QUESTION 51
You are the enterprise administrator for a company named Contoso, Ltd. The network consists of one Active Directory domain named contoso.com. You have a Microsoft Exchange Server 2007 organization named Contoso. All users log on to their computers by using credentials identical to their e-mail addresses. The company plans to change its name to A . Datum Corporation and modify all user e-mail addresses to include a new adatum.com domain name. You need to enable all users to log on to their computers by using the new domain name. The solution must not disrupt existing applications on the network. What should you do first?
A. Use the Active Directory domain Rename Tool to rename the domain to adatum.com.
B. Use the DNS Management Console to create a new forward lookup zone named adatum.com.
C. Create an alternative user principal name (UPN) suffix of adatum.com.
D. Create a new accepted domain named adatum.com in the Exchange Server 2007 organization.
Answer: C
Explanation:
To ensure that all the network users should be able to log on to their computers by using the new email id credentials without affecting the existing applications on the network, you need to create an alternative user principal name (UPN) suffix of ExamKing.com. The UPN name that looks like an email address is the deprecation of NetBIOS domain names and usernames (referred to in Active Directory Users and Computers as “User logon name (pre-Windows 2000)”). These are (slowly) being replaced by what ADU&C now calls “User logon name”, in the format of an email address. These logon names are stored in Active Directory. It has a format of: username@upn-suffix. Therefore you just create an alternative user principal name (UPN) suffix of ExamKing.com, you can achieve the desired results.
Reference: The User Principle Name and You
http://theessentialexchange.com/blogs/michael/archive/2007/11/13/the-user-principle-name-and-you.aspx
Reference: Implementing User Principle Name Suffix
http://books.google.co.in/books?id=eo3Kj3JVql8C&pg=PA162&lpg=PA162&dq=alternative+user+principal+name+(UPN)+suffix+&source=web&ots=AwIOUicASN&sig=RE2Wfzx9IMf0cm1TpQSor-4NdnU&hl=en
QUESTION 52
Your company has a main office and nine branch offices. Each office is configured as a separate TCP/IP subnet. You plan to deploy Active Directory domain controllers in all offices. You install the first domain controller for the forest in the main office. You need to prepare the environment for the deployment of domain controllers in all offices. The solution must ensure that users always authenticate to a domain controller in their local office, unless it is unavailable. What should you do?
A. Create 10 subnet objects and one site object. Link all subnet objects to the site.
Install domain controllers in all offices.
B. Create a subnet object and a site object for each office.
Link each subnet object to its respective site. Install domain controllers in all offices.
C. Install domain controllers in all offices.
Create 10 subnet objects and one site object. Link all subnet objects to the site.
D. Install domain controllers in all offices.
Create a subnet object and a site object for each office.
Link each subnet object to its respective site.
Answer: B
Explanation:
To prepare the environment for the deployment of domain controllers in all offices and that the users should always authenticate to their local domain controllers in their local office, unless the domain controller in their local offices is unavailable, you need to create a subnet object and a site object for each office and then link each subnet object to its respective site and then install domain controllers in all offices. You should create sites for all locations in which you plan to place domain controllers and create subnet objects in AD DS for every IP subnet and subnet mask associated with each location. Subnet objects are used to represent all the IP addresses within the site. A well- designed site topology helps an organization to optimize the ability of client computers to locate the nearest resources, such as domain controllers and Distributed File System (DFS) servers. This helps client computers to authenticate to their nearest domain controllers. Domain controllers use site information to inform Active Directory clients about domain controllers present within the closest site as the client. The domain controller also informs the client whether the chosen domain controller is the closest one to it. By finding a domain controller in the same site, the client avoids communications over WAN links. If no domain controllers are located at the client site, a domain controller that has the lowest cost connections relative to other connected sites advertises itself in the site that does not have a domain controller. The domain controllers that are published in DNS are those from the closest site as defined by the site topology. This process ensures that every site has a preferred domain controller for authentication.
Reference: Creating a Site Design Deciding which locations will become sites http://technet2.microsoft.com/windowsserver2008/en/library/5ed8b9ca-e88a-4e06-a203- 83d37b54d9bb1033.mspx?mfr=true
Reference: Site Functions
http://technet2.microsoft.com/windowsserver2008/en/library/5ed8b9ca-e88a-4e06-a203- 83d37b54d9bb1033.mspx?mfr=true
QUESTION 53
Your network consists of one Active Directory forest named contoso.com. The functional level of the contoso.com forest is Windows Server 2008. The network contains seven servers that run Internet Information Services (IIS) 7.0 and host Web services. Remote users from a partner company access the Web services through HTTPS. The partner company has a separate Active Directory forest named fabrikam.com. The functional level of the fabrikam.com forest is Windows Server 2003. You need to recommend an authentication solution for the fabrikam.com users. The solution must meet the following requirements:
– All communications between both forests must use only HTTPS.
– Remote users must only authenticate once to access all Web services. fabrikam.com must access the Web services by using user accounts in the Users from fabrikam.com forest.
What should you recommend?
A. Implement Client Certificate Mapping Authentication on the IIS servers.
B. Implement Microsoft Identity Lifecycle Manager (ILM) 2007 on the contoso.com forest.
C. Implement a forest trust between the contoso.com and the fabrikam.com forests.
Configure the forest trust to use Selective Authentication.
D. Implement Active Directory Federation Services (AD FS) in the contoso.com forest.
Create a federation trust between the contoso.com forest and the fabrikam.com forest.
Answer: D
Explanation:
You can use Active Directory Federation Services (ADFS) to enable efficient and secure online transactions between Partner organizations that are joined by federation trust relationships. You can establish federation trust relationships between two partner organizations when both of the organizations deploy at least one ADFS federation server and they configure their Federation Service settings appropriately. In this case, you need to configure Active Directory Federation Services (AD FS) in the Contoso.com forest so that the users of TechMasters.com can access web services from the network of Contoso.com. You can then configure a federation trust between the Contoso.com and the Fabrikam.com forests so that the authentication can be performed by using user accounts in the Fabrikam.com for the remote users of the company to access all Web services on Contoso.com.
Reference: Active Directory Federation Services Role
http://technet2.microsoft.com/windowsserver2008/en/library/f5e12c1f-a3fa-453d-98ce- be29352afaca1033.mspx?mfr=true
Reference: Federation trusts
http://technet2.microsoft.com/windowsserver/en/library/b38aa1ad-f9a3-45b1-ba72- a62f22ae748a1033.mspx?mfr=true
QUESTION 54
Your company has one main office and four branch offices. An Active Directory site exists for each office. The network consists of one Active Directory domain. All servers run Windows Server 2008. The branch offices are connected to the main office by slow and unreliable wide area network (WAN) links. Users complain that WAN link failures prevent them from accessing files on remote servers. You need to recommend a solution to maintain availability of files on the remote servers.
The solution must meet the following requirements:
– Support scheduling of WAN link traffic.
– Enable the connection to resume immediately after a WAN link interruption.
What should you recommend?
A. Use DFS Replication and replicate data to each branch office.
B. Use the File Server Resource Manager (FSRM) and create file screens.
C. Use the File Replication Service (FRS) and replicate data to each branch office.
D. Configure separate DFS Namespaces on each branch office server.
Answer: A
Explanation:
To keep folders synchronized between servers across all the branch offices of the company even if the WAN link fails and to take care that WAN link traffic can be scheduled and resume the connection immediately as soon as the WAN link interruption occurs, you need to use DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. The DFS Replication in Windows Server 2008 also allows quicker recovery from unexpected shutdowns.
Reference
http://technet2.microsoft.com/windowsserver2008/en/library/1f0d326d-35af-4193-bda3- 0d1688f90ea71033.mspx?mfr=true
QUESTION 55
You deploy servers that run Windows Server 2008 on the network. You plan to deploy a client/server application. You plan to install the server component of the application on application servers. You plan to install the client component of the application on all computers that run Windows Vista. The client component connects to the server component by using only RPC. After testing, you discover that an RPC time-out error occurs when the client component connects to the server component through a network link that has high latency. You need to provide a solution so that users can connect to the application through the Internet without receiving an RPC time-out error. What should you do?
A. Install RPC over HTTP Proxy. Create a proxy connection to the application servers.
B. Install Microsoft Internet Security and Acceleration (ISA) Server 2006 and enable RPC filtering.
C. Install Terminal Services, Terminal Services Gateway (TS Gateway), and the client component of the
client/server application on the terminal server.
D. Configure the Routing and Remote Access Service (RRAS). Configure all users to connect to the
application servers from the Internet by using virtual private network (VPN) connections.
Answer: C
Explanation:
The RPC time-out error was occurring on connecting the client component to the server component by using RPC because the network link had a high latency. To get rid of the RPC time-out error, you need to install Terminal Services, TS Gateway, and the client component of the client/server application on the terminal server. Terminal Services delivers applications and data via the Remote Desktop Protocol (RDP), an optimized transport mechanism low bandwidth. Traditional client server applications that slow end-user productivity over a slow network connection, receive a performance boost when delivered via Terminal Services to remote users Reference: Remote Desktop Protocol
http://209.85.175.104/search?q=cache:YHRCTn8lepAJ:download.microsoft.com/download/b/b/5/b b50037f-e4ae-40d1-a898-7cdfcf0ee9d8/TERMINAL_SERVICES/TS-TDM-Scenario- RemoteAccessScenario.docx+Terminal+Services,+TS+Gateway,+client/server+application&hl=en&ct= clnk&cd=15&gl=in
QUESTION 56
Your network consists of one Windows Server 2008 domain. The network contains portable computers. You configure a server that runs Windows Server 2008 as a Routing and Remote Access Service (RRAS) server. Users connect remotely to the network through a virtual private network (VPN) connection to the RRAS server from both company-issued portable computers and non- company-issued computers. The relevant portion of the network is shown in the following diagram.
You need to prepare the environment to secure remote access to the network. The solution must meet the following requirements:
– Only computers that have Windows Firewall enabled can connect remotely.
– Only computers that have the most up-to-date antivirus definitions can connect remotely.
– Only computers that run Windows Vista and have the most up-to-date updates can connect remotely.
What should you do?
A. Implement Authorization Manager.
B. Implement Network Access Protection (NAP) on the perimeter network.
C. Install a Microsoft Internet Security and Acceleration Server (ISA) 2006 on the network.
D. Create a domain Group Policy object (GPO). Enable Windows Firewall and publish updated antivirus
definitions in the GPO.
Answer: B
Explanation:
To ensure that the computers that connect to the corporate network meet all the required conditions, you need to implement Network Access Protection (NAP) on the perimeter network. NAP uses System Health Agent (SHA) to check if the specified system health requirements are fulfilled. The SHA can verify whether the Windows Firewall is on; antivirus and antispyware software are installed, enabled, and updated; Microsoft Update Services is enabled, and the most recent security updates are installed. If the system is not in the required state, the SHA can then start a process to remedy the situation. For example, it can enable Windows Firewall or contact a remediation server to update the antivirus signatures
Reference: Windows Server 2008 NAP (Network Access Protection) infrastructure http://4sysops.com/archives/windows-server-2008-nap-network-access-protection-infrastructure/
QUESTION 57
Your network contains a server that runs Windows Server 2008 R2. You plan to deploy a content management system on the server. You need to recommend a content management system to meet the following requirements:
– Automatically protect documents that are uploaded to a central data store.
– Protect documents by preventing users from remotely printing sensitive corporate data.
What should you recommend?
A. Enable Windows BitLocker Drive Encryption (BitLocker) on a Microsoft Windows SharePoint Services
(WSS) 3.0 server.
B. Enable Windows BitLocker Drive Encryption (BitLocker) on a Microsoft Office SharePoint Server (MOSS)
2007 server.
C. Use Active Directory Rights Management Services (AD RMS) and Microsoft Office SharePoint Server
(MOSS) 2007.
D. Use Active Directory Rights Management Services (AD RMS) and Microsoft Windows SharePoint Services
(WSS) 3.0.
Answer: C
Explanation:
To deploy a content management system on the server and manage a central data store you need to use Use Microsoft Office SharePoint Server (MOSS) 2007 server. MOSS 2007 can be used to “facilitate collaboration and provide content management features. Users can then log in and make changes directly to these items in a centralized space. To automatically protect documents uploaded to the central data store and prevent users from remotely printing sensitive corporate data, you need to use Active Directory Rights Management Services (AD RMS). AD RMS helps you to prevent sensitive information–such as financial reports, product specifications, customer data, and confidential e-mail messages–from intentionally or accidentally getting into the wrong hands. You can use AD RMS on applications such as content management systems or portal servers running on Windows or other operating systems to help safeguard sensitive information.
Reference: MOSS 2007: What It Means for Your Business
http://business.itbusinessnet.com/articles/viewarticle.jsp?id=225367 Reference: Active Directory Rights Management Services Overview http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f- 15b156a0b4e01033.mspx?mfr=true
QUESTION 58
Your network consists of 20 Active directory domains in a single forest. The functional level of the forest is Windows Server 2008 R2. You company has 20 departments. A separate domain exists for each department. Each domain has an organizational unit (OU) named DepartmentUsers that contains the respective domain users. Each domain has its own IT department. You need to plan the consolidation of all the IT departments into a single IT department. The solution must meet the following requirements:
– IT administrators must be denied from making domain-wide changes.
– IT administrators must be able to administer users in all departments.
Your solution must use the minimum amount of administrative effort.
What should you include in your plan?
A. In one domain, create a universal group for all the IT administrators.
Add the universal group to the Domain Admins group in each domain.
B. In one domain, create a global group for all the IT administrators.
Add the global group to the Domain Admins group in each domain.
C. In one domain, create a universal group for all the IT administrators.
Delegate administration of the DepartmentUsers OU in each domain to the universal group.
D. In each domain, create a domain local group for the IT administrators.
Delegate administration of the DepartmentUsers OU in each domain to the corresponding domain
local group.
Answer: C
Explanation:
To consolidate all the IT departments into a single IT department, you need to create a Universal group for all the IT administrators in a domain. The Universal groups allow users (and groups) from multiple domains to have membership in a single group that is available throughout the Active Directory forest. This is useful in a forest with multiple Active Directory domains to simplify resource access permissions. If users or groups from different domains need access to resources that are located in multiple domains, a universal group can be used to allow for that access. Next you need to delegate administration of the DeptUsersOU in each domain to the common group (Universal group) that you have created for IT administrators so that IT administrators are able to administer users in all departments. You cannot add that group \9Universal group that you have created) to the Domain Admins group in each domain because you don’t want ID administrators to make domain- wide changes.
Reference: Universal Group Membership Caching: Lessons Learned the Hard Way http://www.informit.com/articles/article.aspx?p=415792
QUESTION 59
Your company has a main office and three branch offices. Each office has a server that runs Windows Server 2008. The server has the DNS Server role installed. The branch offices contain client computers that run Windows 2000. You plan to deploy Active Directory Domain Services (AD DS) on the network. You need to plan a name resolution solution for the deployment of Active Directory Domain Services (AD DS). The solution must meet the following requirements:
– Support secure dynamic updates.
– Minimize response times for users connecting to resources anywhere on the network.
What should you include in your plan?
A. A GlobalNames zone for the forest.
B. A single Active Directory-integrated DNS zone.
C. A stub zone on the DNS server in each branch office.
D. A standard primary zone in the main office and secondary zones in each branch office.
Answer: B
Explanation:
To deploy Active Directory Domain Services (AD DS) on the corporate network of the company with given requirements, you need to implement a single Active Directory-integrated (ADI) DNS zone. Active Directory integrated (ADI) primary DNS zone enables built-in recovery, scalability, and performance. An ADI zone is a writeable copy of a forward lookup zone that is hosted on a domain controller. It can therefore reduce the response times for users connecting to resources anywhere on the network and because it uses directory-integrated storage it also simplifies dynamic updates for DNS clients that are running Windows 2000. None of the other options can be used to meet the desired objectives.
Reference: From the Windows 2000 Resource Kit
http://windowsitpro.com/article/articleid/76616/jsi-tip-5312-when-you-change-your-dns-active- directory-integrated-zone-type-to-secondary-it-changes-back-to-active-directory-integrated-when- you-restart.html
Reference: ACTIVE DIRECTORY ADMINISTRATION TIPS
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1115858,00.html
QUESTION 60
Your network consists of one Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to deploy Certificate Services on the network to support the following requirements:
– Maintain availability if a single server fails.
– Delegate the enrollment of certificates for separate groups of users.
– Restrict the types of certificates that can be issued by a certificate manager.
What should you do?
A. Deploy two servers that run Windows Server 2008 R2 Enterprise Edition.
Configure a failover cluster.
Configure an enterprise certification authority (CA).
B. Deploy two servers that run Windows Server 2008 Enterprise Edition.
Configure a failover cluster.
Configure a stand-alone root certification authority (CA).
C. Deploy two servers that run Windows Server 2008 Enterprise Edition.
Configure an enterprise root certification authority (CA) and a stand-alone subordinate CA.
D. Deploy two servers that run Windows Server 2008 Standard Edition.
Configure a stand-alone root certification authority (CA) and an enterprise subordinate CA.
Answer: A
Explanation:
To deploy Certificate Services on the network and ensure that the server services are available if a single server fails, you need to deploy two servers that run Windows Server 2008 Enterprise Edition because Enterprise Edition of Windows Server 2008 should be used to configure failover clustering. You need to deploy two servers to configure a failover cluster. You need to then configure a failover cluster, so that the server services are available if a single server fails. Finally you need to configure an enterprise certification authority (CA). You should use Enterprise CA because you need to use certificates in the internal network and not in the external world.
Reference: Certificate Server / Enterprise CA
http://www.windowsitlibrary.com/Content/405/17/1.html
Reference: Windows Server 2008: Features by Edition / 8 Node Failover Clustering http://uxevangelist.blogspot.com/2008/02/windows-server-2008-features-by-edition.html
If you want to pass Microsoft 70-647 successfully, donot missing to read latest lead2pass Microsoft 70-647 dumps.
If you can master all lead2pass questions you will able to pass 100% guaranteed.