Practice Test - Gattner

Microsoft 70-649

70-649 Upgrading MCSE on Windows Server 2003 to Windows Server 2008, Technology Specialist

Practice Test Updated: Oct 19, 2009 Version:

Microsoft 70-649: Practice Exam

QUESTION NO: 1

Certkiller has opened a new branch office where 10 standalone servers run Windows Server 2008. To keep the servers updated with the latest updates, you install WSUS on a server named Certkiller 3. Which of the following actions would you perform next to configure all of the servers to receive updates from Certkiller 3?

A. Use Control Panel to configure the Windows Update Settings on each server.
B. Run the wuauclt.exe /reauthorization command on each server.
C. Use the local group policy to configure the Windows Update Settings on each server.
D. Run the wuauclt.exe /detectnow command on each server.
E. None of the above

Answer: C

Explanation: To configure all of the servers to receive updates from Certkiller 3, you need to configure the Windows Update Settings on each server by using the local group policy. Microsoft suggests the use of Group Policy for setting up computers and WSUS in clients. Configuring the Windows Update Settings on each server would be quite time consuming. Configure the Windows Update Settings on each server by using the local group policy. wuauclt.exe /detectnow and wuauclt.exe /reauthorization force update detection and reauthorization respectively and therefore cannot be used for configuration.

Reference: What does wuauclt.exe /detectnow do http://www.wsus.info/forums/lofiversion/index.php?t6505.html
Reference: Adding Computers to WSUS 3.0 SP1 (Windows Server 2008) http://www.geekzone.co.nz/chakkaradeep/4564

QUESTION NO: 2

The corporate network of Certkiller consists of 100 servers that run Windows Server 2008. A file server, Certkiller 4, is connected to a SAN and has 12 logical drives. As a system administrator of your company, you have been assigned the task of archiving the data when the free space on the file server is about to run out. To accomplish this task, you decided to run a data archiving script automatically when the free space on any of the logical drives goes below 30 percent. To implement the solution, you created a new Data Collector Set and the data archiving script. Which of the following actions would you now perform to automate the execution of the script that you have created?

A. Add the System configuration data collector.
B. Add the Event trace data collector.
C. Add the Performance counter alert.
D. Add the Performance counter data collector.
E. None of the above

Answer: C

Explanation: To implement the solution, you now need to add the Performance counter alert. The Performance counter alert creates an alert if a performance counter reaches a threshold that you specify.

Reference: Creating a Snapshot of a Computer's Configuration with Data Collector Sets in Vista / How to Create Custom Data Collector Sets http://www.biztechmagazine.com/article.asp?item_id=241

QUESTION NO: 3

The corporate network of Certkiller consists of two servers, Certkiller 2 and Certkiller 3, that run Windows Server 2008. You installed WSUS on both servers to create a hierarchy of WSUS servers. You now need to configure WSUS on Certkiller 2 so that it can receive updates from Certkiller 3. Which of the following configurations would you perform on Certkiller 2 to accomplish this task?

A. Create a new computer group for the server.
B. Configure it as a proxy server.
C. Configure it as an upstream server.
D. Configure it in replica mode
E. None of the above

Answer: D

Explanation: To configure WSUS on Certkiller 2 so that it can receive updates from Certkiller 3, you need to first link the servers by configuring Certkiller 2 as the downstream server and Certkiller 3 as the upstream server. When you link WSUS servers together, there is an upstream WSUS server and a downstream WSUS server. Because an upstream WSUS server shares updates, you need to configure Certkiller 3 as the upstream server. There are two ways to link WSUS servers together: Autonomous mode and Replica mode. So you can configure Certkiller 2 in Replica mode.

Reference: Choose a Type of WSUS Deployment / WSUS server hierarchies http://technet2.microsoft.com/windowsserver/en/library/12b665bc-07fa-4a4e-aed8f970efe80c4c1033.mspx?mfr

QUESTION NO: 4

The corporate network of Certkiller consists of a Windows Server 2008 single Active Directory domain that contains two domain controllers named Certkiller 4 and Certkiller 5. All servers in the domain run Windows Server 2008. You wanted to configure Event forwarding and subscription in the domain server. To accomplish this task you created a default subscription on Certkiller 4 for Certkiller 5. Which of the following event logs would you select to review the system events for Certkiller 5?

A. Forwarded Events log on Certkiller 5.
B. Forwarded Events log on Certkiller 4.
C. System log on Certkiller 4.
D. Application log on Certkiller 5.
E. None of the above

Answer: B

Explanation: To review the system events for Certkiller 5, you need to view the Forwarded Events log on Certkiller 4, which is configured to centrally manage events. The Event Collector service can automatically forward event logs to other remote systems running Windows Vista or Windows Server 2008 on a configurable schedule. Event logs can also be remotely viewed from other computers, or multiple event logs can be centrally logged, monitored agentlessly and managed from a single computer.

Reference: Event Viewer http://en.wikipedia.org/wiki/Event_Viewer

QUESTION NO: 5

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. A public website has recently been hosted on Certkiller Server1. After a few days, you noticed an unusually high traffic volume on the website. Which of the following options would you choose to identify the source of the traffic?

A. Run the netstat -an command on Certkiller Server1.
B. Using IIS Server Manager, first enable the website logging and then filter the logs for the source IP address.
C. Enable Web scripting on Certkiller Server1.
D. Using Event Viewer, filter information from the security log by creating a custom view in it.
E. None of the above

Answer: B

Explanation: To identify the source of the traffic, you need to first enable the website logging using IIS Server Manager and then filter the logs for the source IP address so that the source of the high traffic can be found. The Internet Services Manager, available within the Administrative Tools folder on your Start menu, is the primary tool you'll use to administer your Web server. It allows you to enable logging on your web site. The IIS log files can then be used to identify performance issues in performance testing. Client IP address filtering allows you to filter on the IP address of the machine that accessed your web site. Although IP addresses aren't necessarily unique to any one visitor (as most visitors surf the web via a dynamic IP address provided by their ISP and not their own dedicated static IP and pipe), the IP address can still be useful in partitioning the log file into visitor sessions. The netstat -an command cannot be used because it is used to check various TCP/IP connections. Web scripting is used to enhance your browsing experience. Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Therefore none of these options can be used to detect the source of high traffic.

Reference: How To Use IIS Log Files In Performance Testing http://www.codeplex.com/PerfTesting/Wiki/Print.aspx?title=How%20To%3A%20Use%20IIS%20Log%20Files
Reference: Web Wizardry: Putting the Internet to Work on Windows 2000 http://mcpmag.com/features/print.asp?EditorialsID=94
Reference: Dissecting Log Files http://www.clicktracks.com/insidetrack/articles/dissecting_log_files.php

QUESTION NO: 6

You are an Enterprise administrator for Certkiller.com. The company consists of a single Active Directory domain where all the servers on the corporate network run Windows Server 2008. One of the web servers, called Certkiller Server1, hosts shared documents. You have recently installed a few applications on the server. However, after these installations, users report extremely slow response times when they try to open the shared documents on Server1. To diagnose the problem, you used real time monitoring on the server and found that the processor is operating at 100 percent of capacity. Which of the following options would you choose to gather additional data to diagnose the cause of the problem?

A. Create a counter log to track processor usage in the Performance console.
B. Open and review the application log for Performance events in the Event Viewer.
C. Use the Resource View to see the percentage of processor capacity used by each application in Windows Reliability and Performance Monitor.
D. Create an alert that will be triggered when processor usage exceeds 80 percent for more than five minutes on Certkiller Server1 in Windows Reliability and Performance Monitor.
E. None of the above

Answer: C

Explanation: To gather additional data to diagnose the cause of the problem, you need to use the Resource View in Windows Reliability and Performance Monitor to see the percentage of processor capacity used by each application.

The Resource View window of Windows Reliability and Performance Monitor provides a real-time graphical overview of CPU, disk, network, and memory usage. By expanding each of these monitored elements, system administrators can identify which processes are using which resources. In previous versions of Windows, this real-time process-specific data was only available in limited form in Task Manager.

Reference: Windows Reliability and Performance Monitor http://technet.microsoft.com/enus/library/cc755081.aspx

QUESTION NO: 7

You are an Enterprise administrator for Certkiller.com. All the 100 servers on the corporate network run Windows Server 2008. A server called Certkiller Server1 is configured on the network with the following configuration:

1. Connected to a SAN
2. Consists of 15 logical drives.
3. A new Data Collector Set is recently created

Which of the following options would you choose to automatically run a data archiving script on Certkiller Server1 if the free space on any of the logical drives on the server is below 30 percent?

A. Add the Event trace data collector
B. Add the Performance counter alert
C. Add the Performance counter data collector
D. Add the System configuration data collector

Answer: B

Explanation: To automatically run a data archiving script if the free space on any of the logical drives is below 30 percent and to automate the script execution by creating a new Data Collector Set, you need to add the Performance counter alert. The Performance counter alert creates an alert if a performance counter reaches a threshold that you specify. You can configure your data collector set to automatically run at a scheduled time, to stop running after a number of minutes, or to launch a task after running. You can also configure your data collector set to automatically run on a scheduled basis. This is useful for proactively monitoring computers.

Reference: Creating a Snapshot of a Computer's Configuration with Data Collector Sets in Vista / How to Create Custom Data Collector Sets http://www.biztechmagazine.com/article.asp?item_id=241

QUESTION NO: 8

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. The domain consists of two servers named Certkiller Server1 and Certkiller Server2. You need to configure event subscription on the servers so that events from Certkiller Server2 can be collected and transferred to Certkiller Server1. You configure the required subscriptions by selecting the normal option for the event delivery optimization setting and using the HTTP protocol. However, you noticed that none of the subscriptions work. Which of the following three options would you choose to ensure that the servers support event collectors? (Each correct answer presents part of the solution)

A. Run the wecutil qc command on Certkiller Server1
B. Run the wecutil qc command on Certkiller Server2
C. Run the winrm quickconfig command on Certkiller Server1
D. Run the winrm quickconfig command on Certkiller Server2
E. Add the Certkiller Server2 account to the administrators group on Certkiller Server1
F. Add the Certkiller Server1 account to the administrators group on Certkiller Server2

Answer: A,D,F

Explanation: To collect events from Certkiller Server2 and transfer them to Certkiller Server1, you need to first run the wecutil qc command on Certkiller Server1. This command enables you to create and manage subscriptions to events that are forwarded from remote computers. Then you need to run the winrm quickconfig command on Certkiller Server2. WinRM is required by Windows Event Forwarding as WS-Man is the protocol used by WS-Eventing. Group Policy can be used to enable and configure Windows Remote Management (WinRM or WS-Man) on the Source Computers. With WinRM, Group Policy can be used to configure Source Computers (Clients) to forward events to a collector (or set of collectors). Finally, you need to add the Certkiller Server1 account to the administrators group on Certkiller Server2 so that access rights can be granted to the collector system on the forwarding computer.

Reference: Quick and Dirty Large Scale Eventing for Windows http://blogs.technet.com/otto/archive/2008/07/08/quick-and-dirty-enterprise-eventing-forwindows.aspx
Reference: Collect Vista Events http://www.prismmicrosys.com/newsletters_june2007.php

QUESTION NO: 9

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. To find the security lapse in the corporate network, you decided to build a list of all DNS requests that are initiated by a network server called CRM Certkiller 1. To do this, you installed the Microsoft Network Monitor 3.0 application on CRM Certkiller 1 and configured the server to perform a security audit. You captured all local traffic on CRM Certkiller 1 for 24 hours and saved the capture file as data.cap. However, you realized that the size of the data.cap file is more than 1GB, so you decided to create a file named CRM1DNSdata.cap from the existing capture file that contains only DNS-related data. Which of the following options would you choose to accomplish this task?

A. Apply the display filter !DNS and save the displayed frames as CRM1DNSdata.cap file
B. Apply the capture filter DNS and save the displayed frames as a CRM1DNSdata.cap file
C. Add a new alias named DNS to the aliases table and save the file as CRM1DNSdata.cap
D. Run the nmcap.exe /inputcapture data.cap /capture DNS /file CRM1DNSdata.cap command.
E. None of the above

Answer: D

Explanation: NMCap also allows you to accept a capture file as input. This can be useful for cleansing your traces before you use them. You could also parse traffic by different ports or by IP addresses. The following command creates a file named CRM1DNSdata.cap that stores only the DNS-related data, filtered from the capture file data.cap:

nmcap.exe /inputcapture data.cap /capture DNS /file CRM1DNSdata.cap

Reference: Network Monitor / Cool NMCap trick, using another capture file as the input source http://blogs.technet.com/netmon/Default.aspx?p=2

QUESTION NO: 10

You are an enterprise administrator for Certkiller. The corporate network of the company consists of 100 servers that run Windows Server 2008 in an Active Directory domain. You have recently installed Windows Server 2008 on a new server and named it Certkiller Server1. You installed the Web Server (IIS) role on it. Certkiller Server1 has no Reliability Monitor data currently, and the system stability share has never been updated. Which of the following options would you choose to configure Certkiller Server1 to collect the reliability monitor data?

A. On the Certkiller Server1, run the perfmon.exe /sys command.
B. On the Certkiller Server1, configure the Task scheduler service to start automatically.
C. On the Certkiller Server1, configure the Remote Registry service to start automatically.
D. On the Certkiller Server1, configure the Secondary Login service to start automatically.

Answer: B

Explanation: To configure the Certkiller Server1 to collect the reliability monitor data, you need to configure the Task scheduler service to start automatically. Reliability Monitor uses data provided by the RACAgent scheduled task, a pre-defined task that runs by default on a new installation of Windows Vista. The seamless integration between the Task Scheduler user interface and the Event Viewer allows an event-triggered task to be created with just five clicks. In addition to events, the Task Scheduler in Windows Vista / Server 2008 supports a number of other new types of triggers, including triggers that launch tasks at machine idle, startup, or logon. Because you need Task Scheduler to collect reliability monitor data, you need to configure the Task scheduler service to start automatically.

Reference: Network Monitor 3.1 OneClick ... now what? / Task Scheduler Changes in Windows Vista and Windows Server 2008 Part One http://blogs.technet.com/askperf/
Reference: What allows the Reliability Monitor to display data? http://www.petri.co.il/reliability_monitor_windows_vista.htm

QUESTION NO: 11

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. A server named Certkiller DC1 has the DHCP server role installed on it. You have recently been informed that a desktop computer named Certkiller SalesComp is unable to obtain an IP configuration from the Certkiller DC1 server. To find the problem, you installed the Microsoft Network Monitor 3.0 application on Certkiller DC1, enabled P-mode in the Network Monitor application configuration and decided to capture only the DHCP server-related traffic originating from Certkiller DC1 and going to Certkiller SalesComp. The network interface configuration for the two computers is shown in the exhibit. Which of the following options would you choose to build a filter in the Network Monitor application to capture the DHCP traffic between Certkiller DC1 and Certkiller SalesComp?

A. IPv4.Address == 169.254.15.84 && DHCP
B. IPv4 address == 192.168.2.1 && DHCP
C. Ethernet Address == 0x000A5E1C7F67 && DHCP
D. Ethernet Address == 0x001731D55EFF && DHCP

Answer: A

Explanation: To build a filter in the Network Monitor application to capture the DHCP traffic between Certkiller DC1 and Certkiller SalesComp, you need to use IPv4.Address == 169.254.15.84 && DHCP. To define a filter, you need to specify IPv4, a period, SourceAddress, then the equals sign (twice) and the IP address (source). To fine-tune a specific filter, you can combine several conditions in it using the AND (&&) and OR (||) logical operators. In this question you need to find the traffic originating from 169.254.15.84 that is DHCP related. Therefore you would use 169.254.15.84 && DHCP.

Reference: A Guide to Network Monitor 3.1 / Building a complex filter (or defining several conditions) http://blogs.microsoft.co.il/blogs/erikr/archive/2007/08/29/A-Guide-to-Network-Monitor-3.1.aspx

QUESTION NO: 12

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in a non-Active Directory environment. You have recently installed and configured WSUS on a server called Certkiller Server1 on your corporate network and you now need to configure all the servers on the network to receive updates from Certkiller Server1. Which of the following options would you choose to accomplish this task?

A. Use Control Panel to configure the Windows Update Settings on each server on the network.
B. On each server on the corporate network, run the wuauclt.exe /detectnow command.
C. On each server on the corporate network, run the wuauclt.exe /reauthorization command.
D. On each server on the corporate network, use local group policy to configure the Windows Update settings.

Answer: D

Explanation: To configure all the servers on the network to receive updates from Certkiller Server1, you need to configure the Windows Update settings using local group policy on each server on the corporate network. Windows Server Update Services (WSUS) clients can be configured to provide update installation and reboot behavior best suited to your environment and your business needs. You can use Group Policy or Local Group Policy to modify Automatic Update configuration on your WSUS clients to determine what notification, download, install, and reboot behavior your WSUS managed clients will experience in updating from WSUS.

Reference: Managing the WSUS Automatic Updates Client Download, Install, and Reboot Behavior with Group Policy http://technet.microsoft.com/hi-in/library/cc512630(en-us).aspx

QUESTION NO: 13

You are an Enterprise administrator for Certkiller.com. All the servers on the corporate network run Windows Server 2008. On a network server called Certkiller Server1, WSUS is installed. Which of the following options would you choose to ensure that the traffic between the WSUS administrative website and the server administrator's computer is encrypted?

A. On the WSUS server administrative website, configure SSL encryption.
B. On the Certkiller Server1, run the netdom trust /SecurePasswordPrompt command.
C. Configure the NTFS permissions on the Certkiller Server1, on the content directory to Deny Full Control permission to the Everyone group.
D. Configure the Certkiller Server1 to require Integrated Windows Authentication (IWA) when users connect to the WSUS server.

Answer: A

Explanation: To ensure that the traffic between the WSUS administrative website and the server administrator's computer is encrypted, you need to configure SSL encryption on the WSUS server website. Now that you have the necessary certificate, you must configure IIS to use it. To do so, expand the Default Web Site in the IIS Manager console, then right-click the WSUSAdmin virtual directory and select the Properties command from the resulting shortcut menu. You will now see the properties sheet for the WSUSAdmin virtual directory. Select the properties sheet's Directory Security tab and then click the Edit button in the Secure Communications section. Select the Require Secure Channel (SSL) check box and click OK, Apply, and OK.

Reference: Applying Certificates to a WSUS Server / Enforcing SSL Encryption http://www.windowsecurity.com/articles/Applying-certificates-WSUS-Server.html

QUESTION NO: 14

You are an Enterprise administrator for Certkiller.com. All the servers on the corporate network run Windows Server 2008. The corporate network consists of two servers called Certkiller Server1 and Certkiller Server2 that run Windows Server 2008. WSUS is installed on both servers. Which of the following options would you choose to configure WSUS on Certkiller Server1 so that Certkiller Server2 receives updates from Certkiller Server1?

A. Configure Certkiller Server1 as a proxy server
B. Configure Certkiller Server1 as an upstream server
C. Create a new replica group on Certkiller Server1
D. Create a new computer group on Certkiller Server1
E. None of the above

Answer: B

Explanation: To configure WSUS on Certkiller Server1 so that Certkiller Server2 receives updates from Certkiller Server1, you need to configure Certkiller Server1 as an upstream server. The WSUS hierarchy model allows a single WSUS server to act as an upstream server and impose its configuration on those servers configured as downstream servers below it. A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server on which an administrator has to manually configure computer groups and update approvals. All information downloaded and configured on an upstream server is replicated directly to all of the devices configured as downstream servers.

Reference: Deploying Microsoft Windows Server Update Services / WSUS in a Large LAN http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-ServerUpdate-Services.h

QUESTION NO: 15

You install Windows Server 2008 with Routing and Remote Access on a server at Certkiller.com. You configure the server to act as a corporate VPN (Virtual Private Network) server. All the client computers at Certkiller.com have Windows XP Professional, Windows 2000 Professional or Windows Vista installed. The remote users of Certkiller.com use this server to connect to the company's network domain. Sensitive data is transmitted from the remote users through the VPN server. The company's security policy dictates that each user or computer should use public key infrastructure (PKI) to connect to the domain for the transmission of sensitive research data. You need to ensure that the VPN server meets those security requirements. What should you do to secure the VPN connection?

A. Use the Kerberos version 5 authentication protocol to create a custom IPSec policy
B. Use the Pre-shared authentication by creating a policy for a highly secure data transmission
C. Open the command line on the server and run secedit /refreshpolicy machine_policy
D. Implement L2TP/IPsec policy to create certificate-based authentication
E. None of the above

Answer: D

Explanation: The correct answer is option D. To secure the VPN connection, you don't have to create a custom IPSec policy when there is a much easier way. Similarly, option C is invalid since it just refreshes the policy. L2TP/IPSec ensures that the data is transmitted securely by implementing Internet Protocol Security. The policy will create certificate-based authentication to identify the users.

QUESTION NO: 16

Certkiller.com has 20 servers. As an administrator, you decide to add one more server. You need to install Windows Server 2008 on the new server. You want to remotely connect to a Windows Server 2008 core installation. Which two actions should you perform to remotely connect to the installation server? (Choose two answers)

A. Execute Slmgr.vbs -ato script on the Windows core installation server
B. Execute the netsh and set port status command on the Windows core installation server
C. On the new server, execute the winrs -r dir c:\Windows command
D. Execute the Server Manager on the new server and connect it to the Windows core installation server

Answer: B,C

Explanation: The answer is options B and C. The netsh command allows you to configure the Windows core installation server to accept the remote connection, and the 'set port status' command allows you to designate a port for the remote connection. On the new server, you execute the windows remote service command, and -r will specify the localhost or the NetBIOS name of the server. The server core name should be specified and then the location of the Windows folder. The other two options are not usable because the Server Manager on the new server will not allow remote connection and the Slmgr.vbs -ato script is used to activate Windows remotely. It can be used after you install Windows Server 2008 on the new server remotely.

QUESTION NO: 17

There is a member server on the Certkiller.com corporate network that has Windows Server 2008 installed as the main operating system. It is called CKRA. CKRA provides routing and remote access to the members of the domain group. The company policy allows domain group members to dial in to CKRA. To increase the remote access security, Certkiller has issued smart cards to all the employees in the domain group. What should you do to configure CKRA and your remote access policy to support the smart card service for dial-up connections?

B. Install and configure Network Policy Server on CKRA
C. Create a remote access policy that enables users to authenticate by using Microsoft Challenge Handshake Authentication Protocol, version 2 (MS-CHAPv2)
D. Create a remote access policy that enables users to authenticate their connection by using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
E. Use Shiva Password Authentication Protocol (SPAP) by creating a remote access policy that enables users to authenticate their connection through this protocol
F. All of the above

Answer: C

Explanation: The correct option is C. You should create a remote access policy that allows users to use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) because EAP-TLS requires a user certificate for the user requesting access and a computer certificate for the authenticating server. Other options such as SPAP are not right because SPAP causes the remote access machine to send an encrypted password to the remote access server.

QUESTION NO: 18

Certkiller.com employs RRAS (Routing and Remote Access services) for remote user access. The remote users are not domain members. You find out that a virus is infecting internal member computers through a remote user computer. The remote user computer is the source of the virus that is infecting the domain members' computers. What should you do to protect the corporate network against viruses and malicious programs that are transmitted from a remote computer?

A. Create a network health policy that requires anti-virus software to be running and to update itself frequently
B. Install file-level anti-virus software on RRAS server and configure it to update automatically
C. Put all remote users in an organizational unit and install antivirus software by creating a GPO.
D. Create a network health policy that requires an anti-spyware to run on the RRAS server. Ensure that it automatically updates itself.
E. All of the above

Answer: A

Explanation: In this scenario, you should choose option A. You need to configure a network health policy that requires anti-virus software to execute and check all the incoming files from the remote computer. To keep the anti-virus database up to date, you need to check the automatic updates option so you don't have to do the manual updates.

QUESTION NO: 19

As a network administrator for Certkiller, you have installed Windows 2008 Server on all the server computers of the company and Windows XP Professional Service Pack 2 and Windows Vista on all the client computers in the company. The company now wants all the computers to join the corporate network but wants to restrict non-compliant computers from communicating on the network. The computers must meet the system health requirements as stated in the corporate security policy. Which of the following role services should you install to achieve this?

A. Network policy and Access services
B. Routing and Remote Access services
C. Terminal Services licensing
D. Terminal Services gateway
E. None of the above

Answer: A

Explanation: Network Access Protection (NAP) is a component of the Network policy and Access services that protects network resources by enforcing compliance with system health requirements.
Reference: Security and Policy Enforcement http://www.microsoft.com/windowsserver2008/en/us/security-policy.aspx

QUESTION NO: 20

Certkiller uses Routing and Remote Access Service (RRAS) for remote user access to the corporate network, which uses an Active Directory domain. The remote user computers are not domain members. The remote users' computers are a source of virus infection on internal member servers. As a desktop support technician for Certkiller, which of the following options would you choose to ensure that the corporate network does not get infected with viruses that the remote computers might carry?

A. Deploy anti-virus software on the RRAS server and configure automatic updates for the anti-virus software
B. Configure a network health policy which ensures that anti-virus software is running and the anti-virus application is up to date
C. Configure a network health policy which enforces an anti-spyware application and that the anti-spyware application is up to date
D. Create a separate OU for remote users. Deploy anti-virus software on the OU by using a group policy object (GPO)
E. None of the above

Answer: B

Explanation: To protect the network from virus infections transmitted via remote users, you need to configure a network health policy which enforces that anti-virus software is running and the anti-virus application is up to date. A network health policy can be configured by implementing NAP. Deploying anti-virus software on the RRAS server will not ensure the implementation of NAP, which is important to ensure that the client computers on a private network meet administrator-defined requirements for system health. A network health policy which enforces that an anti-spyware application is running and is up to date will not help because anti-spyware software does not give protection from virus infections.
Reference: SolutionBase: Introducing Network Access Protection for Windows http://techrepublic.com.com/2415-1035_11-177853.html
Reference: Network Access Protection http://technet2.microsoft.com/windowsserver2008/en/library/40dcd5ed-1cb9-4f298470f6b4548c8e121033.msp

QUESTION NO: 21

The corporate network of Certkiller consists of a single Windows Server 2008 Active Directory domain. All servers in the domain run Windows Server 2008. A domain server called Certkiller 3 functions as a NAT server. Which port would you configure Certkiller 3 to forward to Certkiller 7 to ensure that administrators can access the server Certkiller 7 by using Remote Desktop Protocol (RDP)?

A. Forward port 1432 to Certkiller 7
B. Forward port 389 to Certkiller 7
C. Forward port 3339 to Certkiller 7
D. Forward port 3386 to Certkiller 7
E. None of the above

Answer: C

Explanation: To ensure that administrators can access the server Certkiller 7 by using Remote Desktop Protocol (RDP), you need to configure Certkiller 3 to forward port 3339 to Certkiller 7. The Remote Desktop Protocol is designed to work across TCP port 3389. If you are attempting to connect to a remote machine that sits behind a firewall, then the firewall must allow traffic to flow through TCP port 3389.
Reference: Troubleshooting Remote Desktop / The Remote Computer Cannot be Found http://www.windowsnetworKing.com/articles_tutorials/Troubleshooting-Remote-Desktop.html

QUESTION NO: 22

On the corporate network of Certkiller, you deployed a Windows Server 2008 VPN server behind the firewall. The firewall is configured to allow only secured Web communications. Most of the remote users that connect to the corporate network through VPN use portable computers that run Windows Vista with the latest service pack. Which of the following types of connection would you create to enable remote users to connect to the corporate network as securely as possible without opening ports on the firewall?

A. L2TP VPN connection
B. SSTP VPN connection
C. IPsec tunnel
D. PPTP VPN connection
E. None of the above

Answer: C

Explanation: To enable remote users to connect to the corporate network as securely as possible without opening ports on the firewall, you need to create an IPsec tunnel, which does not require a firewall to open ports for secure communication.
Reference: 14.10 VPN over IPsec http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

QUESTION NO: 23

You are an enterprise administrator for Certkiller. The company has a head office and 15 branch offices. The corporate network of the company consists of a single Active Directory domain, where all servers run Windows Server 2008. The branch office computers use VPN connections to connect to the head office computers. To ensure security, you want VPN connections to use end-to-end encryption to encrypt data transmitted between the head office and the branch offices. In addition, you want the VPN connections to use computer-level authentication and not to use user names and passwords for authentication. Which of the following options would you choose to accomplish this task?

A. Use a PPTP connection and version 2 of the MS-CHAP v2 authentication.
B. Use a L2TP/IPsec connection and version 2 of the MS-CHAP v2 authentication.
C. Use a L2TP/IPsec connection and the EAP-TLS authentication.
D. Use an IPsec connection and a tunnel mode and preshared key authentication.

Answer: C

Explanation: To ensure that the VPN connections between the main office and the branch offices meet the given requirements, you need to configure a L2TP/IPsec connection to use the EAP-TLS authentication. L2TP leverages PPP user authentication and IPSec encryption to encapsulate and encrypt IP traffic. This combination, known as L2TP/IPSec, uses certificate-based computer identity authentication to create the IPSec session in addition to PPP-based user authentication. Therefore it ensures that all data is encrypted by using end-to-end encryption and the VPN connection uses computer-level authentication. To ensure that user names and passwords cannot be used for authentication, you need to use EAP-TLS authentication. With EAP-TLS, the VPN client sends its user certificate for authentication and the VPN server sends a computer certificate for authentication. This is the strongest authentication method as it does not rely on passwords.
Reference: Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs / Layer Two Tunneling Protocol with IPSec / Authentication Protocols http://www.scribd.com/doc/2320023/DeployRasWithVPN

QUESTION NO: 24

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory domain called Certkiller.com, where all servers run Windows Server 2008. The domain consists of a member server named Certkiller Server1 on which the Routing and Remote Access role service is installed. The corporate network has Network Access Protection (NAP) configured for the domain. Which of the following authentication methods should you use to configure the Point-to-Point Protocol (PPP) authentication method on Certkiller Server1?

A. Password Authentication Protocol (PAP)
B. Extensible Authentication Protocol (EAP)
C. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
D. Challenge Handshake Authentication Protocol (CHAP)
E. None of the above

Answer: B

Explanation: To configure the Point-to-Point Protocol (PPP) authentication method on Certkiller Server1, you need to configure the Extensible Authentication Protocol (EAP) authentication method. Microsoft Windows uses EAP to authenticate network access for Point-to-Point Protocol (PPP) connections. EAP was designed as an extension to PPP to be able to use newer authentication methods such as one-time passwords, smart cards, or biometric techniques.
Reference: Making sense of remote access protocols in Windows / DIAL-UP AUTHENTICATION http://articles.techrepublic.com.com/5100-10878_11-1058239.html

QUESTION NO: 25

You are an enterprise administrator for Certkiller. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. You have been assigned the task to configure the server in the head office as a VPN server. Which of the following roles would you install on the server to accomplish the given task? (Select two. Each correct answer will form a part of the answer)

A. Network Policy and Access Services role
B. Routing and Remote Access Services role service.
C. Windows Deployment Services role
D. Deployment Transport Role Service.
E. Host Credential Authorization Protocol role service.
F. Deployment Server role service.

Answer: A,B

Explanation: To configure the server as a VPN server, you need to install the Network Policy and Access Services role and the Routing and Remote Access Services role service on the server. To install the Routing and Remote Access Services role service on the server, you need to first install the Network Policy and Access Services role on the server.
Reference: Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2) / Install the RRAS Server Role on the VPN Server http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSLVPN-Server-

QUESTION NO: 26

You are an enterprise administrator for Certkiller. The company has a head office and 15 branch offices. The corporate network of the company consists of a single Active Directory domain, where all servers run Windows Server 2008. The branch office computers use VPN connections to connect to the head office computers. Which of the following options would you choose to ensure that users cannot access the VPN server remotely from 21:00 to 06:00?

A. Create a network policy for VPN connections and configure the Day and time restrictions accordingly.
B. Configure the Logon Hours for the default domain policy by enabling the Force logoff when logon hours expire option.
C. Create a network policy for VPN connections and apply an IP filter to deny access to the corporate network.
D. Configure the Logon hours for all user objects by specifying only the VPN server on the Computer restrictions option.

Answer: A

Explanation: To ensure that users cannot access the VPN server remotely from 21:00 to 06:00, you need to create a network policy for VPN connections and then modify the Day and time restrictions. The network policy provides a policy condition called "Allow full network access for a limited time", which allows clients to temporarily access the full network. However, the NAP enforcement is delayed until the specified date and time.
Reference: Step By Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab / NAP enforcement and network restriction http://www.microsoft.com/downloads/details.aspx?FamilyID=729bba00-55ad-4199-b441378cc3d900a7&displa

QUESTION NO: 27

Certkiller.com has a corporate network. Network Access Protection is configured on it. As per company policy, strict security measures are required to secure the data when it is transmitted between the servers and the clients. Users connect to the corporate network through their laptops or PCs to use network resources. You have to create a strict access requirement that will stop any other person connecting to the corporate network and using network resources. What should you do to implement the restricted access control?

A. Add and configure an IPSec Enforcement Network policy
B. Add and configure 802.1X Enforcement Network policy
C. Add and configure a Wired Network Group policy
D. Add and configure an Extensible Authentication Protocol (EAP) Enforcement Network policy
E. None of the above

Answer: A

Explanation: To implement the restricted access control, you should choose option A. You need to configure an IPSec Enforcement Network Policy. The Internet Protocol Security will authenticate the IPs of authenticated users through its security. All you have to do is create an enforcement network policy that uses IPSec. The option B is a wireless enforcement network policy, so you could not use it in this scenario. The other options like option C are out of context. You cannot use Wired Network Group policy for security and restricted access. It is just a group policy for wired network.

QUESTION NO: 28

Certkiller.com has a corporate network. The Network Access Protection (NAP) is configured on default settings for the network. You install an application on a client's computer that runs Windows Vista Business. The basic job of the application is to connect to a remote database server. When you install the application on the client's computer, the application fails. You start troubleshooting the problem and discover that the anti-spyware software installed on the client's computer is not compatible with the new application. Even after disabling the anti-spyware software, the application continues to fail. What should you do to ensure that the application works normally on every client's computer?

A. Turn off the anti-spyware setting "up to date" on the Windows Security Health Validator window
B. Turn off the Anti-spyware setting "Application is on" on the Windows Security Health Validator window
C. Configure the Windows Defender service on client's computer to a manual startup. Disable the Windows Defender service and then enable it again after putting it on manual startup.
D. Configure the system health agent failure option through Error code resolution to healthy
E. All of the above

Answer: B

Explanation: To ensure that the application works normally on every client computer, you should choose the option B. You have to turn the anti-spyware setting "application is on" off on the Windows Security Health Validator window. The Windows Security Health Validator keeps all the important applications on to ensure that the critical applications are working. Since the anti-spyware is not compatible with the application you are installing on client computers, you should turn it off in the Windows Security Health Validator window. You should not choose option A because it will update the anti-spyware software. Similarly, the Windows Defender service is also not an option for this scenario because it will not interfere with the new application and there is no use starting it manually and disabling it.

QUESTION NO: 29

Certkiller.com has Network Access Protection (NAP) and Active Directory Certificate Services (AD CS) running on their Active Directory domain. New laptops with Windows Vista installed are required to be connected to the wireless network and join the Active Directory domain. These portable computers will be using PEAP-MS-CHAP V2 for authentication. What should you do to ensure that the laptops can join the domain when users restart them?

A. Run the netsh wlan export profile command on all laptops.
B. Configure each laptop computer with a Bootstrap wireless profile
C. Configure a group policy with the use of Windows WLAN Auto Config service for clients policy setting enabled
D. Configure a group policy with the use of Windows WLAN Auto Config service for clients policy setting disabled
E. None of the above

Answer: B

Explanation: To ensure that the wireless client laptops running Windows Vista using PEAP-MS-CHAP V2 for authentication can join the AD domain when users restart them, you need to configure each laptop computer with a Bootstrap wireless profile, which is a temporary wireless profile that can be used to obtain connectivity to a secure wireless network. Once connected to the wireless network, the wireless client user can join the computer to the domain after providing security credentials for an authentication by a RADIUS server. These credentials may include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-TLS).
Reference: Joining a Windows Vista Wireless Client to a Domain http://technet.microsoft.com/hiin/library/bb727033(en-us).aspx

QUESTION NO: 30

Network Access Protection (NAP) is configured on the Certkiller corporate network with the default settings. You need to deploy an application that is mandatory for all the employees of the company and needs to be installed on all the client computers running Windows Vista. The application connects to a remote database at the backend. However, when you tried to deploy the application, it failed to run on client computers. On investigating the problem, you discovered that the anti-spyware software running on the client computers is creating problems because it is not compatible with the application that you are trying to install. To correct the problem, you disabled the anti-spyware on the client computers, but the application still failed to run on the client computers. Which of the following options would you choose to ensure that all the client computers can run the new application?

A. Disable the "An anti-spyware application is on" setting on the Windows Security Health Validator dialog box
B. Disable the "Anti-spyware is up to date" setting on the Windows Security Health Validator dialog box
C. Configure the Error code resolution setting for the System Health agent failure option to Healthy
D. Configure the Windows Defender service to the Manual Startup type on the client computers. Re-start the Windows Defender Service.
E. None of the above

Answer: A

Explanation: The application failed even after disabling the anti-spyware on the client computers because the client computers are supposed to be using an anti-spyware application according to the Windows Security Health Validator (SHV) policy that is configured on the client computers through NAP. To resolve the problem, you need to disable the "An anti-spyware application is on" setting on the Windows Security Health Validator dialog box. Disabling the "Anti-spyware is up to date" setting on the Windows Security Health Validator dialog box will not help if the "An anti-spyware application is on" setting is on, because the "Anti-spyware is up to date" setting will not ensure that the client is not using an anti-spyware application. Configuring the Windows Defender service or configuring the Error code resolution setting for the System Health agent failure option will not help because neither Windows Defender nor the System Health agent is creating the problem in this case.
Reference: An Introduction to Network Access Protection (Part 4) http://www.windowsnetworKing.com/articles_tutorials/Introduction-Network-Access-ProtectionPart4.html

QUESTION NO: 31

The corporate network of Certkiller consists of servers that have Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on them. A number of mobile users connect to the network wirelessly. You have NAP policies configured for these users. Which of the following options would you choose to ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network?

A. Use MS-CHAP v2 authentication on all portable computers.
B. Disable the Prevent connections to infrastructure networks option in the wireless Group Policy settings in the Group Policy Management Console.
C. Use 802.1X authentication on all access points.
D. Enable the Prevent connections to infrastructure networks option in the wireless Group Policy settings in the Group Policy Management Console.
E. None of the above

Answer: C

Explanation: To ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network, you need to configure all access points to use 802.1X authentication. 802.1X enforcement enforces health policy requirements every time a computer attempts an 802.1X-authenticated network connection. 802.1X enforcement also actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant.
Reference: Microsoft Improves Security Policy Compliance with Network Access Protection http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000983

QUESTION NO: 32

On the corporate network of Certkiller, Network Access Protection (NAP) is configured. Some users connect to the corporate network remotely. The remote computers can cause security problems to the corporate network. Which of the following options would you choose to ensure that data transmissions between remote client computers and the corporate network are as secure as possible?

A. Use MS-CHAP v2 authentication for all VPN connections.
B. Configure a NAP policy for 802.1x wireless connections.
C. Restrict DHCP clients by using NAP.
D. Apply an IPSec NAP policy.
E. None of the above

Answer: B

Explanation: To ensure that NAP policies are enforced on portable computers that use a wireless connection to access the network, you need to configure all access points to use 802.1X authentication. 802.1X enforcement enforces health policy requirements every time a computer attempts an 802.1X-authenticated network connection. 802.1X enforcement also actively monitors the health status of the connected NAP client and applies the restricted access profile to the connection if the client becomes noncompliant.
Reference: Microsoft Improves Security Policy Compliance with Network Access Protection http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000983

QUESTION NO: 33

The corporate network of Certkiller contains a Windows Server 2008 server that has the Network Policy Server (NPS) service role installed. Which of the following options would you choose to allow VPN access to the network to only the members of a global group named Certkiller Staff?

A. Create a new network policy, define a group-based condition for Certkiller Staff, set the access permission to Access Granted, and set the processing order of the policy to 1.
B. Add Certkiller Staff to the RAS and IAS Servers group.
C. Create a new network policy, define a group-based condition for Certkiller Staff, set the access permission to Access Granted, and set the processing order of the policy to 3.
D. Add Certkiller Staff to the Network Configuration Operators group.
E. None of the above

Answer: A

Explanation: To allow VPN access to the network to only the members of Certkiller Staff, you need to create a new network policy and define a group-based condition for Certkiller Staff, then set the access permission of the policy to Access Granted and set the processing order of the policy to 1. You can create different compliance standards for users based on role, department, geography, and so on and then create network policies based on them. For the same reason you can create a policy for the Certkiller Staff VPN group and set the processing order of the policy to one. This is because the policies are evaluated from top to bottom and processing stops once a policy rule is matched. First, the Compliant FullAccess policy, which states that machines that pass all SHV checks are granted unrestricted network access, should be listed. Having this policy listed first reduces processing load and time on the NPS. The next policy used should be for Noncompliant or Restricted machines and the third policy is for backward compatibility of computers.
Reference: Security Watch: Network Access Protection / Contoso NAP Deployment http://technet.microsoft.com/en-us/magazine/cc162368.aspx

QUESTION NO: 34

On the corporate network of Certkiller, Network Access Protection (NAP) is configured. You have configured 802.1x authentication on all the access points that wireless computers will use to access the corporate network, to ensure secure wireless access. Which of the following options would you choose to ensure that all the client computers that try to access the corporate network are evaluated by NAP?

A. Configure a Connection Request Policy having EAP-TLS as the only available authentication method.
B. Configure all access points as RADIUS clients to the Remediation Servers.
C. Configure a Network Policy having the Remote Access Server as the only available authentication method.
D. Configure all access points as RADIUS clients to the Network Policy Server (NPS).
E. None of the above

Answer: A

Explanation: To ensure that all the client computers that try to access the corporate network are evaluated by NAP, you need to create a Connection Request Policy that specifies EAP-TLS as the only available authentication method. By default, Windows Server 2008 supports the EAP methods PEAP-MS-CHAPv2, EAP with Transport Layer Security (TLS) or EAP-TLS, and PEAP-TLS. The connection request policy can impose connection requirements. For example, for 802.1X and VPN enforcement, the connection request policy requires the use of a Protected Extensible Authentication Protocol (PEAP)-based authentication method. If the connecting client does not use PEAP, the connection request is rejected.
Reference: The Cable Guy Troubleshooting NAP Enforcement / Health Requirement Policies http://technet.microsoft.com/en-us/magazine/cc434701.aspx
Reference: What Works Differently / 802.1X Authenticated Wired and Wireless Access http://technet2.microsoft.com/windowsserver2008/en/library/ec5b5e7b-5d5c-4d0498ad55d9a09677101033.ms

QUESTION NO: 35

Exhibit:

Certkiller.com has a server with Active Directory Domain and an Enterprise Root Certificate authority installed. To protect the VPN connection, Certkiller.com has decided to employ Network Access Protection (NAP) on the server. You are given the task of implementing NAP on the server. You build two servers named Certkiller NPS and Certkiller VPN. You configure the functions on both servers as shown in the exhibit. What should you do to ensure that the system health policy is implemented on all client computers attempting to connect to the VPN server?

A. Configure a NAP role on an Enterprise Certificate Server
B. Reconfigure Certkiller NPS as a Radius Client
C. Configure a NAP role and add it to a domain controller
D. Reconfigure Certkiller VPN as a Radius client
E. None of the above

Answer: D

Explanation: To ensure that the system health policy is implemented on all client computers that attempt a VPN connection, you should reconfigure Certkiller VPN as a Radius client. The Certkiller VPN will authenticate and authorize the client VPN connections and won't allow those clients who don't have a system health policy added on their machines.

QUESTION NO: 36

You are an enterprise administrator for Certkiller. The company has a head office and three branch offices. Besides this, the company has many remote users that need to connect to the corporate network. The company has divided these remote users into two global groups, GroupA and GroupB. To secure the corporate network, you installed the Network Policy Server (NPS) service role on a server that runs Windows Server 2008. You want to allow VPN access to the corporate network to GroupA. Which of the following options would you choose to accomplish this task?

A. Add GroupA to the RAS and IAS Servers group.
B. Add GroupA to the Network Configuration Operators group.
C. Create a new network policy having a group-based condition for GroupA, set the access permission of the policy to Access granted and set the processing order of the policy to 3.
D. Create a new network policy having a group-based condition for GroupA, set the access permission of the policy to Access granted and set the processing order of the policy to 1.

Answer: D

Explanation: Network Policy Server (NPS) in Windows Server 2008 allows you to create and enforce organization-wide network access policies for client health, connection request authentication, and connection request authorization. To allow only members of a global group named GroupA VPN access to the network, you need to create a new network policy and define a group-based condition for GroupA. Set the access permission of the policy to Access granted. Set the processing order of the policy to 1. Processing order specifies the numeric position of this policy in the list of policies configured on the NPS. Policies highest in the list (for example, at first position) are processed by NPS first. Policies added at positions above other policies cause the positions of the other policies to drop in the list by one position. If processing order is not specified, the policy is added at the end of the list.
Reference: Connection Request Policy Commands http://technet2.microsoft.com/windowsserver2008/en/library/c504902c-9765-4c269306fca4a14f7fba1033.mspx
Reference: Configuring Exemption Policies for Configuration Manager Network Access Protection http://technet.microsoft.com/en-us/library/bb693983.aspx

QUESTION NO: 37 You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of an Active Directory domain called Certkiller.com. The domain runs Windows Server 2008 on all servers and Windows Vista on all client computers. The corporate network uses Network Access Protection (NAP) to enforce policies on client computers that connect to the network. According to the company's policy, only the client computers that have updates labeled Important and Critical installed on them can access network resources. A Group Policy is used to configure client computers to obtain updates from WSUS. Which of the following options would you choose to ensure that client computers meet the company's policy requirement? A. Disconnect the remote connection until the required updates are installed. B. Enable the Security Center on each client. C. Enable automatic updates on each client. D. Quarantine clients that do not have all available security updates installed. E. None of the above. Answer: D

Explanation: To ensure that client computers meet the company policy requirement, you need to quarantine clients that do not have all available security updates installed. Using the NAP Client Configuration tool, you can configure separate enforcement policies for remote access clients. Administrators can use NAP to enforce health requirements for all computers that are connected to an organization's private network, regardless of how those computers are connected to the network. You can use NAP to improve the security of your private network by ensuring that the latest updates are installed before users connect to your private network. If a client computer does not meet the health requirements, you can prevent the computer from connecting to your private network. To enforce remote access NAP, open the NAP Client Configuration tool, double-click Remote Access Quarantine Enforcement Client, and then select the Enable This Enforcement Client check box. Reference: Understanding Network Access Protection / Using Network Access Protection http://e-articles.info/e/a/title/Network-Access-Protection-(NAP)-in-Windows-Vista/

QUESTION NO: 38

You are an Enterprise administrator for Certkiller.com. The company consists of a head office and a branch office, which are connected through VPN connectivity. The corporate network of the company consists of servers that run Windows Server 2008. The head office of the company has Network Access Protection (NAP) enforcement deployed for VPNs. Which of the following options would you choose to ensure that the health of all clients can be monitored and reported? A. Create a Group Policy object (GPO) and link it to the domain and then set the Require trusted path for credential entry option to Enabled. B. Create a Group Policy object (GPO) and link it to the domain and then enable the Security Center. C. Create a Group Policy object (GPO) and link it to the Domain Controllers organizational unit (OU) and then enable the Security Center. D. Create a Group Policy object (GPO) and link it to the Domain Controllers organizational unit (OU) and then enable the Require trusted path for credential entry option. Answer: B

Explanation: NAP replaces Network Access Quarantine Control (NAQC) in Windows Server 2003, which provided the ability to restrict access to a network for dial-up and virtual private network (VPN) clients. The solution was restricted to dial-up/VPN clients only. NAP improves on this functionality by additionally restricting clients that connect to a network directly, either wirelessly or physically, using the Security Center. NAP restricts clients using the following enforcement methods: IP security (IPsec), 802.1x, Dynamic Host Configuration Protocol (DHCP) and VPN. However, to enable NAP on all the clients in your domain, you should create a group policy, link it to the domain, and then enable the Security Center. Reference: Network Access Protection http://www.biztechmagazine.com/article.asp?item_id=382 Reference: Enabling NAP on clients through group security policies http://forums.technet.microsoft.com/en-US/winserverNAP/thread/749e65c7-42fa-40da-84b8c8edc62b3eda/

QUESTION NO: 39

As an administrator at Certkiller.com, you create a Windows CardSpace in the Certkiller domain. The users are sales people from the sales department. They are members of the Sales group and are included in the Sales organizational unit in the hierarchy. Because the sales people are constantly on the move, they need to access the secured content from different sources. They need to access it from their office using computers, laptops, notebooks and Palm devices. They also access the secured content from clients' computers and from internet cafes. You need to ensure that they get the authentication to access most secured content from any computer using Windows CardSpace. What should you do to make sure they access secured content from any place? A. Let the users export their digital identities to a USB drive. Assign a password to access the exported file containing digital identities B. Create a new Group Policy Object (GPO). Connect the GPO to the Sales group in the organizational unit. Create and configure machine Access Restrictions in SDDL (Security Descriptor Definition Language) and configure the remote access setting for the Sales group C. Put the Sales global group in the local security group of Windows Authentication Access domain D. Create a new GPO and link it to the Sales global group in organizational unit. Set up the User Account Control for Sales users to prompt for credentials E. All of the above Answer: A

Explanation: To make sure that the users can access secured content from any place, you should choose option A. It is the easiest and safest way to use the exported file containing digital identities to access secured content. A USB drive is easy to carry and it is a plug-and-play device. The user can plug the USB drive into any computer and access the exported file containing digital identities to view the secured content. All other options are invalid in this scenario. You cannot put the Sales global group in the local security group of the Windows Authentication Access domain because it is for local security. Users of the local security group will not be in the group once they leave their personal computer.

QUESTION NO: 40

Certkiller.com has two servers named CKS1 and CKS2. Both servers run Windows Server 2008. For digital authentication, you are using Windows CardSpace to authenticate users accessing online services on internal websites on CKS1. You want to deploy the card information on CKS2. Which Microsoft recommended method should you use to transfer card information to CKS2?

A. Install and configure the third party backup tool and back up the card information on CKS1. Use a third party restore backup tool to restore the backup on CKS2 B. Back up card information on CKS1 and restore it on CKS2 using Windows CardSpace C. Configure NTbackup tool to back up card information on CKS1 and restore it on CKS2 D. Create a backup of card information on CKS1 on a client computer and access it from CKS2 to restore the backup to CKS2 E. None of the above Answer: B

Explanation: The Microsoft recommended method for transferring the card information to CKS2 is option B. You should use Windows CardSpace to back up card information and restore it on CKS2. You cannot use third party software for backup and restore because it is not recommended by Microsoft. It is obvious that Windows CardSpace should be used to back up and restore the card information. NTbackup tool will not be able to restore the backup on the other server and putting the card information on a client computer and accessing it from CKS2 to restore the information is certainly not an option because you cannot use the third party backup for this scenario. You have to select the option which is recommended by Microsoft.

QUESTION NO: 41

On the corporate network of Certkiller, Network Access Protection is configured to limit the network access of computers based on predefined health requirements. The company's security policy enforces data confidentiality while the data is in transit between servers and client computers. As a network administrator of the company, you want to ensure that personal portable computers that don't comply with policy requirements are prohibited from accessing company resources. What should you do to achieve this?

A. Create an IPSec enforcement network policy B. Create an 802.1X enforcement network policy C. Create a wired network (IEEE 802.3) group policy D. Create an extensible authentication protocol enforcement policy E. None of the above

Answer: A

Explanation: Because the scenario suggests the configuration of the security policy on the network, you need to create an IPSec enforcement network policy as a Network Access Protection Mode to ensure that personal portable computers that don't comply with policy requirements are prohibited from accessing company resources. IPSec enforcement network policy authenticates NAP clients when they initiate IPsec-secured communications with other NAP clients. 802.1x-based enforcement network policy and the wired network (IEEE 802.3) group policy cannot be used because they are switch-based enforcement. Every time a client activates a switch port, it's placed in a limited-access VLAN until it authenticates to a NAC server and passes assessment, which is not required here. Extensible authentication protocol enforcement policy is not required here because it is used to allow EAP method vendors to easily develop and install new EAP methods on both client computers and NPS servers. Reference: NAP protects networks by restricting client connections http://www.biztechmagazine.com/article.asp?item_id=382 Reference: The Cable Guy IEEE 802.1X Wired Authentication http://technet.microsoft.com/enus/magazine/cc194418.aspx

QUESTION NO: 42 Certkiller has implemented Windows CardSpace in the company's network Active Directory domain. The company has many departments and their respective OUs are configured in the AD. All users of the HR department are members of the HR global group and reside in HR OU. The HR employees of the company are required to access secured content from multiple sources and access data using varied computers residing at different locations. You want the HR employees of the company to use Windows CardSpace for authentication. What should you do to ensure the HR employees of the company use Windows CardSpace for authentication from any computer to any of the most secured content locations?

A. Place the HR global group into the Windows Authorization Access domain local security group B. Enable the users to export their digital identities to a USB drive. Configure a pass phrase for access to the exported file C. Configure a new group policy object (GPO). Link the new GPO to the HR OU. Configure the User Account Control: Behavior of the elevation prompt for standard user GPO setting to prompt for credentials. D. Configure a new group policy object (GPO). Link the new GPO to the HR OU. Configure the DCOM: Machine Access restrictions in security descriptor definition language setting (SDDL) syntax setting. Configure the Allow remote access setting for the HR global group. E. None of the above

Answer: B

Explanation: To ensure the HR employees of the company use Windows CardSpace for authentication from any computer to any of the most secured content locations, you need to enable the users to export their digital identities to a USB drive and then configure a pass phrase for access to the exported file. The Card Export feature of Windows CardSpace allows the copying of information cards onto an external storage medium, such as a USB drive. The USB drive can then be used to install cards onto other machines from where the user needs to access the information. For security purposes, a user-selected pass-phrase is used to encrypt information cards so that even if the storage medium is lost, only someone who knows the pass-phrase can decrypt the cards it contains. None of the other options can be used because configuring group policies cannot ensure the use of Windows CardSpace for roaming users. Reference: Introducing Windows CardSpace / Roaming with Information Cards http://msdn2.microsoft.com/en-us/library/aa480189.aspx#introinfocard_topic4

QUESTION NO: 43 You are an enterprise administrator for Certkiller. The company has a head office and 15 branch offices. The corporate network of the company consists of a single Active Directory domain, where all servers run Windows Server 2008. The branch office computers use VPN connections to connect to the head office computers. Which of the following options would you choose to ensure that users cannot access the VPN server remotely from 21:00 to 06:00?

A. Create a network policy for VPN connections and configure the Day and time restrictions accordingly. B. Configure the Logon Hours for the default domain policy by enabling the Force logoff when logon hours expire option. C. Create a network policy for VPN connections and apply an IP filter to deny access to the corporate network. D. Configure the Logon hours for all user objects by specifying only the VPN server on the Computer restrictions option. E. All of the above. Answer: A

Explanation: To ensure that users cannot access the VPN server remotely from 21:00 to 06:00, you need to create a network policy for VPN connections and then modify the Day and time restrictions. The network policy provides a policy condition called "Allow full network access for a limited time", which allows clients to temporarily access the full network. However, the NAP enforcement is delayed until the specified date and time. Reference: Step By Step Guide: Demonstrate VPN NAP Enforcement in a Test Lab / NAP enforcement and network restriction http://www.microsoft.com/downloads/details.aspx?FamilyID=729bba00-55ad-4199-b441378cc3d900a7&displa

QUESTION NO: 44 You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. The company has three departments, Sales, Marketing, and Development. A member server called Certkiller Server1 has File Server role installed on it. The server consists of a shared folder named AcctShare. Which of the following options would you choose to ensure members of the Marketing group users can only view and open files in the shared folder? A. Modify the share permissions for the Marketing Users group to Contributor. B. Modify the NTFS permissions for the Authenticated Users group to Modify and the share permissions to Contributor. C. Modify the NTFS permissions for the Marketing group to Modify. D. Modify the share permissions for the Marketing group to Read. Answer: D

Explanation: To ensure members of the Marketing group can only view and open files in the shared folder, you need to modify the share permissions for the Marketing group to Read. NTFS permissions are associated with the object, so the permissions are always connected with the object during a rename, move, or archive of the object. Share permissions are only associated with the folder that is being shared. For example, if there are 5 subfolders below the folder that is shared, only the initial shared folder can have share permissions configured on it. NTFS permissions can be established on every file and folder within the data storage structure, even if a folder is not shared. The share permissions standard list of options is not as robust as the NTFS permissions. The share permissions only provide Full Control, Change, and Read. Therefore you need to assign read permission. Reference: Share Permissions http://www.windowsecurity.com/articles/Share-Permissions.html

QUESTION NO: 45

Certkiller.com has 2 offices: the main office and a branch office. There are 24 servers and 90 workstations in the main office. The servers have Windows Server 2008 installed on them and the workstations run Windows XP Professional. The branch office has 5 servers and 60 workstations. Servers have Windows Server 2008 and workstations have Windows XP Professional installed. In the main office, you install and configure Volume Activation Management Tool (VAMT) on a server named CKD1. You add all the servers to the VAMT server and configure them for Multiple Activation Key (MAK). Each server will do Independent Activation. The problem arises in the branch office where the servers are unable to activate Windows Server 2008. What would you do to activate Windows Server 2008 on all servers? (Select two) A. Create and install Key Management Service (KMS) on the network B. Connect the servers to the VAMT server in the main office and activate Windows Management Instrumentation Firewall exception on each server in the branch office C. Export the Computer Information List from VAMT server on CKD1 and send the file to Microsoft technical support for remote activation D. Activate and configure MAK Proxy Activation on all branch office servers E. All of the above Answer: A,B

Explanation: The correct options in this scenario are A and B. KMS automatically activates Windows by connecting to the KMS host, so you install KMS on the network to manage the activation process. You should then connect the servers to the VAMT server in the main office for instant activation. To bypass the firewall on the main server, you activate the Windows Management Instrumentation Firewall exception on each server in the branch office. Other options, like exporting the CIL from the VAMT server and sending it to Microsoft technical support for remote activation, are not valid because you can easily activate Windows using KMS.

QUESTION NO: 46

Certkiller.com has servers that run Windows Server 2008. As a network administrator at Certkiller.com, you install Windows Update Server (WSUS) on a server named CKW1 on a network. To store the WSUS database, you use remote SQL. To encrypt metadata transferred between client machines and downstream WSUS servers, you configure Secure Sockets Layer (SSL) on the WSUS server. While testing the whole process, you discover that the connection between SQL server and WSUS server is not secure. Which two actions should you perform to make sure that the database connection is secure? (Choose two answers. Each answer is a part of the complete solution) A. Put the database on WSUS server B. Secure the connection between SQL server and WSUS server by configuring Internet Protocol Security (IPSec) on the connection C. Install SQL server on one server and WSUS on the other server. Both servers should be standalone servers D. Configure the connection between WSUS server and SQL server by using IPv6 IP addresses. Make the addresses static Answer: D

Explanation: The right options are A and D. You can place the database on WSUS server and configure IPSec on the network. The SSL protocol enables client computer and WSUS servers to authenticate the WSUS server and pass encrypted metadata. You have to change the URL configured for the clients to connect to WSUS server. The WSUS SSL deployments have some security limitations. You should place the database on the WSUS server to secure the database connection in this scenario. Then you can deploy IPSec between the WSUS and SQL server to encrypt all traffic between them. Other options like installing both SQL server and WSUS on standalone computers are not valid because their membership in the domain has no effect on the data security exchanged between the two servers.

QUESTION NO: 47

In Windows Server 2008, Windows Media Services implements RTSP through the WMS RTSP Server Control Protocol plug-in. What is the default protocol and port used by this plug-in?

A. UDP, 554 B. TCP, 554 C. HTTP, 554 D. HTTPS, 554 E. IMCP, 445

Answer: B

Explanation: Windows Streaming Server Real Time Streaming Protocol Server Control Protocol plug-in uses TCP, 554 as the default protocol and port. Reference: Firewall Information for Windows Media Services 9 Series / Delivering a unicast stream http://www.microsoft.com/windows/windowsmedia/forpros/serve/firewall.aspx

QUESTION NO: 48

On Windows Server 2008, Windows Media Services were configured to use the WMS HTTP server control protocol plug-in to control HTTP-based client connections. You need to enable the WMS HTTP server control protocol plug-in so that Windows Media Services can use HTTP to stream content to clients. However, when you tried to enable the plug-in, you received the error message "cannot enable plug-in". What should you do to correct this problem? A. Plug-in is enabled by default so you don't need to enable it B. Change the IP address that Windows Media Services uses for HTTP streaming. C. Change the port that Windows Media Services uses for HTTP streaming D. Change the IP address and the port that Windows Media Services uses for HTTP streaming E. None of the above Answer: D

Explanation: You received the error message "cannot enable plug-in" on trying to enable the WMS HTTP server control protocol plug-in because the IIS may also be using the default port on the same IP address. So you need to change the IP address and the port that Windows Media Services uses for HTTP streaming to resolve the problem.

Reference: Firewall Information for Windows Media Services 9 Series http://www.microsoft.com/windows/windowsmedia/forpros/serve/firewall.aspx

QUESTION NO: 49

On the corporate network of Certkiller, you have installed a new server that runs Windows Server 2008. You want to restrict the server to use the TCP port 25 to establish communication sessions with other computers. Which of the following options would you choose to accomplish this task?

A. Create an outbound rule in the Windows Firewall. B. Create an exception in Windows Firewall. C. Enable the Block all incoming connections option in Windows Firewall. D. Create an inbound rule in the Windows Firewall. E. None of the above

Answer: B

Explanation: To restrict the server to use the TCP port 25 to establish communication sessions with other computers, you need to add an exception from the Windows Firewall. The exceptions can be created on specific ports and can be configured with the scope to limit its use. Creating inbound or outbound rules will only block the traffic of one side and blocking all incoming connections will block all incoming connections instead of blocking just one port for all communications. Reference: How to manage Windows Vista Firewall http://www.zdnetasia.com/insight/security/0,39044829,62028420,00.htm

QUESTION NO: 50 You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of an Active Directory domain. All the servers on the corporate network run Windows Server 2008. Which of the following options would you choose to configure the Windows Firewall on a Windows Server 2008 server to prevent the server from establishing communication sessions to other computers by using TCP port 25? A. Add an exception B. Enable the Block all incoming connections option C. Using Advanced Security snap-in, create an inbound rule D. Using Advanced Security snap-in, create an outbound rule. E. None of the above

Answer: D

Explanation: To prevent the server from establishing communication sessions to other computers by using TCP port 25, you need to create an outbound rule from the Windows Firewall with Advanced Security snap-in. By default, inbound network traffic to a computer that does not match a rule is blocked, but nothing prevents outbound traffic from leaving a computer. To block the network traffic for prohibited programs, you must create an outbound rule that blocks traffic with specific criteria from passing through Windows Firewall with Advanced Security. Reference: Creating Rules that Block Unwanted Outbound Network Traffic / Step 1: Blocking Network Traffic for a Program by Using an Outbound Rule http://technet2.microsoft.com/windowsserver2008/en/library/c3bb5b29-b6a8-4fd4a66dddb39767b2ea1033.msp

QUESTION NO: 51 Certkiller.com has a network consisting of a Windows Server 2008 server and Windows Vista client computer. You are the administrator at Certkiller.com. Certkiller has asked you to deploy a protected IEEE 802.11 wireless network. They also asked you to secure the wireless network by configuring it to use smartcards. You configure the certificate infrastructure and Active Directory users and groups for wireless access. But the users complain that they cannot access the wireless network. What should you do to ensure that all users using their computers can access the wireless network? A. Configure a group policy object and link it to the server B. Install APs and configure RADIUS settings C. Configure users and computer accounts on client computers and set remote access permission with appropriate settings D. Configure the users and computer accounts on client computers and install the certificate authority on each client computer E. None of the above Answer: C

Explanation: The correct answer for this question is option C. You need to set the remote access permission by configuring the user accounts on client computers. The users can automatically connect to the wireless network through their user accounts. Installing Access Points (APs) and configuring RADIUS settings is not a valid option in this scenario because the signals are full. APs are installed and configured when client machines are not receiving full signals. Installing certificate authority on each client computer has nothing to do with wireless access because you have already configured and checked the certificate infrastructure.

QUESTION NO: 52

You're an administrator at Certkiller.com. Certkiller.com has an IAS server. You need to deploy and configure wireless APs to provide wireless coverage for the wireless network. You deploy APs and configure them to support the authentication mechanism as per company policy. The authentication mechanism is Wireless Encryption Protocol (WEP) encryption with 802.1X authentication. But when you test the connection with APs, it gives errors. What should you do to ensure that the APs are set to broadcast the signals and the client computers can receive the wireless network coverage? A. Configure the RADIUS settings for the primary and secondary RADIUS servers B. Configure the Wi-Fi Protected Access (WPA) on APs C. Configure the WPA2 settings on APs D. Configure each client computer to accept the APs broadcast through Primary DNS server E. None of the above Answer: A

Explanation: In this scenario, the correct option is A. You should configure the APs to include Remote Authentication Dial-in User service (RADIUS) settings. You should use the settings such as names of primary and secondary RADIUS servers, UDP ports, RADIUS shared secret and failure detection settings. Options like configuring Wi-Fi Protected Access and WPA2 settings are not valid because WPA settings are related to Wireless connection security.

QUESTION NO: 53

Certkiller runs ISA server as a firewall to secure their internal corporate network. As a network administrator for the company, you have been assigned the task to setup the remote access for users to the corporate network through a Virtual Private Network (VPN) service using Point-to-Point Tunneling Protocol (PPTP). However, after configuring VPN, the users started receiving "Error 721: The remote computer is not responding" while trying to connect to the VPN server. What should you do to ensure that users successfully establish a VPN connection?

A. Open port 1423 on firewall B. Open port 1723 on firewall C. Open port 3389 on firewall D. Open port 6000 on firewall E. None of the above

Answer: B

Explanation: To establish VPN connectivity through PPTP, you need to make sure that TCP Port 1723 is opened on the Firewall and IP Protocol 47 (GRE) is configured. The Error 721 occurs when the VPN is configured to use PPTP, which uses GRE protocol for tunneled data, and the network firewall does not permit Generic Routing Encapsulation (GRE) protocol traffic. To resolve this problem, you need to configure the network firewall to permit GRE protocol 47 and make sure that the network firewall permits TCP traffic on port 1723. Reference: RAS Error Code / Error 721: http://www.chicagotech.net/raserrors.htm#Error%20721 Reference: You receive an "Error 721" error message when you try to establish a VPN connection through your Windows Server-based remote access server http://support.microsoft.com/default.aspx?scid=KB;EN-US;888201

QUESTION NO: 54 Certkiller is deploying notebook computers that will be used over a wireless network. You have configured a group policy, configured profiles by using the names of approved wireless networks, and linked the group policy object (GPO) to the Notebook OU. The new notebook computer users complain that they cannot connect to the wireless network. What should you do to ensure that group policy wireless settings are applied to the notebook computers? A. Run the gpupdate /boot command on the notebook computers B. Run the gpupdate /target:computer command on the notebook computers C. Connect the notebook computers to the wired network. Log off the network computers, and then log on again D. Run the Add network that is in the range of this computer wizard on the notebook computers and leave the Service Set Identifier (SSID) blank. E. None of the above Answer: C

Explanation: The users cannot connect to the wireless network and the group policy wireless settings are not applied to the notebook computers because the GPO settings always try to get applied on startup before the wireless connects to the network, so it can't update. To resolve this problem, you need to connect the notebook computers to the wired network. Log off the network computers, and then log on again. As soon as the users connect to the domain as a wired network, they will receive the wireless settings. The logging off and logging on would help refresh the policies on the notebook computers. Reference: GPO not applied for laptops http://techrepublic.com.com/5208-62300.html?forumID=101&threadID=237624&messageID=2320844

QUESTION NO: 55

You are an administrator at Certkiller.com. Certkiller.com has a network that is comprised of a single Active Directory domain. It also has a server running Windows Server 2008. You plan to install an enterprise certification authority (CA) on the Windows Server 2008 server. After installing CA on the server, you start configuring the certificate revocation list (CRL) distribution points for enterprise certification authority (CA). For the maximum availability of CRLs, you want to designate multiple paths and protocols for CRL distribution points. Which Uniform Resource Locators (URLs) should you specify for CA distribution points? (Choose three answers. Each answer is a part of the complete solution) A. Lightweight Directory Access Protocol (LDAP) B. Secure Lightweight Directory Access Protocol (LDAPS) C. Hyper Text Transfer Protocol (HTTP) D. Hyper Text Transfer Protocol Secure (HTTPS) E. File Transfer Protocol (FTP) F. File Transfer Protocol Secure (FTPS) Answer: A,C,E

.co

m

Explanation: The options stating Hyper Text Transfer Protocol Secure (HTTPS) and Secure Lightweight Directory Access Protocol (LDAPS) are incorrect because only HTTP, FTP, and LDAP URLs can be used to specify the CRL distribution points for a CA. A Microsoft CA issues every certificate with the URLs of its CRL distribution points as part of the certificate's content. A CRL distribution point gives a certificate verifier the network location from which it can retrieve the current copy of the CRL or delta CRL. Multiple CRL distribution points can be specified for a CA, and this is highly recommended for high availability of CRLs.

QUESTION NO: 56

Certkiller.com has a network comprised of a single Active Directory domain. You are the systems administrator at Certkiller.com. There is a server in the domain called CKS1. You are in the process of installing Active Directory Certificate Services (AD CS) on CKS1, which runs Windows Server 2008. For security purposes, you have planned to install the Certification Authority (CA) role service and the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service on CKS1 to issue certificates to routers, client computers and other devices on the network. When you install the CA role service and the MSCEP role service at the same time on CKS2, you receive an error. The error says: "CANNOT INSTALL MSCEP". What should you do to ensure that both of the role services are installed correctly on CKS1?

A. Configure the settings on AD CS to set the server to accept role services
B. Install Active Directory Lightweight Directory Services (AD LDS) on CKS1
C. Configure MSCEP to accept CA role service on CKS1
D. First install the CA role service and then install MSCEP role service
E. None of the above

Answer: D

Explanation: To install the CA and MSCEP role services correctly on CKS1, you should install the CA role service first and then the MSCEP role service. MSCEP is a communication protocol that enables software running on network devices such as switches and routers to enroll for X.509 certificates from a Certificate Authority (CA). Windows Server 2008 does not allow you to install both of these role services simultaneously. The only way to install both on one server is to install the CA role service first and then the MSCEP role service.

QUESTION NO: 57

Certkiller Ltd. runs a web server named Web1 on Windows Server 2008. The fully qualified domain name of Web1 is web1.Certkiller.com. The public DNS server has an alias record named owa.Certkiller.com that maps to Web1.Certkiller.com. Users access Web1 on the Internet by using http://owa.Certkiller.com. As per the company's security policy, owa.Certkiller.com should be accessed via the HTTPS protocol. The security policy also indicates that users must not get security warnings when they connect to the website. To accomplish this task, you decided to request a certificate from a public certification authority (CA) and initiated the Create Certificate Request wizard from the SSL Certificates window to complete the Request Certificate form. Which of the following names should be used in the Common Name field?

A. Web1
B. Certkiller.com
C. Owa.Certkiller.com
D. Web1.Certkiller.com
E. None of the above

Answer: C

Explanation: In the Common Name field, Owa.Certkiller.com should be used. The common name should be the same name that the user enters when requesting your Web site.

Reference: Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0 http://support.microsoft.com/kb/228821

QUESTION NO: 58

Certkiller is running a single Active Directory forest on their corporate network. You were given the task to install an Active Directory Enterprise Certificate Authority (CA) on a dedicated stand-alone Windows Server 2008 computer. To initiate the process, you started adding the Active Directory Certificate Services (AD CS) role to the Server Manager through the Roles Summary section. However, on the Specify Setup Type page, the Enterprise option was not available. Which of the following options would you choose to install the AD CS role on the server?

A. Enable the DNS server role and join the server to domain
B. Enable the Active Directory Domain Services (AD DS)
C. Enable the Active Directory Domain Services (AD DS) after joining the server to domain
D. Enable the Active Directory Lightweight Directory Service (AD LDS)
E. Enable the Active Directory Lightweight Directory Service (AD LDS) after joining the server to domain
F. Enable the Web Server (IIS) and the AD CS services and join the server to domain
G. None of the above

Answer: C

Explanation: On the Specify Setup Type page, the Enterprise option was not available because the server is not a member of the domain. To install the AD CS role on the dedicated stand-alone Windows Server 2008 computer, you need to enable Active Directory Domain Services (AD DS) on the computer after joining the server to the domain, because AD CS requires Windows Server 2008 and Active Directory Domain Services (AD DS).

Reference: Windows Server 2008 Cont'd: Active Directory Certificate Services http://daniels-it.spaces.live.com/blog/cns!1FA3D676EA967EC7!134.entry

QUESTION NO: 59

Certkiller.com has servers that run Windows Server 2008. You are an administrator at Certkiller.com. To assign IP addresses dynamically to all client computers, you install and configure a member server named CKDHCP as a Dynamic Host Configuration Protocol (DHCP) server. You configure all client computers to get their IP addresses automatically from CKDHCP. The users at client computers complain that their machines are not receiving IP addresses from CKDHCP. They say that their computers are getting IP addresses from the 129.168.x.x range. You find out that the DHCP server has stopped. The settings on CKDHCP are configured correctly. What should you do to make sure that the CKDHCP server is not stopped and all client machines are obtaining IP addresses from the CKDHCP server automatically?

A. Reconfigure the CKDHCP server to assign IP addresses to all client machines using DNS settings
B. Restart the DHCP service on CKDHCP server
C. Configure a scope on CKDHCP server
D. Restart the CKDHCP server
E. Authorize the DHCP server to assign IP addresses to client computers

Answer: E

Explanation: To make sure that the CKDHCP server is not stopped, you should authorize the DHCP server to assign IP addresses to client computers. DHCP assigns IP addresses, the default gateway and DNS servers to DHCP-enabled clients. To ensure that the client machines receive their IP addresses and all related configuration, you should authorize the DHCP server. In fact, you should authorize the DHCP server as soon as you install it. The easy way to do this is to install the DHCP server on a machine that is running as a domain controller. The server is automatically authorized when you add the server to the DHCP console for the first time.

QUESTION NO: 60

Certkiller.com has servers on its network that run Windows Server 2008. It has a single Active Directory domain. As a network administrator of Certkiller.com, you are directed to install a DHCP server on the network that will assign IP addresses automatically to all client machines. You need to ensure that you install the DHCP server and that it is automatically authorized to enable client machines to obtain IP addresses from it. What should you do to achieve that?

A. Install DHCP service on a server that is a member of Active Directory domain
B. Install DHCP on a stand-alone server
C. Install DHCP server on a domain controller
D. Install DHCP on a member server and then configure a scope on DHCP server to access domain controller

Answer: C

Explanation: The correct option is C. You should install the DHCP server on a domain controller. The DHCP server dynamically allocates IP addresses and other related configuration to DHCP-enabled clients. You have to authorize the DHCP server to ensure that it is able to assign IP addresses to client computers. A DHCP server that is not authorized in your enterprise will not be able to function properly and will be stopped. But when you install the DHCP server on a computer that runs as a domain controller, the server is automatically authorized when you add the server to the DHCP console for the first time.

QUESTION NO: 61

The Certkiller.com network is configured to use Internet Protocol version 6 (IPv6). You installed a Dynamic Host Configuration Protocol (DHCP) server on a server named Certkiller DHCP1 running Windows Server 2008. You want to ensure that neither IP addresses nor other configuration settings are automatically allocated to DHCP clients on a subnet that does not use DHCPv6 from Certkiller DHCP1. How should you configure the Managed Address Configuration flag and the Other Stateful Configuration flag in the router advertisements?

A. Set both Managed Address Configuration and Other Stateful Configuration flag to 0
B. Set both Managed Address Configuration and Other Stateful Configuration flag to 1
C. Set both Managed Address Configuration to 0 and Other Stateful Configuration flag to 1
D. Set both Managed Address Configuration to 1 and Other Stateful Configuration flag to

Answer: A

Explanation: To ensure that neither IP addresses nor other configuration settings are automatically allocated to DHCP clients on a subnet that does not use DHCPv6 from Certkiller DHCP1, you need to set both the Managed Address Configuration flag and the Other Stateful Configuration flag to 0. The combination of both M and O flags set to 0 corresponds to a network without a DHCPv6 infrastructure.

Reference: The Cable Guy: The DHCPv6 Protocol http://technet.microsoft.com/en-us/magazine/cc162485.aspx

QUESTION NO: 62

Certkiller uses Windows Server 2008 on its network. All client computers use a DHCP server to obtain IP addresses. You have recently upgraded the hardware of the Domain Name Service (DNS) servers in your network and added two new domain controllers to the domain. However, after the upgrade of the DNS servers, the network users were not able to log on to the domain. What should you do to ensure that users are able to log on to the domain?

A. Restart the Netlogon service on the new DNS servers
B. Run ipconfig /registerdns at the command prompt of new DNS servers
C. Reconfigure the DHCP scope option 006 DNS Servers with the IP addresses of new DNS servers
D. Configure the network settings for workstations to Disable NetBIOS over TCP/IP
E. None of the above

Answer: C

Explanation: To ensure that users are able to log on to the domain, you need to reconfigure the DHCP scope option 006 DNS Servers with the IP addresses of the new DNS servers, because this option allows you to define IP addresses for one or more DNS servers to be used by the DHCP clients.

Reference: Using Dynamic Host Configuration Protocol / Setting DHCP Options http://www.intranetjournal.com/articles/200004/im_dhcpg.html

QUESTION NO: 63

Exhibit: (not reproduced)

The corporate network of Certkiller.com consists of a Windows Server 2008 server called Certkiller 2. The server has the DHCP Server role installed on it. A network user, who was using a computer named Certkiller 101, complained that he is unable to get an IP configuration from the DHCP server. To find out the problem, you opened Microsoft Network Monitor 3.0 on Certkiller 2, enabled the P-mode and decided to capture only the DHCP Server-related traffic between Certkiller 2 and Certkiller 101. The network interface configuration for the two computers is shown in the exhibit. Which of the following filters would you use to build a filter in the Network application to capture the DHCP traffic between Certkiller 2 and Certkiller 101?

A. Ethernet.Address == 0x00103A4D5423 && DHCP
B. IPv4.Address == 169.253.98.22 && DHCP
C. IPv4.Address == 192.168.1.109 && DHCP
D. Ethernet.Address == 0x0041A36E49E2 && DHCP
E. None of the above

Answer: B

Explanation: To build a filter in the Network application to capture the DHCP traffic between Certkiller 2 and Certkiller 101, you need to use IPv4.Address == 169.253.98.22 && DHCP. To define a filter, you specify IPv4, a period, SourceAddress, then the equal mark (twice) and the IP address (source). To fine-tune a filter, you can combine several conditions in it using the AND (&&) and OR (||) logical operators. In this question you need to find the traffic originating from 169.253.98.22 that is DHCP related. Therefore you would use 169.253.98.22 && DHCP.

Reference: A Guide to Network Monitor 3.1 / Building a complex filter (or defining several conditions) http://blogs.microsoft.co.il/blogs/erikr/archive/2007/08/29/A-Guide-to-Network-Monitor-3.1.aspx

QUESTION NO: 64

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory forest. The corporate network has a DHCP server installed that is used to configure the IP addresses of the client computers. The DHCP server has a DHCP client reservation for a portable computer named Certkiller PTC1. Recently, a second DHCP server was installed on the network. Which of the following options would you choose to ensure that Certkiller PTC1 receives the DHCP reservation from the DHCP service?

A. Run the netsh add helper command on Certkiller PTC1.
B. Run the ipconfig /renew command on Certkiller PTC1.
C. Add the DHCP reservation for Certkiller PTC1 to the second DHCP server.
D. Add both DHCP servers to the RAS and IAS Servers group in the Active Directory domain.

Answer: C

Explanation: A reservation is a specific IP address that is tied to a certain device through its MAC address. By adding a reservation, you ensure that a machine always receives the same IP address from the DHCP server. In the above scenario you simply need to add the DHCP reservation for Certkiller PTC1 to the second DHCP server as well, so that the same reservation is available on both DHCP servers.

Reference: Configure a DHCP server in Windows Server 2008 http://www.zdnetindia.com/index.php?action=articleDescription&prodid=18616

Reference: DHCP Reservations and Exclusions http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Network/DHCP Reservati o

QUESTION NO: 65

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain called Certkiller.com. The domain consists of four Windows Server 2008 servers on which the DNS role is installed. Each server has a static IP address. The domain also consists of a DHCP server called DHCP1 that is used to assign IP addresses to the client computers. However, you need to prevent DHCP1 from assigning the addresses of the DNS servers to DHCP clients. Which of the following options would you choose to accomplish this task?

A. Create a reservation for the DHCP1 server.
B. Configure the 005 Name Servers scope option on DHCP1.
C. Configure an exclusion that contains the IP addresses of the four DNS servers.
D. Create a new scope for the DNS servers.

Answer: C

Explanation: To prevent DHCP1 from assigning the addresses of the DNS servers to DHCP clients, you need to configure an exclusion that contains the IP addresses of the four DNS servers. An exclusion is an address or range of addresses taken from a DHCP scope that the DHCP server is not allowed to hand out.

Reference: DHCP Reservations and Exclusions http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Network/DHCP Reservati o

QUESTION NO: 66

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a DHCP server that runs Windows Server 2008. Which of the following options would you choose to reduce the size of the DHCP database?

A. Enable the File is ready for archiving attribute of the dhcp.mdb file, from the properties of dhcp.mdb file.
B. Enable the Compress contents to save disk space attribute of the dhcp.mdb file, from the properties of dhcp.mdb file.
C. Reconcile the database from the DHCP snap-in.
D. Run jetpack.exe dhcp.mdb temp.mdb from the folder that contains the DHCP database.

Answer: D

Explanation: To reduce the size of the DHCP database, you need to use the jetpack dhcp.mdb temp.mdb command. (The file temp.mdb is used as a temporary database during the compacting operation.) After the database is compacted, the message 'Jetpack completed successfully' appears.

Reference: Section B: Migrate scopes and settings to the Management Server / Prepare your DHCP server environment and export your DHCP server configuration http://technet.microsoft.com/en-us/library/cc463365.aspx

QUESTION NO: 67

You are an enterprise administrator for Certkiller. The company has a head office and a branch office, which are connected through a WAN link. The corporate network of the company consists of a single Active Directory domain, where all servers run Windows Server 2008. The corporate network uses a DHCP server to assign IPv4 addresses to computers at the head office. The branch office does not use a DHCP server, and all computers in the branch office are configured with static IP addresses. The branch office uses a different subnet. Which of the following options would you choose to configure the portable computers so that they can connect to network resources at the head office and the branch office?

A. Configure the address assigned by the DHCP server as a static IP address on the portable computers.
B. Configure the portable computers to use a static IPv4 address in the range used at the branch office.
C. Configure the portable computers with an alternate configuration that contains a static IP address in the range used at the head office.
D. Configure the portable computers with an alternate configuration that contains a static IP address in the range used at the branch office.

Answer: D

Explanation: To ensure that the portable computers can connect to network resources at the head office and the branch office, you should configure each portable computer with an alternate configuration that contains a static IP address in the range used at the branch office. The Alternate Configuration functionality can be used to establish multiple-network connectivity. This feature specifies that TCP/IP uses an alternative configuration if a DHCP server is not found. It is useful in situations where you use the computer on more than one network, where one of those networks does not have a DHCP server, and you do not want to use an automatic private Internet protocol (IP) addressing configuration. For example, you can use the Alternate Configuration functionality if you use a mobile computer at your office and at your home. When you are in the office, the computer uses a DHCP-allocated TCP/IP configuration. When you are at home (where you do not have access to a DHCP server), the computer automatically uses the alternative configuration. Similarly, you can configure an alternate configuration that contains a static IP address in the range used at the branch office to connect portable computers to the network resources at the main office and the branch office.

Reference: How to use the Alternate Configuration feature for multiple network connectivity in Windows XP http://support.microsoft.com/kb/283676

QUESTION NO: 68

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. The domain consists of a DHCP server named Certkiller Server1, which is used to lease IP addresses to all the computers in the domain. The DHCP server contains only one scope. Besides this, an application server named Certkiller Server2 runs in the domain. Which of the following options would you choose to ensure that Certkiller Server2 always receives the same IP address? You also need to make sure that Certkiller Server2 always receives its DNS settings and its WINS settings from the DHCP server.

A. Assign a static IP address to Certkiller Server2.
B. Create a DHCP reservation in the DHCP scope of Certkiller Server1.
C. Create an exclusion range in the DHCP scope of Certkiller Server1.
D. Create a multicast scope in Certkiller Server1.

Answer: B

Explanation: To ensure that Certkiller Server2 always receives the same IP address and also receives its DNS settings and its WINS settings from DHCP, you need to create a DHCP reservation in the DHCP scope. A reservation is a specific IP address that is tied to a certain device through its MAC address. By adding a reservation, you ensure that a machine always receives the same IP address from the DHCP server.

Reference: Configure a DHCP server in Windows Server 2008 http://www.zdnetindia.com/index.php?action=articleDescription&prodid=18616

Reference: DHCP Reservations and Exclusions http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Network/DHCP Reservati

QUESTION NO: 69

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory domain that runs at the functional level of Windows Server 2003. The domain consists of a member server called Certkiller DHCP1. To configure the server as a DHCP server, you installed the DHCP service on Certkiller DHCP1. However, when you attempted to start the DHCP service, it did not start. Which of the following options would you choose to ensure that the DHCP service starts on Certkiller DHCP1?

A. Configure a scope on Certkiller DHCP1.
B. Authorize Certkiller DHCP1 in the Active Directory domain.
C. Restart Certkiller DHCP1.
D. Activate the scope on Certkiller DHCP1.

Answer: B

Explanation: To ensure that the DHCP service starts, you need to authorize Certkiller DHCP1 in the Active Directory domain. This procedure is needed because you are running a DHCP server on a member server.

Reference: Authorize a DHCP server in Active Directory http://technet2.microsoft.com/windowsserver/en/library/9f713d6c-d7e5-42a087f743dbf86a17301033.mspx?mf

QUESTION NO: 70

You are an enterprise administrator for Certkiller. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. Recently the branch office users have started complaining that they are unable to access shared resources in the head office. To diagnose the problem, you checked the IP addresses of the computers in the branch office and found that they have IP addresses in the range of 169.254.x.x. Which of the following options would you choose to ensure that branch office computers can connect to shared resources in both the head office and the branch office?

A. Include the head office's DHCP server address in the Broadcast Address DHCP server option
B. On a member server in the head office, configure a DHCP relay agent.
C. Include the main office's server IP addresses in the Resource Location Servers DHCP server option.
D. On a member server in the branch office, configure a DHCP relay agent.
E. None of the above

Answer: D

Explanation: To ensure that computers can connect to shared resources in both the head office and the branch office, you need to configure a DHCP relay agent on a member server in the branch office. The computers in the branch office have IP addresses in the range of 169.254.x.x because the clients were not able to contact a DHCP server and obtain an IP address lease. This is because the DHCP server may be unavailable to the branch office computers, which are on the other LAN. A DHCP server can provide IP addresses to client computers on other LANs only if a DHCP relay agent is available.

Reference: Chapter 5: Implementing the Dynamic Host Configuration Protocol, continued / DHCP Servers Do Not Provide IP Addresses http://www.microsoft.com/mspress/books/sampchap/6371a.aspx

QUESTION NO: 71

You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of servers that run Windows Server 2008. The company has a DHCP server, which has recently failed. As an Enterprise administrator of the company, you restored the DHCP database by using a recent backup. Now you want to prevent the DHCP clients from receiving IP addresses that are currently in use on the network. Which of the following options would you choose to prevent DHCP clients from receiving IP addresses that are currently in use on the network?

A. Set the DHCP server option to 44.
B. Set the DHCP server option to 15.
C. Set the Conflict Detection value to 0.
D. Set the Conflict Detection value to 2.

Answer: D

Explanation: To prevent DHCP clients from receiving IP addresses that are currently in use on the network, you need to set the Conflict Detection value to 2. By default, "Conflict detection attempts" is set to 0, which means that the DHCP server does not check the addresses that it is assigning to its clients. When this value is increased to 1 or 2, the DHCP server checks once or twice to determine whether the address is in use before giving it to a client.

Reference: How can I enable conflict detection on my DHCP server? http://windowsitpro.com/article/articleid/47133/how-can-i-enable-conflict-detection-on-my-dhcpserver.html

QUESTION NO: 72

You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All computers are members of the Active Directory domain. All the servers on the corporate network run Windows Server 2008. The network consists of a DHCP server called Certkiller DHCP1 that has two network connections named LAN1 and LAN2. Which of the following options would you choose to prevent Certkiller DHCP1 from responding to DHCP client requests on LAN2 while allowing it to continue to respond to non-DHCP client requests on LAN2?

A. Set the metric value to 1 in the properties of the LAN2 network connection.
B. Set the metric value to 1 in the properties of the LAN1 network connection.
C. Create a new multicast scope from the DHCP snap-in.
D. Modify the bindings to associate only LAN1 with the DHCP service from the DHCP snap-in.

Answer: D

Explanation: To prevent Certkiller DHCP1 from responding to DHCP client requests on LAN2 while allowing it to continue to respond to non-DHCP client requests on LAN2, you need to modify the bindings from the DHCP snap-in to associate only LAN1 with the DHCP service. The Change Server Connection Bindings option in the DHCP snap-in allows you to view the connections through which the DHCP server is providing addresses. If you have multiple network adapters in a DHCP server, you can configure DHCP for only selected interfaces. You can click the Bindings button to view and configure the bindings on your computer.

Reference: Implementing, Managing, and Troubleshooting DHCP / DHCP Server Common Commands http://www.informit.com/articles/article.aspx?p=684650&seqNum=5

QUESTION NO: 73

Certkiller.com has an IPv6 network which has 25 segments. As an administrator, you deploy a server on the IPv6 network. What should you do to make sure that the server can communicate with systems on all segments of the IPv6 network?

A. Configure the IPv6 address on the server as 0000::2c0:d11f:fec8:3124/64
B. Configure the IPv6 address on the server as ff80::2c0:d11f:fec8:3124/64
C. Configure the IPv6 address on the server as fe80::2c0:d11f:fec8:3124/64
D. Configure the IPv6 address on the server as fd00::2c0:d11f:fec8:3124/8.

Answer: D

QUESTION NO: 74

You are a network administrator at Certkiller.com. You have upgraded all servers in the company to Windows Server 2008. Certkiller.com wants you to configure IPv6 addresses on all computers in the network. A global address prefix is assigned to you. The prefix is 3FFA:FF2B:4D:B000::/41. Certkiller.com has four departments. You have to assign a subnet to each department. Which subnetted address prefix will you assign to the fourth department?

A. 3FFA:FF2B:4D:C800::/43
B. 3FFA:FF2B:4D:B400::/43
C. 3FFA:FF2B:4D:C000::/43
D. 3FFA:FF2B:4D:F000::/45

Answer: A

Explanation: The option 3FFA:FF2B:4D:C800::/43 is correct. Subnetting in IPv6 is performed by determining the number of bits used for subnetting and then itemizing the new subnetted address prefixes. Usually the number of bits for subnetting is s, where 2^s = number of subnets to be created. In this scenario 2^s = 4 and therefore s = 2. Then the new subnetted address prefixes are itemized. In this scenario, the correct subnetted address prefix is 3FFA:FF2B:4D:C800::/43. So option A is the correct answer.

QUESTION NO: 75

Exhibit: (not reproduced)

Certkiller has decided to re-design its public network. The network will employ IPv4 addressing. The range would be 129.108.10.0/21. The network must be configured in segments as shown in the exhibit. You have to configure the subnets for each segment in the network. You need to ensure that your solution supports all computers in each segment. Which network addresses should you assign to achieve this task?

A. Segment A: 129.108.10.109/22, Segment B: 129.108.10.0/23, Segment C: 129.108.10.0/24, Segment D: 129.108.10.109/25
B. Segment A: 129.108.10.0/22, Segment B: 129.108.10.0/23, Segment C: 129.108.10.0/24, Segment D: 129.108.10.128/26
C. Segment A: 129.108.10.0/22, Segment B: 129.108.10.128/23, Segment C: 129.108.10.0/192, Segment D: 129.108.10.224/25
D. Segment A: 129.108.10.128/22, Segment B: 129.108.10.192/23, Segment C: 129.108.10.224/24, Segment D: 129.108.10.0/26
E. None of the above

Answer: B

QUESTION NO: 76

The Certkiller network is configured to use Internet Protocol version 6 (IPv6). You installed a Dynamic Host Configuration Protocol (DHCP) server on a server named Certkiller DHCP1 running Windows Server 2008. You want to ensure that neither IP addresses nor other configuration settings are automatically allocated to DHCP clients on a subnet that does not use DHCPv6 from Certkiller DHCP1. How should you configure the Managed Address Configuration flag and the Other Stateful Configuration flag in the router advertisements?

A. Set both Managed Address Configuration and Other Stateful Configuration flag to 0
B. Set both Managed Address Configuration and Other Stateful Configuration flag to 1
C. Set both Managed Address Configuration to 0 and Other Stateful Configuration flag to 1
D. Set both Managed Address Configuration to 1 and Other Stateful Configuration flag to
E. None of the above

Answer: A

Explanation: This setting ensures that a host receives neither an IP address nor additional configuration information.

QUESTION NO: 77

You have upgraded the hardware of the DNS servers in your network. You also added two new domain controllers to the domain. All client computers use DHCP. Users are not able to log on to the domain after the upgrade of the DNS servers. What should you do to ensure that users are able to log on to the domain?

A. Restart the Netlogon service on the new DNS servers
B. Run ipconfig /registerdns at the command prompt of the new DNS servers
C. Reconfigure the DHCP scope option 006 DNS name Servers with the new DNS servers' IP addresses
D. Configure the network settings for workstations to Disable NetBIOS over TCP/IP
E. None of the above

Answer: C

QUESTION NO: 78

Exhibit:

The Certkiller company network consists of Windows Server 2008 computers and Windows Vista client computers. You have the following eight Internet Protocol version 6 (IPv6) subnetted address prefixes. Please refer to the exhibit. What would be the original prefix length for the global address prefix 3FFE:FFFF:0:C000:: ?

A. 51
B. 52
C. 53
D. 54
E. None of the above

Answer: A

Explanation: The original prefix length for the global address prefix 3FFE:FFFF:0:C000:: is 51. The eight IPv6 subnetted address prefixes are the result of 3-bit subnetting of the global address prefix 3FFE:FFFF:0:C000::/51. To perform 3-bit subnetting of the global address prefix 3FFE:FFFF:0:C000::/51 we use the following calculations:
Hexadecimal value of the subnet ID being subnetted, F = 0xC000
Subnetting bits, s = 3

QUESTION NO: 79

Certkiller Company has an IPv6 network. The IPv6 network has 25 segments. You deployed a new Windows Server 2008 server on the IPv6 network. What should you do to ensure that the server can communicate with systems on all segments of the IPv6 network?

A. Configure the IPv6 address as fd00::2b0:d0ff:fee9:4143/8
B. Configure the IPv6 address as fe80::2b0:d0ff:fee9:4143/64
C. Configure the IPv6 address as ff80::2b0:d0ff:fee9:4143/64
D. Configure the IPv6 address as 0000::2b0:d0ff:fee9:4143/64
E. None of the above

Answer: A

Explanation: To ensure that the server communicates with systems on all segments of the IPv6 network, you need to configure the IPv6 address as fd00::2b0:d0ff:fee9:4143/8 because this address is the local unicast address type and is not routed on the Internet. It is generally filtered inbound.
Reference: IPv6 Unicast Address Information http://www.netcraftsmen.net/welcher/papers/ipv6part02.html

QUESTION NO: 80

You are an administrator at Certkiller.com. Certkiller.com has opened a new branch office at a new location. Windows Server 2008 is implemented on the servers. The initial network has 20 computers. You are asked to configure an appropriate IP addressing scheme in the network. Which network address should you use to accomplish this task?

A. 192.10.100.0/26
B. 192.10.100.0/30
C. 192.10.100.0/29
D. 192.10.100.0/31
E. None of the above

Answer: A

Explanation: To configure an appropriate IP addressing scheme in the network, you should use 192.10.100.0/57. In this scenario, 50 computers have to be configured in a network. Network address is calculated as follows:
1. Class A networks have a default subnet mask of 255.0.0.0 and use 0-127 as their first octet.
2. Class B networks have a default subnet mask of 255.255.0.0 and can use 128-191 as their first octet.
3. Class C networks have a default subnet mask of 255.255.255.0 and can use 192-223 as their first octet.
You need to configure the network address to accommodate at least 50 hosts per subnet. To calculate the number of host bits, use the formula: 2^n-2 where n=32 bits. To configure 50 hosts, you need the 192.10.100/26 network address, which has a maximum of 62 hosts per subnet. The formula to calculate the hosts per subnet is:
32-26 = 6
2^6-2 = 62
So according to this calculation, network address 192.10.100/26 will be able to accommodate 50 hosts per subnet. We have deducted 6 bits from the total of 32 bits.

QUESTION NO: 81

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 and client computers that run Windows XP Service Pack 2 (SP2), Windows 2000 Professional, or Windows Vista. The company has decided to use the IPv6 protocol on its network. Which of the following options would you choose to ensure that all client computers can use the IPv6 protocol?

A. Run the IPv6.exe tool on all the client computers.
B. Upgrade the Windows 2000 Professional computers to Windows XP SP2.
C. Upgrade all Windows 2000 Professional computers with Service Pack 4.
D. Install the Active Directory Client extension (DSClient.exe) on all the client computers.

Answer: B

Explanation: To ensure that all computers can use the IPv6 protocol, you need to upgrade the Windows 2000 Professional computers to Windows XP SP2. IPv6 protocol is far superior to IPv4 protocol in terms of security, complexity, and quality of service (QoS). Therefore, all the new operating systems started using IPv6 protocol. Older operating systems such as Windows 2000 Professional do not support IPv6 and therefore need to be upgraded to either Windows XP or Windows Vista. You can now get versions of Windows that fully support most aspects of IPv6 (namely Windows XP and Windows Server 2003) and you will soon be able to get versions of Windows that not only fully support IPv6 but also provide enhanced performance for IPv6 networking.
Reference: IPv6 Support in Microsoft Windows / Windows 2000 http://www.windowsnetworking.com/articles_tutorials/IPv6-Support-Microsoft-Windows.html

QUESTION NO: 82

You are an enterprise administrator for Certkiller. The company consists of a head office and two branch offices. The corporate network of Certkiller consists of a single Active Directory domain called Certkiller.com. The computers in the branch office locations use IPv4 and IPv6 protocols. Each branch office is protected by a firewall that performs symmetric NAT. Which of the following options would you choose to allow peer-to-peer communication between all branch offices?

A. Configure the use of Teredo in the firewall.
B. Configure the external interface of the firewall with a global IPv6 address.
C. Configure the internal interface of the firewall with a link local IPv6 address.
D. Configure dynamic NAT on the firewall.

Answer: A

Explanation: To allow peer-to-peer communication between all branch offices where each location is protected by a firewall that performs symmetric NAT, you need to configure the firewall to allow the use of Teredo. Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs). Teredo in Windows Vista and Windows Server "Longhorn" will work if one of the peers is behind a symmetric NAT and the other is behind a cone or restricted NAT.
Reference: Teredo Overview http://technet.microsoft.com/en-us/library/bb457011(TechNet.10).aspx

QUESTION NO: 83

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a Windows Server 2008 computer that is configured to use IPv6 addressing and has an IP address of 172.16.45.9/21. Which of the following command prompt options would you choose to test IPv6 communication to a server that has an IP address of 172.16.40.18/21?

A. On the command prompt type ping followed by the Link-local address of the server.
B. On the command prompt type ping 172.16.40.9:::::.
C. On the command prompt type ping followed by the Site-local address of the server.
D. On the command prompt type ping ::9.40.18.172.

Answer: A

Explanation: To test IPv6 communication to a server, you need to type ping followed by the Link-local address of the server. Link-local addresses are network addresses which are intended only for use in a local data link layer network, and not for routing beyond that network. Link-local addresses are often used for network address autoconfiguration where no external source of network addressing information is available. Windows Vista, Windows Server 2008, Windows XP with SP1 or later, and Windows Server 2003 include an IPv6-enabled version of the Ping.exe tool.
Reference: Test an IPv6 configuration by using the ping command http://technet2.microsoft.com/windowsserver/en/library/8478cc0b-1613-431b8130529735d2945b1033.mspx?m
Reference: link-local address http://www.answers.com/topic/link-local-address-1?cat=technology

QUESTION NO: 84

You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All computers are members of the Active Directory domain. All the servers on the corporate network run Windows Server 2008. The domain consists of a server called Certkiller Server1 that runs the Network Access Policy server role. Which of the following options would you choose to disable IPv6 for all connections except for the tunnel interface and the IPv6 Loopback interface?

A. Run the netsh interface ipv6 delete command.
B. Remove the IPv6 protocol by using ipv6.exe.
C. Run the netsh ras ipv6 set command.
D. Uncheck Internet Protocol Version 6 (TCP/IPv6) from the Local Area Connection Properties window.

Answer: D

Explanation: To disable IPv6 for all connections except for the tunnel interface and the IPv6 Loopback interface, you need to uncheck Internet Protocol Version 6 (TCP/IPv6) from the Local Area Connection Properties window. This is because unlike Windows XP and Windows Server 2003, IPv6 in Windows Vista and Windows Server 2008 cannot be uninstalled. However, you can disable IPv6 in Windows Vista and Windows Server 2008 by doing one of the following: In the Network Connections folder, obtain properties on all of your connections and adapters and clear the check box next to the Internet Protocol version 6 (TCP/IPv6) component in the list. This method disables IPv6 on your LAN interfaces and connections, but does not disable IPv6 on tunnel interfaces or the IPv6 loopback interface.
Reference: IPv6 for Microsoft Windows: Frequently Asked Questions http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx

QUESTION NO: 85

Certkiller.com has upgraded their servers from Windows Server 2003 to Windows Server 2008. You have succeeded in installing Windows Server 2008 on all servers and finished configuring necessary services. The network at the branch office has to be connected to the main network. You want to temporarily connect the branch office network to the main corporate network. To achieve this, you plan to add a route to the destination server which has an IP address of 10.61.0.0 and a subnet mask of 255.255.0.0. In the IP routing table, the next hop IP address for the route should be 10.33.0.1. Which command-line statement should you employ to achieve the task?

A. route add 10.61.0.0 subnet mask: 255.255.0.0 10.33.0.1
B. route -p add 10.61.0.0 subnet mask: 255.255.0.0 10.33.0.1
C. route -4 10.61.0.0 subnet mask: 255.255.0.0 10.33.0.1
D. route add 10.61.0.0 subnet mask: 255.255.0.0 10.33.0.1 metric 45
E. All of the above

Answer: A

Explanation: To add a route in the IP routing table, you should use the 10.61.0.0 subnet mask: 255.255.0.0 10.33.0.1 command. The destination server address is 10.61.0.0 with a subnet mask of 255.255.0.0 along with the next hop address of 10.33.0.1. Basically the route command is used to change or view the entries in the local routing table. The full command syntax for this specific task is:
route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]
The -f parameter instructs Windows to clear all gateway entries in the routing table. The -p parameter is used to make a specific route persistent. When the server is rebooted, all routes configured through the route command are erased from the IP routing table. If you use the -p parameter, the route command instructs Windows to retain and keep the route in the IP routing table even if the server is rebooted. All other options are invalid in this scenario. If you use only the -p parameter along with this route command, the command will not be executed because you haven't cleared the gateway entries in the IP routing table. Similarly, if you use only -f, this route entry will be erased if the server is rebooted.

QUESTION NO: 86

Certkiller.com has upgraded its central office network to Windows Server 2008. You are an administrator at Certkiller.com. You have connected the branch office network to the main network. However, the users at the main office complain that they cannot access the branch office network. Using the route print command you view the routing table and find out that an incorrect entry 10.23.0.0 255.255.0.0 is present in the routing table. What should you do to restore connectivity between the two networks?

A. Delete the wrong entry, 10.23.0.0 255.255.0.0 in the routing table by using the route -p
B. Delete all entries in the routing table by using route -delete on each entry
C. Delete the wrong entry from the routing table by using route delete 10.23.0.0 255.255.0.0 command
D. Delete the incorrect entry from the routing table by using route *224* command
E. None of the above

Answer: C

Explanation: To restore the connectivity between the main office and the branch office network, you should first delete the wrong entry from the routing table using the route -delete 10.23.0.0 255.255.0.0. After deleting the entry, you can use the route -add command to add the correct entry. Basically the route command is used to change or view the entries in the local routing table. The full command syntax for this specific task is:
route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]
The -f parameter instructs Windows to clear all gateway entries in the routing table. The -p parameter is used to make a specific route persistent. When the server is rebooted, all routes configured through the route command are erased from the IP routing table. If you use the -p parameter, the route command instructs Windows to retain and keep the route in the IP routing table even if the server is rebooted.

QUESTION NO: 87

Exhibit:

Certkiller has decided to re-design its public network. The network will employ IPv4 addressing. The range would be 129.108.10.0/21. The network must be configured in segments as shown in the exhibit. You have to configure the subnets for each segment in the network. You need to ensure that your solution supports all computers in each segment. Which network addresses should you assign to achieve this task?

A. Segment A: 129.108.10.109/22, Segment B: 129.108.10.0/23, Segment C: 129.108.10.0/24, Segment D: 129.108.10.109/25
B. Segment A: 129.108.10.0/22, Segment B: 129.108.10.0/23, Segment C: 129.108.10.0/24, Segment D: 129.108.10.128/26
C. Segment A: 129.108.10.0/22, Segment B: 129.108.10.128/23, Segment C: 129.108.10.0/192, Segment D: 129.108.10.224/25
D. Segment A: 129.108.10.128/22, Segment B: 129.108.10.192/23, Segment C: 129.108.10.224/24, Segment D: 129.108.10.0/26
E. None of the above

Answer: B

Explanation: To ensure that your solution supports all computers in each segment, you need to configure Segment A: 129.108.10.0/22, Segment B: 129.108.10.0/23, Segment C: 129.108.10.0/24, Segment D: 129.108.10.128/24. This is because 129.108.10.0/21 can have a maximum of 2048 computers. /22 means that a subnet can have 1024 computers, /23 means that a subnet can have 512 computers, and /24 means that a subnet can have 254 computers. Because there are two networks with a /24 subnet, 512 computers can be configured for the /24 subnet. The sum of the above three gives the required number of computers in the subnet.
Reference: Subnetwork http://en.wikipedia.org/wiki/Subnetwork

QUESTION NO: 88

Certkiller is designing its public network; it will use an IPv4 range of 131.107.40.0/22. The network should be configured as per the exhibit shown below:

We need to configure subnets for the segments of the network. In order to support computers in all segments, which network addresses should you use?

A. Segment A: 131.107.40.0/23 Segment B: 131.107.44.0/24 Segment C: 131.107.45.0/25 Segment D: 131.107.45.128/27
B. Segment A: 131.107.40.0/25 Segment B: 131.107.42.128/26 Segment C: 131.107.45.192/27 Segment D: 131.107.45.224/30
C. Segment A: 131.107.40.0/23 Segment B: 131.107.44.0/24 Segment C: 131.107.45.128/25 Segment D: 131.107.45.0/27
D. Segment A: 131.107.40.128/23 Segment B: 131.107.45.0/24 Segment C: 131.107.46.0/25 Segment D: 131.107.46.128/27
E. None of the above

Answer: A

Explanation: To ensure that your solution supports all computers in each segment, you need to configure Segment A: 131.107.40.0/23, Segment B: 131.107.42.0/24, Segment C: 131.107.43.0/25, Segment D: 131.107.43.128/27.
Segment A: 131.107.40.0/23 can have 512 computers, covering 300 computers.
Segment B: 131.107.42.0/24 can have 254 computers, covering 125 computers.
Segment C: 131.107.43.0/25 can have 192, covering 100 computers.
Segment D: 131.107.43.128/27 can have 32 computers, covering 15 nodes.
The sum of the above subnets gives the required number of computers in the subnet.
Reference: "Subnetworks" http://en.wikipedia.org/wiki/Subnetwork

QUESTION NO: 89

You are an enterprise administrator for Certkiller. The corporate network of the company runs Windows Server 2008 servers. A new server has been deployed in the domain with the IP address: 192.168.45.186, Subnet mask: 255.255.255.192, and Default gateway: 192.168.45.1. However, the users of the server on remote subnets reported that they are unable to connect to the server. Which of the following changes do you need to make to ensure all users are able to connect to the server?

A. Change the IP address to 192.168.45.200.
B. Change the IP address to 192.168.45.129.
C. Change the subnet mask to a 27-bit mask.
D. Change the subnet mask to a 24-bit mask.

Answer: D

Explanation: To ensure that all users are able to connect to the server, you need to change the subnet mask to a 24-bit mask. Because the subnet 255.255.255.192 assigned to the server can have a maximum of 2 hosts, and because the subnet falls in a different network, the server cannot communicate with the gateway (192.168.46.1) assigned to it. To communicate with the gateway, the server should be in the same subnet, and therefore the subnet mask of the server needs to be changed to 24-bit, which can have 254 hosts.
Reference: Subnet Masks & Their Effect http://www.firewall.cx/ip-subnetting-mask-effect.php
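The subnet check behind this question, as an added example that is not part of the original practice test: the Python sketch below takes the server address, masks and default gateway from the question text and reports, for the current configuration and for each answer option, whether the gateway falls inside the subnet the server derives for itself. The function and variable names are assumptions made for this illustration.

```python
import ipaddress

# Values taken from the question text (QUESTION NO: 89).
GATEWAY = "192.168.45.1"
CURRENT = ("192.168.45.186", "255.255.255.192")

# Each answer option, expressed as the (address, mask) the server would end up with.
OPTIONS = {
    "A": ("192.168.45.200", "255.255.255.192"),
    "B": ("192.168.45.129", "255.255.255.192"),
    "C": ("192.168.45.186", "27"),
    "D": ("192.168.45.186", "24"),
}


def local_subnet(address, mask):
    """Return the subnet a host derives from its own address and mask."""
    return ipaddress.ip_interface(f"{address}/{mask}").network


def gateway_is_on_link(address, mask, gateway):
    """A default gateway is only usable when it sits inside the host's own subnet."""
    return ipaddress.ip_address(gateway) in local_subnet(address, mask)


def evaluate(options, gateway):
    """Map each option label to (derived subnet, gateway reachable?)."""
    report = {}
    for label, (address, mask) in options.items():
        subnet = local_subnet(address, mask)
        report[label] = (str(subnet), gateway_is_on_link(address, mask, gateway))
    return report


def working_options(options, gateway):
    """Labels of the options that leave the gateway directly reachable."""
    return sorted(label for label, (_, ok) in evaluate(options, gateway).items() if ok)


if __name__ == "__main__":
    print("current:", local_subnet(*CURRENT), gateway_is_on_link(*CURRENT, GATEWAY))
    for label, (subnet, ok) in evaluate(OPTIONS, GATEWAY).items():
        print(label, subnet, "gateway on-link" if ok else "gateway unreachable")
```

Only the 24-bit mask places 192.168.45.1 in the server's own subnet, which matches answer D.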

QUESTION NO: 90

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain that is configured with an IPv4 Ethernet network. A router named R1 (IP address 10.128.64.10) connects your segment to the Internet. A router named R2 joins your subnet with a segment named Private1. The Private1 segment has a network address of 10.128.4.0/26. A computer named Certkiller 1 requires access to servers on the Private1 network. However, Certkiller 1 is unable to connect to the Private1 network by using the current configuration. Which of the following commands would you choose to add a persistent route for the Private1 network to the routing table on Certkiller 1?

A. Route add -p 10.128.4.0/26 10.128.64.10
B. Route add -p 10.128.4.0 mask 255.255.255.192 10.128.64.1
C. Route add -p 10.128.4.0/22 10.128.4.1
D. Route add -p 10.128.64.10 mask 255.255.255.192 10.128.4.0

Answer: A

Explanation: To add a persistent route for the Private1 network to the routing table on Certkiller 1, you need to add the command Route add -p 10.128.4.0/26 10.128.64.10. This is because 10.128.4.0/26 is the IP subnet you desire to connect to and 10.128.64.10 is your IP gateway to the second subnet.

QUESTION NO: 91

You are an enterprise administrator for Certkiller. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. The company's network uses IPv4 networking. You have recently installed a new Windows Server 2008 server in the branch office and configured it with two network interfaces. Which of the following options would you choose to configure routing on the server at the branch office? (Choose two. Each correct answer presents part of the solution.)

A. Enable the IPv4 Router Routing and Remote Access option on the server at the branch office.
B. Run the netsh ras ip set access ALL command on the server at the branch office.
C. Install the Routing and Remote Access role on the server at the branch office.
D. Run the netsh interface ipv4 enable command on the server at the branch office.

Answer: A,C

Explanation: To configure routing on the server at the branch office, you need to first install the Routing and Remote Access role on the server and then enable the IPv4 Router Routing and Remote Access option on the server. You cannot use the Network Shell (netsh) command because it only allows you to configure and display the status of various network communications server roles and components after they are installed on computers running Windows Server 2008 and does not allow you to configure routing.
Reference: What's New in Routing and Remote Access / To install Routing and Remote Access / To configure and enable the Routing and Remote Access service http://technet2.microsoft.com/windowsserver2008/en/library/62736172-aa83-43baa844f1c548f5a4ac1033.msp
Reference: Network Shell (Netsh) http://technet2.microsoft.com/windowsserver2008/en/library/8603ec40-4ca4-4158b5dbdc22336141eb1033.ms

QUESTION NO: 92

You are an Enterprise administrator for Certkiller.com. You have deployed a file server on the corporate network on a server that runs Windows Server 2008. You configured a shared folder on the server so that users can access shared files on the file server. However, the users reported that they are unable to access the shared files. The TCP/IP properties for the file server showed that it is configured to obtain an IP address automatically and the users' computers were configured with IP addresses and subnet masks. You need to ensure that users are able to access the shared files. How should you configure the TCP/IP properties on the file server?

A. Configure the DNS server address.
B. Configure the default gateway on the file server.
C. Configure the file server with static IP address.
D. Add the domain to the DNS suffix on the network interface.

Answer: C

Explanation: To ensure that users are able to access the shared files, you need to configure a static IP address on the file server because, in order for both PCs to be able to communicate together, the Ethernet adapters will need to be configured with a static IP address and a common subnet mask. As an example, assign one PC an IP address of 192.198.0.1 and assign the second PC an IP address of 192.198.0.2. Both machines should use the subnet mask 255.255.255.0.
Reference: need help to setup a lan connection between 2 http://en.kioskea.net/forum/affich-2335-need-help-to-setup-a-lan-connection-between-2

QUESTION NO: 93

Windows Server 2008 is installed on two servers named CKS2 and CKS3. The Terminal Services role is installed on both of these servers and the Terminal Services Gateway role is also installed on CKS3. Applications are published on CKS2 through a Remote Desktop Connection configuration file (.rdp file). Users download the .rdp files from CKS2 using the TSWeb virtual directory. You decide to reconfigure the applications on CKS2 to employ the Terminal Services Gateway role on CKS3. You export the Remote program settings on CKS2 and import them on CKS3. The users report that they cannot access remote applications installed on CKS3. They can access remote applications on CKS2 through the Terminal Services Gateway role on CKS3. You try to find out the problem. During the process you have ensured that the application paths to both servers are identical. Which action should you perform to ensure that the users can access and use the remote applications on CKS3?

A. Configure CKS3 to connect to CKS2 to access remote application files
B. Install and configure the Terminal Services Session Directory feature on CKS3 and configure CKS2 to use this feature for application files.
C. Disable the User Authentication on CKS3 and implement it on CKS2
D. Reconfigure the .rdp files on CKS3 and distribute the files to the users
E. All of above

Answer: D

Explanation: When you exported the Remote program settings on CKS2 and imported them on CKS3, only the RemoteApp Programs list and deployment settings were exported or imported. Any .rdp files or Windows Installer packages that were created from the programs were not exported or imported, and therefore the users reported that they cannot access remote applications installed on CKS3. To ensure that the users can access and use the remote applications on CKS3, you need to reconfigure the .rdp files on CKS3 and distribute the files to the users.
Reference: Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide / To import the RemoteApp Programs list and deployment settings http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea3fb9d1f37063/Windows_Server_200

QUESTION NO: 94

You had installed Terminal Services on a Windows Server 2008 server. You installed several business applications on this server. You now want all the users on the network to access these applications remotely. To achieve this, you added all applications to the RemoteApps list. To ensure that malicious users are not able to access any applications listed in the RemoteApps list, what should you do?

A. Remove the business applications from RemoteApps list
B. Select the Do not allow users to start unlisted program on initial connection (Recommended) option in TSRemoteApp Manager on the Terminal Server tab under Connection settings
C. Select Allow users to start both listed and unlisted program option on initial connection option in TSRemoteApp Manager on the Terminal Server tab under Connection settings.
D. Uncheck the Make a remote desktop connection to this terminal server available in TS Web Access option on the Terminal Server tab in the RemoteApp Deployment Settings dialog box
E. None of the above

Answer: B

Explanation: To ensure that malicious users are not able to access any applications listed in the RemoteApps list, you need to select the Do not allow users to start unlisted program on initial connection (Recommended) option in TSRemoteApp Manager on the Terminal Server tab under Connection settings. This setting helps to protect against malicious users, or a user unintentionally starting a program from an .rdp file on initial connection.
Reference: Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide / Configure terminal server settings http://technet2.microsoft.com/windowsserver2008/en/library/61d24255-dad1-4fd2b4a3a91a22973def1033.msp

QUESTION NO: 95

Certkiller.com has a network containing servers that run Windows Server 2008. To handle name resolution for the users, a server named CKDNS is configured as a DNS server on the network. CKDNS has an Active Directory Integrated zone that hosts DNS data for users on the network. While monitoring the server, you find out that the primary zone on CKDNS contains some entries from an unknown computer that is not part of the domain. What should you do to prevent this?

A. Open the DNS server snap-in and right click on the DNS server node. Click on Scavenge resource records
B. Set the DNS server to automatic scavenging of stale records
C. In DNS manager snap-in and set the option to Set Aging/scavenging for all zones
D. Open the properties of primary zone and select Secure Dynamic Updates Only option
E. All of the above

Answer: D

QUESTION NO: 96

Certkiller.com has a server that runs Windows Server 2008. The Terminal Services role is installed on the server. As an administrator at Certkiller.com, you deploy a new application on the server. The application creates a file that has an extension of .bdc. You have to make sure that the users can launch the application remotely from their computer by double-clicking on the .bdc extension. What should you do to achieve this objective?

A. Use Terminal Server Web Access website to configure the application as a published application
B. Configure the remote desktop connection on the client computers to point the terminal services server
C. Configure the Remote Desktop file to configure application as a published application
D. Use Windows Installer package file to configure application as a published application
E. None of the above

Answer: D

Explanation: To make sure that the users can launch the application remotely from their computer by double-clicking on the .bdc extension, you should use a Windows Installer package file to configure the application as a published application.

QUESTION NO: 97

Certkiller.com has a Terminal Server running Windows Server 2008. Through Terminal Services RemoteApp (TS RemoteApp), you create a Windows Installer package for Microsoft Office Word 2007. After installing the package on a client machine, you double-click on a Word document and receive the error, "Windows cannot open this file". You have to make sure that you can open the Word document by double-clicking on the file. What should you do to solve this problem?

A. Use msiexec.exe to install the windows installer package
B. Delete the windows installer package and re-create a new one
C. Change the file association on the TSRemoteApp server
D. Create the Windows installer package again by using TSRemoteApp

Answer: C

Explanation: To make sure you can open the Word document file after installing MS Word 2007 on the client machine using Terminal Services RemoteApp, you should change the file association on the TSRemoteApp server.
Reference: http://forums.technet.microsoft.com/fr-FR/winserverTS/thread/213c907c-7d0c-43d7-970c2226a8dc55ee/

QUESTION NO: 98

.co

m

You are an enterprise administrator for Certkiller .com. The corporate network of the company consists of an Active Directory domain. All the servers on the network run Windows Server 2008. The network runs a Terminal server named Certkiller Server2 to enable remote users to run commonly required applications from their terminal. You have recently been asked to deploy a Terminal Services application called App1 on Certkiller Server2. To deploy the application, you first confirmed from the application vendor that the application can be deployed in a Terminal Services environment. The features of App1 are that it does not use Microsoft Windows Installer packages for installation and makes changes to the current user registry during installation. Which of the following options would you choose to install the application to support multiple user sessions? (Select all that apply)

A. Run the change user /install command on Certkiller Server2
B. Install the application.
C. Run the change user /execute command on Certkiller Server2.
D. Run the change logon /disable command on Certkiller Server2.
E. Run the change logon /enable command on Certkiller Server2.
F. Run the mstsc /v: Certkiller Server2/console command from the client computer to log on to Certkiller Server2.

Answer: A,B,C

Explanation: To install the application to support multiple user sessions in the above scenario, you need to first run the change user /install command on Certkiller Server2, because you must put a Terminal Services server in Install mode to install or remove programs on the server. You can put a Terminal Services server in Install mode either by using the Add/Remove Programs tool in Control Panel to add or remove a program, or by using the change user command at a command prompt. You then need to install the application. When you have finished installing the program, you need to return the Terminal Services server to Execute mode to execute the application. Therefore, to return to Execute mode, you need to run the change user /execute command on Certkiller Server2.

Reference: HOW TO: Use the CHANGE USER Command to Switch to Install Mode in Windows 2000 Terminal Services http://support.microsoft.com/kb/320185

QUESTION NO: 99

You are an enterprise administrator for Certkiller .com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all the client computers run Windows XP Service Pack 2 (SP2). All computers are members of the domain. The network runs a server named Certkiller Server1 on which the Terminal Services role and the Terminal Services Web Access role are installed. The Network Level Authentication is enabled on the server. The Terminal Services Web Access role uses Active Directory Domain Services (AD DS). You have been assigned the task to deploy and publish an application called App1 on Certkiller Server1. Which of the following options would you choose to ensure that the users can launch App1 on Certkiller Server1 from the Terminal Services Web Access Web page?

A. Publish App1 on Certkiller Server1 as a Microsoft Windows Installer package. Distribute the Windows Installer package to the users.
B. Install the Terminal Services Gateway (TS Gateway) role on Certkiller Server1 and then reconfigure the remote application publishing for App1 to reflect the change.
C. Disable publishing to AD DS for the App1.
D. Install the Remote Desktop Client 6.1 application on the client computers.

Answer: D

Explanation: To ensure that the users can launch App1 on Certkiller Server1 from the Terminal Services Web Access Web page, you need to install the Remote Desktop Client 6.1 application on the client computers, which eases the deployment of Windows Server 2008 Terminal Services on the client computers that run Windows XP Service Pack 2. Because the Remote Desktop Client 6.1 application supports Terminal Services Web Access, the Windows XP users can launch App1 on Certkiller Server1 from their Terminal Services Web Access Web page.

Reference: Download Microsoft Remote Desktop Connection (Terminal Services Client 6.1) for Windows XP SP2 http://www.dabcc.com/article.aspx?id=8044

QUESTION NO: 100

Certkiller .com has an Active Directory domain. There are two servers named CKS1 and CKS2 that have Windows Server 2008 as their operating system. Terminal Services gateway role is active on CKS1 and Terminal Services role is active on CKS2. The printers in the network support PostScript only. Users must have the facility to print on the printers that do not have prime driver support. What should you do to make sure that the Terminal Services provide primary printer support automatically?

A. Configure a new group policy that supports terminal server fallback printer driver behavior as a setting and turn it to Default to PS if the server is unable to find any driver. Set the policy on all client machines in the domain
B. Configure all printers to use PostScript on CKS2 and create a new group policy to support the printer instances. Add the policy on all client machines in the domain
C. Delete the PostScript and install the driver for all the printers on all the client machines. Create a group policy that adds the printer automatically to all the servers and instate the policy on all client machines
D. Configure a new group policy object (GPO) that supports Specify terminal server fallback printer driver behavior setting to Default to PS if one is not found option. Apply the GPO to CKS2
E. None of the above

Answer: D

Explanation: To make sure that the Terminal Services provide primary printer support automatically, you need to configure a new group policy object (GPO) that supports Specify terminal server fallback printer driver behavior setting to Default to PS if one is not found option. Apply the GPO to CKS2. This setting allows the use of the Adobe PostScript (PS) fallback printer driver by Terminal Server if no suitable printer driver can be found.

Reference: Terminal Services in Windows Server 2003 Service Pack 1 / New fallback printer driver capability http://technet2.microsoft.com/windowsserver/en/library/2284b19b-30a6-42b59bd1ff301f7248b01033.mspx?m

Reference: Terminal Services Printing / What existing functionality is changing http://technet2.microsoft.com/windowsserver2008/en/library/484d57e7-feb4-4dcc9d13152c053516471033.msp

QUESTION NO: 101

Terminal Services role is installed on two Windows 2008 servers named Srv1 and Srv2. Srv2 is running Terminal Services Gateway role. Applications on Srv1 are published using a Remote Desktop Connection configuration file (.rdp file). Users download the .rdp files from the TSrvWeb virtual directory on Srv1. You reconfigure the applications on Srv1 to use the Terminal Services Gateway role on Srv2 and export the Remote Program settings from Srv1 and import them to Srv2. Users are complaining that they cannot access the remote applications on Srv2. Users can access the remote applications on Srv1 by using the Terminal Services Gateway on Srv2. You have already verified that the application paths on both servers are identical. What should you do to ensure that users can access the applications on Srv2?

A. Disable the Network level Authentication feature on Srv2
B. Re-create the .rdp files on Srv2 and redistribute the files to the users
C. Copy the .rdp files from Srv1 to a new TSrvWeb virtual directory on Srv2
D. Configure and activate the Terminal Server Session Directory feature on Srv2, configure Srv1 to use the Terminal Server Session Directory feature
E. None of the above

Answer: B

Explanation: When you export the Remote Program settings on Srv1 and import them on Srv2, only the RemoteApp Programs list and deployment settings are exported or imported. Any .rdp files or Windows Installer packages that were created from the programs are not exported or imported, and therefore the users reported that they cannot access remote applications installed on Srv2. To ensure that the users can access and use the remote applications on Srv2, you need to re-create the .rdp files on Srv2 and redistribute the files to the users.

Reference: Windows Server 2008 Terminal Services RemoteApp Step-by-Step Guide / To import the RemoteApp Programs list and deployment settings http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea3fb9d1f37063/Windows_Server_200

QUESTION NO: 102

Terminal Services role is installed on two Windows 2008 servers named Srv1 and Srv2. Srv2 is running Terminal Services Gateway role. Applications on Srv1 are published using a Remote Desktop Connection configuration file (.rdp file). Users download the .rdp files from the TSrvWeb virtual directory on Srv1. You reconfigure the applications on Srv1 to use the Terminal Services Gateway role on Srv2 and export the Remote Program settings from Srv1 and import them to Srv2. Users are complaining that they cannot access the remote applications on Srv2. Users can access the remote applications on Srv1 by using the Terminal Services Gateway on Srv2. You have already verified that the application paths on both servers are identical. What should you do to ensure that users can access the applications on Srv2?

A. Disable the Network level Authentication feature on Srv2
B. Re-create the .rdp files on Srv2 and redistribute the files to the users
C. Copy the .rdp files from Srv1 to a new TSrvWeb virtual directory on Srv2
D. Configure and activate the Terminal Server Session Directory feature on Srv2, configure Srv1 to use the Terminal Server Session Directory feature

Answer: B

QUESTION NO: 103


The corporate network of Certkiller consists of 10 servers that run Windows Server 2008. You have recently enabled RDP on the servers to provide remote administration to the servers. All the computers that will be used to provide remote administration run Windows Vista. You configured RDP on server with default security settings. However, you are not satisfied with the default security setting and need to ensure that the RDP connections are as secure as possible. Which of the following two actions would you perform to configure secure RDP connections? (Each correct answer presents a part of the solution. Select two).

A. Acquire user certificates.
B. Block port 3389 of the firewall on each server.
C. Set the security layer for each server to the RDP Security Layer.
D. Configure each server to allow connections only to RDP client computers that use Network Level Authentication.

Answer: A,D

Explanation: To configure secure RDP connections, you need to first acquire user certificates and then configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication. Network Level Authentication is selected on each server to allow connections to Remote Desktop client computers because only Vista clients are used to connect to the Terminal Server.

Reference: Configuring the Windows Server 2008 Terminal Services Gateway (Part 1) http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-ServicesGateway-Part1

QUESTION NO: 104

Certkiller .com has a server that hosts an Active Directory domain. A server at Certkiller .com named CK2 has Terminal services role and Terminal Services web access role installed. It also has a server called CKSA that runs ISA Server 2006. You are assigned the task to deploy Terminal Services Gateway (TS Gateway) role on a new server called CK4 . Certkiller .com. Certkiller .com wants to employ ISA as the SSL endpoint for Terminal Server connections. After doing the necessary configurations, you succeed in deploying TS Gateway role on CK4 . Certkiller .com. Now you have to configure the ISA for TS connections. To do this you need to configure the TS gateway on CK4 to use ISA 2006 on CK2 . What should you do to achieve this objective?

A. On CK4 , configure the Terminal Services Connection Authorization Policy store to use CK2 as the Central network policy server
B. Design an SSL certificate from CK4 and export it to install the SSL certificate on CK2 . Set the ISA service on CK2 to use SSL certificate on CK4
C. Set the TS gateway to use SSL HTTPS-HTTP bridging
D. Export an SSL certificate on CK4 and install it on CK2 . Set the TS gateway to accept SSL certificate from CK2

Answer: C

Explanation: To configure the TS gateway on CK4 to use ISA 2006 on CK2 , you have to configure the TS gateway to use SSL HTTPS-HTTP bridging. The HTTPS-HTTP bridging works when the TS gateway client initiates an SSL (HTTPS) request to the SSL bridging device. A new HTTP request to the TS Gateway server is started by the SSL bridging device.

QUESTION NO: 105

Certkiller .com runs Terminal services on an Active Directory domain. As an administrator of Certkiller .com, you configure the main office printer as the default printer on Terminal server. Certkiller .com has a stringent security policy which states that all the remote client computers must meet the following requirements:

* The default printer on client computers must be the main office printer
* Users must also be able to access their local printers during a terminal session

To meet the company policy, you have to set a Group Policy Object by using the Terminal Services Printer Redirection template. What should you do to achieve this objective?

A. In a session options, set the 'Do not set default client printer' to default printer Enabled. Apply GPO to the Terminal Server
B. Set the Terminal services option on print to default printer and disable Easy printer driver. Apply the GPO to the Terminal Server
C. Apply the GPO to all the client computers and configure their printer options to Set default printer for office printer and local printers as user printers
D. Configure Easy Printer driver and disable the first option. Apply the GPO to the Terminal Server

Answer: A

Explanation: To set a Group Policy Object by using the Terminal Services Printer Redirection template, you should access the session options and set the 'Do not set default client printer' to default printer Enabled. Apply GPO to the Terminal Server. When you set the default client printer to default printer enabled, the main printer will become the default printer. The GPO will set the policy of accessing the main office printer by default and the user printers will also be accessible during terminal session so if the default printer is busy or has any problem, the next available printer (user printer) will automatically print the required document.

QUESTION NO: 106

You are an administrator at Certkiller .com. You manage a server named CK2 that runs Windows Server 2008. You are instructed to publish an application using Terminal Services. All users must be able to connect to the Terminal Services application by using Remote Desktop Protocol. To achieve this, you install and configure the Terminal Services Gateway (TS Gateway) role service on CK2 . You also configure a default domain policy to enable the Enable Connection through TS gateway setting. But users report that they cannot connect to the Terminal Services application. What should you do to ensure that the users can access the Terminal Services application on the intranet from the Internet?

A. Disable the Enable Connection through TS Gateway Group Policy setting
B. Configure the Remote Desktop connection on each client computer to Always Connect even if the server authentication fails.
C. Create a GPO and link the TS Gateway server authentication to the domain
D. Create and configure the Set TS Gateway server address Group Policy and also configure the IP address of the TS Gateway server. Link the configured GPO to the domain

Answer: D

Explanation: To ensure that the users can access the Terminal Services application on the intranet from the Internet, you should create and configure the Set TS Gateway server address group policy and also configure the IP address of the TS Gateway server. After that, link the configured GPO to the domain.

QUESTION NO: 107

You are an Administrator at Certkiller .com. You manage a member server that runs Windows Server 2008. The Terminal Server Gateway (TS Gateway) is also installed on the member server. You want to find out whether a group of users have ever connected to their workstations remotely through TS Gateway server. What should you do to achieve this task?

A. Open the TS gateway console and view the events in the monitoring field
B. View the Windows Server 2008 Event Viewer for TS Gateway connections
C. View Event Viewer security log
D. View the Event Viewer Terminal Services-gateway log

Answer: D

Explanation: To find out whether a group of users have ever connected to their workstations remotely through TS Gateway Server, you should check the Event Viewer Terminal Services-gateway log. You can access the Event Viewer Terminal Services-gateway log through the Windows Event Viewer. The log will tell you about the connections made to the workstation through TS Gateway server.

QUESTION NO: 108

You are an enterprise administrator for Certkiller .com. The company runs Windows Server 2008 on all the servers on the network. The company has many remote users. One of the servers on the network called Certkiller Server1 has the Terminal Services Gateway (TS Gateway) role installed on it. The remote users of the company need to connect remotely to desktop computers located in their offices through the gateway. To ensure secure connection to the gateway, you created a security group named RemoteUsersGrp1 for the remote users who need to connect to computers in their offices. Which of the following options would you choose to enable the remote users to connect to the TS Gateway? (Select two. Both the selected options will form a part of the answer.)

A. Create a resource authorization policy.
B. Create a client authorization policy.
C. Create a Group Policy object and enable the Set TS Gateway authentication method properties to Ask for credentials, use Basic protocol.
D. Add the RemoteUsersGrp1 security group and enable Device redirection.
E. Add the RemoteUsersGrp1 security group to the local remote desktop users group on the TS Gateway server.
F. Add the RemoteUsersGrp1 security group and enable Users to connect to any resource.
G. Apply the policy to the TS Gateway server.

Answer: B,D

Explanation: To enable the remote users belonging to RemoteUsersGrp1 to connect to the TS Gateway, you need to create a client authorization policy. Add the RemoteUsersGrp1 security group and enable Device redirection. A connection authorization policy (CAP) allows you to control who can connect to the Terminal Server through the Terminal Services Gateway. The Device Redirection tab gives you the option of disabling redirection for trusted remote client devices. The tab contains a series of checkboxes that you can use to disable things like disk drives, the Windows clipboard, printers, serial ports, and even plug and play devices.

Reference: Configuring the Windows Server 2008 Terminal Services Gateway (Part 2) / Create a Terminal Services Gateway CAP http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-ServicesGateway-Part2

Reference: An Overview of Longhorn Server's Terminal Service Gateway (Part 4) http://www.msterminalservices.org/articles/Overview-Longhorn-Servers-Terminal-ServiceGateway-Part4.html

QUESTION NO: 109

You are an enterprise administrator for Certkiller .com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1 has the Terminal Services Gateway (TS Gateway) role installed on it. Which of the following options would you choose to provide a security group access to the TS Gateway server?

A. Add the security group to the Remote Desktop Users group.
B. Add the security group to the TS Web Access Computers group.
C. Create and configure groups that can access Terminal Server through the TS Gateway through a Resource Authorization Policy.
D. Create and configure groups that can access Terminal Server through the TS Gateway through a Connection Authorization Policy.

Answer: D

Explanation: To provide a security group access to the TS Gateway server, you need to create and configure a Connection Authorization Policy. A connection authorization policy (CAP) allows you to control who can connect to the Terminal Server through the Terminal Services Gateway. You can configure what groups can access the Terminal Server through the TS Gateway.

Reference: Configuring the Windows Server 2008 Terminal Services Gateway (Part 2) / Create a Terminal Services Gateway CAP http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Terminal-ServicesGateway-Part2

QUESTION NO: 110

Certkiller is running Windows Server 2003 and Windows Server 2008 servers on their corporate network domain. The Terminal Service Gateway role is installed on a Windows Server 2008 server named Serv1. The Terminal Service role is installed on servers named Serv2 and Serv3, which are running Windows Server 2003. Serv2 and Serv3 are configured in a load balancing Terminal Server farm named Certkiller TSLoad. A Terminal Server Broker Service is installed on a Windows Server 2008 server named Serv4 and the Certkiller TSLoad farm is added to the Terminal Server Broker Service configuration on Serv4. You configured some applications to use TS Session Load Balancing Service and found that TS Session Broker Load Balancing is not providing load balancing for Serv2 and Serv3. What do you need to do to enable TS Session Broker Load Balancing Service on Serv2 and Serv3?

A. Add Serv2 and Serv3 to the Session Broker Computers local group on Serv4
B. Load Balancing Service cannot be configured on Serv2 and Serv3 servers because Windows Server 2003-based terminal servers cannot use the TS Session Broker Load Balancing feature
C. Run Remote Desktop Connection (RDC) version 5.2 on clients connecting to Serv2 and Serv3
D. None of the above

Answer: B

Explanation: The TS Session Broker Load Balancing Service is not providing load balancing for Serv2 and Serv3 because Windows Server 2003-based terminal servers cannot use the TS Session Broker Load Balancing feature.

Reference: Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide http://technet2.microsoft.com/windowsserver2008/en/library/f9fe9c74-77f5-4bbaa6b9433d823bbfbd1033.mspx

QUESTION NO: 111

Certkiller network domain is running Windows Server 2003 and Windows Server 2008 servers. The Terminal Service Gateway role is installed on a Windows 2008 server. The Terminal Service role is installed on servers named New1, New2 and New3 and configured in a load balancing Terminal Server farm named NewTSLoad. New2 and New3 are running Windows Server 2003. A Terminal Server Broker Service is installed on a new server named New1 and the NewTSLoad farm is added to the Terminal Server Broker Service configuration on New1. When you check event logs, you find that event ID 1023 is being generated. The event ID description indicates that the TS Session Broker farm service is in an inconsistent state. What should you do?

A. Install Terminal Server Broker Service on Windows Server 2008 servers.
B. Move Terminal server broker service on Windows server 2003 named New2 or New3.
C. Enable Terminal server broker service on Windows 2003 servers
D. Disable Terminal server broker service for Windows 2003 servers
E. None of the above

Answer: A

Explanation: Event ID 1023 is being generated, and its description indicates that the TS Session Broker farm service is in an inconsistent state, because terminal servers that are running Microsoft Windows Server 2003 do not support TS Session Broker load balancing. Therefore, for load balancing you need to install Terminal Server Broker Service on Windows Server 2008 servers.

Reference: Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide http://technet2.microsoft.com/windowsserver2008/en/library/f9fe9c74-77f5-4bbaa6b9433d823bbfbd1033.mspx

QUESTION NO: 112

Certkiller .com has a server that runs Windows Server 2008. There are four terminal servers installed. They are named CK2 , CK3 , CK4 , CK5 . As an administrator at Certkiller .com, you install the Terminal Server Session Broker role service on CK2 . What tool should you use to configure load balancing for the four terminal servers? You also have to make sure that CK3 is the preferred server for TS sessions.

A. TS Gateway Manager
B. Group Policy Manager
C. Terminal Services Manager
D. Terminal Services Configuration
E. None of the above

Answer: D

Explanation: You should use Terminal Services Configuration to configure load balancing for the four terminal servers. It will also make CK3 the preferred server for TS sessions. Using NLB with Terminal Services provides increased availability, scalability, and load-balancing performance, as well as the ability to distribute a large number of Terminal Services clients over a group of terminal servers.

QUESTION NO: 113


Certkiller .com has an Active Directory domain. All servers in the domain run Windows Server 2008. You install a Terminal Services Gateway (TS Gateway) role service on a server named S11. The Terminal services role is installed on servers called S2 and S3. Both of these servers are configured in a load balancing Terminal Server farm named as TSFrm. You install and configure the Terminal Services (TS) Session Broker service on a new server named S4. You need to configure S2 and S3 to join the TS Session Broker. What should you do to achieve this task?

A. Create a new Group Policy object (GPO) that assigns S4 to S2 and S3 as their session broker server. Apply the GPO to S2 and S3.
B. Configure a Group Policy object (GPO) to set the Set TS Gateway server address option in the Terminal Services Security section to Server1. Apply the GPO to all client computers.
C. Configure S2 and S3 to use the TS Gateway role service to access TS Session Broker.
D. Configure a Group Policy object (GPO) to set require secure RPC communications option in the Terminal Services Security section to False. Apply the GPO to S2 and S3.
E. None of the above

Answer: A

Explanation: To configure S2 and S3 to join the TS session broker, you should create a new GPO that assigns S2, S3 and S4 as their session broker server. After that you can apply the GPO to S2 and S3. The Group Policy Object will enable all three servers to act as session broker server and when you apply the GPO to the S2 and S3 server, both servers join the TS session broker.

QUESTION NO: 114

You are an enterprise administrator for Certkiller .com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008. The network consists of four servers configured as follows:

1. Certkiller Server1: The Terminal Services Gateway role service is installed.
2. Certkiller Server2: The Terminal Services role is installed and is configured in a load balancing Terminal Server farm named TSLoad.
3. Certkiller Server3: The Terminal Services role is installed and is configured in a load balancing Terminal Server farm named TSLoad.
4. Certkiller Server4: Has recently been configured with the Terminal Services (TS) Session Broker service, which works correctly.

To handle the load distribution to the Terminal Server farm you have recently deployed a hardware load balancing device that has specialized support for terminal servers and routing tokens to the Terminal Server farm. However, after this installation, you discovered that the TS Session Broker service has started failing. Which Group Policy object (GPO) should you create and apply to the Terminal Server farm to ensure that the TS Session Broker works correctly?

A. Create a GPO that enables the Use TS Session Broker Load Balancing policy setting in the Session Directory section of the Terminal Server Group Policy template and apply it to the Terminal Server farm.
B. Create a GPO that disables the Use IP Address Redirection policy setting in the TS Session Broker section of the Terminal Server Group Policy template and apply it to the Terminal Server farm.
C. Create a GPO that enables the Use IP Address Redirection policy setting in the Session Directory section of the Terminal Server Group Policy template and apply it to the Terminal Server farm.
D. Create a GPO that disables the Use TS Session Broker Load Balancing policy setting in the Session Directory section of the Terminal Server Group Policy template and apply it to the Terminal Server farm.

Answer: B

Explanation: To ensure that the TS Session Broker works correctly in the above given scenario, you need to create a GPO that disables the Use IP Address Redirection policy setting in the TS Session Broker section of the Terminal Server Group Policy template. The TS Session Broker service is failing because you have recently deployed a hardware load balancing device that has specialized support for terminal servers and routing tokens to the Terminal Server farm. When routing tokens are used, the IP address of the terminal server is not sent to the client. Instead, the IP address is embedded in a token. This can happen when you disable the Use IP Address Redirection policy setting. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct terminal server in the farm.

Reference: TS Session Broker http://technet2.microsoft.com/windowsserver2008/en/library/8a46c71e-cc7d-4bf082cc8261f7c3069c1033.msp

QUESTION NO: 115

You are an enterprise administrator for Certkiller .com. The company runs Windows Server 2008 on all the servers on the network. On the corporate network a Network Load Balancing cluster named nlb. Certkiller .com is configured. The two hosts of the cluster are named Certkiller Web1 and Certkiller Web2. A single port rule has been configured for the cluster, according to which all HTTP traffic is evenly distributed between both the hosts. Which of the following options would you choose to configure the cluster in such a way that Certkiller Web2 handles all HTTPS traffic for nlb. Certkiller .com while ensuring the even distribution of HTTP traffic between Certkiller Web1 and Certkiller Web2? (Choose two. Each correct answer presents part of the solution.)

A. Change the Handling priority option for the TCP 443 port rule to the value of 0 in the properties for Certkiller Web1
B. Create a new port rule for port TCP 443 that has the Filtering mode option set to Single host in the properties for the cluster.
C. Change the Handling priority option for the TCP 443 port rule to the value of 1 in the properties for Certkiller Web2.
D. In the properties for the cluster, create a new port rule for port TCP 443 that has the Filtering mode option set to Multiple host and the Affinity option set to the value of Single.

Answer: B,C

Explanation: To configure the cluster so that Certkiller Web2 handles all HTTPS traffic for nlb. Certkiller .com while evenly distributing the HTTP traffic between Certkiller Web1 and Certkiller Web2, you need to create a new port rule for port TCP 443 that has the Filtering mode option set to Single host in the properties for the cluster. The Single Host filtering mode directs the specified network traffic to a single host. For example, in an IIS Web farm in which only one server contains the SSL certificate for a secure Web site, the single host port rule will direct port TCP 443 (SSL port) traffic to that particular server. Then, in the properties for Certkiller Web2, change the Handling priority option for the TCP 443 port rule to the value of 1. In Host Parameters, the Priority (Unique host identifier) specifies the handling priority option. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. You can override these priorities or provide load balancing for specific ranges of ports by specifying rules on the Port rules tab of the Network Load Balancing Properties dialog box. In this scenario there are two hosts, so the value 1 will equally distribute the load.

Reference: Network Load Balancing Step-by-Step Guide: Configuring Network Load Balancing with Terminal Services / To create an NLB cluster http://technet2.microsoft.com/windowsserver2008/en/library/6e3fc3a6-ef42-41cfafed602a60f562001033.mspx

Reference: Network Load Balancing Overview http://www.tech-faq.com/network-load-balancing.shtml

m

QUESTION NO: 116

As an administrator at Certkiller.com, you install a member server named ebms1 that has Windows Server 2008 as its primary operating system. The Terminal Services role is installed on ebms1. The Terminal Server user profiles are in a folder named UPT on a server called CKTS. On CKTS3, a home folder is placed for each user. As you monitor CKTS, you find out that there is only 5% of hard disk space remaining because the users are saving their files in their profiles on CKTS instead of using their home folders. You have to limit the amount of disk space allocated to each user to 200 MB. What should you do to achieve that?

A. On ebms1, configure a group policy object. Configure a default quota limit of 200 MB and set a warning level policy.
B. Create a new group policy object and link it to the CKTS. Configure the UPT folder to limit the disk space quota to allocate 200 MB to all users.
C. Configure the disk quotas for the volume that hosts the UPT folder. Limit the users to use only 200 MB of space.
D. Configure each profile by activating disk quota on each profile. Apply folder redirection settings to redirect the users to save their files on CKTS3.
E. None of the above

Answer: C

Explanation: To limit the amount of disk space allocated to each user to 200 MB, you need to configure the disk quotas for the volume that hosts the UPT folder and then limit the users to use only 200 MB of space. Configuring a quota limit through group policy will not help in a Terminal Services scenario. Also, disk quotas cannot be configured for each user profile; they are configured on a volume or a folder.

Reference: Working with Quotas http://technet2.microsoft.com/windowsserver2008/en/library/31790148-eaf1-41158a504ce7a4503d211033.msp
Reference: Setting Up File Sharing Services http://safari.phptr.com/9780596514112/setting_up_file_sharing_services

QUESTION NO: 117

In Windows Server 2008, Windows System Resource Manager (WSRM) uses resource-allocation policies to determine how computer resources, such as CPU and memory, are allocated to processes running on the computer. Name the two resource-allocation policies that are specifically designed for computers running Terminal Services in a Windows Server 2008 Terminal Services environment.

A. Equal-Per-User and Equal-Per-Session
B. Per_user_Equal and Per_Session_Equal
C. Equal_Per_User and Equal_Per_Session
D. User_Per_Equal and Session_Per_Equal
E. None of the above

Answer: C

Explanation: The two resource-allocation policies that are specifically designed for computers running Terminal Services in a Windows Server 2008 Terminal Services environment are Equal_Per_User and Equal_Per_Session.

Reference: Terminal Services and Windows System Resource Manager / Resource-Allocation Policies http://technet2.microsoft.com/windowsserver2008/en/library/a25ed552-a42d-4107b225fcb40efa8e3c1033.msp

QUESTION NO: 118

You are an enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008. The network consists of a server called Certkiller Server1 that has the Terminal Services role installed on it. You have recently deployed a remote application called APP1 on the Terminal server. While configuring Terminal Services, you need to ensure that the requirements of the company's security policy are met. The policy states that users should not be allowed to copy and paste information to a local computer during a Terminal Services session. Which of the following options would you choose to accomplish this task?

A. In the RDP-Tcp Client Setting properties for the server, disable the Drive option.
B. In the RDP Settings for the published application, deselect the Clipboard option.
C. Enable the Use temporary folders per session option.
D. Change the Security Encryption Level to FIPS Compliant.

Answer: B

Explanation: To ensure that users are not allowed to copy and paste information to a local computer during a Terminal Services session, you need to deselect the Clipboard option in the RDP Settings for the published application. When connecting to a terminal server using an RDP client, many of the local resources are available within the remote session, including the client file system, smart cards, audio (output), serial ports, printers (including network), and the clipboard. These redirection facilities allow users to easily take advantage of the capabilities of their client device from within the remote session. Similarly, the clipboard can be used to copy and paste information to the local computer. To stop copy and paste, go to Terminal Services Configuration and, on the Client Settings tab, under Disable the following, select Clipboard mapping to disable client clipboard mapping.

Reference: Configure settings for mapping client devices / Using Terminal Services Configuration http://technet2.microsoft.com/windowsserver/en/library/17d44d9a-cf4b-4a6a94ec093cb5f8b2b71033.mspx?mf
Reference: Frequently Asked Windows Terminal Services Questions! / New Features and Improvements http://www.msterminalservices.org/faq/WindowsTerminalServices/?page=5

QUESTION NO: 119

You are an enterprise administrator for Certkiller.com. The corporate network of the company consists of an Active Directory domain. All the servers on the network run Windows Server 2008. The network runs the Terminal Services role on a server to enable remote users to run commonly required applications from their terminals. A Terminal Services application called App1 that runs on the server has suddenly stopped responding. To diagnose the problem, you monitored the memory usage on the server for a week and discovered that the App1 application has a memory leak. To resolve the problem, you first looked for a patch, but none was currently available. So you created a new resource-allocation policy in Microsoft Windows Server Resource Manager and configured a Process Matching Criteria named TrackMem for the application. Which of the following options would you choose to terminate the application when the application consumes more than half of the available memory on the server? (Select two. Each selected answer will form a part of the answer.)

A. Configure the resource-allocation policy and set the maximum working set limit option to half the available memory on the server.
B. Configure the resource-allocation policy and set the maximum committed memory option to half the available memory on the server.
C. Set the new policy as a Profiling Policy.
D. Set the new policy as a Managing Policy.

Answer: B,D

Explanation: To terminate the application when the application consumes more than half of the available memory on the server, you need to configure the resource-allocation policy and set the maximum committed memory option to half the available memory on the server and then set the new policy as a Managing Policy. When an application is leaking memory, a memory limit should be set from the Memory tab. Select the Use Maximum Committed Memory For Each Process check box. In Maximum Committed Memory Limit Per Process, you can type a value in megabytes. The Maximum Committed Memory Limit Per Process field allows you to limit the memory on a per-process basis. Now you're ready to set the new resource allocation policy to manage the computer. In the console tree, click Resource Allocation Policies. In the details pane, right-click the resource allocation policy you want to set, and then click Set As Managing Policy. This is because this policy is for computer management and not for profile management.

Reference: Use Windows System Resource Manager to control a server's powers http://articles.techrepublic.com.com/5100-10878_11-5054954.html

QUESTION NO: 120

You are an enterprise administrator for Certkiller.com. All the servers on the network run Windows Server 2008. The network consists of 20 servers on which the Terminal Services role and the Microsoft Windows System Resource Manager (WSRM) features are installed. On one of the servers called Certkiller Server1, you have recently configured a resource-allocation policy with all the required custom settings. Which of the following options would you choose to configure the WSRM settings on all the servers to match the WSRM settings on Certkiller Server1?

A. Configure the Remote WSRM accounting option of Certkiller Server1 on each server by enabling the Accounting function on each server.
B. Export the registry key, HKLM\SYSTEM\CurrentControlSet\Services\WSRM on Certkiller Server1 and import the registry key on other servers.
C. Using the WSRM console on Certkiller Server1, export the WSRM settings to a shared folder and then import the WSRM settings from the shared folder on the other servers using the WSRM console.
D. Backup the system state data on and then restore the System State data on each server.

Answer: C

Explanation: To configure the WSRM settings on all the servers to match the WSRM settings on Certkiller Server1, you need to use the WSRM console on Certkiller Server1 to export the WSRM information to a shared folder. Use the WSRM console to import the WSRM information from the shared folder. The WSRM settings can be imported or exported using the command line or the WSRM console. Enabling the accounting function will not help. Also, you cannot copy the registry settings from one system to another to duplicate the WSRM settings. You also cannot use the Backup tool for this purpose because you cannot copy the system state from one system to another to duplicate the WSRM settings.

Reference: Implementing Windows System Resource Manager / Running WSRM in a clustered Environment http://www.docstoc.com/docs/284328/redp3701

QUESTION NO: 121

There is an Active Directory domain at Certkiller.com's corporate network. On the member server, CK1, terminal services are installed and on a new test server called CK2 in a workgroup environment, the Terminal Licensing role is installed. On CK2, you wanted to enable the Terminal Services per User Client Access License (CAL) mode but you were not allowed to do so. What should you do to ensure that you could employ Terminal Services per User CAL mode on CK2?

A. Connect CK2 to the Active Directory domain
B. Configure Terminal Service Per User CAL on CK1 and connect CK2 to CK1
C. Configure the license keys obtained from Microsoft Clearinghouse and enter these into the licensing server
D. Configure a group policy object for CK1 to use CK2 for licensing. Apply the GPO on CK1
E. None of the above

Answer: A

Explanation: To ensure that you could employ Terminal Services per User CAL mode on CK2, you need to connect CK2 to the Active Directory domain because TS Per User CAL tracking and reporting is supported only in domain-joined scenarios.

Reference: TS Licensing / Are there any special considerations? http://technet2.microsoft.com/windowsserver2008/en/library/5a4afe2f-5911-4b3fa98a338b442b76041033.msp

QUESTION NO: 122

The Terminal Services role is installed on a member server named Srv1. The Terminal Services Licensing role is installed on a new test server named TestSrv in a workgroup. You cannot enable the Terminal Services Per User Client Access License (CAL) mode in the Terminal Services Licensing role on TestSrv. What should you do to ensure that you could use the Terminal Services Per User CAL mode on the test server?

A. Join TestSrv to the domain.
B. Obtain license keys from Microsoft Clearinghouse. Enter the keys into the Licensing server.
C. Configure Srv1 to use TestSrv for the Terminal Services Licensing role. Reconfigure Test Server for the Terminal Services Per User CAL mode.
D. Install the Terminal Services Gateway role on Srv1. Configure a group policy object that configures Server1 to use test Server for licensing. Apply the policy to Srv1.
E. None of the above

Answer: A

Explanation: To ensure that you could employ Terminal Services per User CAL mode on CK2, you need to connect CK2 to the Active Directory domain because TS Per User CAL tracking and reporting is supported only in domain-joined scenarios.

Reference: TS Licensing / Are there any special considerations? http://technet2.microsoft.com/windowsserver2008/en/library/5a4afe2f-5911-4b3fa98a338b442b76041033.msp

QUESTION NO: 123

Certkiller.com has a server that runs Windows Server 2003. It has an Active Directory domain. There is a server on the network that runs Windows Server 2008. It is called CK7. Another server named CK9 runs Windows Server 2006. The Terminal Services role is installed on CK7 and the Terminal Services Licensing role service is installed on CK9. You have to set the Terminal Services Per User Client Access License (TS Per User CAL) tracking and reports to work on both the servers. What should you do to achieve this objective?

A. On CK9, uninstall the terminal services licensing role and install it on CK7. Then, configure TS Per User CAL tracking and reporting on CK9
B. Configure the CK7 by adding terminal services licensing role on it. Install terminal services role on CK9 and activate tracking and reporting
C. Configure the Terminal Services Licensing Server on CK9
D. Add CK7 in the Windows Server 2003 Terminal services licensing service

Answer: A

Explanation: To set the Terminal Services Per User CAL tracking and reports to work on both the servers, you should uninstall the terminal services licensing role on CK9 and install it on CK7. After that, you should configure TS Per User CAL tracking and reporting on CK9.

QUESTION NO: 124

You are an enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008. The network consists of two servers configured as follows:

1. Certkiller Server1 (Member server): The Terminal Services role is installed.
2. Certkiller Server2 (Test server in a workgroup environment): The Terminal Services Licensing role service is installed.

You wanted to use Terminal Services Per User Client Access License (TS Per User CAL) mode on Certkiller Server2. However, you were not able to enable the TS Per User CAL mode in the Terminal Services Licensing role service on Certkiller Server2. Which of the following options would you choose to ensure that you can use TS Per User CAL mode on Certkiller Server2?

A. Disjoin Certkiller Server1 from the domain.
B. Extend the schema to add attributes for Terminal Services Licensing.
C. Join Certkiller Server2 to the domain.
D. Create a Group Policy object (GPO) that configures Certkiller Server1 to use Certkiller Server2 for licensing.

Answer: C

Explanation: To ensure that you can use TS Per User CAL mode on Certkiller Server2, you need to join Certkiller Server2 to the domain. This is because the TS Per User CAL tracking and reporting is supported only in domain-joined scenarios (the terminal server and the license server are members of a domain) and is not supported in workgroup mode.

Reference: Terminal Services Licensing (TS Licensing) / Are there any special considerations about TS Licensing? http://technet2.microsoft.com/windowsserver2008/en/library/04bf6206-1546-4326a9a0b32bc50aeb8d1033.msp

QUESTION NO: 125

You are an enterprise administrator for Certkiller. The corporate network of the company consists of 10 servers that run Windows Server 2008 in an Active Directory domain and several client computers that run Windows Vista. All the servers were Remote Desktop (RDP) enabled with default security settings for server administration. Which of the following options would you choose to ensure the RDP connections between Windows Server 2008 servers and Windows Vista client computers are as secure as possible?

A. Configure the firewall on each server to block port 3380.
B. Set the security layer for each server to the RDP security Layer and acquire user certificates from the internal certificate authority.
C. Set the security layer for each server to the RDP security Layer and configure the firewall on each server to block port 3389.
D. Acquire user certificates from the internal certificate authority and configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication.
E. None of the above.

Answer: D

Explanation: To ensure the RDP connections are as secure as possible, you need to first acquire user certificates from the internal certificate authority and then configure each server to allow connections only to Remote Desktop client computers that use Network Level Authentication. In the pre-W2008 Terminal Server, you entered the name of the server and a connection was initiated to its logon screen. Then, at that logon screen, you attempted to authenticate. From a security perspective, this isn't a good idea, because by doing it in this manner you're actually getting access to a server prior to authentication. The access you're getting is right to a session on that server, and that is not considered a good security practice. NLA, or Network Level Authentication, reverses the order in which a client attempts to connect. The new RDC 6.0 client asks you for your username and password before it takes you to the logon screen. If you're attempting to connect to a pre-W2008 server, a failure in that initial logon will fail back to the old way of logging in. It shines when connecting to Windows Vista computers and W2008 servers with NLA configured: it prevents the failback authentication from ever occurring, which prevents the bad guys from gaining access to your server without a successful authentication.

Reference: Server 2008 Terminal Services Part 2: NLA - Network Level Authentication http://www.realtime-windowsserver.com/tips_tricks/2007/06/server_2008_terminal_services_2.htm

QUESTION NO: 126

Certkiller.com is running Windows Server 2008 on a server called CKS2. Terminal Services is installed on CKS2. You installed a new Terminal Services application on CKS2. The application vendor assured you that the application can be installed in a Terminal Services environment. He also informed you that the application does not use Windows Installation packages for installation and that it makes changes in the user registry during the installation process. After the installation, the users complained that the application is not responding. When you diagnosed the problem, you found that the sessions are disconnected and that the application is not accepting multiple sessions. What should you do to make sure that the application accepts multiple sessions?

A. Execute the command chgusr /install on CKS2 and install the application. Execute chgusr /execute after installing the application on CKS2.
B. Execute chgusr /disable on CKS2 and install the application. Run chgusr on user computers to allow multiple sessions.
C. Execute the chglogon /execute command after installing the application on CKS2 and execute chglogon /muliplesessions on each client computer.
D. Run the mstsc /v:CKS2 /enable command on the client computer and then install the application.
E. None of the above

Answer: A

Explanation: To make sure that the application accepts multiple sessions on a terminal server, you need to execute the command chgusr /install on CKS2 and install the application. Execute chgusr /execute after installing the application on CKS2. If you install an application using the chgusr /install command, the application is installed so that multiple users can use it; otherwise it is installed in single-user mode and can only be run directly from the server itself by the local admin.

Reference: Forums / Topic Title: Why reinstall apps after Terminal Server installation? http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=45&threadid=83425&enterthread=y

QUESTION NO: 127

The Certkiller network has a terminal server named TERM1 running Windows Server 2008. You are running some business applications on the terminal server for the remote users in the branch office of the company, who will be remotely accessing these applications from this terminal server. You have configured the user accounts to provide them with a Terminal Services-specific profile and a home folder. While testing the connection, you realized that the Terminal Server profile has failed to load and that event ID 1046 has been generated and logged to the event viewer. What should you do now?

A. Specify a new location for the Terminal Services profile path, ensuring that the path does not exceed 256 characters
B. Specify the Terminal Services profile path by using Group Policy
C. Establish a remote session with the terminal server and check that the user's desktop and other settings
D. None of the above

Answer: A

Explanation: Event ID 1046 is generated when the profile path is less than 256 characters in length. Therefore, to resolve the problem, you need to specify a new location for the Terminal Services profile path, ensuring that the path does not exceed 256 characters.

Reference: Event ID 1046 - Terminal Services User Configuration http://technet2.microsoft.com/windowsserver2008/en/library/f4c0f0c3-19c9-4220b1c607c3590db9f41033.msp

QUESTION NO: 128

Certkiller.com has a server that runs Terminal Services. As an administrator at Certkiller.com, you plan to install an application update for an application named tsap.exe on the Terminal Server (TS). While checking the application, you find out that instances of the tsap.exe process are running even after the users have disconnected. In order to perform the application update, you have to terminate all instances of the tsap.exe process. Which two actions would you perform to achieve this objective? (Choose two answers. Each answer is a part of a complete solution.)

A. Open Terminal Services Manager Console and end all instances of tsap.exe
B. Execute the TSapp - getprocess command on Terminal server
C. End all instances of the tsap.exe and restart the server. Execute a appkill command to stop the application immediately
D. On the Terminal Server, execute Tskill tsap /a command

Answer: A,D

Explanation: To terminate all instances of the tsap.exe process, you have to end all instances of the tsap.exe process by accessing the Terminal Services Manager Console. The processes are displayed there. You kill the unwanted process by terminating it. Use Microsoft Management Console to access the Terminal Services Manager console snap-in. After doing this, you have to execute a Tskill tsap /a command to end active processes. You can end the process by right-clicking the process on the Processes tab in Terminal Services Manager and clicking End process, or you can use the tskill command to do this. If you end a process through this command, no notification will be sent to the user. The process is ended immediately.

QUESTION NO: 129

Certkiller.com has an Active Directory domain installed on a server that runs Windows Server 2008. Another server named S3 also runs Windows Server 2008. All client machines have Windows Vista. Certkiller.com has instructed you to install the Terminal Services role, Terminal Services Gateway role and Terminal Services Web Access role service on S3. To protect the network, you want to ensure that all client machines have firewall, antivirus software and anti-spyware software installed. Which actions should you perform to achieve this task? (Select two answers. Each answer is a part of a complete solution.)

A. Configure Windows Authorization Access domain local security group and add Terminal Services client computers
B. Configure Terminal Services client computers to access the Terminal Services health policy.
C. Set the Request clients to send a health option statement in the Terminal Services client access policy
D. Install and configure Network Access Protection (NAP) on the server in the domain
E. None of the above

Answer: C,D

Explanation: To ensure that all client machines have firewall, antivirus software and anti-spyware software installed, you should set the Request clients to send a health option statement in the Terminal Services client access policy and install and configure Network Access Protection (NAP) on the server in the domain.

QUESTION NO: 130

Certkiller.com has an Active Directory domain. Terminal Services is installed on a server. All terminal services accounts are configured to allow session takeover without permission. A user logged on to a server named S2 using an account named U1. The terminal session ID for U1 is 1209. Which command should you run to perform a session takeover for Terminal session ID 1209?

A. Beown/U U1 1209, and then execute TSconnection 1209
B. Tsdiscon 1209, and then Tscon 1209
C. Chgport/U U1 1209
D. chguser 1209, Tscon 1209
E. None of the above

Answer: B

Explanation: To perform a session takeover for the Terminal session ID 1209, you should run Tsdiscon 1209 and then Tscon 1209. You can use the tsdiscon command to disconnect an active Terminal Services session. The session remains attached to the Terminal Services server in a disconnected state. Programs that are currently in use continue to run. When you reconnect to the Terminal Services server, you can reconnect by using the same session from which you disconnected. You can resume working without any loss of data in the programs that were running when you disconnected. You can use the tscon command to connect to another Terminal Services user session. You can connect to sessions that are in an active or disconnected state. When you connect to another session, you are disconnected from your previous session. If you create more than one session on a server, you can use this option to switch between the sessions.

Reference: http://support.microsoft.com/kb/321703 http://support.microsoft.com/kb/321705

QUESTION NO: 131

Certkiller.com has an Active Directory domain. You are the administrator of ES1, a server that runs Windows Server 2008 and has the Terminal Services role and the Terminal Services Web Access role service installed on it. You install the Terminal Services Gateway role on ES1 and create the Terminal Services connection authorization policy. Users are reporting that they cannot access ES1. What should you do to ensure that the users can connect to ES1?

A. Install and configure the Terminal Services Resource Authorization Policy (RAP) on ES1
B. Configure the Network Access Protection on ES1 and start the Terminal services gateway service
C. Create a Terminal Services Group Policy Object and allow users to connect remotely to the Terminal services setting on the GPO. Link the GPO to the domain controller
D. Create a Terminal services GPO and Set the TS Roaming profiles setting on the GPO
E. None of the above

Answer: A

Explanation: To ensure that the users can connect to ES1, you should install and configure the Terminal Services Resource Authorization Policy on ES1. RAPs are used to control which Terminal Servers can be accessed through the Terminal Services Gateway.

Reference: http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-TerminalServices

QUESTION NO: 132

You are an enterprise administrator for Certkiller.com. The corporate network of the company consists of an Active Directory domain. All the servers on the network run Windows Server 2008. The network runs Terminal Services to enable remote users to run commonly required applications from their terminals. A remote user logged on to the Terminal Server required some help with the application he wanted to run. However, when you connect to the Terminal Server session, you cannot operate any applications. Which of the following options would you choose to ensure that you can assist any user on the Terminal Server?

A. From the Terminal Server, run the Chgusr /execute command and then reconnect to the session.
B. In the RDP-Tcp Properties on the Terminal Server, enable the Use remote control option with default user settings.
C. In the RDP-Tcp Properties on the Terminal Server, enable the Use remote control with the following settings option and then configure the Level of control policy setting to Interact with the session. Ask the user to log off and log back on.
D. From the Terminal Server, run the Tscon /v command and then reconnect to the session.

Answer: C

Explanation: To ensure that you can assist any user on the Terminal Server, you need to enable the Use remote control with the following settings option and then configure the Level of control policy setting to Interact with the session. Ask the user to log off and log back on. You can configure remote control with the Level of control set to Interact with the session. When this option is selected, the user's session can be actively controlled with your keyboard and mouse.

Reference: Need to monitor a terminal services session? Use Shadow. / How to Configure Remote Control Settings http://www.myitforum.com/articles/16/view.asp?id=5808

QUESTION NO: 133

You are an enterprise administrator for Certkiller.com. The corporate network of the company consists of an Active Directory domain. All the servers on the network run Windows Server 2008. The network runs a Terminal server named Certkiller Server2 to enable remote users to run commonly required applications from their terminals. Which of the following options would you choose to prevent new sessions on the Terminal Server without affecting current user sessions?

A. Run Tskill /server: Certkiller Server2/A command
B. Run Taskkill /S Certkiller Server2 /fi "MODULES eq TermSrv" command
C. Run Change user /execute disable command
D. Run Change logon /disable command

Answer: D

Explanation: To prevent new sessions on the Terminal Server without affecting current user sessions, you need to run the Change logon /disable command. This command disables subsequent logons from client sessions, but not from the console. This also ensures that the currently logged on users are not affected.

Reference: Change logon http://technet2.microsoft.com/windowsserver/en/library/85af3fd0-b518-4b919f9324c75173494e1033.mspx?mf

QUESTION NO: 134

You are an enterprise administrator for Certkiller .com. The corporate network of the company consists of a single Active Directory domain. All the servers on the network run Windows Server 2008 and all the client computers run Windows Vista. All computers are members of the domain. The network runs a Terminal server named Certkiller Server2. You have recently deployed an application called App1 by using the TS RemoteApp Manager. You set the Terminal Servers security layer to Negotiate. Which of the following options would you choose to ensure that domain users are not prompted for credentials when they access the application?

A. Modify the Password Policy settings in the local Group Policy on all the client computers. B. Modify the Credential Delegation settings in the local Group Policy on all client computers. C. Modify the Credential Delegation settings in the local Group Policy on the terminal server, Certkiller Server2. D. Modify the Password Policy settings in the local Group Policy on the terminal server, Certkiller Server2.

Answer: B

Explanation: To ensure that domain users are not prompted for credentials when they access the application, you need to modify the Credential Delegation settings in the local Group Policy on all client computers. Windows Vista introduces a new authentication package called the Credential Security Service Provider, or CredSSP, that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side security service provider) to the target server (through the server-side security service provider) based on client policies. CredSSP policies are configured via Group Policy, and delegation of credentials is turned off by default. In addition, a few of the policy settings might increase or decrease the risk. For example, the Allow Default Credentials with NTLM-only Server Authentication and Allow Fresh Credentials with NTLM-only Server Authentication policy settings remove the restriction to require the Kerberos authentication protocol for authentication between the client and server. Reference: Credential Security Service Provider and SSO for Terminal Services Logon http://technet2.microsoft.com/WindowsVista/en/library/6b6bf605-0b9f-45ed990012aca2a0f2a21033.mspx?mfr

QUESTION NO: 135

You are an enterprise administrator for Certkiller .com. All the servers on the network run Windows Server 2008. The network consists of a Terminal Server. Which of the following options would you choose to configure the Terminal Server to end any sessions that are inactive for more than one hour?

A. Modify the RDP-Tcp settings from Terminal Services Configuration. B. Modify the User logon mode setting from Terminal Services Configuration. C. Create a new group from Terminal Services Manager. D. Delete the inactive sessions from Terminal Services Manager.

Answer: A

Explanation: To configure the Terminal Server to end any sessions that are inactive for more than one hour, you need to modify the RDP-Tcp settings from Terminal Services Configuration. You can configure the properties of the terminal server's RDP-TCP connection to provide better protection. You can set session time limits that help to ensure that sessions are not left unattended and active for long periods. Reference: How Secure are Windows Terminal Services? / Securing the RDP-TCP Connection http://www.windowsecurity.com/articles/Windows_Terminal_Services.html

QUESTION NO: 136

Certkiller .com has servers with Windows Server 2008 installed as a primary operating system. The servers are in an Active Directory domain. CKS1 is a server that has the Terminal Services gateway role installed. The Terminal Services role is installed on CKS2 and CKS3. Both servers are added in a load balancing terminal server farm called TSF. Another administrator installs Terminal service broker on a new server called CKS4 and configures the TSF farm to be added to the Terminal Server Broker Service configuration on CKS4. Due to a requirement, you set up the published applications to employ Terminal Server Broker Service. You find out that CKS2 and CKS3 are not accepted in Terminal Server broker service. What should you do to ensure that Terminal Server Broker Service accepts the CKS2 and CKS3 connections?

A. Open the Session Broker Computers local group on CKS4 and add CKS2 and CKS3 B. Configure and set a Group Policy Object and set the Allow reconnection option to True for Terminal services security section and apply it to the CKS2 and CKS3 C. Configure and set a GPO to set the Deny reconnection option to True for Terminal Server Broker Service and apply it to CKS2 and CKS3 D. Configure the Windows Authorization Access domain for CKS3 and add CKS2 and CKS4 in the Active Directory domain E. None of the above

Answer: A

Explanation: For terminal servers to use TS Session Broker, you must add the computer account for each terminal server in the farm to the Session Directory Computers local group on the TS Session Broker server. Therefore to ensure that Terminal Server Broker Service accepts the CKS2 and CKS3 connections, you need to open the Session Broker Computers local group on CKS4 and add CKS2 and CKS3. Reference: Windows Server 2008 TS Session Broker Load Balancing Step-by-Step Guide / Add each terminal server in the farm to the Session Directory Computers local group http://technet2.microsoft.com/windowsserver2008/en/library/f9fe9c74-77f5-4bbaa6b9433d823bbfbd1033.mspx

QUESTION NO: 137

Certkiller .com has an Active Directory domain. It has Terminal services installed on the Windows Server 2008 computers in the domain. All client machines have Windows Vista as their operating system. Due to the nature of their work, users are required to view some training videos on Windows Media Player 11 during a Terminal Services session. What should you do to ensure that the users can run Windows Media Player 11 during the Terminal services session?

A. On the terminal server, install the Quality Audio Video feature. B. Open the Terminal server settings and enable the 'allow desktop applications to run on session'. Disable the default settings C. Install and configure the Desktop Experience feature on the terminal server D. Create a group policy object that allows Windows Media Player 11 to set the differential services code point value to 10 and apply the policy to the client machines that want to use Windows Media Player 11 E. All of the above

Answer: C

Explanation: When Desktop Experience is installed on Windows Server 2008, the user can use Windows Vista features, such as Windows Media Player, desktop themes, and photo management within their remote connection. Therefore to ensure that the users can run Windows Media Player 11 during the Terminal services session, you need to install and configure the Desktop Experience feature on the terminal server. Reference: Windows Server 2008 Technical Overview / Terminal Services http://www.microsoft.com/technet/windowsserver/longhorn/evaluate/whitepaper.mspx?wt.svl=globalheadline

QUESTION NO: 138

As an administrator at Certkiller .com, you manage a member server having Windows Server 2008. A Terminal Services role is installed on the server along with Microsoft Windows System Resource Manager (WSRM). Users are complaining about degradation in performance on Terminal Server. You find out that a single user is consuming 100% of the processor time. To rectify the problem, you create a resource-allocation policy named Policy1 which limits each user to 30% of the total processor time. Still, there is no improvement in the performance. What should you do to configure WSRM to force Policy1?

A. Configure each user account to allocate a resource quota on WSRM application B. Configure Policy1 to accept the WSRM resource quota for each user C. Restart the Server and the Terminal Services configuration service D. Configure policy1 as the Managing Policy

Answer: D

Explanation: To configure WSRM to force Policy1, you should configure policy1 as the Managing Policy. You can set a policy as the managing policy by accessing the Resource Allocation Policies node in the left-hand pane. Click on the policy and set it as the managing policy by clicking the "Set as Managing Policy" link in the right pane.

QUESTION NO: 139

You are an enterprise administrator for Certkiller .com. The corporate network of the company consists of an Active Directory domain. All the servers on the network run Windows Server 2008. The network runs Terminal services to enable remote users to run commonly required applications from their terminal. An organizational unit (OU) called TermSerUsers has been configured for the standard users who connect to the Terminal Server and an OU called TermSerAdmin is configured for the administrative users. Besides these two types of users, no other user can connect to the Terminal Server. Which of the following options would you choose to ensure that only members of the TermSerAdmin OU can run the Remote Desktop Protocol files?

A. Create a GPO and disable the Allow .rdp files from unknown publishers policy setting in the Remote Desktop Client Connection template. Apply the GPO to the TermSerUsers OU. B. Create a GPO and enable the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop Client Connection template. Apply the GPO to the TermSerUsers OU. C. Create a GPO and enable the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop Client Connection template. Apply the GPO to the TermSerAdmin OU. D. Create a GPO and enable the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy setting in the Remote Desktop Client Connection template. Apply the GPO to the TermSerAdmin OU.

Answer: B

Explanation: To ensure that only members of the TermSerAdmin OU can run the Remote Desktop Protocol files, you need to enable the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop Client Connection template. This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). If you enable this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. Reference: Remote Desktop Connection Client http://technet2.microsoft.com/windowsserver2008/en/library/76fb7e12-b823-429b988705dc70d28d0c1033.ms

QUESTION NO: 140

You are an administrator of a server that runs Windows Server 2008. It is named CKFSVE. This server is dedicated to an FTP service. According to the Certkiller .com policy, the FTP server should only be available for selected authorized projects. What should you do to make sure that the FTP service is unavailable after restarting the server?

A. Execute the iisftp/stop command on CKFSVE B. Execute the netsrvr32/stop ftp: CKFSVE command on CKFSVE C. Run the WMIC /NODE: CKFSVE SERVICE WHERE the caption="FTP Publishing Service" CALL ChangeStartMode "Disabled" command on this particular Certkiller FTP server D. Execute iisreset ftp. Certkiller .com command on the CKFSVE server E. Execute WMIC/node: CKFSVE command on publishing service command on the server F. None of the above

Answer: C

Explanation: To make sure that the FTP service is unavailable after restarting the server, you need to run the WMIC /NODE: CKFSVE SERVICE WHERE the caption="FTP Publishing Service" CALL ChangeStartMode "Disabled" command on this particular Certkiller FTP server. The WMI command-line (WMIC) utility provides a command-line interface for WMI. The /Node command allows you to specify computer names and synchronously execute all commands against all computers listed in this value. To disable the FTP service on the computer, you need to use the ChangeStartMode "Disabled" command. Reference: wmic http://msdn2.microsoft.com/en-us/library/aa394531(VS.85).aspx Reference: Gathering WMI Data without Writing a Single Line of Code / System Configuration Changes http://technet.microsoft.com/en-us/magazine/cc160919.aspx

QUESTION NO: 141

The Windows server 2008 FTP service no longer uses metadata and the new configuration store in IIS 7.0 uses files to store configuration details. What is the format of new configuration files?

A. .TXT files B. HTTP files C. CGI script files D. .NET XML based files E. None of the above

Answer: D

Explanation: The format of new configuration files is .NET XML based files. The IIS 7.0 has a brand-new administration interface which uses a new FTP instead of the old IIS 6 metabase. The new configuration store is based on the .NET XML-based *.config format. Reference: Microsoft FTP Service for IIS 7.0 (x86) / Integration with IIS 7.0 http://www.microsoft.com/downloads/details.aspx?familyid=2ECCF14A-5C4F-4CFB-9153CFE1204B346A&d

QUESTION NO: 142

Certkiller .com has a server that runs Windows Server 2008. You install the FTP role service on the server. After installing the FTP service, you allow users to use it. Users complain that they receive an error message when they attempt to use FTP site to upload files. What should you do to allow authenticated users to access the FTP sites to upload files?

A. Execute the ftp -a command on the Windows Server 2008 B. Set write permission on the FTP site. On the FTP destination folder, set the NTFS permissions for Authenticated Users group to allow Read/write attributes C. Configure the FTP settings to allow Authenticated users to connect to the FTP server using the port 26. D. Configure the FTP settings to allow Authenticated users to connect to the FTP server by using their account logins and passwords E. None of the above

Answer: B

Explanation: To allow authenticated users to access FTP sites to upload files, you have to set write permission on the FTP site and set the NTFS permissions for the Authenticated Users group on the FTP destination folder to allow Read/write attributes. By setting the write permission on the FTP site, users will be able to upload files on FTP, and adding the Authenticated Users group in NTFS permissions will enable the users to upload files without getting any warning messages.

QUESTION NO: 143

Certkiller .com has a server that runs Windows Server 2008. You install the FTP role service on the server. Users complain that they receive an error message while uploading files to the FTP site. You have to allow authenticated users to upload files to the FTP site. What should you do to achieve this task?

A. Execute the FTP -authenticate 192.168.10.23 command on the Windows Server 2008 server B. Set write permission on the FTP site. Configure the NTFS permission on the FTP destination folder for the Authenticated users group C. Set the Write permissions on the FTP site. Set NTFS permission on the FTP destination folder for the Authenticated Users group to Allow-Modify D. Execute appcmd -ftp command on the server to unlock Config.txt file

Answer: C

Explanation: To allow authenticated users to upload files to the FTP site, you should set the Write Permission on the FTP site folder and set NTFS permission on the FTP destination folder for the Authenticated Users group to Allow-Modify. By setting the write permission on the FTP site folder, you will enable the authenticated users to access the FTP site. By setting NTFS permission on the FTP destination folder, you allow the Authenticated Users group to modify the files and add or delete them.

QUESTION NO: 144

Certkiller .com has a server that operates Windows Server 2008. You install an IIS server role on the server. What should you do to back up the changes in configuration of the IIS Server?

A. Open the Windows Power Shell utility on the IIS server and execute the command: addmemberCmemberTypemethod/mainbackup to backup the configuration changes B. Execute the appcmd addbackup command on the IIS server C. Execute ntdsutil/backup: servertype filename command on the IIS server D. Execute the appcmd add backup filename iis server "PrimeBackup" command on the IIS server E. None of the above

Answer: B

Explanation: AppCmd.exe provides the BACKUP object that allows you to easily back up and restore the global server configuration. Therefore to back up the changes in configuration of the IIS Server, you need to execute the AppCmd Add Backup "BackupName" command on the IIS server. Reference: Most Important AppCmd Commands: Backing up and restoring IIS7 configuration http://mvolo.com/blogs/serverside/archive/2007/03/18/Most-Important-AppCmdCommands_3A00_-BacKing-u

QUESTION NO: 145

Certkiller is running a domain controller on Windows Server 2008. The server is backed up over the network from a dedicated backup server that runs Microsoft Windows server 2003. You want to make a domain controller for disaster recovery apart from the regular backup procedures. You tried to back up the system state data for the domain controller, but failed to launch the backup utility. What should you do to back up system state data from the Windows server 2008 domain controller server?

A. Add your user account to local Backup Operators group B. Use the Server Manager feature to install the Windows Server Backup feature C. Use the Server Manager feature to install the Removable Storage Manager feature D. Deactivate the backup job that is configured to back up the Windows server 2008 domain controller server on the Windows Server 2003 backup server E. None of the above

Answer: B

Explanation: To back up system state data from the Windows server 2008 domain controller server, you need to first use the Server Manager feature to install the Windows Server Backup feature and then perform the system state data backup. Reference: Step-by-Step Guide for Windows Server Backup in Windows Server 2008 http://technet2.microsoft.com/windowsserver2008/en/library/00162c92-a834-43f99e8a71aeb25fa4ad1033.msp

QUESTION NO: 146

You are an Enterprise administrator for Certkiller .com. The corporate network of the company consists of servers that run Windows Server 2008. On a network server called Certkiller Server1, the Windows Backup and Restore utility is installed. However, for some reason Certkiller Server1 failed and stopped responding. To resolve the problem, you installed another server called Certkiller Server2 with the Windows Backup and Restore utility. Which of the following options would you choose to restore the company's Windows SharePoint Services (WSS) site to Certkiller Server2?

A. Run Wbadmin Get Versions on the command line and then install WSS. B. Run Wbadmin Start Recovery on the command line and then install WSS. C. Run Wbadmin and restore the system state. D. Run Wbadmin to restore the application and the sites from backup. E. None of the above

Answer: B

Explanation: To restore the company's Windows SharePoint Services (WSS) site to Certkiller Server2, you need to run Wbadmin with the Start Recovery option and then install WSS on the Server. The Start Recovery option will run a recovery of the volumes, applications, files, or folders specified and will recover the application and sites. However, to run the WSS site, you need WSS on Certkiller Server2 and therefore you need to install WSS on it. Reference: http://technet2.microsoft.com/windowsserver2008/en/library/4b0b3f32-d21f-486184bbb2eadbf1e7b81033.msp Reference: Active Directory Backup and Restore in Windows Server 2008 http://technet.microsoft.com/en-us/magazine/cc462796(TechNet.10).aspx

QUESTION NO: 147

Certkiller .com has a server that runs Windows Server 2008. Certkiller .com has WSUS (Windows Server Update Services) installed on this server. This server is located on the Certkiller .com's intranet. It is installed on the default website. Due to a company policy, you configured the update and statistics servers to employ SSL (Secure Socket Layer). Which URLs should you use to configure a group policy object (GPO) that specifies the intranet update locations on a default port?

A. https://server1:80 B. http://server1:1073 C. https://server1:8080 D. https://server1 E. None of the above

Answer: D

Explanation: To configure a group policy object (GPO) that specifies the intranet update locations on a default port, you need to use https://server1. You must include a URL for a secure port that the WSUS server is listening on. Because you cannot require SSL on the server, the only way to ensure that client computers use a secure channel is to make sure they use a URL that specifies HTTPS. If you are using any port other than 443 for SSL, you must include that port in the URL, too. Reference: WSUS SSL Client Configuration http://www.techsupportforum.com/microsoft-support/windows-nt-2000-2003-server/115983-wsusssl-clientcon Reference: Specify Intranet Microsoft Update Service Location http://technet2.microsoft.com/windowsserver/en/library/ac90c1de-9e04-46fdb8ab0bb4ab8515461033.mspx?m

QUESTION NO: 148

Certkiller .com has a server that runs Windows Server 2008. This server is running IIS 7.0 and one .ASP NET application for Sales department users. You previously had another version of ASP NET installed on this server. You want the new application to use a specific version of ASP NET at the virtual directory\ASP.NET application level. What should you do to choose the specific version of .ASP NET for a specific application?

A. In IIS management console, navigate to the Website or ASP.NET application folder, in the Properties tab go to ASP NET tab and choose the version to use B. Run Aspnet_regiis.exe tool to check version of ASP.NET C. You need to uninstall previous version of ASP.NET before installing a new version D. None of the above

Answer: A

Explanation: To choose the specific version of .ASP NET for a specific application, you need to open the IIS management console, and then navigate to the Website or ASP.NET application folder. In the Properties tab go to ASP NET tab and choose the version to use. Reference: Configure a Web Application to Use a Specific Version of ASP.NET / Configuring an ASP.NET Application to Use a Specific Version of ASP.NET http://www.codeguru.com/csharp/.net/net_asp/miscellaneous/article.php/c10879/

QUESTION NO: 149

Certkiller .com uses Windows Server 2008 on all its servers. An active directory domain is acting as a Certkiller network named CK1 .com. The network also has a web server named CK2 .com. The users on the domains access the web server by using http:// CK2 .com. To implement SSL, you generate a self-signed certificate for CK2 .com and configure it to use Secure Socket Layer (SSL). After the implementation, users complain that when they try to connect to the web server using http:// CK2 .com, they get a warning message. What should you do to ensure that the users are able to connect to CK2 .com without getting warning messages?

A. Export the self-signed certificate to CK2 .cer file by accessing the certificate from the certificates console on CK1 . Install the CK2 .cer file on all computers in the domain B. Configure the security zones on all computers in the domain. Put http:// CK2 .com in the trusted zone. C. Configure the DNS host records on CK2 .com and reissue the self-signed certificate. Ask users to connect to CK2 .tb1.com to access resources on http:// CK2 .com D. Connect the CK2 .com to tb1 server and reissue the certificate. Ask the users to use https:// CK2 .com instead of http:// CK2 .com

Answer: A

Explanation: To ensure that the users can connect to CK2 .com without getting warning messages, you should export the self-signed certificate to a CK2 .cer file. Then, you install the CK2 .cer file on all computers accessing the website. The user accounts will be authenticated through the certificate and they will not get any warning messages. The .cer file is an internet security certificate extension which confirms the authenticity of a website installed on a server.

QUESTION NO: 150

As an administrator at Certkiller .com, you install Web server (IIS) role on a server that runs Windows Server 2008. You created a new site called Certkiller .com. You need to install an application on the website called webcontent. You copy the application to the server. What should you do to add the application on the website?

A. Create a virtual directory and copy the website contents in it. Copy the application in the directory and install it B. Execute appcmd command on the command prompt on the server C. Open the IIS Manager Console and select the website. Select Add Application D. Execute appcmd -t on the command prompt on the server

Answer: C

Explanation: To add the application on the website, you should use IIS Manager Console and select the website. The website is listed in the IIS Manager Console and you can access it through the navigation tree. Right-click on the website name and select 'Add Application'. The wizard will walk you through the process of adding the application to a website. Reference: www.tech-faq.com/securing-webservers.shtml

QUESTION NO: 151

[Exhibit: error message dialog]

You are an enterprise administrator for Certkiller .com. All the servers on the corporate network run Windows Server 2008. A new server farm has recently been created on the network. The company uses Public folders and Web Distributed Authoring and Versioning. You have been assigned the task to install Microsoft Windows SharePoint Services (WSS) as a server in a new server farm. However, when you started the installation by starting the SharePoint Products and Technologies Configuration Wizard, you received an error message that states "Failed to connect to the database server or the database name does not exist", as shown in the exhibit. Which of the following server/services would you install to configure WSS to start SharePoint Services 3.0 Central Administration?

A. Microsoft SQL Server 2005 server B. Active Directory Rights Management Services role C. Active Directory Lightweight Directory Services role D. Windows Internal Database

Answer: A

Explanation: To resolve this problem, you need to install Microsoft SQL Server 2005 server on the farm. This error message occurs when either the SQL Server does not exist or the SQL Server services is stopped. The server farm account is used to access your configuration database. It also acts as the application pool identity for the SharePoint Central Administration application pool, and it is the account under which the Windows SharePoint Services Timer service runs. The SharePoint Products and Technologies Configuration Wizard adds this account to the SQL Server Logins, the SQL Server Database Creator server role, and the SQL Server Security Administrators server role. If SQL Server is not available then the above mentioned error message will appear. Reference: Configuration Wizard - Failed to Connect http://blogs.msdn.com/neilth/archive/2008/04/25/failed-to-connect-or-database-name-does-notexist.aspx

QUESTION NO: 152

You are an enterprise administrator for Certkiller .com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. Certkiller Server1 hosts an Internet-accessible Web site called Certkiller .com that has a virtual directory named /Salesorders/. A Web server certificate is installed and an SSL listener has been configured for the Web site. Which of the following options would you choose to configure the /salesorders/ virtual directory to meet the company policy requirements, which state that the /salesorders/ virtual directory must be accessible to authenticated users only and should allow authentication types that support all browsers? In addition, all authentication traffic should be encrypted by using HTTPS, and all other directories of the Website must be accessible to anonymous users and be available without SSL. (Select all that apply. Each correct answer presents part of the solution.)

A. Configure the Basic Authentication setting to Enabled for the Web site B. Configure the Anonymous Authentication setting to Disabled for the Web site. C. Configure the Web site to the Require SSL setting. D. Configure the Basic Authentication setting to Enabled for the /salesorders/ virtual directory. E. Configure the Anonymous Authentication setting to Disabled for the /salesorders/ virtual directory. F. Configure the Digest Authentication setting to Enabled for the /salesorders/ virtual directory. G. Configure the /salesorders/ virtual directory to the Require SSL setting.

Answer: D,E,G

Explanation: To configure the /salesorders/ virtual directory so that it is accessible to authenticated users only and allows authentication types that support all browsers, you need to configure the Basic Authentication setting to Enabled for the /salesorders/ virtual directory, because Basic authentication is supported by almost all browsers. Next you need to disable the Anonymous Authentication setting for the /salesorders/ virtual directory, so that only authenticated users can access the virtual directory. Finally, you need to configure only the /salesorders/ virtual directory to the Require SSL setting so that only the authentication traffic to this directory is encrypted and all other directories of the Website remain accessible to anonymous users and available without SSL. To configure authentication for a virtual directory or a physical directory in a Web site, you need to configure the virtual directory for the Web site and not the website. Reference: How to configure IIS Web site authentication http://support.microsoft.com/kb/308160 Reference: Basic access authentication http://en.wikipedia.org/wiki/Basic_access_authentication

QUESTION NO: 153

A branch office of Certkiller.com is configured as a separate Active Directory site. An Active Directory domain controller is installed in it. A new application is installed at this site. However, this Active Directory site needs a global catalog server to support the application. What should you do to set up the domain controller at the branch office to act as a Global Catalog Server?

A. Run the dcncon.exe utility
B. Configure the server through Active directory domains and Trust console
C. Configure the server through Server Manager console
D. Configure the server and application through the computer management console
E. None of the above

Answer: E

Explanation: To set up the domain controller at the branch office to act as a Global Catalog Server, you need to configure the server through the Active Directory Sites and Services console. Therefore none of the above options is correct.

Reference: SolutionBase: Recovering Active Directory when you don't have a backup / Global Catalog Server Failure http://articles.techrepublic.com.com/5100-6345_11-5746161.html

QUESTION NO: 154

Certkiller.com has six domains in an Active Directory forest. Certkiller.com has 20 sites. Certkiller.com orders you to install and configure a new distributed application that employs a custom application directory partition named DRData to be used for data replication. The application is hosted on one member server in each of 10 sites. What should you do to configure the 10 member servers to get the DRData for data replication?

A. Execute Regsvr32 command on 10 member servers
B. Execute DRdatarep.exe on 10 member servers
C. Execute RacAgent tool on 10 member servers
D. Execute Dcpromo tool on 10 member servers
E. None of the above

Answer: D

Explanation: To configure the 10 member servers to get the DRData for data replication, you need to execute the Dcpromo tool on the 10 member servers. None of the other tools can be used for data replication.

Reference: Distributed File System http://technet2.microsoft.com/windowsserver2008/en/library/1f0d326d-35af-4193bda30d1688f90ea71033.msp
Reference: Windows Server 2008 screencast - Core Read Only DC creation http://blogs.technet.com/keithcombs/archive/2007/07/14/windows-server-2008-screencast-coreread-only-dc-cre

QUESTION NO: 155

Certkiller.com has a prime office and 300 site offices. To synchronize data across the prime office and the site offices, Certkiller.com utilizes a distributed data processing application. The application has many components. One of them is a Distributed Transaction Coordinator (DTC) service, which is installed on a three-node Microsoft Failover Cluster in the main office. The DTC service has a dedicated resource group called DTCRG. The three nodes are named Dnode1, Dnode2, and Dnode3. While testing the DTC service group failover, you found that the group is incapable of failing over to Dnode3 from Dnode1 and Dnode2. However, the failover works well from Dnode1 to Dnode2. In further tests, you discovered that you can fail over other resource groups to Dnode3 from Dnode1 and Dnode2. What should you do to configure the DTC service group to fail over between all cluster nodes?

A. Configure the Dnode3 as a possible owner for all cluster resources in the DTC service group
B. Configure failover to use DTC service group as the main cluster
C. Remove Dnode1 and Dnode2 from the cluster group and create a new group for DTC service
D. Select Dnode3 as a preferred owner for the DTC service group
E. All of the above

Answer: A

Explanation: The DTC service group is incapable of failing over to Dnode3 from Dnode1 and Dnode2, while the failover works well from Dnode1 to Dnode2 and other resource groups can fail over to Dnode3 from Dnode1 and Dnode2. The probable cause is that Dnode3 is not configured as a possible owner node for the cluster. A possible owner is a node in the cluster on which the resource can be brought online. Therefore, to resolve the problem, you need to configure Dnode3 as a possible owner for all cluster resources in the DTC service group.

Reference: Implementing a Two Node Cluster with Windows 2003 Enterprise http://www.redlinesoftware.com/eng/support/articles/msexchange/2003/implementing_two_node_cluster_windo
Reference: 3 or More Nodes - Failover Process http://msmvps.com/blogs/clusterhelp/archive/2006/09/27/3-or-More-Nodes-_2D00_-FailoverProcess.aspx

QUESTION NO: 156

As an administrator at Certkiller, you have installed an IIS Server role on a server that has Windows Server 2008 running as its operating system. You run CGI Legacy applications on IIS Server 5.0. These applications must be executed on an IIS Server 7.0 because you want to upgrade the IIS Server to 7.0. You upgrade and install the IIS Server 7.0 on the server and you need to configure the CGI applications to actively run on this new IIS Server. Which of the following commands should you execute on the IIS 7.0 server?

A. Execute the iiscnfg/execute: application name
B. Execute the appcmd set config/application handler/ access script enable CGI module
C. Execute the iiscnfg/enable: application name check version
D. Execute the appcmd set config/section: handlers/[name='CGiModule']. RequireAccess: Execute
E. All of the above

Answer: D

Explanation: To configure the CGI applications to actively run on this new IIS Server, you need to execute the appcmd set config/section: handlers/[name='CGiModule']. RequireAccess: Execute command. To configure request restrictions for a handler mapping, you need to use the following syntax: appcmd set config /section:handlers /[name='string'].attribute:string. To specify that a handler named 'CGiModule' requires Execute rights in order to run, you need to add the RequireAccess: Execute attribute to the above syntax.

Reference: IIS 7.0: Configure Request Restrictions for a Handler Mapping / Command Line http://technet2.microsoft.com/windowsserver2008/en/library/98dc8915-fed0-4b23a6eac7d17b80a2811033.msp

QUESTION NO: 157

Certkiller.com has two servers named CK9 and CK10. Both servers run Windows Server 2008 Enterprise edition. You have installed the Failover Clustering feature and configured the servers as a two-node cluster. An application named CKA is running on the cluster. Users require this application to be available from 09:00 to 17:00 hours, which are the Certkiller.com business hours. You have configured another server named CK2 as the preferred owner of the CKA application. What should you do to prevent failback of the cluster during business hours?

A. Open the Failover properties and enable Prevent failback
B. Configure the period option to 8 hours in the Failover properties
C. In the Failover properties, set the maximum restarts for specified period to 0
D. In the Failover properties, configure the Allow failback option to enable failback between 0900 to 1700 hours

Answer: D

Explanation: To prevent failback of the cluster during business hours, you should configure the Allow failback option to enable failback between 0900 to 1700 hours. You can access this option in Failover properties. By configuring the Allow failback option, you specify the failback of the cluster for a specific time period. The default option is 'Prevent Failback'.

QUESTION NO: 158

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed. An application called App1 runs on Certkiller Server1. Due to some requirement, you need to make some configuration changes to App1. However, after those changes, the users report that the application fails. To diagnose the problem, you checked the event log and discovered a "503 Service Unavailable" error message. Which of the following options would you choose to ensure that users are able to connect to App1?

A. Run appcmd stop apppool on Certkiller Server1
B. Run appcmd set config on Certkiller Server1
C. Run appcmd start apppool on Certkiller Server1
D. Run appcmd set apppool on Certkiller Server1

Answer: C

Explanation: To ensure that users are able to connect to App1, you need to run appcmd start apppool on Certkiller Server1. The "503 Service Unavailable" error mostly occurs whenever HTTP.SYS, the kernel HTTP driver that manages HTTP connections for IIS, fails to create an IIS worker process to process the request. This failure is typically caused by a critical error during worker process initialization, or more likely by an unhandled exception or access violation occurring during worker process startup. After a certain number of failures, the application pool will trigger Rapid Fail Protection, a WAS feature designed to stop application pools with a persistent failure condition to avoid an endless loop of failing to start worker processes. At this point, all requests to applications within the stopped application pool will result in the 503 error, and the application pool will need to be restarted manually.

Reference: Troubleshooting IIS7 503 "Service unavailable" errors with startup debugging http://mvolo.com/blogs/serverside/archive/2007/05/19/Troubleshooting-IIS7-503_2200_Serviceunavailable_22

QUESTION NO: 159

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed. The server hosts a Web application called App1 that uses a custom application pool, which is set to recycle every 1,440 minutes. App1 does not support multiple worker processes. Which of the following options would you choose to configure the application pool to ensure that users can access App1 after the application pool is recycled?

A. Set the Disable Overlapped Recycling option to True.
B. Set the Shutdown Executable option to True.
C. Set the Disable Recycling for Configuration Changes option to True.
D. Set the Process Orphaning Enabled option to True.

Answer: A

Explanation: To configure the application pool to ensure that users can access App1 after the application pool is recycled, you need to set the Disable Overlapped Recycling option to True. If your application cannot run in a multi-instance environment, you must configure only one worker process for an application pool (which is the default value), and disable the overlapped recycling feature if application pool recycling is being used.

Reference: IIS Process Recycling / Considerations When Recycling Applications http://msdn.microsoft.com/en-us/library/ms525803.aspx

QUESTION NO: 160

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. Certkiller Server1 hosts multiple websites. Which of the following options would you choose to configure the server to automatically release memory for a single website without affecting the other Web sites?

A. Modify the Physical Path Credentials on the virtual directory.
B. Modify the bindings for the Web site.
C. Modify the Recycling options from the Application Pool Defaults.
D. Create a new application pool and associate the Web site to the application pool.

Answer: D

Explanation: To configure the server to automatically release memory for a single website without affecting the other Web sites, you need to create a new application pool and associate the Web site to the application pool. An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Application pools set boundaries for the applications they contain, which means that any applications that are running outside a given application pool cannot affect the applications in the application pool. You can configure the server to automatically release memory or to release memory after reaching maximum used memory.

Reference: IIS 7.0: Managing Application Pools in IIS 7.0 http://technet2.microsoft.com/windowsserver2008/en/library/1dbaa793-0a05-4914a0654d109db3b9101033.ms
Reference: IIS 7.0: Configuring Recycling Settings for an Application Pool http://technet2.microsoft.com/windowsserver2008/en/library/0d5770e3-2f6f-4e11a47c9bab6a69ebc71033.msp

QUESTION NO: 161

As an administrator at Certkiller.com, you installed and configured an IIS server on CKS1 and added the file server role on a server named CKS2. The hard disk installed in CKS1 hosts the Certkiller/apps virtual directory. You discovered that the hard disk is running out of space, so you moved the data from the hard disk on CKS1 to a new volume, which has a new shared directory on CKS2. You named the directory CKWCKAPP. What should you do to ensure that applications use CKWCKAPP?

A. Execute the Appcmd set vdir/vdir.name: CKWCKAPP/APPS/TTO/physicalpath:\\CKS2\CKWCKAPP command on CKS1
B. Execute Appcmd set vdir/vdir.name: Certkiller /apps/ physicalPath:\\CKS2\CKWCKAPP command on CKS1
C. Execute Appcmd set vdir /vdir.name: Contoso/Apps /physicalPath:C:\WebApp command on Server2.
D. Execute Appcmd set vdir /vdir.name: CKS2/Apps /physicalPath:C:\WebApp command on CKS2.
E. None of the above

Answer: B

Explanation: To ensure that applications use CKWCKAPP, you need to execute the Appcmd set vdir/vdir.name: Certkiller /apps/ physicalPath:\\CKS2\CKWCKAPP command on CKS1. To change the path of a virtual directory's content, you need to use the following syntax: appcmd set vdir /vdir.name:string/physicalPath:string. The variable vdir.namestring is the virtual path of the virtual directory, and physicalPathstring is the physical path of the application's content.

Reference: IIS 7.0: Change the Physical Path of Virtual Directory Content http://technet2.microsoft.com/windowsserver2008/en/library/836c7fa3-e7fe-4134a970b9ae1034f2311033.mspx

QUESTION NO: 162

You are an administrator at Certkiller.com managing a member server that has Windows Server 2008 installed. An IIS Server role is installed on this member server. The IIS server hosts a restricted website that only Certkiller.com executives can access. According to the company's policy, the executives must use user certificates to access the restricted website. While monitoring the server, you found that the executives are accessing the secured website by using their usernames and passwords. What should you do to ensure that the executives can access the secured website only through user certificates?

A. Open the secure website properties dialog box and modify the SSL settings to accept 128-bit of SSL certificate for authentication
B. Install and configure a Group Policy Object to define a Certificate Trust list. Link the GPO to the IIS server to accept user certificates as login type.
C. Modify the Client Certificate settings to Require on SSL Settings for the secured website
D. Modify the Client Certificate setting to Accept in SSL settings for the secured website.
E. All of the above

Answer: C

Explanation: By default, client certificates are ignored. If you want the clients to verify their identity before they access the content of a website, you need to configure client certificates. Therefore, to ensure that the executives can access the secured website only through user certificates, you need to modify the Client Certificate settings to Require on SSL Settings for the secured website.

Reference: IIS 7.0: Specify Whether to Use Client Certificates http://technet2.microsoft.com/windowsserver2008/en/library/5adc0029-8875-4390a717e5eb2eba97781033.msp

QUESTION NO: 163

Certkiller.com has a server that runs Windows Server 2008. The server also has an instance of Active Directory Lightweight Directory Services (AD LDS) running. In order to test AD LDS, you need to replicate the AD LDS instance on a test computer located on the network. What should you do to achieve this objective?

A. Execute AD LDS Setup wizard on the test computer to create and install a replica of AD LDS.
B. Execute repadmin/bs command on the test computer
C. Install and configure a new AD LDS instance on the test computer by copy and pasting the entire partition on the test computer
D. Execute the Dsmgmt command on the test computer and create a naming context

Answer: A

Explanation: To replicate the AD LDS instance on a test computer located on the network, you should execute the AD LDS Setup wizard on the test computer to create and install a replica of AD LDS. This is the only way to replicate the AD LDS instance on another computer on the network. The setup wizard has the option to replicate the AD LDS instance on another computer.

QUESTION NO: 164

Certkiller.com has a server named CK1. CK1 runs Windows Server 2008. A Web Server (IIS) role is also installed on CK1. A public website is hosted on CK1. While monitoring the traffic on the public site, you notice an unusually high volume of traffic on the website. You need to find the source of the traffic. What should you do to achieve this objective?

A. Open the IIS server manager and enable website logging to filter the logs for the source IP address
B. Install a third-party traffic analysis software to view the source IP address of the traffic
C. Execute net session - at command on the server
D. Execute net stat/all command to view the traffic statistics
E. None of the above

Answer: A

Explanation: To find the source of the unexpected traffic, you should open the IIS server manager and enable website logging, which will filter the logs for the source IP address. It will list the IP addresses of the people visiting the website and a lot more information.
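With logging enabled, the source of the traffic is found by tallying the client IP field (c-ip) of the site's log. The Python code below is an added example, not part of the practice test: it assumes the site logs in W3C extended format with c-ip selected, and the log lines and addresses are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log (documentation address ranges, not real traffic).
# The second #Fields directive mimics a logging-field change made mid-file,
# and the last line is a truncated entry.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-10-19 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-10-19 09:00:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-10-19 09:00:02 192.0.2.10 GET /search.aspx q=a 80 - 203.0.113.50 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-10-19 09:00:02 192.0.2.10 GET /search.aspx q=b 80 - 203.0.113.50 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-10-19 09:00:03 192.0.2.10 GET /search.aspx q=c 80 - 203.0.113.50 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-10-19 09:00:04 192.0.2.10 GET /images/logo.gif - 80 - 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-10-19 09:05:00 203.0.113.50 GET /search.aspx 200
2009-10-19 09:05:01 203.0.113.50 GET /default.htm 200
2009-10-19 09:05:02 198.51.100.7 GET /default.htm 200
2009-10-19 09:05:03 203.0.113.50 GET
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only #Fields matters here; it can reappear with a new column
            # order whenever the logging configuration changes.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # entries before any #Fields line cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry, skip rather than misread
        yield dict(zip(fields, values))


def traffic_by_source(lines):
    """Return (requests per client IP, per-IP counter of requested URIs)."""
    hits = Counter()
    uris = defaultdict(Counter)
    for rec in parse_w3c(lines):
        ip = rec.get("c-ip")
        if ip is None or ip == "-":
            continue  # c-ip was not selected for logging in this part of the file
        hits[ip] += 1
        uris[ip][rec.get("cs-uri-stem", "-")] += 1
    return hits, uris


def top_sources(lines, n=3):
    """Return [(ip, requests, percent of all requests, most requested URI)]."""
    hits, uris = traffic_by_source(lines)
    total = sum(hits.values())
    return [
        (ip, count, round(100 * count / total, 1), uris[ip].most_common(1)[0][0])
        for ip, count in hits.most_common(n)
    ]


if __name__ == "__main__":
    for ip, count, pct, uri in top_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {count:5} requests  {pct:5}%  mostly {uri}")
```
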

QUESTION NO: 165

Certkiller.com has a server that runs Windows Server 2008. You install the Web Server (IIS) role on this server. The server hosts the company's default website with an IP address of 23.52.10.1. Certkiller.com has instructed you to add a website named Customer Service on the server. After doing the necessary configuration, you find that the Customer Service website cannot be started. What should you do to configure and start the Customer Service website?

A. Configure Customer Service Website to use a host header
B. Execute iisreset/enable command on the server
C. Execute iisconfig/renew command and add /name: Customer Service/id:1/physicalPath: c:\Customer Service/binding: port 50
D. Execute the iisreset/start Customer Service:8080 command on the server

Answer: A

Explanation: To get the Customer Service website started, you need to configure the website to use a host header. A host header is a third piece of information that you can use in addition to the IP address and port number to uniquely identify a Web domain or, as Microsoft calls it, an application server. For example, the host header name for the URL http://www.Certkiller.com is www.Certkiller.com.

Reference: http://www.visualwin.com/host-header/

QUESTION NO: 166

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role and all the Web Server role services installed on it. Which of the following features would you configure on the server to provide a user the ability to administer a website?

A. Configure .Net Users feature on Certkiller Server1
B. Configure .Net Roles feature on Certkiller Server1
C. Configure IIS Manager Permissions feature on Certkiller Server1
D. Configure Authentication feature on Certkiller Server1

Answer: C

Explanation: To provide a user the ability to administer a website, you need to configure the IIS Manager Permissions feature on Certkiller Server1. The IIS Manager Permissions feature is used to allow users to connect to sites and applications in IIS Manager. Permitted users can configure delegated features in any sites or applications for which they have permission. Users can be either IIS Manager users, which are credentials created in IIS Manager by using the IIS Manager Users feature, or Windows users and groups on the local computer or on the domain to which the computer belongs.

Reference: IIS 7.0: Configuring Permissions for IIS Manager Users and Windows Users http://technet2.microsoft.com/windowsserver2008/en/library/33aaec94-c0cb-4402b91ea5e3b9c3e0e01033.msp

QUESTION NO: 167

Certkiller.com has Windows Server 2008 installed on a server that runs the IIS server role. Users complain that when they try to connect to the IIS server, they receive an error message. You check the server and receive the following message: "The maximum number of worker processes is reached or out of resources." Which command should you execute to identify the website that is causing this problem?

A. Execute appcmd list wp
B. Execute appcmd list site
C. Execute cmd command and list the IIS server running on the computer
D. Execute apppool.exe to identify the website causing problem
E. None of the above

Answer: A

Explanation: To identify the website that is causing this problem, you need to execute appcmd list wp. AppCmd.exe is the single command line tool for managing IIS 7.0 without using a graphical administration tool. The LIST command is used to display the objects on the machine. An optional can specify a unique object to list, or one or more parameters can be specified to match against object properties. You can use the WP (worker process) object to list running worker processes and thereby identify the website that is causing this problem.

Reference: Overview of Command Line Administration - AppCmd.exe http://www.iis.net/954/SinglePageArticle.ashx

QUESTION NO: 168

Exhibit:

Certkiller.com has a server that runs Windows Server 2008. You install an IIS server role on this server. Certkiller.com has decided to add a new website to the IIS server. The settings of the new site are shown in the exhibit. What would you do to set up the new website according to the settings shown in the exhibit?

A. Open the command prompt on the server and execute the appcmd set app /app.name:Certkiller /[path='/'].physicalPath:d:\Certkiller_content_ID2 command
B. Open the command prompt on the server and execute the appcmd add site /name:Certkiller /id:45 /physicalPath:f:\Certkiller_content /binding:http/:80:www.Certkiller.com command
C. Open the command prompt on the server and execute the appcmd add app /app.name:Certkiller /[path='/']
D. Execute the command set-location/ Certkiller -new website port: 80 by utilizing the MS Windows command prompt utility
E. None of the other alternatives apply

Answer: E

Explanation: To set up the new website according to the settings shown in the exhibit, you need to run the following command on the server: appcmd add site /name:Certkiller /id:2 /physicalPath:d:\Certkiller_content /binding:http/*:80:www.Certkiller.com. To add a site, you need to use the following syntax: appcmd add site /name:string /id:uint /physicalPath:string /bindings:string

Reference: IIS 7.0: Create a Web Site / Command Line http://technet2.microsoft.com/windowsserver2008/en/library/f6c26eb7-ad7e-4fe292399f5aa4ff44ce1033.mspx

QUESTION NO: 169

Certkiller.com has a member server that runs Windows Server 2008. An IIS Server role is installed on the member server. This member server hosts an intranet website. Windows Authentication is set up on the website and it is the only authentication method that is active on the server. You decide to create a virtual directory named /tm/. This directory has content that can be accessed only by the Technical management global group. What should you do to configure options on the website to allow only the Technical management group to access the /tm/ virtual directory?

A. Reconfigure the default Authorization rule on /tm/ directory
B. Configure a deny authorization rule on /hr/ virtual directory that denies all anonymous users and allow only users in Technical management global group
C. Configure the Allow Authorization rule on /tm/ directory. Set the roles and user groups setting and allow Technical management users group to access the directory
D. Add a Deny Authorization rule on the user groups for all other groups and set the allow option for technical management group in the user roles
E. None of the above

Answer: C

Explanation: To configure options on the website to allow only the Technical management group to access the /tm/ virtual directory, you need to configure the Allow Authorization rule on the /tm/ directory. Select the Specified users setting and add the Technical management group name. The Authorization rule allows you to add additional authentication and authorization settings for the specific user accounts for a website.

Reference: Creating a New FTP Site / Step 2: Adding Additional FTP Security Settings http://learn.iis.net/page.aspx/301/creating-a-new-ftp-site/

QUESTION NO: 170

Certkiller.com provides Web hosting services. As an administrator, you manage the server that has Windows Server 2008 installed on it as its operating system. An IIS server role is installed on this server. The server has multiple websites running. You have to configure a new website for a new client on the IIS server. While deploying the website on the server, you find that the website looks like an FTP download page instead of the normal HTTP page that presents the content without letting anyone download it. You have to set up the website to present the content through HTTP and make sure the files are not downloaded by the users. Which two actions should you perform to complete this task? (Choose two answers. Each answer is a part of the complete solution.)

A. Match the webpage file to the website by configure the default document setting
B. Configure the website to use the application pool
C. Execute the appcmd set config/section:directoryBrowse/enabled: false command
D. Configure the directory that hosts website to grant Allow, read and execute permission to the users of the website content
E. Configure a DNS zone for the domain that hosts website and create a CNAME record

Answer: A,C

Explanation: To set up the website to present the content through HTTP and make sure the files are not downloaded by the users, you need to first match the web page file to the website by configuring the Default document setting and then execute the appcmd set config/section: directoryBrowse/enabled: false command. Configuring the default document setting will allow you to hide the document name while showing its content. The default document specifies what file to serve. The appcmd set config/section: directoryBrowse/enabled: false command will allow you to turn off directory browsing on the website.

Reference: Default Documents http://learn.iis.net/page.aspx/203/default-documents/
Reference: Getting Started with AppCmd.exe / Controlling Location of Configuration http://learn.iis.net/page.aspx/114/getting-started-with-appcmdexe/

QUESTION NO: 171

Certkiller.com has a server that runs Windows Server 2008. A Web Server (IIS) role is installed on the server, which is used to host multiple websites. You are assigned to release memory for a single website. You have to configure the server to release memory automatically. What should you do to achieve this objective without affecting other websites hosted on the same Web server?

A. Change the Recycling options from the application pool defaults
B. Edit the bindings for the website by creating a new website
C. Create and configure a virtual directory. Link the physical path credentials to the website
D. Associate the website to an application pool by creating a new application pool

Answer: D

Explanation: To configure the server to release memory automatically without affecting other websites hosted on the same web server, you should associate the website to an application pool by creating a new application pool. Application pools help isolate the applications running on a web server. Each application pool has its own worker process in the system. An application added to a specific pool never affects applications in other pools. Even if the application process crashes, only the pool that is hosting it will be affected. The web server and other pools will continue to run normally.

QUESTION NO: 172

Certkiller.com has a server running Windows Server 2008. The Web Server (IIS) server role is also installed on it. The IIS server hosts a website. You are instructed to ensure that the cookies sent from the website are encrypted on users' computers. Which website feature should you configure to achieve this task?

A. Controls and Pages
B. Authorization Rules
C. Machine Key
D. IIS Secure Socket Layer configuration
E. None of the above

Answer: C

Explanation: To encrypt the cookies sent from the website on the users' computers, you need to use the machine key. Encrypting cookies is important to prevent tampering. A hacker can easily view a cookie and alter it. So to protect the cookie, the machine key is used in ASP.NET 2.0. Encryption is based on a hash plus the actual data encrypted, so that if you try to change the data, it's pretty difficult. ASP.NET's ViewState uses the Machinekey config file section to configure the keys and such. This is important when the application is going to be run on a web farm, where load-balancing web servers may be in no-affinity mode.

Reference: http://www.codeproject.com/KB/web-security/HttpCookieEncryption.aspx

QUESTION NO: 173

Certkiller.com has a server that runs Windows Server 2008. You have installed the Web Server (IIS) role on it. Certkiller plans to host multiple websites on the server. To achieve this, you configure a single IP address on the server. You also configure all websites to be registered in DNS to point to the single IP address configured on the server. You have to make sure that each and every website responds only to the name requests from all client machines. What should you do to achieve this task?

A. Configure the primary and secondary DNS to point to the server's IP address
B. Configure a network address for each website
C. Assign a unique port for each website
D. Configure and assign a unique Host Header to each website

Answer: D

Explanation: To ensure that each and every website responds only to the name requests from all client machines, you should configure and assign a unique Host Header to each website. A host header is a third piece of information that you can use in addition to the IP address and port number to uniquely identify a Web domain or, as Microsoft calls it, an application server. For example, the host header name for the URL http://www.Certkiller.com is www.Certkiller.com.

Reference: http://www.visualwin.com/host-header/

QUESTION NO: 174

Certkiller.com has 20 servers that run Windows Server 2008. All servers have the Web Server (IIS) server role installed. As members of a server farm, all servers host the same website. Certkiller.com has instructed you to configure the servers to meet the minimized administrative effort policy. You need to configure the servers so that web server configuration changes made on one server are made on all the servers in the farm. You have to make sure that the administrative effort to perform the configuration changes is minimized. What should you do to achieve this task?

A. Create a scheduled task on a single server and copy the Inetpub folder and put it on all the servers
B. Configure the shared configuration group policy and apply it on all the servers
C. Create a script that enables a single server to impose its configuration settings on all other servers
D. Configure the Shared Configurations setting on all servers

Answer: D

Explanation: To ensure that the administrative effort to perform the configuration changes is minimized, you should configure the Shared Configurations setting on all servers. This will allow a config file to be shared among other servers, and they can use that file to update their configuration settings.

Reference: http://technet2.microsoft.com/windowsserver2008/en/library/8941cb68-2833-4788-9ef38714fe9113001033

QUESTION NO: 175

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. Which of the following commands would you choose to create a virtual directory on the company website www.Certkiller.com/sl for the Sales department?

A. appcmd add site /name:sl /physicalPath:c:\websites\sl
B. appcmd set vdir /vdir.name:sl /path:/sl /physicalPath:c:\websites\sl
C. appcmd add app /app.name:Certkiller /path:/sl /physicalPath:c:\websites\sl
D. appcmd add vdir /app.name:Certkiller /path:/sl /physicalPath:c:\websites\sl

Answer: D

Explanation: The syntax to add a virtual directory to the root application in a site is:

appcmd add vdir /app.name:string/ /path:string /physicalPath:string

The variable app.name string is the site name, and the / following the name specifies that the virtual directory should be added to the root application of the site. The variable path string is the virtual path of the virtual directory, such as /sl, and physicalPath string is the physical path of the virtual directory's content in the file system. For example, to add a virtual directory named sl with a physical location of c:\websites to the root application in a site named Certkiller, you need to type the following at the command prompt:

appcmd add vdir /app.name:Certkiller/ /path:/sl /physicalPath:c:\websites\sl

Reference: IIS 7.0: Create a Virtual Directory http://technet2.microsoft.com/windowsserver2008/en/library/87d8a3d7-8d90-46268f853c782ec9a5331033.msp

QUESTION NO: 176

Certkiller network contains an Internet Information Services (IIS) 7.0 server, named IISSrv, which runs Windows 2008 server. IISSrv hosts an application named DreamGraphics within the Dreamsuites Website, which uses a virtual directory named "IISSrv\GFX\Logos. You are experiencing performance degradation of IISSrv server due to low disk space over a period of time, so you have installed a new server on the network named Dream1 and moved the contents of the virtual directory to the \\Dream1\DreamSuites\GFXdata folder. What should be done to ensure that users are able to access the contents of \\Dream1\DreamSuites\GFXdata folder?

A. Run the Appcmd set vdir /vdir.name:"Dreamsuites/GFX/Logos" /physicalPath:\\Dream1\DreamSuites\GFXdata command.
B. Run the Appcmd set vdir /vdir.name:"Dreamsuites/GFX/Logos" /path:\\Dream1\DreamSuites\GFXdata command.
C. Run the Appcmd set vdir /vdir.name:"Logos" /physicalPath:\\Dream1\DreamSuites\GFXdata command.
D. Run the Appcmd set vdir /vdir.name:"Logos" /path:\\Dream1\DreamSuites\GFXdata command.
E. None of the above

Answer: A

Explanation: To ensure that users are able to access the contents of \\Dream1\DreamSuites\GFXdata folder, you need to run the Appcmd set vdir /vdir.name:"Dreamsuites/GFX/Logos" /physicalPath:\\Dream1\DreamSuites\GFXdata command. This is because, when you move the location of a virtual directory's content in the file system, you must also update the physical path in IIS to ensure that users are able to access the content of the virtual directory. You can run Appcmd set vdir command with the /vdir.name and /physicalPath parameters to change the path to a virtual directory's content. The /vdir.name parameter specifies the virtual path of the virtual directory. The /physicalPath specifies the physical path to the content used by the application.

Reference: IIS 7.0: Change the Physical Path of Virtual Directory Content http://technet2.microsoft.com/windowsserver2008/en/library/836c7fa3-e7fe-4134a970b9ae1034f2311033.mspx

QUESTION NO: 177

Certkiller network had recently migrated to Windows Server 2008 and you installed Internet Information Services (IIS) 7.0 on it. You have one UNIX Web server in the organization running two websites. You plan to migrate those websites to the new Windows Server 2008 server. What tool should you use to migrate websites?

A. IIS Migration Wizard
B. Sitemigrationtool.exe
C. Migrate.exe
D. Take a backup and restore on new server
E. None of the above

Answer: A

Explanation: To migrate the websites on the UNIX web server to the new Windows Server 2008 server, you need to use the IIS Migration Wizard, which allows UNIX-to-Windows migration.

Reference: HOW TO: Use the IIS Migration Wizard for a UNIX-to-Windows Migration http://support.microsoft.com/kb/324063

QUESTION NO: 178

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. A web developer configured a Web site named Certkiller.com and a Web application named Certkiller App on the Web server. However, after this configuration, the Web server runs out of disk space. So to resolve the problem, you move Certkiller App to another drive on the Web server. The exhibit shows the current application configuration. After moving Certkiller App to another drive on the Web server, the users reported that they cannot access Certkiller App. Which of the following options would you choose to enable users to access Certkiller App?

[Exhibit: current application configuration]

A. Run appcmd add app /site.name:Certkiller /path:/Certkiller App /physicalPath:d:\Certkiller App command on the server
B. Run appcmd set app /site.name:Certkiller /path:/Certkiller App /physicalPath:d:\Certkiller App command on the server
C. Run appcmd set app /site.name:Certkiller /path:/Certkiller App /physicalPath:f:\Certkiller App command on the server
D. appcmd add app /site.name:Certkiller /path:/Certkiller App /physicalPath:f:\Certkiller App command on the server

Answer: C

Explanation: To enable users to access Certkiller App on another drive on the Web server, you need to run appcmd set app /site.name:Certkiller /path:/Certkiller App /physicalPath:f:\Certkiller App command on the server.

Reference: IIS 7.0: Appcmd.exe http://technet2.microsoft.com/windowsserver2008/en/library/ec52c53b-6aff-4d76995e3d222588bf321033.msp

QUESTION NO: 179

Certkiller.com has a web hosting service. It hosts websites for 40 customers. An SMTP server is dedicated for each website. You changed the server and installed the IIS server role and SMTP server on the new server that is running Windows Server 2008. Certkiller.com has acquired a new client. You create their website and install the SMTP server for the new client. However, the SMTP server fails to start. What should you do to configure the new SMTP server to start on the IIS server? (Select all that apply)

A. Configure the SMTP server to integrate the IIS server role
B. Use a different IP address for the new SMTP server
C. Configure the SMTP server by using the iiscnfgr/enable command on the IIS server
D. Add the SMTP server IP address in the IIS Server SMTP settings
E. Use a different port for the new SMTP server

Answer: B,E

Explanation: To configure the new SMTP server to start on the IIS server, you need to either use a different IP address for the new SMTP server or use a different port for the new SMTP server. This is because more than one virtual server can use the same TCP port if all servers are configured by using different IP addresses.

Reference: IIS 7.0: Configure SMTP E-mail http://technet2.microsoft.com/windowsserver2008/en/library/e56b93b1-8521-48aba902e47b0ee4408b1033.ms

QUESTION NO: 180

You are running an SMTP server on a Windows Server 2008 server. Some of the developers want to create a set of web pages that let a user type a message in a form and mail it to techsupport@mail.Certkiller.com. The form creates a text file with the proper SMTP headers. In which folder should the file be copied?

A. Mailroot\Delivery
B. Mail\Queue
C. Mailroot\Pickup
D. Mailroot\Queue
E. None of the above

Answer: C

Explanation: The file should be copied to the Mailroot\Pickup folder because all the files copied to the Mailroot\Pickup folder are processed and delivered as regular mail.

Reference: SMTP and IIS / OVERVIEW OF THE MESSAGE DELIVERY PROCESS http://www.windowsitlibrary.com/Content/141/09/1.html

QUESTION NO: 181

Certkiller.com has a server named CK1 which runs Windows Server 2008. An IIS role and an SMTP server feature are also installed on CK1. You are assigned a task to configure the new SMTP server to forward all mails to the mail server of the ISP (Internet Service Provider). What should you do to achieve this objective?

A. Execute the adprep/dm: getfromiis command
B. Configure the local host to use smart host setting
C. Configure the SMTP delivery setting to open ports assigned by ISP for SMTP service
D. Set smart host setting to employ the mail server of ISP

Answer: D

Explanation: To configure the new SMTP server to forward all mails to the mail server of the ISP, you should set the smart host setting to use the ISP mail server. A smart host server helps you in delivering all your mail. It processes bounce-backs, retries and general mail delivery. Due to the processor-intensive nature of the mail delivery system with millions of spam messages, a server can get overwhelmed processing mails. It doesn't have enough time to do normal web serving. To address this issue, you should use smart host on your ISP mail server to manage the mail delivery and the related tasks.

QUESTION NO: 182

Certkiller.com has a Windows Server 2008 server named S1. You have installed the Web Server (IIS) server role on S1. The server has an SMTP gateway that connects to the internet. You have an internal firewall installed on the network which prevents all client machines from establishing a connection to the internet except the SMTP gateway over TCP port 25. You configure the SMTP gateway to relay e-mail for S1. What should you do to configure a website on S1 to send email to internet users?

A. Install and configure SMTP server feature on S1
B. Configure the SMTP email feature for the website on S1
C. Create a DNS server on S1 and configure the SMTP mail service
D. Create an MX record for the SMTP gateway on an internal DNS server
E. None of the above

Answer: B

Explanation: To configure a website on a server to send email to the internet users, you should configure the SMTP email feature for the website on that server. The Simple Mail Transfer Protocol allows the emails to be sent to a specific address.

Reference: http://technet2.microsoft.com/windowsserver2008/en/library/4ade618d-ff7a-4359b6ba4982f0bdf4a51033.mspx

QUESTION NO: 183

Certkiller.com has a server that runs Windows Server 2008. You have installed Windows SharePoint Services (WSS) role on the Windows Server 2008 server. You want to configure WSS to support SMTP. What should you do to achieve this task?

A. Reinstall the WSS role
B. Open the Server Manager console and install Application Server
C. Configure port 25 for WSS role
D. Open the Server Manager console and install the SMTP Server feature

Answer: D

Explanation: To configure WSS to support SMTP, you should install the SMTP server feature through Server Manager Console. Based on SMTP, WSS works with any mail server or SMTP gateway. It acts as an SMTP relay (it does not store mail, only forwards it) and handles all incoming and outgoing SMTP traffic. For most installations, you'll simply have to modify your domain MX record and make a few configuration changes on your e-mail server. When installing WSS on the same host as your mail server, you must make additional configuration changes, such as SMTP port numbers.

Reference: http://www.networkcomputing.com/913/913sp3.html

QUESTION NO: 184

You manage a server that runs Windows Server 2008. You have installed the Windows SharePoint Services (WSS) server role on the server. The server is configured to accept incoming mail. To streamline the process, you create a new document library. You have to make sure that any user can send email to the document library. What should you do to achieve this task?

A. Change the incoming email settings for the document library
B. Enable basic user authentication for the document library
C. Modify the document library settings to accept emails from SMTP servers
D. Change the permissions for the document library

Answer: A

Explanation: To ensure that any user can send email to the document library, you should change the incoming mail settings for the document library.

Reference: http://technet.microsoft.com/en-us/library/cc262947(TechNet.10).aspx

QUESTION NO: 185

You had installed a new Windows Server 2008 server in your network with the UDDI Services role. As per company security policy you need to define security roles in UDDI Services in order to define the level of access / interaction for each user / user group. You have an OU named CKCommunications; this OU consists of a group of people who belong to the Corporate Communication department. Users of this department need to query, publish, and configure data in the UDDI Services Web-based user interface. What security role would you assign them to successfully carry on their duties?

A. Assign User role
B. Assign Publisher role
C. Assign Administrator role
D. Assign Coordinator role
E. None of the above

Answer: D

Explanation: To query, publish, and configure data in the UDDI Services Web-based user interface, you need to assign the Coordinator role to the CKCommunications group. UDDI Services contains four roles that define the level of interaction that each user is allowed. The Coordinator role allows users to query, publish, and configure data in the UDDI Services Web-based user interface. Besides, a Coordinator can view and modify any data stored in UDDI Services, change entity ownerships, import categorization schemes, and generate and view statistical reports.

Reference: Introduction to UDDIServices / UDDIServices Roles https://rdws.rd.go.th/uddipublic/help/1033/intro.whatisuddi.aspx

QUESTION NO: 186

You had installed a new Windows Server 2008 server in your network with the UDDI Services role. You want to use SSL certificates for publishing updates to provide increased security for communication between client computers and the UDDI Services Web Application. SSL is enabled for publishing updates to the UDDI Services site but your UDDI services are still not functioning. What should you do?

A. To use SSL encryption, you must have an SSL authentication certificate installed for Internet Information Services (IIS) that hosts the UDDI Services Web Application
B. Enable use of SSL encryption in Secure communications tab under UDDI services
C. UDDI doesn't support SSL encryption
D. You need to have Publisher rights to use SSL encryption with UDDI services
E. None of the above

Answer: A

Explanation: To use SSL certificates for publishing updates to provide increased security for communication between client computers and the UDDI Services Web Application, you must have an SSL authentication certificate installed for Internet Information Services (IIS) that hosts the UDDI Services Web Application. You can use Certificate Server to issue certificates for use with the Secure Sockets Layer (SSL). This is typically done on a local intranet, where you have the ability to directly inform your clients that they can trust your certificates.

Reference: How to configure Certificate Server for use with SSL on IIS http://support.microsoft.com/kb/218445

QUESTION NO: 187

Certkiller.com has a server that runs Windows Server 2008. You install an IIS server role on that server. You add a website to the server that uses a virtual directory called CKV1. The virtual directory holds an approved CGI application. While testing the website, the CGI application fails. As per company security policy, permission should not be granted to any application unless it is needed to achieve an approved business goal. How should you configure the handler permission to enable the CGI application to be used while fulfilling the company's security policies?

A. Enable the Read, write option on the CKV1 virtual directory
B. Enable the Execute option on the CKV1 virtual directory
C. Enable the Read, write option in the website options menu
D. Enable the execute script option in the website options menu
E. All of the above

Answer: B

Explanation: To configure the handler permission to enable the CGI application to be used while fulfilling the company's security policies, you need to enable the Execute option on the CKV1 virtual directory. Due to the security settings in IIS 6 and 7, generic ISAPI and CGI extensions (and even ASP and ASP.NET) are not allowed to execute. The extension needs to be explicitly enabled.

Reference: Windows Vista and Windows Server 2007 IIS 7 Configuration / Setting the ISAPI Restrictions for each copy of wc.dll http://www.west-wind.com/webconnection/docs/_22f0xkbmq.htm

QUESTION NO: 188

Windows Server 2008 provides a feature that disables unneeded services and blocks unused or unnecessary ports to reduce the attack surface of a server. What is the name of the tool used to achieve this?

A. Windows Firewall
B. SCWcmd.exe
C. Security configuration wizard
D. Appcmd.exe
E. Winfat.exe

Answer: B,C

Explanation: You can use either the SCW or the SCWcmd.exe command-line tool to disable unneeded services and block unused or unnecessary ports to reduce the attack surface of a server.

Reference: Chapter 2: Reducing the Attack Surface by Server Role / Security Configuration Wizard http://technet.microsoft.com/en-us/library/cc264464.aspx

QUESTION NO: 189 CORRECT TEXT

Certkiller network consists of Windows Server 2008 servers and Windows Vista client computers. You are formalizing the security policies related to ASP.NET-based web applications that are developed internally. You need to create a list of the .NET trust levels, along with the functions that these levels will allow. (See Exhibit C). Place the corresponding trust level required to DENY the applications to perform a specific function.

Exhibit C

QUESTION NO: 190

What is the command line (CLI) utility provided in IIS 7.0 to manage .NET Trust levels?

A. .NETTrust.exe
B. Appcmd.exe
C. Setturst.exe
D. Edit the configuration file on IIS interface
E. None of the above

Answer: B

Explanation: The command line utility provided in IIS 7.0 to manage .NET Trust levels is Appcmd.exe. The following syntax can be used to set the trust level:

appcmd set config /commit:Webroot /section:trust /level: Full | High | Medium | Low | Minimal

Reference: IIS 7.0: Set a Trust Level / Command Line http://technet2.microsoft.com/windowsserver2008/en/library/53af2681-45d4-4b759004bd8a502f9cb91033.msp

QUESTION NO: 191

You are an administrator at Certkiller.com. You have been instructed to install Web Server (IIS) on a new Windows Server 2008 server. After installing IIS, you install Microsoft .NET framework 1.0 application on a website hosted on the server. You also have to make sure that all applications must run on a minimum level of permission according to the company security policy. You should configure the website application to have permissions to execute without creating other content or accessing Windows Server 2008 system components. What should you do to achieve this task?

A. Configure the .NET Framework website trust level to low
B. Configure the .NET Framework website trust level to High
C. Configure the .NET Framework website trust level to Full
D. Configure the .NET Framework website trust level to Medium
E. Configure the .NET Framework website trust level to Optimal

Answer: C

Explanation: To configure the website application to have permission to execute without creating other content or accessing Windows Server 2008 system components, you should configure the .NET Framework website trust level to full. In the .NET Framework, code access security controls access to resources by controlling how code runs. When a user runs an application, the common language runtime assigns the application to any one of the following five zones:

1. My Computer - The application code is hosted directly on the user's computer.
2. Local Intranet - The application code runs from a file share on the user's intranet.
3. Internet - The application code runs from the Internet.
4. Trusted Sites - The application code runs from a Web site that is defined as "Trusted" in Internet Explorer.
5. Untrusted Sites - The application code runs from a Web site that is defined as "Restricted" in Internet Explorer.

You can set the security level for each zone to High, Medium, Medium-low, or Low.

Reference: http://support.microsoft.com/kb/832742

QUESTION NO: 192

[Exhibit: website authentication settings]

Certkiller.com has a member server that is under your control. The member server has Windows Server 2008 installed as its prime operating system. An IIS server role is installed on the server, which also hosts an intranet website of Certkiller.com's. The website authentication settings are shown in the exhibit. Certkiller.com has a branch office that accesses the intranet through a proxy server. All client machines in the branch office and the main office use Microsoft Internet Explorer. Users on the corporate network in the main office have no problems authenticating to the intranet website, while the users in the branch office are unable to authenticate and access the website. The authentication process is encrypted on the IIS server to enhance the performance. What should you do to configure the website to support authentication for the users in the main office and the users in the branch office?

A. Enable the Basic authentication settings and Disable the Windows Authentication setting for the users. After that select Require SSL through website properties
B. Configure each client machine in the branch office and deselect Integrated Windows authentication option in the Internet Options Advanced settings dialog box.
C. Add the Digest Authentication role service to the IIS server. Configure the Digest Authentication setting to Enabled.
D. Add and enable the Host Credential Authorization Protocol role service on the IIS server
E. None of the above

Answer: C

Explanation: The users in the branch office are unable to authenticate and access the website because they were accessing the intranet through a proxy server and the authentication method configured (Windows Authentication) did not support the proxy server. To configure the website to support authentication for the users in the main office and the users in the branch office, you need to add the Digest Authentication role service to the IIS server and then configure the Digest Authentication setting to Enabled. Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. When you need improved security over Basic authentication, consider using Digest authentication, especially if users who must be authenticated access your Web site from behind firewalls and proxy servers.

Reference: Available Role Services in IIS 7.0 / Security Features http://technet2.microsoft.com/windowsserver2008/en/library/1ec80c97-4455-4829a31930e1e1c081691033.msp

QUESTION NO: 193

You are running a Windows Server 2008 server with the IIS server role installed. The web server is hosting the Intranet site and using Windows Authentication as the only authentication method that is set to Enabled. You need to create a new virtual directory /Sales/ which holds contents that can be accessed only by the members of the SalesUsers global group. What should you do?

A. Remove the Default Allow Authorization rule the /Sales/ virtual directory
B. Modify the Default Allow Authorization rule on the /Sales/ virtual directory. Select the specified roles or user groups setting and add the SalesUsers group name
C. Add a new Deny Allow Authorization rule on the /Sales/ virtual directory that applies to all anonymous users. Remove the Default Allow Authorization rule on the /Sales/ virtual directory
D. Modify the Default Allow Authorization rule on the /Sales/ virtual directory. Select the specified roles or user groups setting and add the SalesUsers group name. Add a new Deny Authorization rule that applies to all users on the /Sales/ virtual directory.
E. None of the above

Answer: B

Explanation: To create a new virtual directory /Sales/ which holds contents that can be accessed only by the members of the SalesUsers global group, you should modify the Default Allow Authorization rule on the /Sales/ virtual directory. Then, select the specified roles or user groups setting and add the SalesUsers group name.

QUESTION NO: 194

As the network administrator of Certkiller, it was your responsibility to ensure that all computers on the corporate network are always updated with Microsoft updates. To ensure that all computers get the latest updates, you installed WSUS on a server called Certkiller 10 that runs Windows Server 2008. To ensure secure communication between the WSUS administrative Web site and the server administrator's computer, you decided to encrypt the traffic between them. Which of the following options would you choose to accomplish this task?

A. On the Certkiller 10 execute the netdom trust /SecurePasswordPrompt command from the command prompt.
B. Configure the Certkiller 10 to require Integrated Windows Authentication (IWA) when user connects to it.
C. Configure SSL encryption on the WSUS server web site on Certkiller 10.
D. Configure the NTFS permissions on the content directory of Certkiller 10 to Deny Full Control permission to the Everyone group.
E. None of the above

Answer: B

Explanation: To ensure that the traffic between the WSUS administrative Web site and the server administrator's computer is encrypted, you need to first configure IIS to disable anonymous access to the ServerSyncWebService virtual directory and then enable Integrated Windows authentication. You cannot set up the entire WSUS Web site to require SSL. This would mean that all traffic to the WSUS site would have to be encrypted, whereas WSUS only encrypts metadata traffic.

Reference: Plan and Assess: Using Windows Server Update Services (WSUS) http://technet.microsoft.com/en-us/updatemanagement/bb245871.aspx

QUESTION NO: 195

You are an administrator at Certkiller.com. You are instructed to implement a member server that runs Windows Server 2008. The Web Server (IIS) role is also installed on the member server. The primary purpose of the member server is to host intranet websites. The company policy dictates that a server should:

1. Use encryption for all authentication traffic to the intranet website
2. Avoid SSL on the web server for performance reasons
3. Authenticate users through Active Directory credentials

What should you do to configure all websites on the server according to the company policy? (Choose three answers. Each answer is a part of the complete solution)

A. Enable the Active Directory Client Certificate Authentication on the server
B. Disable the Basic Authentication setting on the server
C. Enable Digest Authentication setting on the server
D. Enable Windows Authentication setting on the server
E. Disable Anonymous Authentication setting on the server

Answer: C,D,E

Explanation: To configure all websites on the server according to the company policies, you should first disable the Anonymous Authentication setting on the server and then enable the Digest Authentication and Windows Authentication settings on the server.

Reference: http://support.microsoft.com/kb/810572

QUESTION NO: 196

Certkiller.com has an Active Directory domain. Another administrator at Certkiller.com attempts to log on to a computer that was offline for 12 weeks. While accessing the computer, the administrator receives an error message that authentication has failed. What should you do to ensure that the administrator can log on to the computer?

A. Disjoin the computer from the domain and rejoin it to the domain. Reset the computer account
B. Delete the computer account from the organizational unit and then add the account again
C. Execute the netsh command on the computer and set the machine options
D. Execute netsh trust/reset command and join the computer to the domain again.

Answer: A

Explanation: To ensure that the administrator can log on to the computer, you should disjoin the computer from the domain and rejoin it again. Reset the computer account too. Due to long inactivity, the computer was not responding to the authentication query using the Active Directory records. So when you disjoin and rejoin the computer to the domain and reset the computer account, the Active Directory refreshes the records. After that the administrator can easily log on to the computer.

QUESTION NO: 197
Certkiller plans to open a new branch office. Sales users at the branch office need to dial in to the company network, so you created a template account for them. How do you ensure that all new user accounts in the sales department will have the desired dial-in rights?

A. Add the group membership information to the template account, and then create a connection request policy that includes the new group
B. Add the group membership information to the template account, and then create a group policy that grants the new group local logon permissions
C. Modify the schema for the account by changing the logon hours to 6:00 - 18:00 hours from Monday to Friday
D. Modify the schema for the group membership attribute by selecting the Index this attribute in the Active Directory check box.
E. None of the above

Answer: A

Explanation: To ensure that all new user accounts in the sales department will have the desired dial-in rights, you need to add the group membership information to the template account, and then create a connection request policy that includes the new group. The connection request policy allows you to configure the desired dial-in rights for the users on the Network Policy Server. Network Policy Server is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server and proxy. You can use NPS to centrally manage network access through a variety of network access servers, including wireless access points, VPN servers, dial-up servers, and 802.1X authenticating switches.

Reference: Network Policy Server http://technet2.microsoft.com/windowsserver2008/en/library/d347e8aa-3d9b-43a58a4a0faf4c5baf141033.mspx

QUESTION NO: 198
Certkiller network is running a domain controller on Windows Server 2008. Users of the International marketing department need to access a specific web-based application related to sales. Once the order is finalized, the users need to access the application and update the status. You are currently running IPv4 in your network. What should you do to grant sales users the permission to access the local area network using dial-up?

A. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties, select the Allow callers to access my local area network check box
B. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties, Select Assign TCP/IP addresses automatically
C. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties, Select Allow calling computer to specify its own IP address
D. None of the above

Answer: A

Explanation: To grant sales users the permission to access the local area network using dial-up, you need to select the Allow callers to access my local area network check box on the Networking tab under Internet Protocol Version 4 (TCP/IPv4). The Allow callers to access my local area network option allows incoming users to access the local area network on which the dial-up host computer resides.

Reference: Configure an Incoming Connection to Use TCP/IP / Configure an incoming connection to use IPv4 http://technet2.microsoft.com/windowsserver2008/en/library/5cc9c8ab-1db3-49848051da25cc3ac55d1033.msp

QUESTION NO: 199 CORRECT TEXT
You are an administrator at Certkiller.com. You are instructed to implement a member server that runs Windows Server 2008. The Web Server (IIS) role is also installed on the member server. The primary purpose of the member server is to host intranet websites. The company policy dictates that a server should:

1. Use encryption for all authentication traffic to the intranet website
2. Avoid SSL on the web server for performance reasons
3. Authenticate users through Active Directory credentials

What should you do to configure all websites on the server according to the company policy? (Choose three answers. Each answer is a part of the complete solution.)

Answer: C, D, E

QUESTION NO: 200
Certkiller.com offers Web hosting services. As an administrator you manage a member server that has Windows Server 2008 as its operating system. The server named Exbla1 has an IIS server role actively running. Exbla1 hosts 5 client companies. You are setting up a website for a new client company called WXYZ inc. on the IIS server. You put content for the WXYZ website on the IIS server and store the HTML content documents on the virtual directory of the website, which is on a Windows Server 2008 remote server called CK3. The content directory is named WXYZ_VDIR. On CK3, you grant share and NTFS permission to a user account called WXYZ_ADMIN for that virtual directory. The user complains that he is unable to access the content in the directory although he has access to the main website. What should you do to enable the user to access the content in the virtual directory?

A. Configure the WXYZ_ADMIN user account by accessing the account settings and enabling Connect on demand to the virtual directory
B. Open the virtual directory options and select Edit permissions. On the customize tab, set Use this folder type as a template setting to documents
C. Create a Group Policy Object and link it to the virtual directory. Configure the GPO to enable the WXYZ_ADMIN to access the virtual directory on CK3.
D. Open the properties of Virtual directory and click Connect As button and then configure the specific user setting to WXYZ_ADMIN
E. All of the above

Answer: D

Explanation: To enable the user to access the content in the virtual directory, you need to open the properties of the virtual directory, click the Connect As button, and then configure the specific user setting to WXYZ_ADMIN. The Connect As dialog box can be used to specify credentials that have permission to access the physical path. If you do not use specific credentials, select the Application user (pass-thru authentication) option in the Connect As dialog box.

Reference: IIS 7.0: Create a Virtual Directory http://technet2.microsoft.com/WindowsServer2008/f/?en/Library/32c434c0-5c5f-43ebbd927302b95e43dd1033

QUESTION NO: 201
Certkiller provides web-hosting services. You are running a Windows Server 2008 with the IIS server role installed. The server hosts websites of 10 partner companies. You are configuring a website for a new partner named Flexinet on the IIS server. Contents of the Flexinet web site will be stored on the IIS server. The HTML content documents for a virtual directory for the website would be stored on a remote Windows Server 2008 named FI_Serv1. The contents folder is a shared folder named Flexinet_VDIR. You granted the share and NTFS permission to a user account named Flexinet_admin in the virtual directory content on FI_Serv1. Users are unable to access the contents of the virtual directory although they can access the main website. What should you do to enable the users to access the contents of the virtual directory?

A. Add the Flexinet_admin user account to the Domain Administrator global security group
B. Add the Flexinet_admin user account to the Windows Authorization Access Domain local security group
C. Configure the Specific user setting to Flexinet_admin in the Connect As dialog box in the properties of the virtual directory
D. Select the Edit Permissions option for the virtual directory. Set the use this folder type as Template setting to Documents on the Customize tab
E. None of the above

Answer: C

Explanation: To enable the users to access the contents of the virtual directory, you need to configure the specific user settings to Flexinet_admin in the Connect As dialog box in the properties of the virtual directory. The Connect As dialog box can be used to specify credentials that have permission to access the physical path. If you do not use specific credentials, select the Application user (pass-thru authentication) option in the Connect As dialog box.

Reference: IIS 7.0: Create a Virtual Directory http://technet2.microsoft.com/WindowsServer2008/f/?en/Library/32c434c0-5c5f-43ebbd927302b95e43dd1033

QUESTION NO: 202
You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the corporate network run Windows Server 2008. The company has a server named Certkiller FS1 that hosts the domain-based DFS namespace named \\Certkiller.com\dfs. All domain users store their data in subfolders within the DFS namespace. Which of the following options would you choose to prevent all users, except administrators, from creating new folders or new files at the root of the \\Certkiller.com\dfs share?

A. On Certkiller FS1, first configure the NTFS permissions for the C:\DFSroots\dfs folder and then set the Create folders/append data special permission to Deny for the Authenticated Users group and set the Full Control permission to Allow for the Administrators group.
B. On Certkiller FS1, start the Delegate Management Permissions Wizard for the DFS namespace named \\Certkiller.com\dfs and then remove all groups that have the permission type Explicit except the Administrators group.
C. Configure the \\Certkiller FS1\dfs shared folder permissions by setting the permissions for the Authenticated Users group to Reader and the Administrators group to Co-owner.
D. Run the dfscmd.exe \\Certkiller FS1\dfs /restore command on Certkiller FS1.

Answer: C

Explanation: To prevent all users, except administrators, from creating new folders or new files at the root of the \\Certkiller.com\dfs share, you need to configure the \\Certkiller FS1\dfs shared folder permissions by setting the permissions for the Authenticated Users group to Reader and the Administrators group to Co-owner. Reader is allowed to only view the files and folders and a Co-owner is allowed viewing, adding, changing, and deleting all files.

Reference: Managing Files and Folders in Windows Vista http://www.informit.com/articles/article.aspx?p=698129&seqNum=29

QUESTION NO: 203
ASP.NET in Windows server 2008 provides role based authorizations. What are those? (Select 3)

A. Windows Authentication
B. SSL Authentication
C. Passport Authentication
D. Forms Authentication

Answer: A,B,D

Explanation: ASP.NET in Windows server 2008 provides three types of role based authorizations such as Windows Authentication, which is used when working on an intranet, Passport Authentication, which uses Microsoft's Passport service, and Forms Authentication which prompts the user for a set of credentials.

Reference: Role-Based Authorization With Forms Authentication / A Quick Security Overview http://aspnet.4guysfromrolla.com/articles/082703-1.aspx

QUESTION NO: 204
Certkiller is running Windows Server 2008. The company had a distribution partner from where some sales users work remotely. As per the company policy you need to ensure that these sales users can access / log in to the Windows Server 2008 domain controller during a specific time of the day, i.e. 9:00 - 12:00 pm daily. What should you do to permit the desired access within the specified time limit?

A. Use Authorization rule based on time of the day criteria
B. Use Group policy object to define logon timings
C. Use Servermanager.exe
D. Use the "appcmd" command
E. None of the above

Answer: A

Explanation: To permit the desired access within the specified time limit, you need to use an Authorization rule based on time of the day criteria. The authorization rules are scripts written in VBScript or JScript and give you tremendous control to define the conditions that must be met for authorization to occur. You can limit authorization to a specific time of day, or base it on whether an expense limit has been met or the amount in a specified account balance.

Reference: Authorization Manager and Role-Based Administration in Windows Server 2003 (Part 2) / Authorization Rules http://www.windowsecurity.com/articles/Authorization-Manager-Role-Based-AdministrationWindows-Server2

QUESTION NO: 205
You are an administrator at Certkiller.com. You are instructed to implement a member server that runs Windows Server 2008. The Web Server (IIS) role is also installed on the member server. The primary purpose of the member server is to host intranet websites. The company policy dictates that a server should:

1. Use encryption for all authentication traffic to the intranet website
2. Avoid SSL on the web server for performance reasons
3. Authenticate users through Active Directory credentials

What should you do to configure all websites on the server according to the company policy? (Choose three answers. Each answer is a part of the complete solution.)

A. Enable the Active Directory Client Certificate Authentication on the server
B. Disable the Basic Authentication setting on the server
C. Enable Digest Authentication setting on the server
D. Enable Windows Authentication setting on the server
E. Disable Anonymous Authentication setting on the server

Answer: C,D,E

Explanation: To configure all websites on the server according to the company policy, you should first disable the Anonymous Authentication setting on the server and then enable the Digest Authentication and Windows Authentication settings on the server.

Reference: http://support.microsoft.com/kb/810572

QUESTION NO: 206
You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. A web developer of the company created a website that runs a web application called App1 using ASP.NET 3.0 and hosted it on Certkiller Server1. Certkiller Server1 was already running other ASP.NET applications. The new web application App1 must run under a security context that is separate from any other ASP.NET application on the Web server. To fulfill this requirement, you create a local user account and grant account rights and permissions to run App1. Which of the following options would you choose to configure authentication for the new website to support App1?

A. Enable the ASP.NET Impersonation setting and specify the new local user account by editing the ASP.NET Impersonation setting.
B. Enable the Windows Authentication setting.
C. Enable the Forms Authentication setting and retain all the default settings.
D. Configure the ASP.NET State service to log on to the new local user account by using the Services console.

Answer: A

Explanation: To configure authentication for the new website to support App1 so that it may run under a security context that is separate from any other ASP.NET application on the Web server, you need to enable the ASP.NET Impersonation setting and specify the new local user account by editing the ASP.NET Impersonation setting. Impersonation is when ASP.NET executes code in the context of an authenticated and authorized client. By default, ASP.NET does not use impersonation and instead executes all code using the same user account as the ASP.NET process, which is typically the ASPNET account. Using impersonation, ASP.NET applications can optionally execute the processing thread using the identity of the client on whose behalf they are operating.

Reference: ASP.NET Impersonation http://msdn.microsoft.com/en-us/library/aa292118(VS.71).aspx

QUESTION NO: 207
You are an Enterprise administrator for Certkiller.com. The company consists of a single Active Directory domain where all the servers on the corporate network run Windows Server 2008. The company consists of 10 servers that perform as Web servers. One of the web servers, called Certkiller Server1, has the FTP service installed. The server stores all the confidential files of the company. According to the company's security policy, all the confidential data of the company must be transmitted over the network in the most secure manner. However, during a routine security check, you found that the confidential files stored on the Certkiller Server1 server are being transmitted over the network without encryption. Which of the following options would you choose to ensure that encryption is always used when the confidential files on the Certkiller Server1 server are transmitted over the network? (Select all that apply)

A. Use NTLM authentication methods on the Certkiller Server1 server.
B. Publish the confidential files on Certkiller Server1 using IIS and then activate SSL on the IIS server.
C. Use IPSec encryption between the Certkiller Server1 server and the other network computers where the files need to be transmitted.
D. Use the Server Message Block (SMB) signing between the Certkiller Server1 server and the other network computers where the files need to be transmitted.
E. Activate offline files for the confidential files that are stored on the Certkiller Server1 server and select the Encrypt contents to secure data option in the Folder Advanced Properties dialog box.

Answer: B,C

Explanation: To ensure that encryption is always used when the confidential files on the FSS1 server are transmitted over the network, you need to either publish the confidential files using IIS and activate SSL on the IIS server, or use IPSec encryption between the FSS1 server and the computers of the users who need to access the confidential files. One of the features of IIS 7.0 is FTP over Secure Sockets Layer (SSL). This allows sessions to be encrypted between an FTP client and server. IP Security (IPSec), mentioned briefly in previous sections, is essentially a mechanism for establishing end-to-end encryption of all data packets sent between computers. IPSec operates at Layer 3 of the OSI model and subsequently uses encrypted packets for all traffic between members. IPSec is often considered to be one of the best ways to secure the traffic generated in an environment, and is useful for securing servers and workstations both in high-risk Internet access scenarios and also in private network configurations for an enhanced layer of security.

Reference: Using FTP Over SSL http://learn.iis.net/page.aspx/304/using-ftp-over-ssl/
Reference: Using IPSec Encryption with Windows Server 2008 http://my.safaribooksonline.com/9780672329302/ch14lev1sec5

QUESTION NO: 208
Certkiller.com has a web server named EWCK on which Windows Server 2008 was installed as its operating system. The full domain name of this web server is eweb.Certkiller.com. There is an alias record of this server on another DNS server. The alias-record name is sow.Certkiller.com and it maps to eweb.Certkiller.com. Anyone can access EWCK by using http://sow.Certkiller.com. Certkiller.com has instated a new security policy that states that sow.Certkiller.com should be available to Internet users only through secure HTTP (HTTPS). It also dictates that the users shouldn't get any security warning while connecting to the site. To achieve that, you request a public certification authority (CA). You start creating a Certificate through the Certificate Request wizard in the SSL certificates window. Which name should you type in the Common name field while filling out the Certificate Request form?

A. Certkiller.com
B. Eweb.Certkiller.com
C. EWCK
D. Sow.Certkiller.com
E. None of the above

Answer: D

Explanation: In the Common Name field, Sow.Certkiller.com should be used. The common name should be the same name that the user will input when requesting your Web site.

Reference: Generating a Certificate Request File Using the Certificate Wizard in IIS 5.0 http://support.microsoft.com/kb/228821

QUESTION NO: 209
Certkiller has a main office and five branch offices with a single domain having four sites. One of the servers in the domain is configured as an Enterprise Root Certificate Authority (CA). The Enterprise Root CA certificate is installed on all computers in the domain. An application is installed on all computers. The company security policy requires that the application must use only Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). The application is unable to connect to a global catalog server in a remote site. You need to test the LDAPS connection between the client computer and the global catalog server in the remote site. What should you do?

A. Run the ldp.exe tool
B. Run the Repadmin.exe tool
C. Run the certification Authority console
D. Run the Active Directory sites and Services console
E. None of the above

Answer: A

Explanation: To test the LDAPS connection between the client computer and the global catalog server in the remote site, you need to run the ldp.exe tool. This GUI tool allows users to perform connect, bind, search, modify, add, delete operations against any LDAP-compatible directory, such as Active Directory.

Reference: Ldp Overview http://technet2.microsoft.com/windowsserver/en/library/4efcf47f-e3eb-46e49c6c842b39eca2011033.mspx?mfr

QUESTION NO: 210
Certkiller.com has servers that run Windows Server 2008. You administer 2 servers named S1 and S2. You have installed the enterprise root certification authority (CA) on S1 and Online Responder role service on S2. You want the S1 to support the online responder. What should you do to configure online responder on S1?

A. On S1, configure Authority Information Access (AIA) extension
B. Configure CertPublishers group on S1 and S2
C. Configure Dual Certificate List extension on S1 and S2
D. Create a conventional Group Policy Object (GPO) and import enterprise root CA certificate. Link the GPO to S1
E. None of the above

Answer: A

Explanation: To configure online responder role service on S1, you should configure AIA extension. The authority information access extension indicates how to access CA information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in subject or CA certificates, and it MUST be non-critical.

Reference: datatracker.ietf.org/documents/LIAISON/file315.pdf

QUESTION NO: 211
You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. The corporate network consists of a web server called Certkiller Server1, which uses an SSL certificate from a public certification authority (CA). The users access the server through the Internet using the URLs http://www.Certkiller.com and https://www.Certkiller.com. Due to heavy traffic on the server, the company has decided to configure a Network Load Balancing cluster on the network so that the traffic can be load balanced between two servers. To implement the idea, an additional Web server called Certkiller Server2 was installed and a Network Load Balancing cluster is configured using both the servers to distribute the incoming HTTP and HTTPS traffic between both the Web servers. Which of the following options would you choose to configure an SSL certificate on Certkiller Server2 to support HTTPS connections so that all users can connect to https://www.Certkiller.com without receiving security warnings?

A. Export the SSL certificate to a .pfx file. Import the .pfx file to Certkiller Server2 from IIS Manager console on Certkiller Server1.
B. Create a self-signed certificate from IIS Manager console on Certkiller Server2.
C. Request a new SSL certificate from the public CA. Use Certkiller Server2 as the Common Name in the request and then install the new certificate on Certkiller Server2.
D. Export the SSL certificate to a .cer file and Import the .cer file to Certkiller Server2 from the Certificates console on Certkiller Server1.

Answer: A

Explanation: To configure an SSL certificate on Certkiller Server2 to support HTTPS connections so that all users can connect to https://www.Certkiller.com without receiving security warnings, you need to configure the same certificate that exists on Certkiller Server1 on Certkiller Server2 also. To do this you need to export the SSL certificate to a .pfx file and import the .pfx file to Certkiller Server2. The certificate can be exported to a .pfx file, therefore you need to export it to a .pfx file and not a .cer file.

Reference: Exporting Existing SSL OWA Certificates from Exchange 2003 FES to Exchange 2007 SP1 CAS on Windows2008 http://telnetport25.wordpress.com/2008/03/28/exporting-existing-ssl-owa-certificates-fromexchange-2003-festo

QUESTION NO: 212
You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. One of the servers, Certkiller Server1, has the Web Server (IIS) role installed on it. Which of the following options would you choose to activate SSL for the default Web site on the server? (Choose two. Each correct answer presents part of the solution.)

A. Select the Generate Key option in the Machine Key dialog box for the default Web site.
B. Create an HTTPS binding on the default Web site.
C. Install the Digest Authentication component for the Web server
D. Obtain an appropriate server certificate.

Answer: B,D

Explanation: To activate SSL for the default Web site on the server, you need to get an appropriate certificate and create an HTTPS binding on a site. On Windows Vista and Windows Server 2008, HTTP.sys handles SSL encryption/decryption in kernel mode, resulting in up to 20% better performance for secure connections. Moving SSL to kernel mode requires storing SSL binding information in two places. First, the binding is stored in %windir%\system32\inetsrv\applicationHost.config for your site. When the site starts, IIS 7.0 sends the binding to HTTP.sys and HTTP.sys starts listening for requests on the specified IP:Port (this works for all bindings). Second, SSL configuration associated with the binding is stored in HTTP.sys configuration. When a client connects and initiates an SSL negotiation, HTTP.sys looks in its SSL configuration for the IP:Port pair that the client connected to. The HTTP.sys SSL configuration must include a certificate hash and the name of the certificate's store for the SSL negotiation to succeed.

Reference: How to Setup SSL on IIS 7.0 http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-7/

QUESTION NO: 213
Certkiller.com has a server that runs Windows Server 2008. You have installed Microsoft Windows Deployment Services (WDS) on this Certkiller server. While uploading spanned image files to the WDS server, you get an error message and the image fails to upload. What should you do to ensure that the image files are uploaded to the WDS server?

A. Access the \REMINST directory and grant Full Control permissions to the Authenticated Users group
B. Open the command line at WDS server and execute the wdsutil /add-image /imagefile:\\server\share\sources\install.wim /imagetype:install command individually for each component file
C. Merge the spanned image files together and put them in a single WIM file
D. Open the command line on the WDS server and execute the wdsutil /Convert command
E. None of the above

Answer: C

Explanation: To ensure that the image files are uploaded to the WDS server, you have to merge the spanned image files together and put them in a single WIM file so that you can upload the spanned image files to the WDS server. By merging the spanned image files together, you can easily upload them in one go. If you use the wdsutil /add-image /imagefile:\\server\share\sources\install.wim /imagetype:install command, you will need to upload each file individually and you have to type this command for each spanned image file. Similarly, you cannot use option A because even if you grant Full Control permission to the Authenticated Users group, you will not be able to upload spanned image files to the WDS server. The problem is not authentication related.

QUESTION NO: 214
Certkiller.com has got 30 new computers. You are the system administrator at Certkiller.com. You want to deploy Windows Vista on the new computers at the main office. You need to use the multicasting feature of WDS (Windows Deployment Services) to deploy Windows Vista operating system images on 30 new computers. The Windows Vista computers and the WDS server are on a single subnet dedicated to WDS. You have created custom network profiles to help you in deployment. You edit the registry keys to adjust network profile parameters to achieve as much bandwidth as possible for the deployment and transfer of the Windows Vista OS images to clients as quickly as possible. What should you do to achieve both of the requirements? (Choose two answers. Each answer is a part of the complete solution.)

A. Tune the TpMaxBandwidth to a value of 10
B. Tune the TpMaxBandwidth to a value of 80
C. Tune the TpMulticastTTL parameter from 4 to 9
D. Tune the TpMulticastTTL parameter from 4 to 20
E. Tune the ApBlockSize parameter from 8 to 4 KB
F. Tune the ApBlockSize parameter from 8 to 16 KB

Answer: B,F

Explanation: To achieve as much bandwidth as possible, you should adjust the TpMaxBandwidth to a value of 80. When you configure the parameter value to 80, you set the network card of the WDS server to utilize 80% of the total available bandwidth. If you adjust the parameter to 10, the network card will only use 10% of the available bandwidth. After this, you should adjust the ApBlockSize parameter from 8 to 16 KB. This will result in a faster transfer because the larger the block size, the faster the transfer will be. If you change the parameter from 8 to 4 KB, the data transmission will be slower because the block size is smaller.

QUESTION NO: 215
In Certkiller network, all the servers have Windows Server 2008 installed as their primary operating system. You install Microsoft Windows Deployment Services (WDS) on a network computer to deploy a Windows Server 2008 image of the reference computer on 300 new computers. However, after deployment, the computers had the same name. What should you do to ensure that the computers receive unique identities?

A. Create an image group by using the WDS snap-in. Redeploy image to the client computers
B. Run the WDSutil/enable command on the reference computer. Capture a new image of the reference computer and deploy the new image to client computers
C. Run the Sysprep utility on the reference computer. Capture a new image of the reference computer and deploy the new image to client computers
D. Configure read permissions for the authenticated user group in the directory that contains the image files. Redeploy the new image to the client computers.
E. None of the above

Answer: C

Explanation: To ensure that client computers receive unique identities, you need to run the Sysprep utility on the reference computer. Capture a new image of the reference computer and deploy the new image to client computers. The Sysprep utility can be used to create a clean PC to use for an image-based Windows deployment. The System Preparation tool (Sysprep) can be used to clone a computer and automate the deployment of the operating system. It uses the answer file that enables it to create different identities of the computers.

Reference: Step-by-Step Guide for Windows Deployment Services in Windows Server 2008 / Steps for creating an install image http://technet2.microsoft.com/windowsserver2008/en/library/7d837d88-6d8e-420cb68fa5b4baeb52481033.msp

QUESTION NO: 216

Microsoft Windows Deployment Services (WDS) is running on a Windows 2008 server. You discover that one of the images on the server is out of date. What should you do to remove the image from the server?

A. Run the WDSUTIL command with the /Remove-image and /ImageType: install options at WDS server
B. Run the WDSUTIL command with the /Remove-image and /ImageType: boot options at the WDS server
C. Run the WDSUTIL command with the /Export-image and /ImageType: install options at WDS server
D. Run the WDSUTIL command with the /Export-image and /ImageType: boot options at the WDS server
E. None of the above

Answer: A

Explanation: To remove the install image from the server, you need to run the WDSUTIL command with the /Remove-image and /ImageType: install options at WDS server. The /remove-Image removes a specified image from a server. The syntax is: WDSUTIL [Options] /Remove-Image /Image: [/Server:] /ImageType:Install [/ImageGroup:] [/Filename:] Reference: /remove-Image http://technet2.microsoft.com/windowsserver2008/en/library/ce5e2384-2264-4b2292af74eec8c10ae01033.msp

QUESTION NO: 217

Certkiller .com has a server that runs Windows Server 2008. You have installed Microsoft Windows Deployment Services (WDS) on this Certkiller server. While uploading spanned image files to the WDS server, you get an error message and the image fails to upload. What should you do to ensure that the image files are uploaded to the WDS server?

A. Access the \REMINST directory and grant Full Control permissions to the Authenticated Users group
B. Open the command line at WDS server and execute the wdsutil/add-image /imagefile:\\server\share\sources\install.wim /image type:install command individually for each component file
C. Merge the spanned image files together and put them in a single WIM file
D. Open the command line on the WDS server and execute the wdsutil/Convert command
E. None of the above

Answer: C

Explanation: To ensure that the image files are uploaded to the WDS server, you have to merge the spanned image files together and put them in a single WIM file so that you can upload the spanned image files to the WDS server. By merging the spanned image files together, you can easily upload them in one go. If you use the wdsutil/add-image /imagefile:\\server\share\sources\install.wim /image type:install command, you will need to upload each file individually and you have to type this command for each spanned image file. Similarly you cannot use the option A because even if you grant Full control permission to the Authenticated User group, you will not be able to upload spanned image files to the WDS server. The problem is not authentication related.

QUESTION NO: 218

Certkiller .com has a server that runs Windows Server 2008. You installed Windows Deployment Services (WDS) role on the server. You decide to install Windows Vista on a computer that does not support Preboot Execution Environment (PXE). The Windows Vista image is stored on the WDS server. You have to start the computer and install the Windows Vista image stored on the WDS server. What should you create to achieve this task?

A. Image Boost
B. Discover image
C. PXE drivers image
D. WDS image

Answer: B

Explanation: To start the computer and install Windows Vista image stored on the WDS server, you should create the Discover image. If you have a computer that is not PXE enabled, you can create a discover image and use it to install an operating system on that computer. When you create a discover image and save it to media (CD, DVD, USB drive, and so on), you can then boot a computer to the media. The discover image on the media locates a Windows Deployment Services server, and the server deploys the install image to the computer. You can configure discover images to target a specific Windows Deployment Services server. This means that if you have multiple servers in your environment, you can create a discover image for each, and then name them based on the name of the server. Reference: http://technet2.microsoft.com/WindowsVista/en/library/9e197135-6711-4c20bfadfc80fc2151301033.mspx?mf

QUESTION NO: 219

Certkiller .com has 20 servers. All servers run Windows Server 2008. It also has a single Active Directory Forest. You install Microsoft Windows Deployment Services (WDS) on the network. You need to deploy the image of a reference computer on 500 client computers by capturing an image of the reference computer. There are no unique names. All client machines have the same name. What would you do to ensure that each client machine receives a unique identity?

A. Access the directory containing image files. Set the read permission for the Authenticated users group for the directory and redeploy the image on all client computers.
B. Use WDS snap-in to create an image group. Redeploy the image to the client computers
C. Open up the command line on WDS server and run the wdsutil/enable command. Redeploy the image on the client computers
D. Open up the command line on reference computer. Run the Sysprep command and capture a new image of the reference computer. Deploy the new image to the client computers
E. None of the above

Answer: D

Explanation: To ensure that each client receives a unique identity, you should run Sysprep and then capture new images of the reference computer. Deploy the new images at the client computers. The sysprep utility is used to assign new security IDs to a computer for the first time when it's started. The name and security IDs for the new computer are different from the reference computer. To ensure that the new computers do not have the same name as the reference computer, you should type the following command at command prompt: sysprep /OOBE /generalize /reboot. The /OOBE parameter sets up the Windows Welcome screen. It is also known as machine OOBE (out-of-box experience). The /generalize parameter is used to remove security IDs from the reference computer. The /reboot parameter will reboot the system after the command is executed.

QUESTION NO: 220

Certkiller .com is planning to deploy 550 new computers that will run Windows Vista operating system. Certkiller .com has planned to deploy Windows Vista on new computers through imaging. After creating a reference image you test it by deploying the image to several test computers. You find that when you deploy the image to test computers, the computers boot up for the first time with expired activation timers. What should you do to ensure that this does not occur during the actual deployment?

A. Run the sysprep/ktime command on the reference computer before creating an image
B. Run the sysprep/generalize command before creating an image on the reference computer
C. Run the sysprep/generalize command after deploying the image on new computers
D. Run the sysprep -wds command before deploying the image on new computers
E. All of the above

Answer: B

Explanation: Before creating an image on the reference computer, you should run the sysprep/generalize command on the reference computer. Generally, in all deployment scenarios, you should reset the product activation timers by typing this command: "%systemroot%\system32\sysprep\sysprep /generalize" This command should be run on the reference system before distributing the images to the user machines. You cannot execute the sysprep/ktime command on the reference computer because there is no such parameter for the sysprep command. You will not achieve anything if you run the sysprep/generalize command after the deployment of images. The command should be run before deployment to remove machine-specific information such as the SID. You cannot execute the sysprep -wds command before deploying the image on the new computers because there is no such parameter for the sysprep command.

QUESTION NO: 221

All servers in your Active Directory domain are running Windows Server 2008. You installed Windows Deployment Services (WDS) on a network computer. You need to deploy Windows Server 2008 using a Windows image file to 200 computers that have no operating system installed. When you try to deploy the image on a test computer, it fails with a driver error. What should you do to modify the image in order to include the correct driver?

A. Mount the image file, and run the Sysprep utility
B. Mount the image file, and modify the image file by using the System Image Manager (SIM) utility
C. Map the image file to an installation point that holds the correct driver
D. Update the driver in the Device Manager of the WDS server

Answer: B

Explanation: To modify the image in order to include the correct driver, you need to mount the image file, and modify the image file by using the System Image Manager (SIM) utility. Windows System Image Manager (Windows SIM) lets you create answer files (Unattend.xml) and network shares or modify the files contained in a configuration set. The answer files can be modified to include correct drivers. Reference: Interview With Michael Manos: How Microsoft Does Data Centers / Deployment Technologies For Vista http://www.lockergnome.com/it/tag/microsoft/

QUESTION NO: 222

Certkiller is running a Microsoft Windows 2008 server with Microsoft Windows Deployment Services (WDS) and the DHCP server role. When users try to deploy images to new systems, the new computers do not receive a response from the WDS server. What should you do to configure the WDS server to deploy the images?

A. Configure port 67 TCP to listen to the WDS server
B. Configure port 60 TCP to avoid listening on the WDS server
C. Run the WDSUTIL/ set-server /autodiscovery: yes command at the WDS server command prompt
D. Run the WDSUTIL/set-server /DHCPoption60: yes command at the WDS server command prompt
E. Run the WDSUTIL/set-server /useddhcpports no command at the WDS server command prompt

Answer: D,E

Explanation: To configure the WDS server to deploy the images, you need to run the WDSUTIL/set-server /DHCPoption60: yes command and the WDSUTIL/set-server /useddhcpports no command at the WDS server command prompt. The /DhcpOption60:Yes command allows you to configure DHCP option 60 for PXE support. This option is set if the DHCP and Windows Deployment Services are running on the same server. You also need to set the /UseDhcpPorts option to No to enable the DHCP server to utilize the port. Both the WDS and DHCP services listen on port UDP 67. When WDS and DHCP are installed on the same machine, you'll have to configure WDS to not listen on port UDP 67. Reference: /set-Server http://technet2.microsoft.com/windowsserver2008/en/library/da55c29d-a94a-4d73877baf480f906ca01033.msp

QUESTION NO: 223

Certkiller .com has a domain with Active Directory running on it. Windows Server 2008 is installed on all the servers. You plan to deploy an image to 50 computers with no operating system installed. For this you install Microsoft Windows Deployment Services on the network. When you install the image on a test computer, a driver error shows up on the screen. What would you do to change the image to include the correct driver?

A. Configure and map the image file to the installation folder which hosts the correct driver
B. Take the image file and mount it. Using the System Image Manager (SIM) utility, change the image file
C. Open WDS server and update the driver through Device Manager
D. Take the image file and mount it. Run the sysprep utility to get the correct driver
E. None of the above

Answer: B

Explanation: To include the correct driver, you should mount the image file and change it using System Image Manager (SIM). You need to include the correct driver in the image file so it will install with all the correct drivers. You should not configure and map the image file to the installation folder hosting the correct driver because the image file is deployed in full. Windows Server 2008 will not consider the contents of the folder where the image file resides. It will deploy the image file only with all its content. You cannot update the driver through Device Manager on the WDS server. It has nothing to do with the image file. You cannot mount the image file and run the sysprep utility. The Sysprep utility cannot get the correct driver for you and change the image file. The Sysprep utility is related to the WDS server and the deployment of images to the client computers.

QUESTION NO: 224

Certkiller .com has a server that runs Windows Server 2008. As an administrator at Certkiller .com, you install Microsoft Windows Deployment Service (WDS). While testing an image, you find out that the image is outdated. What should you do to remove the image from the server?

A. Open the command prompt at WDS server and execute WDSUTIL/Remove-Image and /ImageType:install options
B. Open the command prompt at WDS server and execute the WDSUTIL command with /Export-Image and /ImageType: install options
C. Open the command prompt at WDS server and execute the WDSUTIL with /Export-Image and /ImageType: boot options
D. Open the command prompt at WDS server and execute the WDSUTIL command with /Remove-Image and /ImageType:boot options
E. All of the above

Answer: A

Explanation: To remove the image from the server, you should execute WDSUTIL/remove-image on the command prompt at the WDS server. Then execute the WDSUTIL/image-type:install command and install the new image. WDSUTIL is the command used to modify and view the images on the WDS server. You need to remove the image and then install the updated one using these commands. You cannot use the export-image parameter with WDSUTIL in this scenario. You have to remove the image, not export it to a folder. You should not use the /image-type:boot parameter because you need to install a fresh image. You don't need to boot the service for this.

QUESTION NO: 225

Certkiller .com has four branch offices. To deploy the images, you install Microsoft Windows Deployment Services (WDS) on the network. Certkiller .com creates 4 images for each branch office. There are a total of 16 images for Certkiller .com. You deploy these images through WDS. A problem occurs in one branch office where the administrator reports that when he boots the WDS client computer, some of the images for his regional office do not show up in the boot menu. What should you do to ensure that every administrator can view all the images for his branch office?

A. Create separate image group for each branch office on the WDS server
B. Create unique organizational unit for each branch office and create profiles for each computer in the branch office
C. Organize a global group for each branch office and create profiles of each computer in a branch office
D. Create a Global Unique Identifier for each computer to recognize its branch office and connect it to the WDS server
E. None of the above

Answer: A

Explanation: To ensure that every administrator can view all the images for his branch office, you should create a separate image group for each branch office on the WDS server. A separate image will enable all the administrators to view each image from their machine in the branch office. You should not create an OU for each branch office. There is no logic in creating an OU for each branch office and profiles for each computer in the branch office. You should not organize a global group for each branch office. A global group can host all the branch offices of Certkiller .com

QUESTION NO: 226

Microsoft Windows Deployment Services (WDS) is running on a Windows 2008 server. When you try to upload spanned image files onto the WDS server, you receive an error message. What should you do to ensure that the image files can be uploaded?

A. Combine the spanned image files into a single WIM file
B. Grant the Authenticated Users group Full Control on the \REMINST directory
C. Run the WDSutil/Convert command from command line on the WDS server
D. Run the WDSutil/add-image/imagefile:\\server\share\sources\install.wim/image type: install command for each component file individually at the command line on WDS server
E. None of the above

Answer: A

Explanation: When you try to upload spanned image files onto WDS server, you received an error message because you can only mount a single WIM file once for read/write access and therefore you need to combine the spanned image files into a single WIM file to correct the problem. Reference: The Desktop Files The Power User's Guide to WIM and ImageX / Using /mount, /mountrw, and /delete http://technet.microsoft.com/en-us/magazine/cc137794.aspx

QUESTION NO: 227

Microsoft Windows Deployment Services (WDS) is running on the network. The company has four regional offices, and you created four images for each office administrator, for a total of 16 images for the company offices. These standard images for workstations will be deployed using WDS. An administrator from one of the regional offices reports that when a WDS client computer is booted, some of the images for their regional office don't appear on the boot menu. What should you do to ensure that each administrator can view the images for his or her regional office?

A. Put each regional office into a separate image group on the WDS server
B. Create a global group for each regional office, and place the computers in the respective OU
C. Create an organizational unit for each regional office, and place the computers in the respective global group
D. Pre-stage each computer account by using the individual computer Global Unique Identifier (GUID) to identify its regional office
E. None of the above

Answer: D

Explanation: Some of the images for their regional office don't appear on the boot menu because the Windows Imaging format (WIM) images are displayed to the user based on the HAL type of the client computer. Therefore, only WIM images that exactly match the HAL type of the client computer are displayed in the menu of operating system images. To work around this problem, you need to create an operating system image for each computer HAL type that is present in your environment. Reference: After you upgrade to WDS, an ACPI Multiprocessor image does not appear in the menu of operating system images when you start a PXE client that uses an ACPI Uniprocessor computer HAL http://support.microsoft.com/kb/935772

QUESTION NO: 228

Certkiller .com has a Windows Server 2008 server with a single Active Directory domain installed on it. You are the administrator of a server named CKWDS which runs Windows Server 2008. You install the Windows Deployment Services (WDS) role on CKWDS. You are instructed to deploy the image of a reference computer on 30 client computers. After capturing the reference computer image, you find out that all the client computers have the same name. What should you do to ensure that each client computer receives a unique security identifier?

A. Open the WDS snap-in and create an image group. Redeploy the image on all client computers
B. Execute wdsutil/nickname:yes command on CKWDS server command prompt and redeploy the image on all client computers
C. Execute wdsutil/ser-server/prestageusingMAC:yes command on the CKWDS server command prompt and redeploy the image on all client computers
D. Execute imagex/securityid:yes command on the CKWDS server command prompt and redeploy the image to the client computers

Answer: C

Explanation: To ensure that each client computer receives a unique security identifier, you should execute the wdsutil/ser-server/prestageusingMAC:yes command on the CKWDS server command prompt and redeploy the image on all client computers. A unique security identifier (SID) is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Reference: www.guardianedge.com/resources/glossary/active-directory.php

QUESTION NO: 229

Certkiller .com has upgraded all servers in its network to Windows Server 2008. Certkiller .com also directed you to install Windows Vista on all client machines. You install Windows Vista on client machines and Windows Server 2008 on the servers. You use Multiple Activation Key (MAK) to activate the new operating systems on the network. You use proxy activation over the internet using Volume Activation Management Tool (VAMT). Windows Vista on the client computers was successfully activated using this method, but Windows Server 2008 failed to activate using VAMT. What should you do to ensure that Windows Server 2008 is activated on all the servers?

A. Contact Microsoft Support Center and activate the Windows server 2008 over the phone
B. Upgrade VAMT using Windows Server 2008 RTM for VAMT to function with Windows Server 2008 Volume Licensing
C. Upgrade VAMT using Key Management Service (KMS) for Windows Server 2008 RTM to function with Windows Server 2008 Volume Licensing
D. Contact Microsoft Support Center and activate Windows Server 2008 over the internet using MAK only
E. All of the above

Answer: B

Explanation: To ensure that the Windows Server 2008 is activated on all the servers, you should upgrade VAMT using Windows Server 2008 RTM for VAMT. You have to update VAMT at Windows Server 2008 RTM for VAMT to function with Windows Server 2008 volume licensing. VAMT (Volume Activation Management Tool) is a volume licensing tool for all flavors of Windows Vista. There are various activation methods available for volume licensing. These methods use two types of customer specific keys: Multiple Activation Key (MAK) and Key Management Service (KMS). The VAMT tool is used to activate the license through proxy over internet. VAMT is a tool for Windows Vista and to use it for Windows Server 2008, it needs an update.

QUESTION NO: 230

Certkiller .com has added 5 servers to its network. As an administrator at Certkiller .com, you install Windows Server 2008 Enterprise edition on two servers and Windows Server 2008 storage server enterprise on other two servers. You want to automatically activate both editions of Windows Server 2008 without any administrator or Microsoft intervention. You also want the activation to occur every 6 months. Which volume activation service should you use to automatically activate both editions of Windows Server 2008?

A. Multiple Activation Key (MAK)
B. Volume Activation Management Tool (VAMT)
C. Volume Activation 1.0 (VA 1.0)
D. Key Management Service (KMS)
E. None of the above

Answer: D

Explanation: You should use KMS to activate both editions of Windows Server 2008. KMS automatically activates Windows Vista and Windows Server 2008. Computers that have been activated by KMS are required to reactivate by connecting to a KMS host at least once every six months. The VL editions of Windows Server 2008 and Windows Vista are installed as KMS clients by default. The clients can automatically discover the KMS hosts on the network with a properly configured KMS infrastructure. The clients can also activate using KMS infrastructure without administrative or user intervention.

QUESTION NO: 231

Certkiller has a main office and a branch office. The main office is running 20 Windows Server 2008 computers and 125 computers running Microsoft Windows XP Professional. The branch office is running 3 Windows Server 2008 computers and 50 Windows XP Professional computers on its network. Computers in the main office have access to the Internet. All servers have the same security configuration, and there are no plans in the near future to add new servers or systems to the network. You installed Volume Activation Management Tool (VAMT) on a server named Certkiller _DC1 in the main office, added all servers to the VAMT server, and configured the servers for Multiple Activation Key (MAK) independent activation. Servers at the branch office are unable to activate Windows Server 2008. What should you do to activate Windows Server 2008 on all servers?

A. Install a Management Activation Key (MAK) server on the network
B. Configure MAK Proxy activation on all servers in the branch office
C. Configure Windows Management Instrumentation (WMI) Firewall Exception on all servers in the branch office
D. Open VAMT on Certkiller _DC1 and export the Computer Information List (CIL). Send this file to Microsoft Technical support for activation
E. None of the above

Answer: B

Explanation: To activate Windows Server 2008 on all servers, you need to configure MAK Proxy activation on all servers in the branch office. The MAK can be activated by using two methods, MAK Independent Activation and MAK Proxy Activation. MAK Independent Activation is used when each computer is activated individually by connecting to Microsoft servers over the Internet or by telephone, and MAK Proxy Activation is used when Volume Activation Management Tool (VAMT) is installed on a server and you need to activate multiple computers at the same time through a single connection to Microsoft servers over the Internet or phone. Therefore, instead of MAK Independent Activation you need to use MAK Proxy activation on all servers in the branch office. Reference: Frequently Asked Questions About Volume License Keys for Windows Vista and Windows Server 2008 http://www.microsoft.com/licensing/resources/vol/ActivationFAQ/default.mspx

QUESTION NO: 232

You are the network administrator for the Certkiller network. You configured a Windows Server 2008 server named Certkiller _KM1 as a Key Management Service (KMS) host. This server is also configured as a Windows Sharepoint Services server. This location currently has 18 computers running the Windows Vista KMS client, and you have recently added 10 more Windows Vista KMS client systems to the network. These 10 additional client computers were installed using a Windows Vista image file. The KMS host is unable to activate any of the KMS client computers in the network. What should you do?

A. Install KMS on a dedicated Windows Server 2008
B. Run Sysprep /generalize on the Vista reference computer used to create image
C. Run slmgr.vbs/rearm on the Vista reference computer used to create image
D. Run slmgr.vbs/dli on the KMS host computer
E. Run slmgr.vbs/cpri on the KMS host computer
F. None of the above

Answer: B

Explanation: To activate the KMS client computers in the network, you need to run the Sysprep /generalize on the Vista reference computer used to create image. sysprep /generalize is used to reset activation and other system-specific information as the last step before storing or capturing the VM image. If sysprep /generalize is not used, the activation timer will run down while the product is in storage and the KMS host will be unable to activate any of the KMS client computers in the network. Reference: KMS host is unable to activate any of the KMS client computers in the network http://blog.windowsvirtualization.com/virtualization/faq-virtalization-and-volume-activation-20

QUESTION NO: 233

Certkiller .com has an Active Directory domain. You are an administrator at Certkiller .com. You administer a server named CKKMS that runs Windows Server 2008. Certkiller .com has instructed you to deploy Windows Server 2008 on 12 new servers. You install first two servers. The servers fail to activate Windows Server 2008 using CKKMS. You have to activate the new server through KMS server. What should you do to achieve this task?

A. Configure the Windows Firewall to have Windows Management Instrumentation exceptions on the new servers.
B. Complete the installation of the remaining 10 servers
C. Install Volume Activation Management Tool (VAMT) on the CKKMS server and configure Multiple Activation Key (MAK) service
D. Install VAMT and configure MAK independent activation

Answer: B

Explanation: To activate the new server through KMS server, you should complete the installation of the remaining 10 servers. The Key Management Service is a Windows service. KMS is a trusted mechanism that, once the KMS host is activated, allows volume client computers within the enterprise to activate themselves without any interactions with Microsoft. KMS activation of Windows Server 2008 follows a hierarchical structure. Each successive product group can activate all the groups below it, and the KMS can be hosted on any edition that it can activate.

QUESTION NO: 234

Certkiller .com has a single Active Directory domain called dbill.com. All servers in the domain run Windows Server 2008. There are two domain controllers in the network: ED1 and ED2 and the DNS service is installed on the domain controllers. Both DNS servers host Active Directory integrated zones that are configured to allow the most secured updates. ED1 has a Key Management Services (KMS) installed and activated. During maintenance, you find that the service locater records from the dbill.com zone hosted on CK2 and CK2 are missing. You have to force registration of the KMS service locator records in the Certkiller .com zone. What should you do to correct this problem?

A. Execute slmgr.vbs script on ED1 at the command prompt
B. Configure non-secure updates on dbill.com
C. Execute the net stop netlogon command on ED2 and run net start logon command
D. At the command prompt on ED1, run net stop sppsvc command and after that execute the net start sppsvc command
E. None of the above

Answer: D

Explanation: To force registration of the KMS service locator records in the Certkiller .com zone, you should run the net stop sppsvc command at the command prompt and then execute the net start sppsvc command. This whole procedure is to start the KMS service locator records to force registration in the Certkiller .com zone.

QUESTION NO: 235

Certkiller .com has an Active Directory domain. You are the administrator of a server named CKKMS that runs Windows Server 2008. You install and configure Key Management Service (KMS) on KMS1. You plan to deploy Windows Server 2008 on 10 new servers. You install the first two servers. The servers fail to activate by using KMS1. You need to activate the new servers by using the KMS server. What should you do to achieve this task?

A. Configure Windows Management Instrumentation (WMI) exceptions in Windows Firewall on the new servers.
B. Install Volume Activation Management Tool (VAMT) on the KMS server and configure Multiple Activation Key (MAK) Proxy Activation.
C. Install Volume Activation Management Tool (VAMT) on the KMS server and configure Multiple Activation Key (MAK) Independent Activation.
D. Complete the installation of the remaining eight servers.
E. None of the above.

Answer: D

sts

.co

m

Explanation: To activate the new servers using KMS server, you should complete the installation of the remaining eight servers. The Key Management Service is a Windows service. KMS is a trusted mechanism that, once the KMS host is activated, allows volume client computers within the enterprise to activate themselves without any interactions with Microsoft. KMS activation of Windows Server 2008 follows a hierarchical structure. Each successive product group can activate all the groups below it, and the KMS can be hosted on any edition that it can activate.


QUESTION NO: 236

Certkiller.com has a server with single Active Directory domain. For security, Certkiller.com has an ISA 2006 server functioning as a firewall. You configure user access through virtual private network service by deploying the PPTP (Point-to-Point Tunneling Protocol). When a user connects to the VPN service, an error occurs. The error message says "Error 721: The remote computer is not responding." What should you do to ensure that the users connect to the VPN service?

A. Open the port 2200 on the firewall
B. Open the port 1423 on the firewall
C. Open the port 1723 on the firewall
D. Open the port 721 on the firewall
E. All of the above

Answer: C

Explanation: To ensure that users connect to VPN service, you should open the port 1723 on the firewall. The port 1723 is a TCP port for PPTP tunnel maintenance traffic. For VPN connections, you need to open this port for PPTP tunnel maintenance traffic and permit IP Type 47 Generic Routing Encapsulation (GRE) packets for PPTP tunnel data to pass to your RRAS server's IP address. You cannot open port 721. The port 721 on the firewall is a printer port so it is not related to VPN connection.

QUESTION NO: 237 DRAG DROP

Certkiller has a server named CK1 that runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. You want to create eight virtual servers that run Windows Server 2008 and configure the virtual servers as an Active Directory forest for testing purposes in the Certkiller Lab. You discover that CK1 has only 30 GB of hard disk space that is free. You need to install the eight new virtual servers on CK1. From the steps shown, what steps need to be completed in a specific order?

Answer:

QUESTION NO: 238

When you create a virtual machine in Windows Server 2008, the guest OS configuration (memory, disk, network, etc.) could be saved into a file. What is the format of the file which stores the configuration details?

A. HTML formatted file
B. XML formatted file
C. Text file
D. Word file
E. None of the above

Answer: B

Explanation: The XML formatted file stores the guest OS configuration details such as memory, disk, and network to create the Virtual Machine. Reference: Testing Windows Server 2008 using Virtual PC (step-by-step) / Create a Virtual Machine http://blogs.technet.com/josebda/archive/2007/08/05/testing-windows-server-2008-using-virtualpc-step-by-step

QUESTION NO: 239

Certkiller runs Microsoft Virtual Server 2005 R2 on a Windows Server 2008. This server hosts 5 virtual machines. For some time, you are experiencing performance degradation. Upon investigation it is revealed that you are running low on disk space on the volume where virtual machine disk files are stored. You plan to move some of the virtual disk image files onto other volume. What should you do?

A. Shutdown virtual machine and Delete the symbolic link from the folder %systemroot%\ProgramData\Microsoft\Windows\virtualisation\Virtual Machines and then move VHD files to new volume
B. Create a new symbolic link to the virtual machine's XML configuration file and then move VHD files to new volume
C. Open the virtual machine's configuration file and update any references to physical paths and then move VHD files to new volume
D. In the Windows Virtualization Management MMC console Move the virtual machines files to new volume
E. None of the above

Answer: A

Explanation: To move some of the virtual disk image files onto another volume, you need to shut down the virtual machine, delete the symbolic link from the folder %systemroot%\ProgramData\Microsoft\Windows\virtualisation\Virtual Machines, and then move the VHD files to the new volume. Windows Server 2008 Hyper-V stores a list of virtual machines in the %systemroot%\ProgramData\Microsoft\Windows\virtualisation\Virtual Machines folder. It also contains a set of symbolic links that are linked to the actual config files for each virtual machine. Therefore you need to shut down the virtual machine and delete the symbolic link from the folder before moving files.

Reference: Moving a Windows Server 2008 Hyper-V virtual machine
http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/14/15467.aspx


QUESTION NO: 240

Certkiller.com has a server that runs Windows Server 2008. A server virtualization role service is installed on this server. It also hosts a virtual machine. The virtual machine runs Windows Server 2008. You are planning to install a new application on the virtual machine. You have to ensure that you can restore the virtual machine to its original state if the application installation fails. What should you do to achieve this objective?

A. Create a snapshot of the Virtual machine from the Virtualization Management Console
B. Backup the Virtual machines using Windows Backup utility
C. Save the state of the virtual machine through Virtualization Management Console
D. Use a third-party backup software to backup the data on Virtual machine and put it on the server
E. None of the above

Answer: A

Explanation: To ensure that you can restore the virtual machine to its original state if an application installation fails, you should create a snapshot of the virtual machine using the Virtualization Management Console. You can always restore the virtual machine to its original state by using the snapshot you created.

QUESTION NO: 241

Certkiller.com has a server named CKS which runs Windows Server 2008 and Microsoft Hyper-V. You have installed two virtual machines on this server which run Windows Server 2003. What should you do to configure the virtual machines to revert back to their original state in the event of system failure?

A. Create a backup of .vmc files for each virtual machine using Windows backup utility
B. On each virtual machine running Windows Server 2003, create a backup of all volumes
C. Using Virtual Services Manager, take a snapshot of the virtual machines.
D. Create restore points on each virtual machine by using the Windows Server 2003 system restore

Answer: C

Explanation: To configure the virtual machines to revert back to their original state in the event of system failure, you should create a snapshot of the virtual machines through Virtual services manager. You can revert back the VM to original state by using the snapshot you created.

QUESTION NO: 242

Certkiller.com has a Windows Server 2008 server that has a Windows Server Virtualization (WSv) server role installed on it. You create a new virtual machine. You have to configure the network communications between the virtual machines and the host server. You also need to configure it to prevent communications with other network servers. What should you do first to achieve this task?

A. Configure a Microsoft Loopback Adapter
B. Configure the interface card to broadcast a unique IP address for the virtual machine
C. Create and configure a virtual network switch
D. Configure the Internet Connection Sharing
E. None of the above

Answer: C

Explanation: To configure the network communications between the virtual machines and the host server and prevent communications with other network servers, you have to create and configure a virtual network switch. Like traditional network security switches, the virtual switch integrates network policy enforcement and access control. The product features virtual network partitioning, a firewall, and virtual network discovery capabilities. It also secures communication between virtual environments and enables policy-based switching and traffic monitoring.

Reference: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1307117,00.html

QUESTION NO: 243

Certkiller.com has a server named CKV1 which runs Windows Server 2008 and Microsoft Hyper-V. 30 virtual machines are hosted on CKV1. Certkiller.com has instructed you to configure CKV1 to shut down each virtual machine running on it before it shuts down itself. What should you do to achieve this task?

A. Open the Automatic stop action properties on each virtual machine and Enable the Shut down the guest operating system option.
B. Write a custom shutdown script for each virtual machine
C. Open the Automatic stop action properties on each virtual machine and Disable the Never shut down option.
D. Open the general properties of each virtual machine and Enable the Shut down on Prompt option.
E. None of the above

Answer: A

Explanation: To ensure that each virtual machine running on the server shuts down before the server shuts down, you should enable the Shut down the guest operating system option in the Automatic stop action properties on each virtual machine. When you enable the Shut down the guest operating system option, the server turns off the virtual machines before shutting down itself. It is very important to shut down the virtual machines before shutting down the server because otherwise the virtual machine files can be corrupted. The Automatic Stop action properties can be accessed on the virtual machine.

QUESTION NO: 244

You are an administrator at Certkiller.com. Certkiller has a server that runs Windows Server 2008. It is named CKVirS1. Microsoft Virtual Server 2005 R2 is also installed on this server. This server hosts 20 virtual servers. One of the virtual servers called CKWINNT has a database application installed on it. A dedicated administrator looks after this server. His user account name is WINNTAD. You wish to provide WINNTAD access to the Virtual Server standard tools on CKVirS1. But you don't want him to access other virtual servers except CKWINNT. Which two actions will you perform to configure the CKVirS1 for the WINNTAD account? (Choose two answers. Each answer is a part of the whole solution)

A. Configure the WINNTAD account on Deny Read permission on all virtual server configuration files except the one with the name CKWINNT
B. Go to the virtual server administration website and connect to CKVirS1 virtual server. Change the security settings to allow the WINNTAD account View and Control permissions for the CKVirS1 virtual server.
C. Go to the virtual server administration website and connect to CKVirS1 virtual server. Change the security settings to allow the WINNTAD account Deny Modify permissions for the CKVirS1 virtual server.
D. Modify the Deny Read permission for CKWINNT account on all virtual hard disk files except the files that are used by WINNTAD
E. Go to the virtual server administration website and connect to CKVirS1 virtual server. Modify the settings to allow CKWINNT virtual server to accept WINNTAD account as the administrator. In this way the CKVirS1 will allow the WINNTAD account to access its standard virtual server tools and resources.

Answer: A,B

Explanation: First of all, you need to configure the WINNTAD account to Deny Read permission on all virtual server configuration files except the one with the name CKWINNT. CKWINNT is administered through the WINNTAD account. Then you have to open the virtual server administration site and establish a connection to CKVirS1 virtual server. You need to give View and Control permissions to WINNTAD for EbVirS1 virtual server. If you don't configure the WINNTAD account to Deny Read permission on all virtual servers, and just give View and Control permission for CKVirS1, the user of this account can access all virtual servers. So it is important to deny read permission to WINNTAD for all the virtual servers before giving access to CKVirS1 virtual server.

QUESTION NO: 245

Certkiller.com has a software evaluation lab. There is a server in the evaluation lab named CK1. CK1 runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CK1 has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card. Certkiller.com requires every server in the company to access the Internet. Certkiller.com security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states that the IP address space used by other networks should not be used by the evaluation lab network. As an administrator you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the internet. You need to configure all virtual servers on the CK1 server to access the internet. You also need to comply with the company's security policy. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig /renew command on each virtual server
B. On CK1's physical network interface, activate the Internet Connection Sharing (ICS)
C. Use Certkiller.com intranet IP addresses on all virtual servers on CK1.
D. Add and install a Microsoft Loopback Adapter network interface on CK1. Use a new network interface and create a new virtual network.
E. None of the above

Answer: B,D

Explanation: In this scenario, you should activate the Internet Connection Sharing on CK1's physical network interface and then install a Microsoft Loopback Adapter network interface on CK1. With the new network interface you can create a new virtual network. The Microsoft Loopback Adapter is a built-in, software-based network interface that acts as a constraint. When you use it, network traffic between connected virtual machines and the virtual server host is constrained to the internal virtual network. This internal virtual network is isolated from external physical networks.

QUESTION NO: 246

Certkiller runs Microsoft Virtual Server 2005 R2 on a Windows 2008 server. This server hosts 10 virtual servers. One of the virtual servers, named WINNT_VS1, is running a database application, and a dedicated administrator supports this server. The administrative user account name is WINNT_VS1_Admin. You want to provide the WINNT_VS1_Admin account access to the virtual server standard tools on WINNT_VS1 server with permissions only to view and access the WINNT_VS1 server. What should you do to configure the WINNT_VS1 server for the WINNT_VS1_Admin account? (Select two. Each selected option will form a part of the answer.)

A. Connect to WINNT_VS1 using Virtual Server Administration Web site. Configure the WINNT_VS1 virtual server to run under the WINNT_VS1_Admin account
B. Connect to WINNT_VS1 using Virtual Server Administration Web site. Configure the WINNT_VS1 security settings to set the Deny Modify Permission for the WINNT_VS1_Admin account
C. Connect to WINNT_VS1 using Virtual Server Administration Web site. Configure the WINNT_VS1 security settings to grant the WINNT_VS1_Admin account the Allow View and Allow Control permissions
D. Set the Deny Read Permission for the WINNT_VS1_Admin account on all Virtual server configuration files except the virtual server configuration file for the WINNT_VS1 virtual server
E. Set the Deny Read Permission for the WINNT_VS1_Admin account on all Virtual hard disk files except the virtual hard disk files that are used by WINNT_VS1 virtual server

Answer: C,D

Explanation: To configure the WINNT_VS1 server for the WINNT_VS1_Admin account, you need to connect to WINNT_VS1 using Virtual Server Administration Web site. Configure the WINNT_VS1 security settings to grant the WINNT_VS1_Admin account the Allow View and Allow Control permissions. To set the permissions, you need to start the Virtual Server Administration Website and click on "Server Properties" found under "Virtual Server" on the navigation pane. You then need to select "Virtual Server security," push the "Add Entry" button and grant permissions. You need to grant the WINNT_VS1_Admin account the Allow View and Allow Control permissions, so that the WINNT_VS1_Admin account has permissions to view and access the WINNT_VS1 server. After that you can set the Deny Read Permission for the WINNT_VS1_Admin account on all Virtual server configuration files except the virtual server configuration file for the WINNT_VS1 virtual server. This is because you have many virtual servers running and you want to grant permissions only to one specific server and deny permissions from the rest of the servers.

Reference: Scripting Basics for Virtual Server 2005 R2 / Security
http://mcpmag.com/features/article.asp?EditorialsID=623

QUESTION NO: 247

Certkiller has a server named Certkiller_VS1 running Windows Server 2008 and Microsoft Virtual Server 2005 R2. It hosts 10 virtual machines, which are connected to a built-in internal virtual network. A DHCP server is used to assign IP addresses to all client computers on the Intranet. You configured a new virtual server named Certkiller_VS2 on the Certkiller_VS1 server and configured and activated a scope for the built-in internal virtual network. You also configured and authorized a DHCP server on Certkiller_VS2. You notice that all virtual machines are getting their IP addresses from an unknown scope. What should you do to stop all the virtual machines from getting their IP addresses from an unknown scope?

A. Activate ICS on the physical interface on the Certkiller_VS1 server
B. Deactivate the default virtual DHCP server on the built-in internal virtual network
C. Uninstall the DHCP server from the Certkiller_VS2 virtual machine. Configure a new scope on the default virtual DHCP server on the built-in internal virtual network
D. Uninstall the DHCP server from the Certkiller_VS2 virtual machine. Configure a new scope for the virtual machines on the intranet DHCP server
E. None of the above

Answer: B

Explanation: By default, Virtual Server 2005 R2 creates a virtual network designated as Internal Network. The Internal Network supports virtual machine to virtual machine connectivity, ensuring that communications between virtual machines are isolated from any physical network. Virtual Server 2005 R2 also includes a Virtual DHCP server that can be enabled or disabled on each individual virtual network. If enabled on a virtual network, the Virtual DHCP server provides standard network configuration settings to virtual machines connected to the virtual network. Therefore, to stop all the virtual machines from getting their IP addresses from an unknown scope, you need to deactivate the default virtual DHCP server on the built-in internal virtual network, which is providing network configuration settings to virtual machines connected to the virtual network.

Reference: Virtual Networks
http://vscommunity.com/blogs/virtualzone/archive/2007/02/26/virtual-server-2005-r2-virtualnetworks.aspx

QUESTION NO: 248

Your company hosts a Web site on a server that runs Windows Server 2008. The server has the Web Server (IIS) role installed. SSL is configured on the Web site for virtual directories that require encryption. You are implementing a new Web application on the Web site. The new application has its own logon page named userlogin.aspx. You enable Forms Authentication in the Web site properties. You need to configure the Web site to use userlogin.aspx to authenticate user accounts. What should you do?

A. Configure the Forms Authentication Settings to Require SSL.
B. Configure the Login URL property for the Forms Authentication Settings to the userlogin.aspx filename.
C. Configure the Default Document setting to add the userlogin.aspx filename in the Web site properties.
D. Configure the Name property of the Cookie Settings to the userlogin.aspx filename.

Answer: B

QUESTION NO: 249

You are an enterprise administrator for Certkiller.com. The company runs Windows Server 2008 on all the servers on the network. The Windows Server virtualization role service is installed on two servers called Certkiller Server1 and Certkiller Server2. Which of the following options would you choose to remotely manage the virtualization settings of Certkiller Server2 from Certkiller Server1?

A. From the Virtualization Management Console, right-click Virtualization Services and then click Connect to Server.
B. Run vmconnect.exe Certkiller Server2.
C. Run vmconnect.exe Certkiller Server1 Certkiller Server2.
D. From the Virtualization Management Console, right-click Certkiller Server1 on the left pane, point to New, and then click Virtual machine.

Answer: A

Explanation: To remotely manage the virtualization settings of Certkiller Server2 from Certkiller Server1, you need to right-click Virtualization Services from the Virtualization Management Console and then click Connect to Server. You can manage multiple Hyper-V server instances in the management console's left pane. Selecting a server instance displays that server's VMs in the center Virtual Machines pane. You can manage the VMs by right-clicking them and selecting the desired commands on the context menu. The Connect command allows you to connect to a running VM, which starts the Virtual Machine Connection window.

Reference: A First Look at Windows Server 2008 Hyper-V
http://windowsitpro.com/Windows/Articles/ArticleID/97857/pg/2/2.html

QUESTION NO: 250

You are an enterprise administrator for Certkiller.com. All the servers on the network run Windows Server 2008. The network consists of a server that has the Windows Server virtualization role service installed. You create a new virtual machine, install Windows Server 2008 on it, and configure it to use the physical network card of the host server. After installing and configuring the virtual machine, you are unable to access network resources from the virtual machine. Which of the following options would you choose to ensure that the virtual host can connect to the physical network?

A. Install the MS Loopback adapter on the virtual machine.
B. Enable the Multipath I/O feature on the host server.
C. Install Windows Server virtualization Guest Integration Components on the virtual machine.
D. Install the MS Loopback adapter on the host server.

Answer: C

Explanation: To ensure that the virtual host can connect to the physical network, you need to install Windows Server virtualization Guest Integration Components on the virtual machine. The network adapter in the VM ported from Virtual Server to Windows Server is no longer recognized. The workaround is to add a legacy network adapter to the VM. In WSv, the network adapter seen by the guest OS is not an emulated device (DEC/Intel 21140 Ethernet adapter). It is an entirely new, high performance, purely synthetic device available as part of the Windows Server virtualization Integration Components, called the Microsoft VMBus Network Adapter.

Reference: Archive for the 'Virtual Server/PC/WSv/Hyper-V' Category / Windows Server 2008 Common FAQ (condensed)
http://www.leedesmond.com/weblog/index.php?cat=6&paged=3


QUESTION NO: 251

You are an enterprise administrator for Certkiller.com. All the servers on the network run Windows Server 2008. The network consists of a server called Certkiller Server1 that runs Microsoft Hyper-V and hosts three virtual machines. To fulfill a network requirement, you need to configure all of the virtual machines to connect to each other. However, the company policy states that the virtual machines must not connect to the company network. Which of the following options would you choose to ensure that all the virtual machines connect to each other and you meet the company policy also?

A. Enable the Enable virtual LAN identification option for each virtual machine
B. Enable the Enable virtual LAN identification option for each virtual machine and then set the Connection to Host for the network interface card.
C. Enable the Enable virtual LAN identification option for each virtual machine and then Set the Connection to None for the network interface card
D. Select the Not connected option for each virtual machine.

Answer: B

Explanation: To ensure that all the virtual machines connect to each other and you meet the company policy also, you need to first enable the Enable virtual LAN identification option for each virtual machine and then set the Connection to Host for the network interface card. You can use virtual LAN identification as a way to isolate network traffic. However, this type of configuration must be supported by the physical network adapter.

Reference: Step-by-Step Guide to Getting Started with Hyper-V / To create a virtual network
http://technet2.microsoft.com/windowsserver2008/en/library/c513e254-adf1-400e8fcbc1aec8a029311033.mspx

QUESTION NO: 252

You are an administrator at Certkiller.com. Certkiller has a server named CKV1. The server runs on Windows Server 2008 and Microsoft Server 2005 R2. CKV1 is the main server that hosts 24 virtual servers connected to the internal virtual network. Certkiller uses DHCP service to assign IP addresses to all workstations connected to the server through intranet. To tidy up the network, you create a virtual server on CKV1 by the name CKVirM1. You create and configure a DHCP server on CKVirM1 and authorize it to assign IP addresses to all client computers. You create a scope for the built-in internal virtual network. While you are configuring the DHCP server, you find out that an unknown scope is assigning IP addresses to all virtual machines. What would you do to use DHCP scope from CKVirM1 to assign IP addresses and scope options along with the domain name option to all virtual machines in the internal network?

A. On the CKV1, start ICS on physical interface
B. Connect the DHCP on CKVirM1 to the default DHCP and create new scopes for the internal network
C. Stop the default virtual DHCP server on the internal virtual network and uninstall it
D. Uninstall all virtual DHCP servers on CKV1 and CKVirM1. Create a new scope for all the client computers on the DHCP server on intranet
E. All of the above

Answer: C

Explanation: To use DHCP scope from CKVirM1 to assign IP addresses and scope options along with the domain name option to all virtual machines in the internal network, you have to first stop the default virtual DHCP server on the intranet and uninstall it. The default virtual DHCP was working before you configured a new DHCP server. It has been assigning IP addresses. When you configure a new DHCP server, you need to stop the DHCP service on the default DHCP server and then uninstall it. The new DHCP server will automatically take up the role of a default DHCP server. You cannot start ICS on physical interface on CKV1; it simply doesn't make sense in the given scenario. Similarly, if you connect the DHCP on CKVirM2 to the default DHCP and create new scopes for the internal network, you won't be able to change the default DHCP to the new server. The old DHCP server will continue to assign IP addresses to the virtual machines.

QUESTION NO: 253

Certkiller.com bought a new computer. You are directed to install Windows Server 2008 on the machine. You name it CKN. In the process of installing Windows Server 2008, you execute four driver installation programs from third-party CDs. When you restart the machine, CKN fails to load and displays the following error: "Windows could not start because the following file is missing or corrupt: \WINNT\SYSTEM32\CONFIG\COMPONENTS." What would you do to ensure that CKN loads correctly without giving any error?

A. Repair the registry of CKN by shutting it down and restarting it through installation CD. Perform a System Restore on CKN
B. Repair the registry by starting CKN in a safe mode and opening the command line. Run the bootcfg command with suitable switches
C. Repair the registry by shutting down and restarting CKN through installation media. Run Recovery Console and execute the fixboot command
D. Repair the registry by starting CKN in a safe mode and opening the command line. Run the bcdedit command with suitable switches
E. None of the above

Answer: A

Explanation: In this scenario, the installation of drivers has corrupted the components file in the config folder. To resolve this, you need to repair the registry of CKN by shutting it down and restarting it through the installation CD. After that, you have to perform a system restore on CKN to bring the system back to the state before the installation of the driver programs. You cannot use the bootcfg command. The bootcfg command changes the boot.ini file and it has no relation to the problem of a missing or corrupt components file. You cannot use the fixboot command because it is related to booting options. You cannot boot the server and restart it because the problem will remain the same. The bcdedit command opens the boot configuration data store. This problem cannot be solved with booting the server. You need to repair the registry and perform a system restore to restore the original state before the installation of drivers.

QUESTION NO: 254

A new Windows Server 2008 is installed in a test environment. The server is configured to dual boot from Microsoft Windows Server 2003. After reconfiguring options on the server, it is observed that the server is booting by default from Windows 2003. What should you do to configure the server to boot from Windows 2008 by default?

A. Run the bcdedit command with the /default option
B. Run the bcdedit command with the /bootsequence option
C. Add an entry on the Startup tab in the msconfig.exe utility
D. Edit the boot.ini file to configure the default operating system
E. None of the above

Answer: A

Explanation: The BCDedit command is a command line tool that allows you to edit the Boot Configuration Data (BCD). You can update the BCD default Windows Loader objects to point to the correct device partition. For example, if the c: partition is the drive letter of the primary operating system partition, then you can use the following syntax to set the default boot partition:

    bcdedit /set {default} device partition=c:

Reference: Imaging Guidelines for Windows Server 2008 on UEFI Systems
http://download.microsoft.com/download/0/0/b/00bba048-35e6-4e5b-a3dc36da83cbb0d1/UEFIGuide.doc


QUESTION NO: 255

You installed Windows Server 2008 on a new computer named Certkiller_SRV1. During installation you ran six driver installation programs from third-party CDs. When you rebooted the server, it failed to start and the following error message was displayed: "Windows could not start because following file is missing or corrupt \\WINNT\SYSTEM32\CONFIG\SYSTEM". What should you do to repair the registry on Certkiller_SRV1?

A. Shut down Certkiller_SRV1. Restart Certkiller_SRV1 using the installation media and perform a system restore on Certkiller_SRV1 B. Shut down Certkiller_SRV1. Restart Certkiller_SRV1 using the installation media. Start the recovery console and run the fixboot command C. Restart Certkiller_SRV1 in safe mode and run the "bootcfg" command at the command line D. Restart Certkiller_SRV1 in safe mode and run the "bcdedit" command at the command line E. None of the above

Answer: A

Explanation: To repair the registry on Certkiller_SRV1, you need to shut down Certkiller_SRV1, restart Certkiller_SRV1 using the installation media and perform a system restore on Certkiller_SRV1. System Restore helps you restore your computer's system files to an earlier point in time. It is a way to undo system changes to your computer without affecting your personal files, such as email, documents, or photos.

Reference: Using System Restore in Windows Vista http://www.petri.co.il/using_system_restore_windows_vista.htm

QUESTION NO: 256

You are doing a Windows Server 2008 core installation. The installation was successfully completed with default settings. You need to make the server accessible to domain users. You also need to change the server name and connect it to the domain. Which tool should you use to complete the task?

A. Run the Netdom.exe tool B. Run the Ocsetup.exe tool C. Run the Oclist.exe tool D. Run the Netsh.exe tool E. All of the above


Answer: A

Explanation: To make the server accessible to domain users, change the server name and connect it to the domain, you should run the netdom.exe tool. Netdom.exe is used to connect a server or a computer to a domain. It can also be used to change the server name. When you connect the server to the domain, the server will automatically be available to domain users. Netdom.exe is a command-line utility which enables administrators to manage Windows Server 2003, Windows Server 2000 and Windows Server 2008 domains and trust relationships. You should not use ocsetup.exe. Ocsetup.exe is used as a wrapper for Package Manager (Pkgmgr.exe) and for Windows Installer. This tool is a command-line utility that is used to perform scripted installs and uninstalls of Windows optional components. Oclist.exe is a tool that queries the installed roles on your Windows Server 2008 core server. It is not related to this scenario. You cannot use netsh.exe in this scenario. Netsh.exe is used to configure and monitor Windows-based computers at a command prompt.

QUESTION NO: 257

As a researcher at Certkiller.com, you install Windows Server 2008 on a server during a testing phase. The server has Windows Server 2003 installed too. Therefore, the server dual boots with Microsoft Windows Server 2008 and Windows Server 2003. Another researcher reconfigures the options on that server. After reconfiguring the options, the server automatically boots into Windows Server 2003. What should you do to configure the server to boot Windows Server 2008 by default?

A. Open the msconfig tool and put an entry in the startup B. Execute the bcdedit /default command C. Open the boot.ini file and edit it for the default operating system D. Execute the bcdedit /bootsequence command E. None of the above


Answer: B

Explanation: To configure the server to boot Windows Server 2008 by default, you should use the bcdedit /default command at the command prompt. bcdedit.exe with the /default parameter is used to specify which Windows operating system starts by default each time the computer is restarted. You can also use the msconfig tool to specify the default operating system, but you cannot do that in the startup. The startup is the list of processes that start when the Windows operating system starts. You can use the boot tab in the msconfig tool to specify the default operating system. The bcdedit /bootsequence command should not be used in this scenario because when you use the /bootsequence parameter, the bcdedit.exe command sets the one-time boot sequence for the boot manager. When the computer is rebooted again, BCD reverts back to the original order of boot sequence.

QUESTION NO: 258

You are running a computer in your network that runs a Server Core installation of Windows Server 2008. What should you do to connect to this computer remotely? (Select 2. Each option is part of the complete solution.)

A. Run the slmgr.vbs -ato script on the Windows server core computer B. Run Server Manager on client computer and connect to the Windows server core computer C. Run the netsh add set portstatus command on the Windows server core computer D. Run the winrs - r, dir c:\windows command on the client computer

Answer: B,D

Explanation: To connect to a Windows Server Core installation computer remotely, you need to first run Server Manager on a client computer to connect to the Windows server core computer and then, on another computer, at a command prompt, use WinRS.exe to run commands on the server running a Server Core installation. You can use the following command to perform a directory listing of the Windows folder: winrs -r:<ServerName> dir c:\windows where ServerName is the name of the server running a Server Core installation.

Reference: Server Core Installation Option of Windows Server 2008 Step-By-Step Guide / To manage a server running a Server Core installation by using the Windows Remote Shell http://technet2.microsoft.com/windowsserver2008/en/library/47a23a74-e13c-46de8d30ad0afb1eaffc1033.mspx

QUESTION NO: 259

You have done a default installation of Windows 2008 server. The server needs to be made accessible to the domain users. We need to change server time and also need to join the server to the domain. Which tool should you run?

A. Netsh.exe B. Netdom.exe C. Ocsetup.exe D. Oclist.exe E. None of the above

Answer: B

Explanation: To change the server time and join the server to the domain, you should run Netdom.exe.

Reference: Windows Server 2008 Domain Join with netdom.exe http://www.networknet.nl/apps/wp/archives/category/windows-2008/core-server

QUESTION NO: 260

Certkiller.com has a domain controller server that uses Windows Server 2008 as its main operating system. To back up all data, a dedicated backup server is used over the network which runs Windows Server 2003. Your boss asks you to set up a domain controller for disaster recovery which does not rely on routine backup procedures. As you prepare for the task, you attempt to back up the system state data for the domain controller. You find that you cannot launch the backup utility. What should you do to ensure that you back up the system state data of the domain controller that runs Windows Server 2008?

A. Install the Removable Storage Manager feature by using the Server Manager B. Install the Windows Server backup feature by employing Server Manager C. Stop the backup task that backs up the domain controller server on another computer which uses Windows Server 2003 operating system D. Open the local backup operators group and add your login account in it E. None of the above

Answer: B

Explanation: To ensure that you back up the system state data of the domain controller, you should install the Windows Server backup feature through Server Manager. In Windows Server 2008, the Windows Server backup feature can be accessed through a Microsoft Management Console (MMC) snap-in or from command-line tools. The Microsoft Server Backup feature can give you a complete backup solution. There are four wizards that can guide you through backups and recoveries. The Windows Server backup feature can provide full server backups including all volumes, selected volumes and system state. In case of disasters, like hard drive failure, you can perform a system recovery which can recover your entire system on a new hard disk. You can also back up data on remote computers. It comes with all the perks and features you could ask for. It is a full backup solution for all your needs.

Reference: http://technet2.microsoft.com/windowsserver2008/en/library/00162c92-a834-43f99e8a71aeb25fa4ad1033.msp

QUESTION NO: 261

Certkiller.com has a main office and thirty branch offices. Each office has its own Active Directory domain in the same forest. The computers in the network are set to use Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). What should you do to ensure that the host names of the important servers on the network remain unique throughout all domains in the forest? (Choose two answers. Each answer is a part of a complete solution)

A. Install DNS service on a server that runs Windows Server 2008 B. Configure the IPv4 on all important servers in the network C. Create a new primary zone called CKGnames. This zone stores data in AD DS D. Configure the DNS server on a server that runs Windows Server 2003 E. Create a secondary zone that stores data in AD LDS

Answer: A,C

Explanation: To ensure that the host names of the important servers on the network remain unique throughout all domains in the forest, you should install the DNS service on a domain controller that runs Windows Server 2008. Along with this, you should create a new primary zone and name it CKGnames. This zone will store data in AD DS. The DNS service role in Windows Server 2008 has four unique features: IPv6 support, background zone loading, Read-Only domain controller (RODC) support and the GlobalNames zone. The basic function of the GlobalNames zone is to provide single-label name resolution for large enterprise networks that are devoid of a WINS server. The name GlobalNames is a reserved word that indicates a DNS service running on Windows Server 2008 and that the zone is to be used for single-name resolution. All authoritative DNS servers must be running Windows Server 2008 to ensure that the GlobalNames zone must be integrated with AD DS.


QUESTION NO: 262

You have installed a new Windows Server 2008 server in your network. You want to enable the AD LDS role on this new server. Which options should you use to do so? (Select 2)

A. Roles are chosen when you install Windows server 2008 and they cannot be added later B. Use Add Roles wizard in server manager to select the desired role C. Use ServerManagerCmd.exe command to enable AD LDS role on new Windows server 2008 D. Use ServerMananagerole.exe command to enable AD LDS role on new Windows server 2008

Answer: B,C

Explanation: To enable the AD LDS role on this new Windows Server 2008, you need to use the Add Roles wizard in Server Manager to select the desired role, or use the ServerManagerCmd.exe command to enable the AD LDS role on the new Windows Server 2008. ServerManagerCmd.exe allows you to install new Server 2008 roles, perform logging on the install, select sub-features to be installed, perform "what if" analysis on what the results of the install would be, and much more.

Reference: Using the new Windows Server 2008 Servermanager.exe CLI tool to Add & Remove Server Roles http://www.windowsnetworKing.com/articles_tutorials/Windows-Server-2008-ServermanagerexeCLI-toolAdd

QUESTION NO: 263

You have installed a new Windows Server 2008 server in your network. You are now trying to enable the DNS and DHCP roles on the server. The server returns an error message while you try to do so: "Another user is currently adding or removing roles or features on this computer. Only one user can add or remove roles or features at a time to prevent conflicting configurations". What should you check to prevent this problem?

A. Don't use the "Add Roles Wizard" and run a ServerManagercmd.exe command at the same time B. Roles are chosen when you install Windows server 2008 and they cannot be added later C. In the core server installation you cannot add roles later D. None of the above

Answer: A

Explanation: To check that one user installs roles at a time, you need to use the ServerManagercmd.exe command instead of the Add Roles Wizard, because ServerManagercmd.exe generates a friendly error that states that only one user can add a role at a time. You cannot use the "Add Roles Wizard" and run a ServerManagercmd.exe command at the same time.

Reference: Using the new Windows Server 2008 Servermanager.exe CLI tool to Add & Remove Server Roles http://www.windowsnetworKing.com/articles_tutorials/Windows-Server-2008-ServermanagerexeCLI-toolAdd

QUESTION NO: 264

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain called Certkiller.com. The domain also contains computers that run the UNIX operating system. The domain runs a Windows Server 2008 member server called Certkiller Server1. The default Print Server role is installed on Certkiller Server1. Which of the following options would you choose to centralize printing on Certkiller Server1 for both UNIX and Windows users? (Select all that apply.)

A. Install the File Server role and activate the services for the NFS Role Service option on Certkiller Server1. B. Install the Line Printer Daemon (LPD) Services role service on Certkiller Server1. C. Configure the printers on Certkiller Server1 to use Line Printer Remote printing. D. Install the Internet Printing server role on Certkiller Server1.

Answer: B,C

Explanation: To provide support to the UNIX users who print on Certkiller Server1, you need to either install the Line Printer Daemon (LPD) Services role service on Certkiller Server1 or configure the printers on Certkiller Server1 to use Line Printer Remote printing. The Line Printer Daemon (LPD) Service installs and starts the TCP/IP Print Server (LPDSVC) service, which enables UNIX-based computers or other computers that are using the Line Printer Remote (LPR) service to print to shared printers on this server. You can use Print Services for UNIX to make your Windows computer work as a Line Printer Daemon (LPD) and Remote Line Printer client.

Reference: Overview of Print Services/ LPD Service http://technet2.microsoft.com/windowsserver2008/en/library/b7ccec81-c84b-45339a7b53bdaed2f7841033.msp

Reference: HOW TO: Install and Configure Print Services for UNIX http://support.microsoft.com/kb/324078

QUESTION NO: 265 DRAG DROP

A server named CK-LDS1 resides in the Certkiller LAN and has the Active Directory Domain Services (AD DS) role and the Active Directory Lightweight Directory Services (AD LDS) role installed. An AD LDS instance named CKLDS1 stores its data on the default application directory partition. The drive letters, size and space available on the CK-LDS1 server are configured as shown in the table exhibit. You find that the AD LDS database files are growing quickly, so you decide to relocate the AD LDS application partition to the D: drive where more space is available. Which three actions should you perform, and in what order? Note: Some answer choices will not be used.

Exhibit:

Answer:

QUESTION NO: 266

Certkiller.com has a network that comprises a single Active Directory domain. As an administrator at Certkiller.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers. Which tool should you use to test the certificate with AD LDS?

A. Ldp.exe B. Active Directory Domain services C. ntdsutil.exe D. Lds.exe E. wsamain.exe F. None of the above

Answer: A

Explanation: To test the certificate with AD LDS, you should use the Ldp tool. To establish SSL connections to AD LDS, a certificate should be present on the server. To set up SSL for AD LDS, a certificate marked for server authentication from a trusted CA should be installed on a computer running AD LDS. To test the certificate with the AD LDS server, you should run ldp.exe, which has its own GUI. You should run Ldp.exe on a computer running AD LDS and connect to the local instance of AD LDS by employing SSL.


QUESTION NO: 267

The Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) roles are installed on a Windows Server 2008 server named Certkiller-LDS1. An AD LDS instance named LDS1 is storing its data on the default application directory partition. The AD LDS database files are growing very fast and you need to relocate the AD LDS application partition to the D: drive. Which actions do you need to perform to do so? (Select 3. Each option will form a part of the answer)

A. Run the net stop "Domain Controller" command B. Run the net stop Certkiller-LDS1 command C. Use the Ntdsutil tool to move the database files D. Run the xcopy command to move the database files E. Run the net start Certkiller-LDS1 command F. Run the net start "Domain Controller" command

Answer: B,C,E

Explanation: To relocate the AD LDS application partition to the D: drive, you need to use the Ntdsutil tool. Ntdsutil.exe is a command-line tool that allows you to manage Active Directory. For example, it can be used to perform database maintenance of Active Directory, manage and control single master operations, remove metadata left behind by domain controllers, and create application directory partitions. Before you use the Ntdsutil tool, you need to stop the NTDS service using the net stop command on the Certkiller-LDS1 server, and after moving the partition, you need to start the NTDS service again using the net start command on the Certkiller-LDS1 server.

Reference: Using Ntdsutil http://technet2.microsoft.com/windowsserver/en/library/5b1d983d-ffab-4514a95e6aa0420dacb51033.mspx?mf

Reference: Event ID 1136 - Schema Operations http://technet2.microsoft.com/windowsserver2008/en/library/6a5d89c1-81df-445bb67dd5ce9b0fed921033.msp

QUESTION NO: 268

You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decide to back up only a specific AD LDS instance instead of taking a backup of the entire volume. What should you do to accomplish this task?

A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance C. Move AD LDS database and log files on a separate volume and use windows server backup utility D. None of the above

Answer: B

Explanation: To back up only a specific AD LDS instance instead of taking a backup of the entire volume, you need to use the Dsdbutil.exe tool to create installation media that corresponds only to the AD LDS instance. The Dsdbutil.exe tool allows you to create installation media that corresponds only to the AD LDS instance that you want to back up, instead of backing up entire volumes that contain the AD LDS instance.

Reference: Step 1: Back Up AD LDS Instance Data http://technet2.microsoft.com/windowsserver2008/en/library/8e82c111-32da-430ea954c0dbe9f4607f1033.msp

QUESTION NO: 269

Certkiller.com has installed a server. You are assigned to install and run an instance of Active Directory Lightweight Directory Services (AD LDS). After doing the necessary configuration, you start an instance of AD LDS successfully. Now you need to create new Organizational Units in the AD LDS application directory partition. What should you do to create new OUs in the AD LDS application directory partition?

A. To create the OUs, use the dsmod OU command B. Employ ADSI Edit Snap-in to create the OUs on the AD LDS application directory partition C. Create OUs by executing dsadd OU command D. Create OUs on the AD LDS application directory partition by using Active Directory Users and Computers snap-in.

Answer: B

Explanation: To create new OUs in the AD LDS application directory partition, you should use the ADSI Edit snap-in. ADSI Edit is a snap-in that runs in a Microsoft Management Console (MMC). The default console containing ADSI Edit is AdsiEdit.msc. If this snap-in is not added in your MMC, you can add it through the Add/Remove Snap-in menu option in the MMC, or you can open AdsiEdit.msc from Windows Explorer.


QUESTION NO: 270

Certkiller.com has a server that runs on Windows Server 2008. The server also has an instance of Active Directory Lightweight Directory Services (AD LDS) running. In order to test AD LDS, you need to replicate the AD LDS instance on a test computer located on the network. What should you do to achieve this objective?

A. Execute AD LDS Setup wizard on the test computer to create and install a replica of AD LDS. B. Execute repadmin/bs command on the test computer C. Install and configure a new AD LDS instance on the test computer by copy and pasting the entire partition on the test computer D. Execute the Dsmgmt command on the test computer and create a naming context

Answer: A

Explanation: To replicate the AD LDS instance on a test computer located on the network, you should execute AD LDS setup wizard on the test computer to create and install a replica of AD LDS. This is the only way to replicate the AD LDS instance on another computer on the network. The setup wizard has the option to replicate the AD LDS instance on another computer.

QUESTION NO: 271

Certkiller.com has a server with the Active Directory Rights Management Services (AD RMS) server role installed. Users have computers with Windows Vista installed on them, with an Active Directory domain at the Windows Server 2003 functional level. As an administrator at Certkiller.com, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user. B. Add and configure ADRMSADMIN account in local administrators group on the user computers C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group D. Reinstall the Active Directory domain on user computers E. All of the above

Answer: A

Explanation: To configure AD RMS to enable users to use it and protect their documents, you should configure an email account in Active Directory Domain Services (AD DS) for each user. To regulate access to rights-protected content for all AD RMS users in the AD DS forest, AD RMS must use AD DS. AD RMS cannot grant licenses to publish and consume rights-protected content if AD DS is not available to work with AD RMS. You should not add and configure the ADRMSADMIN account in the local administrators group on the user computers because AD DS is needed for AD RMS to function properly.

Reference: http://technet2.microsoft.com/windowsserver2008/en/library/c8f83d5b-e10d-4c318af9d2afb076dbf81033.mspx

QUESTION NO: 272

Certkiller.com has a domain controller that runs Windows Server 2008. The Certkiller.com network boasts 40 Windows Vista client machines. As an administrator at Certkiller.com, you want to deploy Active Directory Certificate Services (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location?

A. Configure Enterprise CA certificate settings B. Configure Enterprise trust certificate settings C. Configure Advance CA certificate settings D. Configure Group Policy certificate settings E. All of the above

Answer: D

Explanation: To manage certificate settings on all machines in a domain from one main location, you should configure Group Policy certificate settings. The main feature of certificate settings in Group Policy is to allow administrators to manage certificate settings for the entire network from a single location. When you configure certificate settings by using Group Policy, it changes the settings throughout the domain. AD CS is a certificate service that is a type of server role in Windows Server 2008. You can use Server Manager to configure AD CS.

QUESTION NO: 273

Certkiller has an Active Directory Rights Management Services (AD RMS) server. User machines are running Windows Vista and an Active Directory domain is configured at the Microsoft Windows Server 2003 functional level. Users are complaining that they cannot protect their documents. You need to configure AD RMS so that users are able to protect their documents. What should you do?

A. Use a group policy to install the AD RMS client computers B. Add the ADRMSADMIN account to the local administrators group on the computers C. Add the ADRMSSRVC account to the local administrators on the AD RMS server D. Establish an e-mail account in Active Directory Domain Services (AD DS) for each user E. Upgrade the active directory domain to the functional level of Windows 2008 server


Answer: D

Explanation: To configure AD RMS so that users are able to protect their documents, you can establish an email account in Active Directory Domain Services (AD DS) for each user. AD RMS can be enabled on Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007 applications that can be used to access or send information outside the organization. For additional security, AD RMS can be integrated with other technologies such as smart cards.

Reference: Active Directory Rights Management Services Overview http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2876f15b156a0b4e01033.msp

QUESTION NO: 274

Certkiller has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Please see exhibit B. Client computers are running Windows XP and Windows Vista. All domain controllers are running Windows Server 2008.

Exhibit B

You need to deploy Active Directory Rights Management Services (AD RMS) to secure all documents and spreadsheets and to provide user authentication. What do you need to configure in order to complete the deployment of AD RMS?

A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Certkiller_DC1 B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Certkiller_DC1 C. Upgrade all client computers to Windows Vista. Install AD RMS on Certkiller_SRV5 D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Certkiller_SRV5 E. None of the above


Answer: D

Explanation: To deploy Active Directory Rights Management Services (AD RMS) to secure all documents and spreadsheets and to provide user authentication, you need to ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on Certkiller_SRV5. You can only deploy AD RMS on a member server in the domain and not on domain controllers. Therefore you cannot install AD RMS on Certkiller_DC1, which is a domain controller, but you can install it on Certkiller_SRV5, which is a File and Print server.

Reference: Pre-installation Information for Active Directory Rights Management Services http://technet2.microsoft.com/windowsserver2008/en/library/878e9550-5966-40f3862c7ea309ddb0ed1033.msp

Reference: Active Directory Rights Management Services Overview http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2876f15b156a0b4e01033.msp

QUESTION NO: 275

Certkiller.com has a server with the Active Directory Rights Management Services (AD RMS) server role installed. Users have computers with Windows Vista installed on them, with an Active Directory domain at the Windows Server 2003 functional level. As an administrator at Certkiller.com, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality?

A. Configure an email account in Active Directory Domain Services (AD DS) for each user. B. Add and configure ADRMSADMIN account in local administrators group on the user computers C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group D. Reinstall the Active Directory domain on user computers E. All of the above


Answer: A

Explanation: To configure AD RMS to enable users to use it and protect their documents, you should configure an email account in Active Directory Domain Services (AD DS) for each user. Users can use the email account application to protect their documents.


QUESTION NO: 276

Certkiller.com has a server that runs Windows Server 2008. The Active Directory forest is configured at the functional level. To enable users to have database services on the server, you install Microsoft SQL Server 2005 and implement Active Directory Rights Management Services (AD RMS). While testing the server, you attempt to open the AD RMS administration website. You receive an error message saying: "SQL Server does not exist or access is denied". You want to rectify this problem and open the AD RMS administration website. Which two actions should you perform to achieve this objective? (Select two answers. Each answer is part of the complete solution)

A. Install and configure Message Queuing B. Restart the Internet Information Server (IIS) C. Delete the AD RMS instance and the SQL server and install it again. D. Start the MSSQLSVC service E. None of the above

Answer: B,D

Explanation: To rectify the SQL Server problem, you have to restart the Internet Information Server (IIS). The IIS server will be refreshed. Then you start the MSSQLSVC service to start the SQL server. This will enable you to access the database from the AD RMS administration website.

QUESTION NO: 277

Certkiller.com has an Active Directory forest with a root domain named root.Certkiller.local and three sub domains named subA.Certkiller.local, subB.Certkiller.local and subC.Certkiller.local. On subA.Certkiller.local, you have installed a Windows Server 2008 core edition server. It is named ebv-coreA. Certkiller.com has announced restructuring of several departments. The ebv-coreA is now configured on subB.Certkiller.local. Which command should you use to put ebv-coreA on subB.Certkiller.local?

A. netsh.exe tool B. Active Directory Domain services snap-in C. netdom.exe tool D. ocsetup.exe tool E. All of the above

Answer: C

Explanation: To put ebv-coreA on subB.Certkiller.local, you should use netdom.exe. Netdom.exe is used to connect the server or a computer to a domain. It can also be used to change the server name. When you connect the server to the domain, the server will automatically be available to domain users. Netdom.exe is a command-line utility which enables administrators to manage Windows Server 2003, Windows Server 2000 and Windows Server 2008 domains and trust relationships.

QUESTION NO: 278

Certkiller.com has servers that run Windows Server 2008. As an administrator at Certkiller.com, you install the Server Core on one of the computers that run Windows Server 2008. Which command should you run to activate the Server Core computer?

A. slmgr.vbs -dli
B. slmgr.vbs -ato
C. slmgr.vbs -did
D. slmgr.vbs -ipk
E. All of the above

Answer: B

Explanation: To activate the Server Core computer, you should use the slmgr.vbs -ato command. There is a Visual Basic (.vbs) script in Windows Server 2008. This script (slmgr.vbs) is used to activate a Server Core installation. You can activate a Server Core installation by using the slmgr.vbs script locally or remotely. To activate the server locally, you can use the slmgr.vbs -ato command. For remote activation, you can run the Cscript slmgr.vbs -ato command.

You should not use slmgr.vbs -dli because this command is used to display license information on a computer running a Server Core installation.

You should not use slmgr.vbs -did because this command is used to verify whether the activation was successful or not.

You should not use the slmgr.vbs -ipk command because this command is used to install a product key on a Server Core installation computer.

QUESTION NO: 279

You have performed a Windows Server 2008 core installation in the network. You need to configure time, date and time zone settings on this server. What should you do to configure the settings?

A. On the command prompt type "change Time/Date"
B. On the command prompt type "Control timedate.cpl"
C. On the command prompt type "Control timezone.cpl"
D. On the command prompt type "Control timedate.txt"
E. None of the above

Answer: B

Explanation: To find out available server roles on a Windows Server 2008 core installation, you need to use the Ocsetup.exe command.

Reference: Using the new Windows Server 2008 Core OCList and OCSetup CLI tools to Add & Remove Server Roles http://www.windowsnetworKing.com/articles_tutorials/Windows-Server-2008-Core-OCListOCSetup-CLItools

QUESTION NO: 280

You have performed a Windows Server 2008 Server Core installation in your network. Now you need to install a server role on a Server Core installation of Windows Server 2008. What command should you use to find out available server roles on a Windows Server 2008 core installation?

A. Ocsetup.exe
B. Net start /show all
C. Dcpromo list
D. Cscript scregedit.wsf
E. None of the above

Answer: A

Explanation: To find out available server roles on a Windows Server 2008 core installation, you need to use the Ocsetup.exe command.

Reference: Using the new Windows Server 2008 Core OCList and OCSetup CLI tools to Add & Remove Server Roles http://www.windowsnetworKing.com/articles_tutorials/Windows-Server-2008-Core-OCListOCSetup-CLItools

QUESTION NO: 281

You are an administrator at Certkiller.com. Certkiller has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate non-administrative accounts' passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative accounts' passwords?

A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above

Answer: C

Explanation: To populate the RODC server with non-administrative accounts' passwords, you should configure the administrative accounts to be added in the Domain RODC Password Replication Denied Group. The password replication policy is like an access control list. It verifies if the RODC is permitted to cache a password. When the RODC receives a user or computer logon request, it forwards the request to Password Replication Policy to determine if the password for that account should be cached. When the Password Replication Policy allows RODC to cache a password, the same account can perform subsequent logon in a more efficient manner. For non-administrative passwords, you have to add the administrative accounts in the RODC password replication denied group so that the password could not be cached. The Password Replication policy lists the accounts that are permitted to be cached and the accounts that are denied from being cached.

QUESTION NO: 282

Certkiller.com has a main office and a branch office. Certkiller.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows Server 2003. You are the administrator at Certkiller.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to set up RODC on the computer in the branch office?

A. Execute an attended installation of AD DS
B. Execute an unattended installation of AD DS
C. Execute RODC through AD DS
D. Execute AD DS by deploying the image of AD DS
E. None of the above

Answer: B

Explanation: To set up RODC on the computer in the branch office, you should perform an unattended installation of AD DS. RODC is a new type of domain controller offered by Windows Server 2008. It is a platform that hosts a read-only replica of the Active Directory database. Through RODC, you can deploy a domain controller easily at locations where physical security can be compromised, such as a branch office or a perimeter network. You can install RODC on a Server Core installation of Windows Server 2008. You need to be a member of the Domain Admins group or have an authority to perform installation in order to install RODC. To install RODC on a Server Core system, you need to perform an unattended installation of AD DS. The main purpose of unattended installations is to install without responding to a user interface prompt. You should not perform an attended installation of AD DS because you won't be able to install RODC on a Server Core installation. Only unattended installations of AD DS can be performed to install RODC.

QUESTION NO: 283

As the Certkiller administrator you have installed a read-only domain controller (RODC) server at a remote location. The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers?

A. Remove any administrative accounts from RODC's group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO.
E. None of the above

Answer: B

Explanation: To allow administrative accounts to replicate authentication information to Read-Only Domain Controllers, you need to add administrative accounts to the domain Allowed RODC Password Replication group. By default, only the members of the Allowed RODC Password Replication group are allowed to replicate authentication information to Read-Only Domain Controllers. The actual replication would happen only when the members of this group are authenticated by the RODC. Note that the Administrators group is explicitly denied such replication.

Reference: Security MVP Article of the Month - December 2007 / Physical Security http://www.microsoft.com/technet/community/columns/secmvp/sv1207.mspx

QUESTION NO: 284

One of the remote branch offices of Certkiller is running a Windows Server 2008 with a read-only domain controller (RODC) installed. For security reasons you don't want some critical credentials (such as passwords and encryption keys) to be stored on the RODC. What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2)

A. Configure RODC filtered attribute set on the server
B. Configure RODC filtered set on the server that holds Schema Operations Master role
C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain
D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set
E. None of the above

Answer: B,D

Explanation: To ensure the critical credentials are not replicated to any RODCs in the forest, you need to first configure a filtered attribute set. The attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest. You need to then configure the RODC filtered set on the server that holds the Schema Operations Master role because the RODC filtered attribute set is configured on the server that holds the schema operations master role. You need to use forest functional level server for Windows Server 2008 to configure the filtered attribute set because an RODC can be configured by malicious users to replicate the attributes defined in the RODC filtered attribute set from a Windows Server 2003 domain controller, and the replication request may succeed. However, if the forest functional level is Windows Server 2008, then an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

Reference: AD DS: Read-Only Domain Controllers / RODC filtered attribute set http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f9bb3ecaf649bd3dd1033.msp

QUESTION NO: 285

Certkiller.com has a main office and branch office in another city. You are assigned to deploy and implement a Read-only Domain Controller (RODC) at the branch office. You deploy a RODC that runs Windows Server 2008. What should you do to ensure that the users at the branch office can log on to the domain using RODC?

A. Use Password Replication Policy on the RODC
B. Add RODC to the main office
C. Deploy and configure a new bridgehead server in the branch office
D. Deploy and configure a Password Replication Policy on the RODC in the main office

Answer: A

Explanation: To ensure that the users at the branch office can log on to the domain using RODC, you should use Password Replication Policy. RODCs don't cache any user or machine passwords. You can change this by adding a policy through each RODC's unique Password Replication Policy (PRP). A policy would create a group for each branch office with a RODC and add users in that branch office. An administrator can then allow password replication for the branch-office group.

QUESTION NO: 286

Certkiller.com has a main office and 30 branch offices. To manage the network, each branch office has a separate Active Directory site that has a dedicated read-only domain controller (RODC). A branch office located in a far off location reports a robbery. The robbers have stolen the RODC server. Which utility should you use to recover the user accounts that were cached on the stolen RODC server?

A. Execute Dsmod.exe
B. Use Active Directory Users and Computers
C. Use Active Directory Sites and Computers
D. Execute Ntdsutil.exe with -ato parameter
E. None of the above

Answer: B

Explanation: You should use Active Directory Users and Computers to recover the user accounts cached on the stolen RODC server. The Active Directory Users and Computers have user accounts and OUs. You can get the user accounts cached on the stolen RODC server easily from there.

QUESTION NO: 287

The Certkiller network contains a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server?

A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts
B. Add a password replication policy to the main Domain RODC and add user accounts in the security group
C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server
D. Configure and add a separate password replication policy on each RODC computer account

Answer: D

Explanation: To ensure that the cached credential for user accounts are only stored in their local RODC server, you have to configure and add a separate password replication policy on each RODC computer account. By adding a separate PRP, the user accounts in each branch office will be able to authenticate their accounts.

QUESTION NO: 288

Certkiller.com has an Active Directory domain. There is a server in this domain that has AD CS (Active Directory Certificate Services). The AD CS is configured as Enterprise Root Certificate authority (CA). The Enterprise Root CA is also installed and configured on all machines in the domain. There is a need for a new application in technical department. You install that application. Certkiller.com security policy dictates that the application should employ Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). How will you enable LDAPS connections between the application and the domain controllers?

A. Request a client certificate from Enterprise Root CA and install it on domain controller that has a Domain Naming Master role
B. Get the user certificate for each individual user from Enterprise Root CA, Install the certificate on each user profile in the technical department
C. Install AD CS certificate on all computers in the technical department. Request an Enterprise Root CA certificate and install that on each computer
D. Install a server certificate requested from Enterprise Root CA, on all domain controllers
E. None of the above

Answer: D

Explanation: To enable LDAPS connections between the application and the domain controllers, you should install a server certificate requested from enterprise Root CA, on all domain controllers. When an application needs an LDAPS connection to the AD LDS server or a global catalog server, a server certificate must be installed on the LDAP server or domain controller.

QUESTION NO: 289

Certkiller.com has an Active Directory forest on a single domain. You install an Active Directory Enterprise certification authority (CA) on a stand-alone server. You also add the Active Directory Certificate Services (AD CS) role to the server. When you add the AD CS, you find out that the Enterprise CA option is not showing up in the Specify Setup Type selection dialog box. What should you do to ensure that you are able to install AD CS role on the server?

A. Add the DNS Server role
B. Add Active Directory Lightweight Directory Services (AD LDS) role
C. In the option box, enable the Active Directory Domain Services (AD DS) role
D. In the option box, enable the IIS and AD CS roles
E. None of the above

Answer: C

Explanation: To install AD CS role on the server, you should enable the Active Directory Domain Services (AD DS) role in the option dialog box. AD DS stores information about objects on the network and provides this information to the users and network administrators. AD DS uses domain controllers to provide network users with access to permitted resources anywhere on the network through a single logon process. You should not enable IIS role in the option box because IIS server publishes a webpage and it is not relevant in this scenario. You should not add the DNS Server role because you are trying to install AD CS role on the server. DNS server has nothing to do with the installation of AD CS role on the server.

QUESTION NO: 290

Certkiller network consists of a network with single Active Directory domain running Windows 2008 server. The company wants to provide smart cards to all users to log on to the domain. You need to install an Enterprise Root Certificate Authority (CA) in the domain. What two actions should you perform to install an Enterprise Root CA? Select two.

A. Install Windows Server 2008 Enterprise edition on a server in the network
B. Add the new CA to domain
C. Install Windows Server 2008 standard edition on a server in the network
D. Install Active directory Lightweight Directory services (AD LDS) on a server in the network
E. Leave the CA in workgroup
F. None of the above

Answer: A,B

Explanation: Enterprise CAs and Online Responders can only be installed on servers running Windows Server 2008 Enterprise or Windows Server 2008 Datacenter. Therefore to install an Enterprise Root Certificate Authority (CA) in the domain, you need to install Windows Server 2008 Enterprise edition on a server in the network and add the new CA to domain.

Reference: Windows Server Active Directory Certificate Services Step-by-Step Guide / Step 1: Setting Up an Enterprise Root CA http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6fa801ae6a87fd174c1033.mspx

QUESTION NO: 291

Certkiller network consists of a network with single Active Directory domain running Windows 2008 server. Ten servers of the domain perform as web servers. All confidential files are stored on a server named Fserv1. To comply with the company's security policy, which states that all confidential data must be transmitted in a secure manner, you have activated Encryption File System (EFS) on the confidential files. You also added EFS certificates to the Data Decryption Field (DDF) of the confidential files for the users who need to access those files. On monitoring the network you discovered that the confidential files stored on Fserv1 are being transmitted over the network without encryption. In order to ensure that encryption is always enabled when confidential files are transmitted over the network, what should you do? (Select all that apply)

A. Deactivate all LM and NTLM authentication methods on the Fserv1
B. Use IIS to publish the confidential files, activate SSL on the IIS server, and then open the files on the web server
C. Use IPSec encryption between the Fserv1 server and the computers of the users who want to access the confidential files
D. Use the Server Message Block (SMB) signing between the Fserv1 server and the computers of the users who want to access confidential files
E. Activate offline files for the confidential files that are stored on the Fserv1 server. In the folder Advanced Properties dialogue box, select the encrypt contents to secure data option.
F. All of the above

Answer: B,C

Explanation: In order to ensure that encryption is always enabled when confidential files are transmitted over the network, you need to publish the confidential files using IIS after using SSL on it. The SSL will ensure that the files are always encrypted and publishing will distribute the files to all users in the same manner. You can also use IPSec encryption between the Fserv1 server and the computers of the users who want to access the confidential files.

Reference: How to Setup SSL on IIS 7.0 http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-7/

QUESTION NO: 292

You are an Enterprise administrator for Certkiller.com. The corporate network of the company consists of a single Active Directory domain. All the servers on the corporate network run Windows Server 2008. The company has Active Directory Certificate Services (AD CS) and Network Access Protection (NAP) deployed on the network. Which of the following options would you choose to configure the wireless network to accept smart cards?

A. Use WEP, 802.1X authentication, PEAP, and MSCHAP v2.
B. Use WPA2, PEAP, and MSCHAP v2.
C. Use WPA2, 802.1X authentication and EAP-TLS.
D. Use WPA, PEAP, and MSCHAP v2 and also require strong user passwords.

Answer: C

Explanation: To configure the wireless network to accept smart cards, you need to use WPA2, 802.1X authentication and EAP-TLS. The use of smart cards for user authentication is the strongest form of authentication in the Windows Server 2003 family. For remote access connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Level Security (EAP-TLS).

Reference: Using smart cards for remote access http://technet2.microsoft.com/windowsserver/en/library/c19be042-6b5c-407a-952dfb6f451b5edd1033.mspx?m

QUESTION NO: 293

Certkiller.com runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The security policy at Certkiller.com makes it necessary to examine revoked certificate information. You need to make sure that the revoked certificate information is available at all times. What should you do to achieve that?

A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain.
B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain
C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array.
D. Use network load balancing and publish an OCSP responder
E. None of the above

Answer: D

Explanation: To ensure that the revoked certificate information is available at all times, you should use network load balancing and publish an OCSP responder. OCSP is an online responder that can receive a request to check for revocation of a certificate without the client having to download the entire CRL. This process speeds up certificate revocation checking and reduces the network bandwidth used for this process. This can be helpful especially when such checking is done over slow WAN links.

QUESTION NO: 294

Certkiller.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card. Certkiller.com requires every server in the company to access the Internet. Certkiller.com security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states the IP address space used by other networks should not be used by the evaluation lab network. As an administrator you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the internet. You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with the company's security policy. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution)

A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig/renew command on each virtual server
B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS)
C. Use Certkiller.com intranet IP addresses on all virtual servers on CKT.
D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network.
E. None of the above

Answer: A,D

Explanation: To configure all virtual servers on the CKT server to access the internet and comply with the company's security policy, you should trigger the virtual DHCP server for the external virtual network and run the ipconfig/renew command on each virtual server. Then add and install a Microsoft Loopback adapter network interface on CKT. Create a virtual network using the new interface. When you configure the Virtual DHCP server for the external virtual network, a set of IP addresses is assigned to the virtual servers on the CKT server. By running the ipconfig/renew command, the new IP addresses will be renewed. The Microsoft Loopback adapter network interface will ensure that the IP address space used by other networks is not used by the virtual servers on the CKT server. You create a new virtual network on the new network interface, which will enable you to access the internet.

QUESTION NO: 295

Certkiller has an Active Directory forest with single domain. Some other applications are also hosted on its perimeter network. The organization wants single sign-on to all applications hosted on perimeter network. The company has a domain member server with Active Directory Federation Services (AD FS) role installed. You are required to configure the AD FS trust policy to populate AD FS tokens with employee's information from Active Directory domain. What should you do?

A. Add and configure a new account store
B. Add and configure a new organization claim
C. Add and configure a new account partner
D. Add and configure a new application
E. None of the above

Answer: A

Explanation: To configure the AD FS trust policy to populate AD FS tokens with employee's information from Active Directory domain, you need to add and configure a new account store. AD FS allows the secure sharing of identity information between trusted business partners across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. Because claims originate from an account store, you need to configure account store to configure the AD FS trust policy.

Reference: Active Directory Federation Services http://msdn2.microsoft.com/en-us/library/bb897402.aspx

QUESTION NO: 296

You have installed an Active Directory Federation Services (AD FS) role on a Windows Server 2008 in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and that the Federation server is operational. What should you do? (Select all that apply)

A. Go to Services tab, and check if Active Directory Federation Services is running
B. In the event viewer, Applications, Event ID column look for event ID 674.
C. Open a browser window, and then type the Federation Service URL for the new federation server.
D. None of the above

Answer: B,C

Explanation: To test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and Federation server is operational, you can look for event ID 674. This event verifies that the federation server was able to successfully communicate with the Federation Service. You can also open a browser window, and then type the Federation Service URL for the new federation server. The Federation Server Service page should appear along with a list of links that identify the Web methods that the Federation Service uses. The Federation Service URL should include the Domain Name System (DNS) host name of the federation server.

Reference: Event ID 674 - Trust Policy and Configuration http://technet2.microsoft.com/windowsserver2008/en/library/71705c30-e97f-4e3692abd33175bf588d1033.msp

Reference: Verify That a Federation Server Is Operational http://technet2.microsoft.com/windowsserver2008/en/library/ecf28b0c-014

QUESTION NO: 297

As an administrator at Certkiller.com, you have installed an Active Directory forest that has a single domain. You have installed an Active Directory Federation services (AD FS) on the domain member server. What should you do to configure AD FS to make sure that AD FS token contains information from the Active Directory domain?

A. Add a new account store and configure it
B. Add a new resource partner and configure it
C. Add a new resource store and configure it
D. Add a new administrator account on AD FS and configure it

Answer: A

Explanation: To ensure that AD FS token contains information from the Active Directory domain, you should add a new account store and configure it accordingly. To add a new account store you can use the AD FS console. By expanding My organization, you right-click on Account stores and create a new account store. The Add Account Store Wizard will guide you through the process.

QUESTION NO: 298

Certkiller.com boasts a two-node Network Load Balancing cluster which is called web.CK1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only. While monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.CK1.com. You also discover that there is only one port rule configured for the Network Load Balancing cluster. You have to configure the web.CK1.com NLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution)

A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console
B. Run the wlbs disable command on the cluster nodes
C. Assign a unique port rule for NLB cluster by using the NLB Cluster console
D. Delete the default port rules through Network Load Balancing Cluster console

Answer: A,D

Explanation: To configure the web.CK1.com NLB cluster to accept HTTP traffic only, you should first create a new rule for TCP port 80 by using the NLB cluster console. Then you should delete the default port rules through the NLB Cluster console. By creating a new rule for TCP port 80, you configure the port to accept only HTTP traffic. Then deleting the default port rules ensures that those rules won't be implemented automatically.

QUESTION NO: 299

Certkiller asks you to implement Windows CardSpace in the domain. You want to use Windows CardSpace at your home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of Windows CardSpace cards to be used at home?

A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive
B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive
C. Back up the system state data by using backup status tool on your USB drive
D. Employ Windows Cardspace application to backup the data on your USB drive
E. Reformat the C: Drive

Answer: D

Explanation: Of course, you should use the Windows CardSpace application to back up the data on your USB drive. You can use this data on any computer to access and use Windows CardSpace. Windows CardSpace is a tool that creates relationships with websites and online services. Windows CardSpace provides a unique way for:
1. sites to request information from you
2. you to review the identity of a site
3. you to manage your information by using information cards
4. you to review card information before you send it
Windows CardSpace has a backup feature. You can use it to back up card data to a storage medium. You should not back up the system state data by using the backup status tool on your USB drive. It is not related to the scenario mentioned above. You should not back up the \Windows\Globalization folder by using backup status and save the folder on your USB drive, because backup status will not be able to back up the data onto any storage device.

QUESTION NO: 300

Certkiller.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an organizational unit (OU) on the domain controller. As an administrator of Certkiller.com, you are in the process of restoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU. Which backup should you use to perform a non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller?

A. Critical volume backup
B. Backup of all the volumes
C. Backup of the volume that hosts Operating system
D. Backup of AD DS folders
E. All of the above

Answer: A

Explanation: You should use a critical volume backup to perform a non-authoritative restore of AD DS without disturbing other data stored on the domain controller. An authoritative restore process returns a designated object or a container of objects to its state at the time of backup. The authoritative restore marks the OU as authoritative and causes the replication process to restore it to all domain controllers in the domain. You must first complete a non-authoritative restore before performing an authoritative restore of AD DS. You also need to ensure that replication does not occur after the non-authoritative restore. You must do a critical-volume backup before you perform a non-authoritative restore. To prevent replication from occurring after the non-authoritative restore and to perform the authoritative restore portion of the operation, you must restart the domain controller in Directory Services Restore Mode and perform the authoritative restore at the domain controller that you are restoring. You should start the domain controller normally after performing the authoritative restore of AD DS. You should also synchronize replication with all replication partners.

QUESTION NO: 301 DRAG DROP

Certkiller.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects. You have backed up the system state data using third-party backup software. To restore the backup, you start the domain controller in Directory Services Restore Mode (DSRM). You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state. Which three actions should you perform? The answer should be in a sequence. Drag and drop the appropriate action into the sequential order.

Answer:

QUESTION NO: 302

Certkiller has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domain controller for disaster recovery apart from the routine backup procedures. You are unable to launch the backup utility while attempting to back up the system state data for the domain controller. You need to back up system state data from the Windows Server 2008 domain controller server. What should you do?

A. Add your user account to the local Backup Operators group
B. Install the Windows Server backup feature using the Server Manager feature
C. Install the Removable Storage Manager feature using the Server Manager feature
D. Deactivate the backup job that is configured to back up the Windows 2008 server domain controller on the Windows 2003 server
E. None of the above

Answer: B

Explanation: To back up system state data from the Windows Server 2008 domain controller server, you need to install the Windows Server Backup feature using the Server Manager feature. Windows Server Backup is not installed by default. You must install it by using the Add Features option in Server Manager.

Reference: What's New in AD DS Backup and Recovery? http://technet2.microsoft.com/windowsserver2008/en/library/67f18955-c504-4d639f849b8c25d428e81033.msp

QUESTION NO: 303

You have installed Windows Server 2008 on a computer and configured it as a file server named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance, you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1. Which utility will you use to convert basic disks to dynamic disks on FileSrv1?

A. Diskpart.exe
B. Chkdsk.exe
C. Fsutil.exe
D. Fdisk.exe
E. None of the above

Answer: A

Explanation: To convert basic disks to dynamic disks on FileSrv1, you need to use the Diskpart.exe utility.

Reference: Managing and Troubleshooting Desktop Storage / Basic Disks http://www.informit.com/articles/article.aspx?p=332154

QUESTION NO: 304

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a Windows Server 2008 server on which the Windows Backup and Restore utility is installed. Which of the following command options would you choose to run on the server to create a full backup of all system state data to the DVD drive (E: drive)?

A. Wbadmin enable backup -addtarget:R: /quiet
B. Wbadmin enable backup addtarget:C: /quiet
C. Wbadmin start backup allCritical backuptarget:C: /quiet
D. Wbadmin start backup allCritical backuptarget:E: /quiet

Answer: D

Explanation: To create a full backup of all system state data to the DVD drive (E: drive) on the server, you need to run the Wbadmin start backup allCritical backuptarget:E: /quiet command on the server. Wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt. Wbadmin start backup runs a one-time backup. If used with no parameters, it uses the settings from the daily backup schedule. allCritical automatically includes all critical volumes (volumes that contain the operating system's state). It can be used with the -include parameter. This parameter is useful if you are creating a backup for full system or system state recovery. It should be used only when -backupTarget is specified. Here the backupTarget is the DVD drive (E: drive) on the server, so you need to specify backuptarget:E:. /quiet runs the subcommand without any prompts to the user.

Reference: Wbadmin start backup http://technet2.microsoft.com/windowsserver2008/en/library/4b0b3f32-d21f-486184bbb2eadbf1e7b81033.msp

QUESTION NO: 305

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a single Active Directory domain called Certkiller.com. The domain consists of a file server that runs Windows Server 2008. A network user of the company started restoring a critical large file by using the Previous Versions tab. The user wanted to view the progress of the file restoration. Which of the following options would you choose to view the progress of the file restoration?

A. Click on Sessions under the Shared Folders node in the Computer Management.
B. Click on Open Files under the Shared Folders node in the Computer Management
C. Run vssadmin.exe query reverts on the command prompt.
D. Run shadow.exe /v on the command prompt.

Answer: C

Explanation: To view the progress of the file restoration, you need to run vssadmin.exe query reverts from the command prompt. The Windows Server 2003 Volume Shadow Copy Service can also be administered from the command line by using the VSSAdmin tool that is included with Windows Server 2003. This tool replicates the features of the Shadow Copies tab of the volume Properties screen and can be called from batch files and scripts. VSSAdmin does not follow the typical "Command /switch" form, but instead uses a list of fixed commands to guide its function. Query Reverts queries the status of in-progress revert operations.

Reference: Rapid Recovery with the Volume Shadow Copy Service / Command-Line Management http://technet.microsoft.com/en-us/magazine/cc196308.aspx

QUESTION NO: 306

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. A member server called Certkiller Server1 has a SaleRecords folder created on it on the D: drive. The D:\SaleRecords folder is corrupted. The most recent backup version is 01/28/2008-09:00. Which of the following options would you choose to restore all the files in the D:\SaleRecords folder back to the most recent backup version, without affecting other folders on the server?

A. Run the Wbadmin start recovery -version: 01/28/2008-09:00-itemType:File items:d:\SaleRecords -overwrite -recursive -quiet command.
B. Run the Wbadmin start recovery -backuptarget:D: -version: 01/28/2008-09:00-overwrite -quiet command.
C. Run the Recover d:\ SaleRecords command.
D. Run the Wbadmin restore catalog -backuptarget:D: -version: 01/28/2008-09:00-quiet command.

Answer: A

Explanation: To restore all the files in the D:\SaleRecords folder back to the most recent backup version without affecting other folders on the server, you need to run the Wbadmin start recovery -version:10/29/2007-09:00 -itemType:File -items:d:\SaleRecords -overwrite -recursive -quiet command. Wbadmin start recovery runs a recovery based on the parameters that are specified. In the above command, -version 10/29/2007-09:00 specifies the version identifier of the backup to recover, and -itemtype:File specifies the type of items to recover. In this case it is the file that needs to be recovered. -items:d:\SaleRecords specifies that the d:\SaleRecords folder needs to be recovered. -overwrite causes Windows Server Backup to overwrite the existing file with the file from the backup. -recursive will only recover files which reside directly under the specified folder. And -quiet runs the subcommand with no prompts to the user.

Reference: Wbadmin start recovery http://technet2.microsoft.com/windowsserver2008/en/library/52381316-a0fa-459fb6a601e31fb216121033.msp

QUESTION NO: 307

Certkiller.com has a server running Windows Server 2008. The Windows Server Virtualization role service is installed on this server. For maximum storage capacity you need to merge a parent disk and a differencing disk. What should you do to achieve this task?

A. Edit the differencing disk
B. Edit parent disk
C. Configure the Merge settings on differencing disk
D. Configure the Merge settings on Parent disk

Answer: A

Explanation: For maximum storage capacity, you need to merge a parent disk and a differencing disk by editing the differencing disk. A differencing disk is a child and it can be merged with the parent disk. The differencing disk stores all changes that would otherwise be made to the parent disk if the differencing disk was not being used. The differencing disk provides an ongoing way to save changes without altering the parent disk. You can use the differencing disk to store changes indefinitely, as long as there is enough space on the physical disk where the differencing disk is stored. The differencing disk expands dynamically as data is written to it and can grow as large as the maximum size allocated for the parent disk when the parent disk was created.

Reference: http://technet2.microsoft.com/windowsserver/en/library/d9ef5bd9-6ca2-488ba960f3f8ecd6ecc51033.mspx?mfr

QUESTION NO: 308

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in an Active Directory domain. On a network file server that runs Windows Server 2008 OS, a user restores a large file by using the Previous Versions tab. Which of the following options would you choose to view the progress of the file restoration?

A. Run shadow.exe /v, from the command prompt.
B. Run vssadmin.exe query reverts from the command prompt.
C. Click on sessions on the shared folders node in the Computer Management window that appears in Administrative tools
D. Click on open files on the shared folders node in the Computer Management window that appears in Administrative tools.
E. None of the above.

Answer: B

Explanation: To view the progress of the file restoration, you need to run vssadmin.exe query reverts from the command prompt. The Windows Server 2003 Volume Shadow Copy Service can also be administered from the command line by using the VSSAdmin tool that is included with Windows Server 2003. This tool replicates the features of the Shadow Copies tab of the volume Properties screen and can be called from batch files and scripts. VSSAdmin does not follow the typical "Command /switch" form, but instead uses a list of fixed commands to guide its function. Query Reverts queries the status of in-progress revert operations.

Reference: Rapid Recovery with the Volume Shadow Copy Service / Command-Line Management http://technet.microsoft.com/en-us/magazine/cc196308.aspx

QUESTION NO: 309

Critical services are running on CKD20, a domain controller. You have completed restructuring the organizational unit hierarchy for the domain and deleted the needless objects. What would you do to perform an offline defragmentation of the Active Directory database on CKD20 while ensuring that the critical services remain online?

A. Open the Microsoft Management Console (MMC) and stop the Domain Controller service. After that, run the defrag tool
B. Start the domain controller in the Directory Service restore mode and run the Ntdsutil tool
C. Start the domain controller and then use the Defrag tool to start defragmentation
D. Open the MMC and stop the Domain Controller service. After that, run the Ntdsutil tool.
E. All of the above

Answer: D

Explanation: To perform an offline defragmentation of the Active Directory database on CKD20 while ensuring that the critical services remain online, you should open the MMC and stop the Domain Controller service. Then you should run the Ntdsutil tool. Ntdsutil is a command-line tool that offers management facilities for Active Directory. When you stop the Domain Controller service, the critical services remain online. Then you should run the Ntdsutil tool, which will find out the location of the data files, working directory and log files. You can use the info command, which is a part of the ntdsutil command-line tool, to find out the location of the data files, log files and working directory. The info command analyzes and reports the free space for all disks installed on the computer, reads the registry keys that contain the location of the Active Directory files, and reports their values.

QUESTION NO: 310

Certkiller.com has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server?

A. Start the Active Directory Domain Services on CKDC1
B. Disconnect from the network and start the Windows update feature
C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates
D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again
E. None of the above

Answer: C

Explanation: To perform offline critical updates on CKDC1 without rebooting the server, you should stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. By stopping the Active Directory domain services, you don't need to reboot the server. The updates are related to the Windows Server 2008 on CKDC1, so when you stop the Active Directory domain services and start them again after the installation of the updates, the server will perform in a normal way.

QUESTION NO: 311

There are 100 servers and 2000 computers present at Certkiller.com headquarters. The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service. The nodes are named CKMFON1 and CKMFON2. The cluster on CKMFO has one physical shared disk of 400 GB capacity. A 200 GB single volume is configured on the shared disk. Certkiller.com has decided to host a Windows Internet Naming Service (WINS) on CKMFON1. The DHCP and WINS services will be hosted on other nodes. Using the High Availability Wizard, you begin creating the WINS service group on the cluster available on the CKMFON1 node. The wizard shows an error "no disks are available" during configuration. Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1?

A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group
B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard
C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these disk and direct CKMOFONI to use CKMFON2 volume for the WINS service group
D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard
E. None of the above

Answer: B

Explanation: To configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1, you need to add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard. This is because a cluster does not use shared storage. A cluster must use a hardware solution based either on shared storage or on replication between nodes.

Reference: No disks found http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2964971&SiteID=17

QUESTION NO: 312

Domain controller Bill12 runs critical services in the Certkiller network. Restructuring of the organizational unit domain hierarchy is being done, and all unnecessary objects are also being deleted. Offline defragmentation of the Active Directory database is to be performed on Bill12. We also need to ensure that critical services stay alive. What should you do?

A. Start the domain controller in the Directory Services restore mode. Run the defrag utility
B. Start the domain controller in the Directory Services restore mode. Run the Ntdsutil utility
C. Stop the Domain controller service in the Services MMC and run the Defrag utility.
D. Stop the Domain controller service in the Services MMC and run the Ntdsutil utility
E. None of the above

Answer: D

Explanation: To perform offline defragmentation of the Active Directory database on Bill12, you need to stop the Domain Controller service in the Services MMC and run the Ntdsutil utility. You can use the restart feature of AD DS to stop AD DS so that you can perform offline operations such as defragmentation of Active Directory objects.

Reference: Superior Identity Management Features in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter / Directory Services: Active Directory Domain Services http://download.microsoft.com/download/8/2/f/82fa3808-7168-46f1a07bf1a7c9cb4e85/WS08%20Identity%20

QUESTION NO: 313

The corporate network of Certkiller consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Certkiller 1 and Certkiller 2. To ensure central monitoring of events, you decided to collect all the events on one server, Certkiller 1. To collect events from Certkiller 2 and transfer them to Certkiller 1, you configured the required event subscriptions. You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work. Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution.)

A. Through Run window execute the winrm quickconfig command on Certkiller 2.
B. Through Run window execute the wecutil qc command on Certkiller 2.
C. Add the Certkiller 1 account to the Administrators group on Certkiller 2.
D. Through Run window execute the winrm quickconfig command on Certkiller 1.
E. Add the Certkiller 2 account to the Administrators group on Certkiller 1.
F. Through Run window execute the wecutil qc command on Certkiller 1.

Answer: A,B,C

Explanation: The subscriptions are not working because Normal subscriptions work only in a workgroup environment. To configure the event collection and event forwarding on the two servers, you need to first add the Certkiller 1 account to the Administrators group on Certkiller 2. Because you are working with machines that are part of an Active Directory (AD), on the source computer, type the winrm quickconfig command. Then type y followed by Enter to make the changes. This command sets up the source system to accept WS-Management requests from other computers. Now move to the collection system and repeat the WinRM command. This will allow you to control bandwidth usage or latency of the event forwarding process. Next, using the same elevated command prompt, run the wecutil qc command. Then type y followed by Enter to make the changes. This will configure the Windows Event Collector service to delayed autostart and start the service.

Reference: Collect Vista Events http://www.prismmicrosys.com/newsletters_june2007.php

QUESTION NO: 314

You are an enterprise administrator for Certkiller. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain. All the servers in the domain run Windows Server 2008. The branch office consists of three servers called Certkiller Server1, Certkiller Server2, and Certkiller Server3. All three servers run a Server Core installation of Windows Server 2008. To monitor Certkiller Server2 and Certkiller Server3 from Certkiller Server1, you decided to configure the Event Logs subscription on Certkiller Server1. However, you discovered that you cannot create a subscription on Certkiller Server1 to collect events from Certkiller Server2 and Certkiller Server3. Which of the following options would you choose to configure a subscription on Certkiller Server1? (Choose two. Each correct answer presents part of the solution.)

A. Run the wecutil cs subscription.xml command on Certkiller Server1.
B. Create an event collector subscription configuration file called subscription.xml on Certkiller Server1.
C. Use Event Viewer on Certkiller Server1 to create a custom view and export the custom view to subscription.xml file.
D. Run the wevtutil im subscription.xml command on Certkiller Server1.

Answer: A,B

Explanation: To configure a subscription on Certkiller Server1, you need to first create an event collector subscription configuration file and name the file subscription.xml. You then need to run the wecutil cs subscription.xml command on Certkiller Server1. This command enables you to create and manage subscriptions to events that are forwarded from remote computers that support the WS-Management protocol. The wecutil cs subscription.xml command will create a subscription to forward events from a Windows Vista Application event log of a remote computer at Certkiller.com to the ForwardedEvents log.

Reference: Wecutil http://technet2.microsoft.com/windowsserver2008/en/library/0c82a6cb-d652-429c9c3d0f568c78d54b1033.msp

QUESTION NO: 315

Certkiller.com has an Active Directory forest on a single domain. Certkiller needs a distributed application that employs a custom application. The application is directory partition software named PARDATA. You need to implement this application for data replication. Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution.)

A. Dnscmd
B. Ntdsutil
C. Ipconfig
D. Dnsutil
E. All of the above

Answer: A,B

Explanation: To implement the application for data replication, you should use the Dnscmd and Ntdsutil tools. The dnscmd command displays and changes the properties of DNS servers, zones and resource records. Through dnscmd, you can manually modify these properties, create and delete zones and resource records, and force replication events between DNS server physical memory and DNS databases and data files. You can implement the PARDATA application and distribute it through dnscmd. The Ntdsutil tool is a command-line utility that offers management facilities for Active Directory. You can create application directory partitions using this tool. The tool has a series of menus that allow you to perform multiple management tasks. Ntdsutil is installed in the systemroot\system32 folder. It can be accessed through the command prompt.

QUESTION NO: 316

Certkiller.com has a main office and a branch office. An Active Directory domain is present in each office. The users of the sales department need some space to store data for an application named SalesPros. You create an application directory partition for this purpose. You want to add a replica of the SalesPros application directory partition to the domain controller in the branch office too. The domain controller is called CKO2. Which tool should you use to add a replica of the SalesPros application directory partition to CKO2?

A. Dnscmd.exe
B. Repadmin.exe
C. Ntdsutil.exe
D. Dcpromo.exe
E. All of the above

Answer: C

Explanation: To add a replica of the SalesPros application directory partition to CKO2, you should use the Ntdsutil tool. The Ntdsutil tool is a command-line utility that offers management facilities for Active Directory. You can create application directory partitions using this tool. The tool has a series of menus that allow you to perform multiple management tasks. Ntdsutil is installed in the systemroot\system32 folder. It can be accessed through the command prompt.

QUESTION NO: 317

Certkiller has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication. The application is installed on one member server in five sites. You need to configure the five member servers to receive the ResData application directory partition for data replication. What should you do?

A. Run the Dcpromo utility on the five member servers
B. Run the Regsvr32 command on the five member servers
C. Run the Webadmin command on the five member servers
D. Run the RacAgent utility on the five member servers

Answer: A

Explanation: To configure the five member servers to receive the ResData application directory partition for data replication, you need to run the Dcpromo utility on the five member servers. The ApplicationPartitionsToReplicate:"" parameter, with partition names, can be used with Dcpromo to specify the application directory partitions that dcpromo will replicate.

Reference: Dcpromo http://technet2.microsoft.com/windowsserver2008/en/library/d660e761-9ee7-4382822a06fc2365a1d21033.msp

QUESTION NO: 318

The company has an Active Directory forest and requires a new distributed application that uses a custom application directory partition named ResData. We need to implement the ResData application directory partition for data replication. Which two utilities should you run to achieve your goal?

A. Ntdsutil
B. Wbadmin
C. RacAgent
D. Regsvr32

Answer: A,B

QUESTION NO: 319 Exhibit:

"Pass Any Exam. Any Time." - www.actualtests.com

234

Microsoft 70-649: Practice Exam

.co

m

Certkiller .com servers run Windows Server 2008. It has a single Active Directory domain. A server called CK4 has file services role installed. You install some disk for additional storage. The disks are configured as shown in the exhibit. To support data stripping with parity, you have to create a new drive volume. What should you do to achieve this objective?

lTe

sts

A. Build a new spanned volume by combining Disk0 and Disk1 B. Create a new Raid-5 volume by adding another disk C. Create a new virtual volume by combining Disk 1 and Disk 2 D. Build a new striped volume by combining Disk0 and Disk 2 Answer: B

Explanation: To support data striping with parity, you should create a new RAID-5 volume by adding another disk. By adding another volume, the total number of disks will be four. This way you can easily create the data stripes and the parity stripes.

QUESTION NO: 320

You are an enterprise administrator for Certkiller. The corporate network of the company runs Windows Server 2008 servers. One of the servers, called Certkiller Server1, has the file server role installed on it. Certkiller Server1 is accessed by many network users, who work on the server and use it to store data. To manage the server space, you configured quotas on the server. Which of the following options would you choose to view each user's quota usage on a per-folder basis?

A. Run dirquota.exe quota list on the command prompt.
B. Create a File Screen using File Server Resource Manager.
C. Review the Quota Entries list from the properties of each volume.
D. Create a Storage Management report from File Server Resource Manager.

Answer: D

Explanation: To view each user's quota usage on a per-folder basis, you need to create a Storage Management report from File Server Resource Manager. File Server Resource Manager allows you to create quotas to limit the space allowed for a volume or folder and generate notifications when the quota limits are approached or exceeded. It also allows you to generate storage reports instantly, on demand. To manage storage resources on a remote computer, you can connect to the computer from File Server Resource Manager. While you are connected, File Server Resource Manager will display the objects created on the remote computer.

Reference: Using the File Server Resource Manager Component / Managing Storage Resources on a Remote Computer http://technet2.microsoft.com/windowsserver/en/library/3510fd7c-cbfc-4f67b4fcd7de7c13373b1033.mspx?mfr

Reference: Introduction to File Server Resource Manager http://technet2.microsoft.com/windowsserver/en/library/3510fd7c-cbfc-4f67b4fcd7de7c13373b1033.mspx?mfr

QUESTION NO: 321

You are an enterprise administrator for Certkiller. The corporate network of the company runs Windows Server 2008 servers. One of the servers, called Certkiller Server1, has the file server role installed on it. Certkiller Server1 is accessed by 100 network users, who work on the server and use it to store data. To manage the server space, you decided to configure quotas on the server. Because too many quotas need to be configured, you decided to use a new quota template to apply quotas to 100 folders. Which of the following options would you choose to modify the quota settings for all 100 folders by using the minimum amount of administrative effort?

A. Modify the quota template.
B. Create a file screen template and apply it to the root of the volume that contains the folders.
C. Delete and create the quota template again.
D. Create a new quota template, apply it to all the folders, and then modify the quota for each folder.
E. None of the above.

Answer: A

Explanation: To modify the quota settings for all 100 folders by using the minimum amount of administrative effort, you can simply modify the quota template with the new settings that you want for all the 100 folders. If you base your quotas on a template, you can automatically update all quotas that are based on a specific template by editing that template. This feature simplifies the process of updating the properties of quotas by providing one central point where all changes can be made.

Reference: "About Quota Templates" http://technet2.microsoft.com/windowsserver2008/en/library/31790148-eaf1-41158a504ce7a4503d211033.msp

QUESTION NO: 322

You are an enterprise administrator for Certkiller. The corporate network of Certkiller consists of a file server that runs Windows Server 2008. All the network users store data on the file server in a shared folder. Because the data stored by the network users is critical for the company, you don't want to prevent users from storing data in the shared folder when they exceed their 500 MB limit of data storage. However, you want to receive a notification when a user stores more than 500 MB of data in the shared folder. Which of the following elements would you create to accomplish this task?

A. A Passive Screening File Screen.
B. An Active Screening File Screen.
C. A soft quota.
D. A hard quota.

Answer: C

Explanation: To allow users to store more than 500 MB of data in the shared folder and to receive a notification when a user stores more than 500 MB of data in the shared folder, you need to create a soft quota. A soft quota does not enforce the quota limit but generates all configured notifications. A hard quota cannot be used because it prevents users from saving files after the space limit is reached and generates notifications when the volume of data reaches each configured threshold.

Reference: Working with Quotas http://technet2.microsoft.com/windowsserver2008/en/library/fa248320-c5a5-4c4082371bc22eb8253d1033.msp

QUESTION NO: 323

Exhibit:

Certkiller.com has servers that run Windows Server 2008. It also has a single Active Directory domain. You are an administrator of a server called EFS. A file services role is installed on EFS. Certkiller.com requires the data disk drives to provide redundancy. The disks are configured as shown in the exhibit. You have to configure the hard disk drives to support RAID 1. What should you do to achieve this task? (Choose two answers. Each answer is part of a complete solution)

A. Create a group volume by using Disk1 and Disk 0
B. Create Disk1 and Disk 2 as dynamic drives
C. Create and configure a striped volume across Disk1 and Disk2
D. Using the Disk 1 and Disk 2, create a new mirrored volume

Answer: B,D

Explanation: To configure the hard drives to support RAID 1, you should create Disk1 and Disk 2 as dynamic drives and create a new mirrored volume using Disk1 and Disk 2. In data storage, disk mirroring or RAID 1 is the replication of logical disk volumes onto separate physical hard disks in real time to ensure continuous availability. A mirrored volume is a complete logical representation of separate volume copies.

Reference: technet2.microsoft.com/windowsserver/en/library/28af1c0d-8490-4ab0-8be049e5923c4bae1033.mspx

QUESTION NO: 324

Certkiller.com has servers that run Windows Server 2008. There are 2 domain controllers installed on the network. An Active Directory database is installed on the D volume of a domain controller. You want to move the Active Directory database to a new volume. What should you do to achieve this task?

A. Open the Files option in the Ntdsutil utility and move the ntds.dit file to the new volume
B. Move the ntds.dit file to the new volume using the Copy and Paste function in Windows PowerShell
C. Use the XCOPY command at the Windows command prompt to move the ntds.dit file to the new volume
D. Use Windows Explorer to move the ntds.dit file to the new volume.

Answer: A

Explanation: To move the Active Directory database to a new volume, you should move the ntds.dit file to the new volume by opening the Files option in the Ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry.

Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81cad51707bf01eb1033.msp

QUESTION NO: 325

Certkiller.com has a main office with six branch offices. The Active Directory forest of the company is on a single domain that has three sites. Active Directory Certificate Services (AD CS) is installed and configured as an Enterprise Root Certificate Authority (CA) on a server that is on the same domain. All computers in the domain have the Enterprise Root CA installed on them. You plan to install an application on all computers in the domain. When you install that application, you remember that the company security policy dictates that an application must use Lightweight Directory Access Protocol over Secure Sockets Layer (LDAPS). The application fails to connect to a remote global catalog server. What should you do to test the LDAPS connection between the remote global catalog server and the client computer accessing it?

A. Execute repadmin.exe command
B. Execute the Certification authority console
C. Execute Ldp.exe command
D. Execute and open the Active Directory Sites and Services console
E. All of the above

Answer: A

Explanation: To test the LDAPS connection between the remote global catalog server and the client computer accessing it, you should execute the repadmin.exe command. The Repadmin tool has a monitoring option. You can monitor the relative health of an Active Directory forest. You can use the replsummary, showrepl, showrepl /csv, and showvector /latency parameters to check, test and monitor the connections.

QUESTION NO: 326

Certkiller.com has 10 servers. All servers are in an Active Directory domain and run Windows Server 2008. The client computers have Windows XP Professional and Windows Vista Ultimate installed as their primary operating systems. The company has devised a new security policy that states new auditing rules for the domain. The new auditing rules dictate that changes in the registry should not trigger any other type of event. What should you do to create a policy to audit the changes in the registry?

A. Execute the auditpol /set /subcategory "audit system events" /success:disable /failure:enable command
B. Execute auditpol /set /subcategory "audit process tracking" /success:disable /failure:enable command
C. Execute auditpol /set /subcategory "audit policy change" /failure:enable command.
D. Execute auditpol /set /subcategory "audit object access" /failure:enable command
E. All of the above

Answer: D

Explanation: To make a policy to audit the changes in the registry, you should use the auditpol /set /subcategory "audit object access" /failure:enable command. The auditpol command is used to view or set audit policy subcategories. Auditpol.exe is a command-line utility. The /set parameter is used to set an audit policy. You should use the audit object access subcategory to audit the registry changes. The audit object access policy allows you to audit only those events when a user accesses an object. Objects include folders, files, registry keys, Active Directory objects and printers. You should not use the audit system events policy because this subcategory is used to audit the system events. You should not use the audit process tracking policy because it is used to audit the process tracking of the processes running on a computer. Likewise, you should not use audit policy change because it is used to audit the change in policies you have set for various objects.

QUESTION NO: 327

Certkiller.com has an Active Directory forest with a single domain. There are file servers located in the Payroll organizational unit. These servers contain payroll files. You have also created a GPO. What should you do to set up the security settings of the domain to track the access to the payroll files on the file servers?

A. Start the Audit Object Access. Link the GPO to the domain and configure auditing for the Authenticated Users group in the payroll files folder on the domain controllers
B. Start the Audit process tracking. Link the GPO to the domain controllers organizational unit and configure auditing for the Authenticated Users group in the payroll folder on member servers
C. Start the Audit process tracking option and link the GPO to the domain. Configure auditing for the Everyone group in the payroll files folder on a member server
D. Start the Audit Object Access and link the GPO to the Payroll organizational unit. Configure Auditing for the Administrators group in the payroll files folder on the file servers
E. None of the above

Answer: E

Explanation: The answer to this question is none of the above. You have to activate the Audit Object Access option. Then link the GPO to the Payroll organizational unit. Then configure Auditing for the Everyone group in the payroll files folder on the file servers. You can activate the Audit Object Access option through this command: auditpol /set /subcategory "audit object access". You must link the Group Policy object to the Payroll OU. After that, you need to configure auditing for the Everyone group in the payroll files folder options on the file servers.

QUESTION NO: 328

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a Windows Server 2008 server called DC1 that works as a domain controller. To check the security of the corporate network, you decided to perform a security audit of DC1 and installed Microsoft Network Monitor 3.0 on it. While capturing data on the server, you find that only some of the captured frames display mnemonic host names in the Source and the Destination columns while all other frames display IP addresses. Which of the following options would you choose to display mnemonic host names instead of IP addresses for all the frames?

A. Apply the aliases to the capture after populating the Aliases table.
B. Apply the filter to the capture by creating a new display filter.
C. Apply the filter to the capture by creating a new capture filter.
D. Enable the Enable Conversations option in the Network Monitor application and then recapture the data to a new file.

Answer: A

Explanation: To display mnemonic host names instead of IP addresses for all the frames, you need to populate the Aliases table and apply the aliases to the capture. The Aliases table displays mnemonic host names. So in cases where you'd like to see the real IP address and a resolved name exists, turning off the aliases doesn't show you the real IP address.

Reference: Network Monitor / SourceNetworkAddress and DestinationNetworkAddress http://blogs.technet.com/netmon/

QUESTION NO: 329

You are an enterprise administrator for Certkiller. The corporate network of the company consists of a Windows Server 2008 server called DC1 that works as a domain controller. To check the security of the corporate network, you decided to perform a security audit of DC1 and installed Microsoft Network Monitor 3.0 on it. You decided to capture all the LDAP traffic that comes to and goes from the server between 21:00 and 07:00 the next day and save it to the C:\LDAPData.cap file. To accomplish this task, you created a scheduled task and added a new 'Start a program' action to the task. Which of the following options would you choose to add the application name and the application arguments to the new action?

A. Add netmon.exe as the application name and provide the /networks */capture LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10hours as arguments.
B. Add nmconfig.exe as the application name and provide the /networks * /capture &LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10hours as arguments.
C. Add nmcap.exe as the application name and provide the /networks * /capture LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10hours as arguments.
D. Add nmcap.exe as the application name and provide the /networks * /capture !LDAP /file C:\LDAPData.cap /stopwhen /timeafter 10hours as arguments.

Answer: C

Explanation: The "/network" parameter defines which network interface we are capturing on. In this case, we say "*" for all interfaces. The next parameters, "/capture /file %1", tell NMCap what to filter out. In this case they tell it to filter LDAP to C:\LDAPData.cap. The last part of NMCap, the "/stopwhen" directive, allows it to determine when NMCap should stop capturing. So we pass it a "/frame" parameter which tells it to stop the capturing after 10 hours and exit NMCap.

Reference: Network Monitor / Stop That Capture: How does NMCap get stopped? http://blogs.technet.com/netmon/Default.aspx?p=2

QUESTION NO: 330

Certkiller.com has a network with a single Active Directory domain. There are two domain controllers installed which run Windows Server 2008. You have enabled the Audit account management policy and Audit directory services access settings for the entire domain. You must ensure that the changes made to Active Directory objects are logged. The changes logged must show the old and new values of any attribute. What should you do to achieve this task?

A. Enable the Audit Directory services access setting and directory service changes by accessing the Default Domain Controllers policy
B. Disable the Audit account management policy and enable it again
C. Execute auditpol.exe and configure the security settings of the domain controllers organizational unit
D. Execute auditpol.exe and disable the default domain policy

Answer: C

Explanation: To make sure the changes made to Active Directory objects are logged and the logs show the old and new values of any attribute, you should run auditpol.exe and configure the security settings for the domain controllers organizational unit.

QUESTION NO: 331

You are an administrator at Certkiller.com. Certkiller has a network of 5 member servers acting as file servers. It has an Active Directory domain. You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdowns and identify their cause. What should you do to perform this task?

A. Link the GPO to the domain and enable System Events option
B. Link the GPO to the domain and enable Audit Object Access option
C. Link the GPO to the Domain Controllers and enable Audit Object Access option
D. Link the GPO to the Domain Controllers and enable Audit Process tracking option
E. Perform all of the above actions

Answer: A

Explanation: To change the domain security settings to trace the shutdowns and identify their cause, you should link the Group Policy Object to the domain and enable the System Events option. The system events will track the problem and tell you what is causing the shutdowns. You should not enable the Audit Object Access option because it is used to audit the access to objects like registry keys, files and folders. You should not enable the Audit Process tracking option because this option is used to audit the process tracking on a server.

QUESTION NO: 332

Certkiller.com has organizational units in the Active Directory domain. There are 10 servers in the organizational unit called Security. As an administrator at Certkiller.com, you generate a Group Policy Object (GPO) and link it to the Security organizational unit. What should you do to monitor the network connections to the servers in the Security organizational unit?

A. Start the Audit Object Access option
B. Start the Audit System Events option
C. Start the Audit Logon Events option
D. Start the Audit process tracking option
E. All of the above

Answer: C

Explanation: To monitor the network connections to the servers in the Security organizational unit, you should start the Audit Logon Events option. The Audit logon event is a security setting that decides whether to audit each instance of a user logging on or off from a computer. Basically, the account logon events are generated on domain controllers to monitor the domain account activity and local account activity on local computers. If you enable both account logon and logon audit policy categories, the domain account logons will generate a logon or log off event on a server or a workstation and they will generate a logon or log off event on the domain controller. So if you start the Audit logon events option, you will be able to monitor the network connections to the servers in the Security organizational unit.

QUESTION NO: 333

Certkiller.com has purchased laptop computers that will be used to connect to a wireless network. You create a laptop organizational unit, create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network. What should you do to enforce the group policy wireless settings on the laptop computers?

A. Execute gpupdate/target:computer command at the command prompt on laptop computers
B. Execute Add a network command and leave the SSID (service set identifier) blank
C. Execute gpupdate/boot command at the command prompt on laptop computers
D. Connect each laptop computer to a wired network and log off the laptop computer and then log in again.
E. None of the above

Answer: D

Explanation: To enforce the group policy wireless settings on the laptop computers, you should connect each laptop to a wired network and log off on the laptop computer. Log in again to enforce the group policy wireless settings. When you connect the laptop to a wired network, log off and then log in again, the wireless settings group policy is enforced and users can connect to a wireless network.

QUESTION NO: 334

Certkiller.com has a main office and a branch office. The main office has an Active Directory domain and the servers in the network run Windows Server 2008. At the main office, there are three servers named CKS1, CKS2 and CKS3. The users in the main office accessing CKS1 and CKS2 report that file downloads are slow between 2 P.M. and 6 P.M. You need to see the processor and memory use on the CKS1 and CKS2 servers. Which tool should you use to schedule performance logs and alerts on the CKS1 and CKS2 servers to automatically start at 2 P.M.?

A. Microsoft Component Services
B. Event Viewer
C. Task Scheduler
D. Reliability and Performance Monitor
E. All of the above

Answer: D

Explanation: To schedule the performance logs and alerts on the CKS1 and CKS2 servers to automatically start at 2 P.M., you should use the Reliability and Performance Monitor. You can use the performance logs and alerts to set the new log for memory and processor to be scheduled at 2 P.M. You can access the Reliability and Performance Monitor through a Microsoft Management Console (MMC) snap-in. In Windows Server 2008, the Windows Reliability and Performance Monitor combines the functionality of previous stand-alone tools, such as Performance Logs and Alerts, Server Performance Advisor and System Monitor. It also provides a graphical interface which can be used for customizing performance data collection and event trace sessions.

QUESTION NO: 335

Certkiller.com has a network with an Active Directory domain. The servers in the network have Windows Server 2008 as their operating system and the client computers run Windows Vista professional edition. As an administrator at Certkiller.com, you create multiple policies in Active Directory that assign a certain level of access to resources for each user on the network. You want to prevent any assistant administrator from making changes to these policies. Which Directory Services command-line tool should you use to achieve this with the least administrative effort?

A. Dsget
B. Dsmod
C. Dschge
D. Dsrm
E. All of the above

Answer: B

Explanation: You should use the Dsmod tool to prevent anyone from making changes to the policies. Directory Service command-line utilities are used to perform administrative tasks for Active Directory. They include Dsadd, Dsmod, Dsget, Dsmove, Dsquery and Dsrm. You should use Dsmod to modify attributes of an existing user in the directory. The Dsmod command provides many parameters that can be used to modify users' attributes.

QUESTION NO: 336

The corporate network of Certkiller consists of a single Windows Server 2008 Active Directory domain. All servers in the domain run Windows Server 2008. One of the servers, Certkiller 1, hosts shared documents. Recently all the users of Certkiller 1 have started reporting an extremely slow response time from the server when opening the shared documents on it. As a network administrator of Certkiller, you have been assigned the task of resolving the slow response time of the server. When you monitored the real-time data on the server (Certkiller 1), you observed that the processor is operating at 100 percent capacity. Which of the following options would you choose to gather additional data to diagnose the slow response time of the server?

A. Use Windows Reliability and Performance Monitor to find out the percentage of processor capacity used by each application in the Resource View window.
B. Create a counter log to track the processor usage in the Performance console.
C. Create an alert using Windows Reliability and Performance Monitor that will trigger when the usage of the processor exceeds 80 percent for more than five minutes on Certkiller 1
D. Review the application log for Performance events in the Event Viewer.
E. None of the above

Answer: A

Explanation: To gather additional data to diagnose the slow response time of the server, you need to open the Windows Reliability and Performance Monitor on the server and use the Resource View to see the percentage of processor capacity used by each application. The Resource View screen of Windows Reliability and Performance Monitor provides a real-time graphical overview of CPU, disk, network, and memory usage. By expanding each of these monitored elements, system administrators can identify which processes are using which resources. In previous versions of Windows, this real-time process-specific data was only available in limited form in Task Manager. Creating a counter log to track processor usage in the Performance console, or creating an alert that will be triggered when processor usage exceeds 80 percent for more than five minutes on Certkiller 1, will not help because neither identifies which application is causing the high processor usage. Nor can performance events help you find the application that is creating the problem.

Reference: Windows Reliability and Performance Monitor / Resource View http://technet2.microsoft.com/windowsserver2008/en/library/ec5b5e7b-5d5c-4d0498ad55d9a09677101033.ms

QUESTION NO: 337

You suspect a security lapse on one of the domain servers of Certkiller, Certkiller 1. To perform a security audit of the server and to build a list of all DNS requests that are initiated by the server, you performed the following tasks on the server: installed the Microsoft Network Monitor 3.0 application, captured all local traffic on the server (Certkiller 1) for 24 hours, and then saved the capture as data.cap. However, you observed that the size of the file is more than 1 GB and it is difficult to find the relevant data. You therefore decided to create a file named DNSdata.cap from the existing capture file, data.cap, to contain only DNS-related data. Which of the following options would you choose to accomplish this task?

A. Create a new DNSdata.cap file by adding a new alias 'DNS' to aliases table and then saving it as a file.
B. Run the nmcap.exe /inputcapture data.cap /capture DNS /file DNSdata.cap command
C. Apply the display filter for DNS data and save the displayed frames as a DNSdata.cap file.
D. Apply the capture filter for DNS data and save the displayed frames as a DNSdata.cap file.
E. None of the above

Answer: C

Explanation: To create a file named DNSdata.cap from the existing capture file, data.cap, to contain only DNS-related data, you need to apply the display filter for DNS data and then save the displayed frames as a DNSdata.cap file. Network Monitor often captures traffic that is unrelated to the activity that you are trying to analyze. You can apply a display filter to filter the list of captured data so that it displays only the frames that you are interested in.

Reference: Information about Network Monitor 3 http://support.microsoft.com/kb/933741

Reference: Working with Network Monitor (Part 3) http://www.windowsnetworking.com/articles_tutorials/Working-With-Network-Monitor-Part3.html

QUESTION NO: 338

The corporate network of Certkiller consists of 100 servers that run different operating systems. You added a new Windows Server 2008 server to the network and installed the Web Server (IIS) role on it. After a few days, during your regular routine check, you discovered that the Reliability Monitor does not contain any data and the Systems Stability chart has never been updated on the new server. Which of the following options would you choose to configure the new server to collect the Reliability Monitor data?

A. Configure the Remote Registry service to start automatically.
B. Configure the Secondary Logon service to start automatically.
C. Configure the Task Schedule server to start automatically.
D. Run the perfmon.exe command on the server.
E. None of the above

Answer: D

Explanation: To configure the new server to collect the Reliability Monitor data, you need to run the perfmon.exe command on the server. This command will start the Windows Performance Diagnostic Console in the Resource View screen. The Reliability Monitor does not contain any data and the Systems Stability chart has never been updated on the new server because the Windows Performance Diagnostic Console is not running on the server.

Reference: Windows Vista Performance and Reliability Monitoring Step-by-Step Guide / Known issues for monitoring general system activity using Resource View http://technet2.microsoft.com/WindowsVista/en/library/ab3b2cfc-b177-43ec-8a4d0bfac62d88961033.mspx?mf

QUESTION NO: 339

Certkiller.com has an Active Directory domain called ad.Certkiller.com. There are two domain controllers on the network: EB1 and EB2. Other administrators try to log on to the domain controllers but their logon attempts fail. You have to identify the logon attempts on the domain controllers. What should you do to achieve this task?

A. Check the security tab on the domain controller computer object
B. Access the Event Viewer
C. Check the security data on domain controller event viewer
D. Execute netsh/events command on the command prompt

Answer: B

Explanation: To identify the logon attempts on the domain controllers, you should access the Event Viewer and check the logon attempts. The Event Viewer will tell you the IP address and other details of the user account which was used to log on to the domain controllers.

QUESTION NO: 340 Certkiller has a Microsoft SQL Server. You need to restrict the service account without affecting the database usability. Perform two actions that will restrict the service account and do not affect the database usage. (Each choice is part of the solution. Choose two answers)

A. Put the service account in the security group on guest domain B. Set the service account to Account is sensitive and the setting cannot be delegated through user account properties C. Set the Log on to option of the service account to include only SQL server D. Access the SQL Server database file and set the NTFS Deny Full Control permission for the service account

Answer: B,C

Explanation: To restrict the service account without affecting database usage, you should check the Account is Sensitive option and make sure that the setting cannot be assigned through user account properties. After that, you should set the Log on to option of the service account to include SQL server only. When you check the Account is Sensitive option, the service account will treat this account as sensitive and it will not let anyone change this setting. When you set the log on option of the service account to include SQL server, the service account will not let anyone access anything except the SQL server.

QUESTION NO: 341

Certkiller .com utilizes Windows Server 2008 on all servers. The company has a main office and 10 branch offices with a single Active Directory domain. The branch office networks and the main office networks are connected through Routing and Remote Access Servers (RRASs) located at each office. The company utilizes VPN connections over the internet to connect with each other. Certkiller .com security policy has some strict security requirements for VPN connections. It states that all data transmitted through VPN connections should be encrypted with end to end encryption. The VPN connection must use computer-level authentication instead of usernames and password authentication. What should you do to ensure that the VPN connections meet these authentication requirements? A. Utilize a L2TP/IPSec (Layer 2 Tunneling Protocol/Internet Protocol Security) connection to employ the EAP-TLS (Extensible Authentication Protocol Transport Layer Security) authentication B. Utilize a L2TP/IPSec (Layer 2 Tunneling Protocol/Internet Protocol Security) connection to employ MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol) authentication C. Utilize and configure an IPSec connection to use preshared key authentication and tunnel mode D. Configure a PPTP (Point-to-Point Tunneling Protocol) to use MS-CHAP v2 for authentication E. All of the above Answer: A

Explanation: To ensure that the VPN connections meet these authentication requirements, you should utilize a L2TP/IPSec (Layer 2 Tunneling Protocol/Internet Protocol Security) connection to employ the EAP-TLS authentication. L2TP/IPSec is a VPN protocol. This protocol was a joint development between Microsoft and Cisco. L2TP/IPSec is more secure than PPTP because it employs a secure IPSec session which is established before credentials are sent over the network. The main feature of IPSec is that it provides a mutual machine authentication so that untrusted machines are not able to connect to the L2TP/IPSec VPN gateway. L2TP supports EAP and PPP authentication mechanisms which provide high level of logon security because both user and the machine are authenticated.

QUESTION NO: 342

Certkiller .com has an Active directory forest on a single domain. All servers in the network have Windows Server 2008 as their operating system. Certkiller .com has 15 servers that are used as Web Servers. Among these servers, CKCD is the one which hosts all confidential files. As per company policy, it is necessary to encrypt all confidential data for a secure transmission over the network. You activate Encrypting file system (EFS) and add EFS certificates to the Data Decryption field (DDF) of the confidential files so that the users can access them in a secure manner. While monitoring the network, you find out that the confidential files stored in CKCD server are transmitted without encryption over the network. You have to ensure that the confidential files on CKCD server are always transmitted over the network in an encrypted state. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution.) A. Activate the offline files hosted on CKCD server. Open the folder and select 'Advanced' properties. Select the option "Encrypt contents" to secure the data B. Shutdown all LM and NTLM authentication methods on the CKCD server C. Employ the SMB (Server Message Block) signing between CKCD server and the computers that are used to access the confidential data from CKCD server D. To publish the confidential files, use IIS to publish them and activate SSL on the IIS server. Open the files as web folder E. Employ IPSec encryption between the files on CKCD server and the computers that are used to access these files. Answer: D,E

Explanation: To ensure that the confidential files on CKCD server are always transmitted over the network in an encrypted state, you should publish the confidential files by using IIS and activate Secure Sockets layer on the IIS server. To implement the SSL encryption, you should open the files as web folder or through a browser. Use the IPSec encryption between the files on CKCD server and the computer that access these files. You can enable IPSec encryption on CKCD server and the computers that access the files. In this way, the files will be securely transmitted over the network.

QUESTION NO: 343

Exhibit

Certkiller has an Active Directory domain. Every server in this domain is running Windows Server 2008 and there also exists a server in the SQLServer organizational unit that runs Microsoft SQL Server 2005. The SQL Server 2005 server runs a database application. You create user accounts within the Active Directory domain and place the user accounts as shown in the exhibit. You have been tasked with setting up role-based authorization for this Certkiller network. To configure the Active Directory security groups to use role-based authorization in the application, what should you do? A. Configure using the AD Users and Computers console. B. Configure using the Authorization Manager console. C. Run the "member/add" command in Microsoft Windows PowerShell. D. Configure using the Cmos utility. E. None of above Answer: B

Explanation: To configure the Active Directory security groups to use role-based authorization in the application, you should use Authorization Manager Console. The Authorization Manager Console (known as AzMan) is a role-based access control framework that provides an administrative tool to manage authorization policy and a runtime that allows applications to perform access checks against that policy. You can access AzMan administration tool through MMC snap-in. Reference: http://msdn2.microsoft.com/en-us/library/bb897401.aspx

QUESTION NO: 344

Exhibit:

As shown in the exhibit, Certkiller .com has an active directory forest. In each domain, there are 5 domain controllers. You need to modify folder permission on a file server named CKFS1. Using Remote Desktop tool, you connect to the server through a workstation in ma.corp. Certkiller .com. The file server is on ca.corp. Certkiller .com. When you access the security tab of the folder by using Microsoft Windows Explorer, you find out that some entries start with S-4-6-12 and there is no account names listed. Which action should you perform to ensure that the folder names are displayed in the security tab of the folder?

A. Enable the replication of friendly name by modifying the server setting attribute to the Global catalog B. Configure the folder settings on CKFS1 C. Modify the RID Master role in ma.corp. Certkiller .com domain and move it to another domain controller that is not related to Global catalog server D. In the ma.corp. Certkiller .com domain, move the Infrastructure Master role to a domain that does not host Global catalog server E. None of the above Answer: D Explanation: To ensure that the folder names are displayed in the security tab of the folder, you need to move the Infrastructure Master role to a domain that does not host Global catalog server in the ma.corp. Certkiller .com domain. The infrastructure master should always be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site. Because the global catalog server holds a partial replica of every object in the forest, the infrastructure master, if placed on a global catalog server, will never update anything, because it does not contain any references to objects that it does not hold. Reference: FSMO placement and optimization on Active Directory domain controllers / General recommendations for FSMO placement http://support.microsoft.com/kb/223346

QUESTION NO: 345

Certkiller .com has three Active Directory domains in a single forest. As you install a new application with Active Directory enabled, the application extends the Active directory schema with new user attributes. After the new application is installed, you find out that the Active Directory replication traffic to the global catalogs has increased significantly. What should you do to avoid the replication of the new attributes to the global catalogs?

A. Reinstall the application B. Move the new attributes to a new Active Directory domain C. Reconfigure the replication interval D. Change the properties for the new attributes in the Active Directory Schema E. None of the above

Answer: D

Explanation: To ensure that only changes in attributes are replicated to the global catalogs, you need to change the properties for the new attributes in the Active Directory Schema. You can make changes to partial attribute sets with only the modified attribute replicated to global catalog servers throughout the organization. Reference: Introduction to Windows 2003's Schema http://www.computerperformance.co.uk/w2k3/W2K3_Schema.htm Reference: Windows Server 2003 Technology Primer http://www.aspfree.com/c/a/MS-SQL-Server/Windows-Server-2003-Technology-Primer/9/

QUESTION NO: 346 Certkiller .com has an Active Directory forest with 15 domains. It has 30 branch offices. A branch office in southern part has 60 users. These users are members of a universal group that has access to all 29 offices. A domain controller is installed in this office. It is called Certkiller 14. The branch office is connected to the main central network through a WAN connection of 128Kbps. This connection is active during office hours. The users complain that the network is unavailable to them after office hours. What should you do to make sure the users are able to log on to the network any time? A. Configure the replication interval on the WAN connection to increase B. Install and configure a Terminal services at the branch office site C. Configure the replication interval on the domain controller to OFF for that branch office D. Modify the Certkiller 14 as a bridge server between the main network and the branch office E. Configure and set the group membership caching to ON for the branch office F. None of the above Answer: E

Explanation: To make sure the users are able to logon to the network any time, you need to configure and set the group membership caching to ON for the branch office. This is because group membership caching allows the users to log onto user accounts when the global catalog server is offline. Reference: Universal Group Membership Caching: Lessons Learned the Hard Way http://www.informit.com/articles/article.aspx?p=415792

QUESTION NO: 347

Certkiller .com hosts a single Active Directory domain. All servers have Windows Server 2008. You are instructed to install an iSCSI storage area network (SAN) for a group of file servers. Corporate security policy requires that all data communication to and from iSCSI SAN must be very secure. You are assigned the task to implement the highest security available for communications to and from the iSCSI SAN. What should you do to achieve this task? A. Create a Group Policy Object (GPO) to enable System objects B. Create a Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2) authentication in iSCSI Initiator Properties. C. Open iSCSI Initiator Properties and implement IPSec security. Set up inbound and outbound rules by using Windows Firewall D. Open iSCSI Initiator Properties and implement Secure Mode transition. Set outbound and inbound rules by using Windows Defender Answer: C

Explanation: To implement the highest security available for communication to and from iSCSI SAN, you should implement IPSec security. You can access the IPSec security by opening the iSCSI Initiator Properties. After that you need to set inbound and outbound rules by using Windows Firewall.

QUESTION NO: 348

Certkiller .com has a single Active Directory domain and two domain controllers which run Windows Server 2008. Due to a problem, you need to reset the Directory Services Recovery Mode (DSRM) password on one domain controller. What tool should you use to achieve this task?

A. Active Directory Security for Computers snap-in B. Netsh C. ntdsutil D. Domain Controller security snap-in

Answer: C

Explanation: To reset the DSRM password on a single domain controller, you should use ntdsutil utility. You can use Ntdsutil.exe to reset this password for the server on which you are working, or for another domain controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm password. Reference: http://support.microsoft.com/kb/322672

QUESTION NO: 349

You are a network administrator at Certkiller .com. Certkiller .com decided to open a new branch office which would be a part of its Active Directory infrastructure. The engineering department is setting up the new office and the users at engineering department have to dial-in to the company's network to connect the new office to the company's network and to use network resources. How would you ensure that the engineering department personnel working in the new branch office have appropriate dial-in rights that would make it easy for them to access the company's network? A. Modify the account's logon hours to 8:00- 17:00 hours, 5 days a week B. Change the group membership attribute by modifying the Index attribute for the Active Directory C. Create a template account and add group membership information. Create a new connection request policy and add the new group to it. D. Include the group membership information to the template account and grant local logon permissions by creating a group policy E. All of the above Answer: C

Explanation: To ensure that the engineering department personnel working in the new branch office have appropriate dial-in rights, you should create a template account and add group membership information to it. Create a new connection request policy and add the new group to it. Adding group membership information is important. It will allow the members to access that account. Similarly when you create a new connection request policy, you should add the new group to it so it will be easy for that group to connect to the company's network using the dial-in rights.

QUESTION NO: 350

Certkiller .com has a network that consists of domain controllers that run Windows Server 2003. You want to install a new Windows Server 2008 domain controller in the present domain. This domain controller will be a writeable domain controller in the Windows Server 2003 domain and you also want this domain controller to act as a global catalog server. What should you do before installing a Windows Server 2008 domain controller?

A. Execute adprep/domainprep command on the master infrastructure B. Execute sysprep/domainprep command on the schema operations master C. Execute adprep/forestprep command on master infrastructure D. Execute sysprep/adsprep command on all domain controllers E. None of the above

Answer: A

Explanation: To prepare the domain before installing the new Windows Server 2008 domain controller, you should run the adprep/domainprep command on the master infrastructure. This command will ensure that the existing Windows Server 2003 domain is prepared for installing a new Windows Server 2008 domain controller. You must install Active Directory Domain Services (AD DS) to create a new Windows Server 2008 domain controller after preparing the existing domain. If you want the domain controller to act as a global catalog server as well, you should use Active Directory Users and Computers tool or the Active Directory Domains and Trusts tool after the installation.

QUESTION NO: 351 You have an SQL Server service account, which you need to restrict without affecting the usability of the database. What should you do to achieve this? (Choose 2 answers. Each answer is part of the complete solution) A. Place the service account in the Guests domain local security group B. Configure NTFS Deny Full Control permissions for the service account on the SQL server database file C. Configure the Log On To option of the service account to include only the SQL server D. Configure the service account by enabling the Account is sensitive and cannot be delegated setting in the user account properties. Answer: C,D

Explanation: To restrict the SQL Server service account without affecting the usability of the database, you need to first configure the Log On To option of the service account to include only the SQL server and then configure the service account by enabling the Account is sensitive and cannot be delegated setting in the user account properties. Account is sensitive and cannot be delegated option will ensure that the account is not impersonated by a service. Reference: User Accounts in Windows Server 2003 Part III http://www.lockergnome.com/it/2004/12/13/user-accounts-in-windows-server-2003-part-iii/

QUESTION NO: 352

Certkiller is running all Windows servers 2008 in their active directory domain. A server in the SQLServer OU runs Microsoft SQL server 2005. The SQL server is hosting a database application. You created 2000 user accounts in the Active directory domain and place the user accounts. The database application requires the use of role-based authorization. What should you do to configure the Active Directory security groups to use role-based authorization in the application? A. Use the Dsmod utility B. Use the active directory users and computers console C. Use the authorization Manager console D. Run the add-member command in Microsoft Windows PowerShell E. None of the above Answer: C

Explanation: To configure the Active Directory security groups to use role-based authorization in the application, you need to use the authorization Manager console. Reference: Authorization Manager and Role-Based Administration in Windows Server 2003 (Part 2) http://www.windowsecurity.com/articles/Authorization-Manager-Role-Based-AdministrationWindows-Server-2

QUESTION NO: 353

Exhibit:

As an administrator at Certkiller .com, you manage a member server that runs Windows Server 2008. The Web Server (IIS) role is also installed on the member server. The web server hosts an intranet website called intranet-e. The intranet-e is only accessed by internal active directory users. As shown in the exhibit, the authentication settings for intranet-e are basic. You have to ensure that the users accessing the website are authenticated through Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) encrypted Active Directory credentials. What should you do to achieve this task? (Choose two answers. Each answer is part of a complete solution) A. Add Windows Authentication role service to the IIS server. Enable the Windows Authentication settings in the intranet-e properties B. Configure Digest Authentication role service on IIS server and add URL authentication role service to the server. C. Disable the basic authentication and set the Anonymous Authentication to enabled in the intranet-e properties D. Add the internal Active Directory users to the IIS Access Permissions and use Basic Authentication in Intranet-e properties E. Disable the basic authentication setting in the intranet-e properties Answer: A,E

Explanation: To ensure that the users accessing the website are authenticated through MS-CHAPv2 encrypted Active Directory credentials, you should Add Windows Authentication role service to the IIS server. Enable the Windows Authentication settings in the intranet-e properties and disable the basic authentication setting in the intranet-e properties. Basic authentication is a set of basic rules that authenticate users. To implement MS-CHAPv2, you have to disable the basic authentication and then, add windows authentication role services to the IIS server. After adding it, you should enable it. The Windows Authentication role service will allow the website to be authenticated through MS-CHAPv2.

QUESTION NO: 354

You are an Enterprise administrator for Certkiller .com. The corporate network of the company consists of a single Active Directory domain. All computers are members of the Active Directory domain. All the servers on the corporate network run Windows Server 2008 and all client computers run Windows Vista. The domain consists of a server called Certkiller Server1 on which the Secure Server (Require Security) IPsec policy is assigned by using a GPO. However, after this assignment, the network users reported that they fail to connect to Certkiller Server1. Which of the following options would you choose to ensure that users can connect to Certkiller Server1 and all connections to Certkiller Server1 must be encrypted? A. Assign the Client (Respond Only) IPsec policy to all client computers. B. Assign the Server (Request Security) IPsec policy to Certkiller Server1. C. Assign the Client (Respond Only) IPsec policy to Certkiller Server1. D. Restart the IPsec Policy Agent service on Certkiller Server1. Answer: A Explanation: The network users fail to connect to Certkiller Server1 when Secure Server (Require Security) IPsec policy was assigned because this policy requires all communications to be secure. Once this policy has been applied, the server will neither send nor accept insecure communications. Any client wanting to communicate with the server must use at least the minimum level of security described by the policy. The network users may not be fulfilling the defined security requirements. To ensure that users can connect to Certkiller Server1 and all connections to Certkiller Server1 must be encrypted, you need to assign the Client (Respond Only) IPsec policy to all client computers. This policy is designed to be run on client machines that don't normally need to worry about security. The policy is designed in such a way that the client will never initiate secure communications on its own. However, if a server requests that the client go into secure communications mode, the client will respond appropriately. Reference: What are IPSEC Policies and how do I work with them? http://www.petri.co.il/what_are_ipsec_policies.htm

QUESTION NO: 355

You have a server that runs Windows Server 2008. The server has the Terminal Services Gateway (TS Gateway) role service installed. You need to provide a security group access to the TS Gateway server. What should you do?

A. Create and configure a Connection Authorization Policy. B. Add the security group to the Remote Desktop Users group. C. Create and configure a Resource Authorization Policy. D. Add the security group to the TS Web Access Computers group.

Answer: A

QUESTION NO: 356

Your company has an Active Directory domain. The company runs Terminal Services. Standard users who connect to the Terminal Server are in the TSUsers organizational unit (OU). Administrative users are in the TSAdmins OU. No other users connect to the Terminal Server. You need to ensure that only members of the TSAdmins OU can run the Remote Desktop Protocol files. What should you do? A. Create a Group Policy object (GPO) that configures the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop Client Connection template to Enabled. Apply the GPO to the TSAdmins OU. B. Create a Group Policy object (GPO) that configures the Allow .rdp files from valid publishers and users default .rdp settings policy setting in the Remote Desktop Client Connection template to Disabled. Apply the GPO to the TSUsers OU. C. Create a Group Policy object (GPO) that configures the Allow .rdp files from unknown publishers policy setting in the Remote Desktop Client Connection template to Disabled. Apply the GPO to the TSUsers OU. D. Create a Group Policy object (GPO) that configures the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy setting in the Remote Desktop Client Connection template to Enabled. Apply the GPO to the TSAdmins OU. Answer: B

QUESTION NO: 357

You have a server that runs Windows Server 2008. The Web Server (IIS) role is installed. You plan to host multiple Web sites on the server. You configure a single IP address for the server. All Web sites are registered in DNS to point to the single IP address. You need to ensure that each Web site only responds to requests by name from all client computers. What should you do?

A. Configure a unique IP address for each Web site. B. Configure a unique Host Header for each Web site. C. Configure a unique port for each Web site. D. Edit the Hosts file on the server to add all the Web site names associated to the network address.

Answer: B

QUESTION NO: 358

Your network contains one Active Directory domain. You have a member server that runs Windows Server 2008. You need to immediately disable all incoming connections to the server. What should you do? A. From Windows Firewall, enable the Block all connections option on the Domain Profile. B. From the Services snap-in, disable the Net Logon service. C. From Windows Firewall, enable the Block all connections option on the Public Profile. D. From the Services snap-in, disable the IP Helper. Answer: A

QUESTION NO: 359 Your company has deployed Network Access Protection (NAP) enforcement for VPNs. You need to ensure that the health of all clients can be monitored and reported. What should you do? A. Create a Group Policy object (GPO) and set the Require trusted path for credential entry option to Enabled. Link the policy to the Domain Controllers organizational unit (OU). B. Create a Group Policy object (GPO) and set the Require trusted path for credential entry option to Enabled. Link the policy to the domain. C. Create a Group Policy object (GPO) that enables Security Center and link the policy to the domain. D. Create a Group Policy object (GPO) that enables Security Center and link the policy to the Domain Controllers organizational unit (OU).

Answer: C

QUESTION NO: 360

Your company has an Active Directory domain. The Terminal Services role is installed on a member server named TS01. The Terminal Services Licensing role service is installed on a new test server named TS10 in a workgroup. You cannot enable the Terminal Services Per User Client Access License (TS Per User CAL) mode in the Terminal Services Licensing role service on TS10. You need to ensure that you can use TS Per User CAL mode on TS10. What should you do?

A. Join TS10 to the domain. B. Disjoin TS01 from the domain. C. Extend the schema to add attributes for Terminal Services Licensing. D. Create a Group Policy object (GPO) that configures TS01 to use TS10 for licensing.

Answer: A

QUESTION NO: 361 Your corporate network has a member server named RAS1 that runs Windows Server 2008. You configure RAS1 to use the Routing and Remote Access Service (RRAS). The company's remote access policy allows members of the Domain Users group to dial in to RAS1. The company issues smart cards to all employees. You need to ensure that smart card users are able to connect to RAS1 by using a dial-up connection. What should you do? A. Create a remote access policy that requires users to authenticate by using MS-CHAP v2. B. Create a remote access policy that requires users to authenticate by using EAP-TLS. C. Install the Network Policy Server (NPS) on the RAS1 server. D. Create a remote access policy that requires users to authenticate by using SPAP. Answer: B

QUESTION NO: 362

You have a server that runs Windows Server 2008. The server has the Windows Server virtualization role service installed. You create a new virtual machine and perform an installation of Windows Server 2008 on the virtual machine. You configure the virtual machine to use the physical network card of the host server. You notice that you are unable to access network resources from the virtual machine. You need to ensure that the virtual host can connect to the physical network. What should you do?

A. On the virtual machine, install Windows Server virtualization Guest Integration Components. B. On the host server, install the MS Loopback adapter. C. On the virtual machine, install the MS Loopback adapter. D. On the host server, enable the Multipath I/O feature.

Answer: A

QUESTION NO: 363

Your company has a server that runs Windows Server 2008. The server has the Web Server (IIS) role installed. You need to activate SSL for the default Web site. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Select the Generate Key option in the Machine Key dialog box for the default Web site. B. Obtain and import a server certificate by using the IIS Manager console. C. Add bindings for the HTTPS protocol to the default Web site by using the IIS Manager console. D. Install the Digest Authentication component for the Web server role by using the Server Manager console. Answer: B,C

QUESTION NO: 364 Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.) A. Run the adprep/rodcprep command. B. Deploy a Windows Server 2008 domain controller at the main office. C. Raise the functional level of the domain to Windows Server 2008. D. Raise the functional level of the forest to Windows Server 2008. Answer: A,B

QUESTION NO: 365

You manage a computer named FTPSrv1 that runs Windows Server 2008. Your company policy requires that the FTP service be available only when required by authorized projects. You need to ensure that the FTP service is unavailable after restarting the server. What should you do?

A. Run the iisreset command on the FTPSrv1 server.
B. Run the net stop msftpsvc command on the FTP server.
C. Run the WMIC /NODE:FTPSrv1 SERVICE WHERE caption="FTP Publishing Service" CALL ChangeStartMode "Disabled" command on the FTP server.
D. Run the suspend-service msftpsvc cmdlet in Microsoft Windows PowerShell tool.

Answer: C

QUESTION NO: 366

You deploy a Windows Server 2008 VPN server behind a firewall. Remote users connect to the VPN by using portable computers that run Windows Vista with the latest service pack. The firewall is configured to allow only secured Web communications. You need to enable remote users to connect as securely as possible. You must achieve this goal without opening any additional ports on the firewall. What should you do?

A. Create an SSTP VPN connection.
B. Create an L2TP VPN connection.
C. Create a PPTP VPN connection.
D. Create an IPsec tunnel.

Answer: A

QUESTION NO: 367

Your company has a Windows Server 2003 Active Directory domain. A server named Server1 runs Windows Server 2008. The Terminal Services role is installed on Server1. A server named Server2 runs Windows Server 2003. The Terminal Services Licensing role service is installed on Server2. You need to configure the Terminal Services Per User Client Access License (TS Per User CAL) tracking and reporting to work on both Server1 and Server2. What should you do?

A. Uninstall the Terminal Services Licensing role on Server2 and install that role on Server1. Configure TS Per User CAL tracking and reporting on Server1.
B. Activate the Terminal Services Licensing Server on Server2.
C. Add Server1 to the servers managed by the Windows Server 2003 Terminal Services Licensing service.
D. Rename Server1 to have the same computer name as the domain and join it to a workgroup.

Answer: A

QUESTION NO: 368

Your company has an Active Directory forest that contains a single domain. The domain member server has an Active Directory Federation Services (AD FS) role installed. You need to configure AD FS to ensure that AD FS tokens contain information from the Active Directory domain. What should you do?

A. Add and configure a new account store.
B. Add and configure a new account partner.
C. Add and configure a new resource partner.
D. Add and configure a Claims-aware application.

Answer: A

QUESTION NO: 369

Your company has an Active Directory domain. The company has a server named Server1 that has the Terminal Services role and the Terminal Services Web Access role installed. All client computers run Windows XP Service Pack 2 (SP2). You deploy and publish an application named TimeReport on Server1. The Terminal Services Web Access role uses Active Directory Domain Services (AD DS) and Network Level Authentication is enabled. You need to ensure that the users can launch TimeReport on Server1 from the Terminal Services Web Access Web page. What should you do?

A. Install the Terminal Services Gateway (TS Gateway) role on Server1. Reconfigure the TimeReport remote application publishing to reflect the change in the infrastructure.
B. Publish TimeReport on Server1 as a Microsoft Windows Installer package. Distribute the Windows Installer package to the users.
C. Disable publishing to AD DS for the TimeReport remote application.
D. Install the Remote Desktop Client 6.1 application on the client computers that run Windows XP SP2.

Answer: D