Microsoft 70-648

TS: Upgrading Your MCSA on Windows Server 2003 to Windows Server 2008, Technology Specialist

Practice Test
Version: 30.0

Microsoft 70-648: Practice Exam


QUESTION NO: 1
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional. The ABC.com network has
a server named ABC-SR12. You ran the IPconfig /all command and got the following IP
configuration as shown in the exhibit:

ABC.com has a Marketing division which accesses resources located on another segment. How
would you configure ABC-SR12 to ensure users in the Marketing division are able to access ABC-SR12?
A. By enabling DHCP.
B. By changing the subnet mask to 255.255.255.0.
C. By changing the IP address to 192.108.16.2.
D. By changing the DNS Server to 192.108.16.12.
Answer: B
Explanation:
To ensure that all users are able to connect to the server, you need to change the subnet mask to
a 24-bit mask. Because the subnet mask 255.255.255.192 assigned to the server allows a maximum
of 32 hosts and places the server in a different network, the server cannot communicate with the
gateway (192.168.16.1) assigned to it. To communicate with the gateway, the server must be
in the same subnet, so the subnet mask of the server needs to be changed to a 24-bit mask, which
can have 254 hosts.
Reference: Subnet Masks & Their Effect
http://www.firewall.cx/ip-subnetting-mask-effect.php
"Pass Any Exam. Any Time." - www.actualtests.com

QUESTION NO: 2
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR08 that is configured to communicate using IPv4
addressing.
ABC.com has a Marketing division which requires remote access to shared folders on ABC-SR08
when out of office. You are configuring the Routing and Remote Access role on ABC-SR08. What else
must you do on ABC-SR08?
A. On ABC-SR08, by running the netsh interface ipv6 enable.
B. On ABC-SR08, by running the netsh ras ipv6 set access ALL
C. On ABC-SR08, by having the IPv4 Router Routing and Remote Access option enabled.
D. On ABC-SR08, by having the NAT and OSPF enabled on the IPv4 interface o
Answer: C
Explanation:
To configure routing on the server at the branch office, you need to first install the Routing and
Remote Access role on the server and then enable the IPv4 Router Routing and Remote Access
option on the server.

QUESTION NO: 3
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network contains several wireless access points (WAPs) that use 802.1x authentication. You
install Network Access Protection (NAP) on a server named ABC-SR07.
How would you configure ABC-SR07 to have NAP verify all client computer connections to the
ABC.com networks?
A. By creating and configuring an Authorization Request Policy which has Secure Sockets Layer
(SSL) as the only available authentication method.
B. By creating and configuring a Connection Request Policy which has Kerberos v5 as the only
available authentication method.
C. By creating and configuring a Connection Request Policy which allows EAP-TLS as the only
method for authentication.
D. By creating and configuring an Authorization Request Policy which has Secure Shell (SSH) as
the only available authentication method.
Answer: C
Explanation:
To ensure that all the client computers that try to access the corporate network are evaluated by
NAP, you need to create a Connection Request Policy that specifies EAP-TLS as the only
available authentication method.
By default, Windows Server 2008 supports the EAP methods: PEAP-MS-CHAP v2, EAP with
Transport Layer Security (TLS) or EAP-TLS, and PEAP-TLS.
The connection request policy can impose connection requirements. For example, for 802.1X and
VPN enforcement, the connection request policy requires the use of a Protected Extensible
Authentication Protocol (PEAP)-based authentication method. If the connecting client does not use
PEAP, the connection request is rejected.
Reference: The Cable Guy Troubleshooting NAP Enforcement / Health Requirement Policies
http://technet.microsoft.com/en-us/magazine/cc434701.aspx
Reference: What Works Differently / 802.1X Authenticated Wired and Wireless Access
http://technet2.microsoft.com/windowsserver2008/en/library/ec5b5e7b-5d5c-4d04-98ad55d9a09677101033.mspx?mfr=true

QUESTION NO: 4
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
Microsoft Windows Vista. The ABC.com network has a Routing and Remote Access computer
named ABC-SR08 that is configured as a Routing and Remote Access server running Network
Access Protection (NAP).
How should you configure ABC-SR08 to ensure that it uses Point-to-Point Protocol (PPP) authentication?
A. By using the Challenge Handshake Authentication Protocol version 2 (CHAP v2) protocol.
B. By using the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) protocol.
C. By using the Secure Shell (SSH) protocol.
D. By using the Extensible Authentication Protocol (EAP) protocol.
E. By using the Kerberos v5 protocol.
Answer: D
Explanation:
To configure the Point-to-Point Protocol (PPP) authentication method on ABC-SR08, you need to
configure the Extensible Authentication Protocol (EAP) authentication method.
Microsoft Windows uses EAP to authenticate network access for Point-to-Point Protocol (PPP)
connections. EAP was designed as an extension to PPP to be able to use newer authentication
methods such as one-time passwords, smart cards, or biometric techniques.
Reference: Making sense of remote access protocols in Windows / DIAL-UP AUTHENTICATION
http://articles.techrepublic.com.com/5100-10878_11-1058239.html

QUESTION NO: 5
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
Microsoft Windows Vista. The ABC.com network has a computer named ABC-SR08 that is
configured with the Active Directory Certificate Services (AD CS) and hosts the Network Access
Protection (NAP).
ABC.com has a division of marketing users accessing the network using portable computers. How
would you ensure that the Marketing division network users are required to use smart cards?
A. By configuring 802.1X authentication on all WAPs.
B. By configuring WPA2 and EAP-TLS authentication on all portable computers.
C. By having Extensible Authentication Protocol (EAP) used on all portable computers.
D. By configuring WPA2, 802.1X authentication and EAP-TLS on all portable computers.
E. By having Internet Protocol Security (IPSec) protocol used on all portable computers.
Answer: D
Explanation:
To configure the wireless network to accept smart cards, you need to use WPA2, 802.1X
authentication and EAP-TLS.
The use of smart cards for user authentication is the strongest form of authentication in the
Windows Server 2003 family. For remote access connections, you must use the Extensible
Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known
as EAP-Transport Level Security (EAP-TLS).
Reference: Using smart cards for remote access
http://technet2.microsoft.com/windowsserver/en/library/c19be042-6b5c-407a-952dfb6f451b5edd1033.mspx?mfr=true

QUESTION NO: 6
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
Microsoft Windows Vista. The ABC.com network has a computer named ABC-SR04 that is
configured as a Virtual Private Network (VPN) server.
ABC.com recently installed and configured a firewall in front of ABC-SR04 to protect Web
communications. How should you configure the secure connection without the need to open more
ports?
A. By using full duplex tunneling over a secure SSL channel.
B. By configuring a Point-to-Point (PPP) connection.
C. By configuring an EAP-Transport Level Security (EAP-TLS) connection.
D. By configuring a Secure Socket Tunneling Protocol (SSTP) connection.
E. By using half duplex tunneling over a secure SSL channel.
Answer: D
Explanation:
The question states that the firewall is configured to allow only secure web communications.
Secure Web Communications use SSL. Secure Socket Tunneling Protocol (SSTP) is a form of
VPN tunnel that provides a mechanism to transport PPP traffic through an SSL channel.

QUESTION NO: 7
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional. The ABC.com network has
a domain controller named ABC-SR04.
ABC.com has a Marketing division which travels frequently. How would you configure ABC-SR04
to ensure the Marketing division is able to access the network remotely when traveling? (Choose two)
A. By configuring ABC-SR04 to run the Windows Deployment Services role.
B. By configuring ABC-SR04 to run the Host Credential Authorization Protocol role service.
C. By configuring ABC-SR04 to run the Routing and Remote Access Services role service.
D. By configuring ABC-SR04 to run the Terminal Services role.
E. By configuring ABC-SR04 to run the Terminal Services Gateway role.
F. By configuring ABC-SR04 to run the Network Policy and Access Services role.
Answer: C,F
Explanation:
To configure the server as a VPN server, you need to install Network Policy and Access Services
role and Routing and Remote Access Services role service on the server. To install the Routing
and Remote Access Services role service on the server, you need to first install the Network
Policy and Access Services role on the server.
Reference: Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2) /
Install the RRAS Server Role on the VPN Server
http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSLVPN-Server-Part2.html

QUESTION NO: 8
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
Microsoft Windows Vista. The ABC.com network has a computer named ABC-SR06 that is
configured as a Virtual Private Network (VPN) server utilizing end-to-end encryption with
computer-level authentication without user names and passwords required.
ABC.com has a Marketing division which uses the VPN connection to access resources. How
would you configure the VPN connection to ensure Marketing division members are not required
to use their user names and passwords whilst utilizing computer-level authentication?
A. By using an L2TP/IPsec connection with EAP-TLS authentication.
B. By using an L2TP/IPsec connection in tunnel mode with WPA2 authentication.
C. By using an L2TP/IPsec connection with a PKI infrastructure.
D. By using an L2TP/IPsec connection with Kerberos v5 authentication.
Answer: A
Explanation: To ensure that the VPN connections between the main office and the branch offices
meet the given requirements, you need to configure an L2TP/IPsec connection to use EAP-TLS
authentication.
L2TP leverages PPP user authentication and IPSec encryption to encapsulate and encrypt IP
traffic. This combination, known as L2TP/IPSec, uses certificate-based computer identity
authentication to create the IPSec session in addition to PPP-based user authentication.
Therefore it ensures that all data is encrypted by using end-to-end encryption and the VPN
connection uses computer-level authentication. To ensure that user names and passwords cannot
be used for authentication, you need to use EAP-TLS authentication.
With EAP-TLS, the VPN client sends its user certificate for authentication and the VPN server
sends a computer certificate for authentication. This is the strongest authentication method as it
does not rely on passwords.
Reference: Virtual Private Networking with Windows Server 2003: Deploying Remote Access
VPNs / Layer Two Tunneling Protocol with IPSec/ Authentication Protocols
http://www.scribd.com/doc/2320023/DeployRasWithVPN

QUESTION NO: 9
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and half the client computers
run either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR21 that is configured to host Active Directory Certificate
Services (AD CS) and Network Access Protection.
ABC.com has a division of marketing users accessing the wireless network using portable
computers. How would you ensure that a created policy is enforced on the portable computers?
A. By configuring 802.1X authentication on all access points.
B. By configuring WPA2 and EAP-TLS authentication on all portable computers.
C. By having Extensible Authentication Protocol (EAP) used on all portable computers.
D. By configuring WPA2, 802.1X authentication and EAP-TLS on all portable computers.
E. By having Internet Protocol Security (IPSec) protocol used on all portable computers.
Answer: A
Explanation:
To ensure that NAP policies are enforced on portable computers that use a wireless connection to
access the network, you need to configure all access points to use 802.1X authentication.
802.1X enforcement enforces health policy requirements every time a computer attempts an
802.1X-authenticated network connection. 802.1X enforcement also actively monitors the health
status of the connected NAP client and applies the restricted access profile to the connection if the
client becomes noncompliant.
Reference: Microsoft Improves Security Policy Compliance with Network Access Protection
http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=4000000983

QUESTION NO: 10
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR06 that is configured as the Virtual Private Network (VPN)
server running the Network Access Protection (NAP) role.
ABC.com has a Marketing division which uses the ABC-SR06 as a Virtual Private Network (VPN)
server when traveling. How would you configure ABC-SR06 to ensure that the health of the Marketing
division client computers can be monitored? (Choose all that apply)
A. By creating a network access policy named MarketingHealth linked to the domain.
B. By configuring the Requiring trusted path for credential entry option set to Enabled.
C. By creating and configuring a Group Policy object (GPO) named Marketing.
D. By creating a network access policy named MarketingHealth and Group Policy Object (GPO)
named Marketing linked to the Domain Controllers organizational unit (OU).
E. By linking Marketing to the domain.
F. By having the Windows Security Center enabled.
Answer: C,E,F
Explanation:
The NAP replaces Network Access Quarantine Control (NAQC) in Windows Server 2003, which
provided the ability to restrict access to a network for dial-up and virtual private network (VPN)
clients. The solution was restricted to dial-up/VPN clients only.
NAP improves on this functionality by additionally restricting clients that connect to a network
directly, either wirelessly or physically using the Security Center. NAP restricts clients using the
following enforcement methods: IP security (IPsec), 802.1x, Dynamic Host Configuration Protocol
(DHCP) and VPN.
However, to enable NAP on all the clients in your domain, you should create a group policy and
link it to a domain and then enable the Security Center.
Reference: Network Access Protection
http://www.biztechmagazine.com/article.asp?item_id=382
Reference: Enabling NAP on clients through group security policies
http://forums.technet.microsoft.com/en-US/winserverNAP/thread/749e65c7-42fa-40da-84b8c8edc62b3eda/

QUESTION NO: 11
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and half the client computers
run either Microsoft Windows Vista or Windows XP Professional SP2. The ABC.com network has
a computer named ABC-SR03 that is configured to host Network Access Protection which is setup
to limit access to resources based on client computer health requirements.
How would you configure the NAP policy to prevent access to resources if the client computers do
not comply with the health requirements?
A. By creating an 802.1X network policy.
B. By creating a Kerberos v5 enforcement network policy.
C. By creating an IPSec enforcement network policy.
D. By creating a Layer 2 Tunneling Protocol enforcement policy.
E. By creating a Network Policy restricting remote connections.
Answer: C
Explanation:
Because the scenario suggests the configuration of the security policy on the network, you need to
create an IPSec enforcement network policy as a Network Access Protection Mode to ensure that
personal portable computers that don't comply with policy requirements are prohibited from
accessing company resources.
IPSec enforcement network policy authenticates NAP clients when they initiate IPsec-secured
communications with other NAP clients.
Reference: NAP protects networks by restricting client connections
http://www.biztechmagazine.com/article.asp?item_id=382
Reference: The Cable Guy IEEE 802.1X Wired Authentication
http://technet.microsoft.com/en-us/magazine/cc194418.aspx

QUESTION NO: 12
You work as an enterprise administrator at ABC.com. The ABC.com network has a
domain named ABC.com. All servers on the domain run Microsoft Windows Server 2008 and half
the client computers run either Microsoft Windows Vista or Microsoft Windows XP Professional.
The ABC.com network has a computer named ABC-SR12 that is configured with a SAN that has
multiple physical disk drives attached.
You have received instructions from management to execute a data archiving script on ABC-SR12.
However, it should only be executed when any of the logical drives has less than 25% free
space left.
How would you ensure the archiving script executes automatically when the condition is met?
A. By using a Resource View to view the free space of the physical disks in Windows Reliability
and Performance Monitor and executing the archiving script.
B. By creating an alert which is triggered when free disk space falls below 30% and executes the
archiving script.
C. By adding the Performance counter alert to the Data Collector Set.
D. By creating a counter log to track disk space usage in Performance console.
Answer: C
Explanation: To automatically run a data archiving script if the free space on any of the logical
drives is below 30 percent and to automate the script execution by creating a new Data Collector
Set, you need to add the Performance counter alert.
The Performance counter alert creates an alert if a performance counter reaches a threshold that
you specify.
You can configure your data collector set to automatically run at a scheduled time, to stop running
after a number of minutes, or to launch a task after running. You can also configure your data
collector set to automatically run on a scheduled basis. This is useful for proactively monitoring
computers.
Reference: Creating a Snapshot of a Computer's Configuration with Data Collector Sets in Vista /
How to Create Custom Data Collector Sets
http://www.biztechmagazine.com/article.asp?item_id=241

QUESTION NO: 13
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. ABC.com has three
computers configured as follows:
ABC-SR14 configured with Event Log subscription monitoring ABC-SR15 and ABC-SR16
configured as a domain controller.
ABC-SR15 configured as a domain controller.
ABC-SR16 configured as a domain controller.
During the course of the day ABC.com instructs you to create the subscription using ABC-SR15 or
ABC-SR16 which fails as the operation does not complete. You then create a collector subscription
configuration file called config.xml on ABC-SR14.
What steps should you perform next to ensure that the required subscription can be created using
either ABC-SR15 or ABC-SR16?
A. By executing the wecutil cs config.xml command on ABC-SR14.
B. By executing the wecutil qc command on ABC-SR15.
C. By executing the winrm connect command on ABC-SR16.
D. By executing the winrm allow command on ABC-SR16.
Answer: A
Explanation: To configure a subscription on ABC-SR14, you need to first create an event
collector subscription configuration file and name the file subscription.xml. You then need to run
the wecutil cs subscription.xml command on ABC-SR14.
This command enables you to create and manage subscriptions to events that are forwarded from
remote computers, which support WS-Management protocol. wecutil cs subscription.xml
command will create a subscription to forward events from a Windows Vista Application event log
of a remote computer at ABC.com to the ForwardedEvents log.
Reference: Wecutil
http://technet2.microsoft.com/windowsserver2008/en/library/0c82a6cb-d652-429c-9c3d0f568c78d54b1033.mspx?mfr=true

QUESTION NO: 14
You work as an enterprise administrator at ABC.com. The ABC.com network has a domain named
ABC.com. All servers on the domain run Microsoft Windows Server 2008 and all client computers
run Microsoft Windows Vista. The ABC.com network has a computer named ABC-SR20 that is
configured to host WSUS.
During the course of the day you receive instruction from ABC.com to ensure the domain servers
retrieve approved updates from ABC-SR20.
How should you accomplish this?
A. By opening Control Panel from the Start Menu and configuring Windows Update settings on the
domain servers.
B. By opening Control Panel from the Start Menu and configuring Windows Update Settings on
the domain servers using the local group policy.
C. By configuring ABC-SR20 as a Proxy server and executing the wuauclt.exe command on the
domain servers.
D. By opening Control Panel from the Start Menu and configuring Windows Update Settings on
the domain servers using the domain group policy.
Answer: B
Explanation: You need to configure the Windows Update Settings on each server by using the
local group policy to receive updates from ABC-SR20. Microsoft suggests the use of Group Policy
for setting up computers and WSUS in clients.
Reference: What does wuauclt.exe /detectnow do
http://www.wsus.info/forums/lofiversion/index.php?t6505.html
Reference: Adding Computers to WSUS 3.0 SP1 (Windows Server 2008)
http://www.geekzone.co.nz/chakkaradeep/4564

QUESTION NO: 15
You work as an enterprise administrator at ABC.com. ABC.com has a domain named
ABC.com. All servers on the domain run Microsoft Windows Server 2008 and all client computers
run Microsoft Windows Vista. The ABC.com network contains two computers named ABC-SR08
and ABC-SR12 that are configured as WSUS servers.
How should you configure ABC-SR08 to receive approved updates from ABC-SR12?
A. By configuring ABC-SR12 as a proxy server.
B. By opening Control Panel from the Start Menu and configuring Windows Update Settings on
ABC-SR08 in the domain group policy.
C. By configuring ABC-SR12 as an upstream server on ABC-SR08.
D. By configuring ABC-SR08 as a downstream server on ABC-SR12.
Answer: C
Explanation: To configure WSUS on ABC-SR22 so that the ABC-SR23 receives updates from
ABC-SR22, you need to configure ABC-SR22 as an upstream server. The WSUS hierarchy model
allows a single WSUS server to act as an upstream server and impose its configuration on those
servers configured as downstream servers below it.
A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode,
the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It
is also the only server that an administrator has to manually configure computer groups and
update approvals on. All information downloaded and configured on to an upstream server is
replicated directly to all of the devices configured as downstream servers.
Reference: Deploying Microsoft Windows Server Update Services / WSUS in a Large LAN
http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-ServerUpdate-Services.html

QUESTION NO: 16
You are working as an enterprise administrator at ABC.com. ABC.com has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers
run either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a domain controller named ABC-DC04 that runs the Windows Server Backup feature.
ABC.com has recently discovered that someone has deleted the Organizational Unit (OU) named
Marketing from ABC-DC04. You need to recover the Marketing OU by running a non-authoritative
restore from the latest backup media.
How would you have the non-authoritative restore performed on ABC-DC04 without disrupting the
other data stored on the domain controller?
A. By using the incremental backup created of all the volumes.
B. By using the Critical volume backup.
C. By using the backup of the User state and backup of the volume that hosts Operating system.
D. By using the backup of the System and User state and backup of AD DS folders.
Answer: B
Explanation: If you do not want to disrupt the data stored on the domain controller, you need to use a
critical volume backup to perform a non-authoritative restore of AD DS.
You must first complete a non-authoritative restore before performing an authoritative restore of
AD DS. You must ensure that the replication does not occur after the non-authoritative restore. You
must do a critical-volume backup before you perform a non-authoritative restore. To prevent the
replication from occurring after the non-authoritative restore and to perform the authoritative restore
portion of the operation, you must restart the domain controller in Directory Services Restore
Mode and perform the authoritative restore at the domain controller that you are restoring. You
should start the domain controller normally after performing the authoritative restore of AD DS.
You should also synchronize replication with all replication partners.

QUESTION NO: 17
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR15 that is configured to host Active Directory Lightweight
Directory Services (AD LDS).
How would you create Organizational Units for the network divisions in the Active Directory
Lightweight Directory Services (AD LDS) application directory partition?
A. By using Active Directory Sites and Services to create the OUs.
B. By using the ADSI Edit Snap-in on the AD LDS application directory partition to create the OUs.
C. By running the Dsmgmt command to create the OUs.
D. By using Active Directory Domains and Trusts snap-in to create the OUs on the AD LDS
application directory partition.
Answer: B
Explanation: You need to use the ADSI Edit snap-in to create new OUs in the AD LDS
application directory partition. You also need to add the snap-in in the Microsoft Management
Console (MMC).

QUESTION NO: 18
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2.
ABC.com has its headquarters in Chicago and a Marketing division in Boston. The ABC.com
network contains two domain controllers named ABC-DC04 and ABC-DC05. ABC-DC04 is located
in the Chicago office while ABC-DC05 is a Read-Only Domain Controller (RODC) that is located in
the Boston office. Currently, ABC.com users in the Marketing division are using ABC-DC04 to log
onto the domain.
How would you make sure that ABC-DC05 can be used by the Marketing division to log onto the
domain?
A. By deploying a computer running Active Directory Certificate Services (AD CS).
B. By using a Password Replication Policy on the RODC.
C. By installing and configuring an Active Directory Federation Services (AD FS) front-end server.
D. By deploying a computer running Active Directory Lightweight Directory Services (AD LDS) and
Active Directory Domain Services (AD DS).
Answer: B
Explanation: You should use the Password Replication Policy on the RODC. This will allow the
users at the Dallas office to log on to the domain with RODC. RODCs don't cache any user or
machine passwords.

QUESTION NO: 19
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR05 that is configured to host the Active Directory Lightweight
Directory Services (AD LDS) service. You install a new server named ABC-SR06.
How would you replicate Active Directory Lightweight Directory Services (AD LDS) from ABC-SR05 to ABC-SR06?
A. By using the ADSI Edit Snap-in to replicate the AD LDS instance.
B. By creating and installing a replica of AD LDS running the AD LDS Setup wizard on ABC-SR06.
C. By using the xcopy command to copy the entire AD LDS instance.
D. By using Active Directory Sites and Services to replicate the AD LDS instance.
Answer: B
Explanation: You need to run the AD LDS setup wizard on the computer in the lab to create and
install a replica of AD LDS. In the AD LDS setup wizard there will be an option to replicate the AD
LDS instance on another computer.

QUESTION NO: 20
You are a newly appointed enterprise administrator at ABC.com. ABC.com has a domain named
ABC.com that operates in the domain functional level of Windows Server 2003 Native Mode. The
client computers at ABC.com run either Microsoft Windows Vista or Microsoft Windows XP
Professional SP2. The ABC.com network has a computer named ABC-SR08 that is configured to
run the Active Directory Rights Management Services (AD RMS).
ABC.com has a Marketing division which works with documents that contain confidential company
information. How would you configure ABC-SR08 allowing the Marketing division to secure these
documents?
A. By creating and configuring an e-mail account in Active Directory Domain Services (AD DS) for
each Marketing division user.
B. By deploying Active Directory Certificate Services (AD CS) to ABC-SR08 using a group policy
to create e-mail accounts for the Marketing division.
C. By upgrading the domain servers to Microsoft Windows Server 2008 and raising the domain
functional level to Windows Server 2008.
D. By deploying Active Directory Federation Services (AD FS) to ABC-SR08 using a group policy
to create e-mail accounts for the Marketing division.
E. By upgrading the domain servers to Microsoft Windows Server 2008.
Answer: A
Explanation: You need to configure an email account in Active Directory Domain Services (AD
DS) for the user. Doing this you will be able to configure AD RMS to enable users to use it and
protect their documents. You can use Microsoft Word, Outlook, or PowerPoint in Microsoft Office
2007 to enable AD RMS. AD RMS can be integrated with other technologies such as smart cards.
Reference: Active Directory Rights Management Services Overview
http://technet2.microsoft.com/windowsserver2008/en/library/74272acc-0f2d-4dc2-876f15b156a0b4e01033.mspx?mfr=true

QUESTION NO: 21
You are the newly appointed enterprise administrator at ABC.com. You work as the network
administrator at ABC.com. The ABC.com Active Directory forest has a domain named ABC.com
that operates at a forest functional level of Windows Server 2008. The ABC.com network servers
run Microsoft Windows Server 2008 and the client computers run Microsoft Windows Vista. The
ABC.com network has a computer named ABC-SR08 that is configured to run the Active Directory
Rights Management Services (AD RMS). ABC.com has recently decided to deploy Microsoft SQL
Server 2005 on ABC-SR08.
How would you configure ABC-SR08 to run the SQL Server when the Active Directory Rights
Management Services administration Web site displays the error message stating "SQL Server
does not exist or access denied." (Choose two)?
A. By restarting the Task Scheduler service on ABC-SR08.
B. By starting the MSSQLSVC service on ABC-SR08.
C. By restarting the Net Logon service on ABC-SR08.
D. By restarting the AD RMS service on ABC-SR08.
E. By starting the Workstation service on ABC-SR08.
Answer: B,D
Explanation:

QUESTION NO: 22
You work as the enterprise administrator at ABC.com. The ABC.com network has a forest with a
domain named ABC.com. The ABC.com network has a member server named ABC-SR04 that
hosts the Active Directory Federation Services (AD FS) role.
What action should you take to have Active Directory domain data in the AD FS tokens?
A. By creating and configuring a new account store.
B. By opening a browser window to type the Federation Service URL for ABC-SR04.
C. By checking Event Viewer applications and Event ID columns for the ID 674 event.
D. By deploying and installing Active Directory Domain Services (AD DS) configured as a new
resource partner.
E. By deploying and installing Active Directory Certificate Services (AD CS) configured as a new
resource partner
Answer: A
Explanation: In order to configure the AD FS trust policy to populate AD FS tokens with
employees' information from the Active Directory domain, you need to add and configure a new
account store.
AD FS allows the secure sharing of identity information between trusted business partners across
an extranet. When a user needs to access a Web application from one of its federation partners,
the user's own organization is responsible for authenticating the user and providing identity
information in the form of "claims" to the partner that hosts the Web application. The hosting
partner uses its trust policy to map the incoming claims to claims that are understood by its Web
application, which uses the claims to make authorization decisions. Because claims originate from
an account store, you need to configure an account store in order to configure the AD FS trust policy.
Reference: Active Directory Federation Services
http://msdn2.microsoft.com/en-us/library/bb897402.aspx

QUESTION NO: 23
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR08 that is configured as the Network Access Policy (NAP)
server.
How would you configure ABC-SR08 to ensure that only the tunnel interface and the IPv6
Loopback interface are running IPv6?
A. By running the netsh -r command at the command prompt.
B. By clearing the check box stating Internet Protocol Version 6 (TCP/IPv6) from the Local Area
Connection Properties window.
C. By running the netsh -c command at the command prompt.
D. By running the netsh -a command at the command prompt.
Answer: B
Explanation:
To disable IPv6 for all connections except for the tunnel interface and the IPv6 Loopback interface,
you need to uncheck Internet Protocol Version 6 (TCP/IPv6) from the Local Area Connection
Properties window.
This is because unlike Windows XP and Windows Server 2003, IPv6 in Windows Vista and
Windows Server 2008 cannot be uninstalled. However, you can disable IPv6 in Windows Vista
and Windows Server 2008 by doing one of the following: In the Network Connections folder, obtain
properties on all of your connections and adapters and clear the check box next to the Internet
Protocol version 6 (TCP/IPv6) components in the list.
This method disables IPv6 on your LAN interfaces and connections, but does not disable IPv6 on
tunnel interfaces or the IPv6 loopback interface.
Reference: IPv6 for Microsoft Windows: Frequently Asked Questions
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx

QUESTION NO: 24
You work as the enterprise administrator at ABC.com. ABC.com has a forest with a domain
named ABC.com. The ABC.com network servers run Microsoft Windows Server 2008 and the
client computers run either Microsoft Windows Vista or Microsoft Windows XP Professional. The
ABC.com network has two DHCP servers named ABC-SR04 and ABC-SR05.
How would you configure ABC-SR05 to ensure a client computer named ABC-WS648 receives a
client reservation?
A. By adding a DHCP reservation for ABC-WS648 to ABC-SR05.
B. By adding a DHCP reservation for ABC-WS648 to ABC-SR04.
C. By running the netsh DHCP command on ABC-WS648.
D. By running the ipconfig /renew command on ABC-WS648.
E. By running the ipconfig /release command on ABC-WS648.
Answer: A
Explanation:
A reservation is a specific IP address that is tied to a certain device through its MAC address.
By adding a reservation, you ensure that a machine always receives the same IP address from the
DHCP server.
In the above scenario you simply need to add the DHCP reservation for ABC-WS648 to the
second DHCP server as well, so that the same reservation is available on the other DHCP
server.
Reference: Configure a DHCP server in Windows Server 2008
http://www.zdnetindia.com/index.php?action=articleDescription&prodid=18616
Reference: DHCP Reservations and Exclusions
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Network/DHCPReservationsandExclusions.html

QUESTION NO: 25
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional. ABC.com has two servers
named ABC-SR05 and ABC-SR06. ABC-SR05 is configured as a domain controller with an IPv4
address 10.16.12.100/21 while ABC-SR06 is using the IP address 10.16.10.90/21.
How would you use ABC-SR05 to verify IPv6 communication to ABC-SR06?
A. By running the ping 192.168.10.90 command on the computer.
B. By running the pathping command with the Link-local address of the computer.
C. By running the tracert command with the Site-local address of the computer.
D. By running the ping command with the Link-local address of the computer.
Answer: D
Explanation:
To test IPv6 communication to a server, you need to type ping followed by the Link-local address
of the server. Link-local addresses are network addresses which are intended only for use in a
local data link layer network, and not for routing beyond that network.
Link-local addresses are often used for network address autoconfiguration where no external
source of network addressing information is available.
Windows Vista, Windows Server 2008, Windows XP with SP1 or later, and Windows Server 2003
include an IPv6-enabled version of the Ping.exe tool.
Reference: Test an IPv6 configuration by using the ping command
http://technet2.microsoft.com/windowsserver/en/library/8478cc0b-1613-431b-8130529735d2945b1033.mspx?mfr=true
Reference: link-local address
http://www.answers.com/topic/link-local-address-1?cat=technology

QUESTION NO: 26
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional. The ABC.com network has
a computer named ABC-SR06 that is configured to run Network Address Translation (NAT).
During the course of the day ABC.com deploys an additional computer named ABC-SR08 to
facilitate the launch of a new office.
How would you make sure that you are able to make a Remote Desktop Protocol (RDP)
connection to ABC-SR08?
A. By configuring port forwarding on ABC-SR06 to forward to port 3389.
B. By configuring port forwarding on ABC-SR06 to forward to port 110.
C. By configuring port forwarding on ABC-SR06 to forward to port 21.
D. By configuring port forwarding on ABC-SR06 to forward to port 80.
E. By configuring port forwarding on ABC-SR06 to forward to port 443.
Answer: A
Explanation:
To ensure that administrators can access the server by using Remote Desktop
Protocol (RDP), you need to configure ABC-SR06 to forward port 3389 to ABC-SR08.
The Remote Desktop Protocol is designed to work across TCP port 3389. If you are attempting to
connect to a remote machine that sits behind a firewall, then the firewall must allow traffic to flow
through TCP port 3389.
Reference: Troubleshooting Remote Desktop / The Remote Computer Cannot be Found
http://www.windowsnetworKing.com/articles_tutorials/Troubleshooting-Remote-Desktop.html

QUESTION NO: 27
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network contains two computers named ABC-SR10 and ABC-SR12. ABC-SR10 is running the
Active Directory Certificate Services (AD CS) service and ABC-SR12 is running Network Access
Protection (NAP).
ABC.com has a Marketing division which uses portable computers to access resources during the
business day. These computers connect to the ABC.com network via wireless access points
(WAPs).
How would you configure the Marketing division's portable computers to ensure that smart cards
can be used?
A. By using WPA2, CHAP and MSCHAP v2 authentication on portable computers.
B. By using WPA2, 802.1X authentication and EAP-TLS authentication on portable computers.
C. By using WPA, EAP, MD5 hashing with strong user passwords on portable computers.
D. By using WEP, EAP, MSCHAP authentication with MD5 hashing on portable computers.
Answer: B
Explanation: To configure the wireless network to accept smart cards, you need to use WPA2,
802.1X authentication and EAP-TLS.
The use of smart cards for user authentication is the strongest form of authentication in the
Windows Server 2003 family. For remote access connections, you must use the Extensible
Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known
as EAP-Transport Level Security (EAP-TLS).
Reference:
Using smart cards for remote access
http://technet2.microsoft.com/windowsserver/en/library/c19be042-6b5c-407a-952dfb6f451b5edd1033.mspx?mfr=true

QUESTION NO: 28
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional. The ABC.com network has
a computer named ABC-SR08 that is configured to run Network Access Protection (NAP).
ABC.com wants only client computers that have the latest critical and important updates installed
to be allowed to access resources on the network.
How would you implement this using a Group Policy Object (GPO)?
A. By having the automatic updates service disabled for the Marketing division.
B. By quarantining clients that do not have the required security updates installed.
C. By having the Windows Firewall enabled for the Marketing division on the Default Domain
Group Policy.
D. By configuring a policy to restrict remote connections for a health check.
E. By having the Windows Security Center enabled for the Marketing division on the Default
Domain Group Policy.
Answer: B
Explanation:
To ensure that client computers meet the company policy requirement, you need to quarantine
clients that do not have all available security updates installed.
Using the NAP Client Configuration tool, you can configure separate enforcement policies for
remote access clients. Administrators can use NAP to enforce health requirements for all
computers that are connected to an organization's private network, regardless of how those
computers are connected to the network. You can use NAP to improve the security of your private
network by ensuring that the latest updates are installed before users connect to your private
network. If a client computer does not meet the health requirements, you can prevent the
computer from connecting to your private network. To enforce remote access NAP, open NAP
Client Configuration tool, double-click Remote Access Quarantine Enforcement Client, and then
select the Enable This Enforcement Client check box.
Reference: Understanding Network Access Protection / Using Network Access Protection
http://e-articles.info/e/a/title/Network-Access-Protection-(NAP)-in-Windows-Vista/

QUESTION NO: 29
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
ABC.com has its headquarters located in Miami. The ABC.com domain servers run Microsoft
Windows Server 2008 and the client computers run either Microsoft Windows Vista or Microsoft
Windows XP Professional SP2. The ABC.com network has a Routing and Remote Access
Services (RRAS) server named ABC-SR08.
ABC.com has a Marketing division with remote users contained in a group named KingRemote.
Members of KingRemote require access to the domain when out of the office. During the course
of the day ABC.com discovers that stringent security settings are required when remotely
accessing the domain. You started the maintenance by creating a remote access policy.
How should you make sure members of KingRemote use smartcards when accessing ABC-SR08
from remote locations?
A. By creating a remote access policy enabling users to authenticate connections using Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS).
B. By creating a remote access policy enabling users to authenticate connections using Secure
Shell (SSH).
C. You should consider a remote access policy that requires Kerberos v5 authentication.
D. By creating a remote access policy enabling users to authenticate connections using Internet
Protocol Security (IPSec).
Answer: A
Explanation:
You should create a remote access policy that allows users to use Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS) because EAP-TLS requires a user certificate for the user
requesting access and a computer certificate for the authenticating server. The other options, such as
SSH and IPSec with Kerberos, are not right.

QUESTION NO: 30
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
Microsoft Windows Vista. The ABC.com network has a server named ABC-SR08 that is used to
store documents that contain confidential information.
How should you configure ABC-SR08 to be more secure?
A. By using the Domain Profile in Windows Firewall and Blocking all connections.
B. By using the Internal Profile in Windows Firewall and Blocking all connections.
C. By disabling the Secondary Logon Service in the Services snap-in.
D. By disabling the Browser service in the Services snap-in.
E. By disabling Net Logon service in the Services snap-in.
Answer: A
Explanation:
To immediately disable all incoming connections to the server, you need to enable the Block all
connections option on the Domain Profile from Windows Firewall.
You can configure inbound connections to Block all connections from Windows Firewall by
configuring Firewall properties. When Block all connections is configured for a Domain profile,
Windows Firewall with Advanced Security ignores all inbound rules, effectively blocking all
inbound connections to the domain.
Reference: Configuring firewall properties
http://technet2.microsoft.com/windowsserver2008/en/library/19b429b3-c32b-4cbd-ae2a8e77f2ced35c1033.mspx?mfr=true

QUESTION NO: 31
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has a computer named ABC-SR11 that is configured to run Remote Desktop using the
default settings.
How would you configure the Remote Desktop connection to ensure secure connections between
ABC-SR11 and accessing clients?
A. By configuring Windows Firewall to block communications via port 80 on the firewall.
B. By obtaining user certificates from the internal certificate authority.
By allowing connections to Remote Desktop client computers that use Network Level
Authentication only.
C. By configuring Windows Firewall to block communications via port 443 on the firewall.
D. By obtaining user certificates from the external certificate authority.
By allowing connections to Remote Desktop client computers that use Network Level
Authentication only.
E. By configuring Windows Firewall to block communications via port 25 on the firewall.
Answer: B
Explanation:
To ensure the RDP connections are as secure as possible, you need to first acquire user
certificates from the internal certificate authority and then configure each server to allow
connections only to Remote Desktop client computers that use Network Level Authentication.
In the pre-W2008 Terminal Server, you entered the name of the server and a connection was
initiated to its logon screen. Then, at that logon screen, you attempted to authenticate. From a
security perspective, this isn't a good idea, because by doing it in this manner you're actually
getting access to a server prior to authentication (the access you're getting is right to a session
on that server), and that is not considered a good security practice.
NLA, or Network Level Authentication, reverses the order in which a client attempts to connect.
The new RDC 6.0 client asks you for your username and password before it takes you to the
logon screen. If you're attempting to connect to a pre-W2008 server, a failure in that initial logon
will fail back to the old way of logging in. NLA shines when connecting to Windows Vista computers
and W2008 servers with NLA configured: it prevents the failback authentication from ever
occurring, which prevents the bad guys from gaining access to your server without a successful
authentication.
Reference: Server 2008 Terminal Services Part 2: NLA Network Level Authentication
http://www.realtime-windowsserver.com/tips_tricks/2007/06/server_2008_terminal_services_2.htm

QUESTION NO: 32
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
either Microsoft Windows Vista or Microsoft Windows XP Professional. The ABC.com network has
a computer named ABC-SR10 that is configured to host Windows Server Update Services
(WSUS) service.
How would you configure ABC-SR10 to have traffic to and from ABC-SR10 encrypted?
A. By configuring and using Integrated Windows Authentication (IWA).
B. By disabling Basic Authentication setting on ABC-SR10.
C. By configuring and using SHA encryption on the web site.
D. By configuring and using SSH encryption on the web site
E. By enabling Active Directory Client Certificate Authentication on ABC-SR10.
F. By configuring and using Internet Protocol Security (IPSec) on the Web site.
Answer: A
Explanation: To make sure of the encryption, you need to configure IIS to disable anonymous
access to the ServerSyncWebService virtual directory. After that you need to select Integrated
Windows authentication.
SSL encryption will not work. This means that the entire traffic must be encrypted, whereas WSUS
only encrypts metadata traffic.
Reference: Plan and Assess: Using Windows Server Update Services (WSUS)
http://technet.microsoft.com/en-us/updatemanagement/bb245871.aspx

QUESTION NO: 33
You are employed as an enterprise administrator at ABC.com. The ABC.com has a domain
named ABC.com. All servers on the domain run Microsoft Windows Server 2008 and all client
computers run either Microsoft Windows Vista or Microsoft Windows XP Professional. The
ABC.com network has a Web server named ABC-SR05 that is configured to run Internet
Information Services (IIS). During the course of the day ABC.com instructs you to configure ABC-SR05 to store information using Reliability Monitor.
How can you accomplish this task?
A. By having the Remote Access Auto Connection Manager service set to start automatically on
the ABC-SR05.
B. By having the Net Logon service set to start automatically on the ABC-SR05.
C. By having the Task scheduler service set to start automatically on the ABC-SR05.
D. By having the Error Reporting Services service set to start automatically on the ABC-SR05.
Answer: C
Explanation: To configure the ABC-SR05 to collect the reliability monitor data, you need to
configure the Task scheduler service to start automatically.
Reliability Monitor uses data provided by the RACAgent scheduled task, a pre-defined task that
runs by default on a new installation of Windows Vista. The seamless integration between the
Task Scheduler user interface and the Event Viewer allows an event-triggered task to be created
with just five clicks.
In addition to events, the Task Scheduler in Windows Vista / Server 2008 supports a number of
other new types of triggers, including triggers that launch tasks at machine idle, startup, or logon.
Because you need Task Scheduler to collect reliability monitor data, you need to
configure the Task scheduler service to start automatically.
Reference: Network Monitor 3.1 OneClick now what? / Task Scheduler Changes in Windows
Vista and Windows Server 2008 Part One
http://blogs.technet.com/askperf/
Reference: What allows the Reliability Monitor to display data?
http://www.petri.co.il/reliability_monitor_windows_vista.htm

QUESTION NO: 34
You work as an enterprise administrator at ABC.com. The ABC.com has a domain named
ABC.com. All servers on the domain run Microsoft Windows Server 2008 and all client computers
run either Microsoft Windows Vista or Microsoft Windows XP Professional. ABC.com makes use
of two computers named ABC-DC04 and ABC-DC05.
During the course of the day you configure event subscriptions with ABC-DC05 as the default
subscription on ABC-DC04.
How can we now review the system event for ABC-DC05?
A. By opening the Event Viewer on ABC-DC05.
B. By opening the System log on ABC-DC04.
C. By opening the Forwarded Events log on ABC-DC04.
D. By opening the Error log on ABC-DC05.
Answer: C
Explanation: To review the system events for ABC-DC05, you need to view the Forwarded
Events log on ABC-DC04, which is configured to centrally manage events.
The Event Collector service can automatically forward event logs to other remote systems, running
Windows Vista or Windows Server 2008 on a configurable schedule. Event logs can also be
remotely viewed from other computers or multiple event logs can be centrally logged and
monitored and managed from a single computer.
Reference: Event Viewer
http://en.wikipedia.org/wiki/Event_Viewer

QUESTION NO: 35
You work as the enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run
Microsoft Windows Vista. The ABC.com network has a Web server named ABC-SR09 that is
configured to run Internet Information Services (IIS).
ABC.com users complain of slow response times when they access web sites on ABC-SR09. You
investigate and discover ABC-SR09 has maximum CPU usage.
How would you gather diagnostic data regarding this problem?
A. By using Windows Reliability and Performance Monitor to check percentage of processor
capacity used.
B. By using a counter log to track the processor usage.
C. By checking the security log for Performance events.
D. By checking the error log for performance events.
E. By checking the application log for events.
F. By checking the Internet Explorer log for events.
Answer: A
Explanation:
To gather additional data to diagnose the cause of the problem, you need to use the Resource
View in Windows Reliability and Performance Monitor to see the percentage of processor capacity
used by each application.
The Resource View window of Windows Reliability and Performance Monitor provides a real-time
graphical overview of CPU, disk, network, and memory usage. By expanding each of these
monitored elements, system administrators can identify which processes are using which
resources. In previous versions of Windows, this real-time process-specific data was only
available in limited form in Task Manager.
Reference: Windows Reliability and Performance Monitor
http://technet.microsoft.com/en-us/library/cc755081.aspx

QUESTION NO: 36
ABC.com has employed you as a network administrator. ABC.com has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and the client
computers run either Microsoft Windows XP Professional SP2 or Microsoft Windows Vista. The
ABC.com network has a computer named ABC-SR06 that is running Active Directory Certificate
Services (AD CS) and configured as the Enterprise Root Certification Authority (CA). ABC.com
has recently configured the firewall on ABC-SR06 to block communication over ports 443 and 80.
How would you configure ABC-SR06 to ensure that certificates can be requested using a web
browser?
A. By deploying an additional computer running Active Directory Federation Services (AD FS) and
the Certification Authority Web Enrollment Role Service.
B. By deploying an additional computer running Active Directory Domain Services (AD DS) and
the Certification Authority Web Enrollment Role Service.
C. By deploying an additional computer running the Certification Authority Web Enrollment Role
Service and ensure Background Intelligent Transfer Service (BITS) is enabled.
D. By deploying an additional computer running the Certification Authority Web Enrollment Role
Service.
Answer: D
Explanation:

QUESTION NO: 37
You work as an enterprise administrator at ABC.com. ABC.com has a domain named ABC.com.
All servers on the ABC.com network run Windows Server 2008 and all client computers run either
Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com network has a
domain controller named ABC-DC08 that is backed up every night. ABC.com has a Marketing
division with an organizational unit (OU) named MarketingDiv.
You have recently created an OU in the MarketingDiv OU named MarketingComp that contains
the client computers of the Marketing division. During the course of the day the MarketingComp
OU was accidentally deleted.
How would you recover the MarketingComp OU without affecting other OUs in MarketingDiv?
A. By using the system state from the most recent backup to restore MarketingDiv.
B. By using the user state from the most recent backup to restore MarketingComp.
C. By doing an authoritative restore of MarketingDiv.
D. By doing an authoritative restore of MarketingComp.
Answer: D
Explanation:

QUESTION NO: 38
ABC.com has employed you as a network administrator. ABC.com has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and the client
computers run either Microsoft Windows XP Professional or Microsoft Windows Vista. The
ABC.com network contains two domain controllers named ABC-DC04 and ABC-DC05.
You have become aware of malicious users trying to access the ABC.com network.
How would you track unsuccessful attempts by malicious users to logon to the network?
A. By checking the Event Viewer Internet Explorer log on ABC-DC04 and ABC-DC05.
B. By checking the Windows error log on ABC-DC04 and ABC-DC05.
C. By checking the Event Viewer security log on ABC-DC04 and ABC-DC05.
D. By executing the netsh /events command on the command prompt on ABC-DC04 and ABC-DC05.
Answer: C
Explanation: In order to identify the logon attempts on the domain controllers you need to access
the Event Viewer and check the logon attempts. The Event Viewer will tell you the IP address and
other details of the user account which was used to logon to the domain controllers.

QUESTION NO: 39
ABC.com has hired you as a systems administrator for their network. ABC.com has a domain
named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client
computers run either Microsoft Windows Vista or Microsoft Windows XP Professional SP2.
ABC.com has three domain controllers named ABC-DC04, ABC-DC05 and ABC-DC06.
How can you verify replication between the domain controllers?
A. By using the Network Monitor utility to troubleshoot directory replication.
B. By using Event Viewer to troubleshoot directory replication.
C. By using Task Manager utility to troubleshoot directory replication.
D. By using the RepAdmin utility to troubleshoot directory replication.
Answer: D
Explanation: To accomplish this you need to make use of the RepAdmin utility to troubleshoot the
directory replication. RepAdmin is used to monitor Active Directory replication and topology, as
well as to force replication.
Reference: Syngress.The.Real.MCTS.MCITP.Exam.70-648.Prep.Kit.Mar.2008

QUESTION NO: 40
You are working as an enterprise administrator at ABC.com. ABC.com has a forest with a domain
named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client
computers run either Microsoft Windows Vista or Microsoft Windows XP Professional. The
ABC.com network has a domain controller named ABC-DC08 with the Directory Services
Recovery Mode (DSRM).
Which of the utilities listed below would be suitable to use when required to have the DSRM
password on ABC-DC08 reset?
A. By using Active Directory Security for Computers snap-in.
B. By using the ntdsutil utility.
C. By using the Netsh utility.
D. By using the Domain Controller security snap-in.
Answer: B
Explanation: You should use the ntdsutil utility to reset the DSRM password. You can use
Ntdsutil.exe to reset this password for the server on which you are working, or for another domain
controller in the domain. Type ntdsutil and at the ntdsutil command prompt, type set dsrm
password.
Reference: http://support.microsoft.com/kb/322672

QUESTION NO: 41
You are the newly appointed enterprise administrator at ABC.com. ABC.com has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and the client
computers run either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The
ABC.com network has a domain controller named ABC-DC08 that is hosting ntds.dit file on its
secondary hard disk labeled drive D.
Which of the processes would you use when required to move the ntds.dit file to a newly installed
volume?
A. By using the Files option in the Ntdsutil utility and moving the ntds.dit file to the new volume.
B. By using the Windows PowerShell Copy Paste function to move the ntds.dit file to the new
volume.
C. By using XCOPY to move ntds.dit file to the new volume.
D. By using Windows Explorer to move ntds.dit file to the new volume.
Answer: A
Explanation: The way you move the Active Directory database to a new volume, is to move the
ntds.dit file to the new volume by opening the Files option in the ntdsutil utility. Use Ntdsutil.exe to
move the database file, the log files, or both to a larger existing partition.
Reference: http://technet2.microsoft.com/windowsserver/en/library/af6646aa-2360-46e4-81cad51707bf01eb1033.mspx?mfr=true

QUESTION NO: 42
You are working as an enterprise administrator at ABC.com. ABC.com has a forest with a domain
named ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client
computers run either Microsoft Windows Vista or Microsoft Windows XP Professional. The
ABC.com network has a computer named ABC-DC08 that is configured as the domain controller
and backup server.
ABC.com recently added an additional hard disk partitioned into three logical drives. During the
course of the day ABC-DC04 suffers a catastrophic hard disk failure. You replace the hard disk
and partition it into three logical drives of the same size as the original hard disk.
How would you recover the operating system and files?
A. By using the Automated System Recovery disk after rebooting ABC-DC04.
B. By using the backup utility to restore the system state from the recent backup.
C. By using Disk defragment before restoring the system and user states.
D. By starting ABC-SC08 from the Windows Server 2008 installation DVD and using the wbadmin
utility.
Answer: D
Explanation:

QUESTION NO: 43
You are employed as the network administrator at ABC.com. ABC.com has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and all client computers
run either Microsoft Windows Vista or Microsoft Windows XP Professional SP2. The ABC.com
network has three domain controllers named ABC-DC01, ABC-DC02 and ABC-DC03.
How would you use ABC-DC01 to locate an error message on all domain controllers related to
replication?
A. By using the Event Viewer Directory Service log.
B. By using Active Directory Sites and Services administrative tool.
C. By using the Computer Management tool.
D. By checking the Event Viewer System log.
Answer: A
Explanation: The Directory Service event log will hold all error messages as well as information
linked to replication. These details are helpful when troubleshooting replication problems.

QUESTION NO: 44
You are a newly appointed enterprise administrator at ABC.com. ABC.com has a forest with a
domain named ABC.com. ABC.com has its headquarters in Chicago and a Marketing division in
Boston. The ABC.com network contains only Windows Server 2003 domain controllers that are all
located in the Chicago office. You need to install a Windows Server 2008 Read-Only Domain
Controller (RODC) named ABC-DC04 in the Boston office.
How would you accomplish this task?
A. By upgrading ABC-DC01 to Windows Server 2008 and executing the adprep /rodcprep
command.
B. By raising the forest functional level to at least Windows Server 2003.
C. By raising the domain functional level to Windows Server 2008.
D. By executing the adprep /forestprep command on ABC-DC04.
Answer: A
Explanation:

QUESTION NO: 45
You are employed as an enterprise administrator at ABC.com. The ABC.com has a domain
named ABC.com. All servers on the domain run Microsoft Windows Server 2008 and all client
computers run Microsoft Windows Vista. The ABC.com network has a computer named ABC-DC07 which runs Network Monitor 3.0. ABC-DC07 has the IP address 192.168.12.4 and the MAC
address 00-15-F2-CD-2A-43. ABC.com has recently configured the capturing of DHCP server-related traffic by selecting P-mode in Network Monitor 3.0.
ABC.com users complain that they cannot access a file server named ABC-SR12. You run the
ipconfig /all command on ABC-SR12 and receive the output shown in the exhibit:

How would you capture DHCP related traffic between ABC-DC07 and ABC-SR12?
A. By using the IPv4 address == 169.254.1.140 && DHCP to build a filter in Network Monitor.
B. By using the MAC Address == 0x0B042D854AF3 && DHCP to build a filter in Network Monitor.
C. By using the MAC Address == 0x0015F2CD2A43 && DHCP to build a filter in Network Monitor.
D. By using the IPv4.Address == 192.168.12.4 && DHCP to build a filter in Network Monitor.
Answer: D
Explanation: To build a filter in the Network application to capture the DHCP traffic between ABC-DC07 and ABC-WS648, you need to use IPv4.Address == 192.168.12.4 && DHCP.
To define a filter, you need to specify IPv4, period, SourceAddress then
the equal mark (twice) and the IP address (source). In order to fine tune a specific filter, you can
combine several conditions in a specific filter using the AND (&&) and OR (||)
logical operators. In this question you need to find the traffic originating from 192.168.15.84 that is
DHCP related. Therefore you would use 192.168.12.4 && DHCP.
Reference: A Guide to Network Monitor 3.1 / Building a complex filter (or defining several
conditions)
http://blogs.microsoft.co.il/blogs/erikr/archive/2007/08/29/A-Guide-to-Network-Monitor-3.1.aspx

QUESTION NO: 46
You are the newly appointed enterprise administrator at ABC.com. ABC.com has a domain named
ABC.com. All servers on the ABC.com network run Windows Server 2008 and the client
computers run either Microsoft Windows XP Professional SP2 or Microsoft Windows Vista. The
ABC.com network has a domain controller named ABC-DC04. The I/O times to read data from
ABC-DC04 have become slower. You suspect that this is a result of fragmentation of the hard
disk. As ABC-DC04 is a domain controller, you decide to defragment the Active Directory
database file by taking it offline.
How would you complete the task?
A. By starting ABC-DC04 in the Directory Services restore mode and running the defrag utility.
B. By starting ABC-DC04 in the Directory Services restore mode and running the Ntdsutil utility.
C. By stopping the Domain controller service in the Services MMC and running the Ntdsutil utility.
D. By stopping the Domain controller service in the Services MMC and running the Defrag utility.
Answer: C
Explanation: You need to stop the Domain Controller service in the Microsoft Management
Console (MMC) and then run the Ntdsutil tool. With this you can do offline defragmentation of the
Active Directory database on ABC-DC04. Furthermore, the other mission critical services can
continue running. You can use the restart feature of AD DS to stop AD DS so that you can perform
the defragmentation of Active Directory objects.
Reference: Superior Identity Management Features in Windows Server 2008 Enterprise and
Windows Server 2008 Datacenter / Directory Services: Active Directory Domain Services
http://download.microsoft.com/download/8/2/f/82fa3808-7168-46f1-a07bf1a7c9cb4e85/WS08%20Identity%20Management%20Features%20White%20Paper_FINAL.doc

QUESTION NO: 47
You are the network administrator for your company. Your company decides to upgrade the
existing Windows Server 2003 computers to Windows Server 2008. You perform a pilot upgrade
on one of the Windows Server 2003 computers.
Immediately after the successful upgrade, you restart the server, and open the Reliability
Monitor console to view system stability information. However, the Reliability Monitor does not
display any data in the System Stability Chart.
What could be the cause for this problem?
A. You have not used valid administrative credentials to log on to the server.
B. You have not created a Data Collector Set.
C. Running the Reliability Monitor for the first time on a new server does not display any data.
D. The server must be running at least 24 hours after installation and restart.
Answer: D
Explanation:

QUESTION NO: 48
You are the network administrator for your company. The company network runs on Windows
Server 2008. All the client computers run Windows Vista.
You have a branch office and a main office. You need to monitor all the frames that pass over the
network to a local buffer, regardless of the destination address.
What should you do?
A. Use a capture buffer
B. Use display filters
C. Use promiscuous mode
D. Use capture triggers
Answer: C
Explanation:

QUESTION NO: 49
You administer your company's network. The network consists of a single Active Directory
domain. All servers run Windows Server 2008, and all client computers run Windows Vista. The
company's written security policy stipulates that employees must use certificates for remote
access and secure e-mail. Only designated administrators are authorized to approve users'
requests for certificates, issue certificates, and revoke certificates.
You install Certificate Services on several servers and configure them as enterprise certification
authorities (CAs).
You must assign the appropriate privileges to the designated administrators in accordance with
the company policy.
Which of the following should you do?
A. Issue an Enrollment Agent certificate to each designated administrator.
B. Assign the designated administrators to the Certificate Manager role on each CA.
C. Assign the Allow - Enroll permission for each certificate template to the designated
administrators.
D. Assign the Allow - Write permission for each CA to the designated administrators.
Answer: B
Explanation:

QUESTION NO: 50
You are the network administrator for your company. You have recently installed Windows Server
2008 for your company. You want to create a test network of five subnets that will use IPv6. You
have to create the network in such a way that the client computers on the test network are able to
communicate with each other while ensuring that they cannot access the Internet. In addition, the
addresses used should be unique across all sites within your company.
Which IP address could you use?
A. 0:0:0:0:0:0:0:0
B. FE80:AB10:2B5C:B000::/64
C. FD00:AB10:2B5C:B000::/8
D. FEC0:AB10:2B5C:B000::/10
Answer: C
Explanation:

QUESTION NO: 51
Your network consists of a single Active Directory domain in which all servers run Windows Server
2008. You are planning a secure remote access infrastructure that includes three servers:
WINNPS: Network Policy Server
HEALTH01: System Health Validation Server, Remediation Server
VPN01: VPN Server
You need to ensure that VPN client computers are screened by network health policies.
What action should you perform to complete the configuration?
Select the best answer.
A. Configure VPN01 as a System Health Validator.
B. Configure VPN01 as a RADIUS server.
C. Configure VPN01 as a RADIUS client of WINNPS.
D. Configure VPN01 as a RADIUS client of HEALTH01.
Answer: C
Explanation:

QUESTION NO: 52
Your organization consists of an IP internetwork that is routed by a multihomed Windows Server
2008 member server that is configured with the RRAS server role. You need to configure a
persistent default route on the server from the command prompt that sends all default traffic out of
the interface with IP address 192.168.1.1. What action should you perform?
Select the best answer.
A. Issue the command route print 192.168.1.0 on the server.
B. Issue the command route -persistent 192.168.1.0 on the server.
C. Issue the command route -p add 0.0.0.0 mask 0.0.0.0 192.168.1.1 on the server.
D. Issue the command route -p add 255.255.255.255 mask 255.255.255.255 192.168.1.1 on the
server.
Answer: C
Explanation:

QUESTION NO: 53
Your organization is planning to migrate from an IPv4 infrastructure to an IPv6 infrastructure. Your
manager is concerned about how IPv6 packets can be routed over the public Internet, especially
to destinations that still use IPv4. What actions should you perform?
Choose TWO. (Each correct answer represents an independent solution.)
A. Deploy the Teredo transition technology in your network.
B. Deploy NAT in your network.
C. Deploy 6to4 technology in your network.
D. Deploy NPS in your network.
Answer: A,C
Explanation:

QUESTION NO: 54
Henry is the systems administrator for his company. The company has a total of 20 servers
running Windows Server 2008 Enterprise and 100 workstations running Windows Vista. Although
every machine on the network is running antivirus software, one of the users inadvertently
downloaded a Trojan virus which spread through the network to one of the servers. After removing
both the server and the workstation from the network, Henry runs a removal tool and is able to
completely remove the virus from both machines. Now, when either machine is booted up, both of
them have the Task Manager option disabled from the Ctrl+Alt+Del screen. When Henry tries to
run the Task Manager from Windows Explorer, it says that the Task Manager has been disabled
by the administrator. How can Henry re-enable the Task Manager for the server and the
workstation?
Select the best answer.
A. Henry must open the Local Computer Policy first from the command line. He then needs to go
to Computer Configuration, Administrative Templates, System, Ctrl+Alt+Del Options and disable
the setting that states "Remove Task Manager".
B. Henry must open the Local Computer Policy first from the command line. He then needs to go
to User Configuration, Windows Settings, System, Ctrl+Alt+Del and enable the setting that states
"Enable Task Manager".
C. To re-enable the Task Manager, Henry must open the Local Computer Policy from the
command line. Then, he needs to navigate to User Configuration, Administrative Templates,
System, Ctrl+Alt+Del Options and disable the "Remove Task Manager" setting.
D. Henry must re-apply the latest service packs for both Windows Server 2008 and Windows
Vista for the Task Manager to be enabled.
Answer: C
Explanation:

QUESTION NO: 55
Your organization's single Active Directory domain consists of a mixed IPv4/IPv6 environment. All
servers run Windows Server 2008, and all client workstations run Windows Vista. You need to
ping a file server named FS01.BIRDCO.LAN that uses an IPv6 address. What actions should you
perform?
Choose TWO. (Each correct answer represents an independent solution.)
A. Ping the site-local address of the server.
B. Ping the link-local address of the server.
C. Issue the command ping -426 fs01.birdco.com from your administrative workstation.
D. Issue the command ping -6 fs01.birdco.lan from your administrative workstation.
Answer: B,D
Explanation:

QUESTION NO: 56
You are the network administrator for your company, a large financial institution in Memphis. You
are getting ready to purchase three new servers that will be used to carry out financial audits at
different banking locations. These servers will be placed in a large enclosed case with casters and
wheeled into the different locations to perform the audits. When you get the servers, you will install
Windows Server 2008 Enterprise on all of them. You thought about installing Core Server because
of its inherent security, but you decided against it since it would be more difficult to work on the
servers without a Windows interface. Since the servers will store sensitive information and will be
mobile, you have decided to install BitLocker on all the servers for added security and protection
when they are purchased. You really like the BitLocker feature that prevents stolen hard drives
from being used in other computers in order to steal data. What hardware feature must the servers
come with so that they can implement the BitLocker technology which prevents hard drives from
being used in other computers?
Select the best answer.
A. The servers must have Ultra Wide SCSI-3 support on their backplanes. This will ensure that
BitLocker can communicate between the firmware and the MBR on the first hard drive of the
server.
B. In order for the BitLocker software to check that the hard drives have not been tampered with
or switched out, the servers must have DDR RAM installed. DDR RAM is necessary to keep up
with the speed at which the firmware talks to the hard drives on boot.
C. An EPROM version 2.9 or later chip must be installed on the server motherboards. The chip
stores the OTP passwords used by BitLocker to verify firmware and hardware.
D. You must make sure that the new servers have a TPM version 1.2 or higher chip installed on
the motherboards. This chip checks to make sure that the drive(s) have not been tampered with
while the system is offline.
Answer: D
Explanation:

QUESTION NO: 57
Your organization consists of a single Active Directory domain named Birdco.com in which all
servers run Windows Server 2008. Three of these servers, WSUS01, WSUS02 and WSUS03, are
configured with Windows Server Update Services (WSUS). You need to configure WSUS such
that all computer groups and approvals are configured at WSUS01 and updates are copied to
WSUS02 and WSUS03. What action should you perform?
Select the best answer.
A. Configure WSUS02 and WSUS03 as upstream servers of WSUS01.
B. Configure WSUS02 and WSUS03 as downstream servers of WSUS01.
C. Configure WSUS02 and WSUS03 as replicas of WSUS01.
D. Configure WSUS01 as a disconnected server.
Answer: B
Explanation:

QUESTION NO: 58
Justin is the systems administrator for the University of Southwest Oklahoma. The university's
network is a Windows Server 2008 Active Directory network. All network users are using Microsoft
Exchange 2007. Because of the sensitive information that users send back and forth in email,
many Exchange users are utilizing S/MIME to encrypt their email. To accommodate S/MIME,
Justin has installed an Active Directory Certificate Server. The only problem is that there are many
satellite schools associated with the university that need to use S/MIME as well. Instead of
installing Certificate Authorities at all the satellite schools, Justin has decided to deploy online
responders so clients can check certificate status through HTTP. Periodically, Justin checks the
IIS servers that are working as Online Responders to ensure that they are working properly. From
the servers' log files, Justin can see that most of them are responding with cached answers since
they are receiving so many requests. He can also see that requests are answered very quickly
within a 120 second interval; then requests take longer to answer. Justin knows that the online
responders use ISAPI extension caching, but not in this manner.
What mechanism is caching responses for 120 seconds in order to answer requests quicker?
Select the best answer.
A. Network Load Balancing is being used by the online responders to route requests and cache
responses to provide answers quicker.
B. The IIS HTTP.SYS library is what is being used to cache responses for 120 seconds. The
library file helps to cache responses in addition to the OCSP ISAPI extension caching.
C. The CACHING.XML file, which is installed by default with IIS, handles client requests quickly
by caching responses for up to 120 seconds at a time.
D. The CACHING.SYS library file built into IIS is being used to cache responses for 120 seconds
to respond to requests.
Answer: B
Explanation:

QUESTION NO: 59
You deploy a Windows Server 2008 public key infrastructure (PKI) and Network Access Protection
(NAP) on your domain. You discover that NAP policies are not affecting wireless clients. You need
to ensure that all wireless clients are properly screened by health policy upon their initial
association with a wireless access point. What actions should you perform?
Choose TWO. (Each choice represents a part of a single solution.)
A. Verify that wireless client network connections are configured for 802.1X authentication.
B. Verify that wireless client network connections are configured to use a DHCP server.
C. Verify that DHCP enforcement is configured on your Windows Server 2008 network policy
server.
D. Verify that 802.1X enforcement is configured on your Windows Server 2008 network policy
server.
Answer: A,D
Explanation:

QUESTION NO: 60
Your company has recently increased in size, after acquiring another company twice the size. You
have been given the task to set up a cluster in the main datacenter. You have been given the
scope of the project and decided that the cluster will have to consist of eight nodes for high
availability. Which editions of Windows Server 2008 will not be suitable for the eight nodes in the
cluster?
(Choose all that apply.)
A. Windows Server 2008 Standard Edition
B. Windows Server 2008 Enterprise Edition
C. Windows Server 2008 Datacenter Edition
D. Windows Web Server 2008
Answer: A,D
Explanation:

QUESTION NO: 61
You have been asked to install the first Windows Server 2008 server in the domain. This server
will be for testing purposes, so you will use older hardware with minimum hardware requirements
for Windows Server 2008. You have decided to install a 32-bit edition of Server 2008 Standard
Edition. What is the minimum amount of disk space required to install the Standard Edition of
Server 2008?
A. 8 GB
B. 10 GB
C. 12 GB
D. 40 GB
Answer: B
Explanation:

QUESTION NO: 62
You have recently been transferred to the DNS team at a large multinational company, and are
working feverishly to learn about DNS. Lately you've been working on the difference between client-to-server and server-to-server queries. Which of the following are true? (Select all that apply).
A. Client-to-server queries are all-or-nothing requests.
B. Client-to-server queries are also known as recursive queries.
C. Server-to-server queries ask for FQDN resolution.
D. Server-to-server queries ask for as much information as can be provided about the FQDN.
Answer: A,C,D
Explanation:

QUESTION NO: 63
You are the DNS administrator for a mid-sized organization. As part of the upgrade process, you
put in a request to transition all DNS services to AD integrated zones. When your manager asks
about the key features involved, what do you tell her? (Select all that apply).
A. You tell her that AD integrated zones are stored in Active Directory.
B. You tell her that all zone records are stored as AD objects and have object level security.
C. You tell her that it enables secure dynamic updates.
D. You tell her that replication is much more efficient and secure.
Answer: A,B,C,D
Explanation:

QUESTION NO: 64
The Web development team has requested that you implement a new Web server in a DMZ that
will be used for presenting Web sites to customers. Which of the following is NOT a reason for
using Windows Server 2008 Core Server?
A. A Core installation does not require a Windows Server 2008 license.
B. A Core installation does not provide GUIs, which limits console access.
C. Core Server installs fewer services than a full installation of Windows Server 2008.
D. Core Server uses fewer resources than a full installation of Windows Server 2008.
Answer: A
Explanation:

QUESTION NO: 65
You have a Windows Server 2003 R2 domain currently running in your organization. You would
like to install a read-only domain controller into your Directory Services structure, but you do not
want to completely upgrade your domain to Windows Server 2008 Directory Services just yet.
What do you need to do in order to add an RODC?
A. Change the domain functional level to Windows Server 2008 mixed mode.
B. Change the forest functional level to Windows Server 2008 mixed mode.
C. Run adprep on a Windows Server 2003 R2 domain controller.
D. An RODC cannot be added until the entire domain is a Windows Server 2008 Directory
Services domain.
Answer: C
Explanation:

QUESTION NO: 66
You are engaged in an exercise that is meant to demonstrate the Public-Key Cryptography
Standards (PKCS) used in modern encryption. You arrive at a portion of the exercise which
outlines the encryption of data using the RSA algorithm. Which of the following PKCS does this
exercise address?
A. PKCS #5
B. PKCS #1
C. PKCS #8
D. PKCS #9
Answer: B
Explanation:

QUESTION NO: 67
You are the administrator of your company's Windows Server 2008-based network and are
attempting to enroll a smart card and configure it at an enrollment station. Which of the following
certificates must be requested in order to accomplish this action?
A. A machine certificate.
B. An application certificate.
C. A user certificate.
D. All of the above
Answer: C
Explanation:

QUESTION NO: 68
You are the domain administrator for your company. Your network consists of multiple DCs at
multiple sites. A DC at your local site is having problems with replicating. You need to know when
this DC last attempted to perform an inbound replication on the Active Directory partitions. How
would you accomplish this?
A. Open a command prompt on the DC and run ntdsutil
B. Open a command prompt on the DC and run repadmin /replicate
C. Open a command prompt on the DC and run repadmin /rodcpwdrepl
D. Open a command prompt on the DC and run repadmin /showrepl
Answer: D
Explanation:

QUESTION NO: 69
You are the domain administrator for your company. At your site you have a single DC that also
acts as an application server. From 10:00 a.m. to 4:00 p.m., users complain about slow logons to
the network and that accessing resources from this DC is incredibly slow during most of the
workday. You log on to the DC, pull up the Task Manager, and notice that a process called
CustApp.exe is using just more than 90% of the CPU cycles. The application must remain running
during the day, but you also need to resolve the slow logon issues.
There is no money in the budget for additional hardware. What is the best way to handle this
situation?
A. Go into the Windows System Resource Manager on the DC, and create a new recurring
calendar event to start at 8:00 a.m. and end at 5:00 p.m. daily. Associate the event with the
Equal_Per_Process policy.
B. Go into the Task Manager and into the Processes tab. Find CustApp.exe and set the priority to
Below Normal.
C. Go into the Task Manager and into the Process tab. Find CustApp.exe and end the process.
D. Purchase a second server to run only the CustApp.exe application
Answer: A
Explanation:

QUESTION NO: 70
The CIO has asked you to configure a GPO that will ensure that antivirus software is installed on
every computer in the company. You are the most senior administrator in the company and have
full access to every computer, and to Active Directory. Your company has a single domain and
site. Which one of the following actions do you take?
A. You configure a GPO at the domain level, and publish the application to all computers.
B. You configure a GPO at the site level, and assign the application to all computers.
C. You create a GPO with the required settings and link it into all OUs that have computer
accounts in it. You set the options to assign the application to computers.
D. You tell him it cannot be done.
Answer: D
Explanation:

QUESTION NO: 71
You've just taken over the domain-level administration for a mid-size company. The previous
administrator did not use group policy software deployment. You have just configured and tested
your first published application to users. The application was designed to be used by all users in
the accounting department. You created the software distribution point and copied the installation
files over to it. You then created the GPO and linked it to the AcctgUsers OU, which contains all
user accounts for the department. When the users log on to their computers, the application is
visible in Control Panel | Add or Remove Programs, but when users attempt the installation it fails.
When you log on from a computer in accounting, you are able to access the installation files and
run them manually. Which one of the following is most likely the problem?
A. The application files are corrupt.
B. The permissions on the software distribution point are configured incorrectly.
C. The GPO is corrupt.
D. The GPO is linked to the wrong place within Active Directory.
Answer: B
Explanation:

QUESTION NO: 72
Your company, mycompany.com, is merging with the yourcompany.com company. The details of
the merger are not yet complete. You need to gain access to the resources in the
yourcompany.com company before the merger is completed. What type of trust relationship
should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
Answer: C
Explanation:

QUESTION NO: 73
You recently completed a merger with yourcompany.com. Corporate decisions have been made to
keep the integrity of both of the original companies; however, management has decided to
centralize the IT departments. You are now responsible for ensuring that users in both companies
have access to the resources in the other company. What type of trust should you create to solve
the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree root trust
Answer: A
Explanation:

QUESTION NO: 74
You need to set up a network in the lab for a training class. You want to isolate the lab network
from the rest of the corporate network so students don't inadvertently do something that takes the
entire network down. What IP addressing method would you use?
A. Private network addressing
B. Public network addressing
C. Network Address Translation
D. Subnet isolation through subnet mask
Answer: D
Explanation:

QUESTION NO: 75
You have a growing network that originally was configured using the private Class C address
space. However, you're now about to grow beyond the maximum number of devices and need to
expand, but you don't anticipate needing more than a total of 290 addresses. What action would
you take to solve this problem that would create the least disruption to your network?
A. Install a router. Create two new scopes on your DHCP Server and reassign IP addresses.
B. Change the default subnet mask to 255.255.252.0.
C. Change the IP addressing scheme from Class C to Class B.
D. Assign new computers on the network IP addresses from the existing address pool.
Answer: B
Explanation:

QUESTION NO: 76
You are asked by your employer to set up a LAN using Windows 2008 Server RRAS. Which of
these types of routing algorithms or protocols cannot be used to organize the signal flow between
the devices in the network, according to the supported Windows Server 2008 features?
A. RIP
B. RIP2
C. OSPF
D. None of the Above
Answer: C
Explanation:

QUESTION NO: 77
You are working with a server running the RRAS that is configured for the Windows authentication
provider. You have administered several policies from RRAS to the server. Which of the following
connection settings cannot be validated before authorization occurs by the policies you set up?
A. Advanced conditions such as access server identity, access client phone number, or MAC
address.
B. Remote access permission.
C. Whether user account dial-in properties are ignored.
D. None of the above.
Answer: D
Explanation:

QUESTION NO: 78
The NAP Health Policy Server is responsible for storing health requirement policies and provides
health state validation for the NAP Infrastructure. What Windows Server 2008 roles have to be
installed for the NAP Health Policy Server to be configured?
A. Active Directory Domain Role
B. NPS Server Role
C. NAP Server Role
D. DHCP Server Role
Answer: B
Explanation:

QUESTION NO: 79
You have decided to implement NAP into your existing network. During the design, you need to
make a decision as to how the Restricted Network will be secured from the Remediation Network.
Given the options below, which one(s) would work in this scenario?
A. Use IPsec with Health Certificates
B. Use a secondary switch to split the networks
C. Use IP packet filters
D. Use VLANs
Answer: A,C,D
Explanation:

QUESTION NO: 80
Yancey is the systems administrator for his company. The entire company's network consists of
one 2008 Active Directory domain, with 20 servers running Windows Server 2008, and 250
workstations running Windows Vista. Of the 20 servers, 4 of them hold the operations master
roles. SVR1 holds the schema master and domain naming master role. SVR2 holds the RID
master role. SVR3 holds the infrastructure master role. SVR4 holds the PDC emulator role. One of
Yancey's junior administrators is planning to take SVR2 down for maintenance over a two day
span. During that same time, another junior administrator is scheduled to add a number of user
accounts to the domain for recently hired employees. Yancey needs to make sure that the junior
administrator can add user accounts to the domain while SVR2 is down and also that user account
creation will be possible after SVR2 is brought back online. What does Yancey need to do to
accomplish this?
Choose TWO.
A. He needs to use Ntdsutil to connect to SVR1.
B. He needs to transfer the RID master role from SVR2 to SVR1.
C. He needs to seize the RID master role from SVR2.
D. He needs to use Ntdsutil to connect to SVR2.
Answer: A,B
Explanation:

QUESTION NO: 81
You are the network administrator for your company. The network contains a single Windows
2008 Active Directory domain. A Windows Server 2008 computer named Remote1 is a member
server with Routing and Remote Access installed. Remote1 allows both dial-up and virtual private
network (VPN) connections.
Smart cards are issued to all users who will access the network remotely. The smart cards will be
used for both dial-up and VPN connections. All users who will access the network remotely are
issued Windows 2000 Professional portable computers with smart card readers. The written
security policy for your company states that the users are required to use the smart cards only
when connecting to the network remotely. When connecting to the network locally, smart cards
should not be used.
You must implement a remote access solution that will enforce the written security policy.
What should you do?
A. In the Active Directory Users and Computers console, enable the Smart card is required for
interactive logon option for each user account that will access the network remotely.
B. Install a computer certificate on Remote1.
Configure the remote access policy on Remote1 to accept only EAP-TLS authentication.
Use the Remote1 computer certificate for authentication.
C. Install a computer certificate on Remote1.
Configure the remote access policy on Remote1 to accept only EAP-MD5 authentication.
Use the Remote1 computer certificate for authentication.
D. Install a computer certificate on each computer.
Configure the remote access policy on Remote1 to accept only EAP-TLS authentication.
Use the computer certificate for authentication.
E. Install a computer certificate on each computer.
Configure the remote access policy on Remote1 to accept only EAP-MD5 authentication.
Use the computer certificate for authentication.
Answer: B
Explanation:

QUESTION NO: 82
You are the systems administrator for your company. The network contains an Active Directory
Lightweight Directory Services (AD LDS) server that runs Windows Server 2008. The AD LDS
server provides directory services to various applications.
You are required to manage AD LDS directories. Which three tools can you use? (Each correct
answer presents a complete solution. Choose three.)
A. Dsamain.exe
B. Active Directory Sites and Services
C. LDP.exe
D. ADSI Edit
E. Active Directory Users and Computers
Answer: B,C,D
Explanation:

QUESTION NO: 83
You are the systems administrator for your company, a plastic container manufacturer and
distributor. The company's network consists of a single Active Directory forest. The network
contains an Internet Information Services (IIS) server that hosts a Web application that allows
users to purchase your company's products online.
Your company has a partner organization, a graphic design firm that designs your company's
products. The partner company has its own Active Directory forest. You are required to enable
users in the partner organization to access your Web application without being prompted for
secondary credentials.
Which Windows Server 2008 server role should you install in your network to provide Web-based
Single-Sign-On (SSO) capabilities to users in the partner organization?
A. Active Directory Rights Management Services (AD RMS)
B. Active Directory Federation Services (AD FS)
C. Active Directory Lightweight Directory Services (AD LDS)
D. Active Directory Directory Services (AD DS)
Answer: B
Explanation:

QUESTION NO: 84
You are the network administrator for your company. All servers on the company's network run
Windows Server 2008. You are required to install a Dynamic Host Configuration Protocol (DHCP)
server on the network to enable client computers on the network to obtain an IP address
automatically from the DHCP server.
You want to ensure that when you install the DHCP server, the server is automatically authorized.
What should you do?
A. Install the DHCP server on a server that is a member of the domain.
B. Install the DHCP server on a stand-alone server.
C. Install the DHCP server on the domain controller.
D. Install the DHCP server on a member server and the DHCP Relay Agent on the domain
controller.
Answer: C
Explanation:

QUESTION NO: 85
You are the systems administrator for your company. The company's network consists of a single
Active Directory domain. All domain controllers run Windows Server 2008, and all client computers
run Windows Vista. You have a public key infrastructure that has a subordinate enterprise
Certification Authority (CA), which issues certificates on behalf of the root CA.
You have a certificate template that allows users to autoenroll, and a group policy object that
distributes the certificates to users. All users are able to automatically obtain certificates. You now
want routers and other network devices to be able to obtain certificates from the CA.
What should you do?
A. Assign the routers and network devices the Autoenroll permission in a certificate template.
B. Change the Publish Delta CRL to 1 hour so expired certificates for routers and network devices
are published in Active Directory.
C. Install the Online Certificate Status Protocol (OCSP) role service for AD CS.
D. Install the Microsoft Simple Certificate Enrollment Protocol (MSCEP) role service for AD CS.
Answer: D
Explanation: