Certkingdom 70-647 Exam Q & A



Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com



QUESTION 1
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com. All servers in the Certkingdom.com network run Windows Server 2008.
The Certkingdom.com network has a file server named ABC-SR07 that hosts a shared folder named
ABCDocs. Several Microsoft Word documents are stored in the ABCDocs share. You want to
enable document version history on these documents. You also want the documents in the
ABCDocs share to be accessed through a Web page.
Which of the following roles or services would you install on ABC-SR07 to achieve the desired
results cost effectively?

A. FTP Server role.
B. Application Server role.
C. Microsoft Windows SharePoint Services (WSS) 3.0.
D. File and Print Services role.
E. Microsoft Office SharePoint Server (MOSS) 2007.
F. SMTP Server role.

Answer: C

Explanation:
To achieve the desired results without requiring any additional cost, you need to use Microsoft
Windows SharePoint Services (WSS) 3.0.
Reference: Microsoft Windows SharePoint Services 3.0 and the Mobile Workplace
http://download.microsoft.com/download/b/b/6/bb6672dd-252c-4a21-89de-
78cfc8e0b69e/WSS%20Mobile%20Workplace.doc


QUESTION 2
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com with a single site named Site
A. All servers in the Certkingdom.com network run Windows Server
2008.
You reorganize the Active Directory infrastructure to include a second site named SiteB with its
own domain controller.
How would you configured the firewall to allow replication between SiteA and SiteB?

A. Enable IPSec traffic to pass through the firewall.
B. Enable RPC traffic to pass through the firewall.
C. Enable SMTP traffic to pass through the firewall.
D. Enable NNTP traffic to pass through the firewall.
E. Enable FTP traffic to pass through the firewall.

Answer: B

Explanation:
You should permit RPC traffic through the firewall to enable the domain controllers to replicate
between the two sites because the Active Directory relies on remote procedure call (RPC) for
replication between domain controllers. You can open the firewall wide to permit RPC’s native
dynamic behavior.
Reference: Active Directory Replication over Firewalls
http://technet.microsoft.com/en-us/library/bb727063.aspx


QUESTION 3
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com. All servers in the Certkingdom.com network run Windows Server 2008.
Certkingdom.com runs a critical application that accesses data that is stored in a Microsoft SQL Server
2005 database server named ABC-DB02. Which of the following options would you choose to
ensure that the database is always available?

A. Two Windows Server 2008 servers running MS SQL Server 2005 Standard Edition in a
Network Load Balancing (NLB) cluster.
B. Two Windows Server 2008 servers running MS SQL Server 2005 Enterprise Edition in a
Network Load Balancing (NLB) cluster
C. Two Windows Server 2008 servers running MS SQL Server 2005 Standard Edition in a failover
cluster.
D. Two Windows Server 2008 servers running MS SQL Server 2005 Enterprise Edition in a
failover cluster.

Answer: D

Explanation:
To ensure the high availability of the data store, you need to use a Windows Server 2008 failover
cluster with shared storage.
Failover clustering can help you build redundancy into your network and eliminate single points of
failure.
Administrators have better control and can achieve better performance with storage than was
possible in previous releases. Failover clusters now support GUID partition table (GPT) disks that
can have capacities of larger than 2 terabytes, for increased disk size and robustness.
Administrators can now modify resource dependencies while resources are online, which means
they can make an additional disk available without interrupting access to the application that will
use it. And administrators can run tools in Maintenance Mode to check, fix, back up, or restore
disks more easily and with less disruption to the cluster
You should not use Network Load Balancing (NLB) because it only allows you to distribute TCP/IP
requests to multiple systems in order to optimize resource utilization, decrease computing time,
and ensure system availability.
Reference: High Availability
http://www.microsoft.com/windowsserver2008/en/us/high-availability.aspx


QUESTION 4
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com. All servers in the Certkingdom.com network run Windows Server 2008. Certkingdom.com has its
headquarters in Chicago and sub-divisions in Boston, Atlanta, Miami and Dallas. All domain
controllers are currently installed in the Chicago.
You need to have new domain controllers installed in the Boston, Atlanta, Miami and Dallas subdivisions.
Certkingdom.com issues a security policy for the new domain controllers that states the
following:
• Unauthorized user must not be able to access the Active Directory database.
• Unauthorized user must not be able to boot a domain controller from an alternate boot disk.
Which of the following options would you choose to implement the security policy?

A. Modify the permissions of the ntds.dat file.
B. Configure a read-only domain controller (RODC) in the Boston, Atlanta, Miami and Dallas.
C. Disable replication of the Sysvol folder on the new domain controllers.
D. Configure Windows BitLocker Drive Encryption (BitLocker) on the new domain controllers.
E. Disable the Global Catalog role on the new domain controllers.
F. Configure EFS encryption on the new domain controllers.

Answer: D

Explanation:
To configure domain controller at each branch office to ensure that no unauthorized user should
be allowed to copy the Active Directory database from a branch office domain controller by starting
the server from an alternate startup disk, you need to use Windows BitLocker Drive Encryption
(BitLocker)
BitLocker allows you to encrypt all data stored on the Windows operating system volume and use
the security of using a Trusted Platform Module (TPM) that helps protect user data and to ensure
that a computer running Windows Vista or Server 2008 have not been tampered with while the
system was offline.
In addition, BitLocker offers the option to lock the normal startup process until the user supplies a
personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that
contains a startup key. This process will ensure that users can only access all files on the servers
if they have the PIN. You cannot use an alternate startup disk to boot the server.
Reference: BitLocker Drive Encryption Technical Overview
http://technet2.microsoft.com/windowsserver2008/en/library/a2ba17e6-153b-4269-bc46-
6866df4b253c1033.mspx?mfr=true


QUESTION 5
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com that runs at the domain functional level of Windows Server 2008.
Which of the following options can be used for tracking any modification to Active Directory
Objections?

A. Configure a Group Policy to run the Security Configuration Wizard on all computers in the ABC
network.
B. Configure the Default Domain Controllers Group Policy to audit Directory Services.
C. Configure the Default Domain Group Policy to audit Directory Services.
D. Enable auditing of the ntds.dat file in the Default Domain Group Policy.
E. Enable auditing of the ntds.dat file in the Default Domain Group Policy.

Answer: B

Explanation:
To implement an audit and compliance policy and ensure that all changes made to Active
Directory objects are recorded, you need to configure a Directory Services Auditing policy in the
Default Domain Controller Policy
In Windows Server 2008, you can enable Audit Directory Service Access policy to log events in
the Security event log whenever certain operations are performed on objects stored in Active
Directory.
Enabling the global audit policy, Audit directory service access, enables all directory service policy
subcategories. You can set this global audit policy in the Default Domain Controllers Group Policy
(under Security Settings\Local Policies\Audit Policy).
Reference: Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide
http://technet2.microsoft.com/windowsserver2008/en/library/a9c25483-89e2-4202-881cea8e02b4b2a51033.
mspx?mfr=true


QUESTION 6
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com. All servers in the Certkingdom.com network run Windows Server 2003.
You want to install a read-only domain controller (RODC) without uABCrading the existing domain
controllers Windows Server 2008.
What action should you take? (Each correct option will form a part of the answer. Select TWO.)

A. Raise the forest functional level to Windows 2000.
B. Raise the forest functional level to Windows 2003.
C. Raise the forest functional level to Windows 2008.
D. Raise the domain functional level to Windows Server 2000
E. Raise the domain functional level to Windows Server 2003
F. Raise the domain functional level to Windows Server 2008

Answer: B,E

Explanation:
To create an Active Directory forest and domain functional levels to support Read-only domain
controllers (RODC) and Windows Server 2003 domain controllers, you need to create both the
forest and domain functional levels of Windows Server 2003. This is because only when you use
both the forest and domain functional levels of Windows Server 2003, you will be able to support
Read-only domain controllers (RODC) and Windows Server 2003 domain controllers.
Reference: Appendix of Functional Level Features
http://technet2.microsoft.com/windowsserver2008/en/library/34678199-98f1-465f-9156-
c600f723b31f1033.mspx?mfr=true


QUESTION 7
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a forest named
and Certkingdom.com that runs at the forest functional level of Windows Server 2003. Certkingdom.com has a
subsidiary company named TestLabs, Inc. The TestLabs, Inc. network has a forest named and
testlabs.com that runs at the forest functional level of Windows Server 2003. All domain controllers
on both the Certkingdom.com network and the TestLabs, Inc. network run Windows Server 2008.
Certkingdom.com users do not have access to network resources in TestLabs, Inc.
TestLabs, Inc. has a file server named TESTLABS-SR07. Certkingdom.com users must be able to access
shared folders on TESTLABS-SR07. However, Certkingdom.com users must not be able to access any
other network resources in TestLabs, Inc.
Which of the following options would you choose to accomplish this task? (Each correct option will
form a part of the answer. Select TWO.)

A. By raising the forest functional level of Certkingdom.com and testlabs.com to Windows Server 2008.
B. By raising the domain functional level of all domains in Certkingdom.com and testlabs.com to Windows
Server 2008.
C. By creating a forest trust between Certkingdom.com and testlabs.com.
D. By setting the Allowed to Authenticate for TESTLABS-SR07.
E. By setting the Allowed to Authenticate right on the computer object for the testlabs.com
infrastructure operations master object.

Answer: C,D

Explanation:
To ensure that the users in ABC-south.com are denied access to all the resources ABC-north.com
except the resources on ABC-SR07, you need to create a forest trust between ABC-south.com
and ABC-north.com so that resources can be shared between both the forests. You can however
set the trust authentication setting to selective authentication so that only selected authentication
is allowed.
Next you need to set the Allowed to Authenticate right on the computer object for ABC-SR07 so
that each user must be explicitly granted the Allowed to Authenticate permission to access
resources on ABC-SR07.
You should not set the Allowed to Authenticate right on the computer object for the ABC-north.com
infrastructure operations master object because Allowed to Authenticate right is set for the users in
a trusted Windows Server 2003 domain or forest to be able to access resources in a trusting
Windows Server 2003 domain or forest, where the trust authentication setting has been set to
selective authentication, each user must be explicitly granted the ‘Allowed to Authenticate’
permission on the security descriptor of the computer objects (resource computers) that reside in
the trusting domain or forest.
Reference: Grant the Allowed to Authenticate permission on computers in the trusting domain or
forest
http://technet2.microsoft.com/windowsserver/en/library/b4d96434-0fde-4370-bd29-
39e4b3cc7da81033.mspx?mfr=true


QUESTION 8
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com. All servers in the Certkingdom.com network run Windows Server 2008. Certkingdom.com has its
headquarters in Chicago and branch offices in Boston. The Boston office is connected to the
Chicago by a WAN link. The Chicago office has a DNS Sever named ABC-SR04 that is configured
as a single DNS zone. The Boston office has two servers named ABC-SR07 and ABC-SR08.
ABC-SR08 hosts shared folders that are only accessed by Certkingdom.com users in the Boston office.
You work in the Chicago office while a network administrator named Rory Allen works in the
Boston office.
Certkingdom.com wants you to ensure that users at the Boston office can log on to the Certkingdom.com domain
and can connect to the shared folders on ABC-SR08 even when the WAN link is down. You must
allow Rory Allen to configure the servers in the Boston office without allowing him to modify the
Active Directory configuration.
Which actions should you take to accomplish this task? (Each correct option will form a part of the
answer. Choose THREE.)

A. By promoting ABC-SR07 to a domain controller.
B. By promoting ABC-SR07 to a read-only domain controller (RODC).
C. By installing USMT role on ABC-SR07.
D. By installing ADMT role on ABC-SR07.
E. By installing DNS role on ABC-SR07.
F. By adding Rory Allen to the Domain Admins group.
G. By creating an organizational unit (OU) for the Boston office.
H. By assigning administrative rights to Rory Allen.

Answer: B,E,H

Explanation:
To ensure that the users in the branch office are able to log on to the domain even if the WAN link
fails, you need to promote the member server to a read-only domain controller (RODC) because
the RODC works as a domain controller and allows log in to the domains except allowing
modifications and changes to the Active directory domain.
Delegating administrative rights to the local branch office administrator after promoting a member
server to a RODC will make sure that branch office administrator is not allowed to initiate any
changes to Active Directory but should be allowed to make configuration changes to the servers in
the branch office.
Configuring the DNS role to the member server, will ensure that the users are allowed to access
file shares on the local server in the absence of the WAN link. Without name resolution and the
other services that are provided by DNS servers, client access to remote host computers would be
prohibitively difficult. DNS servers need to be configured because in intranets computer users
rarely know the IP addresses of computers on their local area network (LAN).
Reference: DNS Server Role: Read-only domain controller support/ Who will be interested in this
server role?
http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-
433bd018f66d1033.mspx?mfr=true


QUESTION 9
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com and a workgroup named ABCGROUP. All servers in the Certkingdom.com network run Windows
Server 2008 and all the client computers run Windows Vist
A. The Certkingdom.com network has
unmanaged network switches and has two servers named ABC-SR07 and ABC-SR08. ABC-SR07
is configured with the Active Directory Domain Services (AD DS), the Active Directory Certificate
Services (AD CS) and the Dynamic Host Configuration Protocol (DHCP) service while ABC-SR08
is configured with the Routing and Remote Access Service (RRAS), the Network Policy Service
(NPS) and Health Registration Authority (HRA).
You notice that the latest Microsoft updates have not been applied to all client computers that are
part of the ABCGROUP workgroup. You are concerned that Certkingdom.com users are accessing the
local area network (LAN) from these client computers.
You want to implement Network Access Protection (NAP) to secure the network by preventing
client computers that are not members of the Certkingdom.com network or do not have the latest Microsoft
updates from accessing any network servers that are members of the Certkingdom.com domain.
Which of the following option would you choose?

A. TCP/IP
B. 802.1z
C. PPTP
D. DHCP
E. L2TP
F. IPsec

Answer: F

Explanation:
To ensure that only the computers that have the latest Microsoft updates installed should be able
to connect to servers in the domain and that only the computers that are joined to the domain
should be able to connect to servers in the domain, you need to use the IPSec NAP enforcement
method. IPsec domain and server isolation methods are used to prevent unmanaged computers
from accessing network resources. This method enforces health policies when a client computer
attempts to communicate with another computer using IPsec.
Reference: Protecting a Network from Unmanaged Clients / Solutions
http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/unmanagedclient
s.mspx
Reference: Network Access Protection (NAP) Deployment Planning / Choosing Enforcement
Methods
http://blogs.technet.com/nap/archive/2007/07/28/network-access-protection-deploymentplanning.
aspx


QUESTION 10
You work as an enterprise administrator at Certkingdom.com. The Certkingdom.com network has a domain named
Certkingdom.com. All servers in the Certkingdom.com network run Windows Server 2008. The Certkingdom.com network
has two web servers named ABC-SR07 and ABC-SR08. Certkingdom.com wants to hosts the company’s
e-commerce Web site named sales.Certkingdom.com on the two web servers. You receive instructions
from the CEO to ensure that the Web site is available even when one of the Web servers is offline.
The CEO also wants the session state of the web site to be available should one of the web
servers be offline. Additionally, you must be able to support the Web site on up to six Web servers
with each Web server having a dedicated IP address.
What action should you take?

A. Configure a two-failover cluster on ABC-SR07 and ABC-SR08.
B. Configure multiple ports for the sales.Certkingdom.com web site.
C. Configure Network Load Balancing on ABC-SR07 and ABC-SR08.
D. Configure the sales.Certkingdom.com web site on each server with the site content on a network share.
E. Configure multiple host headers for the sales.Certkingdom.com website.
F. Configure multiple IP addresses for the sales.Certkingdom.com website.

Answer: C

Explanation:
To ensure that the users of the website would be able to access the Web site if a single server
fails. The website should be scalable to as many as seven Web servers and the web servers
should be able to store session-state information for all users. It should also provide support for
multiple dedicated IP addresses for each Web server.
The Network Load Balancing (NLB) feature in Windows Server 2008 enhances the availability and
scalability of Internet server applications such as those used on Web, FTP, firewall, proxy, virtual
private network (VPN), and other mission-critical servers. NLB provides high availability of a
website by detecting and recovering from a cluster host that fails or goes offline.
You should not use failover clustering in this scenario because failover clustering requires shared
storage which is not mentioned in this question.
Reference: Overview of Network Load Balancing
http://technet2.microsoft.com/windowsserver2008/en/library/11dfa41c-f49e-4ee5-8664-
8b81f6fb8af31033.mspx?mfr=true

Best Microsoft MCTS Training – Microsoft MCITP Training at Certkingdom.com

Certkingdom 70-647 Exam Q & A
Scroll to top