Exam 70-646: Windows Server 2008, Server Administrator: https://www.microsoft.com/en-us/learning/exam-70-646.aspx

Who should take this exam?

A server administrator is responsible for the operations and day-to-day management of an infrastructure of Windows Server 2008 R2 servers
for an enterprise organization. Windows server administrators manage the infrastructure, Web, and IT application servers.
The Windows server administrators use scripts and batch files written by others or those that they occasionally write themselves to
accomplish tasks on a regular basis. They conduct most server management tasks remotely by using Remote Desktop Server or administration
tools installed on their local workstation. A server administrator’s primary tasks include:

– Managing the server operating system, file, and directory services
– Software distribution and updates
– Profiling and monitoring assigned servers
– Troubleshooting
Server administrators also support engineering projects. Server administrators are responsible for server builds and configuration.
Their job role involves 60 percent operations, 20 percent engineering, and 20 percent support tasks.

QUESTION 1
Your network consists of a single Active Directory domain. The network includes a branch office named Branch1. Branch1 contains 50 member servers that run Windows Server 2008 R2. An organizational unit (OU) named Branch1Servers
contains the computer objects for the servers in Branch1. A global group named Branch1admins contains the user accounts for the administrators. Administrators maintain all member servers in Branch1. You need to recommend a solution
that allows the members of Branch1admins group to perform the following tasks on the Branch1 member servers.
– Stop and start services
– Change registry settings
What should you recommend?
A. Add the Branch1admins group to the Power Users local group on each server in Branch1.
B. Add the Branch1admins group to the Administrators local group on each server in Branch1.
C. Assign the Branch1admins group change permissions to the Branch1Servers OU and to all child objects.
D. Assign the Branch1admins group Full Control permissions on the Branch1Servers OU and to all child objects.
Correct Answer: B
Explanation
Explanation/Reference:
Local admins have these rights.
Power Users do not.
By default, members of the Power Users group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and
permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the
same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in
previous versions of Windows.

QUESTION 2
Your network consists of a single Active Directory domain. The network includes a branch office named Branch1. Branch1 contains a read-only domain controller (RODC) named Server1. A global group named Branch1admins contains the
user accounts for administrators. Administrators manage the client computers and servers in Branch1.
You need to recommend a solution for delegating control of Server1.
Your solution must meet the following requirements:
– Allow the members of the Branch1admins group to administer Server1, including changing device drivers and installing operating system updates by using Windows Update.
– Provide the Branch1admins group rights on Server1 only.
– Prevent Branch1admins group from modifying Active Directory objects.
What should you recommend?
A. Add the Branch1admins global group to the Server Operators builtin local group.
B. Add the members of the Branch1admins global group to the Administrators builtin local group of Server1.
C. Grant Full Control permission on the Server1 computer object in the domain to the Branch1admins group.
D. Move the Server1 computer object to a new organizational unit (OU) named Branch1servers. Grant Full Control permission on the Branch1servers OU to the Branch1admins group.
Correct Answer: B
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc753223%28WS.10%29.aspx
Administrator role separation
Administrator role separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a
delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator is not able to log on to any other domain controller or perform any other administrative
task in the domain. In this way, a security group that comprises branch users, rather than members of the Domain Admins group, can be delegated the ability to effectively manage the RODC in the branch office, without compromising the
security of the rest of the domain.

QUESTION 3
Your network consists of a single Active Directory forest. The forest functional level is Windows Server 2008 R2. The forest contains two domains named contoso.com and na.contoso.com.
Contoso.com contains a user named User1. Na.contoso.com contains an organizational unit (OU) named Security.
You need to give User1 administrative rights so that he can manage Group Policies for the Security OU.
You want to achieve this goal while meeting the following requirements:
– User1 must be able to create and configure Group Policies in na.contoso.com.
– User1 must be able to link Group Policies to the Security OU.
– User1 must be granted the least administrative rights necessary to achieve the goal.
What should you do?
A. Add User1 to the Administrators group for na.contoso.com.
B. Add User1 to the Group Policy Creator Owners group in contoso.com. Modify the permissions on the Security OU.
C. Run the Delegation of Control Wizard on the Security OU. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the na.contoso.com domain.
D. Run the Delegation of Control Wizard on na.contoso.com. In the Group Policy Management Console, modify the permissions of the Group Policy Objects container in the contoso.com domain.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd145442.aspx
http://technet.microsoft.com/en-us/library/dd145338.aspx
http://technet.microsoft.com/en-us/library/dd145594.aspx

QUESTION 4
Your network contains several branch offices. All servers run Windows Server 2008 R2. Each branch office contains a domain controller and a file server.
The DHCP Server server role is installed on the branch office domain controllers. Each office has a branch office administrator.
You need to delegate the administration of DHCP to meet the following requirements:
– Allow branch office administrators to manage DHCP scopes for their own office
– Prevent the branch office administrators from managing DHCP scopes in other offices
– Minimize administrative effort
What should you do?
A. In the Active Directory domain, add the branch office administrators to the Server Operators builtin local group.
B. In the Active Directory domain, add the branch office administrators to the Network Configuration Operators builtin local group.
C. In each branch office, migrate the DHCP Server server role to the file server. On each file server, add the branch office administrator to the DHCP Administrators local group.
D. In each branch office, migrate the DHCP Server server role to the file server. In the Active Directory domain, add the branch office administrators to the DHCP Administrators domain local group.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd379494%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd379483%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/dd379535%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc737716%28WS.10%29.aspx

DHCP Administrators
Members of the DHCP Administrators group can view and modify any data at the DHCP server.
DHCP Administrators can create and delete scopes, add reservations, change option values, create superscopes, or perform any other activity needed to administer the DHCP server,
including export or import of the DHCP server configuration and database. DHCP Administrators perform these tasks using the Netsh commands for DHCP or the DHCP console. For more information, see DHCP tools.
Members of the DHCP Administrators group do not have unlimited administrative rights. For example, if a DHCP server is also configured as a DNS server, a member of the DHCP
Administrators group can view and modify the DHCP configuration but cannot modify DNS server configuration on the same computer.
Because members of the DHCP Administrators group have rights on the local computer only, DHCP Administrators cannot authorize or unauthorize DHCP servers in Active Directory. Only members of the Domain Admins group can perform
this task. If you want to authorize or unauthorize a DHCP server in a child domain, you must have enterprise administrator credentials for the parent domain. For more information about authorizing DHCP servers in Active Directory, see
Authorizing DHCP servers and Authorize a DHCP server in Active Directory.
Using groups to administer DHCP servers in a domain
When you add a user or group to a DHCP Users or DHCP Administrators group on a DHCP server, the rights of the DHCP group member do not apply to all of the DHCP servers in the
domain. The rights apply only to the DHCP service on the local computer.

QUESTION 5
Your company has a single Active Directory domain. You have 30 database servers that run Windows Server 2008 R2.
The computer accounts for the database servers are stored in an organizational unit (OU) named Data. The user accounts for the database administrators are stored in an OU named Admin. The database administrators are members of a
global group named D_Admins.
You must allow the database administrators to perform administrative tasks on the database servers. You must prevent the database administrators from performing administrative tasks on other servers.
What should you do?
A. Deploy a Group Policy to the Data OU.
B. Deploy a Group Policy to the Admin OU.
C. Add D_Admins to the Domain Admins global group.
D. Add D_Admins to the Server Operators built-in local group.
Correct Answer: A
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc754948%28WS.10%29.aspx
Group Policy Planning and Deployment Guide
You can use Windows Server 2008 Group Policy to manage configurations for groups of computers and users, including options for registry-based policy settings, security settings,
software deployment, scripts, folder redirection, and preferences. Group Policy preferences, new in Windows Server 2008, are more than 20 Group Policy extensions that expand the range of configurable policy settings within a Group Policy
object (GPO). In contrast to Group Policy settings, preferences are not enforced. Users can change preferences after initial deployment. For information about Group Policy Preferences, see Group Policy Preferences Overview. Using Group
Policy, you can significantly reduce an organization’s total cost of ownership. Various factors, such as the large number of policy settings available, the interaction between multiple policies, and inheritance options, can make Group Policy
design complex. By carefully planning, designing, testing, and deploying a solution based on your organization’s business requirements, you can provide the standardized functionality, security, and management control that your organization
needs.
Overview of Group Policy
Group Policy enables Active Directory-based change and configuration management of user and computer settings on computers running Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP. In addition to using
Group Policy to define configurations for groups of users and computers, you can also use Group Policy to help manage server computers, by configuring many server-specific operational and security settings. By using a structure in which
OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object. This approach to OU design, illustrated in Figure 1,
reduces complexity and improves the speed at which Group Policy is applied. Keep in mind that GPOs linked to the higher layers of the OU structure are inherited by default, which reduces the need to duplicate GPOs or to link a GPO to
multiple containers.
When designing your Active Directory structure, the most important considerations are ease of administration and delegation.

QUESTION 6
Your network consists of a single Active Directory forest that contains a root domain and two child domains.
All servers run Windows Server 2008 R2. A corporate policy has the following requirements:
– All local guest accounts must be renamed and disabled.
– All local administrator accounts must be renamed.
You need to recommend a solution that meets the requirements of the corporate policy.
What should you recommend?
A. Implement a Group Policy object (GPO) for each domain.
B. Implement a Group Policy object (GPO) for the root domain.
C. Deploy Network Policy and Access Services (NPAS) on all domain controllers in each domain.
D. Deploy Active Directory Rights Management Services (AD RMS) on the root domain controllers.
Correct Answer: A
Explanation
Explanation/Reference:
http://www.windowsecurity.com/articles/protecting-administrator-account.html
http://www.pctips3000.com/enable-or-disable-group-policy-object-in-windows-server-2008/
http://blogs.technet.com/b/chenley/archive/2006/07/13/441642.aspx

QUESTION 7
Your network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008 R2.
All domain controllers run Windows Server 2008 R2. A corporate policy requires that the users from the research department have higher levels of account and password security than other users in the domain.
You need to recommend a solution that meets the requirements of the corporate policy. Your solution must minimize hardware and software costs.
What should you recommend?
A. Create a new Active Directory site. Deploy a Group Policy object (GPO) to the site.
B. Create a new Password Settings Object (PSO) for the research department’s users.
C. Create a new organizational unit (OU) named Research in the existing domain. Deploy a Group Policy object (GPO) to the Research OU.
D. Create a new domain in the forest. Add the research department’s user accounts to the new domain. Configure a new security policy in the new domain.
Correct Answer: B
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx

QUESTION 8
Your network consists of a single Active Directory domain. The functional level of the domain is Windows Server 2008 R2. All servers run Windows Server 2008 R2. A corporate security policy requires complex passwords for user accounts
that have administrator privileges.
You need to design a strategy that meets the following requirements:
– Ensures that administrators use complex passwords
– Minimizes the number of servers required to support the solution
What should you include in your design?
A. Implement Network Access Protection (NAP).
B. Implement Active Directory Rights Management Services (AD RMS).
C. Create a new Password Settings Object (PSO) for administrator accounts.
D. Create a new child domain in the forest. Move all nonadministrator accounts to the new domain. Configure a complex password policy in the root domain.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx

QUESTION 9
Your network consists of a single Active Directory domain. The domain contains three organizational units (OUs) named Test, Application, and Database.
You need to redesign the layout of the OUs to support the following requirements:
– Prevent Group Policy objects (GPOs) that are linked to the domain from applying to computers located in the Application OU
– Minimize the number of GPOs
– Minimize the number of OUs
What should you include in your design?
A. Create a Starter GPO.
B. Create a Windows Management Instrumentation (WMI) filter.
C. Delegate permissions on the Application OU.
D. Configure block inheritance on the Application OU.
Correct Answer: D
Explanation
Explanation/Reference:
Understanding Group Policy
You already know that Group Policy settings contained in Group Policy objects (GPOs) can be linked to OUs, and that OUs can either inherit settings from parent OUs or block inheritance and obtain their specific settings from their own linked
GPOs. You also know that some policies–specifically, security policies–can be set to “no override” so that they cannot be blocked or overwritten and force child OUs to inherit the settings from their parents.

QUESTION 10
Your network consists of a single Active Directory domain. The relevant portion of the Active Directory domain is configured as shown in the following diagram.

The Staff organizational unit (OU) contains all user accounts except for the managers’ user accounts.
The Managers OU contains the managers’ user accounts and the following global groups:
– Sales
– Finance
– Engineering
You create a new Group Policy object (GPO) named GPO1, and then link it to the Employees OU.
Users from the Engineering global group report that they are unable to access the Run command on the Start menu. You discover that the GPO1 settings are causing the issue.
You need to ensure that the users from the Engineering global group are able to access the Run command on the Start menu.
What should you do?
A. Configure GPO1 to use the Enforce Policy option.
B. Configure Block Inheritance on the Managers OU.
C. Configure Group Policy filtering on GPO1 for the Engineering global group.
D. Create a new child OU named Engineering under the Employees OU. Move the Engineering global group to the new Engineering child OU.
Correct Answer: C
Explanation
Explanation/Reference:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration
No administrator likes exceptions, but we are required to implement them. Typically you might have configured security filtering, Windows Management Instrumentation (WMI) filters, block inheritance settings, no-override settings, loopback
processing, and slow-link settings. You need to check that these settings are not affecting normal GPO processing.

QUESTION 11
Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. You need to recommend a Group Policy deployment strategy.
Your strategy must support the following requirements:
– Domain-level Group Policy objects (GPOs) must not be overwritten by organizational unit (OU) level GPOs.
– OU-level GPOs must not apply to members of the Server Operators group.
What should you recommend?
A. Enable Block Inheritance for the domain, and then modify the permissions of all GPOs linked to OUs.
B. Enable Block Inheritance for the domain, and then enable Loopback Processing policy mode. Add the Server Operators group to the Restricted Groups list.
C. Set all domain level GPOs to Enforced, and then modify the permissions of the GPOs that are linked to OUs.
D. Set all domain level GPOs to Enforced, and then enable Loopback Processing policy mode. Add the Server Operators group to the Restricted Groups list.
Correct Answer: C
Explanation
Explanation/Reference:
http://www.petri.co.il/working_with_group_policy.htm
http://technet.microsoft.com/en-us/library/bb742376.aspx

Linking a GPO to Multiple Sites, Domains, and OUs
This section demonstrates how you can link a GPO to more than one container (site, domain, or OU) in the Active Directory. Depending on the exact OU configuration, you can use other methods to achieve similar Group Policy effects; for
example, you can use security group filtering or you can block inheritance. In some cases, however, those methods do not have the desired effects. Whenever you need to explicitly state which sites, domains, or OUs need the same set of
policies, use the method outlined below:
To link a GPO to multiple sites, domains, and OUs
1. Open the saved MMC console GPWalkthrough, and then double-click the Active Directory Users and Computers node.
2. Double-click the reskit.com domain, and double-click the Accounts OU.
3. Right-click the Headquarters OU, select Properties from the context menu, and then click the Group Policy tab.
4. In the Headquarters Properties dialog box, on the Group Policy tab, click New to create a new GPO named Linked Policies.
5. Select the Linked Policies GPO, and click the Edit button.
6. In the Group Policy snap-in, in the User Configuration node, under Administrative Templates node, click Control Panel, and then click Display.
7. On the details pane, click the Disable Changing Wallpaper policy, and then click Enabled in the Disable Changing Wallpaper dialog box and click OK.
8. Click Close to exit the Group Policy snap-in.
9. In the Headquarters Properties page, click Close.
Next you will link the Linked Policies GPO to another OU.
1. In the GPWalkthrough console, double-click the Active Directory Users and Computers node, double-click the reskit.com domain, and then double-click the Accounts OU.
2. Right-click the Production OU, click Properties on the context menu, and then click the Group Policy tab on the Production Properties dialog box.
3. Click the Add button, or right-click the blank area of the Group Policy objects links list, and select Add on the context menu.
4. In the Add a Group Policy Object Link dialog box, click the down arrow on the Look in box, and select the Accounts.reskit.com OU.
5. Double-click the Headquarters.Accounts.reskit.com OU from the Domains, OUs, and linked Group Policy objects list.
6. Click the Linked Policies GPO, and then click OK.
You have now linked a single GPO to two OUs. Changes made to the GPO in either location result in a change for both OUs. You can test this by changing some policies in the Linked Policies GPO, and then logging onto a client in each of
the affected OUs, Headquarters and Production.

QUESTION 12
Your network consists of three Active Directory forests. Forest trust relationships exist between all forests. Each forest contains one domain. All domain controllers run Windows Server 2008 R2.
Your company has three network administrators. Each network administrator manages a forest and the Group Policy objects (GPOs) within that forest.
You need to create standard GPOs that the network administrators in each forest will use. The GPOs must meet the following requirements:
– The GPOs must only contain settings for either user configurations or computer configurations.
– The number of GPOs must be minimized.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Export the new GPOs to .cab files. Ensure that the .cab files are available to the network administrator in each forest.
B. Create two new GPOs. Configure both GPOs to use the required user configurations and the required computer configurations.
C. Create two new GPOs. Configure one GPO to use the required user configuration. Configure the other GPO to use the required computer configuration.
D. Back up the Sysvol folder that is located on the domain controller where the new GPOs were created. Provide the backup to the network administrator in each forest.
Correct Answer: AC
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/ee390958.aspx
http://www.petri.co.il/working_with_group_policy.htm
Export a GPO to a File
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2
You can export a controlled Group Policy object (GPO) to a CAB file so that you can copy it to a domain in another forest and import the GPO into Advanced Group Policy Management (AGPM) in that domain. For information about how to
import GPO settings into a new or existing GPO, see Import a GPO from a File.
A user account with the Editor or AGPM Administrator (Full Control) role or necessary permissions in Advanced Group Policy Management (AGPM) is required to complete this procedure. Review the details in “Additional considerations” in
this topic.
To export a GPO to a file
1. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.
2. On the Contents tab, click the Controlled tab to display the controlled GPOs.
3. Right-click the GPO, and then click Export to.
4. Enter a file name for the file to which you want to export the GPO, and then click Export. If the file does not exist, it is created. If it already exists, it is replaced.
Additional considerations
– By default, you must be an Editor or an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have List Contents, Read Settings, and Export GPO permissions for the GPO.
Group Policy sections
Each GPO is built from 2 sections:
– Computer configuration contains the settings that configure the computer prior to the user logon combo-box.
– User configuration contains the settings that configure the user after the logon. You cannot choose to apply the setting on a single user; all users, including administrator, are affected by the settings.

QUESTION 13
Your company has a branch office that contains a Windows Server 2008 R2 computer. The Windows Server 2008 R2 computer runs Windows Server Update Services (WSUS). The WSUS server is configured to store updates locally.
The company opens four new satellite offices. Each satellite office connects to the branch office by using a dedicated WAN link. Internet access is provided through the branch office.
You need to design a strategy for patch management that meets the following requirements:
– WSUS updates are approved independently for each satellite office.
– Internet traffic is minimized.
What should you include in your design?
A. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as an autonomous server.
B. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as a replica of the branch office WSUS server.
C. In each satellite office, install a WSUS server. Configure each satellite office WSUS server to use the branch office WSUS server as an upstream server.
D. For each satellite office, create organizational units (OUs). Create and link the Group Policy objects (GPOs) to the OUs. Configure different schedules to download updates from the branch office WSUS server to the client computers in
each satellite office.
Correct Answer: C
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/hh852344.aspx
In addition, a Windows Server 2008 server running WSUS server can act as an upstream server–an update source for other WSUS servers within your organization. At least one WSUS
server in your network must connect to the Microsoft Update Web site to get available update information. How many other servers connect directly to Microsoft Update is something you need to determine as part of your planning process,
and depends upon network configuration and security requirements.

In this deployment model, the WSUS server that receives updates from the Microsoft Update server is designated as the upstream server. A WSUS server that retrieves updates from another WSUS server is designated as a downstream
server.
Autonomous mode: The Autonomous mode, also called distributed administration, is the default installation option for WSUS. In Autonomous mode, an upstream WSUS server shares updates with downstream servers during synchronization.
Downstream WSUS servers are administered separately, and they do not receive update approval status or computer group information from the upstream server. By using the distributed management model, each WSUS server administrator
selects update languages, creates computer groups, assigns computers to groups, tests and approves updates, and makes sure that the correct updates are installed to the appropriate computer groups. The following image shows how you
might deploy autonomous WSUS servers in a branch office environment:

Replica mode: The Replica mode, also called centralized administration, works by having an upstream WSUS server that shares updates, approval status, and computer groups with
downstream servers. Replica servers inherit update approvals and are not administered separately from the upstream WSUS server. The following image shows how you might deploy
replica WSUS servers in a branch office environment.

Branch Office
You can leverage the Branch Office feature in Windows to optimize WSUS deployment. This type of deployment offers the following advantages:
Helps reduce WAN link utilization and improves application responsiveness. To enable BranchCache acceleration of content that is served by the WSUS server, install the BranchCache feature on the server and the clients, and ensure that
the BranchCache service has started. No other steps are necessary.
In branch offices that have low-bandwidth connections to the central office but high-bandwidth connections to the Internet, the Branch Office feature can also be used. In this case you may want to configure downstream WSUS servers to get
information about which updates to install from the central WSUS server, but download the updates from Microsoft Update.

QUESTION 14
Your network contains several Windows Server 2008 R2 servers that run Windows Server Update Services (WSUS). The WSUS servers distribute updates to all computers on the internal network. Remote users connect from their personal
computers to the internal network by using a split-tunnel VPN connection.
You need to plan a strategy for patch management that deploys updates on the remote users’ computers.
Your strategy must meet the following requirements:
– Minimize bandwidth use over the VPN connections
– Require updates to be approved on the WSUS servers before they are installed on the client computers.
What should you include in your plan?
A. Create a Group Policy object (GPO) to perform client-side targeting.
B. Create a computer group for the remote users’ computers. Configure the remote users’ computers to use the internal WSUS server.
C. Create a custom connection by using the Connection Manager Administration Kit (CMAK). Deploy the custom connection to all of the remote users’ computers.
D. Deploy an additional WSUS server. Configure the remote users’ computers to use the additional WSUS server. Configure the additional WSUS server to leave the updates on the Microsoft Update Web site.
Correct Answer: D
Explanation
Explanation/Reference:
Performance and Bandwidth Optimization
Branch offices with slow WAN connections to the central server but broadband connections to the Internet can be configured to get metadata from the central server and update content from the Microsoft Update Web site.

QUESTION 15
Your company has a branch office that contains a Windows Server 2008 R2 server. The server runs Windows Server Update Services (WSUS).
The company opens four new satellite offices. Each satellite office connects to the branch office by using a dedicated WAN link.
You need to design a strategy for patch management that meets the following requirements:
– WSUS updates are approved from a central location.
– WAN traffic is minimized between the branch office and the satellite offices.
What should you include in your design?
A. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as a replica of the branch office WSUS server.
B. In each satellite office, install a WSUS server. Configure each satellite office WSUS server as an autonomous server that synchronizes to the branch office WSUS server.
C. On the branch office WSUS server, create a computer group for each satellite office. Add the client computers in each satellite office to their respective computer groups.
D. For each satellite office, create an organizational unit (OU). Create and link a Group Policy object (GPO) to each OU. Configure different schedules to download updates from the branch office WSUS server to the client computers in each
satellite office.
Correct Answer: A
Explanation
Explanation/Reference:
Replica Mode and Autonomous Mode
You have two options when configuring the administration model for your organization’s downstream WSUS servers. The first option, shown in Figure 8-5, is to configure the downstream WSUS server as a replica of the upstream server.
When you configure a WSUS server as a replica, all approvals, settings, computers, and groups from the upstream server are used on the downstream server. The downstream server cannot be used to approve updates when configured in
replica mode, though you can change a replica server to the second mode–called autonomous mode–if an update urgently needs to be deployed.

Figure 8-5 Downstream replica server

QUESTION 16
You need to design a Windows Server Update Services (WSUS) infrastructure that meets the following requirements:
– The updates must be distributed from a central location.
– All computers must continue to receive updates in the event that a server fails.
What should you include in your design?
A. Configure two WSUS servers in a Microsoft SQL Server 2008 failover cluster. Configure each
WSUS server to use a local database.
B. Configure a single WSUS server to use multiple downstream servers. Configure each WSUS
server to use a RAID 1 mirror and a local database.
C. Configure a single WSUS server to use multiple downstream servers. Configure each WSUS
server to use a RAID 5 array and a local database.
D. Configure a Microsoft SQL Server 2008 failover cluster. Configure two WSUS servers in a
Network Load Balancing cluster. Configure WSUS to use the remote SQL Server 2008 database
instance.
Correct Answer: D
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd939812(v=WS.10).aspx
WSUS database
WSUS 3.0 SP2 requires a database for each WSUS server. WSUS supports the use of a database that resides on a different computer than the WSUS server, with some restrictions. For a list of supported databases and remote database
limitations, see WSUS database requirements.
The WSUS database stores the following information:
WSUS server configuration information
Metadata that describes each update
Information about client computers, updates, and interactions
If you install multiple WSUS servers, you must maintain a separate database for each WSUS server, whether it is an autonomous or a replica server. (For more information about WSUS server types, see Design the WSUS Server Layout.)
You cannot store multiple WSUS databases on a single instance of SQL Server, except in Network Load Balancing (NLB) clusters that use SQL Server failover. For more about this configuration, see Configure WSUS for Network Load
Balancing.
SQL Server, SQL Server Express, and Windows Internal Database provide the same performance characteristics for a single server configuration, where the database and the WSUS service are located on the same computer. A single server
configuration can support several thousand WSUS client computers.
Windows Server 2008 Enterprise Edition
Windows Server 2008 Enterprise Edition is the version of the operating system targeted at large businesses.
Plan to deploy this version of Windows 2008 on servers that will run applications such as SQL Server 2008 Enterprise Edition and Exchange Server 2007. These products require the extra processing power and RAM that Enterprise Edition
supports. When planning deployments, consider Windows Server 2008 Enterprise Edition in situations that require the following technologies unavailable in Windows Server 2008 Standard Edition:
Failover Clustering: Failover clustering is a technology that allows another server to continue to service client requests in the event that the original server fails. Clustering is covered in more detail in Chapter 11, “Clustering and High
Availability.” You deploy failover clustering on mission-critical servers to ensure that important resources are available even if a server hosting those resources fails.

QUESTION 17
Your network consists of a single Active Directory forest. The sales department in your company has 600 Windows Server 2008 R2 servers.
You need to recommend a solution to monitor the performance of the 600 servers.
Your solution must meet the following requirements:
– Generate alerts when the average processor usage is higher than 90 percent for 20 minutes.
– Automatically adjust the processor monitoring threshold to allow for temporary changes in the workload.
What should you recommend?
A. Install Windows System Resource Manager (WSRM) on each server.
B. Deploy Microsoft System Center Operations Manager (OpsMgr).
C. Deploy Microsoft System Center Configuration Manager (SysMgr).
D. Configure Reliability and Performance Monitor on each server.
Correct Answer: B
Explanation
Explanation/Reference:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Microsoft System Center Operations Manager 2007
When planning the centralized monitoring and management of large numbers of Windows Server 2008 computers, you should consider implementing Microsoft System Center Operations Manager 2007. System Center Operations Manager
2007 was touched on briefly during Chapter 4, “Application Servers and Services.” Microsoft System Center Operations Manager 2007 allows you to centrally manage and monitor thousands of servers and applications and provides a
complete overview of the health of your network environment. System Center Operations Manager 2007 is the most recent version of Microsoft Operations Manager 2005 (MOM). System Center Operations Manager 2007 provides the
following features:
Proactive alerts that recognize conditions that are likely to lead to failure of critical services, applications, and servers in the future.
The ability to configure tasks to automatically execute to resolve problems when given events occur.
The collection of long-term trend data from all servers and applications across the organization with the ability to generate comparison reports against current performance.
Correlation of auditing data generated across the organization, allowing the detection of trends that might not be apparent when examining server auditing data in isolation.

QUESTION 18
Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. A server named Server1 has the Remote Desktop Services server role installed.
You notice that several users consume more than 30 percent of the CPU resources throughout the day. You need to prevent users from consuming more than 15 percent of the CPU resources. Administrators must not be limited by the
amount of CPU resources that they can consume.
What should you do?
A. Implement Windows System Resource Manager (WSRM), and configure user policies.
B. Implement Windows System Resource Manager (WSRM), and configure session policies.
C. Configure Performance Monitor, and create a user-defined Data Collector Set.
D. Configure Performance Monitor, and create an Event Trace Session Data Collector Set.
Correct Answer: A
Explanation
Explanation/Reference:
You can use tools such as the Windows System Resource Manager and Performance Monitor to determine memory and processor usage of Terminal Services clients. Once you understand how the Terminal Server’s resources are used, you
can determine the necessary hardware resources and make a good estimate as to the Terminal Server’s overall client capacity. Terminal Server capacity directly influences your deployment plans: A server that has a capacity of 100 clients is
not going to perform well when more than 250 clients attempt to connect. Monitoring tools are covered in more detail in “Monitoring Terminal Services” later in this lesson.

Windows System Resource Manager
Windows System Resource Manager (WSRM) is a feature that you can install on a Windows Server 2008 computer that controls how resources are allocated. The WSRM console, shown in Figure 5-9, allows an administrator to apply WSRM
policies. WSRM includes four default policies and also allows administrators to create their own. The two policies that will most interest you as someone responsible for planning and deploying Terminal Services infrastructure are
Equal_Per_User and Equal_Per_Session.
The Equal_Per_User WSRM policy ensures that each user is allocated resources equally, even when one user has more sessions connected to the Terminal Server than other users. Apply this policy when you allow users to have multiple
sessions to the Terminal Server–it stops any one user from monopolizing hardware resources by opening multiple sessions. The Equal_Per_Session policy ensures that each session is allocated resources equally. If applied on a Terminal
Server where users are allowed to connect with multiple sessions, this policy can allow those users to gain access to a disproportionate amount of system resources in comparison to users with single sessions.

QUESTION 19
Your network contains a standalone root certification authority (CA). You have a server named Server1 that runs Windows Server 2008 R2. You issue a server certificate to Server1.
You deploy Secure Socket Tunneling Protocol (SSTP) on Server1.
You need to recommend a solution that allows external partner computers to access internal network resources by using SSTP.
What should you recommend?
A. Enable Network Access Protection (NAP) on the network.
B. Deploy the Root CA certificate to the external computers.
C. Implement the Remote Desktop Connection Broker role service.
D. Configure the firewall to allow inbound traffic on TCP Port 1723.
Correct Answer: B
Explanation
Explanation/Reference:
Lesson 1: Configuring Active Directory Certificate Services
Certificate Authorities are becoming as integral to an organization’s network infrastructure as domain controllers, DNS, and DHCP servers. You should spend at least as much time planning the deployment of Certificate Services in your
organization’s Active Directory environment as you spend planning the deployment of these other infrastructure servers. In this lesson, you will learn how certificate templates impact the issuance of digital certificates, how to configure
certificates to be automatically assigned to users, and how to configure supporting technologies such as Online Responders and credential roaming. Learning how to use these technologies will smooth the integration of certificates into your
organization’s Windows Server 2008 environment.
After this lesson, you will be able to:
Install and manage Active Directory Certificate Services.
Configure autoenrollment for certificates.
Configure credential roaming.
Configure an Online Responder for Certificate Services.
Estimated lesson time: 40 minutes
Types of Certificate Authority
When planning the deployment of Certificate Services in your network environment, you must decide which type of Certificate Authority best meets your organizational requirements. There are four types of Certificate Authority (CA):
Enterprise Root
Enterprise Subordinate
Standalone Root
Standalone Subordinate
The type of CA you deploy depends on how certificates will be used in your environment and the state of the existing environment. You have to choose between an Enterprise or a Standalone CA during the installation of the Certificate
Services role, as shown in Figure 10-1. You cannot switch between any of the CA types after the CA has been deployed.

Figure 10-1 Selecting an Enterprise or Standalone CA
Enterprise CAs require access to Active Directory. This type of CA uses Group Policy to propagate the certificate trust lists to users and computers throughout the domain and publish certificate revocation lists to Active Directory. Enterprise
CAs issue certificates from certificate templates, which allow the following functionality:
Enterprise CAs enforce credential checks on users during the certificate enrollment process. Each certificate template has a set of security permissions that determine whether a particular user is authorized to receive certificates generated
from that template.
Certificate names are automatically generated from information stored within Active Directory.
The method by which this is done is determined by certificate template configuration.
Autoenrollment can be used to issue certificates from Enterprise CAs, vastly simplifying the certificate distribution process. Autoenrollment is configured through applying certificate template permissions.
In essence, Enterprise CAs are fully integrated into a Windows Server 2008 environment. This type of CA makes the issuing and management of certificates for Active Directory clients as simple as possible.
Standalone CAs do not require Active Directory. When certificate requests are submitted to Standalone CAs, the requestor must provide all relevant identifying information and manually specify the type of certificate needed. This process
occurs automatically with an Enterprise CA. By default, Standalone CA requests require administrator approval.
Administrator intervention is necessary because there is no automated method of verifying a requestor’s credentials. Standalone CAs do not use certificate templates, limiting the ability for administrators to customize certificates for specific
organizational needs.
You can deploy Standalone CAs on computers that are members of the domain. When installed by a user that is a member of the Domain Admins group, or one who has been delegated similar rights, the Standalone CA’s information will be
added to the Trusted Root Certificate Authorities certificate store for all users and computers in the domain. The CA will also be able to publish its certificate revocation list to Active Directory.
Whether you install a Root or Subordinate CA depends on whether there is an existing certificate infrastructure.
Root CAs are the most trusted type of CA in an organization’s public key infrastructure (PKI) hierarchy. Root CAs sit at the top of the hierarchy as the ultimate point of trust and hence must be as secure as possible. In many environments, a
Root CA is only used to issue signing certificates to Subordinate CAs. When not used for this purpose, Root CAs are kept offline in secure environments as a method of reducing the chance that they might be compromised. If a Root CA is
compromised, all certificates within an organization’s PKI infrastructure should be considered compromised. Digital certificates are ultimately statements of trust. If you cannot trust the ultimate authority from which that trust is derived, it follows
that you should not trust any of the certificates downstream from that ultimate authority.
Subordinate CAs are the network infrastructure servers that you should deploy to issue the everyday certificates needed by computers, users, and services. An organization can have many Subordinate CAs, each of which is issued a signing
certificate by the Root CA. In the event that one Subordinate CA is compromised, trust of that CA can be revoked from the Root CA. Only the certificates that were issued by that CA will be considered untrustworthy. You can replace the
compromised Subordinate CA without having to replace the entire organization’s certificate infrastructure. Subordinate CAs can be replaced, but a compromised Enterprise Root CA usually means you have to redeploy the Active Directory
forest from scratch. If a Standalone Root CA is compromised, it also necessitates the replacement of an organization’s PKI infrastructure.

QUESTION 20
Your network consists of a single Active Directory domain. All domain controllers run Windows Server 2008 R2.
You need to plan an auditing strategy that meets the following requirements:
– Audits all changes to Active Directory Domain Services (AD DS)
– Stores all auditing data in a central location
What should you include in your plan?
A. Configure an audit policy for the domain. Configure Event Forwarding.
B. Configure an audit policy for the domain controllers. Configure Data Collector Sets.
C. Implement Windows Server Resource Manager (WSRM) in managing mode.
D. Implement Windows Server Resource Manager (WSRM) in accounting mode.
Correct Answer: A
Explanation
Explanation/Reference:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
The configuration of a subscription filter is more like the configuration of a custom view in that you are able to specify multiple event log sources, rather than just a single Event Log source. In addition, the subscription will be saved whereas
you need to re-create a filter each time you use one. By default, all collected Event Log data will be written to the Forwarded Events event log. You can forward data to other logs by configuring the properties of the subscription. Even though
you use a filter to retrieve only specific events from source computers and place them in the destination log, you can still create and apply a custom view to data that is located in the destination log. You could create a custom view for each
source computer, which would allow you to quickly limit events to that computer rather than viewing data from all source computers at the same time.
You configure collector initiated subscriptions through the application of Group Policy. To do this you must configure the collector computer in the same manner as you did in the previous steps.
When configuring the subscription type, select Source Computer Initiated rather than Collector Initiated. To set up the source computers, apply a GPO where you have configured the Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding node and configure the Server Address, Refresh Interval, And Issuer Certificate policy with the details of the collector computer, as shown in Figure 7-10.
Auditing enhancements: You can use the new Directory Service Changes audit policy subcategory when auditing Windows Server 2008 AD DS. This lets you log old and new values when changes are made to AD DS objects and their
attributes. You can also use this new feature when auditing Active Directory Lightweight Directory Services (AD LDS).
Planning AD DS Auditing
In Windows Server 2008, the global audit policy Audit Directory Service Access is enabled by default. This policy controls whether auditing for directory service events is enabled or disabled. If you configure this policy setting by modifying the
Default Domain Controllers Policy, you can specify whether to audit successes, audit failures, or not audit at all. You can control what operations to audit by modifying the System Access Control List (SACL) on an object. You can set a SACL
on an AD DS object on the Security tab in that object’s Properties dialog box.
As an administrator, one of your tasks is to configure audit policy. Enabling success or failure auditing is a straightforward procedure. Deciding which objects to audit; whether to audit success, failure or both; and whether to record new and old
values if changes are made is much more difficult. Auditing everything is never an option–too much information is as bad as too little. You need to be selective. In Windows 2000 Server and Windows Server 2003, you could specify only
whether DS access was audited. Windows Server 2008 gives you more granular control. You can audit the following:
DS access
DS changes (old and new values)
DS replication
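
The Directory Service Changes subcategory described above writes each attribute change as event 5136, with the removed value and the added value in separate records that share an OpCorrelationID. The PowerShell below is an added example, not part of the original training material: it pairs those records into one old/new line per change. The sample events, the names in them (dc01.example.com, admin1, the DNs) and the function names are constructed for illustration.

```powershell
# Added example (not from the original text). PowerShell 2.0 compatible.
# Enabling the subcategory on a domain controller (elevated prompt):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# An object is only logged if its SACL audits the write (see the text above).
# On the collector, live input would be the forwarded events as XML:
#   Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=5136} |
#       ForEach-Object { $_.ToXml() }

$ValueAdded   = '%%14674'   # OperationType code for "Value Added"
$ValueDeleted = '%%14675'   # OperationType code for "Value Deleted"

# Builds one constructed 5136 event containing only the fields used below.
function New-SampleEvent5136 {
    param($Computer, $User, $OpId, $ObjectDN, $Attribute, $Value, $Operation)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="OpCorrelationID">$OpId</Data>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="ObjectDN">$ObjectDN</Data>
    <Data Name="AttributeLDAPDisplayName">$Attribute</Data>
    <Data Name="AttributeValue">$Value</Data>
    <Data Name="OperationType">$Operation</Data>
  </EventData>
</Event>
"@
}

# Flattens one event's XML into an object with the fields we correlate on.
function ConvertFrom-Event5136 {
    param([string]$Xml)
    $doc = [xml]$Xml
    $f = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $f[$d.GetAttribute('Name')] = $d.InnerText
    }
    New-Object PSObject -Property @{
        Computer  = $doc.Event.System.Computer
        User      = $f['SubjectUserName']
        OpId      = $f['OpCorrelationID']
        ObjectDN  = $f['ObjectDN']
        Attribute = $f['AttributeLDAPDisplayName']
        Value     = $f['AttributeValue']
        Operation = $f['OperationType']
    }
}

# Groups the records that belong to one write and reports old -> new value.
function Get-DirectoryChange {
    param([string[]]$EventXml)
    $EventXml | ForEach-Object { ConvertFrom-Event5136 $_ } |
        Group-Object OpId, ObjectDN, Attribute | ForEach-Object {
            $records = $_.Group
            $old = @($records | Where-Object { $_.Operation -eq $ValueDeleted } |
                     ForEach-Object { $_.Value })
            $new = @($records | Where-Object { $_.Operation -eq $ValueAdded } |
                     ForEach-Object { $_.Value })
            # A missing side means the attribute was newly set or was cleared.
            $oldText = '(none)'
            if ($old.Count -gt 0) { $oldText = $old -join '; ' }
            $newText = '(none)'
            if ($new.Count -gt 0) { $newText = $new -join '; ' }
            New-Object PSObject -Property @{
                Computer  = $records[0].Computer
                User      = $records[0].User
                ObjectDN  = $records[0].ObjectDN
                Attribute = $records[0].Attribute
                OldValue  = $oldText
                NewValue  = $newText
            }
        } | Select-Object Computer, User, ObjectDN, Attribute, OldValue, NewValue
}

# Constructed sample data: one modified attribute and one group membership add.
$op1   = '{11111111-1111-1111-1111-111111111111}'
$op2   = '{22222222-2222-2222-2222-222222222222}'
$user  = 'CN=Jane Doe,OU=Sales,DC=example,DC=com'
$group = 'CN=Helpdesk,OU=Groups,DC=example,DC=com'
$sample = @(
    # A modify produces a "Value Deleted" record and a "Value Added" record.
    New-SampleEvent5136 'dc01.example.com' 'admin1' $op1 $user 'description' 'Contractor' $ValueDeleted
    New-SampleEvent5136 'dc01.example.com' 'admin1' $op1 $user 'description' 'Employee' $ValueAdded
    # Adding a group member produces only a "Value Added" record.
    New-SampleEvent5136 'dc02.example.com' 'admin1' $op2 $group 'member' $user $ValueAdded
)

Get-DirectoryChange $sample | Format-List
```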

QUESTION 21
Your network contains a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are 1,000 client computers that run Windows 7 and that are connected to managed switches. You need to recommend a
strategy for network access that meets the following requirements:
– Users are unable to bypass network access restrictions.
– Only client computers that have up-to-date service packs installed can access the network.
– Only client computers that have up-to-date antimalware software installed can access the network.
What should you recommend?
A. Implement Network Access Protection (NAP) that uses DHCP enforcement.
B. Implement Network Access Protection (NAP) that uses 802.1x enforcement.
C. Implement a Network Policy Server (NPS), and enable IPsec on the domain controllers.
D. Implement a Network Policy Server (NPS), and enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed switches.
Correct Answer: B
Explanation
Explanation/Reference:
MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:
Integration with network access protection (NAP): System Center Configuration Manager 2007 lets your organization enforce compliance of software updates on client computers. This helps protect the integrity of the corporate network through
integration with the Microsoft Windows Server 2008 NAP policy enforcement platform. NAP policies enable you to define which software updates to include in your system health requirements. If a client computer attempts to access your
network, NAP and System Center Configuration Manager 2007 work together to determine the client’s health state compliance and determine whether the client is granted full or restricted network access. If the client is noncompliant, System
Center Configuration Manager 2007 can deliver the necessary software updates so that the client can meet system health requirements and be granted full network access.
Restrict network access: System Center Configuration Manager 2007 NAP enables you to include software updates in your system health requirements. NAP policies define which software updates need to be included, and the System Center
Configuration Manager 2007 System Health Validator point passes the client’s compliant or noncompliant health state to the Network Policy Server, which determines whether to grant the client full or restricted network access. Noncompliant
clients can be automatically brought into compliance through remediation. This requires the System Center Configuration Manager 2007 software updates feature to be configured and operational.
NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAP enforces limited network access. This is done through an Enforcement Client (EC). Windows Vista,
Windows XP Service Pack 3, and Windows Server 2008 include NAP EC support for IPsec, IEEE 802.1X, Remote Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also support NAP enforcement for
Terminal Server Gateway connections. NAP enforcement methods can either be used individually or can be used in conjunction with each other to limit the network access of computers that are found not to be in compliance with configured
health policies. Hence you can apply the remote access VPN and IPsec enforcement methods to ensure that internal clients and clients coming in from the Internet are only granted access to resources if they meet the appropriate client health
benchmarks.
802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 Wireless Access Points.
These compliant switches and access points only grant unlimited network access to computers that meet the compliance requirement. Computers that do not meet the compliance requirement are limited in their communication by a restricted
access profile. Restricted access profiles work by applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that have the restricted access profile are allowed only limited network communication. This
limited network communication generally allows access to remediation servers. You will learn more about remediation servers later in this lesson.
An advantage of 802.1X enforcement is that the health status of clients is constantly assessed. Connected clients that become noncompliant will automatically be placed under the restricted access profile. Clients under the restricted access
profile that become compliant will have that profile removed and will be able to communicate with other hosts on the network in an unrestricted manner. For example, suppose that a new antivirus update comes out. Clients that have not
installed the update are put under a restricted access profile until the new update is installed. Once the new update is installed, the clients are returned to full network access. A Windows Server 2008 computer with the Network Policy Server
role is necessary to support 802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware that is 802.1X-compliant.
Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service Pack 3 because these operating systems include the EAPHost EC.
MORE INFO: 802.1X enforcement step-by-step. For more detailed information on implementing 802.1X NAP enforcement, consult the following Step-by-Step guide on TechNet: http://go.microsoft.com/fwlink/?LinkId=86036.

QUESTION 22
You need to plan for the installation of critical updates to only shared client computers.
What should you recommend?
A. Configure all WSUS servers as upstream servers.
B. Create an Automatic Approval rule that applies to the GDI_Students group.
C. Create an Automatic Approval rule that applies to the LabComputers group.
D. Configure the shared client computers to synchronize hourly from Microsoft Update.
Correct Answer: C
Explanation

QUESTION 23
You are planning the deployment of Windows Server 2008 R2 to CHDATA03 and CHDATA04.
You have the following requirements:
– Do not impact settings for CHDATA01 and CHDATA02.
– Apply Windows Server 2008 R2-specific settings to CHDATA03 and CHDATA04 after migration.
– Ensure that the ServerSettings GPO does not apply to CHDATA03 and CHDATA04 after migration.
You need to plan a strategy that meets the requirements.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Create a GPO named MigratedServers that contains the Windows Server 2008 R2 settings. Create a WMI filter that targets Windows Server 2003 and link it to the MigratedServers GPO.
B. Block inheritance on the CH_FileServers OU.
C. Create a WMI filter that targets Windows Server 2003 and link it to the ServerSettings GPO.
D. Enable loopback processing on the MigratedServers GPO.
E. Link the MigratedServers GPO to the CH_FileServers OU.
F. Create a GPO named MigratedServers that contains the Windows Server 2008 R2 settings. Create a WMI filter that targets Windows Server 2008 R2 and link it to the MigratedServers GPO.
Correct Answer: EF
Explanation
Explanation/Reference:
A WMI filter enables you to specify criteria that must be matched before the linked GPO is applied to a computer. By letting you filter the computers to which the GPO applies, this reduces the need to further subdivide your OUs in Active
Directory. This technique is dynamic, in that the filter is evaluated when the computer attempts to apply the policy. So if you are filtering based on the version of Windows then upgrading the computer from Windows XP to Windows 7 requires
no changes to your GPO, because the filter will automatically recognize the change and filter the computer’s access to the GPO accordingly.
I’ve just put the structure together in a DC and took a screenshot of it. This is how I interpret the information given.

On the second page of the exhibit it says that the ServerSettings GPO applies to all servers, not all file servers. So that means one of two things: it’s linked to the CH_Servers OU, or it’s linked higher, like at a domain level, because then it
applies to ALL servers in all regions. As the full AD structure is not clear, I’ll assume it’s applied on all CH servers only, but either way, if it’s applied at a domain level it shouldn’t matter.
If you first carry out step F you create the MigratedServers GPO, then you create the Server 2008 R2 WMI filter and apply that to the GPO you just created, then you carry out step E which links the MigratedServers GPO which has a Server
2008 R2 WMI filter to the CH_FileServers OU.
NOTE: possible issue
Thanks to SoK for highlighting this.
The question states what 2 steps.
But requirement 3 says: Ensure that the ServerSettings GPO does not apply to CHDATA03 and CHDATA04 after migration.
So the ServerSettings GPO applies IE settings to servers in the CH_Servers OU and will also be applied to any child OUs of that, and on page 2 it says that CH_FileServers is a child of
CH_Servers, so the ServerSettings GPO will be applied to all file servers by default regardless of their OS. The settings are IE settings, and as it stands those settings would apply to CHDATA03 & CHDATA04 because of the ServerSettings
GPO, so unless you block that GPO somehow reaching the two 2008 file servers, answer B won’t work because it then blocks them for CHDATA01 & CHDATA02, which you don’t want. A won’t work as it is an incorrect “replacement” for F because it’s applying 2008 settings to 2003 servers, which is as useful as tits on a bull. D is pointless in this specific case, so it appears that C may be required. I’m going to leave C out for the moment because the question clearly states 2
answers.

QUESTION 24
You need to apply a critical security update to all computers on the New Haven campus while ensuring that New Haven computers continue to receive scheduled updates from BODATA03. You must not apply the security update to any other
computers.
What should you recommend?
A. Configure the New Haven campus client computers to synchronize hourly from Microsoft Update.
B. Change NEDATA01 to Autonomous mode, and deploy the security update from NEDATA01.
C. Change NEDATA01 to Autonomous mode, and deploy the security update from BODATA03.
D. Configure only NEDATA01 as an upstream server, and deploy the security update from NEDATA01.
Correct Answer: C
Explanation
Explanation/Reference:
There are two ways to link WSUS servers together:
Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered
separately. Autonomous servers can also synchronize updates for a set of languages that is a subset of the set synchronized by their upstream server.
Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their
upstream WSUS server.

QUESTION 25
You are planning a recovery strategy in the event that a file server is unable to boot into Windows.
You need to ensure that file servers can be restored from backups.
What should the recovery strategy include?
A. Deploy backups by using WDS.
B. Boot from the Windows Server 2008 R2 DVD into the Recovery Environment, then restore from file server backups by using WBAdmin.
C. Reinstall Windows Server 2008 R2 from DVD, then restore from file server backups by using Windows Server Backup.
D. Restore from file server backups by using NTBackup.
Correct Answer: A
Explanation
Explanation/Reference:
Thanks to Testy for highlighting this one.
NTBackup is not compatible with Server 2008 R2.
Your requirements are for remote backup and remote restore.
The network has WDS installed and uses PXE boot on the servers so WDS could be used to deploy a backup.
Windows Recovery Environment (Windows RE) is an extensible recovery platform based on Windows Preinstallation Environment (Windows PE). When the computer fails to start, Windows automatically fails over into this environment, and
the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows Vista installation. Furthermore, Windows RE is a starting point for various tools for manual system recovery. The primary audience of this
technology includes original equipment manufacturers (OEMs), original device manufacturers (ODMs), and corporate IT professionals.
Image-based Recovery from Windows RE
In the event that the Windows installation cannot be repaired with Startup Repair or other manual repair steps, Windows RE can be used to launch an image-based recovery tool.
User-created Recovery Image
Windows Vista provides end users with the ability to create a backup image of their entire operating system.
End users can do this by using the Backup tool. The system image can be stored on an external hard disk, on a hard disk partition other than those imaged, or on a DVD. To restore the computer by using this system image, users must launch
the restore interface from the list of Windows RE manual tools.
Factory-created Recovery Image
To facilitate restoring a computer to its factory state, a recovery image can be placed on the Windows RE partition. This eliminates the need for a separate recovery media in most cases.
If the Windows image format is used in the manufacturing process, the same operating system image can be used for recovery as well. A computer manufacturer can develop an application by using the Imaging APIs for Windows and the
Windows image to restore the operating system volume. This application can be launched from the Windows RE user interface (UI) by using customizations provided by the ODM.

QUESTION 26
You need to plan a scheduled daily backup of all files on TADC01.
Which tools could you use? (Choose all that Apply.)
A. NTBackup
B. BITSAdmin
C. Windows Server Backup
D. Windows Backup
E. WBAdmin
F. Ntdsutil
Correct Answer: CE
Explanation

QUESTION 27
You are testing a file replication strategy for the IT Budget folders on BODATA01, NEDATA01, and TADATA01. The IT Budget folder on TADATA01 is the primary member.
You need to force replication of files to the Boston campus as soon as possible.
Which command should you execute?
A. dfsrdiag.exe PollAO /Member:GD!\BODC01
B. dfsrdiag.exe PollAD /Member:GDI\TADC01
C. dfsrdiag.exe PollAD /Member:GDI\TADATA01
D. dfsrdiag.exe PollAD /Member:GDI\BODATA01
Correct Answer: B
Explanation
Explanation/Reference:
You are testing a file replication strategy on BODATA01. If you look at http://technet.microsoft.com/en-us/library/cc771488.aspx it says: You can use DFS Replication to keep the contents of folder targets in sync so that users see the same files regardless of which folder target the client computer is referred to. If you look at the Note at the bottom of the page it says:
To poll immediately for configuration changes, open a command prompt window and then type the following command once for each member of the replication group: dfsrdiag.exe PollAD /Member:DOMAIN\Server1.
So the question is: do you poll the server holding the files or the DC in the location where the primary member is located? I’m pretty sure DFS-Replication uses AD DS replication so to me anyway I’d poll the DC.

QUESTION 28
You are designing a Windows Server 2008 R2 deployment strategy for the Minneapolis campus servers.
Which deployment strategy should you recommend?
A. install from media.
B. Use a discover image in WDS.
C. Auto Add From Policy
D. Use multicast image deployment
Correct Answer: D
Explanation
Explanation/Reference:
Requirements – BitLocker is needed on all disks in Minneapolis and installations must be done remotely. It specifically says they use WDS for deployment. WDS is all about using images, so would that not rule out media install? You can do media installs that are unattended, but it requires sending a DVD and corresponding USB key with an answer file to the site and it being inserted into the server. But GDI uses PXE-enabled network cards, so that would imply media is not used as images would be stored centrally.
I’m leaning toward Answer B because
http://technet.microsoft.com/en-us/library/dd637996%28v=ws.10%29.aspx
– “A client is on a different subnet and you do not have method of getting PXE to the client (for example, IP helper tables or Dynamic Host Control Protocol (DHCP)).”
I’m gonna make a huge assumption that the Minneapolis servers are on a different subnet, which makes sense because they are all different campuses for a college.
Multicasting. Provides the ability to transmit install images using multicasting. This includes the ability to automatically disconnect slow clients and the ability to transfer images using multiple streams of varying speeds. To locate these settings, right-click the server in the MMC snap-in, click Properties, and click the Multicast tab.
Multicast allows organizations to use their network bandwidth more efficiently, allowing an operating system image to be transmitted over the network once to multiple installation clients. For example, if you are deploying 20 computers running Windows Server 2008 R2, you save significant bandwidth in transmitting one installation image across the network (approximately 1.5 GB of data) compared to transmitting all 20 (approximately 60 GB of data). Multicast deployment is supported only in network environments where the routers support multicast transmissions.
The site in question has 10 servers so Multicast would be a possibility.

QUESTION 29
You are designing a Windows Server 2008 R2 deployment strategy for the Austin campus servers.
Which deployment strategy should you recommend?
A. Enable an Auto-Add Policy in WDS.
B. Create a discover image in WDS.
C. Deploy the images by using multicast transmission in WDS.
D. Deploy the images by using unicast transmission in WDS.
Correct Answer: C
Explanation
Explanation/Reference:
Topic 19, Tailspin Toys
Scenario
General Background
You are the Windows server administrator for Tailspin Toys. Tailspin Toys has a main office and a manufacturing office.
Tailspin Toys recently acquired Wingtip Toys and is in the beginning stages of merging the IT environments. Wingtip Toys has a main office and a sales office.
Technical Background
The companies use the network subnets indicated in the following table.

All servers in the Wingtip Toys environment are joined to the wingtiptoys.com domain.
Infrastructure Services
You must ensure that the following infrastructure services requirements are met:
– All domain zones must be stored as Active Directory-integrated zones.
– Only DNS servers located in the Tailspin Toys main office may communicate with DNS servers at Wingtip Toys.
– Only DNS servers located in the Wingtip Toys main office may communicate with DNS servers at Tailspin Toys.
– All tailspintoys.com resources must be resolved from the Wingtip Toys offices.
– All wingtiptoys.com resources must be resolved from the Tailspin Toys offices.
– Certificates must be distributed automatically to all Tailspin Toys and Wingtip Toys computers.
Delegated Administration
You must ensure that the following delegated administration requirements are met:
– Tailspin Toys IT security administrators must be able to create, modify, and delete user objects in the wingtiptoys.com domain.
– Members of the Domain Admins group in the tailspintoys.com domain must have full access to the wingtiptoys.com Active Directory environment.
– A delegation policy must grant minimum access rights and simplify the process of delegating rights.
– Minimum permissions must always be delegated to ensure that the least privilege is granted for a job or task.
– Members of the TAILSPINTOYS\Helpdesk group must be able to update drivers and add printer ports on TT-PRINT01.
– Members of the TAILSPINTOYS\Helpdesk group must not be able to cancel a print job on TT-PRINT01.
– Tailspin Toys developers must be able to start, stop, and apply snapshots to their development VMs.
IT Security
You must ensure that the following IT security requirements are met:
– Server security must be automated to ensure that newly deployed servers automatically have the same security configuration as existing servers.
– Auditing must be configured to ensure that the deletion of user objects and OUs is logged.
– Microsoft Word and Microsoft Excel files must be automatically encrypted when uploaded to the Confidential document library on the Tailspin Toys Microsoft SharePoint site.
– Multifactor authentication must control access to Tailspin Toys domain controllers.
– All file and folder auditing must capture the reason for access.
– All folder auditing must capture all delete actions for all existing folders and newly created folders.
– New events must be written to the Security event log in the tailspintoys.com domain and retained indefinitely.
– Drive X:\ on TT-FILE01 must be encrypted by using Windows BitLocker Drive Encryption and must automatically unlock.

QUESTION 30
You need to recommend a solution to migrate shared printers from the print server at Wingtip Toys to the print server at Tailspin Toys.
What should you recommend?
A. On the TT-PRINT01 server, run the printmig.exe command-line tool
B. On the WT-PRINT01 server, run the printbrm.exe command-line tool
C. On the WT-PRINT01 server, run the printmig.exe command-line tool
D. On the TT-PRINT01 server, run the printbrm.exe command-line tool
Correct Answer: D
Explanation
Explanation/Reference:
You are moving from a 2003 to a 2008 server, so option B won’t work coz WT-PRINT01 is the 2003 server. You can export print queues, printer settings, printer ports, and language monitors, and then import them on another print server running a Windows operating system. This is an efficient way to consolidate multiple print servers or replace an older print server.

Print Migrator 3.1 is no longer supported by Microsoft. The Printer Migration Wizard and the Printbrm.exe command-line tool were introduced in Windows 7 to replace it. For more information about this decision, see the blog Ask the
Performance Team (http://blogs.technet.com/askperf/archive/2008/10/17/why-printmig-3-1-isretired.aspx).

QUESTION 31
You are planning for the IT integration of Tailspin Toys and Wingtip Toys. The company has decided on the following name resolution requirements:
– Name resolution for Internet-based resources must continue to operate by using the same DNS servers as prior to the merger.
– The existing connectivity between Tailspin Toys and Wingtip Toys must be used for all network communication.
– The documented name resolution goals must be met.
You need to provide a name resolution solution that meets the requirements.
What should you recommend? (Choose all that Apply.)
A. On TT-DC01, TT-DC02, TT-DC03, and TT-DC04, add forwarders with the IP addresses of 172.16.10.10 and 172.16.10.11.
B. On TT-DC01, add a conditional forwarder for wingtiptoys.com, use 172.16.10.10 and 172.16.10.11 as the IP addresses, and then configure it to replicate to all DNS servers in the tailspintoys.com domain.
C. On TT-DC01, TT-DC02, TT-DC03, and TT-DC04, add a secondary DNS zone for wingtiptoys.com and specify 172.16.10.10 and 172.16.10.11 as the master DNS servers.
D. On WT-DC01 and WT-DC02, add a secondary DNS zone for tailspintoys.com and specify 10.10.10.10 and 10.10.10.11 as the master DNS servers.
E. On WT-DC01, WT-DC02, WT-DC03, and WT-DC04, add forwarders with the IP addresses of 10.10.10.10 and 10.10.10.11.
F. On WT-DC01, add a conditional forwarder for tailspintoys.com, use 10.10.10.10 and 10.10.10.11 as the IP addresses, and configure it to replicate to all DNS servers in the
wingtiptoys.com domain.
Correct Answer: BF
Explanation
Explanation/Reference:
Conditional forwarding is used to control where a DNS server forwards queries for a specific domain. A DNS server on one network can be configured to forward queries to a DNS server on another network without having to query DNS servers on the Internet. Conditional forwarders can also be used to help companies resolve each other’s namespace in a situation where companies collaborate or a merger is underway.
Forwarders and Forwarding
When a name server is queried in DNS, the way it responds depends on the type of query issued, which can be either iterative or recursive. In an iterative query, the client asks the name server for the best possible answer to its query. The
name server checks its cache and the zones for which it is authoritative and returns the best possible answer to the client, which could be either a full answer like “here is the IP address of the host you are looking for” or a partial answer like
“try this other name server instead, it might know the answer.”
In a recursive query, things work a little differently, for here the client demands either a full answer (the IP address of the target host) or an error message like “sorry, name not found.” In Windows DNS, client machines always send recursive
queries to name servers, and name servers usually send iterative queries to other name servers.
What Conditional Forwarding Does
A conditional forwarder is one that handles name resolution only for a specific domain. For example, you could configure your name server to forward any requests for hosts in the domain google.com directly to a specific name server that is
authoritative for the google.com domain.
What this does is speed up the name resolution process by eliminating the need to go up to root to find this authoritative server.
So in our question above we would create a conditional forwarder in wingtiptoys.com for tailspintoys.com and then create a conditional forwarder in tailspintoys.com for wingtiptoys.com.
Additionally, in Server 2008 there is a separate node in DNS Manager to configure Conditional Forwarders. Previously, if you wanted to configure forwarding for a certain DNS domain, and you wanted to do this on all DNS servers, you had to do this for all the DNS servers separately.
Forwarders can be configured centrally and can be configured as “Active Directory” integrated. What does this mean? Well, this means they are stored in Active Directory and you can configure a replication scope, in the same way you can with AD Integrated DNS Zones. They can be replicated using the following scopes:
– All DNS servers in this forest (through the ForestDNSZones Application Partition)
– All DNS servers in this domain (through the DomainDNSZones Application Partition)
– All Domain Controllers in this domain (for Windows 2000 compatibility), stored in the Domain Partition
– In a custom Application Partition of your liking, if you want to replicate only to certain Domain Controllers (that are probably your DNS servers)

QUESTION 32
You need to recommend a solution to meet the IT security requirements and data encryption requirements for TT-FILE01 with the minimum administrative effort.
What should you recommend? (Choose all that Apply.)
A. Turn on BitLocker on drive X:\ and select the Automatically unlock this drive on this computer option.
B. Migrate TT-FILE01 to Windows Server 2008 R2 Enterprise.
C. Store BitLocker recovery information in the tailspintoys.com domain.
D. Turn on BitLocker on the system drive.
Correct Answer: AC
Explanation
Explanation/Reference:
Backing up recovery passwords for a BitLocker-protected disk volume allows administrators to recover the volume if it is locked. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users.
Storage of BitLocker recovery information in Active Directory
Backed up BitLocker recovery information is stored in a child object of the Computer object. That is, the Computer object is the container for a BitLocker recovery object.
Each BitLocker recovery object includes the recovery password and other recovery information.
More than one BitLocker recovery object can exist under each Computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.
The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The form is:
<Object Creation Date and Time><Recovery GUID>
For example:
2005-09-30T17:08:23-08:00{063EA4E1-220C-4293-BA01-4754620A96E7}

QUESTION 33
You need to recommend a solution that meets the following requirements:
– Log access to all shared folders on TT-FILE02.
– Minimize administrative effort.
– Ensure that further administrative action is not required when new shared folders are added to TT-FILE02.
What should you recommend?
A. Upgrade TT-FILE02 to Windows Server 2008 Enterprise and use Application control policies in Group Policy.
B. Add the Connection Manager Administration Kit feature on TT-FILE02.
C. Upgrade TT-FILE02 to Windows Server 2008 R2 Standard and use Advanced Audit Policy Configuration settings in Group Policy.
D. Add the Network Policy and Access Services role to TT-FILE02.
Correct Answer: C
Explanation
Explanation/Reference:
Security auditing enhancements in Windows Server 2008 R2 and Windows 7 can help your organization audit compliance with important business-related and security-related rules by
tracking precisely defined activities, such as:
A group administrator has modified settings or data on servers that contain finance information.
An employee within a defined group has accessed an important file.
The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.
In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create
an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected
users and groups with relative simplicity.
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx

QUESTION 34
You need to delegate print administration to meet the company requirements.
What should you do?
To answer, select the appropriate check boxes in the dialog box.

Explanation
Explanation/Reference:
The two levels of print server permissions are:
View Server
The View Server permission assigns the ability to view the print server. Without the View Server permission, users cannot see the printers that are managed by the server. By default, this permission is given to members of the Everyone
group.
Manage Server
The Manage Server permission assigns the ability to create and delete print queues (with already installed drivers), add or delete ports, and add or delete forms. A standard user with this permission is called a “delegated print administrator.”
The three levels of printer permissions are:
Print
The Print permission assigns the ability for users to connect to printers and to print, pause, resume, start, and cancel their own documents. By default, this permission is given to members of the Everyone group when a print queue is created.
Manage Documents
The Manage Documents permission assigns the ability to control job settings for all documents and to pause, restart, and delete all documents.
Manage Printers
The Manage Printer permission assigns the ability to pause and restart the printer, change spooler settings, share a printer, adjust printer permissions, and change printer properties.
To create a full delegated print administrator
Click Start, click Administrative Tools, right-click Print Management, and then click Run as administrator.
In the left pane, click Print Servers, right-click the applicable print server, and then click Properties.
In Print Server Properties, click the Security tab.
To configure permissions for a new group or user, click Add. Type the name of the group or user that you want to set permissions for by using the following format: domain name\username. Click OK to close the dialog box.
Highlight the user or group name that you just added, and in Permissions for <user or group name>, click Allow for the Manage Server permission. (The View Server permission is assigned too.)
Select the Allow check boxes for the Print, Manage Documents, and Manage Printers permissions.
To create a partial delegated print administrator
To enable an administrator to add printers:
Follow the previous instructions, but select the Allow check boxes for the Manage Server and Print permissions. (View Server permission is assigned automatically too.)
To enable an administrator to manage existing print queues:
Follow the previous instructions, but select the Allow check boxes for the View Server, Print, Manage Documents, and Manage Printer permissions.
Print-related permissions and the tasks they enable

QUESTION 35
You need to recommend a solution to meet the certificate distribution requirements.
What should you recommend?
A. Upgrade the Wingtip Toys client computers that run Windows XP to Windows 7.
B. Create a one-way trust from wingtiptoys.com to tailspintoys.com.
C. Create a two-way trust between tailspintoys.com and wingtiptoys.com.
D. Upgrade the Wingtip Toys servers that run Windows Server 2003 to Windows Server 2008 R2.
E. Create a one-way trust from tailspintoys.com to wingtiptoys.com.
Correct Answer: C
Explanation
Explanation/Reference:
Trusts
A trust is a relationship, which you establish between domains, that makes it possible for users in one domain to be authenticated by a domain controller in the other domain.
All Active Directory trusts between domains within a forest are transitive, two-way trusts.
Therefore, both domains in a trust relationship are trusted. As shown in the following illustration, this means that if Domain A trusts Domain B and Domain B trusts Domain C, users from Domain C can access resources in Domain A (when
they are assigned the proper permissions). Only members of the Domain Admins group can manage trust relationships.


Two-way trust
All domain trusts in an Active Directory forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created between the new child domain and the parent domain. In a two-way trust,
Domain A trusts Domain B and Domain B trusts Domain A. This means that authentication requests can be passed between the two domains in both directions. Some two-way relationships can be either nontransitive or transitive, depending
on the type of trust that is created.
The Automatic Enrollment Method
Auto-enrollment makes it possible for an organization to configure the CA to automatically issue certificates to users and computers. Auto-enrollment can be defined as the process by which certificates can be obtained, updated, and stored for
users and computers, without administrator and end user intervention.
The auto-enrollment feature also enables the centralized management of certificates, including:
Certificate enrollment
Certificate renewal
Modifying certificates
Superseding certificates

QUESTION 36
You need to remove Marc’s delegated rights.
What would you recommend?
A. Use the Delegation of Control Wizard.
B. Run the Resultant Set of Policy (RSoP) tool.
C. Run the dsacls command-line utility.
D. Run the xcalcs command-line utility.
Correct Answer: C
Explanation
Explanation/Reference:
http://support.microsoft.com/kb/281146
DSACLS is used to view or edit ACLs (access control lists) for objects in Active Directory.
Overview of Dsacls.exe
DsAcls uses the following syntax:
dsacls object [/a] [/d {user | group}:permissions […]] [/g {user | group}:permissions […]] [/i:{p | s | t}][/n] [/p:{y | n}][/r {user | group} […]] [/s [/t]]
You can use the following parameters with Dsacls.exe:
object: This is the path to the directory services object on which to display or change the ACLs.
This path must be a distinguished name (also known as RFC 1779 or x.500 format). For example:
CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com
To specify a server, add \\Servername\ before the object. For example:
\\MyServer\CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com
When you run the dsacls command with only the object parameter (dsacls object), the security information about the object is displayed.
/a : Use this parameter to display the ownership and auditing information with the permissions.
/d {user | group}:permissions: Use this parameter to deny specified permissions to a user or group. User must use either user@domain or domain\user format, and group must use either group@domain or domain\group format. You can specify more than one user or group in a command. For more information about the correct syntax to use for permissions, see the <Permissions> Syntax section later in this article.
/g {user | group}:permissions: Use this parameter to grant specified permissions to a user or group. User must use either user@domain or domain\user format, and group must use either group@domain or domain\group format. You can specify more than one user or group in a command. For more information about the correct syntax to use for permissions, see the <Permissions> Syntax section later in this article.
/i:{p | s | t} : Use this parameter to specify one of the following inheritance flags:
p: Use this option to propagate inheritable permissions one level only.
s: Use this option to propagate inheritable permissions to subobjects only.
t: Use this option to propagate inheritable permissions to this object and subobjects.
/n : Use this parameter to replace the current access on the object, instead of editing it.
/p:{y | n}: This parameter determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed. Use this parameter to mark the object as protected (y
= yes) or not protected (n = no).
Note This parameter changes a property of the object, not of an Access Control Entry (ACE). To determine whether an ACE is inheritable, use the /I parameter.
/r {user | group}: Use this parameter to remove all permissions for the specified user or group. You can specify more than one user or group in a command. User must use either user@domain or domain\user format, and group must use either group@domain or domain\group format.
/s: Use this parameter to restore the security on the object to the default security for that object class, as defined in the Active Directory schema.
/t : Use this parameter to restore the security on the tree of objects to the default for each object class. This switch is valid only when you also use the /s parameter.

QUESTION 37
New security events are not being written to the current Security event log in the tailspintoys.com domain. However, old security events are still being maintained in the log.
You need to meet the security event log requirements for the tailspintoys.com domain.
Which Group Policy setting or settings should you select?
To answer, select the appropriate setting or settings in the Group Policy Management Editor


Explanation
Explanation/Reference:
Backup log automatically when full
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the Retain old events policy setting is enabled. If you enable this policy setting and the Retain old events policy setting is
enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started. If you disable this policy setting and the Retain old events policy setting is enabled, new events are discarded and the old events are
retained.
When this policy setting is not configured and the Retain old events policy setting is enabled, new events are discarded and the old events are retained.
Possible values:
Enabled
Disabled
Not Configured
Normally you also need RETAIN OLD EVENTS enabled, but this is already set in the default domain policy per the exhibit for the testlet.

QUESTION 38
You need to recommend a solution that meets the following requirements:
Log access to all shared folders on TT-FILE02.
Minimize administrative effort.
Ensure that further administrative action is not required when new shared folders are added to TT-FILE02.
Which actions should you perform in sequence?
To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. (Use only actions that Apply.)

Explanation
Explanation/Reference:

QUESTION 39
You need to recommend a solution to meet the following requirements:
– Meet the company auditing requirements.
– Ensure that further administrative action is not required when new folders are added to the file server.
What should you recommend? (Choose all that Apply.)
A. Enable the Audit File System Group Policy setting for Success.
B. Enable the Audit object access Group Policy setting for Success.
C. Enable the Audit File System Group Policy setting for Failure.
D. Enable the Audit Handle Manipulation Group Policy setting for Success.
E. Enable the File system option of the Global Object Access Auditing Group Policy setting.
F. Enable the Audit Handle Manipulation Group Policy setting for Failure.
Correct Answer: BDE
Explanation
Explanation/Reference:
Security auditing allows you to track the effectiveness of your network defenses and identify attempts to circumvent them. There are a number of auditing enhancements in Windows Server 2008 R2 and Windows 7 that increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies.
Auditing policy
Before you implement auditing policy, you must decide which event categories you want to audit.
The auditing settings that you choose for the event categories define your auditing policy. On member servers and workstations that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default. By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization.
Audit Object Access
This security setting determines whether to audit the event of a user accessing an object–for example, a file, folder, registry key, printer, and so forth–that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has an appropriate SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Note that you can set a SACL on a file system object using the Security tab in that object’s Properties dialog box.
http://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx
Audit Handle Manipulation Group Policy setting
This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. Event volume can be high, depending on how SACLs are configured.
When used together with the Audit File System or Audit Registry policy settings, the Audit Handle Manipulation policy setting can provide an administrator with useful “reason for access” audit data detailing the precise permissions on which the audit event is based. For example, if a file is configured as a read-only resource but a user attempts to save changes to the file, the audit event will log not just the event itself but the permissions that were used, or attempted to be used, to save the file changes.
Global Object Access Auditing Group Policy setting
In Windows Server 2008 R2 and Windows 7, administrators can define computer-wide system access control lists (SACLs) for either the file system or registry. The specified SACL is then automatically applied to every single object of that type. This can be useful both for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs.

QUESTION 40
Your network contains an Active Directory domain. You have a server that runs Windows Server 2008 R2 and has the Remote Desktop Services server role enabled. All client computers run Windows 7.
You need to plan the deployment of a new line of business application to all client computers.
The deployment must meet the following requirements:
– Users must access the application from an icon on their desktops.
– Users must have access to the application when they are not connected to the network.
What should you do?
A. Publish the application as a RemoteApp.
B. Publish the application by using Remote Desktop Web Access (RD Web Access).
C. Assign the application to the Remote Desktop Services server by using a Group Policy object (GPO).
D. Assign the application to all client computers by using a Group Policy object (GPO).
Correct Answer: D
Explanation
Explanation/Reference:
http://support.microsoft.com/kb/816102
Assign a Package
To assign a program to computers that are running Windows Server 2003, Windows 2000, or Microsoft Windows XP Professional, or to users who are logging on to one of these workstations:
1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, select the group policy object that you want, and then click Edit.
4. Under Computer Configuration, expand Software Settings.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi. Important: Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
7. Click Open.
8. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
9. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
10. When the client computer starts, the managed software package is automatically installed.

QUESTION 41
Your network contains an Active Directory domain. The domain contains a Remote Desktop Services server that runs Windows Server 2008 R2. All client computers run Windows 7.
You need to deploy a new line of business application.
The deployment must meet the following requirements:
– Users must have access to the application from the company portal.
– Users must always have access to the latest version of the application.
– You must minimize the number of applications installed on the client computers.
What should you do?
A. Publish the application to the users by using a Group Policy object (GPO).
B. Publish the application as a RemoteApp. Enable Remote Desktop Web Access (RD Web Access).
C. Assign the application to the client computers by using a Group Policy object (GPO).
D. Deploy the application by using Microsoft System Center Configuration Manager (SCCM) 2007 R2.
Correct Answer: B
Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc753844%28WS.10%29.aspx
http://technet.microsoft.com/en-us/library/cc730673%28WS.10%29.aspx
Terminal Services RemoteApp (TS RemoteApp)
Terminal Services RemoteApp (TS RemoteApp) enables organizations to provide access to standard Windows-based programs from virtually any location to users with computers running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3 (SP3). TS RemoteApp is also available to users with computers running Windows XP with Service Pack 2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), or Windows Server 2003 with SP2 that have the new Remote Desktop Connection (RDC) client installed.
What does TS RemoteApp do?
RemoteApp programs are programs that are accessed remotely through Terminal Services and appear as if they are running on the end user’s local computer. Users can run RemoteApp programs side by side with their local programs. A user can minimize, maximize, and resize the program window, and can easily start multiple programs at the same time. If a user is running more than one RemoteApp program on the same terminal server, the RemoteApp programs will share the same Terminal Services session.
Users can run RemoteApp programs in a number of ways. They can:
Double-click a Remote Desktop Protocol (.rdp) file that has been created and distributed by their administrator.
Double-click a program icon on their desktop or Start menu that has been created and distributed by their administrator with a Windows Installer (.msi) package.
Double-click a file whose extension is associated with a RemoteApp program. (This can be configured by their administrator with a Windows Installer package.)
Access a link to the RemoteApp program on a Web site by using TS Web Access.
The .rdp files and Windows Installer packages contain the settings needed to run RemoteApp programs. After opening the RemoteApp program on a local computer, the user can interact with the program that is running on the terminal server as if it were running locally.
Key scenarios for TS RemoteApp
TS RemoteApp is especially useful in scenarios such as the following:
Remote users. Users often need to access programs from remote locations, such as while working from home or while traveling. If you want users to access RemoteApp programs over an Internet connection, you can allow access through a Virtual Private Network (VPN), or you can deploy TS RemoteApp together with Terminal Services Gateway (TS Gateway) to help secure remote access to the programs.
Branch offices. In a branch office environment, there may be limited local IT support and limited network bandwidth. By using TS RemoteApp, you can centralize the management of your applications and improve remote program performance in limited bandwidth scenarios.
Line-of-business (LOB) applications deployment. Companies often need to run consistent LOB applications on computers that are running different Windows versions and configurations. Instead of deploying the LOB applications to all the computers in the company, which can be expensive in terms of time and cost, you can install the LOB applications on a terminal server and make them available through TS RemoteApp.
Application deployment. With TS RemoteApp you do not have to deploy and maintain different versions of the same program for individual computers. If employees need to use multiple versions of a program, you can install those versions on one or more terminal servers, and users can access them through TS RemoteApp.
Roaming users. In a company with a flexible desk policy, users can work from different computers. In some cases, the computer where a user is working may not have the necessary programs installed locally. By using TS RemoteApp, you can install the programs on a terminal server and make them available to users as if those programs were installed locally.

QUESTION 42
You want to deploy a web site on a highly available solution with a reduced attack surface and minimal cost.
Which one would you recommend? There is more than one correct answer, but choose the best option.
A. Windows Server 2008 R2 Enterprise full installation.
B. Windows Server 2008 R2 Standard full installation.
C. Windows Web Server 2008 R2 with IIS 7.5 Server Core.
D. Windows Web Server 2008 R2 with IIS 7.5 full installation.
Correct Answer: C
Explanation
Explanation/Reference:
