QUESTION 91
Your company has a main office, three regional offices, and six branch offices. The network links are configured as shown in the exhibit. (Click the Exhibit button.)
The network consists of one Active Directory domain. You create an Active Directory site for each office. You create a site link for each wide area network (WAN) link. The Bridge all site links option is disabled. You need to plan the deployment of domain controllers.
The solution must meet the following requirements:
– Windows PowerShell must be installed on all domain controllers in each regional office.
– Domain user account passwords stored on the domain controllers must be protected if a branch office domain controller is stolen.
What should you do?
A. In each branch office and in each regional office, install a Server Core installation of Windows Server 2008 and configure a writable domain controller.
B. In each branch office and in each regional office, install a full installation of Windows Server 2008 and configure a read-only domain controller (RODC).
C. In each branch office, install a Server Core installation of Windows Server 2008 and configure a read-only domain controller (RODC). In each regional office, install a full installation of Windows Server 2008 and configure a writable domain controller.
D. In each branch office, install a full installation of Windows Server 2008 and configure a read-only domain controller (RODC). In each regional office, install a Server Core installation of Windows Server 2008 and configure a writable domain controller.
Answer: C
Explanation:
To protect the domain user account passwords stored on the domain controllers if a branch office domain controller is stolen, you need to install a Server Core installation of Windows Server 2008 and configure it as a read-only domain controller (RODC) in each branch office. The Server Core installation of Windows Server 2008 installs only limited services on the RODC, which will store passwords, so this installation will be very secure. A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles. Next, install a full installation of Windows Server 2008 and configure it as a writable domain controller in each regional office. This is needed first because RODCs require writable domain controllers from which data replication can happen, and second because Windows PowerShell must be installed on all domain controllers in each regional office.
Reference: Server Management / Windows PowerShell
http://www.microsoft.com/windowsserver2008/en/us/server-management.aspx
Reference: Server Core Installation Option of Windows Server 2008 Step-By-Step Guide http://technet2.microsoft.com/windowsserver2008/en/library/47a23a74-e13c-46de-8d30-ad0afb1eaffc1033.mspx?mfr=true
QUESTION 92
Your network consists of one Active Directory domain. The functional level of the domain is Windows Server 2008 R2. You have one organizational unit (OU) named AllUsers that contains all user accounts for the domain. Your company has two departments named Sales and Engineering. Each department has a department manager. Each department has a global security group that contains all department users.
You need to prepare the environment to manage all user accounts.
The solution must meet the following requirements:
– Sales department users must be required to reset their passwords every 30 days.
– Department managers must administer only users in their respective departments.
– Engineering department users must be required to reset their passwords every 45 days.
The solution must be achieved by using the minimum amount of administrative effort.
What should you do?
A. Delegate administration of the AllUsers OU to the department manager of each department.
Modify the password policy for the domain.
B. Create a new OU for each department. Delegate administration to the department manager of each OU.
Create a new password policy for each global security group.
C. Create a child domain for each department. Delegate administration to the department manager of each domain.
Create a new password policy for each domain.
D. Create a new OU for each department. Delegate administration to the department manager of each new OU.
Create a new Group Policy object. Configure the password policy for the new GPO and link it to the OUs.
Answer: B
Explanation:
To ensure that department managers can manage the user accounts of only their departments, you need to create a new OU for each department and delegate administration to the department manager of each OU. To ensure that the users of the Sales and Development departments must change their passwords at intervals of 30 days and 45 days respectively, you need to create a new password policy for each global security group. Organizations that want different password and account lockout settings for different sets of users need to use fine-grained password policies. These policies cannot be applied to an organizational unit (OU) directly. To apply a fine-grained password policy to the users of an OU, you can use a shadow group, which is a global security group.
Reference: AD DS: Fine-Grained Password Policies / Are there any special considerations? http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true
QUESTION 93
Your company has one main office and five new branch offices. The branch offices are connected to the main office across slow network links. The network consists of one Active Directory domain. All domain controllers run Windows Server 2008. Each office has a local server administrator. You need to plan for the implementation of Windows Server 2008 domain controllers in each branch office. The solution must minimize the amount of network bandwidth used during the initial replication.
What should you include in your plan?
A. Create an installation media by using ntdsutil.
B. Run adprep /rodcprep on a server in each branch office.
C. Create a System State backup by using Windows Server Backup in Windows Server 2008.
D. Install Active Directory Lightweight Directory Services (AD LDS) in the branch office.
Answer: A
Explanation:
To implement Windows Server 2008 domain controllers in each branch office while using the minimum amount of network bandwidth during the initial replication, you need to use ntdsutil to create installation media for the installation of the Windows Server 2008 domain controllers. By installing from media, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
Reference: Installing AD DS from Media
http://technet2.microsoft.com/windowsserver2008/en/library/146d1360-09ac-4cdd-8d44-c9756d3550c91033.mspx?mfr=true
QUESTION 94
Your network consists of one Active Directory forest that contains one root domain and 10 child domains. Administrators of the child domains frequently modify the records for authoritative DNS servers for the child domain DNS zones. You need to recommend a solution to minimize the amount of manual configuration steps required to maintain name resolution on the network. What should you recommend?
A. On the child domain DNS servers, create stub zones for the root domain zone.
B. On the child domain DNS servers, configure conditional forwarders for the parent domain.
C. On the root domain DNS servers, create stub zones for the child domain zones.
D. On the root domain DNS servers, configure delegation subdomain records for the child domains.
Answer: C
Explanation:
To implement a solution that minimizes the effort required to maintain name resolution on the network, you need to create stub zones for the child domain zones on the root domain DNS servers. Stub zones can help reduce the amount of DNS traffic on your network by streamlining name resolution and zone replication. The stub zones should be configured for the child domain zones on the root domain DNS servers, and not vice versa, because a stub zone is like a secondary zone that obtains its resource records from other name servers (one or more master name servers).
Reference: DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
QUESTION 95
Your company has a main office. The main office is configured as an Active Directory site. The network consists of one Active Directory domain. All domain controllers run Windows Server 2008. All DNS zones are Active Directory-integrated. Administrators frequently join new client computers to the domain. You plan to deploy a new site in a new branch office. The new branch office is connected to the main office by using a single wide area network (WAN) link. You need to enable branch office administrators to successfully join computers to the domain if a WAN link fails. The solution must provide the highest level of security for the domain controllers. What should you do?
A. Deploy a writable domain controller in the branch office site.
B. Deploy an additional writable domain controller in the main site.
C. Deploy a read-only domain controller (RODC) in the new site.
Configure a stub zone in the main site.
D. Deploy a read-only domain controller (RODC) in the new site.
Configure a primary read-only zone in the branch office site.
Answer: D
QUESTION 96
Your company has a main office and two branch offices. The network contains one Active Directory domain named contoso.com. All domain controllers and DNS servers for the contoso.com domain are located in the main office. All DNS servers are member servers. You plan to deploy two new Active Directory domains named east.contoso.com and west.contoso.com in the branch offices. You install a DNS server in each branch office. You need to prepare the environment for the installation of the new domains. What should you do next?
A. Create a new standard primary zone on each branch office DNS server for the new domains.
Configure forwarders on the main office DNS servers to point to the branch office servers.
B. Create a new stub zone on each branch office DNS server for the new domains.
Configure conditional forwarders on the main office DNS servers to point to the branch office DNS servers.
C. Configure a delegation subdomain DNS record on the main office DNS server for each new domain.
Configure a stub zone on each branch office DNS server for the new domains.
Configure zone transfer for the contoso.com zone to the branch office DNS servers.
D. Configure a delegation subdomain DNS record on the main office DNS server for each new domain.
Create a new standard primary zone on each branch office DNS server for the new domains.
Configure zone transfer for the contoso.com zone to the branch office DNS servers.
Answer: D
Explanation:
To deploy two new Active Directory domains in the branch offices after installing a DNS server in each branch office, you need to first configure a delegation subdomain DNS record on the main office DNS server for each new domain, then create a new standard primary zone on each branch office DNS server for the new domains, and then configure zone transfer for the contoso.com zone to the branch office DNS servers. In DNS, a subdomain is a portion of a domain that you've delegated to another DNS zone. A subdomain is configured when you need to create domains in an existing domain. A company might use subdomains for its various divisions. Because you need a functioning standard primary server to migrate your DNS zone data for the contoso.com zone to the branch office DNS servers, you need to create a new standard primary zone on each branch office DNS server for the new domains.
Reference: Delegate subdomains in DNS in Windows 2000 Server http://articles.techrepublic.com.com/5100-10878_11-5846057.html
Reference: Step-By-Step: How to migrate DNS information to Windows Server 2003 http://www.lockergnome.com/it/2005/01/14/step-by-step-how-to-migrate-dns-information-to-windows-server-2003/
Reference: DNS Stub Zones in Windows Server 2003
http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html
QUESTION 97
Your network consists of one Active Directory domain and one IP subnet. All servers run Windows Server 2008. All client computers run Windows Vista, Windows XP Professional, and Windows 2000 Professional. The servers are configured as shown in the following table. (Click the Exhibit)
Server2 is configured to support Network Access Protection (NAP) by using IPsec, DHCP, and 802.1X enforcement methods. Users from a partner company have computers that are not joined to the domain. The computers successfully connect to the network. You need to ensure that only computers that are joined to the domain can access network resources on the domain. What should you do?
A. Configure all DHCP scopes on Server1 to enable NAP.
B. Configure all network switches to require 802.1X authentication.
C. Create a Group Policy object (GPO) and link it to the domain.
In the GPO, enable a secure server IPsec policy on all member servers in the domain.
D. Create a Group Policy object (GPO) and link it to the domain.
In the GPO, enable a NAP enforcement client for IPsec communications on all client computers in the domain.
Answer: C
Explanation:
To ensure that only computers that are joined to the domain can access network resources on the domain, you need to create a GPO, link it to the domain, and in the GPO enable a secure server IPsec policy on all member servers in the domain. IPsec domain and server isolation methods are used to prevent unmanaged computers from accessing network resources. This method enforces health policies when a client computer attempts to communicate with another computer using IPsec. Configuring DHCP scopes cannot stop unmanaged computers that are not joined to the domain from accessing the network. NAP is not required in this scenario because you just want the member computers to access network resources. Therefore, you do not need to create a GPO, link it to the domain, and enable a NAP enforcement client for IPsec communications on all client computers in the domain.
Reference: Protecting a Network from Unmanaged Clients / Solutions http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclients.mspx
QUESTION 98
Your network consists of one Active Directory domain. The functional level of the domain is Windows Server 2008 R2. Your company has 10 departments. Each department has a department manager and a department administrator. Some department administrators are responsible for multiple departments. You have an organizational unit (OU) named All Users that contains all user accounts. You need to recommend a solution to simplify the management of all users in the domain. The solution must meet the following requirements:
– Department managers must only be able to reset passwords for users in their respective departments.
– Department administrators must only be able to modify user accounts in their respective departments.
– Only the respective department administrators and managers must be able to manage the accounts of users who are transferred to their departments from other departments.
What should you recommend?
A. Create an OU for each department.
Delegate password control for each new OU to the respective department manager.
Delegate administration of each new OU to the respective department administrator.
B. Create an OU for each department.
When the same administrator is responsible for multiple departments, create only one OU for those departments.
Delegate password control for each new OU to the respective department manager.
Delegate administration of each new OU to the respective department administrator.
C. Create an OU for each department.
When the same administrator is responsible for multiple departments, create a new OU and nest the OUs of those departments into the new OU.
Delegate password control for each new OU to the respective department manager.
Delegate administration of each new OU to the respective department administrator.
D. Create a global security group for each department.
Add all the users, department managers, and administrators from each department to the global security group.
Delegate password control to the department managers of the AllUsers OU.
Delegate administration to the department administrators of the AllUsers OU.
Answer: A
Explanation:
To accomplish the desired goal by using the minimum amount of administrative effort, you need to first create an OU for each department so that each department can be managed separately. You then need to delegate password control for each new OU to the respective department manager so that the passwords of each department can be managed by the respective department manager. Finally, you need to delegate administration of each new OU to the respective department administrator so that department administrators can modify the user accounts of only their departments.
Reference: Organizational Unit
http://en.wikipedia.org/wiki/Organizational_Unit
QUESTION 99
Your company has a main office and 100 branch offices. The network consists of one Active Directory domain that contains 10,000 users. You plan to deploy one Windows Server 2008 domain controller in each branch office. You need to recommend a solution to minimize network traffic during the installation of Active Directory Domain Services (AD DS) on each branch office domain controller. What should you recommend?
A. Install AD DS by using the Install from Media feature.
B. Install AD DS and configure the read-only domain controller (RODC) option.
C. Install a Server Core installation of Windows Server 2008, and then install AD DS.
D. Disable the Global Catalog option on each branch office domain controller.
Enable Universal Group Membership Caching from each branch office site.
Answer: A
Explanation:
To minimize the network traffic during the installation of Active Directory Domain Services (AD DS) on each branch office domain controller, you need to install AD DS by using the Install from Media feature. You can use ntdsutil to create installation media for the installation of a Windows Server 2008 domain controller. By installing from media, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
Reference: Installing AD DS from Media
http://technet2.microsoft.com/windowsserver2008/en/library/146d1360-09ac-4cdd-8d44-c9756d3550c91033.mspx?mfr=true
QUESTION 100
Your network consists of one Active Directory domain. The domain contains servers that run Windows Server 2008. The servers are configured as shown in the following table. (Click the Exhibit)
Server2 and Server3 are configured as RADIUS clients. You need to plan a solution to manage all VPN connections to the network. The solution must meet the following requirements:
– Specify the allowed VPN connection protocols.
– Specify the allowed VPN client authentication mechanisms.
– Specify VPN client access rights based on group membership.
What should you include in your plan?
A. a Group Policy object (GPO) applied to Server2 and Server3
B. a Group Policy object (GPO) applied to the computers that must establish VPN connections
C. a local computer policy on Server2 and Server3
D. a network policy on Server4
Answer: D
Explanation:
To manage all VPN connections to the network by specifying the allowed VPN connection protocols, the allowed VPN client authentication mechanisms, and VPN client access rights based on group membership, you need to create a network policy on Server4, which is a Network Policy Server (NPS). NPS is the Microsoft implementation of a RADIUS server and proxy in Windows Server 2008. As a RADIUS server, NPS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. GPOs cannot be used in this scenario because they can only create, replace, update, or delete a Virtual Private Network (VPN) or Dial-Up Network (DUN) connection; they cannot specify the allowed VPN connection protocols, the allowed VPN client authentication mechanisms, or VPN client access rights based on group membership.
Reference: Network Policy Server
http://technet.microsoft.com/en-us/network/bb629414.aspx
Reference: Group Policy related changes in Windows Server 2008 – Part 3: Introduction to Group Policy Preferences
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html