
Microsoft Exams - Just Another All in One TestKing Sites ... · 70-646 - Windows Server 2008,...

Date post: 22-Apr-2018
Upload: docong

70-646 - Windows Server 2008, Server Administrator

Passing Score: 700
Time Limit: 210 min
File Version: 1.0

http://www.gratisexam.com/

Microsoft Exams - Just Another All in One TestKing Sites

This practice exam has explanations for all questions so that you can understand all concepts.

http://www.aiotestking.com/microsoft

Sections
1. Exam A
2. Exam B
3. Exam C
4. Exam D
5. Exam E
6. Exam F

Exam A

QUESTION 1
You are an Enterprise administrator for TestKing.com. The corporate network of the company consists of 200 Windows Server 2008 servers. The company has recently decided to open a new branch office and moved 75 Windows Server 2008 servers from the existing office to the new network segment.

Which of the following options would you choose to change the TCP/IP addresses on the 75 servers that have been moved to the new branch office by using the minimum amount of administrative effort?

A. Use ServerManagerCMD tool and run it on the administrator’s client computer.
B. Use the Netsh tool and run it on the administrator’s client computer.
C. Use Remote Desktop to connect to each server to make the changes.
D. Visit each server to make the changes.

Correct Answer: B
Section: Exam A
Explanation

Explanation/Reference:
To change the TCP/IP addresses on the 75 servers that have been moved to the new branch office by using the minimum amount of administrative effort, you need to run the Netsh tool from an administrator’s client computer.

You can use NETSH to make dynamic IP address changes from a static IP address to DHCP simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP Address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you’re working on networks without DHCP and have a mobile computer that connects to multiple networks, some of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows Automatic Public IP Addressing.

Reference: 10 things you should know about the NETSH tool / #4: Using NETSH to dynamically change TCP/IP addresses

QUESTION 2
You are an Enterprise administrator for contoso.com. The corporate network of the company runs 28 Windows Server 2008 servers and two Windows Server 2003 servers. One of the Windows Server 2003 servers called contosoServer1 hosts an application called App1 and another Windows Server 2003 server called contosoServer2 hosts the application called App2.

The App1 application uses the 32-bit installation of Windows Server 2003 and the App2 application uses the 64-bit installation of Windows Server 2003. You need to run both the applications on Windows Server 2008 server.

Which of the following options would you choose for replacing the servers that host App1 and App2 in the minimum cost amount? (Select three. Each correct answer will present a part of the solution.)

A. Install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition.
B. Install two new servers that run 64-bit versions of Windows Server 2008 Enterprise Edition.
C. Install two new servers. On one of the servers install the 32-bit version of Windows Server 2008 Enterprise Edition and install the 64-bit version of Windows Server 2008 Enterprise Edition on the other server.
D. Install the Hyper-V feature on the server(s).
E. Install Windows System Resource Manager (WSRM) on the server(s).
F. Install App1 and App2 in separate child virtual machines.
G. Install App1 on the 32-bit server. Install App2 on the 64-bit server.

Correct Answer: ADF
Section: Exam A
Explanation

Explanation/Reference:
For replacing the servers that host App1 and App2 in the minimum cost amount, you need to install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. Install the Hyper-V feature on the new server. Install App1 and App2 in separate child virtual machines.

Hyper-V consists of a 64-bit hypervisor that can run 32-bit and 64-bit virtual machines concurrently. Therefore you need to install just one Windows Server 2008 to run these two applications. You can then install the Hyper-V feature that would allow you to create virtual machines and run both the applications as desired. Hyper-V virtualization works with single and multi-processor virtual machines and includes tools such as snapshots, which capture the state of a running virtual machine.

QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company runs two Windows Server 2008 servers.

You have been asked to configure the Windows Server 2008 servers in such a way that they support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails.

Which of the following options would you choose to accomplish this task? (Select two. Each correct answer will present a part of the solution.)

A. Install a full installation of Windows Server 2008 Standard Edition on the servers.
B. Install a full installation of Windows Server 2008 Enterprise Edition on the servers.
C. Install a Server Core installation of Windows Server 2008 Enterprise Edition on the servers.
D. Configure Network Load Balancing on the servers.
E. Configure failover clusters on the servers.

Correct Answer: BE
Section: Exam A
Explanation

Explanation/Reference:
To configure the Windows Server 2008 servers in such a way that they support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails, you need to install a full installation of Windows Server 2008 Enterprise Edition on the servers. Configure failover clusters on the servers.

Failover clustering is a process in which the operating system and SQL Server 2008 work together to provide availability in the event of an application failure, hardware failure, or operating-system error. Failover clustering provides hardware redundancy through a configuration in which mission-critical resources are transferred from a failing machine to an equally configured server automatically.

Reference: SQL Server 2008 Pricing and Licensing / PASSIVE SERVERS / FAILOVER SUPPORT

http://download.microsoft.com/download/1/e/6/1e68f92c-f334-4517-b610-e4dee946ef91/2008%20SQL%20Licensing%20Overview%20final.docx.

QUESTION 4
You are an Enterprise administrator for contoso.com. The company has a head office and five branch offices. The corporate network of the company consists of a single Active Directory domain.

Each office contains Windows 2000 Server domain controller and Windows Server 2008 member servers. The physical security of the member servers was not reliable and servers could be attacked.

Therefore, you decided to implement Windows BitLocker Drive Encryption (BitLocker) on the member servers.

Which of the following options would you choose to ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on the member servers and store the recovery information at a central location? (Select two. Each correct answer will present a part of the solution.)

A. Upgrade all domain controllers to Windows Server 2008.
B. Upgrade the domain controller that has the schema master role to Windows Server 2008.
C. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to Windows Server 2008.
D. Use Group Policy to configure Public Key Policies.
E. Use Group Policy to enable a Data Recovery Agent (DRA).
F. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.

Correct Answer: AF
Section: Exam A
Explanation

Explanation/Reference:
To ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on the member servers and store the recovery information at a central location, you need to upgrade all domain controllers to Windows Server 2008. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory.

By default, no recovery information is backed up. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information.

All user interfaces and programming interfaces within BitLocker and TPM Management features will adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) will be automatically backed up to Active Directory whenever this information is created and changed.

Reference: BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory http://technet.microsoft.com/en-us/library/cc766015.aspx

QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain that contains 100 Windows Server 2003 physical servers having 64-bit hardware.

The company has given you the responsibility to consolidate the 100 physical servers into 30 Windows Server 2008 physical servers and send the remaining physical servers to the new branch office that plans to open shortly.

Which of the following options would you choose to achieve the desired goal while ensuring the maximum resource utilization by using existing hardware and software? You also need to ensure that your solution would support 64-bit child virtual machines and maintain separate services among the servers.

A. Install the Hyper-V feature on the existing hardware. Then convert the physical machines into virtual machines.
B. Install the Microsoft Virtual PC. Then convert the physical machines into virtual machines.
C. Create the necessary host (A) records after consolidating services across the physical machines.
D. Install Microsoft Virtual Server 2005 R2 on the existing hardware after installing Windows Server 2008 on them. Then convert the physical machines into virtual machines.

Correct Answer: A
Section: Exam A
Explanation

Explanation/Reference:
To ensure the maximum resource utilization by using existing hardware and software and to ensure the support for 64-bit child virtual machines while maintaining separate services among the servers, you need to install the Hyper-V feature to convert the physical machines into virtual machines.

The Hyper-V feature provides a Physical-to-Virtual (P2V) Conversion Wizard that guides administrators through the process of creating a virtual version of a physical server, including creating images of physical hard disks, preparing the images for use in a VM, and creating the final VM. The wizard can create virtual servers from physical servers and can run on Windows Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled) besides many other operating systems.

Reference: Virtual Machine Manager 2008 Supports Hyper-V / Other Features

http://www.directionsonmicrosoft.com/sample/DOMIS/update/2008/07jul/0708vmm2sh.htm

QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain that contains a Windows Server 2008 server called contosoServer1. The server runs the DHCP service on it for the network.

Your company has decided to add a few Windows Vista computers and Windows Server 2008 servers on the network.

You have been asked to prepare the network for the automated deployment of the above given operating systems with the use of Pre-boot Execution Environment (PXE) network adapter.

Which of the following options would you choose to accomplish this task?

A. Install Windows Automated Installation Kit (WAIK) on a new server.
B. Configure the Windows Deployment Services (WDS) server role on a new server.
C. Install Windows Automated Installation Kit (WAIK) on contosoServer1.
D. Configure the Windows Deployment Services (WDS) server role on contosoServer1.

Correct Answer: D
Section: Exam A
Explanation

Explanation/Reference:
To prepare the network for the automated deployment of the above given operating systems with the use of Pre-boot Execution Environment (PXE) network adapter, you need to configure the Windows Deployment Services (WDS) server role on contosoServer1.

Windows Deployment Services enables you to deploy Windows operating systems, particularly Windows Vista and Windows Server 2008. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. It is an extensible and higher-performing PXE server component.

You must have a functioning DHCP server with an active scope. To utilize PXE, WDS requires a DHCP server. Therefore you need to configure WDS on contosoServer1.

Reference: Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

Reference: Planning for PXE Initiated Operating System Deployments / Windows Deployment Services (WDS) and DHCP http://technet.microsoft.com/en-us/library/bb680753.aspx

QUESTION 7
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain.

Because the branch office was comparatively less secure, you decided to deploy a Read-only Domain Controller (RODC) in the branch office so that branch office support technicians cannot manage domain user accounts on the RODC. However, they should be able to maintain drivers and disks on the RODC.

Which of the following options would you choose to manage the RODC to meet the desired goal?

A. Configure Administrator Role Separation on the RODC.
B. For the branch office support technicians, set NTFS permissions on the Active Directory database to Read & Execute.
C. Configure the RODC to replicate the password for the branch office support technicians.
D. For the branch office support technicians, set NTFS permissions on the Active Directory database to Deny Full Control.

Correct Answer: A
Section: Exam A
Explanation

Explanation/Reference:
To ensure that branch office support technicians would not manage domain user accounts on the RODC and should be able to maintain drivers and disks on the RODC, you need to configure the RODC for Administrator Role Separation.

Administrator Role Separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work on the server such as upgrading a driver. But the delegated administrator would not be able to log on to any other domain controller or perform any other administrative task in the domain.

Reference: RODC Features / Administrator role separation http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation

QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain.

The company currently consists of a main office that has an Internet connection configured. The company plans to open a new branch office in the near future and plans to connect the branch office to the main office by using a WAN link having a limited bandwidth.

The branch office will not have access to the Internet and will contain 30 Windows Server 2008 servers. The installations of these servers must be automated and must be automatically activated. Besides, the network traffic between the offices must be minimized.

Which of the following options would you include in your plan for the deployment of the servers in the branch office?

A. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server and Windows Deployment Services (WDS).
B. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services (WDS).
C. In the main office, implement Windows Deployment Services (WDS). In the branch office, implement a DHCP server and implement the Key Management Service (KMS).
D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).

Correct Answer: B
Section: Exam A
Explanation

Explanation/Reference:

QUESTION 9
You are an Enterprise administrator for contoso.com. The company has a head office and 250 branch offices. The corporate network of the company consists of a single Active Directory domain.

All the domain controllers on the corporate network run Windows Server 2008. You have been asked to deploy Read-only Domain Controllers (RODCs) in each of the designated branch offices because the physical security at branch office locations cannot be guaranteed.

While deploying the RODCs, you need to ensure that the RODC installation source files do not contain cached secrets and the bandwidth used during the initial synchronization of Active Directory Domain Services (AD DS) is minimized.

Which of the following options would you choose to accomplish the given task?

A. Back up the critical volumes of an existing domain controller by using Windows Server Backup. Now build the new RODCs using the backup.
B. Using one of the domain controllers on the network, create a DFS namespace that contains the Active Directory database and then build the new RODCs by using an answer file.
C. Create an RODC installation media using ntdsutil ifm and then build the RODCs from the RODC installation media.
D. Perform a full backup of an existing domain controller using Windows Server Backup and then use the backup to build the new RODCs.

Correct Answer: C
Section: Exam A
Explanation

Explanation/Reference:
The new ntdsutil ifm subcommand can be used to create installation media. It can be used to remove secrets, such as passwords, from the AD DS database, so that you can install a read-only domain controller (RODC) without them. When you remove these secrets, the RODC installation media is more secure if it must be transported to a branch office for an RODC installation.

Ntbackup.exe cannot remove cached secrets from the installation media.

Reference: Steps for Deploying an RODC / Optional: Install RODC from media http://technet.microsoft.com/en-us/library/cc754629.aspx

QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. You have been asked to deploy file servers that run Windows Server 2008 and ensure that the file servers support volumes larger than 2 terabytes.

You also need to ensure that if a single server fails, access to all data is maintained and if a single disk fails, the data redundancy is maintained. You also need to maximize the disk throughput.

Which of the following options would you choose to accomplish the assigned task? (Select 2. Each correct answer will present a part of the solution)

A. Deploy a Windows Server 2008 server and connect an external storage subsystem to it that supports Microsoft Multipath I/O.
B. Deploy a two-node failover cluster. Connect an external storage subsystem.
C. Configure the external storage subsystem as a RAID 1 array and format the array as an MBR disk.
D. Configure the external storage subsystem as a RAID 10 array and format the array as a GPT disk.

Correct Answer: BD
Section: Exam A
Explanation

Explanation/Reference:
To ensure that if a single server fails, access to all data is maintained and if a single disk fails, the data redundancy is maintained, you need to deploy a two-node failover cluster. Connect an external storage subsystem. Configure the external storage subsystem as a RAID 10 array. Format the array as a GPT disk.

Combining the different RAID levels gives us the option of RAID10. RAID10 is equivalent to RAID1 + 0. So, you can have a few disks (at least 4 and always even numbers) and mirror the drives two at a time. This gives the redundancy. Then you take those mirrors and combine them into a RAID 0 stripe. This allows redundancy, faster read operations, and fast writes (avoiding a parity calculation). RAID1 is a mirror which is faster than a single disk, but not as fast for read operations as 3+ disks (RAID1 is just 2 disks). RAID5 is a stripe with parity which is faster on read operations than RAID1 but not ideal for write operations because it is required to calculate a parity block of data.

Reference: Brad Kingsley’s Blog http://blogs.orcsweb.com/brad/archive/2007/08/06/raid10.aspx

QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. You have planned to install 10 new Windows Server 2008 servers on the network.

You want to automate the installation of the servers and activate the servers automatically. Which of the following options would you choose to accomplish the desired goal?

A. Implement Multiple Activation Key (MAK) Independent Activation and Deployment Services (WDS).
B. Implement Key Management Service (KMS) and Windows Deployment Services (WDS).
C. Use Multiple Activation Key (MAK) Independent Activation.
D. Implement a DHCP server and the Key Management Service (KMS).

Correct Answer: B
Section: Exam A
Explanation

Explanation/Reference:
For the deployment of the servers in the branch office with the given requirements, you need to implement Key Management Service (KMS), and Windows Deployment Services (WDS).

The KMS key is used to activate computers against a service that you can host in your environment, so you don’t have to connect to Microsoft servers. To activate computers by using KMS, you must have a minimum number of physical computers. The KMS key is installed on the host computer only.

To activate the KMS host, you must have at least 25 computers running Windows Vista or Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5 computers.

You need Windows Deployment Services (WDS) because it enables you to automate the deployment of Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD.

Reference: Microsoft Product Activation http://www.microsoft.com/licensing/resources/vol/default.mspx

Reference: Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#BKMK_1

QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain.

Which of the following options would you choose to consolidate the 50 physical Windows Server 2003 servers into 10 physical Windows Server 2008 servers?

During consolidation, you need to ensure that the existing hardware and software are used and 64-bit child virtual machines can be created. Which of the following options would you choose to accomplish the desired task?

A. Install Microsoft Virtual PC.
B. Consolidate services across the physical machines and create the necessary host (A) records.
C. Install the Hyper-V feature.
D. Install Microsoft Virtual Server 2005 R2.

Correct Answer: C
Section: Exam A
Explanation

Explanation/Reference:

QUESTION 13
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The company has decided to open 2 new branch offices and deploy 1,000 new Windows Vista Enterprise Edition computers.

The Windows Vista installations need to be done using Pre-boot Execution Environment (PXE) network adapters that those 1000 computers already have.

Which of the following options would you choose to ensure that 50 simultaneous installations of Windows Vista can be done in the minimum amount of time and the impact on network operations during the deployment of the new computers is minimized?

A. Install Windows Deployment Services (WDS) server role and configure all the routers with IP Helper tables.
B. Install Windows Deployment Services (WDS) server role and configure each WDS server by using legacy mode.
C. Install both Windows Deployment Services (WDS) server role and Transport Server role services and then configure the Transport Server with a static multicast address range.
D. Install both Windows Deployment Services (WDS) server role and Transport Server role services and then configure the Transport Server to use a custom network profile.

Correct Answer: C
Section: Exam A
Explanation

Explanation/Reference:
To ensure that 50 simultaneous installations of Windows Vista can be done in the minimum amount of time in a Pre-boot Execution Environment, you need to deploy the Windows Deployment Services (WDS) server role and the Transport Server feature. You can install both the Deployment Server and Transport Server role services (which is the default installation) or only Transport Server role services.

The Windows Deployment Services (WDS) enables you to automate the deployment of Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD.

You can configure Transport Server to enable you to boot from the network using Pre-Boot Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or both.

The Transport Server role service provides a subset of the functionality of Windows Deployment Services. It contains only the core networking parts. You can use Transport Server to create multicast namespaces that transmit data (including operating system images) from a stand-alone server. The stand-alone server does not need Active Directory, DHCP, or DNS.

If multiple servers are using multicast functionality on a network (Transport Server, Deployment Server, or another solution), it is important that each server is configured so that the multicast IP addresses do not collide. Otherwise, you may encounter excessive traffic when you enable multicasting. Note that each Windows Deployment Services server will have the same default range. To work around this issue, specify static ranges that do not overlap to ensure that each server is using a unique IP address.

Reference: Transport Server http://technet.microsoft.com/en-us/library/cc771645.aspx

QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain that runs a 64-bit version of Windows Server 2008 server. The server has DHCP server role installed on it. The corporate network only uses IPv4.

The company has decided to deploy 50 new Windows Server 2008 servers. The installations need to be done using Pre-boot Execution Environment (PXE) network adapters that are already supported by the new computers. Besides, some of the new computers contain 64-bit hardware and some of the servers contain 32-bit hardware.

Which of the following options would you choose to ensure the automated deployment of the new servers in minimum hardware cost?

A. Deploy Windows Deployment Services (WDS) on two Windows Server 2008 servers, one for the 64-bit server and the other for 32-bit server.
B. Deploy Remote Installation Services (RIS) on two Windows Server 2003 servers having Service Pack 2 installed, one for the 64-bit server and the other for 32-bit server.
C. Deploy Windows Deployment Services (WDS) on the DHCP server.
D. Deploy Remote Installation Services (RIS) on a 64-bit Windows Server 2003 server.

Correct Answer: C
Section: Exam A
Explanation

Explanation/Reference:
To ensure the automated deployment of the new servers in minimum hardware cost in the given scenario, you need to deploy Windows Deployment Services (WDS) on the DHCP server.

You must have a working DHCP server with an active scope on the network because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing.

Reference: Installing Windows Deployment Services http://technet.microsoft.com/en-us/library/cc771670.aspx

QUESTION 15You are an Enterprise administrator for contoso.com. The corporate network of thecompany consists of a single Active Directory forest having 20 domains configured under it.

http://www.gratisexam.com/

All the domain controllers on the network run Windows Server 2008 and have the DNS roleinstalled on them. You company has decided to replace a legacy Windows Internet NameService (WINS) environment with a DNS-only environment for the name resolution.

Which of the following options would you choose to Support IPv4 and IPv6 environments,allow single-label name resolution across all domains, and minimize the amount of NetBTtraffic on the network while replacing a legacy Windows Internet Name Service (WINS)environment?

A. Configure all the DNS zones to perform a WINS forward lookup.

B. Configure all the DNS zones to replicate as part of a custom Active Directory replication partition.

C. Configure a GlobalNames zone on each domain controller.

D. Configure all the DNS zones to replicate to each DNS server in the forest.

Correct Answer: C
Section: Exam A
Explanation

Explanation/Reference:
To support IPv4 and IPv6 environments, allow single-label name resolution across all domains, and minimize the amount of NetBT traffic on the network while replacing a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment, you need to configure a GlobalNames zone on each domain controller.

The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to help organizations move away from WINS and to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for peer-to-peer name resolution.

The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all name resolution will rely on DNS. It supports a dual IPv4 and IPv6 environment and uses only DNS for name resolution.

Reference: Understanding the New GlobalNames Zone Functionality in Windows Server 2008 http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-windows-server-2008/

Reference: DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works

QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All servers on the corporate network run Windows Server 2008 and all client computers run Windows Vista. The company has an enterprise certification authority (CA).

You have been asked to install certificates automatically on each client computer and deploy the certificates to all users by using a new certificate template with a minimum amount of effort. You need to ensure that users have access to the new certificates when they log on to any client computer in the domain.

Which of the following options would you choose to accomplish the given task? (Select two. Each correct answer will form a part of the solution.)

A. Configure auto enrollment of certificates.

B. Deploy an enterprise subordinate CA.

C. Configure roaming user profiles.

D. Configure folder redirection.

E. Configure Credential Roaming.

Correct Answer: AE
Section: Exam A
Explanation

Explanation/Reference:
To ensure that users have access to the new certificates when they log on to any client computer in the domain while meeting other requirements, you need to configure auto enrollment of certificates and Credential Roaming.

The auto enrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Auto Enroll permissions for the users, groups, or computers who require auto enrollment.

With the credential roaming functionality, managed environments can now store X.509 certificates, certificate requests, and private keys specific to a user in Active Directory, independently from the profile.

The credential roaming implementation in Windows Vista and Windows Server “Longhorn” is additionally able to roam stored user names and passwords. This would ensure that users have access to the new certificates when they log on to any client computer in the domain.

With credential roaming, once a domain user chooses in a Windows authentication dialog box to cache or "remember" the current credentials, the user will have the same experience on any domain-joined computer that the user logs on to.

http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificate-autoenrollment-in-windows-server-2003.html

QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run either Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista or Windows XP SP2.

You have been assigned the task to implement Encrypting File System (EFS) for all the client computers on the network and ensure that users are able to access their EFS certificates on any client computer.

You also need to ensure that if a client computer's disk fails, the EFS certificates remain accessible and only the minimum amount of data is transferred across the network when a user logs on to or off from a client computer.

Which of the following options would you choose to accomplish the assigned task?

A. Smart cards

B. Credential roaming

C. Roaming user profiles

D. Data Recovery Agent

Correct Answer: B
Section: Exam A
Explanation

Explanation/Reference:

QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The network contains three servers that run Windows Server 2000 and a few custom applications.

The applications on these servers are incompatible with each other, incompatible with Windows Server 2008, and consume less than 10 percent of the system resources. The company has decided to update all the servers to Windows Server 2008.

As an Enterprise administrator of the company, you have been assigned the task to migrate the applications to new Windows Server 2008 servers at minimum hardware cost.

Which of the following two options would you choose to accomplish the assigned task? (Select two. Each selected option will present a part of the answer.)

A. Deploy one new server that runs Windows Server 2008 Enterprise Edition.

B. Deploy three new servers that run Windows Server 2008 Standard Edition.

C. Deploy one new server that runs Windows Server 2008 Datacenter Edition.

D. Install the Windows System Resource Manager (WSRM) feature on the new server.

E. Configure Windows 2000 compatibility mode for each application.

F. Install the Hyper-V feature on the new server. Create three child virtual machines.

G. Install the Desktop Experience feature.

Correct Answer: AF
Section: Exam A
Explanation

Explanation/Reference:
To migrate the applications to new Windows Server 2008 servers at minimum hardware cost, you need to deploy one new server that runs Windows Server 2008 Enterprise Edition, install the Hyper-V feature on the new server, and then create three child virtual machines for each application.

Application virtualization of Hyper-V feature helps isolate the application running environment from the operating system install requirements by creating application-specific copies of all shared resources and helps reduce application to application incompatibility and testing needs.

With Microsoft SoftGrid, desktop and network users can also reduce application installation time and eliminate potential conflicts between applications by giving each application a virtual environment that’s not quite as extensive as an entire virtual machine. By providing an abstracted view of key parts of the system, application virtualization reduces the time and expense required to deploy and update applications.

http://download.microsoft.com/download/4/2/b/42bea8d6-9c77-4db8-b405-6bffce59b157/WS08%20Virtualization%20Product%20Overview.doc

QUESTION 19
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain and an Active Directory site exists for each office. All the domain controllers on the network run Windows Server 2008.

You have been assigned the task to modify the DNS infrastructure in such a way that the DNS service is available even if a single server fails, the synchronization data that is sent between DNS servers is encrypted and dynamic updates are supported on all DNS servers.

Which of the following options would you choose to accomplish the given task? (Select two. Each selected option will present a part of the answer.)

A. Install the DNS server role on a domain controller in the head office and on a Read only Domain Controller (RODC) in the branch office.

B. Install the DNS server role on a domain controller in the head office and on a domain controller in the branch office.

C. Install the DNS server role on two servers. Create a primary zone on the DNS server in the head office.

D. Configure DNS to use Active Directory integrated zones.

E. Create a secondary zone on the DNS server in the branch office.

F. Install the DNS server role on two servers. Create a primary zone and a GlobalNames zone on the DNS server in the head office.

G. Create a GlobalNames zone on the DNS server in the branch office.

Correct Answer: BD
Section: Exam A
Explanation

Explanation/Reference:
To modify the DNS infrastructure in such a way that the DNS service is available even if a single server fails, you need to install the DNS server role on a domain controller in the head office and on a domain controller in the branch office and then configure DNS to use Active Directory integrated zones.

This would also ensure that the synchronization data that is sent between DNS servers is encrypted and dynamic updates are supported on all DNS servers.

DNS servers running on domain controllers can store their zones in Active Directory. In this way, it is not necessary to configure a separate DNS replication topology that uses ordinary DNS zone transfers, because all zone data is replicated automatically by means of Active Directory replication. This simplifies the process of deploying DNS and provides the following advantages:

Multiple masters are created for DNS replication. Therefore, any domain controller in the domain running the DNS server service can write updates to the Active Directory-integrated zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed.

Secure dynamic updates are supported. Secure dynamic updates allow an administrator to control which computers update which names, and prevent unauthorized computers from overwriting existing names in DNS.

Active Directory-integrated DNS in Windows Server 2008 stores zone data in application directory partitions. (There are no behavioral changes from Windows Server 2003-based DNS integration with Active Directory.)

QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the network run Windows Server 2008 and all client computers run Windows Vista.

The company plans to collaborate on a project with an external partner company called TechKing.com. The TechKing.com domain also consists of an Active Directory domain that runs Windows Server 2008 domain controllers.

You have been assigned the task to design a collaboration solution that allows the users of both the companies to prevent sensitive documents from being forwarded to untrusted recipients or from being printed.

Besides, the users of TechKing.com should be allowed to access the protected content in contoso.com to which they have been granted rights. You need to ensure that all inter-organizational traffic is sent over port 443.

Which of the following options would you choose to accomplish the desired goal with a minimum amount of administrative effort? (Select two. Each selected option will present a part of the answer.)

A. Establish a federated trust between your company and the external partner.

B. Establish an external forest trust between your company and the external partner.

C. Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active Directory Rights Management Services (AD RMS) role installed.

D. Deploy a Windows Server 2008 server that has the Active Directory Rights Management Service (AD RMS) role installed and the Windows SharePoint Services role installed.

E. Deploy a Windows Server 2008 server that has the Active Directory Certificate Services role installed. Implement Encrypting File System (EFS).

F. Deploy a Windows Server 2008 server that has the Windows SharePoint Services role installed.

Correct Answer: AC
Section: Exam A
Explanation

Explanation/Reference:
To design a collaboration solution that allows the users of both the companies to prevent sensitive documents from being forwarded to untrusted recipients or from being printed, you need to establish a federated trust between your company and the external partner. Deploy a Windows Server 2008 server that runs Microsoft Office SharePoint Server 2007 and that has the Active Directory Rights Management Services (AD RMS) role installed.

With a federation trust, you can extend Active Directory to allow for the sharing of resources securely in a B2B environment. Once the federation trust is established, authentication requests that are made to the Intranet server in the resource domain can flow through the federation trust from users who are located in the domain where the accounts are located without issue.

Active Directory Rights Management Services (AD RMS) is an information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can define who can open, modify, print, forward, or take other actions with the information.

Office SharePoint Server 2007 provides an easy way to collaborate on documents by posting them to an Office SharePoint Server 2007 site so that they can be accessed over the corporate network. The goal of integrating an Office SharePoint Server 2007 deployment with an AD RMS infrastructure is to be able to protect documents that are downloaded from the Office SharePoint Server 2007 server by users of any given organization.

http://www.windowsnetworking.com/articles_tutorials/Window-Server-2003-R2-New-Active-Directory.html

QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008. The network contains two Windows Server 2008 computers called contosoServer1 and contosoServer2 and two identical print devices.

Which of the following options would you choose to plan a print services infrastructure that would allow you to manage the print queue from a central location and make the print services available, even if one of the print devices fails?

A. Install and share a printer on contosoServer1 and enable printer pooling.

B. Create a Network Load Balancing cluster and add contosoServer1 and contosoServer2 to it and then install a printer on each node of the cluster.

C. Install and share one of the printers on contosoServer1 and the other printer on contosoServer2. Use Print Manager to install the printers on the client computers.

D. Install the Terminal Services server role on both servers. Configure Terminal Services Session Broker (TS Session Broker).

Correct Answer: A
Section: Exam A
Explanation

Explanation/Reference:
To plan a print services infrastructure that would allow you to manage the print queue from a central location and make the print services available, even if one of the print devices fails, you need to install and share a printer on contosoServer1 and enable printer pooling.

Printer pooling allows you to print to several printers at once. If you have a large print job you can submit it to the pool and the operating system will balance the load among the printers. This feature allows network administrators to configure and manage several printers as one, a process that can simplify printer administration. In addition, printer pooling provides some load-balancing. That’s because Windows 2000 Server directs print jobs to the connected printers based on jobs pending at each printer. A printer pool contains multiple printers, all configured as a single printer instance.

Reference: Configure printer pooling to simplify printer management in Windows 2000 http://articles.techrepublic.com.com/5100-10878_11-5727870.html

QUESTION 22
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run either Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

The company possesses a public key infrastructure (PKI) that consists of an offline root certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003.

You publish the certificates to the user accounts and the computer accounts in Active Directory.

Which of the following options would you choose to create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers in such a way that the certificates support Suite B hashing and encryption algorithms and private keys are stored in Active Directory, with a minimum amount of administrative effort?

A. Configure cross-certification between the CA hierarchies by creating a new PKI that uses Windows Server 2008 CAs.

B. Install a new Windows Server 2008 enterprise subordinate CA.

C. Install a new Windows Server 2008 stand-alone subordinate CA.

D. Create a new Active Directory forest and configure one-way forest trusts between the two forests by deploying a new PKI that uses Windows Server 2008 CAs.

Correct Answer: B
Section: Exam A
Explanation

Explanation/Reference:
To create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers that meets the desired requirements, you need to install a new Windows Server 2008 enterprise subordinate CA.

To use Suite B algorithms for cryptographic operations, you first need a Windows Server 2008-based CA to issue certificates that are Suite B-enabled.

Suite B algorithms such as ECC are supported only on the Windows Vista® and Windows Server 2008 operating systems. This means it is not possible to use those certificates on earlier versions of Windows such as Windows XP or Windows Server 2003.

If you already have a PKI with CAs running Windows Server 2003 or where classic algorithms are being used to support existing applications, you can add a subordinate CA on a server running Windows Server 2008, but you must continue using classic algorithms.

Reference: Cryptography Next Generation / How should I prepare to deploy this feature? http://technet.microsoft.com/en-us/library/cc730763.aspx

Exam B

QUESTION 1
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The branch office contains a Windows Server 2008 member server named BranchServer1 that has the File Services server role installed on it. Active Directory contains an organizational unit (OU) called BranchOU to keep the computer objects for the servers in the Branch office.

Besides the OU, a global group called Branch-adm also exists in AD to keep the user accounts for the administrators in the branch office. Till now, the administrators on the corporate network have managed the shared folders on the servers in the Branch office.

However, you now want to ensure that the members of Branch-adm can create shared folders on BranchServer1. Which of the following options would you choose to accomplish this task?

A. Assign Full Control permissions on the BranchOU.

B. Add the Branch-adm group to the Power Users local group on BranchServer1.

C. Create Shared Folders permissions on the BranchOU.

D. Add the Branch-adm group to the Administrators local group on BranchServer1.

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
To ensure that the members of Branch-adm can create shared folders on BranchServer1, you need to add the Branch-adm group to the Administrators local group on BranchServer1.

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION 2
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008.

The company has assigned you the task to plan a data storage solution for the company by utilizing the existing network infrastructure and ensuring that the storage space to the servers is allocated as needed. You also need to ensure the maximum performance and the maximum fault tolerance in your solution.

To begin with, you decided to deploy eight file servers on the network and connect them to Ethernet switches. Which of the following options will you include next in your plan to accomplish the desired goal? (Select two. Each selected option will present a part of the answer.)

A. Install Windows Server 2008 Datacenter Edition on each server.

B. Install Windows Server 2008 Enterprise Edition on each server.

C. Install Windows Server 2008 Standard Edition on each server.

D. Deploy the servers in a failover cluster and deploy an iSCSI storage area network (SAN).

E. Deploy the servers in a Network Load Balancing (NLB) cluster and map a network drive on each server to an external storage array.

F. Deploy the servers in a Network Load Balancing (NLB) cluster and implement RAID 5 on each server.

G. Deploy the servers in a failover cluster and deploy a Fibre Channel (FC) storage area network (SAN).

Correct Answer: AD
Section: Exam B
Explanation

Explanation/Reference:
To plan a data storage solution for the company to ensure the maximum performance and the maximum fault tolerance, you need to install Windows Server 2008 Datacenter Edition on each server and deploy the servers in a failover cluster. Next, deploy an iSCSI storage area network (SAN).

The Datacenter Edition supports both iSCSI storage and failover clustering. The failover clustering will ensure the fault tolerance. A popular SAN protocol, iSCSI allows clients to send SCSI commands to storage devices on remote servers. Unlike Fibre Channel, which requires special-purpose cabling, iSCSI can be run over long distances using existing network infrastructure.

iSCSI is a protocol that allows two hosts to send SCSI commands over a TCP/IP network. By doing this, you can use SCSI but free yourself of the limitations of traditional SCSI cabling and, instead, use your LAN to connect your SCSI PCs and Server to your SCSI storage.

iSCSI is a type of storage area network (SAN) and it is typically compared to Fibre Channel (FC) – its much more expensive competitor. With iSCSI you have a client who needs access to the storage on the server. The client uses initiator software (making it the initiator) to connect to the storage server (called the target).

http://www.windowsnetworking.com/articles_tutorials/Connect-Windows-Server-2008-Windows-Vista-iSCSI-Server.html

QUESTION 3
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain, which runs at the functional level of Windows Server 2008. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

You have been asked to design a file sharing strategy that ensures that the users in both the offices are able to access the same files using the same Universal Naming Convention (UNC) path.

The users must be able to access files even if a server fails. While designing your file sharing strategy, you need to take care that your design reduces the amount of bandwidth used to access files.

To start with, you deployed file servers on the network. Which of the following options would you choose next to accomplish this task?

A. Domain-based DFS namespace using replication

B. Stand-alone DFS namespace using replication

C. Multi-site failover cluster having two servers, one located in the head office and another in the branch office

D. Network Load Balancing cluster having two servers, one located in the head office and another in the branch office.

Correct Answer: A
Section: Exam B
Explanation

Explanation/Reference:
To design a file sharing strategy that meets the given requirements, you need to configure a domain-based DFS namespace that uses replication.

Domain-based namespaces require all servers to be members of an Active Directory domain. This environment supports automatic synchronization of DFS targets.

Domain-based DFS enables multiple replicas, which provide you with a degree of scalability. Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than overburdening a single server. This ensures that the users in both the offices are able to access the same files using the same Universal Naming Convention (UNC) path with reduced bandwidth.

Another reason for having multiple DFS replicas is that doing so provides you with a degree of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you against network link failures. The fault tolerance ensures that users are able to access files even if a server fails.

QUESTION 4
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008.

The company has four domain administrators and two support technicians, who are located in the head office and the branch office respectively.

Which of the following options would you choose to deploy a new Windows Server 2008 server in the branch office? You want to minimize the security privileges granted to the support technicians. However, you want to ensure that the support technicians are allowed to install server roles and are allowed to stop and start services.

A. Configure the restricted enrollment agent on the new Windows Server 2008 server and then create a permissions list for the support technicians.

B. Create a new organizational unit (OU) for the support technicians permission and then assign them the permissions to modify objects in the new OU. Put the new Windows Server 2008 server in the new OU.

C. Add the support technicians to the Domain Admins group.

D. Assign the support technicians to the Administrators group on the new Windows Server 2008 server.

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
"Administrators" is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company contains two Windows Server 2008 computers and two identical print devices.

Which of the following options would you choose to manage a large print job by balancing the load of print jobs on both the printers?

A. Install and share a printer on one of the servers and enable printer pooling.

B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of the cluster.

C. Install and share a printer on each server and then install the printers on the client computers using Print Manager.

D. Install the Terminal Services server role on both servers and configure Terminal Services Session Broker (TS Session Broker).

Correct Answer: A
Section: Exam B
Explanation

Explanation/Reference:
To manage a large print job by balancing the load of print jobs on both the printers, you need to install and share a printer on contosoServer1 and enable printer pooling.

Printer pooling allows you to print to several printers at once. If you have a large print job you can submit it to the pool and the operating system will balance the load among the printers.

This feature allows network administrators to configure and manage several printers as one, a process that can simplify printer administration. In addition, printer pooling provides some load-balancing. That’s because Windows 2000 Server directs print jobs to the connected printers based on jobs pending at each printer. A printer pool contains multiple printers, all configured as a single printer instance.

QUESTION 6
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The branch office contains 50 Windows Server 2008 member servers. Active Directory contains an organizational unit (OU) called BranchOU that holds the computer objects for the servers in the branch office.

A global group called Branch-adm also exists in AD and holds the user accounts for the administrators in the branch office. The administrators on the corporate network manage all the servers in the branch office.

However, you now want to ensure that the members of the Branch-adm group can stop and start services and change registry settings on the member servers of the branch office. Which of the following options would you choose to accomplish this task?

A. Assign Full Control permissions on the BranchOU to the Branch-adm group.
B. Add the Branch-adm group to the Power Users local group on each server in the Branch office.
C. Assign the Branch-adm group change permissions to the BranchOU and to all child objects.
D. Add the Branch-adm group to the Administrators local group on each server in the Branch office.

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
To ensure that the members of the Branch-adm group can stop and start services and change registry settings on the member servers of the branch office, you need to add the Branch-adm group to the Administrators local group on each server in the Branch office.

"Administrators" is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account.

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION 7
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

You plan to deploy the Server Core installation of Windows Server 2008 on 10 servers in the branch office. The servers will only be accessible by using TCP ports 80 and 443.

You need to ensure that administrators can install and administer server roles remotely and fully manage the Server Core servers remotely from their Windows Vista computers / Windows Server 2008 servers.

Which of the following options would you choose to accomplish the desired task?

A. Enable Remote Desktop Connection (RDC) on the administrator’s computers.
B. Enable Windows Remote Management (WinRM) on the administrator’s computers.
C. Use Oclist.exe on the administrator’s computers.
D. Use Ocsetup.exe on the administrator’s computers.

Correct Answer: B
Section: Exam B
Explanation

Explanation/Reference:
To ensure that administrators can install and administer server roles remotely and fully manage the Server Core servers remotely, you need to enable Windows Remote Management (WinRM) on each server.

Windows Remote Management (known as WinRM) is a handy new remote management service for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM and WinRS are very powerful new tools that Windows system administrators should learn about. With WinRM/WinRS, you can install programs, change settings, or do troubleshooting (as long as the network is up). You can even take it a step further and combine WinRS with a script to perform those tasks on a list of computers.

http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-WinRS.html

QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of 50 DNS servers that run Windows Server 2003 and client computers that run Windows Vista.

A DNS server called contosoServer1 has Adminpak.msi installed. The administrators manage the DNS servers through contosoServer1. The administrators connect to contosoServer1 through Remote Desktop Connection (RDC).

Recently, you replaced the Windows Server 2003 DNS servers with Server Core installations of Windows Server 2008 by installing the DNS server role on the Server Core installation of Windows Server 2008.

Which of the following options would you choose to administer the new DNS servers? You need to ensure that the administrators manage the DNS server role by using a Microsoft Management Console (MMC).

A. Using a Group Policy, deploy Windows PowerShell to all administrators.
B. Using a Group Policy, deploy the Windows Server 2003 Adminpak.msi file to all administrators.
C. Provide remote access to the Windows Server 2008 Server Core servers.
D. Install Remote Server Administration Tools (RSAT) to a Windows Server 2008 server and provide remote access to that server.

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
To administer the new DNS servers, you need to provide remote access to a Windows Server 2008 server that has the Remote Server Administration Tools (RSAT) installed.

RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server environment right from their desktop. RSAT also includes an updated Group Policy Management Console (GPMC), which was previously removed in Windows Vista SP1. RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to manage computers running Windows Server 2008. Because many of these tools also work for managing computers running Windows Server 2003, it is essentially “the next version” of ADMINPAK.MSI.

http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-server-administration-tools-rsat-now-available-for-windows-vista-sp1.aspx

QUESTION 9
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The network contains five Windows Server 2008 servers that host Web applications. The administrators need to manage the Web servers remotely. You need to ensure that the web developers are allowed to configure features on the Web sites. However, they should not have full administrative rights on the Web servers.

Which of the following options would you choose to accomplish the desired task?

A. On each Web server, configure the authorization rules for Web developers.
B. Add the Web developers to the Account Operators group in the domain.
C. Configure request filtering on each Web server.
D. For all Web developers, configure the security settings in Internet Explorer.

Correct Answer: A
Section: Exam B
Explanation

Explanation/Reference:
To ensure that the web developers are allowed to configure features on the Web sites without having full administrative rights on the Web servers, you need to configure authorization rules for Web developers on each Web server.

By configuring authorization rules, you can grant or deny specific computers, groups of computers, or domains access to sites, applications, directories, or files on your server. For example, suppose your intranet server hosts content that is available to all employees, in addition to content that should be viewed only by members of specific groups, such as Finance or Human Resources. By configuring URL authorization rules, you can prevent employees who are not members of those specified groups from accessing restricted content.

QUESTION 10
You are an Enterprise administrator for contoso.com. The company consists of a head office and five branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

Each branch office contains a domain controller on which the DHCP Server role is also installed. Besides this, each branch office also contains a file server and has its own branch office administrator.

You need to delegate the administration of DHCP in such a way that the branch office administrators are allowed to manage DHCP scopes for their own office. You also need to ensure that the branch office administrators are not allowed to manage the DHCP scopes in other offices.

Which of the following options would you choose to accomplish the given task with the minimum amount of administrative effort?

A. Migrate the DHCP Server server role to the file server in each branch office.
B. On each file server, add the branch office administrator to the DHCP Administrators local group.
C. Add the branch office administrators to the Network Configuration Operators domain local group in the AD domain.
D. Add the branch office administrators to the Server Operators domain local group in the AD domain.
E. Add the branch office administrators to the DHCP Administrators domain local group in the AD domain.

Correct Answer: AB
Section: Exam B
Explanation

Explanation/Reference:
To delegate the administration of DHCP so that the branch office administrators are allowed to manage DHCP scopes for their own office, you need to migrate the DHCP Server server role to the file server in each branch office.

To ensure that branch office administrators are not allowed to manage the DHCP scopes in other offices, you need to add the branch office administrator to the DHCP Administrators local group.

While members of the Domain Admins group obviously have full power to configure DHCP on the server, you can also delegate limited power to users whose job is to manage DHCP servers on your network. To do this, open Active Directory Users and Computers and add the name of the user to the DHCP Administrators domain local group.

This gives the user the ability to manage DHCP servers on your network without giving him any unnecessary authority to perform other administrative tasks, which is an example of the well-known security best practice of least privilege.

QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory (AD) domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The AD contains an organizational unit (OU) called EmployeesOU that contains all user accounts and a global group named HRAdmins that contains the accounts of the HR administrators.

You have been asked to plan for the delegation of administrative authority in such a way that the HRAdmins are allowed to create user accounts in the EmployeesOU and change the address attributes, the telephone number attributes, and the location attributes for existing user accounts. You also need to ensure that HRAdmins are not allowed to reset the passwords for the existing user accounts.

Which of the following options would you choose to accomplish the desired goal?

A. Run the Delegation of Control Wizard on the EmployeesOU.
B. Create a new OU and move the HRAdmins group to the new OU and then run the Delegation of Control Wizard on the new OU.
C. Move the HRAdmins group to the Domain Controllers OU.
D. Add the HRAdmins group to the Account Operators group.

Correct Answer: A
Section: Exam B
Explanation

Explanation/Reference:
To accomplish the desired goal, you need to run the Delegation of Control Wizard on the EmployeesOU. A Delegation wizard can be used to facilitate the delegation of administrative rights over containers within Active Directory. The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard.

The Delegation of Control Wizard provides an additional level of granularity, allowing for custom-built tasks to be assigned to specific users or groups.

QUESTION 12
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. Administrators manage the client computers and servers in the Branch office. The Branch office of the company contains a Read-only Domain Controller (RODC) named contosoServer1. A global group called Branch-admins contains the user accounts for administrators.

You have been asked to recommend a solution for delegating control of contosoServer1 in such a way that the Branch-admins group has rights on contosoServer1 only and is not allowed to modify Active Directory objects.

In addition, all the members of the Branch-admins group must be allowed to administer contosoServer1, including changing device drivers and installing operating system updates by using Windows Update.

Which of the following options would you choose to accomplish the desired task?

A. On contosoServer1, add the Branch-admins global group to the Administrators local group.
B. Add the Branch-admins global group to the Server Operators domain local group.
C. Create a new OU and move the contosoServer1 computer object to a new OU and then grant Full Control permission on the new OU to the Branch-admins group.
D. On the contosoServer1 computer object in the domain, grant Full Control permission to the Branch-admins group.

Correct Answer: A
Section: Exam B
Explanation

Explanation/Reference:
To accomplish the desired task, you need to add the Branch1-admins global group to the Administrators local group of contosoServer1.

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location. Because this account has complete access, you should be very careful about adding users to this group. To make someone an administrator for a local computer or domain, all you need to do is make that person a member of this group. Only members of the Administrators group can modify this account.

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it’s a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.

QUESTION 13
You are an Enterprise administrator for TestKing.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The Active Directory domain contains a top-level organizational unit (OU) called AccountingOU, which contains all computer and user accounts for the accounting department.

You have been asked to deploy an accounting application that can only be accessed by the accounting users. Which of the following options would you deploy to accomplish the desired task?

A. Terminal Service Session Broker (TS Session Broker) role service
B. Microsoft System Center Operations Manager (SCOM)
C. Group Policy object (GPO) for the Accounting OU
D. Windows Server Update Service (WSUS)

Correct Answer: C
Section: Exam B
Explanation

Explanation/Reference:
To deploy an accounting application that can only be accessed by the accounting users, you need to deploy a Group Policy object (GPO) for the AccountingOU.

As you may already know, in an Active Directory environment, group policies are the main component of network security. Group policy objects can be applied either to users or to computers. Deploying applications through the Active Directory is also done through the use of group policies, and therefore applications are deployed either on a per user basis or on a per computer basis.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. The AD forest is running at the functional level of Windows Server 2008.

The forest contains two domains named contoso.com and na.contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The domain na.contoso.com contains an organizational unit (OU) called SecurityOU and the domain contoso.com contains a user called Ben.

You have been asked to assign administrative rights to Ben so that he can manage Group Policies for the SecurityOU. While assigning administrative rights, you need to ensure that Ben is granted the least administrative rights necessary to create and configure Group Policies in na.contoso.com and link Group Policies to the SecurityOU.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each selected option will present a part of the answer.)

A. Run the Delegation of Control Wizard on na.contoso.com.
B. Run the Delegation of Control Wizard on the SecurityOU.
C. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the contoso.com domain.
D. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the na.contoso.com domain.
E. Add User1 to the Group Policy Creator Owners group in contoso.com.
F. Add User1 to the Administrators group for na.contoso.com.
G. Modify the permissions on the SecurityOU.

Correct Answer: BD
Section: Exam B
Explanation

Explanation/Reference:
To ensure that Ben is granted the least administrative rights necessary to create and configure Group Policies in na.contoso.com and link Group Policies to the SecurityOU, you need to run the Delegation of Control Wizard on the SecurityOU and, in the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the na.contoso.com domain.

A Delegation wizard is used to facilitate the delegation of administrative rights over containers within Active Directory. Therefore it needs to be run on the SecurityOU. The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard.

The Delegation of Control Wizard provides an additional level of granularity, allowing for custom-built tasks to be assigned to specific users or groups.

QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. The forest contains a root domain and two child domains named la.contoso.com and na.contoso.com.

All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The company has a corporate policy according to which all local guest accounts must be renamed and disabled and all the local administrator accounts must be renamed.

Which of the following options would you choose to implement the company’s policy?

A. On each domain, implement a GPO.
B. On the root domain, implement a GPO.
C. On the root domain controllers, deploy AD RMS.
D. On all domain controllers in each domain, deploy NPAS.

Correct Answer: A
Section: Exam B
Explanation

Explanation/Reference:
To deploy the corporate policy of the company that states that all the local administrator accounts must be renamed and all the local guest accounts must be renamed and disabled, you need to implement a Group Policy object (GPO) for each domain.

You can change the administrator account and guest account names by using Group Policy in Windows Server 2003. This may be useful if you want to change the name of the administrator or guest user accounts to minimize the chance of misuse of these accounts.

QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008.

The company has a corporate policy according to which a legal notice should appear when any user logs on to the domain. Which of the following options would you choose to enforce the corporate policy by using the minimum amount of administrative effort?

A. Run the Delegation of Control Wizard for the domain and modify the Default Domain Controller policy.
B. Run the Delegation of Control Wizard for the domain and configure the Local Computer policy on a reference computer.
C. Create a new organizational unit (OU), place all computer accounts in the new OU, and then run the Delegation of Control Wizard for the new OU.
D. Create, link and enforce a new GPO to the domain.

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
To enforce the corporate policy by using the minimum amount of administrative effort, you need to create a GPO and link the GPO to the domain and then configure the GPO to be enforced. Group policy settings are an integral part of any Windows-based IT environment. The number of desktop lockdown settings available to group policy administrators is enormous. They can prevent you from doing anything from changing your desktop appearance and start menu to running certain applications.

http://blogs.technet.com/markrussinovich/archive/2005/04/30/circumventing-group-policy-settings.aspx

QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers and the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista.

You have been assigned the task to generate a monthly report on the status of software updates for the client computers. Your report should display all the updates, including operating system and Microsoft application updates, that are installed successfully. Your report should also display all the updates, including operating system and Microsoft application updates, that failed to install. You need to do this with the minimum amount of administrative effort and at minimum cost.

Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the solution.)

A. Install Microsoft System Center Essentials (Essentials) 2007.
B. Install Microsoft System Center Configuration Manager (SCCM) 2007.
C. Install Windows Software Update Services (WSUS) 3.0.
D. Deploy management agents on all client computers.
E. Configure Windows Update by using a Group Policy object (GPO).
F. Deploy Microsoft Baseline Security Analyzer (MBSA) 2.1 on the client computers.
G. Run MBSA on each client computer, and save the report to a shared folder on the network.

Correct Answer: CE
Section: Exam B
Explanation

Explanation/Reference:
To generate the desired reports, you need to install Windows Software Update Services (WSUS) 3.0 and configure Windows Update by using a Group Policy object (GPO).

The easiest way to configure automatic updates is through the group policy, in environments where this is possible. If group policies (AD) are not available, you can use the registry file which has to be deployed to every machine. This registry file, or group policy template if you’re using Active Directory, enables advanced features available with the new WSUS client.

Reports can be easily generated, but unfortunately only the WSUS server administrator can generate them. ITSS can generate reports per groups, so if your clients are properly configured to report their group, you can ask ITSS to schedule generation of reports for your groups.

You can also define the criteria of the report, so some events can be filtered. The criteria define status of updates for machines, so the following can be used:

Installed – lists updates which have been successfully installed on the client machines.
Needed – lists updates which are needed, but have not been installed yet.
Not needed – lists updates which are available on the server, but are not needed for this particular client.
Unknown – lists updates with unknown status.
Failed – lists updates which were downloaded by the client, but whose installation failed.

QUESTION 18
You are an Enterprise administrator for contoso.com. The company has a head office and two branch offices. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

A server on the corporate network of the company runs Windows Server Update Services (WSUS) and distributes updates to all computers on the internal network. The WSUS server is configured to store updates locally.

The branch offices connect to the head office by using a dedicated WAN link. You need to design a patch management strategy for the corporate network that would ensure that the branch offices get updates from the head office. However, the WSUS updates must be approved independently for each branch office without increasing the Internet traffic too much.

Which of the following options would you choose to accomplish the desired task?

A. For each branch office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs.
B. In each branch office, install a WSUS server.
C. Configure each branch office WSUS server as a replica of the main office WSUS server.
D. Configure each branch office WSUS server as an autonomous server.
E. Configure different schedules to download updates from the main office WSUS server to the client computers in each branch office.
F. Configure each branch office WSUS server to use the main office WSUS server as an upstream server.

Correct Answer: BF
Section: Exam B
Explanation

Explanation/Reference:
To design a patch management strategy for the corporate network that would ensure that the branch offices would get updates from the head office, you need to install a WSUS server in each branch office and configure each branch office WSUS server to use the head office WSUS server as an upstream server.

A WSUS hierarchy supports two modes, autonomous mode (which we will discuss later) and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server on which an administrator has to manually configure computer groups and update approvals. All information downloaded and configured on an upstream server is replicated directly to all of the devices configured as downstream servers. Using this method you will save a great deal of bandwidth, as only one computer is constantly updating from the Internet. More importantly, however, you will save a considerable amount of time since you are now managing only one server from a software standpoint.

Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves.

http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The File Server role is installed on 10 servers in the domain. You have been asked to monitor the file servers and ensure that the Administrators are able to create reports that display folder usage by different Active Directory groups, receive automatic e-mail notifications if any volume has less than 500 MB of free space, and enforce the file storage quotas.

How would you configure each file server to accomplish the desired task?

A. Configure Windows System Resource Manager (WSRM) feature and Event Subscriptions
B. Configure NTFS quotas and Event Viewer tasks
C. Configure NTFS quotas and Performance Monitor alerts
D. Configure the File Server Resource Manager (FSRM) role service and Quota Management and Storage Reports Management

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server 2008. You can use FSRM to enhance your ability to manage and monitor storage activities on your file server.

The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event Log Integration, E-mail Notifications, and Automated Scripts.

You can use FSRM to limit the size of a folder to 2 GB and log an event when the quota limit is reached, or to e-mail an administrator whenever a specific folder reaches 85% of its specified quota. Besides, you can create a File Screen to prevent users from saving video/audio files to a share and send notifications when users attempt to do that, and schedule and publish periodic storage reports that show how much space is being used by each user. You can also use it to automatically execute a script when a folder size exceeds 500 MB to clean up stale data in the folder.

http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-server-resource-manager.aspx

QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. All the servers in the forest run Windows Server 2008 and all client computers run Windows Vista.

You have been assigned the task to monitor the performance of the servers of the sales department of the company, which consists of 600 Windows Server 2008 servers.

You need to generate alerts when the average processor usage is higher than 90 percent for 20 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload.

Which of the following options would you choose to accomplish the desired task?

A. Use Microsoft System Center Configuration Manager (SCCM).
B. Use Windows System Resource Manager (WSRM).
C. Use Microsoft Windows Reliability and Performance Monitor.
D. Use Microsoft System Center Operations Manager (SCOM).

Correct Answer: D
Section: Exam B
Explanation

Explanation/Reference:
To generate alerts when the average processor usage is higher than 90 percent for 20 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload, you need to deploy Microsoft System Center Operations Manager (SCOM).

System Center Operations Manager 2007 (SCOM 2007) is a new version of Microsoft Operations Manager 2005 (MOM). It is an end-to-end service monitoring solution that lets you monitor clients, events, services, applications, and network devices rather than just servers. It provides integration with Active Directory for user authentication and agent discovery. It provides Active Directory integration, service-oriented monitoring, self-tuning thresholds, enhanced reporting, Windows computer monitoring and much more.

http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-love-and-hate.aspx

QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista Service Pack 1. The corporate network is connected to the Internet through a firewall.

Which of the following options would you choose to allow remote access to the servers on your network while ensuring that all the remote connections and all remote authentication attempts to the servers are encrypted?

You also need to ensure that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall.

A. Point-to-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE)
B. Microsoft Secure Socket Tunneling Protocol (SSTP)
C. Internet Protocol security (IPsec) and network address translation traversal (NAT-T)
D. Internet Protocol security (IPsec) and certificates

Correct Answer: B
Section: Exam B
Explanation

Explanation/Reference:
To allow remote access to the servers on your network while ensuring that all the remote connections and all remote authentication attempts to the servers are encrypted, and to ensure that only inbound connections to TCP port 80 and TCP port 443 are allowed on the firewall, you need to install Microsoft Secure Socket Tunneling Protocol (SSTP). The Microsoft Secure Socket Tunneling Protocol (SSTP) is a mechanism to transport data-link layer (L2) frames on a Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) connection. The protocol currently supports only the Point-to-Point Protocol (PPP) link layer.

The SSTP server directly accepts the HTTPS connection, which is similar to a virtual private network (VPN) server positioned on the edge of a network. The Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate is deployed on the SSTP server.

Reference: The Cable Guy The Secure Socket Tunneling Protocol SSTP in Windows http://technet.microsoft.com/en-us/magazine/cc162322.aspx

QUESTION 22
You are an Enterprise administrator for contoso.com. The corporate network of the company is configured with a perimeter network as shown in the exhibit:

The company uses an enterprise certification authority (CA) and a Microsoft Online Responder on the internal network.

Which of the following options would you choose to implement a secure method for Internet users to verify the validity of individual certificates with the use of minimum network bandwidth? (Select two. Each correct answer will form a part of the answer.)

A. Install a stand-alone CA on a server on the perimeter network.
B. Deploy a subordinate CA on the perimeter network.
C. Install Network Device Enrollment Service (NDES) on a server on the perimeter network.
D. Install a Network Policy Server (NPS) on a server on the perimeter network.
E. Redirect authentication requests to a server on the internal network.
F. Install IIS on a server on the perimeter network.
G. Configure IIS to redirect requests to the Online Responder on the internal network.

Correct Answer: FG
Section: Exam B
Explanation

Explanation/Reference:
To implement a secure method for Internet users to verify the validity of individual certificates with the use of minimum network bandwidth, you need to install IIS on a server on the perimeter network and configure IIS to redirect requests to the Online Responder on the internal network.

Windows Vista and the Windows Server 2008 operating system will natively support both CRL and Online Certificate Status Protocol (OCSP) as a method of determining certificate status. The OCSP support includes both the client component as well as the Online Responder, which is the server component.

The Online Responder Web proxy cache represents the service interface for the Online Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI) extension hosted by Internet Information Services (IIS).

When an application performs a certificate evaluation, the validation is performed on all certificates in that certificate’s chain. This includes every certificate from the end-entity certificate presented to the application to the root certificate. OCSP is an online process and is designed to respond to single certificate status requests.

Reference: Online Responder Installation, Configuration, and Troubleshooting Guide http://technet.microsoft.com/en-us/library/cc770413.aspx

Exam C

QUESTION 1
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network consists of a server called contosoServer1 that has the Terminal Services role installed. You need to monitor contosoServer1 and prevent users from consuming more than 15 percent of the CPU resources in a day.

You also need to ensure that administrators are not limited in the amount of CPU resources that they can consume. Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. Configure Reliability and Performance
B. Create user-defined Data Collector Set
C. Configure session policies
D. Implement Windows System Resource Manager (WSRM)
E. Configure user policies
F. Create an Event Trace Session Data Collector Set

Correct Answer: DE
Section: Exam C
Explanation

Explanation/Reference:
To monitor contosoServer1 and prevent users from consuming more than 15 percent of the CPU resources in a day, you need to implement Windows System Resource Manager (WSRM), and configure user policies.

Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities.

WSRM enables a system administrator to set CPU and memory allocation policies on applications (this includes selecting processes to be managed and setting resource usage targets or limits), manage CPU utilization (percent CPU in use), limit the process working set size (physical resident pages in use), apply policies to users or groups on a Terminal Services application server, apply policies on a date/time schedule, and much more.

WSRM maintains an updatable exclusion list of processes that shouldn’t be managed because of the negative system impact such management could create. WSRM also applies limits to process working set size and committed memory consumption. WSRM does not manage address windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.

QUESTION 2
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network consists of a server called contosoServer1 that has the Windows SharePoint Services (WSS) role installed. The server hosts 30 SharePoint sites.

You have been asked to optimize the performance of contosoServer1 by allocating an equal amount of system resources to each SharePoint site when CPU utilization exceeds 70 percent. Which of the following options would you choose to accomplish the given task? (Select Two. Each correct answer will present a part of the answer.)

A. Configure each SharePoint site to use a separate application pool.
B. Configure each SharePoint site to use a separate IP address.
C. Implement Windows System Resource Manager (WSRM).
D. Implement File Server Resource Manager (FSRM).

Correct Answer: AC
Section: Exam C
Explanation

Explanation/Reference:
To optimize the performance of contosoServer1 by allocating an equal amount of system resources to each SharePoint site when CPU utilization exceeds 70 percent, you need to configure each SharePoint site to use a separate application pool and implement Windows System Resource Manager (WSRM).

Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. WSRM enables a system administrator to manage CPU utilization (percent CPU in use), limit the process working set size (physical resident pages in use) and set CPU and memory allocation policies on applications. This includes selecting processes to be managed, and setting resource usage targets or limits.

WSRM maintains an updatable exclusion list of processes that shouldn’t be managed because of the negative system impact such management could create. WSRM also applies limits to process working set size and committed memory consumption. WSRM does not manage address windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.

QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

You need to plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an e-mail notification is sent to an administrator if an application error occurs on any of the servers by using the minimum amount of administrative effort.

Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. On all servers, create event subscriptions for one server.
B. On one server, create event subscriptions for each server.
C. On one server, create an Event Trace Sessions Data Collector Set.
D. On all servers, attach a task for the application error events.
E. On the server, attach tasks to the application error events.
F. On the servers, create a System Performance Data Collector Set.
G. On the server, configure the report settings for the new Data Collector set.

Correct Answer: BE
Section: Exam C
Explanation

Explanation/Reference:
To plan a monitoring solution for 200 Windows Server 2008 servers and ensure that an e-mail notification is sent to an administrator if an application error occurs on any of the servers by using the minimum amount of administrative effort, you need to create event subscriptions for each server on one server and attach tasks to the application error events.

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

QUESTION 4
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains 1,000 client computers that are connected to managed switches. You have been asked to ensure that users on the corporate network are unable to bypass network access restrictions and only client computers that have up-to-date service packs and anti-malware software installed can access the network.

Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. Implement Network Access Protection (NAP)
B. Implement a Network Policy Server (NPS)
C. Use 802.1x enforcement
D. Use DHCP enforcement.
E. Enable IPsec on the domain controllers.
F. Enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed switches.

Correct Answer: AC
Section: Exam C
Explanation

Explanation/Reference:
To ensure that users on the corporate network are unable to bypass network access restrictions and only client computers that have up-to-date service packs and anti-malware software installed can access the network, you need to implement Network Access Protection (NAP) that uses 802.1x enforcement.

Network Access Protection (NAP) is one of the most desired and highly anticipated features of Windows Server 2008. NAP is a new platform and solution that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection.

Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant. The validation and enforcement features of NAP can be integrated with software from other vendors or with custom programs.

Note: NAP is not designed to protect a private network from malicious users. It is designed to help administrators maintain the system health of the computers on a private network. NAP is used in conjunction with authentication and authorization of network access, such as using IEEE 802.1X for wireless access.

QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains three Network Policy Server (NPS) servers that are configured as Remote Authentication Dial-In User Service (RADIUS) servers. The servers are named contosoServer1, contosoServer2, and contosoServer3.

The network also contains 30 wireless access points that are configured as RADIUS clients. Which of the following options would you choose to audit all access to the wireless access points?

You need to ensure, at minimum cost, that the audit data is stored at a central location and that all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.

Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. Install Microsoft SQL Server 2005 Standard Edition on contosoServer1.
B. Audit for account logon events on the domain controllers.
C. Audit for logon events on the NPS servers.
D. Configure RADIUS accounting by using local file logging on each server.
E. Configure RADIUS accounting by using SQL logging on each server and use contosoServer1 as the data source.
F. Configure RADIUS authentication.
G. Forward all events from contosoServer2 and contosoServer3 to contosoServer1.
H. Store the log files in an Internet Authentication Service (IAS) format on a shared folder on contosoServer1.

Correct Answer: DH
Section: Exam C
Explanation

Explanation/Reference:
To ensure, at minimum cost, that the audit data is stored at a central location and that all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to configure RADIUS accounting by using local file logging on each server, and store the log files in an Internet Authentication Service (IAS) format on a shared folder on contosoServer1.

Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.

When you create a new RADIUS client or modify the settings of an existing RADIUS client from the RADIUS Clients node of the Network Policy Server snap-in, there is a "RADIUS client is NAP-capable" check box. When this check box is selected, the NPS service sends NAP-specific RADIUS vendor-specific attributes (VSAs) in the Access-Accept message. When this check box is not selected, the NPS service does not send NAP-specific RADIUS VSAs in the RADIUS Access-Accept message.

QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the servers and domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains three Network Policy Server (NPS) servers that are configured as Remote Authentication Dial-In User Service (RADIUS) servers. The servers are named contosoServer1, contosoServer2, and contosoServer3. contosoServer1 runs Microsoft SQL Server 2005.

The network also contains 30 wireless access points that are configured as RADIUS clients. Which of the following options would you choose to audit access to the wireless access points?

You need to ensure that the audit data is stored at a central location in a format that is simple to query and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded.

Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. Audit for account logon events on the domain controllers
B. Configure RADIUS accounting by using SQL logging on each server
C. Use contosoServer1 as the database for RADIUS accounting
D. Forward all security events from the NPS servers to contosoServer1
E. Audit for logon events on the NPS servers
F. Forward all security events from contosoServer2 and contosoServer3 to contosoServer1

Correct Answer: BC
Section: Exam C
Explanation

Explanation/Reference:
To ensure that the audit data is stored at a central location in a format that is simple to query and all RADIUS attributes and all RADIUS vendor-specific attributes are recorded, you need to configure RADIUS accounting by using SQL logging on each server, and use contosoServer1 as the database for RADIUS accounting.

The Internet Authentication Service (IAS) in Microsoft Windows Server is the Microsoft implementation of a RADIUS server and proxy server. As a RADIUS server, IAS performs centralized authentication, authorization, and accounting (AAA) of various types of network connections. As a RADIUS proxy server, IAS can forward RADIUS requests to another RADIUS server for AAA.

IAS can log to text logs or Microsoft SQL Server databases. Text-based logging of RADIUS authentication and accounting information is disabled by default in IAS.

You need to use contosoServer1 as the database for RADIUS accounting because SQL Server is installed on contosoServer1.

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/PGCH05.mspx?mfr=true

QUESTION 7
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run either Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

The network contains five Windows Server 2003 servers that have the Terminal Server component installed and a firewall server that runs Microsoft Internet Security and Acceleration (ISA) Server 2006.

You have been assigned the task of creating a remote access strategy for the terminal server users and ensuring that access to the network is restricted to specific users only. You also need to ensure that only the minimum number of ports is opened on the firewall and all remote connections to the terminal servers are encrypted.

Which of the following options would you choose to accomplish the desired task? (Select Two. Each correct answer will present a part of the answer.)

A. Implement port forwarding on the ISA Server.
B. Implement SSL bridging on the ISA Server.
C. Require authentication on all inbound connections to the ISA Server.
D. Upgrade a Windows Server 2003 server to Windows Server 2008.
E. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services connection authorization policy (TS CAP) on the server.
F. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS RAP) on the server.

Correct Answer: DE
Section: Exam C
Explanation

Explanation/Reference:
To create a remote access strategy with desired requirements for the terminal server users, you need to implement the Terminal Services Gateway (TS Gateway) role, and configure a Terminal Services connection authorization policy (TS CAP). For this you need to upgrade a Windows Server 2003 server to Windows Server 2008.

The TS Gateway feature is available in Windows Server 2008. It allows connections to internal terminal servers and RDP-enabled machines from the outside, but unlike the term “gateway” used in the previous scenario, the Windows Server 2008 TS Gateway is a dedicated terminal server using a specific service role called TS Gateway. This enables the external vendors to connect to it via SSL, pass a certain authentication process and policy evaluation, and only if allowed, it passes the RDP traffic to specified internal machines. These machines return the required data, and the TS Gateway then encrypts the data with SSL and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-based encryption, which easily passes through most firewalls without the need to open specific ports.

For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services connection authorization policies (TS CAPs) specify who can connect to the TS Gateway server. The use of TS CAP will ensure that the access of the network is restricted to specific users only.

http://www.petri.co.il/creating-secure-auditable-remote-access-management-environment-windows-server-security.htm
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part2.html

QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The domain has 100 servers and 5,000 client computers. You have been assigned the task of recommending an application deployment strategy for the network. While designing the strategy, you need to ensure that application deployments are scheduled to occur after office hours and are only deployed to the client computers that meet the minimum hardware requirements. In addition, detailed reports on the success or failure of the application deployments must be generated. Which of the following options would you choose to accomplish the desired goal?

A. Use Microsoft System Center Operations Manager (SCOM) 2007
B. Use Microsoft System Center Configuration Manager (SCCM) 2007
C. Use Windows Software Update Services (WSUS)
D. Deploy applications by using Group Policy

Correct Answer: B
Section: Exam C
Explanation

Explanation/Reference:
To recommend an application deployment strategy for the network, you need to implement Microsoft System Center Configuration Manager (SCCM) 2007. System Center Configuration Manager 2007 is the next version of Systems Management Server (SMS) 2003. Configuration Manager 2007 contributes to a more effective IT department by enabling secure and scalable operating system and application deployment and desired configuration management, enhancing system security, and providing comprehensive asset management of servers, desktops, and mobile devices. SCCM 2007's new maintenance, configuration-tracking and updated reporting features make it a must-have for large Windows sites. SCCM sports a new feature called Maintenance Windows that lets administrators schedule the best day and time for patches and updates for specific sets of computers and servers.

QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The servers on the network have the Terminal Services role enabled.

You have been assigned the task of deploying a new line-of-business application to all client computers and ensuring that users can access the application from an icon on their desktops, even when they are not connected to the network.

Which of the following options would you choose to accomplish the desired task?

A. Publish the application as a TS RemoteApp.
B. Assign the application to the terminal server by using a Group Policy object (GPO).
C. Publish the application by using TS Web Access.
D. Assign the application to all client computers by using a Group Policy object (GPO).

Correct Answer: D
Section: Exam C
Explanation

Explanation/Reference:
There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. You can only publish applications to users, but you can assign applications to either users or to computers.

Assigning an application is a group policy action, so the assignment won’t take effect until the next time that the computer is rebooted. When the user does log in, they will see that the new application has been added to the Start menu and/or to the desktop. The deployment process actually installs the application rather than just the application’s icon.

You need to assign the application to all client computers and not to the terminal server because the application icon will be available to users only when it is installed on their client computers and not on terminal servers.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains five servers on which the Terminal Services role is installed. You have been assigned the task of creating a Terminal Services server farm and ensuring that new users are automatically connected to the terminal server that has the fewest active sessions.

You also need to ensure that the disconnected users are redirected to the server that contains their previous session. Which of the following options would you choose to accomplish the given task?

A. Use Terminal Services Session Broker (TS Session Broker)
B. Use Round-robin DNS
C. Use Terminal Services Gateway (TS Gateway)
D. Use Network Load Balancing (NLB)

Correct Answer: A
Section: Exam C
Explanation

Explanation/Reference:
To create a Terminal Services server farm with given requirements, you need to use Terminal Services Session Broker (TS Session Broker).

Terminal Services Session Broker (TS Session Broker) is a role service in Windows Server 2008 that enables a user to reconnect to an existing session in a load-balanced terminal server farm. Additionally, Windows Server 2008 includes the new TS Session Broker Load Balancing feature. This feature enables you to distribute the session load between servers in a load-balanced terminal server farm.

TS Session Broker stores session state information that includes session IDs and their associated user names, and the name of the server where each session resides. In the second phase, the terminal server where the initial connection was made redirects the user to the terminal server that was specified by TS Session Broker. The redirection behavior is as follows: A user with an existing session will connect to the server where their session exists. A user without an existing session will connect to the terminal server that has the fewest sessions.

QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and use internal storage only, and all client computers run Windows Vista.

The network contains a file server. You have been assigned the task to deploy a client/server application at minimum cost in such a way that it is available even if a single server fails.

Which of the following features would you deploy to accomplish the desired task?

A. Terminal Services RemoteApp (TS RemoteApp)
B. Failover cluster that uses Node and File Share Disk Majority
C. Distributed File System (DFS) that uses replication
D. Failover cluster that uses No Majority: Disk Only

Correct Answer: B
Section: Exam C
Explanation

Explanation/Reference:
To deploy a client/server application at minimum cost in such a way that it is available even if a single server fails, you need to deploy a failover cluster that uses Node and File Share Disk Majority.

The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the cluster configuration) or witness file share. It is essential that the cluster stop running if too many failures occur or if there is a problem with communication between the cluster nodes.

Node and Disk Majority (recommended for clusters with an even number of nodes) can sustain failures of half the nodes (rounding up) if the witness disk remains online. For example, a six node cluster in which the witness disk is online could sustain three node failures. It can sustain failures of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a six node cluster with a failed witness disk could sustain two (3-1=2) node failures.

Node and File Share Majority (for clusters with special configurations) works in a similar way to Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share.

Note: If you use Node and File Share Majority, at least one of the available cluster nodes must contain a current copy of the cluster configuration before you can start the cluster. Otherwise, you must force the starting of the cluster through a particular node.

QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains five Windows Server 2008 servers that have the Terminal Server component installed.

You have been assigned the task to create a remote access strategy for the terminal server users and ensure that the remote users can access only specific resources on the internal network. You also need to ensure that all remote connections to the terminal servers are encrypted.

Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the answer.)

A. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS RAP) on the server.
B. Require authentication on all inbound connections to the Server.
C. Upgrade a Windows Server 2003 server to Windows Server 2008.
D. Configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services connection authorization policy (TS CAP) on the server.
E. Configure TS Gateway server to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate.

Correct Answer: AE
Section: Exam C
Explanation

Explanation/Reference:
To create a remote access strategy for the terminal server users and ensure that the remote users can access only specific resources on the internal network, you need to configure the Terminal Services Gateway (TS Gateway) role and a Terminal Services resource authorization policy (TS RAP) on the server. You also need to configure the TS Gateway server to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate.

TS Gateway allows connections to internal terminal servers and RDP-enabled machines from the outside. For remote clients to successfully connect to internal network resources (computers) through a Terminal Services Gateway (TS Gateway) server, the TS Gateway server must be configured correctly. The TS Gateway server must be configured to use an appropriate Secure Sockets Layer (SSL)-compatible X.509 certificate, and authorization policy settings must be configured correctly. Terminal Services resource authorization policies (TS RAPs) specify the internal network resources that clients can connect to through a TS Gateway server.

TS Gateway enables external vendors to connect to it via SSL and pass a certain authentication process and policy evaluation; only if the connection is allowed does it pass the RDP traffic to the specified internal machines.

These machines return the required data, and the TS Gateway then encrypts the data with SSL and passes it back to the remote user. The benefits in this scenario include the ability to use SSL-based encryption.

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-Services-Gateway-Part2.html

QUESTION 13
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The servers on the network have the Terminal Services role enabled.

The Active Directory has two organizational units (OU) configured. One, called UserOU, is for all the user accounts, and the other, called ClientsOU, is for all the client computer accounts.

You have been assigned the task to deploy a new application on the network and ensure that users access the application from an icon on the Start menu. Besides, you need to ensure that the application is available to remote users when they are offline.

Which of the following options would you choose to accomplish the desired task?

A. Publish the application to users in the ClientsOU as a TS RemoteApp.
B. Assign the application to computers in the UsersOU by using a Group Policy object (GPO).
C. Publish the application to users in the UsersOU by using a Group Policy object (GPO).
D. Assign the application to computers in the ClientsOU by using a Group Policy object (GPO).

Correct Answer: D
Section: Exam C
Explanation

Explanation/Reference:
To deploy a new application on the network and ensure that users access the application from an icon on the Start menu, you need to assign the application to computers in the ClientsOU by using a Group Policy object (GPO).

There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. You can only publish applications to users, but you can assign applications to either users or to computers.

Assigning an application is a group policy action, so the assignment won’t take effect until the next time that the computer is rebooted. When the user does log in, they will see that the new application has been added to the Start menu and/or to the desktop. You need to assign the application to computers in the ClientsOU to link it to the computer rather than to the user. Assigning an application to a computer also differs from user assignments in that the deployment process actually installs the application rather than just the application’s icon. So the application is available to users in the ClientsOU even when they are offline.

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains five servers that form a Terminal Services server farm on the network. You have been assigned the task to ensure that the session load is equally distributed between the servers in a terminal server farm.

Which of the following options would you choose to accomplish the given task?

A. Implement Terminal Services Session Broker (TS Session Broker) feature
B. Use Round-robin DNS Feature
C. Use Terminal Services Gateway (TS Gateway) Feature
D. Implement Network Load Balancing (NLB) Feature
E. Implement TS Session Broker Load Balancing Feature

Correct Answer: E
Section: Exam C
Explanation

Explanation/Reference:
To ensure that the session load is equally distributed between the servers in a terminal server farm, you need to implement the TS Session Broker Load Balancing feature.

Windows Server 2008 includes the new TS Session Broker Load Balancing feature that enables you to distribute the session load between servers in a load-balanced terminal server farm.

QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to provide users of the network a collaboration solution that would allow them to remotely access the files by using a Web browser? They should be provided full-text indexing of all user content and secure access to the files by assigning permissions. Besides, support for the addition of more Web servers based on company growth should also be available.

Which of the following options would you choose to accomplish the desired task?

A. The Application Server role
B. Microsoft System Center Operations Manager (SCOM)
C. The Web Server role
D. The Terminal Services Server role
E. Microsoft Office SharePoint Server 2007

Correct Answer: E
Section: Exam C
Explanation

Explanation/Reference:
To provide users of the network a collaboration solution that meets the given requirements, you need to use Microsoft Office SharePoint Server 2007.

Microsoft Office SharePoint Server 2007 is a new server program that is part of the 2007 Microsoft Office system. Your organization can use Office SharePoint Server 2007 to facilitate collaboration, provide content management features, implement business processes, and supply Microsoft delivers a best-of-breed collaborative infrastructure that gives end users the tools to easily create their own workspaces and share assets across teams, departments, and organizations while maintaining IT control.

In Office SharePoint Server 2007, content management is divided into three categories:
document management
records management
Web content management

Collect and validate information by using browser-based forms: when you design form templates with Office InfoPath 2007 and deploy them to an Office SharePoint Server 2007 site, you can enable a setting that allows users to fill out forms by using a Web browser. That is because Office SharePoint Server 2007 employs InfoPath Forms Services technology, which, in addition to enabling the deployment of browser-based forms, provides a central location to store and manage form templates for your organization.

When you publish a form template to an Office SharePoint Server 2007 site, you can distribute it not just on your corporate intranet, but also on external Web sites, such as extranet sites or corporate Web sites.

Search in Office SharePoint Server 2007 provides new keyword syntax, including support for implicit industry standards for full text and property-based searching.

Administration of security has also been greatly enhanced. Administrators can create user “roles” that determine the kind of information that can be viewed by users during a search. This access control can be broad or granular, as defined by the corporation. All of these tasks are administered through the Central Administration and SharePoint Services Portal interfaces, making security administration more usable and efficient.

QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers and the domain controllers in the domain run Windows Server 2008 and all client computers run Windows XP Service Pack 2.

The network contains 10 servers and 500 client computers. One of the servers has Terminal Services installed. You have been assigned the task to deploy a new line-of-business application and enable the desktop themes, which is a requirement of the application.

Your deployment strategy must only allow authorized users to access the application from any client computer, with minimum changes to the client computers and at minimum software cost.

Which of the following options would you choose to accomplish the desired task?

A. Upgrade all client computers to Windows Vista.
B. Deploy the Remote Desktop Connection (RDC) 6.0 software to the client computers.
C. Use Group Policy object (GPO) to deploy the application to all client computers.
D. Use Group Policy object (GPO) to deploy the application to the authorized users.
E. Enable the Desktop Experience feature on the terminal server and install the application on the terminal server.
F. Install the application on the terminal server and implement Terminal Services Session Broker (TS Session Broker).

Correct Answer: BE
Section: Exam C
Explanation

Explanation/Reference:
To deploy a new line-of-business application with the given requirements, you need to deploy the Remote Desktop Connection (RDC) 6.0 software to the client computers. Enable the Desktop Experience feature on the terminal server. Install the application on the terminal server.

Due to lower maintenance costs, many companies prefer to install their LOB applications on a terminal server and make these applications available through RemoteApps or Remote Desktop. Single sign-on makes it possible to give users a better experience by eliminating the need for users to enter credentials every time they initiate a remote session.

Remote Desktop Connection (RDC) 6.0 and RDC 6.1 reproduce the desktop that exists on the remote computer on the user’s client computer. To make the remote computer look and feel more like the user’s local Windows Vista desktop experience, you can install the Desktop Experience feature on your Windows Server 2008 terminal server. Desktop Experience installs features of Windows Vista, such as Windows Media Player 11, desktop themes, and photo management.

QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista Service Pack 1.

Some employees of the company use laptop computers and work remotely from home. You have been assigned the task to suggest a data provisioning infrastructure to secure sensitive files on the network from being accessed by unauthorized remote users.

In your plan you need to ensure that the sensitive files are stored in an encrypted format and are encrypted while they are transmitted over the Internet. They should, however, be accessible by remote users over the Internet.

Which of the following options would you choose to accomplish the desired goal?

A. Deploy a Windows SharePoint Services site that can be accessible to remote users by using a Secure Socket Transmission Protocol (SSTP) connection.
B. Use Encrypting File System (EFS) to encrypt the folders that store sensitive files. Use Secure Socket Transmission Protocol (SSTP) to allow access to files to remote users.
C. Configure a Network Policy and Access Server (NPAS) to act as a VPN server. Use IPsec connection to the VPN server to allow access to files to remote users.
D. Deploy two Windows SharePoint Services sites, one site for internal users and other site for remote users. Publish the SharePoint sites by using HTTPS.

Correct Answer: B
Section: Exam C
Explanation

Explanation/Reference:
To ensure that the sensitive files are stored in an encrypted format and are encrypted while they are transmitted over the Internet, you need to store all sensitive files in folders that are encrypted by using Encrypting File System (EFS). Require remote users to access the files by using Secure Socket Transmission Protocol (SSTP).

Microsoft EFS allows users to store confidential information on a computer when people who have physical access to a computer could otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers or on computers shared by several users. Another layer of security is added by encrypting sensitive files by means of EFS.

SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access Server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this allows for a VPN connection to be established through an HTTP proxy device.

http://www.securitysoftwarezone.com/vista-and-windows-server-2008-encryption-broken-review968-6.html

QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains a server that has the Terminal Services server role installed. The server runs six custom applications that are configured as Terminal Services RemoteApps on it.

Recently, some of the users have reported that when one of the applications is run by the remote users, the other applications become unresponsive and the server seems slow. To solve the problem, you decide to ensure that active user sessions receive equal access to system resources.

Which of the following options would you choose to accomplish the desired goal?

A. Reliability and Performance Monitor
B. Terminal Services Session Broker
C. Implement Terminal Services Web Access
D. Implement Windows System Resource Manager

Correct Answer: D
Section: Exam C
Explanation

Explanation/Reference:
To ensure that active user sessions receive equal access to system resources, you need to implement Windows System Resource Manager.

Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities. WSRM applies limits to process working set size and committed memory consumption.

QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

Most of the domain users are mobile and need to log on to the domain from multiple computers. You have been assigned the task to provide a data provisioning solution that ensures that user documents are not stored on the local client computer and that users have access to their Documents folder regardless of the client computer that they use.

In your solution you also need to reduce the logon time to the domain. Which of the following options would you choose to accomplish the desired task?

A. Logon scripts
B. Roaming user profiles
C. Folder redirection
D. Configure offline files

Correct Answer: C
Section: Exam C
Explanation

Explanation/Reference:
To provide a data provisioning solution that ensures that user documents are not stored on the local client computer and that users have access to their Documents folder regardless of the client computer that they use, you need to configure folder redirection.

Folder Redirection is a way to place data in a set of folders in the user profiles on the network. Folder Redirection is a Group Policy setting that allows you to configure a set of special folders, such as the My Documents folder, from the local computer on to the network. The My Documents folder is the location on the Windows 2000 desktop where the user can save their documents and graphic files. For example, you can redirect the My Documents folder, usually stored on the computer’s local hard disk, to a network location so that the documents in the folder are available to that user from any computer on the network.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dseb_ovr_syul.mspx?mfr=true

QUESTION 20
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

For both the head office and the branch office, an Active Directory site is available. You have been assigned the task to deploy file servers in each office and design a file sharing strategy.

Your file sharing strategy should ensure that the users in both offices are able to access the same files by using the same Universal Naming Convention (UNC) path. Your design must ensure that the minimum amount of bandwidth is used to access files and that files are available even if a server fails.

Which of the following options would you choose to accomplish the desired goal?

A. A multi-site failover cluster having one of the servers located in the head office and the other located in the branch office.
B. A stand-alone DFS namespace that uses replication.
C. A domain-based DFS namespace that uses replication.
D. A Network Load Balancing cluster having one of the servers located in the head office and the other located in the branch office.

Correct Answer: C
Section: Exam C
Explanation

Explanation/Reference:
To deploy file servers in each office and design a file sharing strategy with the given requirements, you need to deploy a domain-based DFS namespace that uses replication.

Domain-based namespaces require all servers to be members of an Active Directory domain. These types of environments support automatic synchronization of DFS targets. The root namespace is based on a combination of the server’s NetBIOS name and a root name, and is listed in the DNS.

In a domain environment, a server is capable of hosting multiple DFS roots. Using multiple replicas provides you with a degree of scalability. Rather than having every user in your organization access their files from the same server and overburdening it, you can distribute the user workload across multiple DFS replicas.

Another reason for having multiple DFS replicas is that doing so provides you with a degree of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you against network link failures.

QUESTION 21
You are an Enterprise administrator for contoso.com. Your company possesses a stand-alone root certification authority (CA) for the corporate network.

The corporate network contains a Windows Server 2008 server called contosoServer1. You issue a server certificate to contosoServer1 and deploy Secure Socket Tunneling Protocol (SSTP) on contosoServer1 for secure browsing.

Which of the following options would you choose to ensure that the external partner computers would be allowed to access internal network resources by using SSTP?

A. Terminal Services Session Broker role service
B. Firewall to allow inbound traffic on TCP Port 1723
C. Root CA certificate on external computers
D. Network Access Protection (NAP) on the network

Correct Answer: C
Section: Exam C
Explanation

Explanation/Reference:
To ensure that the external partner computers would be allowed to access internal network resources by using SSTP, you need to deploy the Root CA certificate to the external computers.

SSTP is a new kind of Virtual Private Networking (VPN) tunnel that is available in the Routing and Remote Access server role in Windows Server 2008. SSTP allows for Point-to-Point Protocol (PPP) packets to be encapsulated over HTTP. This feature allows for a VPN connection to be more easily established through a firewall or through a Network Address Translation (NAT) device. Also, this feature allows for a VPN connection to be established through an HTTP proxy device.

Generally, if the client computer is joined to the domain and if you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may need to deploy the Root CA certificate to the external computers.

Reference: How to troubleshoot Secure Socket Tunneling Protocol (SSTP)-based connection failures in Windows Server 2008
http://support.microsoft.com/kb/947031

QUESTION 22
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All domain controllers on the corporate network run Windows Server 2008 and all client computers run either Windows Vista or Windows XP Service Pack 1.

The corporate network contains 100 servers and 5,000 client computers. Which of the following options would you choose to implement a VPN solution that allows you to store VPN passwords as encrypted text and provide support for Suite B cryptographic algorithms?

Besides, it should support client computers that are configured as members of a workgroup and allow automatic enrollment of certificates. (Select three. Each correct answer will form a part of the answer.)

A. Upgrade the client computers to Windows Vista.
B. Upgrade the client computers to Windows XP Service Pack 2.
C. Implement an enterprise certification authority (CA) that is based on Windows Server 2008.
D. Implement a stand-alone certification authority (CA).
E. Implement an IPsec VPN that uses pre-shared keys.
F. Implement an IPsec VPN that uses certificate-based authentication.

Correct Answer: ACF
Section: Exam C
Explanation

Explanation/Reference:
To implement a VPN solution that allows you to store VPN passwords as encrypted text and provide support for Suite B cryptographic algorithms, you need to upgrade the client computers to Windows Vista and implement an enterprise certification authority (CA) that is based on Windows Server 2008.

Support for Suite B cryptographic algorithms was added in Windows Vista Service Pack 1 (SP1) and in Windows Server 2008. Suite B is a set of standards that are specified by the National Security Agency (NSA). Suite B includes encryption algorithms.

To support client computers that are configured as members of a workgroup and allow automatic enrollment of certificates, you need to implement an IPsec VPN that uses certificate-based authentication.

IPsec deployments can take advantage of certificate-based authentication via industry-standard X.509 digital certificates. AD CS in Windows Server 2008 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

Reference: Description of the support for Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 and in Windows Server 2008
http://support.microsoft.com/kb/949856

Reference: iPhone and Virtual Private Networks (VPN)
http://images.apple.com/iphone/enterprise/docs/iPhone_VPN.pdf

Exam D

QUESTION 1
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

You have been assigned the task to ensure that all the users of the company can access their Documents folder regardless of the client computer that they use.

Which of the following options would you choose to accomplish the desired task?

A. Logon scripts
B. Folder redirection
C. Configure offline files
D. Local User profiles

Correct Answer: B
Section: Exam D
Explanation

Explanation/Reference:
To provide a data provisioning solution that ensures that user documents are not stored on the local client computer and that users have access to their Documents folder regardless of the client computer that they use, you need to configure folder redirection.

Folder Redirection is a way to place data in a set of folders in the user profiles on the network. Folder Redirection is a Group Policy setting that allows you to configure a set of special folders, such as the My Documents folder, from the local computer on to the network. The My Documents folder is the location on the Windows 2000 desktop where the user can save their documents and graphic files. For example, you can redirect the My Documents folder, usually stored on the computer’s local hard disk, to a network location so that the documents in the folder are available to that user from any computer on the network.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dseb_ovr_syul.mspx?mfr=true

QUESTION 2
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. All the servers in the network run Windows Server 2008 and all client computers run Windows Vista. Each office has a domain controller and file servers.

You have been asked to plan the deployment of Distributed File System (DFS) on the network and ensure that users can access the data locally and are allowed to see only the folders to which they have access permissions. You also need to ensure the use of minimum bandwidth during data replication.

Which of the following options would you choose to accomplish the desired task?


A. A stand-alone DFS namespace that uses DFS replication and has access-based enumeration enabled
B. A stand-alone DFS namespace that uses File Replication Service (FRS) and has access-based enumeration enabled
C. A domain-based DFS namespace that uses File Replication Service (FRS) and modify each share to be a hidden share
D. A domain-based DFS namespace that uses DFS replication and modify each share to be a hidden share

Correct Answer: A
Section: Exam D
Explanation

Explanation/Reference:
To plan the deployment of Distributed File System (DFS) on the network and ensure that users can access the data locally and are allowed to see only the folders to which they have access permissions, you need to deploy a stand-alone DFS namespace that has access-based enumeration enabled.

Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than overburdening a single server.

Standalone namespaces do allow you to use multiple folder targets for fault tolerance purposes. In case you are not familiar with folder targets, the basic idea is that each folder target typically hosts a replica of the data that’s associated with a DFS folder. Using multiple folder targets allows you to achieve a degree of fault tolerance, and offers better performance than if the data were only stored in a single location.

A domain-based DFS namespace requires an Active Directory domain, which is not available here.

Access-based enumeration allows users to see only files and folders on a file server to which they have permission to access. This feature is not enabled by default for namespaces (though it is enabled by default on newly-created shared folders in Windows Server 2008), and is only supported in a DFS namespace when the namespace is a standalone namespace hosted on a computer running Windows Server 2008, or a domain-based namespace by using the Windows Server 2008 mode.

QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of servers that run Windows Server 2008 and client computers run Windows Vista. You have been asked to design a storage strategy so that a distributed database application can be deployed on the network that runs on multiple servers. While designing the storage strategy, you need to ensure that you use existing network infrastructure and standard Windows management tools.

You also need to ensure that the storage space is allocated to servers as and when required and that the data is available if a single disk fails. Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)


A. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).
B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.
C. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O.
D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS).
E. Configure the storage subsystem as a RAID 5 array.
F. Configure the storage subsystem as a RAID 0 array.

Correct Answer: DE
Section: Exam D
Explanation

Explanation/Reference:
To design a storage strategy so that a distributed database application can be deployed on the network that runs on multiple servers with given requirements, you need to deploy an iSCSI disk storage subsystem that supports Virtual Disk Service (VDS) and configure the storage subsystem as a RAID 5 array.

Microsoft iSCSI Software Target option enables you to implement an iSCSI SAN with storage provisioning and management capabilities. Managed via the Microsoft Management Console, administrators can create and manage iSCSI targets and iSCSI virtual disks, as well as schedule, export, and locally mount snapshots for use in backup and recovery operations.

An iSCSI disk storage subsystem supports Virtual Disk Service (VDS) and Microsoft Multipath I/O. Virtual Disk Service (VDS) is a Windows service for managing volumes. Administrators now have a single interface that works with different vendors, if that vendor supplies a VDS hardware provider for their networked storage device. This same interface also works with directly attached storage, providing a unified view of all disks and volumes, regardless of being connected via SCSI, Fiber Channel, iSCSI or PCI RAID. VDS exposes the complex functionality provided by these storage hardware vendors and scales up to enterprise configurations.

Multipath I/O cannot be used because it only provides ability to use more than one physical path to access a storage device, providing improved system reliability and availability via fault tolerance and/or load balancing of the I/O traffic.

RAID 5 is the most powerful form of RAID that can be found in a desktop computer system. It provides increased storage array performance and full data redundancy. RAID 0 cannot be used because it is the lowest designated level of RAID. It is actually not a valid type of RAID. It was given the designation of level 0 because it fails to provide any level of redundancy for the data stored in the array. Thus, if one of the drives fails, all the data is damaged.

http://blogs.technet.com/josebda/archive/2007/10/25/the-basics-of-the-virtual-disk-services-vds.aspx

QUESTION 4


You are an Enterprise administrator for contoso.com. The company has a head office and two branch offices that connect with each other by using a WAN link. The corporate network of the company consists of a single Active Directory domain.

All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Each office contains a file server and the office users use the local file server to store data on it. The users also have access to data from the other offices.

You have been assigned the task to plan a data access solution and ensure that folders that are stored on the file servers must be available to users in both offices and users must be able to access all files even when the WAN link fails. Besides this, the network bandwidth usage between offices must be minimized.

Which of the following options would you choose to accomplish the desired goal?

A. Implement Distributed File System Replication (DFSR) on the file servers in both the offices.
B. On one of the servers, configure Distributed File System (DFS) and on the other, configure the Background Intelligent Transfer Service (BITS).
C. Configure File Server Resource Manager (FSRM) and File Replication Service (FRS) on both the servers.
D. On one of the servers, configure File Server Resource Manager (FSRM) and on the other configure File Replication Service (FRS).

Correct Answer: A
Section: Exam D
Explanation

Explanation/Reference:
To plan a data access solution and ensure that folders that are stored on the file servers must be available to users in both offices and users must be able to access all files even when the WAN link fails, you need to implement Distributed File System Replication (DFSR) on the file servers in both the offices.

Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than overburdening a single server.

DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the SYSVOL folder in domains that use the Windows Server 2008 domain functional level.

DFS Replication service has a totally revamped replication engine that uses a new replication algorithm called Remote Differential Compression (RDC). This new algorithm replicates only the changes to files and not the files themselves, which means that DFS now works much better over slow WAN links than before. In addition, the new replication engine supports bandwidth throttling and replication scheduling, plus it operates on a multimaster replication model.


QUESTION 5
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains a Microsoft SQL Server 2005 that has two RAID 1 arrays and one RAID 5 array configured.

You have been assigned the task to allocate hard disk space on the server and ensure maximum performance of the SQL Server application and minimum loss of write performance if a hard disk drive fails. You also need to prevent the loss of data if a single hard disk drive fails.

Which of the following options would you choose to achieve the desired goal?

A. Use RAID 1 arrays to place OS files and SQL database files and RAID 5 array to place SQL transaction logs.
B. Use RAID 5 array to place types of files.
C. Use RAID 1 arrays to place OS files and SQL transaction logs and RAID 5 array to place SQL database files.
D. Use RAID 5 arrays to place OS files and RAID 5 array to place SQL transaction logs and SQL database files.

Correct Answer: C
Section: Exam D
Explanation

Explanation/Reference:
To allocate hard disk space on the server and meet other requirements, you need to place the operating system files on one of the RAID 1 arrays. Place the SQL transaction logs on the other RAID 1 array and place the SQL database files on the RAID 5 array.

RAID version 1 was the first real implementation of RAID. It provides a simple form of redundancy for data through a process called mirroring. This form typically requires two individual drives of similar capacity. One drive is the active drive and the secondary drive is the mirror. When data is written to the active drive, the same data is written to the mirror drive.

This provides a full level of redundancy for the data on the system. If one of the drives fails, the other drive still has all the data that existed in the system. It is best to place OS files because it provides full redundancy of data. It does not increase performance therefore it is not fit to store SQL database files.

For SQL database files you should use RAID 5 array because it is the most powerful form of RAID that can be found in a desktop computer system. This method uses a form of striping with parity to maintain data redundancy. The parity bit shifts between the drives to increase the performance and reliability of the data. The drive array will still have increased performance over a single drive because the multiple drives can write the data faster than a single drive. The data is also fully redundant because of the parity bits. In the case of drive 2 failing, the data can be rebuilt based on the data and parity bits on the two remaining drives. Data capacity is reduced due to the parity data blocks.


QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The company has recently merged with a partner company called TechKing.com and started using a Windows Server 2008 server of that company called TechKingServer1. The server has five internal SCSI hard disks that are connected to an onboard SCSI controller.

You have planned to deploy TechKingServer1 as a file server and place it in your company’s premises. You now have to plan for a storage strategy that ensures that the user data is physically separated from the operating system data and maximum disk space is available for the data storage.

You also need to ensure that if a disk fails, the integrity of the data is maintained on the server and the operating system server can start successfully. To achieve this, you only want to use the hardware that is available on the server.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer.)

A. Allocate three disks to a single RAID 5 volume for the user data.
B. Allocate four disks to a single RAID 5 volume for the user data.
C. Allocate three disks to a striped volume for the user data.
D. Allocate two disks to a mirrored volume for the operating system data.
E. Allocate one disk to a simple volume for the operating system data.
F. Allocate three disks to a mirrored volume for the operating system data.
G. Allocate all the disks to a single RAID 5 volume for the user data and for the operating system data.

Correct Answer: AD
Section: Exam D
Explanation

Explanation/Reference:
To ensure that if a disk fails, the integrity of the data is maintained on the server and the operating system server can start successfully, you need to allocate three disks to a single RAID 5 volume for the user data and allocate two disks to a mirrored volume for the operating system data.

Two disks to a mirrored volume for the operating system data are created using RAID version 1, which is the first real implementation of RAID. It provides a simple form of redundancy for data through a process called mirroring. This form typically requires two individual drives of similar capacity. One drive is the active drive and the secondary drive is the mirror. When data is written to the active drive, the same data is written to the mirror drive.

This provides a full level of redundancy for the data on the system. If one of the drives fails, the other drive still has all the data that existed in the system. It is best to place OS files because it provides full redundancy of data.

A single RAID 5 volume for the user data is best because it is the most powerful form of RAID that can be found in a desktop computer system. This method uses a form of striping with parity to maintain data redundancy. The parity bit shifts between the drives to increase the performance and reliability of the data. A minimum of three drives is required to build a RAID 5 array and they should be identical drives for the best performance. The drive array will still have increased performance over a single drive because the multiple drives can write the data faster than a single drive. The data is also fully redundant because of the parity bits. In the case of drive 2 failing, the data can be rebuilt based on the data and parity bits on the two remaining drives. Data capacity is reduced due to the parity data blocks.

QUESTION 7
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows XP Service Pack 1.

You have been assigned the task to plan the deployment of Distributed File System (DFS) to provide redundancy in the event that a single server fails, at minimum cost. You also need to ensure that the client computers reconnect to their preferred server after a server failure is resolved.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer.)

A. Upgrade all client computers to Windows XP Service Pack 2.
B. Upgrade all client computers to Windows Vista.
C. Implement a stand-alone DFS namespace, create folders, add multiple targets, and enable the clients fail back to preferred targets option.
D. Implement a domain-based DFS namespace, add a second namespace server, and enable the clients fail back to preferred targets option.

Correct Answer: AD
Section: Exam D
Explanation

Explanation/Reference:
To plan the deployment of Distributed File System (DFS) with the given requirements, you need to upgrade all client computers to Windows XP Service Pack 2 to use DFS and implement a domain-based DFS namespace. You need to then add a second namespace server and enable the Clients fail back to preferred targets option.

Rather than having every user in your organization access their files from the same server, you can distribute the user workload across multiple DFS replicas rather than overburdening a single server. Domain based namespaces should be used here because domain based namespaces require all servers to be members of an Active Directory domain. The DFS supports automatic synchronization of DFS targets. In a domain environment, a server is capable of hosting multiple DFS roots that provides you with a degree of scalability.


Another reason for having multiple DFS replicas is because doing so provides you with a degree of fault tolerance. DFS can also provide fault tolerance from the standpoint of protecting you against network link failures.

You should add a second namespace server and enable the Clients fail back to preferred targets option to ensure a client failback on the namespace (or on specific folders in your namespace). So, when the failed target comes back online the client will fail back to that target as its preferred target.

If your WAN links are unreliable, you might find your clients frequently accessing different targets for the same folder. This can be a problem, for by default, DFS caches referrals for a period of time (300 seconds or 5 minutes) so if a target server suddenly goes down the client will keep trying to connect to the target and give an error instead of making the resource available to the client from a different target. To prevent this from happening (especially non-optimal targets), you can configure a client failback to preferred targets option on the namespace.

http://www.windowsnetworking.com/articles_tutorials/Configuring-DFS-Namespaces.html
Reference: Planning a DFS Architecture, Part 1 / Planning a DFS Architecture, Part 2 / Domain-Based Namespaces
http://www.petri.co.il/planning-dfs-architecture-part-one.htm

QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains a server that has the File Server role installed. The company has a few users who use portable computers that run Windows Vista Business Edition. These users sometimes access the corporate network from the remote locations.


You have been asked to design a data storage solution that ensures that remote users are able to choose the documents that will be available when they are away from the network. You also need to ensure that users need to store only a minimum number of documents on their portable computers and that the time that users take to log in to the network is reduced.

Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the answer.)

A. Configure offline files
B. Deploy roaming profiles
C. Use local profiles
D. Implement folder redirection
E. Enable automatic caching
F. Enable manual caching

Correct Answer: AF
Section: Exam D
Explanation

Explanation/Reference:
To design a data storage solution that ensures that remote users are able to choose the documents that will be available when they are away from the network, configure offline files and enable manual caching.

Offline Files allows you to keep using network files, folders, and applications when disconnected from the network. The biggest beneficiaries of the Offline Files feature are users of mobile computers who frequently connect and disconnect from the network to use their computers at home or on the road. Now mobile users can be assured that they are working with the most up-to-date versions of network files, navigate through mapped network drives even when disconnected, and easily synchronize changes with the network when they plug back into the network.

In Manual Caching For Documents option, the only documents that will be cached are those that the user specifically designates to be available offline.

The Automatic Caching For Documents cannot be used because with this option, when a user opens a file in this shared folder, it will be automatically downloaded and made available offline without the user specifying that it be an offline file. Older copies of a file will be deleted automatically to make room for files that have been accessed more recently. With this option, a file that the user has not opened while online will not be available offline.

QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and use internal storage only and all client computers run Windows Vista.

You have been assigned the task to deploy a six node cluster on the network. You need to ensure that the cluster services are available even if two nodes of the cluster fail.

Which of the following features would you deploy to accomplish the desired task?

A. Terminal Services RemoteApp (TS RemoteApp)
B. Failover cluster that uses Node and File Share Disk Majority
C. Distributed File System (DFS) that uses replication
D. Failover cluster that uses No Majority: Disk Only

Correct Answer: B
Section: Exam D
Explanation

Explanation/Reference:


To ensure that the cluster services are available even if three nodes of the cluster fail, you need to deploy a failover cluster that uses Node and File Share Disk Majority.

The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain. If an additional failure occurs, the cluster must stop running. The relevant failures in this context are failures of nodes or, in some cases, of a witness disk (which contains a copy of the cluster configuration) or witness file share. It is essential that the cluster stop running if too many failures occur or if there is a problem with communication between the cluster nodes.

Node and Disk Majority (recommended for clusters with an even number of nodes) can sustain failures of half the nodes (rounding up) if the witness disk remains online, and can sustain failures of half the nodes (rounding up) minus one if the witness disk goes offline or fails. For example, a six node cluster with a failed witness disk could sustain two (3-1=2) node failures.

QUESTION 10
You are an Enterprise administrator for TestKing.com. The company has a head office and a branch office that connect with each other by using WAN links. The corporate network of the company consists of a single Active Directory domain and an Active Directory site exists for each office.

All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers run Windows Vista.

You have been assigned the task to deploy a failover cluster solution to service users in both offices. The cluster must maintain the availability of services using the minimum number of servers when a single server fails.

Which of the following options would you choose to accomplish the desired task?

A. Deploy a failover cluster that contains two nodes in each office, head office and branch office.
B. Deploy a failover cluster that contains two nodes in the head office.
C. Deploy a failover cluster that contains one node in the head office.
D. Deploy a failover cluster that contains one node in each office, head office and branch office.

Correct Answer: D
Section: Exam D
Explanation

Explanation/Reference:
To deploy a failover cluster solution to service users in both offices and maintain the availability of services using minimum number of servers when a single server fails, you need to deploy a failover cluster that contains one node in each office, head office and branch office.

Windows Server 2008 supports the shared-nothing cluster model, in which two or more independent servers, or nodes, share resources; each server owns and is responsible for managing its local resources and provides nonsharing services.


In case of a node failure, the disks, resources, and services running on the failed node fail over to a surviving node in the cluster. For example, if an Exchange server is operating on node 1 of the cluster and it crashes, the Exchange application and services will automatically fail over to node 2 of the cluster. This model minimizes server outage and downtime. Only one node manages one particular set of disks, cluster resources and services at any given time.

QUESTION 11
You are an Enterprise administrator for contoso.com. The network of your company contains 4,000 client computers located on a single subnet and two DHCP servers. The DHCP servers are named DHCP1 and DHCP2. A router that has a single IP address on the internal interface separates the internal network from the Internet.

DHCP1 has the following scope information:
Starting IP address: 172.16.0.1
Ending IP address: 172.16.15.255
Subnet mask: 255.255.224.0

You need to configure DHCP2 in such a way that the network gets a fault-tolerant DHCP infrastructure and all client computers are able to obtain a valid IP address if a DHCP server fails.

Which of the following options would you choose to configure DHCP2?

A. Create a scope for the subnet 172.16.8.0/19. Configure the scope to use a starting IP address of 172.16.16.1 and an ending IP address of 172.16.31.254.
B. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254.
C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.
D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.

Correct Answer: A
Section: Exam D
Explanation

Explanation/Reference:
The subnet mask 255.255.224.0 means a /19 subnet. For load balancing you need to ensure that DHCP2 is configured on the same network; therefore, you need to select answer A where the subnet is 172.16.0.0/19.

The /19 network can contain IP address range from 172.16.0.1 to 172.16.31.255, which means 8190 total hosts can be configured. DHCP1 already contains the IP address range from 172.16.0.1 to 172.16.15.255 to serve 4000 hosts.

In case of the failure of DHCP1, another IP address range is required for the 4000 computers that the network has. Therefore DHCP2 can contain the range of 172.16.16.1 to 172.16.31.254.


QUESTION 12
You are an Enterprise administrator for contoso.com. Which of the following options would you choose to configure a fault-tolerant DHCP infrastructure in your company where two DHCP servers exist? You need to ensure that all client computers are able to obtain a valid IP address if a single DHCP server fails. The corporate network of the company contains 1,000 DHCP client computers that are located on a single subnet.

The DHCP servers are named contosoDHCP1 and contosoDHCP2. A router having a single IP address on the internal interface is also configured on the corporate network to separate the internal network from the Internet.

contosoDHCP1 is configured with the following scope information:
Starting IP address: 172.16.0.1
Ending IP address: 172.16.7.255
Subnet mask: 255.255.240.0

How should you configure contosoDHCP2?

A. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.
B. Create a scope for the subnet 172.16.8.0/21. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.10.254.
C. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254.
D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.

Correct Answer: A
Section: Exam D
Explanation

Explanation/Reference:
The subnet mask 255.255.240.0 means a /20 subnet. For load balancing you need to ensure that DHCP2 is configured on the same network; therefore, you need to select answer A where the subnet is 172.16.0.0/20.

The /20 network can contain IP address range from 172.16.0.1 to 172.16.15.255, which means 4000 total hosts can be configured. DHCP1 already contains the IP address range from 172.16.0.1 to 172.16.7.255 to serve 1000 hosts.

In case of the failure of DHCP1, another IP address range is required for the 1000 computers that the network has. Therefore DHCP2 can contain the range of 172.16.8.1 to 172.16.15.254.
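
The scope reasoning in Questions 11 and 12, as an added example that is not part of the original practice exam: the Python function below checks a proposed second DHCP scope against the conditions the explanations rely on (same subnet as the clients, no overlap with the first server's range, enough addresses to serve every client alone). The function names and the `Q11`/`Q12` dictionaries are assumptions made for this example; the addresses, masks and client counts are the ones given in the two questions.

```python
import ipaddress


def check_second_scope(wire_mask, primary, scope_subnet, scope_range, clients):
    """Return a list of problems with a proposed second DHCP scope (empty = OK).

    wire_mask    -- subnet mask the clients use, e.g. "255.255.240.0"
    primary      -- (start, end) already handed out by the first DHCP server
    scope_subnet -- subnet the second scope is created for, e.g. "172.16.0.0/20"
    scope_range  -- (start, end) proposed for the second DHCP server
    clients      -- clients the second server must be able to serve on its own
    """
    p_start, p_end = (ipaddress.IPv4Address(a) for a in primary)
    s_start, s_end = (ipaddress.IPv4Address(a) for a in scope_range)

    # The client subnet follows from the first server's scope and its mask.
    wire = ipaddress.ip_network(f"{p_start}/{wire_mask}", strict=False)
    # strict=False masks off host bits, so "172.16.8.0/19" is read as 172.16.0.0/19.
    scope = ipaddress.ip_network(scope_subnet, strict=False)

    problems = []
    if scope != wire:
        problems.append(f"scope subnet {scope} is not the client subnet {wire}")
    first_usable = wire.network_address + 1
    last_usable = wire.broadcast_address - 1
    if not (first_usable <= s_start <= s_end <= last_usable):
        problems.append("range is not inside the usable addresses of the client subnet")
    if s_start <= p_end and p_start <= s_end:
        problems.append("range overlaps the first server's range")
    size = int(s_end) - int(s_start) + 1
    if size < clients:
        problems.append(f"only {size} addresses for {clients} clients")
    return problems


# Values copied from Questions 11 and 12; the dictionary layout is illustrative.
Q11 = {
    "mask": "255.255.224.0",
    "primary": ("172.16.0.1", "172.16.15.255"),
    "clients": 4000,
    "options": {
        "A": ("172.16.8.0/19", ("172.16.16.1", "172.16.31.254")),
        "B": ("172.16.0.0/21", ("172.16.0.1", "172.16.15.254")),
        "C": ("172.16.0.0/20", ("172.16.8.1", "172.16.15.254")),
        "D": ("172.17.0.0/16", ("172.17.0.1", "172.17.255.254")),
    },
}
Q12 = {
    "mask": "255.255.240.0",
    "primary": ("172.16.0.1", "172.16.7.255"),
    "clients": 1000,
    "options": {
        "A": ("172.16.0.0/20", ("172.16.8.1", "172.16.15.254")),
        "B": ("172.16.8.0/21", ("172.16.8.1", "172.16.10.254")),
        "C": ("172.16.0.0/21", ("172.16.0.1", "172.16.15.254")),
        "D": ("172.17.0.0/16", ("172.17.0.1", "172.17.255.254")),
    },
}


def passing_options(question):
    """Letters of the answer options that pass every check."""
    ok = []
    for letter, (subnet, rng) in sorted(question["options"].items()):
        if not check_second_scope(question["mask"], question["primary"],
                                  subnet, rng, question["clients"]):
            ok.append(letter)
    return ok


if __name__ == "__main__":
    for name, q in (("Question 11", Q11), ("Question 12", Q12)):
        for letter, (subnet, rng) in sorted(q["options"].items()):
            problems = check_second_scope(q["mask"], q["primary"],
                                          subnet, rng, q["clients"])
            print(name, letter, "OK" if not problems else "; ".join(problems))
```
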

QUESTION 13
You are an Enterprise administrator for contoso.com. The company consists of a branch office and a head office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.


The servers in both the offices are independent of each other and share resources. Youwant to deploy a clustering solution that ensures high availability minimum downtime for theservers on the network. You need to ensure that if a node fails, the disks, resources andservices running on the failed node fail over to a surviving node in the cluster.

Which of the following options would you choose to accomplish the desired task?

A. Create a Network Load Balancing cluster.B. Create two application pools on each Web server.C. Configure a Web garden on each Web server.D. Configure a failover cluster.

Correct Answer: DSection: Exam DExplanation

Explanation/Reference:
To ensure that if a node fails, the disks, resources and services running on the failed node fail over to a surviving node in the cluster, you need to configure a failover cluster. Windows Server 2008 supports the shared-nothing cluster model, in which two or more independent servers, or nodes, share resources; each server owns and is responsible for managing its local resources and provides nonsharing services.

In case of a node failure, the disks, resources and services running on the failed node fail over to a surviving node in the cluster. This model minimizes server outage and downtime. Only one node manages one particular set of disks, cluster resources and services at any given time.

QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest that contains an Active Directory domain. All the servers in the domain run Windows Server 2003 and all client computers run Windows Vista.

The domain contains eight domain controllers. You upgraded one of the domain controllers, called contosoDC1, to Windows Server 2008. During the upgrade, some of the Active Directory objects get deleted.

You need to recover the deleted objects and plan a recovery solution that allows deleted objects to be recovered for up to one year after the date of deletion. Which of the following options would you choose to accomplish the desired task?

A. On contosoDC1, enable shadow copies of the drive that contains the Ntds.dit file.

B. Configure daily backups of contosoDC1.

C. Increase the interval of the garbage collection process for the forest.

D. Increase the tombstone lifetime for the forest.

Correct Answer: D
Section: Exam D


Explanation/Reference:
To recover the deleted objects and plan a recovery solution that allows deleted objects to be recovered for up to one year after the date of deletion, you need to increase the tombstone lifetime for the forest.

If you need to restore your domain controller, or you need to make an authoritative restore of Active Directory, you need a backup which is younger than 60 days (by default). Objects that are deleted from Active Directory remain as tombstones.

A tombstone is the object with limited attributes, such as the GUID, Name and SID of the object, and the mark that it's deleted. The garbage collection of Active Directory takes care of finally deleting tombstones that are older than the tombstone lifetime.

To avoid inconsistencies in object deletion, the tombstone lifetime is configured to be many times larger than the worst-case replication latency. By default, the Active Directory tombstone lifetime is sixty days. This value can be changed if necessary.

QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista.

You have been assigned the task to implement a backup and recovery plan that restores the domain controllers in the event of a catastrophic server failure. In your plan, you cannot use optical drives for backup because according to the company's policy, the domain controllers cannot contain optical drives for security reasons.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)

A. Use Windows Server Backup to back up each domain controller to a local disk.

B. Use Windows Server Backup to back up each domain controller to a remote network share.

C. Create a Windows Recovery Environment (Windows RE) partition on each domain controller.

D. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE).

Correct Answer: BD
Section: Exam D

Explanation/Reference:
To implement a backup and recovery plan that restores the domain controllers in the event of a catastrophic server failure, you need to use Windows Server Backup to back up each domain controller to a remote network share. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state.

In case of disasters like hard disk failures or catastrophic server failure, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment.

You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE). Windows Deployment Services enables you to deploy Windows operating systems by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Therefore, you can avoid the use of an optical drive for backup.

QUESTION 16
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains 3 file servers that store user documents. You have been assigned the task to implement a data recovery strategy that ensures that all data volumes on the file server are backed up daily without creating much impact on performance.

The recovery strategy must also be able to restore individual files if a disk fails. Besides, the users must be able to retrieve previous versions of files without the intervention of an administrator.

Which of the following options would you choose to accomplish the desired task? (Select two. Each correct answer will present a part of the solution.)

A. Use Windows Server Backup to perform a daily backup to an external disk.

B. Use Windows Server Backup to perform a daily backup to a remote network share.

C. Deploy File Server Resource Manager (FSRM).

D. Deploy Windows Automated Installation Kit (WAIK).

E. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies on a separate physical disk.

F. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies in the default location.

Correct Answer: AE
Section: Exam D

Explanation/Reference:
Use Windows Server Backup to perform a daily backup to an external disk. Enable shadow copies for the volumes that contain shared user data. Store the shadow copies on a separate physical disk.

FSRM (File Server Resource Manager) is a service of the File Services role in Windows Server 2008. You can use FSRM to enhance your ability to manage and monitor storage activities on your file server.

The main capabilities of FSRM include: Folder Quotas, File Screening, Storage Reports, Event Log Integration, E-mail Notifications, and Automated Scripts.

You use a Quota function to manage disk usage on a volume in the File Server Resource Manager (FSRM) and then you can enable the Shadow Copies feature on the volume. Shadow Copies for Shared Folders uses the Volume Shadow Copy Service to provide point-in-time copies of files that are located on a shared network resource, such as a file server. With Shadow Copies for Shared Folders, users can quickly recover deleted or changed files that are stored on the network without administrator assistance, which can increase productivity and reduce administrative costs. Shadow copies allow users to retrieve previous versions of files on their own without the intervention of an administrator.

By default, shadow copies are stored on the same drive volume as the shared folders being backed up. As a best practice, you should store the shadow copies on a separate physical disk as an extra fault tolerance measure.

http://blogs.technet.com/josebda/archive/2008/08/20/the-basics-of-windows-server-2008-fsrm-file-server-resource-manager.aspx

QUESTION 17
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista.

You have been assigned the task to implement a backup and recovery plan that restores the domain controllers and the client computers in the event of a catastrophic server failure.

Besides recovering the domain controller, you also want a provision to restore items from client computers by choosing a backup and then selecting specific items from that backup to restore. You want to restore an item by choosing the date of the backup version for the item you want to restore. You want to make sure that the backup is not taken on an optical drive.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)

A. Use Windows Server Backup to back up each domain controller and the client computers to a local disk.

B. Use Ntbackup.exe tool to back up each domain controller and the client computers to a local disk.

C. Use Windows Server Backup to back up each domain controller to a remote network share.

D. Create a Windows Recovery Environment (Windows RE) partition on each domain controller.

E. Use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE).

Correct Answer: CE
Section: Exam D

Explanation/Reference:
To implement a backup and recovery plan that restores the domain controllers and the client computers in the event of a catastrophic server failure, you need to use Windows Server Backup to back up each domain controller to a remote network share. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state.

You can restore items by choosing a backup and then selecting specific items from that backup to restore. You can recover specific files from a folder or all the contents of a folder. In addition, previously, you needed to manually restore from multiple backups if choose the date of the backup version for the item you want to restore.

In case of disasters like hard disk failures or catastrophic server failure, you can perform a system recovery, which will restore your complete system onto the new hard disk, by using a full server backup and the Windows Recovery Environment.

You need to use Windows Deployment Services (WDS) to deploy the Windows Recovery Environment (Windows RE). Windows Deployment Services enables you to deploy Windows operating systems by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Therefore, you can avoid the use of an optical drive for backup.

QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains 20 file servers that contain two volumes, one for the operating system and the other for the data files. You have been assigned the task to plan a recovery strategy that ensures server continuity in case of server failures. The recovery strategy must ensure that the operating system and the data files can be restored in the minimum amount of time.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the solution.)

A. Windows Automated Installation Kit (WAIK)

B. Windows Deployment Services (WDS)

C. Windows Recover Disk feature

D. Windows Server Backup feature

E. Volume Shadow Copies

F. Folder redirection

G. Windows Complete PC Restore

Correct Answer: DG
Section: Exam D

Explanation/Reference:
To plan a recovery strategy that ensures the server continuity in case of the server failures, you need to use the Windows Server Backup feature and Windows Complete PC Restore.

Complete PC Backup and Restore is a comprehensive, image-based backup tool to help you out of a tight spot if you need to recover your entire system. While file restore is useful in cases of file loss and data corruption, Windows Complete PC Restore is most useful for disaster recovery when your PC malfunctions. Complete PC Backup and Restore is capable of restoring your entire PC environment, including the operating system, installed programs, user settings, and data files.

http://www.microsoft.com/singapore/windows/products/windowsvista/features/details/completepcbackup

QUESTION 19
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains 3 servers, a file server, a database server, and a messaging server. You have been assigned the task to provide a backup infrastructure to create consistent backups of open files and applications, database server, and the messaging server.

The solution must also be able to minimize the interruption to applications. Which of the following options would you choose to accomplish the desired task?

A. Use Windows Server Backup to perform a daily backup to an external disk.

B. Use Windows Server Backup to perform a daily backup to a remote network share.

C. Enable volume shadow copy service for the volumes that need to be backed up.

D. Enable shadow copies for the volumes that contain shared user data.

Correct Answer: C
Section: Exam D

Explanation/Reference:
To create consistent backups of open files and applications, database server, and the messaging server without interrupting the applications, you need to enable shadow copies for the volumes that need to be backed up.

Applications that are running often keep their files open continuously. For backup, this can present a problem because this prevents backup applications from accessing and copying these files to backup media. Additionally, backing up servers that are running critical applications such as databases or messaging services presents a unique challenge. These applications run in a volatile state as a result of extensive optimizations that deal with huge flows of transactions and messages.

Because these applications keep their data in a constant flux between memory and disk, it is difficult to pinpoint the data that needs to be archived. The most straightforward solution is to interrupt the application during backup, which puts the data into a stable state, but might result in unacceptable amounts of downtime, particularly if the applications are large.

For both problems, the Volume Shadow Copy Service provides a solution by enabling a snapshot of the data at a given point in time, while minimizing the interruption to applications.

QUESTION 20
You are an Enterprise administrator for contoso.com. The company has a head office and 20 branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

Each branch office contains a file server that stores users' data. You have been assigned the task to design a strategy for backing up the file servers and to ensure that the backups are scheduled and allow individual file recovery and a complete server recovery.

Besides this, your backup strategy must provide decentralized control over backups and recovery with minimum administrative effort. Which of the following options would you choose to accomplish the desired task?

A. Use Windows Server Backup to back up volumes to DVD.

B. Configure Volume Shadow Copies.

C. Use Windows Server Backup to back up to an external USB drive.

D. Install the Windows Recovery Disc feature and then create a Scheduled task that runs recdisc.exe.

Correct Answer: C
Section: Exam D

Explanation/Reference:
To design a strategy for backing up the file servers and ensure that the backups are scheduled, allow individual file recovery and a complete server recovery, you need to use Windows Server Backup to back up to an external USB drive.

Backups to USB drives are easy and simple. It provides software and hardware features to make connecting any USB device just about as foolproof as possible. Most backup software now supports USB devices. External USB drives are highly portable and can be used to back up several computers on the same drive.

You cannot use Windows Server Backup to back up volumes to DVD because Windows Server Backup doesn't support system state or file level backups and restores when using DVDs. And you can't schedule backups to DVD.

QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest called contoso.com. The forest contains five domains. The domain controllers on the network run Windows Server 2008 and have the DNS server role installed.

Your company has decided to replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for name resolution.

Which of the following options would you choose to plan the infrastructure for name resolution to support IPv4 and IPv6 environments, enable single-label name resolution across all domains, and minimize the amount of NetBIOS over TCP/IP (NetBT) traffic on the network?


A. Implement custom Active Directory replication partition and modify each DNS zone to replicate as part of it.

B. Configure each DNS zone to perform a WINS forward lookup.

C. Configure each DNS zone to replicate to each DNS server in the forest.

D. Configure a GlobalNames zone on each domain controller.

Correct Answer: D
Section: Exam D

Explanation/Reference:
To replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for name resolution with the given requirements, you need to configure a GlobalNames zone on each domain controller.

The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to assist organizations to move away from WINS and allow organizations to move to an all-DNS environment. Unlike WINS, the GlobalNames zone is not intended to be used for peer-to-peer name resolution.

The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all name resolution will rely on DNS. It supports a dual IPv4 and IPv6 environment and uses only DNS for name resolution.

Reference: Understanding the New GlobalNames Zone Functionality in Windows Server 2008
http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-in-windows-server-2008/

Reference: DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works
http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/DNS-GlobalNames-Zone-Deployment.doc


Exam E

QUESTION 1
You are an Enterprise administrator for contoso.com. All the servers on the network run either Windows Server 2008 or Windows Server 2003 and all client computers run Windows Vista.

The network contains a Windows Server 2003 server that runs a Web-based application called WebApp1. You have been assigned the task to migrate the Web-based application to Windows Server 2008.

To migrate WebApp1, you need to prepare the server for the application. The server must support the installation of .NET applications and the server configuration must ensure that the application is available to all users if a single server fails, at the minimum software cost. (Select two. Each correct answer will present a part of the answer.)

A. Install the full installation of Windows Server 2008 Datacenter Edition on two servers.

B. Install the Server Core installation of Windows Server 2008 Standard Edition on two servers.

C. Install the full installation of Windows Server 2008 Enterprise Edition on two servers.

D. Install the full installation of Windows Server 2008 Web Edition on two servers.

E. Configure the servers in a failover cluster.

F. Configure the servers in a Network Load Balancing cluster.

Correct Answer: DF
Section: Exam E

Explanation/Reference:
To migrate the Web-based application to Windows Server 2008, you need to install the full installation of Windows Server 2008 Web Edition on two servers. Configure the servers in a Network Load Balancing cluster.

Network load balancing is native to all editions of Windows Server 2008. Unlike failover clustering, NLB does not require any special hardware.

Network load balancing (NLB), Windows Server 2008's other high-availability alternative, enables an organization to scale server and application performance by distributing TCP/IP requests to multiple servers, also known as hosts, within a server farm. This scenario optimizes resource utilization, decreases computing time and ensures server availability. Typically, service providers should consider network load balancing if their customer situation includes, but is not limited to, Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access servers.

Reference: Failover clustering, network load balancing drive high availability
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION 2
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The client computers in the company run many applications, all of which are configured to save documents to the local Documents folder. You therefore need to plan a backup strategy for the Documents folder for all the users with the minimum amount of administrative effort.

Which of the following options would you choose to accomplish the desired goal?

A. Deploy agents to all client computers using System Center Operations Manager.

B. Create a shared folder on a file server and then configure scheduled backups on each client computer to store the backup files on the shared folder.

C. Use Group Policy objects (GPO) to implement folder redirection and then back up the folder redirection target.

D. Run Windows Server Backup from a server and connect to each client computer.

Correct Answer: C
Section: Exam E

Explanation/Reference:
To plan a backup strategy for the Documents folder for all the users with the minimum amount of administrative effort, you need to use Group Policy objects (GPO) to implement folder redirection and then back up the folder redirection target.

Folder Redirection is a Group Policy feature which enables you to redirect the system folders containing the profile of a user on the network. Through the use of the Folder Redirection feature, you can ensure that the contents of the user's system folders remain the same, irrespective of the particular computer which the user utilizes to log on to the system. The system folders for which you can configure folder redirection include the My Documents folder.

Redirecting the My Documents folder ensures that users can access their data from any computer. Because redirected folder data is stored on a network server, you can back up the data to an offline storage media.

Reference: Implementing Folder Redirection using Group Policy
http://www.tech-faq.com/implementing-folder-redirection-using-group-policy.shtml

QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. You perform a full backup of the domain controllers every day.

Which of the following options would allow you to implement an Active Directory recovery strategy that allows objects in a backup to be compared to objects in the live Active Directory database? (Select two. Each correct answer will present a part of the solution.)

A. Restore the backup to a domain controller in a test forest.

B. Restore the backup to an alternate location.

C. Restore the backup to the original location.

D. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe).

E. Use the Active Directory Installation wizard to create a new domain controller.

F. Create a snapshot using the Active Directory Service Utilities (Ntdsutil.exe).

Correct Answer: BD
Section: Exam E

Explanation/Reference:
To plan a recovery strategy for Active Directory objects, you need to restore the backup to an alternate location. Mount the database using the Active Directory Database Mounting Tool (Dsamain.exe).

The Active Directory database mounting tool (Dsamain.exe) can improve recovery processes for your organizations by providing a means to compare data as it exists in snapshots that are taken at different times so that you can better decide which data to restore after data loss. This eliminates the need to restore multiple backups to compare the Active Directory data that they contain. You need to restore the backup to an alternate location so that you can compare the data.

Reference: Active Directory Database Mounting Tool Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc753609.aspx

QUESTION 4
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The company has created a web site which requires very high availability and high scalability for the success of the company. You therefore publish the Web site on two Web servers.

You now have to deploy an availability solution for your Web servers and ensure that the Web site is accessible even if a single server fails and that more Web servers can be added for the website without interrupting client connections.

Which of the following options would you choose to create to accomplish the desired task?

A. A Network Load Balancing cluster

B. A failover cluster

C. Application pools on each Web server

D. A Web farm on each Web server

Correct Answer: A
Section: Exam E

Explanation/Reference:
To deploy an availability solution for your Web servers and ensure that the Web site is accessible even if a single server fails and the addition of more Web servers can be done for the website without interrupting client connections, you need to create a Network Load Balancing cluster.

Network load balancing (NLB), Windows Server 2008's other high-availability alternative, enables an organization to scale server and application performance by distributing TCP/IP requests to multiple servers, also known as hosts, within a server farm. This scenario optimizes resource utilization, decreases computing time and ensures server availability. Typically, service providers should consider network load balancing if their customer situation includes, but is not limited to, Web server farms, Terminal Services farms, media servers or Exchange Outlook Web Access servers.

When designing and implementing NLB server farms, it's common to start off with two servers for scalability and high availability and then add additional nodes to the farm as

Clearly, failover clustering and network load balancing with Windows Server 2008 provide service providers with options when designing and implementing high availability for their customers' mission-critical servers and applications.

Reference: Failover clustering, network load balancing drive high availability
http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION 5
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain.

The network contains two DHCP servers called contosoDHCP1 and contosoDHCP2 and 500 DHCP client computers that are located on a single subnet. A router that has a single IP address on the internal interface separates the internal network from the Internet.

contosoDHCP1 server is configured with:
Starting IP address: 172.16.0.1
Ending IP address: 172.16.3.254
Subnet mask: 255.255.248.0

Which of the following options would you choose to provide a fault-tolerant DHCP infrastructure for the company that supports the client computers on the internal network? You need to configure DHCP2 to ensure that all client computers can obtain a valid IP address if a DHCP server fails.

A. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.

B. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254.

C. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.

D. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.4.1 and an ending IP address of 172.16.7.254.


Correct Answer: D
Section: Exam E

Explanation/Reference:The subnet mask 255.255.248.0 means a /21 subnet. For load balancing you need toensure that the DHCP2 should be configured on the same network therefore, you need toselect answer D where the subnet is 172.16.0.0/21.

The /21 network can contain IP address range from 172.16.0.1 to 172.16.7.255, whichmeans 2048 total hosts can be configured. DHCP1 already contains the IP address rangefrom 172.16.0.1 to 172.16.3.254 to serve 500 hosts.

In case of the failure of DHCP1, another IP address range is required for the 500 computersthat the network has. Therefore DHCP2 can contain the range of 172.16.4.1 to172.16.7.254.

Reference: Subnet Addressinghttp://www.networkcomputing.com/unixworld/tutorial/001.html

Reference: Effects of Subnetting a Class B Network http://www.weird.com/~woods/classb.html
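
The subnet check behind answer D can be reproduced with Python's ipaddress module. This is an added example, not part of the original exam material; the function names are assumptions, the addresses are those given in the question and its options, and the 500-client figure is the one quoted in the explanation.

```python
import ipaddress

# Values from the question: DHCP1's existing scope and subnet mask.
MASK = "255.255.248.0"
DHCP1_RANGE = ("172.16.0.1", "172.16.3.254")
CLIENTS = 500  # client count quoted in the explanation

# The four answer options: (subnet, first address, last address).
OPTIONS = {
    "A": ("172.17.0.0/16", "172.17.0.1", "172.17.255.254"),
    "B": ("172.16.0.0/20", "172.16.0.1", "172.16.15.254"),
    "C": ("172.16.0.0/20", "172.16.8.1", "172.16.15.254"),
    "D": ("172.16.0.0/21", "172.16.4.1", "172.16.7.254"),
}


def client_subnet(existing=DHCP1_RANGE, mask=MASK):
    """Network the clients live on, derived from DHCP1's start address and mask."""
    return ipaddress.ip_network(f"{existing[0]}/{mask}", strict=False)


def check_scope(subnet, first, last, existing=DHCP1_RANGE, mask=MASK, clients=CLIENTS):
    """Return the reasons a candidate DHCP2 scope is unusable (empty list = usable)."""
    problems = []
    live_net = client_subnet(existing, mask)
    cand_net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    ex_lo, ex_hi = ipaddress.ip_address(existing[0]), ipaddress.ip_address(existing[1])

    # The second server must hand out leases for the subnet the clients are on.
    if cand_net != live_net:
        problems.append(f"subnet {cand_net} is not the client subnet {live_net}")
    # Usable addresses exclude the network and broadcast addresses.
    if not (live_net.network_address < lo <= hi < live_net.broadcast_address):
        problems.append("range is not contained in the client subnet")
    # Two servers leasing the same address would cause conflicts.
    if lo <= ex_hi and ex_lo <= hi:
        problems.append("range overlaps DHCP1's scope")
    # The range must cover every client if DHCP1 is down.
    if int(hi) - int(lo) + 1 < clients:
        problems.append(f"fewer than {clients} addresses")
    return problems


def valid_options():
    """Letters of the options that pass every check."""
    return [letter for letter, opt in OPTIONS.items() if not check_scope(*opt)]


if __name__ == "__main__":
    print("client subnet:", client_subnet())
    for letter, opt in OPTIONS.items():
        issues = check_scope(*opt)
        print(letter, "OK" if not issues else "; ".join(issues))
```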

QUESTION 6


You are an Enterprise administrator for contoso.com. The company has a head office and four branch offices. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. Your network is configured as shown in the following diagram. Each office contains a File Server that has a shared folder called SharedData.

You have been assigned the task of ensuring the availability of the data in the SharedData folder in all of the offices when a WAN link fails or a single server fails. You also need to ensure that users are able to use existing drive mappings in case of a WAN link or server failure, with minimum network traffic over the WAN links.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer)

A. Stand-alone DFS namespace
B. Domain-based DFS namespace
C. Having DFS Replication in a hub and spoke topology
D. Having DFS Replication in a full mesh topology

Correct Answer: BC
Section: Exam E
Explanation


Explanation/Reference:
To ensure the data availability of the SharedData folder in all of the offices when a WAN link fails or a single server fails, you need to implement a domain-based DFS namespace that uses DFS Replication in a hub and spoke topology.

Domain-based namespaces require all servers to be members of an Active Directory domain. These types of environments support automatic synchronization of DFS targets. In a domain environment, a server is capable of hosting multiple DFS roots. It allows you to distribute the user workload across multiple DFS replicas rather than overburdening a single server. If a single server fails, the other servers can take over.

Two pre-defined topologies can be selected for DFS Replication. In this scenario DFS Replication in a hub and spoke topology should be used. In this topology every hub member replicates with the hub member, and if desired you can add a second hub member for fault tolerance (the two hub members replicate with each other).

The hub and spoke topology is of particular use for enterprises that have large headquarters where the company’s permanent IT staff are located and multiple small branch offices with little or no on-site IT staff present.

Full mesh topology cannot be used because it will cause too much network traffic. This is because every member of the replication group replicates with every other member of the group. The full mesh topology is useful mainly in large LAN environments where all subnets have high-speed connectivity and you are using DFS Namespaces together with DFS Replication to provide fault-tolerant shared file resources to users.

Reference: Planning a DFS Architecture, Part 1 / Planning a DFS Architecture, Part 2 / Domain-Based Namespaces http://www.petri.co.il/planning-dfs-architecture-part-one.htm

Reference: Configuring and Using DFS Replication http://www.windowsnetworking.com/articles_tutorials/Configuring-Using-DFS-Replication.html

QUESTION 7
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office that connect with each other by using WAN links. The corporate network of the company consists of a single Active Directory domain and an Active Directory site exists for each office.

All the servers in the domain run Windows Server 2008 Enterprise Edition and all client computers run Windows Vista. You have been assigned the task to deploy a failover cluster solution to service users in both offices.

Your failover cluster solution must use the minimum number of servers and ensure the availability of services if a single server fails.

Which of the following options would you choose to accomplish the desired goal?


A. Deploy a failover cluster that contains two nodes in each office, head office and branch office.
B. Deploy a failover cluster that contains two nodes in the head office.
C. Deploy a failover cluster that contains one node in the head office.
D. Deploy a failover cluster that contains one node in each office, head office and branch office.

Correct Answer: D
Section: Exam E
Explanation

Explanation/Reference:
To deploy a failover cluster solution to service users in both offices, you need to deploy a failover cluster that contains one node in each office, head office and branch office.

Windows Server 2008 supports the shared-nothing cluster model, in which two or more independent servers, or nodes, share resources; each server owns and is responsible for managing its local resources and provides nonsharing services. In case of a node failure, the disks, resources and services running on the failed node fail over to a surviving node in the cluster. For example, if an Exchange server is operating on node 1 of the cluster and it crashes, the Exchange application and services will automatically fail over to node 2 of the cluster. This model minimizes server outage and downtime. Only one node manages one particular set of disks, cluster resources and services at any given time. Failover clustering, network load balancing drive high availability.

http://searchsystemschannel.techtarget.com/tip/0,289483,sid99_gci1317355,00.html

QUESTION 8
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

You have been asked to deploy a distributed database application on a Windows Server 2008 server and design a storage strategy that allocates storage space to servers as required, isolates storage traffic from the existing network, and ensures that data is available if a single disk or a single storage controller fails.

Which of the following options would you choose to accomplish the desired goal? (Select two. Each correct answer will present a part of the answer)

A. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS).
B. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O.
C. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O.
D. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS).
E. Configure the storage subsystem as a RAID 5 array.
F. Configure the storage subsystem as a RAID 0 array.

Correct Answer: BE
Section: Exam E
Explanation


Explanation/Reference:
To deploy a distributed database application on a Windows Server 2008 server and design a storage strategy with the given requirements, you need to implement a Fibre Channel (FC) disk storage subsystem that uses Microsoft Multipath I/O and configure a RAID 5 array.

Fibre Channel (FC) technology uses FC switches between servers and storage to create a Storage Area Network (SAN). The connectivity the switches provide allows the connection of more than one server to a storage system. This reduces the number of storage systems required. This would allow a distributed database application to use multiple servers and supports a storage strategy that allocates storage space to servers as required. Multipath I/O (MPIO) is a feature that provides support for using multiple data paths to a storage device. Multipathing increases availability by providing multiple paths (path failover) from a server or cluster to a storage subsystem.

If a server supports Microsoft Multipath I/O (MPIO), Storage Manager for SANs can provide path failover by enabling multiple ports on the server for LUN I/O traffic. To prevent data loss in a Fibre Channel environment, make sure that the server supports MPIO before enabling multiple ports. (On an iSCSI subsystem, this is not needed: the Microsoft iSCSI initiator (version 2.0) that is installed on the server supports MPIO.)

Reference: Support for Multipath I/O http://technet.microsoft.com/en-us/library/cc771719.aspx

Reference: Using Fibre Channel to Reduce SCSI Storage Costs http://dothill.com/assets/pdfs/storage_costs.pdf

QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network is not connected to the Internet. The network contains a file server that contains a shared folder in which remote network users save files.

Which of the following options would you choose to design a data provisioning solution that ensures that only authorized remote users who are not connected to the corporate network are able to access the files and the folders in the corporate network? (Select two. Each correct answer will present a part of the solution.)

A. Configure caching on the shared folder
B. Configure offline files to use encryption
C. Implement a certification authority (CA)
D. Configure Encrypting File System (EFS) for the drive that hosts the files
E. Configure IPsec domain isolation
F. Implement Windows SharePoint Services 3.0
G. Enable Secure Socket Layer (SSL) encryption

Correct Answer: AB


Section: Exam E
Explanation

Explanation/Reference:
To design a data provisioning solution that ensures that only authorized remote users who are not connected to the corporate network are able to access the files and the folders in the corporate network, you need to configure caching on the shared folder. The caching feature of Shared Folders ensures that users have access to shared files even when they are working offline with no access to the network.

Next you need to configure offline files to use encryption, so that only authorized users can access the files on the shared folder.

Reference: Set Caching Options for Shared Folders http://technet.microsoft.com/en-us/library/cc755136.aspx

QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains 100 servers and 5,000 client computers. Microsoft Office Outlook 2007 is installed on all the client computers.

Recently the marketing department has received a custom application that needs to be run by all the employees of the department. The application requires access to Outlook 2003.

Which of the following options would you choose to suggest an application deployment strategy for the network that would ensure that access to both Outlook 2003 and Outlook 2007 is provided without creating a conflict between Outlook 2003 and Outlook 2007 and the other applications installed on the computers?

You also need to ensure that 50 concurrent sessions are supported and the additional training requirements are minimized.

A. Use a Microsoft Application Compatibility Toolkit (ACT) application compatibility shim for all the computers in the marketing department.
B. Install Outlook 2003 on a server and enable Remote Desktop on it.
C. Configure the Terminal Services server role on a server, install Outlook 2003 on the terminal server, and publish Outlook 2003 as a TS RemoteApp.
D. Use a Group Policy object (GPO) to assign Outlook 2003 to all computers in the marketing department.

Correct Answer: C
Section: Exam E
Explanation

Explanation/Reference:
To suggest an application deployment strategy for the network to meet the given requirements, you need to configure the Terminal Services server role on a server. Install Outlook 2003 on the terminal server and publish Outlook 2003 as a Terminal Services RemoteApp (TS RemoteApp).

With Terminal Services, organizations can provide access to Windows-based programs from almost any location to almost any computing device. Terminal Services in Windows Server 2008 includes Terminal Services RemoteApp (TS RemoteApp).

RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user’s local computer. Instead of being presented to the user in the desktop of the remote terminal server, the RemoteApp program is integrated with the client’s desktop, running in its own resizable window with its own entry in the taskbar.

Users can run RemoteApp programs side-by-side with their local programs. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session.

With TS RemoteApp you do not have to deploy and maintain different versions of the same program for individual computers. If employees need to use multiple versions of a program, you can install those versions on one or more terminal servers, and users can access them through TS RemoteApp.

QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008. All the domain controllers on the domain run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to plan a network access solution that ensures that only client computers that have the most up-to-date service packs are granted general network access and all noncompliant client computers are redirected to a specific Web site?

A. Use Windows Server Update Service (WSUS)
B. Use Active Directory Rights Management Services (AD RMS)
C. Use Domain Isolation
D. Use Network Access Protection (NAP)

Correct Answer:
Section: Exam E
Explanation

Explanation/Reference:
To plan a network access solution that ensures that only client computers that have the most up-to-date service packs are granted general network access and all noncompliant client computers are redirected to a specific Web site, you need to implement Network Access Protection (NAP).

Network Access Protection (NAP) is one of the most desired and highly anticipated features of Windows Server 2008. NAP is a new platform and solution that controls access to network resources based on a client computer’s identity and compliance with corporate governance policy. NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

With 802.1X enforcement, a computer must be compliant to obtain unlimited network access through an 802.1X-authenticated network connection. Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant. The validation and enforcement features of NAP can be integrated with software from other vendors or with custom programs.

Note: NAP is not designed to protect a private network from malicious users. It is designed to help administrators maintain the system health of the computers on a private network. NAP is used in conjunction with authentication and authorization of network access, such as using IEEE 802.1X for wireless access.

Reference: Network Access Protection Platform Overview http://technet.microsoft.com/hi-in/library/bb878083(en-us).aspx

Reference: Security and Policy Enforcement http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx

QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

You install an application on a Windows Server 2008 failover cluster that contains a node named contosoServer1.

Which of the following options would you choose to ensure that 50 percent of the processor utilization and the memory utilization can be reserved for the application execution? (Select two. Each correct answer will present a part of the answer.)

A. Implement Windows System Resource Manager (WSRM)
B. Implement File Server Resource Manager (FSRM)
C. Implement Storage Manager for SANs (SMfS)
D. Configure a resource-allocation policy for user-based management
E. Configure a resource-allocation policy for process-based management
F. Configure quotas
G. Configure the LUN Management settings

Correct Answer: AE
Section: Exam E
Explanation


Explanation/Reference:
To ensure that 50 percent of the processor utilization and the memory utilization can be reserved for the application execution, you need to implement Windows System Resource Manager (WSRM) and configure a resource-allocation policy for process-based management.

Microsoft Windows System Resource Manager (WSRM) provides resource management and enables the allocation of resources, including processor and memory resources, among multiple applications based on business priorities.

WSRM enables a system administrator to manage CPU utilization (percent CPU in use), limit the process working set size (physical resident pages in use), and set CPU and memory allocation policies on applications. This includes selecting processes to be managed, and setting resource usage targets or limits.

WSRM maintains an updatable exclusion list of processes that shouldn’t be managed because of the negative system impact such management could create. WSRM also applies limits to process working set size and committed memory consumption. WSRM does not manage address windowing extensions (AWE) memory, large page memory, locked memory, or OS pool memory.

QUESTION 13
Which of the following options would you choose to monitor the performance of 200 Windows Server 2008 servers and generate alerts when the average processor usage is higher than 70 percent for 15 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload?

A. Deploy Microsoft System Center Configuration Manager (SCCM).
B. Install Windows System Resource Manager (WSRM).
C. Configure Microsoft Windows Reliability and Performance Monitor.
D. Deploy Microsoft System Center Operations Manager (SCOM).

Correct Answer: D
Section: Exam E
Explanation

Explanation/Reference:
To generate alerts when the average processor usage is higher than 90 percent for 20 minutes and automatically adjust the processor monitoring threshold to allow for temporary changes in the workload, you need to deploy Microsoft System Center Operations Manager (SCOM).

System Center Operations Manager 2007 (SCOM 2007) is a new version of Microsoft Operations Manager 2005 (MOM). It is the end-to-end service monitoring solution that lets you monitor clients, events, services, applications, and network devices rather than just servers. It provides integration with Active Directory for user authentication and agent discovery.

It provides Active Directory integration, Service Oriented Monitoring, Self-Tuning Thresholds, Enhanced Reporting, Windows computer monitoring and much more.


Reference: From MOM to SCOM http://pcquest.ciol.com/content/enterprise/2007/107070501.asp

Reference: Self Tuning Thresholds – love and hate http://blogs.technet.com/kevinholman/archive/2008/03/19/self-tuning-thresholds-love-and-hate.aspx

QUESTION 14
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008. The company consists of 10,000 computers.

Which of the following options would you choose to design a storage architecture for Windows Server Update Services (WSUS) updates to ensure that the WSUS updates are highly available?

A. Configure the WSUS servers to use a RAID 0 hardware controller and then store the WSUS updates on each WSUS server.
B. Use a remote file share to store the WSUS updates.
C. Store the WSUS updates on a multi-homed network file server. Create two host (A) resource records for the WSUS servers.
D. Store the WSUS updates on a Distributed File System (DFS) link that uses multiple replicating targets.

Correct Answer: D
Section: Exam E
Explanation

Explanation/Reference:
Distributed File System (DFS) is a strategic storage management solution that gives administrators a more flexible way to centrally manage their distributed resources. With DFS, administrators can create simplified views of folders and files, that is, a virtual organization called a namespace, regardless of where those files physically reside in a network.

You should create a single file location that is available to all the front-end WSUS servers. Even if you do not store updates locally, you will need a location for End User License Agreement files. You may wish to do so by storing them on a Distributed File System share.

It is not necessary to use a DFS share with an NLB cluster. You can use a standard network share, and you can ensure redundancy by storing updates on a RAID controller.

Reference: Step 4: Set up a DFS share http://technet.microsoft.com/en-us/library/cc708533.aspx

QUESTION 15
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008.

Several servers on the corporate network of the company run Windows Server Update Services (WSUS) and distribute updates to all computers on the internal network.

The company has many remote users that connect to the internal network from their personal computers using a split-tunnel VPN connection.

You need to deploy a patch management strategy to deploy updates on the remote users’ computers. While deploying the solution, you need to ensure that the required updates are approved on the WSUS servers before they are installed on the client computers, with minimum bandwidth use.

A. Implement client-side targeting by creating a Group Policy object (GPO).
B. Create and configure a computer group for the remote users’ computers to use the internal WSUS server.
C. Deploy and configure an additional WSUS server to leave the updates on the Microsoft Update Web site and then configure the remote users to use the additional WSUS server.
D. Use the Connection Manager Administration Kit (CMAK) to create a custom connection and deploy it to all of the remote users’ computers.

Correct Answer: C
Section: Exam E
Explanation

Explanation/Reference:
To deploy a patch management strategy that deploys updates on the remote users’ computers, you need to deploy an additional WSUS server. Configure the remote users’ computers to use the additional WSUS server. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site.

WSUS is a client-pull system, not a server-push. That is, the client initiates the connection and downloads, not the server. As long as they can communicate, they will.

Also keep in mind that the connection is not continuous. The client only checks in once a day. It also uses BITS to transfer the downloads, so if the VPN connection is disconnected in the middle, it will automatically recover when it next connects to the server. BITS will also attempt to not saturate your bandwidth, but a problem with BITS is that it measures bandwidth by the connection at your network device (NIC, modem, etc.), not the bandwidth along the entire path to the server. Of course, this may have changed in more recent versions of BITS.

Reference: WSUS Forums>Technical Support>WSUS 3 Server http://www.wsus.info/forums/index.php?showtopic=11464

QUESTION 16
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008.

The corporate network contains a Windows Server 2008 server that runs Windows Server Update Services (WSUS), which was configured to store updates locally.


The company has recently opened a few satellite offices that are connected to the main office using a dedicated WAN link.

Which of the following options would you choose to design a patch management strategy to ensure that WSUS updates are approved from a central location and WAN traffic is minimized between the branch office and the satellite offices?

A. For each satellite office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs.
B. In each satellite office, install a WSUS server.
C. Configure each satellite office WSUS server as a replica of the main office WSUS server.
D. Configure each satellite office WSUS server as an autonomous server.
E. Configure different schedules to download updates from the main office WSUS server to the client computers in each satellite office.
F. Configure each satellite office WSUS server to use the main office WSUS server as an upstream server.

Correct Answer: BF
Section: Exam E
Explanation

Explanation/Reference:
To design a patch management strategy to ensure that WSUS updates are approved from a central location and WAN traffic is minimized between the branch office and the satellite offices, you need to install a WSUS server in each satellite office and configure each satellite office WSUS server as a replica of the branch office WSUS server. A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server on which an administrator has to manually configure computer groups and update approvals. All information downloaded and configured on an upstream server is replicated directly to all of the devices configured as downstream servers.

Using this method you will save a great deal of bandwidth, as only one computer is constantly updating from the Internet. More importantly, however, you will save a great deal of time since you are now managing only one server from a software standpoint.

Reference: Deploying Microsoft Windows Server Update Services http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION 17
You are an Enterprise administrator for contoso.com. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

A server on the corporate network of the company runs Windows Server Update Services (WSUS) and distributes updates to all computers on the internal network after obtaining updates online from the Microsoft Update Web site.


Recently a network segment of the corporate network was disconnected from the rest of the network. The users on the disconnected network segment reported that they cannot access the Internet and the WSUS server.

Which of the following options would you choose to recommend a patch management strategy to deploy updates to the computers that are on the disconnected network segment?

A. Deploy a WSUS server on the secure network.
B. Download the wsusscn2.cab file from the Microsoft Update Web site.
C. Copy the wsusscn2.cab file to a computer on the secure network.
D. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS server on the secure network.
E. From the online WSUS server, regularly copy the web.config file and the default Web site home directory to the WSUS server on the secure network.
F. Scan the entire secure network by running Microsoft Baseline Security Analyzer against the wsusscn2.cab file that you downloaded.

Correct Answer: AD
Section: Exam E
Explanation

Explanation/Reference:
To recommend a patch management strategy to deploy updates to the computers that are on the disconnected network segment, you need to deploy a WSUS server on the secure network. From the online WSUS server, copy the update metadata and the WSUS content to the WSUS server on the secure network.

If your environment demands a network segment be disconnected from the Internet, or disconnected from the rest of your network altogether, don’t think you need to resort to the “sneaker net” method of patch distribution. Simply build a stand-alone WSUS server and import updates from removable media such as tape or DVD-ROM.

The process of exporting the updates from an Internet-connected server, and then importing them into your disconnected one is well documented in the WSUS Deployment Guide. However, here are the steps at a high level to give you an idea of the process:
1. Build your stand-alone WSUS server and configure its language and express installation options to match that of the Internet-connected WSUS server that will provide updates.
2. Copy the update content directory from the Internet-connected WSUS server to removable media. Remember that this content directory may be quite large (multi-gigabytes) so you may need to resort to tape, dual-layer DVD, or external USB hard drive.
3. Export and copy the update metadata from the Internet-connected WSUS server’s database to removable media.
4. Copy the update content from removable media onto the disconnected WSUS server.
5. Import the update metadata from removable media into the disconnected WSUS server’s database.

Reference: Advanced Deployment Options / Offline Updates http://www.wsuswiki.com/AdvDeployOptions


QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

Several servers on the corporate network of the company run Windows Server Update Services (WSUS) and distribute updates to all computers on the internal network. The WSUS server is configured to store updates locally.

The company has recently opened four new satellite offices that are connected to the main office by using a dedicated WAN link. Internet access to the users of the satellite office is provided through the main office.

Which of the following options would you choose to design a strategy for patch management that ensures that the WSUS updates are approved independently for each satellite office with the use of minimum Internet traffic? (Select two. Each correct answer will present a part of the solution.)

A. For each satellite office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs.
B. In each satellite office, install a WSUS server.
C. Configure each satellite office WSUS server as a replica of the main office WSUS server.
D. Configure each satellite office WSUS server as an autonomous server.
E. Configure different schedules to download updates from the main office WSUS server to the client computers in each satellite office.
F. Configure each satellite office WSUS server to use the main office WSUS server as an upstream server.

Correct Answer: BF
Section: Exam E
Explanation

Explanation/Reference:
To design a strategy for patch management that ensures that the WSUS updates are approved independently for each satellite office and the minimum Internet traffic used, you need to install a WSUS server in each satellite office and then configure each satellite office WSUS server to use the main office WSUS server as an upstream server.

A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server that an administrator has to manually configure computer groups and update approvals on.

All information downloaded and configured on to an upstream server is replicated directly to all of the devices configured as downstream servers. Using this method you will save a great deal of bandwidth as only one computer is constantly updating from the Internet. More importantly however, you will save a countless amount of time since you are only managing one server now from a software standpoint.

Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves.

QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to design a Windows Server Update Services (WSUS) infrastructure that ensures that the updates are distributed from a central location and all computers must continue to receive updates in the event that a server fails? (Select two. Each correct answer will present a part of the solution.)

A. Configure a single WSUS server to use multiple downstream servers.
B. Configure two WSUS servers in a Microsoft SQL Server 2005 failover cluster.
C. Configure a Microsoft SQL Server 2005 failover cluster.
D. Configure each WSUS server to use a RAID 1 mirror and a local database.
E. Configure each WSUS server to use a local database.
F. Configure each WSUS server to use a RAID 5 array and a local database.
G. Configure two WSUS servers in a Network Load Balancing cluster and then configure WSUS to use the remote SQL Server 2005 database instance.

Correct Answer: CG
Section: Exam E
Explanation

Explanation/Reference:
To design a Windows Server Update Services (WSUS) infrastructure that ensures that the updates are distributed from a central location and all computers must continue to receive updates in the event that a server fails, you need to:

Configure a Microsoft SQL Server 2005 failover cluster.
Configure two WSUS servers in a Network Load Balancing cluster.
Configure WSUS to use the remote SQL Server 2005 database instance.

Network load balancing (NLB) is a strategy that can keep networks running even if one (or more) servers go offline. It can be used in conjunction with WSUS, but requires special steps at setup time. You should set up WSUS for NLB after configuring your SQL Server 2005 database as a failover cluster.

Reference: Appendix C: Configure WSUS for Network Load Balancing http://technet.microsoft.com/en-us/library/cc708533.aspx

QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

Several servers on the corporate network of the company run Windows Server Update Services (WSUS) and distribute updates to all computers on the internal network.

The company has many remote users that connect to the internal network from their personal computers using a split-tunnel VPN connection.

Which of the following options would you choose to deploy a patch management strategy that deploys updates on the remote users’ computers? While deploying the solution, you need to ensure that the bandwidth use over the VPN connections is minimized and the required updates are approved on the WSUS servers before they are installed on the client computers.

A. Perform client-side targeting using a GPO.
B. Create and configure a computer group for the remote users’ computers to allow them to use the internal WSUS server.
C. Deploy an additional WSUS server for the remote users’ computers. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site.
D. Use Connection Manager Administration Kit (CMAK) to create a custom connection and then deploy the custom connection to all of the remote users’ computers.

Correct Answer: C
Section: Exam E
Explanation

Explanation/Reference:
To deploy a patch management strategy that deploys updates on the remote users’ computers, you need to deploy an additional WSUS server. Configure the remote users’ computers to use the additional WSUS server. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site.

Microsoft Windows Server Update Services (WSUS) is the Microsoft provided solution for enterprise patch management. Using WSUS, network administrators can manage and deploy software updates for all of the Microsoft products in a network. Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves.

In a typical WAN scenario the bandwidth is a restriction. It is common that remote network locations will have a high speed connection to the Internet but a rather low speed link back to the main office, such as through a VPN. In these cases, an upstream server can manage update approvals, but those remote downstream servers can be configured to download the approved updates directly from the Internet as opposed to the upstream server. Therefore you need to configure the additional WSUS server to leave the updates on the Microsoft Update Web site.

Reference: Deploying Microsoft Windows Server Update Services http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html

QUESTION 21
You are an Enterprise administrator for contoso.com. The company consists of a head office and three branch offices. The corporate network of the company consists of a single Active Directory domain.

Each office contains an Active Directory domain controller. Which of the following options would you choose to create a DNS infrastructure for the network that would allow the client computers in each office to register DNS names within their respective offices? You also need to ensure that the client computers must be able to resolve names for hosts in all offices.

A. For each office site, create a standard primary zone.
B. For the head office site, create a standard primary zone and for each branch office site, create an Active Directory-integrated stub zone.
C. For the head office site, create a standard primary zone at the head office site and for each branch office site, create a secondary zone.
D. Create an Active Directory-integrated zone at the head office site.

Correct Answer: D
Section: Exam E
Explanation

Explanation/Reference:
To create a DNS infrastructure for the network that would allow the client computers in each office to register DNS names within their respective offices and to ensure that the client computers must be able to resolve names for hosts in all offices, you need to create an Active Directory-integrated zone at the head office site.

Active Directory Integrated zones store their zone information within Active Directory instead of text files. This ensures that the client computers can resolve names for hosts in all offices. The advantages of this new type of zone included using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database.

Reference: DNS Stub Zones in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

Exam F

QUESTION 1
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The company consists of 30 database servers. An organizational unit (OU) called Data exists in the AD domain that stores the computer accounts for these database servers. Another OU called Admin exists for the user accounts of the database administrators. The database administrators are also the members of a global group called Data_Admins.

Which of the following options would you choose to allow the database administrators to perform administrative tasks on the database servers while preventing them from performing administrative tasks on other servers?

A. For Admin OU, deploy a group policy.
B. In the Domain Admins global group, add the Data_Admins users.
C. In the Server Operators domain local group, add the Data_Admins users.
D. Deploy a group policy to the Data OU.

Correct Answer: D
Section: Exam F
Explanation

Explanation/Reference:
To allow the database administrators to perform administrative tasks on the database servers while preventing them from performing administrative tasks on other servers, you need to deploy a group policy to the Data OU.

Group Policy enables centralized, Active Directory based configuration and change management of computers running Windows Server 2008, Windows Vista, Windows XP and Windows Server 2003. The Group Policy settings you create are contained within a Group Policy Object (GPO) and associated with (or linked to) a Domain, Site or Organizational Unit (OU) using the Group Policy Management Console (GPMC). By using the Group Policy Management Console to link a GPO to an object in Active Directory, you apply these settings to the Users and Computers contained therein.

Reference: Windows Server 2008 Springboard Series Part 02: Deploying and Managing Group Policy http://71.203.223.220/files/WS08SBSprt02_GRPOL.docx

QUESTION 2
You are an Enterprise administrator for contoso.com. The company has a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the domain controllers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The English language version of Windows Vista is installed in the head office and the Spanish language version of Windows Vista is installed in the branch office.

Which of the following options would you choose to configure custom application settings by using a Group Policy object (GPO) to allow administrators to view and edit the GPO in their own language and minimize the number of GPOs deployed?

A. Create an ADM file and then configure the GPO and link it to the domain.
B. Configure and link a Starter GPO to the head office site. Backup and import the Starter GPO from the main office site and link it to the branch office site.
C. Install the English language and the Spanish language on all domain controllers and then configure and link a GPO to the head office site. Backup the GPO from the head office site and import and link it to the branch office site.
D. Create ADMX and ADML files and then configure and link the GPO to the domain.

Correct Answer: D
Section: Exam F
Explanation

Explanation/Reference:
To configure custom application settings by using a Group Policy object (GPO) to allow administrators to view and edit the GPO in their own language and minimize the number of GPOs deployed, you need to create ADMX and ADML files and then configure the GPO and link it to the domain.

ADMX files are language neutral. This basically means that the descriptions of Group Policy settings are not part of the .admx files. They are stored in .adml files. Vista automatically loads the correct .adml files. This is a very useful feature for international companies. Administrators in different countries can work with the same templates, but always get the descriptions of the Group Policy settings in their own language.

ADMX files are, like ADM files, only templates. The Group Policy settings are still populated to the clients through registry.pol files. That’s the reason why ADMX files and ADM files can coexist.

Reference: Group Policy templates in Windows Vista: ADMX files replace ADM files http://4sysops.com/archives/group-policy-templates-in-windows-vista-admx-files-replace-adm-files/

QUESTION 3
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers run Windows Server 2008 and all client computers run Windows Vista. All the servers have Terminal Services role enabled.

Which of the following options would you choose to deploy a new line-of-business application to all client computers while ensuring that the users must access the application from an icon on their desktops? They should also be able to access the application even when they are not connected to the network.

A. Publish the application as TS RemoteApp.
B. Use GPO to assign the application to all client computers.
C. Use GPO to assign the application to the terminal server.
D. Use TS Web Access to publish the application.

Correct Answer: B
Section: Exam F
Explanation

Explanation/Reference:
To ensure that the users must access the application from an icon on their desktops even when they are not connected to the network, you need to assign the application to all client computers by using a Group Policy object (GPO).

As you may already know, in an Active Directory environment, group policies are the main component of network security. There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. Publishing an application doesn’t actually install the application, but rather makes it available to users.

Assigning an application to a user works differently than publishing an application. Again, assigning an application is a group policy action, so the assignment won’t take effect until the next time that the user logs in. When the user does log in, they will see that the new application has been added to the Start menu and / or to the desktop.

Although a menu option or an icon for the application exists, the software hasn’t actually been installed though. To avoid overwhelming the server containing the installation package, the software is not actually installed until the user attempts to use it for the first time.

Reference: Using Group Policy to Deploy Applications http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Deploy-Applications.html

Reference: Planning and Deploying Group Policy 2008 http://www.scribd.com/doc/4716059/Planning-and-Deploying-Group-Policy-2008

QUESTION 4
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008.

Which of the following options would you choose to ensure that administrators on the network are allowed to install USB drives on their computers and the non-administrative users are prevented from installing USB drives on their computers?

A. Configure device installation restrictions using a GPO.
B. Implement Windows BitLocker Drive Encryption.
C. Use WSRM to configure a per user resource access policy.
D. Implement the UDDI Services server role.

Correct Answer: A
Section: Exam F
Explanation

Explanation/Reference:
To ensure that administrators on the network are allowed to install USB drives on their computers and the non-administrative users are prevented from installing USB drives on their computers, you need to use a Group Policy object (GPO) to configure device installation restrictions.

The group policy settings called Preventing Installation of Removable Devices and Prevent Installation of Devices Not Described By Other Policy Settings enable you to achieve the desired goal. These policies can be found in the group policy tree at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

The Prevent Installation of Removable Devices setting prevents users from installing removable devices. The Prevent Installation of Devices Not Described By Other Policy Settings group policy setting is kind of a catch-all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting, but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.

Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install.

Reference: Windows Longhorn: Using Group Policy to Control Device Management (Part 2) http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-Control-Device-Management-Part2.html

QUESTION 5

You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008.

The company consists of three departments: Sales, Finance, and Engineering. The Organizational Units (OUs) called Employees, Managers, and Staff exist in the AD domain. The relevant portion of the Active Directory domain is shown in the diagram.

The Staff OU contains all user accounts except for the managers’ user accounts. The Managers OU contains the managers’ user accounts and the Sales, Finance, and Engineering global groups. You have recently created a new Group Policy object (GPO) named GPO1, and then linked it to the Employees OU.

After this configuration, the users from the Engineering global group report that they are unable to access the Run command on the Start menu. On troubleshooting, you discovered that the GPO1 settings are causing this problem.

Which of the following options would you choose to ensure that the users from the Engineering global group are able to access the Run command on the Start menu?

A. Under the Employees OU, create a new child OU for Engineering department and then move the Engineering global group to the new Engineering OU.
B. On the Managers OU, configure Block Policy Inheritance.
C. For the Engineering global group, configure Group Policy filtering on GPO1.
D. Configure GPO1 to use the Enforce Policy option.

Correct Answer: C
Section: Exam F
Explanation

Explanation/Reference:
To ensure that the users from the Engineering global group are able to access the Run command on the Start menu, you need to configure Group Policy filtering on GPO1 for the Engineering global group.

If you’ve been administering Group Policies for just a short period of time you have probably noticed that there is no search option for specific policy settings. Search is not referred to as “search” within GPME, it’s still called “filtering” like the limited functionality we had in previous versions – but it’s much more advanced now. You’ll be able to see that as soon as you select the “Filter Options” from the View menu. You can use filtering to access the Run command on the Start menu for specific global groups.

Reference: Group Policy related changes in Windows Server 2008 – Part 2: GPMC Version 2 Filtering to search http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part2.html

QUESTION 6
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the domain is Windows Server 2008.

The company consists of four departments: Sales, Research, Development, and Marketing. The users of the Research department of the company have sensitive information on their computers. Therefore the company requires that the users from the Research department have higher levels of account and password security than other users in the domain.

Which of the following options would you choose to recommend a solution that meets the company’s requirements with minimum hardware and software costs?

A. Create a new Active Directory site for the research department users and deploy a Group Policy object (GPO) to the site.
B. Create a new domain, add the research department user accounts to the new domain, and configure a new security policy for the new domain.
C. For the research department users, create a new Password Settings Object (PSO).
D. Create a new organizational unit (OU) in the domain for research department users called ResearchOU and deploy a GPO to the ResearchOU.

Correct Answer: C
Section: Exam F
Explanation

Explanation/Reference:
To recommend a solution that meets the company’s requirements with minimum hardware and software costs, you need to create a new Password Settings Object (PSO) for the research department’s users.

“Granular Password Settings”, or “Fine-Grained Password Policy”, is based on the introduction of two new object classes in the AD schema: the “Password Settings Container” and “Password Setting” objects. These objects basically provide us the option to introduce multiple password policies into a single AD domain.

Create PSOs and assign them to users and/or groups. One reason is hosting scenarios where multiple companies are present in a single AD domain; another, more common reason is where we need stricter settings to apply to a specific group of people with privileged accounts (like domain administrators, help desk personnel etc.).

Those privileged accounts can have a complexity requirement and a requirement of defining a minimum of 16 characters in their passwords and other, more limited accounts, can have more “user friendly” requirements – although I would recommend everyone to use passwords of that strength.

Reference: Configuring Granular Password Settings in Windows Server 2008, Part 2 http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html

QUESTION 7
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain.

All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The domain contains three organizational units (OUs) named TestOU1, TestOU2, and TestOU3.

Which of the following options would you choose to redesign the layout of the OUs to prevent the Group Policy objects (GPOs) that are linked to the domain from applying to computers located in TestOU2? You also need to minimize the number of GPOs and the number of OUs.

A. On the TestOU2, configure block inheritance.
B. Create a WMI filter.
C. Delegate permissions on the Application OU.
D. Create a Starter GPO.

Correct Answer: A
Section: Exam F
Explanation

Explanation/Reference:
Typically, group policies are passed down from parent to child containers within a domain, which you can view with the Active Directory Users and Computers console. Group policy is not inherited from parent to child domains. If you assign a specific group policy setting to a high-level parent container, that setting applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a group policy setting for a child container, the child container’s setting overrides the one for the parent container.

The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No Override setting is enabled. You can block policy inheritance at the domain or organizational unit level.

Reference: Inheriting a Meager Comprehension of Policy Inheritance http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=60

QUESTION 8
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The company has recently appointed 5 support technicians to provide support to network users. You have been asked to provide the support technicians a GPO that contains the preconfigured settings, which they can use to create new GPOs.

Which of the following options would you choose to ensure that support technicians can create Group Policy objects (GPOs) in the domain using the preconfigured GPO? (Select two. Each selected option will present a part of the answer.)

A. Add the support technicians to the Account Operators group.
B. Add the support technicians to the Group Policy Creator Owners group.
C. Delegate control on the Domain Controllers organizational unit (OU).
D. Delegate control on the Users container.
E. Assign permissions on the Sysvol folder.
F. Create a new Starter GPO.
G. Create an ADMX file.
H. Create an ADML file.

Correct Answer: BF
Section: Exam F
Explanation

Explanation/Reference:
To ensure that support technicians can create Group Policy objects (GPOs) in the domain using the preconfigured GPO, you need to add the support technicians to the Group Policy Creator Owners group and create a new Starter GPO.

The GPMC 2.0 provides a new (empty) container called “Starter GPOs”. This new container can hold “templates” for creating new GPOs – with the limitation that only “Administrative Templates” settings are available – from both ‘Computer Configuration’ and ‘User Configuration’. Settings like “Software Settings” (software installation) and “Windows Settings” (scripts, account policies, user rights, software restriction policies, etc.) are NOT available in Starter GPOs. The users who are added to Group Policy Creator Owners group would be allowed to use the Starter GPO to make required configurations.

Reference: Group Policy related changes in Windows Server 2008 – Part 1: What are Starter GPOs? http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html

QUESTION 9
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

Many users of the company store all of their files in their Documents folder. Most of the stored files are large. You plan to implement roaming user profiles for all users by using Group Policy. However, with roaming user profiles it will take them a long time to log on and log off of the computers.

Which of the following options would you choose to minimize the amount of time that roaming users take to log on and log off of the computers?

A. Include the Background Intelligent Transfer Service (BITS) settings in the Group Policy object (GPO).
B. Enable caching on the profiles share on the server that hosts the roaming user profiles.
C. Install and configure the Background Intelligent Transfer Service (BITS) server extensions on any server.
D. Modify the Group Policy object (GPO) to include folder redirection.

Correct Answer: D
Section: Exam F
Explanation

Explanation/Reference:
To minimize the amount of time that roaming users take to log on and log off of the computers, you need to modify the Group Policy object (GPO) to include folder redirection.

The roaming profiles and folder redirections can make your life easier. With roaming profiles though, each user’s files and settings follow them from PC to PC, so there is no need to move anything.

Now that you know what a profile looks like, let’s talk about making the profile mobile. The basic technique behind creating a roaming profile involves creating a shared folder on the server, creating the user a folder within the share, and then defining the user’s profile location through the group policy, which is called folder redirection.

Reference: Profile and Folder Redirection In Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

QUESTION 10
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to prevent users from being able to install removable devices on client computers while ensuring that the domain administrators and desktop support technicians are allowed to install removable devices on client computers? You need to achieve the desired goal with the minimum amount of administrative effort.

A. On all domain controllers, implement Windows System Resource Manager (WSRM).
B. On all client computers, deploy Connection Manager Administration Kit (CMAK).
C. On all client computers, configure a Group Policy object (GPO).
D. On all client computers, configure User Account Control.

Correct Answer: C
Section: Exam F
Explanation

Explanation/Reference:
To prevent users from being able to install removable devices on client computers, you need to implement a Group Policy object (GPO) for all client computers.

The group policy settings called Prevent Installation of Removable Devices and Prevent Installation of Devices Not Described By Other Policy Settings would enable you to achieve the desired goal. These policies can be found in the group policy tree at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

The Prevent Installation of Removable Devices setting prevents users from installing removable devices. The Prevent Installation of Devices Not Described By Other Policy Settings group policy setting is kind of a catch-all setting. There are a couple of different ways that you can use this policy setting. One thing that you can do is to enable this setting, but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.

Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install.

Reference: Windows Longhorn: Using Group Policy to Control Device Management (Part 2) http://www.windowsnetworking.com/articles_tutorials/Windows-Longhorn-Using-Group-Policy-Control-Device-Management-Part2.html

QUESTION 11
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

The AD domain consists of a top-level OU called EmployeesOU that contains three OUs called ManagersOU, StaffOU, and InternsOU to store the accounts of Managers, Staff, and Interns respectively. The relevant portion of the Active Directory domain is configured as shown in the exhibit.

Currently the EmployeesOU is configured in such a way that the users in the ManagersOU receive the Group Policy object (GPO) settings that are deployed to the EmployeesOU.

Which of the following options would you choose to ensure that the user accounts in the ManagersOU are unaffected by the GPOs that are deployed to the EmployeesOU?

A. On each GPO that links to the EmployeesOU, connect a Windows Management Instrumentation (WMI) filter.
B. Move the ManagersOU to the StaffOU.
C. On the ManagersOU, configure Block Policy Inheritance.
D. Enforce the GPO link on the EmployeesOU.

Correct Answer: C
Section: Exam F
Explanation

Explanation/Reference:
To ensure that the user accounts in the ManagersOU are unaffected by the GPOs that are deployed to the EmployeesOU, you need to configure Block Policy Inheritance on the ManagersOU.

Typically, group policies are passed down from parent to child containers within a domain, which you can view with the Active Directory Users and Computers console. Group policy is not inherited from parent to child domains, for example, from cco.com to sales.cco.com. If you assign a specific group policy setting to a high-level parent container, that setting applies to all containers beneath the parent container, including the user and computer objects in each container. However, if you explicitly specify a group policy setting for a child container, the child container’s setting overrides the one for the parent container.

The Block Policy inheritance option blocks Group Policy Objects that apply higher in the Active Directory hierarchy of sites, domains, and organizational units. It does not block GPOs whose No Override setting is enabled.

You can block policy inheritance at the domain or organizational unit level. In WS2K3 R2, you don’t use Active Directory Users and Computers for this function like you used to; you now use the Group Policy Management console.

Reference: Inheriting a Meager Comprehension of Policy Inheritance http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=60

QUESTION 12
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest that contains a root domain and two child domains. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to deploy the corporate policy of the company that states that all the local administrator accounts must be renamed and all the local guest accounts must be renamed and disabled?

A. In each domain, deploy Network Policy and Access Services (NPAS) on all domain controllers.
B. Implement a Group Policy object (GPO) for each domain.
C. On the root domain controllers, deploy Active Directory Rights Management Services (AD RMS).
D. Implement a Group Policy object (GPO) for the root domain.

Correct Answer: B
Section: Exam F
Explanation

Explanation/Reference:
To deploy the corporate policy of the company that states that all the local administrator accounts must be renamed and all the local guest accounts must be renamed and disabled, you need to implement a Group Policy object (GPO) for each domain.

You can change the administrator account and guest account names by using Group Policy in Windows Server 2003. This may be useful if you want to change the name of the administrator or guest user accounts to minimize the chance of misuse of these accounts.

Reference: HOW TO: Rename the Administrator and Guest Account in Windows Server http://support.microsoft.com/kb/816109

QUESTION 13
You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. The branch office of the company contains a Read-only Domain Controller (RODC) named contosoServer1. A global group called GLB contains the user accounts for administrators.

Which of the following options would you choose to ensure that the GLB group has rights on contosoServer1 only and that its members are not allowed to modify Active Directory objects?


Which of the following options would you choose to accomplish the desired task?

A. On contosoServer1, add the GLB global group to the Administrators local group.
B. Add the GLB global group to the Server Operators domain local group.
C. Create a new OU and move the contosoServer1 computer object to a new OU and then grant Full Control permission on the new OU to the GLB group.
D. On the contosoServer1 computer object in the domain, grant Full Control permission to the GLB group.

Correct Answer: A
Section: Exam F
Explanation

Explanation/Reference:
To accomplish the desired task, you need to add the GLB global group to the Administrators local group of contosoServer1.

Administrators is a local group that provides full administrative access to an individual computer or a single domain, depending on its location.

Domain Admins is a global group designed to help you administer all the computers in a domain. This group has administrative control over all computers in a domain because it’s a member of the Administrators group by default. To make someone an administrator for a domain, make that person a member of this group.

Reference: Using Default Group Accounts http://technet.microsoft.com/en-us/library/bb726982.aspx

Reference: Securing the Local Administrators Group on Every Desktop http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

QUESTION 14
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007.

The corporate network runs:
File servers
Database server
Microsoft Exchange Server 2007 servers

The company has many mobile users that can access the corporate network remotely by using HTTP and HTTPS connections only.

Which of the following options would you choose to ensure that remote users are able to establish secure connections to the network and are able to access the database server and file servers and have access to e-mail? (Select two. Each selected option will present a part of the answer.)

A. Upgrade all client computers to Windows Vista Service Pack 1.
B. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP).
C. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers.
D. Implement Outlook Anywhere for Exchange Server 2007.
E. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).
F. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).

Correct Answer: AE
Section: Exam F
Explanation

Explanation/Reference:
To ensure that remote users are able to establish secure connections to the network and are able to access the database server and file servers and have access to e-mail, you need to upgrade all client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).

Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can use it behind a NAT, across a firewall, through a Web proxy – as long as TCP port 443 is open (which it usually is for HTTPS traffic).

SSTP is more than just another SSL-based VPN that only works with Web clients. It’s fully integrated into the remote access architecture of Windows, which means you can use it with Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server 2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP sessions across servers.

Reference: SSTP Makes Secure Remote Access Easier http://biztechmagazine.com/article.asp?item_id=377

QUESTION 15
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a DNS server that runs a Server Core installation of Windows Server 2008. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista.

Which of the following options would you choose to allow the administrators of the company to manage the DNS server from their Windows Vista client computers?

A. Set the Remote Access Connection Manager Service to automatic on the DNS server.
B. Create a custom Microsoft Management Console on the Windows Vista client computers and then add the Component Services snap-in.
C. Install Remote Server Administration Tools (RSAT) on the Windows Vista client computers.
D. Run Setup.exe /u from the Windows Server 2008 installation media on the Windows Vista client computers.

Correct Answer: C
Section: Exam F
Explanation

Explanation/Reference:
To allow the administrators of the company to manage the DNS server from their Windows Vista client computers, you need to install Remote Server Administration Tools (RSAT) on the Windows Vista client computers.

RSAT is an excellent set of tools for IT Pros wanting to manage their Windows Server environment right from their desktop. RSAT also includes an updated Group Policy Management Console (GPMC), which was previously removed in Windows Vista SP1. RSAT is an updated version of what is called ADMINPAK.MSI and can be used by IT Pros to manage computers running Windows Server 2008.

Reference: Remote Server Administration Tools (RSAT) Now Available for Windows Vista SP1 http://windowsvistablog.com/blogs/windowsvista/archive/2008/03/25/remote-server-administration-tools-rsat-now-available-for-windows-vista-sp1.aspx

QUESTION 16
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run either Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista.

All domain controllers on the network run Windows Server 2008 and a firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. The Windows Server 2003 servers have the Terminal Server component installed. You have been asked to give remote users access to the Terminal Server servers.

Which of the following options would you choose to accomplish the given task while ensuring that the minimum number of ports are open on the firewall server, all remote connections to the Terminal Server servers are encrypted, and access to client computers that have Windows Firewall disabled is prevented? (Select two. Each selected option will present a part of the answer.)

A. Upgrade a Windows Server 2003 server to Windows Server 2008.
B. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal Services resource authorization policy (TS RAP).
C. Implement the Terminal Services Gateway (TS Gateway) role and Network Access Protection (NAP).
D. Implement the Terminal Services Gateway (TS Gateway) role and configure a Terminal Services connection authorization policy (TS CAP).
E. Implement port forwarding and Network Access Quarantine Control on the ISA Server.

Correct Answer: AC
Section: Exam F
Explanation

Explanation/Reference:
To accomplish the given task, you need to upgrade a Windows Server 2003 server to Windows Server 2008. On the Windows Server 2008 server, implement the Terminal Services Gateway (TS Gateway) role, and implement Network Access Protection (NAP).

You need to upgrade the Windows Server 2003 server to Windows Server 2008 because NAP is a feature of Windows Server 2008. Network Access Protection helps you ensure that the computers that connect to your network meet health status requirements, reducing the risk that they’ll introduce viruses or serve as the conduit for attacks and exploits. (e.g., updated and protected by a firewall, antivirus, and anti-spyware software) can be connected to a remediation server, to be brought into compliance.

Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. The network resources can be terminal servers, terminal servers running Terminal Services RemoteApp programs, or computers with Remote Desktop enabled. TS Gateway enables remote users to connect to internal network resources over the Internet, by using an encrypted connection, without needing to configure virtual private network (VPN) connections.

TS Gateway transmits RDP traffic to port 443 instead, by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. Because most corporations open port 443 to enable Internet connectivity, TS Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.

QUESTION 17
You are an Enterprise administrator for contoso.com. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The corporate network of the company consists of two servers that run the Server Core installation of Windows Server 2008 as a part of a Network Load Balancing cluster.

Which of the following options would you choose to allow the administrators to remotely manage the Network Load Balancing cluster through their Windows Vista client computers? Your strategy must support automation.

A. Enable Windows Remote Management (WinRM) on the client computers.
B. Enable Windows Remote Management (WinRM) on the servers.
C. Add the administrators to the Remote Desktop Users group on the servers.
D. Add the administrators to the Remote Desktop Users group on the client computers.

Correct Answer: B
Section: Exam F
Explanation

Explanation/Reference:
To allow the administrators to remotely manage the Network Load Balancing cluster through their Windows Vista client computers, you need to enable Windows Remote Management (WinRM) on the servers.

By using another computer running Windows Vista or Windows Server 2008, you can use Windows Remote Shell, which uses WinRM, to run command-line tools and scripts on a server running a Server Core installation.

Windows Remote Management (known as WinRM) is a handy new remote management service for Windows Server 2003 R2, Windows Vista, and Windows Server 2008. WinRM is the “server” component of this remote management application and WinRS (Windows Remote Shell) is the “client” for WinRM, which runs on the remote computer attempting to remotely manage the WinRM server.

Reference: Server Core Installation Option of Windows Server 2008 Step-By-Step Guide http://technet.microsoft.com/en-us/library/cc753802.aspx#bkmk_managingservercore

Reference: How can Windows Server 2008 WinRM & WinRS help you? http://www.windowsnetworking.com/articles_tutorials/How-Windows-Server-2008-WinRM-WinRS.html

QUESTION 18
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all client computers run Windows Vista and Microsoft Office Outlook 2007.

The corporate network runs two file servers, one database server on TCP port 47182, and Microsoft Exchange Server 2007 servers. The company has many mobile users and you have been asked to provide them with remote access to the corporate network.

You have been told that the remote users work from locations that only support access to the Internet by using HTTP and HTTPS.

Which of the following options would you choose to ensure that remote users are able to establish secure connections to the network and are able to access the database and file servers and e-mail? (Select two. Each selected option will present a part of the answer.)

A. Upgrade all client computers to Windows Vista Service Pack 1.
B. Implement Outlook Anywhere for Exchange Server 2007.
C. Deploy Connection Manager Administration Kit (CMAK) profiles to the client computers.
D. Implement a VPN solution that uses Layer Two Tunneling Protocol (L2TP).
E. Implement a VPN solution that uses Point-to-Point Tunneling Protocol (PPTP).
F. Implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).

Correct Answer: AF
Section: Exam F
Explanation

Explanation/Reference:
To ensure that remote users are able to establish secure connections to the network and are able to access the database server and file servers and have access to e-mail, you need to upgrade all client computers to Windows Vista Service Pack 1 and implement a VPN solution that uses Secure Socket Tunneling Protocol (SSTP).

Windows Vista Service Pack 1 and Windows Server 2008 now include a new VPN technology called Secure Socket Tunneling Protocol (SSTP), which is designed to make secure remote access very easy. SSTP is designed to enable VPN tunneling for virtually any scenario. You can use it behind a NAT, across a firewall, through a Web proxy – as long as TCP port 443 is open (which it usually is for HTTPS traffic).

SSTP is more than just another SSL-based VPN that only works with Web clients. It’s fully integrated into the remote access architecture of Windows, which means you can use it with Winlogon authentication or with strong authentication such as smart card or RSA SecurID; or, you can create and manage CMAK profiles, remote access policies, and the like. Plus, it uses only one HTTPS channel between the SSTP client (Windows Vista) and the SSTP server (Windows Server 2008) for each SSTP VPN connection, which makes it straightforward to load-balance SSTP sessions across servers.

Reference: SSTP Makes Secure Remote Access Easier http://biztechmagazine.com/article.asp?item_id=377

QUESTION 19
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest, which contains three domains named contoso.com, region1.contoso.com, and region2.contoso.com.

All the servers on the network run Windows Server 2008 and all client computers run Windows Vista. The functional level of the three domains is Windows Server. The company contains a helpdesk team, which is a part of the Account Operators group in the contoso.com domain. The members of the helpdesk team frequently join and leave the helpdesk team. The helpdesk employees have all the permissions to modify the properties of user objects in contoso.com.

Which of the following options would you choose to minimize the administrative effort required to manage the frequent changes to the helpdesk staff and enable the helpdesk employees to manage the user objects in all three domains? (Select two. Each selected option will present a part of the answer.)

A. Add the respective helpdesk user accounts to the Account Operators group in both region1.contoso.com and region2.contoso.com.
B. Create a new global group for helpdesk users in contoso.com. Add the helpdesk user accounts to the global group and to the Account Operators group in all three domains.
C. Assign Full Control permissions to the Account Operators group in contoso.com for user accounts in all three domains.
D. Create a new global group in contoso.com for helpdesk users in contoso.com. Add the helpdesk user accounts to the global group and then add the global group to the Account Operators group that is on every member server in all three domains.

Correct Answer: B
Section: Exam F
Explanation

Explanation/Reference:
To minimize the administrative effort required to manage the frequent changes to the helpdesk staff and enable the helpdesk employees to manage the user objects in all the three domains, you need to: Create a new global group in contoso.com named Helpdesk-group. Add the helpdesk user accounts to Helpdesk-group. Add Helpdesk-group to the Account Operators group that is in all three domains.

Helpdesk-group global group will help the helpdesk users to administer the domain tree or forest. Next when you add the Helpdesk-group to the Account Operators group that is in all three domains, you would limit the privileges of this group. Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can’t manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can’t modify user rights.

QUESTION 20
You are an Enterprise administrator for contoso.com. The corporate network of the company contains two Windows Server 2008 computers and two identical print devices.

Which of the following options would you choose to manage the print queue from a central location and balance the load of print jobs on both the printers?

A. Install and share a printer on one of the servers and enable printer pooling.
B. Add both the servers to a Network Load Balancing cluster and install a printer on each node of the cluster.
C. Install and share a printer on each server and then install the printers on the client computers using Print Manager.
D. Install the Terminal Services server role on both servers and configure Terminal Services Session Broker (TS Session Broker).

Correct Answer: A
Section: Exam F
Explanation

Explanation/Reference:
To plan a print services infrastructure that would allow you to manage the print queue from a central location and balance the load of print jobs on both the printers, you need to install and share a printer on contosoServer1 and enable printer pooling.

Printer pooling allows you to print to several printers at once. If you have a large print job you can submit it to the pool and the operating system will balance the load among the printers. This feature allows network administrators to configure and manage several printers as one, a process that can simplify printer administration. In addition, printer pooling provides some load-balancing. That’s because Windows 2000 Server directs print jobs to the connected printers based on jobs pending at each printer. A printer pool contains multiple printers, all configured as a single printer instance.

Reference: Configure printer pooling to simplify printer management in Windows 2000 http://articles.techrepublic.com.com/5100-10878_11-5727870.html

QUESTION 21
You are an Enterprise administrator for contoso.com. The corporate network of the company consists of a single Active Directory forest called contoso.com. The forest contains two domains. You want to configure another child domain called Branch3.contoso.com with two domain controllers having the DNS server role installed.

You want to put all the users and computers in the new branch office in the Branch3.contoso.com domain.

Which of the following options would you choose to implement a DNS infrastructure for the child domain to ensure resources in the root domain and child domains are accessible by fully qualified domain names?

Your solution must also provide name resolution services in the event that a single server fails for a prolonged period of time and automatically recognize when new DNS servers are added to or removed from the contoso.com domain.

A. Add conditional forwarders for contoso.com on both the domain controllers of branch3.contoso.com domain. Next create a standard primary zone for branch.contoso.com.
B. On one of the domain controllers of branch3.contoso.com domain, create a standard primary zone for contoso.com. On the other domain controller, create a standard secondary zone for contoso.com.
C. On both the domain controllers of branch3.contoso.com domain, modify the root hints to include the domain controllers for contoso.com. On one of domain controllers, create an Active Directory integrated zone for branch.contoso.com.
D. On one of the domain controllers of branch3.contoso.com domain, create an Active Directory Integrated zone for branch3.contoso.com and create an Active Directory Integrated stub zone for contoso.com.

Correct Answer: D
Section: Exam F
Explanation

Explanation/Reference:
To implement a DNS infrastructure for the child domain to ensure resources in the root domain and child domains are accessible by fully qualified domain names, you need to create an Active Directory Integrated zone for branch3.contoso.com on one of the domain controllers of branch3.contoso.com domain.

Active Directory Integrated zones store their zone information within Active Directory instead of text files. The advantages of this new type of zone include using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database. This would ensure that the name resolution service will automatically recognize when new DNS servers are added to or removed from the contoso.com domain.

You also need to create an Active Directory Integrated stub zone for contoso.com to ensure the name resolution services in the event that a single server fails for a prolonged period of time. It contains copies of all the resource records in the corresponding zone on the master name server.

A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). Stub zones can be used instead of secondary zones to reduce the amount of zone transfer traffic over the WAN link connecting the two companies. When Active Directory-integrated stub zones are hosted in separate sites, you can update them using a local list of master servers in each site.

Reference: DNS Stub Zones in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

Reference: Host Name Resolution Overview http://www.tech-faq.com/planning-and-implementing-a-dns-namespace.shtml
