QUESTION 71
Your network consists of one Active Directory domain. All domain controllers run either Windows Server 2008 R2 or Windows Server 2003 SP2. A custom application stores passwords in Active Directory. You plan to deploy read-only domain controllers (RODCs) on the network. You need to prevent custom application passwords from being replicated to the RODCs. What should you do?
A. Upgrade the schema master to Windows Server 2008 R2. Configure a fine-grained password policy.
B. Upgrade the infrastructure master to Windows Server 2003 Service Pack 2 (SP2).
Mark the custom application password attribute as confidential.
C. Upgrade all domain controllers to Windows Server 2008 R2.
Add the custom application password attribute to the RODC filtered attribute set and mark the attribute as confidential.
D. Upgrade all domain controllers to Windows Server 2008 R2.
Set the functional level of the forest and the domain to Windows Server 2008 R2.
Configure a fine-grained password policy.
Answer: C
Explanation:
To deploy read-only domain controllers (RODCs) on the network, you need to upgrade all domain controllers to Windows Server 2008. To make sure that the custom application passwords are not replicated to the RODCs, you need to add the custom application password attribute to the RODC filtered attribute set and mark the attribute as confidential. The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised. In addition, it is recommended that you also mark as confidential any attributes that you configure as part of the RODC filtered attribute set. Marking the attribute as confidential provides an additional safeguard against an RODC that is compromised by removing the permissions that are necessary to read the credential-like data.
Reference: RODC Features / Adding attributes to the RODC filtered attribute set http://technet2.microsoft.com/windowsserver2008/en/library/0e8e874f-3ef4-43e6-b496-302a47101e611033.mspx?mfr=true
QUESTION 72
Your network consists of one Active Directory domain that contains domain controllers that run Windows Server 2008. You deploy Windows Server 2008 Enterprise Edition on 20 new computers. You deploy a Server Core installation of Windows Server 2008 Standard Edition on 20 old computers. You create a new organizational unit (OU) named Servers OU. You move all server computer accounts to Servers OU. You need to recommend a patch management solution for the new computers. The solution must ensure that all computers automatically download and install updates approved by administrators. What should you recommend?
A. Implement a new Windows Server Update Services (WSUS) 3.0 server.
Manually enable the servers for Automatic Updates.
B. Implement a new Windows Server Update Services (WSUS) 3.0 server.
Create a new Group Policy object (GPO) for Servers OU.
Configure the GPO to enable Automatic Updates from a local server.
C. Create a new Group Policy object (GPO) for Servers OU.
Configure the GPO to enable Automatic Updates from Microsoft Update.
D. Create a new Group Policy object (GPO) for the Active Directory domain.
Configure the GPO to enable Automatic Updates from Microsoft Update.
Answer: B
Explanation:
To ensure that all new computers running Windows Server 2008 Enterprise Edition automatically download and install updates, you need to implement a new Windows Server Update Services (WSUS) 3.0 server, which enables you to deploy the latest Microsoft product updates to computers running Windows operating systems. Next, you need to create a new Group Policy object (GPO) for Servers OU so that all the new servers in the Servers OU receive updates. You should not create a new GPO for the Active Directory domain because you don’t want all the network computers, which include servers as well as desktop computers, to receive updates. Finally, you need to configure the GPO to enable Automatic Updates from a local server so that all the servers receive updates automatically. You need to enable Automatic Updates from a local server instead of Microsoft Update because you are using a WSUS server to receive updates.
Reference: Microsoft Windows Server Update Services 3.0 Overview http://technet2.microsoft.com/windowsserver/en/library/632f98ac-9d45-480b-b801-996b714cebd01033.mspx?mfr=true
Reference: GPO for installing Windows update through WSUS http://www.petri.co.il/forums/showthread.php?t=22168
Reference: Configuring WSUS 3.0
http://netjammr.net/tech/2008/02/19/install-and-configure-windows-server-update-services-30-part-2/
QUESTION 73
Your network consists of one Active Directory domain. All domain controllers run Windows Server 2008. The network contains both portable and desktop computers. Your company has two departments named Sales and Engineering. You create one organizational unit (OU) for each department. You move all user and computer accounts to their respective OUs. You need to prepare the environment for the deployment of Group Policy objects (GPOs) to meet the following requirements:
– Remote users in the Sales department must be able to save documents to any USB flash drive.
– Remote users in the Engineering department must be able to save documents only to USB flash drives supplied by the company.
– Local network users from both departments must be able to use a USB mouse and a USB keyboard.
What should you do?
A. Create a single GPO for both OUs.
B. Modify the Default Domain Policy. Create a new GPO for each OU.
C. Create a new OU for all desktop computers. Create a GPO for the new OU.
D. Modify the Default Domain Controllers Policy. Create a new GPO for each OU.
Answer: B
Explanation:
Every setting configured in the Default Domain Policy GPO applies to every user and computer account in the domain unless the setting is overridden by other domain GPOs that have higher precedence or by GPOs linked to OUs. Therefore, you need to first modify the Default Domain Policy so that it does not include any settings except account policies, and then create a new GPO for the Sales organizational unit (OU) to allow the remote users of the Sales department to save documents to any USB flash drive, and a new GPO for the Development OU to allow the remote users of the Development department to save documents only to USB flash drives supplied by the company. In addition, you need to configure both GPOs to allow the local network users from both departments to use a USB mouse and a USB keyboard.
Reference: Caution with Default Domain Policy
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Admin/CautionwithDefaultDomainPolicy.html
QUESTION 74
Your company named Contoso and another company named Fabrikam establish a partnership. The Contoso network consists of one Active Directory domain named contoso.com. File servers are installed on the contoso.com domain. All file servers run Windows Server 2008. The Fabrikam network consists of one Active Directory forest named fabrikam.com. You need to plan a solution to enable Fabrikam users to access resources on the file servers. The solution must meet the following requirements:
– Ensure that Fabrikam users can access resources only on the file servers.
– Ensure that Contoso users are denied access to Fabrikam resources.
What should you do first?
A. Create a one-way forest trust so that Contoso trusts Fabrikam. Set selective authentication on the trust.
B. Create a one-way forest trust so that Fabrikam trusts Contoso. Set selective authentication on the trust.
C. Create a one-way forest trust so that Contoso trusts Fabrikam. Set forest-wide authentication on the trust.
D. Create a one-way forest trust so that Fabrikam trusts Contoso. Set forest-wide authentication on the trust.
Answer: A
Explanation:
To ensure that the users of TechMasters.com can access resources only on the file servers of Contoso.com and the users of Contoso.com cannot access any resource on fabrikam.com, you need to create a one-way forest trust so that Contoso can trust Fabrikam and allow the users of Contoso to access its resources. Choosing Selective Authentication will allow you to specify which users in the remote domain have access to which of the local resources. You need to select this option so that you can restrict the access to only file server resources. Domain-Wide Authentication cannot be used because it will authenticate all users in the remote forest for all resources in the local forest.
Reference: Choosing Selective Authentication will allow you to specify which users in the remote domain have access to local resources
http://blogs.techrepublic.com.com/window-on-windows/?p=500
QUESTION 75
Your company has a main office and 10 branch offices. The network consists of one Active Directory domain. All domain controllers run Windows Server 2008 and are located in the main office. You need to plan the deployment of one Windows Server 2008 domain controller in each branch office.
The solution must meet the following requirements:
– Branch office domain controllers must be able to log users on to the domain.
– Branch office domain controllers must be able to store the passwords of only some domain users.
– Users must be able to download Group Policy objects (GPOs) from the branch office domain controllers.
What should your plan include?
A. Install Active Directory Lightweight Directory Services (AD LDS).
B. Install Active Directory Domain Services (AD DS) on a Server Core installation of Windows Server 2008.
C. Install Active Directory Domain Services (AD DS). Select the read-only domain controller (RODC) option during installation.
D. Install Active Directory Domain Services (AD DS). Create a new Password Settings object (PSO).
Link the PSO to user objects in the respective branch office.
Answer: C
Explanation:
To deploy a Windows Server 2008 domain controller in each branch office and to ensure that branch office domain controllers allow users to log on to the domain, you need to install Active Directory Domain Services (AD DS) and select the read-only domain controller (RODC) option during installation. An RODC stores the passwords of only some domain users and allows you to download Group Policy objects (GPOs). Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC.
Reference: AD DS: Read-Only Domain Controllers / Credential caching http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx?mfr=true
QUESTION 76
Your network contains only servers that run Windows Server 2008. You plan to use only iSCSI for shared storage. You plan to deploy servers that run Microsoft SQL Server 2005 on the network. You need to recommend a high-availability solution for the SQL Server 2005 servers to withstand the failure of any single hardware component. What should you recommend?
A. Install a two node failover cluster that has multiple network cards.
B. Install a two node failover cluster that has a dual port teamed network card.
C. Install a Network Load Balancing cluster that has multiple network cards.
D. Install a Network Load Balancing cluster that has multiple teamed network cards.
Answer: A
Explanation:
To deploy Microsoft SQL Server 2005 servers on the network and ensure the high availability of these servers to withstand the failure of any single hardware component, you need to configure a two node failover cluster that has multiple network cards. For a failover cluster network, to avoid having single points of failure, you can connect your cluster nodes by multiple, distinct networks using multiple network cards. You should not configure a two node failover cluster that has a dual port teamed network card because Microsoft doesn’t fully support Network Card Teaming in a SQL Server failover cluster. In network card teaming, a number of network cards in a single server operate as a team. Running multiple heartbeat or public networks on VLAN-configured switches is also not supported by Microsoft. In this clustering solution, no network can share a single point of failure with another network. You should configure a failover cluster instead of Network Load Balancing because you need services to remain available if one of the servers fails. Network Load Balancing can only divide the load between servers when the number of requests is too high, but it cannot provide fault tolerance.
Reference: Reduce Downtime: Implement SQL Server 2000 On A Cluster The Cluster Configuration http://technet.microsoft.com/en-us/magazine/cc160784.aspx
Reference: Step-by-Step Guide for Configuring a Two-Node File Server Failover Cluster in Windows Server 2008 / Hardware requirements for a two-node failover cluster http://computer.ebooktops.com/step-by-step-guide-for-configuring-a-two-node-file-server-failover-cluster-in-windows-server-2008/
QUESTION 77
Your network consists of one Active Directory domain. You have a single site. You deploy a new Active Directory-integrated application on a server that runs Windows Server 2008. The application sends a large number of LDAP queries to the domain controllers. You plan to install a new domain controller to respond to the LDAP queries. You need to reduce the number of authentication requests client computers send to the new domain controller. What should you do?
A. Create a new site and disable the Bridge all site links option.
B. Create a new site. Move the application server and the new domain controller to the new site.
C. Create a new organizational unit (OU). Move the application server and the new domain controller to the new OU.
D. Create two new sites. Move the application server to one site and the new domain controller to another site.
Create a new site link that connects the two sites.
Answer: B
Explanation:
When the client receives the SRV records, it performs a quick LDAP ping to all of them by sending out a bind query to UDP port 389. The first domain controller to respond is selected as the primary LDAP server by the client. You cannot configure a preferred domain controller for a client. If you have a large LAN and you want to compartmentalize your clients based on their area of a campus LAN or MAN (metropolitan area network), you must structure your replication topology around multiple sites. Therefore, to reduce the number of authentication requests that the client computers would send to the new domain controller, you need to create a new site in the domain and then move the server on which the application is installed and the new domain controller to the new site.
Reference: Understanding Active Directory Services
http://www.windowsitlibrary.com/Content/716/06/5.html
QUESTION 78
Your network consists of one Active Directory domain. The domain contains four servers that run Windows Server 2008. The relevant servers are configured as shown in the following table. (Click the Exhibit)
Your company has a department named Sales. All client computers in the Sales department run Windows Vista and use an application named Application1. Application1 uses a dynamic-link library (DLL) named Salesapp.dll. You plan to deploy a new application named Application2 that uses a different version of Salesapp.dll. During testing, administrators report that Application2 causes Application1 to fail when both applications run on the same computer. You need to ensure that users can run both applications successfully on the same computer. The solution must enable users that use portable computers to run both applications when they are disconnected from the network.
What should you do?
A. On Server1, create and link a Group Policy object (GPO) that assigns Application2 to all computers in the Sales department.
B. On Server3, create a SoftGrid application package that contains Application2 and stream it to all computers in the Sales department.
C. On Server2, install Application2. Configure all computers in the Sales department to access Application2 by using Terminal Services Gateway (TS Gateway).
D. On Server2, install Application2. Configure all computers in the Sales department to run Application2 by using Terminal Services RemoteApp (TS RemoteApps).
Answer: B
Explanation:
To ensure that both applications can run on the same computer and to enable users that use portable computers to run both applications when they are disconnected from the network, you need to create a SoftGrid application package that contains App2 on Server3 and stream it to all computers in the Marketing department. SoftGrid applications are sandboxed from each other, so that different versions of the same application can be run under SoftGrid concurrently. There can be numerous scripts per profile and scripts can even be stuff that is not directly executable such as data or DLLs. SoftGrid can be executed on a connected desktop system and published via Citrix. The scripts used on this server can run BEFORE application execution or AFTER the application terminates and can run inside or outside of isolation.
Reference: Application Streaming and SoftGrid – dual mode http://blogs.technet.com/virtualworld/archive/2008/02/23/application-streaming-and-softgrid-dual-mode.aspx
QUESTION 79
Your network contains a server that runs Windows Server 2008. You install Microsoft Office 2007 on the server. You need to recommend an update management solution for the server. The solution must ensure that all operating system, security updates, drivers, and Office updates are installed on the server. What should you recommend?
A. Use Windows Update.
B. Use Microsoft Update.
C. Run the Security Configuration Wizard (SCW).
D. Run the Microsoft Baseline Security Analyzer (MBSA).
Answer: B
Explanation:
To install all security updates of the operating system, drivers, and Office updates on the server, you need to use Microsoft Update. You need to use Microsoft Update because you need Office updates in addition to OS updates. You can get updates for Windows, Office and other Microsoft applications from Microsoft Update. You cannot use Windows Update because it allows you to get only operating system updates.
Reference: Microsoft Update
http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx?returnurl=http://www.update.microsoft.com/microsoftupdate&ln=en-us
QUESTION 80
Your network consists of four Active Directory domains named East, West, North, and South. The North domain is the forest root domain. All domain controllers run Windows Server 2008 R2. Department managers use a sales reporting application on a server named SalesServer1 in the East domain. A domain local group named SalesAppEast in the East domain has access to the application. Each domain has a global group named LocalManagers that contains all managers from the corresponding domain. All global groups are added to the SalesAppEast domain local group. You need to ensure that any unauthorized member added to SalesAppEast is automatically removed.
What should you do?
A. Deny the Modify permission for the SalesAppEast domain local group.
B. Create a Group Policy object (GPO).
Configure the GPO to restrict group membership to the SalesAppEast group and link the GPO to the East domain.
C. Create a Group Policy object (GPO).
Configure the GPO to restrict group membership to the LocalManagers group and link the GPO to the North domain.
D. Create a Group Policy object (GPO).
Configure the GPO to restrict group membership to the LocalManagers group and link the GPO to the North, South, and West domains.
Answer: B
Explanation:
To ensure that any unauthorized member added to LocEastGr is automatically removed, you need to create and configure the GPO to restrict group membership to the LocEastGr group and link the GPO to the East domain. A restricted group’s membership is enforced by Group Policy. It allows you to clearly specify which accounts must not be considered members of a client’s local group, and which accounts must always be considered members of a local group. This way you can enforce rights and privileges for who gets to log on to a local client and who does not. You should not create and configure the GPO to restrict group membership to the global domain group because you want to configure LocEastGr for unauthorized access and not global domain groups.
Reference: Using Group Policy to Restrict Group Membership http://www.informit.com/guides/content.aspx?g=windowsserver&seqNum=68