Microsoft 70-646 ExamPro: Windows Server 2008 - Server Administrator

Total Question: 262 Last Updated: Aug 19,2019

Latest Microsoft 70-646 PDF Download (Topic 0)

1. Your company has 250 branch offices. Your network contains an Active Directory domain. The domain controllers run Windows Server 2008 R2. You plan to deploy Read-only Domain Controllers (RODCs) in the branch offices.

You need to plan the deployment of the RODCs to meet the following requirements:

Build each RODC at the designated branch office.

Ensure that the RODC installation source files do not contain cached secrets.

Minimize the bandwidth used during the initial synchronization of Active Directory Domain Services (AD DS).

What should you include in your plan?

A. Use Windows Server Backup to perform a full backup of an existing domain controller. Use the backup to build the new RODCs.

B. Use Windows Server Backup to perform a custom backup of the critical volumes of an existing domain controller. Use the backup to build the new RODCs.

C. Create a DFS namespace that contains the Active Directory database from one of the existing domain controllers. Build the RODCs by using an answer file.

D. Create an RODC installation media. Build the RODCs from the RODC installation media.

Answer: D


Installing AD DS from Media

Applies To: Windows Server 2008, Windows Server 2008 R2

You can use the Ntdsutil.exe tool to create installation media for additional domain controllers that you are creating in a domain. By using the Install from Media (IFM) option, you can minimize the replication of directory data over the network. This helps you install additional domain controllers in remote sites more efficiently.

Ntdsutil.exe can create four types of installation media, as described in the following table.

You must use read-only domain controller (RODC) installation media to install an RODC.

For RODC installation media, the ntdsutil command removes any cached secrets, such as passwords. You can create RODC installation media either on an RODC or on a writeable domain controller. You must use writeable domain controller installation media to install a writeable domain controller. You can create writeable domain controller installation media only on a writeable domain controller.

If the source domain controller where you create the installation media and the destination server where you plan to install Active Directory Domain Services (AD DS) both run Windows Server 2008 with Service Pack 2 or later or Windows Server 2008 R2, and if you are using Distributed File System (DFS) Replication for SYSVOL, you can run the ntdsutil ifm command with an option to include the SYSVOL shared folder in the installation media.

If the installation media includes SYSVOL, you must use Robocopy.exe to copy the installation media from the source domain controller to the destination server. For more information, see Installing an Additional Domain Controller by Using IFM.
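
The IFM procedure described above, sketched as a PowerShell script to run on the source domain controller. This is an added example, not part of the original page or of Microsoft's documentation; the staging folder, server name and share path are placeholders, and the Robocopy switches and the expected media layout are assumptions rather than the documented values.

```powershell
# Added example. Run in an elevated session on the source domain controller.
# All paths and the server name below are hypothetical placeholders.
param(
    [string]$MediaPath  = 'C:\IFM-RODC',    # local staging folder (no spaces)
    [string]$DestServer = 'BRANCH-SRV01',   # branch server that will become the RODC
    [string]$DestPath   = 'C$\IFM-RODC',    # admin-share path on that server
    [switch]$IncludeSysvol                  # only valid when SYSVOL uses DFS Replication
)

$ErrorActionPreference = 'Stop'

# Start from an empty folder so stale media from an earlier run, possibly
# writeable-DC media that still holds secrets, is never mixed in.
if ((Test-Path $MediaPath) -and (Get-ChildItem $MediaPath -Force)) {
    throw "$MediaPath already exists and is not empty."
}

# "create rodc" produces RODC media with cached secrets removed;
# "create sysvol rodc" additionally includes the SYSVOL shared folder.
$ifmVerb = if ($IncludeSysvol) { 'create sysvol rodc' } else { 'create rodc' }
& ntdsutil.exe 'activate instance ntds' 'ifm' "$ifmVerb $MediaPath" 'quit' 'quit'

# Do not rely on the exit code alone: confirm the database copy was written.
# Assumption: the media contains an "Active Directory" folder holding ntds.dit.
$dit = Join-Path $MediaPath 'Active Directory\ntds.dit'
if (-not (Test-Path $dit)) {
    throw "IFM media was not created: $dit is missing."
}

# Copy with Robocopy, as required when the media includes SYSVOL.
# /E copies subfolders, /COPYALL keeps ACLs, owner and timestamps.
$dest = "\\$DestServer\$DestPath"
& robocopy.exe $MediaPath $dest /E /COPYALL /R:2 /W:5

# Robocopy exit codes below 8 mean success (files copied, extras, and so on);
# 8 or higher means at least one file failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy failed with exit code $LASTEXITCODE; do not install from $dest."
}

Write-Output "RODC installation media staged at $dest"
```

Delete the staging copies on both servers once the RODC has been promoted, since the media still contains a copy of the directory database.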


2. Your company purchases 15 new 64-bit servers as follows:

Five of the servers have a single processor.

Five of the servers have a single dual core processor.

Five of the servers have two quad core processors.

You plan to deploy Windows Server 2008 R2 on the new servers by using Windows Deployment Services (WDS). You need to recommend a WDS install image strategy that meets the following requirements:

Minimizes the number of install images

Supports the deployment of Windows Server 2008 R2

What should you recommend?

A. one install image file that contains three install images

B. one install image file that contains a single install image

C. two install image files that each contain a single install image

D. three install image files that each contain a single install image

Answer: B


You only need one image per processor type

Windows Deployment Services Images

Windows Deployment Services uses two different types of images: install images and boot images. Install images are the operating system images that will be deployed to Windows Server 2008 or Windows Vista client computers. A default installation image is located in the Sources directory of the Windows Vista and Windows Server 2008 installation DVDs. If you are using WDS to deploy Windows Server 2008 to computers with different processor architectures, you will need to add separate installation images for each architecture to the WDS server. Architecture-specific images can be found on the architecture-specific installation media. For example, the Itanium image is located on the Itanium installation media and the x64 default installation image is located on the x64 installation media.

Although you can create custom images, you only need to have one image per processor architecture. For example, deploying Windows Server 2008 Enterprise Edition x64 to a computer with 1 x64 processor and to a computer with 8 x64 processors in SMP configuration only requires access to the default x64 installation image. Practice exercise 2 at the end of this lesson covers the specifics of adding a default installation image to a WDS server.


3. Your company has a main office and a branch office. Your network contains a single Active Directory domain.

You install 25 Windows Server 2008 R2 member servers in the branch office.

You need to recommend a storage solution that meets the following requirements:

Encrypts all data on the hard disks

Allows the operating system to start only when the authorized user is present

What should you recommend?

A. Encrypting File System (EFS)

B. File Server Resource Manager (FSRM)

C. Windows BitLocker Drive Encryption (BitLocker)

D. Windows System Resource Manager (WSRM)

Answer: C


MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Planning BitLocker Deployment

Windows BitLocker and Drive Encryption (BitLocker) is a feature that debuted in Windows Vista Enterprise and Ultimate Editions and is available in all versions of Windows Server 2008. BitLocker serves two purposes: protecting server data through full volume encryption and providing an integrity-checking mechanism to ensure that the boot environment has not been tampered with.

Encrypting the entire operating system and data volumes means that not only are the operating system and data protected, but so are paging files, applications, and application configuration data. In the event that a server is stolen or a hard disk drive removed from a server by third parties for their own nefarious purposes, BitLocker ensures that these third parties cannot recover any useful data. The drawback is that if the BitLocker keys for a server are lost and the boot environment is compromised, the data stored on that server will be unrecoverable.

To support integrity checking, BitLocker requires a computer to have a chip capable of supporting the Trusted Platform Module (TPM) 1.2 or later standard. A computer must also have a BIOS that supports the TPM standard. When BitLocker is implemented in these conditions and in the event that the condition of a startup component has changed, BitLocker-protected volumes are locked and cannot be unlocked unless the person doing the unlocking has the correct digital keys. Protected startup components include the BIOS, Master Boot Record, Boot Sector, Boot Manager, and Windows Loader.

From a systems administration perspective, it is important to disable BitLocker during maintenance periods when any of these components are being altered. For example, you must disable BitLocker during a BIOS upgrade. If you do not, the next time the computer starts, BitLocker will lock the volumes and you will need to initiate the recovery process. The recovery process involves entering a 48-character password that is generated and saved to a specified location when running the BitLocker setup wizard. This password should be stored securely because without it the recovery process cannot occur. You can also configure BitLocker to save recovery data directly to Active Directory; this is the recommended management method in enterprise environments.

You can also implement BitLocker without a TPM chip. When implemented in this manner there is no startup integrity check. A key is stored on a removable USB memory device, which must be present and supported by the computer’s BIOS each time the computer starts up. After the computer has successfully started, the removable USB memory device can be removed and should then be stored in a secure location. Configuring a computer running Windows Server 2008 to use a removable USB memory device as a BitLocker startup key is covered in the second practice at the end of this


BitLocker Volume Configuration

One of the most important things to remember is that a computer must be configured to support BitLocker prior to the installation of Windows Server 2008. The procedure for this is detailed at the start of Practice 2 at the end of this lesson, but involves creating a separate 1.5-GB partition, formatting it, and making it active as the System partition prior to creating a larger partition, formatting it, and then installing the Windows Server 2008 operating system. Figure 1-6 shows a volume configuration that supports BitLocker. If a computer’s volumes are not correctly configured prior to the installation of Windows Server 2008, you will need to perform a completely new installation of Windows Server 2008 after repartitioning the volume correctly. For this reason you should partition the hard disk drives of all computers in the environment on which you are going to install Windows Server 2008 with the assumption that at some stage in the future you might need to deploy BitLocker. If BitLocker is not deployed, it has cost you only a few extra minutes of configuration time. If you later decide to deploy BitLocker, you will have saved many hours of work reconfiguring the server to support full hard drive encryption.

Figure 1-6 Partition scheme that supports BitLocker

The necessity of having specifically configured volumes makes BitLocker difficult to implement on Windows Server 2008 computers that have been upgraded from Windows Server 2003. The necessary partition scheme would have had to be introduced prior to the installation of Windows Server 2003, which in most cases would have occurred before most people were aware of BitLocker.

BitLocker Group Policies

BitLocker group policies are located under the Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption node of a Windows Server 2008 Group Policy object. In the event that the computers you want to deploy BitLocker on do not have TPM chips, you can use the Control Panel Setup: Enable Advanced Startup Options policy, which is shown in Figure 1-7. When this policy is enabled and configured, you can implement BitLocker without a TPM being present. You can also configure this policy to require that a startup code be entered if a TPM chip is present, providing another layer of security.

Figure 1-7 Allowing BitLocker without the TPM chip

Other BitLocker policies include:

  • Turn On BitLocker Backup To Active Directory Domain Services: When this policy is enabled, a computer’s recovery key is stored in Active Directory and can be recovered by an authorized administrator.
  • Control Panel Setup: Configure Recovery Folder: When enabled, this policy sets the default folder to which computer recovery keys can be stored.
  • Control Panel Setup: Configure Recovery Options: When enabled, this policy can be used to disable the recovery password and the recovery key. If both the recovery password and the recovery key are disabled, the policy that backs up the recovery key to Active Directory must be enabled.
  • Configure Encryption Method: This policy allows the administrator to specify the properties of the AES encryption method used to protect the hard disk drive.
  • Prevent Memory Overwrite On Restart: This policy speeds up restarts, but increases the risk of BitLocker being compromised.
  • Configure TPM Platform Validation Profile: This policy configures how the TPM security hardware protects the BitLocker encryption key.

Encrypting File System vs. BitLocker

Although both technologies implement encryption, there is a big difference between Encrypting File System (EFS) and BitLocker. EFS is used to encrypt individual files and folders and can be used to encrypt these items for different users. BitLocker encrypts the whole hard disk drive. A user with legitimate credentials can log on to a file server that is protected by BitLocker and will be able to read any files that she has permissions for. This user will not, however, be able to read files that have been EFS encrypted for other users, even if she is granted permission, because you can only read EFS-encrypted files if you have the appropriate digital certificate. EFS allows organizations to protect sensitive shared files from the eyes of support staff who might be required to change file and folder permissions as a part of their job task, but should not actually be able to review the contents of the file itself. BitLocker provides a transparent form of encryption, visible only when the server is compromised. EFS provides an opaque form of encryption—the content of files that are visible to the person who encrypted them are not visible to anyone else, regardless of what file and folder permissions are set.

Turning Off BitLocker

In some instances you may need to remove BitLocker from a computer. For example, the environment in which the computer is located has been made much more secure and the overhead from the BitLocker process is causing performance problems. Alternatively, you may need to temporarily disable BitLocker so that you can perform maintenance on startup files or the computer’s BIOS. As Figure 1-8 shows, you have two options for removing BitLocker from a computer on which it has been implemented: disable BitLocker or decrypt the drive.

Figure 1-8 Options for removing BitLocker

Disabling BitLocker removes BitLocker protection without decrypting the encrypted volumes. This is useful if a TPM chip is present, but it is necessary to update a computer’s BIOS or startup files. If you do not disable BitLocker when performing this type of maintenance, BitLocker—when implemented with a TPM chip—will lock the computer because the diagnostics will detect that the computer has been tampered with. When you disable BitLocker, a plaintext key is written to the hard disk drive. This allows the encrypted hard disk drive to be read, but the presence of the plaintext key means that the computer is insecure. Disabling BitLocker using this method provides no performance increase because the data remains encrypted—it is just encrypted in an insecure way. When BitLocker is re-enabled, this plaintext key is removed and the computer is again secure.

Exam Tip: Keep in mind the conditions under which you might need to disable BitLocker. Also remember the limitations of BitLocker without a TPM 1.2 chip.

Select Decrypt The Drive when you want to completely remove BitLocker from a computer. This process is as time-consuming as performing the initial drive encryption—perhaps more so because more data might be stored on the computer than when the initial encryption occurred. After the decryption process is finished, the computer is returned to its pre-encrypted state and the data stored on it is no longer protected by BitLocker. Decrypting the drive will not decrypt EFS-encrypted files stored on the hard disk drive.


4. Your network is configured as shown in the following diagram.

Each office contains a server that has the File Services server role installed. The servers have a shared folder named Resources.

You need to plan the data availability of the Resources folder. Your plan must meet the following requirements:

If a WAN link fails, the files in the Resources folder must be available in all of the


If a single server fails, the files in the Resources folder must be available in each of the branch offices, and the users must be able to use existing drive mappings.

Your plan must minimize network traffic over the WAN links.

What should you include in your plan?

A. a standalone DFS namespace that uses DFS Replication in a full mesh topology

B. a domain-based DFS namespace that uses DFS Replication in a full mesh topology

C. a standalone DFS namespace that uses DFS Replication in a hub and spoke topology

D. a domain-based DFS namespace that uses DFS Replication in a hub and spoke


Answer: D


MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Distributed File System (DFS)

DFS is considerably enhanced in Windows Server 2008. It consists of two technologies, DFS Namespaces and DFS Replication, that you can use (together or independently) to provide fault-tolerant and flexible file sharing and replication

DFS Namespaces lets you group shared folders on different servers (and in multiple sites) into one or more logically structured namespaces. Users view each namespace as a single shared folder with a series of subfolders. The underlying shared folders structure is hidden from users, and this structure provides fault tolerance and the ability to automatically connect users to local shared folders, when available, instead of routing them over wide area network (WAN) connections.

DFS Replication provides a multimaster replication engine that lets you synchronize folders on multiple servers across local or WAN connections. It uses the Remote Differential Compression (RDC) protocol to update only those files that have changed since the last replication. You can use DFS Replication in conjunction with DFS Namespaces or by itself.

Specifying the Replication Topology

The replication topology defines the logical connections that DFSR uses to replicate files among servers. When choosing or changing a topology, remember that two one-way connections are created between the members you choose, thus allowing data to flow in both directions. To create or change a replication topology in the DFS Management console, right-click the replication group for which you want to define a new topology and then click New Topology. The New Topology Wizard lets you choose one of the following

Hub And Spoke: This topology requires three or more members. For each spoke member, you should choose a required hub member and an optional second hub member for redundancy. This optional hub ensures that a spoke member can still replicate if one of the hub members is unavailable. If you specify more than one hub member, the hub members will have a full-mesh topology between them.

Full Mesh: In this topology, every member replicates with all the other members of the replication group. This topology works well when 10 or fewer members are in the replication group.


5. Your network contains a Web-based Application that runs on Windows Server 2003. You plan to migrate the Web-based Application to Windows Server 2008 R2. You need to recommend a server configuration to support the Web-based Application.

The server configuration must meet the following requirements:

Ensure that the Application is available to all users if a single server fails

Support the installation of .NET Applications

Minimize software costs

What should you recommend?

A. Install the Server Core installation of Windows Server 2008 R2 Standard on two servers. Configure the servers in a Network Load Balancing cluster.

B. Install the full installation of Windows Server 2008 R2 Web on two servers. Configure the servers in a Network Load Balancing cluster.

C. Install the full installation of Windows Server 2008 R2 Enterprise on two servers. Configure the servers in a failover cluster.

D. Install the full installation of Windows Server 2008 R2 Datacenter on two servers. Configure the servers in a failover cluster.

Answer: B


Web Edition meets the requirements

Windows Web Server 2008 R2

Windows Web Server 2008 R2 is designed to function specifically as a Web application

Other roles, such as Windows Deployment Server and Active Directory Domain Services (AD DS), are not supported on Windows Web Server 2008 R2. You deploy this server role either on a screened subnet to support a website viewable to external hosts or as an intranet server. As appropriate given its stripped-down role, Windows Web Server 2008 R2 does not support the high-powered hardware configurations that other editions of Windows Server 2008 R2 do. Windows Web Server 2008 R2 has the following properties:

Supports a maximum of 32 GB of RAM and 4 sockets in symmetric multiprocessing (SMP)

You should plan to deploy Windows Web Server 2008 R2 in the Server Core configuration, which minimizes its attack surface, something that is very important on a server that interacts with hosts external to your network environment. You should plan to deploy the full version of Windows Web Server 2008 R2 only if your organization’s web applications rely on features that are not available in the Server Core version of Windows Web Server 2008 R2. Unlike the Server Core version of Windows Web Server 2008, Windows Web Server 2008 R2 supports a greater amount of Internet Information Services (IIS)


Configuring Windows Network Load Balancing

While DNS Round Robin is a simple way of distributing requests, Windows Server 2008 NLB is a much more robust form of providing high availability to applications. Using NLB, an administrator can configure multiple servers to operate as a single cluster and control the usage of the cluster in near real-time.

Why Failover Cluster will not work.

Contrast DNS Round Robin and NLB with Failover Clustering, another availability technology in Windows Server 2008. Formerly known as server clustering, Failover Clustering creates a group of computers that all have access to the same data store or disk resource or network share. The applications running on a Failover Cluster must be cluster-aware. Failover Clustering has had some changes since Windows Server 2003. Lesson 2 will cover these changes.
