Exam : Title : PRO: Windows Server 2008, Enterprise Administrator Ver :

Exam: 070-647
Title: PRO: Windows Server 2008, Enterprise Administrator
Ver: 06-26-2008

QUESTION 1

You are an enterprise administrator for Certkiller. The company has a head office in San Diego and a branch office in New York. The corporate network of Certkiller consists of an Active Directory forest having two domains, Certkiller.com and Branch.Certkiller.com, for the head office and the branch office respectively. All the servers on the corporate network run Windows Server 2008 and both offices hold their respective domain controllers at their physical office locations. The two domain controllers at Certkiller.com are called Certkiller Server1 and Certkiller Server2 and the two domain controllers at Branch.Certkiller.com are called Certkiller Server3 and Certkiller Server4. All domain controllers host Active Directory-integrated DNS zones for their respective domains. As an enterprise administrator of the company, you have been assigned the task to ensure that users from each office can resolve computer names for both domains from a local DNS server. Which of the following options would you choose to accomplish this task?

A. Add the Certkiller.com and the Branch.Certkiller.com DNS zones to the ForestDNSZones partition.
B. Create a stub DNS zone for Certkiller.com on Certkiller Server3 and a stub DNS zone for Branch.Certkiller.com on Certkiller Server1.
C. Create a standard primary DNS zone named Certkiller.com on Certkiller Server3 and a standard primary DNS zone named Branch.Certkiller.com on Certkiller Server1.
D. Configure conditional forwarders on Certkiller Server1 to point to Certkiller Server3 and conditional forwarders on Certkiller Server3 to point to Certkiller Server1.
E. None of the above.

Answer: A

To ensure that users from each office can resolve computer names for both domains from a local DNS server, you need to add the Certkiller.com and the Branch.Certkiller.com DNS zones to the ForestDNSZones partition because the ForestDNSZones directory partition can be replicated among all domain controllers (DCs) located in both the domains Certkiller.com and Branch.Certkiller.com in the forest of the company. This is because all the domain controllers have the DNS service installed. Once the DNS zone data is replicated, the users from each office can resolve computer names for both domains from their local DNS server. A stub zone cannot be used because it is used to resolve names between separate DNS namespaces. A standard primary DNS zone cannot be used because the DNS server in this type of zone contains the only writable copy of the DNS zone database files. There can be only one standard primary DNS server for a particular zone. A conditional forwarder cannot be used because it handles name resolution only for a specific domain.

Reference: What causes the error I receive in the event log when I attempt to replicate the ForestDNSZones directory partition?
http://windowsitpro.com/article/articleid/43165/q-what-causes-the-error-i-receive-in-the-event-log-when-iattem

Reference: Understanding stub zones
http://207.46.196.114/windowsserver/en/library/648f2efd-0ad4-4788-80c8-75f8491f660e1033.mspx?mfr=true

Reference: DNS Conditional Forwarding in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/dns_conditional_forwarding_in_windows_server_20 0

QUESTION 2

You are an enterprise administrator for Certkiller. The company has a head office and three branch offices. Each office has a Windows Server 2008 server running with a DNS role installed on it. All the branch offices consist of Windows 2000 Professional client computers installed on their networks. As an enterprise administrator of the company, you have been assigned the task to deploy Active Directory Domain Services (AD DS) on the corporate network of the company. You also need to plan the implementation of a name resolution solution for the deployment of AD DS that supports secure dynamic updates and minimizes the response times for users connecting to resources anywhere on the network. Which of the following options would you include in your plan to accomplish this task?

A. Implement GlobalNames zone (GNZ) for the forest.
B. Implement a single Active Directory-integrated (ADI) DNS zone.
C. Create a stub zone on the DNS server in each branch office.
D. Create a standard primary zone in the head office and the secondary zones in branch offices.
E. None of the above.

Answer: B

To deploy Active Directory Domain Services (AD DS) on the corporate network of the company with the given requirements, you need to implement a single Active Directory-integrated (ADI) DNS zone. An Active Directory-integrated (ADI) primary DNS zone enables built-in recovery, scalability, and performance. An ADI zone is a writeable copy of a forward lookup zone that is hosted on a domain controller. It can therefore reduce the response times for users connecting to resources anywhere on the network, and because it uses directory-integrated storage it also simplifies dynamic updates for DNS clients that are running Windows 2000. None of the other options can be used to meet the desired objectives.

Reference: From the Windows 2000 Resource Kit
http://windowsitpro.com/article/articleid/76616/jsi-tip-5312-when-you-change-your-dns-active-directoryintegra

Reference: ACTIVE DIRECTORY ADMINISTRATION TIPS
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1115858,00.html

QUESTION 3

You are an enterprise administrator for Certkiller. The company has a head office and a branch office located at different physical locations. The corporate network of the company consists of a single Active Directory domain. Both offices of the company run Windows Server 2008 servers and have 2,000 client computers configured as DHCP clients, without DHCP relay supported on the network routers. As an enterprise administrator of the company, you have been assigned the task to configure a DHCP addressing solution for both offices that would minimize the traffic between the offices and is available in case any one of the DHCP servers fails. Which of the following options would you choose to accomplish this task?

A. Install two DHCP servers, one in the head office and the other in the branch office, and make sure that both the DHCP servers have two scopes.
B. Install a DHCP instance on a two node failover cluster in each office, the head office and the branch office.
C. In the head office, install a DHCP server and in the branch office, install a DHCP Relay Agent.
D. In the head office, install a DHCP instance on a two node failover cluster and in the branch office, install a DHCP Relay Agent.
E. None of the above.

Answer: B

To configure a DHCP addressing solution for both offices that would minimize the traffic between the offices and is available in case any one of the DHCP servers fails, you need to install a DHCP instance on a two node failover cluster in each office, the head office and the branch office. The two node failover cluster in each office will ensure that the DHCP server is always available even if one of the DHCP servers fails. Because DHCP relay is not supported on the network, both offices need to have a separate DHCP failover clustering solution. Having two scopes on the DHCP servers will not help because DHCP relay is not supported on the network. Installing a DHCP server in the head office and a DHCP Relay Agent in the branch office, or installing a DHCP instance on a two node failover cluster in the head office and a DHCP Relay Agent in the branch office, will not help because this solution would increase the traffic between the offices in case any one of the DHCP servers fails.

Reference: Step-by-Step Guide for Configuring Two-Node File Server Failover Cluster in Windows Server 2008
http://209.85.175.104/search?q=cache:9u-snewiutgj:download.microsoft.com/download/b/1/0/b106fc39-936c-

Reference: DHCP Relay Agent Overview
http://www.tech-faq.com/dhcp-relay-agent.shtml

QUESTION 4

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory forest that contains 25 domains. All the DNS servers on the corporate network run Windows Server 2008. The users on the corporate network use NetBIOS names to connect to the network applications in all the domains. Currently the network is configured with IPv4 addressing. As an enterprise administrator of the company, you have been assigned the task to migrate the network to an IPv6-enabled only network without affecting any client computer. Which of the following options would you choose to accomplish this task?

A. Configure GlobalNames zones on the DNS servers running Windows Server 2008.
B. Add all domain zones to the ForestDNSZones partition on the DNS servers running Windows Server 2008.
C. Create a new server running Windows Server 2008 and configure a WINS server on it.
D. Create a new server running Windows Server 2003 and configure a WINS server on it.
E. None of the above.

Answer: A

To migrate the network from IPv4-enabled to an IPv6-enabled only network without affecting any client computer, you need to configure GlobalNames zones on the DNS servers running Windows Server 2008. To help customers migrate to DNS for all name resolution, the DNS Server role in Windows Server 2008 supports a special GlobalNames Zone (also known as GNZ) feature. The client and server name resolution depends on DNS. A DNS client is able to resolve single-label names by appending an appropriate list of suffixes to the name. The correct DNS suffix depends on the domain membership of the client but can also be manually configured in the advanced TCP/IP properties for the computer. The problem occurs when managing a suffix search list when there are many domains. For environments that require both many domains and single-label name resolution of corporate server resources, GNZ provides a more scalable solution. GNZ is designed to enable the resolution of the single-label, static, global names for servers using DNS. WINS cannot be used because it does not support IPv6 protocols and both are entering legacy mode for Windows Server 2008. The ForestDNSZones partition cannot help to migrate an IPv4-enabled network to an IPv6-enabled only network.

Reference: Understanding GlobalNames Zone in Windows Server 2008
http://www.petri.co.il/windows-dns-globalnames-zone.htm

Reference: Using GlobalNames Zone in Windows Server 2008
http://www.petri.co.il/using-globalnames-zone-window-server-2008.htm

QUESTION 5

You are an enterprise administrator for Certkiller. The company has a head office and two branch offices. The corporate network of Certkiller consists of a single Windows Server 2008 Active Directory domain called Certkiller.com. The DNS Service is installed on the member servers of the Certkiller.com domain and all the domain controllers and DNS servers for the Certkiller.com domain are located in the head office. As an enterprise administrator of the company, you have been assigned the task to deploy two new Active Directory domains named branch1.Certkiller.com and branch2.Certkiller.com in the branch offices. To accomplish this task, you installed a DNS server in each branch office. Which of the following actions would you perform next to prepare the environment for the installation of the new domains? (Select three. Each selected option will form a part of the answer.)

A. Configure a delegation subdomain DNS record on the main office DNS server for each new domain.
B. Create a new standard primary zone on each branch office DNS server for the new domains.
C. Create a new stub zone on each branch office DNS server for the new domains.
D. Configure forwarders on the main office DNS servers to point to the branch office servers.
E. Configure conditional forwarders on the main office DNS servers to point to the branch office DNS servers.
F. Configure zone transfer for the Certkiller.com zone to the branch office DNS servers.

Answer: A, B, F

To deploy two new Active Directory domains in the branch offices, after installing a DNS server in each branch office you need to first configure a delegation subdomain DNS record on the main office DNS server for each new domain, then create a new standard primary zone on each branch office DNS server for the new domains, and then configure zone transfer for the Certkiller.com zone to the branch office DNS servers. In DNS, a subdomain is a portion of a domain that you've delegated to another DNS zone. A subdomain is configured when you need to create domains in an existing domain. A company might use subdomains for its various divisions. Because, to migrate your DNS zone data for the Certkiller.com zone to the branch office DNS servers, you will need to have a functioning standard primary server, you will need to create a new standard primary zone on each branch office DNS server for the new domains.

Reference: Delegate subdomains in DNS in Windows 2000 Server
http://articles.techrepublic.com.com/5100-10878_11-5846057.html

Reference: Step-By-Step: How to migrate DNS information to Windows Server 2003
http://www.lockergnome.com/it/2005/01/14/step-by-step-how-to-migrate-dns-information-to-windows-server- 20

Reference: DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/dns_stub_zones.html

QUESTION 6

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory forest that is made up of a single root domain and 15 child domains. The administrators of the child domains need to frequently modify the records for authoritative DNS servers for the child domain DNS zones. The administrators take a long time in modifying these records. As an enterprise administrator of the company, you have been assigned the task to implement a solution that would minimize the effort required to maintain name resolution on the network. Which of the following options would you choose to accomplish this task?

A. Create stub zones for the root domain zone on the child domain DNS servers.
B. Configure conditional forwarders for the parent domain on the child domain DNS servers.
C. Create stub zones for the child domain zones on the root domain DNS servers.
D. Configure delegation subdomain records for the child domains on the root domain DNS servers.
E. None of the above.

Answer: C

To implement a solution that would minimize the effort required to maintain name resolution on the network, you need to create stub zones for the child domain zones on the root domain DNS servers. Stub zones can help reduce the amount of DNS traffic on your network by streamlining name resolution and zone replication. The stub zone should be configured for the child domain zones on the root domain DNS servers and not vice versa because a stub zone is like a secondary zone that obtains its resource records from other name servers (one or more master name servers).

Reference: DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/dns_stub_zones.html

QUESTION 7

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Windows Server 2008 Active Directory domain and one IP subnet. All servers in the domain run Windows Server 2008 and all the client computers run Windows Vista.
On one of the Windows Server 2008 member servers, Certkiller Server1, Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), and DHCP services are configured. On another Windows Server 2008 member server, Certkiller Server2, Routing and Remote Access Service (RRAS), Network Policy Service (NPS), and Health Registration Authority (HRA) services are configured. Some client computers that do not have the latest Microsoft updates installed connect to the local area network (LAN) from client computers that are joined to a workgroup. Besides, all network switches used for client connections are unmanaged. As an enterprise administrator of the company, you have been assigned the task to implement a Network Access Protection (NAP) solution to protect the network. You need to ensure that only the computers that have the latest Microsoft updates installed are able to connect to servers in the domain and only the computers that are joined to the domain are able to connect to servers in the domain. Which of the following NAP enforcement methods should you use to accomplish this task?

A. 802.1x
B. DHCP
C. IPsec
D. VPN
E. None of the above.

Answer: C

To ensure that only the computers that have the latest Microsoft updates installed are able to connect to servers in the domain and only the computers that are joined to the domain are able to connect to servers in the domain, you need to use the IPsec NAP enforcement method. IPsec domain and server isolation methods are used to prevent unmanaged computers from accessing network resources. This method enforces health policies when a client computer attempts to communicate with another computer using IPsec.

Reference: Protecting a Network from Unmanaged Clients / Solutions
http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclients.mspx

Reference: Network Access Protection (NAP) Deployment Planning / Choosing Enforcement Methods
http://blogs.technet.com/nap/archive/2007/07/28/network-access-protection-deployment-planning.aspx

QUESTION 8

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Windows Server 2008 Active Directory domain and one IP subnet. All servers in the domain run Windows Server 2008 and all the client computers run Windows Vista, Windows XP Professional, and Windows 2000 Professional. On one of the Windows Server 2008 member servers, Certkiller Server1, Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), and DHCP services are configured.
On another Windows Server 2008 member server, Certkiller Server2, Routing and Remote Access Service (RRAS), Network Policy Service (NPS), and Health Registration Authority (HRA) services are configured. NAP is configured by using IPsec, DHCP, and 802.1x enforcement methods. Currently the computers that are not joined to the domain can easily connect to the domain and access network resources. As a network administrator, you want to stop this security lapse and ensure that only computers that are joined to the domain can access network resources on the domain. Which of the following options would you choose to accomplish this task?

A. Configure all DHCP scopes on Certkiller Server1 to enable NAP.
B. Configure all network switches to require 802.1x authentication.
C. Create a GPO, link it to the domain. Enable a secure server IPsec policy on all member servers in the domain in the GPO.
D. Create a GPO, link it to the domain. Enable a NAP enforcement client for IPsec communications on all client computers in the domain in the GPO.
E. None of the above.

Answer: C

To ensure that only computers that are joined to the domain can access network resources on the domain, you need to create a GPO, link it to the domain and enable a secure server IPsec policy on all member servers in the domain in the GPO. IPsec domain and server isolation methods are used to prevent unmanaged computers from accessing network resources. This method enforces health policies when a client computer attempts to communicate with another computer using IPsec. Configuring DHCP scopes cannot stop unmanaged computers that are not joined to the domain from accessing the network. NAP is not required in this scenario because you just want the member computers to access network resources. Therefore, you need not create a GPO, link it to the domain, and enable a NAP enforcement client for IPsec communications on all client computers in the domain in the GPO.

Reference: Protecting a Network from Unmanaged Clients / Solutions
http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclients.mspx

QUESTION 9

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single IP subnet. All servers in the domain run Windows Server 2008 and all the client computers run Windows Vista. The network contains three Windows Server 2008 servers configured as follows:

1. Certkiller Server1 - Configured with Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), and DHCP services.
2. Certkiller Server2 - Configured with Routing and Remote Access Service (RRAS), Network Policy Service (NPS), Health Registration Authority (HRA), and Microsoft System Center Configuration Manager (SCCM) 2007 services.
3. Certkiller Server3 - Configured with File Services and Microsoft Windows SharePoint Services (WSS).

As an enterprise administrator of the company, you have been assigned the task to configure the NAP environment so that it would only allow computers that have the required Microsoft updates installed to access the internal network resources. Besides, you need to ensure that when the client computers connect to the network, the network switches would allow them to communicate with only Certkiller Server1 and Certkiller Server2 initially.

Which of the following NAP enforcement methods should you use to accomplish this task?

A. 802.1x
B. DHCP
C. IPsec communications
D. VPN
E. None of the above.

Answer: A

To configure the NAP environment so that it would only allow computers that have the required Microsoft updates installed to access the internal network resources, and to ensure that when the client computers connect to the network, the network switches would allow them to communicate with only Certkiller Server1 and Certkiller Server2 initially, you need to use the 802.1x NAP enforcement method because this method enforces health policies when a client computer attempts to access a network using EAP through an 802.1X wireless connection or an authenticating switch connection.

Reference: Network Access Protection (NAP) Deployment Planning / Choosing Enforcement Methods
http://blogs.technet.com/nap/archive/2007/07/28/network-access-protection-deployment-planning.asp

QUESTION 10

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all the client computers run Windows Vista with Service Pack 1. The network contains three Windows Server 2008 servers configured as follows:

1. Certkiller Server1 - Configured with Network Policy and Access Services (NPAS).
2. Certkiller Server2 - Configured with Microsoft Windows SharePoint Services (WSS).
3. Certkiller Server3 - Configured with File Services.

The company has many remote users (domain members) that need to access the domain resources from their remote locations. Some of the remote users informed you that they can access Certkiller Server2 by using the URL https://portal.Certkiller.com from their remote locations through the Internet, but the firewall used at their remote location site prevents all other outbound connections. As an enterprise administrator of the company, you have been assigned the task to plan a solution that would allow the remote users to access files on Certkiller Server3 through a VPN connection. Which of the following types of connections should you enable on Certkiller Server1?

A. Configure IPsec tunnel mode connection
B. Configure a L2TP VPN connection
C. Configure a PPTP VPN connection
D. Configure Secure Socket Tunneling Protocol (SSTP) connection
E. None of the above.

Answer: D

To plan a solution that would allow the remote users behind a firewall at their remote locations to access files on Certkiller Server3 through a VPN connection, you need to configure a Secure Socket Tunneling Protocol (SSTP) connection. Before Windows Server 2008, all kinds of VPN connections such as PPTP, L2TP, and IPSec had problems with firewalls, NATs, and Web proxies. To prevent problems, firewalls must be configured to allow connections. If your VPN client computer is behind a NAT, both the VPN client and the VPN server must support IPsec NAT-Traversal (NAT-T). Besides, the VPN server can't be located behind a NAT, and L2TP/IPsec traffic can't flow through a Web proxy. With the advent of SSTP in Windows Server 2008, all the VPN connectivity problems with firewalls, NATs, and Web proxies are solved. The SSTP connection allows the use of HTTP over Secure Sockets Layer (SSL). SSTP uses an HTTP-over-SSL session between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets.

Reference: The Cable Guy: The Secure Socket Tunneling Protocol / The New VPN Solution
http://technet.microsoft.com/en-us/magazine/cc162322.aspx

QUESTION 11

You are an enterprise administrator for Certkiller. The company has three departments, Sales, Marketing, and Development. The corporate network of Certkiller consists of a single Windows Server 2008 Active Directory domain. Some employees in the Development department are allowed to work from home because of their inability to come to the office for some reasons. These employees usually need to access the applications installed on the internal network computers and the file servers on the corporate network. As an enterprise administrator of the company, you have been assigned the task to provide a secure remote access solution for the Development department employees, keeping in mind the company's security policy. According to the security policy of the company, the remote computers can only connect to the corporate network by using SSL. Besides this, all the remote computers that connect to the network must have an up-to-date antivirus application and all available security updates installed on them. Which of the following types of remote connection solution would you select to accomplish this task?

A. Configure a PPTP VPN connection.
B. Configure a L2TP VPN connection.
C. Configure a TS connection that uses TS Gateway.
D. Configure a TS connection that uses TS Web Access.
E. None of the above.

Answer: C

The TS Gateway Manager snap-in console enables you to configure authorization policies that define the conditions remote users must meet to connect to internal network resources. These conditions may include having an up-to-date antivirus application and all available security updates installed. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection.

Reference: TS Gateway Overview
http://technet2.microsoft.com/windowsserver2008/en/library/722f3aa8-2f22-462f-bcc6-72ad31713ddd1033.msp

QUESTION 12

You are a network administrator for Certkiller. The corporate network of the company consists of a single domain. The network includes a Windows Server 2008 server that runs Routing and Remote Access Service (RRAS) and 20 portable client computers that run different client operating systems. The portable computers have been issued to the remote users of the company, who connect to the network by using a VPN connection to the RRAS server. Some remote users also use their personal computers to connect to the corporate network. Which of the following options would you choose to ensure that the computers that connect to the corporate network remotely have Windows Vista installed, Windows Firewall enabled, the most up-to-date antivirus definitions, and the most up-to-date updates installed on them?

A. Implement Authorization Manager.
B. Implement Network Access Protection (NAP) on the perimeter network.
C. Install a Microsoft Internet Security and Acceleration Server (ISA) 2006 on the network.
D. Create a Group Policy object (GPO), link it to the domain and publish updated antivirus definitions through it. Also enable Windows Firewall on it.
E. None of the above.

Answer: B

To ensure that the computers that connect to the corporate network meet all the required conditions, you need to implement Network Access Protection (NAP) on the perimeter network. NAP uses a System Health Agent (SHA) to check whether the specified system health requirements are fulfilled. The SHA can verify whether Windows Firewall is on; antivirus and antispyware software are installed, enabled, and updated; Microsoft Update Services is enabled; and the most recent security updates are installed. If the system is not in the required state, the SHA can then start a process to remedy the situation. For example, it can enable Windows Firewall or contact a remediation server to update the antivirus signatures.

Reference: Windows Server 2008 NAP (Network Access Protection) infrastructure
http://4sysops.com/archives/windows-server-2008-nap-network-access-protection-infrastructure/

QUESTION 13

You are a network administrator for Certkiller. The corporate network of the company consists of a single Active Directory domain. All domain controllers on the corporate network run Windows Server 2008. You have been assigned the task of configuring access restriction policies for the network that allow only Windows Vista computers that have Windows Firewall enabled to access the network. Which of the following options would you choose to accomplish this task?

A. Implement Authorization Manager.
B. Implement Network Access Protection (NAP).
C. Create and link a Group Policy object (GPO) to the domain and then enable the Windows Firewall settings in it.
D. Create a Group Policy object (GPO) and an organizational unit (OU), link the GPO to OU and then enable the Windows Firewall settings in the GPO.
E. None of the above.

Answer: B

To configure access restriction policies that allow only Windows Vista computers that have Windows Firewall enabled to access the network, you need to implement Network Access Protection (NAP). NAP uses a System Health Agent (SHA) to check whether the specified system health requirements are fulfilled. The SHA can verify whether Windows Firewall is on; antivirus and antispyware software are installed, enabled, and updated; Microsoft Update Services is enabled; and the most recent security updates are installed. If the system is not in the required state, the SHA can then start a process to remedy the situation. For example, it can enable Windows Firewall or contact a remediation server to update the antivirus signatures.

Reference: Windows Server 2008 NAP (Network Access Protection) infrastructure
http://4sysops.com/archives/windows-server-2008-nap-network-access-protection-infrastructure/

QUESTION 14

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. The network contains four Windows Server 2008 servers configured as follows:

1. Certkiller Server1 (Domain Controller) - Configured with Active Directory Domain Services (AD DS).
2. Certkiller Server2 (RAS for VPN connections, RADIUS client) - Configured with Routing and Remote Access Service (RRAS).

3. Certkiller Server3 (RAS for VPN connections, RADIUS client) - Configured with Routing and Remote Access Service (RRAS).
4. Certkiller Server4 (RADIUS Server) - Configured with Network Policy Server (NPS).

As an enterprise administrator of the company, you have been assigned the task of planning a solution that lets you manage all VPN connections to the network by specifying the allowed VPN connection protocols, the allowed VPN client authentication mechanisms, and VPN client access rights based on group membership. Which of the following options would you choose to accomplish this task?

A. Create a GPO and apply it to Certkiller Server2 and Certkiller Server3
B. Create a GPO and apply it to the computers that must establish VPN connections
C. Create a local computer policy on Certkiller Server2 and Certkiller Server3
D. Create a network policy on Certkiller Server4
E. None of the above.

Answer: D

To manage all VPN connections to the network by specifying the allowed VPN connection protocols, the allowed VPN client authentication mechanisms, and VPN client access rights based on group membership, you need to create a network policy on Certkiller Server4, which is a Network Policy Server. NPS is the Microsoft implementation of a RADIUS server and proxy in Windows Server 2008. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections.

GPOs cannot be used in this scenario because they can be used to create, replace, update, or delete a Virtual Private Network (VPN) or Dial-Up Network (DUN) connection but cannot be used to specify the allowed VPN connection protocols, the allowed VPN client authentication mechanisms, and VPN client access rights based on group membership.

Reference: Network Policy Server
http://technet.microsoft.com/en-us/network/bb629414.aspx

Reference: Group Policy related changes in Windows Server 2008 - Part 3: Introduction to Group Policy Preferences
http://www.windowsecurity.com/articles/group-policy-related-changes-windows-server-2008-part3.html

QUESTION 15

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. The network contains three Windows Server 2008 servers configured as follows:

1. Certkiller Server1 - Configured with Active Directory Domain Services (AD DS).

2. Certkiller Server2 - Configured with Microsoft System Center Virtual Application Server (SCVAS).
3. Certkiller Server3 - Configured with Terminal Services.

You have recently installed an application called App1 on Certkiller Server3, which needs to be run by multiple users. The user-specific settings for the application are stored in a .ini file for the application. Soon you realized that the application had started failing. On diagnosing the problem, you found that the .ini file is overwritten because multiple users were running the application concurrently. Which of the following options would you choose to enable the users to successfully run the application on Certkiller Server3?

A. Deploy TS Session Broker On Certkiller Server3.
B. On Certkiller Server2, stream a SoftGrid application package containing App1 to Certkiller Server3.
C. Configure App1 as a TS RemoteApp on Certkiller Server3.
D. On Certkiller Server1, create and link a Group Policy object (GPO) to publish App1 to all users who establish a Terminal Services session on Certkiller Server3.
E. None of the above.

Answer: B

To enable the users to successfully run the application on Certkiller Server3, which is configured with Terminal Services, you need to stream a SoftGrid application package containing App1 from Certkiller Server2 to Certkiller Server3. SoftGrid applications are sandboxed from each other, so that different versions of the same application can be run under SoftGrid concurrently. There can be numerous scripts per profile, and scripts can even be items that are not directly executable, such as data or DLLs. SoftGrid can be executed on a connected desktop system and published via Citrix. The scripts used on this server can run before application execution or after the application terminates and can run inside or outside of isolation.

Reference: Application Streaming and SoftGrid - dual mode
http://blogs.technet.com/virtualworld/archive/2008/02/23/application-streaming-and-softgrid-dual-mode.aspx

Reference: Microsoft Application Virtualization
http://en.wikipedia.org/wiki/microsoft_application_virtualization

QUESTION 16

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains two Windows Server 2008 servers configured as follows:

1. Certkiller Server1 - Configured with Active Directory Domain Services (AD DS).
2. Certkiller Server2 - Configured with Terminal Services.

The users of the Marketing department of the company currently run an application called MktApp on their computers. The application uses a dynamic-link library (DLL) named mkapp.dll.

Recently the users need to run another application called App2 on their computers that uses a different version of mkapp.dll. When you installed the App1 on the computers, you realized that the App1 is causing MktApp to fail because of the new mkapp.dll. Both the applications need to be run on the same computer. Which of the following options would you choose to ensure that users can run both applications successfully on the same computer?

A. Create a GPO and link it to the domain on Certkiller Server1. Publish the App2 to all users in the Marketing department.
B. Create a GPO and link it to the domain on Certkiller Server1. Assign the App2 to all users in the Marketing department.
C. Install MktApp and App2 on Certkiller Server2. Configure all computers in the Marketing department to run the applications by using TS RemoteApp.
D. Install App2 on Certkiller Server2 and configure all computers in the marketing department to run the application by using TS RemoteApp.
E. None of the above.

Answer: D

To ensure that users can run both applications successfully on the same computer, you need to install App2 on Certkiller Server2, which runs Terminal Services, and configure all computers in the Marketing department to run the application by using TS RemoteApp. When Marketing department users run App2 by using TS RemoteApp from a Terminal Services computer, App2 appears as if it is running on the end user's local computer. This solves the problem of mkapp.dll being overwritten by the installation of App2, because App2 now runs on a remote computer and only appears to run on the local computer. The RemoteApp program is integrated with the client's desktop instead of being presented to the user in the desktop of the remote terminal server. It runs in its own resizable window with its own entry in the taskbar.

Reference: Terminal Services RemoteApp (TS RemoteApp)
http://technet2.microsoft.com/windowsserver2008/en/library/57995ee7-e204-45a4-bcee-5d1f4a51a09f1033.msp

QUESTION 17

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista. The network contains four Windows Server 2008 servers configured as follows:

1. Certkiller Server1 - Configured with Active Directory Domain Services (AD DS).
2. Certkiller Server2 - Configured with Terminal Services.
3. Certkiller Server3 - Configured with Microsoft System Center Virtual Application Server (SCVAS)
4. Certkiller Server4 - Configured with Microsoft System Center Configuration Manager (SCCM)

The users of the Marketing department of the company currently run an application called MktApp on their computers. The application uses a dynamic-link library (DLL) named mktapp.dll. Recently the users need to run another application called App2 on their computers that uses a different version of mktapp.dll. When you installed App2 on the computers, you realized that App2 is causing MktApp to fail because of the new mktapp.dll.

As an enterprise administrator of the company, you have been assigned the task of ensuring that both applications can run on the same computer and that users of portable computers can run both applications when they are disconnected from the network. Which of the following options would you choose to accomplish this task?

A. Create a GPO and link it to the domain on Certkiller Server1. Publish the App2 to all users in the Marketing department.
B. Create a SoftGrid application package that contains App2 on Certkiller Server3 and stream it to all computers in the Marketing department.
C. Install App2 on Certkiller Server2 and configure all computers in the Marketing department to access the application by using TS Gateway.
D. Install App2 on Certkiller Server2 and configure all computers in the Marketing department to run the application by using TS RemoteApps.

Answer: B

To ensure that both applications can run on the same computer and that users of portable computers can run both applications when they are disconnected from the network, you need to create a SoftGrid application package that contains App2 on Certkiller Server3 and stream it to all computers in the Marketing department. SoftGrid applications are sandboxed from each other, so that different versions of the same application can be run under SoftGrid concurrently. There can be numerous scripts per profile, and scripts can even be items that are not directly executable, such as data or DLLs. SoftGrid can be executed on a connected desktop system and published via Citrix. The scripts used on this server can run before application execution or after the application terminates and can run inside or outside of isolation.

Reference: Application Streaming and SoftGrid - dual mode
http://blogs.technet.com/virtualworld/archive/2008/02/23/application-streaming-and-softgrid-dual-mode.aspx

Reference: Microsoft Application Virtualization
http://en.wikipedia.org/wiki/microsoft_application_virtualization

QUESTION 18

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008 and all client computers run Windows Vista.

The network contains three Windows Server 2008 servers configured as follows:

1. Certkiller Server1 - Configured with Active Directory Domain Services (AD DS).
2. Certkiller Server2 - Configured with Terminal Services.
3. Certkiller Server3 - Configured with Internet Information Services (IIS)

The company has certain remote users who need to connect to the corporate network through the Internet by using VPN connections. You have been assigned the task of enabling remote users to run TS RemoteApp applications on Certkiller Server2. Which of the following options would you choose to prepare the environment to provide users access to the applications and provide a custom Web page that contains shortcuts to authorized applications for each user?

A. Install the Web Server (IIS) server role on Certkiller Server2.
B. Install the Terminal Services server role on Certkiller Server2 that has TS Gateway role service.
C. Install the Terminal Services server role on Certkiller Server3 that has the TS Web Access role service.
D. Install the Terminal Services server role on Certkiller Server2 and Certkiller Server3 that has the TS Session Broker role service.
E. None of the above.

Answer: C

To enable remote users to run TS RemoteApp applications on Certkiller Server2 and to provide users a custom Web page to access applications, you need to install the Terminal Services server role on Certkiller Server3 that has the TS Web Access role service. Terminal Services Web Access (TS Web Access) is a role service in the Terminal Services role that lets you make Terminal Services RemoteApp (TS RemoteApp) programs, and a connection to the terminal server desktop, available to users from a Web browser.

Reference: Terminal Services Web Access (TS Web Access)
http://technet2.microsoft.com/windowsserver2008/en/library/57995ee7-e204-45a4-bcee-5d1f4a51a09f1033.msp

QUESTION 19

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. Two organizational units (OUs) called OUUsers and OUComputers are configured in the domain and hold all user accounts and all computer accounts respectively. You have been assigned the task of installing six line-of-business (LOB) applications that take two hours to install and making them available to all users. One of these applications, named App1, needs to be updated monthly by uninstalling and then reinstalling it.

Which of the following options would you choose to ensure that the network users can access the applications quickly and that App1 can be uninstalled and reinstalled with the minimum amount of administrative effort? In addition, you need to ensure that the users can access the LOB applications from the Start menu or by opening files that are associated with App1.

A. Create a new GPO, link it to the OUUsers, and deploy the applications using this GPO.
B. Create a new GPO, link it to the OUComputers, and deploy the applications using this GPO.
C. Install Terminal Services role on servers that run Windows Server 2008. Install the applications on the servers and provide access to them by using TS Web Access.
D. Install Terminal Services role on servers that run Windows Server 2008. Install the applications on the servers and provide access to them by using TS RemoteApp.
E. None of the above.

Answer: D

To ensure that the network users can access the applications quickly, that App1 can be uninstalled and reinstalled with the minimum amount of administrative effort, and that users can access the LOB applications from the Start menu or by opening files that are associated with App1, you need to install the Terminal Services role on servers that run Windows Server 2008, install the applications on the servers, and provide access to them by using TS RemoteApp. RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user's local computer. TS RemoteApp improves the user's experience, eases program deployment, and reduces the amount of administrative effort required to support the deployed programs, because you need to install and uninstall applications on only one computer rather than on all of them. The RemoteApp program is integrated with the client's desktop instead of being presented to the user in the desktop of the remote terminal server. It runs in its own resizable window with its own entry in the taskbar.

Reference: Terminal Services RemoteApp (TS RemoteApp)
http://technet2.microsoft.com/windowsserver2008/en/library/57995ee7-e204-45a4-bcee-5d1f4a51a09f1033.msp

QUESTION 20

You are an enterprise administrator for Certkiller.
The corporate network of Certkiller consists of a single Windows 2000 native Active Directory domain. All domain controllers run Windows Server 2003. The network contains four Windows Server 2003 servers configured as follows:

1. Certkiller Server1 - Terminal Services licensing server
2. Certkiller Server2 - Terminal server
3. Certkiller Server3 - Terminal server
4. Certkiller Server4 - Terminal server

As an enterprise administrator of your company, you have been assigned the task of deploying a new terminal server that runs Windows Server 2008 and implementing a solution that enables reporting for all Terminal Services client access licenses (TS CALs). Which of the following options would you choose to accomplish this task?

A. Upgrade Certkiller Server1 to Windows Server 2008.
B. Upgrade all domain controllers to Windows Server 2008.
C. Upgrade Certkiller Server2, Certkiller Server3, and Certkiller Server4 to Windows Server 2008.
D. Raise the functional level of the domain to Windows Server 2003.
E. None of the above.

Answer: A

Terminal Services Licensing (TS Licensing) is a Terminal Services role service that manages the Terminal Services client access licenses (TS CALs) that are required for each device or user to connect to a terminal server. Because a terminal server running Windows Server 2008 can communicate only with a license server running Windows Server 2008, you need to upgrade Certkiller Server1 to Windows Server 2008 to enable reporting for all Terminal Services client access licenses (TS CALs).

Reference: TS Licensing
http://technet2.microsoft.com/windowsserver2008/en/library/2a9fd6e5-f880-4a9b-b492-e4f6f7983e951033.mspx

QUESTION 21

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain. All servers in the domain run Windows Server 2008. The network consists of three terminal servers and one server that has Terminal Services Gateway (TS Gateway) deployed on it. Internet access for internal users is allowed through the firewall. In addition, inbound TCP/IP port 443 is allowed on the firewall for inbound connections.

As an enterprise administrator for the company, you have been assigned the task of implementing a solution that enables remote users to access network resources by using TS Gateway. Which of the following options would you choose to accomplish this task?

A. Modify the firewall rule to allow inbound traffic through TCP/IP port 3389 from the Internet.
B. Install TS Web Access services role on the servers that have Terminal Services server role installed.
C. Install TS Session Broker services role on the servers that have Terminal Services server role installed.
D. Create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP).
E. None of the above.

Answer: D

To implement a solution that enables remote users to access network resources by using TS Gateway, you need to create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP). TS CAPs allow you to specify who can connect to a TS Gateway server. Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a Terminal Services resource authorization policy (TS RAP). A TS RAP allows you to specify the internal network resources that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.

Reference: Terminal Services Gateway (TS Gateway) / Why are TS CAPs important?
http://technet2.microsoft.com/windowsserver2008/en/library/9da3742f-699d-4476-b050-c50aa14aaf081033.msp

QUESTION 22

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory forest. All servers in the forest run Windows Server 2008 and all client computers run Windows Vista. The network contains two Windows Server 2008 servers with hardware installed as follows:

1. Certkiller Server1 - Consists of 4 processor cores and 4 GB RAM.
2. Certkiller Server2 - Consists of 8 processor cores and 16 GB RAM.

The company has many remote clients that use the Remote Desktop client to connect to Certkiller Server1 and Certkiller Server2. As an enterprise administrator of the company, you have been assigned the task of controlling the distribution of user requests made to Certkiller Server1 and Certkiller Server2 in such a way that administrators can distribute the traffic based on the server hardware. Which of the following options would you choose to accomplish this task?

A. Use DNS round-robin for the distribution of user requests and set the DoNotRoundRobinTypes registry entry to ptr srv ns.
B. Add the failover clustering feature on the network by configuring Certkiller Server1 as a passive node and Certkiller Server2 as an active node.
C. Implement Network Load Balancing on the network by configuring Priority to 1 for Certkiller Server2 and Priority to 2 for Certkiller Server1 in Host Parameters.
D. Use TS Session Broker Load Balancing and assign a weight value of 100 to Certkiller Server1 and a weight value of 200 to Certkiller Server2.
E. None of the above.

Answer: D

To control the distribution of user requests made to Certkiller Server1 and