Free Online Latest 2014 Pass4sure&Lead2pass Microsoft 70-647 Dumps (81-90)

QUESTION 81
Your network consists of one Active Directory domain. Your company has a department named Sales. Some employees in the Sales department work from home and require access to applications and file servers on the corporate network. The corporate security policy includes the following requirements:
– Remote computers must only connect to the network by using Secure Socket Layer (SSL).
– Computers that connect to the network must have an up-to-date antivirus application and all available security updates installed.
You need to plan a remote access solution for the Sales department employees.
What should you include in your plan?

A.    Configure a virtual private network (VPN) solution that uses PPTP.
B.    Configure a virtual private network (VPN) solution that uses L2TP.
C.    Configure a Remote Desktop Services solution that uses Remote Desktop Gateway (RD Gateway).
D.    Configure a Remote Desktop Services solution that uses Remote Desktop Web Access (RD Web Access).

Answer: C
Explanation:
The TS Gateway Manager snap-in console enables you to configure authorization policies that define the conditions remote users must meet to connect to internal network resources. These conditions may include having an up-to-date antivirus application and all available security updates installed. TS Gateway encapsulates Remote Desktop Protocol (RDP) within RPC, within HTTP over a Secure Sockets Layer (SSL) connection.
Reference: TS Gateway Overview
http://technet2.microsoft.com/windowsserver2008/en/library/722f3aa8-2f22-462f-bcc6-72ad31713ddd1033.mspx?mfr=true

QUESTION 82
Your network consists of one Active Directory domain. All domain controllers run Windows Server 2008 R2 and are configured as global catalog servers. The relevant portion of the network is configured as shown in the exhibit. (Click the Exhibit button.)

The Bridge all site links option is enabled. You are designing a failover strategy for domain controller availability. You need to ensure that client computers in SiteH only authenticate to DC1 or DC2 if DC8 fails. What should you do?

A.    Change the B-H site link cost to 50.
B.    Remove the global catalog server attribute from DC3, DC4, DC5, DC6, DC7, and DC8.
C.    Disable the Bridge all site links option. In SiteB, install a new writable domain controller that runs Windows Server 2008 R2.
D.    Prevent DC3, DC4, DC5, DC6, DC7, and DC8 from registering generic (non-site-specific) domain controller locator DNS records.

Answer: D
Explanation:
To design a failover strategy that ensures the high availability of domain controllers and ensures that clients in SiteH only authenticate to DC1 or DC2 if DC8 fails, you need to prevent the domain controllers of all the spoke sites from registering generic (non-site-specific) domain controller locator DNS records. Usually it is preferable that if all domain controllers/global catalogs in a satellite site become unavailable, a client that is searching for a domain controller/global catalog in that site will fail over to a domain controller/global catalog in a central hub and not in another satellite site. To achieve this behavior, the domain controllers/global catalogs in the satellite offices should not register generic (non-site-specific) domain controller locator DNS records. These records are registered only by the domain controllers/global catalogs in the central hub. When clients cannot locate the domain controllers/global catalogs serving their site, they attempt to locate any domain controllers/global catalogs using these generic (non-site-specific) domain controller locator DNS records.
Reference: Section I: Hub-and-Spoke Topology
http://support.microsoft.com/kb/306602

QUESTION 83
Your network contains servers that run Windows Server 2008 R2 and client computers that run Windows 7. You deploy a public key infrastructure by using Certificate Services servers that run Windows Server 2008 R2. You need to plan the implementation of smart card authentication on the network. The solution must meet the following requirements:
– Help desk users must only be able to enroll user certificates.
– Managers must be able to enroll smartcards for other employees.
– Managers must be able to use their client computers to manage certificates.
What should you include in your plan?

A.    Enable Web enrollment
B.    Configure Restricted Enrollment Agents
C.    Upgrade all certificates to V3 templates
D.    Configure Restricted Certificate Managers

Answer: B
Explanation:
To ensure that managers are able to use their client computers to manage certificates and to enroll smartcards for other employees, you need to use restricted enrollment agents. The restricted enrollment agent feature allows limiting the permissions that users designated as enrollment agents have for enrolling smart card certificates on behalf of other users. Enrollment agents are one or more authorized individuals within an organization. The enrollment agent needs to be issued an enrollment agent certificate, which enables the agent to enroll for smart card certificates on behalf of users.
Reference: AD CS: Restricted Enrollment Agent
http://technet2.microsoft.com/windowsserver2008/en/library/56d66319-2e49-447b-92a3-1ca2a674fb8d1033.mspx?mfr=true

QUESTION 84
Your network consists of a single IP subnet. All servers and client computers connect to managed switches. All servers run Windows Server 2008 R2. All client computers run Windows 7. The servers on the network are configured as shown in the following table. (Click the Exhibit)

You need to prepare the Network Access Protection (NAP) environment to meet the following requirements:
– Computers that have the required Microsoft updates installed must be able to access all computers on the network.
– Network switches must first allow client computers to communicate to only Server1 and Server2 when the computers connect to the network.
Which NAP enforcement method should you use?

A.    802.1x
B.    DHCP
C.    IPsec
D.    VPN

Answer: A

QUESTION 85
Your company has a main office and five branch offices. Each office contains servers that run Windows Server 2008 R2. You need to prepare the environment for the installation of Active Directory domain controllers in the branch offices. The solution must meet the following requirements:
– Ensure that the minimum amount of replication traffic is sent between offices.
– Ensure that users always attempt to authenticate to a domain controller in their local office, unless it is unavailable.
You install the first domain controller on the network in the main office. What should you do next?

A.    Disable the Bridge all site links option.
B.    Enable Universal Group Membership Caching.
C.    Create a site link and a site link bridge for each office.
D.    Create a subnet object and a site object for each office.

Answer: D
Explanation:
To ensure that the minimum amount of replication traffic is sent between offices and that users always authenticate to a domain controller in their local office unless it is unavailable, you need to create a subnet object and a site object for each office. You should create sites for all locations in which you plan to place domain controllers and create subnet objects in AD DS for every IP subnet and subnet mask associated with each location. Subnet objects are used to represent all the IP addresses within the site. A well-designed site topology helps an organization to optimize the ability of client computers to locate the nearest resources, such as domain controllers and Distributed File System (DFS) servers. This helps client computers to authenticate to their nearest domain controllers. Domain controllers use site information to inform Active Directory clients about domain controllers present within the site closest to the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication. Within sites, replication is optimized for speed: data updates trigger replication, and the data is sent without the overhead required by data compression. Conversely, replication between sites is compressed to minimize the cost of transmission over wide area network (WAN) links.
When replication occurs between sites, a single domain controller per domain at each site collects and stores the directory changes and communicates them at a scheduled time to a domain controller in another site.
Reference: Creating a Site Design Deciding which locations will become sites
http://technet2.microsoft.com/windowsserver2008/en/library/5ed8b9ca-e88a-4e06-a203-83d37b54d9bb1033.mspx?mfr=true
Reference: Site Functions
http://technet2.microsoft.com/windowsserver2008/en/library/5ed8b9ca-e88a-4e06-a203-83d37b54d9bb1033.mspx?mfr=true

QUESTION 86
Your company has four offices that are connected by using high speed wide area network (WAN) links. Each office has a router that supports the Simple Certificate Enrollment Protocol (SCEP). The network consists of one Active Directory domain. All domain controllers run Windows Server 2008. You have a Certificate Services infrastructure. The Certificate Services servers run Windows Server 2003 Standard Edition. You plan to enable device authentication for all routers. You need to recommend changes to the Certificate Services infrastructure to support device authentication.
Which changes should you recommend?

A.    Install a new server that runs Windows Server 2008 Enterprise Edition.
Enable the Active Directory Certificate Services (AD CS) role.
B.    Install a new server that runs Windows Server 2008 Standard Edition.
Install the Network Protection and Access Services (NPAS) role.
C.    Upgrade the existing Certificate Services servers to Windows Server 2008 Standard Edition.
Enable the Web enrollment component.
D.    Upgrade the existing Certificate Services servers to Windows Server 2008 Enterprise Edition.
Enable the Network Device Enrollment service.

Answer: D
Explanation:
To enable device authentication for all routers and recommend changes to the Certificate Services infrastructure to support device authentication, you need to upgrade the existing Certificate Services servers to Windows Server 2008 Enterprise Edition and then enable the Network Device Enrollment service. The Network Device Enrollment Service (NDES) is the Microsoft implementation of the Simple Certificate Enrollment Protocol (SCEP), a communication protocol that makes it possible for software running on network devices such as routers and switches, which cannot otherwise be authenticated on the network, to enroll for X.509 certificates from a certification authority (CA).
Reference: AD CS: Network Device Enrollment Service
http://technet2.microsoft.com/windowsserver2008/en/library/569cd0df-3aa4-4dd7-88b8-227e9e3c012b1033.mspx?mfr=true

QUESTION 87
Your network consists of one Active Directory domain. The domain contains servers that run Windows Server 2008. The relevant servers are configured as shown in the following table. (Click the Exhibit)

Your company has a department named Sales. All users in the Sales department have desktop computers that run Windows Vista Enterprise Edition. All users in the Sales department run an application named Application1 that is compatible only with Windows 95. To run Application1, each user in the Sales department has a second desktop computer that runs Windows 95. The Windows 95 computers must be removed from the network. You use the Microsoft Application Compatibility Toolkit (ACT) 5.0 to test Application1. The test confirms that the application runs only on Windows 95 computers and must be redeveloped to be compatible with Windows Vista or Windows Server 2008. You need to recommend a solution that will enable you to remove the Windows 95 computers. Users in the Sales department must be able to continue running Application1. What should you do?

A.    Create a virtual machine that runs Windows 95 and Application1.
Run the virtual machine on all computers in the Sales department by using Microsoft Virtual PC 2007.
B.    Create and link a Group Policy object (GPO) that publishes Application1 to all client computers in the Sales department. Configure Application1 to run as an administrator.
C.    Create and link a Group Policy object (GPO) that assigns Application1 to all client computers in the Sales department. Configure Application1 to run in compatibility mode for Windows 2000.
D.    Install Application1 on Server2. Configure Application1 to run in compatibility mode for Windows 95. Configure all computers in the Sales department to run the application through Terminal Services.

Answer: A
Explanation:
To run a Windows 95 compatible application on Windows Vista Enterprise Edition computers, you need to use Microsoft Virtual PC 2007 to run the virtual machine on all computers. Virtual PC 2007 is a powerful software virtualization solution that allows you to run multiple PC-based operating systems simultaneously on one workstation. It can run on Windows Vista Enterprise Edition computers as well as on some other versions of Windows Vista.
Reference: Microsoft Virtual PC 2007
http://www.microsoft.com/windows/downloads/virtualpc/default.mspx

QUESTION 88
Your company has one main office and one branch office. The branch office is connected to the main office by using a wide area network (WAN) link. The network consists of one Active Directory domain. The branch office has two member servers that run Windows Server 2008 R2. One of the servers is configured as a file server that hosts shared folders. The branch office has a local administrator. The main office has one standard primary DNS zone that is hosted on a DNS server. The branch office grows from 100 client computers to 1,000 client computers. You need to recommend a name resolution solution for the branch office to meet the following requirements:
– Users must be able to access file shares on the local server if a WAN link fails.
– The branch office administrator must be able to modify Active Directory objects while at the branch office if a WAN link fails.
What should you recommend?

A.    Promote the member server to a domain controller and configure the DNS role.
Create a standard secondary zone.
B.    Promote the member server to a domain controller and configure the DNS role.
Create a new standard primary zone.
C.    Promote the member server to a read-only domain controller (RODC) and configure the DNS role.
Create a primary read-only zone.
D.    Promote the member server to a read-only domain controller (RODC) and configure the DNS role.
Create a new standard secondary zone.

Answer: A
Explanation:
To ensure that users can access file shares on the local server and that the branch office administrator can modify Active Directory objects from the branch office when the WAN link is down, you need to promote the member server to a domain controller and create a standard secondary zone. This is because you want the branch office administrator to modify Active Directory objects from the branch office. You should not promote the member server to a read-only domain controller (RODC) because an RODC is read-only and does not allow you to make any changes to Active Directory. In addition, you need to create a standard secondary zone because you want to ensure that the users in the branch office are able to log on to the domain even if the WAN link fails. Primary zones store their zone information in a writable text file on the name server, and secondary zones store their zone information in a read-only text file on the name server. For a branch office, a secondary zone is used so that branch office users need not depend on the primary zone configured at the head office to access resources and to log on.
Reference: DNS Stub Zones in Windows Server 2003 Types of DNS Zones
http://www.windowsnetworking.com/articles_tutorials/DNS_Stub_Zones.html

QUESTION 89
Your company has one main office and 10 branch offices. The network contains servers that run Windows Server 2008. The servers are configured as file servers and are located in the branch office. You need to plan a security policy for the branch office. The policy must meet the following requirements:
– Users must be able to access all files on the servers.
– The operating system and the files on the servers must be inaccessible if a server is stolen.
What should you include in your plan?

A.    Use Syskey on the servers.
B.    Use Encrypting File System (EFS) on the servers.
C.    Use Windows BitLocker Drive Encryption (BitLocker) on all servers.
D.    Configure the servers as read-only domain controllers (RODCs).

Answer: C
Explanation:
To create a security policy that ensures all users can access all files on the servers and that the operating system and the files on the servers become inaccessible if a server is stolen, you need to use Windows BitLocker Drive Encryption (BitLocker). BitLocker allows you to encrypt all data stored on the Windows operating system volume and uses a Trusted Platform Module (TPM) to help protect user data and to ensure that a computer running Windows Server Vista or Server 2008 has not been tampered with while the system was offline. In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. This process will ensure that all the users can access all files on the servers if they have the PIN.
Reference: BitLocker Drive Encryption Technical Overview
http://technet2.microsoft.com/windowsserver2008/en/library/a2ba17e6-153b-4269-bc46-6866df4b253c1033.mspx?mfr=true

QUESTION 90
Your network consists of two Active Directory forests. The Active Directory forests are configured as shown in the following table. (Click the Exhibit)

You need to prepare the environment to allow users to access resources in all domains from both forests. The solution must require the minimum amount of administrative effort. What should you do first?

A.    Set the functional level of the contoso.com forest to Windows Server 2008.
B.    Set the functional level of the fabrikam.com forest to Windows Server 2003.
C.    Upgrade all domain controllers in the fabrikam.com domain to Windows Server 2008.
Set the domain functional level of fabrikam.com to Windows Server 2008.
D.    Upgrade all domain controllers in the fabrikam.com and company2.fabrikam.com domains to Windows Server 2008. Set the functional level of the fabrikam.com forest to Windows Server 2008.

Answer: B
Explanation:
To allow all users to access resources in all domains from both forests with the minimum amount of administrative effort, you need to set the functional level of the Fabrikam.com forest from Windows Server 2000 to Windows Server 2003. This is because Contoso.com already runs at the functional level of Windows Server 2003. Contoso.com also contains domain controllers that run Windows Server 2008. The forest functional level of Windows Server 2003 supports Windows Server 2008 domain controllers and Windows Server 2003 domain controllers. The forest functional level of Contoso.com or Fabrikam.com should not be raised to Windows Server 2008 because it does not support Windows Server 2003 domain controllers.
Reference: Appendix of Functional Level Features
http://technet2.microsoft.com/windowsserver2008/en/library/34678199-98f1-465f-9156-c600f723b31f1033.mspx?mfr=true
