QUESTION 21
Your network consists of one Active Directory domain. The functional level of the domain is Windows Server 2008. The domain has 30 domain controllers. Twenty administrators manage the domain. You plan to implement an audit and compliance policy. You need to ensure that all changes made to Active Directory objects are recorded. What should you do?
A. On all domain controllers, run the Security Configuration Wizard (SCW).
B. In the Default Domain Controller Policy, configure a Directory Services Auditing policy.
C. In the Default Domain Controller Policy, configure and implement a file-level audit policy for the SYSVOL volume.
D. Create a Group Policy object (GPO) linked to the Domain Controllers OU. Configure the GPO to install the Microsoft Baseline Security Analyzer (MBSA).
Answer: B
Explanation:
To implement an audit and compliance policy and ensure that all changes made to Active Directory objects are recorded, you need to configure a Directory Services Auditing policy in the Default Domain Controller Policy. In Windows Server 2008, you can enable the Audit Directory Service Access policy to log events in the Security event log whenever certain operations are performed on objects stored in Active Directory. Enabling the global audit policy, Audit directory service access, enables all directory service policy subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy (under Security Settings\Local Policies\Audit Policy).
Reference: Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881c-ea8e02b4b2a51033.mspx?mfr=true
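The GPO setting named in the explanation applies the audit policy to every domain controller at once. As an added example (not part of the original question set or of the referenced guide), the script below uses auditpol to enable the same subcategories on a single domain controller, confirms the effective setting, and then reads the resulting change events back out of the Security log so you can see who changed which object. It assumes an elevated PowerShell 2.0 or later session on a Windows Server 2008 or later domain controller; events are only written for objects whose SACL audits the operation, which the referenced guide covers.

```powershell
# Added example: enable Directory Service auditing on this DC and review the events.
# Assumes an elevated PowerShell 2.0+ session on a Windows Server 2008+ domain controller.

# Enable success and failure auditing for the two DS Access subcategories the
# explanation refers to. These are the per-DC equivalents of the GPO setting.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

# Confirm the effective policy on this DC (GPO and local settings combined).
auditpol /get /category:"DS Access"

# Event IDs written by the Directory Service Changes subcategory:
# 5136 modify, 5137 create, 5138 undelete, 5139 move, 5141 delete.
$changeEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = 5136, 5137, 5138, 5139, 5141
} -MaxEvents 50 -ErrorAction SilentlyContinue

# Flatten each event's EventData into a row: who changed what, and which attribute.
$changeEvents | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object    = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']
    }
} | Format-Table -AutoSize
```

Because each of the 30 domain controllers logs the changes it processes, a compliance policy also needs the Security logs collected centrally (event forwarding or a log collector) so that the record is complete and survives log rollover on any one DC.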
QUESTION 22
Your network consists of one Active Directory domain. All domain controllers run Windows Server 2003. You need to plan the forest and domain functional levels to support the following requirements:
– Read-only domain controllers (RODC)
– Windows Server 2003 domain controllers
Which functional levels should you include in your plan?
A. the forest functional level of Windows 2000 and the domain functional level of Windows Server 2003.
B. the forest functional level of Windows Server 2003 and the domain functional level of Windows Server 2003.
C. the forest functional level of Windows Server 2003 and the domain functional level of Windows Server 2008.
D. the forest functional level of Windows Server 2008 and the domain functional level of Windows Server 2008.
Answer: B
Explanation:
To support both read-only domain controllers (RODCs) and Windows Server 2003 domain controllers, you need to plan for both the forest functional level and the domain functional level of Windows Server 2003. An RODC requires the forest functional level and the domain functional level to be at least Windows Server 2003, while raising either level to Windows Server 2008 would no longer allow the existing Windows Server 2003 domain controllers. Windows Server 2003 for both levels is therefore the only combination that meets both requirements.
Reference: Appendix of Functional Level Features
http://technet2.microsoft.com/windowsserver2008/en/library/34678199-98f1-465f-9156-c600f723b31f1033.mspx?mfr=true
QUESTION 23
Your network contains servers that run Windows Server 2008 and client computers that run Windows Vista. All network routers support IPsec connections. Client computers and servers use IPsec to connect through network routers. You have two servers named Server1 and Server2. Server1 has Active Directory Certificate Services (AD CS) installed and is configured as a certification authority (CA). Server2 runs Internet Information Services (IIS). You need to recommend a certificate solution for the network routers. The solution must meet the following requirements:
– Use the Simple Certificate Enrollment Protocol (SCEP).
– Enable the routers to automatically request certificates.
What should you recommend implementing?
A. certification authority Web enrollment services on Server2
B. Network Device Enrollment Service on Server2
C. Online Responder service on Server1
D. subordinate CA on Server1
Answer: B
Explanation:
To recommend a certificate solution for the network routers that would enable the routers to automatically request certificates and that would use the Simple Certificate Enrollment Protocol (SCEP), you need to implement the Network Device Enrollment Service on Server2. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Microsoft Systems Inc.
Reference: Windows Server Active Directory Certificate Services Step-by-Step Guide / AD CS Technology Review
http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6f-a801-ae6a87fd174c1033.mspx?mfr=true
QUESTION 24
Your network consists of two Active Directory forests named Forest1 and Forest2. The functional level of both forests is Windows Server 2003. Both forests contain only domain controllers that run Windows Server 2008. You install a new server named Server1 in Forest2. You need to recommend an access solution that meets the following requirements:
– Users in Forest1 must have access to resources on Server1.
– Users in Forest1 must be denied access to all other resources within Forest2.
What should you recommend?
A. Raise the forest functional level of Forest1 and Forest2 to Windows Server 2008.
B. Raise the domain functional level of all domains in both forests to Windows Server 2008.
C. Create a forest trust between Forest1 and Forest2. Set the Allowed to Authenticate right on the computer object for Server1.
D. Create a forest trust between Forest1 and Forest2. Set the Allowed to Authenticate right on the computer object for the Forest2 infrastructure operations master object.
Answer: C
Explanation:
To give users in Forest1 access to Server1 while denying them access to all other resources in Forest2, you first need to create a forest trust between Forest1 and Forest2 so that resources can be shared between the forests. Set the trust's authentication setting to selective authentication so that users from Forest1 are not automatically authenticated by every computer in Forest2. Next, set the Allowed to Authenticate right on the computer object for Server1: when the trust uses selective authentication, users in the trusted Windows Server 2003 domain or forest can only access resources in the trusting domain or forest if they have been explicitly granted the 'Allowed to Authenticate' permission on the security descriptor of the computer objects (resource computers) that reside in the trusting domain or forest. You should not set the Allowed to Authenticate right on the computer object for the Forest2 infrastructure operations master, because the permission is granted on the objects of the resource computers that users are allowed to reach, not on an infrastructure object.
Reference: Grant the Allowed to Authenticate permission on computers in the trusting domain or forest
http://technet2.microsoft.com/windowsserver/en/library/b4d96434-0fde-4370-bd29-39e4b3cc7da81033.mspx?mfr=true
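As an added example (not from the original question set or the referenced article), the script below shows the two steps the explanation describes on the Forest2 side: switch the existing forest trust to selective authentication, then grant Allowed to Authenticate on Server1's computer object only, and verify that the permission is present. It assumes the forest trust has already been created (for example with Active Directory Domains and Trusts), an elevated session on a domain controller in Forest2, and the illustrative names forest2.example, forest1.example, the OU path of Server1 and the group FOREST1\Server1 Users, none of which come from the question.

```powershell
# Added example: selective authentication plus Allowed to Authenticate on one computer object.
# Assumptions (not from the question): forest2.example is the trusting forest, forest1.example
# the trusted forest, the forest trust already exists, and the session is elevated on a Forest2 DC.

# Switch the trust to selective authentication so that Forest1 users receive no implicit
# access to computers in Forest2; each resource computer must grant them explicitly.
netdom trust forest2.example /domain:forest1.example /SelectiveAuth:yes

# Confirm the trust is healthy after the change.
netdom trust forest2.example /domain:forest1.example /verify

# Grant the Allowed to Authenticate control access right on Server1's computer object
# to a group from Forest1. DN and group name are illustrative placeholders.
$server1Dn = 'CN=Server1,OU=Partner Servers,DC=forest2,DC=example'
dsacls $server1Dn /G 'FOREST1\Server1 Users:CA;Allowed to Authenticate'

# Verify the ACE is present on Server1 (and check that it was not granted elsewhere).
dsacls $server1Dn | Select-String 'Allowed to Authenticate'
```

Granting the right to a group rather than to individual users keeps the Server1 ACL small and lets Forest1 administrators manage membership; reviewing computer objects in Forest2 for stray Allowed to Authenticate entries is the check that confirms the "denied everywhere else" requirement still holds.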
QUESTION 25
Your network contains a server that runs Windows Server 2008. Internal users of the network and external partners collaborate on work projects. You need to plan a collaboration solution for the internal users and the external partners to meet the following requirements:
– Enable environment access audits.
– Enable secure access to files based on permissions.
– Enable remote access to files by using a Web browser.
– Enable search of data stored in database and file servers.
What should you include in your plan?
A. Install and configure the Web Server role.
B. Install and configure the Application Server role.
C. Install and configure Microsoft Windows SharePoint Services (WSS) 3.0.
D. Install and configure Microsoft Office SharePoint Server (MOSS) 2007.
Answer: D
Explanation:
To implement a collaboration solution for the internal users and the external partners of the company that would enable secure access to files based on the permissions of the users and meet the other requirements, you need to use Microsoft Office SharePoint Server (MOSS) 2007. Office SharePoint Server 2007 is tightly integrated with familiar client desktop applications, e-mail, and Web browsers to provide a consistent user experience that simplifies how people interact with content, processes, and business data. This tight integration, coupled with robust out-of-the-box functionality, helps you employ services themselves and facilitates product adoption.
Reference: Microsoft Office SharePoint Server 2007 top 10 benefits
http://office.microsoft.com/en-us/sharepointserver/HA101655201033.aspx
QUESTION 26
Your company has a main office and a new branch office. The network consists of one Active directory domain. The branch office contains two member servers that run Windows Server 2008 R2. One of the servers is configured as a file server that hosts shared folders. An administrator in the branch office is responsible for maintaining the servers. You have a single DNS zone that is hosted on a DNS server located in the main office. A wide area network (WAN) link between the branch office and the main office is unreliable. You need to recommend a network services solution for the new branch office. The solution must meet the following requirements:
– Users must be able to log on to the domain if a WAN link fails.
– Users must be able to access file shares on the local server if a WAN link fails.
– Branch office administrators must be prevented from initiating changes to Active Directory.
– Branch office administrators must be able to make configuration changes to the servers in the branch office.
What should you recommend?
A. Promote the member server to a domain controller and add the branch office administrators to the Domain Admins group.
B. Promote the member server to a read-only domain controller (RODC) and add the branch office administrators to the Domain Admins group.
C. Promote the member server to a read-only domain controller (RODC) and configure the DNS role. Delegate administrative rights to the local branch office administrator.
D. Promote the member server to a domain controller and configure the DNS role. Create an organizational unit (OU) for each branch office and delegate administrative rights to the local branch office administrator.
Answer: C
Explanation:
To ensure that the users in the branch office are able to log on to the domain even if the WAN link fails, you need to promote the member server to a read-only domain controller (RODC), because an RODC works as a domain controller and allows logon to the domain while not allowing modifications and changes to the Active Directory domain. Delegating administrative rights to the local branch office administrator after promoting the member server to an RODC ensures that the branch office administrator is not allowed to initiate any changes to Active Directory but is allowed to make configuration changes to the servers in the branch office. Configuring the DNS role on the member server ensures that users can still access file shares on the local server when the WAN link is down. Without name resolution and the other services that DNS servers provide, client access to remote host computers would be prohibitively difficult, because on an intranet computer users rarely know the IP addresses of computers on their local area network (LAN).
Reference: DNS Server Role: Read-only domain controller support/ Who will be interested in this server role?
http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true
QUESTION 27
Your Company has one main office and 100 branch offices. The network consists of one Active Directory domain. All domain controllers run Windows Server 2008 R2. The wide area network (WAN) links from the branch offices to the main office are unreliable. A local administrator manages each branch office. Your company plans to add a new branch office. You create a new organizational unit (OU) that contains all the computer accounts for the new branch office. You configure a server in the main office to test all new software updates. You install Microsoft Windows Server Update Services (WSUS) 3.0. You need to implement an update management solution for the new branch office to meet the following requirements:
– Only approved updates must be installed in the branch office.
– Client computers must be able to download updates if a WAN link fails.
– Each branch office administrator must be able to approve updates before installation.
What should you do?
A. In each branch office, install a WSUS 3.0 server as a replica server and configure it to download updates from the main office. Configure all computers to receive updates from their local WSUS server.
B. In each branch office, install a WSUS 3.0 server as a child server and configure it to download updates from Microsoft Update. Configure all computers to receive updates from their local WSUS server.
C. In the main office, install a WSUS 3.0 server as a child server and configure it to download updates from Microsoft Update. Configure all computers to receive updates from the new WSUS server.
D. In the main office, install and configure a WSUS 3.0 server as a stand-alone server and configure it to download updates from Microsoft Update. Configure all computers to receive updates from the new WSUS server.
Answer: B
Explanation:
To ensure that only the updates approved by the head office are installed in the new branch office, and that each branch office administrator is able to approve updates before their installation, you need to install a WSUS 3.0 server as a child server in each branch office. A child server can be configured as a replica or as an autonomous server. You should not configure a replica server, because you do not want a single administrator managing all WSUS activities; you want each branch office administrator to be able to approve updates before their installation, which is possible in autonomous mode. To ensure that the client computers are able to download updates even if the WAN link fails, you need to configure the WSUS 3.0 server to download updates from Microsoft Update.
Reference: Deploying Microsoft Windows Server Update Services WSUS in a WAN http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html
QUESTION 28
Your company has one main office and eight branch offices. Each branch office has one server and 20 client computers. The network consists of one Active Directory domain. All main office domain controllers run Windows Server 2008. All branch office servers are configured as domain controllers and run Windows Server 2003 Service Pack 1 (SP1). You need to implement a security solution for the branch offices to meet the following requirements:
– The number of user passwords stored on branch office domain controllers must be minimized.
– All files stored on the branch office domain controller must be protected in the event of an offline attack.
What should you do?
A. Upgrade branch office domain controllers to Windows Server 2008. Enable Windows BitLocker Drive Encryption (BitLocker).
B. Replace branch office domain controllers with Windows Server 2008 read-only domain controllers (RODCs). Enable Windows BitLocker Drive Encryption (BitLocker).
C. Replace branch office domain controllers with Windows Server 2008 read-only domain controllers (RODCs). Enable Encrypting File System (EFS) for all server drives.
D. Add the branch office domain controller computer accounts to the read-only domain controllers (RODCs) group. Enable Encrypting File System (EFS) for all server drives.
Answer: B
Explanation:
To ensure that only a minimum number of user passwords is stored on the branch office domain controllers, you need to replace the branch office domain controllers with Windows Server 2008 read-only domain controllers (RODCs), because an RODC can be configured to store only the passwords of specified users and computers. This limitation reduces the risk if an RODC is compromised. To ensure that all files stored on the domain controller are protected from any kind of offline attack, you need to use Windows BitLocker Drive Encryption. BitLocker allows you to encrypt all data stored on the Windows operating system volume and can use a Trusted Platform Module (TPM), which helps protect user data and ensures that a computer running Windows Vista or Windows Server 2008 has not been tampered with while the system was offline.
Reference: Active Directory Enhancements in Windows Server 2008 http://windowsitpro.com/articles/print.cfm?articleid=98061
Reference: BitLocker Drive Encryption Technical Overview http://technet2.microsoft.com/windowsserver2008/en/library/a2ba17e6-153b-4269-bc46-6866df4b253c1033.mspx?mfr=true
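As an added example (not from the original question set or the referenced articles), the script below shows how the "store only the passwords of specified users and computers" behaviour is configured and checked on an RODC with the Active Directory module that ships with Windows Server 2008 R2: a branch-specific group is added to the RODC's allowed list, privileged groups stay denied, and the RODC is then queried for which account secrets it has actually cached. The RODC name BRANCH-RODC1 and the group Branch1 Users are illustrative placeholders, not names from the question.

```powershell
# Added example: restrict and audit the Password Replication Policy of one RODC.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT) and placeholder names
# BRANCH-RODC1 and 'Branch1 Users' that are not part of the question.
Import-Module ActiveDirectory

$rodc = 'BRANCH-RODC1'

# Allow only the branch's own users to have their passwords cached on this RODC.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1 Users'

# Keep highly privileged accounts explicitly denied so their secrets never reach the branch,
# even if they are later added to an allowed group.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Domain Admins', 'Enterprise Admins'

# Review the resulting policy.
'--- Allowed ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
'--- Denied ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# Audit which secrets this RODC currently holds. Any privileged account appearing here is a
# finding: it means the RODC compromise scenario the question describes would expose it.
'--- Passwords currently cached on the RODC ---'
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass, DistinguishedName
```

The revealed-accounts list is the one to review periodically: it reflects what the RODC has really cached, whereas the allowed and denied lists only describe what it is permitted to cache. BitLocker covers the remaining requirement by protecting the whole volume (including the cached secrets and SYSVOL) against an offline attack on the physical server.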
QUESTION 29
Your network consists of one Active Directory domain and one IP subnet. All servers run Windows Server 2008 R2. All client computers run Windows 7. The servers are configured as shown in the following table. (Exhibit not reproduced here.)
All network switches used for client connections are unmanaged. Some users connect to the local area network (LAN) from client computers that are joined to a workgroup. Some client computers do not have the latest Microsoft updates installed. You need to recommend a Network Access Protection (NAP) solution to protect the network. The solution must meet the following requirements:
– Only computers that are joined to the domain must be able to connect to servers in the domain.
– Only computers that have the latest Microsoft updates installed must be able to connect to servers in the domain.
Which NAP enforcement method should you use?
A. 802.1X
B. DHCP
C. IPsec
D. virtual private network (VPN)
Answer: C
Explanation:
To ensure that only computers that have the latest Microsoft updates installed, and only computers that are joined to the domain, are able to connect to servers in the domain, you need to use the IPsec NAP enforcement method. IPsec domain and server isolation methods are used to prevent unmanaged computers from accessing network resources. This method enforces health policies when a client computer attempts to communicate with another computer using IPsec.
Reference: Protecting a Network from Unmanaged Clients / Solutions http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclients.mspx
Reference: Network Access Protection (NAP) Deployment Planning / Choosing Enforcement Methods
http://blogs.technet.com/nap/archive/2007/07/28/network-access-protection-deployment-planning.aspx
QUESTION 30
Your network consists of one Active Directory forest. You have two servers named Server1 and Server2. Both servers run Windows Server 2008. All client computers run Windows Vista. Hardware on the servers is installed as shown in the following table. (Exhibit not reproduced here.)
Client computers use the Remote Desktop client to connect to Server1 and Server2. You need to recommend a solution to control the distribution of user requests made to Server1 and Server2. The solution must enable administrators to distribute the traffic based on the server hardware. What should you recommend?
A. Use DNS round-robin. Set the DoNotRoundRobinTypes registry entry to ptr srv ns.
B. Add the failover clustering feature. Configure Server1 as a passive node and Server2 as an active node.
C. Install Network Load Balancing. In Host Parameters, set Priority to 1 for Server2 and set Priority to 2 for Server1.
D. Use Terminal Services Session Broker (TS Session Broker) Load Balancing. Assign a weight value of 100 to Server1 and a weight value of 200 to Server2.
Answer: D
Explanation:
To control the distribution of user requests made to Server1 and Server2 in such a way that administrators can distribute the traffic based on the server hardware, you need to use TS Session Broker Load Balancing and assign a weight value of 100 to Server1 and a weight value of 200 to Server2. Terminal Services Session Broker (TS Session Broker) is a role service in the Windows Server 2008 operating system that enables you to load balance sessions between terminal servers in a farm, and allows a user to reconnect to an existing session in a load-balanced terminal server farm. The TS Session Broker Load Balancing feature also enables you to assign a relative weight value to each server. By assigning a relative weight value, you can help to distribute the load between more powerful and less powerful servers in the farm. By default, the server weight value is 100. The server weight is relative. Therefore, if you assign one server a value of 100 and the other a value of 200, the server with a relative weight of 200 will receive twice the number of sessions.
Reference: Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide / Configure TS Session Broker settings by using Terminal Services Configuration http://technet2.microsoft.com/windowsserver2008/en/library/f9fe9c74-77f5-4bba-a6b9433d823bbfbd1033.mspx?mfr=true