Microsoft 70-646 70-646 Pro: Windows Server 2008, Server Administrator Practice Test Updated: Jan 19, 2010 Version
QUESTION NO: 1 Microsoft 70-646: Practice Exam consists of 200 Windows Server 2008 servers. The company has recently decided to open a new branch office and moved 75 Windows Server 2008 servers from the existing office to the new network segment. Which of the following options would you choose to change the TCP/IP addresses on the 75 servers that have been moved to the new branch office by using the minimum amount of administrative effort? A. Use ServerManagerCMD tool and run it on the administrator's client computer. B. Use the Netsh tool and run it on the administrator's client computer. C. Use Remote Desktop to connect to each server to make the changes. D. Visit each server to make the changes. E. None of the above Answer: B To change the TCP/IP addresses on the 75 servers that have been moved to the new branch office by using the minimum amount of administrative effort, you need to run the Netsh tool from an administrator's client computer. You can use NETSH to make dynamic IP address changes from a static IP address to DHCP simply by importing a file. NETSH can also bring in the entire Layer-3 configuration (TCP/IP Address, DNS settings, WINS settings, IP aliases, etc.). This can be handy when you're working on networks without DHCP and have a mobile computer that connects to multiple networks, some of which have DHCP. NETSH shortcuts will far exceed the capabilities of using Windows Automatic Public IP Addressing. Reference: 10 things you should know about the NETSH tool / #4: Using NETSH to dynamically change TCP/IP addresses Reference: 10 Windows Server 2008 Netsh commands you should know http://www.builderau.com.au/program/windows/soa/10-things-you-should-know-about-the-netshtool/0,339024644,339272916,00.htm http://www.windowsnetworking.com/articles_tutorials/10-windows-server-2008-netshcommands.html "Pass Any Exam. Any Time." - www.actualtests.com 2
QUESTION NO: 2 Microsoft 70-646: Practice Exam runs 28 Windows Server 2008 servers and two Windows Server 2003 servers. One of the Windows Server 2003 servers called CertKillerServer1 hosts an application called App1 and another Windows Server 2003 server called CertKillerServer2 hosts the application called App2 The App1application uses the 32-bit installation of Windows Server 2003 and App2 application uses the 64-bit installation of Windows Server 2003. You need to run both the applications on Windows Server 2008 server. Which of the following options would you choose for replacing the servers that host App1 and App2 in the minimum cost amount? (Select three. Each correct answer will present a part of the solution.) A. Install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. B. Install two new servers that run 64-bit versions of Windows Server 2008 Enterprise Edition. C. Install two new servers. On one of the servers install the 32-bit version of Windows Server 2008 Enterprise Edition and install the 64-bit version of Windows Server 2008 Enterprise Edition on the other server. D. Install the Hyper-V feature on the server(s). E. Install Windows System Resource Manager (WSRM) on the server(s). F. Install App1 and App2 in separate child virtual machines G. Install App1 on the 32-bit server. Install App2 on the 64-bit server. Answer: A,D,F For replacing the servers that host App1 and App2 in the minimum cost amount, you need to install a new server that runs a 64-bit version of Windows Server 2008 Enterprise Edition. Install the Hyper-V feature on the new server. Install App1 and App2 in separate child virtual machines Hyper-V consists of a 64-bit hypervisor that can run 32-bit and 64-bit virtual machines concurrently. Therefore you need to install just one Windows Server 2008 to run these two applications. You can then install Hyper V feature that would allow you to create virtual machines and run both the applications as desired. Hyper-V virtualization works with single and multiprocessor virtual machines and includes tools such as snapshots, which capture the state of a running virtual machine. Reference : Microsoft Hyper-V Guide http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1318785,00.html "Pass Any Exam. Any Time." - www.actualtests.com 3
QUESTION NO: 3 runs two Windows Server 2008 servers. You have been asked to configure the Windows Server 2008 servers in such a way that they support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails. (Select two. Each correct answer will present a part of the solution.) Which of the following options would you choose to accomplish this task? A. Install a full installation of Windows Server 2008 Standard Edition on the servers. B. Install a full installation of Windows Server 2008 Enterprise Edition on the servers. C. Install a Server Core installation of Windows Server 2008 Enterprise Edition on the servers. D. Configure Network Load Balancing on the servers. E. Configure failover clusters on the servers. Answer: B,E To configure the Windows Server 2008 servers in such a way that they support the installation of Microsoft SQL Server 2005 and provide redundancy for SQL services if a single server fails, you need to install a full installation of Windows Server 2008 Enterprise Edition on the servers. Configure failover clusters on the servers. Failover clustering is a process in which the operating system and SQL Server 2008 work together to provide availability in the event of an application failure, hardware failure, or operating-system error. Failover clustering provides hardware redundancy through a configuration in which missioncritical resources are transferred from a failing machine to an equally configured server automatically. Reference : SQL Server 2008 Pricing and Licensing/ PASSIVE SERVERS / FAILOVER SUPPORT http://download.microsoft.com/download/1/e/6/1e68f92c-f334-4517-b610- e4dee946ef91/2008%20sql%20licensing%20overview%20final.docx. QUESTION NO: 4 You are an Enterprise administrator for CertKiller.com. The company has a head office and five branch offices. The corporate network of the company consists of a single Active Directory domain. "Pass Any Exam. Any Time." - www.actualtests.com 4
Each office contains Windows 2000 Server domain controller and Windows Server 2008 member servers. The physical security of the member servers was not reliable and servers could be attacked. Therefore, you decided to implement Windows BitLocker Drive Encryption (BitLocker) on the member servers. Which of the following options would you choose to ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on the member servers and store the recovery information at a central location? (Select two. Each correct answer will present a part of the solution.) A. Upgrade all domain controllers to Windows Server 2008. B. Upgrade the domain controller that has the schema master role to Windows Server 2008. C. Upgrade the domain controller that has the primary domain controller (PDC) emulator role to Windows Server 2008. D. Use Group Policy to configure Public Key Policies. E. Use Group Policy to enable a Data Recovery Agent (DRA). F. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory. Answer: A,F To ensure that you can access the BitLocker volume even if the BitLocker keys are corrupted on the member servers and store the recovery information at a central location, you need to upgrade all domain controllers to Windows Server 2008. Use Group Policy to enable Trusted Platform Module (TPM) backups to Active Directory. By default, no recovery information is backed up. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. All user interfaces and programming interfaces within BitLocker and TPM Management features will adhere to your configured Group Policy settings. When these settings are enabled, recovery information (such as recovery passwords) will be automatically backed up to Active Directory whenever this information is created and changed. Reference : BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory http://technet.microsoft.com/en-us/library/cc766015.aspx QUESTION NO: 5 "Pass Any Exam. Any Time." - www.actualtests.com 5
consists of a single Active Directory domain that contain 100 Windows Server 2003 physical servers having 64-bit hardware. The company has given you the responsibility to consolidate the 100 physical servers into 30 Windows Server 2008 physical servers and send the remaining physical servers to the new branch office that plans to open shortly. Which of the following options would you choose to achieve the desired goal while ensuring the maximum resource utilization by using existing hardware and software? You also need to ensure that your solution would support 64-bit child virtual machines and maintain separate services among the servers. A. Install the Hyper-V feature on the existing hardware. Then convert the physical machines into virtual machines. B. Install the Microsoft Virtual PC. Then convert the physical machines into virtual machines. C. Create the necessary host (A) records after consolidating services across the physical machines. D. Install Microsoft Virtual Server 2005 R2 on the existing hardware after installing Windows Server 2008 on them. Then convert the physical machines into virtual machines. E. None of the above Answer: A To ensure the maximum resource utilization by using existing hardware and software and to ensure the support for 64-bit child virtual machines while maintaining separate services among the servers, you need to install the Hyper-V feature to convert the physical machines into virtual machines. The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides administrators through the process of creating a virtual version of a physical server, including creating images of physical hard disks, preparing the images for use in a VM, and creating the final VM. The wizard can create virtual servers from physical servers and can run on Windows Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled) besides many other Operating systems. Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features http://www.directionsonmicrosoft.com/sample/domis/update/2008/07jul/0708vmm2sh.htm Section 2, Plan for automated server deployment (9 Questions) "Pass Any Exam. Any Time." - www.actualtests.com 6
QUESTION NO: 6 consists of a single Active Directory domain that contains a Windows Server 2008 server called CertKillerServer1. The server runs the DHCP service on it for the network. Your company has decided to add a few Windows Vista computers and Windows Server 2008 servers on the network. You have been asked to prepare the network for the automated deployment of the above given operating systems with the use Pre-boot Execution Environment (PXE) network adapter. Which of the following options would you choose to accomplish this task? A. Install Windows Automated Installation Kit (WAIK) on a new server. B. Configure the Windows Deployment Services (WDS) server role on a new server. C. Install Windows Automated Installation Kit (WAIK) on CertKillerServer1. D. Configure the Windows Deployment Services (WDS) server role on CertKillerServer1. E. None of the above Answer: D To prepare the network for the automated deployment of the above given operating systems with the use Pre-boot Execution Environment (PXE) network adapter, you need to configure the Windows Deployment Services (WDS) server role on CertKillerServer1. Windows Deployment Services enables you to deploy Windows operating systems, particularly WindowsVista and Windows Server2008. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. It is an extensible and higher-performing PXE server component. You must have a functioning DHCP server with an active scope. To utilize PXE WDS required a DHCP server. Therefore you need to configure WDS on CertKillerServer1 Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#bkmk_1 Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment "Pass Any Exam. Any Time." - www.actualtests.com 7
Services (WDS) and DHCP Microsoft 70-646: Practice Exam http://technet.microsoft.com/en-us/library/bb680753.aspx QUESTION NO: 7 You are an Enterprise administrator for CertKiller.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. Because the branch office was comparatively less secure, you decided to deploy a Read-only Domain Controller (RODC) in the branch office so that branch office support technicians cannot manage domain user accounts on the RODC. However, they should be able to maintain drivers and disks on the RODC. Which of the following options would you choose to manage the RODC to meet the desired goal? A. Configure Administrator Role Separation on the RODC. B. For the branch office support technicians, set NTFS permissions on the Active Directory database to Read & Execute. C. Configure the RODC to replicate the password for the branch office support technicians. D. For the branch office support technicians, set NTFS permissions on the Active Directory database to Deny Full Control. E. None of the above Answer: A To ensure that branch office support technicians would not manage domain user accounts on the RODC and should be able to maintain drivers and disks on the RODC, you need to configure the RODC for Administrator Role Separation. Administrator Role Separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work on the server such as upgrading a driver. But the delegated administrator would not be able to log on to any other domain controller or perform any other administrative task in the domain. Reference : RODC Features/ Administrator role separation http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation "Pass Any Exam. Any Time." - www.actualtests.com 8
QUESTION NO: 8 consists of a single Active Directory domain that contain. The company currently consists of a main office that has an Internet connection configured. The company plans to open a new branch office in near future and plans to connect the branch office to the main office by using a WAN link having a limited bandwidth. The branch office will not have access to the Internet and will contain 30 Windows Server 2008 servers. The installations of these servers must be automated and must be automatically activated. Besides the network traffic between the offices must be minimized. Which of the following options would you include in your plan for the deployment of the servers in the branch office? A. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server and Windows Deployment Services (WDS). B. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services (WDS). C. In the main office, implement Windows Deployment Services (WDS). In the branch office, implement a DHCP server and implement the Key Management Service (KMS). D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS). E. None of the above Answer: B For the deployment of the servers in the branch office with the given requirements, you need to implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services (WDS) in the branch office. The KMS key is used to activate computers against a service that you can host in your environment, so you don't have to connect to Microsoft servers. To activate computers by using KMS, you must have a minimum number of physical computers. The KMS key is installed on the host computer only. To activate the KMS host, you must have at least 25 computers running Windows Vista or Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5 computers. You need Windows Deployment Services (WDS) because it enables you to automate the "Pass Any Exam. Any Time." - www.actualtests.com 9
deployment Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. You must have a functioning DHCP server with an active scope so that WDS will utilize PXE. Reference : Microsoft Product Activation http://www.microsoft.com/licensing/resources/vol/default.mspx Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#bkmk_1 Reference : Planning for PXE Initiated Operating System Deployments/ Windows Deployment Services (WDS) and DHCP http://technet.microsoft.com/en-us/library/bb680753.aspx QUESTION NO: 9 You are an Enterprise administrator for CertKiller.com. The company has a head office and 250 branch offices. The corporate network of the company consists of a single Active Directory domain. All the domain controllers on the corporate network run Windows Server 2008. You have been asked to deploy Read-only Domain Controllers (RODCs) in each designated branch offices because the physical security at branch office locations cannot be guaranteed. While deploying the RODCs, you need to ensure that the RODC installation source files do not contain cached secrets and the bandwidth used during the initial synchronization of Active Directory Domain Services (AD DS) is minimized. Which of the following options would you choose to accomplish the given task? A. Backup of the critical volumes of an existing domain controller by using Windows Server Backup. Now build the new RODCs using the backup. B. Using one of the domain controllers on the nework create a DFS Namespace that contains the Active Directory database and then build the new RODCs using by using an answer file. C. Create an RODC installation media using ntdsutil ifmand the build the RODCs from the RODC installation media. D. Perform a full backup of an existing domain controller using Windows Server Backup and then use the backup to build the new RODCs. "Pass Any Exam. Any Time." - www.actualtests.com 10
E. None of the above Microsoft 70-646: Practice Exam Answer: C : The new ntdsutil ifm subcommand can be used to create installation media. It can be used to remove secrets, such as passwords, from the AD DS database, so that you can install a read-only domain controller (RODC) without them. When you remove these secrets, the RODC installation media is more secure if it must be transported to a branch office for an RODC installation. Ntbackup.exe cannot remove cached secrets from the installation media. Reference : Steps for Deploying an RODC/ Optional: Install RODC from media http://technet.microsoft.com/en-us/library/cc754629.aspx QUESTION NO: 10 consists of a single Active Directory domain. You have been asked to deploy file servers that run Windows Server 2008 and ensure that the file server support volumes larger than 2 terabytes. You also need to ensure that if a single server fails, access to all data is maintained and if a single disk fails, the data redundancy is maintained. You also need to maximize the disk throughput Which of the following options would you choose to accomplish the assigned task? (Select 2. Each correct answer will present a part of the solution) A. Deploy a Windows Server 2008 server and connect an external storage subsystem to it that supports Microsoft Multipath I/O. B. Deploy a two-node failover cluster. Connect an external storage subsystem. C. Configure the external storage subsystem as a RAID 1 array and format the array as an MBR disk. D. Configure the external storage subsystem as a RAID 10 array and format the array as a GPT disk. Answer: B,D To ensure that if a single server fails, access to all data is maintained and if a single disk fails, the data redundancy is maintained, you need to deploy a two-node failover cluster. Connect an external storage subsystem. Configure the external storage subsystem as a RAID 10 array. Format the array as a GPT disk. A combining the different RAID levels gives us the option of RAID10. RAID10 is equivalent "Pass Any Exam. Any Time." - www.actualtests.com 11
toraid1 + 0. So, you can have a few disks (at least 4 and always even numbers) and mirror the drives two at a time. This gives the redundancy. Then you take those mirrors and combine them into a RAID 0 stripe. This allows redundancy, faster read operations, and fast writes (avoiding a parity calculation). RAID1 is a mirror which is faster than a single disk, but not as fast for read operations as 3+ disks (RAID1 is just 2 disks). RAID5 is a stripe with parity which is faster on read operations than RAID1 but not ideal for write operations because it is required to calculate a parity block of data. Reference : Brad Kingsley's Blog http://blogs.orcsweb.com/brad/archive/2007/08/06/raid10.aspx QUESTION NO: 11 consists of a single Active Directory domain. You have planned to install 10 new Windows Server 2008 servers on the network. You want to automate the installation of the servers and activate the servers automatically. Which of the following options would you choose to accomplish the desired goal? A. Implement Multiple Activation Key (MAK) Independent Activation and Deployment Services (WDS). B. Implement Key Management Service (KMS) and Windows Deployment Services (WDS). C. Use Multiple Activation Key (MAK) Independent Activation. D. Implement a DHCP server and the Key Management Service (KMS). E. None of the above Answer: B For the deployment of the servers in the branch office with the given requirements, you need to implement Key Management Service (KMS), and Windows Deployment Services (WDS). The KMS key is used to activate computers against a service that you can host in your environment, so you don't have to connect to Microsoft servers. To activate computers by using KMS, you must have a minimum number of physical computers. The KMS key is installed on the host computer only. To activate the KMS host, you must have at least 25 computers running Windows Vista or Windows Server 2008 that are connected together; for Windows Server 2008, the minimum is 5 computers. You need Windows Deployment Services (WDS) because it enables you to automate the deployment Windows operating systems. You can use it to set up new computers by using a "Pass Any Exam. Any Time." - www.actualtests.com 12
network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Microsoft 70-646: Practice Exam Reference : Microsoft Product Activation http://www.microsoft.com/licensing/resources/vol/default.mspx Reference : Step-by-Step Guide for Windows Deployment Services in Windows Server 2003 / What is Windows Deployment Services? http://technet.microsoft.com/en-us/library/cc766320.aspx#bkmk_1 QUESTION NO: 12 consists of a single Active Directory domain. Which of the following options would you choose to consolidate the 50 physical Windows Server 2003 servers into 10 physical Windows Server 2008 servers? While consolidation, you need to ensure that the existing hardware and software should be used and 64-bit child virtual machines can be created. Which of the following options would you choose to accomplish the desired task? A. Install Microsoft Virtual PC. B. Install the Hyper-V feature. C. Consolidate services across the physical machines and create the necessary host (A) records. D. Install Microsoft Virtual Server 2005 R2. E. None of the above Answer: B To ensure that existing hardware and software is used and to ensure the support for 64-bit child virtual machines, you need to install the Hyper-V feature to convert the physical machines into virtual machines. The Hyper-V feature provides Physical-to-Virtual (P2V) Conversion Wizard that guides administrators through the process of creating a virtual version of a physical server, including creating images of physical hard disks, preparing the images for use in a VM, and creating the final VM. The wizard can create virtual servers from physical servers and can run on Windows Server 2003 with SP1 (32-bit only) and on Windows Server 2008 (without Hyper-V role enabled) besides many other Operating systems. "Pass Any Exam. Any Time." - www.actualtests.com 13
Reference : Virtual Machine Manager 2008 Supports Hyper-V / Other Features http://www.directionsonmicrosoft.com/sample/domis/update/2008/07jul/0708vmm2sh.htm QUESTION NO: 13 consists of a single Active Directory domain. The company has decided to open 2 new branch offices and deploy 1,000 new Windows Vista Enterprise Edition computers. The Windows Vista installations need to be done using Pre-boot Execution Environment (PXE) network adapters that those 1000 computers already have. Which of the following options would you choose to ensure that 50 simultaneous installations of Windows Vista can be done in minimum amount of time and the impact of network operations during the deployment of the new computers is minimized? A. Install Windows Deployment Services (WDS) server role and configure all the routers with IP Helper tables. B. Install Windows Deployment Services (WDS) server role and configure eachwds server by using legacy mode. C. Install both Windows Deployment Services (WDS) server role and Transport Server role services and then configure the Transport Server with a static multicast address range. D. Install both Windows Deployment Services (WDS) server role and Transport Server role services and then configure the Transport Server to use a custom network profile. E. None of the above Answer: C To ensure that 50 simultaneous installations of Windows Vista in minimum amount of time in a Pre-boot Execution Environment, you need to deploy the Windows Deployment Services (WDS) server role and the Transport Server feature. You can install both the Deployment Server and Transport Server role services (which is the default installation) or only Transport Server role services. The Windows Deployment Services (WDS) enables you to automate the deployment of Windows operating systems. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD You can configure Transport Server to enable you to boot from the network using Pre-Boot Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or both. "Pass Any Exam. Any Time." - www.actualtests.com 14
The Transport Server role service provides a subset of the functionality of Windows Deployment Services. It contains only the core networking parts. You can use Transport Server to create multicast namespaces that transmit data (including operating system images) from a stand-alone server. The stand-alone server does not need Active Directory, DHCP, or DNS. You can If multiple servers are using multicast functionality on a network (Transport Server, Deployment Server, or another solution), it is important that each server is configured so that the multicast IP addresses do not collide. Otherwise, you may encounter excessive traffic when you enable multicasting. Note that each Windows Deployment Services server will have the same default range. To work around this issue, specify static ranges that do not overlap to ensure that each server is using a unique IP address Reference : Transport Server http://technet.microsoft.com/en-us/library/cc771645.aspx QUESTION NO: 14 consists of a single Active Directory domain that runs a 64-bit version of Windows Server 2008 server. The server has DHCP server role installed on it. The corporate network only uses IPv4. The company has decided to deploy 50 new Windows Server 2008 servers.the installations need to be done using Pre-boot Execution Environment (PXE) network adapters that is already supported by the new computers. Besides some of the new computers contain 64-bit hardware and some of the servers contain 32-bit hardware. Which of the following options would you choose to ensure the automated deployment of the new servers in minimum hardware cost? A. Deploy Windows Deployment Services (WDS) on two Windows Server 2008 servers. One for the 64-bit server and the other for 32-bit server B. Deploy Remote Installation Services (RIS) on two Windows Server 2003 servers having Service Pack 2 installed. One for the 64-bit server and the other for 32-bit server C. Deploy Windows Deployment Services (WDS) on the DHCP server D. Deploy Remote Installation Services (RIS) on a 64-bit Windows Server 2003 server. E. None of the above Answer: C "Pass Any Exam. Any Time." - www.actualtests.com 15
To ensure the automated deployment of the new servers in minimum hardware cost in the given scenario, you need to deploy Windows Deployment Services (WDS) on the DHCP server. You must have a working DHCP server with an active scope on the network because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing Reference : Installing Windows Deployment Services http://technet.microsoft.com/en-us/library/cc771670.aspx Section 3, Plan infrastructure services server roles (10 Questions) QUESTION NO: 15 consists of a single Active Directory forest having 20 domains configured under it. All the domain controllers on the network run Windows Server 2008 and have the DNS role installed on them. You company has decided to replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for the name resolution. Which of the following options would you choose to Support IPv4 and IPv6 environments, allow single-label name resolution across all domains, and minimize the amount of NetBT traffic on the network while replacing a legacy Windows Internet Name Service (WINS) environment? A. Configure all the DNS zones to perform a WINS forward lookup. B. Configure all the DNS zones to replicate as part of a custom Active Directory replication partition. C. Configure a GlobalNames zone on each domain controller. D. Configure all the DNS zones to replicate to each DNS server in the forest. E. None of the above Answer: C To Support IPv4 and IPv6 environments, allow single-label name resolution across all domains, and minimize the amount of NetBT traffic on the network while replacing a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment, you need to configure a GlobalNames zone on each domain controller. The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to assist organizations to move away from WINS and allow organizations to move to an all-dns environment. Unlike WINS, The GlobalNames zone is not intended to be used for "Pass Any Exam. Any Time." - www.actualtests.com 16
peer-to-peer name resolution. The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all name resolution will rely on DNS. It supports dual IPv4 and IPv6 environment and use only DNS for name resolution. Reference : Understanding the New GlobalNames Zone Functionality in Windows Server2008 http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-inwindows-server-2008/ Reference : DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/dns- GlobalNames-Zone-Deployment.doc. QUESTION NO: 16 consists of a single Active Directory domain. All servers on the corporate network run Windows Server 2008 and all client computers run Windows Vista. The company has an enterprise certification authority (CA). You have been asked to install certificates automatically on each client computer and deploy the certificates to all users by using a new certificate template by using minimum amount of effort. You need to ensure that users have access to the new certificates when they log on to any client computer in the domain. Which of the following options would you choose to accomplish the given task? (Select two. Each correct answer will form a part of the solution) A. Configure autoenrollment of certificates. B. Deploy an enterprise subordinate CA C. Configure roaming user profiles. D. Configure folder redirection. E. Configure Credential Roaming. Answer: A,E "Pass Any Exam. Any Time." - www.actualtests.com 17
To ensure that users have access to the new certificates when they log on to any client computer in the domain while meeting other requirements, you need to Configure autoenrollment of certificates and Credential Roaming The autoenrollment process grants certificates based on certificate templates that are supplied with Read, Enroll, and Autoenroll permissions for the users, groups, or computers who require autoenrollment. With the credential roaming functionality, managed environments can now store X.509 certificates, certificate requests, and private keys specific to a user in Active Directory, independently from the profile. The credential roaming implementation in Windows Vista and Windows Server "Longhorn" is additionally able to roam stored user names and passwords. This would ensure that users have access to the new certificates when they log on to any client computer in the domain With credential roaming, once a domain user chooses in a Windows authentication dialog box to cache or 'remember' the current credentials, the user will have the same experience on any domain-joined computer that the user logs on to. Reference : How can I enable digital certificate autoenrollment in Windows Server 2003? http://windowsitpro.com/article/articleid/48665/how-can-i-enable-digital-certificate-autoenrollmentin-windows-server-2003.html Reference : About Credential Roaming http://technet.microsoft.com/hi-in/library/cc700848(en-us).aspx QUESTION NO: 17 consists of a single Active Directory domain. All domain controllers on the corporate network run Windows Server 2008 and all client computers run either Windows Vista or Windows XP Service Pack 1. The corporate network contains 100 servers and 5,000 client computers. Which of the following options would you choose to implement a VPN solution that allows you to store VPN passwords as encrypted text and provide support for Suite B cryptographic algorithms? Besides it should support client computers that are configured as members of a workgroup and allow automatic enrollment of certificates. (Select three. Each correct answer will form a part of the answer.) "Pass Any Exam. Any Time." - www.actualtests.com 18
A. Upgrade the client computers to Windows Vista. B. Upgrade the client computers to Windows XP Service Pack 2. C. Implement an enterprise certification authority (CA) that is based on Windows Server 2008. D. Implement a stand-alone certification authority (CA). E. Implement an IPsec VPN that uses pre-shared keys. F. Implement an IPsec VPN that uses certificate-based authentication. Answer: A,C,F To implement a VPN solution that allows you to store VPN passwords as encrypted text and provide support for Suite B cryptographic algorithms, you need to Upgrade the client computers to Windows Vista and implement an enterprise certification authority (CA) that is based on Windows Server 2008. Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 (SP1) and in Windows Server 2008. Suite B is a set of standards that are specified by the National Security Agency (NSA). Suite B includes Encryption algorithms. To support client computers that are configured as members of a workgroup and allow automatic enrollment of certificates, you need to Implement an IPsec VPN that uses certificate-based authentication. IPSec deployments can take advantage of certificate-based authentication via industry-standard x.509 digital certificates. ADCS in Windows Server2008 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use ADCS to enhance security by binding the identity of a person, device, or service to a corresponding public key. ADCS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments. Reference : Description of the support for Suite B cryptographic algorithms that was added in Windows Vista Service Pack 1 and in Windows Server 2008 http://support.microsoft.com/kb/949856 Reference : iphone and Virtual Private Networks (VPN) http://images.apple.com/iphone/enterprise/docs/iphone_vpn.pdf. QUESTION NO: 18 "Pass Any Exam. Any Time." - www.actualtests.com 19
is configured with Perimeter network as shown in the exhibit. Exhibit: The company uses an enterprise certification authority (CA) and a Microsoft Online Responder on the internal network. Which of the following options would you choose to implement a secure method for Internet users to verify the validity of individual certificates with the use of minimum network bandwidth? (Select two. Each correct answer will form a part of the answer.) A. Install a stand-alone CA on a server on the perimeter network B. Deploy a subordinate CA on the perimeter network. C. Install Network Device Enrollment Service (NDES) on a server on the perimeter network. D. Install a Network Policy Server (NPS) on a server on the perimeter network. E. Redirect authentication requests to a server on the internal network. F. Install IIS on a server on the perimeter network G. Configure IIS to redirect requests to the Online Responder on the internal network. Answer: F,G To implement a secure method for Internet users to verify the validity of individual certificates with the use of minimum network bandwidth, you need to install IIS on a server on the perimeter network and configure IIS to redirect requests to the Online Responder on the internal network. Windows Vista and the WindowsServer 2008 operating system will natively support both CRL and Online Certificate Status Protocol (OCSP) as a method of determining certificate status. The OCSP support includes both the client component as well as the Online Responder, which is the server component. The Online Responder Web proxy cache represents the service interface for the Online Responder. It is implemented as an Internet Server Application Programming Interface (ISAPI) extension hosted by Internet Information Services (IIS) When an application performs a certificate evaluation, the validation is performed on all certificates in that certificate's chain. This includes every certificate from the end-entity certificate presented to the application to the root certificate. It is an online process and is designed to respond to single "Pass Any Exam. Any Time." - www.actualtests.com 20
certificate status requests. Microsoft 70-646: Practice Exam Reference : Online Responder Installation, Configuration, and Troubleshooting Guide http://technet.microsoft.com/en-us/library/cc770413.aspx QUESTION NO: 19 consists of a single Active Directory domain. All the servers on the network either run Windows Server 2003 or Windows Server 2008 and all client computers run Windows Vista. The company possesses a public key infrastructure (PKI) that consists of an offline root certification authority (CA) and two Enterprise Subordinate CAs that run Windows Server 2003. You publish the certificates to the user accounts and the computer accounts in Active Directory. Which of the following options would you choose to create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers in such a way that the certificates must support Suite B hashing and encryption algorithms and store private keys in Active Directory in minimum amount of administrative effort? A. Configure cross-certification between the CA hierarchies by creating a new PKI that uses Windows Server 2008 CAs.. B. Install a new Windows Server 2008 enterprise subordinate CA. C. Install a new Windows Server 2008 stand-alone subordinate CA. D. Create a new Active Directory forest and configure one-way forest trusts between the two forests by deploying a new PKI that uses Windows Server 2008 CAs. E. None of the above. Answer: B To create a PKI solution for the Windows Vista client computers and the Windows Server 2008 servers that meed the desired requirements, you need to install a new Windows Server 2008 enterprise subordinate CA. To use SuiteB algorithms for cryptographic operations, you first need a Windows Server2008- based CA to issue certificates that are SuiteB-enabled SuiteÂB algorithms such as ECC are supported only on the WindowsÂVista and Windows ServerÂ2008 operating systems. This means it is not possible to use those certificates on earlier versions of Windows such as WindowsÂXP or WindowsÂServerÂ2003. "Pass Any Exam. Any Time." - www.actualtests.com 21
If you already have a PKI with CAs running WindowsÂServerÂ2003 or where classic algorithms are being used to support existing applications, you can add a subordinate CA on a server running Windows ServerÂ2008, but you must continue using classic algorithms. Reference : Cryptography Next Generation / How should I prepare to deploy this feature? http://technet.microsoft.com/en-us/library/cc730763.aspx QUESTION NO: 20 consists of a single Active Directory forest called CertKiller.com. The forest contains two domains. You want to configure another child domain called Branch3.CertKiller.com with two domain controllers having the DNS server role installed. You want to put all the users and computers in the new branch office in the branch3.certkiller.com domain. Which of the following options would you choose to implement a DNS infrastructure for the child domain to ensure resources in the root domain and child domains are accessible by fully qualified domain names? You solution must also provide name resolution services in the event that a single server fails for a prolonged period of time and automatically recognize when new DNS servers are added to or removed from the CertKiller.com domain. A. Add conditional forwarders for CertKiller.com on both the domain controllers of branch3.certkiller.com domain. Next create a standard primary zone for branch.certkiller.com. B. On one of the domain controllers of branch3.certkiller.com domain, create a standard primary zone for CertKiller.com. On the other domain controller, create a standard secondary zone for CertKiller.com. C. On both the domain controllers of branch3.certkiller.com domain, modify the root hints to include the domain controllers for CertKiller.com. On one of domain controllers, create an Active Directory integrated zone for branch.certkiller.com. D. On one of the domain controllers of branch3.certkiller.com domain, create an Active Directory Integrated zone for branch3.certkiller.com and create an Active Directory Integrated stub zone for CertKiller.com. E. None of the above. Answer: D To implement a DNS infrastructure for the child domain to ensure resources in the root domain and child domains are accessible by fully qualified domain names, you need to create an Active "Pass Any Exam. Any Time." - www.actualtests.com 22
Directory Integrated zone for branch3.certkiller.com on one of the domain controllers of branch3.certkiller.com domain. Microsoft 70-646: Practice Exam Active Directory Integrated zones, store their zone information within Active Directory instead of text files. The advantages of this new type of zone included using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database.this would ensure that the name resolution service will automatically recognize when new DNS servers are added to or removed from the CertKiller.com domain You also need to create an Active Directory Integrated stub zone for CertKiller.com to ensure the name resolution services in the event that a single server fails for a prolonged period of time. It contains copies of all the resource records in the corresponding zone on the master name server. A stub zone is like a secondary zone in that it obtains its resource records from other name servers (one or more master name servers). Stub zones can be used instead of secondary zones to reduce the amount of zone transfer traffic over the WAN link connecting the two companies. When Active Directory-integrated stub zones are hosted in separate sites, you can update them using a local list of master servers in each site. Reference : DNS Stub Zones in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/dns_stub_zones.html Reference: Host Name Resolution Overview http://www.tech-faq.com/planning-and-implementing-a-dns-namespace.shtml QUESTION NO: 21 You are an Enterprise administrator for CertKiller.com. The company consists of a head office and three branch offices. The corporate network of the company consists of a single Active Directory domain. Each office contains an Active Directory domain controller. Which of the following options would you choose to create a DNS infrastructure for the network that would allow the client computers in each office to register DNS names within their respective offices? You also need to ensure that the client computers must be able to resolve names for hosts in all offices. A. For each office site, create a standard primary zone. B. For the head office site, create a standard primary zone and for each branch office site, create an Active Directory-integrated stub zone. "Pass Any Exam. Any Time." - www.actualtests.com 23
C. For the head office site, create a standard primary zone at the head office site and for each branch office site, create a secondary zone. D. Create an Active Directory-integrated zone at the head office site. E. None of the above. Answer: D To create a DNS infrastructure for the network that would allow the client computers in each office to register DNS names within their respective offices and to ensure that the client computers must be able to resolve names for hosts in all offices, you need to create an Active Directory-integrated zone at the head office site Active Directory Integrated zones, store their zone information within Active Directory instead of text files. This ensures that the client computers can resolve names for hosts in all offices. The advantages of this new type of zone included using Active Directory replication for zone transfers and allowing resource records to be added or modified on any domain controller running DNS. In other words, all Active Directory Integrated zones are always primary zones as they contain writable copies of the zone database. Reference : DNS Stub Zones in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/dns_stub_zones.html QUESTION NO: 22 consists of a single Active Directory forest called CertKiller.com. The forest contains five domains. The domain controllers on the network run Windows Server 2008 and have the DNS server role installed. You company has decided to replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for name resolution. Which of the following options would you choose to plan the infrastructure for name resolution to support IPv4 and IPv6 environments, enable single-label name resolution across all domains, and minimizing the amount of NetBIOS over TCP/IP (NetBT) traffic on the network? A. Implement custom Active Directory replication partition and modify each DNS zone to replicate as part of it B. Configure each DNS zone to perform a WINS forward lookup. C. Configure each DNS zone to replicate to each DNS server in the forest. "Pass Any Exam. Any Time." - www.actualtests.com 24
D. Configure a GlobalNames zone on each domain controller. E. None of the above. Answer: D To replace a legacy Windows Internet Name Service (WINS) environment with a DNS-only environment for name resolution with given requirements, you need to configure a GlobalNames zone on each domain controller. The DNS Server Role in Windows Server 2008 now supports the GlobalNames Zone. This has been introduced to assist organizations to move away from WINS and allow organizations to move to an all-dns environment. Unlike WINS, The GlobalNames zone is not intended to be used for peer-to-peer name resolution. The GlobalNames Zone (GNZ) is used to hold single-label names. The GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). GNZ provides single-label name resolution whereas WINS provides NetBIOS resolution. If you plan to retire WINS or plan to deploy IPv6 only in your environment, all name resolution will rely on DNS. It supports dual IPv4 and IPv6 environment and use only DNS for name resolution. Reference : Understanding the New GlobalNames Zone Functionality in Windows Server2008 http://johnpolicelli.wordpress.com/2008/01/15/understanding-the-new-globalnames-zone-inwindows-server-2008/ Reference : DNS Server GlobalNames Zone Deployment / How GNZ Resolution Works http://download.microsoft.com/download/e/2/0/e2090852-3b7f-40a3-9883-07a427af1560/dns- GlobalNames-Zone-Deployment.doc. QUESTION NO: 23 You are an Enterprise administrator for CertKiller.com. Your company possesses a stand-alone root certification authority (CA) for the corporate network. The corporate network contains a Windows Server 2008 server called CertKillerServer1. You issue a server certificate to CertKillerServer1 and deploy Secure Socket Tunneling Protocol (SSTP) on CertKillerServer1 for secure browsing. Which of the following options would you choose to ensure that the external partner computers would be allowed to access internal network resources by using SSTP? "Pass Any Exam. Any Time." - www.actualtests.com 25