70-647 Measure Up Notes

Your network is a forest with two domains: stayandsleep.com and dev.stayandsleep.com. Your company is partnering
with BCD Train on a project. BCD Train has a single Active Directory domain: bcdtrain.com.
Users in bcdtrain.com need access to the ProjectA server in dev.stayandsleep.com. They must authenticate using their
user accounts in bcdtrain.com.
You need to configure Active Directory to meet the requirements. Your solution should provide the best possible
security. What should you do?
You should create an outgoing external trust on a domain controller in dev.stayandsleep.com and enable selective
authentication. When you need to authenticate users from a different Active Directory forest, you need to create an
outgoing forest or an outgoing external trust. Because the users only need to access a resource in
dev.stayandsleep.com, you can create an external trust to limit the scope of the trust. When you create the trust, you
can select either forest-wide authentication or selective authentication. In this case, you need to configure selective
authentication because it will allow you to further limit the scope of access to ProjectA.
You should not create an outgoing shortcut trust on a domain controller in dev.stayandsleep.com. A shortcut trust is
used to optimize performance when resources in one domain are frequently accessed by users in another domain. A
shortcut trust can only be established between domains in the same forest.
You should not create an incoming realm trust on a domain controller in dev.stayandsleep.com and enable selective
authentication. A realm trust is used when you need to establish trust with a non-Active Directory Kerberos realm. Also,
you would not create an incoming trust in dev.stayandsleep.com. An incoming trust means that users from the domain
where the trust is created are trusted to access resources in the destination domain.
You should not create an incoming forest trust on a domain controller in dev.stayandsleep.com. A forest trust is created
between two forest root domains. Also, you should not create an incoming trust. An incoming trust allows users in the
trusted domain (in this case dev.stayandsleep.com) to access resources in the trusting domain (in this case
bcdtrain.com).
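The trust the answer describes, as an added example that is not part of the MeasureUp notes: a one-way outgoing external trust created from dev.stayandsleep.com with selective authentication, followed by the "Allowed to Authenticate" grant that selective authentication requires before any bcdtrain.com user can reach ProjectA. It assumes you run it as a Domain Admin of dev.stayandsleep.com on a domain controller there; the bcdtrain.com credential, the group BCDTRAIN\ProjectA-Users and the ProjectA computer DN are placeholders.

```powershell
# Added example: outgoing external trust with selective authentication.
# netdom trust <TrustingDomain> /d:<TrustedDomain> /add creates a one-way,
# non-transitive external trust: dev.stayandsleep.com (resource side) trusts
# bcdtrain.com (account side). /ud and /pd supply a credential in the trusted
# domain; /pd:* prompts for the password instead of placing it on the command line.
$trusting = 'dev.stayandsleep.com'   # resource domain, where the outgoing trust is created
$trusted  = 'bcdtrain.com'           # account domain whose users are trusted

netdom trust $trusting /d:$trusted /add `
    /ud:"BCDTRAIN\Administrator" /pd:* `
    /SelectiveAUTH:yes

# Checks: the trust is healthy and selective authentication is switched on.
# /SelectiveAUTH without a value reports the current setting.
netdom trust $trusting /d:$trusted /verify
netdom trust $trusting /d:$trusted /SelectiveAUTH

# With selective authentication, a trusted user is refused on every computer in
# dev.stayandsleep.com until a group they belong to holds the "Allowed to
# Authenticate" control access right on that computer object. Grant it only on
# ProjectA, which is what limits the scope of access to that single server.
# The DN and group name below are constructed placeholders.
$projectA = 'CN=ProjectA,OU=Servers,DC=dev,DC=stayandsleep,DC=com'
dsacls $projectA /G "BCDTRAIN\ProjectA-Users:CA;Allowed to Authenticate"

# Check: list the ACEs on ProjectA so the new control-access grant is visible.
dsacls $projectA | Select-String 'Allowed to Authenticate'
```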
=============================
Your network is configured as a single Active Directory domain. All domain controllers run Microsoft Windows Server
2008, and your domain is configured at the Windows Server 2008 functional level. The network includes a main office
and three remote branch offices. Each office is configured as a separate Active Directory site.
You need to specify different password policies for each of the remote branch offices. You need to minimize the ongoing
administrative effort of maintaining your solution. Changes to domain structure should be kept to a minimum. What
should you do?
You need to configure fine-grained password policy. Windows Server 2008 supports fine-grained password and account
lockout policies that can override the domain default policies. To implement this feature, you will need to create a
Password Settings object (PSO) and link it to a global security group. In this case, you would:
1. Create a PSO for each set of password policies.
2. Create a global security group for each branch office containing the users in the office.
3. Link the PSO to the appropriate global security group.
You should not create a GPO for each set of password policies, or link a GPO to branch office sites or OUs. Password
policies specified in a GPO and then linked to a site or OU cannot override domain password policy.
You should not link the appropriate PSO to each branch user. Managing PSO links by user requires more administrative
effort to configure and maintain than linking them to global security groups.
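The three steps above in script form, as an added example that is not from the MeasureUp notes: one Password Settings object per branch, a global security group per branch, and the PSO linked to the group rather than to individual users, ending with a resultant-policy check. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later; on plain Windows Server 2008 the same PSOs are created with ADSI Edit or ldifde), and the branch names, precedence values and password settings are constructed placeholders.

```powershell
# Added example: fine-grained password policy per branch office.
Import-Module ActiveDirectory

# Constructed branch definitions. Precedence must be unique; when a user falls
# under more than one PSO, the PSO with the lowest precedence value wins.
$branches = @(
    @{ Name = 'Branch1'; Precedence = 10; MinLength = 12; MaxAgeDays = 60 },
    @{ Name = 'Branch2'; Precedence = 20; MinLength = 10; MaxAgeDays = 90 },
    @{ Name = 'Branch3'; Precedence = 30; MinLength = 14; MaxAgeDays = 45 }
)

foreach ($b in $branches) {
    # Step 2: a global security group that holds the branch's user accounts.
    $groupName = "$($b.Name)-Users"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
    }

    # Step 1: the PSO carrying this branch's password and lockout settings.
    $psoName = "PSO-$($b.Name)"
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence $b.Precedence `
        -MinPasswordLength $b.MinLength `
        -MaxPasswordAge (New-TimeSpan -Days $b.MaxAgeDays) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)

    # Step 3: link the PSO to the group, not to each user, so adding a user to the
    # branch group is the only ongoing maintenance.
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Check: the policy that actually applies to a branch user (placeholder account).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```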
=============================
Your network is configured as an Active Directory domain. The network includes multiple Terminal Services farms. The
network is isolated from the Internet by a perimeter network. You deploy a server running Microsoft Windows Server
2008 in the perimeter network and install the Terminal Services Web Access (TS Web Access) role.
You need to create a single Web access point that enables all remote users to access applications hosted on any
Terminal Services farm. What should you do?
You should install Windows SharePoint Services (WSS) on the computer running TS Web Access. Because you are
installing on a computer running Windows Server 2008, you must install WSS 3.0 with service pack 1 (SP1). After
installing WSS, you would need to register the TS Web Access Web Part's assembly and namespace by modifying the
web.config file. Next, you would create a folder path to store TS Web Access Web Part images. Finally, you would add a TS
Web Access Web Part for each Terminal Services farm, configuring it to point to the farm it should serve. You must add a
separate Web Part for each Terminal Services farm.
You should not deploy another computer running Windows Server 2008 in the perimeter network and install Windows
SharePoint Services on that computer. For this configuration to work, WSS must be installed on the computer on which
you configured the TS Web Access role.
You should not install TS Session Broker, either on a terminal services computer or another computer on the network. TS
Session Broker lets users reconnect to an existing session if they get disconnected. It is not used to manage Web access.
=============================
You are developing a logical Microsoft Windows Server 2008 Active Directory Domain Services (AD DS) design for your
organization's network. Network users are part of either the Operations or Research division. The Research division
deals with information that is considered by the organization to be confidential. For organizational purposes, you have
identified a Support division that includes shared resources and a database of reference materials. The only users in the
division are personnel responsible for managing and maintaining the shared resources.
You need to determine the best AD DS design for your network. Design requirements include:
* All users need access to resources in Support.
* Only Operations and Research should have access to resources in Operations.
* Only Research users should have access to Research.
* Each division should be managed separately from the other divisions.
* You should be able to reorganize any division without affecting the other divisions.
What should you do?
You should create a separate forest for each division and configure cross forest trusts where Support trusts Operations
and Research and Operations trusts Research. This lets you administer the divisions separately and enables you to
reorganize a division without affecting the other divisions. The trust relations meet the access requirements.
You should not configure cross forest trusts where Operations trusts Support and Research and Research trusts
Operations. This would give Support and Research access to resources in Operations and give Operations access to
resources in Research.
You should not create a design with a single forest. This does not give you the separation you need between the
divisions or the control over resource access required for the solution.
=============================
Your network is configured as a single Active Directory domain with one site. The domain is operating at the Windows
Server 2003 functional level. All domain controllers run Windows Server 2008.
Your company is planning to open a branch office. You are preparing a Read-only domain controller (RODC) to send to
the branch office. You want to ensure that the RODC is joined to the site associated with its IP address. The site has not
yet been created. There are no members of the Domain Admins group located at the branch office.
You need to prepare for RODC installation. Your solution should provide the best possible security. What should you do?
You should select Pre-create Read-Only Domain Controller Account in the Domain Controllers OU. An RODC installation
can be completed in two stages: creating the account in Active Directory and attaching to the account when running
dcpromo. Only members of Domain Admins can create the account. When you create the account, you specify the user
who can later attach the computer to the account. You can also either select a site or choose to have the site
determined automatically based on IP address. In this case, you should have the site determined based on its IP address.
You should not select Delegate Control in the Domain Controllers OU. While you could delegate permission to add a
domain controller to the user at the branch office, this would not be the most secure option because the user could add
rogue domain controllers.
You should not add the user who will be performing the installation to the Domain Admins group. While this would
allow the user to perform the operation, it would also allow the user to perform modifications in the domain.
You should not install Windows Server 2008 on the computer and set its IP address to the correct value. Since the
computer is not attached to the correct network, setting its IP address to its correct value will not allow it to contact the
domain controller.
=============================
Your network is configured as a single Active Directory domain with 12 sites. User and computer accounts for each site
are created in an organizational unit (OU) with the same name as the site.
Members of the DesktopAdmins group need to be able to create Group Policy objects (GPOs) that can be applied to
computers and users at each site. Members of the Chi-DesktopSupport group at the Chicago site need to be able to link
GPOs to child OUs inside the Chicago OU. You need to assign the necessary permissions to allow for GPO management.
You should use Group Policy Management Editor to delegate permission on the Group Policy Objects node to
DesktopAdmins. You can delegate the permission to create GPOs on the Delegation tab of the Group Policy Objects
node. A user with permission to create a GPO can define its policy settings, but cannot link it.
You should also use Group Policy Management Editor to delegate permission on the Chicago OU to the Chi-DesktopSupport
group. When you delegate permission on an OU, you can select which permission you are delegating.
You will need to delegate the Link GPOs permission. Permissions delegated on one OU can be inherited by child OUs.
You should not use Group Policy Management Editor to delegate permission on the Group Policy Objects node to
Chi-DesktopSupport. The only permission you can delegate on the Group Policy Objects node is the permission to create
GPOs. You need to delegate the Link GPOs permission.
You should not use Group Policy Management Editor to delegate permission on the Chicago site to Chi-DesktopSupport.
Permissions delegated on a site are not inherited by OUs.
You should not use Group Policy Management Editor to delegate permission on the domain to DesktopAdmins. At the
domain level, you can delegate permission to Link GPOs, Perform Group Policy Modeling analysis, or Read Group Policy
Results data. You cannot delegate permission to create GPOs.
=============================
Your network is configured as a single Active Directory domain. Your network includes a standalone root certificate
authority (CA) and three subordinate enterprise CAs. All clients on the network run Windows Vista.
You decide to deploy a server running the Online Certificate Status Protocol (OCSP) named OCSPSrv on the internal
network. Users who connect to the network across the Internet will access the server through an ISA Server reverse
proxy. The ISA Server is named ISA1. You need to identify the certificate requirements for the solution.
You should include an Online Response Signing certificate on OCSPSrv. The server running OCSP is known as an online
responder. It must have a certificate that is used to sign its response to the client.
Your plan should not include an SSL server certificate on OCSPSrv or on ISA1. You should not use SSL in the reverse proxy
scenario for OCSP.
=============================
Your company network is configured as a single Active Directory domain with two sites. The exhibit describes the
domain controllers and file servers.
Duplicate files are currently shared on FS1 and FS2. There are frequently problems with only one server being updated
with the latest version of the files.
You need to design a file sharing plan that meets the following requirements:
* All files should be available to users at each site without connecting across the Wide Area Network (WAN) link.
* If the local server is down, users should be able to access files using the remote server.
* Users should only be able to see the files and folders they have permission to read.
You need to identify the steps you should take to meet the requirements. Your solution must not require purchase of
additional software.
What should you do?
In the list on the right, select the steps you should take. Place your selections in the list on the left in the order in which
you should perform them. Place your selections in the list on the left by clicking the items in the list on the right and
clicking the arrow button. You can also use the up and down buttons to rearrange items in the list on the left. You may
not need to use all of the items from the list on the right.
You should perform the following steps:
* Upgrade DC2 to Windows Server 2008.
* Raise the domain functional level to Windows Server 2008.
* Create a domain-based DFS namespace.
* Enable Access-Based Enumeration.
Access-Based Enumeration is a new feature of DFS that prevents files and folders from being listed if a user does not
have permission to access them. DFS is a technology that allows files to be accessed through a single logical share on the
network. The logical share can be mapped to multiple physical locations. Files are kept synchronized through DFS
Replication. You need to create a domain-based namespace because you want to support availability by using multiple
namespace servers. Access-Based Enumeration can only be used on a domain-based namespace if it is a Windows Server
2008 mode namespace. A Windows Server 2008 mode namespace requires the domain to operate at the Windows
Server 2008 functional level, which means that all domain controllers must run Windows Server 2008. You will also need
to enable DFS replication to synchronize the servers at each site.
You should not install MOSS. MOSS is a full-featured collaborative software package. While it could be configured to
meet the requirements, it is not free. Windows SharePoint Services 3.0 (WSS) is the free version of SharePoint. However,
if the only requirements are those listed here, configuring and supporting WSS would require more effort than DFS.
You should not create a standalone DFS namespace. A standalone DFS namespace cannot support multiple namespace
servers for availability because namespace configuration information is stored in the registry.
You should not enable FRS. FRS was the replication method used to replicate DFS data in earlier operating systems.
Windows Server 2008 DFS uses DFS Replication.
=============================
Your network is configured as a single Active Directory domain with three domain controllers, an enterprise certificate
authority (CA), and a Network Access Protection (NAP) policy server. All servers run Windows Server 2008. Your network
includes client computers running Windows XP Professional Service Pack 3 (SP3) and Windows Vista. All client
computers connect to the wired network.
You need to ensure that client computers meet system health requirements. You plan to use the IPSec enforcement
method. You install Windows Server 2008 on a server named HRA1. You need to prepare HRA1 to be a Health
Registration Authority (HRA).
You should install IIS on HRA1. An HRA must run IIS. The IPSec NAP Enforcement Client (EC) sends a request to the HRA
using either Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS). The HRA contacts the NAP policy server to
verify the client's health. If it passes verification, the HRA requests a certificate from the CA.
You should not configure HRA1 as an enterprise CA. The HRA can contact the existing enterprise CA for a certificate.
You should not configure HRA1 as a standalone CA. The HRA can contact the existing enterprise CA for a certificate.
You should not install RRAS. RRAS is used for configuring dial-up, virtual private network (VPN), and routing. It is not
required on a server with the HRA role.
=============================
Your network is configured as an Active Directory forest with multiple domains. All domain controllers run Microsoft
Windows Server 2008. You create an unlinked Group Policy object (GPO) to establish baseline security settings for the
domains.
Each domain has a custom Organizational Unit (OU) structure. Each domain is configured with OUs for each department
containing the user accounts and computers for that department.
You need to apply the baseline security settings to all user accounts in the domains. You need to ensure that the settings
cannot be overridden. You need to minimize the effort necessary to apply the security settings.
You should link the GPO at each domain root and set the Enforced option. This will cause the GPO to be applied to each
user in the domain. The Enforced option prevents the settings from being overridden.
You should not link the GPO to each OU containing users and set the Enforced option. This would cause the settings to
be applied to all users, but it does not minimize the effort necessary to apply the security baseline.
You should not link the GPO at the forest root and set the Enforced option. This would apply the baseline security
settings to users in the root domain only.
You should not link the GPO to the Users container in each domain and set the Enforced option. This would not apply
baseline security settings to the domain users because of the custom OU structure.
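Linking the baseline GPO at each domain root with Enforced set, as an added example that is not from the MeasureUp notes. GPOs live in one domain, so it assumes a GPO named "Baseline Security" (constructed name) already exists in each domain of the forest, and that the ActiveDirectory and GroupPolicy PowerShell modules are available (Windows Server 2008 R2 RSAT or later).

```powershell
# Added example: enforce a baseline GPO at the root of every domain in the forest.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'Baseline Security'   # constructed placeholder name
$forest  = Get-ADForest

foreach ($domain in $forest.Domains) {
    $dn = (Get-ADDomain -Identity $domain).DistinguishedName

    # The GPO must exist in this domain; linking across domains is not done here.
    $gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
    if (-not $gpo) { Write-Warning "No GPO '$gpoName' in $domain"; continue }

    # Link at the domain root so every OU under it inherits the settings. Enforced
    # makes the link win over conflicting settings in child OUs and survive
    # Block Inheritance set on any OU.
    $linked = (Get-GPInheritance -Target $dn -Domain $domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if ($linked) {
        Set-GPLink -Name $gpoName -Target $dn -Domain $domain -Enforced Yes | Out-Null
    } else {
        New-GPLink -Name $gpoName -Target $dn -Domain $domain `
            -LinkEnabled Yes -Enforced Yes | Out-Null
    }
}

# Check: show every enforced link at each domain root.
foreach ($domain in $forest.Domains) {
    $dn = (Get-ADDomain -Identity $domain).DistinguishedName
    (Get-GPInheritance -Target $dn -Domain $domain).GpoLinks |
        Where-Object { $_.Enforced } |
        Select-Object @{ n = 'Domain'; e = { $domain } }, DisplayName, Enabled, Enforced
}
```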
=============================
Your network is configured as an Active Directory forest with multiple domains. Each domain is configured in the
Windows 2000 native-mode functional level. All domain controllers currently run Windows 2000 Server.
You need functionality provided by the Windows Server 2008 domain functional level. You need to minimize the
administrative effort needed to change the domain functional level in each domain. What should you do?
In the list on the right, select the steps necessary to raise the domain functional level. Place your selections in the list on
the left in the order in which they must be completed. Place your selections in the list on the left by clicking the items in
the list on the right and clicking the arrow button. You can also use the up and down buttons to rearrange items in the
list on the left. You may not need to use all of the items from the list on the right.
In order to raise the domain functional level to Windows Server 2008, you need to raise the forest functional level.
Before you can do this, you need to upgrade all of the domain controllers to Windows Server 2008. To do this, you need
to do the following:
* Run adprep /forestprep.
* Run adprep /domainprep /gpprep.
* Upgrade all domain controllers to Windows Server 2003.
* Upgrade all domain controllers to Windows Server 2008.
* Manually raise the forest functional level to Windows Server 2008.
You need to run adprep /forestprep and adprep /domainprep /gpprep to prepare the Active Directory schema to
support domain controllers running Windows Server 2008. You then need to run an in-place upgrade on each of the
domain controllers. You cannot upgrade directly from Windows 2000 Server to Windows Server 2008. You must first
upgrade the domain controllers to Windows Server 2003. When you raise the forest functional level to Windows Server
2008, the domain functional level of each domain configured in the Windows 2000 native-mode functional level is
automatically raised to Windows Server 2008.
There is no reason to upgrade the DNS servers to Windows Server 2008. This is not necessary to upgrade the domain.
It is not necessary to install the Active Directory Domain Services (AD DS) role. This role is installed automatically when
you upgrade the domain controllers.
There is no need to manually raise the domain functional level to Windows Server 2008. This will happen automatically
when you raise the forest functional level.
=============================
Your network is configured as a single Active Directory domain. The network includes a main office and two branch
offices. The branch offices are on routed subnets connected by wide area links. Separate network connections are
available between a Storage Area Network (SAN) iSCSI device and all subnets.
You deploy a computer running Microsoft Windows Server 2008 in each branch office. You configure each server with
virtual computers running applications that are not cluster-aware. Each server hosts two guest instances of Windows
Server 2008. Each guest operating system is supporting a different stand-alone server application.
You need to ensure the availability of the applications running on the guest operating systems. You need to minimize the
changes to your network configuration and keep the number of servers required to a minimum.
What should you do?
You should configure the branch office host servers as a two-node failover cluster. Windows Server 2008 failover
clustering supports creating a cluster from nodes that are deployed on different subnets. You can configure the host
clusters to start applications after failover, even if the applications are not cluster aware.
You should not move the servers from the branch offices to the main office and configure the host servers as a two-node
failover cluster. There is no need to move the servers before creating the failover cluster.
You should not use TS Session Broker to configure your solution. TS Session Broker is used to configure load balancing in
a TS Web farm. It cannot be used to configure availability in this situation.
You should not configure the applications running on the guest operating systems as an NLB cluster. An NLB cluster is
not appropriate in this situation. An NLB cluster can be used to create a cluster of servers running the same application.
In this situation, the guest operating systems are running different applications. Also, because you are not given what
applications are running on the guest operating systems, you have no way to know whether or not the applications
support NLB.
=============================