70-646 exam questions full

Explanation:

To prevent a cluster host from responding to traffic sent to a specific port, create a port rule with the filtering mode set to Multiple host. For that host, configure a value of 0 for the load weight.

Configuring a value other than 0 for the weight would distribute requests between the two servers based on a percentage of the weight value. Configuring the filtering mode to use Single host directs all traffic to the host with the lowest priority value. However, if that host fails, traffic is directed to the other cluster host. In this scenario, configuring Single host filtering would mean that Srv10 would process requests for App3 if Srv5 fails.

Objective(s):

502. Plan high availability.

Reference(s):

LabSim for Windows Server 2008 Server Administrator, Section 8.3.

[ms646-502 #51]

You are the server administrator for the eastsim.com domain.

You have an application server named Srv5 that is used by members of the Sales team. The server runs three applications: App1, App2, and App3. Each application uses a different TCP/IP port.

Because of recent growth, this server is becoming unable to process all incoming requests in a timely manner. You decide to use Network Load Balancing (NLB) as your solution. You add a second server named Srv10.

Your NLB should meet the following requirements:

� Requests for App1 and App2 should be evenly distributed between Srv5 and Srv10. � Because App3 is not running on Srv10, all requests for that application should be sent to Srv5. Requests

should never be directed to Srv10.

You need to configure a solution to meet the requirements. What should you do?

nmlkjiFor App3, configure a port rule with the filtering mode set to Multiple host. Configure Srv5 with a weight of 30 and Srv10 with a weight of 0.

nmlkjFor App3, configure a port rule with the filtering mode set to Single host. Configure Srv5 with a priority of 30 and Srv10 with a priority of 1.

nmlkjFor App3, configure a port rule with the filtering mode set to Multiple host. Configure Srv5 with a weight of 100 and Srv10 with a weight of 50.


Your company has a 32-bit application that is currently running on an application server. The Development team has recently started work on upgrading the application to a 64-bit application.

To test the application, you would like to install a virtual machine. You find a spare server in your lab that can run Hyper-V to use for testing. The lab computer has two SATA hard disks, one for the operating system and the second is currently blank.

You need to configure the virtual machine to meet the following requirements:

of 39

Explanation:

Use an internal network so that the virtual machine and the management operating system can communicate with each other and to prevent other network devices from communicating with the virtual machine. Configure a virtual hard disk using an existing SATA disk. With virtual disks, the virtual disk type does not have to match the physical disk type. You can configure a virtual SCSI disk on the SATA disk.

With a private network, the virtual machine will not be able to communicate with the management operating system. With an external network, the virtual machine can communicate with other network devices.

Objective(s):

104. Plan application servers and services.

Reference(s):


[ms646-104 #69]

� You will use the management operating system as a client to the application running on the virtual machine. The management operating system will communicate with the application running in the virtual machine so you can test how the application responds.

� No other network device should be able to communicate with the virtual machine. � The virtual machine must be configured with SCSI disks and controllers to verify that the application can

access disk resources correctly.

You need to minimize any additional hardware or software purchases for the lab computer.

What should you do? (Select two. Each choice is a required part of the solution.)

gfedcb Configure a virtual hard disk for the virtual machine using one of the existing SATA disks.

gfedcb Create an internal network

gfedc Install a SCSI controller and disk in the host computer. Configure a pass-through disk.

gfedc Create a private network

gfedc Create an external network

You are an administrator for a large corporation. Your department uses a single domain within the company’s multi-tree forest.

Your department uses the entire building and is the only domain on the local subnet. You have a T3 connection to corporate headquarters. There is a Global Catalog server onsite.

Because your department handles extremely sensitive information, a decision has been made to require the use of smart cards within the domain. Your job is to modify the existing Windows infrastructure to require the use of smart cards for logon. You will need to provide certificate services for smart card logon as well as for EFS, but you will not need certificates for any other purposes.

What kind of certificate authority should you use?

nmlkj Implement a standalone root CA.

nmlkji Implement an enterprise root CA.

of 39

Explanation:

Because it is the only CA on the network, your CA must be a root CA. Because it will be used for smart card logon, it must be integrated with Active Directory (i.e., it must be an enterprise CA).

Using a standalone root CA or a standalone subordinate CA would not allow smart card logon, the principal purpose of the certificate server. To implement an enterprise subordinate CA, there would need to already be an enterprise root CA in place, which there is not. Using a third-party CA for smart card logon won’t work and would be far too expensive even if it did.

Objective(s):

103. Plan infrastructure services server roles.

Reference(s):


[ms646-103 #208]

Explanation:

To manage a Server Core installation with GUI administration tools, install the Remote Server Administration Tools (RSAT) tools on another computer. Run the management consoles on that computer and connect to the Server Core server. Most management consoles can be used to manage a remote computer. Because the tool is running on a regular computer, the GUI console is available.

You can only use Server Manager to manage the local server; you cannot connect to a remote computer using Server Manager. You can establish a Remote Desktop connection to a Server Core server; however, you will only see the tools available to the Server Core system. You cannot add the Terminal Server role to a Server Core installation.

Objective(s):

nmlkj Implement a standalone subordinate CA.

nmlkj Use a third-party CA to issue certificates.

nmlkj Implement an enterprise subordinate CA.

You are the server administrator for the westsim.com domain.

Srv5 has a Server Core installation of Windows Server 2008. You have added the DNS and DHCP roles to Srv5.

You would like to manage the DHCP and DNS services using a GUI management tool.

What should you do?

nmlkj Establish a Remote Desktop session with the server and run Server Manager.

nmlkjiFrom a computer with the Remote Server Administration Tools installed, run the DHCP and DNS consoles and connect to Srv5.

nmlkjInstall Terminal Services on Srv5 and configure the DHCP and DNS consoles as remote applications. Connect to TS RemoteApp from a terminal server client.

nmlkj From a Windows Server 2008 computer with a full installation, run Server Manager and connect to Srv5.

of 39

201. Plan server management strategies.

Reference(s):


[ms646-201 #32]

Explanation:

Add the File Server role service to add the Share and Storage Management console. When sharing the folder, use the SMB protocol. SMB is the default protocol used by Windows clients and servers for file sharing.

Services for Network File System (NFS) add the capability to provide access to files through the NFS protocol, commonly used by UNIX computers. By adding this role service, you can share the folder using NFS to allow UNIX computers to access the folder.

Objective(s):

402. Provision data.

Reference(s):


[ms646-105-402 #249]

You are the server administrator for the westsim.com domain. All client computers currently run Windows Vista Business or Windows XP Professional. All servers run Windows Server 2008.

You need to configure the FS3 server so that client computers can connect to a shared folder named Benefits on the server. You want to be able to manage all shared folders on the server using the Share and Storage Management console.


gfedc Share the Benefits folder using both SMB and NFS.

gfedcb Share the Benefits folder using SMB only.

gfedc Add the File Server and Services for Network File System (NFS) role services.

gfedcb Add the File Server role service.

gfedc Share the Benefits folder using NFS only.

You are deploying two new applications to users in the company as follows:

� All computers should have Microsoft Word installed. � All users in the Accounting department should have Microsoft Access installed. � For other users in the company, you want to allow them to install Microsoft Access if desired by using the

Add/Remove Programs applet in the Control Panel.

Each department has its own organizational unit.

of 39

Explanation:

Assigning programs is preferable with large numbers of people who all need access to a particular program. The programs are easy to find because they appear to be installed on the computer. Because all users in the company need to use Microsoft Word, you should assign Microsoft Word in a GPO linked to the domain. Because all Accounting users need to use Microsoft Access, you should similarly assign Microsoft Access in a GPO linked to the Accounting OU. For those outside the Accounting department, you should publish Microsoft Access at the domain level, so they can install the program, if required.

Objective(s):

401. Provision applications.

Reference(s):


[ms646-401 #74]

Explanation:

To remove permissions assigned through the Delegation of Control wizard, edit the ACL for the Active Directory object and modify the permissions. Alternatively, you could remove the user or group from the ACL, then re-run the wizard to assign the new permissions.

How should you deploy these applications? (Select all that apply.)

gfedcb Assign Microsoft Access in a GPO linked to the Accounting OU.

gfedc Publish Microsoft Word in a GPO linked to the domain.

gfedcb Assign Microsoft Word in a GPO linked to the domain.

gfedc Assign Microsoft Access in a GPO linked to the domain.

gfedc Assign Microsoft Word in a GPO linked to each department's OU.

gfedcb Publish Microsoft Access in a GPO linked to the domain.

You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for each department, with all user accounts being moved into their departmental OUs.

Previously, you used the Delegation of Control wizard to assign permissions to a user to change passwords and manage user accounts in the Marketing OU. Now you need to remove some of the permissions assigned to that user for objects in the OU.

What should you do?

nmlkji Edit the ACL for the OU and remove the unnecessary permissions.

nmlkj Run Dsacls with the /resetDefaultDACL switch.

nmlkj Re-run the Delegation of Control wizard, specifying only the necessary permissions.

nmlkjAdd the user to a group. Run the Delegation of Control wizard for the OU, assigning the necessary permissions to the group.

of 39

You cannot modify existing permissions by using the wizard. If you run the wizard again, the new permissions will be added to the existing permissions. Permissions assigned for an OU to a user or a group are cumulative; permissions assigned to the group are added to permissions assigned to the user.

Run the Dsacls command with the /resetDefaultDACL switch to reset permissions on an object. This removes all permissions to the object for all users, except for the default permissions.

Objective(s):

202. Plan for delegated administration.

Reference(s):


[ms646-202 #34]

Explanation:

Configure Srv5 to store updates locally so that clients download updates from Srv5 and not directly from Microsoft Update. Use server-side targeting to configure computer groups on the WSUS server.

If updates were not saved locally on Srv5, clients would need to download updates from Microsoft Update through the Internet connection. Use client-side targeting to configure computer groups using Group Policy.

Objective(s):

301. Implement patch management strategy.

Reference(s):


[ms646-301 #31]

You are the server administrator for the westsim.com domain. You manage a network with a main office and a branch office. The branch office is connected to the main office with a WAN link. Both the main office and the branch office have their own Internet connections.

You want to implement a WSUS solution for the network. You have installed WSUS on Srv7 in the main office and on Srv5 in the branch office. Your solution must meet the following requirements:

� Computers in the main office will download updates from Srv7. Computers in the branch office will download updates from Srv5.

� Updates for both locations will be approved locally. � Traffic on the WAN link between the two sites must be minimized. � Computers will be manually assigned to computer groups in the WSUS console.

How should you configure Srv5? (Select two. Each choice is a required part of the solution.)

gfedcb Enable server-side targeting on Srv5.

gfedcb Configure Srv5 to store updates locally.

gfedc Enable client-side targeting on Srv5.

gfedc Configure Srv5 to not store updates locally.

of 39

Explanation:

To allow the server to accept incoming dial-up connections, add the Remote Access Service. To configure network access policies on the server, add the Network Policy Server role service.

Install the Active Directory Domain Services (AD DS) role to make the server a domain controller. The remote access server does not have to be a domain controller in order to authenticate domain users.

The Routing role service would only be required if users needed to access resources on the private network in addition to resources on the remote access server. Add the Health Registration Authority when using IPsec enforcement for Network Access Protection (NAP). Use the Host Credential Authorization Protocol to integrate NAP with Cisco's NAP solution.

Objective(s):


Reference(s):


[ms646-103 #110]

Members of the Sales team have requested that they be able to dial in and access product documentation while traveling.

To accommodate their request, you want to configure Srv12 to allow dial-up connections. Srv12 is a domain member server.

The configuration has the following requirements:

� Sales team members will use modems to dial in directly to Srv12. � All product documentation will be stored on the Srv12 server. � Users do not need to access any other servers on the private network through the dial-up connection. � Srv12 will process authentication requests using Active Directory user accounts and policies stored on

Srv12.

Which role services should you install? (Select two. Each choice is a required part of the solution.)

gfedc Health Registration Authority

gfedcb Network Policy Server

gfedc Active Directory Domain Services (AD DS)

gfedc Routing

gfedcb Remote Access Service

gfedc Host Credential Authorization Protocol

You manage a Windows Server 2008 server that is used to hold user data files. The system volume is drive C:, while all user data is on drive E:. You will use Windows Server Backup to configure a backup schedule.

You want to back up only the E: volume twice a day. You want to be able to restore individual files and folders. If possible, you want to save backups on optical media so you can place the backup disc in a media catalog server for easy retrieval.

of 39

Explanation:

To configure a backup schedule that excludes the system volumes, you must create a Scheduled Task that runs wbadmin start backup. To be able to restore individual files, you must save the backup to a shared folder or a disk.

Backups scheduled using wbadmin enable backup or the Backup Schedule wizard automatically include system volumes, and these volumes cannot be excluded. If you save backups to DVD or removable media, you can only restore entire volumes, not individual folders or files.

Objective(s):

503. Plan for backup and recovery.

Reference(s):


[ms646-503 #15]


gfedc Save the backup to DVD.

gfedcb Save the backup to an external hard disk.

gfedcb Create a Scheduled Task that runs wbadmin start backup.

gfedc Create a Scheduled Task that runs wbadmin enable backup.

gfedc In Windows Server Backup, run the Backup Schedule wizard.

You are the server administrator for the westsim.com domain. You have implemented the Distributed File System (DFS) as follows:

� Srv1 is running Windows Server 2003 R2 Standard edition. It hosts the //westsim.com/sales namespace. � Srv2 is running Windows Server 2008 Enterprise edition. It hosts the //westsim.com/marketing

namespace.

You would like to provide redundancy for the //westsim.com/marketing namespace and all of its folders using Srv1 so that if Srv2 goes down, all data would still be accessible through Srv1. You also want to use Remote Differential Compression (RDC) for replicating folder target data if possible.

What should you do?

nmlkji

Upgrade Srv1 to Windows Server 2003 Enterprise. Add Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure DFS replication.

nmlkjAdd Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure DFS replication.

nmlkj

Upgrade Srv1 to Windows Server 2003 Enterprise. Add Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure FRS replication.

nmlkjAdd Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure FRS replication.

of 39

Explanation:

You must first upgrade the server to an Enterprise edition of either Windows 2003 or 2008. You can host multiple namespaces on a single server if the server is running an Enterprise or Datacenter edition of Windows Server 2003 or 2008. Otherwise, each server can host only a single namespace. To use RDC, configure the servers to use DFS replication. DFS replication is a newer replication method introduced with Windows Server 2003 R2 and supported on Windows Server 2008.

Objective(s):

105. Plan file and print server roles.

Reference(s):


[ms646-105-402 #69]

Explanation:

Use Group Policy to distribute the software update. To make sure the update is installed on specific computers, assign the package to computers.

Publish or assign software to users to install the software based on users who log on and not computer account. Because the software is not a Microsoft application, you cannot use WSUS to update the software. Manually running the installer package would require more effort than using Group Policy.

Objective(s):


Reference(s):


[ms646-301 #56]

You are the server administrator for the westsim.com domain. All servers used by the Research department are in an OU named ResearchServers. You are using Windows Server Update Services (WSUS) to approve and apply patches to these servers.

All of the Research servers are running an application produced by a partner organization. You receive an update to the application that is installed using a Windows Installer package. You want to update each of the servers as quickly as possible.

What should you do?

nmlkj Place the installer package on a network share. At each server console, run the update.

nmlkji Create a GPO linked to the ResearchServers OU to assign the software to computers.

nmlkj Copy the installer file to the WSUS server. Approve the update for all Research servers.

nmlkj Create a GPO linked to the ResearchServers OU to publish the software to users.

of 39

Explanation:

Use a domain isolation rule to enforce IPsec between all computers in the domain. Domain member computers can only accept connections from other authenticated domain member computers, but can still initiate communications with non-domain members and receive back responses. Non-domain members are not allowed to initiate communications with domain members.

When using domain isolation, configure exceptions that identify non-domain computers that are allowed to initiate unsecured communications. In this scenario, no outside computers should be allowed to do this, so exceptions should not be used.

Use server isolation to require all communications with a specific server to use IPsec. Without group-specific settings, all domain members can communicate with the server. With group-specific settings, only computers that are members of the specified group can communicate with the server.

Objective(s):

303. Monitor and maintain security and policies.

Reference(s):


[ms646-303 #101]

You are the server administrator for the westsim.com domain. A recent government contract requires that all communications between all computers in the domain be secured.

You need to implement a solution that meets the following requirements:

� All communications between any two computers in the domain must use IPsec. � Domain members must be able to initiate communications with non-domain members, and receive back

responses. � Non-domain members must not be allowed to initiate communications with domain members.

What should you do?

nmlkji Use the Windows Firewall to create a domain isolation rule.

nmlkj Use the Windows Firewall to create a group-specific server isolation rule.

nmlkj Use the Windows Firewall to create a server isolation rule.

nmlkj Use the Windows Firewall to create a domain isolation rule with exceptions for non-domain computers.

You have been hired as a consultant for a small business that is using Windows Server 2008. Three months ago, they installed a new server. Since that time, they report that from time to time, the system has had slowdowns and crashes.

You want to look at a report that shows important events for the server since it was installed. You'd like to see when software was installed, along with any hardware or application failures.

You want to view this information with as little effort as possible.

What should you do?

of 39

Explanation:

The System Stability Chart in Reliability Monitor keeps track of overall server health on a daily basis. It shows you an historical record of system changes and events, and assigns an overall server health value to each day (with 1 being the least stable and 10 being the most stable).

You might be able to create filters or a custom view in Event Viewer to see the same kind of information. However, if the event logs were full or cleared, data might be missing. In addition, you would have to configure the custom view, and then possibly interpret the events that you see.

With Performance Monitor, you can configure objects and counters to see current information, but you cannot go back and review past information. You can use a data collector set to capture information, but the collector must have already been configured and running in order to view historical data.

Objective(s):

302. Monitor servers for performance evaluation and optimization.

Reference(s):


[ms646-302 #31]

Explanation:

Create an organizational unit (OU) structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permission to their department OU. Even better, create a global group for each department, and add the department's computer support user or users to the group. Then grant

nmlkj Create a custom view in Event Viewer that filters on the events you are looking for.

nmlkji Open the System Stability Chart in Reliability Monitor.

nmlkj Add objects and counters to Performance Monitor for the events you want to view.

nmlkj Configure a data collector set with performance counter data collectors and configuration data collectors.

You are the network administrator for your company. Your company has three standalone servers that run Windows Server 2008. All servers are located in a single location. You have decided to create a single Active Directory domain for your network.

Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department. As you design Active Directory, you want these users to maintain their responsibilities. You must not give these users more permission than they need.

What should you do?

nmlkjiCreate an organizational unit (OU) structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permissions to their department OUs.

nmlkjCreate a domain for each department. Make each computer support user a member of the Domain Admins group.

nmlkj

Create an organizational unit (OU) structure where each department has its own OU. Create a Computer Support global group that contains each computer support user. Grant the Computer Support global group appropriate permissions to each departmental OU.

nmlkjCreate an organizational unit (OU) structure where each department has its own OU. Make each computer support user a member of the Domain Admins group.

of 39

permission to the group rather than to the individual user accounts. This method will minimize administration as roles change over time.

Do not add all department computer support users to the same group, or all users will have the same permissions. Do not make the users a member of the Domain Admins group, because this group has more permissions than required.

Objective(s):


Reference(s):


[ms646-202 #15]

Explanation:

Suite B support is added through the use of version 3 certificates. Version 3 certificates can only be issued by CAs running Windows Server 2008, and can only be used by computers running Windows Vista or Windows Server 2008.

Add the Online Responder role service to configure the server to use the Online Certificate Status Protocol (OCSP) to respond to certificate status requests. Add the Network Device Enrollment Service role service to configure the server as a registration authority (RA) that can submit certificate requests for non-Microsoft devices.

Objective(s):


Reference(s):


[ms646-103 #181]

You are the server administrator for the westsim.com network. Servers run either Windows Server 2003 or Windows Server 2008, and clients run either Windows XP Professional or Windows Vista Business. All computers have the latest service packs installed.

Your network has its own Public Key Infrastructure (PKI) for issuing client and user certificates. A single enterprise CA named Srv-CA1 issues all certificates. Srv-CA1 is running Windows Server 2008 Enterprise edition and has only the Certification Authority role service installed.

You decide that you want to implement Suite B encryption on computers throughout your network.


gfedcb Upgrade all servers to Windows Server 2008 and all clients to Windows Vista.

gfedc Configure version 2 or version 3 certificates on the CA.

gfedc Add the Network Device Enrollment Service role service to Srv-CA1.

gfedcb Configure version 3 certificates on the CA.

gfedc Add the Online Responder role service to Srv-CA1.

of 39

Explanation:

Assigning the MSI package through a Group Policy Object ensures that the application is installed upon reboot. In this case, the service pack should be targeted at those systems in the Servers Organizational Unit, and should be configured using Computer Configuration (not user).

While you could use a startup script to install the update, the MSI package is already configured to perform the same tasks as a script would. By assigning the update in the GPO as opposed to publishing it, you can be assured the update is truly installed on each system.

Objective(s):


Reference(s):


[ms646-401 #56]

You are the network administrator of a very large network. There are approximately 50 servers in the organization that all require the latest Microsoft service pack. You have acquired an MSI package that installs the latest service pack.

All servers are located in an Active Directory OU called Servers.

How should you deploy the service pack to all of the servers using the least administrative effort? (Select two. Each choice is a required part of the solution.)

gfedc Create a Group Policy Object and link it at the Domain level.

gfedc Assign the MSI package using User Configuration.

gfedcb Assign the MSI package using Computer Configuration.

gfedc Configure a startup script for the installation. Assign it using User Configuration.

gfedc Configure a startup script for the installation. Assign it using Computer Configuration.

gfedcb Create a Group Policy Object and link it to the Servers OU.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs.

You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users.

You need to make the change as easily as possible. What should you do?

nmlkji Implement a granular password policy for the users in the Directors OU.

nmlkjIn Active Directory Users and Computers, select all user accounts in the Directors OU. Edit the user account properties to require the longer password.

nmlkjCreate a new domain. Move the contents of the Directors OU to the new domain. Configure the necessary password policy on the domain.

nmlkj Create a GPO linked to the Directors OU. Configure the password policy in the new GPO.

of 39

Explanation:

Use granular password policies to force different password policy requirements for different users.

Password and account lockout policies are enforced only in GPOs linked to the domain, not to individual OUs. Prior to Windows Server 2008, the only way to configure different password policies was by creating a different domain.

Objective(s):


Reference(s):


[ms646-303 #7]

Explanation:

Add the Online Responder role service to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking in Windows-based networks. The online responder maintains revocation lists for multiple CAs, giving clients a single location to check for the status of a certificate. Clients check the status of a single certificate instead of downloading the entire CRL. Microsoft recommends that you add the Online Responder role to a server that is not a CA. The online responder must be running the Windows Server 2008 Enterprise or Datacenter edition.

Add the Certification Authority role service to configure the server as a CA that can issue certificates to other CAs or to users and computers. Add the Certification Authority Web Enrollment role service to allow users to connect to a CA through a Web browser and perform common tasks, such as requesting certificates. Add the Network Device Enrollment Service role service to configure the server as a registration authority (RA) that can submit certificate requests for non-Microsoft devices.

Objective(s):

You manage a large network with its own Public Key Infrastructure (PKI). You use Windows Server 2008 on all certification authority servers. You have an offline standalone root with multiple enterprise subordinate CAs.

Because of the size of your CA solution, you find that managing certificate revocation is becoming difficult. You would like to implement a solution to meet the following requirements:

� A single server will hold all certificate revocation information for all CAs in the hierarchy. � Clients will request certificate status information from the central server. � Clients will submit a request for a single certificate instead of downloading an entire CRL.

You would like to configure the Srv7 server to fulfill these requirements. What are the minimum role services that you should install?

nmlkj Certification Authority and Certification Authority Web Enrollment

nmlkj Certification Authority and Network Device Enrollment Service

nmlkj Network Device Enrollment Service

nmlkj Certification Authority and Online Responder

nmlkji Online Responder

of 39


Reference(s):


[ms646-103 #155]

Explanation:

Perform a nonauthoritative restore of Active Directory. All of the objects are restored with the same update sequence number they had at the time of backup. Active Directory will determine these objects are out of date, and the objects will be synchronized from the data held on other domain controllers.

Objective(s):


Reference(s):


[ms646-503 #41]

You work for a consulting company. Your best customer, a university on summer break, has a serious problem. One of the student interns carried a large cup of coffee into the computer room and promptly tripped over a section of the raised flooring. The coffee spilled and found its way into one of the domain controllers. Sparks flew and the domain controller was dead on arrival to the tech bench. The system board was no longer functional and two SCSI hard drives have failed.

You replace the system board and SCSI hard drives. Fortunately, a system state backup was done two nights ago, but several changes in Active Directory have occurred since then and have been fully replicated to other domain controllers in this single domain network. You need to decide how to restore Active Directory on the failed server. You must complete the restoration as quickly as possible.

What should you do?

nmlkji Perform a nonauthoritative restore of the entire Active Directory database.

nmlkjPerform an authoritative restore of only the Active Directory objects created or updated since the server failed.

nmlkj Perform an authoritative restore of the entire Active Directory database.

nmlkjPerform a nonauthoritative restore of only the Active Directory objects created or updated since the server failed.

You are the server administrator for the westsim.com domain. The Accounting department stores payroll and budgeting information on the Srv12 server.

You want to secure communications with the Srv12 server to meet the following requirements:

� All communications with the Srv12 server must be encrypted. � The server should only accept connections from domain member computers, and only if a secure

communication channel can be established. � Only members of the Accounting department who connect to the server from an accounting computer

should be allowed to communicate with the server. � Your solution should not require encryption for communications between other computers.

of 39

Explanation:

Use a server isolation rule to enforce IPsec for a specific server. Use group-specific server isolation to restrict access to domain members computers that are members of a specific group. In this scenario, you would create a group that includes all workstations used by the Accounting department.

Using server isolation without group-specific settings permits connections from any domain member computer if IPsec is used. Use group-specific server isolation to restrict access to a specified set of computers.

With domain isolation, the Connection Security rules specify that all domain member computers can only accept communications from authenticated domain members. This allows domain members to initiate communication with non-domain computers, but does not allow non-domain computers to initiate communications with domain computers.

Objective(s):


Reference(s):


[ms646-303 #93]

� Your solution should not require encryption for communications between other computers.

What should you do?

nmlkjUse the Windows Firewall to create a group-specific server isolation rule. Identify users who are members of the Accounting department.

nmlkjiUse the Windows Firewall to create a group-specific server isolation rule. Identify computers that are used by Accounting department members.


nmlkj Use the Windows Firewall to create a domain isolation rule.

You manage a network with two locations: New York and Los Angeles. All computers are members of a single domain named northsim.com.

You have been put in charge of creating a remote access solution so that sales team members can connect to both sites using a VPN connection.

On a server in the New York location, you configure a network access policy that allows access to VPN users who are members of the Sales group. You test the connection and find that everything is working properly.

You install a second remote access server in the Los Angeles location. However, when you try to connect using the VPN connection, the connection is refused, even though you used the same user account that was able to connect to the server in the New York location.

What should you do?

nmlkjCreate a GPO with the necessary network access policy settings. Link the GPO to an OU that applies to both remote access servers.

nmlkj Configure the server in Los Angeles to forward authentication requests to the server in New York.

nmlkjMake sure both remote access servers are installed on domain controllers. Configure Active Directory replication.

Create a network access policy on the server in Los Angeles that is similar to the policy on the server in New

of 39

Explanation:

Network access policies must be configured on each remote access server. When you use multiple remote access servers, you must configure similar policies on each server.

An exception would be if you are using RADIUS for authentication. In this case, remote access servers are configured as RADIUS clients to a RADIUS server. Network policies are configured on the RADIUS server. However, simply pointing one server to another is insufficient to configure RADIUS. You would also need to configure the RADIUS server to recognize the client servers. In this scenario, additional tasks would also be required to configure the New York server to process both local and remote requests.

Reference(s):


[ms646-303 #196]

Explanation:

To allow the cluster to keep functioning if half of the cluster nodes fail, use node and disk majority for the quorum mode. This configuration requires either a witness disk or a witness share to save a copy of the cluster configuration. The witness disk or share acts as an additional node in determining quorum. If half the nodes fail and the witness is still available, a majority is maintained. Node and disk majority should be used if you have an even number of cluster nodes.

Node majority does not use a witness disk, and just uses a majority of cluster nodes to keep functioning. In this scenario, if you chose node majority, the cluster would stop functioning if three of the nodes failed, because that would result in only three remaining nodes, not a majority of the total.

With the no majority mode, the cluster can continue to operate as long as at least one node is operating and the witness disk is still available. If all nodes in the cluster fail except for one, and if the witness disk is still available, the cluster continues to run.

nmlkjiCreate a network access policy on the server in Los Angeles that is similar to the policy on the server in New York.

Your company is responsible for processing payroll for other businesses. Because the pay days for many businesses are the same, your servers experience heavy loads during some days, with light loads on other days.

Payroll processing is done by a custom application running on an application server. To handle the load, you configure Failover Clustering on a cluster of six servers.

You want the cluster to keep operating even in the event of a failure of up to three of the nodes. If more than three nodes fail, the cluster should stop.

What should you do?

nmlkj Configure a witness disk. Use node majority for the quorum mode.

nmlkj Configure a witness disk. Use no majority with disk only for the quorum mode.

nmlkji Configure a witness disk. Use node and disk majority for the quorum mode.

nmlkj Use node majority for the quorum mode.

nmlkj Use no majority with disk only for the quorum mode.

nmlkj Use node and disk majority for the quorum mode.

of 39

Objective(s):


Reference(s):


[ms646-502 #76]

Explanation:

Select the Datacenter edition of Windows Server 2008. The Datacenter edition is required to support more than 8 processors. The Datacenter edition supports the following hardware:

� The 32-bit version supports up to 32 processors; the 64-bit version supports up to 64 processors. � The 32-bit version supports up to 64 GB of RAM; the 64-bit version supports up to 2 TB.

The Standard edition supports up to 4 processors, and the Enterprise edition supports up to 8 processors. The 64-bit version of the Standard edition supports up to 32 GB of RAM, and the Enterprise edition supports up to 2 TB of RAM. All of the server roles that will be installed on the server are supported by the Standard edition, however you must use the Datacenter edition to support the number of processors and the total amount of RAM.

Objective(s):

101. Plan server installations and upgrades.

Reference(s):

You are preparing to install Windows Server 2008 on a new server. The server has the following hardware:

� 2 TB RAM � 16 64-bit Intel-VT processors � 10 GB mirrored hard disk for the system partition

You will use the server for the following server roles:

� File Services � Print Services � Application Server for a database application � Terminal Services � Active Directory Rights Management Services (AD RMS)

You want to select the minimum Windows Server 2008 edition to support the required roles.

Which edition should you install?

nmlkj Itanium edition

nmlkji Datacenter edition

nmlkj Standard edition

nmlkj Enterprise edition

nmlkj Web Server edition

of 39


[ms646-101 #7]

Explanation:

Use Performance Monitor to view current system statistics. Add objects and counters to customize the statistics that are shown.

Use data collector sets to define statistics to gather over time. These statistics are saved to a file. You open the file to analyze the statistics. You cannot view current statistics from a defined data collector set.

A custom view is a saved filter in Event Viewer. Use Event Subscriptions to view a set of events stored in multiple logs on multiple computers. Events that occur on one computer are sent to another computer where they are saved and can be viewed. Event Viewer shows events, such as error messages, and not data about system statistics.

Objective(s):


Reference(s):


[ms646-302 #72]

You are the server manager for the westsim.com domain. You have just installed a custom application on Srv3. The application generates Event Viewer events and logs those events to the default Application and the Security logs in Event Viewer.

You are concerned about system performance while running the application on the server. You would like to be able to open Server Manager and view the current statistics for processor, memory, and disk reads and writes for the server. You only want to see these statistics and no others, and you want to be able to easily save the configuration so that the same statistics are shown each time.

What should you do?

nmlkj Create a Custom View in Event Viewer

nmlkj Configure event subscriptions

nmlkj Create a data collector set in Reliability and Performance Monitor

nmlkji Add objects and counters in Performance Monitor

You are preparing to install Windows Server 2008 on a new server. You will use the server for the following server roles:

� DHCP � DNS � Active Directory Lightweight Directory Services (AD LDS) � Web Server (IIS)

Which Windows Server 2008 editions and versions can you install on this server?

of 39

Explanation:

You can install the Standard, Enterprise, or Datacenter editions, with either the regular or Server Core installations. Server core can run the following server roles:

� Active Directory Directory Services (AD DS) � Active Directory Lightweight Directory Services (AD LDS) � DHCP � DNS � File services � Print services � Media Services � Web server (IIS)

Objective(s):


Reference(s):


[ms646-101 #68]

nmlkj Enterprise or Datacenter editions, not the Server Core installation

nmlkj Enterprise or Datacenter editions, regular and Server Core installations

nmlkj Standard, Enterprise, or Datacenter editions, not the Server Core installation

nmlkji Standard, Enterprise, or Datacenter editions, regular and Server Core installations

You are the administrator for WestSim Corporation. The network has a single domain, westsim.com, running at Windows Server 2003 functional level. Five domain controllers, all running Windows 2008 server, are located on the network.

Users in the Shipping department have a special software program that helps them keep track of incoming products and match the SKU number with items in the order database. You have created an OU called Shipping and have placed all computers and users for that department into the OU. You create a software GPO called SKUWare that publishes the software to all users in the department. All manager user objects have been placed in an OU called Managers.

The shipping manager logs on to one of the computers in the shipping department. He calls you because the software package is not available to install on the workstation. You need to make the software package available so he can install it. You want to make sure that anyone else who logs on to any workstation in the shipping department can install the software.

What should you do?

nmlkj Link the SKUWare GPO to the domain.

nmlkj Link the SKUWare GPO to the Managers OU.

nmlkj Modify the SKUWare GPO to publish the software to computers.

nmlkji Enable loopback processing in the SKUWare GPO.

of 39

Explanation:

Enable loopback processing in the SKUWare GPO. This will apply user settings in the GPO regardless of the location of the user object in Active Directory. Without loopback processing enabled, only user objects in the shipping department will have the software published. With loopback processing, user settings (including software publishing) are applied to all computers, regardless of the user who logs on.

You cannot publish the software to computers, you can only assign software to computers. Linking the GPO to the domain would publish the software to all users regardless of the location of the computer objects in Active Directory. Linking the GPO to the Managers OU would publish the software only to the user objects in the Managers OU, but would not meet the requirement of publishing the software to other users in the domain. In addition, the software would be published on all computers, and not just those in the Shipping OU.

Objective(s):

203. Plan and implement group policy strategy.

Reference(s):


[ms646-203 #69]

Explanation:

You need to configure share permissions to allow access. By default, share permissions allow only Read access to the shared folder. The effective permissions are the most restrictive of either the NTFS or share permissions. Granting Everyone or Users the Full Control share permission will correct the problem.

Configure caching of files to customize how files are made available when the client is offline. Enable access-based enumeration to filter the list of folders and files based on the access permissions of the user.

Objective(s):


Reference(s):

Members of the Accounting team need to share files that contain income and expense reports. All members of the team must be able to edit these files.

You copy the files to a folder named AcctReports on the FS4 server. You share the folder with the default settings and configure NTFS permissions to allow members of the Accounting group to edit the files.

You get a call from a user in the Accounting group saying that she can't edit the files.

What should you do?

nmlkj Enable automatic caching of all files, optimized for performance.

nmlkj Enable automatic caching of all files, not optimized for performance.

nmlkji Configure share permissions on AcctReports.

nmlkj Enable access-based enumeration on AcctReports.

of 39


[ms646-105-402 #241]

Explanation:

Use the Group Policy Results wizard to view a report of the Group Policy settings that are currently being applied to a specific computer and user account. You should select the test computer and a test user account. If you select your own user account, you will only see the effective settings that are applied to your account.

The Settings tab on a GPO shows a summary of settings defined in the GPO. However, effective settings include settings that come from inherited settings, as well as settings not applied through loopback processing or blocking. Simply viewing the GPO settings will be insufficient to determine the effective settings.

Objective(s):


Reference(s):


[ms646-203 #23]

You are the network administrator for a network that serves a large school district. During a spring break, you are responsible for coming up with Group Policies that will let administrators deploy new applications throughout the district quickly and with a minimum of human intervention.

You are currently testing some software distribution Group Policy settings in a lab environment. You create a GPO and configure it to deploy a software package. To test the GPO, you log on with a user account to a computer that should be affected by the GPO. The application is not installed as desired.

You want to view a report of the Group Policy settings that are being applied to the user account and the source GPO where the Group Policy settings originate.

What should you do?

nmlkji Run the Group Policy Results wizard. Select the test computer and the test user account.

nmlkjIn the Group Policy Management console, select a GPO linked to the target OU. View the report on the Settings tab.

nmlkj Run the Group Policy Modeling wizard. Select the local computer and your user account.

nmlkj Run the Group Policy Results wizard. Select your computer and your user account.

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2008 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU.

You are creating a security template that you plan to import into a GPO. You would like to log whenever a user is unable to log on to any computer using a domain user account.


of 39

Explanation:

To audit unsuccessful logons:

� Audit the Account Logon event. This event type will be recorded when an account is authenticated against an account database such as Active Directory. In short, Account Logon events are generated where the account lives; in the case of domain accounts this would be domain controllers.

� Audit failed events. � Link the GPO to the Domain Controllers OU. Domain logon uses a domain controller for authentication. Link the

GPO to the Member Servers and the Workstations OUs if you wanted to audit Logon events for every computer.

Objective(s):


Reference(s):


[ms646-303 #41]

Explanation:

To copy a GPO from one domain or forest to another, you can back up and import the GPO, or you can simply copy the GPO using the Group Policy Management Console. To import the settings, you must first create a GPO in the target domain, then import (not restore) the settings from the backup.

gfedc Enable the logging of failed Logon events.

gfedc Enable the logging of successful Account Logon events.

gfedcb Enable the logging of failed Account Logon events.

gfedc Link the GPO to the Member Servers and Workstations OU.

gfedcb Link the GPO to the Domain Controllers OU.

gfedc Enable the logging of successful Logon events.

You manage Group Policy for the westsim.com domain. You have set up a lab with a separate forest named westsim.test. In the lab domain, you create a GPO named UserSettings. You test this GPO in the lab and then decide that you want to use it in your production domain.

You need to move the GPO to the westsim.com domain.

What should you do? (Select two. Each choice is a possible solution.)

gfedcbTake a backup of the UserSettings GPO. In westsim.com, create a new GPO. Import the settings from the backup.

gfedcbEstablish a trust relationship between westsim.com and westsim.test. In the Group Policy Management Console, drag the UserSettings GPO from westsim.test to westsim.com.

gfedcTake a backup of the UserSettings GPO. In westsim.com, create a new GPO. Restore the settings from the backup.

gfedc Take a backup of the UserSettings GPO. In westsim.com, restore the GPO from the backup.

of 39

You can only restore GPOs within the same domain. To copy the GPO to another domain, use the import feature.

Objective(s):


Reference(s):


[ms646-203 #94]

Explanation:

To use a GUI tool to manage services on a Server Core installation, you will need to run the MMC console from a remote computer and connect to the Server Core installation. Add the Remote Server Administration Tools (RSAT) tools on a Windows Vista or 2008 computer to install the preconfigured consoles on a computer that does not already have those consoles installed. To allow those tools to connect to the Server Core installation, enable the Remote Administration exception in the Windows firewall.

You cannot install PowerShell or the Terminal Server role on a Server Core installation. Run Winrm quickconfig to enable remote administration using the Windows Remote Shell. Run Winrs on the remote computer to execute commands. Windows Remote Shell is a command prompt remote administration solution.

Objective(s):


Reference(s):


[ms646-201 #40]


Srv7 has a Server Core installation of Windows Server 2008.

You would like to use MMC consoles to manage the services running on Srv7.


gfedcb Enable the Remote Administration exception in the Windows firewall on Srv7.

gfedc Install the Terminal Server role on Srv7 and configure TS RemoteApp.

gfedc Add PowerShell to Srv7.

gfedcb Install the Remote Server Administration Tools (RSAT) tools on a Windows Vista or 2008 computer.

gfedc Run Winrm quickconfig on Srv7.


Srv5 is an application server that runs an application used by the Sales team. You are concerned that this server is a single point of failure--if the server goes down, the application will be unavailable.

of 39

Explanation:

While both Failover Clustering and NLB allow for load balancing and fault tolerance, only Failover Clustering includes the ability for the server to monitor the clustered application and restart it if possible. To allow the cluster to continue functioning if one of the two nodes fails, use node and disk majority. You will need to configure a witness disk, which acts like a third cluster node for the purpose of determining quorum. If one server fails, the other server and the witness disk still constitute a majority.

If you used node majority for the cluster, when one node fails, the remaining node would be unable to form a majority (a majority of nodes is more than half of the total cluster nodes).

Objective(s):


Reference(s):


[ms646-502 #95]

is a single point of failure--if the server goes down, the application will be unavailable.

You would like to add a second server to provide redundancy. Your solution should meet the following requirements:

� All client requests should be divided between both servers. � If either server goes down, client requests should be redirected to the other server. � If the application stops but the server is up, the server should automatically try to restart the application to

make it available.

You want to configure Srv10 to provide redundancy for Srv5 based on the stated requirements.

What should you do?

nmlkj Configure Network Load Balancing (NLB) with network client affinity.

nmlkj Configure Network Load Balancing (NLB) and disable client affinity.

nmlkji Configure Failover Clustering with node and disk majority.

nmlkj Configure Failover Clustering with node majority.

nmlkj Configure Network Load Balancing (NLB) with single client affinity.

You are the server manager for your company. You have just installed Windows Server 2008 on a new server.

You have configured Windows Server Backup to take regular backups once a day and save those backups to an external disk.

You find that users working on a new project are constantly overwriting files and asking you to restore older versions of files that exist on backups from as far back as a week ago. You would like to implement a solution so that users can restore files without an administrator's help.

What should you do?

nmlkjConfigure a Scheduled Task to run Wbadmin and save backups to rewriteable DVDs in an automatic disc changer.

nmlkji Enable VSS on the volume that holds user data.

of 39

Explanation:

Using Volume Shadow Copy Services (VSS) to take regular shadow copies of the user data is the best choice for this scenario because it is easy to use and eliminates the need to load media and restore individual files. VSS lets users restore previous versions of files without performing backups or restores. Snapshots of files are taken automatically, allowing you to revert back to older versions of specific files.

Teaching users to use Windows Server Backup is not a recommended nor practical solution. When saving backups to DVD, you cannot restore individual folders or files. The Indexing Service is an indexing solution that provides faster searching of files for clients and applications that use the Indexing Service.

Objective(s):


Reference(s):


[ms646-503 #107]


nmlkjKeep regular backup disks connected to the server and online. Teach users how to recover files from the backups.

nmlkj Add the Indexing Service role service to the server.

You have been assigned to create a remote access strategy for your network. All full-time company employees should be allowed remote access during any time of the day. In addition, you have some contractors who are working with the Marketing department who should be allowed access only between 6am and 6pm.

You have created a special group called Contractors, and defined the following network access policies on the server.

You configure the policies in the following order:

1. Contractors Deny Night 2. Contractors Allow 3. Allow Any

At 10am you get a call from one of the contractors stating that she cannot gain remote access. You check and find that no contractor has been granted access. You need to modify the configuration to meet the remote access requirements.

What should you do?

Remote Access Policy Name

Conditions Permissions Constraints

Allow AnyDomain Users group membership Dialup connection

Allow access, ignoring Active Directory

None

Contractors AllowContractors group membership Dialup connection


None

Contractors Deny NightContractors Group membership Dialup connection

Deny access, ignoring Active Directory

6pm to 6am

of 39

Explanation:

To solve the problem, you should remove the constraints from the Contractors Deny Night policy, and add 6pm to 6am to the conditions. When a connection request matches both conditions, the connection will be denied. If the connection matches only the group membership (but not the time of day), then the second policy will be checked and the connection will be allowed for the contractors.

Moving the Contractors Allow policy up in the list would allow contractors access at any time of the day. The conditions in the first policy would always match regardless of the time of day. Moving the Allow All policy up in the list would cause the same problem. Editing the Contractors Allow policy to add 6am to 6pm to the profile would work only if that profile were at the top of the list.

Reference(s):


[ms646-303 #188]

Explanation:

Because the Information Systems OU has users to which the GPO should apply as well as those to which the GPO should not apply, the GPO must be linked to the domain or each individual OU. Linking the GPO to the domain is a simpler solution than linking it to each individual OU, and is the best solution. Then, to prevent the Group Policy object from applying to members of the Domain Admins group, you need to deny that group the Apply Group Policy permission to the GPO. Do not deny the Read permission or Domain Administrators will not be able to edit the GPO.

What should you do? nmlkj Change the constraints in the Contractors Allow policy to 6am to 6pm.

nmlkj Move the Allow Any policy to position 1 in the list of policies.

nmlkji Remove the constraints from the Contractors Deny Night policy and add a condition for 6pm to 6am.

nmlkj Move the Contractors Allow policy up in the list.

You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an Organizational Unit object for each major department in the company, including the Information Systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group.

To simplify employees’ computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the Control Panel for users. You do not want this Group Policy object to apply to members of the Domain Admins group.

What should you do?

nmlkjOn the Group Policy object’s access control list, deny the Read permission for members of the Domain Admins group.

nmlkj Link the Group Policy object to each organizational unit rather than to the domain.

nmlkjiOn the Group Policy object’s access control list, deny the Apply Group Policy permission for members of the Domain Admins group.

nmlkj Configure the Information Systems OU to block policy inheritance.

nmlkjLink the Group Policy object to each organizational unit (except the Information Systems OU) rather than to the domain.

of 39

Objective(s):


Reference(s):


[ms646-203 #128]

Explanation:

Use Oclist to see a list of installed roles on a Server Core installation.

Use ServerManagerCMD -query to see a list of installed roles on a regular installation. ServerManagerCMD does not work on a Server Core installation. Use Winrs to create a remote connection to a server and run commands. You could use Winrs to connect to a server and then run the ServerManagerCMD or Oclist commands.

Objective(s):


Reference(s):


[ms646-201 #24]


Srv5 has a Server Core installation of Windows Server 2008. You would like to view a list of all roles, role services, and features installed on the server.

Which command should you use?

nmlkji Oclist

nmlkj Winrs -list

nmlkj ServerManagerCMD -query

nmlkj ServerManagerCMD -roles


Srv12 has the Enterprise edition of Windows Server 2008 installed. You would like to use the command prompt to view a list of all roles, role services, and features installed on the server.


nmlkji ServerManagerCMD -query


of 39

Explanation:

To see a list of roles and role services installed on a server, run: ServerManagerCMD -query.

Use Oclist to see a list of installed roles on a Server Core installation. Use Winrs to create a remote connection to a server and run commands. You could use Winrs to connect to a server and then run the ServerManagerCMD or Oclist commands.

Objective(s):


Reference(s):


[ms646-201 #16]

Explanation:

To correct the problem, give the EFS Agents group the Allow Issue and Manage Certificates permission to the CA.

Giving the group the Allow Manage CA permission allows the group to manage the CA but not to approve pending certificates. The Cert Publishers group allows CAs to publish certificates.

Objective(s):


Reference(s):

nmlkj Winrs -list

nmlkj Oclist

You are the administrator for the westsim.private network. The network has a single domain. The forest and domains are at Windows Server 2003 functional level.

You want to configure certificates for EFS recovery agents. Certificate requests must be approved manually by a member of a special group you've created called EFS Agents.

You install an enterprise certification authority (CA) and configure the recovery agent certificate. As a test, you request a certificate for your user account. You ask a member of the EFS Agents group to approve the certificate. When he checks the Certification Authority console, he can see the pending request but is unable to approve it.

What should you do?

nmlkj Grant the EFS Agents group the Allow Manage CA permission to the CA.

nmlkj Grant the EFS Agents group the Allow Enroll permission to the certificate.

nmlkj Grant the EFS Agents group the Allow Full Control permission to the certificate.

nmlkji Grant the EFS Agents group the Allow Issue and Manage Certificates permission to the CA.

nmlkj Add the EFS Agent group to the Cert Publishers group.

of 39

LabSim for Windows Server 2008 Server Administrator, Sections 6.3 and 7.6.

[ms646-202 #83]

Explanation:

Use Telnet or the Windows Remote Shell to manage a server remotely through a command prompt. Telnet uses port 23 to connect to a remote server and create an interactive command prompt session. Windows Remote Shell uses port 443 to create the remote session. With both tools, you submit commands to the remote server.

The Remote Server Administration Tools (RSAT) are GUI-based administration tools. A TS Gateway server allows a Remote Desktop connection to a server through the Internet using port 443. ServerManagerCMD, Ocsetup, and Oclist are tools you use locally to manage a server. You might run these tools from the command prompt after establishing the remote session.

Objective(s):


Reference(s):


[ms646-201 #57]

You are the server administrator for the westsim.com domain. You are in charge of 20 Windows Server 2008 servers.

You would like to manage the servers remotely using a command prompt.

Which tools can you use to make the connection and manage the servers? (Select two. Each choice is a possible solution.)

gfedc TS Gateway

gfedc ServerManagerCMD

gfedc Remote Server Administration Tools (RSAT)

gfedc Ocsetup and Oclist

gfedcb Telnet

gfedcb Windows Remote Shell

You are the server administrator for the westsim.com domain. Srv6 is an application server.

Your company has developed a custom application that runs in four instances on Srv6. You want to configure the server so that each instance of the application has equal access to CPU resources.

What should you do?

nmlkji Create a profile in Windows System Resource Manager (WSRM).

nmlkj Create a performance counter data collector set in Reliability and Performance Monitor.

nmlkj Create a performance alert data collector set in Reliability and Performance Monitor.

of 39

Explanation:

Windows System Resource Manager (WSRM) is a tool that you can use to control the use of system resources by applications, processes, or services. Resources are allocated in WSRM by creating resource allocation policies. The policy identifies the user or application and the resource limits that apply.

Use a performance counter data collector in Reliability and Performance Monitor to save system statistics over time in a log. Use a performance counter alert to configure triggers that take an action when a counter reaches a threshold value. Use the System Center Configuration Manager to gather information about hardware and software on network computers.

Objective(s):


Reference(s):


[ms646-401 #84]

Explanation:

To ensure that the server can continue to access the shared storage in the event of a failed host adapter, add multiple host adapters to each server. This gives you multiple paths to the shared storage; if one path goes down, the other path can still be used. To configure the server to use both paths for load balancing, configure Multipath I/O (MPIO) with the round-robin policy. With round-robin, all paths are used equally. In addition to using round-robin, you can use the round-robin with subset, dynamic least queue depth, or weighted paths policies to use multiple paths at the same time.

The failover policy with MPIO uses a single path as the primary path. Additional paths are only used when the primary path fails.

Network Load Balancing (NLB) is a service that load balances client requests. Because the three servers share the storage, they will likely be configured in an NLB cluster or a failover cluster. However, neither service allows the server to continue accessing the shared storage if the host adapter fails.


nmlkj Create a software inventory in System Center Configuration Manager.

You are in the process of implementing a storage area network (SAN) for use by three Windows Server 2008 servers: Srv1, Srv2, and Srv3. You have purchased an iSCSI storage device and configured the SAN.

You need to design how each server will connect to the SAN. Your solution must meet the following requirements:

� If the host adapter in a server fails, the server must still be able to access the shared storage. � The server should use all available paths to the shared storage device equally.

What should you do?

nmlkjConfigure all servers in an NLB cluster. Use multiple host filtering with equal load weighting and single affinity.

nmlkjConfigure all servers in an NLB cluster. Use multiple host filtering with equal load weighting and network affinity.

nmlkji Install multiple host adapters in each server. Configure MPIO with the round-robin policy.

nmlkj Install multiple host adapters in each server. Configure MPIO with the failover policy.

of 39

Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #16]

Explanation:

To create images for WDS deployment, you can boot the computer using a capture image, or you can run ImageX.

Use a discover image to boot a computer from media instead of the network to connect to the WDS server and install the operating system. Use RIPrep to create images for use with Remote Installation Services (RIS).

Objective(s):

102. Plan for automated server deployment.

Reference(s):


[ms646-102 #68]

You have just been put in charge of installing 30 new workstations. The following operating systems will be installed:

� Windows Vista Business on 64-bit multicore computers � Windows XP Professional on 32-bit unicore and multicore computers

You decide to use Windows Deployment Services (WDS) to help automate the installation.

How should you create custom install images for deployment on the WDS server? (Select two. Each choice is a possible solution.)

gfedc Boot the reference computer using a discover image.

gfedcb Run ImageX.

gfedc Run RIPrep.

gfedcb Boot the reference computer using a capture image.

You manage the network for the westsim.com domain. The network uses both DNS and WINS for name resolution. Client computers are configured to try DNS for name resolution first, and then try WINS if that fails.

You would like to transition your network to use IPv6. You want to make sure that clients can contact hosts using single-label names that resolve to the IPv6 address for that host. You want to do this with the least amount of effort possible.

What should you do?

of 39

Explanation:

To support single-label name resolution for IPv6 hosts, use the GlobalNames zone in DNS.

IPv6 is not supported by WINS. NetBT is a required protocol for WINS, and is already enabled on client computers.

Objective(s):


Reference(s):


[ms646-103 #54]

Explanation:

To enable applications to run even on clients that do not meet the hardware requirements for the application, use Terminal Services. Add the Terminal Server and TS Web Access role services to a network server, then install the necessary applications. With TS Web Access, users can go to a Web page to see a list of available applications to run from the terminal server. When the application runs, it runs on the server but displays the results to the client through the Remote Desktop Client software. RDC is required to connect to the terminal server, even when using TS Web Access.

nmlkj Create a DNS zone named wins.westsim.com. Enable WINS name resolution on the zone.

nmlkj Enable the NetBT protocol on all client computers.

nmlkjiConfigure the GlobalNames zone in DNS. Create CNAME records for each host pointing to the corresponding AAAA record.

nmlkj Add IPv6 addresses for hosts in the WINS database.

You are the server administrator for the westsim.com domain. All servers run Windows Server 2008. All client computers run Windows XP Professional.

You manage several custom applications for all users throughout the company. You would like to design a solution to meet the following needs:

� Applications must be able to run on all client workstations, even if the workstation does not have sufficient hardware resources to run the application.

� Users should be able to open a Web page so they can see a list of available applications to run. � You want to centrally-manage application installations and updates.

What should you do?

nmlkj Install the Web Server (IIS) role on a network server. Configure ISAPI filters for each application.

nmlkj

Create .msi packages for each application. Use Group Policy with a GPO linked to the domain to distribute the software to all computers. Create a WMI filter to apply the GPO only to computers that meet the hardware requirements.

nmlkjCreate .msi packages for each application. Use Group Policy with a GPO linked to the domain to distribute the software to all computers.

nmlkjiOn a network server, install Terminal Services. Install the Remote Desktop Client software on all client computers.

of 39

You can distribute applications to clients with a GPO. Installer packages in the GPO run on the client and install the application software. However, installing the applications on all computers would not enable the software to run on clients that do not meet the hardware requirements. Using a WMI filter to selectively install the software also would not allow clients that do not meet the hardware requirements to be able to run the software.

Use IIS 7.0 to create Web sites and to support Web applications. When using Web applications, the applications must be written to execute on the Web server. From the scenario, it is evident that the applications are intended to run on client computers, not a Web server. In addition, an ISAPI filter is used to run a process on a Web server that examines each HTTP request, taking actions as necessary to modify the request or execute a program. Use an ISAPI extension to run an application on a Web server.

Objective(s):


Reference(s):


[ms646-401 #7]

Explanation:

To make a system state backup, run wbadmin start systemstatebackup. System state backups can only be run from the command line (or through a Scheduled Task), and must be saved on a local disk (not a shared folder or DVD).

Objective(s):


Reference(s):


[ms646-503 #24]

You manage a Windows Server 2008 server that is used to hold user data files. You will use Windows Server Backup to configure a backup schedule.

You are about to make some configuration changes to the server. You want to create a backup of the system state only right now before making the changes.


gfedc Run Windows Server Backup and start the Backup Once wizard.

gfedc Run Windows Server Backup and start the Backup Schedule wizard.

gfedcb Save the backup to a local disk.

gfedcb Run wbadmin.

gfedc Save the backup to a local disk, shared folder, or DVD.

You are the server administrator for the westsim.com domain. The Srv5 server provides DHCP, DNS, and Active Directory Domain Services (AD DS).

of 39

Explanation:

Create an Active Directory-integrated zone. Only an Active Directory-integrated zone supports secure dynamic updates, where changes to the original DNS record can only be made by the original computer that registered the record. To allow a secondary server to copy zone data, you must enable zone transfers on the zone.

A primary zone supports dynamic updates, but does not support secure dynamic updates. If you replicate Active Directory-integrated zone data only between DNS servers that are domain controllers, you can disable zone transfers. A secondary zone had a read-only copy of the zone data, and cannot be updated by clients.

Objective(s):


Reference(s):


[ms646-103 #217]

Directory Domain Services (AD DS).

Because of a recent expansion, your sales department had grown in size. To simplify management, you decide to create a new zone named sales.westsim.com. This zone will be used for all computers in the sales department.

The new zone must meet the following requirements:

� Hostnames and IP addresses should be registered automatically in DNS. � Only the original computer should be able to update the DNS record. � Zone data must be replicated to a second read-only server.

How should you configure the zone on Srv5?

nmlkj Create a primary zone with dynamic updates enabled and zone transfers enabled.

nmlkjCreate an Active Directory-integrated zone with secure dynamic updates enabled and zone transfers enabled.

nmlkj Create a primary zone with dynamic updates enabled and zone transfers disabled.

nmlkj Create a secondary zone with dynamic updates enabled and zone transfers disabled.

nmlkjiCreate an Active Directory-integrated zone with secure dynamic updates enabled and zone transfers disabled.

nmlkj Create a secondary zone with dynamic updates enabled and zone transfers enabled.

You have just created a stand-alone DFS root with the namespace name of SharedFiles on Srv1. You create a folder in DFS named Reports that points to the 2008-rep shared folder on Srv2.

You would like to configure Srv3 to provide redundancy for your DFS solution so that if Srv1 is down, the data held on Srv2 can still be accessed.

What should you do?

nmlkj Share a folder on Srv3. Add this folder as a target to the Reports folder. Configure DFS replication.

nmlkji Configure Srv3 as a cluster server with Srv1.

nmlkj Share a folder on Srv3. Add this folder as a target to the Reports folder. Configure FRS replication.

nmlkj Add Srv3 as a namespace server.

of 39

Explanation:

To provide redundancy to the namespace root, configure Srv3 as a cluster server with Srv1. Because the DFS namespace is a stand-alone namespace, you can have only one server as a namespace server. Using a cluster is the only way to provide redundancy for the namespace server in this instance.

Configure additional folder targets and replication to provide redundancy for the data in a shared folder. Replication keeps the data in the folders synchronized. When users connect to a shared folder, they are redirected to the closest server that holds a replica of the shared folder.

Objective(s):


Reference(s):


[ms646-105-402 #31]

Explanation:

To make the GPO apply to all computers in the domain, link the GPO to the domain. The setting to not display last logon information is a setting that must be enforced on each computer.

Linking the GPO to the Domain Controllers OU would apply the setting only to domain controllers. Non-domain controllers would continue to display the last logon information. Applying the GPO to the departmental OUs would not apply the settings because computer accounts by default are in the Computers container. You cannot link a GPO to the Computers container because it is not an OU; any setting that should be applied to a computer in the Computers container must be set on the domain.

Objective(s):


Reference(s):

Add Srv3 as a namespace server.

You are the computer and server administrator for the eastsim.com domain. In Active Directory, organizational units (OUs) have been created for each department. User accounts have been created in the corresponding departmental OUs. All computer accounts are in the default locations.

You want to prevent the last user name from appearing on the logon screen for every computer. You create a GPO that enforces the setting.

How should you link the GPO?

nmlkj Link the GPO to the Computers container.

nmlkj Link the GPO to the Domain Controllers OU.

nmlkji Link the GPO to the domain.

nmlkj Link the GPO to each departmental OU.

of 39


[ms646-203 #155]

Explanation:

In the DFS console, delegate management permissions to each replication group. In the DFS console, right-click the desired level (either the namespace, replication node, or replication group) and choose Delegate Management Permissions.

Delegating permissions to the namespace lets the user manage the namespace and all folders, but not replication. You cannot delegate permissions to the folder.

Use NTFS permissions to control who can modify files within the folder targets.

Objective(s):


Reference(s):


[ms646-202 #117]

You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for each department.

You have created a DFS structure with a single namespace and multiple namespace servers. You create a folder for each department, and specify a minimum of two targets for each folder. You create a replication group for each folder.

You would like to delegate the task of managing replication for each folder to different administrators.

What should you do?

nmlkj In the DFS console, delegate management permissions to the namespace.

nmlkji In the DFS console, delegate management permissions to each replication group.

nmlkj In the DFS console, delegate management permissions to the folder.

nmlkj Configure NTFS permissions on the folder targets.


You would like to configure each server to use multiple paths to the iSCSI storage device. You add the Multipath I/O (MPIO) feature to each server. You want to configure each server to use multiple paths, with the path that has the least load being used first.

Which MPIO policy should you use?

nmlkj Weighted paths

of 39

Explanation:

Dynamic Least Queue Depth monitors paths and directs I/O to the path with the least load.

Failover uses a single primary path and one or more standby paths. The primary path is used for processing device requests. If the primary path fails, one of the standby paths is used. If multiple standby paths exist, they are listed in decreasing order of preference, with the most preferred path being used first. With the failover policy, load balancing is not performed because only a single path is used at a time.

Round-robin uses all available paths and the load is distributed among all paths. If a path fails, the load is redistributed between all remaining paths. Round-robin with Subset configures two sets of paths: a set of preferred paths and a set of standby paths. The preferred set is used until all paths fail. When all preferred paths fail, the standby paths are used.

Weighted Paths assigns a weight to each path, with larger weight numbers indicating a lower path priority. I/O is directed to the available path with the least weight.

Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #55]

Explanation:

Members of the SUS Reports group can create and view reports in WSUS, but not manage the WSUS server or its settings. Members of the WSUS Administrators group can manage the WSUS service and its settings.

Members of the Event Log Readers group can read the event logs on the computer. Members of the Performance Log Users can manage performance counters, logs, and alerts, both locally and from remote clients.

nmlkj Round-robin

nmlkj Failover

nmlkj Round-robin with subset

nmlkji Dynamic least queue depth

You are the administrator for the westsim.com domain. You have installed multiple Windows Server Update Services (WSUS) servers in your domain.

You want to delegate the ability to the TWhite user to view reports about client computers and the updates that have or have not been applied to those computers. You want to assign the least amount of permissions as possible.

What should you do?

nmlkj Make TWhite a member of the Performance Log Users group.

nmlkji Make TWhite a member of the SUS Reports group.

nmlkj Make TWhite a member of the WSUS Administrators group.

nmlkj Make TWhite a member of the Event Log Readers group.

of 39

Objective(s):


Reference(s):


[ms646-202 #66]

of 39

Explanation:

For this situation, configure a RADIUS server to simplify remote access policy administration. Configure one server as a RADIUS server, with all other servers as RADIUS clients. Configure the network access policies on the RADIUS server. Authentication requests from each remote access server are forwarded to the RADIUS server. The RADIUS server uses the policies stored on the server to authenticate the remote connection requests.

Objective(s):


Reference(s):


[ms646-303 #150]

Explanation:

You are in charge of installing a remote access solution for your network. You decide you need a total of four remote access servers to service all remote clients. Because remote clients might connect to any of the four servers, you decide that each remote access server must enforce the exact same policies. You anticipate that the policies will change frequently.


gfedcb Configure network access policies on the RADIUS server.

gfedc Use Group Policy to configure network access policies in the default Domain Controllers GPO.

gfedcb Configure one of the remote access servers as a RADIUS server, and all other servers as RADIUS clients.

gfedc Configure the exact same network access policies on each server.

gfedc Make each remote access server a member of the RemoteServers group.

gfedc Configure each remote access server as a domain controller.

As part of the regular system maintenance for Srv4, you are checking Performance Monitor statistics and Event log events.

You notice that there are several error events listed with the same ID number and a description that sounds as if the error is related to system hardware. You check your Performance Monitor logs but don't notice anything unusual around the time that the events were generated.

You would like to get an e-mail every time the event is logged so you can check the system statistics at that moment.

What should you do?

nmlkj Configure a performance counter alert

nmlkj Configure an event trace data collector

nmlkji Attach a task to the event


Page 1 of 39

Attach a task to an event or a log to receive notification or take other actions when an event is logged. Tasks attached to an event execute the action whenever an event with that ID, source, and log occurs.

Use a performance counter alert to configure triggers that take an action when a counter reaches a threshold value. Alerts monitor a system performance statistic, such as processor time or disk space; they do not monitor Event log events. Use an event trace data collector in Performance Monitor to capture events logged by software processes.

Use Event Subscriptions to view a set of events stored in multiple logs on multiple computers. Events that occur on one computer are sent to another computer where they are saved and can be viewed.

Objective(s):


Reference(s):


[ms646-302 #39]

Explanation:






What should you do?





Page 2 of 39

Objective(s):


Reference(s):


[ms646-203 #69]

Explanation:

Create an organizational unit (OU) structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permission to their department OU. Even better, create a global group for each department, and add the department's computer support user or users to the group. Then grant permission to the group rather than to the individual user accounts. This method will minimize administration as roles change over time.

Do not add all department computer support users to the same group, or all users will have the same permissions. Do not make the users a member of the Domain Admins group, because this group has more permissions than required.

Objective(s):


Reference(s):


[ms646-202 #15]

You are the network administrator for your company. Your company has three standalone servers that run Windows Server 2008. All servers are located in a single location. You have decided to create a single Active Directory domain for your network.

Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department. As you design Active Directory, you want these users to maintain their responsibilities. You must not give these users more permission than they need.

What should you do?

nmlkj

Create an organizational unit (OU) structure where each department has its own OU. Create a Computer Support global group that contains each computer support user. Grant the Computer Support global group appropriate permissions to each departmental OU.

nmlkjiCreate an organizational unit (OU) structure where each department has its own OU. Use the Delegation of Control wizard to grant each computer support user appropriate permissions to their department OUs.

nmlkjCreate a domain for each department. Make each computer support user a member of the Domain Admins group.

nmlkjCreate an organizational unit (OU) structure where each department has its own OU. Make each computer support user a member of the Domain Admins group.

You are the server manager for the westsim.com domain. Servers run either Windows Server 2003 or Windows Server 2008. All domain controllers are in the Domain Controllers OU, and all other servers are in the Servers OU.

Page 3 of 39

Explanation:

Link the GPO to the Servers OU, and configure a WMI filter. The WMI filter identifies criteria, such as processor architecture, operating system version, and installed hotfixes, that are used to determine whether or not to apply the GPO. Linking the GPO to the Servers OU ensures that the GPO settings are only evaluated or processed for servers in the Servers OU.

If you link the GPO to the domain or other OU, the GPO will be processed and the filter criteria analyzed for every computer at or below the specified object. Because you want the GPO to only apply to the servers in the Servers OU, linking the GPO at a higher level would cause extra processing for computers to which the GPO should never apply.

By default, Group Policy configuration applies computer settings during startup and user settings during logon. For this reason, user settings take precedence in the event of a conflict. With loopback processing, computer settings are reapplied after user logon. Use loopback processing to make sure that computer settings take precedence over user settings.

Objective(s):


Reference(s):


[ms646-203 #102]

You create a GPO that configures several security settings. You want to apply the GPO as follows:

� Settings should apply only to servers with 64-bit processors that are running Windows Server 2008 and that have a specific hotfix applied.

� Settings should not be applied to any domain controllers. � The GPO should not be processed for domain controllers or client computers.


gfedc Link the GPO to the domain.

gfedcb Configure a WMI filter on the GPO.

gfedcb Link the GPO to the Servers OU.

gfedc Link the GPO to the Domain Controllers OU and the Servers OU.

gfedc Enable loopback processing on the GPO.


You have implemented a Network Load Balancing (NLB) cluster for several application servers.

Client computers use several proxy servers to connect to the NLB cluster. You would like client connections to be directed to a cluster node based on the Class C subnet address.

What should you do?

nmlkj Configure a port rule with the filtering mode set to Single host.

nmlkj Configure a port rule with the filtering mode set to Multiple host. Configure None for the client affinity.

Page 4 of 39

Explanation:

To direct all requests from the same Class C network address to the same cluster host, configure a port rule with Multiple host as the filtering method, and Network as the client affinity setting. Use this option when clients connect using multiple proxy servers. This option ensures that requests from clients on a specific subnet always connect to a specific cluster host.

Use an affinity setting of Single to direct multiple requests from the same IP address to the same cluster host. Use an affinity setting of None to distribute all requests between all cluster hosts based on the load balancing rules. Use a filtering mode of Single host to direct all traffic identified by the rule to a single cluster host.

Objective(s):


Reference(s):


[ms646-502 #59]

Explanation:

Because the settings you want to copy include user rights and security options, you can copy an existing GPO or import settings from a backup of another GPO.

Starter GPOs only contain Administrative Template settings, not other GPO settings such as software installation, user rights, or security options. .admx files are templates that identify possible Administrative Template settings; the files do not contain specific settings. You can only restore a GPO to the same GPO that was backed up.

nmlkj Configure a port rule with the filtering mode set to Multiple host. Configure None for the client affinity.

nmlkj Configure a port rule with the filtering mode set to Multiple host. Configure Single for the client affinity.

nmlkji Configure a port rule with the filtering mode set to Multiple host. Configure Network for the client affinity.

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs.

As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings.


gfedcbCreate GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs.

gfedcb Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.

gfedc Create starter GPOs. When creating new GPOs, select the appropriate starter GPO.

gfedcCreate GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, restore one of the backed up GPOs.

gfedcCreate custom .admx files with the necessary settings. Copy these files to the central store. After creating the GPO, import the settings from the .admx files.

Page 5 of 39

Objective(s):


Reference(s):


[ms646-203 #85]

Explanation:

Use a private network to enable the virtual machines to communicate with each other but to prevent communications with the management operating system or other network devices. Because the virtual client machines must perform a network boot, you will need to use the legacy virtual network adapter.

Use an internal network if the virtual machines must communicate with the management operating system. The regular virtual network adapter does not support a network boot.

Objective(s):


Reference(s):


[ms646-104 #78]

You are getting ready to implement a Windows Deployment Services (WDS) solution to install 25 new Windows Vista computers on your network. Because this is the first time you will be using WDS, you want to create a WDS setup on a lab computer.

The lab computer will be configured as follows:

� A single server running Windows Server 2008 and Hyper-V will be used to create the test deployment. � Virtual machines will be created for the WDS server and several Vista client computers. � The WDS server will be a domain controller and run DNS and DHCP. � The WDS server must be able to communicate with all virtual clients. No virtual computers should

communicate with the management operating system. � Virtual clients must be able to perform a network boot to test the WDS installation.

What should you do?

nmlkj Create an internal network using the legacy virtual network adapter for each client virtual machine.

nmlkj Create a private network using the regular virtual network adapter for each client virtual machine.

nmlkji Create a private network using the legacy virtual network adapter for each client virtual machine.

nmlkj Create an internal network using the regular virtual network adapter for each client virtual machine.

You are troubleshooting a custom application on Srv4, a server that runs Windows Server 2008.

On a periodic basis, the application writes or modifies several registry entries. You want to monitor these registry

Page 6 of 39

Explanation:

Use a configuration data collector in Reliability and Performance monitor to monitor registry keys and values. Configure an interval (such as every 10 minutes) for the data collector to report the setting of the registry keys at that time. Configure the Data Collector Set with a stop duration of 5 days to collect data only for those 5 days. By using the data collector, you can easily create a report from the log data.

Changing a registry key does not automatically log an event in the Event Log, nor can you use Event Viewer to easily generate a report. Backing up the registry at selected intervals will capture the existing configuration, but the data is not in an easy-to-read format. The System Stability Report does not monitor registry changes, only software install/uninstall or failures (hardware, software, Windows, etc.).

Objective(s):


Reference(s):


[ms646-302 #23]

On a periodic basis, the application writes or modifies several registry entries. You want to monitor these registry keys so that you can create a report that shows their corresponding settings over the next 5 days.

What should you do?

nmlkji In Reliability and Performance Monitor, configure a configuration data collector.

nmlkjCreate a Scheduled Task that runs periodically. In the task, create a script that backs up the necessary portions of the registry.

nmlkjUse the reports generated in Reliability Monitor. Select each of the past 5 days and look for registry changes in the System Stability Report.

nmlkj In Event Viewer, attach a task to the events that are logged when the registry values change.




What should you do?






Page 7 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-202 #83]

Explanation:



Objective(s):


Reference(s):


[ms646-203 #155]








Page 8 of 39

Explanation:

GPOs are applied in the following order:

1. Site 2. Domain 3. OU

Therefore, settings in GPOs linked to OUs override settings in GPOs linked to the domain, by default. You can prevent settings in a GPO from being overridden by configuring the Enforced option.

Objective(s):


Reference(s):


[ms646-203 #137]

You are a domain administrator for a single-domain network. The domain has several organizational units (OUs) representing each department in the organization. You have delegated complete administration for each OU to appropriate users in each department. You have made these users members of the Group Policy Creator Owners group.

You create a Group Policy object (GPO) named Corporate Desktop that configures the desktop environment for users in the company. You link the GPO to the domain.

Later, you discover that some of the settings are not being applied to users in the Development department.

How can you make sure that all settings in the Corporate Desktop GPO get applied to all users in the company?

nmlkji Configure the Enforced option for the Corporate Desktop GPO.

nmlkj Grant users in the Development department the Read and Apply Group Policy permissions to the domain.

nmlkjGrant users in the Development department the Read and Apply Group Policy permissions to the Corporate Desktop GPO.

nmlkj Deny all users the Write permission to the Corporate Desktop GPO.

You are in charge of managing user accounts in your Active Directory domain. Your company hires seasonal workers every October through December. At the end of December, all seasonal workers leave the company.

You create an Active Directory user object for every seasonal worker. At the end of December, you delete the user objects.

You start to notice that many of the same workers return year after year. While you don't want to disable these user accounts and keep them in Active Directory, you would like to be able to restore any previously-deleted user accounts the following October.

You would like to implement a solution so that any user account that has been deleted from Active Directory could be restored from a backup for up to 1 year after it was deleted.

What should you do?

Page 9 of 39

Explanation:

You need to increase the tombstone lifetime to 365 days. Backups are only valid as long as the tombstone lifetime. After that time, the backup can no longer be used to restore Active Directory into a replicated environment. Deleted objects that exist on backups that are past the tombstone lifetime cannot be restored from backup. By default, the tombstone lifetime for Windows Server 2008 is 180 days.

Taking snapshots of the Active Directory database creates read-only copies of the database. You cannot restore data from a snapshot; instead, you open a snapshot and manually record object information. VSS snapshots cannot be used for restoring Active Directory objects. In addition, VSS snapshots are overwritten as new snapshots are taken. Use the LostAndFound folder to restore objects added to OUs on one domain controller after the OU was deleted on another domain controller.

Objective(s):


Reference(s):


[ms646-503 #115]

Explanation:

NetBIOS names are single-label names that are not registered in DNS. To enable DNS to resolve single-label names, configure a GlobalNames zone. In the zone, create records to identify each NetBIOS client.

What should you do?

nmlkji Increase the tombstone lifetime.

nmlkj Enable VSS on the volume that holds the Active Directory database.

nmlkj Enable the LostAndFound folder in Active Directory.

nmlkj Run Ntdsutil to take regular snapshots of the Active Directory database.

You manage a single private domain called westsim.private. All DNS servers run Windows Server 2008. Client computers run Windows Vista Business, and are members of the westsim.private domain. Client computers have NetBT disabled, and use only DNS for name resolution.

You have a group of computers that use only NetBIOS names and do not use DNS. Your network does not have a WINS server.

You need to enable all Vista client computers to resolve host names for the NetBIOS computers.

What should you do?

nmlkjCreate the wins.westsim.private zone with dynamic updates enabled on the zone. Add wins.westsim.private to the search suffix for each Vista client.

nmlkj Add a WINS record in the westsim.private zone for each NetBIOS client.

nmlkji Configure a GlobalNames zone. Create records in the zone for all NetBIOS computers.

nmlkj Enable WINS lookups on the westsim.private zone.

Page 10 of 39

Enable WINS lookups on a zone to forward DNS name requests to a WINS server. In this scenario, your network does not have a WINS server, so enabling WINS lookups on the zone would not allow for name resolution. Creating a special zone called wins.westsim.private does not provide name resolution for NetBIOS hosts. Use a WINS record to identify WINS servers within a zone that has WINS lookup enabled to identify the WINS servers to which requests are forwarded.

Objective(s):


Reference(s):


[ms646-103 #37]

Explanation:

To enable Srv1 and Srv2 to run applications for remote clients, you must install the Terminal Server role service on both servers. To enable clients to launch applications from a Web browser, use one of the following methods:

� Install the TS Web Access role on each terminal server. � Install the TS Web Access role on a single server, then use Windows Sharepoint Services to redirect incoming

requests to the appropriate terminal server. Because the option in the question did not include Sharepoint in the solution, simply adding the TS Web Access role service to Srv3 would be insufficient to provide a complete solution.

Use the TS Session Broker role service to distribute incoming requests between two or more terminal servers in a terminal server farm. Use the TS Gateway role service to allow connections from the Internet to connect to terminal servers on the private network. While using either service might add to the configuration, neither option would allow clients to launch applications through a Web browser (the TS Web Access role service must be present for this feature to be available).

Objective(s):

You are the server administrator for the westsim.com domain. All servers run Windows Server 2008.

You want to use Srv1 and Srv2 as terminal servers so that client computers can remotely run applications installed on those servers. Users should be able to open a Web page so they can see a list of available applications to run.

In addition to Srv1 and Srv2, you can also use Srv3 for your solution if necessary.

What should you do?

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Terminal Services with the TS Web Access role service.

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Terminal Services with the TS Session Broker role service.

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Terminal Services with the TS Gateway role service.

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Web Server (IIS) role.

nmlkji On Srv1 and Srv2, install Terminal Services with the Terminal Server and TS Web Access role services.

Page 11 of 39


Reference(s):


[ms646-401 #15]

Explanation:




Objective(s):


Reference(s):


[ms646-502 #76]




What should you do?







Page 12 of 39

Explanation:

To use granular password policies:

1. Create the Password Settings Object (PSO) with the necessary settings. 2. Edit the msDS-PSOAppliesTo property in the PSO to identify the users or global security groups to which the

policy applies. 3. If the policy was applied to a group, add members to the group.

The msDS-PSOAppliesTo property in the PSO identifies the users to which the policy applies. Using ADSI Edit, you can apply the policy to any object. However, only policies applied to user accounts or global security groups will be effective. To apply a policy to all users in an OU, add each user to the msDS-PSOAppliesTo property or use a global security group.

Objective(s):


Reference(s):


[ms646-303 #15]




nmlkj Create a granular password policy. Apply the policy to the Directors OU.

nmlkjCreate a granular password policy. Create a universal security group. Apply the policy to the group. Add all users in the Directors OU to the group.

nmlkji Create a granular password policy. Apply the policy to all users in the Directors OU.

nmlkjCreate a granular password policy. Create a global distribution group. Apply the policy to the group. Add all users in the Directors OU to the group.

You manage a Windows Server 2008 server that is used to hold user data files. The system volume is drive C:, while all user data is on drive E:. You will use Windows Server Backup to configure a backup schedule.

You want to back up only the E: volume twice a day. You want to be able to restore individual files and folders. If possible, you want to save backups on optical media so you can place the backup disc in a media catalog server for easy retrieval.



gfedcb Save the backup to an external hard disk.


gfedc Create a Scheduled Task that runs wbadmin enable backup.

Page 13 of 39

Explanation:

To configure a backup schedule that excludes the system volumes, you must create a Scheduled Task that runs wbadmin start backup. To be able to restore individual files, you must save the backup to a shared folder or a disk.

Backups scheduled using wbadmin enable backup or the Backup Schedule wizard automatically include system volumes, and these volumes cannot be excluded. If you save backups to DVD or removable media, you can only restore entire volumes, not individual folders or files.

Objective(s):


Reference(s):


[ms646-503 #15]

Explanation:



Objective(s):


Reference(s):


[ms646-201 #24]

gfedc Save the backup to DVD.






nmlkj Winrs -list

nmlkji Oclist

Page 14 of 39

Explanation:

Use a GPO linked to the Accounting OU to assign the .msi file to computers. Assigning the update file runs the update automatically. If you only publish the update, the update will be available but not installed automatically.

You cannot use WSUS because WSUS works only with Microsoft updates; WSUS cannot be used for third-party software.

Objective(s):


Reference(s):


[ms646-401 #66]

You are the network administrator for the westsim.com domain. All client computers are running Windows XP Professional (SP2) and all servers are running Windows Server 2003 or Windows Server 2008. Organizational Units (OUs) have been created for each department, and user and computer accounts have been moved into the department OUs.

You have recently configured a Windows Server Update Services (WSUS) infrastructure on the network. All client computers are configured to download updates from your internal WSUS server.

You have just received notification that the accounting software has a new update. The update is critical and must be deployed as quickly as possible to all computers in the accounting department.

What should you do?

nmlkjCreate a GPO linked to the domain. Create a custom script that runs the update file. Use WMI filtering to apply the GPO to the accounting computers.

nmlkji Create a GPO linked to the Accounting OU. Assign the .msi file included with the update to computers.

nmlkj Create a GPO linked to the Accounting OU. Publish the .msi file included with the update to computers.

nmlkjOn the WSUS server, approve the update. Use client-side targeting to apply the update to the accounting computers.




What should you do?




Page 15 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-201 #32]

Explanation:












nmlkjiCreate a granular password policy. Create a universal security group. Apply the policy to the group. Add all users in the Directors OU to the group.

Page 16 of 39

Objective(s):


Reference(s):


[ms646-303 #23]

Explanation:

Deploy each printer using a Group Policy Object (GPO) linked to an OU that applies to all Accounting users. Deploy the printers using the User Configuration portion of the GPO to add the printer for the user, regardless of which computer they log on to. Deploying the printer to computers adds the printer to the computer, regardless of what user is logged on.

Listing the printer in Active Directory makes the printer name and its characteristics appear in Active Directory. Users can then search Active Directory to find the printer by name or by special features (such as location or color support). The Manage Documents permission allows users to manage all documents in the print queue, such as pausing, reordering, or deleting print jobs. The Manage Printer permission allows users to change printer configuration settings and permissions.

Objective(s):


Reference(s):


[ms646-105-402 #170]

You are the server administrator for the westsim.com domain. You manage all printing for your network.

Members of the Accounting group use a set of special printers in a locked room for printing all print jobs. Accounting computers use Windows Vista Business.

You want to make sure that these printers and any others you might add for the group are always installed and configured for any member of the Accounting group, regardless of the computer they are using.

What should you do?

nmlkj List each printer in Active Directory.

nmlkj Grant Accounting group members the Manage Printer permission to all printers.

nmlkj Deploy the printers using Group Policy to computers.

nmlkj Grant Accounting group members the Manage Documents permission to all printers.

nmlkji Deploy the printers using Group Policy to users.

You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an Organizational Unit object for each major department in the company, including the Information Systems department. User objects are located in their respective departmental OUs. Users who are

Page 17 of 39

Explanation:

Because the Information Systems OU has users to which the GPO should apply as well as those to which the GPO should not apply, the GPO must be linked to the domain or each individual OU. Linking the GPO to the domain is a simpler solution than linking it to each individual OU, and is the best solution. Then, to prevent the Group Policy object from applying to members of the Domain Admins group, you need to deny that group the Apply Group Policy permission to the GPO. Do not deny the Read permission or Domain Administrators will not be able to edit the GPO.

Objective(s):


Reference(s):


[ms646-203 #128]

Information Systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group.


What should you do?









What should you do?





Page 18 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-503 #107]

Explanation:



Objective(s):


Reference(s):




What should you do?





Page 19 of 39


[ms646-301 #56]

Explanation:

Use the TS Session Broker role service to provide load balancing for terminal servers. The session broker directs client requests evenly between the servers in the server farm. If a user has an existing session, the connection is redirected to the server where the session resides.

When configuring a terminal server farm, configure either DNS round robin or Network Load Balancing (NLB) to point to the server farm. Client computers use DNS or NLB to locate the server farm for the initial connection. Following the initial connection, the TS Session Broker redirects the connection to a specific terminal server. When configuring DNS round robin, configure multiple host (A) records using the server farm name as the host name and the IP address of the terminal servers for the IP addresses.

Using NLB for the initial client connection to the server farm is a possible solution, but using NLB or failover clustering by themselves will not allow users with existing sessions to reconnect to the server where the session is active. Using NLB or failover clustering could result in users with active sessions being directed to the terminal server without the active session, thereby creating a new session instead of reconnecting to the existing session. You must use TS Session Broker to provide this functionality.

Objective(s):


Reference(s):



You have previously installed the Terminal Server role with the Terminal Server role service on TS-Srv1 and configured several applications for clients to run.

Because of recent growth, TS-Srv1 is beginning to reach its maximum capacity. You would like to add a second terminal server named TS-Srv2 and configure it with the same applications that are running on TS-Srv1. Your solution must meet the following requirements:

� New client connections should be evenly distributed between TS-Srv1 and TS-Srv2. � If a client disconnects and reconnects, the client should be reconnected to the same session if it is still

active.

In addition to TS-Srv1 and TS-Srv2, you can also use Srv3 for your solution if necessary.

What should you do?

nmlkj Install Failover Clustering on TS-Srv1 and TS-Srv2. Create a cluster and add both servers to the cluster.

nmlkjOn Srv3, install the Terminal Services role with the TS Gateway role service. Configure TS RAPs to allow access to TS-Srv1 and TS-Srv2.

nmlkjInstall Network Load Balancing (NLB) on TS-Srv1 and TS-Srv2. Create a cluster and add both servers to the cluster.

nmlkjiOn Srv3, install the Terminal Services role with the TS Session Broker role service. Configure DSN round robin and make TS-Srv1 and TS-Srv2 members of the terminal server farm.

Page 20 of 39

[ms646-401 #24]

Explanation:

To allow the server to boot without a PIN or a startup key on a USB drive, you must use a Trusted Platform Module (TPM). If the system does not have a TPM, you must use a startup key on a USB drive.

Implementing BitLocker requires two NTFS partitions:

� The system partition is a 1.5 GB volume that contains the boot files. This partition is set to active, and is not encrypted by the BitLocker process.

� The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker.

While you can use two hard disks instead of separate partitions on the same disk, the boot files are stored separate from the operating system files.

Objective(s):


Reference(s):


[ms646-101 #117]

You are the server and workstation manager for the westsim.com domain.

You are implementing Windows Server 2008 on a new server. You would like to configure the server to use BitLocker. The servers should start up without requiring a PIN or a USB device during startup.


gfedc Disable the TPM.

gfedc Install two hard disks. Put boot and operating system files on the first disk, and user data on the second disk.

gfedcb Enable the TPM.

gfedcbCreate two partitions on the hard disk. Put boot files on the first partition, and operating system files and data on the second partition.




nmlkj Round-robin


Page 21 of 39

Explanation:





Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #55]

Explanation:

Use FSRM file screens to prevent specific types of files from being saved in the specified volume or folder.

Use FSRM quotas to limit the size of files saved in a folder. Use Group Policy with software restriction properties to prevent users from running specific files; they do not prevent saving those files.


nmlkj Failover



You are the server administrator for the Srv12 server. This server is running the File Services role and is used for user home folders. Each user has a folder that they can use for storing personal files.

Recently you have found that users are downloading executable files and saving them to their home folders. Your company security policy strictly states that saving executable files to personal folders is prohibited.

You need to prevent users from saving these files to their home folders. What should you do?

nmlkji Configure FSRM file screens.

nmlkj Configure NTFS and share permissions with access-based enumeration.

nmlkj Configure Group Policy with object access auditing.

nmlkj Configure FSRM quotas.

nmlkj Configure Group Policy with a software restriction policy.

Page 22 of 39

Objective(s):


Reference(s):


[ms646-105-402 #111]

Explanation:



Objective(s):


Reference(s):


[ms646-502 #51]












Page 23 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-401 #84]



What should you do?





Members of the Marketing team have requested that they be able to dial in and access product documentation while traveling.

To accommodate their request, you want to configure Srv10 to allow VPN connections. Srv10 is a domain member server.


� Marketing team members will connect to Srv10 through the Internet. � All connections will use an SSTP VPN connection. � Users will gain access to servers on the private network through the VPN connection. � A separate RADIUS server will be used for authentication.



gfedcb Routing


Page 24 of 39

Explanation:

To allow the server to accept VPN connections, add the Remote Access Service. To allow clients to connect to computers on the private network through the VPN server, add the Routing role service.

The Network Policy Server role service is not needed because the VPN server will not be performing authentication; add this role service to the RADIUS server to configure network access policies on the RADIUS server.

Add the Health Registration Authority when using IPsec enforcement for Network Access Protection (NAP). The Online Responder is a role service of Active Directory Certificate Services (AD CS) and allows you to configure a central server for certificate status and revocation requests.

Objective(s):


Reference(s):


[ms646-103 #120]

Explanation:

A computer that is not PXE capable is unable to perform a network boot. Because it can't boot from the network, it can't download a boot image from the WDS server. For non-PXE computers, use a discover image. The discover image is placed on media, such as a CD or USB drive, and is used to boot the computer into Windows PE. The server can then connect to the WDS server to download the necessary install image.


gfedc Online Responder

gfedc Network Policy Server

Due to a recent expansion, your company will add a new division at your location. You have been put in charge of installing Windows Server 2008 on about 15 new servers.

You use Windows Deployment Services (WDS) to install the operating system on ten of the servers. You find, however, that the remaining five servers do not have PXE support.

You need to install Windows Server 2008 on the remaining five servers with as little effort as possible.

What should you do?

nmlkj On each remaining server, perform a manual installation of Windows Server 2008.

nmlkj

Install Windows Server 2008 on one of the servers. Create a capture image, and use the capture image to create a custom install image using that server. On the remaining four servers, connect to the WDS server and use the custom image to complete the installation.

nmlkjiCreate a discover boot image and an ISO image. Burn the ISO image to CD. Boot each computer to the CD, connect to the WDS server, and complete the installation.

nmlkj

Run Windows SIM to create a custom unattended installation file that includes the necessary settings for the remaining five servers. Add the resulting file to the WDS server. On the remaining five servers, connect to the WDS server and use the unattended file to complete the installation.

Page 25 of 39

Creating a custom install image is not necessary, because install images do not depend on minor differences in hardware (only the architecture is important). Even if you created a custom install image or answer file, without PXE capabilities or a bootable device, the non-PXE servers will be unable to connect to the WDS server to download the install image.

Objective(s):


Reference(s):


[ms646-102 #34]

Explanation:

To enable users to manage a single server, make the user a member of the local Administrators group. This allows users to manage all aspects of the server, including all services running on the server. While this option might give the user additional management capabilities over that one server, this option is typically preferable to giving the user additional capabilities on multiple servers.

Adding the user to the built-in Administrators group in Active Directory gives the user the ability to manage all domain controllers in the domain. Members of the DnsAdmins group can manage all DNS servers in the domain, including modifying server settings and managing zones and records.

Use the Delegation of Control wizard to assign permissions to Active Directory objects. You would typically run this on an OU to delegate permissions to objects within the OU.

Objective(s):


Reference(s):


You are the administrator for the westsim.com domain.

You have a DNS server that is a domain controller. The DNS server has a standard primary zone for the sales.westsim.com domain.

You want to allow user BBarnes to manage the sales.westsim.com zone as well as manage DNS server settings such as forwarding for the server that hosts this zone. He should not be able to manage other domain controllers or other DNS servers.

What should you do?

nmlkj Make the BBarnes user a member of the DnsAdmins group.

nmlkjiMove the zone to a DNS server that is not a domain controller. Make the BBarnes user a member of the Administrators local group on the server.

nmlkj Make the BBarnes user a member of the Administrators built-in group in Active Directory.

nmlkj Run the Delegation of Control wizard and assign the necessary permissions.

Page 26 of 39

[ms646-202 #50]

Explanation:

The System Stability Chart in Reliability Monitor keeps track of overall server health on a daily basis. It shows you an historical record of system changes and events, and assigns an overall server health value to each day (with 1 being the least stable and 10 being the most stable).

You might be able to create filters or a custom view in Event Viewer to see the same kind of information. However, if the event logs were full or cleared, data might be missing. In addition, you would have to configure the custom view, and then possibly interpret the events that you see.

With Performance Monitor, you can configure objects and counters to see current information, but you cannot go back and review past information. You can use a data collector set to capture information, but the collector must have already been configured and running in order to view historical data.

Objective(s):


Reference(s):


[ms646-302 #31]

You have been hired as a consultant for a small business that is using Windows Server 2008. Three months ago, they installed a new server. Since that time, they report that from time to time, the system has had slowdowns and crashes.

You want to look at a report that shows important events for the server since it was installed. You'd like to see when software was installed, along with any hardware or application failures.

You want to view this information with as little effort as possible.

What should you do?

nmlkji Open the System Stability Chart in Reliability Monitor.

nmlkj Create a custom view in Event Viewer that filters on the events you are looking for.

nmlkj Configure a data collector set with performance counter data collectors and configuration data collectors.

nmlkj Add objects and counters to Performance Monitor for the events you want to view.

You are the server administrator for the westsim.com domain. Your network has a main office in Tulsa, with a branch office in Norman.

You want to provide a site-to-site VPN solution to connect the two sites. The solution must provide the following:

� Authentication using certificates and Kerberos � Encryption using Suite B encryption � Support for health certificates used by NAP

Which protocol should you use?

Page 27 of 39

Explanation:

Use IPsec to secure host-to-host and site-to-site communications, or to require only encrypted communications with specific servers or hosts. IPsec supports Suite B encryption methods and authentication using Kerberos, NTLMv2, or certificates. IPsec supports health certificates used by NAP.

Objective(s):


Reference(s):


[ms646-303 #85]

Explanation:



Objective(s):


Reference(s):


nmlkj Point-to-Point Tunneling Protocol (PPTP)

nmlkji Internet Protocol Security (IPsec)

nmlkj Layer Two Tunneling Protocol (L2TP)

nmlkj Secure Socket Tunneling Protocol (SSTP)




nmlkj Oclist


nmlkj Winrs -list


Page 28 of 39

[ms646-201 #16]

Explanation:



Objective(s):


Reference(s):


[ms646-201 #57]







gfedcb Telnet


gfedc TS Gateway

You manage the DNS infrastructure for you network. Server Dns1 holds a primary zone for the research.westsim.com domain. Server Dns2 holds a primary zone for the sales.westsim.com domain. Both servers are also domain controllers.

Computers configured to use Dns1 as the preferred DNS server are unable to resolve names for hosts in the sales.westsim.com domain. You need to enable Dns1 to resolve names for hosts in that domain. Your company security policy states that DNS zone transfers are not allowed between Dns1 and Dns2.

What should you do?

nmlkji On Dns1, configure a conditional forwarder for sales.westsim.com.

nmlkj On Dns1, configure a stub zone for sales.westsim.com.

Page 29 of 39

Explanation:

Configure a conditional forwarder to forward DNS requests from one server to another server based on the domain name.

Using a stub zone or a secondary zone would enable name resolution, but would require zone transfers between the two DNS servers. Stub zones only replicate the NS records and the A records for name servers so the zone transfer traffic is limited, but zone transfers still happen.

Use a delegation on a parent zone (such as westsim.com) to identify the name servers for child zones.

Objective(s):


Reference(s):


[ms646-103 #102]

Explanation:

To support failover clustering, use either the Enterprise or Datacenter editions. The Standard edition or a Server Core installation does not support failover clustering.

Objective(s):


Reference(s):

nmlkj On Dns1, configure a stub zone for sales.westsim.com.

nmlkj On Dns1, configure a secondary zone for sales.westsim.com.

nmlkj On Dns1, configure a zone delegation for sales.westsim.com.


� 32 GB RAM � One quad-core Intel-VT processor � 10 GB mirrored hard disk for the system partition

You will use this server to add the DHCP server role and configure the server in a failover cluster with two nodes.



nmlkj Standard edition, standard installation

nmlkj Standard edition, Server Core installation

nmlkj Enterprise or Datacenter edition, Server Core installation

nmlkji Enterprise or Datacenter edition, standard installation

Page 30 of 39


[ms646-101 #84]

Explanation:

Configure Srv5 as a downstream server to Srv7 and make it a replica of the upstream server. When a server is a replica, it gets its list of approved updates as well as its computer groups from the upstream server. All configuration is performed on the upstream server. If Srv5 were not a replica, then you could have different approvals and computer groups on Srv5 than exist on Srv7.

Configure client-side targeting to assign computers to WSUS computer groups automatically. Use a Group Policy Object (GPO) to identify the computer group. To assign computer groups based on the Active Directory OU, create a GPO for each OU with a different computer group setting for each.

Use server-side targeting to configure computer groups on the WSUS server. Because Srv7 is the upstream server, you would create computer groups on Srv7.

Objective(s):


Reference(s):


[ms646-301 #23]

You are the server administrator for the westsim.com domain. You manage a network with a main office and a branch office. The branch office is connected to the main office with a WAN link.



� Updates for both locations will be approved centrally. � Computers will be assigned to WSUS computer groups automatically based on the Active Directory OU

where the computer account resides.


gfedc Enable server-side targeting on Srv5.

gfedcb Enable client-side targeting on Srv5.

gfedcb Configure Srv5 as a downstream server to Srv7. Make Srv5 a replica of the upstream server.

gfedc Configure Srv5 as a downstream server to Srv7. Do not make Srv5 a replica of the upstream server.


Your company has developed a custom application that runs in four instances on Srv6. You want to divide the processor and the memory resources evenly between the four instances of the application.

You decide to use the Windows System Resource Manager (WSRM). You want to implement a solution as easily

Page 31 of 39

Explanation:

You will need to create a custom policy to specify the application and to add memory resources to be managed. To enforce the policy settings, make the policy the managing policy.

The default Equal_Per_Process policy applies to all processes and allocates only CPU use between all processes evenly. You cannot edit the default policies. Make a policy the profiling policy to gather statistics about processes but not enforce resource limits.

Objective(s):


Reference(s):


[ms646-401 #92]

Explanation:

The proper event to enable is the Logon event. This event type will record when a network logon occurs, such as a

You decide to use the Windows System Resource Manager (WSRM). You want to implement a solution as easily as possible.


gfedcEdit the Equal_Per_Process policy to apply only to the application. Modify the policy to include memory allocation.

gfedcb Make the policy the managing policy.

gfedc Edit the Equal_Per_Process policy to apply only to the application.

gfedc Make the policy the profiling policy.

gfedcb Create a custom policy that applies only to the application and allocates processor and memory resources.

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2008 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU.

You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. You want to be able to check each server's log for the events.

What should you do? (Choose two. Each choice is a required part of the solution.)

gfedc Enable the logging of Account Logon events.

gfedc Link the GPO to the Domain Controllers OU.

gfedc Enable the logging of System events.

gfedcb Link the GPO to the Member Servers OU.

gfedcb Enable the logging of Logon events

gfedc Enable the logging of Object Access events.

Page 32 of 39

domain user connecting to a share on the member server. Link the GPO to the Member Servers OU so that it applies to each member server.

Account Logon events for domain accounts will be recorded on the domain controllers, not the member servers. In short, Account Logon events are generated where the account lives; Logon events are generated where the logon attempt occurs. If you wanted to audit when a domain user account was authenticated to the domain you would enable the Account Logon event in a GPO linked to the Domain Controllers OU.

Object Access must be enabled for a computer before you can enable NTFS or Printer auditing. System events record start-up and shut-down events on a computer.

Objective(s):


Reference(s):


[ms646-303 #31]

Explanation:

Members of the Administrators local group can manage all aspects of the server, including managing all services running on the server, sharing folders, installing devices, and formatting the hard disk.

If the server is a domain controller, use the Server Operators built-in group in Active Directory to enable these same management tasks. Use the Administrators built-in group in Active Directory to designate a domain controller administrator. For both groups, adding a user gives the user the rights on all domain controllers in the domain.

With Windows Server 2008, the Power Users group still exists, but has no more permissions than the Users group has. Power Users cannot create shared folders.

Objective(s):


Reference(s):

You are the administrator for the westsim.com domain. You have just installed a new file server named FS7 on a domain member server.

You want to delegate authority to another administrator so she can manage the FS7 server. She needs to be able to log on and log off, shut down the server, and share folders on the server. You want to assign the least amount of permissions as possible.

What should you do?

nmlkj Make the user a member of the Administrators built-in group in Active Directory.

nmlkj Make the user a member of the Power Users local group on the server.

nmlkji Make the user a member of the Administrators local group on the server.

nmlkj Make the user a member of the Server Operators built-in group in Active Directory.

Page 33 of 39


[ms646-202 #157]

Explanation:

To protect the volumes in the event that a single disk fails, you will need to create mirrored (RAID-1) or RAID-5 volumes. For the data volume, create a RAID-5 volume. RAID-5 provides both fault tolerance and improved performance because of data striping. RAID-5 requires a minimum of three disks. Using three disks for the data volume lets you use two disks to create a mirrored volume for the system volume.

Striped (RAID-0) volumes improve performance but do not provide fault tolerance; failure in one drive makes all data in the volume inaccessible. When you create a RAID-5 volume, you cannot partition it into multiple drive letters.

Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #7]

You are planning a storage solution for a new Windows Server 2008 server. The server will be used for file and print services and as a database server. The new server has five hard disks, all with equal capacity.

Your storage solution should meet the following requirements:

� System files should be on a volume separate from data files. � All volumes should be protected so that the server can continue to run in the event of a failure of one of the

disks. � The data volume should be optimized for improved disk access times. � You will use Windows Disk Management to create and manage the volumes.

What should you do?

nmlkj Create a RAID-5 volume using four disks for the data volume. Use the remaining disk for the system volume.

nmlkjCreate a mirrored volume using two disks for the system volume and a striped volume using three disks for the data volume.

nmlkjCreate a mirrored volume using two disks for the system volume and a mirrored volume using two disks for the data volume. Keep the remaining disk as a spare.

nmlkjCreate a RAID-5 volume using five disks. Create two drives on the volume, one for system files and one for data.

nmlkjiCreate a mirrored volume using two disks for the system volume and a RAID-5 volume using three disks for the data volume.



Page 34 of 39

Explanation:

Select the Datacenter edition of Windows Server 2008. The Datacenter edition is required to support more than 8 processors. The Datacenter edition supports the following hardware:

� The 32-bit version supports up to 32 processors; the 64-bit version supports up to 64 processors. � The 32-bit version supports up to 64 GB of RAM; the 64-bit version supports up to 2 TB.

The Standard edition supports up to 4 processors, and the Enterprise edition supports up to 8 processors. The 64-bit version of the Standard edition supports up to 32 GB of RAM, and the Enterprise edition supports up to 2 TB of RAM. All of the server roles that will be installed on the server are supported by the Standard edition, however you must use the Datacenter edition to support the number of processors and the total amount of RAM.

Objective(s):


Reference(s):


[ms646-101 #7]

You will use the server for the following server roles:

� File Services � Print Services � Application Server for a database application � Terminal Services � Active Directory Rights Management Services (AD RMS)



nmlkj Standard edition

nmlkj Web Server edition

nmlkj Itanium edition

nmlkj Enterprise edition

nmlkji Datacenter edition

You are the server administrator for the westsim.com domain. Client computers run Windows XP Professional. In addition, the Research department has five UNIX computers. All servers run Windows Server 2008.

You need to configure the FS9 server so that all company clients can connect to a shared folder named Forms. Users need only Read access to documents in this folder.

How should you configure the server? (Select two. Each choice is a required part of the solution.)

gfedcb Share the Forms folder using both SMB and NFS.

gfedc Share the Forms folder using SMB only.

Page 35 of 39

Explanation:

Add the Services for Network File System (NFS) role service to provide access to files through the NFS protocol, commonly used by UNIX computers. To configure a shared folder to use NFS, you must also add the File Server role service which adds the Share and Storage Management console. Use this console to share the folder using both SMB for Windows clients and NFS for UNIX clients.

Adding only the File Server role service does not add NFS support. Sharing the folder using SMB only would not allow the UNIX computers to connect. Sharing the folder with NFS only would not allow the Windows computers to connect to the shared folder.

Objective(s):


Reference(s):


[ms646-105-402 #258]

Explanation:

gfedc Share the Forms folder using NFS only.

gfedc Add the File Server role service.

gfedcb Add the File Server and Services for Network File System (NFS) role services.



Place each network access policy in the proper order to configure the required access.





None



None

Contractors Deny Night

Contractors Group membership Dialup connection 6pm to 6am


None

Allow Any Contractors Deny Night Policy #1

Contractors Allow Contractors Allow Policy #2

Contractors Deny Night Allow Any Policy #3

Page 36 of 39

Place the policies in the following order:


Policy processing will be as follows:

� When a contractor tries to connect during the day: 1. The conditions will not match in the first policy because the connection time does not match. 2. The conditions will match in the first policy because the group membership will match. The connection will

be allowed. � When a contractor tries to connect at night, the conditions will match the first policy (both group membership and

time of day). The connection will be refused. � When anyone else tries to connect, the first two policies will not match because the group memberships do not

match. The last policy matches the group membership and the connection is allowed.

Note the following problems that arise from placing the policies in the wrong order:

� If the Contractors Allow policy is at the top of the list, contractors would be allowed access at any time. Because the conditions would always match the first policy, the time restrictions would never be enforced. The Contractors Deny Night policy must come before the Contractors Allow policy.

� If the Allow Any policy were first in the list, everyone, including contractors, would have access at any time of day for a similar reason. The two contractor policies must come before the Allow Any policy.

Reference(s):


[ms646-303 #176]

Explanation:

To configure a backup schedule that is less frequent than once a day, you must create a Scheduled Task that runs wbadmin start backup. To be able to restore individual files, you must save the backup to a shared folder or a disk.

Running the Backup Schedule wizard, you must schedule backups daily or more frequently. If you save backups to DVD or removable media, you can only restore entire volumes, not individual folders or files.

Objective(s):



You want to perform a complete system backup every Monday, Wednesday, and Friday. You want to be able to restore the entire system or individual files from the backup.


gfedcb Save backups to a shared folder.


gfedc Save backups to DVDs.


Page 37 of 39

Reference(s):


[ms646-503 #7]

Explanation:



Objective(s):


Reference(s):


[ms646-103 #181]










You are the administrator for the westsim.com domain. You have installed multiple Windows Server Update Services (WSUS) servers in your domain.

You want to delegate the ability to the TWhite user to view performance data on the WSUS servers such as processor and memory utilization. You want to assign the least amount of permissions as possible.

What should you do?

Page 38 of 39

Explanation:

Make TWhite a member of the Performance Monitor Users group. Members of the Performance Monitor Users group can monitor performance counters, both locally and from remote clients. Group members can only view performance data, but not manage logs, alerts, or collector sets.

Members of the Performance Log Users can manage performance counters, logs, and alerts, both locally and from remote clients. Members of the Event Log Readers group can read the event logs on the computer.

Processor and memory statistics are saved in Performance Monitor, not in the WSUS console. Members of the SUS Reports group can create and view reports in WSUS, but not manage the WSUS server or its settings. Members of the WSUS Administrators group can manage the WSUS server and its settings.

Objective(s):


Reference(s):


[ms646-202 #74]

nmlkji Make TWhite a member of the Performance Monitor Users group.

nmlkj Make TWhite a member of the Event Log Readers group.

nmlkj Make TWhite a member of the SUS Reports group.

nmlkj Make TWhite a member of the Performance Log Users group.

nmlkj Make TWhite a member of the WSUS Administrators group.

Page 39 of 39

Explanation:




Objective(s):


Reference(s):


[ms646-303 #93]






What should you do?





You manage the DNS infrastructure for you network. Server Dns1 holds a primary zone for the westsim.com domain. Server Dns2 holds a primary zone for the sales.westsim.com domain. Both servers are also domain controllers.

Computers configured to use Dns1 as the preferred DNS server are unable to resolve names for hosts in the sales.westsim.com domain. You need to enable Dns1 to resolve names for hosts in that domain. Zone data for the sales.westsim.com domain should not be stored on the Dns1 server.

What should you do?

Page 1 of 40

Explanation:

On Dns1, create a zone delegation for sales.westsim.com. The zone delegation identifies the zone name and the authoritative name servers for the zone.

You could enable name resolution for the sales.westsim.com zone by configuring a secondary zone on Dns1 or by converting the zone to an Active Directory-integrated zone. However, both solutions would mean that Dns1 would hold zone data. The scenario requests that zone data is not stored on Dns1.

Objective(s):


Reference(s):


[ms646-103 #94]

Explanation:

Use Performance Monitor to view current system statistics. Add objects and counters to customize the statistics that are shown.

Use data collector sets to define statistics to gather over time. These statistics are saved to a file. You open the file to analyze the statistics. You cannot view current statistics from a defined data collector set.

A custom view is a saved filter in Event Viewer. Use Event Subscriptions to view a set of events stored in multiple logs on multiple computers. Events that occur on one computer are sent to another computer where they are saved and can be

nmlkji On Dns1, create a zone delegation for sales.westsim.com.

nmlkj On Dns2, create a zone delegation for westsim.com.

nmlkj On Dns1, configure a secondary zone for the sales.westsim.com zone.

nmlkj On Dns2, convert the sales.westsim.com zone to an Active Directory-integrated zone.


You are concerned about system performance while running the application on the server. You would like to be able to open Server Manager and view the current statistics for processor, memory, and disk reads and writes for the server. You only want to see these statistics and no others, and you want to be able to easily save the configuration so that the same statistics are shown each time.

What should you do?

nmlkji Add objects and counters in Performance Monitor

nmlkj Create a data collector set in Reliability and Performance Monitor


nmlkj Create a Custom View in Event Viewer

Page 2 of 40

viewed. Event Viewer shows events, such as error messages, and not data about system statistics.

Objective(s):


Reference(s):


[ms646-302 #72]

Explanation:

Users must have the Apply Group Policy and Read permissions to a GPO for that GPO to be applied to the user. You can prevent a group from receiving a GPO by denying the group the required permissions to the GPO. By denying the permissions for the Managers group, you can prevent the GPO settings from applying to group members.

Objective(s):


Reference(s):


[ms646-203 #111]

You are the network administrator for a large metropolitan hospital. The hospital must conform to several new regulations dealing with patient privacy.

Several users in the accounting department are able to access confidential patient data. The users are utilizing the search function in Windows XP Professional to access the patient records. As part of a solution, you decide to distribute a group policy to users in the Accounting organizational unit (OU) that disables the search function no matter which workstation is being used.

After you configure and test the policy, you report to the head of the accounting department what you are about to do. The department head points out that several people in the Accounting OU have valid reasons for using the search function. Removing the search function for these users would seriously compromise their ability to perform their jobs. These people are part of a security group named Managers. You need to prevent the Group Policy object (GPO) that you have configured from applying to members of the Managers group.

What should you do?

nmlkjMove members of the Managers group to their own OU beneath the Accounting OU. Enable Block Policy inheritance for the new OU.

nmlkjAdd the Managers group to the Accounting OU's discretionary access control list (DACL). Deny the Apply Group Policy and Read permissions to the Managers group.

nmlkj Make sure that the Managers group is not on the GPO's discretionary access control list (DACL).

nmlkjiAdd the Managers group to the GPO's discretionary access control list (DACL). Deny the Apply Group Policy and Read permissions to the Managers group.

Page 3 of 40

Explanation:

To enable the target computer to support remote shell connections, run Winrm quickconfig. Because Remote Shell sets up HTTP listeners on ports 80 or 443, you will not need to open any additional firewall ports. To connect to the target computer, run Winrs along with the command you want to execute.

Open the Remote Administration firewall exception to enable MMC consoles to communicate with the servers remotely. Open the Remote Desktop firewall exception to allow Remote Desktop connections. Use Ocsetup and ServerManagerCMD to add roles, role services, and features to a server. Telnet is not required for Windows Remote Shell.

Objective(s):


Reference(s):


[ms646-201 #67]


You would like to manage the servers remotely using the Windows Remote Shell.

What should you do on each server to enable remote management with Windows Remote Shell?

nmlkj Run Netsh to open the Remote Administration firewall exception.

nmlkji Run Winrm quickconfig.

nmlkj Run Cscript to open the Remote Desktop firewall exception.

nmlkj Run Ocsetup or ServerManagerCMD to install the Telnet server.

Your company has just decided to upgrade from Windows NT 4.0 to Windows Server 2008. You are in charge of designing the Active Directory tree. You have a small company that has only one location. You have determined that you will have approximately 500 objects in your completed tree.

The tree design has been the subject of some controversy. In preliminary meetings, you have determined that there are four primary areas of the company: Accounting, Manufacturing, Sales, and Administration. Each area is autonomous and reports directly to the CEO. In meetings on the Active Directory tree design, the manager of each area wants to make sure that some management control of their users and resources remains in the department.

What should you do?

nmlkj

Create a local group. Add a designated user from each department to the local group. Make the local group a member of the Administrators domain local group, thus giving the designated users the ability to manage the department resources, no matter where the resources are in the tree.

nmlkji

Create an Organizational Unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.

nmlkjCreate an Organizational Unit object for each department and use the Delegation of Control wizard to make the department managers members of the Administrators group.

nmlkj

Explain to the managers of each of the departments that best practices for an Active Directory tree of this size suggest that centralized administration is the most efficient method. All network administration will

Page 4 of 40

Explanation:

Active Directory tree design can be impacted by many factors, including corporate politics. By creating four OUs, you have given each of the areas the desired autonomy. You can then use the Delegation of Control wizard to give a trained administrator in each OU the ability to perform limited administrative tasks, while giving you control over the remainder of the tree.

Objective(s):


Reference(s):


[ms646-202 #7]

Explanation:

Use TS Gateway to allow Remote Desktop connections through the Internet using port 443. From your laptop, you connect to the TS Gateway server. On the TS Gateway server, you configure TS RAPs and TS CAPs to identify which users can connect and the resources (servers) they can connect to.

To use the Remote Server Administration Tools (RSAT) tools, you will need to open the corresponding firewall ports to allow the necessary tools to communicate. Windows Remote Shell uses port 443, but is a command prompt administration tool.

Use Oclist to see a list of installed roles on a Server Core installation. Use ServerManagerCMD to manage the server from a command prompt.

nmlkj size suggest that centralized administration is the most efficient method. All network administration will remain within your department.


You would like to be able to manage your servers from your laptop, even when you are traveling or at home. Your solution must meet the following requirements:

� You need to be able to connect to the servers through the Internet. � You want to see the server desktop so you can run Server Manager and other administration tools on the

servers. � Only you should be able to connect remotely, and you should only be able to connect to the servers and no

other computers. � Your company firewall only allows ports 80 and 443.

What should you do?

nmlkj Install the Remote Server Administration Tools (RSAT) tools on your laptop.

nmlkj Run Winrm quickconfig on each server. Run Winrs on your laptop to connect to each server.

nmlkj Run Ocsetup on each server. Run ServerManagerCMD on your laptop.

nmlkji Configure a server connected to the Internet with TS Gateway.

Page 5 of 40

Objective(s):


Reference(s):


[ms646-201 #49]

Explanation:



Objective(s):


Reference(s):


[ms646-502 #51]












Page 6 of 40

Explanation:

For this scenario, use a Network Load Balancing (NLB) cluster. NLB provides both load balancing and failover for application servers. NLB works best with stateless applications (applications that do not save state information between sessions). Because each server maintains its own copy of the data, NLB works best for applications where the data is relatively static, or where you can easily replicate data between servers.

Failover Clustering cannot be used in this scenario for several reasons:

� Failover Clustering works best for stateful applications. If you need to provide redundancy for stateless applications, NLB might be the better choice.

� Failover Clustering uses shared storage between servers. � Failover Clustering does not support internal, parallel SCSI storage.

Use a terminal server farm when you need to allow users to launch applications; Terminal Services is not used to provide redundancy and fault tolerance for applications that are running on an application server.

DNS round robin is a way to distribute client requests between two servers. However, if one server goes down, client requests continue to be directed to that server.

Objective(s):


Reference(s):


[ms646-502 #7]


You have an application server named Srv12 that runs a stateless Web application using IIS. Because of recent growth, this server is becoming unable to process all incoming requests in a timely manner.

You would like to add a second server to run the application. Your solution should meet the following requirements:

� Client requests should be divided evenly between the two servers. � If one server goes down, all requests should go to the other server. � All application data will be stored on internal parallel SCSI drives on each server.

You install the application on the second server. You now need to configure a solution to meet the requirements.

What should you do?

nmlkj Configure DNS round robin, with a host (A) record for each server.

nmlkji Configure both servers in a Network Load Balancing (NLB) cluster.

nmlkj Configure both servers in a Failover Clustering cluster.

nmlkj Configure both servers in a Terminal Services server farm. Configure a third server as a TS Session Broker.


Members of the Sales team use laptops while traveling. All laptops run Windows Vista Enterprise. You would like

Page 7 of 40

Explanation:

Use BitLocker to encrypt the entire system volume and protect both operating system and user data. Use BitLocker with a Trusted Platform Module (TPM) to protect the boot environment components such as the BIOS, Master Boot Record, Boot Sector, Boot Manager, and Windows Loader. The system is shut down if a boot environment change is detected. Using BitLocker, drives are locked if they are moved to another computer, and you can require a startup key on a USB drive or a PIN before the system will boot.

If you use BitLocker without a TPM, system integrity checks are not performed. The TPM is required for saving the startup file information that is used to verify system integrity. When using BitLocker without a TPM, you must use a startup key on a USB device; when using a TPM, this is an optional configuration.

EFS encrypts individual files. With EFS, only the user who encrypted the file and any additionally-designated users can access the file. EFS does not provide integrity checks for boot files.

Objective(s):


Reference(s):


[ms646-101 #92]

Members of the Sales team use laptops while traveling. All laptops run Windows Vista Enterprise. You would like to protect the data on these laptops to meet the following requirements:

� All operating system and user data should be encrypted. � All user data should be inaccessible (unreadable) if the hard disk is removed and connected to a different

computer. � The computer should not boot unless a special key is found on a USB drive. � The computer should not boot if a change is detected in the boot files.

You need to implement a solution to meet the stated requirements. What should you do?

nmlkj Instruct each user to use the Encrypting File System (EFS) to enable encryption on the volume

nmlkji Implement BitLocker with a TPM

nmlkj Implement BitLocker without a TPM

nmlkj Instruct each user to use the Encrypting File System (EFS) to encrypt all user data files

You are the server administrator for the westsim.com domain. You have implemented the Distributed File System (DFS) as follows:

� Srv1 is running Windows Server 2003 R2 Standard edition. It hosts the //westsim.com/sales namespace. � Srv2 is running Windows Server 2008 Enterprise edition. It hosts the //westsim.com/marketing

namespace.

You would like to provide redundancy for the //westsim.com/marketing namespace and all of its folders using Srv1 so that if Srv2 goes down, all data would still be accessible through Srv1. You also want to use Remote Differential Compression (RDC) for replicating folder target data if possible.

What should you do?

nmlkjAdd Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure DFS replication.

Page 8 of 40

Explanation:

You must first upgrade the server to an Enterprise edition of either Windows 2003 or 2008. You can host multiple namespaces on a single server if the server is running an Enterprise or Datacenter edition of Windows Server 2003 or 2008. Otherwise, each server can host only a single namespace. To use RDC, configure the servers to use DFS replication. DFS replication is a newer replication method introduced with Windows Server 2003 R2 and supported on Windows Server 2008.

Objective(s):


Reference(s):


[ms646-105-402 #69]

Explanation:

Perform a nonauthoritative restore of Active Directory. All of the objects are restored with the same update sequence number they had at the time of backup. Active Directory will determine these objects are out of date, and the objects will be synchronized from the data held on other domain controllers.

Objective(s):

Srv2 for folders within the namespace. Configure DFS replication.

nmlkji

Upgrade Srv1 to Windows Server 2003 Enterprise. Add Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure DFS replication.

nmlkjAdd Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure FRS replication.

nmlkj

Upgrade Srv1 to Windows Server 2003 Enterprise. Add Srv1 as a namespace server to the //westsim.com/marketing namespace. Create folder targets on Srv2 for folders within the namespace. Configure FRS replication.

You work for a consulting company. Your best customer, a university on summer break, has a serious problem. One of the student interns carried a large cup of coffee into the computer room and promptly tripped over a section of the raised flooring. The coffee spilled and found its way into one of the domain controllers. Sparks flew and the domain controller was dead on arrival to the tech bench. The system board was no longer functional and two SCSI hard drives have failed.

You replace the system board and SCSI hard drives. Fortunately, a system state backup was done two nights ago, but several changes in Active Directory have occurred since then and have been fully replicated to other domain controllers in this single domain network. You need to decide how to restore Active Directory on the failed server. You must complete the restoration as quickly as possible.

What should you do?

nmlkj Perform an authoritative restore of the entire Active Directory database.

nmlkji Perform a nonauthoritative restore of the entire Active Directory database.

nmlkjPerform a nonauthoritative restore of only the Active Directory objects created or updated since the server failed.

nmlkjPerform an authoritative restore of only the Active Directory objects created or updated since the server failed.

Page 9 of 40


Reference(s):


[ms646-503 #41]

Explanation:

To protect the volumes in the event that a single disk fails, you will need to create RAID-1 or RAID-5 volumes. Because all of the solutions involve only two disks, you must create a RAID-1 volume; RAID-5 volumes require a minimum of three disks. To allow disk access in the event of a single disk controller failure, install two controllers with each disk on a different controller.

Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #24]

You are getting ready to install a new Windows Server 2008 server as a domain controller.

You would like to implement a storage solution for the new server such that the system volume remains available in the event of a single disk or disk controller failure. If possible, you would also like to improve disk access performance.

What should you do?

nmlkji Install two hard disks, each on a different disk controller. Create a RAID-1 volume for the system volume.

nmlkj Install two hard disks on the same disk controller. Create a RAID-1 volume for the system volume.

nmlkj Install two hard disks, each on a different disk controller. Create a RAID-5 volume for the system volume.

nmlkj Install two hard disks on the same disk controller. Create a RAID-5 volume for the system volume.

You want to monitor the processor utilization on Srv12, a system running Windows Server 2008.

You want to get an e-mail notification every time the processor utilization exceeds 90%. You create a new Data Collector Set in the Reliability and Performance Monitor.

What type of Data Collector should you create?

nmlkj Performance counter data collector

nmlkj Event trace data collector

nmlkji Performance counter alert

nmlkj Configuration data collector

Page 10 of 40

Explanation:

Use a performance counter alert to be notified when a counter is above or below a threshold amount.

Use a performance counter data collector to capture system statistics over time. Use an event trace collector to gather information reported by trace providers included with the operating system or some applications. Use a configuration data collector to collect registry key settings.

Objective(s):


Reference(s):


[ms646-302 #15]

Explanation:



Objective(s):


Reference(s):





What should you do?





Page 11 of 40

[ms646-203 #23]

Explanation:

A custom view is a saved filter. Custom views apply filter criteria to one or more event logs. The filter criteria for a custom view is similar to that for a filter, but also includes the log(s) you want to include in the view. Custom views are saved between Event Viewer sessions, and are available each time you use Event Viewer. You can export a custom view and import it on another system. This exports and imports the custom view criteria, not the events showing in the view.

Adding a filter in Event Viewer has the following limitations:

� You cannot save a filter. Each time you start Event Viewer, you will need to redefine the filter criteria. � Filters apply only to a single log; you cannot filter multiple logs into a single view. � You cannot export and import filter criteria to other computers.

Use Event Subscriptions to view a set of events stored in multiple logs on multiple computers. Events that occur on one computer are sent to another computer where they are saved and can be viewed. Attach a task to an event or a log to receive notification or take other actions when an event is logged.

Objective(s):


Reference(s):


[ms646-302 #56]


As you monitor the application, you'd like to be able to do the following:

� View all events related to the application from a single log. � View only the events related to the application and no others. � View the necessary events with minimal future configuration. � Save the Event Viewer configuration so that you can easily export and import the solution to other servers

that will be running the application.

What should you do?


nmlkj Create a filter on the Application and Security logs

nmlkji Create a custom view

nmlkj Attach a task to the event IDs generated by the application

You are the server administrator for the westsim.com domain. You have recently implemented a remote access solution using a single server configured as a RADIUS server and four additional servers configured as remote access servers and RADIUS clients.

Page 12 of 40

Explanation:

You will need to enable both accounting and authentication logging. Accounting logging tracks information about users sessions, and authentication logging records the actual authentication requests and responses.

To save the data directly to a SQL server, use SQL server logging. Use local file logging to save the log entries on the RAIUS server. Use the database-compatible log format with local logging if you will import the log into a database.

Objective(s):


Reference(s):


[ms646-303 #119]

You want to be able to track remote access use on your servers. You need to configure logging to meet the following requirements:

� You need to gather information about user sessions, including the start and stop time of a user session. � You want to view information about the logon requests sent by remote access clients, along with the

RADIUS server's reply to those requests. � Log entries will be saved directly to a SQL server database.


gfedc Enable logging for accounting requests.

gfedcb Enable logging for accounting and authentication requests.

gfedc Configure local file logging with the database-compatible log format.

gfedc Configure local file logging with IAS formatted log format.

gfedcb Configure SQL server logging.

gfedc Enable logging for authentication requests.





Srv12.


gfedc Routing


Page 13 of 40

Explanation:




Objective(s):


Reference(s):


[ms646-103 #110]

Explanation:






You have configured both Srv1 and Srv2 as terminal services by installing the Terminal Server role service. You have configured several applications on both servers that are available for clients to run.

Members of the Sales team need to be able to run these applications while they are traveling. You need to enable access to Srv1 and Srv2 on your private network from the Internet. Your solution should meet the following requirements:

� Users should be able to connect to either Srv1 or Srv2 through an Internet connection. � Only members of the Sales team are allowed to connect remotely. � Only ports 80 and 443 are allowed opened in your external firewall.

If necessary, you can use Srv3 for your solution.

What should you do?

nmlkj Install the Terminal Server and TS Web Access role services on Srv3.

nmlkj Install the TS Session Broker role service on Srv3.

nmlkji Install the TS Gateway role service on Srv3.

nmlkj Install the Web Server (IIS) role service on Srv3.

Page 14 of 40

Install the TS Gateway role service on Srv3. Terminal Services Gateway (TS Gateway) is a role service that allows users with the Remote Desktop client and an Internet connection to connect to computers on an internal network. TS Gateway encrypts the Remote Desktop Protocol (RDP) data using SSL over HTTP through port 443.

Use the TS Session Broker role service to create a terminal server farm for load balancing. Use the TS Web Access role service to allow clients to connect to a terminal server through a Web page. However, if you were to add the TS Web Access role service to Srv3, then users would only be able to access Terminal Services running on Srv3. TS Web Access by itself cannot redirect incoming requests to other terminal servers.

Objective(s):


Reference(s):


[ms646-401 #32]

Explanation:

Make the user a member of the DHCP Administrators group to allow the user to manage all DHCP servers in the domain. Because you only have a single DHCP server, this would effectively limit the user to managing only DHCP on the one server. The DHCP Administrators group cannot authorize servers in Active Directory.

Members of the Domain Admins group can authorize servers in Active Directory, but also get additional permissions throughout the domain. Adding the user to the built-in Administrators group in Active Directory gives the user the ability to manage all domain controllers in the domain. Use the Delegation of Control wizard to assign permissions to Active Directory objects. You would typically run this on an OU to delegate permissions to objects within the OU.

Objective(s):


Reference(s):


[ms646-202 #58]

You are the administrator for the westsim.com domain. You currently have a single DHCP server that is running on a domain controller.

You want to delegate user MSmith to manage the DHCP server. She should be able to create scopes and modify server settings, but not authorize the server in Active Directory. You want to assign the least amount of permissions as possible.

What should you do?

nmlkj Make MSmith a member of the Domain Admins group.


nmlkji Make MSmith a member of the DHCP Administrators group.

nmlkj Make MSmith a member of the Administrators built-in group.

Page 15 of 40

Explanation:

Use the Windows System Image Manager (Windows SIM) to create and edit answer files. Windows SIM is included in the Windows Automated Installation Kit (WAIK). To create the answer file, run Windows SIM and load an install image. After loading the image, select and edit the responses to the questions presented during product installation.

Use Setup Manager to create an answer file for Windows 2003 installations. Use ImageX to create custom install images that can be used with Windows Deployment Services (WDS) to install Windows Server 2008. Use the Windows Deployment Services console to manage images used with WDS installations. An answer file can be used with or without WDS.

Objective(s):


Reference(s):


[ms646-102 #84]

You are the server administrator for your company. Due to a recent expansion, you will be opening a new office in Phoenix.

The new office will have 20 new servers, all running Windows Server 2008. You would like to use an answer file to automate the installation process.

What tool should you use to create the Autoattend.xml file?

nmlkj System Center Configuration Manager

nmlkj Setup Manager

nmlkji Windows System Image Manager (Windows SIM)

nmlkj ImageX

nmlkj Windows Deployment Services console

You manage the remote access solution for your network. Currently you have two remote access servers, RA1 and RA2, with an additional server, RA3, configured as a RADIUS server.

You need to configure RA1 and RA2 to forward authentication requests to RA3.

What should you do?

nmlkjOn RA1 and RA2, run the Network Policy Server. Create a network access policy and specify RA3 as the MS-RAS Vendor.

nmlkj On RA1 and RA2, run the Network Policy Server. Add RA3 as a RADIUS server.

nmlkjiOn RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication.

nmlkjOn RA1 and RA2, run the Network Policy Server. Create a Remote RADIUS server group, identifying RA3 as the only member.

Page 16 of 40

Explanation:

When using a RADIUS solution, you must configure each remote access server as a RADIUS client. To do this, run the Routing and Remote Access console. Edit the properties of the server and configure it to use the RADIUS server for authentication. Authentication requests are forwarded to the RADIUS server.

Configure network access policies on the RADIUS server. On the RADIUS server, run the Network Policy Server console and identify each remote access server as a RADIUS client. Configure a Remote RADIUS Server group on a RADIUS proxy.

Objective(s):


Reference(s):


[ms646-303 #160]

Explanation:




Objective(s):





What should you do?





Page 17 of 40

Reference(s):


[ms646-202 #50]

Explanation:

Enable logging for accounting requests to include the start or stop of a user session as well as server ready or offline messages. Enable logging for authentication requests to capture the actual logon requests that are submitted by remote access users. Enable logging for periodic status information to gather server status information.

To save log files locally, enable local file logging. When using a database application to analyze the logs, use the database-compatible log format. With local logging, log files are saved locally and must be imported to the database server. Use SQL server logging to save log entries directly to the server. With SQL server logging, log entries are not saved on the RADIUS server.

Objective(s):


Reference(s):


[ms646-303 #109]

You are the server administrator for the westsim.com domain. You have recently implemented a remote access solution using a single server configured as a RADIUS server and four additional servers configured as remote access servers and RADIUS clients.

You want to be able to track remote access use on your servers. You need to configure logging to meet the following requirements:

� You need to gather information about user sessions, including the start and stop time of a user session. � Log entries will be saved to the local RADIUS server. � Log entries will be imported to a SQL Server where they can be analyzed.


gfedc Use SQL server logging.

gfedc Enable logging for periodic status information.

gfedcb Enable logging for accounting requests.

gfedcb Use local file logging with the database-compatible log format.

gfedc Use local file logging with IAS formatted log format.

gfedc Enable logging for authentication requests.



Page 18 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-201 #32]

Explanation:


What should you do?





You manage the network infrastructure for the westsim.com domain. All servers have recently been upgraded to Windows Server 2008, and all clients run Windows XP Professional. All server and client computers are members of the domain.

You have previously configured a DFS solution with a domain-based DFS root. Srv1 hosts the DFS root, and the namespace is named Sales. A single folder named Contacts in the DFS root points to the SalesSF shared folder on Srv3.

You would like to provide redundancy so that the data in the Contacts shared folder will still be available even if Srv1 goes down. You want to use Srv4 to provide the redundancy.

What should you do?

nmlkj Share a folder on Srv4. Create a new folder in DFS, using the new folder on Srv4 as the target.

nmlkji Add Srv4 as a namespace server.

nmlkj Share a folder on Srv4. Add this folder as a target to the Contacts folder. Configure DFS replication.

nmlkj Configure Srv4 as a cluster server to Srv3.

Page 19 of 40

To add redundancy to the DFS root, configure additional namespace servers. Each namespace server holds information about the DFS structure. Only domain-based DFS roots can have multiple namespace servers. Users connect to the namespace using the domain name in the UNC path. Active Directory automatically directs the users to the closest namespace server.


Objective(s):


Reference(s):


[ms646-105-402 #77]

Explanation:

To remove permissions assigned through the Delegation of Control wizard, edit the ACL for the Active Directory object and modify the permissions. Alternatively, you could remove the user or group from the ACL, then re-run the wizard to assign the new permissions.

You cannot modify existing permissions by using the wizard. If you run the wizard again, the new permissions will be added to the existing permissions. Permissions assigned for an OU to a user or a group are cumulative; permissions assigned to the group are added to permissions assigned to the user.

Run the Dsacls command with the /resetDefaultDACL switch to reset permissions on an object. This removes all permissions to the object for all users, except for the default permissions.

Objective(s):


Reference(s):


You are the administrator for the westsim.com domain. Organizational units (OUs) have been created for each department, with all user accounts being moved into their departmental OUs.

Previously, you used the Delegation of Control wizard to assign permissions to a user to change passwords and manage user accounts in the Marketing OU. Now you need to remove some of the permissions assigned to that user for objects in the OU.

What should you do?

nmlkjAdd the user to a group. Run the Delegation of Control wizard for the OU, assigning the necessary permissions to the group.

nmlkji Edit the ACL for the OU and remove the unnecessary permissions.

nmlkj Re-run the Delegation of Control wizard, specifying only the necessary permissions.

nmlkj Run Dsacls with the /resetDefaultDACL switch.

Page 20 of 40

[ms646-202 #34]

Explanation:

To support multiple namespace servers, configure a domain-based DFS root. A stand-alone root supports only a single namespace server. To support replication of the Graphics shared folder, configure FRS replication. You cannot use DFS replication because DFS replication cannot be used on Windows 2000/2003 R1.

Objective(s):


Reference(s):


[ms646-105-402 #23]

You want to create a DFS namespace to provide a single point of access for shared folders for the Marketing department.

The following table shows the servers that will participate in the DFS structure.

Currently, only Srv1 will be a namespace server, but you would like to add additional namespace servers as the solution becomes implemented.

Which of the following will be part of your implementation? (Select two. Each choice is a required part of the solution.)

Server Operating System Role

Srv1 Windows Server 2008Domain controller Namespace server hosting the namespace root

Srv2 Windows Server 2008 Holds the Graphics shared folder

Srv2 Windows Server 2003 R1 Holds a copy of the Graphics shared folder

Srv3 Windows Server 2008 Holds the Offers shared folder

gfedc Create a stand-alone namespace

gfedc Configure DFS replication

gfedcb Configure FRS replication

gfedcb Create a domain-based namespace







None

Page 21 of 40

Explanation:











Reference(s):


[ms646-303 #176]


Dialup connection



None




None






What should you do?

Page 22 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-401 #84]

Explanation:













nmlkj Round-robin

nmlkj Failover

Page 23 of 40



Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #55]

Explanation:

Use a performance counter alert to configure triggers that take an action when a counter reaches a threshold value. Alerts monitor a system performance statistic, such as processor time or disk space.

Use an event trace data collector in Performance Monitor to capture events logged by software processes. Attach a task to an event or a log to receive notification or take other actions when an event is logged.


Objective(s):


Reference(s):


[ms646-302 #64]

You are the server manager for the westsim.com domain. You are concerned about the disk space use on a Windows Server 2008 file server named FS5.

You would like to be notified by e-mail when the disk space usage exceeds 85%.

What should you do?



nmlkj Attach a task to the System log

nmlkji Configure a performance counter alert

You are the network administrator for a network with a single Active Directory domain. All computer and user

Page 24 of 40

Explanation:

To ask "what if" questions about the result of Group Policy, run the Group Policy Modeling wizard. Because you are interested in results for computers and users in the Dallas site, select a computer and user in the Dallas OU. You will also need to select to include slow link processing in the results.

Running Group Policy Results shows the current settings as they would be applied under the current conditions. It is possible that at the time the wizard runs, the link will not be slow, so the effective results at this time might not match the results if the link were slow. Choosing your computer and user account would show Group Policy settings for you, but not for Dallas users or computers.

Objective(s):


Reference(s):


[ms646-203 #15]

You are the network administrator for a network with a single Active Directory domain. All computer and user accounts are divided into OUs named for each location.

The Dallas office has five users and no domain controllers. The location is connected to headquarters with a WAN link.

You are planning to implement several Group Policy settings including software deployment and logon scripts. You want to be able to see what Group Policy settings would be applied if the WAN link were operating at 256 Kbps.

What should you do?

nmlkj Run the Group Policy Results wizard. Select your computer and user account.

nmlkj Run the Group Policy Results wizard. Select a computer and user account in the Dallas OU.

nmlkji Run the Group Policy Modeling wizard. Select a computer and user account in the Dallas OU.

nmlkj Run the Group Policy Modeling wizard. Select your computer and user account.


Your company has developed a custom application that runs in four instances on Srv6. You want to divide the processor and the memory resources evenly between the four instances of the application.

You decide to use the Windows System Resource Manager (WSRM). You want to implement a solution as easily as possible.


gfedcEdit the Equal_Per_Process policy to apply only to the application. Modify the policy to include memory allocation.

gfedc Edit the Equal_Per_Process policy to apply only to the application.

gfedc Make the policy the profiling policy.

gfedcb Create a custom policy that applies only to the application and allocates processor and memory resources.

gfedcb Make the policy the managing policy.

Page 25 of 40

Explanation:

You will need to create a custom policy to specify the application and to add memory resources to be managed. To enforce the policy settings, make the policy the managing policy.

The default Equal_Per_Process policy applies to all processes and allocates only CPU use between all processes evenly. You cannot edit the default policies. Make a policy the profiling policy to gather statistics about processes but not enforce resource limits.

Objective(s):


Reference(s):


[ms646-401 #92]

Explanation:



Objective(s):


Reference(s):




What should you do?





Page 26 of 40


[ms646-503 #107]

Explanation:




Objective(s):


Reference(s):


[ms646-203 #102]











You are the server manager for the westsim.com domain. You have previously installed Windows Server 2008 on two new servers, ServerA and ServerB. You configure both servers with BitLocker. Both servers have a TPM installed.

Page 27 of 40

Explanation:

To access an encrypted volume when the drive is moved to another computer, use the recovery key that was created on the original computer (in this case ServerA).

The startup key is used to prevent system startup when the startup key is not present. To boot ServerB, use the startup key for ServerB. The startup key for ServerA can only be used to boot ServerA, and cannot be used for volume recovery.

Objective(s):


Reference(s):


[ms646-101 #125]

Because of a hardware failure, ServerA will not boot. You need to access the data on the drive where BitLocker was enabled as quickly as possible.

What should you do?

nmlkjiMove the hard disk from ServerA to ServerB. Use the recovery key from ServerA to gain access to the encrypted volume.

nmlkjMove the hard disk from ServerA to ServerB. Use the recovery key from ServerB to gain access to the encrypted volume.

nmlkjMove the hard disk from ServerA to ServerB. Insert the USB drive containing the startup key from ServerA and reboot ServerB.

nmlkjMove the hard disk from ServerA to ServerB. Insert the USB drive containing the startup key from ServerB and reboot ServerB.

You manage a network with two locations: San Jose and Oakland. The two networks are connected with a WAN link, and each site has its own Internet connection. Srv1 is in San Jose, and Srv2 is in Oakland.

You decide to implement a WSUS solution using Srv1 and Srv2 as WSUS servers. Your solution should meet the following requirements:

� Client computers should contact the WSUS server in their site for a list of approvals and download the updates from the WSUS server in their site.

� All updates for both sites are approved from Srv1. � You must minimize traffic on the WAN link between the two sites.

You have completed the configuration of the WSUS server in the San Jose location. How should you configure Srv2 in Oakland to meet the design requirements?

nmlkjConfigure Srv2 to synchronize with Srv1 and operate in autonomous mode. Configure the server to not store updates locally.

nmlkjiConfigure Srv2 to synchronize with Srv1 as a replica of Srv1. Configure the server to store updates locally, and to download updates from Microsoft Update.

nmlkj Configure Srv2 to synchronize with Microsoft Update and to store files locally.

nmlkjConfigure Srv2 to synchronize with Srv1 as a replica of Srv1. Configure the server to store updates locally, and to download updates from Srv1.

Page 28 of 40

Explanation:

Configure Srv2 as follows:

� To manage the approved updates only from Srv1, configure Srv2 to synchronize with Srv1. Make Srv2 a replica of Srv1 to force Srv2 to use the same approval list. When Srv2 is a replica, you cannot approve updates on Srv2.

� To have client computers download updates from the WSUS server (and not the Microsoft Update website), store updates locally on the WSUS server.

� To minimize WAN link traffic, configure Srv2 to download the update files from Microsoft Update (and not Srv1) by selecting the Download files from Microsoft Update; do not download from upstream server option. If this option was not selected, Srv2 would download update files from Srv1 across the WAN link.

Objective(s):


Reference(s):


[ms646-301 #7]

Explanation:

Add the ISAPI Filters role service. An ISAPI filter is a program that continually runs on the Web server. The program examines or filters every request, looking for a request that it needs to process. When it finds a request that meets its filter criteria, it takes the specified action.

An ISAPI extension is a program that is associated with a file extension. When a Web page is requested with that extension, the program loads and executes. One difference between ISAPI filters and ISAPI extensions is that with filters, the program is constantly running, while with extensions, the program loads only when the Web page is requested.

Add ASP support to run Web pages build with active server pages using server side scripts. Add CGI support to support programs written using the CGI protocol that defines how the Web server passes information to an external program.

Add the Server Side Includes role service to support SSI scripts embedded in a Web document. Documents with include

You are planning the deployment of a new Windows Server 2008 server. The server will have the Application Server role installed with the Web Server (IIS) Support role service.

The Web server must support an application that runs constantly examining the URL submitted. When a URL from an authenticated user is submitted, the application will modify the URL to redirect the user to a different Web page based on user preferences.

Which role service would you add?

nmlkj CGI

nmlkji ISAPI Filters

nmlkj Server Side Includes

nmlkj ISAPI Extensions

nmlkj ASP

Page 29 of 40

statements are saved with the .shtml or .shtm extension. The Web server parses the Web page and executes the script embedded in the document before sending the document to the client.

Objective(s):


Reference(s):


[ms646-104 #110]

Explanation:

Boot a domain controller into Directory services restore mode and perform a nonauthoritative restore. Then run Ntdsutil and mark the Accounting OU as authoritative. All Directory Services restorations are nonauthoritative to begin with. After performing the nonauthoritative restore and before you reboot normally, you need to mark the necessary objects as authoritative, thus increasing their version number to ensure that these objects will be restored to all domain controllers.

Do not mark the entire restore as authoritative or you will lose any changes to Active Directory since your backup. You cannot selectively restore Active Directory objects during the restore.

Objective(s):


Reference(s):


[ms646-503 #49]

You are the network administrator for a network with a single Active Directory parent domain and two child domains. All domains controllers are running Windows Server 2008. You are responsible for disaster recovery across the entire network. You decide to use Windows Server Backup. You schedule full server backups to be taken every night, along with a system state backup an hour later.

On Friday morning, you are creating new users in the Accounting OU when you receive an error stating that the user cannot be created because the context could not be found. After some investigation you find that a co-worker has deleted the OU and the change has replicated to all domain controllers. You want to restore the latest version of the OU without affecting the rest of Active Directory.

What should you do?

nmlkjBoot a domain controller into Directory services restore mode. Perform a nonauthoritative restore of the Accounting OU.

nmlkjBoot a domain controller into Directory services restore mode. Perform a nonauthoritative restore. Run Ntdsutil and mark the entire restore as authoritative.

nmlkjiBoot a domain controller into Directory services restore mode. Perform a nonauthoritative restore. Run Ntdsutil and mark the Accounting OU as authoritative.

nmlkj Boot a domain controller into Directory services restore mode. Perform a nonauthoritative restore.

nmlkjBoot a domain controller into Directory services restore mode. Perform an authoritative restore of the Accounting OU.

Page 30 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-201 #57]




gfedc TS Gateway

gfedcb Telnet





You are the server manager for the westsim.com domain. Your company is opening a branch office in a neighboring city.

Because the branch office will have only a few users, you will install a single server in the branch office and configure it with a Server Core installation. The server will provide Active Directory Domain Services (AD DS) and file and print services.

You are concerned about the security of the server in the branch office. Specifically, you want to meet the following requirements:

� If the hard disk is removed from the server, none of the Active Directory or user files should be readable. � When the server boots, a PIN must be manually entered at the server console for the boot process to

complete. You will designate two people in the branch office who know this PIN. � If the PIN is not supplied, the server should not boot.


Page 31 of 40

Explanation:

Use BitLocker to encrypt the entire system volume and protect both operating system and user data. Use BitLocker with a Trusted Platform Module (TPM) to require a PIN for system startup to proceed; if the PIN is not entered, the system will not boot. BitLocker prevents the contents of a drive from being read if the hard disk is moved to a different computer.

A TPM is required to use a PIN during system startup. Without a TPM, an encryption key must be present on a USB drive before the system will start. However, in a server environment, using a USB device for the startup key likely means that the USB drive will be kept in the drive, and therefore the USB drive will be stolen if the server is also stolen.

EFS encrypts files based on users, but does not prevent a system from starting if a PIN is not entered. You cannot use Group Policy to require a PIN before the operating system loads; Group Policy is only enforced after Windows loads.

Objective(s):


Reference(s):


[ms646-101 #100]


nmlkjEncrypt the volume with EFS using an encryption key assigned to the server. Configure Group Policy to prevent startup without a PIN.

nmlkj Implement BitLocker without a TPM.

nmlkj Have one of the authorized users encrypt the volume using EFS. Add the second user as an additional user.

nmlkji Implement BitLocker with a TPM.


Srv5 is an application server that runs an application used by the Sales team. You are concerned that this server is a single point of failure--if the server goes down, the application will be unavailable.

You would like to add a second server to provide redundancy. Your solution should meet the following requirements:

� All client requests should be directed to Srv5 if it is available. � If Srv5 goes down, all requests should be directed to the new server. � Both servers should use the same set of data files.

You want to configure Srv10 to provide redundancy for Srv5. Both Srv5 and Srv10 are configured to use DHCP for IP addressing information.


nmlkjConfigure both servers in a Network Load Balancing (NLB) cluster. Configure the Distributed File System (DFS) to replicate data from Srv5 to Srv10.

nmlkjConfigure both servers in a Network Load Balancing (NLB) cluster. Save the application data to a shared folder on a third server, and configure each application server to use the shared folder for the data.

nmlkjConfigure both servers in a Terminal Services server farm. Configure a third server as a TS Session Broker. Configure both servers to use a shared folder on the session broker server for application data.

nmlkjiConfigure both servers in a Failover Clustering cluster. Configure a storage area network for the application data.

Page 32 of 40

Explanation:

Use Failover Clustering to provide failover redundancy for application servers. For this scenario, configure the application as a single-instance application, with Srv5 as the active node and Srv10 as a passive node. If Srv5 fails, the application fails over to Srv10.

You cannot use a Network Load Balancing (NLB) cluster because the servers use DHCP for IP addressing information; NLB requires static IP addresses.


Objective(s):


Reference(s):


[ms646-502 #35]

Explanation:


nmlkji data.




What should you do?





Page 33 of 40


Objective(s):


Reference(s):


[ms646-203 #69]

Explanation:

Configure NTFS permissions to control access to folder targets. For example, grant the Read and Write permissions to allow a user to modify content in a replicated folder.

Delegating permissions in the DFS console designates users who can manage all namespaces, a single namespace, a replication group, or a replication node. You do not delegate permissions to specific folders or folder targets.

Objective(s):


Reference(s):


[ms646-202 #125]



You would like to designate one person in each department who can add, delete, and modify files on the folder targets.

What should you do?

nmlkji Configure NTFS permissions on the folder targets.


nmlkj In the DFS console, delegate management permissions to each replication group.


You are the administrator of a small network with a single Active Directory domain.

Page 34 of 40

Explanation:

Install a standalone root CA on a computer that is not a member of the domain and use Web-based enrollment to issue the certificates.

An enterprise CA is most appropriate for issuing certificates within an organization. However, you cannot use an enterprise CA because it requires Active Directory to issue certificates and you have disconnected it from the domain.

You cannot install a subordinate CA without installing a root CA first.

Objective(s):


Reference(s):


[ms646-103 #200]

You are the administrator of a small network with a single Active Directory domain.

The information produced by your company is very valuable and could devastate your company’s business if leaked to competitors. You want to tighten network security by requiring all network users and computers to use digital certificates.

You decide to create a certification authority (CA) hierarchy that will issue certificates only for your organization. To provide maximum security for the company’s new CA, you choose to host the CA on a computer that is not connected to the corporate domain.

What should you do to set up the new CA?

nmlkj Install a standalone subordinate CA.

nmlkj Install an enterprise subordinate CA.

nmlkji Install a standalone root CA.

nmlkj Install an enterprise root CA.

You have been assigned to design a Distributed File System (DFS) solution for the Sales and Accounting departments. You have identified two servers that you can use:

� Srv1 runs Windows Server 2008 Enterprise edition � Srv2 runs Windows Server 2003 R2 Standard edition

Your solution should meet the following requirements:

� Srv2 will be the namespace server. Srv1 will not be a namespace server. � Folders for both the Sales and Accounting departments will be replicated between both servers. � When connecting to the folder target, users should only see the files and folders that they have sufficient

NTFS permissions to access.

You need to configure the solution with the least amount of effort possible while meeting the requirements. What should you do?

nmlkj Upgrade Srv2 to Windows Server 2008. Create a domain-based namespace in Windows 2000 mode.

Page 35 of 40

Explanation:

Create a domain-based namespace in Windows 2008 mode. To filter the list of files that users see when accessing the shared folders, you will need to use access-based enumeration. Windows 2008 mode is necessary to support access-based enumeration. Servers must be running Windows Server 2003 R2 or Windows Server 2008 to support Windows 2008 mode.

You do not need to upgrade Srv2 to support Windows 2008 mode in DFS.

Objective(s):


Reference(s):


[ms646-105-402 #59]

Explanation:



Objective(s):


nmlkji Create a domain-based namespace in Windows 2008 mode.

nmlkj Create a domain-based namespace in Windows 2000 mode.

nmlkj Create a stand-alone namespace.

nmlkj Upgrade Srv2 to Windows Server 2008. Create a stand-alone namespace.



What should you do?





Page 36 of 40


Reference(s):


[ms646-301 #56]

Explanation:

In this scenario, you will need to restore the Windows Server 2003 installation from a recent backup, then upgrade the server to Windows Server 2008 Standard edition. Alternatively, you could install Windows Server 2008 as a new installation, but the current configuration settings would be lost. If you perform an upgrade to Windows Server 2008, you cannot uninstall Server 2008 following the upgrade to revert back to the previous installation.

You can only roll back an installation of Windows Server 2008 if the installation has not completed successfully and you have not logged on. After you use the installation, you cannot revert back to the previous installation. You cannot downgrade from one edition to a lower edition; you can only upgrade from a lower edition to a higher one.

Objective(s):


Reference(s):


[ms646-101 #203]

The Srv1 server on your network is currently being used as a file server. Srv1 runs Windows Server 2003 Standard edition. You decide that you want to upgrade Srv1 to Windows Server 2008.

You finish the installation and start running the server under Windows Server 2008. You realize that you installed the Enterprise edition of 2008 when you should have installed the Standard edition.

You need to install Windows Server 2003 Standard edition on the server with the same settings as the server had previously.

What should you do?

nmlkjiRestore the Windows Server 2003 installation from a recent backup. Upgrade the server to Windows Server 2008 Standard edition.

nmlkj Downgrade the current 2008 installation to Windows Server 2008 Standard edition.

nmlkjRoll back the installation of Windows Server 2008. Upgrade the server to Windows Server 2008 Standard edition.

nmlkj Uninstall Windows Server 2008. Upgrade the server to Windows Server 2008 Standard edition.

You manage a single private domain called westsim.private. All DNS servers run Windows Server 2008. Client computers run Windows Vista Business, and are members of the westsim.private domain. Client computers have NetBT disabled, and use only DNS for name resolution.

You have a group of computers that use only NetBIOS names and do not use DNS. Your network does not have a WINS server.

Page 37 of 40

Explanation:

NetBIOS names are single-label names that are not registered in DNS. To enable DNS to resolve single-label names, configure a GlobalNames zone. In the zone, create records to identify each NetBIOS client.

Enable WINS lookups on a zone to forward DNS name requests to a WINS server. In this scenario, your network does not have a WINS server, so enabling WINS lookups on the zone would not allow for name resolution. Creating a special zone called wins.westsim.private does not provide name resolution for NetBIOS hosts. Use a WINS record to identify WINS servers within a zone that has WINS lookup enabled to identify the WINS servers to which requests are forwarded.

Objective(s):


Reference(s):


[ms646-103 #37]

Explanation:

You need to enable all Vista client computers to resolve host names for the NetBIOS computers.

What should you do?

nmlkjCreate the wins.westsim.private zone with dynamic updates enabled on the zone. Add wins.westsim.private to the search suffix for each Vista client.

nmlkj Add a WINS record in the westsim.private zone for each NetBIOS client.

nmlkji Configure a GlobalNames zone. Create records in the zone for all NetBIOS computers.

nmlkj Enable WINS lookups on the westsim.private zone.

You are the server administrator for the westsim.com domain. Client computers run Windows Vista Business. All servers run Windows Server 2008.

You have a server named FS12 that holds a shared folder named Reports. Within this folder, subfolders have been created for each company department. All company employees have Read access to the shared folder.

The Board of Directors use a subfolder in the shared folder named BoardReports for their reports. They would like this subfolder to only be visible to members of the Board of Directors and specific people that they authorize to see the folder and its contents.

What should you do?

nmlkjAdd the File Server Resource Manager (FSRM) role service to FS12. Configure file screens on the BoardReports folder.

nmlkjiEnable access-based enumeration on the shared folder. Configure NTFS permissions on the BoardReports folder to control access.

nmlkjAdd the Windows Search Service role service to FS12. Enable indexing on the Reports folder; disable indexing on the BoardReports folder.

nmlkj Share the BoardReports folder. Configure share and NTFS permissions on the new shared folder.

Page 38 of 40

Enable access-based enumeration on the shared folder. Access-based enumeration filters the files and folders within the share and only shows those items that the user has NTFS permissions to access. Configure NTFS permissions on the contents of the shared folder to remove the Read permission from Everyone or the Users group so that users without explicit access will not see the subfolder.

Sharing the subfolder as a new share will not prevent the folder from being visible within the Reports share. Use file screens to prevent the type of files that can be saved in a folder. Use the Windows Search Service to allow client computers to perform fast file searches on the server.

Objective(s):


Reference(s):


[ms646-105-402 #267]

Explanation:

To create a backup of Active Directory, create a system state backup. A system state backup must be run from the command prompt using the wbadmin command. The only way to schedule a system state backup is to create a scheduled task that runs the command. The backup can only be saved to a local drive, not to a shared folder or a disc. To take the backup to a different location, use removable hard disks.

Objective(s):


Reference(s):


[ms646-503 #66]

You have just installed a new domain on a new domain controller running Windows Server 2008.

You would like to use Windows Server Backup to back up Active Directory. You would like to perform the backup so that you can restore the domain controller if the domain controller is able to boot but when Active Directory is corrupt.

You want the backup to run once a day. You want to take the backup medium and put it in a safe in an offsite location.


gfedc Run the Windows Server Backup console. Create a schedule to take a critical volumes backup.

gfedc Run the Windows Server Backup console. Create a schedule to take a system state backup.

gfedcb Create a scheduled task to run wbadmin start systemstatebackup.


gfedc Save the backup to a DVD disc.

Page 39 of 40

Explanation:

Configure NTFS permissions to control access to folder targets. For example, grant the Read and Write permissions to allow a user to modify content in a replicated folder.

Delegating permissions in the DFS console designates users who can manage all namespaces, a single namespace, a replication group, or a replication node. You do not delegate permissions to specific folders or folder targets.

Objective(s):


Reference(s):


[ms646-202 #125]

Explanation:




You would like to designate one person in each department who can add, delete, and modify files on the folder targets.

What should you do?


nmlkj In the DFS console, delegate management permissions to each replication group.


nmlkji Configure NTFS permissions on the folder targets.




nmlkj Oclist



nmlkj Winrs -list

Page 1 of 39


Objective(s):


Reference(s):


[ms646-201 #16]

Explanation:




Objective(s):






Srv12.






gfedc Routing


Page 2 of 39

Reference(s):


[ms646-103 #110]

Explanation:

To track when the system shuts down, audit successful system events. System events auditing tracks system shutdown, restart, or the starting of system services. It also tracks events that affect security or the security log.

To configure auditing, create a GPO and link it to the domain or OU. In this example, to audit member servers, link the GPO to the domain. By default, member servers are in the Computers container. However, you cannot link a GPO to this container. A better solution would be to create an OU with only the member servers, and then link the GPO to that OU. Linking the GPO to the domain means that system events will be audited on all computers in the domain.

You do not need to audit failed events because you are only interested in when the system actually shuts down, not when someone tried to shut it down but was unsuccessful.

Account management auditing tracks changes to user accounts. Directory service access auditing tracks changes to Active Directory objects.

Objective(s):


Reference(s):


[ms646-303 #51]

You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down.

You would like to use auditing to track who performs these actions. You want to only monitor the necessary events and no others.


gfedc Audit failed system events.

gfedc Audit failed account management events.

gfedc Audit successful account management events.

gfedc Create a GPO to configure auditing. Link the GPO to the Computers container.

gfedcb Audit successful system events.

gfedcb Create a GPO to configure auditing. Link the GPO to the domain.


You have previously installed the Terminal Server role with the Terminal Server role service on TS-Srv1 and configured several applications for clients to run.

Page 3 of 39

Explanation:

Use the TS Session Broker role service to provide load balancing for terminal servers. The session broker directs client requests evenly between the servers in the server farm. If a user has an existing session, the connection is redirected to the server where the session resides.

When configuring a terminal server farm, configure either DNS round robin or Network Load Balancing (NLB) to point to the server farm. Client computers use DNS or NLB to locate the server farm for the initial connection. Following the initial connection, the TS Session Broker redirects the connection to a specific terminal server. When configuring DNS round robin, configure multiple host (A) records using the server farm name as the host name and the IP address of the terminal servers for the IP addresses.

Using NLB for the initial client connection to the server farm is a possible solution, but using NLB or failover clustering by themselves will not allow users with existing sessions to reconnect to the server where the session is active. Using NLB or failover clustering could result in users with active sessions being directed to the terminal server without the active session, thereby creating a new session instead of reconnecting to the existing session. You must use TS Session Broker to provide this functionality.

Objective(s):


Reference(s):


[ms646-401 #24]

Because of recent growth, TS-Srv1 is beginning to reach its maximum capacity. You would like to add a second terminal server named TS-Srv2 and configure it with the same applications that are running on TS-Srv1. Your solution must meet the following requirements:

� New client connections should be evenly distributed between TS-Srv1 and TS-Srv2. � If a client disconnects and reconnects, the client should be reconnected to the same session if it is still

active.

In addition to TS-Srv1 and TS-Srv2, you can also use Srv3 for your solution if necessary.

What should you do?

nmlkj Install Failover Clustering on TS-Srv1 and TS-Srv2. Create a cluster and add both servers to the cluster.

nmlkjOn Srv3, install the Terminal Services role with the TS Gateway role service. Configure TS RAPs to allow access to TS-Srv1 and TS-Srv2.

nmlkjInstall Network Load Balancing (NLB) on TS-Srv1 and TS-Srv2. Create a cluster and add both servers to the cluster.

nmlkjiOn Srv3, install the Terminal Services role with the TS Session Broker role service. Configure DSN round robin and make TS-Srv1 and TS-Srv2 members of the terminal server farm.

You are an administrator for a large corporation. Your department uses a single domain within the company’s multi-tree forest.

Your department uses the entire building and is the only domain on the local subnet. You have a T3 connection to corporate headquarters. There is a Global Catalog server onsite.

Because your department handles extremely sensitive information, a decision has been made to require the use of

Page 4 of 39

Explanation:

Because it is the only CA on the network, your CA must be a root CA. Because it will be used for smart card logon, it must be integrated with Active Directory (i.e., it must be an enterprise CA).

Using a standalone root CA or a standalone subordinate CA would not allow smart card logon, the principal purpose of the certificate server. To implement an enterprise subordinate CA, there would need to already be an enterprise root CA in place, which there is not. Using a third-party CA for smart card logon won’t work and would be far too expensive even if it did.

Objective(s):


Reference(s):


[ms646-103 #208]

Explanation:

Because your department handles extremely sensitive information, a decision has been made to require the use of smart cards within the domain. Your job is to modify the existing Windows infrastructure to require the use of smart cards for logon. You will need to provide certificate services for smart card logon as well as for EFS, but you will not need certificates for any other purposes.

What kind of certificate authority should you use?

nmlkj Implement a standalone subordinate CA.

nmlkj Implement a standalone root CA.

nmlkji Implement an enterprise root CA.

nmlkj Implement an enterprise subordinate CA.

nmlkj Use a third-party CA to issue certificates.

You are the computer and server administrator for the westsim.com domain. In Active Directory, organizational units (OUs) have been created for each department. User and computer accounts have been moved into the departmental OUs. All domain controllers are in the Domain Controllers OU, and all servers for the company are in the Servers OU.

You create a GPO that restricts access to the Control Panel. You want this GPO to apply to all client computers. The GPO should not apply to any servers.


gfedcb Link the GPO to the domain.

gfedc Link the GPO to the Domain Controllers and the Servers OUs.


gfedc Link the GPO to the Computers container.

gfedcbBlock inheritance on the Domain Controllers and the Servers OUs. Enforce any other GPOs linked to the domain.

Page 5 of 39

Because client computers are in different OUs, you will need to link the GPO to the domain, or link the GPO to each departmental OU. If you link the GPO to the domain, you need to configure a way to prevent the GPO settings from applying to servers. In this scenario, you can block inheritance on the Domain Controllers and the Servers OUs. However, doing so also blocks any other GPOs linked to the domain (including the default domain policy). To make sure that these settings are still applied, enforce the other GPOs linked to the domain.

Linking the GPO to the Domain Controllers and the Servers OUs would apply the settings to servers and not client computers. You cannot link a GPO to the Computers container because it is not an OU. Use loopback processing to reapply computer settings in a GPO after the user settings have been applied.

Objective(s):


Reference(s):


[ms646-203 #146]

Explanation:

To use a GUI tool to manage services on a Server Core installation, you will need to run the MMC console from a remote computer and connect to the Server Core installation. Add the Remote Server Administration Tools (RSAT) tools on a Windows Vista or 2008 computer to install the preconfigured consoles on a computer that does not already have those consoles installed. To allow those tools to connect to the Server Core installation, enable the Remote Administration exception in the Windows firewall.

You cannot install PowerShell or the Terminal Server role on a Server Core installation. Run Winrm quickconfig to enable remote administration using the Windows Remote Shell. Run Winrs on the remote computer to execute commands. Windows Remote Shell is a command prompt remote administration solution.

Objective(s):


Reference(s):



Srv7 has a Server Core installation of Windows Server 2008.

You would like to use MMC consoles to manage the services running on Srv7.


gfedcb Enable the Remote Administration exception in the Windows firewall on Srv7.

gfedc Run Winrm quickconfig on Srv7.

gfedcb Install the Remote Server Administration Tools (RSAT) tools on a Windows Vista or 2008 computer.

gfedc Install the Terminal Server role on Srv7 and configure TS RemoteApp.

gfedc Add PowerShell to Srv7.

Page 6 of 39

[ms646-201 #40]

Explanation:

The only solution that allows for file access while disconnected from the network is to configure Offline Files. When network files are made available offline, the network versions of files and folders are copied to the local hard disk. When users are not connected to the network, they have access to the offline versions of the files and folders as though they were connected to the network. When they reconnect to the network, the stored files and folders are synchronized with the network versions of the files.

DFS would provide access from the main office and the branch office, but not while disconnected from the network. When using DFS, use DFS replication to minimize replication traffic. Configuring a remote access server would require that users connect to the network as well.

Objective(s):


Reference(s):


[ms646-105-402 #233]

You manage a network with a main office and one branch office. The branch office is connected to the main office with a WAN link.

In the main office, the FS5 server has a shared folder named Reports that is available to the members of the Management team. This server is running Windows Server 2008.

Managers have laptops that they use while traveling. You need to configure the Reports shared folder to meet the following requirements:

� Managers need to be able to view all files in the shared folder, whether they are in the main office, in the branch office, or while traveling disconnected from the network.

� Any changes that Managers make to documents must be synchronized with the documents in the shared folder.

� Traffic on the WAN link between the main office and the branch office must be minimized.

What should you do?

nmlkjConfigure the Distributed File System (DFS) on FS5 and a server in the branch office. Add the Reports folder as a target on both servers. Use DFS replication.

nmlkji Enable caching of offline files on the Reports folder.

nmlkjConfigure the Distributed File System (DFS) on FS5 and a server in the branch office. Add the Reports folder as a target on both servers. Use FRS replication.

nmlkjConfigure a remote access server in the main office. Add the Routing service and allow access to FS5 through the remote access connection.


You define a password and account lockout policy for the domain. However, members of the Directors OU want to

Page 7 of 39

Explanation:





Objective(s):


Reference(s):


[ms646-303 #23]







Several employees in your company have personal laptop computers that they bring to work and connect to the company network. Because they often use these laptops while traveling or to help them do their jobs, you can't prevent them from connecting to the network. However, you are concerned that many of these computers don't have the latest security patches installed.

You want to implement a solution so that computers are checked for the latest security updates as they connect to the network. If the required updates are missing, you want to prevent these computers from having full access to the private network.

What should you do?

nmlkj Configure Windows Server Update Services (WSUS) with Automatic Updates.

nmlkji Implement Network Access Protection (NAP) with a quarantine network.

nmlkj Configure Software Restriction Policies in Group Policy.

nmlkj Configure a Software Installation policy in Group Policy.

Page 8 of 39

Explanation:

Use Network Access Protection (NAP) to regulate network access or communication based on a computer's compliance with health requirement policies. When you configure NAP, you define health requirements, such as the presence of security updates or antivirus software, that must be met before a full connection to the network is allowed. For computers that are not compliant with the health requirements, you can create a limited access quarantine network. This network can contain servers and other resources that the computer can use to become compliant.

Use Windows Server Update Services (WSUS) to approve product updates for client computers. While you can use WSUS to make sure that all computers have the latest patches installed, you cannot use WSUS to deny access to the network. Use a Software Installation policy to make software automatically available to computers or users. Use a Software Restriction policy to prevent running specific software.

Objective(s):


Reference(s):


[ms646-103 #7]

Explanation:

Members of the Administrators local group can manage all aspects of the server, including managing all services running on the server, sharing folders, installing devices, and formatting the hard disk.

If the server is a domain controller, use the Server Operators built-in group in Active Directory to enable these same management tasks. Use the Administrators built-in group in Active Directory to designate a domain controller administrator. For both groups, adding a user gives the user the rights on all domain controllers in the domain.

With Windows Server 2008, the Power Users group still exists, but has no more permissions than the Users group has. Power Users cannot create shared folders.

Objective(s):


You are the administrator for the westsim.com domain. You have just installed a new file server named FS7 on a domain member server.

You want to delegate authority to another administrator so she can manage the FS7 server. She needs to be able to log on and log off, shut down the server, and share folders on the server. You want to assign the least amount of permissions as possible.

What should you do?

nmlkj Make the user a member of the Administrators built-in group in Active Directory.

nmlkj Make the user a member of the Power Users local group on the server.

nmlkji Make the user a member of the Administrators local group on the server.

nmlkj Make the user a member of the Server Operators built-in group in Active Directory.

Page 9 of 39

Reference(s):


[ms646-202 #157]

Explanation:

To allow a user to manage a single GPO, add the user to the Delegation tab for the GPO in the Group Policy Management console.

Adding the user to the Delegation tab on the Group Policy Objects container lets them manage settings in all GPOs. Making the user a member of the Group Policy Creator Owners group, does the same thing. With the Delegation of Control wizard, you can delegate permissions so the user can manage GPO links on an OU. Permissions granted in this way do not allow the user to edit GPO settings.

Objective(s):


Reference(s):


[ms646-202 #100]


You have created a GPO named AccountingGPO and linked it to the Accounting OU. You want to give John Parker the ability to edit the settings in only that GPO. You want to assign the least amount of permissions as possible.

What should you do?

nmlkji In the Group Policy Management console, add the user to the Delegation tab for the GPO.

nmlkj Make the user a member of the Group Policy Creator Owners group.


nmlkjIn the Group Policy Management console, add the user to the Delegation tab on the Group Policy Objects container.

Due to a recent expansion, your company will add a new division at your location. You have been put in charge of installing Windows Server 2008 on about 15 servers.

You decide to use Windows Deployment Services (WDS) to help automate the installation. Your solution needs to accommodate the following:

� You need to install both 32-bit and 64-bit versions of Windows Server 2008. � You will install the Standard and Datacenter editions. � All servers running the Datacenter edition are 64-bit. Servers running the Standard edition are 32-bit or 64-

bit. � Five servers do not have PXE support. � You will only use default install images included with Windows Server 2008; you will not create any custom

install images.

Page 10 of 39

Explanation:

For this scenario, you need three types of images: boot, discover, and install. The boot image is used by the computer for an initial boot and to start the operating system install. The install image contains the operating system images that will be installed. Because some computers are not PXE-capable, you will need to use a discover image. The discover image is used to boot from media (such as a CD or USB drive) instead of performing a network boot.

Capture images are used to create custom install images from a reference computer. You install the operating system on the reference computer and configure it as desired. Then you boot the reference computer using the capture image, and run the wizard to create the custom install image based on the current configuration.

Objective(s):


Reference(s):


[ms646-102 #25]

Explanation:


install images.

Which image types will you use in your deployment?

nmlkj Install only

nmlkj Boot, capture, discover, and install

nmlkji Boot, discover, and install

nmlkj Boot and install

nmlkj Boot, capture, and discover



What should you do?





Page 11 of 39


Objective(s):


Reference(s):


[ms646-301 #56]

Explanation:

To support Active Directory Federation Services (AD FS), you will need the Enterprise or Datacenter editions. The Standard edition or a Server Core installation supports all of the required roles except for AD FS.

Objective(s):


Reference(s):


[ms646-101 #76]

You are preparing to install Windows Server 2008 on a new server. You will use the server for the following server roles:

� DHCP � DNS � Active Directory Directory Services (AD DS) � Active Directory Federation Services (AD FS) � Web Server (IIS)

Which Windows Server 2008 editions and versions can you install on this server?

nmlkji Enterprise or Datacenter editions, not the Server Core installation

nmlkj Standard, Enterprise, or Datacenter editions, not the Server Core installation

nmlkj Enterprise or Datacenter editions, regular and Server Core installations

nmlkj Standard, Enterprise, or Datacenter editions, regular and Server Core installations

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2008 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU.

You are creating a security template that you plan to import into a GPO. You would like to log whenever a user is unable to log on to any computer using a domain user account.

Page 12 of 39

Explanation:

To audit unsuccessful logons:

� Audit the Account Logon event. This event type will be recorded when an account is authenticated against an account database such as Active Directory. In short, Account Logon events are generated where the account lives; in the case of domain accounts this would be domain controllers.

� Audit failed events. � Link the GPO to the Domain Controllers OU. Domain logon uses a domain controller for authentication. Link the

GPO to the Member Servers and the Workstations OUs if you wanted to audit Logon events for every computer.

Objective(s):


Reference(s):


[ms646-303 #41]

unable to log on to any computer using a domain user account.


gfedcb Link the GPO to the Domain Controllers OU.

gfedc Enable the logging of successful Account Logon events.

gfedc Link the GPO to the Member Servers and Workstations OU.

gfedc Enable the logging of failed Logon events.

gfedc Enable the logging of successful Logon events.

gfedcb Enable the logging of failed Account Logon events.






What should you do?





Page 13 of 39

Explanation:







Objective(s):


Reference(s):


[ms646-502 #7]

Explanation:

Configure Srv5 to store updates locally so that clients download updates from Srv5 and not directly from Microsoft Update. Use server-side targeting to configure computer groups on the WSUS server.

You are the server administrator for the westsim.com domain. You manage a network with a main office and a branch office. The branch office is connected to the main office with a WAN link. Both the main office and the branch office have their own Internet connections.



� Updates for both locations will be approved locally. � Traffic on the WAN link between the two sites must be minimized. � Computers will be manually assigned to computer groups in the WSUS console.

How should you configure Srv5? (Select two. Each choice is a required part of the solution.)

gfedcb Configure Srv5 to store updates locally.

gfedcb Enable server-side targeting on Srv5.

gfedc Enable client-side targeting on Srv5.

gfedc Configure Srv5 to not store updates locally.

Page 14 of 39

If updates were not saved locally on Srv5, clients would need to download updates from Microsoft Update through the Internet connection. Use client-side targeting to configure computer groups using Group Policy.

Objective(s):


Reference(s):


[ms646-301 #31]

Explanation:

To allow a user to manage GPO links on an OU, run the Delegation of Control wizard. Users can link and unlink GPOs and block inheritance, but cannot create or edit GPOs.

Members of the Group Policy Creator Owners group can create and edit GPOs. You can also add users or groups to the Delegation tab on the Group Policy Objects container. To allow a user to manage a specific GPO, add the user to the Delegation tab for the GPO in the Group Policy Management console.

Objective(s):


Reference(s):


[ms646-202 #92]


You want to give the TWhite user account the ability to link and unlink GPOs on the Sales OU. You want to assign the least amount of permissions as possible.

What should you do?

nmlkjIn the Group Policy Management console, add TWhite to the Delegation tab on the Group Policy Objects container.

nmlkji Run the Delegation of Control wizard.

nmlkj Make TWhite a member of the Group Policy Creator Owners group.

nmlkjIn the Group Policy Management console, add TWhite to the Delegation tab for the GPO linked to the Sales OU.

You are the administrator of the westsim.com Active Directory domain.

You delegate administration of the Sales OU and Research OU to other administrators. You want to prevent the administrators of those OUs from creating any other Group Policy objects with settings that conflict with those you have configured for the domain.

Page 15 of 39

Explanation:

If you set the Enforced option on Group Policy objects linked to the domain, lower-level OUs will not be able to block the Group Policy object. The Block Inheritance setting causes inherited Group Policy objects to be ignored. However, it cannot block Group Policy objects that have the Enforced option enabled.

Objective(s):


Reference(s):


[ms646-203 #119]

Explanation:

Because the Information Systems OU has users to which the GPO should apply as well as those to which the GPO should not apply, the GPO must be linked to the domain or each individual OU. Linking the GPO to the domain is a simpler solution than linking it to each individual OU, and is the best solution. Then, to prevent the Group Policy object

What should you do?

nmlkjDistribute a Group Policy object to the Sales OU and Research OU that disables the Block Inheritance option.

nmlkj In Group Policy objects linked to the Sales OU and Research OU, set the Enforced option.

nmlkj Enable the Block Inheritance option for the westsim.com domain.

nmlkji In Group Policy objects linked to the westsim.com domain, set the Enforced option.

nmlkj Distribute a Group Policy object to the westsim.com domain that disables the Block Inheritance option.

You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an Organizational Unit object for each major department in the company, including the Information Systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group.


What should you do?






Page 16 of 39

from applying to members of the Domain Admins group, you need to deny that group the Apply Group Policy permission to the GPO. Do not deny the Read permission or Domain Administrators will not be able to edit the GPO.

Objective(s):


Reference(s):


[ms646-203 #128]

Explanation:


Objective(s):


Reference(s):


[ms646-401 #74]













Page 17 of 39

Explanation:




Objective(s):


Reference(s):


[ms646-202 #50]




What should you do?












Page 18 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-302 #15]

Explanation:

Deploy each printer using a Group Policy Object (GPO) linked to an OU that applies to all Accounting users. Deploy the printers using the User Configuration portion of the GPO to add the printer for the user, regardless of which computer they log on to. Deploying the printer to computers adds the printer to the computer, regardless of what user is logged on.

Listing the printer in Active Directory makes the printer name and its characteristics appear in Active Directory. Users can then search Active Directory to find the printer by name or by special features (such as location or color support). The Manage Documents permission allows users to manage all documents in the print queue, such as pausing, reordering, or deleting print jobs. The Manage Printer permission allows users to change printer configuration settings and permissions.

Objective(s):


Reference(s):


Members of the Accounting group use a set of special printers in a locked room for printing all print jobs. Accounting computers use Windows Vista Business.

You want to make sure that these printers and any others you might add for the group are always installed and configured for any member of the Accounting group, regardless of the computer they are using.

What should you do?

nmlkj Deploy the printers using Group Policy to computers.

nmlkj List each printer in Active Directory.

nmlkj Grant Accounting group members the Manage Documents permission to all printers.

nmlkji Deploy the printers using Group Policy to users.

nmlkj Grant Accounting group members the Manage Printer permission to all printers.

Page 19 of 39


[ms646-105-402 #170]

Explanation:



Objective(s):


Reference(s):


[ms646-302 #23]



What should you do?








What should you do?

Page 20 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-203 #23]






You have an intranet site for your company using IIS and running on Srv5. Because of recent growth, this server is becoming unable to process all incoming requests in a timely manner.


� New client requests should be directed to either of the two servers. � Because of differences in hardware between the two servers, two-thirds of the client requests should be

directed to Srv5, with the remaining going to the new server. � If one server goes down, all requests should go to the other server. � If the same client computer creates multiple sessions at the same time, all sessions should be created on

the same server.

You install the Web site on the second server and copy the Web site content to the server. You now need to configure a solution to meet the requirements.

What should you do?

nmlkjiConfigure both servers in a Network Load Balancing (NLB) cluster. Configure a port rule with client affinity set to Single.



nmlkjConfigure both servers in a Network Load Balancing (NLB) cluster. Configure a port rule with the filtering mode set to Single host.

Page 21 of 39

Explanation:

For this scenario, use a Network Load Balancing (NLB) cluster. NLB provides both load balancing and failover for application servers. The affinity setting controls whether or not requests from the same client are directed to the same cluster member. A setting of Single ensures that all requests from the same client are directed to the same cluster host.

Configure the filtering mode to specify how the cluster handles the traffic identified by the rule. In this scenario, a setting of Single host for the filtering mode would direct all traffic to one of the servers. Use a setting of Multiple host to distribute the load between multiple servers.

Use a terminal server farm when you need to allow users to launch applications; Terminal Services is not used to provide redundancy and fault tolerance for applications that are running on an application server. Failover Clustering cannot be used because it uses shared storage between servers.

Objective(s):


Reference(s):


[ms646-502 #15]

Explanation:

To recover only the missing file, you will need a backup on disk or shared folder. When restoring backups on DVD, the entire volume must be restored. Going and getting the disk would likely be faster and less disruptive than restoring the entire volume.

Run wbadmin start sysrecovery to start a full system restore.

Objective(s):


Reference(s):

You manage a Windows Server 2008 server that is used to hold user data files. You have previously configured several scheduled backups in Windows Server Backup.

A user comes to you wanting a file restored from a recent backup. You check your backup media and find you have a DVD from today. You also have a hard disk with a backup taken last night, but that disk is stored in an offsite location.

You need to restore the file as soon as possible with the least disruption on other users.

What should you do?

nmlkji Go get the hard disk with last night's backup. Run the Recovery Wizard using the backup on the disk.

nmlkj Run wbadmin start sysrecovery using the backup on the DVD.

nmlkj Go get the hard disk with last night's backup. Run wbadmin start sysrecovery using the backup on the disk.

nmlkj Run the Recovery Wizard using the backup on the DVD.

Page 22 of 39


[ms646-503 #91]

Explanation:



Objective(s):


Reference(s):


[ms646-201 #67]








You have just been put in charge of installing 30 new workstations. The following operating systems will be installed:

� Windows Vista Business on 64-bit unicore and multicore computers � Windows XP Professional on 32-bit unicore and multicore computers

You decide to use Windows Deployment Services (WDS) to help automate the installation.

You want to use the minimum number of install images. How many will you need?

nmlkj 1

nmlkj 2

nmlkji 3

Page 23 of 39

Explanation:

You will need three install images: one image for all Vista computers, and two images for the XP computers. Vista images are HAL-independent, meaning that a single image can be used for computers with different hardware abstraction layers. Windows XP images are HAL-dependent, so you will need an image for each installation with a different HAL.

Images are architecture-dependent. If you were installing both 32-bit and 64-bit versions of Vista, you would need two images, one for each architecture.

Objective(s):


Reference(s):


[ms646-102 #76]

Explanation:



Objective(s):


Reference(s):

nmlkj 4










Page 24 of 39


[ms646-401 #56]

Explanation:




Objective(s):


Reference(s):


[ms646-203 #102]











You are the server administrator for the westsim.com domain. You manage a network with a main office and a branch office. The branch office is connected to the main office with a WAN link.

You want to implement a WSUS solution for the network. You have installed WSUS on Srv7 in the main office and

Page 25 of 39

Explanation:

Configure Srv5 as a downstream server to Srv7 and make it a replica of the upstream server. When a server is a replica, it gets its list of approved updates as well as its computer groups from the upstream server. All configuration is performed on the upstream server. If Srv5 were not a replica, then you could have different approvals and computer groups on Srv5 than exist on Srv7.

Configure client-side targeting to assign computers to WSUS computer groups automatically. Use a Group Policy Object (GPO) to identify the computer group. To assign computer groups based on the Active Directory OU, create a GPO for each OU with a different computer group setting for each.

Use server-side targeting to configure computer groups on the WSUS server. Because Srv7 is the upstream server, you would create computer groups on Srv7.

Objective(s):


Reference(s):


[ms646-301 #23]



� Updates for both locations will be approved centrally. � Computers will be assigned to WSUS computer groups automatically based on the Active Directory OU

where the computer account resides.


gfedc Configure Srv5 as a downstream server to Srv7. Do not make Srv5 a replica of the upstream server.

gfedc Enable server-side targeting on Srv5.

gfedcb Configure Srv5 as a downstream server to Srv7. Make Srv5 a replica of the upstream server.

gfedcb Enable client-side targeting on Srv5.


You are about to make some configuration changes to the server. You want to create a backup of the system state only right now before making the changes.


gfedc Run Windows Server Backup and start the Backup Once wizard.

gfedc Save the backup to a local disk, shared folder, or DVD.

gfedc Run Windows Server Backup and start the Backup Schedule wizard.


gfedcb Run wbadmin.

Page 26 of 39

Explanation:

To make a system state backup, run wbadmin start systemstatebackup. System state backups can only be run from the command line (or through a Scheduled Task), and must be saved on a local disk (not a shared folder or DVD).

Objective(s):


Reference(s):


[ms646-503 #24]

Explanation:






Objective(s):


Reference(s):


gfedcb Run wbadmin.








Page 27 of 39

[ms646-101 #117]

Explanation:



Objective(s):


Reference(s):


[ms646-503 #107]




What should you do?





You are the server administrator for the westsim.com domain. You manage the following servers:

� Srv1 runs Windows Server 2003 SP1 � Srv2 runs Windows Server 2008

You have previously configured Srv1 with Terminal Services and configured several applications for remote client access.

Because of recent growth, Srv1 is beginning to reach its maximum capacity. You would like to install Terminal Services on Srv2 and configure it with the same applications that are running on Srv1. Your solution must meet the following requirements:

� New client connections should be evenly distributed between Srv1 and Srv2.

Page 28 of 39

Explanation:

Upgrade Srv1 to Windows Server 2008, then use the TS Session Broker role service to provide load balancing for terminal servers. Only servers running Windows Server 2008 can be made members of the terminal server farm.

The session broker directs client requests evenly between the servers in the server farm. If a user has an existing session, the connection is redirected to the server where the session resides. While using NLB provides load balancing, using NLB could result in users with active sessions being directed to the terminal server without the active session, thereby creating a new session instead of reconnecting to the existing session. You must use TS Session Broker to provide this functionality.

Objective(s):


Reference(s):


[ms646-401 #40]

� New client connections should be evenly distributed between Srv1 and Srv2. � If a client disconnects and reconnects, the client should be reconnected to the same session if it is still

active.

What should you do? nmlkjUpgrade Srv1 to Windows Server 2008. Install Network Load Balancing (NLB) on Srv1 and Srv2. Configure Srv1 and Srv2 as members of the same cluster.

nmlkjInstall the TS Session Broker role service on Srv2. Configure Srv1 and Srv2 as members of the same server farm.

nmlkjiInstall the TS Session Broker role service on Srv2. Upgrade Srv1 to Windows Server 2008. Configure Srv1 and Srv2 as members of the same server farm.

nmlkjInstall Network Load Balancing (NLB) on Srv1 and Srv2. Configure Srv1 and Srv2 as members of the same cluster.

You manage a large network with its own Public Key Infrastructure (PKI). You have decided to implement the Online Responder role on your network.

You have the following servers available:

You would like to configure Srv8 with the Online Certificate Status Protocol (OCSP). What should you do?

Server Operating system Role(s)

Srv5 Windows Server 2008 Standard Standalone root CA

Srv6 Windows Server 2008 Enterprise Enterprise subordinate CA


Srv8 Windows Server 2003 StandardDHCP DNS

nmlkji Upgrade to Windows Server 2008 Enterprise edition. Add the Online Responder role service.

nmlkj Add the Certification Authority and Online Responder role services.

nmlkjUpgrade to Windows Server 2003 Enterprise edition. Add the Network Device Enrollment Service role service.

nmlkj Add the Online Responder role service.

Page 29 of 39

Explanation:

Add the Online Responder role service to configure the server to use the Online Certificate Status Protocol (OCSP) to respond to certificate status requests. To add the Online Responder role service, the server must be running Windows Server 2008 Enterprise edition. Microsoft recommends that the Online Responder role should not be added to a server that is a CA, although this configuration is possible.

Add the Network Device Enrollment Service role service to configure the server as a registration authority (RA) that can submit certificate requests for non-Microsoft devices.

Objective(s):


Reference(s):


[ms646-103 #173]

Explanation:

Adding the Online Responder service configures the server to use the Online Certificate Status Protocol (OCSP), which allows it to respond to requests for information about the status of a single certificate. Clients query the OCSP server about the status of the certificate rather than downloading the entire CRL. You can install the online responder on a CA or on a server running Windows Server 2008.

Using delta CRLs, differential changes to the base CRL are published in an updated CRL. The client downloads the base CRL and the latest delta CRL. The delta CRL is smaller than the base CRL, and creates smaller updates to the CRL. However, both the base and the delta CRL contain information about multiple certificates.

A partitioned CRL is a CRL that contains a subset of the base CRL. For example, the partitioned CRL might contain only user or computer certificates. Windows CAs do not support partitioned CRLs.

Use the Web Enrollment service to allow users to request certificates through a Web browser. Use the Network Device Enrollment Service (NDES) to allow non-domain devices (such as routers) to request a certificate.

Objective(s):

You manage certificate services for the northsim.com domain. You have a single CA named CA1 that is an enterprise root CA.

You want client computers to request information for the status of a single certificate instead of receiving a list of all revoked certificates for a CA.

What should you do?

nmlkj Configure the Network Device Enrollment Service on CA1.

nmlkj Configure CA1 to use partitioned CRLs.

nmlkj Configure CA1 to use delta CRLs.

nmlkj Configure the Web Enrollment service on CA1.

nmlkji Configure the Online Responder service on CA1.

Page 30 of 39


Reference(s):


[ms646-103 #146]

Explanation:



Objective(s):


Reference(s):


[ms646-503 #49]



What should you do?






You are planning a server virtualization implementation using Windows Server 2008 and Hyper-V. Your virtualization solution must meet the following requirements:

Page 31 of 39

Explanation:

Use a private network to allow the virtual machines to communicate with each other and no other devices, including the management operating system. Use dynamically expanding virtual disks to conserve hard disk space. Physical disk space is allocated only as the space is required by the virtual machine. The .vhd file starts out small and grows as more space is used.

Use an internal network if the private network must include the management operating system. Use an external network if the virtual machines must communicate with other network devices.

With fixed disks, disk space for the entire volume is allocated in the .vhd file. With a differencing disk, multiple virtual machines share a parent disk, with the variations for each virtual machine being saved in a second child or differencing virtual disk file.

Objective(s):


Reference(s):


[ms646-104 #40]

� Both 32-bit and 64-bit operating systems will be installed as virtual machines. � You need to install six virtual machines. � All virtual machines must be able to communicate with each other. � Virtual machines should not be able to communicate with any other network devices. Virtual machines

should not be able to communicate with the management operating system. � Each virtual machine must use its own unique virtual hard disk saved as a single file. � The size of each virtual disk file must be as small as possible.


gfedcb Create a private network

gfedc Use differencing virtual disks

gfedc Use fixed virtual disks

gfedc Create an external network

gfedc Create an internal network

gfedcb Use dynamically expanding virtual disks

The Srv1 server on your network is currently being used as a file server. Srv1 runs Windows Server 2003 Standard edition. You decide that you want to upgrade Srv1 to Windows Server 2008.

You perform an upgrade of the server to Windows Server 2008 Enterprise edition. During the installation, the installation program stops and will not continue.

You want to configure the server to return to its previous configuration of running Windows Server 2003. You want to do this with the least amount of effort possible.

What should you do?

Page 32 of 39

Explanation:

If the upgrade to Window Server 2008 fails without completing, you can roll back to the previous version. You cannot roll back after you have successfully logged on following the upgrade. Rollback is faster than reinstalling or restoring from backup.

If you perform an upgrade to Windows Server 2008, you cannot uninstall Server 2008 following the upgrade to revert back to the previous installation.

Objective(s):


Reference(s):


[ms646-101 #211]

Explanation:



nmlkji Roll back the installation of Windows Server 2008

nmlkj Uninstall Windows Server 2008

nmlkj Reinstall Windows Server 2003

nmlkj Restore the Windows Server 2003 installation from a recent backup




What should you do?





Page 33 of 39


Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #16]

Explanation:




Objective(s):


Reference(s):






What should you do?





Page 34 of 39


[ms646-303 #93]

Explanation:


Attach a task to an event or a log to receive notification or take other actions when an event is logged. Tasks attached to a log or a custom view execute the action when any event is added to the log or the custom view. A custom view is a saved filter. Custom views are saved between Event Viewer sessions, and are available each time you use Event Viewer.

Use a performance counter alert to configure triggers that take an action when a counter reaches a threshold value. Alerts monitor a system performance statistic, such as processor time or disk space. Use an event trace data collector in Performance Monitor to capture events logged by software processes.

Objective(s):


Reference(s):


[ms646-302 #47]

You are the server manager for the westsim.com domain. You have just installed a custom application on three servers: Srv1, Srv2, and Srv3. The application generates Event Viewer events and logs those events to a custom log for the application.

You would like to send all events from the application to Srv4 where you can save and view the logs.

What should you do?

nmlkj Attach a task to the application's log


nmlkji Configure event subscriptions


nmlkj Create a custom view

You are planning the deployment of a new Windows Server 2008 server. The server will have the Application Server role installed.

The server must be able to start and stop applications dynamically based on network messages received using TCP.


nmlkj Distributed Transactions

Page 35 of 39

Explanation:

Add the Windows Process Activation Service Support role service. The Windows Process Activation Service (WAS) starts and stops applications dynamically in response to network messages. You can choose which message types to support by adding the appropriate role service component: HTTP Activation, Message Queuing Activation, TCP Activation, and/or Named Pipes Activation.

Use COM+ Network Access to support applications that communicate with each other using the COM+ protocol. Use TCP Port Sharing to enable applications to use the same TCP port for communicating with clients. Use the Distributed Transactions role to support applications, such as database applications, that perform operations that involve multiple servers.

Objective(s):


Reference(s):


[ms646-104 #94]

Explanation:



Round-robin uses all available paths and the load is distributed among all paths. If a path fails, the load is redistributed

nmlkj Distributed Transactions

nmlkj TCP Port Sharing

nmlkji Windows Process Activation Service Support

nmlkj COM+ Network Access





nmlkj Round-robin


nmlkj Failover


Page 36 of 39

between all remaining paths. Round-robin with Subset configures two sets of paths: a set of preferred paths and a set of standby paths. The preferred set is used until all paths fail. When all preferred paths fail, the standby paths are used.


Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #55]

Explanation:

Install the Standard edition for ADCS1 and ADCS2, and the Enterprise edition for the remaining servers. Remember the following:

� The Standard edition supports up to 4 processors, with 32 GB of RAM for the 64-bit version and 4 GB of RAM for the 32-bit version.

� The Enterprise or Datacenter editions are required to support more than 32 GB of RAM on a 64-bit system (up to 2 TB is supported).

� The Standard edition can be used for the Certification Authority role service. Windows Server 2003 required the Enterprise edition for enterprise CAs.

� The Enterprise or Datacenter editions are required when using the Online Responder or Network Device Enrollment Service (NDES) with Certificate Services.

You are preparing to install an Active Directory Certificate Services (AD CS) solution for your network. You have the following servers that will be configured as follows:

You want to select the minimum Windows Server 2008 edition to support the required roles. Which Windows Server 2008 editions should you install on each server? To answer, drag the operating system edition from the right to the server name on the left.

Server Name

RAM CPUs Role Service(s)

ADCS116 GB

One 64-bitCertification Authority, configured as an enterprise root CA

ADCS232 GB

One quad core 64-bit

Certification Authority, configured as an enterprise subordinate CA

ADCS3 1 TB Two 64-bitCertification Authority, configured as an enterprise subordinate CA Certification Authority Web Enrollment

ADCS4 4 GB One 32-bit Online Responder

ADCS532 GB

One dual core 64-bit

Network Device Enrollment Service

ADCS1 Standard editionStandard edition

ADCS2 Standard editionWeb Server edition

ADCS3 Enterprise editionEnterprise edition

ADCS4 Enterprise editionDatacenter edition

ADCS5 Enterprise edition

Page 37 of 39

Objective(s):


Reference(s):


[ms646-101 #51]

Explanation:

BitLocker requires Windows Vista Enterprise, Windows Vista Ultimate, or Windows Server 2008. When implementing BitLocker without a TPM, you must use a startup key on a USB device.

Windows Vista Business does not support BitLocker. When using a TPM with BitLocker, you can configure the computer to start with a PIN, a startup key on a USB drive, or without any additional intervention.

Objective(s):


Reference(s):


[ms646-101 #108]


Members of the Sales team use laptops while traveling. You would like to use BitLocker on each computer to protect the volume used for the operating system and all user data. None of the laptops have a Trusted Platform Module (TPM).

You need to configure the computers to use BitLocker. What should you do? (Select two. Each choice is a required part of the solution.)

gfedc Configure BitLocker to start without requiring a PIN or USB drive.

gfedcb Configure BitLocker to use a startup key on a USB drive.

gfedc Install Windows Vista Business on each laptop.

gfedcb Install Windows Vista Ultimate on each laptop.

gfedc Configure BitLocker to require a PIN for startup.


You have a UNIX server that needs to be able to print to a shared printer on your Windows Server 2008 server.

How should you configure the Windows Server 2008 server?

Page 38 of 39

Explanation:

Add the Line Printer Daemon (LPD) Service to enable UNIX computers or other computers that use the Line Printer Remote (LPR) service to print to printers configured on a Windows Server 2008 server.

Add the Line Printer Remote (LPR) Port Monitor feature to allow the server to print to the Line Printer Daemon (LPD) service on a UNIX print server. Add this feature only if the print server is a UNIX print server. Create a network printer with a Standard TCP/IP printer port to use the LPD protocol if the print server is not on a UNIX system.

Installing the Internet Printing role service creates a Web site that users can use to print to, share, and manage printers.

Objective(s):


Reference(s):


[ms646-105-402 #138]

nmlkj Add the LPR Port Monitor feature.

nmlkj Create a network printer with a Standard TCP/IP printer port.

nmlkji Add the LPD Service role service.

nmlkj Add the Internet Printing role service.

Page 39 of 39

Explanation:

To enable peer-to-peer communications between cluster members when the cluster members have a single network adapter, configure the cluster to operate in multicast mode. In multicast mode, each cluster host retains the original hardware unicast MAC address of the adapter, and a common multicast MAC address is used for NLB traffic. If you used unicast mode, communication between cluster hosts, except for cluster-related traffic, cannot take place. To allow cluster members to communicate with each other using unicast mode, install a second NIC in each host.

To distribute traffic between multiple servers, configure a port rule with the filtering mode set to Multiple host. To distribute traffic using a two-thirds distribution, configure the weight value for Srv5 to be twice the weight value of Srv10 (such as 60/30, 50/25, or 100/50). Traffic is balanced based on the weight value configured for a specific host when compared to the sum of all weights configured on all active hosts.

Objective(s):


Reference(s):


[ms646-502 #43]



You decide to use Network Load Balancing (NLB) as your solution. You add a second server named Srv10. Both Srv5 and Srv10 have similar hardware, with a single network adapter.



directed to Srv5, with the remaining going to the new server. � Both Srv5 and Srv10 must be able to support peer-to-peer communications.

You need to configure a solution to meet the requirements. What should you do? (Select two. Each choice is a required part of the solution.)

gfedc Configure the cluster to operate in unicast mode.

gfedcbConfigure a port rule with the filtering mode set to Multiple host. Configure Srv5 with a weight of 60 and Srv10 with a weight of 30.

gfedcb Configure the cluster to operate in multicast mode.

gfedcConfigure a port rule with the filtering mode set to Multiple host. Configure Srv5 with a weight of 75 and Srv10 with a weight of 25.



You would like to add a second server to run the application. Your solution should meet the following

Page 1 of 39

Explanation:







Objective(s):


Reference(s):


[ms646-502 #7]




What should you do?





You are the administrator of the westsim.com Active Directory domain.

You delegate administration of the Sales OU and Research OU to other administrators. You want to prevent the administrators of those OUs from creating any other Group Policy objects with settings that conflict with those you have configured for the domain.

What should you do?

nmlkj In Group Policy objects linked to the Sales OU and Research OU, set the Enforced option.

Page 2 of 39

Explanation:

If you set the Enforced option on Group Policy objects linked to the domain, lower-level OUs will not be able to block the Group Policy object. The Block Inheritance setting causes inherited Group Policy objects to be ignored. However, it cannot block Group Policy objects that have the Enforced option enabled.

Objective(s):


Reference(s):


[ms646-203 #119]

Explanation:

Add the ISAPI Filters role service. An ISAPI filter is a program that continually runs on the Web server. The program examines or filters every request, looking for a request that it needs to process. When it finds a request that meets its filter criteria, it takes the specified action.

An ISAPI extension is a program that is associated with a file extension. When a Web page is requested with that extension, the program loads and executes. One difference between ISAPI filters and ISAPI extensions is that with filters, the program is constantly running, while with extensions, the program loads only when the Web page is requested.

Add ASP support to run Web pages build with active server pages using server side scripts. Add CGI support to support programs written using the CGI protocol that defines how the Web server passes information to an external program.

Add the Server Side Includes role service to support SSI scripts embedded in a Web document. Documents with include statements are saved with the .shtml or .shtm extension. The Web server parses the Web page and executes the script

nmlkj Enable the Block Inheritance option for the westsim.com domain.

nmlkjDistribute a Group Policy object to the Sales OU and Research OU that disables the Block Inheritance option.

nmlkj Distribute a Group Policy object to the westsim.com domain that disables the Block Inheritance option.

nmlkji In Group Policy objects linked to the westsim.com domain, set the Enforced option.

You are planning the deployment of a new Windows Server 2008 server. The server will have the Application Server role installed with the Web Server (IIS) Support role service.

The Web server must support an application that runs constantly examining the URL submitted. When a URL from an authenticated user is submitted, the application will modify the URL to redirect the user to a different Web page based on user preferences.


nmlkji ISAPI Filters

nmlkj CGI

nmlkj ASP

nmlkj ISAPI Extensions

nmlkj Server Side Includes

Page 3 of 39

embedded in the document before sending the document to the client.

Objective(s):


Reference(s):


[ms646-104 #110]

Explanation:

To create a backup of Active Directory, create a system state backup. This includes everything necessary to restore Active Directory.

Use a full server or a critical volumes backup to restore a server that is unable to boot. You cannot back up individual files and folders using Windows Server Backup.

Objective(s):


Reference(s):


[ms646-503 #58]

You have just installed a new domain on a new domain controller running Windows Server 2008.

You would like to use Windows Server Backup to back up Active Directory. You would like to perform the backup so that you can restore the domain controller if the domain controller is able to boot but when Active Directory is corrupt.

Which type of backup should you create?

nmlkj Back up the Ntds.dit file and the Sysvol folder

nmlkj Full server backup

nmlkji System state backup

nmlkj Critical volume backup

You are the server administrator for the westsim.com domain. Client computers run Windows XP Professional. In addition, the Research department has five UNIX computers. All servers run Windows Server 2008.

You need to configure the FS9 server so that all company clients can connect to a shared folder named Forms. Users need only Read access to documents in this folder.

How should you configure the server? (Select two. Each choice is a required part of the solution.)

Page 4 of 39

Explanation:

Add the Services for Network File System (NFS) role service to provide access to files through the NFS protocol, commonly used by UNIX computers. To configure a shared folder to use NFS, you must also add the File Server role service which adds the Share and Storage Management console. Use this console to share the folder using both SMB for Windows clients and NFS for UNIX clients.

Adding only the File Server role service does not add NFS support. Sharing the folder using SMB only would not allow the UNIX computers to connect. Sharing the folder with NFS only would not allow the Windows computers to connect to the shared folder.

Objective(s):


Reference(s):


[ms646-105-402 #258]

Explanation:

When configuring directory service access auditing, you must enable auditing for the domain or OU, then identify the users and objects you want to audit. Simply enabling auditing using a GPO will be insufficient.

Using a filter or a custom view in Event Viewer can help you find events that you are looking for. However, without enabling auditing for specific users and objects, no events will be shown.

gfedc Share the Forms folder using NFS only.

gfedc Add the File Server role service.

gfedcb Share the Forms folder using both SMB and NFS.

gfedcb Add the File Server and Services for Network File System (NFS) role services.

gfedc Share the Forms folder using SMB only.

You manage a single domain named widgets.com. Recently, you notice that there have been several unusual changes to objects in the Sales OU.

You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO, and link the GPO to the domain.

After several days, you check Event Viewer but you do not see any events listed in the event log indicating changes to Active Directory objects.

What should you do?

nmlkj Create a custom view in Event Viewer, showing only Active Directory events.

nmlkj Create a filter in Event Viewer, showing only Active Directory events.

nmlkji Edit the access list for the OU. Identify specific users and events to audit.

nmlkj Link the GPO to the Sales OU.

Page 5 of 39

Objective(s):


Reference(s):


[ms646-303 #61]

Explanation:

Configure NTFS permissions to control access to content in virtual directories. For example, grant the Read and Write permissions to a folder that holds the virtual directory content to allow a user to edit that content.

Use IIS Manager permissions to add users to manage a Web site or an application running on the Web site. Configuring permissions is done by adding the user to the Allow list for the Web site or the application. You cannot add a user to a specific virtual directory.

Use Feature Delegation to control whether specific settings, such as authentication or Web site settings, can be modified by users who are IIS Managers.

Objective(s):


Reference(s):


[ms646-202 #133]


You add the Web Server role to Srv5. In the Default Web Site, you create a virtual directory for every department. This virtual directory will be used by the department to maintain a custom intranet for department employees.

You would like to designate one person in each department who can add, delete, and modify files within the virtual directory.

What should you do?

nmlkji Configure NTFS permissions on the folder referenced by the virtual directory.

nmlkj Configure Feature Delegation.

nmlkj Add each department user as an IIS Manager for their respective departmental virtual directory.

nmlkj Add each user as an IIS Manager for the Web site.


Page 6 of 39

Explanation:

A custom view is a saved filter. Custom views apply filter criteria to one or more event logs. The filter criteria for a custom view is similar to that for a filter, but also includes the log(s) you want to include in the view. Custom views are saved between Event Viewer sessions, and are available each time you use Event Viewer. You can export a custom view and import it on another system. This exports and imports the custom view criteria, not the events showing in the view.

Adding a filter in Event Viewer has the following limitations:

� You cannot save a filter. Each time you start Event Viewer, you will need to redefine the filter criteria. � Filters apply only to a single log; you cannot filter multiple logs into a single view. � You cannot export and import filter criteria to other computers.

Use Event Subscriptions to view a set of events stored in multiple logs on multiple computers. Events that occur on one computer are sent to another computer where they are saved and can be viewed. Attach a task to an event or a log to receive notification or take other actions when an event is logged.

Objective(s):


Reference(s):


[ms646-302 #56]

As you monitor the application, you'd like to be able to do the following:

� View all events related to the application from a single log. � View only the events related to the application and no others. � View the necessary events with minimal future configuration. � Save the Event Viewer configuration so that you can easily export and import the solution to other servers

that will be running the application.

What should you do?

nmlkji Create a custom view

nmlkj Create a filter on the Application and Security logs

nmlkj Attach a task to the event IDs generated by the application


You are the administrator for the westsim.com domain. Srv5 is a domain member server running the Web Server (IIS) role.

You create a Web site for the Sales team. You want to allow a user to manage only the following Web site settings:

� Authentication � Default document � Error pages � Logging

What should you do?

Page 7 of 39

Explanation:

Add users to the IIS Manager Permissions list to identify a user who is an administrator. Configure Feature Delegation to control whether specific settings, such as authentication or Web site settings, can be modified. Set the feature to Read/Write to allow users designated by IIS Manager Permissions to modify the settings.

Use NTFS permissions to control access to Web site content stored on disk. You might need to configure NTFS permissions to allow a user to modify the default home page or custom error pages. You cannot assign specific users and permissions to each feature.


Objective(s):


Reference(s):


[ms646-202 #149]

Explanation:

What should you do?

nmlkj Edit the permissions for each Web site setting. Assign the user the necessary permissions.

nmlkj Configure NTFS permissions.

nmlkji Use IIS Manager Permissions to add the user. Configure Feature Delegation.

nmlkj Run the Delegation of Control wizard.

Due to a recent expansion, your company will add a new division at your location. You have been put in charge of installing Windows Server 2008 on about 15 new servers.

You use Windows Deployment Services (WDS) to install the operating system on ten of the servers. You find, however, that the remaining five servers do not have PXE support.

You need to install Windows Server 2008 on the remaining five servers with as little effort as possible.

What should you do?

nmlkj

Run Windows SIM to create a custom unattended installation file that includes the necessary settings for the remaining five servers. Add the resulting file to the WDS server. On the remaining five servers, connect to the WDS server and use the unattended file to complete the installation.

nmlkjiCreate a discover boot image and an ISO image. Burn the ISO image to CD. Boot each computer to the CD, connect to the WDS server, and complete the installation.

nmlkj

Install Windows Server 2008 on one of the servers. Create a capture image, and use the capture image to create a custom install image using that server. On the remaining four servers, connect to the WDS server and use the custom image to complete the installation.

nmlkj On each remaining server, perform a manual installation of Windows Server 2008.

Page 8 of 39

A computer that is not PXE capable is unable to perform a network boot. Because it can't boot from the network, it can't download a boot image from the WDS server. For non-PXE computers, use a discover image. The discover image is placed on media, such as a CD or USB drive, and is used to boot the computer into Windows PE. The server can then connect to the WDS server to download the necessary install image.

Creating a custom install image is not necessary, because install images do not depend on minor differences in hardware (only the architecture is important). Even if you created a custom install image or answer file, without PXE capabilities or a bootable device, the non-PXE servers will be unable to connect to the WDS server to download the install image.

Objective(s):


Reference(s):


[ms646-102 #34]

Explanation:




Objective(s):


Reference(s):









Page 9 of 39


[ms646-203 #137]

Explanation:

To provide redundancy to the namespace root, configure Srv3 as a cluster server with Srv1. Because the DFS namespace is a stand-alone namespace, you can have only one server as a namespace server. Using a cluster is the only way to provide redundancy for the namespace server in this instance.


Objective(s):


Reference(s):


[ms646-105-402 #31]


You would like to configure Srv3 to provide redundancy for your DFS solution so that if Srv1 is down, the data held on Srv2 can still be accessed.

What should you do?

nmlkj Share a folder on Srv3. Add this folder as a target to the Reports folder. Configure FRS replication.

nmlkji Configure Srv3 as a cluster server with Srv1.



You manage a large network with its own Public Key Infrastructure (PKI). You have the following servers in your PKI:

You want to configure a CA to issue certificates that can be used for Suite B encryption.

What should you do?


Srv5 Windows Server 2003 Standalone root CA



nmlkji Configure version 3 certificates on Srv6.

nmlkj Configure version 2 or 3 certificates on Srv6.

Page 10 of 39

Explanation:


Objective(s):


Reference(s):


[ms646-103 #190]

Explanation:

Configure Srv2 as follows:

� To manage the approved updates only from Srv1, configure Srv2 to synchronize with Srv1. Make Srv2 a replica of Srv1 to force Srv2 to use the same approval list. When Srv2 is a replica, you cannot approve updates on Srv2.

� To have client computers download updates from the WSUS server (and not the Microsoft Update website), store updates locally on the WSUS server.

� To minimize WAN link traffic, configure Srv2 to download the update files from Microsoft Update (and not Srv1) by selecting the Download files from Microsoft Update; do not download from upstream server option. If this

nmlkj Configure version 2 or 3 certificates on Srv6.

nmlkj Configure version 2 or 3 certificates on Srv6 or Srv7.

nmlkj Configure version 2 or 3 certificates on Srv5, Srv6, or Srv7.

nmlkj Configure version 3 certificates on Srv5, Srv6, or Srv7.

nmlkj Configure version 3 certificates on Srv6 or Srv7.

You manage a network with two locations: San Jose and Oakland. The two networks are connected with a WAN link, and each site has its own Internet connection. Srv1 is in San Jose, and Srv2 is in Oakland.

You decide to implement a WSUS solution using Srv1 and Srv2 as WSUS servers. Your solution should meet the following requirements:

� Client computers should contact the WSUS server in their site for a list of approvals and download the updates from the WSUS server in their site.

� All updates for both sites are approved from Srv1. � You must minimize traffic on the WAN link between the two sites.

You have completed the configuration of the WSUS server in the San Jose location. How should you configure Srv2 in Oakland to meet the design requirements?

nmlkjConfigure Srv2 to synchronize with Srv1 as a replica of Srv1. Configure the server to store updates locally, and to download updates from Srv1.

nmlkjConfigure Srv2 to synchronize with Srv1 and operate in autonomous mode. Configure the server to not store updates locally.

nmlkj Configure Srv2 to synchronize with Microsoft Update and to store files locally.

nmlkjiConfigure Srv2 to synchronize with Srv1 as a replica of Srv1. Configure the server to store updates locally, and to download updates from Microsoft Update.

Page 11 of 39

option was not selected, Srv2 would download update files from Srv1 across the WAN link.

Objective(s):


Reference(s):


[ms646-301 #7]

Explanation:

In the DFS console, delegate management permissions to each replication group. In the DFS console, right-click the desired level (either the namespace, replication node, or replication group) and choose Delegate Management Permissions.

Delegating permissions to the namespace lets the user manage the namespace and all folders, but not replication. You cannot delegate permissions to the folder.

Use NTFS permissions to control who can modify files within the folder targets.

Objective(s):


Reference(s):


[ms646-202 #117]



You would like to delegate the task of managing replication for each folder to different administrators.

What should you do?

nmlkj Configure NTFS permissions on the folder targets.



nmlkji In the DFS console, delegate management permissions to each replication group.

You are the server administrator for the westsim.com domain. All client computers currently run Windows XP Professional. All servers run Windows Server 2003 or 2008.

Page 12 of 39

Explanation:

To add the Windows Search Service, you will need to remove the Indexing Service first; you cannot have both installed at the same time. To configure clients to use the Windows Search Service, you will need to add the Windows Desktop Search to all client computers. The client component is included on Vista and Server 2008 computers, but must be added to Windows XP and Server 2003 computers.

Objective(s):


Reference(s):


[ms646-105-402 #196]

Explanation:


You have a Windows Server 2008 server named FS12. You have previously added the Indexing Service role service to support an application that uses the Indexing Service.

You would like to use the Windows Search Service included with Windows Server 2008 to provide indexing of e-mail, contacts, and calendar items. You want to add this role service to FS12 and configure clients to support the service.

What should you do?

nmlkj Add the Windows Search Service.

nmlkj Remove the Indexing Service. Add the Windows Search Service.

nmlkj Add the Windows Search Service. Add the Windows Desktop Search to all client computers.

nmlkjiRemove the Indexing Service. Add the Windows Search Service. Add the Windows Desktop Search to all client computers.







nmlkj Failover

nmlkj Round-robin

Page 13 of 39




Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #55]

Explanation:


Objective(s):













Page 14 of 39

Reference(s):


[ms646-401 #74]

Explanation:

Install the Datacenter edition with a single license for the Datacenter edition. The Datacenter edition allows for an unlimited number of virtual servers running any edition of Windows Server 2008 (Standard, Enterprise, or Datacenter editions).

You cannot install the Standard edition because it only supports up to 4 processors and 32 GB of RAM. The Enterprise edition supports up to 4 virtual server instances running either the Standard or the Enterprise editions.

Objective(s):


Reference(s):


[ms646-101 #34]



You will install Hyper-V on the server and create seven virtual servers, with each server running Windows Server 2008 Standard edition.

Which Windows Server 2008 edition should you install, and how many licenses should you purchase?

nmlkj Install the Enterprise edition with a single license for the Enterprise edition.

nmlkj Install the Datacenter edition with one Datacenter edition license and 2 Standard edition licenses.

nmlkji Install the Datacenter edition with a single license for the Datacenter edition.

nmlkj Install the Standard edition with a total of 8 Standard edition licenses.

nmlkj Install the Enterprise edition with one Enterprise edition license and 7 Standard edition licenses.



Page 15 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-203 #69]

Explanation:


What should you do?





You manage the DNS infrastructure for you network. Server Dns1 holds a primary zone for the westsim.com domain. Server Dns2 holds a primary zone for the sales.westsim.com domain. Both servers are also domain controllers.

Computers configured to use Dns1 as the preferred DNS server are unable to resolve names for hosts in the sales.westsim.com domain. You need to enable Dns1 to resolve names for hosts in that domain. Zone data for the sales.westsim.com domain should not be stored on the Dns1 server.

What should you do?

nmlkj On Dns2, create a zone delegation for westsim.com.

nmlkj On Dns1, configure a secondary zone for the sales.westsim.com zone.

nmlkj On Dns2, convert the sales.westsim.com zone to an Active Directory-integrated zone.

nmlkji On Dns1, create a zone delegation for sales.westsim.com.

Page 16 of 39

On Dns1, create a zone delegation for sales.westsim.com. The zone delegation identifies the zone name and the authoritative name servers for the zone.

You could enable name resolution for the sales.westsim.com zone by configuring a secondary zone on Dns1 or by converting the zone to an Active Directory-integrated zone. However, both solutions would mean that Dns1 would hold zone data. The scenario requests that zone data is not stored on Dns1.

Objective(s):


Reference(s):


[ms646-103 #94]

Explanation:

Use client or server side targeting to create different approval lists for groups of computers. With client side targeting, use a GPO to identify the computer group for the accounting computers. On the WSUS server, create the computer group, and identify the specific approved updates for that group.

Using a second WSUS server for the accounting computers would work as long as the second server was not a replica of the first. When you use a replica, the replica server has the same approval list as the upstream server. In addition, using computer groups and targeting is more efficient than installing another WSUS server.

Use Update Rules to configure rules that are used for automatically approving updates. Update Rules can apply to specific computer groups, but they cannot be used without targeting to supply different updates for different computer groups. Pointing non-accounting computers to Microsoft Update means that these computers will no longer use the approved list of updates.

Objective(s):


Reference(s):

You manage a network with a single location. You have previously deployed a WSUS server in your location to specify the approved list of updates. All client computers are configured to download updates from your local WSUS server.

Members of the Accounting department report that a new system update causes instability with their accounting software. You want to prevent this update from being applied to the accounting department computers, but you still want to ensure that all other updates are being applied as they should.

What should you do?

nmlkji Configure client side targeting on the WSUS server and computers in the Accounting department.

nmlkjConfigure a second WSUS server as a replica to the first WSUS server. Configure accounting computers to use this new server for updates.

nmlkj Configure an Update Rule on the WSUS server to exclude the problematic update.

nmlkjUnapprove the problematic update on the WSUS server. Configure non-accounting computers to use Microsoft Update instead of the WSUS server.

Page 17 of 39


[ms646-301 #15]

Explanation:




Objective(s):


Reference(s):


[ms646-202 #50]




What should you do?









Page 18 of 39

Explanation:



Objective(s):


Reference(s):


[ms646-302 #15]

Explanation:

Add the Line Printer Daemon (LPD) Service to enable UNIX computers or other computers that use the Line Printer Remote (LPR) service to print to printers configured on a Windows Server 2008 server.

Add the Line Printer Remote (LPR) Port Monitor feature to allow the server to print to the Line Printer Daemon (LPD) service on a UNIX print server. Add this feature only if the print server is a UNIX print server. Create a network printer with a Standard TCP/IP printer port to use the LPD protocol if the print server is not on a UNIX system.

Installing the Internet Printing role service creates a Web site that users can use to print to, share, and manage printers.

Objective(s):


Reference(s):






You have a UNIX server that needs to be able to print to a shared printer on your Windows Server 2008 server.


nmlkji Add the LPD Service role service.



nmlkj Add the LPR Port Monitor feature.

Page 19 of 39


[ms646-105-402 #138]

Explanation:



Objective(s):


Reference(s):


[ms646-401 #56]












What should you do?



Page 20 of 39

Explanation:




Objective(s):


Reference(s):


[ms646-302 #47]




Your network has a single Active Directory forest with two domains: eastsim.private and HQ.eastsim.private. Organizational units Accounting, Marketing, and Sales represent departments of the HQ domain. Additional OUs (not pictured) exist in the eastsim.private domain. No other OUs exist in the HQ domain. All user and computer accounts for all departments company-wide are in their respective departmental OUs.

You are in the process of designing Group Policy for the network.

� You create a GPO called AutoEnroll that automatically enrolls user certificates. This GPO should apply to all users in both domains.

� You create a GPO called MyDoc Redirect that redirects the My Documents folder. This GPO should apply to all users in the Accounting department.

� You create a GPO called CustomApp that distributes a custom application. This GPO should apply to all users in the Marketing and Sales departments.

How should you link the GPOs to meet the design objectives? To answer, drag the label corresponding to the GPO to the appropriate boxes.

AutoEnroll GPOAutoEnroll GPO

CustomApp GPO

MyDoc Redirect GPO

Block Inheritance AutoEnroll GPO

No Override

Page 21 of 39

Explanation:

To meet the requirements, link the GPOs as follows:

� Link the AutoEnroll GPO to both the westsim.private and HQ.westsim.private domains. Linking them to the domain means the GPO settings will apply to all users in the domain. GPO settings do not cross domain boundaries, so you need to link the GPO to each domain.

� Link the MyDoc Redirect GPO to the Accounting OU. The GPO will apply only to users in the Accounting OU. � Link the CustomApp GPO to the HQ.westsim.private domain. Then set No Override on the Accounting OU.

Do not apply the GPO to the domain, as this would apply the settings to computers in the Accounting OU as well.

Objective(s):


Reference(s):


[ms646-203 #31]

CustomApp GPOMyDoc Redirect GPO

CustomApp GPO





Srv12.





gfedc Routing



Page 22 of 39

Explanation:




Objective(s):


Reference(s):


[ms646-103 #110]

Explanation:

To provide redundancy for shared folder data, configure additional targets for the folder in DFS. If one target is unavailable, users can still access data held on the other server.

Configure replication to keep the contents of the shared folders synchronized. Because the namespace is a stand-alone namespace, you must use FRS replication. DFS replication can only be used for domain-based namespaces.

Objective(s):


Reference(s):




You would like to configure Srv3 to provide redundancy so that data in the shared folder is still accessible even if Srv2 goes down.

What should you do?

nmlkji Share a folder on Srv3. Add this folder as a target to the Reports folder. Configure FRS replication.


nmlkj Configure Srv3 as a cluster server with Srv1.


Page 23 of 39

[ms646-105-402 #39]

Explanation:

Restoring deleted data requires the following steps:

1. Boot a domain controller into directory services restore mode. 2. Restore Active Directory (this is called a nonauthoritative restore). 3. Run Ntdsutil and perform an authoritative restore of the deleted data.

Performing an authoritative restore of the OU that was deleted will force that object to go back into Active Directory. If you don't do the authoritative restore, the object will be deleted as soon as the domain controller replicates.

Objective(s):


Reference(s):


[ms646-503 #33]

You are the network administrator for a company with a single Active Directory domain. The domain functional level is Windows Server 2003. Each departmental administrative team has delegated control over an organization unit (OU) for their department.

In the last few weeks there have been several new administrators join the team that have never managed Active Directory before. Yesterday, one of the new administrators inadvertently deleted an entire OU from within his department’s OU structure. You have located a backup from two days ago to use for the restoration.

What should you do? (Choose two. Each correct answer is part of the solution.)

gfedcb Run Ntdsutil and mark the deleted OU for authoritative restore.

gfedcRestore Active Directory from the backup and then reboot the domain controller into directory services restore mode.

gfedc Perform a nonauthoritative restore and reboot the domain controller normally.

gfedcbReboot a domain controller into directory services restore mode and restore Active Directory from the backup.







Page 24 of 39

Explanation:






Objective(s):


Reference(s):


[ms646-101 #117]

Explanation:



Objective(s):

on the second partition.









Page 25 of 39


Reference(s):


[ms646-201 #67]

Explanation:

To correct the problem, enable LAN routing on the remote access server. Without LAN routing enabled, remote access users will only be able to connect to resources on the remote access server.

Because the private company network has only a single subnet, you do not need to configure static routes or enable a routing protocol. You should only configure the modem as a demand dial interface if users on the private network need to dial out to another network. You know that permissions on the private network is not the problem because a ping to the private network fails. You need to repair communications before you can worry about fixing permissions.

Objective(s):


Reference(s):


[ms646-103 #248]

You want to provide dial-up capabilities to users in your company so they can work from home. Users will dial in to the remote access server and then access all resources on the company network.

You install Windows Server 2008 on a new server, Remote1, and configure it for remote access. You configure the network access policies to allow connections between 7am and 8pm.

The next day, you get a call from one of the users reporting that she can connect to the remote access server, but can't access any resources on the company network. You ask her to ping a server on the private network using the IP address, but the ping fails. From the remote access server you can access all resources on the private network.

What should you do?

nmlkj On the private network, grant remote access users permissions to resources.

nmlkj In Routing and Remote Access, configure a static route to the company network.

nmlkj In Routing and Remote Access, configure the modem as a new demand-dial interface.

nmlkji In Routing and Remote Access, enable LAN routing on the server.

nmlkjIn Routing and Remote Access, configure RIP and add the LAN and modem interfaces to the routing protocol.

Your company has just decided to upgrade from Windows NT 4.0 to Windows Server 2008. You are in charge of designing the Active Directory tree. You have a small company that has only one location. You have determined that you will have approximately 500 objects in your completed tree.

The tree design has been the subject of some controversy. In preliminary meetings, you have determined that

Page 26 of 39

Explanation:

Active Directory tree design can be impacted by many factors, including corporate politics. By creating four OUs, you have given each of the areas the desired autonomy. You can then use the Delegation of Control wizard to give a trained administrator in each OU the ability to perform limited administrative tasks, while giving you control over the remainder of the tree.

Objective(s):


Reference(s):


[ms646-202 #7]

The tree design has been the subject of some controversy. In preliminary meetings, you have determined that there are four primary areas of the company: Accounting, Manufacturing, Sales, and Administration. Each area is autonomous and reports directly to the CEO. In meetings on the Active Directory tree design, the manager of each area wants to make sure that some management control of their users and resources remains in the department.

What should you do?

nmlkji

Create an Organizational Unit object for each department. Train a member of each department to perform limited administrative duties. Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU.

nmlkjCreate an Organizational Unit object for each department and use the Delegation of Control wizard to make the department managers members of the Administrators group.

nmlkj

Create a local group. Add a designated user from each department to the local group. Make the local group a member of the Administrators domain local group, thus giving the designated users the ability to manage the department resources, no matter where the resources are in the tree.

nmlkj

Explain to the managers of each of the departments that best practices for an Active Directory tree of this size suggest that centralized administration is the most efficient method. All network administration will remain within your department.







None



None




None

Page 27 of 39

Explanation:











Reference(s):


[ms646-303 #176]








What should you do?




Page 28 of 39

Explanation:




Objective(s):


Reference(s):


[ms646-502 #76]

Explanation:



policy applies.











Page 29 of 39

3. If the policy was applied to a group, add members to the group.


Objective(s):


Reference(s):


[ms646-303 #23]

Explanation:

Use the Distributed Transactions role to support applications, such as database applications, that perform operations that involve multiple servers. With a transaction, all actions within the group (the transaction) must complete successfully or all actions will be undone.

Use COM+ Network Access to support applications that communicate with each other using the COM+ protocol. Use TCP Port Sharing to enable applications to use the same TCP port for communicating with clients. Use the Windows Process Activation Service to support remote startup and stopping of applications.

Objective(s):


Reference(s):


[ms646-104 #102]


The application server will run a database program that communicates with other database servers. Before committing changes to the database, the server must verify that all changes are complete, and that any related changes made on other database servers have also completed successfully.

Which role service would you add to provide this support?


nmlkj Windows Process Activation Service Support

nmlkji Distributed Transactions


You are a technical consultant for many businesses in your community. One of your clients, a small law firm, has a

Page 30 of 39

Explanation:

Using shadow copies is the best choice for this scenario because it is easy to use and eliminates the need to load media and restore individual files. VSS lets users restore previous versions of files without performing backups or restores. Snapshots of files are taken automatically, allowing you to revert back to older versions of specific files.

Back up files to media other than tape is not a good solution because someone will still need to restore the individual files and use the backup program. Creating a cluster server is also not a good option because the data is identical across each cluster; this solution does not solve the problem.

Objective(s):


Reference(s):


[ms646-503 #83]

Explanation:

You are a technical consultant for many businesses in your community. One of your clients, a small law firm, has a single Windows 2008 Active Directory domain. They have two Windows 2008 servers. Both servers are configured as domain controllers while also serving as file and printer servers.

This client is calling you on a regular basis because users are deleting or damaging their files. You must visit the client's site and restore the files from backup. Your client has asked you to create an alternate solution.

What should you do?

nmlkji Implement shadow copies on the relevant data.

nmlkj Create a cluster server.

nmlkj Train the users how to use the backup program.

nmlkj Enable incremental backups to a media other than tape.




What should you do?





Page 31 of 39



Objective(s):


Reference(s):


[ms646-201 #32]



You configure the policies in the following order:


At 10am you get a call from one of the contractors stating that she cannot gain remote access. You check and find that no contractor has been granted access. You need to modify the configuration to meet the remote access requirements.

What should you do?





None



None

Contractors Deny NightContractors Group membership Dialup connection


6pm to 6am

nmlkj Move the Contractors Allow policy up in the list.

nmlkj Change the constraints in the Contractors Allow policy to 6am to 6pm.

nmlkj Move the Allow Any policy to position 1 in the list of policies.

nmlkji Remove the constraints from the Contractors Deny Night policy and add a condition for 6pm to 6am.

Page 32 of 39

Explanation:

To solve the problem, you should remove the constraints from the Contractors Deny Night policy, and add 6pm to 6am to the conditions. When a connection request matches both conditions, the connection will be denied. If the connection matches only the group membership (but not the time of day), then the second policy will be checked and the connection will be allowed for the contractors.

Moving the Contractors Allow policy up in the list would allow contractors access at any time of the day. The conditions in the first policy would always match regardless of the time of day. Moving the Allow All policy up in the list would cause the same problem. Editing the Contractors Allow policy to add 6am to 6pm to the profile would work only if that profile were at the top of the list.

Reference(s):


[ms646-303 #188]

Explanation:

To enable Srv1 and Srv2 to run applications for remote clients, you must install the Terminal Server role service on both servers. To enable clients to launch applications from a Web browser, use one of the following methods:

� Install the TS Web Access role on each terminal server. � Install the TS Web Access role on a single server, then use Windows Sharepoint Services to redirect incoming

requests to the appropriate terminal server. Because the option in the question did not include Sharepoint in the solution, simply adding the TS Web Access role service to Srv3 would be insufficient to provide a complete solution.

Use the TS Session Broker role service to distribute incoming requests between two or more terminal servers in a terminal server farm. Use the TS Gateway role service to allow connections from the Internet to connect to terminal servers on the private network. While using either service might add to the configuration, neither option would allow clients to launch applications through a Web browser (the TS Web Access role service must be present for this feature to be available).


You want to use Srv1 and Srv2 as terminal servers so that client computers can remotely run applications installed on those servers. Users should be able to open a Web page so they can see a list of available applications to run.

In addition to Srv1 and Srv2, you can also use Srv3 for your solution if necessary.

What should you do?

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Web Server (IIS) role.

nmlkji On Srv1 and Srv2, install Terminal Services with the Terminal Server and TS Web Access role services.

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Terminal Services with the TS Gateway role service.

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Terminal Services with the TS Session Broker role service.

nmlkjOn Srv1 and Srv2, install Terminal Services with the Terminal Server role service. On Srv3, install the Terminal Services with the TS Web Access role service.

Page 33 of 39

Objective(s):


Reference(s):


[ms646-401 #15]

Explanation:



Objective(s):


Reference(s):


[ms646-203 #155]










Page 34 of 39

Explanation:





Objective(s):


Reference(s):


[ms646-303 #51]

Explanation:











nmlkji Oclist



nmlkj Winrs -list

Page 35 of 39



Objective(s):


Reference(s):


[ms646-201 #24]

Explanation:

Add the Line Printer Remote (LPR) Port Monitor feature to allow the server to print to the Line Printer Daemon (LPD) service on a UNIX print server. Add this feature only if the print server is a UNIX print server.

Create a network printer with a Standard TCP/IP printer port to use the LPD protocol if the print server is not on a UNIX system. Add the Line Printer Daemon (LPD) Service to enable UNIX computers or other computers that use the Line Printer Remote (LPR) service to print to printers configured on the server.

Adding the Print Server role service installs the Print Management snap-in. Installing the Internet Printing role service creates a Web site that users can use to print to, share, and manage printers.

Objective(s):


Reference(s):


[ms646-105-402 #129]


You have a UNIX server that is a print server for a high-speed drafting printer. You need to configure a Windows Server 2008 server to be able to sent print jobs to this printer.



nmlkji Add the LPR Port Monitor feature.

nmlkj Add the Print Server role service.


nmlkj Add the LPD Service role service.

Page 36 of 39

Explanation:

To configure who can manage an application, configure IIS Manager Permissions for each application. You can set IIS Manager Permissions for a Web site or an application.

Adding users to the IIS Manager Permissions for the Web site allows users to manage Web site settings. Use Feature Delegation to identify the Web site settings that can be configured. Use NTFS permissions to control access to Web site content stored on disk.

Objective(s):


Reference(s):


[ms646-202 #141]

Explanation:


You add the Web Server role to Srv5. The Web server runs three applications. Each application has been added to the Web site.

You have a different programming team for each application. You want to allow only team members to manage their respective application.

What should you do?

nmlkj Configure IIS Manager Permissions on the Web site.

nmlkji Configure IIS Manager Permissions on each application.

nmlkj Configure NTFS permissions.


You have been put in charge of providing a VPN solution for all members of the Sales team. Sales team members have been issued new laptop computers running Windows Vista Business SP1. All remote access servers run Windows Server 2008.

Salesmen complain that with the previous VPN solution, there were many times that they were unable to establish the VPN solution because the hotel or airport firewalls blocked the necessary VPN ports. You need to come up with a solution that will work in most instances.

Which VPN method should you choose?

nmlkji Secure Socket Tunneling Protocol (SSTP)

nmlkj Internet Protocol Security (IPsec) in tunnel mode

nmlkj Layer Two Tunneling Protocol (L2TP)

nmlkj Point-to-Point Tunneling Protocol (PPTP)

Page 37 of 39

Use Secure Socket Tunneling Protocol (SSTP) for the VPN protocol. SSTP uses SSL which uses port 443. Because SSL is used by many web sites for secure transactions, this port is already opened in most firewalls. SSTP requires Vista SP1 or Windows Server 2008.

PPTP, L2TP, and IPsec require special firewall ports to be opened. While many organizations that provide Internet access have these ports opened, many do not. In situations where you cannot control the firewall ports that are opened, choose SSTP for the broadest support.

Objective(s):


Reference(s):


[ms646-303 #77]

Explanation:



Objective(s):


Reference(s):





What should you do?





Page 38 of 39

Explanation:

To protect the volumes in the event that a single disk fails, you will need to create mirrored (RAID-1) or RAID-5 volumes. For the data volume, create a RAID-5 volume. RAID-5 provides both fault tolerance and improved performance because of data striping. RAID-5 requires a minimum of three disks. Using three disks for the data volume lets you use two disks to create a mirrored volume for the system volume.

Striped (RAID-0) volumes improve performance but do not provide fault tolerance; failure in one drive makes all data in the volume inaccessible. When you create a RAID-5 volume, you cannot partition it into multiple drive letters.

Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #7]

You are planning a storage solution for a new Windows Server 2008 server. The server will be used for file and print services and as a database server. The new server has five hard disks, all with equal capacity.

Your storage solution should meet the following requirements:

� System files should be on a volume separate from data files. � All volumes should be protected so that the server can continue to run in the event of a failure of one of the

disks. � The data volume should be optimized for improved disk access times. � You will use Windows Disk Management to create and manage the volumes.

What should you do?

nmlkjCreate a mirrored volume using two disks for the system volume and a striped volume using three disks for the data volume.

nmlkjCreate a mirrored volume using two disks for the system volume and a mirrored volume using two disks for the data volume. Keep the remaining disk as a spare.

nmlkj Create a RAID-5 volume using four disks for the data volume. Use the remaining disk for the system volume.

nmlkjCreate a RAID-5 volume using five disks. Create two drives on the volume, one for system files and one for data.

nmlkjiCreate a mirrored volume using two disks for the system volume and a RAID-5 volume using three disks for the data volume.





Page 1 of 40

Explanation:




Objective(s):


Reference(s):


[ms646-203 #137]

Explanation:

Make the user a member of the DHCP Administrators group to allow the user to manage all DHCP servers in the domain. Because you only have a single DHCP server, this would effectively limit the user to managing only DHCP on the one server. The DHCP Administrators group cannot authorize servers in Active Directory.

Members of the Domain Admins group can authorize servers in Active Directory, but also get additional permissions throughout the domain. Adding the user to the built-in Administrators group in Active Directory gives the user the ability to manage all domain controllers in the domain. Use the Delegation of Control wizard to assign permissions to Active






You are the administrator for the westsim.com domain. You currently have a single DHCP server that is running on a domain controller.

You want to delegate user MSmith to manage the DHCP server. She should be able to create scopes and modify server settings, but not authorize the server in Active Directory. You want to assign the least amount of permissions as possible.

What should you do?


nmlkj Make MSmith a member of the Domain Admins group.

nmlkj Make MSmith a member of the Administrators built-in group.

nmlkji Make MSmith a member of the DHCP Administrators group.

Page 2 of 40

Directory objects. You would typically run this on an OU to delegate permissions to objects within the OU.

Objective(s):


Reference(s):


[ms646-202 #58]

Explanation:

When using a RADIUS solution, you must configure each remote access server as a RADIUS client. To do this, run the Routing and Remote Access console. Edit the properties of the server and configure it to use the RADIUS server for authentication. Authentication requests are forwarded to the RADIUS server.

Configure network access policies on the RADIUS server. On the RADIUS server, run the Network Policy Server console and identify each remote access server as a RADIUS client. Configure a Remote RADIUS Server group on a RADIUS proxy.

Objective(s):


Reference(s):


[ms646-303 #160]

You manage the remote access solution for your network. Currently you have two remote access servers, RA1 and RA2, with an additional server, RA3, configured as a RADIUS server.

You need to configure RA1 and RA2 to forward authentication requests to RA3.

What should you do?

nmlkj On RA1 and RA2, run the Network Policy Server. Add RA3 as a RADIUS server.

nmlkjOn RA1 and RA2, run the Network Policy Server. Create a Remote RADIUS server group, identifying RA3 as the only member.

nmlkjiOn RA1 and RA2, run Routing and Remote Access. Edit the properties of the server and configure it to use RA3 for authentication.

nmlkjOn RA1 and RA2, run the Network Policy Server. Create a network access policy and specify RA3 as the MS-RAS Vendor.

You are the server manager for the westsim.com domain. You need to install 15 new servers, all running Windows Server 2008. You want to use BitLocker on all new servers.

Your implementation should meet the following requirements:

Page 3 of 40

Explanation:


Use Group Policy to configure each server to automatically generate the recovery key and save the key in Active Directory.

Objective(s):


Reference(s):


[ms646-101 #149]

� Servers should start up automatically without user intervention. � To meet security requirements, USB support must be disabled on each server. � You want to automatically generate recovery keys and store those keys in a central location.

You need to implement a solution to meet the stated requirements. What should you do? (Select two. Each choice is a required part of the solution.)

gfedcb Implement BitLocker with a TPM.

gfedc Implement BitLocker without a TPM.

gfedc Save the recovery key as a password. Store all passwords on a network share.

gfedc Save the recovery key as a file. Store all recovery keys on a network share.

gfedcb Configure Group Policy to store recovery keys in Active Directory.




What should you do?






Page 4 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-202 #83]

Explanation:

The best way to configure the connections is to edit the ports and disable remote access and demand-dial routing for PPTP. This prevents any PPTP connections from being accepted on the server.

You could edit the VPN connection on each client, but this would require more work. By default, clients are configured to use any available VPN protocol. Any clients that were not configured properly could still connect using PPTP. Configuring a remote access policy would not work in this situation because the server is configured as a router, not a remote access server.

Objective(s):


Reference(s):


[ms646-103 #257]

You want to allow Research users to connect to the private network through a VPN connection. Users will connect to the Internet while on the road, then connect through a VPN server to the private network. All users will use laptops that run Windows XP Professional.

You configure a Windows Server 2008 server as a router and configure it to accept VPN connections. During a random check one day, you notice that some connections are using PPTP while others are using L2TP. You want to force all connections to use L2TP.

What should you do?

nmlkj On each client computer, configure L2TP as the VPN connection type.

nmlkj In Routing and Remote Access, edit the PPTP ports and set the number of ports to 0.

nmlkjiIn Routing and Remote Access, edit the Ports node. Disable remote access and demand-dial routing connections for PPTP.

nmlkj In Routing and Remote Access, configure a remote access policy to accept only L2TP connections.

Page 5 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-401 #66]




What should you do?





You are the systems administrator for WestSim Corporation. You have been assigned to set up a new branch office in Tulsa. The branch will be represented by a single domain. The branch office is connected with a T-1 line to the rest of the network.

You install a single DNS server called TulsaDNS and configure a primary zone for the branch office domain. You configure a DHCP server to deliver the IP address for TulsaDNS to network hosts as the primary DNS server.

You test name resolution and find that hosts can only resolve names for hosts within the domain. You need to enable clients in the Tulsa location to resolve names for hosts in other domains within your private network. You need to minimize network traffic across the WAN link.

What should you do?

nmlkj Configure TulsaDNS with root hints.

Configure network clients to use a DNS server located on the rest of the network.

Page 6 of 40

Explanation:

Configure TulsaDNS to use forwarders. When TulsaDNS receives a request for a hostname on another domain, it forwards the request to another DNS server. The TulsaDNS server submits a recursive request so that only the single request and response travels across the WAN link.

Configuring TulsaDNS with root hints pointing to root servers on the rest of the network would enable name resolution. However, TulsaDNS would refer to the root zone servers and perform iterative queries to resolve all host names outside of its own domain. This would result in multiple requests crossing the WAN link to resolve a single host name.

Configuring TulsaDNS as a caching-only server would increase WAN link traffic, as the domain for the Tulsa location would need to be placed on the other side of the WAN link. Name resolution requests for hosts within the domain in Tulsa would need to cross the WAN link once for each host until the server cached the host names of all other hosts.

Objective(s):


Reference(s):


[ms646-103 #78]

nmlkj Configure network clients to use a DNS server located on the rest of the network.

nmlkj Configure TulsaDNS as a caching-only server.

nmlkji Configure TulsaDNS to use forwarders.





directed to Srv5, with the remaining going to the new server. � If one server goes down, all requests should go to the other server. � If the same client computer creates multiple sessions at the same time, all sessions should be created on

the same server.

You install the Web site on the second server and copy the Web site content to the server. You now need to configure a solution to meet the requirements.

What should you do?


nmlkjConfigure both servers in a Network Load Balancing (NLB) cluster. Configure a port rule with the filtering mode set to Single host.


nmlkjiConfigure both servers in a Network Load Balancing (NLB) cluster. Configure a port rule with client affinity set to Single.

Page 7 of 40

Explanation:

For this scenario, use a Network Load Balancing (NLB) cluster. NLB provides both load balancing and failover for application servers. The affinity setting controls whether or not requests from the same client are directed to the same cluster member. A setting of Single ensures that all requests from the same client are directed to the same cluster host.

Configure the filtering mode to specify how the cluster handles the traffic identified by the rule. In this scenario, a setting of Single host for the filtering mode would direct all traffic to one of the servers. Use a setting of Multiple host to distribute the load between multiple servers.

Use a terminal server farm when you need to allow users to launch applications; Terminal Services is not used to provide redundancy and fault tolerance for applications that are running on an application server. Failover Clustering cannot be used because it uses shared storage between servers.

Objective(s):


Reference(s):


[ms646-502 #15]

Explanation:

To allow a user to manage a single GPO, add the user to the Delegation tab for the GPO in the Group Policy Management console.

Adding the user to the Delegation tab on the Group Policy Objects container lets them manage settings in all GPOs. Making the user a member of the Group Policy Creator Owners group, does the same thing. With the Delegation of Control wizard, you can delegate permissions so the user can manage GPO links on an OU. Permissions granted in this way do not allow the user to edit GPO settings.

Objective(s):


Reference(s):


You have created a GPO named AccountingGPO and linked it to the Accounting OU. You want to give John Parker the ability to edit the settings in only that GPO. You want to assign the least amount of permissions as possible.

What should you do?


nmlkj Make the user a member of the Group Policy Creator Owners group.

nmlkji In the Group Policy Management console, add the user to the Delegation tab for the GPO.

nmlkjIn the Group Policy Management console, add the user to the Delegation tab on the Group Policy Objects container.

Page 8 of 40


[ms646-202 #100]

Explanation:





Objective(s):


Reference(s):


[ms646-303 #51]












How should you deploy the service pack to all of the servers using the least administrative effort? (Select two.

Page 9 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-401 #56]

Explanation:

When you share a printer, you can choose to list the printer in Active Directory. Listing the printer in Active Directory makes the printer name and its characteristics appear in Active Directory. Users can then search Active Directory to find the printer by name or by special features (such as location or color support). Listing the printer in Active Directory does not automatically add a printer to client computers. Users must still connect to the printer.

When you deploy a printer using Group Policy, printer objects are automatically created on client computers that point to








You have a Windows Server 2008 server named Print1 that is the print server for 5 shared printers. You have configured a printer object for each printer, and shared each printer.

Your network has several hundred users. You would like users to be able to search for printers based on capabilities such as color, duplex, and other features, and to be able to select the printer that is appropriate for a specific task.

What should you do?

nmlkj In the properties for each printer, enable advanced printing features.

nmlkj Deploy each printer with Group Policy.

nmlkj Enable notifications on the print server properties.

nmlkji List each printer in Active Directory.

Page 10 of 40

the deployed printers. Configure notifications on the print server to notify users when print jobs complete.

Objective(s):


Reference(s):


[ms646-105-402 #162]

Explanation:

Use the Distributed Transactions role to support applications, such as database applications, that perform operations that involve multiple servers. With a transaction, all actions within the group (the transaction) must complete successfully or all actions will be undone.

Use COM+ Network Access to support applications that communicate with each other using the COM+ protocol. Use TCP Port Sharing to enable applications to use the same TCP port for communicating with clients. Use the Windows Process Activation Service to support remote startup and stopping of applications.

Objective(s):


Reference(s):


[ms646-104 #102]


The application server will run a database program that communicates with other database servers. Before committing changes to the database, the server must verify that all changes are complete, and that any related changes made on other database servers have also completed successfully.

Which role service would you add to provide this support?



nmlkji Distributed Transactions

nmlkj Windows Process Activation Service Support

You manage a network with a single location. You have previously deployed a WSUS server in your location to specify the approved list of updates. All client computers are configured to download updates from your local WSUS server.

Members of the Accounting department report that a new system update causes instability with their accounting software. You want to prevent this update from being applied to the accounting department computers, but you still

Page 11 of 40

Explanation:

Use client or server side targeting to create different approval lists for groups of computers. With client side targeting, use a GPO to identify the computer group for the accounting computers. On the WSUS server, create the computer group, and identify the specific approved updates for that group.

Using a second WSUS server for the accounting computers would work as long as the second server was not a replica of the first. When you use a replica, the replica server has the same approval list as the upstream server. In addition, using computer groups and targeting is more efficient than installing another WSUS server.

Use Update Rules to configure rules that are used for automatically approving updates. Update Rules can apply to specific computer groups, but they cannot be used without targeting to supply different updates for different computer groups. Pointing non-accounting computers to Microsoft Update means that these computers will no longer use the approved list of updates.

Objective(s):


Reference(s):


[ms646-301 #15]

software. You want to prevent this update from being applied to the accounting department computers, but you still want to ensure that all other updates are being applied as they should.

What should you do?

nmlkjUnapprove the problematic update on the WSUS server. Configure non-accounting computers to use Microsoft Update instead of the WSUS server.

nmlkj Configure an Update Rule on the WSUS server to exclude the problematic update.

nmlkjConfigure a second WSUS server as a replica to the first WSUS server. Configure accounting computers to use this new server for updates.

nmlkji Configure client side targeting on the WSUS server and computers in the Accounting department.

Due to a recent expansion, your company will add a new division at your location. You have been put in charge of installing Windows Server 2008 on about 15 servers. Most of the servers will use new hardware, but some will be new installations of Windows Server 2008 on existing servers.

You have identified the following different installations:

� Windows Server 2008 Standard edition on both 32-bit and 64-bit systems. � Windows Server 2008 Enterprise edition on 64-bit systems. � Windows Server 2008 Datacenter edition on 64-bit systems.

You decide to use Windows Deployment Services (WDS) to help automate the installation. All servers are PXE-boot capable.

You want to minimize the number of images that you need to create and manage. Which images will you need to create to complete the installation of all required servers?

nmlkji One boot image and two install images

Page 12 of 40

Explanation:

To minimize the number of images:

� Use a single boot image. Using the 32-bit boot image, you can boot both 32-bit and 64-bit systems. When you use a 32-bit boot image on a 64-bit computer, you can still install a 64-bit operating system image.

� Use two install images. Install images are architecture-dependent. If you have both 32-bit and 64-bit systems, you will need at least one install image for each. You do not need separate install images for different server editions, because the default install image includes all versions of the corresponding operating system.

Objective(s):


Reference(s):


[ms646-102 #16]

Explanation:



Objective(s):

nmlkj Two boot images and three install images

nmlkj One boot image and one install image

nmlkj Two boot images and two install images

nmlkj Two boot images and four install images








Page 13 of 40


Reference(s):


[ms646-203 #155]

Explanation:



Objective(s):


Reference(s):


[ms646-503 #49]



What should you do?






You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server 2008 for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain

Page 14 of 40

Explanation:

The proper event to enable is the Logon event. This event type will record when a network logon occurs, such as a domain user connecting to a share on the member server. Link the GPO to the Member Servers OU so that it applies to each member server.

Account Logon events for domain accounts will be recorded on the domain controllers, not the member servers. In short, Account Logon events are generated where the account lives; Logon events are generated where the logon attempt occurs. If you wanted to audit when a domain user account was authenticated to the domain you would enable the Account Logon event in a GPO linked to the Domain Controllers OU.

Object Access must be enabled for a computer before you can enable NTFS or Printer auditing. System events record start-up and shut-down events on a computer.

Objective(s):


Reference(s):


[ms646-303 #31]

servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU.

You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. You want to be able to check each server's log for the events.

What should you do? (Choose two. Each choice is a required part of the solution.)

gfedc Enable the logging of Account Logon events.

gfedcb Enable the logging of Logon events

gfedc Enable the logging of Object Access events.

gfedc Enable the logging of System events.

gfedc Link the GPO to the Domain Controllers OU.

gfedcb Link the GPO to the Member Servers OU.




What should you do?



Page 15 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-203 #23]



Your network has a single Active Directory forest with two domains: eastsim.private and HQ.eastsim.private. Organizational units Accounting, Marketing, and Sales represent departments of the HQ domain. Additional OUs (not pictured) exist in the eastsim.private domain. No other OUs exist in the HQ domain. All user and computer accounts for all departments company-wide are in their respective departmental OUs.

You are in the process of designing Group Policy for the network.

� You create a GPO called AutoEnroll that automatically enrolls user certificates. This GPO should apply to all users in both domains.

� You create a GPO called MyDoc Redirect that redirects the My Documents folder. This GPO should apply to all users in the Accounting department.

� You create a GPO called CustomApp that distributes a custom application. This GPO should apply to all users in the Marketing and Sales departments.

How should you link the GPOs to meet the design objectives? To answer, drag the label corresponding to the GPO to the appropriate boxes.

AutoEnroll GPOAutoEnroll GPO

CustomApp GPO

MyDoc Redirect GPO

Block Inheritance AutoEnroll GPO

No Override

CustomApp GPOMyDoc Redirect GPO

Page 16 of 40

Explanation:

To meet the requirements, link the GPOs as follows:

� Link the AutoEnroll GPO to both the westsim.private and HQ.westsim.private domains. Linking them to the domain means the GPO settings will apply to all users in the domain. GPO settings do not cross domain boundaries, so you need to link the GPO to each domain.

� Link the MyDoc Redirect GPO to the Accounting OU. The GPO will apply only to users in the Accounting OU. � Link the CustomApp GPO to the HQ.westsim.private domain. Then set No Override on the Accounting OU.

Do not apply the GPO to the domain, as this would apply the settings to computers in the Accounting OU as well.

Objective(s):


Reference(s):


[ms646-203 #31]

Explanation:

Audit Directory Service Changes to record the old and new values for changed objects. Auditing the Directory Service Access subcategory records that a change has been made, but does not indicate the old and new values.

Objective(s):


Reference(s):

CustomApp GPO

You manage a single domain named widgets.com. Recently, you notice that there have been several unusual changes to objects in the Sales OU.

You would like to use auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects.

Which directory service auditing subcategory should you enable?

nmlkj Directory Service Replication

nmlkj Detailed Directory Service Replication

nmlkji Directory Service Changes

nmlkj Directory Service Access

Page 17 of 40


[ms646-303 #69]

Explanation:

Configure NTFS permissions to control access to content in virtual directories. For example, grant the Read and Write permissions to a folder that holds the virtual directory content to allow a user to edit that content.

Use IIS Manager permissions to add users to manage a Web site or an application running on the Web site. Configuring permissions is done by adding the user to the Allow list for the Web site or the application. You cannot add a user to a specific virtual directory.

Use Feature Delegation to control whether specific settings, such as authentication or Web site settings, can be modified by users who are IIS Managers.

Objective(s):


Reference(s):


[ms646-202 #133]


You add the Web Server role to Srv5. In the Default Web Site, you create a virtual directory for every department. This virtual directory will be used by the department to maintain a custom intranet for department employees.

You would like to designate one person in each department who can add, delete, and modify files within the virtual directory.

What should you do?

nmlkj Add each department user as an IIS Manager for their respective departmental virtual directory.

nmlkj Add each user as an IIS Manager for the Web site.


nmlkji Configure NTFS permissions on the folder referenced by the virtual directory.




What should you do?


Page 18 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-201 #32]

Explanation:

Add the Online Responder role service to configure and manage Online Certificate Status Protocol (OCSP) validation and revocation checking in Windows-based networks. The online responder maintains revocation lists for multiple CAs, giving clients a single location to check for the status of a certificate. Clients check the status of a single certificate

nmlkji and connect to Srv5.




You manage a large network with its own Public Key Infrastructure (PKI). You use Windows Server 2008 on all certification authority servers. You have an offline standalone root with multiple enterprise subordinate CAs.

Because of the size of your CA solution, you find that managing certificate revocation is becoming difficult. You would like to implement a solution to meet the following requirements:

� A single server will hold all certificate revocation information for all CAs in the hierarchy. � Clients will request certificate status information from the central server. � Clients will submit a request for a single certificate instead of downloading an entire CRL.

You would like to configure the Srv7 server to fulfill these requirements. What are the minimum role services that you should install?

nmlkj Certification Authority and Network Device Enrollment Service

nmlkji Online Responder

nmlkj Certification Authority and Online Responder

nmlkj Certification Authority and Certification Authority Web Enrollment

nmlkj Network Device Enrollment Service

Page 19 of 40

instead of downloading the entire CRL. Microsoft recommends that you add the Online Responder role to a server that is not a CA. The online responder must be running the Windows Server 2008 Enterprise or Datacenter edition.

Add the Certification Authority role service to configure the server as a CA that can issue certificates to other CAs or to users and computers. Add the Certification Authority Web Enrollment role service to allow users to connect to a CA through a Web browser and perform common tasks, such as requesting certificates. Add the Network Device Enrollment Service role service to configure the server as a registration authority (RA) that can submit certificate requests for non-Microsoft devices.

Objective(s):


Reference(s):


[ms646-103 #155]

Explanation:

Add the Online Responder role service to configure the server to use the Online Certificate Status Protocol (OCSP) to respond to certificate status requests. To add the Online Responder role service, the server must be running Windows Server 2008 Enterprise edition. Microsoft recommends that the Online Responder role should not be added to a server that is a CA, although this configuration is possible.

Add the Network Device Enrollment Service role service to configure the server as a registration authority (RA) that can submit certificate requests for non-Microsoft devices.

Objective(s):


You manage a large network with its own Public Key Infrastructure (PKI). You have decided to implement the Online Responder role on your network.

You have the following servers available:

You would like to configure Srv8 with the Online Certificate Status Protocol (OCSP). What should you do?


Srv5 Windows Server 2008 Standard Standalone root CA



Srv8 Windows Server 2003 StandardDHCP DNS

nmlkji Upgrade to Windows Server 2008 Enterprise edition. Add the Online Responder role service.

nmlkj Add the Certification Authority and Online Responder role services.

nmlkjUpgrade to Windows Server 2003 Enterprise edition. Add the Network Device Enrollment Service role service.

nmlkj Add the Online Responder role service.

Page 20 of 40

Reference(s):


[ms646-103 #173]

Explanation:

Use Network Access Protection (NAP) to regulate network access or communication based on a computer's compliance with health requirement policies. When you configure NAP, you define health requirements, such as the presence of security updates or antivirus software, that must be met before a full connection to the network is allowed. For computers that are not compliant with the health requirements, you can create a limited access quarantine network. This network can contain servers and other resources that the computer can use to become compliant.

Use Windows Server Update Services (WSUS) to approve product updates for client computers. While you can use WSUS to make sure that all computers have the latest patches installed, you cannot use WSUS to deny access to the network. Use a Software Installation policy to make software automatically available to computers or users. Use a Software Restriction policy to prevent running specific software.

Objective(s):


Reference(s):


[ms646-103 #7]

Several employees in your company have personal laptop computers that they bring to work and connect to the company network. Because they often use these laptops while traveling or to help them do their jobs, you can't prevent them from connecting to the network. However, you are concerned that many of these computers don't have the latest security patches installed.

You want to implement a solution so that computers are checked for the latest security updates as they connect to the network. If the required updates are missing, you want to prevent these computers from having full access to the private network.

What should you do?

nmlkj Configure Software Restriction Policies in Group Policy.

nmlkj Configure a Software Installation policy in Group Policy.

nmlkji Implement Network Access Protection (NAP) with a quarantine network.

nmlkj Configure Windows Server Update Services (WSUS) with Automatic Updates.



What should you do?

Page 21 of 40

Explanation:




Objective(s):


Reference(s):


[ms646-302 #47]

Explanation:









What should you do?





Page 22 of 40


Objective(s):


Reference(s):


[ms646-302 #23]

Explanation:

Because the settings you want to copy include user rights and security options, you can copy an existing GPO or import settings from a backup of another GPO.

Starter GPOs only contain Administrative Template settings, not other GPO settings such as software installation, user rights, or security options. .admx files are templates that identify possible Administrative Template settings; the files do not contain specific settings. You can only restore a GPO to the same GPO that was backed up.

Objective(s):


Reference(s):


[ms646-203 #85]

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs.

As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings.


gfedcbCreate GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs.

gfedcCreate custom .admx files with the necessary settings. Copy these files to the central store. After creating the GPO, import the settings from the .admx files.

gfedcCreate GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, restore one of the backed up GPOs.

gfedc Create starter GPOs. When creating new GPOs, select the appropriate starter GPO.

gfedcb Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.

Page 23 of 40

Explanation:







Objective(s):


Reference(s):


[ms646-502 #7]






What should you do?






Your company has developed a custom application that runs in four instances on Srv6. You want to configure the

Page 24 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-401 #84]


What should you do?





You are the server administrator for the westsim.com domain. You manage a network with a main office and a branch office. The main office has an Internet connection, but the branch office does not. The branch office is not connected to the main office.

You would like to use WSUS for supplying updates to computers in the main office and the branch office. Your solution should meet the following requirements:

� All updates are to be approved on a WSUS server in the main office. � Computers in the main office are to download approved updates from the WSUS server in the main office. � Computers in the branch office are to download approved updates from a WSUS server in the branch

office.

How should you configure the WSUS server in the branch office?

nmlkjiConfigure approvals on the main office server. Export the settings from the main office server to removable media, then import the settings to the branch office server.

nmlkjConfigure the branch office server as a downstream server to the main office server. Do not store updates locally on the branch office server.

nmlkjConfigure the branch office server to synchronize with Microsoft Updates. Do not store updates locally on the branch office server.

nmlkjConfigure the branch office server as a downstream server to the main office server. Store updates locally on the branch office server.

Page 25 of 40

Explanation:

Because the branch office does not have an Internet connection or a connection to the branch office, you must configure settings on the main office server, export the settings (including the updates), then import those settings on the branch office server.

You can't configure the branch office server as a downstream server because it can't communicate with the main office server. You must store updates locally on the branch office server because clients will not be able to communicate with Microsoft Update to download the approved updates.

Objective(s):


Reference(s):


[ms646-301 #48]

Explanation:





Objective(s):









Page 26 of 40

Reference(s):


[ms646-303 #23]

Explanation:

To support failover clustering, use either the Enterprise or Datacenter editions. The Standard edition or a Server Core installation does not support failover clustering.

Objective(s):


Reference(s):


[ms646-101 #84]


� 32 GB RAM � One quad-core Intel-VT processor � 10 GB mirrored hard disk for the system partition

You will use this server to add the DHCP server role and configure the server in a failover cluster with two nodes.



nmlkj Enterprise or Datacenter edition, Server Core installation

nmlkj Standard edition, standard installation

nmlkji Enterprise or Datacenter edition, standard installation

nmlkj Standard edition, Server Core installation




What should you do?



Page 27 of 40

Explanation:




Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #16]

Explanation:

To add a role to an existing server core installation, run Ocsetup. To add the DNS server role, use a command as follows:

start /w ocsetup DNS-Server-Core-Role

Use ServerManagerCMD to manage a non-Server Core installation from the command prompt; ServerManagerCMD does not work on a Server Core installation. Use Setup.exe to install Windows 2008. Use Dnscmd to manage DNS after the role is installed, such as creating zones and DNS records. Use Dnslint to verify DNS records for a domain, such as to troubleshoot incorrect delegation.

Objective(s):




You have a Windows Server 2008 server that has Windows Server core installed. You would like to add the DNS server role to this server.

What should you do?

nmlkj At a command prompt, run Dnslint.

nmlkji At a command prompt, run Ocsetup.

nmlkj Insert the Windows Server 2008 DVD. At a command prompt, run Setup.exe.

nmlkj At a command prompt, run ServerManagerCMD.

nmlkj At a command prompt, run Dnscmd.

Page 28 of 40


Reference(s):


[ms646-201 #7]

Explanation:

To configure the Distributed File System (DFS) to meet the requirements:

� Create a domain-based namespace with both Srv5 and a server in the branch office as namespace servers. If only Srv5 was a namespace server, all data within the namespace would not be accessible if Srv5 went down.

� Create folder targets on both Srv5 and a server in the branch office. In this way, if one of the servers went down, the data would still be accessible on the other server.

� Configure DFS replication between the two servers. This keeps data synchronized between the folder targets. Using DFS instead of FRS replication minimizes network traffic caused by replication.

A stand-alone namespace can only have a single namespace server.

Objective(s):


Reference(s):


You have recently opened a branch office. The branch office is connected to the main office by a WAN link. Members of the Sales team work out of both the main office and the branch office.

Currently, Sales team data is stored on Srv5 in the main office. Srv5 is running Windows Server 2003 R2.

You would like to provide a solution to make this data available in the branch office. Your solution should meet the following requirements:

� For redundancy, data should be stored on a server in both locations. � Changes made to the data on one server should be replicated to the other server. � If one of the servers goes down, data should be accessible from the other server. � WAN traffic caused by replication should be minimized.


gfedc Configure DFS to use FRS replication.

gfedcConfigure DFS with a domain-based namespace on Srv5 with folder targets pointing to the existing data. Configure folder targets on a server in the branch office.

gfedcb Configure DFS to use DFS replication.

gfedcConfigure DFS with a stand-alone namespace on Srv5 with folder targets pointing to the existing data. Configure folder targets on a server in the branch office.

gfedcb

Configure DFS with a domain-based namespace on Srv5 with folder targets pointing to the existing data. Configure a server in the branch office as a namespace server. Configure folder targets on the branch office server.

Page 29 of 40

[ms646-105-402 #47]

Explanation:




Objective(s):


Reference(s):


[ms646-203 #102]











You manage a Windows Server 2008 server that is used to hold user data files. You have previously configured several scheduled backups in Windows Server Backup.

A user comes to you wanting a file restored from a recent backup. You check your backup media and find you have a DVD from today. You also have a hard disk with a backup taken last night, but that disk is stored in an offsite location.

Page 30 of 40

Explanation:

To recover only the missing file, you will need a backup on disk or shared folder. When restoring backups on DVD, the entire volume must be restored. Going and getting the disk would likely be faster and less disruptive than restoring the entire volume.

Run wbadmin start sysrecovery to start a full system restore.

Objective(s):


Reference(s):


[ms646-503 #91]

offsite location.

You need to restore the file as soon as possible with the least disruption on other users.

What should you do?

nmlkj Go get the hard disk with last night's backup. Run wbadmin start sysrecovery using the backup on the disk.

nmlkj Run the Recovery Wizard using the backup on the DVD.

nmlkj Run wbadmin start sysrecovery using the backup on the DVD.

nmlkji Go get the hard disk with last night's backup. Run the Recovery Wizard using the backup on the disk.

You are the network administrator of a network with 90 workstations on a single subnet. Workstations are running either Windows XP Professional or Windows Vista Business.

All client computers are configured to receive IP address assignments using DHCP. A single Windows 2008 server called SRV1 provides DHCP services and is configured with a single scope: 194.172.64.10 to 194.172.64.254.

You want to add a second DHCP server for redundancy and fault tolerance. The existing DHCP server should assign most of the addresses, while the second server will be primarily a backup. You want the two servers to work together, efficiently, to assign the available addresses. However, you want to do this while using Microsoft’s best practices and with as little administrative overhead possible.

You install a Windows 2008 Server named SRV2 as the secondary server and configure it with the DHCP service.

How should you configure the scopes on both servers?

nmlkjOn SRV1, set the scope range to 194.172.64.10 to 194.172.64.206. On SRV2, set the scope range to 194.172.64.207 to 194.172.64.254.

nmlkjiOn both servers, set the scope range to 194.172.64.10 to 194.172.64.254. On SRV1, exclude addresses 194.172.64.206 to 194.172.64.254. On SRV2, exclude addresses 192.172.64.10 to 192.172.64.205.

nmlkj On both servers, set the scope range to 194.172.64.10 to 194.172.64.254.

nmlkjOn SRV1, set the scope range to 194.172.64.10 to 194.172.64.206. On SRV2, set the scope range to 194.172.64.206 to 194.172.64.254.

Page 31 of 40

Explanation:

On both servers, set the scope range to 194.172.64.10 to 194.172.64.254. On the main server, exclude addresses 194.172.64.206 to 194.172.64.254. On the second server, exclude addresses 192.172.64.10 to 192.172.64.205. This is called the 80/20 rule. When two DHCP servers exist on the same subnet, they can provide fault tolerance for all the seats on the subnet. If one server becomes unavailable, the second can take up the slack. When applying the 80/20 rule, one server will be assigned 80 percent of the addresses and the second will be assigned the remaining 20 percent. That is, both will be assigned the same scope but addresses will be excluded based on the percentage. This allows for efficient assignment of addresses.

There are a number of problems with assigning separate scopes to both servers or giving them the same scope but not excluding any addresses. When separate scopes are configured, one server will not take over for the other should one go down because it would fall, literally, outside its scope. Just sharing one IP address between them will make no real difference, their scopes need to be the same.

However, giving them both the same scopes without excluding addresses would not be the most efficient way to assign addresses when both servers are up and running (which should be most of the time). It certainly wouldn’t be considered a Microsoft best practice. It is the excluded addresses that need to be different.

Objective(s):


Reference(s):


[ms646-103 #15]

Explanation:

To access an encrypted volume when the drive is moved to another computer, use the recovery key that was created on the original computer (in this case ServerA).

The startup key is used to prevent system startup when the startup key is not present. To boot ServerB, use the startup key for ServerB. The startup key for ServerA can only be used to boot ServerA, and cannot be used for volume recovery.

You are the server manager for the westsim.com domain. You have previously installed Windows Server 2008 on two new servers, ServerA and ServerB. You configure both servers with BitLocker. Both servers have a TPM installed.

Because of a hardware failure, ServerA will not boot. You need to access the data on the drive where BitLocker was enabled as quickly as possible.

What should you do?

nmlkjMove the hard disk from ServerA to ServerB. Insert the USB drive containing the startup key from ServerA and reboot ServerB.

nmlkjMove the hard disk from ServerA to ServerB. Insert the USB drive containing the startup key from ServerB and reboot ServerB.

nmlkjMove the hard disk from ServerA to ServerB. Use the recovery key from ServerB to gain access to the encrypted volume.

nmlkjiMove the hard disk from ServerA to ServerB. Use the recovery key from ServerA to gain access to the encrypted volume.

Page 32 of 40

Objective(s):


Reference(s):


[ms646-101 #125]

Exhibit

Click the Exhibit button and use the graphic to answer the following question.

Exhibit

You are the administrator for WestSim Corporation. The network has a single domain, westsim.com, running at Windows 2003 functional level. Five domain controllers, all running Windows 2008 server, are located on the network.

The Active Directory Structure is shown in the Exhibit. All user and computer accounts have been placed in the department OUs.

Main offices are located in Orlando, with additional offices in Boston and New York and a small branch office in Chicago. There are three departments within the company: Sales, Marketing, and Accounting. Employees from each department are at each location.

You want to appoint an employee in each department to help with changing passwords for users within their department. They should not be able to perform any other tasks.

What should you do?

nmlkj Use the Delegation of Control wizard. Grant each user administrator all permissions for their department OU.

nmlkj Grant each user administrator Read and Change permissions to their department OU.

nmlkjiUse the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for their department OU.

nmlkjUse the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for the domain.

Page 33 of 40

Explanation:

In this scenario, use the Delegation of Control wizard to grant each user administrator permissions to modify passwords for their department OU. This allows each administrator to only modify the passwords for user accounts within their department.

Do not grant the administrators permissions to the domain as this would allow them to modify passwords for all users, even those not in their department. Do not grant the Allow Change permission as this would permit administrators to change many more properties than just the passwords for user objects.

Objective(s):


Reference(s):


[ms646-202 #23]

You manage certificate services for the northsim.com domain. You have a single CA named CA1 that is an enterprise root CA.

You want client computers to request information for the status of a single certificate instead of receiving a list of all revoked certificates for a CA.

What should you do?

nmlkj Configure CA1 to use partitioned CRLs.

nmlkj Configure the Web Enrollment service on CA1.

nmlkj Configure CA1 to use delta CRLs.

nmlkji Configure the Online Responder service on CA1.

nmlkj Configure the Network Device Enrollment Service on CA1.

Page 34 of 40

Explanation:

Adding the Online Responder service configures the server to use the Online Certificate Status Protocol (OCSP), which allows it to respond to requests for information about the status of a single certificate. Clients query the OCSP server about the status of the certificate rather than downloading the entire CRL. You can install the online responder on a CA or on a server running Windows Server 2008.

Using delta CRLs, differential changes to the base CRL are published in an updated CRL. The client downloads the base CRL and the latest delta CRL. The delta CRL is smaller than the base CRL, and creates smaller updates to the CRL. However, both the base and the delta CRL contain information about multiple certificates.

A partitioned CRL is a CRL that contains a subset of the base CRL. For example, the partitioned CRL might contain only user or computer certificates. Windows CAs do not support partitioned CRLs.

Use the Web Enrollment service to allow users to request certificates through a Web browser. Use the Network Device Enrollment Service (NDES) to allow non-domain devices (such as routers) to request a certificate.

Objective(s):


Reference(s):


[ms646-103 #146]

Explanation:

You can use a single physical server running a 64-bit version of Windows Server 2008. You can then install both 32-bit and 64-bit virtual machines running on the same host computer.

Your configuration will have two child partitions. Each server has a single parent partition where the first installation of Windows Server 2008 runs. Virtual machines each run in their own child partition.

Objective(s):

You are the server administrator for the westsim.com domain. Your company runs two custom applications on application servers. One application requires a 32-bit installation of the operating system, while the other installation requires a 64-bit operating system install.

You want to create two virtual machines, one for each application. The application should run in a virtual machine on the physical computer and not in the management installation.

You want to use the least number of physical servers as possible.

What should you do?

nmlkji Use one physical server with one parent partition and two child partitions.

nmlkj Use two physical servers, each with one parent partition and one child partition.

nmlkj Use one physical server with one parent partition and one child partition.

nmlkj Use two physical servers, each with a single parent partition.

Page 35 of 40


Reference(s):


[ms646-104 #24]

Explanation:

The main issue in this scenario is that the domain controller must be reconnected to the network before the tombstone lifetime expires. Make sure the tombstone lifetime is greater than 90 days. Although the default for Windows Server 2008 is 180 days, you should verify that the default setting has not been changed.

Objective(s):


Reference(s):


[ms646-503 #123]

You are the server administrator for a non-profit organization with a single domain. All domain controllers run Windows Server 2008.

Your organization has recently started providing services to a small village in a remote location.

You configure a read-only domain controller in your main offices, and then package the server to be shipped to the remote location. The server will be sent with the team of workers as they travel to the remote location.

Once there, they will set up the server and connect it to a satellite phone. Connectivity with the rest of the network will only be established every 10 days. Because of the travel schedule, you expect that the server might not arrive and make connection back to the main network for 60-90 days.

What should you do to prepare the server?

nmlkji Make sure the tombstone lifetime is greater than 90 days.

nmlkj Make sure the tombstone lifetime is less than 10 days.

nmlkjRun Ntdsutil to take a snapshot of Active Directory as it existed when installed on the server. Send a copy of the snapshot with the server.

nmlkjRun Wbadmin to take a backup of the system state data to disk. Save this backup on a second disk on the server.

Recently you had a security incident where a user had a laptop that was infected with a virus. She connected her laptop to the corporate network, and the virus ran and deleted hundreds of files on the network before it was stopped.

You would like to implement a solution to reduce the chance of this happening again. Your solution should meet the following requirements:

All computers that connect to the network must have anti-virus software installed.

Page 36 of 40

Explanation:

Network Access Protection (NAP) is a collection of components that allow administrators to regulate network access or communication based on a computer's compliance with health requirement policies. NAP gives you the ability to restrict access for non-compliant computers as well as to provide access to updates or health update resources to allow computers to become compliant. With NAP, use 802.1x enforcement for both wired and wireless clients. Configure VLANs on switches to define NAP networks.

Use IPsec enforcement to require encrypted communications using IPsec in addition to health compliance. When using IPsec, you must also add the Health Registration Authority role service.

Use Active Directory Certificate Services (AD CS) to configure certificates for the network. The Online Responder role service provides a way to centralize certificate status and revocation information. The Network Device Enrollment Service makes it possible for software running on network devices such as routers and switches (which cannot otherwise be authenticated on the network) to enroll for certificates from a certificate authority.

Objective(s):


Reference(s):


[ms646-103 #129]

� All computers that connect to the network must have anti-virus software installed. � All computers that connect to the network must have the latest security updates installed. � You will use switches to create separate VLANs for the private network and for computers that do not meet

the connection requirements. � Computers that do not meet the connection requirements should have access to servers where the anti-

virus software and updates can be downloaded.

What should you do?

nmlkji Implement Network Access Protection (NAP) with 802.1x enforcement

nmlkj Implement Active Directory Certificate Services (AD CS) with an online responder

nmlkj Implement Network Access Protection (NAP) with a Health Registration Authority and IPsec enforcement

nmlkj Implement Active Directory Certificate Services (AD CS) with the Network Device Enrollment Service


You would like to be able to manage your servers from your laptop, even when you are traveling or at home. Your solution must meet the following requirements:

� You need to be able to connect to the servers through the Internet. � You want to see the server desktop so you can run Server Manager and other administration tools on the

servers. � Only you should be able to connect remotely, and you should only be able to connect to the servers and no

other computers. � Your company firewall only allows ports 80 and 443.

What should you do?


Page 37 of 40

Explanation:

Use TS Gateway to allow Remote Desktop connections through the Internet using port 443. From your laptop, you connect to the TS Gateway server. On the TS Gateway server, you configure TS RAPs and TS CAPs to identify which users can connect and the resources (servers) they can connect to.

To use the Remote Server Administration Tools (RSAT) tools, you will need to open the corresponding firewall ports to allow the necessary tools to communicate. Windows Remote Shell uses port 443, but is a command prompt administration tool.

Use Oclist to see a list of installed roles on a Server Core installation. Use ServerManagerCMD to manage the server from a command prompt.

Objective(s):


Reference(s):


[ms646-201 #49]

Explanation:

Use the Group Policy Management console to back up GPOs and starter GPOs. You can create a backup that contains all GPOs, but you must back up starter GPOs separately.

A system state backup includes everything necessary to restore all of Active Directory. You cannot use webadmin to back up an individual folder. Even if you could, there would be extra content in the backup in addition to the GPO and starter GPO data.


nmlkj Install the Remote Server Administration Tools (RSAT) tools on your laptop.

nmlkj Run Ocsetup on each server. Run ServerManagerCMD on your laptop.

nmlkj Run Winrm quickconfig on each server. Run Winrs on your laptop to connect to each server.

You manage the network for the eastsim.com domain. You have three domain controllers, all running Windows Server 2008.

You have created several Group Policy objects (GPOs) for your domain and various OUs. You have also enabled the Administrative Templates central store.

You want to take a backup of GPO and starter GPOs. You want to perform as few backups as possible, and the backup should contain these items and as little else as possible.

What should you do?

nmlkji In Group Policy Management, back up all GPOs. Back up all starter GPOs separately.

nmlkj In Group Policy Management, create a backup that includes all GPOs and starter GPOs.

nmlkj Run wbadmin and back up the Sysvol folder.

nmlkj Run wbadmin and take a system state backup.

Page 38 of 40

Objective(s):


Reference(s):


[ms646-203 #7]

Explanation:

Create a domain-based namespace in Windows 2008 mode. To filter the list of files that users see when accessing the shared folders, you will need to use access-based enumeration. Windows 2008 mode is necessary to support access-based enumeration. Servers must be running Windows Server 2003 R2 or Windows Server 2008 to support Windows 2008 mode.

You do not need to upgrade Srv2 to support Windows 2008 mode in DFS.

Objective(s):


Reference(s):


[ms646-105-402 #59]

You have been assigned to design a Distributed File System (DFS) solution for the Sales and Accounting departments. You have identified two servers that you can use:

� Srv1 runs Windows Server 2008 Enterprise edition � Srv2 runs Windows Server 2003 R2 Standard edition

Your solution should meet the following requirements:

� Srv2 will be the namespace server. Srv1 will not be a namespace server. � Folders for both the Sales and Accounting departments will be replicated between both servers. � When connecting to the folder target, users should only see the files and folders that they have sufficient

NTFS permissions to access.

You need to configure the solution with the least amount of effort possible while meeting the requirements. What should you do?

nmlkj Create a stand-alone namespace.


nmlkji Create a domain-based namespace in Windows 2008 mode.


nmlkj Create a domain-based namespace in Windows 2000 mode.

nmlkj Upgrade Srv2 to Windows Server 2008. Create a stand-alone namespace.

Page 39 of 40

Explanation:



Objective(s):


Reference(s):


[ms646-103 #181]










Page 40 of 40

[ms646-401 #66]

Explanation:

To protect the volumes in the event that a single disk fails, you will need to create RAID-1 or RAID-5 volumes. To improve performance in addition to providing fault tolerance, configure a RAID-5 volume. RAID-5 uses striping with parity. Striping improves performance by saving files across all disks in the array. Parity provides fault tolerance by saving parity information on each disk; if a disk fails, the lost data can be recovered using the parity information.

A RAID-0 volume is a striped volume; it improves performance but does not provide fault tolerance. A RAID-1 volume is a mirrored volume; it provides fault tolerance but does not improve performance.

Objective(s):

501. Plan storage.

Reference(s):


[ms646-501 #32]

You are getting ready to install a new Windows Server 2008 server as a file and print server.

You would like to implement a storage solution for the new server such that the system volume remains available in the event of a single disk or disk controller failure. If possible, you would also like to improve disk access performance.

How should you configure the data volume?

nmlkj Install three hard disks on the same controller. Create a RAID-5 volume.

nmlkj Install two hard disks, each on a different controller. Create a RAID-1 volume.

nmlkji Install three hard disks, each on a different controller. Create a RAID-5 volume.

nmlkj Install three hard disks on the same controller. Create a RAID-0 volume.

nmlkj Install two hard disks on the same controller. Create a RAID-1 volume.

nmlkj Install three hard disks, each on a different controller. Create a RAID-0 volume.

Page 39 of 39