QUESTION 61
You network contains one Active Directory domain. All domain controllers run Windows Server 2008. The network has 100 servers and 5,000 client computers. Client computers run either Windows XP Service Pack 2 (SP2) or Windows Vista Service Pack 1 (SP1). You need to plan the deployment of Certificate Services on the network to support the following requirements:
– Automatic certificate enrollment
– Supported certificates for all client computers
What should you include in your plan?
A. Deploy a stand-alone certification authority (CA). Create V2 templates.
B. Deploy a stand-alone certification authority (CA). Create V3 templates.
C. Deploy an enterprise certification authority (CA). Create V2 templates.
D. Deploy an enterprise certification authority (CA). Create V3 templates.
Answer: C
Explanation:
To deploy Certificate Services on the network and ensure that there is automatic certificate enrollment on the network and there are supported certificates for all client computers, you need to Deploy an enterprise certification authority (CA) and create V2 templates. You should use enterprise certification authority (CA) because it is integrated with Active Directory, and only provides certificates to members within that Active Directory. You should not use Standalone CA because it doesn’t tap into a local or domain user account. You should used V2 templates instead of V1 templates because V2 templates are customizable. With V2 templates, a CA administrator is able to configure a wide range of settings that apply during certificate enrollment, such as minimum key length, subject name definition, enrollment requirements like enrollment agent signature, and so on
Reference: Certification Success – The Standalone CA Versus The Enterprise CA http://www.lockergnome.com/it/2004/10/19/certification-success-the-standalone-ca-versus-the-enterprise-ca/
Reference: Certificate Templates Overview
http://technet2.microsoft.com/windowsserver2008/en/library/65985352-e846-4d4d-9a0d-2fea1b7eceba1033.mspx?mfr=true
QUESTION 62
Your company has one main office and 10 branch offices. You plan to deploy Active Directory. You need to recommend a solution to recover Active Directory domain objects in the event of data loss.
The solution must ensure that you can recover individually deleted user accounts. What should you recommend?
A. Install multiple domain controllers.
B. Install a server that runs Windows Server 2008 that has Active Directory Lightweight Directory Services
(AD LDS).
C. Schedule regular system state backups by using Windows Server Backup.
D. Schedule regular backups of the SYSVOL folder on the existing domain controller.
Answer: C
Explanation:
To make sure that the Active Directory domain objects can be recovered in the event of data loss and to recover individually deleted user accounts, you need to use Windows Server Backup to schedule regular system state backups. The Windows Server Backup feature in Windows Server 2008 consists of an MMC snap-in and command-line tools that provide a complete solution for your day- to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. You can recover volumes, folders, files, certain applications, and the system state. And, in case of disasters like hard disk failures, you can perform a system recovery by using a full server backup and the Windows Recovery Environment–this will restore your complete system onto the new hard disk. You need not backup SYSVOL folder because it can include updates to passwords for user accounts, computer accounts, and trusts. It can also include updates to group membership, policies, and the replication topology and its schedules.
Reference: Backup and Recovery Overview / What is Windows Server Backup? http://technet2.microsoft.com/windowsserver2008/en/library/12d477a8-36db-4c26-aa9f- e85499545b5b1033.mspx?mfr=true
QUESTION 63
Your company has one office in New York and one office in Montreal. An Active Directory site exists for each office. The network consists of one Active directory domain. You create four organizational units (OUs) named NewYorkUsers, NewYorkComputers, MontrealUsers, and MontrealComputers. The offices collaborate on a company project. You create a group named Project that contains all user and computer accounts for employees working on the project. Project group users from the New York office are currently working from the Montreal office and are using their portable computers. You plan to deploy a new application to the Project group. You need to prepare the environment for the deployment of the application. The solution must meet the following requirements:
– Only the Project group must have the application installed.
– Existing Group Policy objects (GPOs) settings applied to the Project group must remain unaffected.
What should you do?
A. Create a GPO. Link the GPO to the Montreal site. Filter the application of the GPO to only the Project group.
B. Create a GPO. Link the GPO to the New York site. Filter the application of the GPO to only the Project group.
C. Move all Project group computers in the NewYorkComputers OU to the MontrealComputers OU.
Create a GPO. Link the GPO to the MontrealComputers OU to deploy the application.
D. Move all Project group computers in the MontrealComputers OU to the NewYorkComputers OU.
Create a GPO. Link the GPO to the NewYorkComputers OU to deploy the application.
Answer: A
Explanation:
To deploy a new application called App1 to only the JointProject group without affecting the existing Group Policy objects (GPOs) settings, you need to create a new GPO so that existing GPO settings are not affected and link a GPO to the branch office site. You need to then filter the application (App1) of the GPO to only the JointProject group rather than move all JointProject group computers to different OUs because filtering allows you to target only specific computers or users. You can create and modify multiple preference items within each GPO, and filter each preference item to target only specific computers or users. You should create and link a GPO to the branch office site and not to the head office site because all the users of the JointProject group are working from the branch office site even if some of them belong to head office site.
Reference: Group Policy/ Preferences
http://technet2.microsoft.com/windowsserver2008/en/library/3b4568bc-9d3c-4477-807d- 2ea149ff06491033.mspx?mfr=true
QUESTION 64
Your network consists of one Active Directory domain named contoso.com. The domain contains three Windows Server 2008 servers named Server1, Server2, and Server3. Server1 runs Active Directory Certificate Services (AD CS) and is configured as an enterprise root certification authority. Server2 hosts an internal Web site. Users currently connect to the Web site by using the URL https://server2.contoso.com. You plan to replicate the Web site from Server2 to Server3. You need to recommend a solution to enable users to connect to the Web site through HTTPS on either Server2 or Server3 by using a single URL The solution must meet the following requirements:
– Users must be able to use the https://www.contoso.com URL to connect to the Web site.
– Incoming connections must be dynamically balanced between Server2 and Servers3.
What should you recommend?
A. Add both servers to a Network Load Balancing cluster.
Export the Web server certificate on Server2 to Server3.
B. Add both servers to a failover cluster. Issue a Web server certificate forwww.contoso.com.
Install the certificate on Server2.
C. Add both servers to a Network Load Balancing cluster.
Issue a Web server certificate for www.contoso.com.Install the certificate on Server2 and Server3.
D. Add both servers to a failover cluster.
Issue a Web server certificate for server2.contoso.com and install the certificate on Server2.
Issue a Web server certificate for server3.contoso.com and install the certificate on Server3.
Answer: C
Explanation:
To connect to the Intranet website through HTTPS on either Server2 or Server3 by using a single URL, https://www.contoso.com add both servers to a Network Load Balancing cluster so that the client requests can be load balanced between both the servers and both the servers should be able to serve the request. You should not use a failover cluster because you don’t want another server to support if one of the servers fails. Next to make a secure intranet connection, you need to issue a web server certificate for www.contoso.com, which is the default web URL and includes both the intranet servers. You should not issue a Web server certificate for server2.contoso.com or server3.contoso.com because that will take care of only one web server whereas the common URL will take care of both the servers. Next you need to install the certificate on both Server2 and Server3 because to use certificates they must be installed on both the servers.
QUESTION 65
Your network consists of one Active Directory domain. The domain contains servers that run Windows Server 2008 R2. The relevant servers are configured as shown in the following table. (Click the Exhibit)
All client computers run Windows 7. Remote users connect to the network from the Internet by using virtual private network (VPN) connections. You plan to enable remote users to run RemoteApp applications on Server2. You need to prepare the environment to provide users access to the applications. The solution must provide a custom Web page that contains shortcuts to authorized applications for each user. What should you do?
A. On Server2, install the Web Server (IIS) server role.
B. On Server2, install the Remote Desktop Services server role that has the Remote Desktop Gateway
(RD Gateway) role service.
C. On Server3, install the Remote Desktop Services server role that has the Remote Desktop Web Access
(RD Web Access) role service.
D. On Server2 and Server3, install the Remote Desktop Services server role that has the Remote Desktop
Connection Broker (RD Connection Broker) role service.
Answer: C
QUESTION 66
Your company has one office in San Diego and one office in New York. The network consists of one Active Directory forest that contains one domain named contoso.com and one domain named newyork.contoso.com. All servers run Windows Server 2008. All domain controllers for contoso.com are located in San Diego. All domain controllers for newyork.contoso.com are located in New York. Contoso.com contains two domain controllers named Server1 and Server2. Newyork.contoso.com contains two domain controllers named Server3 and Server4. All domain controllers host Active Directory-integrated DNS zones for their respective domains. You need to ensure that users from each office can resolve computer names for both domains from a local DNS server. What should you do?
A. Add the contoso.com and the newyork.contoso.com DNS zones to the ForestDNSZones partition.
B. Create a stub DNS zone for contoso.com on Server3.
Create a stub DNS zone for newyork.contoso.com on Server1.
C. Create a standard primary DNS zone named contoso.com on Server3.
Create a standard primary DNS zone named newyork.contoso.com on Server1.
D. Configure conditional forwarders on Server1 to point to Server3.
Configure conditional forwarders on Server3 to point to Server1.
Answer: A
Explanation:
To ensure that users from each office can resolve computer names for both domains from a local DNS server, you need to add the contoso.com and the Branch.contoso.com DNS zones to the ForestDNSZones partition because the ForestDNSZones directory partition can be replicated among all domain controllers (DCs) located in both the domains Contoso.com and Newyork.contoso.com in the forest of the company. This is because all the domain controllers have the DNS service installed. Once the DNS Zones data is replicated the users from each office can resolve computer names for both domains from their local DNS server A stub zone cannot be used because it is used to resolve names between separate DNS namespaces a Standard Primary DNS zone cannot be used because the DNS Server in this type of zone contains the only writable copy of the DNS zone database files. There can be only one Standard Primary DNS Server for a particular zone. A conditional forwarder cannot be used because it handles name resolution only for a specific domain.
Reference: What causes the error I receive in the event log when I attempt to replicate the ForestDNSZones directory partition?
http://windowsitpro.com/article/articleid/43165/q-what-causes-the-error-i-receive-in-the-event-og-when-i-attempt-to-replicate-the-forestdnszones-directory-partition.html Reference: Understanding stub zones
http://207.46.196.114/windowsserver/en/library/648f2efd-0ad4-4788-80c8-75f8491f660e1033.mspx?mfr=true
Reference: DNS Conditional Forwarding in Windows Server 2003 http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
QUESTION 67
Your network contains two servers named Server1 and Server2 that run Windows Server 2008. Microsoft System Center Operations Manager (SCOM) 2007 is installed on Server2. The Hyper-V role is installed on Server1. Server1 hosts five child virtual machines that run Windows Server 2003. You need to recommend a solution that enables administrators to monitor the child virtual machines. The solution must gather the following data from the virtual machines:
– Performance statistics
– Event data from the application log
What should you recommend?
A. On Server1, install a SCOM agent.
B. On each child virtual machine, install a SCOM agent.
C. On Server2, install the Microsoft Virtual Server 2005 R2 Management Pack.
D. On Server2, install Microsoft System Center Virtual Machine Manager (SCVMM) 2007.
Answer: B
Explanation:
To enable administrators to monitor the child virtual machines and gather Performance statistics and event data from the application log from the virtual machines, you need to install a SCOM agent on each child virtual machine. SCOM is an end-to-end systems management and monitoring system for both physical and virtual systems. It lets you monitor clients, events, services, applications, network devices rather than just servers. If you install SCOM on each child virtual machine it will allow you to monitor each one of them.
You should not install it on Server1 because you don’t want to monitor Server1 rather the virtual machines on it.
Reference: http://www.itbusinessedge.com/blogs/dcc/?p=376 http://pcquest.ciol.com/content/enterprise/2007/107070501.asp
QUESTION 68
Your network consists of one Active Directory domain that contains two servers named Serverl1and Server2 that run Windows Server 2008. Server1 runs Active Directory Certificate Services (AD CS) and is configured as an enterprise root certification authority (CA). Server1 is only accessible from the internal network. Server1 issues certificates to both internal and external client computers that run Windows Vista. Server2 is configured as a Web server. Server2 is located in the perimeter network and is only accessible through HTTP. The network is configured as shown in the following diagram.
You need to recommend an e-mail security solution for all Windows Vista client computers that meets the following requirements. Users must only request status information for individual certificates. Users must be notified when they attempt to send a secure e-mail message to a user that has an expired certificate. What should you recommend?
A. Configure a root CA on Server2.
B. Configure a subordinate CA on Server2.
C. Configure the Online Responder service on Server2.
D. Configure a certification revocation list (CRL) distribution point on Server2.
Answer: C
Explanation:
To ensure that the clients can only request status information for individual certificates and they should be notified when they attempt to send a secure e-mail message to a user that has an expired certificate, you need to configure the Online Responder service on Server2. An Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The use of Online Responders that distribute Online Certificate Status Protocol (OCSP) responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. CRLs should not be used because they are distributed periodically and contain information about all certificates that have been revoked or suspended.
AD CS: Online Certificate Status Protocol Support
http://technet2.microsoft.com/windowsserver2008/en/library/99d1f392-6bcd-4ccf-94ee- 640fc100ba5f1033.mspx?mfr=true
QUESTION 69
Your network consists of one Active Directory domain. The domain contains servers that run Windows Server 2008. The servers are configured as shown in the following table. (Click the Exhibit)
All client computers run Windows Vista Service Pack 1 (SP1). Remote domain users at a customer site report that they can access Server2 from the Internet by using the URL https://portal.contoso.com. They also report that a firewall at the customer site prevents all other outbound connections. You need to implement a solution to enable remote users to access files on Server3 from a VPN connection. Which connection should you enable on Server1?
A. IPsec tunnel mode
B. L2TP
C. PPTP
D. Secure Socket Tunneling Protocol (SSTP)
Answer: D
Explanation:
To plan a solution that would allow the remote users using firewall on their remote locations to access files on Server3 through a VPN connection, you need to configure Secure Socket Tunneling Protocol (SSTP) connection. Before Windows Server 2008, all kinds of VPN connections such as PPTP L2TP, and IPSec had problems with firewalls, NATs, and Web proxies. To prevent problems, firewalls must be configured to allow connections. If your VPN client computer is behind a NAT, both the VPN client and the VPN server must support IPsec NAT-Traversal (NAT-T). Besides, VPN server can’t be located behind a NAT, and that L2TP/IPsec traffic can’t flow through a Web proxy. With the advent of SSTP in Windows Server 2008 all the VPN connectivity problems such as firewalls, NATs, and Web proxies are solved. The SSTP connection allows the use of HTTP over secure sockets layer (SSL). SSTP uses an HTTP-over-SSL session between VPN clients and servers to exchange encapsulated IPv4 or IPv6 packets.
Reference: The Cable Guy: The Secure Socket Tunneling Protocol / The New VPN Solution http://technet.microsoft.com/en-us/magazine/cc162322.aspx
QUESTION 70
Your network consists of one Active Directory domain that contains domain controllers that run Windows Server 2008. The relative identifier (RID) operations master role for the domain fails and cannot be restored. You need to restore the RID master role on the network. What should you do?
A. Run netdom query /d:contoso.com fsmo.
B. From another domain controller, seize the RID operations master role.
C. Force replication between all domain controllers, and then run the Server Manager.
D. Force replication between all domain controllers, and then run the File Server Resource Manager (FSRM).
Answer: B
Explanation:
To restore the RID master role on the network, you need to seize the RID operations master role from another domain controller. If the Domain Controller performing as the RID Master goes down or becomes inaccessible, Windows 2000 and above domain controllers will have no place to acquire new RID pool assignments. Domain controllers running Windows 2000 and Windows Server 2003 have a shared RID pool. The RID operations master is responsible for maintaining a pool of RIDs to be used by the domain controllers in its domain and for providing groups of RIDs to each domain controller when necessary.
Reference: How Operations Masters Work / RID Allocation http://technet2.microsoft.com/windowsserver/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx?mfr=true
If you want to pass Microsoft 70-647 successfully, donot missing to read latest lead2pass Microsoft 70-647 exam questions.
If you can master all lead2pass questions you will able to pass 100% guaranteed.