
Looking for Real Exam Questions for IT Certification Exams!

We guarantee you can pass any IT certification exam at your first attempt with just 10-12 hours of study of our guides.

Our study guides contain actual exam questions; accurate answers with detailed explanations verified by experts; and all graphics and drag-n-drop exhibits shown just as on the real test.

To test the quality of our guides, you can download the one-fourth portion of any guide from http://www.certificationking.com absolutely free. You can also download the guides for retired exams that you might have taken in the past.

For pricing and placing an order, please visit http://certificationking.com/order.html
We accept all major credit cards through www.paypal.com

For other payment options and any further query, feel free to mail us at info@certificationking.com
Page No | 2

Pro: Windows Server 2008, Server Administrator

Total Questions: 265


Question 1

You need to recommend a Windows Server 2008 R2 server configuration that meets the following requirements:
• Supports the installation of Microsoft SQL Server 2008
• Provides redundancy for SQL services if a single server fails
What should you recommend?

A. Install a Server Core installation of Windows Server 2008 R2 Enterprise on two servers. Configure the servers in a failover cluster.
B. Install a full installation of Windows Server 2008 R2 Standard on two servers. Configure Network Load Balancing on the two servers.
C. Install a full installation of Windows Server 2008 R2 Enterprise on two servers. Configure Network Load Balancing on the two servers.
D. Install a full installation of Windows Server 2008 R2 Enterprise on two servers. Configure the servers in a failover cluster.

Answer: D

Explanation:
Failover Clustering, which is available in the Enterprise edition (not in Standard), provides the failover that is required.
Windows Server 2008 Enterprise Edition
Windows Server 2008 Enterprise Edition is the version of the operating system targeted at large businesses. Plan to deploy this version of Windows 2008 on servers that will run applications such as SQL Server 2008 Enterprise Edition and Exchange Server 2007. These products require the extra processing power and RAM that Enterprise Edition supports. When planning deployments, consider Windows Server 2008 Enterprise Edition in situations that require the following technologies, which are unavailable in Windows Server 2008 Standard Edition:
■ Failover Clustering: Failover clustering is a technology that allows another server to continue to service client requests in the event that the original server fails. Clustering is covered in more detail in Chapter 11, "Clustering and High Availability." You deploy failover clustering on mission-critical servers to ensure that important resources are available even if a server hosting those resources fails.

Question 2

Your network consists of a single Active Directory domain. Your main office has an Internet connection. Your company plans to open a branch office. The branch office will connect to the main office by using a WAN link. The WAN link will have limited bandwidth. The branch office will not have access to the Internet. The branch office will contain 30 Windows Server 2008 R2 servers. You need to plan the deployment of the servers in the branch office. The deployment must meet the following requirements:
• Installations must be automated.
• Computers must be automatically activated.
• Network traffic between the offices must be minimized.

________________________________________________________________________________________________

www.Certificationking.com
Page No | 3

What should you include in your plan?

A. In the branch office, implement Key Management Service (KMS), a DHCP server, and Windows Deployment Services (WDS).
B. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server and Windows Deployment Services (WDS).
C. In the main office, implement Windows Deployment Services (WDS). In the branch office, implement a DHCP server and implement the Key Management Service (KMS).
D. Use Multiple Activation Key (MAK) Independent Activation on the servers. In the main office, implement a DHCP server. In the branch office, implement Windows Deployment Services (WDS).

Answer: A

Explanation:
The key here is that bandwidth from the branch to the main office is limited and there is no direct link to Microsoft.
WDS and Product Activation
Although product activation does not need to occur during the actual installation process, administrators considering using WDS to automate deployment should also consider using volume activation to automate activation. Volume activation provides a simple centralized method that systems administrators can use for the activation of large numbers of deployed servers. Volume activation allows for two types of keys and three methods of activation. The key types are the Multiple Activation Key (MAK) and the Key Management Services (KMS) key.
Multiple Activation Keys allow activation of a specific number of computers. Each successful activation depletes the activation pool. For example, a MAK key that has 100 activations allows for the activation of 100 computers. The Multiple Activation Key can use the MAK Proxy Activation and the MAK Independent Activation activation methods. MAK Proxy Activation uses a centralized activation request on behalf of multiple products using a single connection to Microsoft's activation servers. MAK Independent Activation requires that each computer activates individually against Microsoft's activation servers.
The branch office has no Internet connection, so MAK is not the solution.
KMS requires at least 25 computers connecting before activation can occur, and activation must be renewed by reconnecting to the KMS server every 180 days.
You can use KMS and MAK in conjunction with one another. The number of computers, how often they connect to the network, and whether there is Internet connectivity determine which solution you should deploy. You should deploy MAK if substantial numbers of computers do not connect to the network for more than 180 days. If there is no Internet connectivity and more than 25 computers, you should deploy KMS. If there is no Internet connectivity and fewer than 25 computers, you will need to use MAK and activate each system over the telephone.

Question 3

Your network contains a Web-based application that runs on Windows Server 2003. You plan to migrate the Web-based application to Windows Server 2008 R2. You need to recommend a server configuration to support the Web-based application. The server configuration must meet the following requirements:
• Ensure that the application is available to all users if a single server fails
• Support the installation of .NET applications
• Minimize software costs
What should you recommend?

A. Install the Server Core installation of Windows Server 2008 R2 Standard on two servers. Configure the servers in a Network Load Balancing cluster.
B. Install the full installation of Windows Server 2008 R2 Web on two servers. Configure the servers in a Network Load Balancing cluster.
C. Install the full installation of Windows Server 2008 R2 Enterprise on two servers. Configure the servers in a failover cluster.

D. Install the full installation of Windows Server 2008 R2 Datacenter on two servers. Configure the servers in a failover cluster.

Answer: B

Explanation:
The Web edition meets the requirements.
Windows Web Server 2008 R2
Windows Web Server 2008 R2 is designed to function specifically as a Web application server. Other roles, such as Windows Deployment Server and Active Directory Domain Services (AD DS), are not supported on Windows Web Server 2008 R2. You deploy this server role either on a screened subnet to support a website viewable to external hosts or as an intranet server. As appropriate given its stripped-down role, Windows Web Server 2008 R2 does not support the high-powered hardware configurations that other editions of Windows Server 2008 R2 do.
Windows Web Server 2008 R2 has the following properties:
■ Supports a maximum of 32 GB of RAM and 4 sockets in symmetric multiprocessing (SMP) configuration
You should plan to deploy Windows Web Server 2008 R2 in the Server Core configuration, which minimizes its attack surface, something that is very important on a server that interacts with hosts external to your network environment. You should plan to deploy the full version of Windows Web Server 2008 R2 only if your organization's web applications rely on features that are not available in the Server Core version of Windows Web Server 2008 R2. Unlike the Server Core version of Windows Web Server 2008, Windows Web Server 2008 R2 supports a greater amount of Internet Information Services (IIS) functionality.
Configuring Windows Network Load Balancing
While DNS Round Robin is a simple way of distributing requests, Windows Server 2008 NLB is a much more robust form of providing high availability to applications. Using NLB, an administrator can configure multiple servers to operate as a single cluster and control the usage of the cluster in near real time.
Why Failover Cluster will not work.
Contrast DNS Round Robin and NLB with Failover Clustering, another availability technology in Windows Server 2008. Formerly known as server clustering, Failover Clustering creates a group of computers that all have access to the same data store, disk resource, or network share. The applications running on a Failover Cluster must be cluster-aware. Failover Clustering has had some changes since Windows Server 2003. Lesson 2 will cover these changes.

Question 4

Your company purchases 15 new 64-bit servers as follows:
• Five of the servers have a single processor.
• Five of the servers have a single dual-core processor.
• Five of the servers have two quad-core processors.
You plan to deploy Windows Server 2008 R2 on the new servers by using Windows Deployment Services (WDS). You need to recommend a WDS install image strategy that meets the following requirements:
• Minimizes the number of install images
• Supports the deployment of Windows Server 2008 R2
What should you recommend?

A. one install image file that contains three install images
B. one install image file that contains a single install image
C. two install image files that each contain a single install image
D. three install image files that each contain a single install image

Answer: B


Explanation:
You only need one image per processor type.
Windows Deployment Services Images
Windows Deployment Services uses two different types of images: install images and boot images. Install images are the operating system images that will be deployed to Windows Server 2008 or Windows Vista client computers. A default installation image is located in the \Sources directory of the Windows Vista and Windows Server 2008 installation DVDs. If you are using WDS to deploy Windows Server 2008 to computers with different processor architectures, you will need to add separate installation images for each architecture to the WDS server. Architecture-specific images can be found on the architecture-specific installation media. For example, the Itanium image is located on the Itanium installation media and the x64 default installation image is located on the x64 installation media. Although you can create custom images, you only need to have one image per processor architecture. For example, deploying Windows Server 2008 Enterprise Edition x64 to a computer with 1 x64 processor and to a computer with 8 x64 processors in SMP configuration only requires access to the default x64 installation image. Practice exercise 2 at the end of this lesson covers the specifics of adding a default installation image to a WDS server.

Question 5

Your network contains a single Active Directory site. You plan to deploy 1,000 new computers that will run Windows 7 Enterprise. The new computers have Preboot Execution Environment (PXE) network adapters. You need to plan the deployment of the new computers to meet the following requirements:
• Support 50 simultaneous installations of Windows 7
• Minimize the impact of network operations during the deployment of the new computers
• Minimize the amount of time required to install Windows 7 on the new computers
What should you include in your plan?

A. Deploy the Windows Deployment Services (WDS) server role. Configure the IP Helper tables on all routers.
B. Deploy the Windows Deployment Services (WDS) server role. Configure each WDS server by using native mode.
C. Deploy the Windows Deployment Services (WDS) server role and the Transport Server feature. Configure the Transport Server to use a custom network profile.
D. Deploy the Windows Deployment Services (WDS) server role and the Transport Server feature. Configure the Transport Server to use a static multicast address range.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc726564%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc725964%28WS.10%29.aspx
WDS Multicast Server
Updated: November 21, 2007
Applies To: Windows Server 2008
The multicast server deploys an image to a large number of client computers concurrently without overburdening the network. When you create a multicast transmission for an image, the data is sent over the network only once, which can drastically reduce the network bandwidth that is used.
Using Transport Server
Updated: May 8, 2008
Applies To: Windows Server 2008
This topic only applies to Windows Server 2008. If you have Windows Server 2008 R2, see Configuring Transport Server.
You have two options when installing the Windows Deployment Services role in Windows Server 2008. You can install both the Deployment Server and Transport Server role services (which is the default) or you can install only the Transport Server role service. The second configuration is for advanced scenarios, such as environments without Active Directory Domain Services (AD DS), Domain Name System (DNS), or Dynamic Host Configuration Protocol (DHCP). You can configure Transport Server to enable you to boot from the network using Pre-Boot Execution Environment (PXE) and Trivial File Transfer Protocol (TFTP), a multicast server, or both. Note that Transport Server does not contain or support the Windows Deployment Services image store.
Configure how to obtain IP addresses. If multiple servers are using multicast functionality on a network (Transport Server, Deployment Server, or another solution), it is important that each server is configured so that the multicast IP addresses do not collide. Otherwise, you may encounter excessive traffic when you enable multicasting. Note that each Windows Deployment Services server will have the same default range. To work around this issue, specify static ranges that do not overlap to ensure that each server is using a unique IP address, or configure each of the servers to obtain multicast addresses from a Multicast Address Dynamic Client Allocation Protocol (MADCAP) server.
The server architectures are illustrated in the following diagram. The blue parts are installed with Transport Server and the Deployment Server. The grey parts are installed with the Deployment Server only. The yellow parts are not installed with either, but can be written using guidelines in the Windows SDK.

Question 6

Your network consists of a single Active Directory site that includes two network segments. The network segments connect by using a router that is RFC 1542 compliant. You plan to use Windows Deployment Services (WDS) to deploy Windows Server 2008 R2 servers. All new servers support Pre-Boot Execution Environment (PXE). You need to design a deployment strategy to meet the following requirements:
• Support Windows Server 2008 R2
• Deploy the servers by using WDS in both network segments
• Minimize the number of servers used to support WDS
What should you include in your design?

A. Deploy one server. Install WDS and DHCP on the server. Configure the IP Helper tables on the router between the network segments.
B. Deploy two servers. Install WDS and DHCP on both servers. Place one server on each of the network segments. Configure both servers to support DHCP option 60.
C. Deploy two servers. Install WDS and DHCP on both servers. Place one server on each of the network segments. Configure both servers to support DHCP option 252.
D. Deploy two servers. Install WDS and DHCP on one server. Install DHCP on the other server. Place one server on each of the network segments. Configure both servers to support DHCP option 60.


Answer: A

Explanation:
http://support.microsoft.com/kb/926172
IP Helper table updates
The PXE network boot method uses DHCP packets for communication. The DHCP packets serve a dual purpose. They are intended to help the client in obtaining an IP address lease from a DHCP server and to locate a valid network boot server. If the booting client, the DHCP server, and the network boot server are all located on the same network segment, usually no additional configuration is necessary. The DHCP broadcasts from the client reach both the DHCP server and the network boot server.
However, if either the DHCP server or the network boot server is on a different network segment than the client, or if they are on the same network segment but the network is controlled by a switch or a router, you may have to update the routing tables for the networking equipment in order to make sure that DHCP traffic is directed correctly. Such a process is known as performing IP Helper table updates. When you perform this process, you must configure the networking equipment so that all DHCP broadcasts from the client computer are directed to both a valid DHCP server and to a valid network boot server.
Note: It is inefficient to rebroadcast the DHCP packets onto other network segments. It is best to only forward the DHCP packets to the recipients that are listed in the IP Helper table.
After the client computer has obtained an IP address, it contacts the network boot server directly in order to obtain the name and the path of the network boot file to download. Again, this process is handled by using DHCP packets.
Note: We recommend that you update the IP Helper tables in order to resolve scenarios in which the client computers and the network boot server are not located on the same network segment.

Question 7

Your company has 250 branch offices. Your network contains an Active Directory domain. The domain controllers run Windows Server 2008 R2. You plan to deploy Read-only Domain Controllers (RODCs) in the branch offices. You need to plan the deployment of the RODCs to meet the following requirements:
• Build each RODC at the designated branch office.
• Ensure that the RODC installation source files do not contain cached secrets.
• Minimize the bandwidth used during the initial synchronization of Active Directory Domain Services (AD DS).
What should you include in your plan?

A. Use Windows Server Backup to perform a full backup of an existing domain controller. Use the backup to build the new RODCs.
B. Use Windows Server Backup to perform a custom backup of the critical volumes of an existing domain controller. Use the backup to build the new RODCs.
C. Create a DFS namespace that contains the Active Directory database from one of the existing domain controllers. Build the RODCs by using an answer file.
D. Create an RODC installation media. Build the RODCs from the RODC installation media.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc770654%28WS.10%29.aspx
Installing AD DS from Media
Applies To: Windows Server 2008, Windows Server 2008 R2
You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.
Ntdsutil.exe can create four types of installation media, as described in the following table.
You must use read-only domain controller (RODC) installation media to install an RODC. For RODC installation media, the ntdsutil command removes any cached secrets, such as passwords. You can create RODC installation media either on an RODC or on a writeable domain controller. You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller.
If the source domain controller where you create the installation media and the destination server where you plan to install Active Directory Domain Services (AD DS) both run Windows Server 2008 with Service Pack 2 or later or Windows Server 2008 R2, and if you are using Distributed File System (DFS) Replication for SYSVOL, you can run the ntdsutil ifm command with an option to include the SYSVOL shared folder in the installation media. If the installation media includes SYSVOL, you must use Robocopy.exe to copy the installation media from the source domain controller to the destination server. For more information, see Installing an Additional Domain Controller by Using IFM.
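As an added example (not code from this guide or from Microsoft's documentation), the following PowerShell session creates the RODC installation media the explanation describes, using ntdsutil on an existing domain controller, and then checks that the media contains the expected files. The folder path is a hypothetical value; run it in an elevated session on a writeable DC or an RODC.

```powershell
# Added example: build RODC IFM media with ntdsutil and verify the result.
# Assumptions: elevated PowerShell on an existing domain controller;
# $MediaPath is a hypothetical local folder with enough free space.
$MediaPath = 'C:\IFM-RODC'
New-Item -ItemType Directory -Path $MediaPath -Force | Out-Null

# ntdsutil accepts its interactive commands as arguments. "create rodc" writes a copy
# of the directory database with cached secrets stripped out, which is what makes it
# safe to ship to a branch office. Use "create sysvol rodc" instead when SYSVOL uses
# DFS Replication and you want the SYSVOL share included (copy it with robocopy then).
& ntdsutil.exe 'activate instance ntds' 'ifm' "create rodc $MediaPath" 'quit' 'quit'
if ($LASTEXITCODE -ne 0) { throw "ntdsutil failed with exit code $LASTEXITCODE" }

# Sanity check: the media must hold the database and the registry hives.
$expected = @('Active Directory\ntds.dit', 'registry\SYSTEM', 'registry\SECURITY')
foreach ($rel in $expected) {
    if (-not (Test-Path (Join-Path $MediaPath $rel))) {
        throw "IFM media is missing $rel"
    }
}
Write-Host "RODC IFM media created at $MediaPath; copy it to the branch server and point the RODC promotion at that folder."
```

Because the media is built at the hub and only the delta since the media was created is replicated during promotion, the initial synchronization over the branch WAN link stays small, which is the bandwidth requirement in the question.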

Question 8

Your network consists of a single Active Directory domain. The network is located on the 172.16.0.0/23 subnet. The company hires temporary employees. You provide user accounts and computers to the temporary employees. The temporary employees receive computers that are outside the Active Directory domain. The temporary employees use their computers to connect to the network by using wired connections and wireless connections. The company's security policy specifies that the computers connected to the network must have the latest updates for the operating system. You need to plan the network's security so that it complies with the company's security policy. What should you include in your plan?

A. Implement a Network Access Protection (NAP) strategy for the 172.16.0.0/23 subnet.
B. Create an extranet domain within the same forest. Migrate the temporary employees' user accounts to the extranet domain. Install the necessary domain resources on the 172.16.0.0/23 subnet.
C. Move the temporary employees' user accounts to a new organizational unit (OU). Create a new Group Policy object (GPO) that uses an intranet Microsoft Update server. Link the new GPO to the new OU.

D. Create a new subnet in a perimeter network. Relocate the wireless access point to the perimeter network. Require authentication through a VPN server before allowing access to the internal resources.

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/dd125338%28WS.10%29.aspx
Network Access Protection Design Guide
Updated: October 6, 2008
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Network Access Protection (NAP) is one of the most anticipated features of the Windows Server® 2008 operating system. NAP is a new platform that allows network administrators to define specific levels of network access based on a client's identity, the groups to which the client belongs, and the degree to which the client complies with corporate governance policy. If a client is not compliant, NAP provides a mechanism for automatically bringing the client into compliance (a process known as remediation) and then dynamically increasing its level of network access. NAP is supported by Windows Server 2008 R2, Windows Server 2008, Windows 7, Windows Vista®, and Windows® XP with Service Pack 3 (SP3). NAP includes an application programming interface that developers and vendors can use to integrate their products and leverage this health state validation, access enforcement, and ongoing compliance evaluation. For more information about the NAP API, see Network Access Protection (http://go.microsoft.com/fwlink/?LinkId=128423).
The following are key NAP concepts:
NAP Agent.
A service included with Windows Server 2008, Windows Vista, and Windows XP with SP3 that collects and manages health information for NAP client computers.
NAP client computer.
A computer that has the NAP Agent service installed and running, and is providing its health status to NAP server computers.
NAP-capable computer.
A computer that has the NAP Agent service installed and running and is capable of providing its health status to NAP server computers. NAP-capable computers include computers running Windows Server 2008, Windows Vista, and Windows XP with SP3.
Non-NAP-capable computer.
A computer that cannot provide its health status to NAP server components. A computer that has the NAP Agent installed but not running is also considered non-NAP-capable.
Compliant computer.
A computer that meets the NAP health requirements that you have defined for your network. Only NAP client computers can be compliant.
Noncompliant computer.
A computer that does not meet the NAP health requirements that you have defined for your network. Only NAP client computers can be noncompliant.
Health status.
Information about a NAP client computer that NAP uses to allow or restrict access to a network. Health is defined by a client computer's configuration state. Some common measurements of health include the operational status of Windows Firewall, the update status of antivirus signatures, and the installation status of security updates. A NAP client computer provides health status by sending a message called a statement of health (SoH).
NAP health policy server.
A NAP health policy server is a computer running Windows Server 2008 with the Network Policy Server (NPS) role service installed and configured for NAP. The NAP health policy server uses NPS policies and settings to evaluate the health of NAP client computers when they request access to the network, or when their health state changes. Based on the results of this evaluation, the NAP health policy server determines whether NAP client computers will be granted full or restricted access to the network.


Question 9

Your company has a main office and two branch offices. The main office is located in London. The branch offices are located in New York and Paris. Your network consists of an Active Directory forest that contains three domains named contoso.com, paris.contoso.com, and newyork.contoso.com. All domain controllers run Windows Server 2008 R2 and have the DNS Server server role installed. The domain controllers for contoso.com are located in the London office. The domain controllers for paris.contoso.com are located in the Paris office. The domain controllers for newyork.contoso.com are located in the New York office. A domain controller in the contoso.com domain has a standard primary DNS zone for contoso.com. A domain controller in the paris.contoso.com domain has a standard primary DNS zone for paris.contoso.com. A domain controller in the newyork.contoso.com domain has a standard primary DNS zone for newyork.contoso.com. You need to plan a name resolution strategy for the Paris office that meets the following requirements:
• If a WAN link fails, clients must be able to resolve hostnames for contoso.com.
• If a WAN link fails, clients must be able to resolve hostnames for newyork.contoso.com.
• The DNS servers in Paris must be updated when new authoritative DNS servers are added to newyork.contoso.com.
What should you include in your plan?

A. Configure conditional forwarding for contoso.com. Configure conditional forwarding for newyork.contoso.com.
B. Create a standard secondary zone for contoso.com. Create a standard secondary zone for newyork.contoso.com.
C. Convert the standard zone into an Active Directory-integrated zone. Add all DNS servers in the forest to the root hints list.
D. Create an Active Directory-integrated stub zone for contoso.com. Create an Active Directory-integrated stub zone for newyork.contoso.com.

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc771640.aspx
http://technet.microsoft.com/en-us/library/cc771898.aspx
Understanding Zone Delegation
Applies To: Windows Server 2008, Windows Server 2008 R2
Domain Name System (DNS) provides the option of dividing up the namespace into one or more zones, which can then be stored, distributed, and replicated to other DNS servers. When you are deciding whether to divide your DNS namespace to make additional zones, consider the following reasons to use additional zones:
• You want to delegate management of part of your DNS namespace to another location or department in your organization.
• You want to divide one large zone into smaller zones to distribute traffic loads among multiple servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment.
• You want to extend the namespace by adding numerous subdomains at once, for example, to accommodate the opening of a new branch or site.
Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
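As an added example (not code from this guide), the following PowerShell session implements the chosen design with dnscmd, the DNS command-line tool shipped with Windows Server 2008 R2: it restricts zone transfers on the two primaries to the Paris server, turns on DNS NOTIFY toward Paris so that changes such as new NS records reach it promptly, and then creates the two standard secondary zones in Paris. All server names and IP addresses are placeholders.

```powershell
# Added example: Paris secondary zones for contoso.com and newyork.contoso.com.
# Assumptions: run from an elevated prompt with DNS administrator rights on the
# servers named; every host name and address below is a placeholder.
$ParisDns     = 'dc1.paris.contoso.com'    # Paris DNS server that hosts the copies
$ParisDnsIp   = '10.3.0.10'
$LondonDns    = 'dc1.contoso.com'          # primary for contoso.com
$LondonDnsIp  = '10.1.0.10'
$NewYorkDns   = 'dc1.newyork.contoso.com'  # primary for newyork.contoso.com
$NewYorkDnsIp = '10.2.0.10'

# 1. On each primary: allow AXFR/IXFR only to the Paris server (a zone transfer
#    is a full copy of the zone, so it should not be open to arbitrary hosts) and
#    send NOTIFY to Paris when the zone serial changes. That is how Paris learns of
#    new authoritative servers without waiting for the SOA refresh interval.
& dnscmd $LondonDns  /ZoneResetSecondaries contoso.com         /SecureList $ParisDnsIp /NotifyList $ParisDnsIp
& dnscmd $NewYorkDns /ZoneResetSecondaries newyork.contoso.com /SecureList $ParisDnsIp /NotifyList $ParisDnsIp

# 2. In Paris: create the two standard (file-backed) secondary zones. Each is a
#    complete copy, so Paris keeps answering for both names when a WAN link is down.
& dnscmd $ParisDns /ZoneAdd contoso.com         /Secondary $LondonDnsIp
& dnscmd $ParisDns /ZoneAdd newyork.contoso.com /Secondary $NewYorkDnsIp

# 3. Pull the initial copies now and show the zone state; a secondary that has
#    never completed a transfer cannot answer queries for the zone.
foreach ($zone in 'contoso.com', 'newyork.contoso.com') {
    & dnscmd $ParisDns /ZoneRefresh $zone
    & dnscmd $ParisDns /ZoneInfo $zone
}
```

Conditional forwarders and stub zones (options A and D) would not satisfy the first two requirements, because both still depend on reaching the remote servers at query time; only a secondary zone holds the data locally.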


Question 10

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to implement a Certificate Services solution that meets the following requirements:
• Automates the distribution of certificates for internal users
• Ensures that the network's certificate infrastructure is as secure as possible
• Gives external users access to resources that use certificate-based authentication
What should you do?

A. Deploy an online standalone root certification authority (CA). Deploy an offline standalone root CA.
B. Deploy an offline enterprise root certification authority (CA). Deploy an offline enterprise subordinate CA.
C. Deploy an offline standalone root certification authority (CA). Deploy an online enterprise subordinate CA. Deploy an online standalone subordinate CA.
D. Deploy an online standalone root certification authority (CA). Deploy an online enterprise subordinate CA. Deploy an online standalone subordinate CA.

Answer: C

Explanation:
Certification authority hierarchies
The Microsoft public key infrastructure (PKI) supports a hierarchical certification authority (CA) model. A certification hierarchy provides scalability, ease of administration, and consistency with a growing number of commercial and other CA products.
In its simplest form, a certification hierarchy consists of a single CA. However, in general, a hierarchy will contain multiple CAs with clearly defined parent-child relationships. In this model, the child subordinate certification authorities are certified by their parent CA-issued certificates, which bind a certification authority's public key to its identity. The CA at the top of a hierarchy is referred to as the root authority, or root CA. The child CAs of the root CA are called subordinate certification authorities (CAs).
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.
http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx

Authentication and Authorization
Stand-alone CAs use local authentication for certificate requests, mainly through the Web enrollment interface. Stand-alone CAs provide an ideal service provider or commercial PKI provider platform for issuing certificates to users outside of an Active Directory environment where the user identity is separately verified and examined before the request is submitted to the CA.
Offline and Online CAs
Traditionally, the decision of whether to use an online or an offline CA involves a compromise between availability and usability versus security. The more sensitive the key material is and the higher the security requirements are, the less accessible the CA should be to users.
Specifying CA Roles
An ideal PKI hierarchy design divides the responsibility of the CAs. A topology that is designed with requirements that have been carefully considered provides the most flexible and scalable enterprise configuration. In general, CAs are organized in hierarchies. Single tier hierarchies might not provide adequate security compartmentalization, extensibility and flexibility. Hierarchies with more than three tiers might not provide additional value regarding security, extensibility and flexibility.
The most important consideration is protecting the highest instance of trust as much as possible. Single-tier hierarchies are based on the need to compartmentalize risk and reduce the attack surface that is available to users who have malicious intent. A larger hierarchy is much more difficult to administer, with little security benefit.
Depending on the organization's necessities, a PKI should consist of two or three logical levels that link several CAs in a hierarchy. Administrators who understand the design requirements for a three-level topology may also be able to build a two-level topology.
A three-tier CA hierarchy consists of the following components:
A root CA that is configured as a stand-alone CA without a network connection
One or more intermediate CAs that are configured as stand-alone CAs without a network connection
One or more issuing CAs that are configured as enterprise CAs that are connected to the network

Also worth a look, though it refers to Windows 2003:
http://technet.microsoft.com/en-us/library/cc779714%28WS.10%29.aspx


Question 11

Your network contains an Active Directory forest named contoso.com. You plan to deploy a new child domain named branch.contoso.com. The child domain will contain two domain controllers. Both domain controllers will have the DNS Server server role installed. All users and computers in the branch office will be members of the branch.contoso.com domain. You need to plan the DNS infrastructure for the child domain to meet the following requirements:
• Ensure resources in the root domain are accessible by fully qualified domain names.
• Ensure resources in the child domain are accessible by fully qualified domain names.
• Provide name resolution services in the event that a single server fails for a prolonged period of time.
• Automatically recognize when new DNS servers are added to or removed from the contoso.com domain.
What should you include in your plan?

A. On both domain controllers, add a conditional forwarder for contoso.com and create a standard primary zone for branch.contoso.com.
B. On both domain controllers, modify the root hints to include the domain controllers for contoso.com. On one domain controller, create an Active Directory-integrated zone for branch.contoso.com.
C. On one domain controller, create an Active Directory-integrated zone for branch.contoso.com and create an Active Directory-integrated stub zone for contoso.com.
D. On one domain controller, create a standard primary zone for contoso.com. On the other domain controller, create a standard secondary zone for contoso.com.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc772101.aspx
http://technet.microsoft.com/en-us/library/cc771898.aspx
Understanding DNS Zone Replication in Active Directory Domain Services
Applies To: Windows Server 2008, Windows Server 2008 R2
You can store Domain Name System (DNS) zones in the domain or application directory partitions of Active Directory Domain Services (AD DS). A partition is a data structure in AD DS that distinguishes data for different replication purposes. For more information, see Understanding Active Directory Domain Services Integration.
The following table describes the available zone replication scopes for AD DS-integrated DNS zone data.

When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS-integrated DNS zone data replicated to
all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest.
AD DS-integrated DNS zone data that is stored in an application directory partition is not replicated to the global catalog for the forest. The domain controller that contains the global catalog can also host application directory partitions, but it will not replicate this data to its global catalog.
AD DS-integrated DNS zone data that is stored in a domain partition is replicated to all domain controllers in its AD DS domain, and a portion of this data is stored in the global catalog. This setting is used to support Windows 2000.
If an application directory partition's replication scope replicates across AD DS sites, replication will occur with the same intersite replication schedule as is used for domain partition data.
By default, the Net Logon service registers domain controller locator (Locator) DNS resource records for the application directory partitions that are hosted on a domain controller in the same manner as it registers domain controller locator (Locator) DNS resource records for the domain partition that is hosted on a domain controller.
Primary zone
When a zone that this DNS server hosts is a primary zone, the DNS server is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default the primary zone file is named zone_name.dns and it is located in the %windir%\System32\Dns folder on the server.
Secondary zone
When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies this server with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.
Stub zone
When a zone that this DNS server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. The zone at this server must be obtained from another DNS server that hosts the zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone.
You can use stub zones to:
• Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.
• Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, without having to query the Internet or an internal root server for the DNS namespace.
• Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones, and they are not an alternative for enhancing redundancy and load sharing.
There are two lists of DNS servers involved in the loading and maintenance of a stub zone:
• The list of master servers from which the DNS server loads and updates a stub zone. A master server may be a primary or secondary DNS server for the zone. In both cases, it will have a complete list of the DNS servers for the zone.
• The list of the authoritative DNS servers for a zone. This list is contained in the stub zone using name server (NS) resource records.
When a DNS server loads a stub zone, such as widgets.tailspintoys.com, it queries the master servers, which can be in different locations, for the necessary resource records of the authoritative servers for the zone widgets.tailspintoys.com. The list of master servers may contain a single server or multiple servers, and it can be changed anytime.

Question 12

Your network is configured as shown in the following diagram.

You deploy an enterprise certification authority (CA) on the internal network. You also deploy a Microsoft Online Responder on the internal network. You need to recommend a secure method for Internet users to verify the validity of individual certificates. The solution must minimize network bandwidth. What should you recommend?

A. Deploy a subordinate CA on the perimeter network.
B. Install a standalone CA and the Network Device Enrollment Service (NDES) on a server on the perimeter network.
C. Install a Network Policy Server (NPS) on a server on the perimeter network. Redirect authentication requests to a server on the internal network.
D. Install Microsoft Internet Information Services (IIS) on a server on the perimeter network. Configure IIS to redirect requests to the Online Responder on the internal network.

Answer: D

Explanation:
http://www.ipsure.com/blog/2010/installation-and-configuration-of-active-directory-certificate-services-on-windows-server-2008-r2-1/
http://msdn.microsoft.com/en-us/library/cc732956.aspx


Question 13

Your network contains two DHCP servers. The DHCP servers are named DHCP1 and DHCP2. The internal network contains 1,000 DHCP client computers that are located on a single subnet. A router separates the internal network from the Internet. The router has a single IP address on the internal interface. DHCP1 has the following scope information:
• Starting IP address: 172.16.0.1
• Ending IP address: 172.16.7.255
• Subnet mask: 255.255.240.0
You need to provide a fault tolerant DHCP infrastructure that supports the client computers on the internal network. In the event that a DHCP server fails, all client computers must be able to obtain a valid IP address.
How should you configure DHCP2?

A. Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.
B. Create a scope for the subnet 172.16.0.0/21. Configure the scope to use a starting IP address of 172.16.0.1 and an ending IP address of 172.16.15.254.
C. Create a scope for the subnet 172.16.8.0/21. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.10.254.
D. Create a scope for the subnet 172.17.0.0/16. Configure the scope to use a starting IP address of 172.17.0.1 and an ending IP address of 172.17.255.254.

Answer: A

Explanation:
Create a scope for the subnet 172.16.0.0/20. Configure the scope to use a starting IP address of 172.16.8.1 and an ending IP address of 172.16.15.254.
Subnet mask 255.255.240.0 is a /20 subnet in CIDR notation; this allows for 4096 client IPs, ranging from 172.16.0.1 all the way to 172.16.15.254. As DHCP1 only uses half of the available IPs, you should configure DHCP2 to use the other half.
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
As an aside, you could consider the 80/20 design rule for balancing scope distribution of addresses where multiple DHCP servers are deployed to service the same scope. Using more than one DHCP server on the same subnet provides increased fault tolerance for servicing DHCP clients located on it. With two DHCP servers, if one server is unavailable, the other server can take its place and continue to lease new addresses or renew existing clients.
A common practice when balancing a single network and scope range of addresses between two DHCP servers is to have 80 percent of the addresses distributed by one DHCP server and the remaining 20 percent provided by a second.
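The split-scope arithmetic behind answer A, as an added example that is not part of the original question bank: it uses only the standard-library ipaddress module to confirm that the two scopes sit inside 172.16.0.0/20, do not overlap (two servers offering the same address would produce duplicate leases), and between them cover the usable range, and it also carries out the 80/20 split mentioned above. The scope boundaries are the ones from the question and from answer A; the helper names and the 80/20 split function are constructed for this illustration.

```python
"""Split-scope checks for the DHCP1/DHCP2 design in Question 13.

Added example, not part of the original question bank. It uses only the
standard-library ipaddress module. The scope boundaries below are the ones
given in the question and in answer A; everything else is constructed here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    """A DHCP scope expressed as an inclusive address range."""
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def addresses(self) -> range:
        """All addresses in the scope as integers (end is inclusive)."""
        return range(int(self.start), int(self.end) + 1)

    def size(self) -> int:
        return len(self.addresses())


def scope(name: str, start: str, end: str) -> Scope:
    return Scope(name, ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))


def check_split(subnet: str, scopes: list[Scope]) -> dict:
    """Check that the scopes fit the subnet, do not overlap and cover it.

    Returns the usable host count of the subnet, how many usable addresses
    some scope offers, how many addresses two scopes both offer (which would
    let two servers lease the same address), and a list of problems found.
    """
    net = ipaddress.IPv4Network(subnet)
    usable = range(int(net.network_address) + 1, int(net.broadcast_address))
    problems: list[str] = []
    seen: set[int] = set()
    overlap = 0
    for s in scopes:
        if s.end < s.start:
            problems.append(f"{s.name}: end address precedes start address")
        if s.start not in net or s.end not in net:
            problems.append(f"{s.name}: range is not inside {net}")
        if s.start == net.network_address or s.end == net.broadcast_address:
            problems.append(f"{s.name}: offers the network or broadcast address")
        for a in s.addresses():
            if a in seen:
                overlap += 1
            seen.add(a)
    if overlap:
        problems.append(f"{overlap} address(es) offered by more than one server")
    covered = len(seen & set(usable))
    return {"usable": len(usable), "covered": covered,
            "overlap": overlap, "problems": problems}


def split_80_20(subnet: str) -> tuple[Scope, Scope]:
    """The 80/20 alternative: 80% of usable addresses to A, the rest to B."""
    net = ipaddress.IPv4Network(subnet)
    hosts = list(net.hosts())
    cut = round(len(hosts) * 0.8)
    return (scope("A", str(hosts[0]), str(hosts[cut - 1])),
            scope("B", str(hosts[cut]), str(hosts[-1])))


if __name__ == "__main__":
    dhcp1 = scope("DHCP1", "172.16.0.1", "172.16.7.255")   # existing scope
    dhcp2 = scope("DHCP2", "172.16.8.1", "172.16.15.254")  # answer A
    print(check_split("172.16.0.0/20", [dhcp1, dhcp2]))
    # Answer B hands DHCP2 the whole range, so it duplicates DHCP1's addresses:
    option_b = scope("DHCP2", "172.16.0.1", "172.16.15.254")
    print(check_split("172.16.0.0/20", [dhcp1, option_b])["overlap"])
    print(split_80_20("172.16.0.0/20"))
```

Running the script reports 4094 usable addresses, 4093 of them covered (172.16.8.0 is a valid host in a /20 but neither scope offers it), no overlap and no problems for answer A, while answer B's range overlaps DHCP1 on 2047 addresses and answer D's range lies outside the subnet entirely.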

Question 14

Your company has a main office and three branch offices. The network consists of a single Active Directory domain. Each office contains an Active Directory domain controller. You need to create a DNS infrastructure for the network that meets the following requirements:
• The DNS infrastructure must allow the client computers in each office to register DNS names within their respective offices.
• The client computers must be able to resolve names for hosts in all offices.
What should you do?

A. Create an Active Directory-integrated zone at the main office site.
B. Create a standard primary zone at the main office site and at each branch office site.
C. Create a standard primary zone at the main office site. Create a secondary zone at each branch office site.
D. Create a standard primary zone at the main office site. Create an Active Directory-integrated stub zone at each branch office site.

Answer: A

Explanation:
http://searchwindowsserver.techtarget.com/tip/DNS-Primer-Tips-for-understanding-Active-Directory-integrated-zone-design-and-configuration
http://technet.microsoft.com/en-us/library/cc772101.aspx
In an ADI primary zone, rather than keeping the old zone file on a disk, the DNS records are stored in the AD, and Active Directory replication is used rather than the old problematic zone transfer. If all DNS servers were to die or become inaccessible, you could simply install DNS on any domain controller (DC) in the domain. The records would be automatically populated and your DNS server would be up without the messy import/export tasks of standard DNS zone files.
Windows 2000 and 2003 allow you to put a standard secondary zone (read only) on a member server and use one of the ADI primary servers as the master.


Question 15

Your network consists of a single Active Directory domain. The network contains two Windows Server 2008 R2 computers named Server1 and Server2. The company has two identical print devices. You plan to deploy print services. You need to plan a print services infrastructure to meet the following requirements:
• Manage the print queue from a central location.
• Make the print services available, even if one of the print devices fails.
What should you include in your plan?

A. Install and share a printer on Server1. Enable printer pooling.
B. Install the Remote Desktop Services server role on both servers. Configure Remote Desktop Connection Broker (RD Connection Broker).
C. Install and share a printer on Server1. Install and share a printer on Server2. Use Print Management to install the printers on the client computers.
D. Add Server1 and Server2 to a Network Load Balancing cluster. Install a printer on each node of the cluster.

Answer: A

Explanation:
http://www.techrepublic.com/blog/datacenter/configure-printer-pooling-in-windows-server-2008/964
Managing printers can be the bane of a Windows administrator. One feature that may assist you with this task is the Windows printer pooling feature. Windows Server 2008 offers functionality that permits a collection of multiple like-configured printers to distribute the print workload.
Printer pooling makes one share that clients print to, and the jobs are sent to the first available printer. Configuring print pooling is rather straightforward in the Windows printer configuration applet of the Control Panel. Figure A shows two like-modeled printers being pooled.
To use pooling, the printer models need to be the same so that the driver configuration is transparent to the end device; this can also help control costs of toner and other supplies. But plan accordingly — you don't want users essentially running track to look for their print jobs on every printer in the office.

Question 16

Your network contains two servers that run the Server Core installation of Windows Server 2008 R2. The two servers are part of a Network Load Balancing cluster. The cluster hosts a Web site. Administrators use client computers that run Windows 7. You need to recommend a strategy that allows the administrators to remotely manage the Network Load Balancing cluster. Your strategy must support automation. What should you recommend?

A. On the servers, enable Windows Remote Management (WinRM).
B. On the servers, add the administrators to the Remote Desktop Users group.
C. On the Windows 7 client computers, enable Windows Remote Management (WinRM).
D. On the Windows 7 client computers, add the administrators to the Remote Desktop Users group.

Answer: A

Explanation:
http://support.microsoft.com/kb/968929
http://msdn.microsoft.com/en-us/library/aa384291%28VS.85%29.aspx
WinRM 2.0
WinRM is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows for hardware and operating systems from different vendors to interoperate. The WS-Management Protocol specification provides a common way for systems to access and exchange management information across an IT infrastructure. WinRM 2.0 includes the following new features:
• The WinRM Client Shell API provides functionality to create and manage shells and shell operations, commands, and data streams on remote computers.
• The WinRM Plug-in API provides functionality that enables a user to write plug-ins by implementing certain APIs for supported resources and operations.
• WinRM 2.0 introduces a hosting framework. Two hosting models are supported. One is Internet Information Services (IIS)-based and the other is WinRM service-based.
• Association traversal lets a user retrieve instances of Association classes by using a standard filtering mechanism.
• WinRM 2.0 supports delegating user credentials across multiple remote computers.
• Users of WinRM 2.0 can use Windows PowerShell cmdlets for system management.
• WinRM has added a specific set of quotas that provide a better quality of service and allocate server resources to concurrent users. The WinRM quota set is based on the quota infrastructure that is implemented for the IIS service.

USAGE
=====
(ALL UPPER-CASE = value that must be supplied by user.)
winrs [-/SWITCH[:VALUE]] COMMAND
COMMAND - Any string that can be executed as a command in the cmd.exe shell.
SWITCHES
========
(All switches accept both short form or long form. For example both -r and -remote are valid.)
-r[emote]:ENDPOINT - The target endpoint using a NetBIOS name or the standard connection URL: [TRANSPORT://]TARGET[:PORT]. If not specified -r:localhost is used.
-un[encrypted] - Specify that the messages to the remote shell will not be encrypted. This is useful for troubleshooting, or when the network traffic is already encrypted using ipsec, or when physical security is enforced. By default the messages are encrypted using Kerberos or NTLM keys. This switch is ignored when HTTPS transport is selected.
-u[sername]:USERNAME - Specify username on command line. If not specified the tool will use Negotiate authentication or prompt for the name. If -username is specified, -password must be as well.
-p[assword]:PASSWORD - Specify password on command line. If -password is not specified but -username is, the tool will prompt for the password. If -password is specified, -user must be specified as well.
-t[imeout]:SECONDS - This option is deprecated.
-d[irectory]:PATH - Specifies starting directory for remote shell. If not specified the remote shell will start in the user's home directory defined by the environment variable %USERPROFILE%.
-env[ironment]:STRING=VALUE - Specifies a single environment variable to be set when shell starts, which allows changing default environment for shell. Multiple occurrences of this switch must be used to specify multiple environment variables.
-noe[cho] - Specifies that echo should be disabled. This may be necessary to ensure that user's answers to remote prompts are not displayed locally. By default echo is "on".
-nop[rofile] - Specifies that the user's profile should not be loaded. By default the server will attempt to load the user profile. If the remote user is not a local administrator on the target system then this option will be required (the default will result in error).
-a[llow]d[elegate] - Specifies that the user's credentials can be used to access a remote share, for example, found on a different machine than the target endpoint.
-comp[ression] - Turn on compression. Older installations on remote machines may not support compression so it is off by default.
-[use]ssl - Use an SSL connection when using a remote endpoint. Specifying this instead of the transport "https:" will use the default WinRM default port.
-? - Help


To terminate the remote command the user can type Ctrl-C or Ctrl-Break, which will be sent to the remote shell. The second Ctrl-C will force termination of winrs.exe.
To manage active remote shells or WinRS configuration, use the WinRM tool. The URI alias to manage active shells is shell/cmd. The URI alias for WinRS configuration is winrm/config/winrs. Example usage can be found in the WinRM tool by typing "WinRM -?".
Examples:
winrs -r:https://myserver.com command
winrs -r:myserver.com -usessl command
winrs -r:myserver command
winrs -r:http://127.0.0.1 command
winrs -r:http://169.51.2.101:80 -unencrypted command
winrs -r:https://[::FFFF:129.144.52.38] command
winrs -r:http://[1080:0:0:0:8:800:200C:417A]:80 command
winrs -r:https://myserver.com -t:600 -u:administrator -p:$%fgh7 ipconfig
winrs -r:myserver -env:PATH=^%PATH^%;c:\tools -env:TEMP=d:\temp config.cmd
winrs -r:myserver netdom join myserver /domain:testdomain /userd:johns /passwordd:$%fgh789
winrs -r:myserver -ad -u:administrator -p:$%fgh7 dir \\anotherserver\share

Question 17

Your company has a main office and a branch office. You plan to deploy a Read-only Domain Controller (RODC) in the branch office. You need to plan a strategy to manage the RODC. Your plan must meet the following requirements:
• Allow branch office support technicians to maintain drivers and disks on the RODC
• Prevent branch office support technicians from managing domain user accounts
What should you include in your plan?

A. Configure the RODC for Administrator Role Separation.
B. Configure the RODC to replicate the password for the branch office support technicians.
C. Set NTFS permissions on the Active Directory database to Read & Execute for the branch office support technicians.
D. Set NTFS permissions on the Active Directory database to Deny Full Control for the branch office support technicians.

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/cc753170%28WS.10%29.aspx


Question 18

Your network consists of a single Active Directory domain. The network contains five Windows Server 2008 R2 servers that host Web Applications. You need to plan a remote management strategy to manage the Web servers. Your plan must meet the following requirements:
• Allow Web developers to configure features on the Web sites
• Prevent Web developers from having full administrative rights on the Web servers
What should you include in your plan?

A. Configure request filtering on each Web server.
B. Configure authorization rules for Web developers on each Web server.
C. Configure the security settings in Internet Explorer for all Web developers by using a Group Policy.
D. Add the Web developers to the Account Operators group in the domain.

Answer: B

Explanation:
http://mscerts.programming4.us/windows_server/windows%20server%202008%20%20%20controlling%20access%20to%20web%20services%20%28part%205%29%20-%20managing%20url%20authorization%20rules.aspx
Managing URL Authorization Rules
Authorization is a method by which systems administrators can determine which resources and content are available to specific users. Authorization relies on authentication to validate the identity of a user. Once the identity has been proven, authorization rules determine which actions a user or computer can perform. IIS provides methods of securing different types of content using URL-based authorization. Because Web content is generally requested using a URL that includes a full path to the content being requested, you can configure authorization settings easily, using IIS Manager.
Creating URL Authorization Rules
To enable URL authorization, the UrlAuthorizationModule must be enabled. Authorization rules can be configured at the level of the Web server, for specific Web sites, for specific Web applications, and for specific files (based on a complete URL path). URL authorization rules use inheritance so that lower-level objects inherit authorization settings from their parent objects (unless they are specifically overridden).
To configure authorization settings, select the appropriate object in the left pane of IIS Manager, and then select Authorization Rules in Features View. Figure 6 shows an example of multiple rules configured for a Web site.


Figure 6. Viewing authorization rules for a Web site

There are two types of rules: Allow and Deny. You can create new rules by using the Add Allow Rule and Add Deny Rule commands in the Actions pane. The available options for both types of rules are the same. (See Figure 7.) When creating a new rule, the main setting is to determine to which users the rule applies. The options are:

• All Users
• All Anonymous Users
• Specific Roles Or User Groups
• Specific Users


When you choose to specify users or groups to which the rule applies, you can type the appropriate names in a comma-separated list. The specific users and groups are defined using .NET role providers. This is a standard feature that is available to ASP.NET Web developers. Developers can create their own roles and user accounts and can define permissions within their applications. Generally, information about users and roles is stored in a relational database or relies on a directory service such as Active Directory.
In addition to user and role selections, you can further configure an authorization rule based on specific HTTP verbs. For example, if you want to apply a rule only for POST commands (which are typically used to send information from a Web browser to a Web server), add only the POST verb to the rule.
Managing Rule Inheritance
As mentioned earlier in this section, authorization rules are inherited automatically by lower-level objects. This is useful when your Web site and Web content is organized hierarchically based on intended users or groups. The Entry Type column shows whether a rule has been inherited from a higher level or whether it has been defined locally. IIS Manager automatically will prevent you from creating duplicate rules. You can remove rules at any level, including both Inherited and Local entry types.
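The rule mechanics described in this explanation (Allow and Deny rules, All Users / All Anonymous Users / specific users and roles, per-verb scoping, inheritance with Inherited and Local entry types, removal of inherited rules, refusal of duplicates), as an added Python model. This is not code from the page, from IIS or from the cited article. Two points are assumptions made for the illustration, because the page does not state them: the evaluation order (any matching Deny wins, otherwise a matching Allow grants access, otherwise access is denied) and the way removing an inherited rule masks it for the path and everything below; verify both against your IIS version before relying on them. The site layout, the paths, the user names and the WebDevelopers role are constructed sample data.

```python
"""Toy model of IIS URL authorization rules.

Added illustration, not code from the page, from IIS or from the cited
article. Assumed semantics (the page does not state them): a request is
denied when any applicable Deny rule matches, allowed when an Allow rule
matches, and denied otherwise; a rule removed at a path is masked for that
path and every path below it. Paths, users and roles are constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL_USERS = "*"   # the "All Users" choice in IIS Manager
ANONYMOUS = "?"   # the "All Anonymous Users" choice


@dataclass(frozen=True)
class Rule:
    access: str                # "Allow" or "Deny"
    users: frozenset[str]      # specific user names, or ALL_USERS / ANONYMOUS
    roles: frozenset[str]      # specific roles or user groups
    verbs: frozenset[str]      # HTTP verbs the rule is limited to; empty = all

    def matches(self, user: str | None, user_roles: set[str], verb: str) -> bool:
        """Does this rule apply to the given principal and HTTP verb?"""
        if self.verbs and verb.upper() not in self.verbs:
            return False
        if ALL_USERS in self.users:
            return True
        if user is None:                       # anonymous request
            return ANONYMOUS in self.users
        return user in self.users or bool(self.roles & set(user_roles))


def rule(access: str, users=(), roles=(), verbs=()) -> Rule:
    """Build a hashable Rule from plain iterables."""
    if access not in ("Allow", "Deny"):
        raise ValueError("access must be Allow or Deny")
    return Rule(access, frozenset(users), frozenset(roles),
                frozenset(v.upper() for v in verbs))


class UrlAuthorization:
    """Rules and removals keyed by path; child paths inherit from ancestors."""

    def __init__(self) -> None:
        self._rules: dict[str, list[Rule]] = {}
        self._removed: dict[str, set[Rule]] = {}

    @staticmethod
    def _norm(path: str) -> str:
        return "/" + path.strip("/")

    @staticmethod
    def _ancestors(path: str) -> list[str]:
        parts = [p for p in path.split("/") if p]
        return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

    def add_rule(self, path: str, r: Rule) -> None:
        rules = self._rules.setdefault(self._norm(path), [])
        if r in rules:
            raise ValueError(f"duplicate rule at {path}")  # IIS Manager refuses these too
        rules.append(r)

    def remove_rule(self, path: str, r: Rule) -> None:
        """Drop a Local rule, or mask an Inherited one, for this path and below."""
        path = self._norm(path)
        if r in self._rules.get(path, []):
            self._rules[path].remove(r)
        else:
            self._removed.setdefault(path, set()).add(r)

    def effective_rules(self, url_path: str) -> list[tuple[str, Rule]]:
        """Applicable rules tagged "Inherited" or "Local", like the Entry Type column."""
        url_path = self._norm(url_path)
        effective: dict[Rule, str] = {}
        for level in self._ancestors(url_path):
            for r in self._removed.get(level, ()):
                effective.pop(r, None)
            for r in self._rules.get(level, ()):
                effective[r] = "Local" if level == url_path else "Inherited"
        return [(tag, r) for r, tag in effective.items()]

    def is_allowed(self, url_path: str, user: str | None,
                   user_roles: set[str] = frozenset(), verb: str = "GET") -> bool:
        """Assumed order: a matching Deny wins, else a matching Allow grants, else deny."""
        applicable = [r for _, r in self.effective_rules(url_path)
                      if r.matches(user, user_roles, verb)]
        if any(r.access == "Deny" for r in applicable):
            return False
        return any(r.access == "Allow" for r in applicable)


def build_site() -> UrlAuthorization:
    """Constructed sample: a public site whose /manage area is for developers only."""
    auth = UrlAuthorization()
    auth.add_rule("/", rule("Allow", users=[ALL_USERS]))              # public content
    auth.remove_rule("/manage", rule("Allow", users=[ALL_USERS]))     # stop inheriting Allow *
    auth.add_rule("/manage", rule("Deny", users=[ANONYMOUS]))
    auth.add_rule("/manage", rule("Allow", roles=["WebDevelopers"]))
    auth.add_rule("/manage/config", rule("Deny", users=[ALL_USERS], verbs=["DELETE"]))
    return auth


if __name__ == "__main__":
    site = build_site()
    for tag, r in site.effective_rules("/manage/config"):
        print(tag, r)
    print(site.is_allowed("/manage", None))                            # anonymous: denied
    print(site.is_allowed("/manage", "alice", {"WebDevelopers"}))      # developer: allowed
    print(site.is_allowed("/manage/config", "alice", {"WebDevelopers"}, "DELETE"))
```

The removal at /manage is the step that makes the design work under the assumed deny-first evaluation: without it, the inherited "Allow All Users" would still admit any authenticated account such as bob below, and the only way to keep non-developers out would be a Deny that also hits the developers.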

Question 19

Your network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008 R2. The domain contains 200 Windows Server 2008 R2 servers. You need to plan a monitoring solution that meets the following requirements:

• Sends a notification by email to the administrator if an Application error occurs on any of the servers
• Uses the minimum amount of administrative effort

What should you include in your plan?

A. On one server, create event subscriptions for each server. On the server, attach tasks to the Application error events.
B. On one server, create an Event Trace Sessions Data Collector Set. On all servers, create a System Performance Data Collector Set.
C. On all servers, create event subscriptions for one server. On all servers, attach a task for the Application error events.
D. On all servers, create a System Performance Data Collector Set. On one server, configure the report settings for the new Data Collector Set.

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/cc749183.aspx
http://technet.microsoft.com/en-us/library/cc748890.aspx
http://technet.microsoft.com/en-us/library/cc722010.aspx
Event Subscriptions
Applies To: Windows 7, Windows Server 2008 R2, Windows Vista
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.
Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.
Using the event collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) service and the Windows Event Collector (Wecsvc) service. Both of these services must be running on computers participating in the forwarding and collecting process. To learn about the steps required to configure event collecting and forwarding computers, see Configure Computers to Forward and Collect Events.
Additional Considerations
• You can subscribe to receive events from an existing subscription on a remote computer.
Configure Computers to Forward and Collect Events
Applies To: Windows 7, Windows Server 2008 R2, Windows Vista

Before you can create a subscription to collect events on a computer, you must configure both the collecting computer (collector) and each computer from which events will be collected (source). Updated information about event subscriptions may be available online at Event Subscriptions.
To configure computers in a domain to forward and collect events
1. Log on to all collector and source computers. It is a best practice to use a domain account with administrative privileges.
2. On each source computer, type the following at an elevated command prompt:

Question 20

Your network consists of a single Active Directory domain. The network includes a branch office named Branch1. Branch1 contains 50 member servers that run Windows Server 2008 R2. An organizational unit (OU) named Branch1Servers contains the computer objects for the servers in Branch1. A global group named Branch1admins contains the user accounts for the administrators. Administrators maintain all member servers in Branch1. You need to recommend a solution that allows the members of the Branch1admins group to perform the following tasks on the Branch1 member servers:
• Stop and start services
• Change registry settings
What should you recommend?

A. Add the Branch1admins group to the Power Users local group on each server in Branch1.
B. Add the Branch1admins group to the Administrators local group on each server in Branch1.
C. Assign the Branch1admins group change permissions to the Branch1Servers OU and to all child objects.
D. Assign the Branch1admins group Full Control permissions on the Branch1Servers OU and to all child objects.

Answer: B

Explanation:
Local admins have these rights. Power Users do not.
By default, members of the Power Users group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can
apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.

Question 21

Your network consists of a single Active Directory domain. The network includes a branch office named Branch1. Branch1 contains a Read-only Domain Controller (RODC) named Server1. A global group named Branch1admins contains the user accounts for administrators. Administrators manage the client computers and servers in Branch1. You need to recommend a solution for delegating control of Server1. Your solution must meet the following requirements:
• Allow the members of the Branch1admins group to administer Server1, including changing device drivers and installing operating system updates by using Windows Update.
• Provide the Branch1admins group rights on Server1 only.
• Prevent the Branch1admins group from modifying Active Directory objects.
What should you recommend?

A. Add the Branch1admins global group to the Server Operators built-in local group.
B. Add the members of the Branch1admins global group to the Administrators built-in local group of Server1.
C. Grant Full Control permission on the Server1 computer object in the domain to the Branch1admins group.
D. Move the Server1 computer object to a new organizational unit (OU) named Branch1servers. Grant Full Control permission on the Branch1servers OU to the Branch1admins group.

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc753223%28WS.10%29.aspx
Administrator role separation
Administrator role separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator is not able to log on to any other domain controller or perform any other administrative task in the domain. In this way, a security group that comprises branch users, rather than members of the Domain Admins group, can be delegated the ability to effectively manage the RODC in the branch office, without compromising the security of the rest of the domain.

Question 22

Your network consists of a single Active Directory forest. The forest functional level is Windows Server 2008 R2. The forest contains two domains named contoso.com and na.contoso.com. Contoso.com contains a user named User1. Na.contoso.com contains an organizational unit (OU) named Security. You need to give User1 administrative rights so that he can manage Group Policies for the Security OU. You want to achieve this goal while meeting the following requirements:
• User1 must be able to create and configure Group Policies in na.contoso.com.
• User1 must be able to link Group Policies to the Security OU.
• User1 must be granted the least administrative rights necessary to achieve the goal.
What should you do?

A. Add User1 to the Administrators group for na.contoso.com.
B. Add User1 to the Group Policy Creator Owners group in contoso.com. Modify the permissions on the Security OU.
C. Run the Delegation of Control Wizard on the Security OU. In the Group Policy Management Console, modify the
permissions of the Group Policy Objects container in the na.contoso.com domain.
D. Run the Delegation of Control Wizard on na.contoso.com. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the contoso.com domain.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/dd145442.aspx
http://technet.microsoft.com/en-us/library/dd145338.aspx
http://technet.microsoft.com/en-us/library/dd145594.aspx

Question 23

Your network contains several branch offices. All servers run Windows Server 2008 R2. Each branch office contains a domain controller and a file server. The DHCP Server server role is installed on the branch office domain controllers. Each office has a branch office administrator. You need to delegate the administration of DHCP to meet the following requirements:
• Allow branch office administrators to manage DHCP scopes for their own office
• Prevent the branch office administrators from managing DHCP scopes in other offices
• Minimize administrative effort
What should you do?

A. In the Active Directory domain, add the branch office administrators to the Server Operators built-in local group.
B. In the Active Directory domain, add the branch office administrators to the Network Configuration Operators built-in local group.
C. In each branch office, migrate the DHCP Server server role to the file server. On each file server, add the branch office administrator to the DHCP Administrators local group.
D. In each branch office, migrate the DHCP Server server role to the file server. In the Active Directory domain, add the branch office administrators to the DHCP Administrators domain local group.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/dd379494%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd379483%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd379535%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc737716%28WS.10%29.aspx

DHCP Administrators
Members of the DHCP Administrators group can view and modify any data at the DHCP server. DHCP Administrators can create and delete scopes, add reservations, change option values, create superscopes, or perform any other activity needed to administer the DHCP server, including export or import of the DHCP server configuration and database. DHCP Administrators perform these tasks using the Netsh commands for DHCP or the DHCP console. For more information, see DHCP tools.
Members of the DHCP Administrators group do not have unlimited administrative rights. For example, if a DHCP server is also configured as a DNS server, a member of the DHCP Administrators group can view and modify the DHCP configuration but cannot modify DNS server configuration on the same computer.
Because members of the DHCP Administrators group have rights on the local computer only, DHCP Administrators cannot authorize or unauthorize DHCP servers in Active Directory. Only members of the Domain Admins group can perform this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must have enterprise administrator credentials for the parent domain. For more information about authorizing DHCP servers in Active Directory, see Authorizing DHCP servers and Authorize a DHCP server in Active Directory.
Using groups to administer DHCP servers in a domain
When you add a user or group to a DHCP Users or DHCP Administrators group on a DHCP server, the rights of the DHCP group member do not apply to all of the DHCP servers in the domain. The rights apply only to the DHCP service on the local computer.

Question 24

Your company has a single Active Directory domain. You have 30 database servers that run Windows Server 2008 R2. The computer accounts for the database servers are stored in an organizational unit (OU) named Data. The user accounts for the database administrators are stored in an OU named Admin. The database administrators are
members of a global group named D_Admins. You must allow the database administrators to perform administrative tasks on the database servers. You must prevent the database administrators from performing administrative tasks on other servers. What should you do?

A. Deploy a Group Policy to the Data OU.
B. Deploy a Group Policy to the Admin OU.
C. Add D_Admins to the Domain Admins global group.
D. Add D_Admins to the Server Operators built-in local group.

Answer: A

Explanation:
http://technet.microsoft.com/en-us/library/cc754948%28WS.10%29.aspx
Group Policy Planning and Deployment Guide
You can use Windows Server 2008 Group Policy to manage configurations for groups of computers and users, including options for registry-based policy settings, security settings, software deployment, scripts, folder redirection, and preferences. Group Policy preferences, new in Windows Server 2008, are more than 20 Group Policy extensions that expand the range of configurable policy settings within a Group Policy object (GPO). In contrast to Group Policy settings, preferences are not enforced. Users can change preferences after initial deployment. For information about Group Policy Preferences, see Group Policy Preferences Overview.
Using Group Policy, you can significantly reduce an organization's total cost of ownership. Various factors, such as the large number of policy settings available, the interaction between multiple policies, and inheritance options, can make Group Policy design complex. By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs.
Overview of Group Policy
Group Policy enables Active Directory–based change and configuration management of user and computer settings on computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP. In addition to using Group Policy to define configurations for groups of users and computers, you can also use Group Policy to help manage server computers, by configuring many server-specific operational and security settings.
By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object. This approach to OU design, illustrated in Figure 1, reduces complexity and improves the speed at which Group Policy is applied. Keep in mind that GPOs linked to the higher layers of the OU structure are inherited by default, which reduces the need to duplicate GPOs or to link a GPO to multiple containers.
When designing your Active Directory structure, the most important considerations are ease of administration and delegation.

Question 25

Your network consists of a single Active Directory forest that contains a root domain and two child domains. All servers run Windows Server 2008 R2. A corporate policy has the following requirements:
• All local guest accounts must be renamed and disabled.
• All local administrator accounts must be renamed.
You need to recommend a solution that meets the requirements of the corporate policy.
What should you recommend?

A. Implement a Group Policy object (GPO) for each domain.
B. Implement a Group Policy object (GPO) for the root domain.
C. Deploy Network Policy and Access Services (NPAS) on all domain controllers in each domain.
D. Deploy Active Directory Rights Management Services (AD RMS) on the root domain controllers.

Answer: A

Explanation:
http://www.windowsecurity.com/articles/protecting-administrator-account.html
http://www.pctips3000.com/enable-or-disable-group-policy-object-in-windows-server-2008/
http://blogs.technet.com/b/chenley/archive/2006/07/13/441642.aspx

Question 26

Your network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008 R2. All domain controllers run Windows Server 2008 R2. A corporate policy requires that the users from the research department have higher levels of account and password security than other users in the domain. You need to recommend a solution that meets the requirements of the corporate policy. Your solution must minimize hardware and software costs. What should you recommend?

A. Create a new Active Directory site. Deploy a Group Policy object (GPO) to the site.
B. Create a new Password Settings Object (PSO) for the research department's users.
C. Create a new organizational unit (OU) named Research in the existing domain. Deploy a Group Policy object (GPO) to the Research OU.
D. Create a new domain in the forest. Add the research department's user accounts to the new domain. Configure a new security policy in the new domain.

Answer: B

Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx

Question 27

Your network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008 R2. All servers run Windows Server 2008 R2. A corporate security policy requires complex passwords for user accounts that have administrator privileges. You need to design a strategy that meets the following requirements:
• Ensures that administrators use complex passwords
• Minimizes the number of servers required to support the solution
What should you include in your design?

A. Implement Network Access Protection (NAP).
B. Implement Active Directory Rights Management Services (AD RMS).
C. Create a new Password Settings Object (PSO) for administrator accounts.
D. Create a new child domain in the forest. Move all nonadministrator accounts to the new domain. Configure a complex password policy in the root domain.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx

Question 28

Your network consists of a single Active Directory domain. The domain contains three organizational units (OUs) named Test, Application, and Database. You need to redesign the layout of the OUs to support the following requirements:
- Prevent Group Policy objects (GPOs) that are linked to the domain from applying to computers located in the Applications OU
- Minimize the number of GPOs
- Minimize the number of OUs
What should you include in your design?

A. Create a Starter GPO.
B. Create a Windows Management Instrumentation (WMI) filter.
C. Delegate permissions on the Application OU.
D. Configure block inheritance on the Application OU.

Answer: D

Explanation:
Understanding Group Policy
You already know that Group Policy settings contained in Group Policy objects (GPOs) can be linked to OUs, and that OUs can either inherit settings from parent OUs or block inheritance and obtain their specific settings from their own linked GPOs. You also know that some policies—specifically, security policies—can be set to “no override” so that they cannot be blocked or overwritten and force child OUs to inherit the settings from their parents.

Question 29

Your network consists of a single Active Directory domain. The relevant portion of the Active Directory domain is
configured as shown in the following diagram.

The Staff organizational unit (OU) contains all user accounts except for the managers' user accounts. The Managers OU contains the managers' user accounts and the following global groups:
• Sales
• Finance
• Engineering
You create a new Group Policy object (GPO) named GPO1, and then link it to the Employees OU.
Users from the Engineering global group report that they are unable to access the Run command on the Start menu. You discover that the GPO1 settings are causing the issue. You need to ensure that the users from the Engineering global group are able to access the Run command on the Start menu. What should you do?

A. Configure GPO1 to use the Enforce Policy option.
B. Configure Block Inheritance on the Managers OU.
C. Configure Group Policy filtering on GPO1 for the Engineering global group.
D. Create a new child OU named Engineering under the Employees OU. Move the Engineering global group to the new Engineering child OU.

Answer: C

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration.
No administrator likes exceptions, but we are required to implement them. Typically you might have configured security filtering, Windows Management Instrumentation (WMI) filters, block inheritance settings, no-override settings, loopback processing, and slow-link settings. You need to check that these settings are not affecting normal GPO processing.

Question 30

Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. You need to recommend a Group Policy deployment strategy. Your strategy must support the following requirements:
• Domain-level Group Policy objects (GPOs) must not be overwritten by organizational unit (OU) level GPOs.
• OU-level GPOs must not apply to members of the Server Operators group.
What should you recommend?

A. Enable Block Inheritance for the domain, and then modify the permissions of all GPOs linked to OUs.
B. Enable Block Inheritance for the domain, and then enable Loopback Processing policy mode. Add the Server Operators group to the Restricted Groups list.
C. Set all domain-level GPOs to Enforced, and then modify the permissions of the GPOs that are linked to OUs.
D. Set all domain-level GPOs to Enforced, and then enable Loopback Processing policy mode. Add the Server Operators group to the Restricted Groups list.

Answer: C

Explanation:
http://www.petri.co.il/working_with_group_policy.htm
http://technet.microsoft.com/en-us/library/bb742376.aspx

Linking a GPO to Multiple Sites, Domains, and OUs
This section demonstrates how you can link a GPO to more than one container (site, domain, or OU) in the Active Directory. Depending on the exact OU configuration, you can use other methods to achieve similar Group Policy effects; for example, you can use security group filtering or you can block inheritance. In some cases, however, those methods do not have the desired effects. Whenever you need to explicitly state which sites, domains, or OUs need the same set of policies, use the method outlined below:
To link a GPO to multiple sites, domains, and OUs
1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory Users and Computers node.
2. Double-click the reskit.com domain, and double-click the Accounts OU.
3. Right-click the Headquarters OU, select Properties from the context menu, and then click the Group Policy tab.
4. In the Headquarters Properties dialog box, on the Group Policy tab, click New to create a new GPO named Linked Policies.
5. Select the Linked Policies GPO, and click the Edit button.
6. In the Group Policy snap-in, in the User Configuration node, under the Administrative Templates node, click Control Panel, and then click Display.
7. On the details pane, click the Disable Changing Wallpaper policy, and then click Enabled in the Disable Changing
Wallpaper dialog box and click OK.
8. Click Close to exit the Group Policy snap-in.
9. In the Headquarters Properties page, click Close.
Next you will link the Linked Policies GPO to another OU.
1. In the GPWalkthrough console, double-click the Active Directory Users and Computers node, double-click the reskit.com domain, and then double-click the Accounts OU.
2. Right-click the Production OU, click Properties on the context menu, and then click the Group Policy tab on the Production Properties dialog box.
3. Click the Add button, or right-click the blank area of the Group Policy objects links list, and select Add on the context menu.
4. In the Add a Group Policy Object Link dialog box, click the down arrow on the Look in box, and select the Accounts.reskit.com OU.
5. Double-click the Headquarters.Accounts.reskit.com OU from the Domains, OUs, and linked Group Policy objects list.
6. Click the Linked Policies GPO, and then click OK.
You have now linked a single GPO to two OUs. Changes made to the GPO in either location result in a change for both OUs. You can test this by changing some policies in the Linked Policies GPO, and then logging onto a client in each of the affected OUs, Headquarters and Production.

Question 31

Your network consists of three Active Directory forests. Forest trust relationships exist between all forests. Each forest contains one domain. All domain controllers run Windows Server 2008 R2. Your company has three network administrators. Each network administrator manages a forest and the Group Policy objects (GPOs) within that forest. You need to create standard GPOs that the network administrators in each forest will use. The GPOs must meet the following requirements:
• The GPOs must only contain settings for either user configurations or computer configurations.
• The number of GPOs must be minimized.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Export the new GPOs to .cab files. Ensure that the .cab files are available to the network administrator in each forest.
B. Create two new GPOs. Configure both GPOs to use the required user configurations and the required computer configurations.
C. Create two new GPOs. Configure one GPO to use the required user configuration. Configure the other GPO to use the required computer configuration.
D. Back up the Sysvol folder that is located on the domain controller where the new GPOs were created. Provide the backup to the network administrator in each forest.

Answer: A, C

Explanation:
http://technet.microsoft.com/en-us/library/ee390958.aspx
http://www.petri.co.il/working_with_group_policy.htm
Export a GPO to a File
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2
You can export a controlled Group Policy object (GPO) to a CAB file so that you can copy it to a domain in another forest and import the GPO into Advanced Group Policy Management (AGPM) in that domain. For information about how to import GPO settings into a new or existing GPO, see Import a GPO from a File.
A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management (AGPM) is required to complete this procedure. Review the details in "Additional considerations"
in this topic.
To export a GPO to a file
1. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
2. On the Contents tab, click the Controlled tab to display the controlled GPOs.
3. Right-click the GPO, and then click Export to.
4. Enter a file name for the file to which you want to export the GPO, and then click Export. If the file does not exist, it is created. If it already exists, it is replaced.
Additional considerations
• By default, you must be an Editor or an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have List Contents, Read Settings, and Export GPO permissions for the GPO.
Group Policy sections
Each GPO is built from two sections:
• Computer configuration contains the settings that configure the computer prior to the user logon combo-box.
• User configuration contains the settings that configure the user after the logon. You cannot choose to apply the settings to a single user; all users, including administrator, are affected by the settings.

Question 32

Your company has a branch office that contains a Windows Server 2008 R2 computer. The Windows Server 2008 R2 computer runs Windows Server Update Services (WSUS). The WSUS server is configured to store updates locally. The company opens four new satellite offices. Each satellite office connects to the branch office by using a dedicated WAN link. Internet access is provided through the branch office. You need to design a strategy for patch management that meets the following requirements:
• WSUS updates are approved independently for each satellite office.
• Internet traffic is minimized.
What should you include in your design?

A. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as an autonomous server.
B. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as a replica of the branch office WSUS server.
C. In each satellite office, install a WSUS server. Configure each satellite office WSUS server to use the branch office WSUS server as an upstream server.
D. For each satellite office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs. Configure different schedules to download updates from the branch office WSUS server to the client computers in each satellite office.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/hh852344.aspx
In addition, a Windows Server 2008 server running WSUS server can act as an upstream server—an update source for other WSUS servers within your organization. At least one WSUS server in your network must connect to the Microsoft Update Web site to get available update information. How many other servers connect directly to Microsoft Update is something you need to determine as part of your planning process, and depends upon network configuration and security requirements.

In this deployment model, the WSUS server that receives updates from the Microsoft Update server is designated as
the upstream server. A WSUS server that retrieves updates from another WSUS server is designated as a downstream server.
Autonomous mode: The Autonomous mode, also called distributed administration, is the default installation option for WSUS. In Autonomous mode, an upstream WSUS server shares updates with downstream servers during synchronization. Downstream WSUS servers are administered separately, and they do not receive update approval status or computer group information from the upstream server. By using the distributed management model, each WSUS server administrator selects update languages, creates computer groups, assigns computers to groups, tests and approves updates, and makes sure that the correct updates are installed to the appropriate computer groups. The following image shows how you might deploy autonomous WSUS servers in a branch office environment:

Replica mode: The Replica mode, also called centralized administration, works by having an upstream WSUS server that shares updates, approval status, and computer groups with downstream servers. Replica servers inherit update approvals and are not administered separately from the upstream WSUS server. The following image shows how you might deploy replica WSUS servers in a branch office environment.

________________________________________________________________________________________________

www.Certificationking.com
Page No | 47

Branch Ofce
You can leveraie the Branch Ofce feature in Windows to opamize WSUS deployment. This type of deployment ofers
the followini advantaies:
Helps reduce WAN link ualizaaon and improves applicaaon responsiveness. To enable BranchCache acceleraaon of
content that is served by the WSUS server, install the BranchCache feature on the server and the clients, and ensure
that the BranchCache service has started. No other steps are necessary.
In branch ofces that have low-bandwidth connecaons to the central ofce but hiih-bandwidth connecaons to the
Internet, the Branch Ofce feature can also be used. In this case you may want to confiure downstream WSUS
servers to iet informaaon about which updates to install from the central WSUS server, but download the updates
from Microsof Update.

Question 33

Your network contains several Windows Server 2008 R2 servers that run Windows Server Update Services (WSUS). The WSUS servers distribute updates to all computers on the internal network. Remote users connect from their personal computers to the internal network by using a split-tunnel VPN connection. You need to plan a strategy for patch management that deploys updates on the remote users' computers. Your strategy must meet the following requirements:
• Minimize bandwidth use over the VPN connections
• Require updates to be approved on the WSUS servers before they are installed on the client computers.
What should you include in your plan?

A. Create a Group Policy object (GPO) to perform client-side targeting.
B. Create a computer group for the remote users' computers. Configure the remote users' computers to use the internal WSUS server.
C. Create a custom connection by using the Connection Manager Administration Kit (CMAK). Deploy the custom connection to all of the remote users' computers.
D. Deploy an additional WSUS server. Configure the remote users' computers to use the additional WSUS server. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site.

Answer: D

Explanation:
Performance and Bandwidth Optimization
Branch offices with slow WAN connections to the central server but broadband connections to the Internet can be configured to get metadata from the central server and update content from the Microsoft Update Web site.

Question 34

Your company has a branch office that contains a Windows Server 2008 R2 server. The server runs Windows Server Update Services (WSUS). The company opens four new satellite offices. Each satellite office connects to the branch office by using a dedicated WAN link. You need to design a strategy for patch management that meets the following requirements:
• WSUS updates are approved from a central location.
• WAN traffic is minimized between the branch office and the satellite offices.
What should you include in your design?

A. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as a replica of the branch office WSUS server.
B. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as an autonomous server that synchronizes to the branch office WSUS server.
C. On the branch office WSUS server, create a computer group for each satellite office. Add the client computers in each satellite office to their respective computer groups.
D. For each satellite office, create an organizational unit (OU). Create and link a Group Policy object (GPO) to each OU. Configure different schedules to download updates from the branch office WSUS server to the client computers in each satellite office.

Answer: A

Explanation:
Replica Mode and Autonomous Mode
You have two options when configuring the administration model for your organization's downstream WSUS servers. The first option, shown in Figure 8-5, is to configure the downstream WSUS server as a replica of the upstream server. When you configure a WSUS server as a replica, all approvals, settings, computers, and groups from the upstream server are used on the downstream server. The downstream server cannot be used to approve updates when configured in replica mode, though you can change a replica server to the second mode—called autonomous mode—if an update urgently needs to be deployed.

Figure 8-5 Downstream replica server
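The upstream/downstream, replica/autonomous and "leave the binaries on Microsoft Update" settings discussed in Questions 32 to 34 are all properties of one WSUS configuration object. The following PowerShell is an added example (not from the training kit or TechNet text) that sets them on a downstream WSUS 3.0 server through the Microsoft.UpdateServices.Administration API; the upstream server name is an assumption.

```powershell
# Added example: configure the local WSUS 3.0 server as a downstream server.
# Run on the downstream server itself with WSUS administrator rights.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Set-WsusDownstreamMode {
    param(
        [Parameter(Mandatory=$true)][string]$UpstreamServer,
        [int]$UpstreamPort = 8530,                 # 8531 when the upstream server uses SSL
        [switch]$UseSsl,
        [switch]$Replica,                          # inherit approvals and computer groups (Question 34)
        [switch]$HostBinariesOnMicrosoftUpdate    # metadata from upstream, content from Microsoft Update (Question 33)
    )
    # Connect to the local server and fetch its configuration object
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()

    # Synchronize metadata from the branch office server rather than Microsoft Update
    $config.SyncFromMicrosoftUpdate      = $false
    $config.UpstreamWsusServerName       = $UpstreamServer
    $config.UpstreamWsusServerPortNumber = $UpstreamPort
    $config.UpstreamWsusServerUseSsl     = [bool]$UseSsl

    # Replica = centralized administration; autonomous = approvals made locally
    $config.IsReplicaServer = [bool]$Replica

    # When set, clients fetch the update binaries from Microsoft Update, so only
    # metadata crosses the WAN or VPN link to this server and its upstream server
    $config.HostBinariesOnMicrosoftUpdate = [bool]$HostBinariesOnMicrosoftUpdate

    $config.Save()
    return $config
}

function Get-WsusDownstreamSummary {
    # Read back the effective settings so the design decision can be verified
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    $upstream = if ($config.SyncFromMicrosoftUpdate) { 'Microsoft Update' }
                else { '{0}:{1}' -f $config.UpstreamWsusServerName, $config.UpstreamWsusServerPortNumber }
    $mode     = if ($config.IsReplicaServer) { 'Replica (centralized administration)' }
                else { 'Autonomous (distributed administration)' }
    $content  = if ($config.HostBinariesOnMicrosoftUpdate) { 'Microsoft Update' } else { 'This WSUS server' }
    New-Object PSObject -Property @{ Upstream = $upstream; Mode = $mode; ContentSource = $content }
}

# Satellite office server from Question 34: a replica of the branch office server.
# 'wsus-branch.corp.example' is an assumed name for the branch office WSUS server.
Set-WsusDownstreamMode -UpstreamServer 'wsus-branch.corp.example' -Replica | Out-Null
# For the VPN users' server in Question 33, add -HostBinariesOnMicrosoftUpdate so
# approvals still come from the internal server but binaries stay on Microsoft Update.
Get-WsusDownstreamSummary
```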

Question 35

You need to design a Windows Server Update Services (WSUS) infrastructure that meets the following requirements:
·The updates must be distributed from a central location.
·All computers must continue to receive updates in the event that a server fails.
What should you include in your design?

A. Configure two WSUS servers in a Microsoft SQL Server 2008 failover cluster. Configure each WSUS server to use a local database.
B. Configure a single WSUS server to use multiple downstream servers. Configure each WSUS server to use a RAID 1 mirror and a local database.
C. Configure a single WSUS server to use multiple downstream servers. Configure each WSUS server to use a RAID 5 array and a local database.
D. Configure a Microsoft SQL Server 2008 failover cluster. Configure two WSUS servers in a Network Load Balancing cluster. Configure WSUS to use the remote SQL Server 2008 database instance.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/dd939812(v=WS.10).aspx
WSUS database
WSUS 3.0 SP2 requires a database for each WSUS server. WSUS supports the use of a database that resides on a different computer than the WSUS server, with some restrictions. For a list of supported databases and remote database limitations, see WSUS database requirements.

The WSUS database stores the following information:
• WSUS server configuration information
• Metadata that describes each update
• Information about client computers, updates, and interactions
If you install multiple WSUS servers, you must maintain a separate database for each WSUS server, whether it is an autonomous or a replica server. (For more information about WSUS server types, see Design the WSUS Server Layout.) You cannot store multiple WSUS databases on a single instance of SQL Server, except in Network Load Balancing (NLB) clusters that use SQL Server failover. For more about this configuration, see Configure WSUS for Network Load Balancing.
SQL Server, SQL Server Express, and Windows Internal Database provide the same performance characteristics for a single server configuration, where the database and the WSUS service are located on the same computer. A single server configuration can support several thousand WSUS client computers.
Windows Server 2008 Enterprise Edition
Windows Server 2008 Enterprise Edition is the version of the operating system targeted at large businesses. Plan to deploy this version of Windows 2008 on servers that will run applications such as SQL Server 2008 Enterprise Edition and Exchange Server 2007. These products require the extra processing power and RAM that Enterprise Edition supports. When planning deployments, consider Windows Server 2008 Enterprise Edition in situations that require the following technologies unavailable in Windows Server 2008 Standard Edition:
■ Failover Clustering: Failover clustering is a technology that allows another server to continue to service client requests in the event that the original server fails. Clustering is covered in more detail in Chapter 11, “Clustering and High Availability.” You deploy failover clustering on mission-critical servers to ensure that important resources are available even if a server hosting those resources fails.

Question 36

Your network consists of a single Active Directory forest. The sales department in your company has 600 Windows Server 2008 R2 servers. You need to recommend a solution to monitor the performance of the 600 servers. Your solution must meet the following requirements:
• Generate alerts when the average processor usage is higher than 90 percent for 20 minutes.
• Automatically adjust the processor monitoring threshold to allow for temporary changes in the workload.
What should you recommend?

A. Install Windows System Resource Manager (WSRM) on each server.
B. Deploy Microsoft System Center Operations Manager (OpsMgr).
C. Deploy Microsoft System Center Configuration Manager (SysMgr).
D. Configure Reliability and Performance Monitor on each server.

Answer: B

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Microsoft System Center Operations Manager 2007
When planning the centralized monitoring and management of large numbers of Windows Server 2008 computers, you should consider implementing Microsoft System Center Operations Manager 2007. System Center Operations Manager 2007 was touched on briefly during Chapter 4, “Application Servers and Services.” Microsoft System Center Operations Manager 2007 allows you to centrally manage and monitor thousands of servers and applications and provides a complete overview of the health of your network environment. System Center Operations Manager 2007 is the most recent version of Microsoft Operations Manager 2005 (MOM). System Center Operations Manager 2007 provides the following features:
■ Proactive alerts that recognize conditions that are likely to lead to failure of critical services, applications, and servers in the future
■ The ability to configure tasks to automatically execute to resolve problems when given events occur
■ The collection of long-term trend data from all servers and applications across the organization with the ability to generate comparison reports against current performance
■ Correlation of auditing data generated across the organization, allowing the detection of trends that might not be apparent when examining server auditing data in isolation

Question 37

Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. A server named Server1 has the Remote Desktop Services server role installed. You notice that several users consume more than 30 percent of the CPU resources throughout the day. You need to prevent users from consuming more than 15 percent of the CPU resources. Administrators must not be limited by the amount of CPU resources that they can consume. What should you do?

A. Implement Windows System Resource Manager (WSRM), and configure user policies.
B. Implement Windows System Resource Manager (WSRM), and configure session policies.
C. Configure Performance Monitor, and create a user-defined Data Collector Set.
D. Configure Performance Monitor, and create an Event Trace Session Data Collector Set.

Answer: A

Explanation:
You can use tools such as the Windows System Resource Manager and Performance Monitor to determine memory and processor usage of Terminal Services clients. Once you understand how the Terminal Server's resources are used, you can determine the necessary hardware resources and make a good estimate as to the Terminal Server's overall client capacity. Terminal Server capacity directly influences your deployment plans: A server that has a capacity of 100 clients is not going to perform well when more than 250 clients attempt to connect. Monitoring tools are covered in more detail in “Monitoring Terminal Services” later in this lesson.

Windows System Resource Manager
Windows System Resource Manager (WSRM) is a feature that you can install on a Windows Server 2008 computer that controls how resources are allocated. The WSRM console, shown in Figure 5-9, allows an administrator to apply WSRM policies. WSRM includes four default policies and also allows administrators to create their own. The two policies that will most interest you as someone responsible for planning and deploying Terminal Services infrastructure are Equal_Per_User and Equal_Per_Session.
The Equal_Per_User WSRM policy ensures that each user is allocated resources equally, even when one user has more sessions connected to the Terminal Server than other users. Apply this policy when you allow users to have multiple sessions to the Terminal Server—it stops any one user from monopolizing hardware resources by opening multiple sessions. The Equal_Per_Session policy ensures that each session is allocated resources equally. If applied on a Terminal Server where users are allowed to connect with multiple sessions, this policy can allow those users to gain access to a disproportionate amount of system resources in comparison to users with single sessions.

Question 38

Your network contains a standalone root certification authority (CA). You have a server named Server1 that runs Windows Server 2008 R2. You issue a server certificate to Server1. You deploy Secure Socket Tunneling Protocol (SSTP) on Server1. You need to recommend a solution that allows external partner computers to access internal network resources by using SSTP. What should you recommend?

A. Enable Network Access Protection (NAP) on the network.
B. Deploy the Root CA certificate to the external computers.
C. Implement the Remote Desktop Connection Broker role service.
D. Configure the firewall to allow inbound traffic on TCP Port 1723.

Answer: B

Explanation:
Lesson 1: Configuring Active Directory Certificate Services
Certificate Authorities are becoming as integral to an organization's network infrastructure as domain controllers, DNS, and DHCP servers. You should spend at least as much time planning the deployment of Certificate Services in your organization's Active Directory environment as you spend planning the deployment of these other infrastructure servers. In this lesson, you will learn how certificate templates impact the issuance of digital certificates, how to configure certificates to be automatically assigned to users, and how to configure supporting technologies such as Online Responders and credential roaming. Learning how to use these technologies will smooth the integration of certificates into your organization's Windows Server 2008 environment.
After this lesson, you will be able to:
■ Install and manage Active Directory Certificate Services.
■ Configure autoenrollment for certificates.
■ Configure credential roaming.
■ Configure an Online Responder for Certificate Services.
Estimated lesson time: 40 minutes
Types of Certificate Authority
When planning the deployment of Certificate Services in your network environment, you must decide which type of Certificate Authority best meets your organizational requirements. There are four types of Certificate Authority (CA):
■ Enterprise Root
■ Enterprise Subordinate
■ Standalone Root
■ Standalone Subordinate
The type of CA you deploy depends on how certificates will be used in your environment and the state of the existing environment. You have to choose between an Enterprise or a Standalone CA during the installation of the Certificate Services role, as shown in Figure 10-1. You cannot switch between any of the CA types after the CA has been deployed.

Figure 10-1 Selecting an Enterprise or Standalone CA

Enterprise CAs require access to Active Directory. This type of CA uses Group Policy to propagate the certificate trust lists to users and computers throughout the domain and publish certificate revocation lists to Active Directory. Enterprise CAs issue certificates from certificate templates, which allow the following functionality:
■ Enterprise CAs enforce credential checks on users during the certificate enrollment process. Each certificate template has a set of security permissions that determine whether a particular user is authorized to receive certificates generated from that template.
■ Certificate names are automatically generated from information stored within Active Directory. The method by which this is done is determined by certificate template configuration.
■ Autoenrollment can be used to issue certificates from Enterprise CAs, vastly simplifying the certificate distribution process. Autoenrollment is configured through applying certificate template permissions.
In essence, Enterprise CAs are fully integrated into a Windows Server 2008 environment. This type of CA makes the issuing and management of certificates for Active Directory clients as simple as possible.
Standalone CAs do not require Active Directory. When certificate requests are submitted to Standalone CAs, the requestor must provide all relevant identifying information and manually specify the type of certificate needed. This process occurs automatically with an Enterprise CA. By default, Standalone CA requests require administrator approval. Administrator intervention is necessary because there is no automated method of verifying a requestor's credentials. Standalone CAs do not use certificate templates, limiting the ability for administrators to customize certificates for specific organizational needs.
You can deploy Standalone CAs on computers that are members of the domain. When installed by a user that is a member of the Domain Admins group, or one who has been delegated similar rights, the Standalone CA's information will be added to the Trusted Root Certificate Authorities certificate store for all users and computers in the domain. The CA will also be able to publish its certificate revocation list to Active Directory.
Whether you install a Root or Subordinate CA depends on whether there is an existing certificate infrastructure. Root CAs are the most trusted type of CA in an organization's public key infrastructure (PKI) hierarchy. Root CAs sit at the top of the hierarchy as the ultimate point of trust and hence must be as secure as possible. In many environments, a Root CA is only used to issue signing certificates to Subordinate CAs. When not used for this purpose, Root CAs are kept offline in secure environments as a method of reducing the chance that they might be compromised.
If a Root CA is compromised, all certificates within an organization's PKI infrastructure should be considered compromised. Digital certificates are ultimately statements of trust. If you cannot trust the ultimate authority from which that trust is derived, it follows that you should not trust any of the certificates downstream from that ultimate authority.
Subordinate CAs are the network infrastructure servers that you should deploy to issue the everyday certificates needed by computers, users, and services. An organization can have many Subordinate CAs, each of which is issued a signing certificate by the Root CA. In the event that one Subordinate CA is compromised, trust of that CA can be revoked from the Root CA. Only the certificates that were issued by that CA will be considered untrustworthy. You can replace the compromised Subordinate CA without having to replace the entire organization's certificate infrastructure. Subordinate CAs can be replaced, but a compromised Enterprise Root CA usually means you have to redeploy the Active Directory forest from scratch. If a Standalone Root CA is compromised, it also necessitates the replacement of an organization's PKI infrastructure.
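Because the partner computers are not domain members, Group Policy cannot hand them the standalone root CA's certificate, so it must be placed in their Trusted Root store by hand. The following PowerShell is an added example (not from the training kit) that imports the root certificate on a partner computer and then checks that Server1's SSTP certificate chains to it; the file path and server name are assumptions.

```powershell
# Added example: trust the standalone root CA on an external partner computer and
# verify the SSTP server certificate chain the way an SSTP client would see it.

function Install-PartnerRootCa {
    param([Parameter(Mandatory=$true)][string]$RootCerPath)
    # The root certificate is exported on the CA with: certutil -ca.cert <file>
    # and copied out of band; here it goes into the machine Trusted Root store.
    certutil.exe -addstore -f Root $RootCerPath | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Test-SstpServerChain {
    param([Parameter(Mandatory=$true)][string]$ServerName, [int]$Port = 443)
    # SSTP runs over HTTPS, so retrieve the server certificate with a TLS handshake
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        # Accept any certificate during the handshake; the chain is validated explicitly below
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain against this computer's Trusted Root store. SSTP clients also
    # check revocation, so the CA's CRL must be reachable from the partner network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NameMatches = ($cert.GetNameInfo('DnsName', $false) -eq $ServerName)
        ChainValid  = $valid
        ChainStatus = if ($valid) { 'NoError' } else { $status }
    }
}

# Assumed path of the exported root certificate and assumed FQDN of Server1.
# Before the import, ChainValid is False with status UntrustedRoot; after it, True.
Install-PartnerRootCa -RootCerPath 'C:\Temp\rootca.cer' | Out-Null
Test-SstpServerChain -ServerName 'server1.corp.example'
```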

Question 39

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to plan an auditing strategy that meets the following requirements:
• Audits all changes to Active Directory Domain Services (AD DS)
• Stores all auditing data in a central location
What should you include in your plan?

A. Configure an audit policy for the domain. Configure Event Forwarding.
B. Configure an audit policy for the domain controllers. Configure Data Collector Sets.
C. Implement Windows Server Resource Manager (WSRM) in managing mode.
D. Implement Windows Server Resource Manager (WSRM) in accounting mode.

Answer: A

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
The configuration of a subscription filter is more like the configuration of a custom view in that you are able to specify multiple event log sources, rather than just a single Event Log source. In addition, the subscription will be saved whereas you need to re-create a filter each time you use one. By default, all collected Event Log data will be written to the Forwarded Events event log. You can forward data to other logs by configuring the properties of the subscription. Even though you use a filter to retrieve only specific events from source computers and place them in the destination log, you can still create and apply a custom view to data that is located in the destination log. You could create a custom view for each source computer, which would allow you to quickly limit events to that computer rather than viewing data from all source computers at the same time.
You configure source computer initiated subscriptions through the application of Group Policy. To do this you must configure the collector computer in the same manner as you did in the previous steps. When configuring the subscription type, select Source Computer Initiated rather than Collector Initiated. To set up the source computers, apply a GPO where you have configured the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding node and configure the Server Address, Refresh Interval, And Issuer Certificate policy with the details of the collector computer, as shown in Figure 7-10.
■ Auditing enhancements: You can use the new Directory Service Changes audit policy subcategory when auditing Windows Server 2008 AD DS. This lets you log old and new values when changes are made to AD DS objects and their attributes. You can also use this new feature when auditing Active Directory Lightweight Directory Services (AD LDS).
Planning AD DS Auditing
In Windows Server 2008, the global audit policy Audit Directory Service Access is enabled by default. This policy controls whether auditing for directory service events is enabled or disabled. If you configure this policy setting by modifying the Default Domain Controllers Policy, you can specify whether to audit successes, audit failures, or not audit at all. You can control what operations to audit by modifying the System Access Control List (SACL) on an object. You can set a SACL on an AD DS object on the Security tab in that object's Properties dialog box.
As an administrator one of your tasks is to configure audit policy. Enabling success or failure auditing is a straightforward procedure. Deciding which objects to audit; whether to audit success, failure or both; and whether to record new and old values if changes are made is much more difficult. Auditing everything is never an option—too much information is as bad as too little. You need to be selective. In Windows 2000 Server and Windows Server 2003, you could specify only whether DS access was audited. Windows Server 2008 gives you more granular control. You can audit the following:
■ DS access
■ DS changes (old and new values)
■ DS replication
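Putting the two halves of answer A together, the following PowerShell is an added example (not from the training kit) that turns on the Directory Service Changes subcategory on a domain controller, sets a SACL on an OU so that object changes are recorded with old and new values, and registers a source-initiated subscription on the collector. The OU, collector name and file path are assumptions.

```powershell
# Added example: AD DS change auditing on the source side and a source-initiated
# Event Forwarding subscription on the collector. Run each function on the
# computer named in its comment, with administrative rights.
Import-Module ActiveDirectory

function Enable-AdDsChangeAuditing {
    # Run on a domain controller (or push the audit policy through the
    # Default Domain Controllers Policy). Returns the number of audit entries on the OU.
    param([Parameter(Mandatory=$true)][string]$OuDistinguishedName)

    # Granular subcategory from the text: "DS changes (old and new values)"
    auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null

    # Object-level SACL: successful writes, creates and deletes by anyone (S-1-1-0 = Everyone),
    # inherited by every object under the OU, so events 5136-5139 and 5141 are generated
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete, WriteDacl'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
    return (Get-Acl -Path "AD:\$OuDistinguishedName" -Audit).Audit.Count
}

function New-AdDsChangeSubscription {
    # Run on the collector. Domain controllers must then be pointed at it with the GPO
    # Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding,
    # setting "Configure target Subscription Manager" to
    #   Server=http://<collector FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=60
    # and have WinRM listening (winrm quickconfig).
    param([string]$SubscriptionId = 'ADDS-Changes',
          [string]$XmlPath = "$env:TEMP\ADDS-Changes.xml")

    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>AD DS object changes from all domain controllers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=5136 or EventID=5137 or EventID=5138 or EventID=5139 or EventID=5141)]]</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
    # DD in the SDDL above is the Domain Controllers group: only DCs may forward to this subscription
    Set-Content -Path $XmlPath -Value $xml -Encoding ASCII
    wecutil.exe qc /q | Out-Null          # enable and start the Windows Event Collector service
    wecutil.exe cs $XmlPath | Out-Null    # create the subscription from the XML definition
    return ($LASTEXITCODE -eq 0)
}

# Assumed OU distinguished name; run on a domain controller
Enable-AdDsChangeAuditing -OuDistinguishedName 'OU=Servers,DC=corp,DC=example'
# Run on the collector
New-AdDsChangeSubscription
```

Once the domain controllers have applied the GPO, the 513x events appear in the collector's Forwarded Events log, where the custom views the text describes can be applied per source computer.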

Question 40

Your network contains a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are 1,000 client computers that run Windows 7 and that are connected to managed switches. You need to recommend a strategy for network access that meets the following requirements:
·Users are unable to bypass network access restrictions.
·Only client computers that have up-to-date service packs installed can access the network.
·Only client computers that have up-to-date antimalware software installed can access the network.
What should you recommend?

A. Implement Network Access Protection (NAP) that uses DHCP enforcement.
B. Implement Network Access Protection (NAP) that uses 802.1x enforcement.
C. Implement a Network Policy Server (NPS), and enable IPsec on the domain controllers.
D. Implement a Network Policy Server (NPS), and enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed switches.

Answer: B

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
■ Integration with network access protection (NAP): System Center Configuration Manager 2007 lets your organization enforce compliance of software updates on client computers. This helps protect the integrity of the corporate network through integration with the Microsoft Windows Server 2008 NAP policy enforcement platform. NAP policies enable you to define which software updates to include in your system health requirements. If a client computer attempts to access your network, NAP and System Center Configuration Manager 2007 work together to determine the client's health state compliance and determine whether the client is granted full or restricted network access. If the client is noncompliant, System Center Configuration Manager 2007 can deliver the necessary software updates so that the client can meet system health requirements and be granted full network access.
■ Restrict network access: System Center Configuration Manager 2007 NAP enables you to include software updates in your system health requirements. NAP policies define which software updates need to be included, and the System Center Configuration Manager 2007 System Health Validator point passes the client's compliant or noncompliant health state to the Network Policy Server, which determines whether to grant the client full or restricted network access. Noncompliant clients can be automatically brought into compliance through remediation. This requires the System Center Configuration Manager 2007 software updates feature to be configured and operational.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAP enforces limited network access. This is done through an Enforcement Client (EC). Windows Vista, Windows XP Service Pack 3, and Windows Server 2008 include NAP EC support for IPsec, IEEE 802.1X, Remote Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also support NAP enforcement for Terminal Server Gateway connections.
NAP enforcement methods can either be used individually or can be used in conjunction with each other to limit the network access of computers that are found not to be in compliance with configured health policies. Hence you can apply the remote access VPN and IPsec enforcement methods to ensure that internal clients and clients coming in from the Internet are only granted access to resources if they meet the appropriate client health benchmarks.
802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 Wireless Access Points. These compliant switches and access points only grant unlimited network access to computers that meet the compliance requirement. Computers that do not meet the compliance requirement are limited in their communication by a restricted access profile. Restricted access profiles work by applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that have the restricted access profile are allowed only limited network communication. This limited network communication generally allows access to remediation servers. You will learn more about remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is constantly assessed. Connected clients that become noncompliant will automatically be placed under the restricted access profile. Clients under the restricted access profile that become compliant will have that profile removed and will be able to communicate with other hosts on the network in an unrestricted manner. For example, suppose that a new antivirus update comes out. Clients that have not installed the update are put under a restricted access profile until the new update is installed. Once the new update is installed, the clients are returned to full network access.
A Windows Server 2008 computer with the Network Policy Server role is necessary to support 802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware that is 802.1X-compliant. Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service Pack 3 because these operating systems include the EAPHost EC.
MORE INFO 802.1X enforcement step-by-step
For more detailed information on implementing 802.1X NAP enforcement, consult the following Step-by-Step guide on TechNet: http://go.microsoft.com/fwlink/?LinkId=86036.

Questoos 41

Your network consists of a sinile Acave Directory domain. All domain controllers run Windows Server 2008 R2. The
network contains 100 servers and 5,000 client computers. The client computers run either Windows XP Service Pack 1
or Windows 7.
You need to plan a VPN soluaon that meets the followini requirements:
·Stores VPN passwords as encrypted text
·Supports Suite B cryptoiraphic aliorithms
·Supports automaac enrollment of cerafcates
·Supports client computers that are confiured as members of a workiroup
What should you include in your plan?

A. Upirade the client computers to Windows XP Service Pack 3. Implement a standalone cerafcaaon authority (CA).
Implement an IPsec VPN that uses cerafcate based authenacaaon.
B. Upirade the client computers to Windows XP Service Pack 3. Implement an enterprise cerafcaaon authority (CA)
that is based on Windows Server?2008 R2. Implement an IPsec VPN that uses Kerberos authenacaaon.
C. Upirade the client computers to Windows 7. Implement an enterprise cerafcaaon authority (CA) that is based on
Windows Server 2008 R2. Implement an IPsec VPN that uses preshared keys.
D. Upirade the client computers to Windows 7. Implement an enterprise cerafcaaon authority (CA) that is based on
Windows Server 2008 R2. Implement an IPsec VPN that uses cerafcate based authenacaaon.

________________________________________________________________________________________________

www.Certificationking.com
Page No | 57

Answer: D

Explanation:
This is as close as I could get to an answer to this.
In essence, Enterprise CAs are fully integrated into a Windows Server 2008 environment. This type of CA makes the issuing and management of certificates for Active Directory clients as simple as possible.
Standalone CAs do not require Active Directory. When certificate requests are submitted to Standalone CAs, the requestor must provide all relevant identifying information and manually specify the type of certificate needed. This process occurs automatically with an Enterprise CA. By default, Standalone CA requests require administrator approval. Administrator intervention is necessary because there is no automated method of verifying a requestor's credentials. Standalone CAs do not use certificate templates, limiting the ability for administrators to customize certificates for specific organizational needs.
■ L2TP/IPsec: L2TP connections use encryption provided by IPsec. L2TP/IPsec is the protocol that you need to deploy if you are supporting Windows XP remote access clients, because these clients cannot use SSTP. L2TP/IPsec provides per-packet data origin authentication, data integrity, replay protection, and data confidentiality.
L2TP/IPsec connections use two levels of authentication. Computer-level authentication occurs either using digital certificates issued by a CA trusted by the client and VPN server or through the deployment of pre-shared keys. PPP authentication protocols are then used for user-level authentication. L2TP/IPsec supports all of the VPN authentication protocols available on Windows Server 2008.
Supports Suite B cryptographic algorithms
When using the Certificate Templates console, note that you cannot configure the autoenrollment permission for a level 1 certificate template. Level 1 certificates have Windows 2000 as their minimum supported CA. Level 2 certificate templates have Windows Server 2003 as a minimum supported CA. Level 2 certificate templates are also the minimum level of certificate template that supports autoenrollment. Level 3 certificate templates are supported only by client computers running Windows Server 2008 or Windows Vista. Level 3 certificate templates allow administrators to configure advanced Suite B cryptographic settings. These settings are not required to allow certificate autoenrollment and most administrators find level 2 certificate templates are adequate for their organizational needs.
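The template "levels" above correspond to the msPKI-Template-Schema-Version attribute of each template object in the Configuration partition (1 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008), and autoenrollment additionally requires an Allow ACE for the Autoenroll extended right (and the Enroll right) on the template. The following PowerShell audit is an added example, not part of the exam guide; it assumes the RSAT ActiveDirectory module is available and reads the Configuration partition as a normal domain user.

```powershell
# Added example (not from the exam guide): report which certificate templates can be
# autoenrolled (schema version >= 2), which support Suite B settings (version >= 3),
# and which principals hold the Autoenroll / Enroll extended rights on each template.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs defined in the AD schema for certificate templates.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, 'msPKI-Template-Schema-Version'

function Get-RightHolders($acl, [guid]$right) {
    # Principals with an Allow ACE for the given extended right on this template.
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.ActiveDirectoryRights -match 'ExtendedRight') -and
                       $_.ObjectType -eq $right } |
        ForEach-Object { $_.IdentityReference.Value }
}

$report = foreach ($t in $templates) {
    $version = [int]$t.'msPKI-Template-Schema-Version'
    $acl     = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    New-Object PSObject -Property @{
        Template      = $t.displayName
        SchemaVersion = $version
        CanAutoenroll = ($version -ge 2)     # level 1 templates cannot carry the Autoenroll permission
        SuiteBCapable = ($version -ge 3)     # level 3 = Windows Server 2008 / Vista, CNG and Suite B settings
        Enroll        = ((Get-RightHolders $acl $EnrollRight)     -join '; ')
        Autoenroll    = ((Get-RightHolders $acl $AutoenrollRight) -join '; ')
    }
}

$report | Sort-Object SchemaVersion, Template |
    Format-Table Template, SchemaVersion, CanAutoenroll, SuiteBCapable, Autoenroll -AutoSize
```

A template that shows CanAutoenroll = True but an empty Autoenroll column will never be issued automatically, which is the usual reason an "automatic enrollment" requirement is not met in practice; conversely, a broad group (such as Domain Users) with Autoenroll on a template that permits subject name supply is worth a second look.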

Question 42

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. All servers run Windows Server 2008 R2. All client computers run Windows 7. You need to generate a monthly report on the status of software updates for the client computers. Your solution must meet the following requirements:
• Display all of the operating system updates that installed successfully
• Display all of the Microsoft Application updates that installed successfully
• Display all of the operating system updates that failed to install
• Display all of the Microsoft Application updates that failed to install
• Minimize administrative effort
• Minimize costs
What should you do?

A. Install Microsoft System Center Essentials (Essentials) 2007. Deploy management agents on all client computers.
B. Install Microsoft System Center Configuration Manager (SysMgr) 2007. Deploy management agents on all client computers.
C. Install Windows Server Update Services (WSUS) 3.0 SP2. Configure Windows Update by using a Group Policy object (GPO).
D. Deploy Microsoft Baseline Security Analyzer (MBSA) 2.1 on the client computers. Run MBSA on each client computer, and save the report to a shared folder on the network.

Answer: C

Explanation:
http://technet.microsoft.com/en-us/library/dd939886%28WS.10%29.aspx
What's new in this release?
• Integration with Windows Server® 2008 R2
• Support for the BranchCache® feature in Windows Server 2008 R2
• Support for Windows® 7 client computers
New features
• Automatic approval rules include the ability to specify the approval deadline date and time for all computers or for specific computer groups.
• Improved handling of language selection for downstream servers includes a new warning dialog that appears when you decide to download updates only for specified languages.
• New Update and Computer Status reports let you filter updates that are approved for installation. You can run these reports from the WSUS administration console or use the application programming interface (API) to incorporate this functionality into your own reports.
Windows Update Agent improvements
• Client computer scan time is faster than previous versions.
• Computers that are managed by WSUS servers can now run "scoped" scans against those servers, instead of performing a full scan. This results in faster scans for applications that use Microsoft Update APIs such as Windows Defender.
• User experience improvements help users organize updates and provide greater clarity on update value and behavior.
• Imaged computers are more clearly displayed in the WSUS administration console.
For more information, see article 903262 in the Microsoft Knowledge Base.
• Prevents APIs that are called by non-local system callers in a non-interactive session from failing.
• Prevents error code 0x80070057 when you try to install 80 or more updates at the same time from the Windows Update Web page or from the Microsoft Update Web page.
• Improves scan times for Windows Update
• Improves the speed at which signature updates are delivered
• Enables support for Windows Installer reinstallation functionality
• Improves error messaging
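The "use the API to incorporate this functionality into your own reports" point is the one that satisfies the four report requirements with no extra product. The script below is an added example, not from the exam guide or Microsoft's documentation: it uses the WSUS 3.0 administration API (Microsoft.UpdateServices.Administration) to produce the four buckets the question lists. It assumes it runs on the WSUS server itself (default port) and treats a product title containing "Windows" as an operating system update and everything else as a Microsoft application update; that classification rule is an assumption, not a WSUS attribute.

```powershell
# Added example (not from the exam guide): monthly WSUS status report built from the
# WSUS administration API. Requires the WSUS administration console / API assemblies
# on the machine; run as a WSUS administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # local server, default port

$rows = foreach ($computer in $wsus.GetComputerTargets()) {
    foreach ($info in $computer.GetUpdateInstallationInfoPerUpdate()) {
        # UpdateInstallationState: Unknown, NotApplicable, NotInstalled, Downloaded,
        # Installed, InstalledPendingReboot, Failed. The report wants Installed and Failed.
        $state = $info.UpdateInstallationState.ToString()
        if (('Installed', 'Failed') -notcontains $state) { continue }

        $update = $info.GetUpdate()
        # Assumption: product titles containing "Windows" = operating system update,
        # anything else (Office, SQL Server, Exchange, ...) = Microsoft application update.
        $isOS = @($update.ProductTitles | Where-Object { $_ -like '*Windows*' }).Count -gt 0
        if ($isOS) { $category = 'Operating system' } else { $category = 'Microsoft application' }

        New-Object PSObject -Property @{
            Computer = $computer.FullDomainName
            Category = $category
            Result   = $state
            Update   = $update.Title
            KB       = (@($update.KnowledgebaseArticles) -join ',')
            Reported = $computer.LastReportedStatusTime
        }
    }
}

# One line per (category, result) bucket, then the detail file for the month.
$rows | Group-Object Category, Result | Select-Object Name, Count | Format-Table -AutoSize
$rows | Select-Object Computer, Category, Result, KB, Update, Reported |
    Export-Csv -NoTypeInformation -Path ("WSUS-Status-{0:yyyy-MM}.csv" -f (Get-Date))
```

Schedule it with Task Scheduler once a month. With thousands of clients, GetUpdateInstallationInfoPerUpdate() per computer is the slow part; restricting the query with an UpdateScope (approved updates only) is the usual way to keep the run short.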

Question 43

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. Your company and an external partner plan to collaborate on a project. The external partner has an Active Directory domain that contains Windows Server 2008 R2 domain controllers. You need to design a collaboration solution that meets the following requirements:
• Allows users to prevent sensitive documents from being forwarded to untrusted recipients or from being printed.
• Allows users in the external partner organization to access the protected content to which they have been granted rights.
• Sends all interorganizational traffic over port 443.
• Minimizes the administrative effort required to manage the external users.
What should you include in your design?

A. Establish a federated trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that has Microsoft SharePoint Foundation 2010 installed.
B. Establish a federated trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that runs Microsoft SharePoint 2010 and that has the Active Directory Rights Management Services (AD RMS) role installed.
C. Establish an external forest trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that has the Active Directory Certificate Services server role installed. Implement Encrypting File System (EFS).
D. Establish an external forest trust between your company and the external partner. Deploy a Windows Server 2008 R2 server that has the Active Directory Rights Management Service (AD RMS) role installed and Microsoft SharePoint Foundation 2010 installed.

Answer: B

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Active Directory Federation Services
You can create forest trusts between two or more Windows Server 2008 forests (or Windows Server 2008 and Windows Server 2003 forests). This provides cross-forest access to resources that are located in disparate business units or organizations. However, forest trusts are sometimes not the best option, such as when access across organizations needs to be limited to a small subset of individuals. Active Directory Federation Services (AD FS) enables organizations to allow limited access to their infrastructure to trusted partners. AD FS acts like a cross-forest trust that operates over the Internet and extends the trust relationship to Web applications (a federated trust). It provides Web single-sign-on (SSO) technologies that can authenticate a user over the life of a single online session. AD FS securely shares digital identity and entitlement rights (known as claims) across security and enterprise boundaries.
Windows Server 2003 R2 introduced AD FS and Windows Server 2008 expands it. New AD FS features introduced in Windows Server 2008 include the following:
■ Improved application support: Windows Server 2008 integrates AD FS with Microsoft Office SharePoint Server 2007 and Active Directory Rights Management Services (AD RMS).
■ Improved installation: AD FS is implemented in Windows Server 2008 as a server role. The installation wizard includes new server validation checks.
■ Improved trust policy: Improvements to the trust policy import and export functionality help to minimize configuration issues that are commonly associated with establishing federated trusts.
AD FS extends SSO functionality to Internet-facing applications. Partners experience the same streamlined SSO user experience when they access the organization's Web-based applications as they would when accessing resources through a forest trust. Federation servers can be deployed to facilitate business-to-business (B2B) federated transactions.
AD FS provides a federated identity management solution that interoperates with other security products by conforming to the Web Services Federation (WS-Federation) specification. This specification makes it possible for environments that do not use Windows to federate with Windows environments. It also provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication. AD FS can perform claim mapping, for example modifying claims using business logic variables in an access request. Organizations can modify AD FS to coexist with their current security infrastructure and business policies.
Finally, AD FS supports distributed authentication and authorization over the Internet. You can integrate it into an organization's existing access management solution to translate the claims that are used in the organization into claims that are agreed on as part of a federation. AD FS can create, secure, and verify claims that move between organizations. It can also audit and monitor the communication activity between organizations and departments to help ensure secure transactions.

Question 44

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are five Windows Server 2003 SP2 servers that have the Terminal Server component installed. A firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. You need to create a remote access strategy for the
Remote Desktop Services servers that meets the following requirements:
• Restricts access to specific users
• Minimizes the number of open ports on the firewall
• Encrypts all remote connections to the Remote Desktop Services servers
What should you do?

A. Implement SSL bridging on the ISA Server. Require authentication on all inbound connections to the ISA Server.
B. Implement port forwarding on the ISA Server. Require authentication on all inbound connections to the ISA Server.
C. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop resource authorization policy (RD RAP).
D. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop connection authorization policy (RD CAP).

Answer: D

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Terminal Services Gateway
TS Gateway allows Internet clients secure, encrypted access to Terminal Servers behind your organization's firewall without having to deploy a Virtual Private Network (VPN) solution. This means that you can have users interacting with their corporate desktop or applications from the comfort of their homes without the problems that occur when VPNs are configured to run over multiple Network Address Translation (NAT) gateways and the firewalls of multiple vendors.
TS Gateway works using RDP over Secure Hypertext Transfer Protocol (HTTPS), which is the same protocol used by Microsoft Office Outlook 2007 to access corporate Exchange Server 2007 Client Access Servers over the Internet. TS Gateway Servers can be configured with connection authorization policies and resource authorization policies as a way of differentiating access to Terminal Servers and network resources.
Connection authorization policies allow access based on a set of conditions specified by the administrator; resource authorization policies grant access to specific Terminal Server resources based on user account properties.
Connection Authorization Policies
Terminal Services connection authorization policies (TS-CAPs) specify which users are allowed to connect through the TS Gateway Server to resources located on your organization's internal network. This is usually done by specifying a local group on the TS Gateway Server or a group within Active Directory. Groups can include user or computer accounts. You can also use TS-CAPs to specify whether remote clients use password or smart-card authentication to access internal network resources through the TS Gateway Server. You can use TS-CAPs in conjunction with NAP; this scenario is covered in more detail by the next lesson.

Question 45

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are five Windows Server 2003 SP2 servers that have the Terminal Server component installed. A firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. You plan to give remote users access to the Remote Desktop Services servers. You need to create a remote access strategy for the Remote Desktop Services servers that meets the following requirements:
· Restricts access to specific Remote Desktop Services servers
· Encrypts all connections to the Remote Desktop Services servers
· Minimizes the number of open ports on the firewall server
What should you do?

A. Implement SSL bridging on the ISA Server. Require authentication on all inbound connections to the ISA Server.
B. Implement port forwarding on the ISA Server. Require authentication on all inbound connections to the ISA Server.
C. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop resource authorization policy (RD RAP).
D. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop connection authorization policy (RD CAP).

Answer: C

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Terminal Services Gateway
TS Gateway allows Internet clients secure, encrypted access to Terminal Servers behind your organization's firewall without having to deploy a Virtual Private Network (VPN) solution. This means that you can have users interacting with their corporate desktop or applications from the comfort of their homes without the problems that occur when VPNs are configured to run over multiple Network Address Translation (NAT) gateways and the firewalls of multiple vendors.
TS Gateway works using RDP over Secure Hypertext Transfer Protocol (HTTPS), which is the same protocol used by Microsoft Office Outlook 2007 to access corporate Exchange Server 2007 Client Access Servers over the Internet. TS Gateway Servers can be configured with connection authorization policies and resource authorization policies as a way of differentiating access to Terminal Servers and network resources.
Connection authorization policies allow access based on a set of conditions specified by the administrator; resource authorization policies grant access to specific Terminal Server resources based on user account properties.
Resource Authorization Policies
Terminal Services resource authorization policies (TS-RAPs) are used to determine the specific resources on an organization's network that an incoming TS Gateway client can connect to. When you create a TS-RAP you specify a group of computers that you want to grant access to and the group of users that you will allow this access to. For example, you could create a group of computers called AccountsComputers that will be accessible to members of the Accountants user group. To be granted access to internal resources, a remote user must meet the conditions of at least one TS-CAP and at least one TS-RAP.
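Because a connection succeeds only when a user matches at least one CAP (Question 44: who may connect, and how they authenticate) and at least one RAP (this question: which internal computers they may reach), the two policy sets are best reviewed together. The following script is an added example, not from the training kit; it reads both policy types through the gateway's WMI provider (namespace root\CIMV2\TerminalServices, classes Win32_TSGatewayConnectionAuthorizationPolicy and Win32_TSGatewayResourceAuthorizationPolicy) and flags policies that are broader than the requirements call for. The property names used are the ones the provider exposes on Windows Server 2008 R2 as far as I know them; the Get-Member line at the top confirms them on your build.

```powershell
# Added example (not from the training kit): audit RD Gateway / TS Gateway CAPs and RAPs.
# Run locally on the gateway as an administrator.
$ns = 'root\CIMV2\TerminalServices'
# Confirm property names on your build before relying on the columns below:
#   Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy | Get-Member

$caps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayConnectionAuthorizationPolicy)
$raps = @(Get-WmiObject -Namespace $ns -Class Win32_TSGatewayResourceAuthorizationPolicy)

'=== Connection authorization policies (RD CAP: which users, which credential type) ==='
$caps | Select-Object Name, Enabled, UserGroupNames, PasswordAllowed, SmartcardAllowed | Format-Table -AutoSize

'=== Resource authorization policies (RD RAP: which users may reach which computers) ==='
# ResourceGroupType: RG = gateway-managed computer group, CG = AD group, ALL = any resource
$raps | Select-Object Name, Enabled, UserGroupNames, ResourceGroupType, ResourceGroupName | Format-Table -AutoSize

# Checks that map to the exam's requirements:
#  - "Restricts access to specific users"   -> no CAP should name a catch-all group
#  - "Restricts access to specific servers" -> no RAP should use ResourceGroupType ALL
$broad = 'Domain Users', 'Authenticated Users', 'Everyone'
foreach ($p in ($caps + $raps)) {
    if (-not $p.Enabled) { continue }
    $groups = @($p.UserGroupNames)
    $hit = $groups | Where-Object { $g = $_; @($broad | Where-Object { $g -like "*$_*" }).Count -gt 0 }
    if ($hit) {
        Write-Warning ("{0} '{1}' grants access to a broad group: {2}" -f $p.__CLASS, $p.Name, ($groups -join ', '))
    }
    if ($p.__CLASS -eq 'Win32_TSGatewayResourceAuthorizationPolicy' -and $p.ResourceGroupType -eq 'ALL') {
        Write-Warning ("RAP '{0}' allows connections to any network resource" -f $p.Name)
    }
}
if ($caps.Count -eq 0 -or $raps.Count -eq 0) {
    Write-Warning 'No enabled CAP or no RAP: nobody can connect through this gateway.'
}
```

The last check is the practical consequence of the "at least one TS-CAP and at least one TS-RAP" rule: a gateway with policies of only one type will reject every client, which is the first thing to look for when RD Gateway connections fail after the role is installed.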

Question 46

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are five servers that run Windows Server 2003 SP2. The Windows Server 2003 SP2 servers have the Terminal Server component installed. A firewall server runs Microsoft Internet Security and Acceleration (ISA) Server 2006. All client computers run Windows 7. You plan to give remote users access to the Remote Desktop Services servers. You need to create a remote access strategy for the Remote Desktop Services servers that meets the following requirements:
• Minimizes the number of open ports on the firewall server
• Encrypts all remote connections to the Remote Desktop Services servers
• Prevents network access to client computers that have Windows Firewall disabled
What should you do?

A. Implement port forwarding on the ISA Server. Implement Network Access Quarantine Control on the ISA Server.
B. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and implement Network Access Protection (NAP).
C. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server, implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop connection authorization policy (RD CAP).
D. Upgrade a Windows Server 2003 SP2 server to Windows Server 2008 R2. On the Windows Server 2008 R2 server,
implement the Remote Desktop Gateway (RD Gateway) role service, and configure a Remote Desktop resource authorization policy (RD RAP).

Answer: B

Explanation:
Terminal Services Gateway
TS Gateway allows Internet clients secure, encrypted access to Terminal Servers behind your organization's firewall without having to deploy a Virtual Private Network (VPN) solution. This means that you can have users interacting with their corporate desktop or applications from the comfort of their homes without the problems that occur when VPNs are configured to run over multiple Network Address Translation (NAT) gateways and the firewalls of multiple vendors.
TS Gateway works using RDP over Secure Hypertext Transfer Protocol (HTTPS), which is the same protocol used by Microsoft Office Outlook 2007 to access corporate Exchange Server 2007 Client Access Servers over the Internet. TS Gateway Servers can be configured with connection authorization policies and resource authorization policies as a way of differentiating access to Terminal Servers and network resources.
Connection authorization policies allow access based on a set of conditions specified by the administrator; resource authorization policies grant access to specific Terminal Server resources based on user account properties.
Network Access Protection
You deploy Network Access Protection on your network as a method of ensuring that computers accessing important resources meet certain client health benchmarks. These benchmarks include (but are not limited to) having the most recent updates applied, having antivirus and anti-spyware software up to date, and having important security technologies such as Windows Firewall configured and functional. In this lesson, you will learn how to plan and deploy an appropriate network access protection infrastructure and enforcement method for your organization.

Question 47

Your network consists of a single Active Directory domain. Your network contains 10 servers and 500 client computers. All domain controllers run Windows Server 2008 R2. A Windows Server 2008 R2 server has Remote Desktop Services installed. All client computers run Windows XP Service Pack 3. You plan to deploy a new line of business Application. The Application requires desktop themes to be enabled. You need to recommend a deployment strategy that meets the following requirements:
• Only authorized users must be allowed to access the Application.
• Authorized users must be able to access the Application from any client computer.
• Your strategy must minimize changes to the client computers.
• Your strategy must minimize software costs.
What should you recommend?

A. Migrate all client computers to Windows 7. Deploy the Application to all client computers by using a Group Policy object (GPO).
B. Migrate all client computers to Windows 7. Deploy the Application to the authorized users by using a Group Policy object (GPO).
C. Deploy the Remote Desktop Connection (RDC) 7.0 software to the client computers. Install the Application on the Remote Desktop Services server. Implement Remote Desktop Connection Broker (RD Connection Broker).
D. Deploy the Remote Desktop Connection (RDC) 7.0 software to the client computers. Enable the Desktop Experience feature on the Remote Desktop Services server. Install the Application on the Remote Desktop Services server.

Answer: D

Explanation:
Desktop Experience
Configuring a Windows Server 2008 server as a terminal server lets you use Remote Desktop Connection 6.0 to connect to a remote computer from your administrator workstation and reproduces on your computer the desktop that exists on the remote computer. When you install Desktop Experience on Windows Server 2008, you can use Windows Vista features such as Windows Media Player, desktop themes, and photo management within the remote connection.

Question 48

Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2. All client computers run Windows 7. All user accounts are stored in an organizational unit (OU) named Staff. All client computer accounts are stored in an OU named Clients. You plan to deploy a new Application. You need to ensure that the Application deployment meets the following requirements:
• Users must access the Application from an icon on the Start menu.
• The Application must be available to remote users when they are offline.
What should you do?

A. Publish the Application to users in the Staff OU.
B. Publish the Application to users in the Clients OU.
C. Assign the Application to computers in the Staff OU.
D. Assign the Application to computers in the Clients OU.

Answer: D

Explanation:
http://www.youtube.com/watch?v=hQkRN96cKkM
Group policy objects can be applied either to users or to computers. Deploying applications through the Active Directory is also done through the use of group policies, and therefore applications are deployed either on a per user basis or on a per computer basis.
There are two different ways that you can deploy an application through the Active Directory. You can either publish the application or you can assign the application. You can only publish applications to users, but you can assign applications to either users or to computers. The application is deployed in a different manner depending on which of these methods you use.
Publishing an application doesn't actually install the application, but rather makes it available to users. For example, suppose that you were to publish Microsoft Office. Publishing is a group policy setting, so it would not take effect until the next time that the user logs in. When the user does log in though, they will not initially notice anything different. However, if the user were to open the Control Panel and click on the Add/Remove Programs option, they will find that Microsoft Office is now on the list. A user can then choose to install Microsoft Office on their machine.
One thing to keep in mind is that regardless of which deployment method you use, Windows does not perform any sort of software metering. Therefore, it will be up to you to make sure that you have enough licenses for the software that you are installing.
Assigning an application to a user works differently than publishing an application. Again, assigning an application is a group policy action, so the assignment won't take effect until the next time that the user logs in.
When the user does log in, they will see that the new application has been added to the Start menu and/or to the desktop.
Although a menu option or an icon for the application exists, the software hasn't actually been installed yet.
To avoid overwhelming the server containing the installation package, the software is not actually installed until the user attempts to use it for the first time.
This is also where the self-healing feature comes in. Whenever a user attempts to use the application, Windows always does a quick check to make sure that the application hasn't been damaged. If files or registry settings are missing, they are automatically replaced.
Assigning an application to a computer works similarly to assigning an application to a user. The main difference is that the assignment is linked to the computer rather than to the user, so it takes effect the next time that the computer is rebooted. Assigning an application to a computer also differs from user assignments in that the deployment process actually installs the application rather than just the application's icon. Because assigning installs the application the next time the computer reboots, the application is available at the next logon regardless of which user logs in. Also, because it is being assigned to a computer, the GPO needs to be linked to the Clients OU, as this is where the computer accounts are located.
Assigning software to a group.
http://support.microsoft.com/kb/324750
Create a folder to hold the Windows Installer package on a server. Share the folder by applying permissions that let users and computers read and run these files. Then, copy the MSI package files into this location.
From a Windows Server 2003-based computer in the domain, log on as a domain administrator, and then start Active Directory Users and Computers.
In Active Directory Users and Computers, right-click the container to which you want to link the GPOs, and then click Properties.
Click the Group Policy tab, and then click New to create a new GPO for installing the Windows Installer package. Give the new GPO a descriptive name.
Click the new GPO, and then click Edit.
The Group Policy Object Editor starts.
Right-click the Software Settings folder under either Computer Configuration or User Configuration, point to New, and then click Package.
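On Windows Server 2008 R2 the share and GPO steps of that procedure can be scripted with the GroupPolicy module (GPMC) instead of Active Directory Users and Computers; only the "New > Package" step has no cmdlet and is still done in the Group Policy Management Editor. The script below is an added example, not from the guide or KB 324750. It assumes a domain with an OU named Clients that holds the computer accounts (as in the question), a file server where it runs as a domain administrator, and the folder, share, package and GPO names shown, which are placeholders.

```powershell
# Added example (not from the exam guide): prepare the distribution share and the
# computer-linked GPO for a computer-assigned Windows Installer package.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$clientsOU = "OU=Clients,$domainDN"          # OU that holds the computer accounts (from the question)
$shareRoot = 'D:\Deploy\LobApp'              # assumed local folder that will hold the MSI
$shareName = 'LobApp$'                       # assumed (hidden) share name
$gpoName   = 'Deploy LOB Application (computer assigned)'   # assumed GPO name

# 1. Folder and share. A computer-assigned package is installed at boot by the Windows
#    Installer service running as the computer account, so Domain Computers (not only
#    users) must be able to read and execute the files on both the NTFS and share ACLs.
New-Item -ItemType Directory -Path $shareRoot -Force | Out-Null
icacls $shareRoot /inheritance:r `
    /grant:r 'Administrators:(OI)(CI)F' `
    "Domain Computers:(OI)(CI)RX" `
    "Authenticated Users:(OI)(CI)RX" | Out-Null
net share "$shareName=$shareRoot" `
    "/grant:Domain Computers,READ" `
    "/grant:Authenticated Users,READ" `
    "/grant:Administrators,FULL" | Out-Null
# Copy-Item -Path 'C:\Packages\LobApp.msi' -Destination $shareRoot    # put the MSI here

# 2. Create the GPO (if missing) and link it to the OU that contains the computers.
#    Linking it to the Staff (user) OU would have no effect on a computer assignment.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Computer-assigned LobApp.msi for the Clients OU'
}
New-GPLink -Name $gpoName -Target $clientsOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. The package entry (Computer Configuration > Policies > Software Settings >
#    Software installation > New > Package) is added in the Group Policy Management
#    Editor. Enter the UNC path, never a local path, so the clients can resolve it:
"Package path for the editor: \\$env:COMPUTERNAME\$shareName\LobApp.msi"

# 4. Verification: the report must list the package under Computer Configuration;
#    the assignment takes effect on the clients at their next restart.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\gpo-report.html"
```

The two points that most often break this deployment are exactly the ones the script encodes: the computer account, not the logged-on user, fetches the package, so a share that grants only Authenticated Users will fail with an installation error in the System log, and the GPO must be linked where the computer objects live.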

Question 49

Your network contains an Active Directory domain. The domain contains a Remote Desktop Services server that runs Windows Server 2008 R2. All client computers run Windows 7. You need to deploy a new line of business Application. The deployment must meet the following requirements:
• Users must have access to the Application from the company portal.
• Users must always have access to the latest version of the Application.
• You must minimize the number of Applications installed on the client computers.
What should you do?

A. Publish the Application to the users by using a Group Policy object (GPO).
B. Publish the Application as a RemoteApp. Enable Remote Desktop Web Access (RD Web Access).
C. Assign the Application to the client computers by using a Group Policy object (GPO).
D. Deploy the Application by using Microsoft System Center Configuration Manager (SCCM) 2007 R2.

Answer: B

Question 50

Your network consists of a single Active Directory domain. The domain contains a server that runs Windows Server 2008 R2 and that has the Remote Desktop Services server role installed. The server has six custom Applications installed. The custom Applications are configured as RemoteApps. You notice that when a user runs one of the Applications, other users report that the server seems slow and that some Applications become unresponsive. You need to ensure that active user sessions receive equal access to system resources. What should you do?

A. Implement Remote Desktop Web Access.
B. Implement Remote Desktop Connection Broker.
C. Configure Performance Monitor.
D. Implement Windows System Resource Manager.

Answer: D

Explanation:
http://technet.microsoft.com/en-us/library/cc771218%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc732553%28WS.10%29.aspx
Terminal Services and Windows System Resource Manager
Windows® System Resource Manager (WSRM) on Windows Server® 2008 allows you to control how CPU and memory resources are allocated to applications, services, and processes on the computer. Managing resources in this way improves system performance and reduces the chance that applications, services, or processes will take CPU or memory resources away from one another and slow down the performance of the computer. Managing resources also creates a more consistent and predictable experience for users of applications and services running on the computer.
You can use WSRM to manage multiple applications on a single computer or users on a computer on which Terminal Services is installed.
Resource-Allocation Policies
WSRM uses resource-allocation policies to determine how computer resources, such as CPU and memory, are allocated to processes running on the computer. There are two resource-allocation policies that are specifically designed for computers running Terminal Services. The two Terminal Services-specific resource-allocation policies are:
Equal_Per_User
Equal_Per_Session

Question 51

Your network contains an Active Directory domain. You have a server that runs Windows Server 2008 R2 and has the Remote Desktop Services server role enabled. All client computers run Windows 7. You need to plan the deployment of a new line of business Application to all client computers. The deployment must meet the following requirements:
• Users must access the Application from an icon on their desktops.
• Users must have access to the Application when they are not connected to the network.
What should you do?

A. Publish the Application as a RemoteApp.
B. Publish the Application by using Remote Desktop Web Access (RD Web Access).
C. Assign the Application to the Remote Desktop Services server by using a Group Policy object (GPO).
D. Assign the Application to all client computers by using a Group Policy object (GPO).

Answer: D

Questoos 52

Your network contains a sinile Acave Directory domain. You have 100 servers that run Windows Server 2008 R2 and
5,000 client computers that run Windows 7. You plan to deploy Applicaaons to the client computers. You need to
recommend an Applicaaon deployment strateiy that meets the followini requirements:
·Applicaaons must be deployed only to client computers that meet the minimum hardware requirements.
·Deployments must be scheduled to occur outside business hours.
·Detailed reports on the success or failure of the Applicaaon deployments must be provided.
What should you recommend?

A. Deploy applications by using Group Policy.
B. Implement Windows Server Update Services (WSUS).
C. Implement Microsoft System Center Operations Manager (SCOM) 2007 R2.
D. Implement Microsoft System Center Configuration Manager (SCCM) 2007 R2.

Answer: D

Explanation:
Configuration Manager covers all three requirements: hardware inventory lets you build collections of only those
computers that meet the minimum hardware requirements, advertisement schedules and maintenance windows confine the
deployment to non-business hours, and its reporting shows per-computer success or failure. Group Policy software
installation has no hardware targeting, scheduling or reporting, and WSUS and Operations Manager do not deploy
applications.
http://technet.microsoft.com/en-us/library/bb680651.aspx
Welcome to Microsoft System Center Configuration Manager 2007. Configuration Manager 2007 contributes to a
more effective Information Technology (IT) department by enabling secure and scalable operating system and
application deployment and desired configuration management, enhancing system security, and providing
comprehensive asset management of servers, desktops, and mobile devices.
Post-Setup Configuration Tasks
After Setup has run, there are still a few tasks you must perform to have a functioning Configuration Manager 2007
site. For example, you might need to assign new site system roles and install clients. For more information, see
Checklist for Required Post Setup Configuration Tasks.
Common Configuration Manager Tasks
For more information about how to do common Configuration Manager 2007 tasks, see the following topics.
• Planning and Deploying the Server Infrastructure for Configuration Manager 2007
• Planning and Deploying Clients for Configuration Manager 2007
• Collect hardware and software asset information
• Distribute software
• Deploy software updates
• Deploy operating systems
• Manage desired configurations
• Remotely administer a computer
• Restrict non-compliant computers from accessing the network
• Manage mobile devices like Smartphones and Pocket PCs

Question 53

Your company has a main office and two branch offices. Each office has a domain controller and file servers. Your
network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. You need to plan the
deployment of Distributed File System (DFS) to meet the following requirements:
• Ensure that users see only the folders to which they have access
• Ensure that users can access the data locally
• Minimize the bandwidth required to replicate data
What should you include in your plan?

A. Deploy a standalone DFS namespace. Enable access-based enumeration and use DFS Replication.
B. Deploy a standalone DFS namespace. Enable access-based enumeration and use File Replication Service (FRS).
C. Deploy a domain-based DFS namespace and use DFS Replication. Modify each share to be a hidden share.
D. Deploy a domain-based DFS namespace and use File Replication Service (FRS). Modify each share to be a hidden
share.

Answer: A

Explanation:
Hidden shares (a $ suffix on the share name) only keep a share out of browse lists; a user who connects to the
namespace still sees every folder in it, which is exactly what access-based enumeration prevents. FRS has no Remote
Differential Compression, so options B and D also fail the bandwidth requirement. That leaves A.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Distributed File System (DFS) DFS is considerably enhanced in Windows Server 2008. It consists of two technologies,
DFS Namespaces and DFS Replication, that you can use (together or independently) to provide fault-tolerant and
flexible file sharing and replication services.
DFS Namespaces lets you group shared folders on different servers (and in multiple sites) into one or more logically
structured namespaces. Users view each namespace as a single shared folder with a series of subfolders. The
underlying shared folder structure is hidden from users, and this structure provides fault tolerance and the ability to
automatically connect users to local shared folders, when available, instead of routing them over wide area network
(WAN) connections.
DFS Replication provides a multimaster replication engine that lets you synchronize folders on multiple servers across
local or WAN connections. It uses the Remote Differential Compression (RDC) protocol to transfer only the changed
portions of files that have changed since the last replication. You can use DFS Replication in conjunction with DFS
Namespaces or by itself.
This lesson summarizes DFS only very briefly as part of your planning considerations. Lesson 2 of this chapter
discusses the topic in much more depth.
Exam Tip: Previous Windows Server examinations have contained a high proportion of DFS questions. There is no
reason to believe 70-646 will be any different.
You can also use Share And Storage Management to view and modify the properties of a shared folder or volume,
including the local NTFS permissions and the network access permissions for that shared resource. To do this you
again select the shared resource on the Shares tab and select Properties in the Actions pane.
Figure 6-6 shows the Properties dialog box for the shared folder Public. The Permissions tab lets you specify share and
NTFS permissions. Clicking Advanced lets you configure user limits and caching and disable or enable access-based
enumeration (ABE). ABE is enabled by default and lets you hide files and folders from users who do not have access to
them.

Question 54

Your network consists of a single Active Directory domain. Users access and share documents by using a DFS
namespace. You need to recommend a solution to manage user access to documents. The solution must meet the
following requirements:
• Allow for document versioning
• Allow for online collaboration
What should you recommend?

A. File Server Resource Manager (FSRM)
B. Volume Shadow Copy Service (VSS)
C. Microsoft SharePoint Foundation 2010
D. Windows System Resource Manager (WSRM)

Answer: C

Explanation:
SharePoint document libraries keep a version history and support check-out/check-in for collaborative editing. FSRM
manages quotas and file screens, WSRM allocates CPU and memory, and VSS keeps point-in-time snapshots; none of
them provides collaboration.
http://www.plusconsulting.com/WhitePapers/SharePoint%202010%20Business%20Value%20WhitePaper.pdf

Question 55

Your network is configured as shown in the following diagram.

Each office contains a server that has the File Services server role installed. The servers have a shared folder named
Resources. You need to plan the data availability of the Resources folder. Your plan must meet the following
requirements:
• If a WAN link fails, the files in the Resources folder must be available in all of the offices.
• If a single server fails, the files in the Resources folder must be available in each of the branch offices, and the
users must be able to use existing drive mappings.
• Your plan must minimize network traffic over the WAN links.
What should you include in your plan?

A. a standalone DFS namespace that uses DFS Replication in a full mesh topology
B. a domain-based DFS namespace that uses DFS Replication in a full mesh topology
C. a standalone DFS namespace that uses DFS Replication in a hub and spoke topology
D. a domain-based DFS namespace that uses DFS Replication in a hub and spoke topology

Answer: D

Explanation:
A domain-based namespace is addressed as \\domain\namespace rather than by server name, so existing drive mappings
keep working when one namespace server fails; a standalone namespace lives on a single server and dies with it. When
the WAN itself is a hub and spoke (branch links terminating at the main office), a hub-and-spoke replication topology
sends each change across a link once, whereas full-mesh connections between branches would cross the main office's
links twice.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Distributed File System (DFS) DFS is considerably enhanced in Windows Server 2008. It consists of two technologies,
DFS Namespaces and DFS Replication, that you can use (together or independently) to provide fault-tolerant and
flexible file sharing and replication services.
DFS Namespaces lets you group shared folders on different servers (and in multiple sites) into one or more logically
structured namespaces. Users view each namespace as a single shared folder with a series of subfolders. The
underlying shared folder structure is hidden from users, and this structure provides fault tolerance and the ability to
automatically connect users to local shared folders, when available, instead of routing them over wide area network
(WAN) connections.
DFS Replication provides a multimaster replication engine that lets you synchronize folders on multiple servers across
local or WAN connections. It uses the Remote Differential Compression (RDC) protocol to transfer only the changed
portions of files that have changed since the last replication. You can use DFS Replication in conjunction with DFS
Namespaces or by itself.
Specifying the Replication Topology
The replication topology defines the logical connections that DFSR uses to replicate files among servers. When
choosing or changing a topology, remember that two one-way connections are created between the members you
choose, thus allowing data to flow in both directions. To create or change a replication topology in the DFS
Management console, right-click the replication group for which you want to define a new topology and then click
New Topology. The New Topology Wizard lets you choose one of the following options:
■ Hub And Spoke This topology requires three or more members. For each spoke member, you should choose a
required hub member and an optional second hub member for redundancy. This optional hub ensures that a spoke
member can still replicate if one of the hub members is unavailable. If you specify more than one hub member, the
hub members will have a full-mesh topology between them.
■ Full Mesh In this topology, every member replicates with all the other members of the replication group. This
topology works well when 10 or fewer members are in the replication group.

Question 56

Your network consists of a single Active Directory domain. The domain contains a file server named Server1 that runs
Windows Server 2008 R2. The file server contains a shared folder named UserDocs. Each user has a subfolder in
UserDocs that they use to store personal data. You need to design a data management solution that meets the
following requirements:
• Limits the storage space that is available to each user in UserDocs
• Sends a notification to the administrator if a user attempts to save multimedia files in UserDocs
• Minimizes administrative effort
What should you include in your design?

A. Configure NTFS quotas on UserDocs. Configure a task in Event Viewer to send an email notification.
B. Configure NTFS quotas on UserDocs. Schedule a script to monitor the contents of UserDocs and send an email
notification if a multimedia file is found.
C. Install the File Server Resource Manager (FSRM) role service on Server1. Configure event subscriptions.
D. Install the File Server Resource Manager (FSRM) role service on Server1. Configure hard quotas and file screening.

Answer: D

Explanation:
NTFS disk quotas are tracked per user per volume, not per folder, and know nothing about file types, so options A and
B cannot limit UserDocs specifically and need a home-grown script to catch multimedia files after the fact. FSRM quotas
apply to a folder path, an auto-apply template covers every existing and future user subfolder, and an active file screen
blocks the save and notifies the administrator at the moment it happens.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Creating Quotas
If the FSRM File Services server role is installed, you can use FSRM to create quotas. The Create Quota dialog box is
shown in Figure 6-13. Note that you will be unable to access this box if you have not installed the appropriate server
role, which you will do in the practice session later in this lesson.
Figure 6-13: The Create Quota dialog box
You specify a path to the volume or folder for which you want to create the quota and then specify whether you want
to create a quota only on that path or whether a template-based quota will be automatically generated and applied to
existing and new subfolders on the path of the parent volume or folder. To specify the latter action, select Auto Apply
Template And Create Quotas On Existing And New Subfolders. Typically you would select Derive Properties From This
Quota Template (Recommended) and select a template. You can, if you want, define custom quota properties, but this
is not recommended. You can select templates that specify the quota size that is allocated to each user and whether
the quota is hard or soft. A hard quota cannot be exceeded. A user can exceed a soft quota, but typically exceeding the
quota limit generates a report in addition to sending an e-mail notification and logging the event. Soft quotas are used
for monitoring. Quota templates include the following:
■ 100 MB Limit This is a hard quota. It e-mails the user and specified administrators if the 100 percent quota limit has
been reached and writes an event to the event log.
■ 200 MB Limit Reports to User This is a hard quota. It generates a report, sends e-mails, and writes an event to the
event log if the 100 percent quota limit has been reached.
■ 200 MB Limit with 50 MB Extension Technically this is a hard quota because it performs an action when the user
attempts to exceed the limit, rather than merely monitoring the exceeded limit. The action is to run a program that
applies the 250 MB Extended Limit template and effectively gives the user an additional 50 MB.
E-mails are sent and the event is logged when the limit is extended.
■ 250 MB Extended Limit The 250 MB limit cannot be exceeded. E-mails are sent and the event is logged when the
limit is reached.
■ Monitor 200 GB Volume Usage This is a soft quota that can be applied only to volumes. It is used for monitoring.
■ Monitor 50 MB Share Usage This is a soft quota that can be applied only to shares. It is used for monitoring.
Managing File Screens
You can use FSRM to create and manage file screens that control the types of files that users can save, and generate
notifications when users attempt to save unauthorized files. You can also define file screening templates that you can
apply to new volumes or folders and use across your organization.
FSRM also enables you to create file screening exceptions that extend the flexibility of the file screening rules.
You could, for example, ensure that users do not store music files in personal folders, but you could allow storage of
specific types of media files, such as training files that comply with company policy. You could also create an exception
that allows members of the senior management group to save any type of file they want to (provided they comply
with legal restrictions).
You can also configure your screening process to notify you by e-mail when an executable file is stored on a shared
folder. This notification can include information about the user who stored the file and the file's exact location.
Exam Tip: File screens are not specifically included on the objectives for the 70-646 examination. You should know
what they are, what they do, and that you can manage them from FSRM. You probably will not come across detailed
questions about file screen configuration.
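What answer D looks like when scripted, as an added example that is not from the training kit or from the exam. It uses the FileServerResourceManager PowerShell module that Microsoft shipped with Windows Server 2012 (on Windows Server 2008 R2 the same objects are created in the FSRM console or with dirquota.exe and filescrn.exe). The share path, SMTP host and mailbox names are assumptions; the file group "Audio and Video Files" and the bracketed variables such as [Admin Email] are FSRM's own.

```powershell
# Added example (not from the training kit): hard per-user quota on every
# subfolder of UserDocs plus an active file screen that mails the administrator
# when a multimedia file is dropped into the share.
# Requires the FileServerResourceManager module (Windows Server 2012 or later).
Import-Module FileServerResourceManager

$UserDocs   = 'D:\UserDocs'           # assumed share root; one subfolder per user
$SmtpServer = 'smtp.contoso.com'      # assumed
$AdminMail  = 'fsadmin@contoso.com'   # assumed; this is what [Admin Email] expands to

# FSRM sends nothing until it knows the SMTP server and the admin mailbox.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail `
    -FromEmailAddress 'fsrm@contoso.com'

# Actions are reusable objects; the bracketed names are FSRM macros.
$warnMail = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email],[Admin Email]' `
    -Subject 'Quota warning for [Quota Path]' `
    -Body 'You have used [Quota Used Percent]% of the [Quota Limit MB] MB allowed in [Quota Path].'
$fullEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] reached the hard limit on [Quota Path].'

# One template carries the limit and both thresholds. Leaving out -SoftLimit
# makes it a hard quota: the write that would cross 100 percent is refused.
$t85  = New-FsrmQuotaThreshold -Percentage 85  -Action $warnMail
$t100 = New-FsrmQuotaThreshold -Percentage 100 -Action $warnMail, $fullEvent
New-FsrmQuotaTemplate -Name 'UserDocs 200 MB' -Size 200MB -Threshold $t85, $t100 `
    -Description 'Hard per-user limit for personal folders' | Out-Null

# Auto-apply quota: existing subfolders get one now, new subfolders get one when
# they are created. That is the "minimize administrative effort" requirement.
New-FsrmAutoQuota -Path $UserDocs -Template 'UserDocs 200 MB' | Out-Null

# Active file screen (blocks the save) with a notification to the administrator.
# 'Audio and Video Files' is one of the file groups FSRM installs by default.
$screenMail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Blocked multimedia file under [File Screen Path]' `
    -Body 'User [Source Io Owner] tried to save [Source File Path] to [File Screen Path].'
New-FsrmFileScreen -Path $UserDocs -IncludeGroup 'Audio and Video Files' -Active `
    -Notification $screenMail -Description 'No multimedia in personal folders' | Out-Null

# Check the result: every user subfolder should now carry a hard quota, and the
# screen should report Active = True. A passive screen only logs, it does not block.
Get-FsrmQuota | Where-Object { $_.Path -like "$UserDocs\*" } |
    Select-Object Path, @{n='SizeMB';e={$_.Size/1MB}}, @{n='UsedMB';e={[int]($_.Usage/1MB)}}, SoftLimit
Get-FsrmFileScreen -Path $UserDocs | Select-Object Path, IncludeGroup, Active
```

A file screen matches on file name pattern only, so a user who renames movie.avi to movie.txt gets past it; treat the screen as a policy nudge with an audit trail, not as a security boundary.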

Question 57

Your company has two branch offices that connect by using a WAN link. Each office contains a server that runs
Windows Server 2008 R2 and that functions as a file server. Users in each office store data on the local file server.
Users have access to data from the other office. You need to plan a data access solution that meets the following
requirements:
• Folders that are stored on the file servers must be available to users in both offices.
• Network bandwidth usage between offices must be minimized.
• Users must be able to access all files in the event that a WAN link fails.
What should you include in your plan?

A. On both servers, implement DFS Replication.
B. On both servers, install and configure File Server Resource Manager (FSRM) and File Replication Service (FRS).
C. On one server, install and configure File Server Resource Manager (FSRM). On the other server, install and configure
File Replication Service (FRS).
D. On one server, install and configure Distributed File System (DFS). On the other server, install and configure the
Background Intelligent Transfer Service (BITS).

Answer: A

Explanation:
DFS Replication on its own meets all three requirements: each office keeps a complete local replica, so every file stays
readable when the WAN link is down, and RDC limits WAN traffic to the changed blocks of changed files. FRS has no
RDC, and FSRM and BITS do not replicate folders at all.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
DFS Replication provides a multimaster replication engine that lets you synchronize folders on multiple servers across
local or WAN connections. It uses the Remote Differential Compression (RDC) protocol to transfer only the changed
portions of files that have changed since the last replication. You can use DFS Replication in conjunction with DFS
Namespaces or by itself.
■ File Replication Service (FRS) The File Replication Service (FRS) enables you to synchronize folders with file servers
that use FRS. Where possible you should use the DFS Replication (DFSR) service. You should install FRS only if your
Windows Server 2008 server needs to synchronize folders with servers that use FRS with the Windows Server 2003 or
Windows 2000 Server implementations of DFS.
The main tool for implementing shared folder replication in a Windows Server 2008 network is DFS Replication.
Using DFS Namespaces to Plan and Implement a Shared Folder Structure and Enhance Data Availability
When you add the DFS Management role service to the Windows Server 2008 File Services server role, the DFS
Management console is available from the Administrative Tools menu or from within Server Manager. This console
provides the DFS Namespaces and DFS Replication tools as shown in Figure 6-31. DFS Namespaces lets you group
shared folders that are located on different servers into one or more logically structured namespaces. Each
namespace appears to users as a single shared folder with a series of subfolders.
This structure increases availability. You can use the efficient, multiple-master replication engine provided by DFSR to
replicate a DFS namespace within a site and across WAN links. A user connecting to files within the shared folder
structures contained in the DFS namespace will automatically connect to shared folders in the same AD DS site (when
available) rather than across a WAN. You can have several DFS namespace servers in a site and spread over several
sites, so if one server goes down, a user can still access files within the shared folder structure.
Because DFSR is multimaster, a change to a file in the DFS namespace on any DFS namespace server is quickly and
efficiently replicated to all other DFS namespace servers that hold that namespace. Note that DFSR replaces the File
Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL
folder in domains that use the Windows Server 2008 domain functional level. You can install FRS as part of the
Windows Server 2003 File Services role service, but you should use it only if you need to synchronize with servers
that use FRS with the Windows Server 2003 or Windows 2000 Server implementations of DFS.
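One script that builds what Questions 53, 55 and 57 ask for, added here as an example and not taken from the training kit or the exam: a domain-based namespace with access-based enumeration, folder targets in every office, and a DFS Replication group in hub-and-spoke topology with RDC left on. It uses the DFSN and DFSR PowerShell modules that Microsoft shipped with Windows Server 2012 and needs a management host of that version or later (the same objects are created in the DFS Management console, or with dfsutil.exe and dfsradmin.exe, on Windows Server 2008 R2). The domain, server, share and path names are assumptions.

```powershell
# Added example (not from the training kit): domain-based namespace with ABE,
# plus a hub-and-spoke DFS Replication group. Names below are assumptions.
Import-Module DFSN
Import-Module DFSR

$Domain = 'contoso.com'
$Hub    = 'FS-HQ'                 # main office file server
$Spokes = 'FS-BR1', 'FS-BR2'      # branch office file servers
$Share  = 'Resources'
$Local  = 'D:\Resources'          # same local path on every member (assumed)
$NsRoot = "\\$Domain\Public"      # what users map; no server name in it
$NsLink = "$NsRoot\$Share"
$Group  = 'RG-Resources'

# 1. Domain-based namespace in Windows Server 2008 mode, ABE on. A client that
#    opens \\contoso.com\Public\Resources gets the folder targets sorted by site
#    cost and fails over to another target if its preferred server is down.
New-DfsnRoot -Path $NsRoot -TargetPath "\\$Hub\Public" -Type DomainV2 `
    -EnableAccessBasedEnumeration $true -EnableSiteCosting $true | Out-Null
New-DfsnFolder -Path $NsLink -TargetPath "\\$Hub\$Share" | Out-Null
foreach ($s in $Spokes) {
    New-DfsnFolderTarget -Path $NsLink -TargetPath "\\$s\$Share" | Out-Null
}

# 2. Replication group with one replicated folder and all three members.
New-DfsReplicationGroup -GroupName $Group -DomainName $Domain | Out-Null
Add-DfsrMember -GroupName $Group -ComputerName (@($Hub) + $Spokes) | Out-Null
New-DfsReplicatedFolder -GroupName $Group -FolderName $Share | Out-Null

# 3. Hub-and-spoke: each spoke is connected to the hub only. Add-DfsrConnection
#    creates the pair of one-way connections the training kit describes, and RDC
#    is on by default for both of them. No spoke-to-spoke connection is created.
foreach ($s in $Spokes) {
    Add-DfsrConnection -GroupName $Group -SourceComputerName $Hub -DestinationComputerName $s | Out-Null
}

# 4. Membership: the hub is the primary member, so its content wins the initial
#    sync; pre-existing files on the spokes are moved to PreExisting, not merged.
Set-DfsrMembership -GroupName $Group -FolderName $Share -ComputerName $Hub `
    -ContentPath $Local -PrimaryMember $true -Force | Out-Null
foreach ($s in $Spokes) {
    Set-DfsrMembership -GroupName $Group -FolderName $Share -ComputerName $s `
        -ContentPath $Local -Force | Out-Null
}

# 5. Checks: ABE really on, and the connection list shows only hub<->spoke pairs.
$root = Get-DfsnRoot -Path $NsRoot
"ABE enabled on $NsRoot : $((($root.Flags) -join ',') -match 'AccessBased')"
Get-DfsrConnection -GroupName $Group |
    Select-Object SourceComputerName, DestinationComputerName, Enabled, RdcEnabled
```

Access-based enumeration filters what a user sees; it does not replace the NTFS ACLs on the folder targets, which must be identical on every replica because DFSR replicates the data, not the share permissions.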

Question 58

Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. All client
computers run Windows 7. Users store all of their files in their Documents folder. Many users store large files. You
plan to implement roaming user profiles for all users by using Group Policy. You need to recommend a solution that
minimizes the amount of time it takes users to log on and log off of the computers that use the roaming user profiles.
What should you recommend?

A. Modify the Group Policy object (GPO) to include folder redirection.
B. Modify the Group Policy object (GPO) to include Background Intelligent Transfer Service (BITS) settings.
C. On the server that hosts the roaming user profiles, enable caching on the profiles share.
D. On any server, install and configure the Background Intelligent Transfer Service (BITS) server extensions.

Answer: A

Explanation:
Redirecting the Documents folder to a server share takes it out of the roaming profile, so the large files are no longer
copied down at logon and back up at logoff; only the remaining, much smaller profile data roams. Share caching and
BITS do not change what the profile contains.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Planning and Managing Group Policy
Planning your Group Policy is in part planning your organizational structure. If you have a huge number of OUs, some
inheriting policies, others blocking inheritance, several OUs linking to the same GPO, and several GPOs linking to the
same OU, you have a recipe for disaster. While too few OUs and GPOs is also a mistake, most of us err on the side of
having too many. Keep your structures simple. Do not link OUs and GPOs across site boundaries. Give your OUs and
GPOs meaningful names.
When you are planning Group Policy you need to be aware of the Group Policy settings that are provided with
Windows Server 2008. These are numerous and it is not practical to memorize all of them, but you should know what
the various categories are. Even if you do not edit any policies, exploring the Group Policy structure in Group Policy
Management Editor is worthwhile. You will develop a feel for what is available and whether you need to generate
custom policies by creating ADMX files.
You also need a good understanding of how Group Policy is processed at the client. This happens in the following two
phases:
■ Core processing When a client begins to process Group Policy, it must determine whether it can reach a DC, whether
any GPOs have been changed, and what policy settings must be processed. The core Group Policy engine performs the
processing of this in the initial phase.
■ Client-side extension (CSE) processing In this phase, Group Policy settings are placed in various categories, such as
Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. A specific
CSE processes the settings in each category, and each CSE has its own rules for processing settings. The core Group
Policy engine calls the CSEs that are required to process the settings that apply to the client.
CSEs cannot begin processing until core Group Policy processing is completed. It is therefore important to plan your
Group Policy and your domain structure so that this happens as quickly and reliably as possible. The troubleshooting
section later in this lesson discusses some of the problems that can delay or prevent core
Group Policy processing.

Question 59

Your network contains a Windows Server 2008 R2 server that functions as a file server. All users have laptop
computers that run Windows 7. The network is not connected to the Internet. Users save files to a shared folder on
the server. You need to design a data provisioning solution that meets the following requirements:
• Users who are not connected to the corporate network must be able to access the files and the folders in the
corporate network.
• Unauthorized users must not have access to the cached files and folders.
What should you do?

A. Implement a certification authority (CA). Configure IPsec domain isolation.
B. Implement a certification authority (CA). Configure Encrypting File System (EFS) for the drive that hosts the files.
C. Implement Microsoft SharePoint Foundation 2010. Enable Secure Socket Layer (SSL) encryption.
D. Configure caching on the shared folder. Configure offline files to use encryption.

Answer: D

Explanation:
Offline Files keeps a local copy of the cached share on each laptop, which is what makes the files usable off the
network. Enabling the Offline Files cache encryption policy encrypts those cached copies on the laptop, so someone who
pulls the disk or boots another operating system cannot read them. EFS on the server's drive (option B) protects only
the copy on the server, and IPsec isolation and SharePoint over SSL protect data in transit, not the cache.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Lesson 2: Provisioning Data
Lesson 1 in this chapter introduced the Share And Storage Management tool, which gives you access to the Provision
Storage Wizard and the Provision A Shared Folder Wizard. These tools allow you to configure storage on the volumes
accessed by your server and to set up shares. When you add the Distributed File System (DFS) role service to the File
Services server role you can create a DFS namespace and go on to configure DFSR. Provisioning data ensures that user
files are available and remain available even if a server fails or a WAN link goes down. Provisioning data also ensures
that users can work on important files when they are not connected to the corporate network.
In a well-designed data provisioning scheme, users should not need to know the network path to their files, or from
which server they are downloading them. Even large files should typically download quickly; files should not be
downloaded or saved across a WAN link when they are available from a local server. You need to configure indexing so
that users can find information quickly and easily. Offline files need to be synchronized quickly and efficiently, and
whenever possible without user intervention. A user should always be working with the most up-to-date information
(except when a shadow copy is specified) and fast and efficient replication should ensure that where several copies of
a file exist on a network they contain the same information and latency is minimized.
You have several tools that you use to configure shares and offline files, configure storage, audit file access, prevent
inappropriate access, prevent users from using excessive disk resource, and implement disaster recovery. However,
the main tool for provisioning storage and implementing a shared folder structure is DFS Management, specifically
DFS Namespaces. The main tool for implementing shared folder replication in a
Windows Server 2008 network is DFS Replication.
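The two halves of answer D, as an added example that is not from the training kit or the exam: the share is made cacheable on the Windows Server 2008 R2 file server, a GPO forces the Windows 7 laptops to encrypt their Offline Files cache, and a small function verifies on a laptop that the policy arrived and the cache is in use. The GroupPolicy module comes with the GPMC on Windows Server 2008 R2. The share, GPO and OU names are assumptions; the registry value behind the policy is the one the Offline Files ADMX template writes.

```powershell
# Added example (not from the training kit): cacheable share, GPO that encrypts
# the Offline Files cache, and a client-side check. Names are assumptions.
Import-Module GroupPolicy      # GPMC cmdlets; present on Windows Server 2008 R2

# --- File server: caching mode on the share. /CACHE:Documents caches every file
#     a user opens; /CACHE:Manual leaves it to the user (Always Available Offline).
$SharePath = 'D:\Projects'
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
& net share "Projects=$SharePath" '/GRANT:CONTOSO\Domain Users,CHANGE' '/CACHE:Documents'

# --- Domain: "Encrypt the Offline Files cache" (Computer Configuration >
#     Administrative Templates > Network > Offline Files) is the registry value
#     EncryptCache=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache.
$GpoName  = 'Laptops - Encrypt Offline Files cache'
$LaptopOU = 'OU=Laptops,DC=contoso,DC=com'
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\NetCache' `
    -ValueName 'EncryptCache' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $GpoName -Target $LaptopOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- Client: run on a Windows 7 laptop after gpupdate /force. EncryptPolicy
#     reports whether the value has arrived; CacheEnabled/CacheActive show that
#     Offline Files is actually running (Win32_OfflineFilesCache WMI class).
function Test-OfflineFilesEncryptionPolicy {
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache' `
                            -Name EncryptCache -ErrorAction SilentlyContinue
    $policyOn = ($pol -ne $null) -and ($pol.EncryptCache -eq 1)
    $cache = Get-WmiObject -Namespace 'root\cimv2' -Class Win32_OfflineFilesCache
    New-Object PSObject -Property @{
        EncryptPolicy = [bool]$policyOn
        CacheEnabled  = [bool]$cache.Enabled
        CacheActive   = [bool]$cache.Active
        CacheLocation = $cache.Location
    }
}
Test-OfflineFilesEncryptionPolicy
```

The encryption state of the cache itself is visible on the laptop under Control Panel > Sync Center > Manage Offline Files > Encryption; with the policy in place that button is greyed out, so a user cannot turn encryption back off.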

Question 60

Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. All client
computers run Windows 7. Some users have laptop computers and work remotely from home. You need to plan a
data provisioning infrastructure to secure sensitive files. Your plan must meet the following requirements:
• Files must be stored in an encrypted format.
• Files must be accessible by remote users over the Internet.
• Files must be encrypted while they are transmitted over the Internet.
What should you include in your plan?

A. Deploy one Microsoft SharePoint Foundation 2010 site. Require users to access the SharePoint site by using a
Secure Socket Tunneling Protocol (SSTP) connection.
B. Deploy two Microsoft SharePoint Foundation 2010 sites. Configure one site for internal users. Configure the other
site for remote users. Publish the SharePoint sites by using HTTPS.
C. Configure a Network Policy and Access Services (NPAS) server to act as a VPN server. Require remote users to
access the files by using an IPsec connection to the VPN server.
D. Store all sensitive files in folders that are encrypted by using Encrypting File System (EFS). Require remote users to
access the files by using Secure Socket Tunneling Protocol (SSTP).

Answer: D

Explanation:
EFS is what satisfies "stored in an encrypted format"; options A, B and C encrypt nothing at rest. Note that EFS protects
files on the file server only: when a remote user opens a file over SMB, the server decrypts it and the bytes leave the
server in the clear unless the path is protected,
which is why the SSTP tunnel (PPP over HTTPS, port 443 so it passes home firewalls) is the second half of option D.
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Encrypting File System
Encrypting File System (EFS) is another method through which you can protect the confidentiality of data. Unlike
BitLocker, which encrypts all data on a volume using a single encryption key that is tied to the computer, EFS allows
for the encryption of individual files and folders using a public encryption key tied to a specific user account. The
encrypted file can only be decrypted using a private encryption key that is accessible only to the user. It is also possible
to encrypt documents to other users' public EFS certificates. A document encrypted to another user's public EFS
certificate can only be decrypted by that user's private key.
Security groups cannot hold encryption certificates, so the number of users that can access an encrypted document is
always limited to the individual EFS certificates that have been assigned to the document. Only a user that originally
encrypts the file or a user whose certificate is already assigned to the file can add another user's certificate to that
file. With EFS there is no chance that an encrypted file on a departmental shared folder might be accessed by
someone who should not have access because of incorrectly configured NTFS or shared folder permissions. As many
administrators know, teaching regular staff to configure NTFS permissions can be challenging. The situation gets even
more complicated when you take into account shared folder permissions. Teaching staff to use EFS to limit access to
documents is significantly simpler than explaining NTFS ACLs.
If you are considering deployment of EFS throughout your organization, you should remember that the default
configuration of EFS uses self-signed certificates. These are certificates generated by the user's computer rather than
a certification authority and can cause problems with sharing documents because they are not necessarily accessible
from other computers where the user has not encrypted documents. A more robust solution is to modify the default
EFS certificate template that is provided with a Windows Server 2008 enterprise certification authority to enable
autoenrollment. EFS certificates automatically issued by an enterprise CA can be stored in Active Directory and applied
to files that need to be shared between multiple users.
Another EFS deployment option involves smart cards. In organizations where users authenticate using smart cards,
their private EFS keys can be stored on a smart card and their public certificates stored within Active Directory.
You can learn more about configuring templates for autoenrollment in Chapter 10, "Certificate Services and Storage
Area Networks."
MORE INFO: More on EFS
For more information on Encrypting File System in Windows Server 2008, consult the following TechNet article:
http://technet2.microsoft.com/windowsserver2008/en/library/f843023b-bedd-40dd-9e5b-f1619eebf7821033.mspx?mfr=true
Quick Check
1. From a normal user's perspective, in terms of encryption functionality, how does EFS differ from BitLocker?
2. What type of auditing policy should you implement to track access to sensitive files?
Quick Check Answers
1. BitLocker works on entire volumes and is transparent to the user. EFS works on individual files and folders and can
be configured by the user.
2. Audit Object Access.
Windows Server 2008 VPN Protocols
Windows Server 2008 supports three different VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer Two
Tunneling Protocol over IPsec (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). The factors that will
influence the protocol you choose to deploy in your own network environment include client operating system,
certificate infrastructure, and how your organization's firewall is deployed.
Windows XP remote access clients, because these clients cannot use SSTP
■ SSTP Secure Socket Tunneling Protocol (SSTP) is a VPN technology that makes its debut with Windows Server 2008.
SSTP VPN tunnels allow traffic to pass across firewalls that block traditional PPTP or L2TP/IPsec VPN traffic. SSTP works
by encapsulating Point-to-Point Protocol (PPP) traffic over the Secure Sockets Layer (SSL) channel of HTTP over SSL
(HTTPS). Expressed more directly, SSTP piggybacks PPP over HTTPS. This means that SSTP traffic passes across TCP
port 443, which is almost certain to be open on any firewall between the Internet and a public-facing Web server on
an organization's screened subnet.
When planning for the deployment of SSTP, you need to take into account the following considerations:
■ SSTP is only supported with Windows Server 2008 and Windows Vista with Service Pack 1 (and later releases, so
Windows 7 and Windows Server 2008 R2 clients qualify).
■ SSTP requires that the client trust the CA that issues the VPN server's SSL certificate.
■ The SSL certificate must be installed on the server that will function as the VPN server prior to the installation of
Routing and Remote Access; otherwise, SSTP will not be available.
■ The SSL certificate subject name and the host name that external clients use to connect to the VPN server must
match, and the client Windows Vista SP1 computer must trust the issuing CA.
■ SSTP does not support tunneling through Web proxies that require authentication.
■ SSTP does not support site-to-site tunnels. (PPTP and L2TP do.)
MORE INFO: More on SSTP
To learn more about SSTP, see the following SSTP deployment walkthrough document at
http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3f9d1f37063/Deploying%20SSTP%20Remote%20Access%20Step%20by%20Step%20Guide.doc
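Two checks a practitioner would run before relying on answer D, added here as an example that is not from the training kit or the exam. The first reports whether the current user's EFS certificate is the self-signed default the text warns about or one issued by the enterprise CA (EFS certificates carry the Encrypting File System EKU). The second connects to the SSTP endpoint from a client and tests the two certificate prerequisites listed above: the issuing CA is trusted and the dialed host name matches the certificate. Only .NET classes present in PowerShell 2.0 on Windows 7 are used; the VPN host name is an assumption.

```powershell
# Added example (not from the training kit): EFS certificate audit and an SSTP
# server-certificate check from the client side. The VPN host is an assumption.

# (1) EFS certificates carry the Encrypting File System EKU, OID 1.3.6.1.4.1.311.10.3.4.
function Get-EfsCertificateReport {
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $eku) { continue }
        if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })) { continue }
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)  # the default EFS cert; not published in AD
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}
Get-EfsCertificateReport | Format-Table Subject, Issuer, SelfSigned, NotAfter -AutoSize

# (2) SSTP is PPP over HTTPS on TCP 443. The client refuses the tunnel unless it
#     trusts the issuing CA and the dialed name matches the subject CN or a SAN entry.
function Test-SstpServerCertificate {
    param([Parameter(Mandatory = $true)][string]$VpnHost, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($VpnHost, $Port)
        # Accept anything at the TLS layer here so the certificate can be inspected below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($VpnHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
    }
    finally { $tcp.Close() }

    # Chain check against this client's trusted roots (the CA-trust prerequisite).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Name check: subject CN plus the dNSName entries of the Subject Alternative
    # Name extension (OID 2.5.29.17). Wildcard names are not expanded here.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[-1] }
    }
    New-Object PSObject -Property @{
        Host        = $VpnHost
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        ChainOk     = $chainOk
        ChainStatus = $status
        NameMatches = [bool]($names -contains $VpnHost)
        Expires     = $cert.NotAfter
    }
}
Test-SstpServerCertificate -VpnHost 'vpn.contoso.com'   # assumed host name
```

ChainOk false with a status of UntrustedRoot is the symptom of the second bullet above (the client does not trust the issuing CA); NameMatches false is the fourth bullet (the certificate was issued to the server's internal name rather than the public one users dial).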

Question 61

Your company has a main office and a branch office. Your network contains a single Active Directory domain. You
install 25 Windows Server 2008 R2 member servers in the branch office. You need to recommend a storage solution
that meets the following requirements:
• Encrypts all data on the hard disks
• Allows the operating system to start only when the authorized user is present
What should you recommend?

A. Encrypting File System (EFS)
B. File Server Resource Manager (FSRM)
C. Windows BitLocker Drive Encryption (BitLocker)
D. Windows System Resource Manager (WSRM)

Answer: C

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Planning BitLocker Deployment
Windows BitLocker and Drive Encryption (BitLocker) is a feature that debuted in Windows Vista Enterprise and
Ultimate Editions and is available in all versions of Windows Server 2008. BitLocker serves two purposes:
protecting server data through full volume encryption and providing an integrity-checking mechanism to ensure that
the boot environment has not been tampered with.
Encrypting the entire operating system and data volumes means that not only are the operating system and data
protected, but so are paging files, applications, and application configuration data. In the event that a server is stolen
or a hard disk drive removed from a server by third parties for their own nefarious purposes, BitLocker ensures that
these third parties cannot recover any useful data. The drawback is that if the BitLocker keys for a server are lost and
the boot environment is compromised, the data stored on that server will be unrecoverable.
To support integrity checking, BitLocker requires a computer to have a chip capable of supporting the Trusted Platform
Module (TPM) 1.2 or later standard. A computer must also have a BIOS that supports the TPM standard. When
BitLocker is implemented in these conditions and in the event that the condition of a startup component has changed,
BitLocker-protected volumes are locked and cannot be unlocked unless the person doing the unlocking has the correct
digital keys. Protected startup components include the BIOS, Master Boot Record, Boot Sector, Boot Manager, and
Windows Loader.
From a systems administration perspective, it is important to disable BitLocker during maintenance periods when any
of these components are being altered. For example, you must disable BitLocker during a BIOS upgrade. If you do not,
the next time the computer starts, BitLocker will lock the volumes and you will need to initiate the recovery process.
The recovery process involves entering a 48-character password that is generated and saved to a specified location
when running the BitLocker setup wizard. This password should be stored securely because without it the recovery
process cannot occur. You can also configure BitLocker to save recovery data directly to Active Directory; this is the
recommended management method in enterprise environments.
You can also implement BitLocker without a TPM chip. When implemented in this manner there is no startup integrity
check. A key is stored on a removable USB memory device, which must be present and supported by the computer's
BIOS each time the computer starts up. After the computer has successfully started, the removable USB memory
device can be removed and should then be stored in a secure location. Configuring a computer running Windows
Server 2008 to use a removable USB memory device as a BitLocker startup key is covered in the second practice at the
end of this lesson.
BitLocker Volume Configuration
One of the most important things to remember is that a computer must be configured to support BitLocker prior to
the installation of Windows Server 2008. The procedure for this is detailed at the start of Practice 2 at the end of this
lesson, but involves creating a separate 1.5-GB partition, formatting it, and making it active as the System partition
prior to creating a larger partition, formatting it, and then installing the Windows Server 2008 operating system.
Figure 1-6 shows a volume configuration that supports BitLocker. If a computer's volumes are not correctly configured
prior to the installation of Windows Server 2008, you will need to perform a completely new installation of Windows
Server 2008 after repartitioning the volume correctly. For this reason you should partition the hard disk drives of all
computers in the environment on which you are going to install Windows Server 2008 with the assumption that at
some stage in the future you might need to deploy BitLocker.
If BitLocker is not deployed, it has cost you only a few extra minutes of configuration time. If you later decide to
deploy BitLocker, you will have saved many hours of work reconfiguring the server to support full hard drive
encryption.

Figure 1-6 Partition scheme that supports BitLocker

The necessity of having specifically configured volumes makes BitLocker difficult to implement on Windows Server
2008 computers that have been upgraded from Windows Server 2003. The necessary partition scheme would have
had to be introduced prior to the installation of Windows Server 2003, which in most cases would have occurred
before most people were aware of BitLocker.
BitLocker Group Policies
BitLocker group policies are located under the Computer Configuration\Policies\Administrative Templates\Windows
Components\BitLocker Drive Encryption node of a Windows Server 2008 Group Policy object. In the event that the
computers you want to deploy BitLocker on do not have TPM chips, you can use the Control Panel Setup: Enable
Advanced Startup Options policy, which is shown in Figure 1-7. When this policy is enabled and configured, you can
implement BitLocker without a TPM being present. You can also configure this policy to require that a startup code be
entered if a TPM chip is present, providing another layer of security.

Figure 1-7 Allowing BitLocker without the TPM chip

Other BitLocker policies include:
■ Turn On BitLocker Backup To Active Directory Domain Services – When this policy is enabled, a computer's recovery
key is stored in Active Directory and can be recovered by an authorized administrator.
■ Control Panel Setup: Configure Recovery Folder – When enabled, this policy sets the default folder to which computer
recovery keys can be stored.
■ Control Panel Setup: Configure Recovery Options – When enabled, this policy can be used to disable the recovery
password and the recovery key. If both the recovery password and the recovery key are disabled, the policy that backs
up the recovery key to Active Directory must be enabled.
■ Configure Encryption Method – This policy allows the administrator to specify the properties of the AES encryption
method used to protect the hard disk drive.
■ Prevent Memory Overwrite On Restart – This policy speeds up restarts, but increases the risk of BitLocker being
compromised.
■ Configure TPM Platform Validation Profile – This policy configures how the TPM security hardware protects the
BitLocker encryption key.
Encrypting File System vs. BitLocker
Although both technologies implement encryption, there is a big difference between Encrypting File System (EFS) and
BitLocker. EFS is used to encrypt individual files and folders and can be used to encrypt these items for different users.
BitLocker encrypts the whole hard disk drive. A user with legitimate credentials can log on to a file server that is
protected by BitLocker and will be able to read any files that she has permissions for. This user will not, however, be
able to read files that have been EFS encrypted for other users, even if she is granted permission, because you can
only read EFS-encrypted files if you have the appropriate digital certificate. EFS allows organizations to protect
sensitive shared files from the eyes of support staff who might be required to change file and folder permissions as a
part of their job task, but should not actually be able to review the contents of the file itself. BitLocker provides a
transparent form of encryption, visible only when the server is compromised. EFS provides an opaque form of
encryption—the content of a file is visible to the person who encrypted it and to no one else,
regardless of what file and folder permissions are set.
Turning Off BitLocker
In some instances you may need to remove BitLocker from a computer. For example, the environment in which the
computer is located has been made much more secure and the overhead from the BitLocker process is causing
performance problems. Alternatively, you may need to temporarily disable BitLocker so that you can perform
maintenance on startup files or the computer's BIOS. As Figure 1-8 shows, you have two options for removing
BitLocker from a computer on which it has been implemented: disable BitLocker or decrypt the drive.

Figure 1-8 Options for removing BitLocker

Disabling BitLocker removes BitLocker protection without decrypting the encrypted volumes. This is useful if a TPM
chip is present, but it is necessary to update a computer's BIOS or startup files. If you do not disable
BitLocker when performing this type of maintenance, BitLocker—when implemented with a TPM chip—will lock the
computer because the diagnostics will detect that the computer has been tampered with. When you disable
BitLocker, a plaintext key is written to the hard disk drive. This allows the encrypted hard disk drive to be read, but the
presence of the plaintext key means that the computer is insecure. Disabling BitLocker using this method provides no
performance increase because the data remains encrypted—it is just encrypted in an insecure way. When BitLocker is
re-enabled, this plaintext key is removed and the computer is again secure.
Exam Tip Keep in mind the conditions under which you might need to disable BitLocker. Also remember the
limitations of BitLocker without a TPM 1.2 chip.
Select Decrypt The Drive when you want to completely remove BitLocker from a computer. This process is as time-
consuming as performing the initial drive encryption—perhaps more so because more data might be stored on the
computer than when the initial encryption occurred. After the decryption process is finished, the computer is
returned to its pre-encrypted state and the data stored on it is no longer protected by BitLocker.
Decrypting the drive will not decrypt EFS-encrypted files stored on the hard disk drive.
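As an added example, not code from the training kit or from this exam guide, the following PowerShell script wraps the maintenance procedure described above (disable protectors before a BIOS or startup-file update, re-enable them afterwards) around manage-bde.exe, which ships with Windows Server 2008 R2 (the original Windows Server 2008 uses manage-bde.wsf instead). It assumes an elevated session and the English output text of manage-bde; the function names and the status parsing are my own.

```powershell
# Bracket a BIOS/startup-file update on a BitLocker-protected volume.
#   .\Suspend-BdeForMaintenance.ps1 -Volume C: -Phase Prepare   (before the update)
#   .\Suspend-BdeForMaintenance.ps1 -Volume C: -Phase Finish    (after the reboot)
param(
    [string]$Volume = 'C:',
    [ValidateSet('Prepare', 'Finish')][string]$Phase = 'Prepare'
)

function Get-BdeStatus {
    # Parse the "Name:   value" lines printed by manage-bde -status into a hashtable
    # (assumes the English output of manage-bde).
    param([string]$Vol)
    $status = @{}
    foreach ($line in (manage-bde -status $Vol)) {
        if ($line -match '^\s*([^:]+?):\s*(.*)$') { $status[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $status
}

function Get-BdeProtectorTypes {
    # manage-bde -protectors -get prints each key protector as a "Type:" heading
    # followed by its ID; keep only the type names.
    param([string]$Vol)
    $types = @()
    foreach ($line in (manage-bde -protectors -get $Vol)) {
        if ($line -match '^\s+(TPM.*|Numerical Password|External Key|Password):\s*$') { $types += $matches[1] }
    }
    return $types
}

$protectors = @(Get-BdeProtectorTypes $Volume)
if ($Phase -eq 'Prepare') {
    # A recovery password (the 48-digit "Numerical Password" protector) must exist and be
    # stored safely first: if validation fails after the update it is the only way back in.
    if ($protectors -notcontains 'Numerical Password') {
        throw "No recovery password on $Volume. Add one with 'manage-bde -protectors -add $Volume -RecoveryPassword' and back it up before continuing."
    }
    if (-not ($protectors -match '^TPM')) {
        Write-Warning 'No TPM-based protector: there is no startup-component validation to suspend.'
    }
    # "Disable BitLocker": data stays encrypted, but a clear key is written so the
    # changed BIOS/boot components cannot lock the volume at next start.
    manage-bde -protectors -disable $Volume | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -disable failed (exit code $LASTEXITCODE)" }
    $status = Get-BdeStatus $Volume
    if ($status['Protection Status'] -notmatch 'Off') { throw 'Protection is still on; do not start the update.' }
    Write-Output "$Volume protection suspended (volume remains encrypted). Apply the update, reboot, then run -Phase Finish."
} else {
    # Re-enable protectors: removes the clear key so the TPM check is enforced again.
    manage-bde -protectors -enable $Volume | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -enable failed (exit code $LASTEXITCODE)" }
    $status = Get-BdeStatus $Volume
    if ($status['Protection Status'] -notmatch 'On') { throw 'Protection not re-enabled; the clear key is still on disk.' }
    Write-Output "$Volume protection restored; clear key removed."
}
```

Leaving the volume in the suspended state longer than the maintenance window defeats the integrity check, so the Finish phase belongs in the same change ticket as the update.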

Question 62

Your company plans to deploy eight file servers that run Windows Server 2008 R2. All file servers will connect to
Ethernet switches. You need to plan a data storage solution that meets the following requirements:
• Allocates storage to the servers as needed
• Utilizes the existing network infrastructure
• Maximizes performance
• Maximizes fault tolerance

Which actions should you include in your plan?

A. Install Windows Server 2008 R2 Datacenter on each server. Deploy the servers in a failover cluster. Deploy an iSCSI
storage area network (SAN).
B. Install Windows Server 2008 R2 Standard on each server. Deploy the servers in a Network Load Balancing (NLB)
cluster. Implement RAID-5 on each server.
C. Install Windows Server 2008 R2 Enterprise on each server. Deploy the servers in a failover cluster. Deploy a Fibre
Channel (FC) storage area network (SAN).
D. Install Windows Server 2008 R2 Enterprise on each server. Deploy the servers in a Network Load Balancing (NLB)
cluster. Map a network drive on each server to an external storage array.

Answer: A

Explanation:
Datacenter supports failover clustering, and an iSCSI SAN utilizes the existing Ethernet network topology.

Question 63

You plan to deploy a distributed database application that runs on multiple Windows Server 2008 R2 servers.
You need to design a storage strategy that meets the following requirements:
· Allocates storage to servers as required
· Uses the existing network infrastructure
· Uses standard Windows management tools
· Ensures that data is available if a single disk fails
What should you include in your design?

A. An iSCSI disk storage subsystem that supports Microsoft Multipath I/O. Configure the storage subsystem as a
RAID-0 array.
B. An iSCSI disk storage subsystem that supports Virtual Disk Service (VDS). Configure the storage subsystem as a
RAID-5 array.
C. A Fibre Channel (FC) disk storage subsystem that supports Microsoft Multipath I/O. Configure the storage
subsystem as a RAID-0 array.
D. A Fibre Channel (FC) disk storage subsystem that supports the Virtual Disk Service (VDS). Configure the storage
subsystem as a RAID-5 array.

Answer: B

Explanation:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Virtual Disk Service (VDS)
Virtual Disk Service (VDS) provides a standard set of application programming interfaces (APIs) that provide a single
interface through which disks can be managed. VDS provides a complete solution for managing storage hardware and
disks and enables you to create volumes on those disks. This means that you can use a single tool to manage devices
in a mixed storage environment rather than tools provided by different hardware vendors. Before you can manage a
LUN using Storage Manager For SANs, you must install its VDS hardware provider. This will usually be provided by the
hardware vendor. Prior to purchasing a storage device to be used on your organization's SAN, you should verify that a
compatible VDS hardware provider exists.
VDS defines a software and a hardware provider interface. Each of these providers implements a different portion of
the VDS API. The software provider is a program that runs on the host and is supported by a kernel-mode driver.
Software providers operate on volumes, disks, and partitions. The hardware provider manages the actual storage
subsystem. Hardware providers are usually disk array or adapter cards that enable the creation of logical disks for
each LUN type. The LUN type that can be configured will depend on the options allowed by the VDS hardware
provider. For example, some VDS hardware providers will allow the RAID-5 (Striped with Parity) LUN type to be
implemented, while others might be limited to providing the Mirrored or Spanned LUN types.
MORE INFO More on VDS
For more information on the functionality of VDS, consult the following TechNet article:
http://technet2.microsoft.com/windowsserver/en/library/dc77e7c7-ae44-4483-878b-6bc3819e64dc1033.mspx?mfr=true
Storage Manager For SANs
You can use the Storage Manager For SANs console to create LUNs on Fibre Channel and iSCSI storage arrays. You
install Storage Manager For SANs as a Windows Server 2008 feature. To use Storage Manager
For SANs to manage LUNs, the following criteria must be met:
■ The storage subsystems that you are going to manage must support VDS.
■ The VDS hardware provider for each subsystem must already be installed on the Windows Server 2008 computer.
When you open Storage Manager For SANs from the Administrative Tools menu, you are presented with three main
nodes, which have the following functionality:
■ LUN Management – This node lists all of the LUNs created with Storage Manager For SANs. From this node you can
create new LUNs, extend the size of existing LUNs, assign and unassign LUNs, and delete LUNs. You can also use this
node to configure the Fibre Channel and iSCSI connections that servers use to access LUNs.
■ Subsystems – This node lists all of the storage subsystems currently discovered within the SAN environment. You can
rename subsystems using this node.
■ Drives – This node lists all of the drives in the storage subsystems discovered in the SAN. You can identify drives that
you are working with by making the drive light blink from this node.
You can use any LUN type that is supported by the storage subsystem that you are deploying. The different
LUN types are:
■ Simple – A simple LUN uses either an entire physical drive or a portion of that drive. The failure of a disk in a simple
LUN means that all data stored on the LUN is lost.
■ Spanned – A spanned LUN is a simple LUN that spans multiple physical drives. The failure of any one disk in a spanned
LUN means that all data stored on the LUN is lost.
■ Striped – Data is written across multiple physical disks. This type of LUN, also known as RAID-0, has improved
I/O performance because data can be read and written to multiple disks simultaneously, but like a spanned LUN, all
data will be lost in the event that one disk in the array fails.
■ Mirrored – This LUN type, also known as RAID-1, is fault tolerant. Identical copies of the LUN are created on two
physical drives. All read and write operations occur concurrently on both drives. If one disk fails, the LUN continues to
be available on the unaffected disk.
■ Striped with Parity – This LUN type, also known as RAID-5, offers fault tolerance and improved read performance,
although write performance is hampered by parity calculation. This type requires a minimum of three disks and the
equivalent of one disk's worth of storage is lost to the storage of parity information across the disk set. This LUN type
will retain data if one disk is lost, but all data will be lost if two disks in the array fail at the same time. In the event
that one disk fails, it should be replaced as quickly as possible.
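As an added example, not code from the training kit or from this exam guide, the following PowerShell script models the Striped with Parity (RAID-5) LUN type at the byte level to show where the three-disk minimum, the one-disk capacity cost, and the single-failure limit come from. The payload is constructed; the function names are my own, and nothing touches a real disk.

```powershell
function New-Raid5Layout {
    # Distribute $Data across $DiskCount simulated disks: each stripe holds
    # ($DiskCount - 1) data bytes plus one parity byte (XOR of the data bytes).
    param([byte[]]$Data, [int]$DiskCount = 3)
    if ($DiskCount -lt 3) { throw 'Striped with Parity needs at least three disks' }
    $dataPerStripe = $DiskCount - 1
    $disks = @()
    for ($i = 0; $i -lt $DiskCount; $i++) { $disks += ,(New-Object System.Collections.Generic.List[byte]) }
    $stripes = [math]::Ceiling($Data.Length / $dataPerStripe)
    for ($s = 0; $s -lt $stripes; $s++) {
        $parityDisk = $s % $DiskCount        # parity rotates, so no single disk absorbs every parity write
        [byte]$parity = 0
        $d = 0
        for ($i = 0; $i -lt $DiskCount; $i++) {
            if ($i -eq $parityDisk) { continue }
            $idx = $s * $dataPerStripe + $d
            [byte]$b = 0
            if ($idx -lt $Data.Length) { $b = $Data[$idx] }   # zero-pad the last stripe
            $disks[$i].Add($b)
            $parity = [byte]($parity -bxor $b)
            $d++
        }
        $disks[$parityDisk].Add($parity)
    }
    return ,$disks
}

function Restore-Raid5Disk {
    # Rebuild one lost disk: at every offset the missing byte is the XOR of all survivors.
    # This only works for a single failure; with two disks gone each stripe has two unknowns.
    param($Disks, [int]$Lost)
    $survivors = @(0..($Disks.Count - 1) | Where-Object { $_ -ne $Lost })
    $rebuilt = New-Object System.Collections.Generic.List[byte]
    for ($k = 0; $k -lt $Disks[$survivors[0]].Count; $k++) {
        [byte]$x = 0
        foreach ($i in $survivors) { $x = [byte]($x -bxor $Disks[$i][$k]) }
        $rebuilt.Add($x)
    }
    return ,$rebuilt
}

# Constructed sample: 18 bytes over 4 disks -> 6 stripes of 3 data bytes + 1 parity byte
$payload = [System.Text.Encoding]::ASCII.GetBytes('database page 0001')
$layout  = New-Raid5Layout -Data $payload -DiskCount 4
$rawBytes    = ($layout | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
$usableBytes = $rawBytes - $layout[0].Count          # exactly one disk's worth is parity
"Raw capacity used: $rawBytes bytes, usable: $usableBytes bytes"

$lostDisk = 1
$rebuilt  = Restore-Raid5Disk -Disks $layout -Lost $lostDisk
if (($rebuilt -join ',') -eq ($layout[$lostDisk] -join ',')) {
    "Disk $lostDisk rebuilt from parity: data survives a single-disk failure"
}
# Two simultaneous failures leave two unknown bytes per stripe for one XOR equation:
# no reconstruction is possible, which is why a failed disk must be replaced promptly.
"With 2 of $($layout.Count) disks lost, every stripe has two unknowns: data is unrecoverable"
```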

Question 64

You plan to deploy a distributed database application that runs on Windows Server 2008 R2. You need to design a
storage strategy that meets the following requirements:
• Allocates storage to servers as required
• Isolates storage traffic from the existing network
• Ensures that data is available if a single disk fails
• Ensures that data is available if a single storage controller fails
What should you include in your design?
