Extra: PassLeader have been updated the 70-647 brain dumps with the newest exam questions. We provide the latest 70-647 PDF and VCE files with Free New Version VCE Player for free download to ensure your exam pass. Welcome to visit our website — passleader.com and get the 100 percent pass ensure 70-647 study materials!
Vendor: Microsoft
Exam Code: 70-647
Exam Name: Pro: Windows Server 2008, Enterprise Administrator
QUESTION 1
Your network consists of one Active directory domain. The functional level of the domain is Windows Server 2008 R2. Your company has three departments named Sales, Marketing, and Engineering. All users in the domain are in an organizational unit (OU) named AllUsers. You have three custom applications. You deploy all custom applications by using a Group Policy object (GPO) named Applnstall. The Sales department purchases a new application that is only licensed for use by the Sales department. You need to recommend a solution to simplify the distribution of the new application. The solution must meet the following requirements:
– The application must only be distributed to licensed users.
– The amount of administrative effort required to manage the users must remain unaffected.
– The three custom applications must be distributed to all existing and new users on the network.
What should you recommend?
A. Create a new child domain for each department and link the AppInstall GPO to each child domain. Create a new GPO. Link the new GPO to the Sales domain.
B. Create a new child OU for each department. Link the AppInstall GPO to the Marketing OU and the Engineering OU. Create a new GPO. Link the new GPO to the Sales OU.
C. Create a new group for each department and filter the AppInstall GPO to each group. Create a new GPO. Link the new GPO to the domain. Filter the new GPO to the Sales group.
D. Create a new group for each department. Filter the AppInstall GPO to the Marketing group and the Engineering group. Create a new GPO. Link the new GPO to the domain. Filter the new GPO to the Sales group.
Answer: C
Explanation:
To ensure that the other applications are distributed to all existing and new users on the network, you need to create a new group for each department and filter the InstallApp GPO to each group. Filtering allows you to target only specific computers or users. You can create and modify multiple preference items within each GPO, and you can filter each preference item to target only specific computers or users. Finally to simplify the distribution of the licensed application to the users of the sales department, you need to create and link a new GPO to the domain and filter the new GPO to the Sales group. You should not filter the InstallApp GPO to the Marketing group and the Development groups only because all the other applications beside the licensed application need to be installed to the Sales department also.
Reference: Group Policy/ Preferences.
http://technet2.microsoft.com/windowsserver2008/en/library/3b4568bc-9d3c-4477-807d-2ea149ff06491033.mspx?mfr=true
QUESTION 2
Your network contains servers that run Windows Server 2008 R2 and client computers that run Windows 7. All network routers support IPsec connections. Client computers and servers use IPsec to connect through network routers. You have two servers named Server1 and Server2. Server1 has Active Directory Certificate Services (AD CS) installed and is configured as a certification authority (CA). Server2 runs Internet Information Services (IIS). You need to recommend a certificate solution for the network routers. The solution must meet the following requirements:
– Use the Simple Certificate Enrollment Protocol (SCEP).
– Enable the routers to automatically request certificates.
What should you recommend implementing?
A. certification authority Web enrollment services on Server2
B. Network Device Enrollment Service on Server2
C. Online Responder service on Server1
D. subordinate CA on Server1
Answer: B
Explanation:
To recommend a certificate solution for the network routers that would enable the routers to automatically request certificates and that would use Simple Certificate Enrollment Protocol (SCEP), you need to implement Network Device Enrollment Service on Server2. The Network Device Enrollment Service allows routers and other network devices to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP) from Microsoft Systems Inc.
Reference: Windows Server Active Directory Certificate Services Step-by-Step Guide/ AD CS Technology Review.
http://technet2.microsoft.com/windowsserver2008/en/library/f7dfccc0-4f65-4d6f-a801-ae6a87fd174c1033.mspx?mfr=true
QUESTION 3
Your network consists of one Active Directory domain. Your company uses a firewall to connect to the Internet. Inbound TCP/IP port 443 is allowed on the firewall. You have terminal servers on the internal network. You have one server on the internal network that has Terminal Services Gateway (TS Gateway) deployed. All servers run Windows Server 2008. You need to recommend a solution that enables remote users to access network resources by using TS Gateway. What should you recommend?
A. Change the firewall rules to permit traffic through port 3389 from the Internet.
B. Install the Terminal Services server role with the Terminal Services Web Access (TS Web Access) services role.
C. Install the Terminal Services server role with the Terminal Services Session Broker (TS Session Broker) services role.
D. Create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP).
Answer: D
Explanation:
To implement a solution that enables remote users to access network resources by using TS Gateway, you need to create a Terminal Services connection authorization policy (TS CAP) and a Terminal Services resource authorization policy (TS RAP). TS CAPs allow you to specify who can connect to a TS Gateway server. Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a Terminal Services resource authorization policy (TS RAP). A TS RAP allows you to specify the internal network resources that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to internal network resources through this TS Gateway server.
Reference: Terminal Services Gateway (TS Gateway) / Why are TS CAPs important?
http://technet2.microsoft.com/windowsserver2008/en/library/9da3742f-699d-4476-b050-c50aa14aaf081033.mspx?mfr=true
QUESTION 4
Your network consists of one Active Directory forest that contains one root domain and 22 child domains. All domain controllers run Windows Server 2003. All domain controllers run the DNS Server service and host Active Directory-integrated zones. Administrators report that it takes more than one hour to restart the DNS servers. You need to reduce the time it takes to restart the DNS servers. What should you do?
A. Upgrade all domain controllers to Windows Server 2008.
B. Upgrade all domain controllers in the root domain to Windows Server 2008, and then set the functional level for the root domain to Windows Server 2008.
C. Deploy new secondary zones on additional servers in each child domain.
D. Change the Active Directory-integrated DNS zones to standard primary zones.
Answer: A
Explanation:
Sometime DNS server can take an hour or more in companies that have extremely large zones and the DNS data of the company is stored in AD DS. The result is that the DNS server is effectively unavailable to service client requests for the entire time that it takes to load AD DS-based zones. The problem can be solved by upgrading the domain controllers to Windows Server 2008. This is because a DNS server running Windows Server 2008 now loads zone data from AD DS in the background while it restarts so that it can respond to requests for data from other zones.
Reference: DNS Server Role/ Background zone loading.
http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true
QUESTION 5
Your network consists of one Active Directory domain. All domain controllers run Windows Server 2008. You have file servers that run Windows Server 2008. Client computers run Windows Vista and UNIX-based operating systems. All users have both Active Directory user accounts and UNIX realm user accounts. Both environments follow identical user naming conventions. You need to provide the UNIX-based client computers access to the file servers. The solution must meet the following requirements:
– Users must only log on once to access all resources.
– No additional client software must be installed on UNIX-based client computers.
What should you do?
A. Create a realm trust so that the Active Directory domain trusts the UNIX realm.
B. Install an Active Directory Federation Services (AD FS) server that runs Windows Server 2008 R2
C. Enable the subsystem for UNIX-based applications on the file servers. Enable a Network File System (NFS) component on the client computers.
D. Enable the User Name Mapping component and configure simple mapping. Enable a Network File System (NFS) component on the servers.
Answer: D
Explanation:
To provide the UNIX-based client computers access to the file servers, you need to enable the User Name Mapping component and configure simple mapping and also enable a Network File System (NFS) component on the servers. User Name Mapping (UNM) bridges the gap between the different user identification used in Windows and UNIX worlds. When UNM is used it in conjunction with Server for NFS, UNM authenticates the incoming NFS access requests. With Client for NFS, it determines the effective UID and GID to be sent with the NFS requests to UNIX NFS servers.
Reference: Configuring User Name Mapping – Part 2 (Simple Mapping).
http://blogs.msdn.com/sfu/archive/2007/10/02/configuring-user-name-mapping-part-2-simple-mapping.aspx
QUESTION 6
Your Company has a main office and 10 branch offices. The network consists of one Active Directory domain. All domain controllers run Windows Server 2008 R2 and are located in the main office. Each branch office contains one member server. Branch office administrators in each branch office are assigned the necessary rights to administer only their member servers. You deploy one read-only domain controller (RODC) in each branch office. You need to recommend a security solution for the branch office Windows Server 2008 R2 domain controllers. The solution must meet the following requirements:
– Branch office administrators must be granted rights on their local domain controller only.
– Branch office administrators must be able to administer the domain controller in their branch office. This includes changing device drivers and running Windows updates.
What should you recommend?
A. Add each branch office administrator to the Administrators group of the domain.
B. Add each branch office administrator to the local Administrators group of their respective domain controller.
C. Grant each branch office administrator Full Control permission on their domain controller computer object in Active Directory.
D. Move each branch office domain controller computer object to a new organizational unit (OU). Grant each local administrator Full Control permission on the new OU.
Answer: B
Explanation:
To allow branch office administrators to manage their local domain controller only, change device drivers, and run Windows updates, you need to add each branch office administrator to the local Administrators group of their respective domain controller. The users of Local administrator group have administrative rights on their local domain controllers to manage several machines to perform all necessary administrative tasks but they have restricted rights as compared to domain administrators.
Reference: Adding a group to the local administrators group.
http://blogcastrepository.com/blogs/kim_oppalfenss_systems_management_ideas/archive/2007/04/23/adding-a-group-to-the-local-administrators-group.aspx
QUESTION 7
Your network consists of one Active Directory domain. The functional level of the forest is Windows Server 2003. All domain controllers run Windows Server 2003. The relevant portion of the network is configured as shown in the exhibit. (Click the Exhibit button.)
The Bridge all site links option is enabled. You need to ensure that domain controllers in the spoke sites can replicate with domain controllers in only the hub sites. The solution must ensure that domain controllers can replicate if a server fails in one of the hub sites. What should you do?
A. Lower the site link costs between the spoke sites and the hub sites.
B. Disable the Bridge all site links option. Create site link bridges that include the site links between each spoke site and the hub sites.
C. Disable the Bridge all site links option. Install a writable domain controller that runs Windows Server 2008 in each hub site.
D. Enable the global catalog server attribute for all domain controllers in the hub sites. Upgrade all domain controllers in the spoke sites to Windows Server 2008.
Answer: B
Explanation:
By default, all site links are bridged so that all the sites that are not connected by an explicit site link can communicate directly, through a chain of intermediary site links and sites. However, if you want to ensure that domain controllers in the spoke sites do not replicate with other spoke sites when a server fails in one of the hub sites, you need to disable the Bridge all site links option. You need to then create site link bridges to create the site links between each spoke site and the hub sites to ensure that domain controllers in the spoke sites can replicate with domain controllers in the hub sites.
Reference: Configuring site link bridges.
http://technet2.microsoft.com/windowsserver/en/library/b42bb443-c5cd-4539-8dfa-917dbddb087a1033.mspx?mfr=true
http://www.passleader.com/70-647.html
QUESTION 8
Your company has 5,000 users. The network contains servers that run Windows Server 2008. You need to recommend a collaboration solution for the users to meet the following requirements: Support tracking of document version history. Enable shared access to documents created in Microsoft Office. Enable shared access to documents created by using Web pages. The solution must be achieved without requiring any additional costs. What should you recommend?
A. Install servers that run the Web Server role.
B. Install servers that run the Application Server role.
C. Install servers that run Microsoft Windows SharePoint Services (WSS) 3.0.
D. Install servers that run Microsoft Office SharePoint Server (MOSS) 2007.
Answer: C
Explanation:
To achieve the desired results without requiring any additional cost, you need to use Microsoft Windows SharePoint Services (WSS) 3.0.
Reference: Microsoft Windows SharePoint Services 3.0 and the Mobile Workplace.
http://download.microsoft.com/download/b/b/6/bb6672dd-252c-4a21-89de-78cfc8e0b69e/WSS%20Mobile%20Workplace.doc
QUESTION 9
Your Company has 10 offices. Each office has 10 domain controllers that run Windows Server 2008. The network consists of one Active directory domain. Each office has a local administrator. You use domain-level Group Policy objects (GPO). Office administrators have the necessary permissions to create and link domain-level Group Policy objects. You create custom Administrative Template (.admx) files locally on a computer that runs Windows Vista. You need to implement a GPO management strategy to ensure that the administrators can access the .admx files and any future updates to the .admx files from each office. The solution must ensure that .admx files remain identical across the company. What should you do?
A. In the domain, create a central store. Copy the custom .admx files to the central store.
B. In each office, create a central store on a file server. Copy the custom .admx files to the central store.
C. Create a GPO and link it to the domain. Add the .admx files to the GPO.
D. Create a GPO and link it to the Domain Controllers organizational unit (OU). Add the custom .admx files to the GPO.
Answer: A
Explanation:
To implement a GPO management strategy to ensure that the administrators can access the .admx files and any future updates to these files from each office and to ensure that the .admx files remain identical across the company, you need to create a central store in the domain and copy the custom .admx files to the central store. The central store for ADMX files allows all local administrators to edit domain-based GPOs to access the same set of ADMX files. When a central store is created, the Group Policy tools will use the ADMX files only in the central store, ignoring the locally stored versions. You need to copy the custom .admx files to the central store and not add them because there need to be only one ADMX file and not multiple versions of the same file in the central store.
Reference: Scenario 2: Editing Domain-Based GPOs Using ADMX Files.
http://technet2.microsoft.com/WindowsVista/en/library/1494d791-72e1-484b-a67a-22f66fbf9d171033.mspx?mfr=true
QUESTION 10
Your network consists of one Active Directory domain. The network contains one Active Directory site. All domain controllers run Windows Server 2008. You create a second Active Directory site and plan to install a domain controller that runs Windows Server 2008 in the new site. You also plan to deploy a new firewall to connect the two sites. You need to enable the domain controllers to replicate between the two sites. Which traffic should you permit through the firewall?
A. LDAP
B. NetBIOS
C. RPC
D. SMTP
Answer: C
Explanation:
You should permit RPC traffic through the firewall to enable the domain controllers to replicate between the two sites because the Active Directory relies on remote procedure call (RPC) for replication between domain controllers. You can open the firewall wide to permit RPC’s native dynamic behavior.
Reference: Active Directory Replication over Firewalls.
http://technet.microsoft.com/en-us/library/bb727063.aspx
QUESTION 11
Your network consists of one Active Directory domain. All domain controllers run Windows Server 2008. You need to prepare the environment to provide a high-availability solution for a back-end Microsoft SQL Server 2005 data store. What should you do?
A. Install a Windows Server 2003 Network Load Balancing cluster.
B. Install a Windows Server 2008 Network Load Balancing cluster.
C. Install a Windows Server 2008 failover cluster that has shared storage.
D. Install a Windows Server 2008 failover cluster that has direct attached storage.
Answer: C
Explanation:
To ensure the high availability of the data store, you need to use Windows Server 2008 failover cluster having a shared storage. Failover clustering can help you build redundancy into your network and eliminate single points of failure. Administrators have better control and can achieve better performance with storage than was possible in previous releases. Failover clusters now support GUID partition table (GPT) disks that can have capacities of larger than 2 terabytes, for increased disk size and robustness. Administrators can now modify resource dependencies while resources are online, which means they can make an additional disk available without interrupting access to the application that will use it. And administrators can run tools in Maintenance Mode to check, fix, back up, or restore disks more easily and with less disruption to the cluster. You should not use Network Load Balancing (NLB) because it only allows you to distribute TCP/IP requests to multiple systems in order to optimize resource utilization, decrease computing time, and ensure system availability.
Reference: High Availability.
http://www.microsoft.com/windowsserver2008/en/us/high-availability.aspx
QUESTION 12
Your company has one main office and 10 branch offices. The network consists of one Active Directory domain. All domain controllers run Windows Server 2008 and are located in the main office. You plan to deploy one Windows Server 2008 domain controller in each branch office. You need to recommend a security solution for the branch office domain controllers. The solution must prevent unauthorized users from copying the Active Directory database from a branch office domain controller by starting the server from an alternate startup disk. What should you recommend on each branch office domain controller?
A. Enable the secure server IPsec policy.
B. Enable the read-only domain controller (RODC) option.
C. Enable Windows BitLocker Drive Encryption (BitLocker).
D. Enable an Encrypting File System (EFS) encryption on the %Systemroot%\NTDS folder.
Answer: C
Explanation:
To configure domain controller of each branch office to ensure to no unauthorized user should be allowed to copy the Active Directory database from a branch office domain controller by starting the server from an alternate startup disk, you need to use Windows BitLocker Drive Encryption (BitLocker). BitLocker allows you to encrypt all data stored on the Windows operating system volume and use the security of using a Trusted Platform Module (TPM) that helps protect user data and to ensure that a computer running Windows Vista or Server 2008 have not been tampered with while the system was offline. In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. This process will ensure that all the users can access all files on the servers if they have the PIN. You cannot use an alternate startup disk to boot the disk.
Reference: BitLocker Drive Encryption Technical Overview.
http://technet2.microsoft.com/windowsserver2008/en/library/a2ba17e6-153b-4269-bc46-6866df4b253c1033.mspx?mfr=true
QUESTION 13
Your network contains servers that run Windows Server 2008. Microsoft Windows SharePoint Services (WSS) are available on the network. WSS is only accessible from the internal network. Several users use devices that run Windows Mobile 6.0. The users can establish only HTTP and HTTPS sessions from the Internet. You need to enable users to access WSS from the Internet by using their Windows Mobile devices. The solution must ensure that all connections from the Internet to WSS are encrypted. What should you do?
A. Install Microsoft Internet Security and Acceleration (ISA) Server 2006 and create a HTTPS publishing rule.
B. Install Microsoft Internet Security and Acceleration (ISA) Server 2006 and create a Secure RPC publishing rule.
C. Install the Network Policy and Access Services (NPAS) role and enable Secure Socket Tunneling (SSTP) connections. Configure WSS to require Kerberos authentication.
D. Install the Network Policy and Access Services (NPAS) role and enable Secure Socket Tunneling (SSTP) connections. Configure WSS to require IPsec encryption.
Answer: A
Explanation:
To ensure that mobile users are allowed to access WSS from the Internet by using their Windows Mobile devices securely and to ensure that all the connections from the Internet to WSS are encrypted, you need to use external Firewall solution by using Microsoft Internet Security and Acceleration ISA Server 2006 and create a HTTPS publishing rule on ISA Server. The Firewall will ensure a secure connection to the internal network of the company. When you publish an application through ISA Server 2006, you are protecting the server from direct external access because the name and IP address of the server are not accessible to the user. The user accesses the ISA Server computer, which then forwards the request to the server according to the conditions of the server publishing rule. When you create a secure Web publishing rule, you can configure how SSL requests will be redirected as Hypertext Transfer Protocol (HTTP) requests or as SSL requests.
Reference: Deploying Office SharePoint Server 2007 with ISA Server 2006 / No direct access to the server from the Internet.
http://technet.microsoft.com/en-us/library/cc268368.aspx
QUESTION 14
Your company has one main office and 20 branch offices. Each office is configured as an Active Directory site. The network consists of one Active Directory domain. All servers run Windows Server 2008 R2 and all client computers run Windows 7. The main office contains three domain controllers. You need to deploy one domain controller in each branch office to meet the following requirements:
– Authentication to a main office domain controller must only occur if a local domain controller fails.
– Client computers in the main office must not authenticate to a domain controller office.
– Client computers in a branch office must not authenticate to a domain controller in another branch office.
– Client computers in each branch office must attempt to authenticate to the domain controller at their local site first.
What should you do first?
A. Associate the IP subnet of each branch office to the Active Directory site of the main office.
B. Select the read-only domain controller (RODC) option and the Global Catalog option when deploying the branch office domain controllers.
C. Create a Group Policy object (GPO) that applies to all branch office domain controllers and controls the registration of DNS service location (SRV) records.
D. Configure only the main office domain controllers as global catalog servers. Enable Universal Group Membership Caching in the Active Directory site for each branch office.
Answer: C
Explanation:
To deploy domain controllers in the branch offices and make sure that the client computers in each branch office must attempt to authenticate to the domain controller at their local site first and the authentication to a main office domain controller must only occur if a local domain controller fails and to meet other specified requirements, you need to create a Group Policy object (GPO) for all branch office domain controllers to control the registration of DNS service location (SRV) records. SRV records are used by Windows Server to locate domain controllers in specific domains, domain controllers in the same site, global catalogue servers, and key distribution centers.
Reference: DNS Service Records and Locating Domain Controllers.
http://www.2000trainers.com/windows-2000/dns-service-records/
QUESTION 15
Your network consists of one Active Directory domain that contains only domain controllers that run Windows Server 2003. Your company acquires another company. You need to provide user accounts for the employees of the newly acquired company. The solution must support multiple account lockout policies. What should you do?
A. Implement Authorization Manager.
B. Implement Active Directory Federation Services (AD FS).
C. Upgrade one domain controller to Windows Server 2008. Raise the functional level of the domain to Windows Server 2003.
D. Upgrade all domain controllers to Windows Server 2008. Raise the functional level of the domain to Windows Server 2008.
Answer: D
Explanation:
To support multiple account lockout policies, you need to upgrade all domain controllers to Windows Server 2008. In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy. In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. Next you need to raise the functional level of the domain to Windows Server 2008 because Windows Server 2003 functional level does not support Windows Server 2008 domain controllers.
Reference: Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration.
http://technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true
Reference: Appendix of Functional Level Features.
http://technet2.microsoft.com/windowsserver2008/en/library/34678199-98f1-465f-9156-c600f723b31f1033.mspx?mfr=true