Learn About Windows Server 2008, Enterprise Administrator

The following are questions from MeasureUp Practice Test for the Microsoft IT Professional exam 70-647: Windows Server 2008, Enterprise Administrator

Objective: Plan network and application services.
Sub-objective: Design for network access.
 
Single answer, multiple-choice

Your network is configured as an Active Directory domain. The network is protected from the Internet by a perimeter network. There are two Web servers deployed in the perimeter network. Both Web servers support Secure Sockets Layer (SSL) connections.

You deploy a computer running Microsoft Windows Server 2008 and configure the computer to support Routing and Remote Access Service (RRAS). You need to configure the server to support incoming virtual private network (VPN) connections. Changes to perimeter network firewalls must be kept to a minimum. Communication between the remote client and RRAS server must be encrypted. What should you do?
 
A.    Use SSTP for client connections.
B.    Use PPTP for client connections.
C.    Use L2TP/IPSec for client connections.
D.    Use RDP for client connections.

Answer:
A

Tutorial:
You should use Secure Sockets Transport Protocol (SSTP) for client connections. SSTP provides a secure connection. SSTP support was introduced with Windows Server 2008. Communication between the client and RRAS server is encrypted. The connection uses port 443, the same port as SSL, so you do not have to change the firewall configuration.

You should not use Point-to-Point Tunneling Protocol (PPTP). PPTP does not, in itself, provide for encryption. It would also require you to open an additional port in the perimeter firewall.

You should not use Layer 2 Tunneling Protocol with IP Security (L2TP/IPSec). This connection type provides encryption, but it would require you to open an additional port in the perimeter firewall.

You should not use Remote Desktop Protocol (RDP) for the connection. RDP is not used for VPN connections. It would also require you to open an additional port in the perimeter firewall.

References:
What's New in Routing and Remote Access
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/62736172-aa83-43ba-a844-f1c548f5a4ac1033.mspx

SSTP Remote Access Step-by-Step Guide: Deployment
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/9f69d438-2723-4e15-836f-8e58ef2827141033.mspx

How to configure a Secure Socket Tunneling Protocol (SSTP)-based VPN server behind a NAT device in Windows Server 2008
Microsoft TechNet
http://support.microsoft.com/kb/947032

Objective: Plan network and application services.
Sub-objective: Plan for name resolution and IP addressing.

Single answer, multiple-choice

Your network has two forests: stayandsleep.com and bcdtrain.com. App1 is a server in the stayandsleep.com domain. WinSrv is a server running Windows Internet Name Service (WINS) and is located in the stayandsleep.com domain. DC.stayandsleep.com and DC.bcdtrain.com host the Domain Name System (DNS) and Active Directory Domain Services (AD DS) roles and are configured with an Active Directory-Integrated zone for their own domains. Both domain controllers run Windows Server 2008.

You plan to decommission WinSrv. Client applications on computers in both stayandsleep.com and bcdtrain.com need to be able to resolve App1 using single-label name resolution. What should you do?

A.    On DC.bcdtrain.com, configure DC.stayandsleep.com as a conditional forwarder.
B.    On DC.stayandsleep.com, configure DC.bcdtrain.com as a forwarder.
C.    Create a GlobalNames zone on DC.stayandsleep.com. Add a SRV record to DC.bcdtrain.com identifying DC.stayandsleep.com as the GlobalNames zone host.
D.    Create a GlobalNames zone on DC.stayandsleep.com. Add DC.stayandsleep.com to root hints on DC.bcdtrain.com.

Answer:
C

Tutorial:
You should create a GlobalNames zone on DC.stayandsleep.com and add a SRV record to DC.bcdtrain.com identifying DC.stayandsleep.com as the GlobalNames zone host. Windows Server 2008 allows you to create a GlobalNames zone to allow single-label name resolution. If you need to resolve the name between forests, you will also need to add a Service Location (SRV) record to the DNS server in the forest that does not contain the GlobalNames zone so that the DNS server will know how to locate the GlobalNames zone.

You should not configure DC.stayandsleep.com as a conditional forwarder on DC.bcdtrain.com. A conditional forwarder is one that forwards requests for resources in a specific zone. In this case, you need to support single-label name resolution so the zone will not be known.

You should not configure DC.bcdtrain.com as a forwarder on DC.stayandsleep.com. The forwarder is the DNS server that receives requests for names that cannot be resolved by the DNS server that initially receives the request. If you configure DC.bcdtrain.com as a forwarder, DC.stayandsleep.com will forward requests for resources it cannot resolve to DC.bcdtrain.com. DC.bcdtrain.com will not be able to resolve the single-label name, so name resolution will fail.

You should not create a GlobalNames zone on DC.stayandsleep.com and add DC.stayandsleep.com to root hints on DC.bcdtrain.com. The root hints file is used to locate domain controllers to resolve fully qualified names outside the hosted zone when there are no forwarders. You cannot identify a DNS server that can resolve a single-label name by using root hints.
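The GlobalNames deployment described in this tutorial, as an added example that is not part of the original practice test: it uses the built-in `dnscmd` tool from an elevated PowerShell prompt. The FQDN `App1.stayandsleep.com`, the presence of a separate `_msdcs.bcdtrain.com` zone, and the SRV priority and weight values are assumptions.

```powershell
# Added example, not from the original practice test.
# Server names come from the question; everything marked "assumed" is illustrative.
$gnzServer = 'DC.stayandsleep.com'   # DNS server that will host the GlobalNames zone
$remoteDns = 'DC.bcdtrain.com'       # DNS server in the forest without the zone

# 1. Enable GlobalNames support on every DNS server that must answer
#    single-label queries, including the one in the other forest.
dnscmd $gnzServer /config /enableglobalnamessupport 1
dnscmd $remoteDns /config /enableglobalnamessupport 1

# 2. Create the AD-integrated GlobalNames zone, replicated forest-wide.
dnscmd $gnzServer /ZoneAdd GlobalNames /DsPrimary /DP /forest

# 3. Publish the single-label name as a static CNAME.
#    App1.stayandsleep.com is the assumed FQDN of App1.
dnscmd $gnzServer /RecordAdd GlobalNames App1 CNAME App1.stayandsleep.com

# 4. In the bcdtrain.com forest, add the SRV record that identifies the
#    GlobalNames zone host. Assumes _msdcs.bcdtrain.com exists as its own zone;
#    priority 0 and weight 100 are assumed values, 53 is the DNS port.
dnscmd $remoteDns /RecordAdd _msdcs.bcdtrain.com _globalnames SRV 0 100 53 DC.stayandsleep.com

# 5. Check from a bcdtrain.com client that the single-label name resolves
#    through its own DNS server before WinSrv is decommissioned.
nslookup App1 $remoteDns
```

Records in a GlobalNames zone are static and created by an administrator, so review who can write to the zone and to the `_globalnames` SRV record, since either one controls where single-label names resolve.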

Reference:
DNS Server Role
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/533a1cfc-5173-4248-914c-433bd018f66d1033.mspx?mfr=true

Objective: Design core identity and access management components.
Sub-objective: Design the Active Directory physical topology.

Single answer, multiple-choice

Your network is configured as two Active Directory domains: stayandsleep.com and branch.stayandsleep.com. There are currently two sites: Corp and BranchA.

Your company is opening a second branch office. The branch office will support 200 users. Three file servers and a server running Microsoft Exchange 2007 will be installed at the branch office. All computers at the branch office will be members of the branch.stayandsleep.com domain. The new branch office connects to the corporate office through a demand-dial connection.

You plan to deploy a single domain controller in the new branch office. You need to determine how that domain controller should be configured. Your solution should require the least amount of server resources. What should you do?

A.    Install a Read Only Domain Controller (RODC) and add the Global Catalog server role.
B.    Install a Server Core installation. Install AD DS and add the Global Catalog server role.
C.    Install a Server Core installation. Install AD DS and enable universal group membership caching.
D.    Install a Read Only Domain Controller (RODC) and enable universal group membership caching.

Answer:
B

Tutorial:
You should install a Server Core installation, install AD DS and add the Global Catalog server role. A Server Core installation uses fewer resources than a full installation because it does not include user-interface components or unnecessary services. You need to install AD DS and the Global Catalog server role because they are required by Exchange Server. The Wide Area Network (WAN) link is not always available, so Exchange needs to be able to contact a local Global Catalog server.

You should not install an RODC and add the Global Catalog server role. Exchange Server requires a computer running AD DS on the network. It cannot function if only an RODC is available.

You should not enable universal group membership caching. Universal group membership caching is only recommended for offices that have fewer than 100 users. Also, Exchange needs to be able to access a Global Catalog server.

Reference:
Planning Global Catalog Server Placement
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/d59c8afc-9781-442e-8421-ee549a6966651033.mspx?mfr=true

Objective: Design support Identity and Access Management components.
Sub-objective: Design the branch office deployment.

Single answer, multiple-choice

Your network is configured as a single Active Directory domain with one site. The domain is operating at the Windows Server 2008 functional level.

You are planning to add the first domain controller at a warehouse location. The domain controller will also function as a Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) server. Users at the warehouse will log on to the existing domain.

The warehouse does not have a physically secure place to store the domain controller. It will be stored under the manager's desk. No IT personnel work at the warehouse and all administration will be performed using remote administration tools. You need to determine the most secure configuration for the server. What should you do?

A.    Install a Server Core installation of Windows Server 2008 and enable the Read-only domain controller (RODC) role.
B.    Install a Server Core installation of Windows Server 2008 and enable the Active Directory Domain Services (AD DS) role.
C.    Install a full installation of Windows Server 2008 and enable the Read-only domain controller (RODC) role.
D.    Install a full installation of Windows Server 2008 and enable the Active Directory Lightweight Directory Services (AD LDS) role.

Answer:
A

Tutorial:
You should install a Server Core installation of Windows Server 2008 and enable the RODC role. A Server Core installation does not include a graphical user interface (GUI). Therefore, the attack surface is smaller because even if a user logs on, he or she will not be able to use GUI tools to make changes. An RODC also provides better security because changes to Active Directory objects cannot be made on that server.

You should not install a Server Core installation of Windows Server 2008 and enable the AD DS role. The AD DS role is the domain services role that allows an administrator to create, modify and delete domain objects. Since there is no administrator at the location, there is no need to allow modifications to Active Directory.

You should not install a full installation of Windows Server 2008. A full installation of Windows Server 2008 has a larger attack surface because a user who logs on interactively can attempt to make modifications using GUI tools.

You should not enable the AD LDS role. The AD LDS role is used to provide a directory that is independent of Active Directory for directory-aware applications.

References:
AD DS: Read-Only Domain Controllers
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/ce82863f-9303-444f-9bb3-ecaf649bd3dd1033.mspx

Server Core Installation Option
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/78d9d3e1-5ecb-4a01-8fe1-5fcf69e26fee1033.mspx?mfr=true

Objective: Designing for business continuity and data availability.
Sub-objective: Plan for business continuity.

Single answer, multiple-choice

Your company has four locations: St. Louis, Kansas City, New York and Boston. The company uses a Microsoft Office SharePoint Services (MOSS) site to allow employees to collaborate on various projects. The Web server hosting the MOSS site is located in St. Louis.

You are designing a business continuity plan. Your plan must meet the following requirements:

* The MOSS site must be available if up to three servers fail.
* The load for the MOSS site should be distributed between all MOSS servers.
* The MOSS site must be available if a regional natural disaster occurs.

What would you recommend?

A.    Create a failover cluster with a server at each site. Use the Node and File Share Majority quorum model.
B.    Create a failover cluster with a server at each site. Use the Node Majority quorum model.
C.    Create a SharePoint farm with a server at each site. Use Hyper-V.
D.    Create a SharePoint farm with a server at each site. Use Network Load Balancing (NLB).

Answer:
D

Tutorial:
You should create a SharePoint farm with a server at each site and use Network Load Balancing (NLB). MOSS is a Web-based application. You can create a SharePoint farm that contains multiple MOSS servers and use a load-balancing mechanism, such as NLB, to balance the load between them. Doing so ensures the load is distributed between all MOSS servers. If any server fails, the load will be distributed between the remaining servers.

You should not create a failover cluster with a server at each site and use the Node and File Share Majority quorum model. A failover cluster provides automatic failover, which meets the availability requirement. However, a failover cluster does not balance the load between all servers. Only one node in a cluster can act as an active node for a specific application. The active nodes service requests. The passive nodes function as a hot standby. Quorum is used to determine whether the cluster can continue functioning. With quorum, each node and the witness (if there is one) get a vote. If a majority of votes are tallied, the cluster (or the set of nodes in a cluster if there are multiple sets) continues to operate. In a multisite configuration, you should use a file-share witness. You can locate that witness at the same location as a node, but for better protection, you should locate it at a different location.

You should not create a failover cluster with a server at each site and use the Node Majority quorum model. The Node Majority quorum model does not use a witness. Instead, it considers the cluster functional if any node is available.

You should not create a SharePoint farm with a server at each site and use Hyper-V. Hyper-V is a virtualization technology. It is not used to provide availability or load balancing for Web applications.

References:
Failover Cluster Step-by-Step Guide: Configuring the Quorum in a Failover Cluster
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/139232d7-6b02-471c-94f7-426d5fdaca711033.mspx?mfr=true

Network Load Balancing (NLB) in Windows Server 2008
Microsoft TechNet
http://edge.technet.com/Media/Network-Load-Balancing-NLB-in-Windows-Server-2008/

Introduction to Network Load Balancing
Microsoft TechNet
http://technet2.microsoft.com/windowsserver/en/library/3b98db33-e748-4a75-a0af-e445569655be1033.mspx?mfr=true

Network Load Balancing
Windows Server 2008 Technical Library
http://technet2.microsoft.com/windowsserver2008/en/library/cf7a20f6-fd77-44be-8db1-6590e3b711bb1033.mspx?mfr=true

The audience for this exam includes individuals who are responsible for designing, implementing and supporting enterprise networks, directory services and security policies. Experience with Active Directory, network services, group policies, public key infrastructure (PKI) components and virtualization will help you prepare for this exam.

 
