastructure on the Microsoft Web site.
Without UAG, an optional NAT64 device to provide access to IPv4-only resources for DirectAccess clients. DirectAccess with UAG provides a built-in NAT64.

Reference: http://technet.microsoft.com/en-us/library/dd637797%28v=ws.10%29.aspx

Server2 is merely a file server; the OS present on it is irrelevant to the use of DirectAccess. Adding a static address to it, or to DC1, might be important for many reasons but will not allow our environment to meet the requirements for DirectAccess.

QUESTION 122
Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2. You need to monitor the following information on the domain controllers during the next five days:

Memory usage
Processor usage
The number of LDAP queries

What should you do?

A. Use the System Performance Data Collector Set (DCS).B. Use the Active Directory Diagnostics Data Collector Set (DCS).C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.D. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Memory usage and processor usage are part of the System Performance DCS, but LDAP queries are not. The opposite applies to the AD Diagnostics DCS.

To get both sets of data, we have to create a custom (user-defined) DCS. The AD Diagnostics template would have the LDAP information, so we can customize it to easily add the memory and processor use.

QUESTION 123
Your network contains a server that runs a Server Core installation of Windows Server 2008 R2.

You need to configure outbound firewall rules on the server.

Which tool should you use?

A. netcfg

B. netsh

C. ocsetup

D. servermanagercmd

Correct Answer: B
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

netsh advfirewall firewall add rule


Adds a new inbound or outbound firewall rule that filters traffic by allowing or blocking network packets that match the specified criteria.
Reference: http://technet.microsoft.com/en-us/library/dd734783%28v=ws.10%29.aspx

WRONG ANSWERS

netcfg
Installs the Windows Preinstallation Environment (WinPE), a lightweight version of Windows used to deploy workstations.
Reference: http://technet.microsoft.com/en-us/library/hh875638%28v=ws.10%29.aspx

servermanagercmd
Installs and removes roles, role services, and features. Also displays the list of all roles, role services, and features available, and shows which are installed on this computer.
Reference: http://technet.microsoft.com/en-us/library/ee344834%28v=ws.10%29.aspx

ocsetup
You can use OCSetup.exe on a computer running Windows Vista or Windows Server 2008 to install or uninstall:

Microsoft System Installer (MSI) files that are passed to the Windows Installer service (MSIExec.exe)
Component-Based Servicing (CBS) components that are passed to Package Manager
CBS or MSI packages that have an associated custom installer .exe file

Reference: http://technet.microsoft.com/en-us/library/cc766272%28v=ws.10%29.aspx
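
An added example of the outbound rule management this question is about, written for this page rather than taken from the dump or from Microsoft's documentation. The rule name, the 10.0.0.0/8 intranet range and the choice of TCP 445 are assumptions for illustration; the commands themselves are the netsh advfirewall syntax available on a Server Core installation of Windows Server 2008 R2.

```powershell
# Added example (not from the original dump). Outbound filtering on Server Core
# with netsh advfirewall. Rule name, 10.0.0.0/8 and TCP 445 are assumptions.

# 1. Make sure the firewall is on and look at the per-profile defaults
#    (Windows ships with "allow" as the default outbound action).
netsh advfirewall set allprofiles state on
netsh advfirewall show allprofiles

# 2. Block outbound SMB from this server to every address outside 10.0.0.0/8.
#    Block rules always win over allow rules, so "allow localsubnet + block any"
#    would block everything; the exclusion has to be written as address ranges.
netsh advfirewall firewall add rule name="Block outbound SMB off-intranet" dir=out action=block protocol=TCP remoteport=445 remoteip=0.0.0.0-9.255.255.255,11.0.0.0-255.255.255.255 profile=any enable=yes

# 3. Log dropped connections so blocked attempts are visible in
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log (the default path).
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Verify the rule was stored with the intended direction and scope.
netsh advfirewall firewall show rule name="Block outbound SMB off-intranet" verbose
```

The rule is an exception, not a policy: if the server should only ever talk to an allow-list, change the default outbound action instead (`netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound`) and add explicit allow rules, which is the stricter model for an Internet-facing Server Core box.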

QUESTION 124
Your network contains a server that runs Windows Server 2008 R2. On the server, you run ipconfig.exe as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that the server can access remote TCP/IPv6 hosts.

What should you do?

Exhibit:

A. Add a default gateway.
B. Modify the subnet mask.
C. Configure an IPv6 address.
D. Disable Internet Protocol Version 4 (TCP/IPv4).


Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

In the exhibit, the interface is using a link-local IPv6 address - the IPv6 equivalent of APIPA. This means it really has no access to IPv6 hosts that are assigned a specific address in that environment. Configuring a static address would remedy this.

WRONG ANSWERS

We do not need to add a default gateway, one is already available for IPv4. As long as that gateway can handle IPv6, we would be able to send requests to it once we are on the IPv6 network. If that gateway couldn't handle IPv6 then we would need to change the gateway.

The IPv4 subnet mask is correct for the currently assigned IPv4 address.

Disabling IPv4 at this point would kill all connectivity the machine has, as it currently is not assigned an IPv6 address on the network (it's merely using link-local addressing).

QUESTION 125
You need to configure a static IPv6 address for a server that runs a Server Core installation of Windows Server 2008 R2.

Which tool should you use?

A. ipconfig

B. netsh

C. ocsetup

D. servermanagercmd

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

We basically need to use the netsh interface ipv6 add address command to add a static address to the interface (the netsh interface ip context only configures IPv4; IPv6 has its own ipv6 context with the same add address verb).

You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol (including addresses, default gateways, DNS servers, and WINS servers) and to display configuration and statistical information.
(...)

add address

Adds an IP address and a default gateway on a specified interface configured with a static IP address.

Reference: http://technet.microsoft.com/en-us/library/bb490943.aspx


WRONG ANSWERS

ipconfig
Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings.
Reference: http://technet.microsoft.com/en-us/library/bb490921.aspx

servermanagercmd
Installs and removes roles, role services, and features. Also displays the list of all roles, role services, and features available, and shows which are installed on this computer.
Reference: http://technet.microsoft.com/en-us/library/ee344834%28v=ws.10%29.aspx

ocsetup
You can use OCSetup.exe on a computer running Windows Vista or Windows Server 2008 to install or uninstall:

Microsoft System Installer (MSI) files that are passed to the Windows Installer service (MSIExec.exe)
Component-Based Servicing (CBS) components that are passed to Package Manager
CBS or MSI packages that have an associated custom installer .exe file

Reference: http://technet.microsoft.com/en-us/library/cc766272%28v=ws.10%29.aspx
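
The following is an added example for questions 124 and 125 together; it is not code from the dump or from Microsoft. The check finds adapters that have nothing but a link-local fe80:: IPv6 address (the ipconfig situation in question 124), and the netsh lines afterwards give one such adapter a static address on Server Core (question 125). The interface name "Local Area Connection", the 2001:db8:10::/64 prefix, the router address and the DNS server address are all assumptions.

```powershell
# Added example (not from the original dump). Interface name, prefix, router
# and DNS addresses below are assumptions.

function Get-LinkLocalOnlyAdapters {
    # Win32_NetworkAdapterConfiguration is available on Server Core as well.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            # Keep only IPv6 strings and parse them so .NET can classify them.
            $v6 = @($_.IPAddress | Where-Object { $_ -match ':' } |
                    ForEach-Object { [System.Net.IPAddress]::Parse($_) })
            $routable = @($v6 | Where-Object { -not $_.IsIPv6LinkLocal })
            if ($v6.Count -gt 0 -and $routable.Count -eq 0) {
                New-Object PSObject -Property @{
                    Index       = $_.InterfaceIndex
                    Description = $_.Description
                    LinkLocal   = (@($v6 | ForEach-Object { $_.ToString() }) -join ', ')
                }
            }
        }
}

# Adapters listed here can reach their own segment only (the APIPA-like state).
Get-LinkLocalOnlyAdapters | Format-Table -AutoSize

# Remedy for one such adapter: a static global address, a default route via the
# on-link router, and an IPv6 DNS server. The fe80:: address stays; it is used
# for neighbor discovery and must not be removed.
$ifName = 'Local Area Connection'
netsh interface ipv6 add address "$ifName" '2001:db8:10::25/64'
netsh interface ipv6 add route '::/0' "$ifName" '2001:db8:10::1'
netsh interface ipv6 add dnsserver "$ifName" '2001:db8:10::53'

# Verify: the new address should be listed as Preferred and ::/0 as a route.
netsh interface ipv6 show address "$ifName"
netsh interface ipv6 show route
```

Run the check first on the box from question 124: an adapter with an IPv4 address and only an fe80:: entry is exactly what the exhibit shows, and the three add commands are the Server Core equivalent of the IPv6 properties dialog.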

QUESTION 126
Your network contains three servers named Server1, Server2, and Server3 that have the Network Policy Server (NPS) role service installed.

On Server1, you configure a Remote RADIUS Server Group that contains Server2 and Server3. On Server2 and Server3, you configure Server1 as a RADIUS client.

You configure Server2 and Server3 to authenticate remote users.

You need to configure Server1 to forward RADIUS authentication requests to Server2 and Server3.

What should you create on Server1?

A. a Connection Request policy
B. a Server Health policy
C. a Network policy
D. a Remediation Server group

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

...if you want to forward connection requests to one or more RADIUS servers in untrusted domains, you can configure NPS as a RADIUS proxy to forward the requests to the remote RADIUS servers in the untrusted domain.

To configure NPS as a RADIUS proxy, you must create a connection request policy that contains all of the information required for NPS to evaluate which messages to forward and where to send the messages.
Reference: http://technet.microsoft.com/en-us/library/cc754518.aspx

WRONG ANSWERS

Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements. The type of remediation servers that are required depend on your health requirements and network access methods.
Reference: http://technet.microsoft.com/en-us/library/dd759158.aspx

Network policies use conditions, settings, and constraints in order to determine who can connect to the network.
Reference: http://technet.microsoft.com/en-us/library/dd441006.aspx

QUESTION 127
Your network contains two servers named Server1 and Server2 that run a Server Core installation of Windows Server 2008 R2. Server1 has the SNMP Service installed.

You need to ensure that Server2 can send SNMP traps to Server1.

What should you do?

A. On Server1, run oclist snmp-sc.

B. On Server2, run oclist snmp-sc.

C. On Server1, run dism /online /enable-feature /featurename:snmp-sc.

D. On Server2, run dism /online /enable-feature /featurename:snmp-sc.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

First of all, oclist was superseded by dism with the release of R2, so we would use dism. Secondly, all of the commands listed essentially install the SNMP service for Server Core, so we need to do this from Server2, since Server1 already has SNMP installed. Server2 is essentially just going to be set up to send its SNMP traps to Server1 for management/monitoring.

Reference: http://blogs.technet.com/b/server_core/archive/2010/10/28/retiring-oclist-exe.aspx

QUESTION 128
Your network contains a server that runs Windows Server 2008 R2 named Server1.

You install a new application on Server1. After the installation, you discover that Server1 frequently becomes unavailable.

You need to identify whether the issues on Server1 coincide with the installation of the application.

What should you do?

A. From Reliability Monitor, review the reliability details.
B. From Administrative Tools, run Windows Memory Diagnostic.
C. From the System Configuration utility, select Diagnostic startup.
D. From the command prompt, run the Program Compatibility Wizard.

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Reliability Monitor shows you your system stability history at a glance and lets you see details on a day-by-day basis about events that impact reliability. (MY NOTE: This will basically let us see what kind of errors and events are associated with system lockups, so we can see what was happening around the time the application was installed)
Reference: http://technet.microsoft.com/en-us/library/cc749583%28v=ws.10%29.aspx

WRONG ANSWERS

...the Program Compatibility Wizard, which can be used to make setting adjustments for an incompatible application and run the application successfully. (MY NOTE: This lets us try to run applications with different settings, in hopes that they might run on a newer version of Windows, when they otherwise fail. The application here is running fine at first, but merely becomes unreliable over time.)
Reference: http://technet.microsoft.com/en-us/library/cc784635%28v=ws.10%29.aspx

Diagnostic startup. Starts Windows with basic services and drivers only. This mode can help rule out basic Windows files as the problem.
Reference: http://windows.microsoft.com/en-us/windows-vista/using-system-configuration

If Windows detects possible problems with your computer’s memory, it will prompt you to run the Memory Diagnostics Tool.
Reference: http://windows.microsoft.com/en-us/windows7/diagnosing-memory-problems-on-your-computer
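
The data behind Reliability Monitor is also reachable from a script, which is handy when the server in question is a Server Core box or when you want to repeat the comparison across several machines. The following is an added example, not part of the dump: it reads the Win32_ReliabilityRecords WMI class (present on Windows 7 and Windows Server 2008 R2; the RAC scheduled task must be collecting data), locates the MsiInstaller record for the new application and counts stability-relevant failures in the week before and the week after that install. The product name "Contoso CRM Agent" and the one-week window are assumptions.

```powershell
# Added example (not from the original dump). Product name and the 7-day
# comparison window are assumptions.
function Get-ReliabilityDelta {
    param([string]$ProductName, [string]$ComputerName = '.')

    # Reliability records carry DMTF timestamps; convert them once up front.
    $records = Get-WmiObject Win32_ReliabilityRecords -ComputerName $ComputerName |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
                Source  = $_.SourceName
                EventId = $_.EventIdentifier
                Message = $_.Message
            }
        }

    # MsiInstaller writes a record per installation; take the earliest match.
    $install = $records |
        Where-Object { $_.Source -eq 'MsiInstaller' -and $_.Message -like "*$ProductName*" } |
        Sort-Object Time | Select-Object -First 1
    if (-not $install) { throw "No installation record found for '$ProductName'" }

    # The sources Reliability Monitor shows as red X marks for "unavailable":
    # crashes, hangs, bugchecks, unexpected power loss and dirty shutdowns.
    $failSources = @('Application Error', 'Application Hang',
                     'Microsoft-Windows-WER-SystemErrorReporting',
                     'Microsoft-Windows-Kernel-Power')
    $failures = $records | Where-Object {
        ($failSources -contains $_.Source) -or
        ($_.Source -eq 'EventLog' -and $_.EventId -eq 6008)   # unexpected shutdown
    }

    $window = New-TimeSpan -Days 7
    $before = @($failures | Where-Object { $_.Time -lt $install.Time -and $_.Time -ge ($install.Time - $window) })
    $after  = @($failures | Where-Object { $_.Time -ge $install.Time -and $_.Time -lt ($install.Time + $window) })

    New-Object PSObject -Property @{
        Product        = $ProductName
        InstalledAt    = $install.Time
        FailuresBefore = $before.Count
        FailuresAfter  = $after.Count
        AfterDetails   = $after | Select-Object Time, Source, EventId
    }
}

Get-ReliabilityDelta -ProductName 'Contoso CRM Agent' | Format-List
```

A jump in FailuresAfter with a flat FailuresBefore is the same signal the Reliability Monitor chart gives visually; the AfterDetails list tells you which component actually failed, which is what you need before deciding between rolling the application back and opening a case with the vendor.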

QUESTION 129
Your network contains a server named Server1 that runs a Server Core installation of Windows Server 2008 R2. The network contains a client computer named Computer1 that runs Windows 7.

You need to ensure that you can collect events from Server1 on Computer1.

What should you run on Server1?

A. eventcreate /so

B. net config server

C. wecutil cs

D. winrm quickconfig

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

To configure computers in a domain to forward and collect events

1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.

2. On each source computer, type the following at an elevated command prompt:

winrm quickconfig

Note: If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.

3. On the collector computer, type the following at an elevated command prompt:

wecutil qc

4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.

Reference: http://technet.microsoft.com/en-us/library/cc748890(v=WS.10).aspx

QUESTION 130
Your network is configured as shown in the exhibit. (Click the Exhibit button.)

The network contains a server named TMG1. TMG1 runs Microsoft Forefront Threat Management Gateway (TMG) 2010 and has a default gateway of 131.107.1.2.

You need to ensure that TMG1 can connect to the Internet and to the client computers in all of the internal subnets.

What should you do on TMG1?

Exhibit:

A. Change the default gateway to 192.168.1.1.
B. Change the default gateway to 192.168.2.1.
C. Run route -p add 192.168.1.0 netmask 255.255.255.0 192.168.2.1.
D. Run route -p add 192.168.2.0 netmask 255.255.255.0 192.168.1.1.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

Because TMG1 has an interface with an IP on the 192.168.2.x network, it should be able to communicate with Subnet2 (192.168.2.0/24) fine. What it needs is a route to Subnet1.

Router1 has this route on its interface, and is connected to Subnet2. Without TMG1 knowing about that interface or router, however, it won't be able to communicate beyond Subnet2. So the correct command is as follows:

route -p add 192.168.1.0 netmask 255.255.255.0 192.168.2.1

This tells TMG1 that traffic for the 192.168.1.0/24 network should be handled by the router with 192.168.2.1, which is correct.

WRONG ANSWERS

route -p add 192.168.2.0 netmask 255.255.255.0 192.168.1.1
This command would say that all traffic for Subnet2 should be routed through 192.168.1.1, but we already have an interface connected directly to Subnet2.


Changing the default gateway won't help, as this only allows us to communicate with 1 subnet or the other, not both.
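
The reasoning above (is the destination on-link, and is the proposed next hop on-link) can be checked mechanically, which is what the following added example does; it is not code from the dump. It models TMG1 with two interfaces, evaluates both route candidates from the answer list, and prints the route.exe command only when a route is actually needed and its gateway is reachable. The interface addresses 131.107.1.10/24 and 192.168.2.10/24 are assumptions (the exhibit is not reproduced on this page); 192.168.1.0/24, 192.168.2.1 and 192.168.1.1 come from the question. Note that route.exe spells the mask keyword `mask`, whereas the answer options write `netmask`.

```powershell
# Added example (not from the original dump). TMG1's interface addresses are
# assumptions; the subnets and gateways are the ones from the question.

function Test-OnLink {
    # True when $Address falls inside the subnet of the interface given by
    # $InterfaceIp/$Mask, i.e. it can be reached without a next hop.
    param([string]$Address, [string]$InterfaceIp, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $i = [System.Net.IPAddress]::Parse($InterfaceIp).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    for ($k = 0; $k -lt 4; $k++) {
        if (($a[$k] -band $m[$k]) -ne ($i[$k] -band $m[$k])) { return $false }
    }
    return $true
}

function Get-RouteCommand {
    param([string]$Network, [string]$Mask, [string]$NextHop, [object[]]$Interfaces)
    # Directly connected networks never need a static route.
    foreach ($nic in $Interfaces) {
        if (Test-OnLink -Address $Network -InterfaceIp $nic.Ip -Mask $nic.Mask) {
            return "no route needed: $Network/$Mask is on-link via $($nic.Name)"
        }
    }
    # The next hop itself must be on a connected subnet, otherwise the host
    # cannot ARP for it and the route is useless.
    $hopOk = $false
    foreach ($nic in $Interfaces) {
        if (Test-OnLink -Address $NextHop -InterfaceIp $nic.Ip -Mask $nic.Mask) { $hopOk = $true }
    }
    if (-not $hopOk) { return "invalid: next hop $NextHop is not on any connected subnet" }
    # -p makes the route persistent across reboots.
    return "route -p add $Network mask $Mask $NextHop"
}

$tmg1 = @(
    (New-Object PSObject -Property @{ Name = 'External'; Ip = '131.107.1.10'; Mask = '255.255.255.0' }),
    (New-Object PSObject -Property @{ Name = 'Internal'; Ip = '192.168.2.10'; Mask = '255.255.255.0' })
)

# Answer C: Subnet1 is behind Router1, whose 192.168.2.1 address is on-link.
Get-RouteCommand -Network '192.168.1.0' -Mask '255.255.255.0' -NextHop '192.168.2.1' -Interfaces $tmg1
# Answer D: Subnet2 is directly connected, so no route is needed at all.
Get-RouteCommand -Network '192.168.2.0' -Mask '255.255.255.0' -NextHop '192.168.1.1' -Interfaces $tmg1
```

The first call prints the persistent route command for Subnet1; the second reports that 192.168.2.0/24 is already on-link, which is exactly why answer D is wrong. Adding TMG1's real interfaces from `ipconfig` to `$tmg1` turns this into a quick pre-check before touching the routing table of a box that sits on the network edge.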

QUESTION 131
You deploy Network Access Protection (NAP) on your network.

An administrator configures a network policy as shown in the exhibit. (Click the Exhibit button.)

You discover that noncompliant client computers cannot access the remediation network.

You need to configure the network policy to ensure that noncompliant client computers can access the remediation network.

What should you do?

Exhibit:

A. In the Type of network access server list, click HCAP Server.
B. In the Type of network access server list, click Health Registration Authority.
C. In Access Permission, select the Ignore user account dial-in properties check box.
D. In Access Permission, select the Grant access. Grant access if the connection request matches this policy option button.

Correct Answer: D
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

Currently, the policy (specified and named for noncompliant computers) states that access will be denied. We must change this so that access is Granted.

WRONG ANSWERS

Checking the Ignore user account dial-in properties box would allow clients to connect, even if their dial-in tab in AD is not configured to do so. In fact, this would force all clients on the policy setting, which is still configured to Deny access to all clients.

Changing the server to an HCAP or HRA would allow it to send clients to the remediation network.

QUESTION 132
You perform a security audit of a server named CRM1. You want to build a list of all DNS requests that are initiated by the server.

You install the Microsoft Network Monitor 3.0 application on CRM1. You capture all local traffic on CRM1 for 24 hours. You save the capture file as data.cap. You find that the size of the file is more than 1 GB.

You need to create a file named DNSdata.cap from the existing capture file that contains only DNS related data.

What should you do?

A. Apply the display filter !DNS and save the displayed frames as a DNSdata.cap file.

B. Apply the capture filter DNS and save the displayed frames as a DNSdata.cap file.

C. Add a new alias named DNS to the aliases table and save the file as DNSdata.cap .

D. Run the nmcap.exe /inputcapture data.cap /capture DNS /file DNSdata.cap command.

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

nmcap.exe /inputcapture data.cap /capture DNS /file DNSdata.cap
This command will "record" the data.cap capture, applying the DNS filter to it, and save it to an output file called DNSdata.cap.

WRONG ANSWERS

A display filter could be used, but !DNS will contain anything but DNS related data.


Capture filters can only be set up before a capture is run.

Aliases in Network Monitor allow friendly names to be displayed for various hosts in the capture file.

QUESTION 133
Your network contains a server that runs a Server Core installation of Windows Server 2008 R2.

You need to log the CPU utilization of the server.

Which tool should you use?

A. relog.exe

B. dism.exe

C. logman.exe

D. sc.exe

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

logman.exe creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.
Reference: http://technet.microsoft.com/en-us/library/cc753820(v=ws.10).aspx

WRONG ANSWERS

relog.exe extracts performance counters in other formats. This will not help us actually log performance data.
Reference: http://technet.microsoft.com/en-us/library/bb490958.aspx

dism.exe (which, as of R2, replaced oclist.exe and ocsetup.exe) is used to service Windows images and installations (adding/removing features, roles, etc.)

sc.exe is used to control (stop/start) or get information about running services.

QUESTION 134
Your network contains a server that has the Network Policy Server (NPS) role service installed.

You need to configure a network policy that will apply to wireless clients only.

Which condition should you configure?

A. NAS Port Type
B. Service Type
C. MS-Service Class
D. Framed Protocol
E. NAS Identifier

Correct Answer: A
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

NAS Port Type
Allows you to specify the type of media used by the client computer to connect to the network. (MY NOTE: This would allow us to restrict connection to wireless media only. None of the other conditions are applicable)

Service Type
Allows you to specify the name of the network access server that sent the connection request to NPS

NAS Identifier
Allows you to specify the name of the network access server that sent the connection request to NPS

MS-Service Class
This condition is used only when you are deploying NAP with the DHCP enforcement method

Framed Protocol
Restricts the policy to clients that specify a certain framing protocol for incoming packets, such as PPP or SLIP.

Reference: http://technet.microsoft.com/en-us/library/cc731220%28v=ws.10%29.aspx

QUESTION 135
Your network contains an Active Directory forest. The forest contains the member servers configured as shown in the following table.

All servers run Windows Server 2008 R2.

You deploy a new server named Server1.

You need to configure Server1 to provide central authentication for all dial-up connections and all VPN connections.

What should you install on Server1?

A. Active Directory Lightweight Directory Services (AD LDS)
B. Active Directory Federation Services (AD FS)
C. Network Policy Server (NPS)
D. Routing and Remote Access service (RRAS)

Correct Answer: C
Section: 70-648 Configuring Network Access
Explanation

Explanation/Reference:
Explanation:

You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches. (MY NOTE: NPS is the newer implementation of RADIUS, which is what is needed)
Reference: http://technet.microsoft.com/en-us/library/cc731321%28v=ws.10%29.aspx

WRONG ANSWERS

RRAS is used for routing between 2 networks, not authentication. This would be used to deploy the VPN and dial-up services but does not provide authentication mechanisms.

AD LDS is used for creating application-specific or customized user stores.

AD FS is used for trusting and sharing resources between 2 organizations.

QUESTION 136
Your network contains a server named Server1 that runs Windows Server 2008 R2.

You need to log performance counter data from Server1 to a SQL database.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Select and Place:

Correct Answer:


Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

Be careful on this one, it is asking for us to log performance data to a SQL database, not to log the performance of a SQL database. So do not drag ODBC tracing over at all! We basically have to set up a DSN on the local computer and create a custom (user-defined) DCS that points to the DSN for storage.

Pushing the Performance Monitor Data into a Database
(...)
1. Making a Data Collector: First for pushing any perfmon in the database first we need to build a Data Collector set from the perfmon
(...)
2. Making a System DSN
Now for pushing this Performance Monitor from the blg file to the Database we need to create a System DSN from the ODBC of the server. You need to select the Database where you are going to push the perfmon.
MY NOTE: I'm not sure why we wouldn't create the DSN first, as per the instructions here: http://www.sepago.de/d/nicholas/2009/11/02/performance-monitoring-part-7-using-performance-monitor-with-a-database
(...)

MY NOTE: This site does not mention modifying the DSN for the Data Collector, but it would be implied: you can't tell the Data Collector to send data to a database if it doesn't know which database to talk to!

Reference: http://social.technet.microsoft.com/wiki/contents/articles/12457.pushing-the-performance-monitor-data-into-a-database.aspx
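
One logman-based Data Collector Set serves three of the questions above, so here is a single added example (not code from the dump or from the wiki article) that does all of it from the command line: memory, processor and LDAP counters sampled for five days on a domain controller (question 122), CPU logging on a Server Core box where there is no Performance Monitor GUI (question 133), and the same counters written to a SQL Server database through a System DSN (question 136). SQL1, PerfDB, PerfDSN, the DCS names and the C:\PerfLogs path are assumptions; the counter paths are the standard Performance Monitor names, and the \NTDS\ counters exist only on domain controllers.

```powershell
# Added example (not from the original dump). SQL1, PerfDB, PerfDSN, the DCS
# names and C:\PerfLogs are assumptions.

# Counters exactly as Performance Monitor names them.
$counters = @(
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\Processor(_Total)\% Processor Time',
    '\NTDS\LDAP Searches/sec',
    '\NTDS\LDAP Client Sessions'
)
New-Item -ItemType Directory -Path C:\PerfLogs -Force | Out-Null
Set-Content -Path C:\PerfLogs\dc-counters.txt -Value $counters

# 1. Binary log on disk (questions 122 and 133): sample every 15 s, run for
#    5 days (-rf is hh:mm:ss), timestamp the file name (-v).
logman create counter DCPerf -cf C:\PerfLogs\dc-counters.txt -si 00:00:15 -rf 120:00:00 -f bin -o C:\PerfLogs\DCPerf -v mmddhhmm
logman start DCPerf
logman query DCPerf

# 2. Same counters into SQL Server (question 136). A System DSN is just
#    registry data under HKLM, so it can be created without the ODBC GUI.
#    It has to be a *System* DSN because the collector runs as a service,
#    not as the interactive user.
$dsn  = 'PerfDSN'
$odbc = 'HKLM:\SOFTWARE\ODBC\ODBC.INI'
New-Item -Path "$odbc\$dsn" -Force | Out-Null
Set-ItemProperty -Path "$odbc\$dsn" -Name Driver -Value "$env:SystemRoot\system32\SQLSRV32.dll"
Set-ItemProperty -Path "$odbc\$dsn" -Name Server -Value 'SQL1'
Set-ItemProperty -Path "$odbc\$dsn" -Name Database -Value 'PerfDB'
Set-ItemProperty -Path "$odbc\$dsn" -Name Trusted_Connection -Value 'Yes'
New-Item -Path "$odbc\ODBC Data Sources" -Force | Out-Null
Set-ItemProperty -Path "$odbc\ODBC Data Sources" -Name $dsn -Value 'SQL Server'

# With -f sql, -o takes "DSN!logset"; the collector's account needs rights
# to create and write the CounterData/CounterDetails tables in PerfDB.
logman create counter DCPerfSql -cf C:\PerfLogs\dc-counters.txt -si 00:00:15 -f sql -o "${dsn}!DCPerf"
logman start DCPerfSql
logman query DCPerfSql

# Later, to look at a .blg without Performance Monitor, relog converts it:
#   relog C:\PerfLogs\DCPerf_<timestamp>.blg -f csv -o C:\PerfLogs\DCPerf.csv
```

This is the command-line form of the drag-and-drop answer: create the System DSN, then create a user-defined collector whose log format is SQL and whose output names that DSN. On the exam the order is shown as collector first, DSN second; in practice the DSN must exist before the collector is started, which is what the script does.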

QUESTION 137
Your company has an Active Directory forest that contains client computers that run Windows Vista and Windows XP.

You need to ensure that users are able to install approved application updates on their computers.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)


A. Set up Automatic Updates through Control Panel on the client computers.
B. Create a GPO and link it to the Domain Controllers organizational unit. Configure the GPO to automatically search for updates on the Microsoft Update site.
C. Create a GPO and link it to the domain. Configure the GPO to direct the client computers to the Windows Server Update Services (WSUS) server for approved updates.
D. Install the Windows Server Update Services (WSUS). Configure the server to search for new updates on the Internet. Approve all required updates.

Correct Answer: CD
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:

To be able to "approve" updates at all, WSUS must be installed in the AD environment.

Creating a GPO for client computers (linked to the domain) will ensure they all receive only the "approved" updates by forcing them to communicate with the WSUS server instead of Microsoft's servers.

WRONG ANSWERS

Configuring Automatic Updates on each client will only control the download and (optional) automatic installation of updates.

Linking a GP to the Domain Controllers OU only affects domain controllers.

Both of these options would also not allow "approval" or management of updates - all updates would be downloaded.
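
Whether a client is really taking approved updates from WSUS rather than from Microsoft Update is decided by a handful of policy registry values that the domain-linked GPO writes. The following added example (not from the dump) reads them on a client and reports the effective state; it assumes the WSUS server address http://wsus1.contoso.com:8530, which is only used in the comment about the expected values.

```powershell
# Added example (not from the original dump). The WSUS URL in the comment is
# an assumption; the registry locations are the ones the Windows Update
# administrative template writes.
function Get-WsusClientConfig {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a  = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue

    $server = $null; $status = $null; $auOptions = $null; $useWsus = $false
    if ($p) { $server = $p.WUServer; $status = $p.WUStatusServer }
    if ($a) { $auOptions = $a.AUOptions; $useWsus = ($a.UseWUServer -eq 1) }

    New-Object PSObject -Property @{
        # Both pieces are needed: a server URL and UseWUServer=1 under AU.
        UsesWsus       = ($useWsus -and [bool]$server)
        WUServer       = $server
        WUStatusServer = $status
        # 2 = notify before download, 3 = download and notify, 4 = auto install
        AUOptions      = $auOptions
    }
}

$cfg = Get-WsusClientConfig
$cfg | Format-List
if (-not $cfg.UsesWsus) {
    Write-Warning 'Client is not pointed at a WSUS server; approvals have no effect here.'
    # Expected once the domain-linked GPO applies (assumed URL):
    #   WUServer = WUStatusServer = http://wsus1.contoso.com:8530
    #   AU\UseWUServer = 1
    gpupdate /target:computer /force
    wuauclt /detectnow
}
```

A client that shows a WUServer value but UseWUServer = 0 (or no AU key at all) is the common misconfiguration: the URL is present but ignored, and the machine keeps pulling every update straight from Microsoft, which is the answer-A/answer-B situation the explanation describes.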

QUESTION 138
Your network contains an Active Directory domain named contoso.com. You have a management computer named Computer1 that runs Windows 7.

You need to forward the logon events of all the domain controllers in contoso.com to Computer1.

All new domain controllers must be dynamically added to the subscription.

What should you do?

A. From Computer1, configure source-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

B. From Computer1, configure collector-initiated event subscriptions. From a Group Policy object (GPO) linked to the Domain Controllers organizational unit (OU), configure the Event Forwarding node.

C. From Computer1, configure source-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

D. From Computer1, configure collector-initiated event subscriptions. Install a server authentication certificate on Computer1. Implement autoenrollment for the Domain Controllers organizational unit (OU).

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure
Explanation

Explanation/Reference:
Explanation:


Since we can't specify a static list (all new domain controllers must be dynamically added) of computers we are gathering logs from, we need to create a source-initiated subscription. We can use a policy on the Domain Controllers OU to ensure they are all configured for Computer1 as a node to forward logs to.

"Source-initiated subscriptions allow you to define a subscription on an event collector computer without defining the event source computers, and then multiple remote event source computers can be set up (using a group policy setting) to forward events to the event collector computer. This differs from a collector initiated subscription because in the collector initiated subscription model, the event collector must define all the event sources in the event subscription."
Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx

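The two subscription models from questions 129 and 138 differ only in the tail of the subscription XML that wecutil consumes, so one added example covers both; it is not code from the dump or from Microsoft. The host names Server1, Computer1 and the Domain Controllers come from the questions; the domain contoso.com, the event IDs chosen to represent "logon events" (4624, 4625, 4768, 4771, 4776), the System-log error query and the C:\Temp paths are assumptions.

```powershell
# Added example (not from the original dump). Domain name, event IDs chosen
# as "logon events" and file paths are assumptions.

# ---- On every SOURCE computer (Server1, each DC), elevated ----
winrm quickconfig -q
# Collector-initiated only: the collector's machine account must be able to
# read the source's logs (step 4 of the procedure quoted above).
net localgroup Administrators "CONTOSO\Computer1$" /add

# ---- On the COLLECTOR (Computer1), elevated ----
wecutil qc /q
# Required here as well because the subscriptions below use MinLatency.
winrm quickconfig -q

function New-SubscriptionXml {
    param(
        [string]$Id,
        [ValidateSet('CollectorInitiated', 'SourceInitiated')] [string]$Type,
        [string]$Query,
        [string[]]$Sources = @()   # FQDNs, collector-initiated only
    )
    if ($Type -eq 'CollectorInitiated') {
        # The collector names every source explicitly.
        $entries = ($Sources | ForEach-Object { "<EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join ''
        $tail = "<CredentialsType>Default</CredentialsType><EventSources>$entries</EventSources>"
    } else {
        # No source list: the GPO decides who forwards. The SDDL admits any
        # domain computer account (DC = Domain Computers); narrow it to a
        # group SID if only DCs should ever be accepted.
        $tail = '<AllowedSourceNonDomainComputers/><AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>'
    }
@"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Id</SubscriptionId>
  <SubscriptionType>$Type</SubscriptionType>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[$Query]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  $tail
</Subscription>
"@
}

# Question 129: pull Server1's System log errors (collector-initiated).
$q129 = '<QueryList><Query Id="0"><Select Path="System">*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>'
New-SubscriptionXml -Id 'Server1-System' -Type CollectorInitiated -Query $q129 -Sources 'Server1.contoso.com' |
    Set-Content -Path C:\Temp\sub129.xml -Encoding UTF8
wecutil cs C:\Temp\sub129.xml

# Question 138: DCs push their logon events (source-initiated); any DC that
# receives the GPO joins on its own, so new DCs need no change here.
$q138 = '<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4771 or EventID=4776)]]</Select></Query></QueryList>'
New-SubscriptionXml -Id 'DC-Logons' -Type SourceInitiated -Query $q138 |
    Set-Content -Path C:\Temp\sub138.xml -Encoding UTF8
wecutil cs C:\Temp\sub138.xml

# Runtime status shows which sources have actually checked in.
wecutil gr DC-Logons
```

For the source-initiated case the GPO linked to the Domain Controllers OU is what makes DCs start forwarding: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, with a value such as `Server=http://Computer1.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60` (that URL is the collector named in the question on the default WinRM HTTP port). Security log events are only readable by the forwarding service once the Network Service account has read access to that log on the DCs, which is the usual reason a new source-initiated subscription shows sources as connected but delivers nothing.
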
QUESTION 139
Your company has an IPv6 network that has 25 segments. You deploy a server on the IPv6 network.

You need to ensure that the server can communicate with all segments on the IPv6 network.

What should you do?

A. Configure the IPv6 address as fd00::2b0:d0ff:fee9:4143/8.
B. Configure the IPv6 address as fe80::2b0:d0ff:fee9:4143/64.
C. Configure the IPv6 address as ff80::2b0:d0ff:fee9:4143/64.
D. Configure the IPv6 address as 0000::2b0:d0ff:fee9:4143/64.

Correct Answer: A
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

The fd00:: prefix is used for unique local addressing. This is the address we need for communication with other IPv6 segments.

The fe80:: prefix is used for link-local (same subnet) addressing. This would only allow for communication with the local segment.

The ff80:: prefix is used for multicasting (sending a packet to multiple addresses at once). This would not necessarily ensure all segments are reachable.

The 0000:: prefix is currently reserved by IANA.

References:
http://www.sabi.co.uk/Notes/swIPv6Prefixes.html
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
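
The prefix reasoning above generalises to any IPv6 address, so here is an added example (not from the dump) that classifies an address by the IANA ranges the explanation names and then runs the four answer options through it. The address strings are the ones from the options; the function works for any IPv6 address, including a trailing /prefix length, which it strips before parsing.

```powershell
# Added example (not from the original dump). Classifies an IPv6 address by
# its well-known prefix; the four inputs are the options from question 139.
function Get-IPv6Scope {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse(($Address -split '/')[0])
    if ($ip.AddressFamily -ne 'InterNetworkV6') { throw "$Address is not an IPv6 address" }
    $b = $ip.GetAddressBytes()

    if ($ip.Equals([System.Net.IPAddress]::IPv6Any))       { return 'unspecified (::)' }
    if ($b[0] -eq 0xff)                                    { return 'multicast (ff00::/8), not a host address' }
    if (($b[0] -band 0xfe) -eq 0xfc)                       { return 'unique local (fc00::/7), routable inside the site' }
    if ($b[0] -eq 0xfe -and ($b[1] -band 0xc0) -eq 0x80)   { return 'link-local (fe80::/10), one segment only' }
    if (($b[0] -band 0xe0) -eq 0x20)                       { return 'global unicast (2000::/3)' }
    if ($b[0] -eq 0)                                       { return 'reserved (::/8)' }
    return 'other / unassigned'
}

$options = @{
    A = 'fd00::2b0:d0ff:fee9:4143/8'
    B = 'fe80::2b0:d0ff:fee9:4143/64'
    C = 'ff80::2b0:d0ff:fee9:4143/64'
    D = '0000::2b0:d0ff:fee9:4143/64'
}
foreach ($key in 'A', 'B', 'C', 'D') {
    '{0}: {1,-30} {2}' -f $key, $options[$key], (Get-IPv6Scope $options[$key])
}
```

Only option A lands in a range that a router will forward between segments; B is confined to its link, C is not a unicast address at all, and D sits in the reserved ::/8 block. The same function is a cheap sanity check for addresses handed to `netsh interface ipv6 add address`.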

QUESTION 140
Your network contains a server named Server1 that runs Windows Server 2008 R2. The network for Server1 is configured as shown in the table.


You plan to deploy DirectAccess on Server1.

You need to configure the network interfaces on Server1 to support DirectAccess.

What should you do?

A. Remove the IP address of 131.107.1.13 from Internet2, and then add the address to LAN1.
B. Add the IP address of 10.1.2.2 to LAN1.
C. Remove the IP address of 131.107.1.13 from Internet2, and then add the address to Internet1.
D. Add the default gateway of 131.107.1.1 to Internet2.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

Remove the IP address of 131.107.1.13 from Internet2, and then add the address to Internet1.
This would give us 2 public IPs on the Internet1 interface. See below where this is the recommended procedure for DA setup from Microsoft.

Moving the address to LAN1 would certainly confuse the system, and there is no need for 2 private IPs on the LAN1 interface.

Adding a Gateway seems like it would work, but is apparently not the appropriate method per Microsoft.

Step 1: Build and Provision a DirectAccess Server

Start by provisioning a Windows Server 2008 R2 machine with two NICs. Make sure it’s a member of your internal Active Directory domain. Connect the two NICs, one to an external subnet and the other to your internal network. Next, you’ll be installing certificates and the DirectAccess components. Because this server will bridge the inside and outside network, double-check to ensure it has all the required updates.

You’ll also need two consecutive, static, public IP addresses. For example, these two addresses could be 98.34.120.34 and 98.34.120.35. The important thing is that they’re consecutive. ...Configure the two external addresses on the external adapter of your DirectAccess server.

(MY NOTE: For whatever reason, this is basically saying the 2 consecutive public IPs, 131.107.1.12 and 131.107.1.13, need to be on the same, single interface. The article below also mentions how the internal adapter should only be assigned a single IP for the internal network.)


Reference: http://technet.microsoft.com/en-us/magazine/hh922970.aspx

QUESTION 141
Your network contains a server named Server1.

An administrator named Admin1 installs the Windows Server Update Services (WSUS) server role on Server1.

You open the Windows Server Update Services console and view the Products and Classifications options as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can select updates for Windows Server 2008 R2 Service Pack 1 (SP1) from the Products and Classifications options.

What should you do?

Exhibit:

A. From the Service console, restart the Update Services service.
B. From the WSUS Administration console, synchronize Server1.
C. From a command prompt, run gpudate /force.
D. From a command prompt, run wuauclt /detectnow.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

We can see the "Product" (Server 2008 R2 SP1) is not on the Products and Classifications list. Per the article below, this means we need to synchronize the server.

"You may have to do an initial synchronization to get some products to appear in the list of product classifications."
Reference: http://technet.microsoft.com/en-us/library/cc720453%28v=ws.10%29.aspx

WRONG ANSWERS

Restarting the Update Services service does not reload the WSUS configuration or synchronize the server.

gpupdate /force
This would force the server to apply the latest Group Policy settings or changes, but Products and Classifications are not configured through Group Policy.

wuauclt /detectnow
This would force the server to check for the latest updates to be installed on the server itself, but it does not affect the configuration of the Products and Classifications list.

QUESTION 142

Your network contains an Active Directory forest named contoso.com. The forest contains a server named Server1 that is configured as an enterprise certification authority (CA). The forest contains a server named Server2 that has the Network Policy Server (NPS) role service installed.

You deploy Network Access Protection (NAP).

You discover that Server1 fails to issue health certificates.

You need to ensure that health certificates can be issued.

What should you do?

A. Install an additional server, configure the new server as a standalone CA, and then configure the Health Registration Authority (HRA) to use the CA.
B. From the Network Policy Server console, create a new health policy.
C. From the Network Policy Server console, modify the Windows System Health Validators settings.
D. Install the Host Credential Authorization Protocol (HCAP) role service on Server1.

Correct Answer: A
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

(...)

QUESTION 143

Your network contains an Active Directory forest. The forest contains a member server named VPN1 that runs Windows Server 2008 R2.

You configure VPN1 as a VPN server.

You need to ensure that only client computers that have Windows Update enabled can establish VPN connections to VPN1.

What should you install on VPN1?

A. Windows Server Update Services (WSUS)
B. Network Policy Server (NPS)
C. Health Registration Authority (HRA)
D. Connection Manager Administration Kit (CMAK)

Correct Answer: B
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

We can do this kind of verification on VPN connections with NAP, which is a component of the NPS role.

"In addition, if NAP-capable client computers are running Windows Update Agent and are registered with a Windows Server Update Service (WSUS) server, NAP can verify that the most recent software security updates are installed based on one of four possible values that match security severity ratings from the Microsoft Security Response Center (MSRC)."
Reference: http://technet.microsoft.com/en-us/library/cc754378.aspx

"Health Registration Authority (HRA) provides a service for the Network Access Protection (NAP) platform that is commonly referred to as a registration authority in an X.509 public key infrastructure (PKI). As a registration authority, HRA is responsible for validating client credentials and then forwarding a certificate request to a certification authority (CA) on behalf of the client." (MY NOTE: It should be noted that HRA works with NAP, which requires NPS!)
Reference: http://technet.microsoft.com/en-us/library/cc731872.aspx

Installing WSUS on VPN1 might give us a place from which updates could be downloaded for remediation of VPN clients, but it will not be able to perform the checking of client computers that we need.

"Connection Manager is a versatile client dialer and connection software that you can customize by using the Connection Manager Administration Kit (CMAK) wizard." (Basically, we can use this to customize connections using a connection wizard, but it will not help the VPN server know if clients are up-to-date or not.)
Reference: http://technet.microsoft.com/en-us/library/cc739464%28v=ws.10%29.aspx

QUESTION 144

You have a perimeter network that contains 20 servers. All of the servers run Windows Server 2008 R2 and are members of a workgroup.

You add an additional server named Server21 to the perimeter network.

You plan to configure Server21 to collect events forwarded from the other servers.

You need to ensure that the events are available on Server21 as quickly as possible.

Which event delivery optimization option should you enable?


A. Normal
B. Custom
C. Minimize Bandwidth
D. Minimize Latency

Correct Answer: D
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

Normal
This option ensures reliable delivery of events and does not attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes.

Minimize Bandwidth
This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours.

Minimize Latency
This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds.

Reference: http://technet.microsoft.com/en-us/library/cc749167.aspx

QUESTION 145

You have a client computer named Computer1 that runs Windows 7. On Computer1, you configure a source-initiated subscription. You configure the subscription to retrieve all events from the Windows logs of a domain controller named DC1. The subscription is configured to use the HTTP protocol.

You discover that events from the Security log of DC1 are not collected on Computer1. Events from the Application log of DC1 and the System log of DC1 are collected on Computer1.

You need to ensure that events from the Security log of DC1 are collected on Computer1.

What should you do?

A. Add the computer account of Computer1 to the Event Log Readers group on the domain controller.
B. Add the Network Service security principal to the Event Log Readers group on the domain.
C. Configure the subscription to use custom Event Delivery Optimization settings.
D. Configure the subscription to use the HTTPS protocol.

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

You have to prepare your Windows Server 2008/2008 R2 machines for collection of security events. To do this, simply add the Network Service account to the built-in Event Log Readers group.

Reference: http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event-forwarding-and-you.aspx


WRONG ANSWERS

The computer account does not need permissions to Event Log Readers.

We do not need the HTTPS protocol. If anything, the reverse might be possible: if HTTPS were being used and there were firewall concerns or an improper HTTPS setup, we might want to configure HTTP instead.

Event Delivery Optimization specifies how to optimize collection of events for bandwidth / latency concerns.
Reference: http://technet.microsoft.com/en-us/library/cc749167.aspx

QUESTION 146

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to capture all replication errors from all domain controllers to a central location.

What should you do?

A. Configure Event Log Subscriptions.
B. Start the System Performance data collector set.
C. Start the Active Directory Diagnostics data collector set.
D. Install Network Monitor and create a new capture.

Correct Answer: A
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

In order to see replication errors from multiple computers in one place, we should set up an Event Log subscription. We could customize the subscription so that only Event IDs relevant to replication are captured, and each domain controller could be set up to forward these events to the collector computer.

WRONG ANSWERS

Capturing data in Network Monitor will allow inspection of data packets passed between servers, but will not easily provide us useful information to determine when replication has failed. It would be a very involved process to find and obtain information that anything has happened, let alone what may have happened.

The Active Directory Diagnostics DCS collects general information about the performance of AD. The System Performance DCS collects general information about the computer's performance. Neither of these will give us information about replication.

QUESTION 147

The corporate network of CompanyA consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company1 and Company2.

To ensure central monitoring of events, you decided to collect all the events on one server, Company2, and transfer them to Company1.

You configure the required event subscriptions.

You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work.


Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution.)

A. From the Run window, execute the winrm quickconfig command on Company2.
B. From the Run window, execute the wecutil qc command on Company2.
C. Add the Company1 account to the Administrators group on Company2.
D. From the Run window, execute the winrm quickconfig command on Company1.
E. Add the Company2 account to the Administrators group on Company1.
F. From the Run window, execute the wecutil qc command on Company1.

Correct Answer: ACF
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source).

To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt: winrm quickconfig

Note
If you intend to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, then you must also run the above command on the collector computer.

3. On the collector computer, type the following at an elevated command prompt: wecutil qc
4. Add the computer account of the collector computer to the local Administrators group on each of the source computers.
5. The computers are now configured to forward and collect events. Follow the steps in Create a New Subscription to specify the events you want to have forwarded to the collector.

Reference: http://technet.microsoft.com/en-us/library/cc748890.aspx
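The following script is an added example; it is not from the exam dump or from Microsoft's documentation. It drives the five-step collector/source preparation from Question 147 and the Security-log requirement from Question 145 non-interactively, then registers one collector-initiated subscription that uses the Minimize Latency mode from Question 144 and keeps only Critical/Error events from the Directory Service log, which is where the replication failures of Question 146 are recorded. The names (collector COMPANY1, source company2.contoso.com, NetBIOS domain CONTOSO), the subscription id and the Level filter are assumptions; the XML element names follow the Windows event subscription schema that wecutil cs consumes. It targets Windows Server 2008 R2 / PowerShell 2.0, so it uses net localgroup rather than the newer local-group cmdlets.

```powershell
<#
  Added example (not the exam's or Microsoft's own script).
  Run with -Role Source on each forwarding computer and -Role Collector on
  the collector, as a domain account that is a local administrator on both.
  Assumed names: collector COMPANY1, source company2.contoso.com, domain CONTOSO.
#>
param(
    [Parameter(Mandatory=$true)][ValidateSet('Source','Collector')]
    [string]   $Role,
    [string]   $Domain    = 'CONTOSO',                  # assumed NetBIOS domain name
    [string]   $Collector = 'COMPANY1',                 # assumed collector host name
    [string[]] $Sources   = @('company2.contoso.com'),  # assumed source FQDNs
    [ValidateSet('Normal','MinLatency','MinBandwidth')]
    [string]   $Mode      = 'MinLatency'                # Q144: fastest delivery (push, 30 s batches)
)

function Invoke-Native([string] $Exe, [string[]] $Arguments) {
    # Run a native tool and turn a non-zero exit code into a terminating error.
    $out = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $Arguments failed ($LASTEXITCODE): $out" }
    $out
}

function Add-LocalMember([string] $Group, [string] $Member) {
    # Idempotent wrapper around 'net localgroup': adding an existing member fails.
    $members = & net localgroup $Group
    if ($members -contains $Member) { Write-Host "$Member is already in $Group"; return }
    Invoke-Native 'net' @('localgroup', $Group, $Member, '/add') | Out-Null
}

switch ($Role) {
    'Source' {
        # Step 2: WinRM listener plus its firewall exception on every source.
        Invoke-Native 'winrm' @('quickconfig', '-q') | Out-Null
        # Step 4: the collector's computer account reads this machine's logs.
        Add-LocalMember 'Administrators' "$Domain\$Collector`$"
        # Q145: for source-initiated subscriptions the WinRM service (running as
        # Network Service) reads the Security log itself, so it needs this group.
        Add-LocalMember 'Event Log Readers' 'NT AUTHORITY\NETWORK SERVICE'
    }
    'Collector' {
        # Step 3: configure and start the Windows Event Collector service.
        Invoke-Native 'wecutil' @('qc', '/q') | Out-Null
        # The Note in the procedure: push modes also need WinRM on the collector.
        if ($Mode -ne 'Normal') { Invoke-Native 'winrm' @('quickconfig', '-q') | Out-Null }

        $sourceXml = ($Sources | ForEach-Object {
            "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`r`n"
        # CredentialsType Default = the collector's computer account, which step 4
        # made a local Administrator on each source. Level 1/2 = Critical/Error.
        $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DirectoryServiceErrors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and Error events from the Directory Service log</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>$Mode</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0" Path="Directory Service"><Select Path="Directory Service">*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@
        $file = Join-Path $env:TEMP 'DirectoryServiceErrors.xml'
        Set-Content -Path $file -Value $xml -Encoding ASCII
        # 'wecutil cs' refuses an id that already exists; remove it with 'wecutil ds <id>' first.
        Invoke-Native 'wecutil' @('cs', $file) | Out-Null
        # Runtime status shows per-source errors (access denied, WinRM unreachable) at once.
        Invoke-Native 'wecutil' @('gr', 'DirectoryServiceErrors')
    }
}
```

The per-source runtime status from wecutil gr is the quickest way to tell which of the three steps was skipped: an access-denied error on a source points at step 4, a connection error at step 2. Forwarded events land in the collector's ForwardedEvents log, which is where the subscription's consumers should read from.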

QUESTION 148

Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to ensure that you can log performance counter data from Server1 to a SQL database.

Which tool should you use?

A. Component Services
B. Data Sources (ODBC)
C. Share and Storage Management
D. Storage Explorer

Correct Answer: B
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:
Explanation:

We basically need to configure a DSN that points to our SQL database, so the Data Collector we create can communicate with it. This is done through the Data Sources console.


WRONG ANSWERS

Share and Storage Management provides a central location for you to manage shared resources, such as folders and volumes, as well as storage resources.
Reference: http://technet.microsoft.com/en-us/library/cc731574.aspx

With Storage Explorer, you can view and manage the Fibre Channel and iSCSI fabrics that are available in your storage area network (SAN).
Reference: http://technet.microsoft.com/en-us/library/cc731884.aspx

You can use the Component Services snap-in in Microsoft Management Console (MMC) to configure and administer Component Object Model (COM) components, COM+ applications, and the Distributed Transaction Coordinator (DTC).
Reference: http://technet.microsoft.com/en-us/library/cc731901.aspx

QUESTION 149

Your network contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2008 R2. The servers have the Network Policy Server (NPS) role service installed.

You configure a Remote RADIUS Server Group named Group1. Group1 contains Server2, Server3, and Server4.

You need to configure load balancing for the members of Group1 to meet the following requirements:

· Server1 must send 25 percent of all authentication requests to Server3.
· Server1 must send 75 percent of all authentication requests to Server2.
· Server1 must only send authentication requests to Server4 if Server2 and Server3 are unavailable.

What should you do from the Network Policy Server console?

A.
· For Server2, set the weight to 75 and the priority to 75.
· For Server3, set the weight to 25 and the priority to 25.
· For Server4, set the weight to 100 and the priority to 200.

B.
· For Server2, set the weight to 75 and the priority to 1.
· For Server3, set the weight to 25 and the priority to 1.
· For Server4, set the weight to 100 and the priority to 100.

C.
· For Server2, set the weight to 1 and the priority to 75.
· For Server3, set the weight to 1 and the priority to 25.
· For Server4, set the weight to 100 and the priority to 1.

D.
· For Server2, set the weight to 75 and the priority to 25.
· For Server3, set the weight to 25 and the priority to 75.
· For Server4, set the weight to 100 and the priority to 1.

Correct Answer: B
Section: 70-648 Configuring Network Access

Explanation/Reference:
Correct answer: B

MY NOTE: To word the requirements differently, Server2 must get 75% of requests, Server3 must get 25% of requests, and Server4 should only get requests if Server2/Server3 are unavailable.

Based on the reference below, this means Server2 needs a weight of 75, Server3 needs a weight of 25, and Server4 needs the highest priority value (for it to be lowest in priority). Of the options available, 2 of them have the correct weights, but only 1 has a high priority value (200) for Server4. A priority of 1, with weight of 100, would mean Server4 handles all requests!!!

During the NPS proxy configuration process, you can create remote RADIUS server groups and then add RADIUS servers to each group. To configure load balancing, you must have more than one RADIUS server per remote RADIUS server group. While adding group members, or after creating a RADIUS server as a group member, you can access the Add RADIUS server dialog box to configure the following items on the Load Balancing tab:

Priority: Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server. For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them.

Weight: NPS uses this Weight setting to determine how many connection requests to send to each group member when the group members have the same priority level. Weight setting must be assigned a value between 1 and 100, and the value represents a percentage of 100 percent. For example, if the remote RADIUS server group contains two members that both have a priority level of 1 and a weight rating of 50, the NPS proxy forwards 50 percent of the connection requests to each RADIUS server.

Reference: http://technet.microsoft.com/en-us/library/dd197433(v=ws.10).aspx
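As an added example (not NPS code and not part of the exam dump), the script below models only the two rules quoted above, lowest priority number first and weights shared among members of the same priority, and runs option B through them: with every member reachable, Server2 and Server3 split the requests roughly 75/25, and Server4 is chosen only once both of them are marked unavailable. The request count and the simulated availability list are assumptions; the real proxy's failover timers and retry logic are not modelled.

```powershell
# Added example: a model of the documented priority/weight selection, not NPS itself.
function Select-RadiusServer {
    param([object[]] $Group, [string[]] $Unavailable = @())
    $candidates = @($Group | Where-Object { $Unavailable -notcontains $_.Name })
    if ($candidates.Count -eq 0) { return $null }
    # Lowest priority number wins; members sharing it split requests by weight.
    $best  = ($candidates | Measure-Object -Property Priority -Minimum).Minimum
    $tier  = @($candidates | Where-Object { $_.Priority -eq $best })
    $total = ($tier | Measure-Object -Property Weight -Sum).Sum
    $roll  = Get-Random -Minimum 0 -Maximum $total   # integer in [0, total)
    foreach ($s in $tier) {
        if ($roll -lt $s.Weight) { return $s.Name }
        $roll -= $s.Weight
    }
}

function Measure-Distribution([object[]] $Group, [string[]] $Unavailable, [int] $Requests = 10000) {
    # Count how often each member is picked over many simulated requests.
    $counts = @{}
    for ($i = 0; $i -lt $Requests; $i++) {
        $pick = Select-RadiusServer -Group $Group -Unavailable $Unavailable
        if ($pick -eq $null) { $pick = '(no server available)' }
        $counts[$pick] = 1 + [int]$counts[$pick]
    }
    $counts.GetEnumerator() | Sort-Object Key | ForEach-Object {
        '{0,-24} {1,6}  ({2,6:P1})' -f $_.Key, $_.Value, ($_.Value / $Requests)
    }
}

# Option B from the question: Server2/Server3 share priority 1, Server4 sits in a lower tier.
$optionB = @(
    (New-Object PSObject -Property @{ Name = 'Server2'; Priority = 1;   Weight = 75  }),
    (New-Object PSObject -Property @{ Name = 'Server3'; Priority = 1;   Weight = 25  }),
    (New-Object PSObject -Property @{ Name = 'Server4'; Priority = 100; Weight = 100 })
)

'All members reachable:';            Measure-Distribution $optionB @()
'Server2 and Server3 unavailable:';  Measure-Distribution $optionB @('Server2', 'Server3')
```

Swapping in option C's values (weight 1 for Server2 and Server3, priority 1 and weight 100 for Server4) shows the failure mode the note warns about: Server4 becomes the only member of the best tier and receives every request.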

QUESTION 150

Your network contains a server named Server1 that has the Routing and Remote Access service (RRAS) role service installed.

Server1 provides access to the internal network by using Point-to-Point Tunneling Protocol (PPTP).

Static RRAS filters on the external interface of Server1 allow only PPTP. The IP address of the external interface is 131.107.1.100.

You install the Web Server (IIS) role on Server1.

You need to ensure that users on the Internet can access a Web site on Server1 by using HTTP. The solution must minimize the number of open ports on Server1.

Which two static RRAS filters should you configure on Server1? (Each correct answer presents part of the solution. Choose two.)

A. An outbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Protocol: TCP (established)
Port: 80

B. An outbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Port: 80

C. An outbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Protocol: TCP
Port: Any

D. An inbound filter that has the following configurations:
Source network: Any
Destination network: 131.107.1.100/32
Protocol: TCP
Port: 80

E. An inbound filter that has the following configurations:
Source network: 131.107.1.100/32
Destination network: Any
Protocol: TCP
Port: Any

Correct Answer: AD
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

We are told the solution must minimize the number of open ports. Right away, this eliminates the 2 answers specifying "Port: Any".

We need users to access the web site on Server1 using HTTP (port 80), so we need an outbound and an inbound filter. Only 1 inbound filter meets the requirements, so we need to determine which outbound filter is correct.

The only difference between the 2 outbound filters for port 80 is that one specifies the protocol as TCP and the other as TCP (established). The established variant only lets out packets that belong to TCP connections a client has already opened to the web server. This is the rule we want, as it is the most secure: it only lets packets out to clients that have connected to the site first.

If we allowed all TCP connections out, any compromise of the computer or malfunction of a TCP program on the server could cause undesired effects for our users.


Same Choices

QUESTION 1

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server6 that runs a third-party POP3 server. Server6 only supports encrypted POP3 connections.

You need to configure the Windows Firewall on Server6 to allow client computers access to the POP3 server.

Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: D
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Be careful here, the scenario states Server6 only supports encrypted POP3, aka POP3 over SSL. This operates on TCP port 995.

Reference: http://technet.microsoft.com/en-us/library/cc959833.aspx

QUESTION 2

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server2 that has the DNS Server server role installed.

You need to configure the Windows Firewall on Server2 to allow client computers access to the DNS Server service.

Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: M
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Reference: http://technet.microsoft.com/en-us/library/cc959833.aspx

QUESTION 3

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server3 that has the DHCP Server server role installed.

You need to configure Windows Firewall on Server3 to allow IPv4 client computers access to the DHCP Server service.

Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: J
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Both BOOTP and DHCP servers use UDP port 67 to listen for and receive client request messages. BOOTP and DHCP clients typically reserve UDP port 68 for accepting message replies from either a BOOTP server or DHCP server.

References:
http://technet.microsoft.com/en-us/library/cc781243(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc959833.aspx

QUESTION 4

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named contoso.com.

The domain contains a server named Server1 that has Microsoft SQL Server 2008 R2 installed.

You need to configure the Windows Firewall on Server1 to allow client computers access to the SQL Server installation.

Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: L
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

SQL Server listens for incoming connections on a particular port. The default port for SQL Server is 1433. The port doesn't need to be 1433, but 1433 is the official Internet Assigned Number Authority (IANA) socket number for SQL Server.

References:
http://support.microsoft.com/kb/287932/EN-US
http://technet.microsoft.com/en-us/library/cc959833.aspx

QUESTION 5

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your company contains an Active Directory domain named contoso.com. The network contains three subnets that are separated by a firewall.

The domain has a server named Server5 that runs Active Directory Lightweight Directory Services. Server5 only supports encrypted LDAP connections.

You need to configure Windows Firewall to ensure that the client computers can access the LDAP service on Server5.

Which port or ports should you allow through Windows Firewall?

A. UDP 546 and UDP 547
B. UDP 993
C. TCP 993
D. TCP 995
E. UDP 995
F. TCP 67 and TCP 68
G. TCP 636
H. TCP 587 and UDP 587
I. TCP 546 and TCP 547
J. UDP 67 and UDP 68
K. UDP 1433
L. TCP 1433
M. TCP 53 and UDP 53

Correct Answer: G
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Be careful here, the scenario states Server5 only supports encrypted LDAP, aka LDAP over SSL. This uses TCP port 636.

Reference: http://technet.microsoft.com/en-us/library/cc959833.aspx
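The script below is an added example, not part of the exam dump and not Microsoft's code. It turns the answers to Questions 1 through 5 into inbound Windows Firewall rules, one protocol/port pair per rule, using netsh advfirewall (the built-in tool on Windows Server 2008 R2; the NetSecurity cmdlets only arrived with Server 2012), and then checks that the service is actually listening on what was opened. The host names come from the questions; the rule names, the domain-profile choice and the decision to open only UDP 67 on the DHCP server (68 is the port clients receive on, as the Question 3 explanation states) are assumptions.

```powershell
# Added example: least-privilege inbound rules for the services in Questions 1-5.
# Run elevated on the server in question; only that host's rows are applied.
$ServiceRules = @(
    @{ Host = 'Server6'; Service = 'POP3 over SSL'; Protocol = 'TCP'; Port = 995  },  # Q1: TCP, not UDP 995 or 993 (IMAPS)
    @{ Host = 'Server2'; Service = 'DNS';           Protocol = 'UDP'; Port = 53   },  # Q2: ordinary queries
    @{ Host = 'Server2'; Service = 'DNS';           Protocol = 'TCP'; Port = 53   },  # Q2: large answers, zone transfers
    @{ Host = 'Server3'; Service = 'DHCP Server';   Protocol = 'UDP'; Port = 67   },  # Q3: server listens on 67 only
    @{ Host = 'Server1'; Service = 'SQL Server';    Protocol = 'TCP'; Port = 1433 },  # Q4: default instance
    @{ Host = 'Server5'; Service = 'LDAP over SSL'; Protocol = 'TCP'; Port = 636  }   # Q5: AD LDS, LDAPS only
)

function Test-RuleExists([string] $RuleName) {
    # 'show rule' exits non-zero and prints 'No rules match' when nothing is found.
    $out = & netsh advfirewall firewall show rule name="$RuleName"
    return ($LASTEXITCODE -eq 0 -and (($out -join ' ') -match 'Rule Name'))
}

function Add-InboundRule([string] $RuleName, [string] $Protocol, [int] $Port) {
    # Idempotent: re-running the script never creates duplicate rules.
    if (Test-RuleExists $RuleName) { Write-Host "exists: $RuleName"; return }
    # Domain profile only: all five hosts are members of contoso.com.
    & netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        protocol=$Protocol localport=$Port profile=domain
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule '$RuleName'" }
    Write-Host "added: $RuleName"
}

function Test-Listening([string] $Protocol, [int] $Port) {
    # netstat -an prints one line per socket; a local ':<port>' on the right
    # protocol means the service is bound, so the rule actually serves something.
    $lines = & netstat -an | Select-String -Pattern "^\s*$Protocol\s+\S+:$Port\s"
    return ($lines -ne $null)
}

$mine = @($ServiceRules | Where-Object { $_.Host -ieq $env:COMPUTERNAME })
if ($mine.Count -eq 0) { Write-Warning "no rules defined for $env:COMPUTERNAME"; return }

foreach ($r in $mine) {
    Add-InboundRule "Allow $($r.Service) $($r.Protocol)/$($r.Port)" $r.Protocol $r.Port
    if (-not (Test-Listening $r.Protocol $r.Port)) {
        Write-Warning "$($r.Service) is not listening on $($r.Protocol) $($r.Port); rule opened for nothing"
    }
}
```

The listening check is the part worth keeping after the exam: a rule that opens a port nobody is bound to is pure attack surface, and a service listening on a port with no rule shows up as a client failure rather than as a security finding.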

QUESTION 6

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer.

What should you do?

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: C
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
Explanation:

Event subscriptions allow us to collect events from multiple computers onto a single collector computer, simplifying the troubleshooting of a problem that affects multiple computers.

QUESTION 7

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to compact the Active Directory database.

What should you do?

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: F
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
Explanation:

Compacting the AD database is also known as an offline defragmentation.

To perform offline defragmentation of the directory database
(...)
4. At the command prompt, type ntdsutil, and then press ENTER.
5. At the ntdsutil prompt, type activate instance ntds, and then press ENTER.
6. At the ntdsutil prompt, type files, and then press ENTER.
(...)
Reference: http://technet.microsoft.com/en-us/library/cc794920%28v=ws.10%29.aspx

QUESTION 8

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to receive a notification when more than 100 Active Directory objects are deleted per second.

What should you do?

A. Run the eventcreate.exe command.
B. Create a Data Collector Set (DCS).
C. Configure subscriptions from Event Viewer.
D. Create custom views from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Run the ntdsutil.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Run the repadmin.exe command.
I. Run the dsquery.exe command.
J. Run the dsamain.exe command.

Correct Answer: B
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
Explanation:

(This one may also show up with a different # of objects but answer is always the same)

We basically need to set up a performance alert. We would not set one up on the AD DCS, as it does not provide information about deleted objects in AD. Rather, we would have to create a custom DCS with the appropriate performance counter.

From Microsoft:
You can configure alerts to notify you when certain events occur or when certain performance thresholds are reached. You can send these alerts as network messages and as events that are logged in the application event log. You can also configure alerts to start applications and performance logs.

To configure an alert, follow these steps:
1. In Performance Monitor, under the Data Collector Sets node, right-click the User-Defined node in the left pane, point to New, and then choose Data Collector Set.
(...)

Reference: http://technet.microsoft.com/en-us/magazine/ff458614.aspx

QUESTION 9

Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You need to create a snapshot of Active Directory.

What should you do?

A. Run the eventcreate.exe command.

B. Create a Data Collector Set (DCS).C. Configure subscriptions from Event Viewer.

Page 211: Exam 70-648 TS: Upgrading from Windows Server 2003 MCSA to, Windows Server … · 2019-11-02 · A. The MCSA on Windows Server 2003 certification is a prerequisite for this exam.

D. Create custom views from Event Viewer.E. Run the Get-ADForest cmdlet.

F. Run the ntdsutil.exe command.

G. Configure the Active Directory Diagnostics Data Collector Set (DCS).

H. Run the repadmin.exe command.

I. Run the dsquery.exe command.

J. Run the dsamain.exe command.

Correct Answer: F
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
Explanation:

To create an AD DS or AD LDS snapshot
1. Log on to a domain controller as a member of the Enterprise Admins group or the Domain Admins group.
2. Click Start, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. At the elevated command prompt, type the following command, and then press ENTER: ntdsutil
5. At the ntdsutil prompt, type the following command, and then press ENTER: snapshot
6. At the snapshot prompt, type the following command, and then press ENTER: activate instance ntds
7. At the snapshot prompt, type the following command, and then press ENTER: create

Reference: http://technet.microsoft.com/en-us/library/cc753609.aspx

QUESTION 10
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2.

You mount an Active Directory snapshot.

You need to ensure that you can query the snapshot by using LDAP.

What should you do?

A. Run the eventcreate.exe command.

B. Create a Data Collector Set (DCS).

C. Configure subscriptions from Event Viewer.

D. Create custom views from Event Viewer.

E. Run the Get-ADForest cmdlet.

F. Run the ntdsutil.exe command.

G. Configure the Active Directory Diagnostics Data Collector Set (DCS).

H. Run the repadmin.exe command.

I. Run the dsquery.exe command.

J. Run the dsamain.exe command.

Correct Answer: J
Section: 70-648 Maintaining the Active Directory Environment

Explanation/Reference:
Explanation:

(This one may also show up asking about connection to the snapshot - the answer remains the same)

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organization by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain.
(...)
You do not need any additional software to use the Active Directory database mounting tool. All the tools that are required to use this feature are built into Windows Server 2008 and are available if you have the AD DS or the AD LDS server role installed. These tools include the following:

(...)
Dsamain.exe, which you can use to expose the snapshot data as an LDAP server
Existing LDAP tools, such as Ldp.exe and Active Directory Users and Computers

Reference: http://technet.microsoft.com/en-us/library/cc753609.aspx

QUESTION 11
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed.

You discover that clients are not being assigned IP addresses from DC1.

You open the DHCP console as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that the clients can be assigned IP addresses from DC1.

What should you do?

Exhibit:

A. Compact the database.

B. Configure DHCP link layer-based filtering.

C. Configure a DHCP Relay Agent.

D. Restore the database from a backup.

E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.

G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.

I. Reconcile the scope.

J. Modify the start address.

K. Authorize DC1 in Active Directory.

Correct Answer: K
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Typically, after the setup of a new DHCP server, it will not hand out addresses until it is explicitly authorized to do so. We can see that under DC1, both IPv4 and IPv6 are showing red down arrows. This confirms that the server is not active or authorized, and that is why the clients are not getting an IP.

QUESTION 12
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed.

You need to prevent devices that are neither company-owned nor company-managed from being assigned DHCP addresses.

What should you enable on the DHCP server?

A. Compact the database.

B. Configure DHCP link layer-based filtering.

C. Configure a DHCP Relay Agent.

D. Restore the database from a backup.

E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.

G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.

I. Reconcile the scope.

J. Modify the start address.

K. Authorize DC1 in Active Directory.

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Link-layer filtering provides network access control for the issuance or denial of DHCP leases of IP addresses based on a media access control (MAC) address. Link layer filtering can be configured at the IPv4 node for all clients across all IPv4 scopes. This feature is currently available only for IPv4 networks.

Reference: http://technet.microsoft.com/en-us/library/dd759259.aspx

QUESTION 13
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed.

You discover the following warning message in the Event log on DC1: "There were orphaned entries deleted in the configuration due to the deletion of a class and option definition. Please recheck the server configuration."

You need to resolve the warning message.

What should you do?

A. Compact the database.

B. Configure DHCP link layer-based filtering.

C. Configure a DHCP Relay Agent.

D. Restore the database from a backup.

E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.

G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.

I. Reconcile the scope.

J. Modify the start address.

K. Authorize DC1 in Active Directory.

Correct Answer: I
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Message: There were some orphaned entries deleted in the configuration due to the deletion of a class or an option definition. Please recheck the server configuration.

Resolve: Reconcile the DHCP scope

Reference: http://technet.microsoft.com/en-us/library/cc726942(v=ws.10).aspx

QUESTION 14
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed.

Clients located on the same subnet as DC1 are assigned valid IP addresses from DC1. Clients located on a different subnet are not assigned IP addresses from DC1.

You verify that there is network connectivity between the two subnets.

You need to ensure that the clients on both of the subnets can receive IP addresses from DC1.

What should you do?

A. Compact the database.

B. Configure DHCP link layer-based filtering.

C. Configure a DHCP Relay Agent.

D. Restore the database from a backup.

E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.

G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.

I. Reconcile the scope.

J. Modify the start address.

K. Authorize DC1 in Active Directory.

Correct Answer: C
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

"For each IP network segment that contains DHCP clients, either a DHCP server or a computer acting as a DHCP Relay Agent is required."

Reference: http://technet.microsoft.com/en-us/library/cc783103%28v=ws.10%29.aspx

MY NOTE: We know connectivity is working, but have no indication that the remote subnet has a DHCP server itself. So, we need to configure a Relay Agent.

QUESTION 15
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed.

DC1 has a DHCP scope for the 10.10.10.0/24 network ID.

You discover the following warning message in the Event log on DC1: "Scope, Scope1, is 98 percent full with only two IP addresses remaining."

You need to ensure that DC1 has enough IP addresses to assign to clients. The solution must not cause any IP conflicts.

What should you do?

A. Compact the database.

B. Configure DHCP link layer-based filtering.

C. Configure a DHCP Relay Agent.

D. Restore the database from a backup.

E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.

G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.

I. Reconcile the scope.

J. Modify the start address.

K. Authorize DC1 in Active Directory.

Correct Answer: F
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Message: Scope, %1, is %2 percent full with only %3 IP addresses remaining.

Resolve: Extend DHCP scopes, reduce lease times, or decrease cleanup interval (MY NOTE: The answer in the question says "Increase the database cleanup interval"; I think it means to imply you would increase the frequency of database cleanup, which is done by decreasing the amount of time that passes before each cleanup occurs.)

Reference: http://technet.microsoft.com/en-us/library/cc726940%28v=ws.10%29.aspx

QUESTION 16
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains a server named DC1 that has the DHCP Server server role installed.

You discover the following warning message in the Event log of DC1: "The DHCP service encountered the following error while cleaning up the database: An error occurred while accessing the DHCP database. Look at the DHCP server event log for more information on this error."

You need to resolve the warning message.

What should you do?

A. Compact the database.

B. Configure DHCP link layer-based filtering.

C. Configure a DHCP Relay Agent.

D. Restore the database from a backup.

E. Configure Routing Information Protocol version 2 (RIPv2) on the router.

F. Increase the database cleanup interval.

G. Configure Open Shortest Path First (OSPF) on the router.

H. Configure name protection.

I. Reconcile the scope.

J. Modify the start address.

K. Authorize DC1 in Active Directory.

Correct Answer: D
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

If the server is having problems accessing the DHCP database, it makes the most sense to restore it from a backup. Compacting it would help it take up less space, but that is not going to help the server access it, as it appears to have been corrupted.

QUESTION 17
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. The domain contains several VPN servers that have the Routing and Remote Access service (RRAS) role service installed.

You need to collect information about the duration of the VPN connections. The information must be stored in a central location.

What should you configure on the VPN servers?

A. the Windows Accounting accounting provider

B. the RADIUS Accounting accounting provider

C. Connection Request policies

D. Health policies

E. the Windows Authentication authentication provider

F. the RADIUS Authentication authentication provider

G. Remediation Server groups

H. Group Policy preferences

I. System Health Validators (SHVs)

J. IKEv2 client connections

Correct Answer: B
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

RADIUS Accounting

The RADIUS server also collects a variety of information sent by the NAS that can be used for accounting and for reporting on network activity. The RADIUS client sends information to designated RADIUS servers when the user logs on and logs off. The RADIUS client may send additional usage information on a periodic basis while the session is in progress. The requests sent by the client to the server to record logon/logoff and usage information are generally called "accounting requests."

Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/bb892012%28v=vs.85%29.aspx

MY NOTE: This question is tricky. The original answer in some dumps was RADIUS Authentication provider. And indeed, a RADIUS server like this needs to be in place before RADIUS Accounting can be configured. But this question has been seen with only 4 choices, and RADIUS Accounting was a possible answer and not RADIUS Authentication. Other dumps have made this correction to the answer as well.

QUESTION 18
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. The domain contains several VPN servers that have the Routing and Remote Access service (RRAS) role service installed.

You need to configure all of the VPN servers to use the same network policies. The solution must ensure that any changes to the network policies automatically apply to all of the VPN servers.

What should you configure on the VPN servers?

A. the Windows Accounting accounting provider

B. the RADIUS Accounting accounting provider

C. Connection Request policies

D. Health policies

E. the Windows Authentication authentication provider

F. the RADIUS Authentication authentication provider

G. Remediation Server groups

H. Group Policy preferences

I. System Health Validators (SHVs)

J. IKEv2 client connections

Correct Answer: F
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Network Policy and Access Services provides the following network connectivity solutions:
(...)

Central network policy management with RADIUS server and proxy

Reference: http://technet.microsoft.com/en-us/library/cc731321%28v=ws.10%29.aspx

MY NOTE: So our VPNs need to use RADIUS as an authentication provider in order for us to have centralized network policies for the VPNs.

QUESTION 19
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain.

Your company is implementing Network Access Protection (NAP).

You need to define which network resources non-compliant client computers can access.

What should you configure?

A. the Windows Accounting accounting provider

B. the RADIUS Accounting accounting provider

C. Connection Request policies

D. Health policies

E. the Windows Authentication authentication provider

F. the RADIUS Authentication authentication provider

G. Remediation Server groups

H. Group Policy preferences

I. System Health Validators (SHVs)

J. IKEv2 client connections

Correct Answer: G
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Remediation server groups are used to specify servers that are available to noncompliant Network Access Protection (NAP) clients for the purpose of remediating their health state to comply with health requirements.

Reference: http://technet.microsoft.com/en-us/library/dd759158.aspx

QUESTION 20
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain.

You deploy Network Access Protection (NAP).

You need to verify whether VPN clients have Windows Firewall enabled.

What should you configure?

A. the Windows Accounting accounting provider

B. the RADIUS Accounting accounting provider

C. Connection Request policies

D. Health policies

E. the Windows Authentication authentication provider

F. the RADIUS Authentication authentication provider

G. Remediation Server groups

H. Group Policy preferences

I. System Health Validators (SHVs)

J. IKEv2 client connections

Correct Answer: I
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

System health validators (SHVs) define configuration requirements for NAP client computers. All SHVs include five error code conditions. If an error code is returned to the SHV, you can choose to have the SHV evaluate the client as either compliant or noncompliant.

Reference: http://technet.microsoft.com/en-us/library/dd314150(v=ws.10).aspx

QUESTION 21
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain. Your company provides VPN access for multiple organizations.

You need to configure Network Policy Server (NPS) to forward authentication requests to the appropriate organization.

What should you configure on the NPS server?

A. the Windows Accounting accounting provider

B. the RADIUS Accounting accounting provider

C. Connection Request policies

D. Health policies

E. the Windows Authentication authentication provider

F. the RADIUS Authentication authentication provider

G. Remediation Server groups

H. Group Policy preferences

I. System Health Validators (SHVs)

J. IKEv2 client connections

Correct Answer: C
Section: 70-648 Configuring Network Access

Explanation/Reference:
Explanation:

Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.

Reference: http://technet.microsoft.com/en-us/library/cc753603.aspx

This question can show up with slightly different wording or even more limited answer choices. Focus on the fact that Connection Request policies allow us to forward authentication to the right domains in partnered domains.

QUESTION 22
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA).

You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.

Which snap-in should you use?

A. Active Directory Administrative Center

B. Authorization Manager

C. Certificate Templates

D. Certificates

E. Certification Authority

F. Enterprise PKI

G. Group Policy Management

H. Security Configuration Wizard

I. Share and Storage Management

Correct Answer: G
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

To give non-Administrator users read-only access to event logs, add them to the built-in Event Log Readers group.

Reference: http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx

So if we make Group1 a member of the Event Log Readers group, they can view all event logs (including Certificate Services). This is a local group on the server, so we need to assign this membership using Group Policy. Therefore, we would use the Group Policy Management console.

We would not use ADUC here, because Event Log readers is a local group on the server.

The various certificate snap-ins allow us to manage certificates but do not provide access to event logs for certificate services.

QUESTION 23
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates.

You need to archive the private key for all new EFS certificates.

Which snap-in should you use?

A. Active Directory Administrative Center

B. Authorization Manager

C. Certificate Templates

D. Certificates

E. Certification Authority

F. Enterprise PKI

G. Group Policy Management

H. Security Configuration Wizard

I. Share and Storage Management

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

Key archival is strongly recommended for use with the Basic Encrypting File System (EFS) certificate template in order to protect users from data loss.
(...)

To configure a certificate template for key archival and recovery
1. Open the Certificate Templates snap-in.

Reference: http://technet.microsoft.com/en-us/library/cc753826.aspx

QUESTION 24
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template.

Which snap-in should you use?

A. Active Directory Administrative Center

B. Authorization Manager

C. Certificate Templates

D. Certificates

E. Certification Authority

F. Enterprise PKI

G. Group Policy Management

H. Security Configuration Wizard

I. Share and Storage Management

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

The only snap-in for managing templates is the Certificate Templates snap-in. On the Security tab of a specific certificate template, you can configure access and permissions for the certificate, including Enroll permissions (allows a user to enroll in that certificate).

The Enterprise PKI snap-in is used for viewing properties for multiple CAs; we need to modify the properties of a single certificate template.

The Certification Authority snap-in is used for configuring various properties of a CA.

The Certificates snap-in lets us view the certificates installed on a local machine, and make requests for a certificate.

None of the other tools are used with certificate services.

QUESTION 25
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You need to approve a pending certificate request.

Which snap-in should you use?

A. Active Directory Administrative Center

B. Authorization Manager

C. Certificate Templates

D. Certificates

E. Certification Authority

F. Enterprise PKI

G. Group Policy Management

H. Security Configuration Wizard

I. Share and Storage Management

Correct Answer: E
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

To issue a pending certificate request:
1. Log on to your root CA by using an account that is a certificate manager.
2. Start the Certification Authority snap-in.
3. In the console tree, expand your root CA, and click Pending Requests.
4. In the details pane, right-click the pending CA certificate, and click Issue.

Reference: http://technet.microsoft.com/de-de/library/ff849263.aspx

QUESTION 26
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2008 R2 Enterprise. All client computers run Windows 7 Professional.

The network contains an enterprise certification authority (CA).

You have a custom certificate template named Sales_Temp. Sales_Temp is published to the CA.

You need to ensure that all of the members of a group named Sales can enroll for certificates that use Sales_Temp.

Which snap-in should you use?

A. Active Directory Administrative Center

B. Authorization Manager

C. Certificate Templates

D. Certificates

E. Certification Authority

F. Enterprise PKI

G. Group Policy Management

H. Security Configuration Wizard

I. Share and Storage Management

Correct Answer: C
Section: 70-648 Configuring Active Directory Certificate Services

Explanation/Reference:
Explanation:

After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure autoenrollment for the certificate template.

To define permissions to allow a specific security principal to enroll for certificates based on a certificate template
1. Open the Certificate Templates snap-in (Certtmpl.msc).

(...)

Reference: http://technet.microsoft.com/en-us/library/cc770794.aspx

QUESTION 27
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2.

You need to configure Server1 as a network address translation (NAT) server.

Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)

B. Routing and Remote Access service (RRAS)

C. Windows Server Update Services (WSUS)

D. Network Load Balancing (NLB)

E. Wireless LAN Service

F. Windows Internal Database

G. Network Policy Server (NPS)

H. File Server Resource Manager (FSRM)

I. Services for Network File System (NFS)

J. Group Policy Management

K. Connection Manager Administration Kit (CMAK)

L. Windows System Resource Manager (WSRM)

M. Simple TCP/IP Services

Correct Answer: B
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

Network address translation (NAT) allows you to share a connection to the public Internet through a single interface with a single public IP address.
(...)
To enable network address translation addressing

In the RRAS MMC snap-in, expand Your Server Name. If you are using Server Manager, expand Routing and Remote Access. (MY NOTE: In other words, as most books will tell you, NAT is a role service for the RRAS server role)

Reference: http://technet.microsoft.com/en-us/library/dd469812.aspx

QUESTION 28
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2.

You configure Server1 as a VPN server.

You need to ensure that only client computers that have up-to-date virus definitions can establish VPN connections to Server1.

Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)

B. Routing and Remote Access service (RRAS)

C. Windows Server Update Services (WSUS)

D. Network Load Balancing (NLB)

E. Wireless LAN Service

F. Windows Internal Database

G. Network Policy Server (NPS)

H. File Server Resource Manager (FSRM)

I. Services for Network File System (NFS)

J. Group Policy Management

K. Connection Manager Administration Kit (CMAK)

L. Windows System Resource Manager (WSRM)

M. Simple TCP/IP Services

Correct Answer: G
Section: 70-648 Configuring IP Addressing and Services

Explanation/Reference:
Explanation:

This one is strange. We need to set up NAP, which is a service of the NPS server role. However, we are also told that Server1 was configured as a VPN server, so NPS should already be installed. I would think we should be able to go straight to configuring the NAP service.

"By using NAP, you can establish health policies that define such things as software requirements, security update requirements, and required configuration settings for computers that connect to your network."

Reference: http://technet.microsoft.com/en-us/library/cc754378.aspx

QUESTION 29
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2.

You need to ensure that UNIX-based client computers can access shared folders on Server1.

Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: I
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

Services for Network File System (NFS) provides a file-sharing solution for enterprises that have a mixed Windows and UNIX environment. Services for NFS enables users to transfer files between computers running the Windows Server 2008 operating system and UNIX-based computers using the NFS protocol.
Reference: http://technet.microsoft.com/en-us/library/cc753302(v=ws.10).aspx

QUESTION 30
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2.

You need to create folder quotas on Server1.

Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: H
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

By using File Server Resource Manager (FSRM) to create a quota for a volume or folder, you can limit the disk space that is allocated for it.
Reference: http://technet.microsoft.com/en-us/library/cc770989(v=ws.10).aspx

QUESTION 31
Note: This question is part of a series of questions that use the same set of answer choices. Each answer choice may be used once, more than once, or not at all.

Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2.

You need to configure Server1 to provide central authentication of dial-up, VPN, and wireless connections to the network.

Which server role, role service, or feature should you install?

A. Health Registration Authority (HRA)
B. Routing and Remote Access service (RRAS)
C. Windows Server Update Services (WSUS)
D. Network Load Balancing (NLB)
E. Wireless LAN Service
F. Windows Internal Database
G. Network Policy Server (NPS)
H. File Server Resource Manager (FSRM)
I. Services for Network File System (NFS)
J. Group Policy Management
K. Connection Manager Administration Kit (CMAK)
L. Windows System Resource Manager (WSRM)
M. Simple TCP/IP Services

Correct Answer: G
Section: 70-648 Configuring IP Addressing and Services
Explanation

Explanation/Reference:
Explanation:

You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches.
Reference: http://technet.microsoft.com/en-us/library/cc731321%28v=ws.10%29.aspx

Out-of-Scope

QUESTION 1
Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.

All domain controllers hold the DNS Server server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates.

You need to enable dynamic DNS updates on DC3.

What should you do?

A. Run the ntdsutil.exe DS Behavior command on DC3.
B. Run the dnscmd.exe /ZoneResetType command on DC3.
C. Reinstall Active Directory Domain Services on DC3 as a writable domain controller.
D. Create a custom application directory partition on DC1. Configure the partition to store Active Directory-integrated zones.

Correct Answer: C
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

The problem is that DC3, being an RODC, holds a read-only copy of the DNS zone as well. The scenario requires dynamic DNS updates on DC3, meaning that DC3 must be able to write to the zone. Only a writable domain controller can do that, so DC3 has to be reinstalled as one. (An RODC's DNS server does not refuse updates outright: it answers the client with a referral to a writable DNS server and then asks that server to replicate the single updated record back, but the write itself never happens on the RODC.)

Creating a custom application directory partition for AD-integrated zones would provide an alternative storage location for DNS on DC3, but would still not let DC3 accept updates, since it functions as an RODC (and, by extension, hosts read-only DNS).

dnscmd.exe /ZoneResetType is used to change the zone type of a DNS zone. The zones are already AD-integrated and as such already accept secure dynamic updates on the writable domain controllers.
Reference: http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx

ntdsutil.exe DS Behavior is used to allow or disallow password operations over unsecured (non-SSL/TLS) LDAP connections; it has nothing to do with DNS.
Reference: http://technet.microsoft.com/en-us/library/cc732352%28v=ws.10%29.aspx

QUESTION 2
Your network contains an Active Directory domain named contoso.com. You create a GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com.

When you ping Server1, you discover that the name fails to resolve. You successfully resolve server2.contoso.com.

You need to ensure that you can resolve names by using the GlobalNames zone.

What should you do?

A. From the command prompt, use the netsh tool.
B. From the command prompt, use the dnscmd tool.
C. From DNS Manager, modify the properties of the GlobalNames zone.
D. From DNS Manager, modify the advanced settings of the DNS server.

Correct Answer: B
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

The GlobalNames zone is not available to provide name resolution until GlobalNames zone support is explicitly enabled by using the following command on every authoritative DNS server in the forest:
dnscmd <ServerName> /config /enableglobalnamessupport 1

Reference: http://technet.microsoft.com/en-us/library/cc731744.aspx

netsh has a context for adding and managing the DNS servers in the client's IP configuration, but no new DNS server has been added in this scenario, so there is nothing for netsh to change.

The client resolves server2.contoso.com successfully, so DNS and network connectivity are working and the client's resolver is not the problem. The GlobalNames setting is a per-server registry value that dnscmd writes; it is neither a zone property nor one of the settings on the server's Advanced tab, so neither DNS Manager option enables it.

QUESTION 3
Your company has a main office and a branch office. The network contains an Active Directory domain named contoso.com. The DNS zone for contoso.com is configured as an Active Directory-integrated zone and is replicated to all domain controllers in the domain.

The main office contains a writable domain controller named DC1. The branch office contains a read-only domain controller (RODC) named RODC1. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers.

You uninstall the DNS server role from RODC1.

You need to prevent DNS records from replicating to RODC1.

What should you do?

A. Modify the replication scope for the contoso.com zone.
B. Flush the DNS cache and enable cache locking on RODC1.
C. Configure conditional forwarding for the contoso.com zone.
D. Modify the zone transfer settings for the contoso.com zone.

Correct Answer: A
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

The zone is replicated "to all domain controllers in the domain", which means it is stored in the domain partition itself (the Windows 2000-compatible storage option). Every domain controller replicates that partition, so RODC1 keeps receiving the DNS records even after the DNS Server role is removed. Changing the replication scope to "all DNS servers in this domain" moves the zone into the DomainDnsZones application directory partition, which is only replicated to domain controllers that are enlisted in it as DNS servers; RODC1 no longer is, so the records stop replicating to it.

Zone transfer settings control which secondary servers may pull the zone with AXFR/IXFR. Active Directory replication is not a zone transfer, so those settings have no effect on what RODC1 receives.
Reference: http://technet.microsoft.com/en-us/library/cc739056%28v=ws.10%29.aspx

Conditional forwarding decides which servers a DNS server sends queries for particular domains to. It affects query handling, not which records are stored on RODC1, and RODC1 no longer runs DNS anyway.

DNS caching and cache locking concern a DNS server's resolver cache, not Active Directory replication, so B does not address the problem.

QUESTION 4
Your network contains an Active Directory domain named contoso.com. The domain contains the servers shown in the following table:

The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2003. DNS1 and DNS2 host the contoso.com zone. All client computers run Windows 7 Enterprise.

You need to ensure that all of the names in the contoso.com zone are secured by using DNSSEC.

What should you do first?

A. Change the functional level of the forest.
B. Change the functional level of the domain.
C. Upgrade DC1 to Windows Server 2008 R2.
D. Upgrade DNS1 to Windows Server 2008 R2.

Correct Answer: D
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

"In Windows Server 2003 and Windows Server 2008, DNSSEC is implemented on secondary zones as described in RFC 2535. Because RFC 2535 has been made obsolete by the previously mentioned RFCs [RFC 4033, 4034 and 4035], the Windows Server 2003 and Windows Server 2008 implementations are not interoperable with the Windows Server 2008 R2 or Windows 7 implementation."
(MY NOTE: Because we have Windows 7 clients, we must use the Windows Server 2008 R2 implementation of DNSSEC, which requires us to upgrade DNS1 to R2. Signing a zone happens on the DNS server that hosts it, so DNS1, which hosts the contoso.com zone, is what has to change first; the domain and forest functional levels have no bearing on DNSSEC.)
Reference: http://technet.microsoft.com/en-us/library/ee649205%28v=ws.10%29.aspx

QUESTION 5
Your network contains a single Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 hosts a primary zone for contoso.com. DC2 hosts a secondary zone for contoso.com.

On DC1, you change the zone to an Active Directory-integrated zone and configure the zone to accept secure dynamic updates only.

You need to ensure that DC2 can accept secure dynamic updates to the contoso.com zone.

Which command should you run?

A. dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
B. dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary
C. dnslint.exe /ql
D. repadmin.exe /syncall /force

Correct Answer: B
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

dnscmd.exe dc2.contoso.com /zoneresettype contoso.com /dsprimary
DC2 currently hosts a secondary zone. Secondary zones are read-only copies of a primary zone and cannot accept dynamic updates. For DC2 to accept updates, its copy must become a primary zone, which is precisely what the command above does: the /zoneresettype parameter of dnscmd changes a zone's type, and /dsprimary makes it an Active Directory-integrated primary zone. Once the zone data is stored in Active Directory and replicated between DC1 and DC2, both domain controllers hold a writable copy and either of them can accept secure updates.

dnscmd.exe dc2.contoso.com /createdirectorypartition dns.contoso.com
This command creates a new application directory partition named dns.contoso.com. A partition is only a storage location that zones can later be moved into; creating one does not create a zone and does nothing to DC2's secondary copy of contoso.com, which still cannot accept updates.

repadmin.exe /syncall /force forces DC2 to replicate with all of its partners. This brings the Active Directory database on DC2 up to date, but DC2's zone is still a secondary zone, so clients still cannot submit their updates to DC2 as required.
Reference: http://technet.microsoft.com/en-us/library/cc770963%28v=ws.10%29.aspx

dnslint.exe /ql runs DNS query tests against a list of servers specified in an input file; it diagnoses problems but changes nothing.
Reference: http://support.microsoft.com/kb/321045

QUESTION 6
Your network contains an Active Directory domain named contoso.com. The contoso.com DNS zone is stored in Active Directory. All domain controllers run Windows Server 2008 R2.

You need to identify if all of the DNS records used for Active Directory replication are correctly registered.

What should you do?

A. From the command prompt, use netsh.exe.
B. From the command prompt, use dnslint.exe.
C. From the Active Directory Module for Windows PowerShell, run the Get-ADRootDSE cmdlet.
D. From the Active Directory Module for Windows PowerShell, run the Get-ADDomainController cmdlet.

Correct Answer: B
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

DNSLint is a Microsoft Windows tool that can be used to help diagnose common DNS name resolution issues. It can be targeted to look for specific DNS record sets and ensure that they are consistent across multiple DNS servers. It can also be used to verify that DNS records used specifically for Active Directory replication are correct.
Reference: http://technet.microsoft.com/en-us/library/dd197560.aspx

QUESTION 7
Your network contains a single Active Directory forest. The forest contains two domains named contoso.com and sales.contoso.com. The domain controllers are configured as shown in the following table:

All domain controllers run Windows Server 2008 R2. All zones are configured as Active Directory-integrated zones.

You need to ensure that contoso.com records are available on DC3.

Which command should you run?

A. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
B. dnscmd.exe DC1.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest
C. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /domain
D. dnscmd.exe DC3.contoso.com /ZoneChangeDirectoryPartition contoso.com /forest

Correct Answer: B
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

DC3 is a domain controller in the child domain sales.contoso.com, so it does not replicate the contoso.com domain partition or the DomainDnsZones partition of contoso.com; a zone stored in either of those can never appear on DC3. The zone has to be moved into the forest-wide ForestDnsZones partition, which every DNS server in the forest replicates. The command is run against DC1 because DC1 currently holds the contoso.com zone, and a zone is moved from the server that hosts it.

dnscmd /zonechangedirectorypartition

Changes the directory partition on which the specified zone resides.

Syntax
dnscmd [<ServerName>] /zonechangedirectorypartition <ZoneName> {<NewPartitionName> | <ZoneType>}

(...)

<ZoneType> Specifies the type of directory partition that the zone will be moved to.

/domain Moves the zone to the built-in domain directory partition.

/forest Moves the zone to the built-in forest directory partition.

QUESTION 8
Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008.

All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned.

You need to remove the child domain from the Active Directory forest.

What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)

A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory Domain Services role.
D. Run the dcpromo tool that has individual answer files on each domain controller in the child domain.

Correct Answer: CD
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

To remove the domain, we need to remove AD DS from the domain controllers that host it (also known as "demoting" them). When the last domain controller is demoted, the wizard offers the option to delete the domain because this server is the last domain controller in it, and that is what removes the domain from the forest.

As you should know already, Server Manager and dcpromo each start the same Active Directory Domain Services Installation Wizard that is used for this process; dcpromo with an answer file (/unattend) simply runs it without prompting.

Deleting the computer accounts and the trust does not remove the domain's naming context from the forest; it leaves orphaned domain controller and domain metadata behind that would then have to be cleaned up by hand with ntdsutil metadata cleanup, which is the repair path after a failed demotion, not the supported way to retire a domain.

Stopping the domain controller service does not remove the domain from the forest either; it only means the domain stops answering requests until the service is started again.

QUESTION 9
Your company has a DNS server that has 10 Active Directory integrated zones.

You need to provide copies of the zone files of the DNS server to the security department.

What should you do?

A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.

Correct Answer: C
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

(...)
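The following script is an added example, not part of the original dump or of any Microsoft documentation. It exports every Active Directory-integrated zone on a DNS server with dnscmd /ZoneExport and collects the files in one place. The server name DC1 and the drop folder \\fileserver\dnsexport are assumptions chosen for the example.

```powershell
# Added example (not from the exam dump): export every Active Directory-integrated zone
# on a DNS server to a text zone file and collect the files for the security team.
# Assumptions (made up): the DNS server is DC1 and the drop folder is \\fileserver\dnsexport.
$dnsServer  = 'DC1'
$dropFolder = '\\fileserver\dnsexport'

# dnscmd /EnumZones prints one line per zone; AD-integrated primaries show a Storage
# column of AD-Domain, AD-Forest or AD-Legacy. The cache zone "." and any secondary
# zones are skipped by the pattern.
$zones = dnscmd $dnsServer /EnumZones 2>&1 |
    ForEach-Object { if ($_ -match '^\s*(\S+)\s+Primary\s+AD-') { $Matches[1] } }

# /ZoneExport writes the zone in standard text format; the file always lands in
# %SystemRoot%\System32\dns on the DNS server, never in the current directory.
$exportDir = "\\$dnsServer\admin`$\System32\dns"
foreach ($zone in $zones) {
    $file = "$zone.export.dns"
    $out = dnscmd $dnsServer /ZoneExport $zone $file 2>&1 | Out-String
    if ($out -notmatch 'Command completed successfully') {
        Write-Warning "Export of $zone failed: $out"
        continue
    }
    Copy-Item -Path (Join-Path $exportDir $file) -Destination $dropFolder -Force
    Write-Output "Exported $zone"
}
```

An exported zone file is a complete host inventory of the environment, including every domain controller's SRV records, so the drop folder should be readable only by the people who asked for the export.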

QUESTION 10
Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain.

You need to register the SRV records.

Which command should you run on the new domain controller?

A. Run the netsh interface reset command.
B. Run the ipconfig /flushdns command.
C. Run the dnscmd /EnlistDirectoryPartition command.
D. Run the sc stop netlogon command followed by the sc start netlogon command.

Correct Answer: D
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

The SRV resource records for a domain controller are important in enabling clients to locate the domain controller. The Netlogon service on domain controllers registers this resource record whenever a domain controller is restarted. You can also re-register a domain controller's SRV resource records by restarting this service from the Services branch of Server Manager or by typing net start netlogon. An exam question might ask you how to troubleshoot the nonregistration of SRV resource records.

Reference: MCTS 70-640 Cert Guide: Windows Server 2008 Active Directory, Configuring (Pearson IT Certification, 2010) page 62
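The script below is an added example and is not part of the original dump. It performs the Netlogon restart from the answer, and then checks from the DNS side that the new domain controller actually appears in the SRV records clients use to find it, because a restart that silently fails to register (wrong DNS server in the NIC settings, zone refusing the update) looks exactly like a successful one. The domain contoso.com and the domain controller name DC5 are assumptions chosen for the example.

```powershell
# Added example (not from the exam dump): restart Netlogon on the new DC so it
# re-registers its SRV records, then verify the records from the DNS side.
# Assumptions: the domain is contoso.com and the DC is named DC5 (both made up here).
$domain = 'contoso.com'
$dc     = 'DC5'

# 1. Restart Netlogon. On Windows Server 2008 R2 this can be done with sc.exe (as in
#    the answer), net.exe, or Restart-Service; all three re-trigger registration.
Restart-Service -Name Netlogon -Force

# 2. nltest /dsregdns forces the same registration without a service restart and is
#    the quicker first step when a DC's records have gone missing.
nltest /dsregdns

# 3. Query the SRV records clients use to find a DC and a Kerberos KDC. Windows
#    Server 2008 R2 has no Resolve-DnsName cmdlet, so nslookup is used; each record
#    should list the new DC among its targets ("svr hostname = dc5.contoso.com").
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain"
)
foreach ($name in $srvNames) {
    $out = nslookup -type=SRV $name 2>&1 | Out-String
    if ($out -match "(?i)svr hostname\s*=\s*$dc\.") {
        Write-Output "OK      $name -> $dc"
    } else {
        Write-Output "MISSING $name does not list $dc"
    }
}

# 4. dcdiag's registration test reports exactly which of the DC's records are absent
#    from the zone, which pinpoints the cause when step 3 shows gaps.
dcdiag /test:DNS /DnsRecordRegistration /s:$dc
```

If step 3 still reports the DC as missing after the restart, the usual causes are a DC whose NIC points at a DNS server that is not authoritative for the zone, or a zone set to "secure updates only" that the DC's computer account is not allowed to update; the dcdiag output in step 4 distinguishes the two.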

QUESTION 11
The company has an Active Directory forest with a single domain.

The company needs a distributed application that uses a custom application directory partition named PARDAT.

You need to implement this partition for data replication.

Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution.)

A. dnscmd
B. ntdsutil
C. ipconfig
D. dnsutil
E. All of the above

Correct Answer: AB
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 12
Your network contains an Active Directory forest named contoso.com. The functional level of the forest is Windows Server 2008 R2. The DNS zone for contoso.com is Active Directory-integrated.

You deploy a read-only domain controller (RODC) named RODC1. You install the DNS Server server role on RODC1.

You discover that RODC1 does not have any DNS application directory partitions.

You need to ensure that RODC1 has a copy of the DNS application directory partition of contoso.com.

What should you do? (Each correct answer presents a complete solution. Choose two.)

A. From DNS Manager, right-click RODC1 and click Create Default Application Directory Partitions.
B. Run ntdsutil.exe. From the Partition Management context, run the create nc command.
C. Run dnscmd.exe and specify the /createbuiltindirectorypartitions parameter.
D. Run ntdsutil.exe. From the Partition Management context, run the add nc replica command.
E. Run dnscmd.exe and specify the /enlistdirectorypartition parameter.

Correct Answer: DE
Section: 70-640 Configuring Domain Name System (DNS) for Active Directory
Explanation

Explanation/Reference:
Explanation:

If you install the DNS Server role after the AD DS installation, you must also enlist the RODC in the DNS application directory partitions. The RODC is not enlisted automatically in the DNS application directory partitions by design, because it is a privileged operation. If the RODC were allowed to enlist itself, it would have permissions to add or remove other DNS servers that are enlisted in the application directory partitions.

To enlist a DNS server in a DNS application directory partition:
1. Open an elevated command prompt.
2. At the command prompt, type the following command, and then press ENTER:

dnscmd <ServerName> /EnlistDirectoryPartition <FQDN>

For example, to enlist RODC01 in the domain-wide DNS application directory partition in a domain named child.contoso.com, type the following command:

dnscmd RODC01 /EnlistDirectoryPartition DomainDnsZones.child.contoso.com

You might encounter the following error when you run this command:
Command failed: ERROR_DS_COULDNT_CONTACT_FSMO 8367 0x20AF

If this error appears, use NTDSUTIL to add the RODC as a replica of the partition:

1. ntdsutil
2. partition management
3. connections
4. Connect to a writable domain controller (not an RODC):
connect to server <WritableDC>.child.contoso.com
5. quit
6. To enlist this server in the replication scope for this partition, run the following command:
add nc replica DC=DomainDnsZones,DC=child,DC=contoso,DC=com <rodcServer>.child.contoso.com

Reference: http://technet.microsoft.com/en-us/library/cc742490.aspx
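The script below is an added example, not part of the original dump or of the TechNet article it cites. It runs the two-step procedure above end to end: it first tries dnscmd /EnlistDirectoryPartition, and if that fails with ERROR_DS_COULDNT_CONTACT_FSMO it replays the ntdsutil session non-interactively against a writable domain controller, then checks the result with dnscmd /EnumDirectoryPartitions. The names RODC01.child.contoso.com and DC1.child.contoso.com and the function Get-DnsPartitionState are assumptions introduced for the example.

```powershell
# Added example (not from the exam dump): enlist an RODC's DNS server in the
# domain-wide DNS application directory partition, falling back to ntdsutil when
# dnscmd fails with ERROR_DS_COULDNT_CONTACT_FSMO as described in the text above.
# Assumptions (made up): RODC01 in child.contoso.com, writable DC DC1.child.contoso.com.
$rodc        = 'RODC01.child.contoso.com'
$writableDc  = 'DC1.child.contoso.com'
$partition   = 'DomainDnsZones.child.contoso.com'
$partitionDn = 'DC=DomainDnsZones,DC=child,DC=contoso,DC=com'

function Get-DnsPartitionState {
    # dnscmd /EnumDirectoryPartitions lists each partition the server knows about and
    # whether it is enlisted in it; returns $true when our partition shows as Enlisted.
    param([string]$Server, [string]$Partition)
    $out = dnscmd $Server /EnumDirectoryPartitions 2>&1 | Out-String
    return [bool]($out -match "(?im)^\s*$([regex]::Escape($Partition))\s+Enlisted")
}

if (Get-DnsPartitionState -Server $rodc -Partition $partition) {
    Write-Output "$rodc is already enlisted in $partition"
    return
}

# First attempt: the documented dnscmd command, run against the RODC.
$result = dnscmd $rodc /EnlistDirectoryPartition $partition 2>&1 | Out-String
if ($result -match 'Command completed successfully') {
    Write-Output "Enlisted via dnscmd"
} elseif ($result -match 'ERROR_DS_COULDNT_CONTACT_FSMO') {
    # The RODC cannot perform the privileged enlist itself, so the RODC is added as a
    # replica of the partition from a writable DC. Each argument passed to ntdsutil.exe
    # is one console command, which is how the interactive session from the text is
    # replayed without prompting.
    Write-Output "dnscmd could not contact the FSMO; adding the replica via ntdsutil on $writableDc"
    ntdsutil 'partition management' connections "connect to server $writableDc" quit `
             "add nc replica $partitionDn $rodc" quit quit
} else {
    throw "Unexpected dnscmd output:`n$result"
}

# Verify. The partition only shows up on the RODC once replication has run, so a
# negative result right after the ntdsutil path is not necessarily a failure.
if (Get-DnsPartitionState -Server $rodc -Partition $partition) {
    Write-Output "$rodc is now enlisted in $partition"
} else {
    Write-Output "Not enlisted yet; re-check after replication (repadmin /replsummary $rodc)"
}
```

The ntdsutil path is the one that needs care from a least-privilege standpoint: add nc replica is run with the credentials of whoever launches the script against a writable domain controller, which is exactly the privilege the RODC is deliberately denied, so it belongs in an administrator's session rather than in anything scheduled on the RODC itself.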

QUESTION 13
Your network consists of a single Active Directory domain. User accounts for the engineering department are located in an OU named Engineering.

You need to create a password policy for the engineering department that is different from your domain password policy.

What should you do?

A. Create a new GPO. Link the GPO to the Engineering OU.
B. Create a new GPO. Link the GPO to the domain. Block policy inheritance on all OUs except for the Engineering OU.
C. Create a global security group and add all the user accounts for the engineering department to the group. Create a new Password Settings object (PSO) and apply it to the group.
D. Create a domain local security group and add all the user accounts for the engineering department to the group. From the Active Directory Users and Computers console, select the group and run the Delegation of Control Wizard.

Correct Answer: C
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 14
Your network contains an Active Directory forest. The functional level of the forest is Windows Server 2008 R2.

Your company's corporate security policy states that the password for each user account must be changed at least every 45 days.

You have a user account named Service1. Service1 is used by a network application named Application1. Every 45 days, Application1 fails.

After resetting the password for Service1, Application1 runs properly.

You need to resolve the issue that causes Application1 to fail. The solution must adhere to the corporate security policy.

What should you do?

A. Run the Set-ADAccountControl cmdlet.
B. Run the Set-ADServiceAccount cmdlet.
C. Create a new password policy.
D. Create a new Password Settings object (PSO).

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 15
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows XP Service Pack 3 (SP3) or Windows Vista.

You need to ensure that all client computers can apply Group Policy preferences.

What should you do?

A. Upgrade all Windows XP client computers to Windows 7.
B. Create a central store that contains the Group Policy ADMX files.
C. Install the Group Policy client-side extensions (CSEs) on all client computers.
D. Upgrade all Windows Vista client computers to Windows Vista Service Pack 2 (SP2).

Correct Answer: C
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

The problem is that the Group Policy Preferences client-side extensions are not part of Windows XP or Windows Vista: those clients download the GPO, but they have no component that knows how to process preference items, so the preferences are silently skipped. Windows XP SP3 and Windows Vista are supported clients once the CSEs are installed, so the computers do not have to be upgraded (Windows 7 is the first client that ships with the preferences CSEs built in, which is why an upgrade would also work but is far more than the question asks for).

ADMX files only concern the administrative side: they are the templates the Group Policy editor reads, and a central store for them on SYSVOL changes nothing about what a client can apply. Windows Vista's editor already uses ADMX; only Windows XP's local editor is limited to the older ADM format, and again that affects editing, not applying.

QUESTION 16
You configure and deploy a Group Policy object (GPO) that contains AppLocker settings.

You need to identify whether a specific application file is allowed to run on a computer.

Which Windows PowerShell cmdlet should you use?

A. Get-AppLockerFileInformation
B. Get-GPOReport
C. Get-GPPermissions
D. Test-AppLockerPolicy

Correct Answer: D
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

Test-AppLockerPolicy
Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.

Reference: http://technet.microsoft.com/en-us/library/ee460960.aspx
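The following script is an added example, not part of the original dump or of the cmdlet documentation. It shows how Get-AppLockerFileInformation (option A) and Test-AppLockerPolicy (option D) fit together: the first collects the publisher, hash and path information that rules are matched against, the second evaluates those files against the policy in effect on the computer for a named user. The directory C:\Tools, the file report.exe and the user CONTOSO\jsmith are assumptions chosen for the example.

```powershell
# Added example (not from the exam dump): check which executables in a directory a
# given user would be allowed to run under the AppLocker policy in effect on this
# computer. Assumptions (made up): the directory C:\Tools and the user CONTOSO\jsmith.
Import-Module AppLocker
$directory = 'C:\Tools'
$user      = 'CONTOSO\jsmith'

# -Effective merges the local policy with every AppLocker GPO applied to this computer,
# which is the policy a user actually runs under; -Local would ignore the GPO.
$policy = Get-AppLockerPolicy -Effective

# Get-AppLockerFileInformation gathers the publisher signature, file hash and path that
# the three rule types are evaluated against; Test-AppLockerPolicy then evaluates each
# file against the rule collections for the given user.
$results = Get-AppLockerFileInformation -Directory $directory -Recurse -FileType Exe, Dll, Script |
    Test-AppLockerPolicy -PolicyObject $policy -User $user

# A file with no matching rule is "DeniedByDefault" once its rule collection is
# enforced, so both Denied and DeniedByDefault mean the file will not run.
$blocked = $results | Where-Object {
    $_.PolicyDecision -ne 'Allowed' -and $_.PolicyDecision -ne 'AllowedByDefault'
}

$results | Sort-Object PolicyDecision, FilePath |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

Write-Output ("{0} of {1} files would be blocked for {2}" -f @($blocked).Count, @($results).Count, $user)

# Single-file check, which is what the question asks for: is this one file allowed?
$single = Test-AppLockerPolicy -PolicyObject $policy -Path "$directory\report.exe" -User $user
Write-Output ("report.exe: {0}" -f $single.PolicyDecision)
```

Test-AppLockerPolicy reports what the rules say, not whether the rules are being enforced: a collection left in "Audit only" mode yields the same Denied decisions while the file still runs on the computer, so the enforcement mode of each collection has to be checked separately in the policy.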

QUESTION 17
You create a Password Settings object (PSO).

You need to apply the PSO to a domain user named User1.

What should you do?

A. Modify the properties of the PSO.
B. Modify the account options of the User1 account.
C. Modify the security settings of the User1 account.
D. Modify the password policy of the Default Domain Policy Group Policy object (GPO).

Correct Answer: A
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 18
You need to create a Password Settings object (PSO).

Which tool should you use?

A. Active Directory Users and Computers
B. ADSI Edit
C. Group Policy Management Console
D. ntdsutil

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 19
Your network contains an Active Directory domain. The domain contains several domain controllers. All domain controllers run Windows Server 2008 R2.

You need to restore the Default Domain Controllers Policy Group Policy object (GPO) to the Windows Server 2008 R2 default settings.

What should you do?

A. Run dcgpofix.exe /target:dc.
B. Run dcgpofix.exe /target:domain.
C. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /sync.
D. Delete the link for the Default Domain Controllers Policy, and then run gpupdate.exe /force.

Correct Answer: A
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 20
Your network consists of a single Active Directory domain. The functional level of the forest is Windows Server 2008 R2.

You need to create multiple password policies for users in your domain.

What should you do?

A. From the Active Directory Schema snap-in, create multiple class schema objects.
B. From the ADSI Edit snap-in, create multiple Password Settings objects.
C. From the Security Configuration Wizard, create multiple security policies.
D. From the Group Policy Management snap-in, create multiple Group Policy objects.

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

PSOs (Password Settings objects) are created with ADSI Edit and allow us to manage fine-grained password policies for needs that the Default Domain Policy does not fit. Password settings in a GPO only take effect when the GPO is linked at the domain level, so multiple GPOs cannot produce multiple password policies; fine-grained password policy requires the Windows Server 2008 domain functional level, which the scenario satisfies.
Reference: http://technet.microsoft.com/en-US/library/cc754461.aspx

The Security Configuration Wizard reduces the attack surface of a server by disabling the services, ports and features that the roles it performs do not need; it does not create password policies.
Reference: http://technet.microsoft.com/en-us/library/cc754997.aspx
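The script below is an added example, not part of the original dump, and it covers Questions 13, 17, 18 and 20 at once: it creates a PSO for the engineering department, applies it to a global security group, and checks which policy a user ends up with. It uses the Active Directory module cmdlets that Windows Server 2008 R2 ships alongside ADSI Edit, since the attributes they set are the same ones ADSI Edit exposes (the group membership list on the PSO is the msDS-PSOAppliesTo attribute, which is the "modify the properties of the PSO" step of Question 17). The names PSO-Engineering, Engineering-Users, jsmith and the OU path are assumptions chosen for the example.

```powershell
# Added example (not from the exam dump): create a fine-grained password policy for
# the engineering department with the Active Directory module rather than ADSI Edit,
# apply it to a global group, and verify which policy wins for a user.
# Assumptions (made up): group Engineering-Users, user jsmith, domain contoso.com.
Import-Module ActiveDirectory
$psoName  = 'PSO-Engineering'
$group    = 'Engineering-Users'
$testUser = 'jsmith'

# PSOs can only be applied to users and global security groups, so the membership
# holder must be a global group (the domain local group in Question 13 option D cannot be used).
if (-not (Get-ADGroup -Filter { Name -eq $group })) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Path 'OU=Engineering,DC=contoso,DC=com'
}

# Precedence decides which PSO applies when a user falls under several: the lower
# number wins, and a PSO linked directly to the user beats any group-linked PSO.
# Every setting the Default Domain Policy carries must be given here; there is no
# inheritance from the domain policy.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '45.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'Engineering department password policy'

# Apply the PSO to the group: this writes the msDS-PSOAppliesTo attribute of the PSO,
# which is the property ADSI Edit would be used to edit.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Resultant policy: resolves precedence and direct-versus-group application for one
# user, and returns nothing when only the Default Domain Policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($effective) {
    Write-Output ("{0} gets PSO '{1}' (min length {2}, max age {3})" -f `
        $testUser, $effective.Name, $effective.MinPasswordLength, $effective.MaxPasswordAge)
} else {
    Write-Output "$testUser is governed by the Default Domain Policy only"
}
```

Get-ADUserResultantPasswordPolicy is the check worth keeping around: because precedence and direct links interact, the only reliable way to know what a given account is held to is to ask the directory rather than to read the PSO list.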

QUESTION 21
Your company has a main office and 50 branch offices. Each office contains multiple subnets.

You need to automate the creation of Active Directory subnet objects.

What should you use?

A. the dsadd tool
B. the netsh tool
C. the New-ADObject cmdlet
D. the New-Object cmdlet

Correct Answer: C
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 22
Your network contains an Active Directory forest.

You set the Windows PowerShell execution policy to allow unsigned scripts on a domain controller in the network. You create a Windows PowerShell script named new-users.ps1 that contains the following lines:

new-aduser user1
new-aduser user2
new-aduser user3
new-aduser user4
new-aduser user5

On the domain controller, you double-click the script and the script runs. You discover that the script fails to create the user accounts.

You need to ensure that the script creates the user accounts.

Which cmdlet should you add to the script?

A. Import-Module

B. Register-ObjectEvent

C. Set-ADDomain

D. Set-ADUser

Correct Answer: A
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

(...)

QUESTION 23
Your network contains an Active Directory forest. The forest schema contains a custom attribute for user objects.

You need to give the human resources department a file that contains the last logon time and the custom attribute values for each user in the forest.

Which should you use?

A. the dsquery tool

B. the Export-CSV cmdlet

C. the Get-ADUser cmdlet

D. the net.exe user command

Correct Answer: C
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

(...)


QUESTION 24
You need to back up all of the group policies in a domain. The solution must minimize the size of the backup.

What should you use?

A. the Add-WBSystemState cmdlet

B. the Group Policy Management console

C. the wbadmin tool

D. the Windows Server Backup feature

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

(...)

QUESTION 25
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003.

You upgrade all domain controllers to Windows Server 2008 R2. You need to ensure that the Sysvol share replicates by using DFS Replication (DFS-R).

What should you do?

A. From the command prompt, run netdom /reset.

B. From the command prompt, run dfsutil /addroot:sysvol.

C. Raise the functional level of the domain to Windows Server 2008 R2.

D. From the command prompt, run dcpromo /unattend:unattendfile.xml.

Correct Answer: C
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

(...)

QUESTION 26
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008. The functional level of the domain is Windows Server 2003. All client computers run Windows 7. You install Windows Server 2008 R2 on a server named Server1.

You need to perform an offline domain join of Server1.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. From Server1, run djoin.exe.

B. From Server1, run netdom.exe.

C. From a Windows 7 computer, run djoin.exe.

D. Upgrade one domain controller to Windows Server 2008 R2.

E. Raise the functional level of the domain to Windows Server 2008.


Correct Answer: AC
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

(...)

QUESTION 27
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.

The Audit account management policy setting and Audit directory services access setting are enabled for the entire domain.

You need to ensure that changes made to Active Directory objects can be logged. The logged changes must include the old and new values of any attributes.

What should you do?

A. Enable the Audit Account Management policy in the Default Domain Controller Policy.

B. Run auditpol.exe and then configure the Security settings of the Domain Controllers OU.

C. Run auditpol.exe and then enable the Audit Directory Service Access setting in the Default Domain policy.

D. From the Default Domain Controllers policy, enable the Audit Directory Service Access setting and Audit Directory Service Changes setting.

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

auditpol.exe is used to set and manipulate group policy, so this is the application we need to run to enforce the policies that have been already configured in the scenario.

The scenario specifies that 'Audit directory service access' and 'Audit account management' are already enabled for the entire domain (which would include the domain controllers). This means there is not only no need to perform the other options listed, but they would not apply the policy.

QUESTION 28
Your company has an Active Directory forest that contains only Windows Server 2008 domain controllers.

You need to prepare the Active Directory domain to install Windows Server 2008 R2 domain controllers.

Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Run the adprep /forestprep command.

B. Run the adprep /domainprep command.

C. Raise the forest functional level to Windows Server 2008.

D. Raise the domain functional level to Windows Server 2008.

Correct Answer: AB
Section: 70-640 Configuring the Active Directory Infrastructure


Explanation/Reference:

(...)

QUESTION 29
Your company has a single Active Directory domain. All domain controllers run Windows Server 2003. You install Windows Server 2008 R2 on a server.

You need to add the new server as a domain controller in your domain.

What should you do first?

A. On the new server, run dcpromo /adv.

B. On the new server, run dcpromo /createdcaccount.

C. On a domain controller, run adprep /rodcprep.

D. On a domain controller, run adprep /forestprep.

Correct Answer: D
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

We are creating our first 2008 R2 domain controller on the network, so we need to prepare the forest for the 2008 R2 AD schema.

dcpromo is indeed used to add a new domain controller to a domain, but since all current DCs run 2003, the forest schema will not be able to support a 2008 R2 DC.

The scenario does not mention that an RODC is being installed, and even if so we would need to prep the forest with the new schema first.

QUESTION 30
You have a Windows PowerShell script that contains the following code:

import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword $_.password}

When you run the script, you receive an error message indicating that the format of the password is incorrect. The script fails.

You need to run a script that successfully creates the user accounts by using the password contained in accounts.csv.

Which script should you run?

A. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString "Password" -AsPlainText -force)}

B. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -force)}

C. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString "Password")}

D. import-csv Accounts.csv | Foreach {New-ADUser -Name $_.Name -Enabled $true -AccountPassword (Read-Host -AsSecureString $_.Password)}


Correct Answer: B
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

(...)

QUESTION 31
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. Client computers run either Windows 7 or Windows Vista Service Pack 2 (SP2).

You need to audit user access to the administrative shares on the client computers.

What should you do?

A. Deploy a logon script that runs icacls.exe.

B. Deploy a logon script that runs auditpol.exe.

C. From the Default Domain Policy, modify the Advanced Audit Policy Configuration.

D. From the Default Domain Controllers Policy, modify the Advanced Audit Policy Configuration.

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

(...)

QUESTION 32
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. You deploy a new server that runs Windows Server 2008 R2. The server is not connected to the internal network.

You need to ensure that the new server is already joined to the domain when it first connects to the internal network.

What should you do?

A. From a domain controller, run sysprep.exe and specify the /oobe parameter. From the new server, run sysprep.exe and specify the /generalize parameter.

B. From a domain controller, run sysprep.exe and specify the /generalize parameter. From the new server, run sysprep.exe and specify the /oobe parameter.

C. From a domain-joined computer, run djoin.exe and specify the /provision parameter. From the new server, run djoin.exe and specify the /requestodj parameter.

D. From a domain-joined computer, run djoin.exe and specify the /requestodj parameter. From the new server, run djoin.exe and specify the /provision parameter.

Correct Answer: C
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

(...)


QUESTION 33
Your company has an Active Directory forest that contains Windows Server 2008 R2 domain controllers and DNS servers. All client computers run Windows XP SP3.

You need to use your client computers to edit domain-based GPOs by using the ADMX files that are stored in the ADMX central store.

What should you do?

A. Add your account to the Domain Admins group.

B. Upgrade your client computers to Windows 7.

C. Install .NET Framework 3.0 on your client computers.

D. Create a folder on PDC emulator for the domain in the PolicyDefinitions path. Copy the ADMX files to the PolicyDefinitions folder.

Correct Answer: B
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

(...)

QUESTION 34
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The functional level of the domain is Windows Server 2008 R2. The functional level of the forest is Windows Server 2008.

You have a member server named Server1 that runs Windows Server 2008.

You need to ensure that you can add Server1 to contoso.com as a domain controller.

What should you run before you promote Server1?

A. dcpromo.exe /CreateDCAccount

B. dcpromo.exe /ReplicaOrNewDomain:replica

C. Set-ADDomainMode -Identity contoso.com -DomainMode Windows2008Domain

D. Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Correct Answer: C
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

(...)

QUESTION 35
Your network contains an Active Directory domain. The domain contains a group named Group1. The minimum password length for the domain is set to six characters.

You need to ensure that the passwords for all users in Group1 are at least 10 characters long. All other users must be able to use passwords that are six characters long.


What should you do first?

A. Run the New-ADFineGrainedPasswordPolicy cmdlet.

B. Run the Add-ADFineGrainedPasswordPolicySubject cmdlet.

C. From the Default Domain Policy, modify the password policy.

D. From the Default Domain Controller Policy, modify the password policy.

Correct Answer: A
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

To create a different password policy for users in Group1, we first need to create a fine-grained password policy object. This is achieved with the New-ADFineGrainedPasswordPolicy cmdlet.

After the policy is set up, we will then be able to apply that policy to Group1. This would be done with the Add-ADFineGrainedPasswordPolicySubject cmdlet.

Modifying the password policy will affect the passwords for all users in the domain, not just those in Group1.

QUESTION 36
Your network contains an Active Directory domain. All domain controllers run Windows Server 2003.

You replace all domain controllers with domain controllers that run Windows Server 2008 R2. You raise the functional level of the domain to Windows Server 2008 R2.

You need to minimize the amount of SYSVOL replication traffic on the network.

What should you do?

A. Raise the functional level of the forest to Windows Server 2008 R2.

B. Modify the path of the SYSVOL folder on all of the domain controllers.

C. On a global catalog server, run repadmin.exe and specify the KCC parameter.

D. On the domain controller that holds the primary domain controller (PDC) emulator FSMO role, run dfsrmig.exe.

Correct Answer: D
Section: 70-640 Configuring the Active Directory Infrastructure

Explanation/Reference:

Now that the domain controllers have been upgraded to Windows Server 2008 R2 and the domain functional level has been upgraded to Windows Server 2008 R2, we can use DFS Replication for replicating SYSVOL instead of the File Replication Service (FRS) of previous Windows Server versions. The migration takes place on a domain controller holding the PDC Emulator role.

QUESTION 37
Your network contains an Active Directory forest named contoso.com.

The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days.

You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days.

Which tool should you use to create these accounts?

To answer, select the appropriate tool in the answer area.

Point and Shoot:

Correct Answer:

Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

Use the Active Directory module for Windows PowerShell to create a managed service account.
Reference: http://technet.microsoft.com/en-us/library/dd391964.aspx


QUESTION 38
Your network contains an Active Directory forest named contoso.com. The forest contains four computers. The computers are configured as shown in the following table.

An administrator creates a script that contains the following commands:

auditpol /get /sd
auditpol /list /user
auditpol /resourceSACL /type:File /clear
auditpol /remove /user:{S-1-5-21-397123417-1234567}

You need to identify which computers can successfully run all of the commands in the script.

Which two computers should you identify? (Each correct answer presents part of the solution. Choose two.)

A. Computer1

B. Server1

C. Computer2

D. Server2

Correct Answer: CD
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

auditpol /resourceSACL applies only to Windows 7 and Windows Server 2008 R2. So only these computers can run all of the commands in the script.

Reference: http://technet.microsoft.com/en-us/library/ff625687.aspx

QUESTION 39
Your network contains an Active Directory domain named contoso.com.

You need to create one password policy for administrators and another password policy for all other users.

Which tool should you use?

A. ntdsutil

B. Active Directory Users and Computers

C. ADSI Edit

D. Group Policy Management Console (GPMC)

Correct Answer: C
Section: 70-642 Creating and Maintaining Active Directory Objects


Explanation/Reference:

To create a PSO using ADSI Edit:
1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
4. Double-click the domain.
5. Double-click DC=<domain_name>.
6. Double-click CN=System.
7. Click CN=Password Settings Container. All the PSO objects that have been created in the selected domain appear.
8. Right-click CN=Password Settings Container, click New, and then click Object.
9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
10. In Value, type the name of the new PSO, and then click Next.
11. Continue with the wizard, and enter appropriate values for all mustHave attributes.

Reference: http://technet.microsoft.com/en-US/library/cc754461.aspx

QUESTION 40
Your network contains an Active Directory domain named contoso.com. The functional level of the forest is Windows Server 2008 R2.

The Default Domain Controller Policy Group Policy object (GPO) contains audit policy settings.

On a domain controller named DC1, an administrator configures the Advanced Audit Policy Configuration settings by using a local GPO.

You need to identify what will be audited on DC1.

Which tool should you use?

A. Get-ADObject

B. secedit

C. Security Configuration and Analysis

D. auditpol

Correct Answer: D
Section: 70-642 Creating and Maintaining Active Directory Objects

Explanation/Reference:

auditpol get: Retrieves the system policy, per-user policy, auditing options, and audit security descriptor object.

Reference: http://technet.microsoft.com/en-us/library/cc772576.aspx

QUESTION 41
You remotely monitor several domain controllers.

You run winrm.exe quickconfig on each domain controller.

You need to create a WMI script query to retrieve information from the bios of each domain controller.

Which format should you use to write the query?


A. XrML

B. XML

C. WQL

D. HTML

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:

(...)

QUESTION 42
Your network contains 10 domain controllers that run Windows Server 2008 R2. The network contains a member server that is configured to collect all of the events that occur on the domain controllers.

You need to ensure that administrators are notified when a specific event occurs on any of the domain controllers. You want to achieve the goal by using the minimum amount of effort.

What should you do?

A. From Event Viewer on the member server, create a subscription.

B. From Event Viewer on each domain controller, create a subscription.

C. From Event Viewer on the member server, run the Create Basic Task Wizard.

D. From Event Viewer on each domain controller, run the Create Basic Task Wizard.

Correct Answer: C
Section: 70-648 Monitoring and Managing A Network Infrastructure

Explanation/Reference:

In order to have notifications sent when specific events occur, we need to create a Task on the Event Log. This is done through Event Viewer. Because the scenario states there is a member server that is collecting event logs, we need to run the Create Basic Task Wizard from that member server rather than the domain controllers.

Event subscriptions are used to forward event logs to a centralized management computer. This does not provide any kind of notification of events to individual users, and the scenario indicates a member server has already been configured for this as well.

QUESTION 43
Your company has 10 servers that run Windows Server 2008 R2. The servers have Remote Desktop Protocol (RDP) enabled for server administration.

RDP is configured to use default security settings. All administrators' computers run Windows 7.

You need to ensure the RDP connections are as secure as possible.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Set the security layer for each server to the RDP Security Layer.

B. Configure the firewall on each server to block port 3389.


C. Acquire user certificates from the internal certification authority.

D. Configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication.

Correct Answer: CD
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 44
Your company has a server named Server1 that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on Server1.

Server1 fails. You install a new server named Server2 that runs Windows Server 2008 R2. You need to restore the company's Windows SharePoint Services (WSS) site to Server2.

What should you do?

A. Use wbadmin to restore the system state from backup.

B. Run wbadmin with the Get Versions option. Install WSS.

C. Run wbadmin with the Start Recovery option. Install WSS.

D. Use wbadmin to restore the application and the sites from backup.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 45
Your network contains a server that runs Windows Server 2008 R2. Windows BitLocker Drive Encryption (BitLocker) is enabled for all drives.

You need to perform a bare metal recovery of the server.

What should you do first?

A. From the BIOS, disable the Trusted Platform Module.

B. From the BIOS, disable the processor's No Execute feature.

C. Start the computer in Safe Mode.

D. Start the computer from the Windows Server 2008 R2 installation media.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)


QUESTION 46
Your network contains two servers named Server1 and Server2. Server1 runs Windows Server 2008 R2. Server2 runs Windows Server 2008.

You need to ensure that you can initiate a full server backup of Server2 from Server1.

What should you do?

A. Install Windows Server Backup on Server2.

B. Upgrade Server2 to Windows Server 2008 R2.

C. Add an exception to Windows Firewall on Server2.

D. Add your user account to the Backup Operators group on Server2.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

Windows Server Backup supports operations on a remote computer via the snap-in, without the need to configure firewall rules. However, this option (Connect To Another Computer) of the snap-in is only available on Server 2008 R2, so we must upgrade Server2.

You do not need to add your user account to the Backup Operators group on Server2. Only network access and general permissions to the server are required.

You would not install WSB on Server2 because you want to complete the backup from Server1. This is completely possible without Server2 having the WSB software.

QUESTION 47
Your network contains a server that runs Windows Server 2008 R2.

You need to schedule backups of the server. The solution must ensure that multiple versions of the backup are available.

Which two possible backup locations should you use? (Each correct answer presents a complete solution. Choose two.)

A. external hard disk

B. internal hard disk

C. optical media

D. remote shared folder

Correct Answer: AB
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 48
Your network contains a server named Server1 that runs Windows Server 2008 R2. The disks on Server1 are configured as shown in the following table.


You run the Backup Once wizard and discover that the option for Full Server backup is unavailable.

You need to ensure that you can run a full server backup of Server1.

What should you do?

A. Take Disk 1 offline.

B. Take Disk 2 offline.

C. Run the Set-WBPolicy cmdlet.

D. Run Windows Server Backup as an Administrator.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 49
You manage a server that runs Windows Server 2008 R2. The D:\Payroll folder is corrupted. The most recent backup version is 10/29/2007-09:00.

You need to restore all the files in the D:\Payroll folder back to the most recent backup version without affecting other folders on the server.

What should you do on the server?

A. Run the recover d:\payroll command.

B. Run the wbadmin restore catalog -backuptarget:D: -version:10/29/2007-09:00 quiet command.

C. Run the wbadmin start recovery -backuptarget:D: -version:10/29/2007-09:00 overwrite Quiet command.

D. Run the wbadmin start recovery -version:10/29/2007-09:00 -itemType:File -items:d:\Payroll -overwrite -recursive quiet command.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)


QUESTION 50
Your network contains a server named Server1 that runs Windows Server 2008 R2.

You need to configure scheduled backups on Server1 to meet the following requirements:
- Maintain 60 days of backups.
- Minimize the performance impact on Server1 while a backup is running.

What should you do?

A. From Windows PowerShell, run the New-WBPolicy cmdlet.

B. From Windows PowerShell, run the Set-WBVssBackupOptions cmdlet.

C. From the Backup Schedule Wizard, click the Backup to a volume option.

D. From the Backup Schedule Wizard, click the Backup to hard disk that is dedicated for backups (recommended) option.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 51
Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2003. The domain contains five domain controllers that run Windows Server 2008 and five domain controllers that run Windows Server 2008 R2.

You need to ensure that SYSVOL is replicated by using Distributed File System Replication (DFSR).

What should you do first?

A. Run dfsrdiag.exe PollAD.

B. Run dfsrmig.exe /SetGlobalState 0.

C. Upgrade all domain controllers to Windows Server 2008 R2.

D. Raise the functional level of the domain to Windows Server 2008.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 52
Your company has a main office and one branch office. The main office has a print server named Printer1. The branch office has a print server named Printer2.

Printer1 manages 15 printers and Printer2 manages seven printers.

You add Printer2 to the Print Management console on Printer1. You need to send an automatic notification when a printer is not available.

What should you do?


A. Configure an e-mail notification for the Printers With Jobs printer filter.

B. Configure an e-mail notification for the Printers Not Ready printer filter.

C. Enable the Show informational notifications for local printers option on both print servers.

D. Enable the Show informational notifications for network printers option on both print servers.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 53
Your network contains a print server named Server1. Server1 has three shared printers named Printer1, Printer2, and Printer3. Each shared printer uses a different driver.

You need to ensure that if Printer1 causes an exception, users can still print to Printer2 and Printer3.

What should you do?

A. Add a Driver filter.

B. Add a Printer filter.

C. Modify the Print Processor options.

D. Modify the Driver Isolation settings.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 54
Your network contains an Active Directory domain. The domain contains a print server named Server1. Server1 runs Windows Server 2008 R2.

You need to ensure that users can locate all shared printers on Server1 by using Active Directory.

What should you do from Server1?

A. Run the pubprn.vbs script.

B. Run dism.exe.

C. Run the Set-ADObject cmdlet.

D. Modify the Print Server properties.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:


(...)

QUESTION 55
Your company has a server named FS1. FS1 hosts the domain-based DFS namespace named \\contoso.com\dfs. All domain users store their data in subfolders within the DFS namespace.

You need to prevent all users, except administrators, from creating new folders or new files at the root of the \\contoso.com\dfs share.

What should you do?

A. Run the dfscmd.exe \\FS1\dfs /restore command on FS1.

B. Configure the NTFS permissions for the C:\DFSroots\dfs folder on FS1. Set the Create folders/append data special permission to Deny for the Authenticated Users group. Set the Full Control permission to Allow for the Administrators group.

C. Start the Delegate Management Permissions Wizard for the DFS namespace named \\contoso.com\dfs. Remove all groups that have the permission type Explicit except the Administrators group.

D. Configure the \\FS1\dfs shared folder permissions. Set the permissions for the Authenticated Users group to Reader. Set the permissions for the Administrators group to Co-owner.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:

(...)

QUESTION 56
Your network contains a single Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Server1 and Server2 are namespace servers for the \\contoso.com\DFS1 namespace.

You need to ensure that users only connect to the \\contoso.com\DFS1 namespace on Server1 if Server2 isunavailable.

How should you configure the \\contoso.com\DFS1 namespace?

A. From the properties of the \\contoso.com\DFS1 namespace, modify the referrals settings.

B. From the properties of the \\contoso.com\DFS1 namespace, modify the advanced settings.

C. From the properties of the \\SERVER1\DFS1 namespace servers entry, modify the advanced settings.

D. From the properties of the \\SERVER2\DFS1 namespace servers entry, modify the advanced settings.

Correct Answer: DSection: 70-642 Configuring File and Print ServicesExplanation

Explanation/Reference:Explanation:

(...)

QUESTION 57
Your network contains a domain-based namespace named DFS1. DFS1 has Windows 2008 Server mode enabled.


You need to ensure that only files and folders in DFS1 that users have permissions to access are displayed.

What should you do?

A. Disable referrals.

B. Modify the system access control list.

C. Enable Access-Based Enumeration (ABE).

D. Modify the discretionary access control list.

Correct Answer: C
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 58
Your company has a main office and a branch office. The network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is located in the main office. Server2 is located in the branch office.

You have a domain-based namespace named \\contoso.com\DFS1. Server1 is configured as the namespace server for \\contoso.com\DFS1.

\\contoso.com\DFS1 has a folder named Folder1. The folder targets for Folder1 are \\Server1\Folder1 and \\Server2\Folder1.

Users in the main office report that they view different content in Folder1 than users in the branch office. You need to ensure that the content in Folder1 is identical for all of the users.

What should you do?

A. Create a new Replication Group.

B. Configure Server2 as a namespace server.

C. From Server2, run dfsutil.exe cache domain.

D. From Server2, run dfsutil.exe root forcesync \\contoso.com\DFS1.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

The fact that Server2 is not serving the same files as Server1 indicates that DFS Replication is not configured between the two folder targets. A namespace only points clients at targets; it does not copy data between them.

A replication group is a set of servers, known as members, that participates in the replication of one or more replicated folders.
Reference: http://technet.microsoft.com/en-us/library/cc759803%28v=ws.10%29.aspx

dfsutil.exe root forcesync \\contoso.com\DFS1 forces a namespace server to refresh its copy of the namespace metadata from Active Directory. It does nothing to the contents of the folder targets, which would already be in sync if replication were configured.


dfsutil.exe cache domain will display or flush the DFS domain cache.

Server2 does not need to be configured as a namespace server.

QUESTION 59
Your network contains a Distributed File System (DFS) target folder named Folder1 that contains 100 GB of data. You plan to create a new DFS replica of Folder1 on a server named Server2.

You need to prestage the data in Folder1 on Server2. The solution must ensure that the amount of initial DFS replication traffic is minimized.

Which tool should you use to prestage the Folder1 data?

A. dfscmd

B. dfsrmig

C. dfsutil

D. wbadmin

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

The hashes of prestaged data are affected by the following:
- Permissions
- Audit properties
- Inheritance
- The copy tool, such as Robocopy.exe or Xcopy.exe, that is used

Because the possible combinations of these factors are so wide and varied, predicting the success of prestaging operations is very difficult. However, the Backup program in Windows Server is a reliable mechanism to prestage data.

Reference: http://support.microsoft.com/kb/947726

QUESTION 60
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\DFS1.

You have two servers named Server1 and Server2 that are configured as namespace servers for \\contoso.com\DFS1.

You need to verify that the DFS namespace replicates successfully between Server1 and Server2.

Which tool should you use?

A. dfscmd

B. dfsdiag

C. dfsrdiag

D. dfsutil

Correct Answer: B
Section: 70-642 Configuring File and Print Services


Explanation/Reference:
Explanation:

(...)

QUESTION 61
Your company has a domain with multiple sites. You have a domain-based DFS namespace called \\contoso.com\Management. The \\contoso.com\Management namespace hierarchy is updated frequently.

You need to configure the \\contoso.com\Management namespace to reduce the workload of the PDC emulator.

What should you do?

A. Enable the Optimize for scalability option.

B. Enable the Optimize for consistency option.

C. Set the Ordering method option to Lowest cost.

D. Set the Ordering method option to Random order.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

"Choose Optimize for consistency if there are 16 or fewer namespace servers hosting the namespace." "Choose Optimize for scalability if there are more than 16 namespace servers. This reduces the load on the Primary Domain Controller (PDC) Emulator."
Reference: http://technet.microsoft.com/en-us/library/cc732193.aspx

With Optimize for scalability, each namespace server polls its closest domain controller for namespace changes instead of polling the PDC emulator, which is what takes the PDC emulator out of the hot path when the hierarchy changes often. The trade-off is consistency: a change can take longer to reach every namespace server, because it must first replicate to the domain controller that server polls.

A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.

Targets on the client's site are always listed first in a referral. Targets outside of the client's site are listed according to the ordering method.
Reference: http://technet.microsoft.com/en-us/library/cc732414.aspx

MY NOTE: So the ordering method tells us which offsite clients to use as a namespace target. Randomizing this would randomize hits to the different namespace servers and possibly reduce some load on the PDC, but clearly is not the recommended method for large amounts of namespace servers.

QUESTION 62
Your network contains a server that runs Windows Server 2008 R2.

You need to enable access-based enumeration (ABE) on a shared folder.

Which console should you use?

A. Disk Management

B. File Server Resource Manager

C. Share and Storage Management

D. Storage Explorer


Correct Answer: C
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

ABE is a feature for shared folders that prevents users from seeing folders they do not have access to.

Share and Storage Management provides a central location for you to manage shared resources, such as folders and volumes, as well as storage resources.
Reference: http://technet.microsoft.com/en-us/library/cc731574.aspx

We do not need to manage quotas, file screens or reports, so FSRM is not the right tool.

File Server Resource Manager is a suite of tools for Windows Server 2008 that allows administrators to understand, control, and manage the quantity and type of data that is stored on their servers. By using File Server Resource Manager, administrators can place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports.
Reference: http://technet.microsoft.com/en-us/library/cc732431.aspx

Storage Explorer is used for viewing fabrics in a SAN.

Disk Management is used to configure hard disk volumes and partitions and defragment hard disks.

QUESTION 63
Your network contains a server named Server1. Server1 is configured as a BranchCache server. The cache is located at D:\Branchcache.

You need to remove all existing files and hashes from the cache.

Which command should you run?

A. hashgen.exe d

B. branchcache

C. net.exe stop PeerDistSvc & net.exe start PeerDistSvc

D. netsh.exe branchcache flush

E. rd.exe d:\branchcache /s /q

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

netsh branchcache flush deletes the contents of the local cache, data and hashes alike, through the BranchCache service itself. Stopping and restarting the service (PeerDistSvc) leaves the on-disk cache in place, deleting the cache directory by hand works underneath a service that still believes the cache exists, and hashgen generates hashes rather than removing them.

QUESTION 64
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is located in a branch office.

You view the BranchCache configuration of Server1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that client computers in the branch office retrieve cached files from Server1 only.

What should you do on Server1?


Exhibit:

A. Install the BranchCache for Network Files role service.

B. Install the Services for Network File System role service.

C. Run netsh.exe branchcache set service mode=DISTRIBUTED.

D. Run netsh.exe branchcache set service mode=HOSTEDSERVER.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 65Your network contains the servers shown in the following table.


Office1 and Office2 connect to each other by using a WAN link. Users in Office2 frequently access the same set of files stored in Data1.

You need to reduce the amount of file transfer traffic across the WAN link.

What should you add to Server1?

A. the Background Intelligent Transfer Service (BITS) feature

B. the BranchCache feature

C. the BranchCache For Network Files role service

D. the Distributed File System (DFS) role service

Correct Answer: C
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

In general, BranchCache caches file content in the branch office to reduce WAN traffic. Because Data1 is an SMB file share on Server1, the content server needs the BranchCache for Network Files role service (part of the File Services role), not the stand-alone BranchCache feature, which is what a hosted cache server or a web/BITS content server installs.

BITS is a background transfer service (used by Windows Update among others); it does not cache file-share content.

DFS Replication could keep a second copy of Data1 on a server in Office2, but that is another replica to manage rather than a cache, and it is not what the question asks you to add to Server1.

QUESTION 66
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is located in a branch office.

You discover that users cannot obtain cached documents from Server1. The BranchCache configuration on Server1 is shown in the exhibit. (Click the Exhibit button.)

You need to ensure that Server1 hosts cached content for client computers in the branch office.

What should you do?

Exhibit:


A. Enable Peer Discovery firewall rules.

B. Set the Startup Type of the BranchCache service to Automatic, and then start the service.

C. At the command prompt, run netsh.exe branchcache set service mode=DISTRIBUTED.

D. At the command prompt, run netsh.exe branchcache set service mode=HOSTEDCLIENT.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 67
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has Microsoft Exchange Server 2010 deployed.

You schedule a backup of the server. You discover that the Exchange Server 2010 transaction log files are purged during the backup.

You need to prevent the Exchange Server 2010 transaction log files from being purged.

What should you do?

A. From the properties of the backup, add an exclusion.


B. From the properties of the backup, modify the VSS settings.

C. From Windows PowerShell, run the New-WBFileSpec cmdlet.

D. From Windows PowerShell, run the New-WBBackupTarget cmdlet.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

So, when you do a VSS full backup, you create a backup of all the files, but after that the backup application may truncate logs on the file system.

On the other hand, when you do a VSS copy backup, all files are backed up and all of the application's files, including log files, are preserved on the live system.

Reference: http://blogs.technet.com/b/filecab/archive/2008/05/21/what-is-the-difference-between-vss-full-backup-and-vss-copy-backup-in-windows-server-2008.aspx

MY NOTE: Basically, to purge (truncate) logs from a backup, we have to do a VSS full backup. This option is available from the properties of the backup job, under VSS settings.

WRONG ANSWERS

...

QUESTION 68
Your network contains a file server that runs Windows Server 2008 R2. The server has File Server Resource Manager (FSRM) installed.

A file screen is created for a folder named Data. Data is located on the C drive. The file screen is configured to block files contained in the Audio and Video file group.

You need to allow users in the sales department to upload video files to C:\Data\Sales.

What should you do?

A. Create a file screen exception.

B. Modify the Audio and Video file group.

C. Implement an active file screen on C:\Data\Sales.

D. Implement a passive file screen on C:\Data\Sales.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 69
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the File Services role installed.


You configure a file classification rule. You discover that scanned documents stored as JPG files are not being classified.

You need to ensure that all file classification rules apply to scanned documents.

What should you do?

A. Enable the Windows TIFF IFilter feature.

B. Modify the properties of the file classification rule.

C. Modify the properties of the Windows Search Service.

D. Install the Office 2007 System Converter: Microsoft Filter Pack.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 70
Your network contains a file server named Server1 that runs Windows Server 2008 R2. On Server1, you create a disk quota for volume E that limits storage to 200 MB for all users.

You need to ensure that a user named User1 can store files that are larger than 200 MB on volume E.

What should you do?

A. From a command prompt, run dirquota.exe.

B. From Disk Management, create a new quota entry.

C. From Windows Explorer, modify the Security properties of the volume.

D. From File Server Resource Manager, create a file screen exception.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

To do this, we simply need to change the limit on the quota that applies to User1. dirquota.exe is the command-line front end to File Server Resource Manager quotas, and the following command modifies an existing quota:
dirquota quota modify
Reference: http://technet.microsoft.com/en-us/library/cc742171%28v=ws.10%29.aspx

We would not create a new quota entry: a quota already applies to User1, so it is modified rather than recreated. Disk Management has no quota entries in any case; NTFS per-user quotas are managed from the Quota tab of the volume's properties, not from Disk Management.

The Security properties in Windows Explorer control who can access the volume, not how much space they may use, so quotas are neither configured nor managed there.

A file screen exception relaxes a file screen, which filters by file type. No file screen is in place here, only a quota limit.

QUESTION 71
Your network contains a file server named Server1 that runs Windows Server 2008 R2. You have a folder named Folder1.

You need to ensure that files in Folder1 that are older than 365 days are automatically moved to an archive folder.

What should you create from the File Server Resource Manager console?

A. a file group

B. a file management task

C. a file screen

D. a quota

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 72
Your network contains an Active Directory domain named contoso.com. The functional level of the domain and the functional level of the forest are Windows Server 2003. All domain controllers run Windows Server 2008.

You have a member server that runs Windows Server 2008 R2 named Server1. You install the Distributed Scan Server role service on Server1. From the Scan Management console, you attempt to add a scan process and you receive the following error.

You need to ensure that you can add a scan process.

What should you do?

A. Install the Fax Server role.

B. Install the Print Server role service.

C. Update the Active Directory schema.

D. Set the functional level of the forest to Windows Server 2008.

Correct Answer: C
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:


(...)

QUESTION 73
You have a server that runs Windows Server 2008 R2. You create a new quota template. You apply quotas to 100 folders by using the quota template.

You need to modify the quota settings for all 100 folders. You must achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Modify the quota template.

B. Delete and recreate the quota template.

C. Create a new quota template. Modify the quota for each folder.

D. Create a file screen template. Apply the file screen template to the root of the volume that contains the folders.

Correct Answer: A
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 74
You have a file server that runs Windows Server 2008 R2. You configure quotas on the server.

You need to view each user's quota usage on a per folder basis.

What should you do?

A. From File Server Resource Manager, create a File Screen.

B. From File Server Resource Manager, create a Storage Management report.

C. From the command prompt, run dirquota.exe quota list.

D. From the properties of each volume, review the Quota Entries list.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 75
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2008 R2. The topology of the Active Directory site is configured as shown in the exhibit. (Click the Exhibit button.)

Server1 and Server2 host a Distributed File System (DFS) replica named \\contoso.com\dfs\Folder1.

You discover that client computers in Site3 and Site4 always contact Server1 when they access files in \\contoso.com\dfs\Folder1.

You need to ensure that client traffic from Site3 and Site4 is distributed between Server1 and Server2.


What should you do?

Exhibit:

A. From the properties of the \\contoso.com\dfs\folder1 folder, modify the Referrals settings.

B. From the properties of the \\contoso.com\dfs\folder1 folder, modify the Advanced settings.

C. From the properties of the \\contoso.com\dfs namespace, modify the Polling settings of the namespace.

D. From the properties of the \\contoso.com\dfs namespace, modify the Ordering Method of the namespace.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

Site3 and Site4 have a lower site-link cost to Server1 than to Server2, so with the default Lowest cost ordering method their referrals always list Server1 first. Setting the namespace's ordering method to Random order (on the Referrals tab of the namespace properties) makes clients outside the targets' sites pick Server1 or Server2 at random, which spreads the load between them.

Polling settings control how often namespace servers retrieve the most recent namespace data from Active Directory. Stale namespace data is not the problem here.

The folder's Referrals settings (cache duration, excluding targets outside the client's site, client failback) do not change the order in which two targets that are both outside the client's site are listed, so they do not distribute the load.

The Advanced settings of a folder do not affect referral ordering either.

QUESTION 76
Your network contains an Active Directory domain. You have 100 remote users who have client computers that run Windows 7. The client computers are joined to the domain.

The corporate security policy states that users working offline must be denied access to the files on the corporate file servers.

You need to configure the network to meet the following requirements:

Support the corporate security policy.


Minimize the amount of time it takes for remote users to access the files on the corporate file servers.

What should you enable?

A. Shadow Copies on the client computers

B. Shadow Copies on the corporate file servers

C. Transparent Caching on the client computers

D. Transparent Caching on the corporate file servers

Correct Answer: C
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 77Your network contains a file server that runs Windows Server 2008 R2.

You create a shared folder on the server.

You need to ensure that an administrator is notified whenever a user saves .exe files to the shared folder.

What should you do?

A. Configure access-based enumeration (ABE).

B. Create a file screen.

C. Modify the NTFS permissions and the share permissions.

D. Create a soft quota.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

Create file screens to block files that belong to particular file groups from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server.

You can configure File Server Resource Manager to generate e-mail or other notifications when a file screening event occurs.

Reference: http://technet.microsoft.com/en-us/library/cc732349(WS.10).aspx

A soft quota is a disk space limit that is not enforced but still sends notifications when the limit is reached. Quotas act on the amount of space used, not on the type of file, so they cannot single out .exe files.

ABE only controls which folders a user sees when browsing the share; it neither blocks nor reports file saves.

NTFS and share permissions control who can access the share, but they cannot filter by file extension and do not send notifications.


QUESTION 78
Your network contains a DNS server named DNS1 that runs Windows Server 2008 R2.

You need to be notified by e-mail if the DNS service logs errors or warnings. The solution must minimize the number of e-mail notifications you receive.

What should you do?

A. Create an alert in Performance Monitor.

B. Run the Configure a DNS Server Wizard.

C. Select the DNS Server log from Event Viewer and attach a task to the log.

D. Create a custom view from Event Viewer and attach a task to the custom view.

Correct Answer: D
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

A task attached to the whole DNS Server log fires for every event written to it, including the informational ones, so it does not minimize the number of messages. A custom view filtered to the Error and Warning levels of the DNS Server log, with a task attached to that view, sends mail only for the events asked for. Performance Monitor alerts watch counters rather than logged events, and the Configure a DNS Server Wizard does not set up notifications.

QUESTION 79
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\dfs. \\contoso.com\dfs is configured to use Windows 2000 Server mode.

The domain contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is configured as a namespace server for \\contoso.com\dfs.

You need to migrate \\contoso.com\dfs to Windows Server 2008 mode.

You install the Distributed File System role service on Server2.

What should you do next?

A. Configure Server2 as a namespace server for \\contoso.com\dfs.

B. At the command prompt, run dfsutil root export \\contoso.com\dfs c:\dfs.xml.

C. At the command prompt, run dfsutil root adddom \\contoso.com\dfs v2.

D. Create a new shared folder named DFS on Server2.

Correct Answer: B
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

To migrate a domain-based namespace to Windows Server 2008 mode:

1. Open a Command Prompt window and type the following command to export the namespace to a file, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:

dfsutil root export \\domain\namespace c:\filename.xml

Reference: http://technet.microsoft.com/en-us/library/cc753875.aspx
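The export above is only the first step; the rest of the procedure deletes the old root and rebuilds it in Windows Server 2008 mode. As an added worked example (not part of the exam dump or of the TechNet page it cites), the following PowerShell script wraps the dfsutil commands of that procedure end to end. It assumes that Server1 and Server2 are the namespace servers, that the root share on each is named dfs, and that C:\DFSMigration is a free folder for the export file; all three are assumptions for illustration, not facts from the question.

```powershell
# Added example (not from the exam dump): migrate \\contoso.com\dfs from
# Windows 2000 Server mode to Windows Server 2008 mode with dfsutil.
# Assumed (not stated in the question): namespace servers Server1 and Server2,
# root share named "dfs" on each, export folder C:\DFSMigration.
# Run elevated, as a user who can administer the namespace.
$ErrorActionPreference = 'Stop'
$ns      = '\\contoso.com\dfs'
$servers = 'Server1', 'Server2'
$export  = 'C:\DFSMigration\dfs.xml'

function Check([string]$What) {
    # dfsutil is a native tool: $ErrorActionPreference does not see its exit code.
    if ($LASTEXITCODE -ne 0) { throw "$What failed (exit code $LASTEXITCODE)" }
}

New-Item -ItemType Directory -Path (Split-Path $export) -Force | Out-Null

# 1. Export the namespace definition (folders, targets, referral settings).
dfsutil root export $ns $export
Check 'export'
if (-not (Test-Path $export)) { throw 'export file missing, do not continue' }
Copy-Item $export "$export.bak"   # second copy: the next steps are destructive

# 2. The export file does not list namespace servers (hence $servers above);
#    dump the current definition so the result can be compared afterwards.
dfsutil root dump $ns
Check 'dump (before)'

# 3. Delete the namespace. Clients lose \\contoso.com\dfs from here until step 5
#    completes; data in the folder targets on the file servers is not touched.
dfsutil root remove $ns
Check 'remove'

# 4. Recreate the root in Windows Server 2008 mode (v2) on the first server.
dfsutil root adddom "\\$($servers[0])\dfs" v2
Check 'adddom v2'

# 5. Import the saved folders and targets into the new root.
dfsutil root import merge $export $ns
Check 'import'

# 6. Re-add the remaining namespace servers.
foreach ($s in ($servers | Select-Object -Skip 1)) {
    dfsutil target add "\\$s\dfs"
    Check "target add $s"
}

# Verify: the dump should now show the same folder list as before, and dfsdiag
# confirms the namespace configuration is consistent on every namespace server.
dfsutil root dump $ns
Check 'dump (after)'
dfsdiag /testdfsconfig /dfsroot:$ns
Check 'dfsdiag'
```

The namespace is unreachable between steps 3 and 5, so run this in a maintenance window, and keep the export file: once the old root is gone it is the only record of the folder and target definitions. Windows Server 2008 mode also requires the domain to be at the Windows Server 2008 domain functional level and every namespace server to run Windows Server 2008 or later; step 4 fails otherwise, which is why installing the role service on Server2 comes before the export.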


QUESTION 80
You manage a server named Server1 that runs Windows Server 2008 R2 Service Pack 1 (SP1). Server1 has the File Services server role installed.

You have a file share named Share1.

You need to ensure that any Microsoft Word files saved to Share1 that contain the word "confidential" are moved automatically to a folder named Confidential.

What should you configure in File Server Resource Manager? (Each correct answer presents part of the solution. Choose three.)

A. a classification rule

B. a file management task

C. a file screen

D. a file group

E. a classification property

Correct Answer: ABE
Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

(...)

QUESTION 81
Your network contains an Active Directory domain. The domain contains a server that runs Windows Server 2008 R2. The server contains 10 shared folders.

You need to be notified by email when users save .mp3 files to the shared folders.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Select and Place:


Correct Answer:


Section: 70-642 Configuring File and Print Services

Explanation/Reference:
Explanation:

You can configure File Server Resource Manager to generate e-mail or other notifications when a file screening event occurs.
(...)
Passive screening monitors users saving specific file types and generates any configured notifications, but does not prevent users from saving files.

Reference: http://technet.microsoft.com/en-us/library/cc732349%28v=ws.10%29.aspx

MY NOTE: An active screen would prevent saving the .mp3 file, but we have not been asked for this functionality.
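The command-line side of QUESTIONS 68, 70, 77 and 81, as an added example that is not from the exam dump: filescrn.exe and dirquota.exe are the FSRM tools behind the console actions in those answers, and a script makes the difference between a passive screen, an active screen, an exception and a quota concrete. The folder paths (D:\Shares\Data, D:\Shares\Data\Sales, E:\Users\User1), the SMTP host smtp.contoso.com and the e-mail addresses are assumptions for illustration. The e-mail action on the screen itself is attached afterwards from the File Server Resource Manager console (filescrn can also read it from a notification file, which is not shown here).

```powershell
# Added example (not from the exam dump): FSRM screening and quotas from the
# command line on a Windows Server 2008 R2 file server with the FSRM role service.
# Assumed names: D:\Shares\Data (screened folder), D:\Shares\Data\Sales (exception),
# E:\Users\User1 (quota folder), smtp.contoso.com and the two mail addresses.
$ErrorActionPreference = 'Stop'
$share   = 'D:\Shares\Data'
$sales   = Join-Path $share 'Sales'
$userDir = 'E:\Users\User1'

function Check([string]$What) {
    # filescrn/dirquota are native tools; check their exit codes explicitly.
    if ($LASTEXITCODE -ne 0) { throw "$What failed (exit code $LASTEXITCODE)" }
}

foreach ($p in $share, $sales, $userDir) {
    New-Item -ItemType Directory -Path $p -Force | Out-Null
}

# Where FSRM sends e-mail when a screen or quota fires (assumed host/addresses).
filescrn admin options /smtp:smtp.contoso.com /from:fsrm@contoso.com /adminemails:admin@contoso.com
Check 'filescrn admin options'

# QUESTION 81: a passive screen on the built-in "Audio and Video Files" group
# (which covers *.mp3). The save succeeds; the event is logged and can be mailed.
filescrn screen add "/path:$share" "/add-filegroup:Audio and Video Files" /type:passive
Check 'filescrn screen add'

# QUESTION 68: an exception under the screened tree so Sales can still save video.
filescrn exception add "/path:$sales" "/add-filegroup:Audio and Video Files"
Check 'filescrn exception add'

# QUESTION 70: a hard quota on one folder, then raise the limit for that user.
dirquota quota add "/path:$userDir" /limit:200MB /type:hard
Check 'dirquota quota add'
dirquota quota modify "/path:$userDir" /limit:1GB
Check 'dirquota quota modify'

# Checks a practitioner runs before trusting the change.
filescrn screen list "/path:$share"
filescrn exception list "/path:$sales"
dirquota quota list "/path:$userDir"

# Behavioural check: under a passive screen this write succeeds. Change
# /type:passive to /type:active above and the same write throws
# UnauthorizedAccessException, which is the QUESTION 77 "block" behaviour.
$probe = Join-Path $share 'probe.mp3'
[IO.File]::WriteAllBytes($probe, (New-Object byte[] 16))
if (Test-Path $probe) {
    'passive screen allowed the write; the screening event is in the FSRM log'
}
Remove-Item $probe
```

The quota applies to the folder E:\Users\User1, not to the user account: FSRM quotas are per folder, which is what lets one user's folder get a larger limit while the template limit stays on everyone else's.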

QUESTION 82
Your company has a single Active Directory forest that has a domain in North America named na.contoso.com and a domain in South America named sa.contoso.com. The client computers run Windows 7.

You need to configure the client computers in the North America office to improve the name resolution response time for resources in the South America office.

What should you do?

A. Configure a new Group Policy object (GPO) that disables the Link-Local Multicast Name Resolution feature. Apply the policy to all the client computers in the North America office.


B. Configure a new Group Policy object (GPO) that enables the Link-Local Multicast Name Resolution feature. Apply the policy to all the client computers in the North America office.

C. Configure a new Group Policy object (GPO) that configures the DNS Suffix Search List option to sa.contoso.com, na.contoso.com. Apply the policy to all the client computers in the North America office.

D. Configure the priority value for the Service Location (SRV) records on each of the North America domain controllers to 5.

Correct Answer: C
Section: 70-642 Configuring Name Resolution

Explanation/Reference:
Explanation:

(...)

QUESTION 83
Your company has two servers that run Windows Server 2008 R2 named Server2 and Server3. Both servers have the DNS Server server role installed.

Server3 is configured to forward all DNS requests to Server2.

You update a DNS record on Server2. You need to ensure that Server3 is able to immediately resolve the updated DNS record.

What should you do?

A. Run the dnscmd /clearcache command on Server3.

B. Run the ipconfig /flushdns command on Server3.

C. Decrease the Time-to-Live (TTL) on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.

D. Increase the Retry Interval value on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.

Correct Answer: A
Section: 70-642 Configuring Name Resolution

Explanation/Reference:
Explanation:

The record was changed on Server2, so the stale copy that Server3 cached the last time it forwarded a query for that name must be discarded. Otherwise Server3 keeps answering with the old data until the cached record's TTL expires.

ipconfig /flushdns clears the DNS client resolver cache of the local machine. dnscmd /clearcache clears the cache of the DNS Server service.

Server3 answers its clients from the DNS Server service, so it is the server cache on Server3 that holds the stale record and must be cleared; the client resolver cache on Server3 has no bearing on what it returns to other hosts.

Server3 is forwarding, not hosting a secondary copy of the zone, and a change to the SOA record does not expire data that Server3 has already cached, so modifying the SOA's TTL or retry interval will not help.

The Start of Authority (SOA) record declares the host that's the most authoritative for the zone and, as such, is the best source of DNS information for the zone.
Reference: http://technet.microsoft.com/en-us/library/bb727018.aspx

QUESTION 84
Your company has a server named Server1 that runs a Server Core installation of Windows Server 2008 R2, and the DNS Server server role. Server1 has one network interface named Local Area Connection. The static IP address of the network interface is configured as 10.0.0.1.

You need to create a DNS zone named local.contoso.com on Server1.

Which command should you use?

A. ipconfig /registerdns:local.contoso.com

B. dnscmd Server1 /ZoneAdd local.contoso.com /DSPrimary

C. dnscmd Server1 /ZoneAdd local.contoso.com /Primary /file local.contoso.com.dns

D. netsh interface ipv4 set dnsserver name="local.contoso.com" static 10.0.0.1 primary

Correct Answer: C
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 85
Your company has an Active Directory forest. All domain controllers run the DNS Server server role. The company plans to decommission the WINS service.

You need to enable forest-wide single name resolution.

What should you do?

A. Enable WINS-R lookup in DNS.
B. Create Service Location (SRV) records for the single name resources.
C. Create an Active Directory-integrated zone named LegacyWINS. Create host (A) records for the single name resources.
D. Create an Active Directory-integrated zone named GlobalNames. Create host (A) records for the single name resources.

Correct Answer: D
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

Consider deploying a GlobalNames zone if:
You are retiring WINS or you are planning to deploy only IPv6 in your environment, so that all name resolution will depend on DNS.

Reference: http://technet.microsoft.com/en-us/library/cc731744.aspx

WINS is being decommissioned, so we do not want to allow WINS servers to still provide name resolution. Similarly, we do not want to allow WINS-R (reverse WINS) lookups.

SRV records tell clients where to find specific services. WINS services are being retired and the setup of DNS will have created the necessary SRV records to respond to client requests.

QUESTION 86
Your company has a single Active Directory domain. All servers run Windows Server 2008 R2. You install an additional DNS server that runs Windows Server 2008 R2.

You need to delete the pointer record for the IP address 10.3.2.127.

What should you do?

A. Use DNS manager to delete the 127.in-addr.arpa zone.
B. Run the dnscmd /RecordDelete 10.3.2.127 command at the command prompt.

C. Run the dnscmd /ZoneDelete 127.in-addr.arpa command at the command prompt.

D. Run the dnscmd /RecordDelete 10.in-addr.arpa. 127.2.3 PTR command at the command prompt.

Correct Answer: D
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

(...)
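To see why answer D names the record 127.2.3 under the 10.in-addr.arpa. zone, here is an added Python helper (not part of the original dump) that derives the relative PTR owner name of an IPv4 address from the reverse lookup zone that contains it and builds the matching dnscmd /RecordDelete line; the function names are my own.

```python
"""Added example: reverse-lookup naming for IPv4 PTR records.

A reverse lookup zone name is the network prefix's octets in reverse order
followed by in-addr.arpa (10.0.0.0/8 -> 10.in-addr.arpa). A PTR record inside
that zone is named by the remaining host octets, also reversed, relative to
the zone. dnscmd /RecordDelete takes the zone first and the relative node
name second, which is why 10.3.2.127 becomes "10.in-addr.arpa. 127.2.3 PTR".
"""
import ipaddress


def ptr_relative_name(ip: str, zone: str) -> str:
    """Return the owner name of ip's PTR record relative to the reverse zone.

    zone is an IPv4 reverse lookup zone covering a /8, /16 or /24 network,
    e.g. '10.in-addr.arpa' or '2.3.10.in-addr.arpa'. A ValueError is raised
    when the zone is malformed or the address is not inside it, so a caller
    cannot silently target the wrong record.
    """
    addr = ipaddress.IPv4Address(ip)                # validates the address
    labels = zone.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"{zone!r} is not an in-addr.arpa zone")
    zone_octets = labels[:-2]                       # reversed prefix octets
    if not 1 <= len(zone_octets) <= 3:
        raise ValueError("zone must cover a /8, /16 or /24 network")
    for label in zone_octets:
        if not label.isdigit() or not 0 <= int(label) <= 255:
            raise ValueError(f"{zone!r} contains a non-octet label {label!r}")
    prefix = list(reversed(zone_octets))            # network order, e.g. ['10']
    octets = str(addr).split(".")
    if octets[: len(prefix)] != prefix:
        raise ValueError(f"{ip} is not inside {zone}")
    host_octets = octets[len(prefix):]              # e.g. ['3', '2', '127']
    return ".".join(reversed(host_octets))          # e.g. '127.2.3'


def record_delete_command(ip: str, zone: str, server: str = "") -> str:
    """Build the dnscmd /RecordDelete command line for the PTR record.

    Mirrors the form used in answer D; the optional server argument is the
    DNS server name dnscmd accepts before the operation switch.
    """
    parts = ["dnscmd"]
    if server:
        parts.append(server)
    parts += ["/RecordDelete", zone.rstrip(".") + ".",
              ptr_relative_name(ip, zone), "PTR"]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values from the question: 10.3.2.127 in the 10.in-addr.arpa zone.
    print(record_delete_command("10.3.2.127", "10.in-addr.arpa"))
```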

QUESTION 87
You are building a test environment to evaluate DNS Security Extensions (DNSSEC). You have a domain controller named Server1 that runs Windows Server 2008 R2 in your test environment.

Server1 has the DNS Server server role installed.

You need to configure Server1 to support the DNSSEC evaluation.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Create a new Quad-A (AAAA) DNS record.
B. Create a new Signature (SIG) DNS record.
C. Create a new Public key (KEY) DNS record.
D. Create a new Well-known service (WKS) DNS record.

Correct Answer: BC
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

KEY
Description: Public key resource record. Contains a public key that is associated with a zone. In full DNSSEC implementation, resolvers and servers use KEY resource records to authenticate SIG resource records received from signed zones.

SIG
Description: Signature resource record. Encrypts an RRset to a signer's (RRset's zone owner) domain name and a validity interval.

WKS
Description: Well-known service (WKS) resource record. Describes the well-known TCP/IP services supported by a particular protocol on a specific IP address.

AAAA
Description: IPv6 host address (AAAA) resource record. Maps a DNS domain name to an Internet Protocol (IP) version 6 128-bit address.

Reference: http://technet.microsoft.com/en-us/library/cc758321%28v=ws.10%29.aspx

QUESTION 88
Your company has a main office and a branch office. The main office has a domain controller named DC1 that hosts a DNS primary zone. The branch office has a DNS server named SRV1 that hosts a DNS secondary zone. All client computers are configured to use their local server for DNS resolution.

You change the IP address of an existing server named SRV2 in the main office.

You need to ensure that SRV1 reflects the change immediately.

What should you do?

A. Restart the DNS Server service on DC1.
B. Run the dnscmd command by using the /zonerefresh option on DC1.

C. Run the dnscmd command by using the /zonerefresh option on SRV1.

D. Set the refresh interval to 10 minutes on the Start of Authority (SOA) record.

Correct Answer: C
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 89
Your company has a single Active Directory domain. The company has a main office and a branch office. Both the offices have domain controllers that run Active Directory-integrated DNS zones. All client computers are configured to use the local domain controllers for DNS resolution. The domain controllers at the branch office location are configured as Read-Only Domain Controllers (RODC).

You change the IP address of an existing server named SRV2 in the main office. You need the branch office DNS servers to reflect the change immediately.

What should you do?

A. Run the dnscmd /ZoneUpdateFromDs command on the branch office servers.

B. Run the dnscmd /ZoneUpdateFromDs command on a domain controller in the main office.

C. Change the domain controllers at the branch offices from RODCs to standard domain controllers.
D. Decrease the Minimum (default) TTL option to 15 minutes on the Start of Authority (SOA) record for the zone.

Correct Answer: A
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 90
Your network contains a DNS server named DNS1 that runs Windows Server 2008 R2.

You need to ensure that DNS1 only responds to DNS queries from computers that are located in the same subnet.

What should you configure?

A. Interfaces from DNS Manager
B. Security from DNS Manager
C. Trust Anchors
D. Windows Firewall

Correct Answer: D
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

If we want DNS1 to only respond to DNS queries from its local subnet, then we must configure a firewall rule on DNS1 that will block all DNS traffic, except from that subnet (in the rule's "scope").

The Interfaces tab of DNS Manager will allow you to configure the server to only listen to requests from certain computers, but an IP is needed for each individual computer. This would be cumbersome to configure and maintain.
Reference: http://technet.microsoft.com/en-us/library/cc753579.aspx

The Security tab of DNS Manager is used to restrict users/groups that are able to manage DNS services for the server.

A Trust anchor is a cryptographic key used in DNSSEC validation of zone data. We have not been told DNSSEC is being used, and this only is used to encrypt/secure DNS, not restrict it.
Reference: http://technet.microsoft.com/en-us/library/ee649280%28v=ws.10%29.aspx

QUESTION 91
Your network contains an Active Directory domain named contoso.com. The domain contains two sites named Site1 and Site2. The servers for the sites are configured as shown in the following table.

Server1 hosts a standard primary zone for contoso.com. Server2 hosts a secondary zone for contoso.com.

You need to ensure that all DNS replication traffic between Server1 and Server2 is encrypted.

What should you do?

A. On Server1, configure DNSSEC for the contoso.com zone.
B. On Server1, convert the contoso.com zone to an Active Directory-integrated zone.
C. On each server, create Connection Security Rules.
D. On each server, enable Encrypting File System (EFS) encryption for the contoso.com.dns file.

Correct Answer: C
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

Zone replication can occur either by means of zone transfer or as part of Active Directory replication. If you do not secure zone replication, you run the risk of exposing the names and IP addresses of your computers to attackers. You can secure DNS zone replication by doing the following:

Using Active Directory replication.
Encrypting zone replication sent over public networks such as the Internet. (MY NOTE: This is what we need to do, as the servers are in separate sites so the traffic will travel over the internet)
Restricting zone transfer to authorized servers.

(...)

Encrypt all replication traffic sent over public networks by using IPSec or VPN tunnels. (MY NOTE: This means we need to set up a Connection Security Rule on the VPN between the sites, that will specify the traffic must be encrypted. None of the other options are related to IPSEC or VPN)

Reference: http://technet.microsoft.com/en-us/library/cc781101%28v=ws.10%29.aspx

QUESTION 92
Your network contains an Active Directory forest. The forest contains three domain trees. Each domain tree contains multiple domains.

You have an Active Directory-integrated DNS zone. You install a Web server named Web1. All of the users in the company will use Web1. You need to ensure that the users can access Web1 by using the URL http://web1.

You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. Configure a GlobalNames zone and add a Host (A) resource record for Web1.
B. Create an Alias (CNAME) resource record for Web1 in the forest root domain zone.
C. Create a reverse lookup zone and add an Alias (CNAME) resource record for Web1.
D. Create a Host Information (HINFO) resource record for Web1 in the forest root domain zone.

Correct Answer: A
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

A GlobalNames zone allows multiple domains in an environment to access a host or resource without needing to specify the DNS suffix.

A CNAME record allows us to specify an alternate host portion of the FQDN (in this case, something other than web1).

A reverse lookup zone is used with PTR records to allow lookup of the host, when given the IP.

An HINFO record specifies the host / server's type of CPU and operating system.
Reference: http://www.simpledns.com/help/v51/index.html?rec_hinfo.htm

QUESTION 93
Your network contains two servers named Server1 and Server2 that run a Server Core installation of Windows Server 2008. Server1 and Server2 are configured as DNS servers.

Server1 has an IP address of 10.0.0.1. Server2 has an IP address of 10.0.0.2.

Server1 contains a standard primary zone named contoso.com. Zone transfers are enabled for contoso.com.

You need to ensure that Server2 hosts a copy of the contoso.com zone.

Which command should you run on Server2?

A. dnscmd /zoneadd contoso.com /primary 10.0.0.1

B. dnscmd /zoneadd contoso.com /primary 10.0.0.2

C. dnscmd /zoneadd contoso.com /secondary 10.0.0.1

D. dnscmd /zoneadd contoso.com /secondary 10.0.0.2

Correct Answer: C
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

Secondary zones are copies of primary zones, so we need to create a secondary zone on Server2. Of the commands specifying a new secondary zone, only one specifies 10.0.0.1 as the address of the master zone to be copied from.

From Microsoft:

dnscmd /zoneadd
Adds a zone to the DNS server.

Syntax
dnscmd [<ServerName>] /zoneadd <ZoneName> <ZoneType> [/dp <FQDN>| {/domain|/enterprise|/legacy}]

Reference: http://technet.microsoft.com/en-us/library/cc772069%28v=ws.10%29.aspx

QUESTION 94
Your network contains an Active Directory forest named contoso.com. Contoso.com contains three domain controllers that run Windows Server 2008 R2 and three domain controllers that run Windows Server 2003. All domain controllers are configured as DNS servers.

You configure the contoso.com zone to use DNSSEC.

You need to ensure that the zone only replicates to DNS servers that support DNSSEC.

What should you do first?

A. Modify the Notify settings of the contoso.com zone.
B. Create an application directory partition.
C. Move the contoso.com zone to the ForestDnsZones application directory partition.
D. Add a server certificate to the Windows Server 2003 DNS servers.

Correct Answer: B
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

(...)

QUESTION 95
Your network contains a DNS server that runs Windows Server 2008 R2 Service Pack 1 (SP1).

You need to prevent the DNS server from accepting updates for cached resource records until the time-to-live (TTL) value of the cached resource records expires.

Which tool should you use? (Each correct answer presents a complete solution. Choose two.)

A. Server Manager
B. netsh
C. DNS Manager
D. regedit

E. dnscmd

F. dns

Correct Answer: DE
Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

Cache locking is a new security feature available with Windows Server® 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten. When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received.

To configure cache locking using a command line

1. Open an elevated command prompt.
2. Type the following command, and then press ENTER:

dnscmd /Config /CacheLockingPercent <percent>

3. Restart the DNS Server service.

To configure cache locking using the Windows interface

1. Click Start, click Run, type regedit.exe, and then press ENTER.
2. In Registry Editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters.
3. If the CacheLockingPercent registry key is not present, right-click Parameters, click New, click DWORD (32-bit) Value, and then type CacheLockingPercent for the name of the new registry key.
4. Double-click the CacheLockingPercent registry key.
5. Under Base, choose Decimal, under Value data type a value from 0 to 100 for the cache locking percent, and then click OK.
6. Close Registry Editor.
7. Restart the DNS Server service.

Reference: http://technet.microsoft.com/en-us/library/ee649148(v=ws.10).aspx
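The locking rule described above, as an added Python model (my own code, not Microsoft's DNS server implementation): an answer for a name and type that is already cached is discarded until CacheLockingPercent percent of the cached record's TTL has elapsed, and with the default of 100 the record can only be replaced after it expires. Class and method names are assumptions of this example.

```python
"""Added example: a recursive-resolver cache with cache locking.

CacheLockingPercent = 100 (the default) means a cached RRset cannot be
overwritten until its TTL has fully expired; 0 means every later answer
overwrites the cache immediately, the pre-2008 R2 behaviour. The lock
narrows the window in which an unsolicited answer for an already-cached
name could replace good data before the legitimate TTL runs out.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CachedRRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    ttl: int         # original TTL in seconds
    cached_at: int   # time (seconds) at which the RRset entered the cache


class LockingCache:
    """Minimal DNS cache that honours a CacheLockingPercent setting."""

    def __init__(self, cache_locking_percent: int = 100) -> None:
        if not 0 <= cache_locking_percent <= 100:
            raise ValueError("CacheLockingPercent must be between 0 and 100")
        self.percent = cache_locking_percent
        self._entries: Dict[Tuple[str, str], CachedRRset] = {}

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        # DNS names are case-insensitive; normalise so www.CONTOSO.com matches.
        return (name.lower().rstrip("."), rtype.upper())

    def lookup(self, name: str, rtype: str, now: int) -> Optional[CachedRRset]:
        """Return the live cached RRset, evicting it if its TTL has expired."""
        key = self._key(name, rtype)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if now - entry.cached_at >= entry.ttl:
            del self._entries[key]      # expired: behave as a cache miss
            return None
        return entry

    def is_locked(self, name: str, rtype: str, now: int) -> bool:
        """True while the cached RRset is inside its locking window."""
        entry = self.lookup(name, rtype, now)
        if entry is None:
            return False
        lock_seconds = entry.ttl * self.percent / 100
        return (now - entry.cached_at) < lock_seconds

    def offer(self, name: str, rtype: str, rdata, ttl: int, now: int) -> bool:
        """Offer an RRset learned from a response.

        Returns True when the cache was written (new entry, expired entry
        replaced, or lock window already passed) and False when the offer
        was discarded because the existing entry is still locked.
        """
        if self.is_locked(name, rtype, now):
            return False
        key = self._key(name, rtype)
        self._entries[key] = CachedRRset(key[0], key[1], tuple(rdata), ttl, now)
        return True


if __name__ == "__main__":
    # Constructed walk-through: a 1-hour A record, then a conflicting answer.
    cache = LockingCache(100)
    cache.offer("www.contoso.com", "A", ["10.0.0.5"], ttl=3600, now=0)
    print("overwrite at t=1800 accepted:",
          cache.offer("www.contoso.com", "A", ["192.0.2.9"], 3600, now=1800))
    print("overwrite at t=3600 accepted:",
          cache.offer("www.contoso.com", "A", ["192.0.2.9"], 3600, now=3600))
```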

QUESTION 96
Your network contains an Active Directory forest. The forest contains a server named Server1.contoso.com.

You need to ensure that all DNS clients can use DNS to resolve the single-label name of a server named Server1.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Select and Place:

Correct Answer:

Section: 70-642 Configuring Names Resolution
Explanation

Explanation/Reference:
Explanation:

What the scenario requires is a GlobalNames zone, wherein all domains in the forest could use the single-label name of Server1 to resolve/access its IP.

Deploying a GlobalNames Zone

Step 1: Create the GlobalNames zone
Step 2: Enable GlobalNames zone support

(...)
dnscmd <ServerName> /config /enableglobalnamessupport 1

Step 3: Replicate the GlobalNames zone
Step 4: Populate the GlobalNames zone

For each server that you want to be able to provide single-label name resolution for, add an alias (CNAME) resource record to the GlobalNames zone.

Reference: http://technet.microsoft.com/en-us/library/cc731744.aspx

QUESTION 97
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2008 R2. All client computers run Windows 7.

You discover that users can use Encrypting File System (EFS) when the smart cards on their computers are removed.

You need to prevent the users from accessing EFS-encrypted files when their smart cards are removed. From the EFS properties, you click Require a smart card for EFS.

What should you do next?

A. Set the Elliptic Curve Cryptography to Allow.
B. Set the Elliptic Curve Cryptography to Require.
C. Disable the Allow delegating saved credentials setting.
D. Disable the Create caching-capable user key from smart card option.

Correct Answer: D
Section: 70-642 Configuring File and Print Services
Explanation

Explanation/Reference:
Correct answer(s): D
Explanation:

QUESTION 98
Your network contains an Active Directory forest named contoso.com. The forest contains a server named Server1 that runs Windows Server 2008 R2 Service Pack 1 (SP1) Standard. The forest contains a server named Server2 that runs Windows Server 2008 R2 SP1 Enterprise. Server1 and Server2 have the Print and Document Services server role installed.

You need to migrate the print queues, printer settings, printer ports, and language monitors from Server1 to Server2.

Which tool should you use?

A. Printbrm
B. Active Directory Users and Computers
C. Active Directory Sites and Services
D. Devices and Printers

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:

To migrate print servers by using a command prompt

To open a Command Prompt window, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

Type:

CD %WINDIR%\System32\Spool\Tools
Printbrm -s \\<sourcecomputername> -b -f <filename>.printerExport

Type:

Printbrm -s \\<destinationcomputername> -r -f <filename>.printerExport

Reference: http://technet.microsoft.com/en-us/library/cc722360.aspx

QUESTION 99
Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com. The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows Server 2008 R2 Standard.

You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network.

You need to join Public_Computer to the adatum.com domain.

What should you do?

To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Build List and Reorder:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Four major steps are required to join a computer to the domain by using offline domain join:

1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.

2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.

3. At the offline computer that you want to join the domain, use DJoin to import the blob into the Windows directory.

4. When you start or restart the computer, it will be a member of the domain.

Reference: MS Press - Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 217, 218

QUESTION 100
A corporate network includes a single Active Directory Domain Services (AD DS) domain.

The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers. User accounts for the HR department reside in the HR Users OU. Computer accounts for the HR department reside in the HR Computers OU. All HR department employees belong to a security group named HR Employees. All HR department computers belong to a security group named HR PCs.

Company policy requires that passwords are a minimum of 6 characters.

You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least 8 characters. The password length requirement should not change for employees of any other department.

What should you do?

A. Modify the password policy in the GPO that is applied to the domain.
B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.
C. Create a fine-grained password policy and apply it to the security group named HR Employees.
D. Modify the password policy in the GPO that is applied to the domain controllers OU.

Correct Answer: C
Section: 70-642 Creating and Maintaining Active Directory Objects
Explanation

Explanation/Reference:

Are there any special considerations?
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.
Reference: http://technet.microsoft.com/en-us/library/cc770394.aspx

QUESTION 101
Your network contains an Active Directory forest named contoso.com.

You need to identify whether a fine-grained password policy is applied to a specific group.

Which tool should you use?

A. Credential Manager
B. Group Policy Management Editor
C. Active Directory Users and Computers
D. Active Directory Sites and Services

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:

Use Active Directory Users and Computers to determine the value of the msDS-PSOApplied attribute of the specific group:

1. Open the Properties window for the group in Active Directory Users and Computers.
2. Click the Attribute Editor tab, and then click Filter.
3. Ensure that the Show attributes/Optional check box is selected.
4. Ensure that the Show read-only attributes/Backlinks check box is selected.
5. Locate the value of msDS-PSOApplied in the Attributes list.


Reference: http://technet.microsoft.com/en-us/library/cc754544.aspx

QUESTION 102
Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.

You add a logoff script to an existing Group Policy object (GPO).

You need to verify that each domain controller successfully replicates the updated group policy.

Which two objects should you verify on each domain controller? (Each correct answer presents part of the solution. Choose two.)

A. \\servername\SYSVOL\contoso.com\Policies\{GUID}\gpt.ini
B. \\servername\SYSVOL\contoso.com\Policies\{GUID}\machine\registry.pol
C. the uSNChanged value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container
D. the versionNumber value for the CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com container

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:

(...)
