
Microsoft.Certify-Me.Testking.70-648.v2011-12-18.by.Gosha.

646q
Number: 70-648 Passing Score: 700 Time Limit: 120 min File Version: 1.0

Sections 1. 70-640 2. 70-642

Exam A

QUESTION 1 Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2003. You upgrade all domain controllers to Windows Server 2008. You need to configure the Active Directory environment to support the application of multiple password policies. What should you do?

A. Raise the functional level of the domain to Windows Server 2008.
B. On one domain controller, run dcpromo /adv.
C. Create multiple Active Directory sites.
D. On all domain controllers, run dcpromo /adv.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 2 Your company has two Active Directory forests named contoso.com and fabrikam.com. The company network has three DNS servers named DNS1, DNS2, and DNS3. The DNS servers are configured as shown in the following table.

All computers that belong to the fabrikam.com domain have DNS3 configured as the preferred DNS server. All other computers use DNS1 as the preferred DNS server. Users from the fabrikam.com domain are unable to connect to the servers that belong to the contoso.com domain. You need to ensure users in the fabrikam.com domain are able to resolve all contoso.com queries. What should you do?

A. Configure conditional forwarding on DNS1 and DNS2 to forward fabrikam.com queries to DNS3.
B. Create a copy of the _msdcs.contoso.com zone on the DNS3 server.
C. Create a copy of the fabrikam.com zone on the DNS1 server and the DNS2 server.
D. Configure conditional forwarding on DNS3 to forward contoso.com queries to DNS1.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 3 Your company, Contoso, Ltd., has offices in North America and Europe. Contoso has an Active Directory forest that has three domains. You need to reduce the time required to authenticate users from the labs.eu.contoso.com domain when they access resources in the eng.na.contoso.com domain. What should you do?

A. Decrease the replication interval for all Connection objects.
B. Decrease the replication interval for the DEFAULTIPSITELINK site link.
C. Set up a one-way shortcut trust from eng.na.contoso.com to labs.eu.contoso.com.
D. Set up a one-way shortcut trust from labs.eu.contoso.com to eng.na.contoso.com.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 4 Your company has an Active Directory forest that contains eight linked Group Policy Objects (GPOs). One of these GPOs publishes applications to user objects. A user reports that the application is not available for installation. You need to identify whether the GPO has been applied. What should you do?

A. Run the Group Policy Results utility for the user.
B. Run the GPRESULT /S <system name> /Z command at the command prompt.
C. Run the GPRESULT /SCOPE COMPUTER command at the command prompt.
D. Run the Group Policy Results utility for the computer.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 5 Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008. You perform the following activities:
- Create a global distribution group.
- Add users to the global distribution group.
- Create a shared folder on a Windows Server 2008 member server.
- Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder. What should you do?

A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 6 Your company has a DNS server that has 10 Active Directory-integrated zones. You need to provide copies of the zone files of the DNS server to the security department. What should you do?

A. Run the dnscmd /ZoneInfo command.
B. Run the ipconfig /registerdns command.
C. Run the dnscmd /ZoneExport command.
D. Run the ntdsutil > Partition Management > List commands.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 7 Your company has a main office and a branch office that are configured as a single Active Directory forest. The functional level of the Active Directory forest is Windows Server 2003. There are four Windows Server 2003 domain controllers in the main office. You need to ensure that you are able to deploy a read-only domain controller (RODC) at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Raise the functional level of the forest to Windows Server 2008.
B. Deploy a Windows Server 2008 domain controller at the main office.
C. Raise the functional level of the domain to Windows Server 2008.
D. Run the adprep /rodcprep command.

Answer: BD Section: 70-640 Explanation/Reference: Explanation:

QUESTION 8 Your company has a domain controller that runs Windows Server 2008. The domain controller has the backup features installed. You need to perform a non-authoritative restore of the domain controller using an existing backup file. What should you do?

A. Boot into Directory Services Restore Mode and use wbadmin to restore critical volume
B. Boot into Directory Services Restore Mode and use the backup snap-in to restore critical volume
C. Boot into Safe Mode and use wbadmin to restore critical volume
D. Boot into Safe Mode and use the backup snap-in to restore critical volume

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 9 Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server. You create a new global security group named CertIssuers. You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates. What should you do?

A. Assign the Certificate Manager role to the CertIssuers group
B. Place CertIssuers group in the Certificate Publisher group
C. Run the certsrv -add CertIssuers command prompt of the certificate server
D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows PowerShell

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 10 Your company has an Active Directory domain. The company has purchased 100 new computers. You want to deploy the computers as members of the domain. You need to create the computer accounts in an OU. What should you do?

A. Run the csvde -f computers.csv command
B. Run the ldifde -f computers.ldf command
C. Run the dsadd computer <computerdn> command
D. Run the dsmod computer <computerdn> command

Answer: C Section: 70-640 Explanation/Reference: Explanation: DSAdd is the command-line utility that is used to add computers to a domain. DSMod is a command-line utility that is designed to modify an already existing object.

QUESTION 11 Your company has recently acquired a new subsidiary company in Quebec. The Active Directory administrators of the subsidiary company must use the French-language version of the administrative templates. You create a folder on the PDC emulator for the subsidiary domain in the path %systemroot%\SYSVOL\domain\Policies\PolicyDefinitions\FR. You need to ensure that the French-language version of the templates is available. What should you do?

A. Download the Conf.adm, System.adm, Wuau.adm, and Inetres.adm files from the Microsoft Web site. Copy the ADM files to the FR folder.
B. Copy the ADML files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
C. Copy the Install.WIM file from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.
D. Copy the ADMX files from the French local installation media for Windows Server 2008 R2 to the FR folder on the subsidiary PDC emulator.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 12 Your company has two Active Directory forests named Forest1 and Forest2. The forest functional level and the domain functional level of Forest1 are set to Windows Server 2008. The forest functional level of Forest2 is set to Windows 2000, and the domain functional levels in Forest2 are set to Windows Server 2003. You need to set up a transitive forest trust between Forest1 and Forest2. What should you do first?

A. Raise the forest functional level of Forest2 to Windows Server 2003 Interim mode.
B. Raise the forest functional level of Forest2 to Windows Server 2003.
C. Upgrade the domain controllers in Forest2 to Windows Server 2008.
D. Upgrade the domain controllers in Forest2 to Windows Server 2003.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 13 Your company has an Active Directory forest that contains two domains. The forest has universal groups that contain members from each domain. A branch office has a domain controller named DC1. Users at the branch office report that the logon process takes too long. You need to decrease the amount of time it takes for the branch office users to log on. What should you do?

A. Configure DC1 as a Global Catalog server.
B. Configure DC1 as a bridgehead server for the branch office site.
C. Decrease the replication interval on the site link that connects the branch office to the corporate network.
D. Increase the replication interval on the site link that connects the branch office to the corporate network.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 14 You have a domain controller that runs the DHCP service. You need to perform an offline defragmentation of the Active Directory database on the domain controller. You must achieve this goal without affecting the availability of the DHCP service. What should you do?

A. Restart the domain controller in Directory Services Restore Mode. Run the Disk Defragmenter utility.
B. Restart the domain controller in Directory Services Restore Mode. Run the Ntdsutil utility.
C. Stop the Active Directory Domain Services service. Run the Ntdsutil utility.
D. Stop the Active Directory Domain Services service. Run the Disk Defragmenter utility.

Answer: C Section: 70-640

Explanation/Reference: Explanation:

QUESTION 15 Your network contains an Active Directory forest. You need to add a new user principal name (UPN) suffix to the forest. Which tool should you use?

A. Active Directory Administrative Center
B. Active Directory Domains and Trusts
C. Active Directory Sites and Services
D. Active Directory Users and Computers

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 16 Your network contains an Active Directory domain. The domain contains two sites named Site1 and Site2. Site1 contains five domain controllers. Site2 contains one read-only domain controller (RODC). Site1 and Site2 connect to each other by using a slow WAN link. You discover that the cached password for a user named User1 is compromised on the RODC. On a domain controller in Site1, you change the password for User1. You need to replicate the new password for User1 to the RODC immediately. The solution must not replicate other objects to the RODC. Which tool should you use?

A. Active Directory Sites and Services
B. Active Directory Users and Computers
C. Repadmin
D. Replmon

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 17 Your network contains an Active Directory domain named contoso.com. All domain controllers and member servers run Windows Server 2008. All client computers run Windows 7. From a client computer, you create an audit policy by using the Advanced Audit Policy Configuration settings in the Default Domain Policy Group Policy object (GPO). You discover that the audit policy is not applied to the member servers. The audit policy is applied to the client computers. You need to ensure that the audit policy is applied to all member servers and all client computers. What should you do?

A. Add a WMI filter to the Default Domain Policy GPO.
B. Modify the security settings of the Default Domain Policy GPO.
C. Configure a startup script that runs auditpol.exe on the member servers.
D. Configure a startup script that runs auditpol.exe on the domain controllers.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 18 Your network contains an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the records are replicated to all DNS servers. Which tool should you use?

A. Dnslint
B. Ldp
C. Nslookup
D. Repadmin

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 19 You have an enterprise subordinate certification authority (CA). You have a custom Version 3 certificate template. Users can enroll for certificates based on the custom certificate template by using the Certificates console. The certificate template is unavailable for Web enrollment. You need to ensure that the certificate template is available on the Web enrollment pages. What should you do?

A. Run certutil.exe -pulse.
B. Run certutil.exe -installcert.
C. Change the certificate template to a Version 2 certificate template.
D. On the certificate template, assign the Autoenroll permission to the users.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 20 Your network contains an Active Directory domain. The domain contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a global catalog server. What should you do?

A. Modify the Active Directory schema.
B. From Ntdsutil, use the Roles option.
C. Run the Active Directory Domain Services Installation Wizard on Server1.
D. Move the Server1 computer object to the Domain Controllers organizational unit (OU).

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 21 Your network contains an Active Directory forest. The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC). You need to configure the RODC to store only the passwords of users in the remote site. What should you do?

A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 22 Your network contains a single Active Directory domain. Client computers run either Windows XP Service Pack 3 (SP3) or Windows 7. All of the computer accounts for the client computers are located in an organizational unit (OU) named OU1. You link a new Group Policy object (GPO) named GPO10 to OU1. You need to ensure that GPO10 is applied only to client computers that run Windows 7. What should you do?

A. Create a new OU in OU1. Move the Windows XP computer accounts to the new OU.
B. Enable block inheritance on OU1.
C. Create a WMI filter and assign the filter to GPO10.
D. Modify the permissions of OU1.

Answer: C Section: 70-640 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc758471(v=WS.10).aspx

QUESTION 23 Your network contains an Active Directory domain named contoso.com. You need to audit changes to a service account. The solution must ensure that the audit logs contain the before and after values of all the changes. Which security policy setting should you configure?

A. Audit Sensitive Privilege Use
B. Audit User Account Management
C. Audit Directory Service Changes
D. Audit Other Account Management Events

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 24 Your network contains two Active Directory forests named contoso.com and nwtraders.com. Active Directory Rights Management Services (AD RMS) is deployed in each forest. You need to ensure that users from the nwtraders.com forest can access AD RMS protected content in the contoso.com forest. What should you do?

A. Add a trusted user domain to the AD RMS cluster in the nwtraders.com domain.
B. Create an external trust from nwtraders.com to contoso.com.
C. Add a trusted user domain to the AD RMS cluster in the contoso.com domain.
D. Create an external trust from contoso.com to nwtraders.com.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 25 Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 is configured as an Active Directory Federation Services (AD FS) 2.0 standalone server. You plan to add a new token-signing certificate to Server1. You import the certificate to the server as shown in the exhibit. (Click the Exhibit button.) When you run the Add Token-Signing Certificate wizard, you discover that the new certificate is unavailable. You need to ensure that you can use the new certificate for AD FS. What should you do? Exhibit:

A. From the properties of the certificate, modify the Certificate Policy OIDs setting.
B. Import the certificate to the AD FS 2.0 Windows Service personal certificate store.
C. From the properties of the certificate, modify the Certificate purposes setting.
D. Import the certificate to the local computer personal certificate store.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 26 You need to purge the list of user accounts that were authenticated on a read-only domain controller (RODC). What should you do?

A. Run the repadmin.exe command and specify the /prp parameter.
B. From Active Directory Sites and Services, modify the properties of the RODC computer object.
C. From Active Directory Users and Computers, modify the properties of the RODC computer object.
D. Run the dsrm.exe command and specify the -u parameter.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 27 Your company has a main office and four branch offices. An Active Directory site exists for each office. Each site contains one domain controller. Each branch office site has a site link to the main office site. You discover that the domain controllers in the branch offices sometimes replicate directly to each other. You need to ensure that the domain controllers in the branch offices only replicate to the domain controller in the main office. What should you do?

A. Modify the firewall settings for the main office site.
B. Disable the Knowledge Consistency Checker (KCC) for each branch office site.
C. Disable site link bridging.
D. Modify the security settings for the main office site.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 28 Your network contains an Active Directory forest. The forest contains one domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. DC1 was installed before DC2. DC1 fails. You need to ensure that you can add 1,000 new user accounts to the domain. What should you do?

A. Modify the permissions of the DC2 computer account.
B. Seize the schema master FSMO role.
C. Configure DC2 as a global catalog server.
D. Seize the RID master FSMO role.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 29 Your network contains an Active Directory domain named contoso.com. You need to identify whether the Active Directory Recycle Bin is enabled. What should you do?

A. From Ldp, search for the Reanimate-Tombstones object.
B. From Ldp, search for the LostAndFound container.
C. From Windows PowerShell, run the Get-ADObject cmdlet.
D. From Windows PowerShell, run the Get-ADOptionalFeature cmdlet.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 30 Your network contains an Active Directory domain. You create and mount an Active Directory snapshot. You run dsamain.exe as shown in the exhibit. (Click the Exhibit button.) You need to ensure that you can browse the contents of the Active Directory snapshot. What should you do? Exhibit:

A. Stop Active Directory Domain Services (AD DS), and then rerun dsamain.exe.
B. Change the value of the dbpath parameter, and then rerun dsamain.exe.
C. Change the value of the ldapport parameter, and then rerun dsamain.exe.
D. Restart the Volume Shadow Copy Service (VSS), and then rerun dsamain.exe.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 31 Your network contains an Active Directory domain. You need to back up all of the Group Policy objects (GPOs), Group Policy permissions, and Group Policy links for the domain. What should you do?

A. From Group Policy Management Console (GPMC), back up the GPOs.
B. From Windows Explorer, copy the content of the %systemroot%\SYSVOL folder.
C. From Windows Server Backup, perform a system state backup.
D. From Windows PowerShell, run the Backup-GPO cmdlet.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 32 Your network contains a domain controller that runs Windows Server 2008 R2. You need to reset the Directory Services Restore Mode (DSRM) password on the domain controller. Which tool should you use?

A. Ntdsutil
B. Dsamain
C. Active Directory Users and Computers
D. Local Users and Groups

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 33 Your network contains an Active Directory forest. All client computers run Windows 7. The network contains a high-volume enterprise certification authority (CA). You need to minimize the amount of network bandwidth required to validate a certificate. What should you do?

A. Configure an LDAP publishing point for the certificate revocation list (CRL).
B. Configure an Online Certification Status Protocol (OCSP) responder.
C. Modify the settings of the delta certificate revocation list (CRL).
D. Replicate the certificate revocation list (CRL) by using Distributed File System (DFS).

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 34 Your network contains an Active Directory domain. You have five organizational units (OUs) named Finance, HR, Marketing, Sales, and Dev. You link a Group Policy object named GPO1 to the domain as shown in the exhibit. (Click the Exhibit button.) You need to ensure that GPO1 is applied to users in the Finance, HR, Marketing, and Sales OUs. The solution must prevent GPO1 from being applied to users in the Dev OU. What should you do? Exhibit:

A. Enforce GPO1.
B. Modify the security settings of the Dev OU.
C. Link GPO1 to the Finance OU.
D. Modify the security settings of the Finance OU.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 35 Your network contains an Active Directory domain. The domain contains an organizational unit (OU) named OU1. OU1 contains all managed service accounts in the domain. You need to prevent the managed service accounts from being deleted accidentally from OU1. Which cmdlet should you use?

A. Set-ADUser
B. Set-ADOrganizationalUnit
C. Set-ADServiceAccount
D. Set-ADObject

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 36 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a writable domain controller named DC1 and a read-only domain controller (RODC) named DC2. All domain controllers run Windows Server 2008 R2. You need to install a new writable domain controller named DC3 in a remote site. The solution must minimize the amount of replication traffic that occurs during the installation of Active Directory Domain Services (AD DS) on DC3. What should you do first?

A. Run dcpromo.exe /createdcaccount on DC3.
B. Run ntdsutil.exe on DC2.
C. Run dcpromo.exe /adv on DC3.
D. Run ntdsutil.exe on DC1.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 37 Your network contains an Active Directory forest. The forest contains 10 domains. All domain controllers are configured as global catalog servers. You remove the global catalog role from a domain controller named DC5. You need to reclaim the hard disk space used by the global catalog on DC5. What should you do?

A. From Active Directory Sites and Services, run the Knowledge Consistency Checker (KCC).
B. From Active Directory Sites and Services, modify the general properties of DC5.
C. From Ntdsutil, use the Semantic database analysis option.
D. From Ntdsutil, use the Files option.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 38 A corporate network includes an Active Directory-integrated zone. All DNS servers that host the zone are domain controllers. You add multiple DNS records to the zone. You need to ensure that the new records are available on all DNS servers as soon as possible.

Which tool should you use?

A. Ldp
B. Repadmin
C. Ntdsutil
D. Nslookup
E. Active Directory Sites And Services console
F. Active Directory Domains And Trusts console
G. Dnslint
H. Dnscmd

Answer: H Section: 70-640 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc778513(WS.10).aspx

QUESTION 39 You have a DNS zone that is stored in a custom application partition. You need to add a domain controller to the replication scope of the custom application partition. Which tool should you use?

A. DNScmd
B. DNS Manager
C. Server Manager
D. Dsmod

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 40 Your network contains a server named Server1 that runs Windows Server 2008 R2 Standard. Server1 has the Active Directory Certificate Services (AD CS) role installed. You configure a certificate template named Template1 for autoenrollment. You discover that certificates are not being issued to any client computers. The event logs on the client computers do not contain any autoenrollment errors. You need to ensure that all of the client computers automatically receive certificates based on Template1. What should you do?

A. Modify the Default Domain Policy Group Policy object (GPO).
B. Modify the Default Domain Controllers Policy Group Policy object (GPO).
C. Upgrade Server1 to Windows Server 2008 R2 Enterprise.
D. Restart Certificate Services on Server1.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 41 Your network contains a server that has the Active Directory Lightweight Directory Services (AD LDS) role installed.

You need to perform an automated installation of an AD LDS instance. Which tool should you use?

A. Dism.exe
B. Servermanagercmd.exe
C. Adaminstall.exe
D. Ocsetup.exe

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 42 Your network contains an Active Directory domain named contoso.com. A partner company has an Active Directory domain named nwtraders.com. The networks for contoso.com and nwtraders.com connect to each other by using a WAN link. You need to ensure that users in contoso.com can access resources in nwtraders.com and resources on the Internet. What should you do first?

A. Modify the Trusted Root Certification Authorities store.
B. Modify the Intermediate Certification Authorities store.
C. Create conditional forwarders.
D. Add a root hint to the DNS server.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 43 Your network contains an Active Directory forest. The forest contains multiple domains. You need to ensure that users in the human resources department can search for employees by using the employeeNumber attribute. What should you do?

A. From Active Directory Sites and Services, modify the properties of each global catalog server.
B. From the Active Directory Schema snap-in, modify the properties of the user object class.
C. From Active Directory Sites and Services, modify the NTDS Settings object of each global catalog server.
D. From the Active Directory Schema snap-in, modify the properties of the employeeNumber attribute.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 44 Your network contains a single Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that the encryption keys for e-mail certificates can be recovered from the CA database. You modify the e-mail certificate template to support key archival. What should you do next?

A. Issue the key recovery agent certificate template.
B. Run certutil.exe -recoverkey.
C. Run certreq.exe -policy.
D. Modify the location of the Authority Information Access (AIA) distribution point.

Answer: A Section: 70-640 Explanation/Reference: Explanation: Not certutil.exe -recoverkey as this recovers archived keys but e-mail certificate template does not have key archival by default.

QUESTION 45 Your network contains an Active Directory-integrated DNS zone named contoso.com. You discover that the zone includes DNS records for computers that were removed from the network. You need to ensure that the DNS records are deleted automatically from the zone. What should you do?

A. From DNS Manager, set the aging properties.
B. Create a scheduled task that runs dnslint.exe /v /d contoso.com.
C. From DNS Manager, modify the refresh interval of the start of authority (SOA) record.
D. Create a scheduled task that runs ipconfig.exe /flushdns.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 46 Your network contains a domain controller that runs Windows Server 2008 R2. You run the following command on the domain controller:

dsamain.exe -dbpath c:\$SNAP_201006170326_VOLUMEC$\Windows\NTDS\ntds.dit -ldapport 389 -allowNonAdminAccess

The command fails. You need to ensure that the command completes successfully. How should you modify the command?

A. Change the value of the -dbpath parameter.
B. Include the path to Dsamain.
C. Change the value of the -ldapport parameter.
D. Remove the -allowNonAdminAccess parameter.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 47 Your network contains an Active Directory domain. The domain contains 10 domain controllers that run Windows Server 2008 R2. You need to monitor the following information on the domain controllers during the next five days:
- Memory usage
- Processor usage
- The number of LDAP queries
What should you do?

A. Create a User Defined Data Collector Set (DCS) that uses the Active Directory Diagnostics template.
B. Use the System Performance Data Collector Set (DCS).
C. Create a User Defined Data Collector Set (DCS) that uses the System Performance template.
D. Use the Active Directory Diagnostics Data Collector Set (DCS).

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 48 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a domain controller named DC1 and a read-only domain controller (RODC) named RODC1. You need to view the most recent user accounts authenticated by RODC1. What should you do first?

A. From Active Directory Sites and Services, right-click the Connection object for DC1, and then click Replicate Now.
B. From Active Directory Sites and Services, right-click the Connection object for DC2, and then click Replicate Now.
C. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to DC1.
D. From Active Directory Users and Computers, right-click contoso.com, click Change Domain Controller, and then connect to RODC1.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 49 Your network contains an Active Directory domain. The domain contains 3,000 client computers. All of the client computers run Windows 7. Users log on to their client computers by using standard user accounts. You plan to deploy a new application named App1. The vendor of App1 provides a Setup.exe file to install App1. Setup.exe requires administrative rights to run. You need to deploy App1 to all client computers. The solution must meet the following requirements:
- App1 must automatically detect and replace corrupt application files.
- App1 must be available from the Start menu on each client computer.
What should you do first?

A. Create a logon script that calls Setup.exe for App1.
B. Create a .zap file.
C. Create a startup script that calls Setup.exe for App1.
D. Repackage App1 as a Windows Installer package.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 50 Your network contains an Active Directory domain named contoso.com. Contoso.com contains two sites named Site1 and Site2. Site1 contains a domain controller named DC1. In Site1, you install a new domain controller named DC2. You ship DC2 to Site2. You discover that certain users in Site2 authenticate to DC1. You need to ensure that the users in Site2 always attempt to authenticate to DC2 first. What should you do?
A. From Active Directory Users and Computers, modify the Location settings of the DC2 computer object.
B. From Active Directory Sites and Services, modify the Location attribute for Site2.
C. From Active Directory Sites and Services, move the DC2 server object.
D. From Active Directory Users and Computers, move the DC2 computer object.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 51 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a server named Server2. You open the System properties on Server2 as shown in the exhibit. (Click the Exhibit button.)

When you attempt to configure Server2 as an enterprise subordinate certification authority (CA), you discover that the enterprise subordinate CA option is unavailable. You need to configure Server2 as an enterprise subordinate CA. What should you do first? Exhibit:

A. Upgrade Server2 to Windows Server 2008 R2 Enterprise.
B. Log in as an administrator and run Server Manager.
C. Import the root CA certificate.
D. Join Server2 to the domain.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 52 Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA). You need to ensure that only members of a group named Admin1 can create certificate templates. Which tool should you use to assign permissions to Admin1?
A. the Certification Authority console
B. Active Directory Users and Computers
C. the Certificates snap-in
D. Active Directory Sites and Services

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 53 Your network contains an Active Directory domain. All DNS servers are domain controllers. You view the properties of the DNS zone as shown in the exhibit. (Click the Exhibit button.) You need to ensure that only domain members can register DNS records in the zone. What should you do first? Exhibit:

A. Modify the zone type.
B. Create a trust anchor.
C. Modify the Advanced properties of the DNS server.
D. Modify the Dynamic updates setting.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 54 Your company has a single Active Directory forest with a single domain. Consultants in different departments of the company require access to different network resources. The consultants belong to a global group named TempWorkers. Three file servers are placed in a new organizational unit named SecureServers. The file servers contain confidential data in shared folders. You need to prevent the consultants from accessing the confidential data. What should you do?

A. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
B. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny access to this computer from the network user right to the TempWorkers global group.
C. On the three file servers, create a share on the root of each hard disk. Configure the Deny Full control permission for the TempWorkers global group on the share.
D. Create a new Group Policy Object (GPO) and link it to the domain. Assign the Deny log on locally user right to the TempWorkers global group.
E. Create a new Group Policy Object (GPO) and link it to the SecureServers organizational unit. Assign the Deny log on locally user right to the TempWorkers global group.
Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 55 Your network contains two Active Directory forests named contoso.com and nwtraders.com. The functional level of both forests is Windows Server 2003. Contoso.com contains one domain. Nwtraders.com contains two domains. You need to ensure that users in contoso.com can access the resources in all domains. The solution must require the minimum number of trusts. Which type of trust should you create?
A. external
B. forest
C. realm
D. shortcut

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 56 You install an Active Directory domain in a test environment. You need to reset the passwords of all the user accounts in the domain from a domain controller. Which two Windows PowerShell commands should you run? (Each correct answer presents part of the solution. Choose two.)
A. $newPassword = *
B. Import-Module ActiveDirectory
C. Import-Module WebAdministration
D. Get-ADUser -filter * | Set-ADAccountPassword -NewPassword $newPassword -Reset
E. Set-ADAccountPassword -NewPassword -Reset
F. $newPassword = (Read-Host -Prompt "New Password" -AsSecureString)
G. Import-Module ServerManager

Answer: DF Section: 70-640

Explanation/Reference: Explanation:

QUESTION 57 DRAG DROP Your network contains an Active Directory forest named contoso.com. The forest contains a domain controller named DC1 that runs Windows Server 2008 R2 Enterprise and a member server named Server1 that runs Windows Server 2008 R2 Standard. You have a computer named Computer1 that runs Windows 7. Computer1 is not connected to the network. You need to join Computer1 to the contoso.com domain. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 58 HOTSPOT Your network contains an Active Directory domain named contoso.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap-in should you add a zone? To answer, select the appropriate node in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Select Reverse Lookup Zones.

QUESTION 59 HOTSPOT Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1. Server1 has an IP address of 192.168.200.100. You need to view the Pointer (PTR) record for Server1. Which zone should you open in the DNS snap-in to view the record? To answer, select the appropriate zone in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Select 200.168.192.in-addr.arpa

QUESTION 60 HOTSPOT Your network contains an Active Directory domain. You need to create a new site link between two sites named Site1 and Site3. The site link must support the replication of domain objects. Under which node in Active Directory Sites and Services should you create the site link? To answer, select the appropriate node in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Select the IP container under Inter-Site Transports.

QUESTION 61 DRAG DROP Your network contains an Active Directory forest named adatum.com. The forest contains four child domains named europe.adatum.com, northamerica.adatum.com, asia.adatum.com, and africa.adatum.com. You need to create four new groups in the forest root domain. The groups must be configured as shown in the following table.

What should you do? To answer, drag the appropriate group type to the correct group name in the answer area.

A. B. C. D.

Answer: Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 62 HOTSPOT You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use? To answer, select the appropriate tool in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Select Active Directory Users and Computers.

QUESTION 63 HOTSPOT Your network contains an Active Directory forest named contoso.com.

The password policy of the forest requires that the passwords for all of the user accounts be changed every 30 days. You need to create user accounts that will be used by services. The passwords for these accounts must be changed automatically every 30 days. Which tool should you use to create these accounts? To answer, select the appropriate tool in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Select Active Directory Module for Windows PowerShell.

QUESTION 64 Your network contains two forests named adatum.com and litwareinc.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create a forest trust between adatum.com and litwareinc.com. What should you do first?
A. Create an external trust.
B. Raise the functional level of both forests.
C. Configure SID filtering.
D. Raise the functional level of all the domains.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 65 Your network contains an Active Directory forest named adatum.com. All client computers used by the marketing department are in an organizational unit (OU) named Marketing Computers. All user accounts for the marketing department are in an OU named Marketing Users. You purchase a new application. You need to ensure that every user in the domain who logs on to a marketing department computer can use the application. The application must only be available from the marketing department computers. What should you do?
A. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a shared folder on the network. Assign the application.
B. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a shared folder on the network. Assign the application.
C. Create and link a Group Policy object (GPO) to the Marketing Computers OU. Copy the installation package to a local drive on each marketing department computer. Publish the application.
D. Create and link a Group Policy object (GPO) to the Marketing Users OU. Copy the installation package to a folder on each marketing department computer. Publish the application.
Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 66 Your network contains an Active Directory forest named adatum.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you install before you create the AD RMS root cluster?
A. The Failover Cluster feature
B. The Active Directory Certificate Services (AD CS) role
C. Microsoft Exchange Server 2010
D. Microsoft SharePoint Server 2010
E. Microsoft SQL Server 2008

Answer: E Section: 70-640 Explanation/Reference: Explanation:

QUESTION 67 HOTSPOT Your network contains an Active Directory forest. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which service should you restart on the domain controllers? To answer, select the appropriate service in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Select the Netlogon service.

QUESTION 68 Your network contains an Active Directory domain named contoso.com. The contoso.com domain contains a domain controller named DC1. You create an Active Directory-integrated GlobalNames zone. You add an alias (CNAME) resource record named Server1 to the zone. The target host of the record is server2.contoso.com. When you ping Server1, you discover that the name fails to resolve. You are able to successfully ping server2.contoso.com. You need to ensure that you can resolve names by using the GlobalNames zone. Which command should you run?
A. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /domain
B. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport forest
C. Dnscmd DC1.contoso.com /config /Enableglobalnamessupport 1
D. Dnscmd DC1.contoso.com /ZoneAdd GlobalNames /DsPrimary /DP /forest

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 69 Your network contains an Active Directory domain named contoso.com. The network has a branch office site that contains a read-only domain controller (RODC) named RODC1. RODC1 runs Windows Server 2008 R2. A user logs on to a computer in the branch office site. You discover that the user's password is not stored on RODC1. You need to ensure that the user's password is stored on RODC1 when he logs on to a branch office site computer. What should you do?
A. Modify the RODC's password replication policy by removing the entry for the Allowed RODC Password Replication Group.
B. Modify the RODC's password replication policy by adding RODC1's computer account to the list of allowed users, groups, and computers.
C. Add the user's user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add RODC1's computer account to the built-in Allowed RODC Password Replication Group on RODC1.
Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 70 You deploy an Active Directory Federation Services (AD FS) Federation Service Proxy on a server named Server1. You need to configure the Windows Firewall on Server1 to allow external users to authenticate by using AD FS. Which protocol should you allow on Server1?
A. Kerberos
B. SSL
C. SMB
D. RPC

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 71 Your network contains an Active Directory domain named contoso.com. Contoso.com contains a member server that runs Windows Server 2008 R2 Standard. You need to create an enterprise subordinate certification authority (CA) that can issue certificates based on version 3 certificate templates. You must achieve this goal by using the minimum amount of administrative effort. What should you do first?
A. Run the certutil.exe -addenrollmentserver command.
B. Install the Active Directory Certificate Services (AD CS) role on the member server.
C. Upgrade the member server to Windows Server 2008 R2 Enterprise.
D. Run the certutil.exe -installdefaulttemplates command.
Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 72 Your network contains a server named Server1. The Active Directory Rights Management Services (AD RMS) server role is installed on Server1. An administrator changes the password of the user account that is used by AD RMS. You need to update AD RMS to use the new password. Which console should you use?
A. Active Directory Rights Management Services
B. Active Directory Users and Computers
C. Local Users and Groups
D. Services

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 73 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You enable key archival on the CA. The CA is configured to use custom certificate templates for Encrypted File System (EFS) certificates. You need to archive the private key for all new EFS certificates. Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Group Policy Management
D. Enterprise PKI
E. Security Templates
F. TPM Management
G. Certificates
H. Certification Authority
I. Certificate Templates

Answer: H Section: 70-640 Explanation/Reference: Explanation:

QUESTION 74 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that all of the members of a group named Group1 can view the event log entries for Certificate Services. Which snap-in should you use?
A. Certificate Templates
B. Certification Authority
C. Authorization Manager
D. Active Directory Users and Computers
E. TPM Management
F. Security Templates
G. Group Policy Management
H. Enterprise PKI
I. Certificates

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 75 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to ensure that users can enroll for certificates that use the IPSEC (Offline request) certificate template. Which snap-in should you use?
A. Enterprise PKI
B. TPM Management
C. Certificates
D. Active Directory Users and Computers
E. Authorization Manager
F. Certification Authority
G. Group Policy Management
H. Security Templates
I. Certificate Templates

Answer: I Section: 70-640 Explanation/Reference: Explanation:

QUESTION 76 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise.

You have a custom certificate template named Template1. Template1 is published to the CA. You need to ensure that all of the members of a group named Group1 can enroll for certificates that use Template1. Which snap-in should you use?

A. Security Templates
B. Enterprise PKI
C. Certification Authority
D. Certificate Templates
E. Certificates
F. TPM Management
G. Authorization Manager
H. Group Policy Management
I. Active Directory Users and Computers

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 77 Your network contains an enterprise certification authority (CA) that runs Windows Server 2008 R2 Enterprise. You need to approve a pending certificate request. Which snap-in should you use?
A. Active Directory Users and Computers
B. Authorization Manager
C. Certification Authority
D. Group Policy Management
E. Certificate Templates
F. TPM Management
G. Certificates
H. Enterprise PKI
I. Security Templates

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 78 DRAG DROP Your network contains an Active Directory domain named adatum.com. You need to use Group Policies to deploy the line-of-business applications shown in the following table.

What should you do? To answer, drag the appropriate deployment method to the correct application in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 79 DRAG DROP Your network contains an Active Directory forest named contoso.com. You need to create an Active Directory Rights Management Services (AD RMS) licensing-only cluster. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 80 You have a single Active Directory domain. All domain controllers run Windows Server 2008 and are configured as DNS servers. The domain contains one Active Directory-integrated DNS zone. You need to ensure that outdated DNS records are automatically removed from the DNS zone. What should you do?
A. From the properties of the zone, modify the TTL of the SOA record.
B. From the properties of the zone, enable scavenging.
C. From the command prompt, run ipconfig /flushdns.
D. From the properties of the zone, disable dynamic updates.

Answer: B Section: 70-640 Explanation/Reference: Explanation:
To remove the outdated DNS records from the DNS zone automatically, you should enable Scavenging through Zone properties. Scavenging will help you clean up old unused records in DNS. Since "clean up" really means "delete stuff", a good understanding of what you are doing and a healthy respect for "delete stuff" will keep you out of the hot grease. Because deletion is involved, there are quite a few safety valves built into scavenging that take a long time to pop. When enabling scavenging, patience is required.
Reference: http://www.gilham.org/Blog/Lists/Posts/Post.aspx?List=aab85845-88d2-4091-8088a6bbce0a4304&ID=211

QUESTION 81 Your company, Contoso, Ltd., has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com. The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone. You install a new domain controller named DC2 in the branch office. You install DNS on DC2. You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.

What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.

Answer: D Section: 70-640 Explanation/Reference: Explanation:
To make sure that the DNS service on TK2 can update records and resolve DNS queries in the event of a MAN link failure, you should convert maks.contoso.com on TK1 to an Active Directory-integrated zone. Active Directory-integrated DNS offers two pluses over traditional zones. For one, the fault tolerance built into Active Directory eliminates the need for primary and secondary nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide availability of nameservers that can accept registrations. Recall that domain controllers and workstations register their locations and availability to the DNS zone using dynamic DNS. In a traditional DNS setup, only one type of nameserver (the primary server) can accept these registrations, because it has the only read/write copy of a zone. By creating an Active Directory-integrated zone, all Windows Server 2008 nameservers that store their zone data in Active Directory can accept a dynamic registration, and the change will be propagated using Active Directory multimaster replication.
Reference: http://safari.adobepress.com/9780596514112/active_directory-integrated_zones

QUESTION 82 Your company has an Active Directory domain. A user attempts to log on to a computer that was turned off for twelve weeks. The administrator receives an error message that authentication has failed. You need to ensure that the user is able to log on to the computer. What should you do?
A. Run the netsh command with the set and machine options.
B. Reset the computer account. Disjoin the computer from the domain, and then rejoin the computer to the domain.
C. Run the netdom TRUST /reset command.
D. Run the Active Directory Users and Computers console to disable, and then enable the computer account.
Answer: B Section: 70-640 Explanation/Reference: Explanation:
To ensure that the administrator can log on to the computer, you should disjoin the computer from the domain and rejoin it again. Reset the computer account too. Due to long inactivity, the computer was not responding to the authentication query using the Active Directory records. So when you disjoin and rejoin the computer to the domain and reset the computer account, the Active Directory refreshes the computer account password. After that the administrator can easily log on to the computer.

QUESTION 83 Your company has a main office and a branch office. You deploy a read-only domain controller (RODC) that runs Microsoft Windows Server 2008 to the branch office. You need to ensure that users at the branch office are able to log on to the domain by using the RODC. What should you do?
A. Add another RODC to the branch office.
B. Configure a new bridgehead server in the main office.
C. Decrease the replication interval for all connection objects by using the Active Directory Sites and Services console.
D. Configure the Password Replication Policy on the RODC.
Answer: D Section: 70-640 Explanation/Reference: Explanation:
To ensure that the users at the branch office can log on to the domain using RODC, you should use a Password Replication Policy. RODCs don't cache any user or machine passwords. You can change this by adding a policy through each RODC's unique Password Replication Policy (PRP). A policy would create a group for each branch office with a RODC and add users in that branch office. An administrator, then, can allow password replication for the branch-office group.

QUESTION 84 Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records. You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records. What should you do?
A. Set dynamic updates to Secure Only.
B. Remove the Authenticated Users group.
C. Enable zone transfers to Name Servers.
D. Deny the Everyone group the Create All Child Objects permission.

Answer: A Section: 70-640 Explanation/Reference: Explanation:
To make sure only the domain members are able to register their DNS records dynamically, set the option Secure only for Dynamic updates. This lets only the domain members register their DNS records dynamically.
Reference: www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cncf_imp_afpf.mspx

QUESTION 85 An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume. What should you do?
A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.
B. Move the ntds.dit file to the new volume by using Windows Explorer.
C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.
D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.
Answer: D Section: 70-640 Explanation/Reference: Explanation:
To move the Active Directory database to a new volume, you should move the ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to move the database file, the log files, or both to a larger existing partition. If you are not using Ntdsutil.exe when moving files to a different partition, you will need to manually update the registry.
Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81ca-d51707bf01eb1033.mspx?mfr=true

QUESTION 86 Your company uses a Windows 2008 Enterprise certificate authority (CA) to issue certificates. You need to implement key archival. What should you do?
A. Configure the certificate for automatic enrollment for the computers that store encrypted files.
B. Install an Enterprise Subordinate CA and issue a user certificate to users of the encrypted files.
C. Apply the Hisecdc security template to the domain controllers.
D. Archive the private key on the server.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 87 Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site. All sites are connected with the DEFAULTIPSITELINK object. You need to decrease the replication latency between the domain controllers. What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 88 Your company has two Active Directory forests named contoso.com and fabrikam.com. Both forests run only domain controllers that run Windows Server 2008. The domain functional level of contoso.com is Windows Server 2008. The domain functional level of fabrikam.com is Windows Server 2003 Native mode. You configure an external trust between contoso.com and fabrikam.com. You need to enable the Kerberos AES encryption option. What should you do?
A. Raise the forest functional level of fabrikam.com to Windows Server 2008.
B. Raise the domain functional level of fabrikam.com to Windows Server 2008.
C. Raise the forest functional level of contoso.com to Windows Server 2008.
D. Create a new forest trust and enable forest-wide authentication.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 89 You need to remove the Active Directory Domain Services role from a domain controller named DC1. What should you do?
A. Run the netdom remove DC1 command.
B. Run the Dcpromo utility. Remove the Active Directory Domain Services role.
C. Run the nltest /remove_server: DC1 command.
D. Reset the Domain Controller computer account by using the Active Directory Users and Computers utility.

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 90 Your company has an Active Directory forest. Each branch office has an organizational unit and a child organizational unit named Sales. The Sales organizational unit contains all users and computers of the sales department. You need to install an Office 2007 application only on the computers in the Sales organizational unit. You create a GPO named SalesApp GPO. What should you do next?
A. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the Sales organizational unit in each location.
B. Configure the GPO to assign the application to the computer account. Link the SalesAPP GPO to the domain.
C. Configure the GPO to publish the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.
D. Configure the GPO to assign the application to the user account. Link the SalesAPP GPO to the Sales organizational unit in each location.
Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 91 Your company has a main office and three branch offices. Each office is configured as a separate Active Directory site that has its own domain controller. You disable an account that has administrative rights. You need to immediately replicate the disabled account information to all sites. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. From the Active Directory Sites and Services console, configure all domain controllers as global catalog servers.
B. From the Active Directory Sites and Services console, select the existing connection objects and force replication.
C. Use Repadmin.exe to force replication between the site connection objects.
D. Use Dsmod.exe to configure all domain controllers as global catalog servers.
Answer: BC Section: 70-640 Explanation/Reference: Explanation:

QUESTION 92 Your company network has an Active Directory forest that has one parent domain and one child domain. The child domain has two domain controllers that run Windows Server 2008. All user accounts from the child domain are migrated to the parent domain. The child domain is scheduled to be decommissioned. You need to remove the child domain from the Active Directory forest. What are two possible ways to achieve this goal? (Each correct answer presents a complete solution. Choose two.)
A. Run the Computer Management console to stop the Domain Controller service on both domain controllers in the child domain.
B. Delete the computer accounts for each domain controller in the child domain. Remove the trust relationship between the parent domain and the child domain.
C. Use Server Manager on both domain controllers in the child domain to uninstall the Active Directory domain services role.
D. Run the Dcpromo tool that has individual answer files on each domain controller in the child domain.
Answer: CD Section: 70-640 Explanation/Reference: Explanation:

QUESTION 93 Your company has an Active Directory domain. You install a new domain controller in the domain. Twenty users report that they are unable to log on to the domain. You need to register the SRV records. Which command should you run on the new domain controller?
A. Run the netsh interface reset command.
B. Run the ipconfig /flushdns command.
C. Run the dnscmd /EnlistDirectoryPartition command.
D. Run the sc stop netlogon command followed by the sc start netlogon command.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 94 Your company uses shared folders. Users are granted access to the shared folders by using domain local groups. One of the shared folders contains confidential data. You need to ensure that unauthorized users are not able to access the shared folder that contains confidential data. What should you do? A. Enable the Do not trust this computer for delegation property on all the computers of unauthorized users by using the Dsmod utility. B. Instruct the unauthorized users to log on by using the Guest account. Configure the Deny Full control permission on the shared folders that hold the confidential data for the Guest account. C. Create a Global Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Allow Full control permission on the shared folder that holds the confidential data for the Deny DLG group. D. Create a Domain Local Group named Deny DLG. Place the global group that contains the unauthorized users into the Deny DLG group. Configure the Deny Full control permission on the shared folder that holds the confidential data for the Deny DLG group. Answer: D Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 95 Your company has three Active Directory domains in a single forest. You install a new Active Directory enabled application. The application adds new user attributes to the Active Directory schema. You discover that the Active Directory replication traffic to the Global Catalogs has increased. You need to prevent the new attributes from being replicated to the Global Catalog. You must achieve this goal without affecting application functionality. What should you do? A. Change the replication interval for the DEFAULTIPSITELINK object to 9990. B. Change the cost for the DEFAULTIPSITELINK object to 9990. C. Make the new attributes in the Active Directory as defunct. D. Modify the properties in the Active Directory schema for the new attributes.

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 96 There are 100 servers and 2000 computers present at your company's headquarters. The DHCP service is installed on a two-node Microsoft failover cluster named CKMFO to ensure the high availability of the service. The nodes are named as CKMFON1 and CKMFON2. The cluster on CKMFO has one physical shared disk of 400 GB capacity. A 200GB single volume is configured on the shared disk. Company has decided to host a Windows Internet Naming Service (WINS) on CKMFON1. The DHCP and WINS services will be hosted on other nodes. Using High Availability Wizard, you begin creating the WINS service group on cluster available on CKMFON1 node. The wizard shows an error "no disks are available" during configuration. Which action should you perform to configure storage volumes on CKMFON1 to successfully add the WINS Service group to CKMFON1? A. Backup all data on the single volume on CKMFON1 and configure the disk with GUID partition table and create two volumes. Restore the backed up data on one of the volumes and use the other for WINS service group B. Add a new physical shared disk to the CKMFON1 cluster and configure a new volume on it. Use this volume to fix the error in the wizard. C. Add new physical shared disks to CKMFON1 and EMBFON2. Configure the volumes on these disks and direct CKMFON1 to use CKMFON2 volume for the WINS service group D. Add and configure a new volume on the existing shared disk which has 400GB of space. Use this volume to fix the error in the wizard E. None of the above Answer: B Section: 70-640

Explanation/Reference: Explanation:

QUESTION 97 Company servers run Windows Server 2008. It has a single Active Directory domain. A server called S4 has file services role installed. You install some disks for additional storage. The disks are configured as shown in the exhibit. To support data striping with parity, you have to create a new drive volume. What should you do to achieve this objective? Exhibit:

A. Build a new spanned volume by combining Disk0 and Disk1 B. Create a new Raid-5 volume by adding another disk. C. Create a new virtual volume by combining Disk 1 and Disk 2 D. Build a new striped volume by combining Disk0 and Disk 2

Answer: B

Section: 70-640 Explanation/Reference: Explanation:

QUESTION 98 Your company asks you to implement Windows Cardspace in the domain. You want to use Windows Cardspace at your home. Your home and office computers run Windows Vista Ultimate. What should you do to create a backup copy of Windows Cardspace cards to be used at home? A. Log on with your administrator account and copy \Windows\ServiceProfiles folder to your USB drive B. Backup \Windows\Globalization folder by using backup status and save the folder on your USB drive C. Back up the system state data by using backup status tool on your USB drive D. Employ Windows Cardspace application to backup the data on your USB drive. E. Reformat the C: Drive F. None of the above

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 99 Company has servers on the main network that run Windows Server 2008. It also has two domain controllers. Active Directory services are running on a domain controller named CKDC1. You have to perform critical updates of Windows Server 2008 on CKDC1 without rebooting the server. What should you do to perform offline critical updates on CKDC1 without rebooting the server? A. Start the Active Directory Domain Services on CKDC1 B. Disconnect from the network and start the Windows update feature C. Stop the Active Directory domain services and install the updates. Start the Active Directory domain services after installing the updates. D. Stop Active Directory domain services and install updates. Disconnect from the network and then connect again E. None of the above Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 100 One of the remote branch offices of Company is running a Windows Server 2008 server that has a read-only domain controller (RODC) installed. For security reasons you don't want some critical credentials (such as passwords and encryption keys) to be stored on the RODC. What should you do so that these credentials are not replicated to any RODCs in the forest? (Select 2) A. Configure RODC filtered attribute set on the server B. Configure RODC filtered set on the server that holds Schema Operations Master role. C. Delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain D. Configure forest functional level server for Windows server 2008 to configure filtered attribute set. E. None of the above Answer: BD Section: 70-640 Explanation/Reference: Explanation:

QUESTION 101 Company has a server with Active Directory Rights Management Services (AD RMS) server installed. Users have computers with Windows Vista installed on them with an Active Directory domain installed at Windows Server 2003 functional level. As an administrator at Company, you discover that the users are unable to benefit from AD RMS to protect their documents. You need to configure AD RMS to enable users to use it and protect their documents. What should you do to achieve this functionality? A. Configure an email account in Active Directory Domain Services (AD DS) for each user. B. Add and configure ADRMSADMIN account in local administrators group on the user computers C. Add and configure the ADRMSSRVC account in AD RMS server's local administrator group D. Reinstall the Active Directory domain on user computers E. All of the above

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 102 Company has an Active Directory forest on a single domain. Company needs a distributed application that employs a custom application. The application is directory partition software named PARDAT. You need to implement this application for data replication. Which two tools should you use to achieve this task? (Choose two answers. Each answer is a part of a complete solution) A. Dnscmd. B. Ntdsutil. C. Ipconfig D. Dnsutil E. All of the above

Answer: AB Section: 70-640 Explanation/Reference: Explanation:

QUESTION 103 Company has an Active Directory forest with six domains. The company has 5 sites. The company requires a new distributed application that uses a custom application directory partition named ResData for data replication. The application is installed on one member server in five sites. You need to configure the five member servers to receive the ResData application directory partition for data replication. What should you do? A. Run the Dcpromo utility on the five member servers. B. Run the Regsvr32 command on the five member servers C. Run the Webadmin command on the five member servers D. Run the RacAgent utility on the five member servers

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 104 As an administrator at Company, you have installed an Active Directory forest that has a single domain. You have installed an Active Directory Federation services (AD FS) on the domain member server. What should you do to configure AD FS to make sure that AD FS token contains information from the active directory domain? A. Add a new account store and configure it. B. Add a new resource partner and configure it C. Add a new resource store and configure it D. Add a new administrator account on AD FS and configure it E. None of the above

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 105 Company runs Windows Server 2008 on all of its servers. It has a single Active Directory domain and it uses Enterprise Certificate Authority. The security policy at ABC.com makes it necessary to examine revoked certificate information. You need to make sure that the revoked certificate information is available at all times. What should you do to achieve that? A. Add and configure a new GPO (Group Policy Object) that enables users to accept peer certificates and link the GPO to the domain. B. Configure and use a GPO to publish a list of trusted certificate authorities to the domain C. Configure and publish an OCSP (Online certificate status protocol) responder through ISAS (Internet Security and Acceleration Server) array. D. Use network load balancing and publish an OCSP responder. E. None of the above Answer: D Section: 70-640

Explanation/Reference: Explanation:

QUESTION 106 As the Company administrator you had installed a read-only domain controller (RODC) server at remote location. The remote location doesn't provide enough physical security for the server. What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers?

A. Remove any administrative accounts from RODC's group B. Add administrative accounts to the domain Allowed RODC Password Replication group C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO) D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO. E. None of the above Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 107 ABC.com boasts a two-node Network Load Balancing cluster named web.CK1.com. The purpose of this cluster is to provide load balancing and high availability of the intranet website only. While monitoring the cluster, you discover that the users can view the Network Load Balancing cluster in their Network Neighborhood and they can use it to connect to various services by using the name web.CK1.com. You also discover that there is only one port rule configured for Network Load Balancing cluster. You have to configure the web.CK1.com NLB cluster to accept HTTP traffic only. Which two actions should you perform to achieve this objective? (Choose two answers. Each answer is part of the complete solution) A. Create a new rule for TCP port 80 by using the Network Load Balancing Cluster console B. Run the wlbs disable command on the cluster nodes C. Assign a unique port rule for NLB cluster by using the NLB Cluster console D. Delete the default port rules through Network Load Balancing Cluster console

Answer: AD Section: 70-640 Explanation/Reference: Explanation:

QUESTION 108 ABC.com has a main office and a branch office. ABC.com's network consists of a single Active Directory forest. Some of the servers in the network run Windows Server 2008 and the rest run Windows server 2003.

You are the administrator at ABC.com. You have installed Active Directory Domain Services (AD DS) on a computer that runs Windows Server 2008. The branch office is located in a physically insecure place. It has no IT personnel onsite and there are no administrators over there. You need to set up a Read-Only Domain Controller (RODC) on the Server Core installation computer in the branch office. What should you do to set up RODC on the computer in branch office? A. Execute an attended installation of AD DS B. Execute an unattended installation of AD DS C. Execute RODC through AD DS D. Execute AD DS by using deploying the image of AD DS E. None of the above

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 109 You had installed an Active Directory Federation Services (AD FS) role on a Windows server 2008 in your organization. Now you need to test the connectivity of clients in the network to ensure that they can successfully reach the new Federation server and Federation server is operational. What should you do? (Select all that apply) A. Go to Services tab, and check if Active Directory Federation Services is running B. In the event viewer, Applications, Event ID column look for event ID 674. C. Open a browser window, and then type the Federation Service URL for the new federation server. D. None of the above

Answer: BC Section: 70-640 Explanation/Reference: Explanation:

QUESTION 110 ABC.com has purchased laptop computers that will be used to connect to a wireless network. You create a laptop organizational unit and create a Group Policy Object (GPO) and configure user profiles by utilizing the names of approved wireless networks. You link the GPO to the laptop organizational unit. The new laptop users complain to you that they cannot connect to a wireless network. What should you do to enforce the group policy wireless settings to the laptop computers? A. Execute gpupdate /target:computer command at the command prompt on laptop computers B. Execute Add a network command and leave the SSID (service set identifier) blank C. Execute gpupdate /boot command at the command prompt on laptop computers D. Connect each laptop computer to a wired network and log off the laptop computer and then login again. E. None of the above

Answer: D Section: 70-640

Explanation/Reference: Explanation:

QUESTION 111 The Company has a Windows 2008 domain controller server. This server is routinely backed up over the network from a dedicated backup server that is running Windows 2003 OS. You need to prepare the domain controller for disaster recovery apart from the routine backup procedures. You are unable to launch the backup utility while attempting to back up the system state data for the domain controller. You need to backup system state data from the Windows Server 2008 domain controller server. What should you do? A. Add your user account to the local Backup Operators group B. Install the Windows Server backup feature using the Server Manager feature. C. Install the Removable Storage Manager feature using the Server Manager feature D. Deactivating the backup job that is configured to backup Windows 2008 server domain controller on the Windows 2003 server. E. None of the above Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 112 You are an administrator at ABC.com. Company has a RODC (read-only domain controller) server at a remote location. The remote location doesn't have proper physical security. You need to activate non-administrative account passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative account passwords? A. Delete all administrative accounts from the RODC's group B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO) C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators. E. None of the above Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 113 ABC.com has a network that is comprised of a single Active Directory Domain. As an administrator at ABC.com, you install Active Directory Lightweight Directory Services (AD LDS) on a server that runs Windows Server 2008. To enable Secure Sockets Layer (SSL) based connections to the AD LDS server, you install certificates from a trusted Certification Authority (CA) on the AD LDS server and client computers. Which tool should you use to test the certificate with AD LDS? A. Ldp.exe B. Active Directory Domain services C. ntdsutil.exe D. Lds.exe E. wsamain.exe F. None of the above

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 114 ABC.com boasts a main office and 20 branch offices. Configured as a separate site, each branch office has a Read-Only Domain Controller (RODC) server installed. Users in remote offices complain that they are unable to log on to their accounts. What should you do to make sure that the cached credentials for user accounts are only stored in their local branch office RODC server? A. Open the RODC computer account security tab and set Allow on the Receive as permission only for the users that are unable to log on to their accounts B. Add a password replication policy to the main Domain RODC and add user accounts in the security group C. Configure a unique security group for each branch office and add user accounts to the respective security group. Add the security groups to the password replication allowed group on the main RODC server D. Configure and add a separate password replication policy on each RODC computer account Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 115 The corporate network of Company consists of a Windows Server 2008 single Active Directory domain. The domain has two servers named Company 1 and Company 2. To ensure central monitoring of events you decided to collect all the events on one server, Company 1. To collect events from Company 2 and transfer them to Company 1, you configured the required event subscriptions. You selected the Normal option for the Event delivery optimization setting by using the HTTP protocol. However, you discovered that none of the subscriptions work. Which of the following actions would you perform to configure the event collection and event forwarding on the two servers? (Select three. Each answer is a part of the complete solution).

A. Through Run window execute the winrm quickconfig command on Company 2. B. Through Run window execute the wecutil qc command on Company 2. C. Add the Company 1 account to the Administrators group on Company 2. D. Through Run window execute the winrm quickconfig command on Company 1. E. Add the Company 2 account to the Administrators group on Company 1. F. Through Run window execute the wecutil qc command on Company 1.

Answer: ABF Section: 70-640 Explanation/Reference: Reference: http://msdn.microsoft.com/en-us/library/bb870973%28VS.85%29.aspx

QUESTION 116 ABC.com has a software evaluation lab. There is a server in the evaluation lab named CKT. CKT runs Windows Server 2008 and Microsoft Virtual Server 2005 R2. CKT has 200 virtual servers running on an isolated virtual segment to evaluate software. To connect to the internet, it uses a physical network interface card. ABC.com requires every server in the company to access the Internet. ABC.com security policy dictates that the IP address space used by the software evaluation lab must not be used by other networks. Similarly, it states the IP address space used by other networks should not be used by the evaluation lab network. As an administrator you find that the applications tested in the software evaluation lab need to access the normal network to connect to the vendors' update servers on the internet. You need to configure all virtual servers on the CKT server to access the internet. You also need to comply with the company's security policy. Which two actions should you perform to achieve this task? (Choose two answers. Each answer is a part of the complete solution) A. Trigger the Virtual DHCP server for the external virtual network and run ipconfig /renew command on each virtual server B. On CKT's physical network interface, activate the Internet Connection Sharing (ICS) C. Use ABC.com intranet IP addresses on all virtual servers on CKT. D. Add and install a Microsoft Loopback Adapter network interface on CKT. Use a new network interface and create a new virtual network. E. None of the above Answer: AD Section: 70-640 Explanation/Reference: Explanation:

QUESTION 117 You are an administrator at ABC.com. Company has a network of 5 member servers acting as file servers. It has an Active Directory domain. You have installed a software application on the servers. As soon as the application is installed, one of the member servers shuts itself down. To trace and rectify the problem, you create a Group Policy Object (GPO). You need to change the domain security settings to trace the shutdowns and identify the cause of it. What should you do to perform this task? A. Link the GPO to the domain and enable System Events option B. Link the GPO to the domain and enable Audit Object Access option C. Link the GPO to the Domain Controllers and enable Audit Object Access option D. Link the GPO to the Domain Controllers and enable Audit Process tracking option E. Perform all of the above actions

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 118 ABC.com has a network that consists of a single Active Directory domain. A technician has accidentally deleted an Organizational unit (OU) on the domain controller. As an administrator of ABC.com, you are in the process of restoring the OU. You need to execute a non-authoritative restore before an authoritative restore of the OU. Which backup should you use to perform a non-authoritative restore of Active Directory Domain Services (AD DS) without disturbing other data stored on the domain controller? A. Critical volume backup B. Backup of all the volumes C. Backup of the volume that hosts Operating system D. Backup of AD DS folders E. All of the above

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 119 DRAG DROP ABC.com has an Active Directory forest on a single domain. The domain operates Windows Server 2008. A new administrator accidentally deletes the entire organizational unit in the Active Directory database that hosts 6000 objects. You have backed up the system state data using third-party backup software. To restore backup, you start the domain controller in the Directory Services Restore Mode (DSRM). You need to perform an authoritative restore of the organizational unit and restore the domain controller to its original state. Which three actions should you perform? The answer should be in a sequence. Drag and drop the appropriate action into the sequential order.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

QUESTION 120 ABC.com has a network that consists of a single Active Directory domain. Windows Server 2008 is installed on all domain controllers in the network. You are instructed to capture all replication s from all domain controllers to a central location. What should you do to achieve this task? A. Initiate the Active Directory Diagnostics data collector set B. Set event log subscriptions and configure it C. Initiate the System Performance data collector set D. Create a new capture in the Network Monitor

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 121 Company has a single domain network with Windows 2000, Windows 2003, and Windows 2008 servers. Client computers run Windows XP and Windows Vista. All domain controllers are running Windows server 2008.
Exhibit B
Servers | Operating system | Role
Company_DC1 | Windows server 2008 | Domain controller
Company_DC2 | Windows server 2008 | Domain controller
Company_SRV5 | Windows server 2008 | File and Print server
You need to deploy Active Directory Rights Management System (AD RMS) to secure all documents, spreadsheets and to provide user authentication. What do you need to configure, in order to complete the deployment of AD RMS? A. Upgrade all client computers to Windows Vista. Install AD RMS on domain controller Company_DC1 B. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_DC1 C. Upgrade all client computers to Windows Vista. Install AD RMS on Company_SRV5 D. Ensure that all Windows XP computers have the latest service pack and install the RMS client on all systems. Install AD RMS on domain controller Company_SRV5 E. None of the above Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 122 You are formulating the backup strategy for Active Directory Lightweight Directory Services (AD LDS) to ensure that data and log files are backed up regularly. This will also ensure the continued availability of data to applications and users in the event of a system failure. Because you have limited media resources, you decided to backup only specific ADLDS instance instead of taking backup of the entire volume. What should you do to accomplish this task? A. Use Windows Server backup utility and enable checkbox to take only backup of database and log files of AD LDS B. Use Dsdbutil.exe tool to create installation media that corresponds only to the ADLDS instance C. Move AD LDS database and log files on a separate volume and use windows server backup utility D. None of the above

Answer: B Section: 70-640 Explanation/Reference: Explanation:

QUESTION 123 You had installed Windows Server 2008 on a computer and configured it as a file server, named FileSrv1. The FileSrv1 computer contains four hard disks, which are configured as basic disks. For fault tolerance and performance you want to configure Redundant Array of Independent Disks (RAID) 0+1 on FileSrv1. Which utility will you use to convert basic disks to dynamic disks on FileSrv1? A. Diskpart.exe B. Chkdsk.exe C. Fsutil.exe D. Fdisk.exe E. None of the above

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 124 ABC.com has a domain controller that runs Windows Server 2008. The ABC.com network boasts 40 Windows Vista client machines. As an administrator at ABC.com, you want to deploy Active Directory Certificate service (AD CS) to authorize the network users by issuing digital certificates. What should you do to manage certificate settings on all machines in a domain from one main location? A. Configure Enterprise CA certificate settings B. Configure Enterprise trust certificate settings C. Configure Advance CA certificate settings D. Configure Group Policy certificate settings E. All of the above

Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 125 DRAG DROP Your network contains two forests named contoso.com and fabrikam.com. The functional level of all the domains is Windows Server 2003. The functional level of both forests is Windows 2000. You need to create a trust between contoso.com and fabrikam.com. The solution must ensure that users from contoso.com can only access the servers in fabrikam.com that have the Allowed to Authenticate permission set.

What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 126 Your network contains an Active Directory domain named adatum.com. You need to ensure that IP addresses can be resolved to fully qualified domain names (FQDNs). Under which node in the DNS snap-in should you add a zone? A. Reverse Lookup Zones B. adatum.com C. Forward Lookup Zones D. Conditional Forwarders E. _msdcs.adatum.com

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 127 DRAG DROP Your company has a main office and a branch office. All servers are located in the main office. The network contains an Active Directory forest named adatum.com. The forest contains a domain controller named MainDC that runs Windows Server 2008 R2 Enterprise and a member server named FileServer that runs Windows Server 2008 R2 Standard. You have a kiosk computer named Public_Computer that runs Windows 7. Public_Computer is not connected to the network. You need to join Public_Computer to the adatum.com domain.

What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation:

QUESTION 128 Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1. DC1 has an IP address of 192.168.200.100. You need to identify the zone that contains the Pointer (PTR) record for DC1. Which zone should you identify? A. adatum.com B. _msdcs.adatum.com C. 100.168.192.in-addr.arpa D. 200.168.192.in-addr.arpa Answer: D Section: 70-640 Explanation/Reference: Explanation:

QUESTION 129 Your network contains an Active Directory forest named adatum.com. The DNS infrastructure fails. You rebuild the DNS infrastructure. You need to force the registration of the Active Directory Service Locator (SRV) records in DNS. Which service should you restart on the domain controllers? A. Netlogon B. DNS Server C. Network Location Awareness D. Network Store Interface Service E. Online Responder Service

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 130 Your network contains an Active Directory domain named adatum.com. The password policy of the domain requires that the passwords for all user accounts be changed every 50 days. You need to create several user accounts that will be used by services. The passwords for these accounts must be changed automatically every 50 days. Which tool should you use to create the accounts? A. Active Directory Administrative Center B. Active Directory Users and Computers C. Active Directory Module for Windows PowerShell D. ADSI Edit E. Active Directory Domains and Trusts

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 131 Your network contains an Active Directory domain. The domain contains several domain controllers. You need to modify the Password Replication Policy on a read-only domain controller (RODC). Which tool should you use? A. Group Policy Management B. Active Directory Domains and Trusts C. Active Directory Users and Computers D. Computer Management E. Security Configuration Wizard

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 132 HOTSPOT Your network contains an Active Directory forest named contoso.com. All client computers run Windows 7 Enterprise. You need automatically to create a local group named PowerManagers on each client computer that contains a battery. The solution must minimize the amount of administrative effort. Which node in Group Policy Management Editor should you use? To answer, select the appropriate node in the answer area.

A. B. C. D. Answer: Section: 70-640 Explanation/Reference:

Explanation: Control Panel Settings under Preferences. Select

QUESTION 133
Your network contains an Active Directory forest. The forest contains domain controllers that run Windows Server 2008 R2. The functional level of the forest is Windows Server 2003. The functional level of the domain is Windows Server 2008. From a domain controller, you need to perform an authoritative restore of an organizational unit (OU). What should you do first?
A. Raise the functional level of the forest.
B. Modify the tombstone lifetime of the forest.
C. Restore the system state.
D. Raise the functional level of the domain.

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 134
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and woodgrovebank.com. You have a custom attribute named Attribute1 in Active Directory. Attribute1 is associated to User objects. You need to ensure that Attribute1 is included in the global catalog. What should you do?
A. From the Active Directory Schema snap-in, modify the properties of the Attribute1 attributeSchema object.
B. In Active Directory Users and Computers, configure the permissions on the Attribute1 attribute for User objects.
C. From the Active Directory Schema snap-in, modify the properties of the User classSchema object.
D. In Active Directory Sites and Services, configure the Global Catalog settings for all domain controllers in the forest.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

QUESTION 135
Your network contains a server named Server1. Server1 runs Windows Server 2008 R2 and has the Active Directory Lightweight Directory Services (AD LDS) role installed. Server1 hosts two AD LDS instances named Instance1 and Instance2. You need to remove Instance2 from Server1 without affecting Instance1. Which tool should you use?
A. NTDSUtil
B. Dsdbutil
C. Programs and Features in the Control Panel
D. Server Manager

Answer: C Section: 70-640 Explanation/Reference: Explanation:

QUESTION 136
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to compact the Active Directory database. What should you do?
A. Run the Get-ADForest cmdlet.
B. Configure subscriptions from Event Viewer.
C. Run the eventcreate.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the repadmin.exe command.
G. Run the ntdsutil.exe command.
H. Run the dsquery.exe command.
I. Run the dsamain.exe command.
J. Create custom views from Event Viewer.

Answer: G Section: 70-640 Explanation/Reference: Explanation:

QUESTION 137
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to collect all of the Directory Services events from all of the domain controllers and store the events in a single central computer. What should you do?
A. Run the ntdsutil.exe command.
B. Run the repadmin.exe command.
C. Run the Get-ADForest cmdlet.
D. Run the dsamain.exe command.
E. Create custom views from Event Viewer.
F. Run the dsquery.exe command.
G. Configure the Active Directory Diagnostics Data Collector Set (DCS).
H. Configure subscriptions from Event Viewer.
I. Run the eventcreate.exe command.
J. Create a Data Collector Set (DCS).

Answer: H Section: 70-640 Explanation/Reference: Explanation:

QUESTION 138
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to receive a notification when more than 100 Active Directory objects are deleted per second. What should you do?
A. Create custom views from Event Viewer.
B. Run the Get-ADForest cmdlet.
C. Run the ntdsutil.exe command.
D. Configure the Active Directory Diagnostics Data Collector Set (DCS).
E. Create a Data Collector Set (DCS).
F. Run the dsamain.exe command.
G. Run the dsquery.exe command.
H. Run the repadmin.exe command.
I. Configure subscriptions from Event Viewer.
J. Run the eventcreate.exe command.

Answer: E Section: 70-640 Explanation/Reference: Explanation:

QUESTION 139
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You need to create a snapshot of Active Directory. What should you do?
A. Run the dsquery.exe command.
B. Run the dsamain.exe command.
C. Create custom views from Event Viewer.
D. Configure subscriptions from Event Viewer.
E. Create a Data Collector Set (DCS).
F. Configure the Active Directory Diagnostics Data Collector Set (DCS).
G. Run the repadmin.exe command.
H. Run the ntdsutil.exe command.
I. Run the Get-ADForest cmdlet.
J. Run the eventcreate.exe command.

Answer: H Section: 70-640 Explanation/Reference: Explanation:

QUESTION 140
Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. You mount an Active Directory snapshot. You need to ensure that you can query the snapshot by using LDAP. What should you do?
A. Run the dsamain.exe command.
B. Create custom views from Event Viewer.
C. Run the ntdsutil.exe command.
D. Configure subscriptions from Event Viewer.
E. Run the Get-ADForest cmdlet.
F. Create a Data Collector Set (DCS).
G. Run the eventcreate.exe command.
H. Configure the Active Directory Diagnostics Data Collector Set (DCS).
I. Run the repadmin.exe command.
J. Run the dsquery.exe command.

Answer: A Section: 70-640 Explanation/Reference: Explanation:

Exam B
QUESTION 1
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. All client computers run Windows 7. You create a new zone named secure.contoso.com and configure the zone to use DNSSEC. You need to ensure that all client computers verify whether the name and address information of secure.contoso.com is validated by the DNS servers. What should you configure from Group Policy?
A. an IPSec Security policy
B. the DNS Client settings
C. the Public Key policies
D. a Name Resolution Policy rule

Answer: D Section: 70-642 Explanation/Reference: Explanation: see also: http://technet.microsoft.com/de-de/library/ee649207(WS.10).aspx

QUESTION 2
Your network contains an Active Directory domain. The domain contains an enterprise certification authority (CA) named Server1 and a server named Server2. On Server2, you deploy Network Policy Server (NPS) and you configure a Network Access Protection (NAP) enforcement policy for IPSec. From the Health Registration Authority snap-in on Server2, you set the lifetime of health certificates to four hours. You discover that the validity period of the health certificates issued to client computers is one year. You need to ensure that the health certificates are only valid for four hours. What should you do?
A. Modify the Request Handling settings of the certificate template used for the health certificates.
B. Modify the Issuance Requirements settings of the certificate template used for the health certificates.
C. On Server1, run certutil.exe -setreg policy\editflags +editf_attributeenddate.
D. On Server1, run certutil.exe -setreg dbflags +dbflags_enablevolatilerequests.

Answer: C Section: 70-642 Explanation/Reference: Explanation:

QUESTION 3
Your company has a server that runs Windows Server 2008 R2. You have a new application that locates remote resources by name. The new application requires IPv6. You need to ensure that the application can locate remote resources by using IPv6. What should you do?
A. Create a new Pointer (PTR) DNS record.
B. Create a new Quad-A (AAAA) DNS record.
C. Create a new Signature (SIG) DNS record.
D. Create a new Route Through (RT) DNS record.

Answer: B Section: 70-642 Explanation/Reference:

Explanation:

QUESTION 4
Your network contains an Active Directory domain. The domain contains DNS servers that run Windows Server 2008 R2. The network has two external links. One link connects to the Internet. The other link directly connects to the network of a partner company. The partner company's network is not connected to the Internet. You need to ensure that users on your network can access resources on the partner company's network. The solution must ensure that the users on your network can continue to access resources on the Internet. Which two actions should you perform on the DNS servers? (Each correct answer presents a complete solution. Choose two.)
A. Configure conditional forwarding.
B. Add a stub zone.
C. Modify the root hints.
D. Add a reverse lookup zone.
E. Add a trust anchor.

Answer: AC Section: 70-642 Explanation/Reference: Explanation:

QUESTION 5
Your network contains a server named Server1 that runs Windows Server 2008 R2. You configure IPSec on Server1. You need to identify the total number of encrypted bytes sent and received by Server1. Which node should you use to achieve this task? To answer, select the appropriate node in the answer area.
A. Active Policy
B. Main Mode
C. Quick Mode
D. None

Answer: C Section: 70-642 Explanation/Reference:

Explanation:

QUESTION 6
Your network contains a Windows Server Update Services (WSUS) server named Server1. All client computers are configured to download updates from Server1. Server1 is configured only to synchronize manually to Microsoft Update. Your company deploys a new Microsoft application. You discover that the new application is not listed on the Products and Classifications list. You need to ensure that updates for the new application are available to all of the client computers. What should you do first?
A. Run the Server Cleanup Wizard.
B. Approve updates.
C. Synchronize the WSUS server.
D. Modify the Products and Classifications settings.

Answer: C Section: 70-642 Explanation/Reference: Explanation:

QUESTION 7
You have a perimeter network that contains 20 servers. All of the servers run Windows Server 2008 R2 and are members of a workgroup. You add an additional server named Server21 to the perimeter network. You plan to configure Server21 to collect events forwarded from the other servers. You need to ensure that the events are available on Server21 as quickly as possible. Which event delivery optimization option should you enable?
A. Normal
B. Custom
C. Minimize Bandwidth
D. Minimize Latency

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 8
You have a client computer named Computer1 that runs Windows 7. You need to ensure that, from Computer1, you can enumerate all of the records in a DNS zone. Which settings should you configure from the properties of the DNS zone? To answer, select the appropriate tab in the answer area.
A. General
B. Start Of Authority (SOA)
C. Security
D. Zone Transfers
E. Name Servers
F. WINS

Answer: D Section: 70-642

Explanation/Reference:

QUESTION 9
Your network contains an Active Directory domain named fabrikam.com. The domain contains five domain controllers named DC1, DC2, DC3, DC4, and DC5. All domain controllers run Windows Server 2008 R2 and have the DNS server role installed. On DC5, you create a new Active Directory-integrated DNS zone named adatum.com. You need to ensure that the adatum.com DNS zone is only replicated to DC5 and DC2. The solution must ensure that all zone replication traffic is encrypted. What should you do first?
A. Create an application directory partition.
B. Create a primary zone.
C. Modify the zone transfer settings.
D. Change the zone replication scope.

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 10
Your network contains a server named Server1 that runs Windows Server 2008 R2. You enable IPSec on Server1. You need to identify which client computers have active IPSec associations to Server1. Which administrative tool should you use to achieve this task? To answer, select the appropriate tool from the answer area.
A. Computer Management
B. Storage Explorer
C. Component Services
D. Windows Firewall with Advanced Security

Answer: D Section: 70-642 Explanation/Reference:

Explanation: M

QUESTION 11
Your network contains a DHCP server named DHCP1 that runs Windows Server 2008 R2. All client computers on the network obtain their network configurations from DHCP1. You have a client computer named Client1 that runs Windows 7 Enterprise. You need to configure Client1 to use a different DNS server than the other client computers on the network. What should you do?
A. Configure the scope options.
B. Create a reservation.
C. Create a DHCP filter.
D. Define a user class.

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 12
Your network contains an Active Directory forest named fabrikam.com. The forest contains a DNS server named Server1. You need to configure Server1 to resolve single-label names. What should you do?
A. Create a DNS zone named GlobalNames. Run dnscmd.exe and specify the Config parameter.
B. Create a DNS zone named GlobalNames. Run dnscmd.exe and specify the CreateDirectoryPartition parameter.
C. Create a DNS zone named RootNames. Run dnscmd.exe and specify the CreateDirectoryPartition parameter.
D. Create a DNS zone named RootNames. Run dnscmd.exe and specify the Config parameter.

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 13
Your network contains a server named Server1. You perform a full server backup by using Windows Server Backup. You need to test a full server restore. Which option should you select from the Advanced Boot Options menu? To answer, select the appropriate option in the answer area.
A. Repair Your Computer
B. Safe Mode
C. Safe Mode With Networking
D. Safe Mode With Command Prompt
E. Enable boot logging
F. Enable low resolution video (640x480)
G. Last Known Good Configuration (advanced)
H. Directory services restore mode
I. Debugging mode
J. Disable automatic restart on system failure
K. Disable Driver Signature Enforcement
L. Start Windows normally

Answer: A Section: 70-642 Explanation/Reference:


Explanation: A

QUESTION 14
Your network contains a server that runs Windows Server 2008 R2 named Server1. You install a new application on Server1. After the installation, you discover that Server1 frequently becomes unavailable. You need to identify whether the issues on Server1 coincide with the installation of the application. What should you do?
A. From Reliability Monitor, review the reliability details.
B. From Administrative Tools, run Windows Memory Diagnostic.
C. From the System Configuration utility, select Diagnostic startup.
D. From the command prompt, run the Program Compatibility Wizard.

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 15
Your network contains a file server named Server1 that runs Windows Server 2008 R2. Users report that when they try to open some of the folders in \\server1\folder1, they receive an Access is Denied error message. You need to ensure that when the users connect to \\server1\folder1, they only see the files and the folders to which they are assigned permissions. Which tool should you use?
A. Local Security Policy
B. Share and Storage Management
C. Windows Explorer
D. Windows Firewall with Advanced Security

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 16
You configure a full server backup on a server as shown in the exhibit. (Click the Exhibit button.) You need to ensure that a full server backup runs each day at 23:45 and that a custom script runs when the backup completes. Which tool should you use?
Exhibit:
A. Task Scheduler
B. Windows Server Backup
C. System Configuration
D. Services

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 17
You need to configure a static IPv6 address for a server that runs a Server Core installation of Windows Server 2008 R2. Which tool should you use?
A. netsh
B. ocsetup
C. servermanagercmd
D. ipconfig

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 18
Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to ensure that UNIX-based client computers can access shared folders on Server1. Which server role, role service, or feature should you install?
A. Windows Server Update Services (WSUS)
B. Network Policy Server (NPS)
C. Routing and Remote Access service (RRAS)
D. Simple TCP/IP Services
E. Windows System Resource Manager (WSRM)
F. File Server Resource Manager (FSRM)
G. Wireless LAN Service
H. Network Load Balancing (NLB)
I. Windows Internal Database
J. Services for Network File System (NFS)
K. Group Policy Management
L. Health Registration Authority (HRA)
M. Connection Manager Administration Kit (CMAK)

Answer: J Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc753302(WS.10).aspx

QUESTION 19
Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to create folder quotas on Server1. Which server role, role service, or feature should you install?
A. Routing and Remote Access service (RRAS)
B. Health Registration Authority (HRA)
C. Network Load Balancing (NLB)
D. File Server Resource Manager (FSRM)
E. Windows Server Update Services (WSUS)
F. Connection Manager Administration Kit (CMAK)
G. Wireless LAN Service
H. Windows Internal Database
I. Network Policy Server (NPS)
J. Group Policy Management
K. Windows System Resource Manager (WSRM)
L. Simple TCP/IP Services
M. Services for Network File System (NFS)

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 20
Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 to provide central authentication of dial-up, VPN, and wireless connections to the network. Which server role, role service or feature should you install?
A. Simple TCP/IP Services
B. Windows System Resource Manager (WSRM)
C. Routing and Remote Access service (RRAS)
D. Network Policy Server (NPS)
E. File Server Resource Manager (FSRM)
F. Network Load Balancing (NLB)
G. Windows Internal Database
H. Health Registration Authority (HRA)
I. Group Policy Management
J. Wireless LAN Service
K. Connection Manager Administration Kit (CMAK)
L. Windows Server Update Services (WSUS)
M. Services for Network File System (NFS)

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 21
Your network contains a file server named Server1. Server1 contains a folder named Folder1. The permissions for Folder1 are configured as shown in the following table.

You need to ensure that only members of Group1 can add files to Folder1 over the network. What should you do?
A. Modify the share permission for Group1.
B. Modify the share permission for Authenticated Users.
C. Modify the NTFS permission for Group1.
D. Modify the NTFS permission for Authenticated Users.

Answer: C Section: 70-642

Explanation/Reference: Explanation:

QUESTION 22
Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You configure Server1 as a VPN server. You need to ensure that only client computers that have up-to-date virus definitions can establish VPN connections to Server1. Which server role, role service, or feature should you install?
A. Simple TCP/IP Services
B. Windows Internal Database
C. Connection Manager Administration Kit (CMAK)
D. File Server Resource Manager (FSRM)
E. Windows Server Update Services (WSUS)
F. Services for Network File System (NFS)
G. Routing and Remote Access service (RRAS)
H. Network Policy Server (NPS)
I. Wireless LAN Service
J. Group Policy Management
K. Health Registration Authority (HRA)
L. Windows System Resource Manager (WSRM)
M. Network Load Balancing (NLB)

Answer: H Section: 70-642 Explanation/Reference: Explanation:

QUESTION 23
Your network contains an Active Directory forest. The forest contains a member server named Server1 that runs Windows Server 2008 R2. You need to configure Server1 as a network address translation (NAT) server. Which server role, role service, or feature should you install?
A. Services for Network File System (NFS)
B. Wireless LAN Service
C. Network Load Balancing (NLB)
D. Group Policy Management
E. Routing and Remote Access service (RRAS)
F. File Server Resource Manager (FSRM)
G. Windows System Resource Manager (WSRM)
H. Health Registration Authority (HRA)
I. Windows Server Update Services (WSUS)
J. Windows Internal Database
K. Simple TCP/IP Services
L. Connection Manager Administration Kit (CMAK)
M. Network Policy Server (NPS)

Answer: E Section: 70-642 Explanation/Reference:

Explanation:

QUESTION 24
Your network contains an Active Directory domain named contoso.com. Contoso.com contains two servers named Server1 and Server2 that run Windows Server 2008 R2. DirectAccess is deployed on Server2. You need to configure Server1 as a network location server (NLS). Which Web Server (IIS) role service should you install on Server1?
A. Request Filtering
B. IIS Client Certificate Mapping Authentication
C. URL Authorization
D. IP and Domain Restrictions

Answer: D Section: 70-642 Explanation/Reference: Explanation: see steps below: If your DirectAccess server is acting as the network location server, you must install the Web Server (IIS) server role with the IP and Domain Restrictions role service.
Source: http://technet.microsoft.com/en-us/library/ee649160%28WS.10%29.aspx

QUESTION 25
Your network contains three servers named Server1, Server2, and Server3 that have the Network Policy Server (NPS) role service installed. On Server1, you configure a Remote RADIUS Server Group that contains Server2 and Server3. On Server2 and Server3, you configure Server1 as a RADIUS client. You configure Server2 and Server3 to authenticate remote users. You need to configure Server1 to forward RADIUS authentication requests to Server2 and Server3. What should you create on Server1?
A. a network policy
B. a remediation server group
C. a connection request policy
D. a health policy

Answer: C Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc754518.aspx

QUESTION 26
Your network contains an Active Directory domain. The domain contains a file server named Server1 that runs Windows Server 2008 R2. You need to ensure that a user named User1 can back up and restore files on Server1. The solution must minimize the number of user rights assigned to User1. What should you do?
A. Add User1 to the Server Operators group.
B. Assign the Backup files and directories user right to User1.
C. Add User1 to the Backup Operators group.
D. Assign the Perform volume maintenance tasks user right to User1.

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 27
Your network contains a server named Server1 that runs Windows Server 2008 R2. You configure IPSec on Server1. You need to identify the total number of authentication failures and negotiation failures that occurred on Server1. Which node should you use to achieve this task? To answer, select the appropriate node in the answer area.
A. Main Mode
B. Active Policy
C. Quick Mode
D. None

Answer: A Section: 70-642 Explanation/Reference:

Explanation: E

QUESTION 28
Your network contains a file server named Server1 that runs Windows Server 2008 R2. You enable IPSec on Server1. You need to identify which client computers have active IPSec associations to Server1. Which administrative tool should you use to achieve this task?
A. Share and Storage Management
B. Windows Firewall with Advanced Security
C. Performance Monitor
D. Event Viewer

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 29
Your network contains a DNS server named DNS1 that runs Windows Server 2008 R2. You need to be notified by e-mail if the DNS service logs errors or warnings. The solution must minimize the number of e-mail notifications you receive. What should you do?
A. Create an alert in Performance Monitor.
B. Run the Configure a DNS Server Wizard.
C. Select the DNS Server log from Event Viewer and attach a task to the log.
D. Create a custom view from Event Viewer and attach a task to the custom view.

Answer: D Section: 70-642 Explanation/Reference:

Explanation:

QUESTION 30
Your company has four DNS servers that run Windows Server 2008 R2. Each server has a static IP address. You need to prevent DHCP from assigning the addresses of the DNS servers to DHCP clients. What should you do?
A. Create a new scope for the DNS servers.
B. Create a reservation for the DHCP server.
C. Configure the 005 Name Servers scope option.
D. Configure an exclusion that contains the IP addresses of the four DNS servers.

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 31
Your network contains a file server that runs Windows Server 2008 R2. You create a shared folder on the server. You need to ensure that an administrator is notified whenever a user saves .exe files to the shared folder. What should you do?
A. Configure access-based enumeration (ABE).
B. Create a file screen.
C. Modify the NTFS permissions and the share permissions.
D. Create a soft quota.

Answer: B Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc732349(WS.10).aspx

Topic 5, Exam Set E

QUESTION 32
Your network contains a server that runs a Server Core installation of Windows Server 2008 R2. You need to configure outbound firewall rules on the server. Which tool should you use?
A. ocsetup
B. servermanagercmd
C. netcfg
D. netsh

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 33
Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 and Server2 are configured as DNS servers. On Server1, you create a primary DNS zone named contoso.com. You configure Server2 to host a secondary copy of contoso.com. On Server2, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.) You need to ensure that the contoso.com zone is available on Server2. What should you do?
Exhibit:
A. From Server2, modify the root hints.
B. From Server1, modify the zone transfer settings of the primary zone.
C. From Server1, add Server2 as a name server for the zone.
D. From Server2, modify the zone transfer settings of the secondary zone.

Answer: C Section: 70-642 Explanation/Reference: Explanation:

QUESTION 34
Your network contains a domain-based Distributed File System (DFS) namespace named \\contoso.com\dfs. \\contoso.com\dfs is configured to use Windows 2000 Server mode. The domain contains two servers named Server1 and Server2 that run Windows Server 2008 R2. Server1 is configured as a namespace server for \\contoso.com\dfs. You need to migrate \\contoso.com\dfs to Windows Server 2008 mode. You install the Distributed File System role service on Server2. What should you do next?
A. Configure Server2 as a namespace server for \\contoso.com\dfs.
B. At the command prompt, run dfsutil root export \\contoso.com\dfs c:\dfs.xml.
C. At the command prompt, run dfsutil root adddom \\contoso.com\dfs v2.
D. Create a new shared folder named DFS on Server2.

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 35
Your network contains a file server named Server1 that runs Windows Server 2008 R2. Server1 has a volume named E. From the File Server Resource Manager console, you create a new quota for volume E. The quota is derived from the 100 MB limit quota template. You need to prevent users from storing audio and video files on volume E. What should you do?
A. Create a file screen.
B. Create a file management task.
C. Modify the properties of the quota.
D. Modify the properties of the Audio and Video Files file group.

Answer: A Section: 70-642 Explanation/Reference: Explanation: Create a File Screen to prevent users from saving video/audio files to a share and to send notifications when users attempt to do that.

QUESTION 36
Your network contains a server named Server1 that runs a Server Core installation of Windows Server 2008 R2. Server1 is configured as a DNS server. You need to ensure that Server1 only resolves name queries from IPv6 clients. What should you do?
A. Run netsh.exe and specify the dnsclient parameter.
B. Run dnscmd.exe and specify the /config parameter.
C. Run dnscmd.exe and specify the /resetlistenaddresses parameter.
D. Run netsh.exe and specify the interface parameter.

Answer: C Section: 70-642 Explanation/Reference: Explanation: To configure your DNS server to listen over IPv6, do the following:
1. Install Windows Support Tools. For more information, see Install Windows Support Tools.
2. Open Command Prompt.
3. Type the following command: dnscmd /config /EnableIPv6 1
4. Restart the DNS Server service. For more information, see Start or stop a DNS server.
http://technet.microsoft.com/en-us/library/cc783049(WS.10).aspx

QUESTION 37
Your network contains an Active Directory domain. The domain contains a DNS server that runs Windows Server 2008 R2. You plan to deploy DirectAccess on the network. You need to ensure that the internal DNS infrastructure supports name resolution for DirectAccess. What should you do?
A. Modify the Dynamic updates setting.
B. Add a trust anchor.
C. Modify the global query block list.
D. Create a GlobalNames zone.

Answer: C Section: 70-642 Explanation/Reference: Explanation:

QUESTION 38
Your network contains a file server named Server1 that runs Windows Server 2008 R2. Server1 hosts a shared folder that stores Microsoft Excel spreadsheets. A new Excel spreadsheet is created each day. You need to ensure that all Excel spreadsheets that are older than one month are automatically moved to a different folder. What should you do?
A. Create an Active Directory Rights Management Services (AD RMS) policy template.
B. Create a quota for the shared folder.
C. Create a file management task.
D. Modify the archive attribute of the shared folder.

Answer: C Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/dd759233.aspx

QUESTION 39
Your network contains a server named Server1. Server1 has the DHCP server role installed and contains multiple scopes. You restore the DHCP database and discover that the active IP address leases are not displayed. You need to ensure that all IP address leases are displayed. What should you do?
A. Reconcile all of the scopes.
B. Run jetpack.exe dhcp.mdb temp.mdb.
C. Restart the DHCP Server service.
D. Authorize Server1.

Answer: C Section: 70-642 Explanation/Reference: Explanation:
Recovery: Restoring from Backup

If the DHCP server database becomes corrupted or is lost, simple recovery is possible by replacing the server database file (Dhcp.mdb), located in the %SystemRoot%\System32\Dhcp folder, with a backup copy of the same file. You can then perform a simple file copy to overwrite the current corrupted database with a backup copy of the same file. If DHCP Manager has been used previously to enable backup, you can obtain the backup copy of the server database file located in the %SystemRoot%\System32\Dhcp\Backup folder. As an option, you can also choose to restore the Dhcp.mdb file from a tape backup or other backup media.

Before restoring the database file from backup, the DHCP service must first be stopped. Once you have copied the backup file to the %SystemRoot%\System32\Dhcp folder from your preferred backup source, you can restart the DHCP service. To stop the DHCP server service, type the following at a command prompt:

    net stop dhcpserver

Once the DHCP service has been stopped, the following procedure can be used to safely restore a backup copy of the database from either backup media or the DHCP service backup folder. First, move the files from your existing DHCP folder to a different folder location, such as \Olddhcp. Be careful to keep the DHCP folder structure intact. For example, type the following set of commands at a command prompt to perform this step:

    md c:\Olddhcp
    move %SystemRoot%\system32\DHCP\*.* C:\Olddhcp

Next, remove the corrupted server database file. This can also be done at the command prompt:

    del %SystemRoot%\system32\DHCP\Dhcp.mdb

You can then copy the backup database file into the DHCP service folder. The path to be used when performing the actual copy operation varies (as shown in Table 4.15), depending on the specific server version of Windows running on the computer where the DHCP database file is being restored.
http://technet.microsoft.com/en-us/library/cc958954.aspx

QUESTION 40 Your network contains an Active Directory domain. The domain contains two DHCP servers named DHCP1 and DHCP2. On DHCP1, you create a scope named Scope1. You configure Scope1 as a split scope and add DHCP2 as an additional DHCP server. You need to ensure that DHCP1 and DHCP2 can issue IP addresses. What should you do from the DHCP console?
A. Reconcile Scope1 on DHCP2.
B. Activate Scope1 on DHCP2.
C. Restart the DHCP Server service on DHCP2.
D. Update the range of IP addresses on DHCP1.

Answer: B Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/ee405264(WS.10).aspx

QUESTION 41 You deploy Network Access Protection (NAP) on your network. An administrator configures a network policy as shown in the exhibit. (Click the Exhibit button.) You discover that noncompliant client computers cannot access the remediation network. You need to configure the network policy to ensure that noncompliant client computers can access the remediation network. What should you do? Exhibit:

A. In Access Permission, select the Grant access. Grant access if the connection request matches this policy option button.
B. In the Type of network access server list, click HCAP Server.
C. In the Type of network access server list, click Health Registration Authority.
D. In Access Permission, select the Ignore user account dial-in properties check box.

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 42 Your network contains a server named Server1 that runs Windows Server 2008 R2. The network for Server1 is configured as shown in the table.

You plan to deploy DirectAccess on Server1. You need to configure the network interfaces on Server1 to support DirectAccess. What should you do?
A. Add the IP address of 10.1.2.2 to LAN1.
B. Remove the IP address of 131.107.1.13 from Internet2, and then add the address to LAN1.
C. Remove the IP address of 131.107.1.13 from Internet2, and then add the address to Internet1.
D. Add the default gateway of 131.107.1.1 to Internet2.

Answer: C Section: 70-642 Explanation/Reference: Explanation:

QUESTION 43 Your network contains a server named Server1 that runs a Server Core installation of Windows Server 2008 R2. The network contains a client computer named Computer1 that runs Windows 7. You need to ensure that you can collect events from Server1 on Computer1. What should you run on Server1?
A. wecutil cs
B. eventcreate /so
C. winrm quickconfig
D. net config server

Answer: C Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc748890(v=WS.10).aspx

QUESTION 44 Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2008 R2. The network contains a DHCP server named DHCP1 on a subnet named Subnet1. You implement a new subnet named Subnet2. Subnet2 contains a server named Server1. On DHCP1, you create a DHCP scope for Subnet2. You need to configure Server1 to ensure that the client computers on Subnet2 can receive IP addresses from DHCP1. What should you install on Server1?

A. the Application Server server role
B. the DHCP server role
C. the Network Policy Server (NPS) role service
D. the Routing and Remote Access service (RRAS) role service

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 45 Your network contains an Active Directory forest named contoso.com. Contoso.com contains three domain controllers that run Windows Server 2008 R2 and three domain controllers that run Windows Server 2003. All domain controllers are configured as DNS servers. You configure the contoso.com zone to use DNSSEC. You need to ensure that the zone only replicates to DNS servers that support DNSSEC. What should you do first?
A. Modify the Notify settings of the contoso.com zone.
B. Create an application directory partition.
C. Move the contoso.com zone to the ForestDnsZones application directory partition.
D. Add a server certificate to the Windows Server 2003 DNS servers.

Answer: B Section: 70-642 Explanation/Reference: Explanation:

You've installed Windows Server 2008 Core, you don't use DHCP and you want to get the thing on the network. I keep forgetting how to do this so I thought I'd create this post to help me remember! I'm assuming that you've got as far as changing the administrator password and logging in. The next step is as easy as typing a few commands into the plain black window you see in front of you. For this example, let's assume that we want the server to have the following network configuration:

    HOSTNAME: win2008core
    IP ADDRESS: 10.1.5.16
    SUBNET MASK: 255.255.255.128
    DEFAULT GATEWAY: 10.1.5.126
    DNS SERVER: 10.10.20.6
    DNS SERVER: 10.20.4.3

We first have to extract two pieces of information from the server: the current hostname and the index of the NIC that we want to configure. The hostname can be acquired simply by entering the command:

    hostname

This will return something like "WIN-87abac8chasa87" or something random like that. Make a note of the name returned as we'll need it later. Next enter the following command:

    netsh interface ipv4 show interfaces

This will return an output a bit like the one below. The important thing though is getting the (Idx) value for the interface that you're interested in (3 in this case). By default this will probably be called "Local Area Connection".

To set up the IP details for the interface just enter the following command:

    netsh interface ipv4 set address name="3" source=static address=10.1.5.16 mask=255.255.255.128 gateway=10.1.5.126

To add the DNS servers to this interface, use the following commands:

    netsh interface ipv4 add dnsserver name="3" address=10.10.20.6 index=1
    netsh interface ipv4 add dnsserver name="3" address=10.20.4.3 index=2

Note that we incremented the index value in the second command. That was quite easy really. All that remains is to rename the server. This is done with another simple command using the value that we obtained earlier:

    netdom renamecomputer WIN-87abac8chasa87 /NewName:win2008core

All that you then need to do is reboot the server:

    shutdown /r /t 0

QUESTION 46 Your network contains an Active Directory domain named fabrikam.com. The domain contains a DNS server named Server1. Server1 hosts the DNS zone for fabrikam.com. You have a client computer named Computer1 that runs Windows 7. You need to ensure that, from Computer1, you can enumerate all of the records in the fabrikam.com DNS zone. What should you modify?
A. the forwarders of Server1
B. the root hints of Server1
C. the security settings of the fabrikam.com DNS zone
D. the zone transfer settings of the fabrikam.com DNS zone

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 47 Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to ensure that you can log performance counter data from Server1 to a SQL database. Which tool should you use?
A. Component Services
B. Data Sources (ODBC)
C. Share and Storage Management
D. Storage Explorer

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 48 Your network contains an Active Directory domain. The network contains a standalone server that runs Windows Server 2008 R2. The server has a static IP address. You need to configure the server as a DHCP Relay Agent. What should you do first?
A. Install the Health Registration Authority (HRA) role service on the server.
B. Configure the server to use a dynamic IP address.
C. Install the Routing and Remote Access service (RRAS) role service on the server.
D. Join the server to the domain.

Answer: C Section: 70-642 Explanation/Reference: Explanation:

QUESTION 49 You have an application server that runs Windows Server 2008 R2. You need to configure Windows Firewall to allow communications on the server as shown in the following table.

What is the minimum number of firewall rules you should create?
A. 4
B. 2
C. 1
D. 3

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 50 Your network is configured as shown in the exhibit. (Click the Exhibit button.)

The network contains a server named TMG1. TMG1 runs Microsoft Forefront Threat Management Gateway (TMG) 2010 and has a default gateway of 131.107.1.2. You need to ensure that TMG1 can connect to the Internet and to the client computers in all of the internal subnets. What should you do on TMG1?
A. Run route -p add 192.168.1.0 netmask 255.255.255.0 192.168.2.1.
B. Change the default gateway to 192.168.1.1.
C. Run route -p add 192.168.2.0 netmask 255.255.255.0 192.168.1.1.
D. Change the default gateway to 192.168.2.1.

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 51 You have an application that requires localhost to resolve to 127.0.0.1. You ping localhost as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that localhost resolves to 127.0.0.1. What should you do?
A. Modify the Hosts file.
B. Add a Microsoft Loopback Adapter.
C. Modify the Lmhosts file.
D. Modify the properties of the local area connection.

Answer: A Section: 70-642 Explanation/Reference: Explanation:

QUESTION 52 Your network contains an Active Directory domain. Your company is implementing Network Access Protection (NAP). You need to define which network resources non-compliant client computers can access. What should you configure?
A. the Windows Authentication authentication provider
B. remediation server groups
C. the RADIUS Accounting accounting provider
D. system health validators (SHVs)
E. IKEv2 client connections
F. the Windows Accounting accounting provider
G. the RADIUS Authentication authentication provider
H. Group Policy preferences
I. health policies
J. connection request policies

Answer: B Section: 70-642 Explanation/Reference: Explanation:

QUESTION 53 Your network contains an Active Directory domain. You deploy Network Access Protection (NAP). You need to verify whether VPN clients have Windows Firewall enabled. What should you configure?
A. connection request policies
B. IKEv2 client connections
C. Group Policy preferences
D. the RADIUS Authentication authentication provider
E. remediation server groups
F. the Windows Authentication authentication provider
G. the Windows Accounting accounting provider
H. the RADIUS Accounting accounting provider
I. system health validators (SHVs)
J. health policies

Answer: I Section: 70-642 Explanation/Reference: Explanation:

QUESTION 54 Your network contains an Active Directory domain. The domain contains several VPN servers that have the Routing and Remote Access service (RRAS) role service installed. You need to collect information about the duration of the VPN connections. The information must be stored in a central location. What should you configure on the VPN servers?
A. connection request policies
B. the RADIUS Authentication authentication provider
C. health policies
D. the RADIUS Accounting accounting provider
E. remediation server groups
F. the Windows Accounting accounting provider
G. system health validators (SHVs)
H. Group Policy preferences
I. the Windows Authentication authentication provider
J. IKEv2 client connections

Answer: D Section: 70-642 Explanation/Reference: Explanation:

QUESTION 55 Your network contains an Active Directory domain. Your company provides VPN access for multiple organizations. You need to configure Network Policy Server (NPS) to forward authentication requests to the appropriate organization. What should you configure on the NPS server?
A. the RADIUS Accounting accounting provider
B. the Windows Accounting accounting provider
C. remediation server groups
D. health policies
E. connection request policies
F. the RADIUS Authentication authentication provider
G. the Windows Authentication authentication provider
H. system health validators (SHVs)
I. Group Policy preferences
J. IKEv2 client connections

Answer: E Section: 70-642 Explanation/Reference: Explanation:

QUESTION 56 Your network contains two servers named Server1 and Server2 that run a Server Core installation of Windows Server 2008 R2. Server1 has the SNMP Service installed. You need to ensure that Server2 can send SNMP traps to Server1. What should you do?
A. On Server2, run dism /online /enable-feature /featurename:snmp-sc.
B. On Server1, run oclistsnmp-sc.
C. On Server2, run oclistsnmp-sc.
D. On Server1, run dism /online /enable-feature /featurename:snmp-sc.

Answer: A Section: 70-642

Explanation/Reference: Explanation:

QUESTION 57 Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 contains two shared folders named Share1 and Share2. The shared folders are located on the same volume. You need to prevent users from storing more than 100 MB of data in Share1 only. What should you install on Server1?
A. File Server Resource Manager (FSRM)
B. Network Policy Server (NPS)
C. Services for Network File System (NFS)
D. Windows System Resource Manager (WSRM)

Answer: A Section: 70-642 Explanation/Reference: Explanation: Reference: http://technet.microsoft.com/en-us/library/cc733029.aspx

QUESTION 58 Your network contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2008 R2. The servers have the Network Policy Server (NPS) role service installed. You configure a Remote RADIUS Server Group named Group1. Group1 contains Server2, Server3, and Server4. You need to configure load balancing for the members of Group1 to meet the following requirements:
Server1 must send 25 percent of all authentication requests to Server3.
Server1 must send 75 percent of all authentication requests to Server2.
Server1 must only send authentication requests to Server4 if Server2 and Server3 are unavailable.
What should you do from the Network Policy Server console?
A. For Server2, set the weight to 75 and the priority to 75. For Server3, set the weight to 25 and the priority to 25. For Server4, set the weight to 100 and the priority to 200.
B. For Server2, set the weight to 75 and the priority to 1. For Server3, set the weight to 25 and the priority to 1. For Server4, set the weight to 100 and the priority to 100.
C. For Server2, set the weight to 1 and the priority to 75. For Server3, set the weight to 1 and the priority to 25. For Server4, set the weight to 100 and the priority to 1.
D. For Server2, set the weight to 75 and the priority to 25. For Server3, set the weight to 25 and the priority to 75. For Server4, set the weight to 100 and the priority to 1.

Answer: B Section: 70-642 Explanation/Reference: Explanation:

Reference: http://technet.microsoft.com/en-us/library/dd197433(WS.10).aspx

QUESTION 59 You are planning the network for a branch office. The branch office will contain 100 IPv4 hosts. You need to recommend a subnet mask for the branch office. The subnet mask must minimize the number of unused IP addresses. Which subnet mask should you use?
A. 255.255.255.0
B. 255.255.255.128
C. 255.255.0.0
D. 255.255.128.0

Answer: B Section: 70-642 Explanation/Reference: Explanation: http://www.pantz.org/software/tcpip/subnetchart.html

QUESTION 60 Your network contains a server named Server1 that has the Routing and Remote Access service (RRAS) role service installed. Server1 provides access to the internal network by using Point-to-Point Tunneling Protocol (PPTP). Static RRAS filters on the external interface of Server1 allow only PPTP. The IP address of the external interface is 131.107.1.100. You install the Web Server (IIS) role on Server1. You need to ensure that users on the Internet can access a Web site on Server1 by using HTTP. The solution must minimize the number of open ports on Server1. Which static RRAS filter or filters should you configure on Server1? Choose 2.
A. An outbound filter that has the following configurations: Source network: 131.107.1.100/32, Destination network: any, Protocol: TCP, Port: 80
B. An inbound filter that has the following configurations: Source network: any, Destination network: 131.107.1.100/32, Protocol: TCP, Port: 80
C. An outbound filter that has the following configurations: Source network: 131.107.1.100/32, Destination network: any, Protocol: TCP, Port: any
D. An outbound filter that has the following configurations: Source network: 131.107.1.100/32, Destination network: any, Protocol: TCP (established), Port: 80
E. An inbound filter that has the following configurations: Source network: 131.107.1.100/32, Destination network: any, Protocol: TCP, Port: any

Answer: BD Section: 70-642 Explanation/Reference:

QUESTION 61 Your network contains a subnet named Subnet1. You add a new subnet named Subnet2 to the network. Subnet1 and Subnet2 are connected by a router named Router1. You need to configure the IP addresses on Router1 to ensure that IP traffic can be routed between Subnet1 and Subnet2. Which IP addresses should you assign to Router1? To answer, drag the appropriate IP address to the correct interface in the answer area.

A. 10.10.10.0
B. 10.10.10.1
C. 10.10.10.64
D. 10.10.10.65
E. 10.10.10.128
F. 10.10.10.129

Answer: DF Section: 70-642 Explanation/Reference:

QUESTION 62 Your network contains an Active Directory forest. The forest contains a member server named VPN1 that runs Windows Server 2008 R2. You configure VPN1 as a VPN server. You need to ensure that only client computers that have Windows Update enabled can establish VPN connections to VPN1. What should you install on VPN1?
A. Windows Server Update Services (WSUS)
B. Network Policy Server (NPS)
C. Health Registration Authority (HRA)
D. Connection Manager Administration Kit (CMAK)

Answer: B Section: 70-642 Explanation/Reference: Explanation: http://technet.microsoft.com/en-us/library/cc754378.aspx

QUESTION 63 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. The network contains a DHCP server named Server1 on a subnet named Subnet1. You implement a new subnet named Subnet2. Subnet2 contains a server named Server2. On Server1, you create a DHCP scope for Subnet2. You need to configure Server2 to ensure that the client computers on Subnet2 can receive IP addresses from Server1. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference:

QUESTION 64 Your network contains an Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2. Server1 contains a folder named Folder1. A domain user named User1 does not have NTFS Read permission for Folder1. You need User1 to create a backup copy of Folder1. User1 must NOT be able to restore the backup copy on Server1. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference:

QUESTION 65 Your network contains a server named Server1 that runs Windows Server 2008 R2. You need to log performance counter data from Server1 to a SQL database. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference: http://www.simple-talk.com/sql/performance/collecting-performance-data-into-a-sql-server-table/

QUESTION 66 Your network contains an Active Directory forest. The forest contains a server named server1.contoso.com. You need to ensure that all DNS clients can use DNS to resolve the single-label name of a server named Server1. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference:

QUESTION 67 Your network contains a Windows Server Update Services (WSUS) server named Server1. All client computers are configured to download updates from Server1. Server1 is configured only to synchronize manually to Microsoft Update. Your company deploys a new Microsoft application. You discover that the new application is not listed on the Products and Classifications list. You synchronize the WSUS server. You need to ensure that updates for the new application are available to all of the client computers. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference:

QUESTION 68 Your network contains an Active Directory domain. The domain contains a server that runs Windows Server 2008 R2. The server contains 10 shared folders. You need to be notified by email when users save .mp3 files to the shared folders. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference:

QUESTION 69 Your network contains an Active Directory domain. All domain controllers run Windows Server 2008 R2. The domain contains three domain controllers named DC1, DC2, and DC3. All of the domain controllers have the DNS server role installed. You create a new Active Directory-integrated DNS zone on DC1. You need to ensure that the zone is only replicated to DC1 and DC3. The solution must ensure that all zone replication traffic is encrypted. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference:

QUESTION 70 Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the DHCP server role installed. All client computers on the network obtain their network configurations from Server1. You have a client computer named Computer1. You need to configure Computer1 to use a different DNS server than the other client computers on the network. What should you do? To answer, move the appropriate actions from the Possible Actions list to the Necessary Actions area and arrange them in the correct order.

Answer:

Section: 70-642 Explanation/Reference: