Microsoft 70-646 ExamPro: Windows Server 2008 - Server Administrator

Total Question: 262 Last Updated: Aug 19,2019

Latest Microsoft 70-646 Dumps (Topic 3)

16. Your network contains a single Active Directory domain. All domain controllers run Windows Server 2008 R2. There are 1,000 client computers that run Windows 7 and that are connected to managed switches. You need to recommend a strategy for network access that meets the following requirements:

· Users are unable to bypass network access restrictions.
· Only client computers that have up-to-date service packs installed can access the network.
· Only client computers that have up-to-date antimalware software installed can access the network.

What should you recommend?

A. Implement Network Access Protection (NAP) that uses DHCP enforcement.
B. Implement Network Access Protection (NAP) that uses 802.1x enforcement.
C. Implement a Network Policy Server (NPS), and enable IPsec on the domain controllers.
D. Implement a Network Policy Server (NPS), and enable Remote Authentication Dial-In User Service (RADIUS) authentication on the managed switches.

Answer: B


MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Integration with network access protection (NAP)
System Center Configuration Manager 2007 lets your organization enforce compliance of software updates on client computers. This helps protect the integrity of the corporate network through integration with the Microsoft Windows Server 2008 NAP policy enforcement platform. NAP policies enable you to define which software updates to include in your system health requirements. If a client computer attempts to access your network, NAP and System Center Configuration Manager 2007 work together to determine the client’s health state compliance and determine whether the client is granted full or restricted network access. If the client is noncompliant, System Center Configuration Manager 2007 can deliver the necessary software updates so that the client can meet system health requirements and be granted full network access.

Restrict network access
System Center Configuration Manager 2007 NAP enables you to include software updates in your system health requirements. NAP policies define which software updates need to be included, and the System Center Configuration Manager 2007 System Health Validator point passes the client’s compliant or noncompliant health state to the Network Policy Server, which determines whether to grant the client full or restricted network access. Noncompliant clients can be automatically brought into compliance through remediation. This requires the System Center Configuration Manager 2007 software updates feature to be configured and operational.

NAP Enforcement Methods
When a computer is found to be noncompliant with the enforced health policy, NAP enforces limited network access. This is done through an Enforcement Client (EC). Windows Vista, Windows XP Service Pack 3, and Windows Server 2008 include NAP EC support for IPsec, IEEE 802.1X, Remote Access VPN, and DHCP enforcement methods. Windows Vista and Windows Server 2008 also support NAP enforcement for Terminal Server Gateway connections.

NAP enforcement methods can either be used individually or can be used in conjunction with each other to limit the network access of computers that are found not to be in compliance with configured health policies. Hence you can apply the remote access VPN and IPsec enforcement methods to ensure that internal clients and clients coming in from the Internet are only granted access to resources if they meet the appropriate client health

802.1X NAP Enforcement
802.1X enforcement makes use of authenticating Ethernet switches or IEEE 802.11 Wireless Access Points. These compliant switches and access points only grant unlimited network access to computers that meet the compliance requirement. Computers that do not meet the compliance requirement are limited in their communication by a restricted access profile. Restricted access profiles work by applying IP packet filters or VLAN (Virtual Local Area Network) identifiers. This means that hosts that have the restricted access profile are allowed only limited network communication. This limited network communication generally allows access to remediation servers. You will learn more about remediation servers later in this lesson.

An advantage of 802.1X enforcement is that the health status of clients is constantly assessed. Connected clients that become noncompliant will automatically be placed under the restricted access profile. Clients under the restricted access profile that become compliant will have that profile removed and will be able to communicate with other hosts on the network in an unrestricted manner. For example, suppose that a new antivirus update comes out. Clients that have not installed the update are put under a restricted access profile until the new update is installed. Once the new update is installed, the clients are returned to full network access.

A Windows Server 2008 computer with the Network Policy Server role is necessary to support 802.1X NAP enforcement. It is also necessary to have switch and/or wireless access point hardware that is 802.1X-compliant. Client computers must be running Windows Vista, Windows Server 2008, or Windows XP Service Pack 3 because these operating systems include the EAPHost EC.

MORE INFO 802.1X enforcement step-by-step
For more detailed information on implementing 802.1X NAP enforcement, consult the following Step-by-Step guide on TechNet:
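The explanation above says 802.1X enforcement only works when the client has the EAPHost enforcement client and the NAP Agent; a client that is missing either is silently treated as noncompliant and lands in the restricted VLAN. The script below is an added example (not from the training kit or the exam) that checks those client-side prerequisites on a Windows 7 or Vista machine using only the built-in `netsh nap client` context and the standard service names (napagent, dot3svc, EapHost). The regular expressions assume the `netsh` output layout of that Windows generation.

```powershell
# Added example, not from the training kit: check whether a Windows 7 / Vista client is
# ready for NAP 802.1X enforcement. Run from an elevated PowerShell prompt on the client.
# Service names are the built-in ones (napagent, dot3svc, EapHost); the regexes assume
# the "netsh nap client" output layout of the Windows 7 era.

function Get-NapClientReadiness {
    $result = @{}

    # 1. The NAP Agent service must be running, or the client never produces a
    #    statement of health and will always be treated as noncompliant.
    $agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $result['NapAgentRunning'] = ($null -ne $agent -and $agent.Status -eq 'Running')

    # 2. Wired AutoConfig (dot3svc) is the 802.1X supplicant for Ethernet;
    #    EapHost carries the EAP (PEAP) conversation to the switch and on to NPS.
    foreach ($svc in 'dot3svc', 'EapHost') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result["${svc}Running"] = ($null -ne $s -and $s.Status -eq 'Running')
    }

    # 3. The EAP Quarantine Enforcement Client must be enabled; if it is not, the client
    #    authenticates normally but never presents its health state to the switch.
    $config = (netsh nap client show config) -join "`n"
    $eap = [regex]::Match($config, 'EAP Quarantine Enforcement Client[\s\S]*?Admin\s*=\s*(\w+)')
    $result['EapEnforcementClientEnabled'] = ($eap.Success -and $eap.Groups[1].Value -eq 'Enabled')

    # 4. The agent's current view of its own restriction state (e.g. "Not restricted").
    $state = (netsh nap client show state) -join "`n"
    $result['RestrictionState'] = [regex]::Match($state, 'Restriction state\s*=\s*([^\r\n]+)').Groups[1].Value.Trim()

    return New-Object PSObject -Property $result
}

$readiness = Get-NapClientReadiness
$readiness | Format-List

if (-not $readiness.EapEnforcementClientEnabled) {
    # Enforcement client IDs are fixed; 79623 is the EAP Quarantine Enforcement Client.
    Write-Warning 'Enable it with: netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"'
}
```

In a domain deployment the enforcement client and the NAP Agent startup type are normally pushed by Group Policy, so a client that fails this check usually indicates a policy that has not applied rather than a machine to fix by hand.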


17. Your network consists of a single Active Directory domain. All servers run Windows Server 2008 R2. All client computers run Windows 7. Some users have laptop computers and work remotely from home.

You need to plan a data provisioning infrastructure to secure sensitive files. Your plan must meet the following requirements:

Files must be stored in an encrypted format.
Files must be accessible by remote users over the Internet.
Files must be encrypted while they are transmitted over the Internet.

What should you include in your plan?

A. Deploy one Microsoft SharePoint Foundation 2010 site. Require users to access the SharePoint site by using a Secure Socket Transmission Protocol (SSTP) connection.
B. Deploy two Microsoft SharePoint Foundation 2010 sites. Configure one site for internal users. Configure the other site for remote users. Publish the SharePoint sites by using
C. Configure a Network Policy and Access Services (NPAS) server to act as a VPN server. Require remote users to access the files by using an IPsec connection to the VPN server.
D. Store all sensitive files in folders that are encrypted by using Encrypting File System (EFS). Require remote users to access the files by using Secure Socket Transmission Protocol (SSTP).

Answer: D


MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Encrypting File System
Encrypting File System (EFS) is another method through which you can ensure the integrity of data. Unlike BitLocker, which encrypts all data on a volume using a single encryption key that is tied to the computer, EFS allows for the encryption of individual files and folders using a public encryption key tied to a specific user account. The encrypted file can only be decrypted using a private encryption key that is accessible only to the user. It is also possible to encrypt documents to other users’ public EFS certificates. A document encrypted to another user’s public EFS certificate can only be decrypted by that user’s private certificate.

Security Groups cannot hold encryption certificates, so the number of users that can access an encrypted document is always limited to the individual EFS certificates that have been assigned to the document. Only a user that originally encrypts the file or a user whose certificate is already assigned to the file can add another user’s certificate to that file. With EFS there is no chance that an encrypted file on a departmental shared folder might be accessed by someone who should not have access because of incorrectly configured NTFS or Shared Folder permissions. As many administrators know, teaching regular staff to configure NTFS permissions can be challenging. The situation gets even more complicated when you take into account Shared Folder permissions. Teaching staff to use EFS to limit access to documents is significantly simpler than explaining NTFS

If you are considering deployment of EFS throughout your organization, you should remember that the default configuration of EFS uses self-signed certificates. These are certificates generated by the user’s computer rather than a Certificate Authority and can cause problems with sharing documents because they are not necessarily accessible from other computers where the user has not encrypted documents. A more robust solution is to modify the default EFS Certificate Template that is provided with a Windows Server 2008 Enterprise Certificate Authority to enable autoenrollment. EFS certificates automatically issued by an Enterprise CA can be stored in Active Directory and applied to files that need to be shared between multiple users.

Another EFS deployment option involves smart cards. In organizations where users authenticate using smart cards, their private EFS certificates can be stored on a smart card and their public certificates stored within Active Directory. You can learn more about configuring templates for autoenrollment in Chapter 10, “Certificate Services and Storage Area Networks.”

For more information on Encrypting File System in Windows Server 2008, consult the following TechNet article:
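Two points in the EFS explanation are easy to verify on a workstation: which certificates can decrypt a given file (and that only someone who already can decrypt it may add another), and whether the user's own EFS certificate is the default self-signed one that cannot be shared. The script below is an added example, not from the training kit, using only built-in tools (the certificate provider and `cipher.exe` on Windows Vista or later). The demo file is constructed in %TEMP% and the other user's certificate hash is a placeholder.

```powershell
# Added example, not from the training kit: inspect the current user's EFS certificate
# and see or change which certificates can decrypt a file, using only built-in tools
# (the certificate provider and cipher.exe, Windows Vista or later). The demo file is
# constructed in %TEMP%; the other user's certificate hash is a placeholder.

$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Get-EfsCertificate {
    # Lists EFS-capable certificates in the user's personal store. Subject equal to
    # Issuer means the default self-signed certificate the text warns about: it is not
    # published anywhere, so other users cannot encrypt files to it.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsEkuOid })
    } | Select-Object Thumbprint, Subject, Issuer, NotAfter,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } }
}

function Show-EfsAccess {
    param([string]$Path)
    # cipher /c prints the users and recovery agents whose certificates can decrypt the file.
    & cipher.exe /c $Path
}

function Grant-EfsAccess {
    param([string]$Path, [string]$CertHash)
    # Works only when run by a user who can already decrypt the file, which is the
    # restriction described in the text; the hash is the SHA-1 thumbprint of the
    # other user's EFS certificate (from their certificate store or from AD).
    & cipher.exe /adduser "/certhash:$CertHash" $Path
}

# Constructed demo file, encrypted with the current user's EFS certificate.
$demo = Join-Path $env:TEMP 'efs-demo.txt'
'sensitive text (constructed sample)' | Set-Content -Path $demo
& cipher.exe /e /a $demo | Out-Null

Get-EfsCertificate | Format-Table -AutoSize
Show-EfsAccess -Path $demo
# Grant-EfsAccess -Path $demo -CertHash '<thumbprint of the other user''s EFS certificate>'
```

If `Get-EfsCertificate` reports `SelfSigned = True`, the user is on the default configuration the text describes; moving to autoenrolled certificates from an Enterprise CA is what makes the `Grant-EfsAccess` step practical across computers, because the other user's public certificate can then be found in Active Directory instead of on their machine.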


Quick Check
1. From a normal user’s perspective, in terms of encryption functionality, how does EFS differ from BitLocker?
2. What type of auditing policy should you implement to track access to sensitive files?

Quick Check Answers
1. BitLocker works on entire volumes and is transparent to the user. EFS works on individual files and folders and can be configured by the user.
2. Auditing Object Access.

Windows Server 2008 VPN Protocols
Windows Server 2008 supports three different VPN protocols: Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol over IPsec (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP). The factors that will influence the protocol you choose to deploy in your own network environment include client operating system, certificate infrastructure, and how your organization’s firewall is deployed.

Windows XP remote access clients, because these clients cannot use SSTP

SSTP
Secure Socket Tunneling Protocol (SSTP) is a VPN technology that makes its debut with Windows Server 2008. SSTP VPN tunnels allow traffic to pass across firewalls that block traditional PPTP or L2TP/IPsec VPN traffic. SSTP works by encapsulating Point-to-Point Protocol (PPP) traffic over the Secure Sockets Layer (SSL) channel of the Secure Hypertext Transfer Protocol (HTTPS) protocol. Expressed more directly, SSTP piggybacks PPP over HTTPS. This means that SSTP traffic passes across TCP port 443, which is almost certain to be open on any firewall between the Internet and a public-facing Web server on an organization’s screened subnet.

When planning for the deployment of SSTP, you need to take into account the following

SSTP is only supported with Windows Server 2008 and Windows Vista with Service Pack

SSTP requires that the client trust the CA that issues the VPN server’s SSL certificate.

The SSL certificate must be installed on the server that will function as the VPN server prior to the installation of Routing and Remote Access; otherwise, SSTP will not be available.

The SSL certificate subject name and the host name that external clients use to connect to the VPN server must match, and the client Windows Vista SP1 computer must trust the issuing CA.

SSTP does not support tunneling through Web proxies that require authentication.

SSTP does not support site-to-site tunnels. (PPTP and L2TP do.)

To learn more about SSTP, see the following SSTP deployment walkthrough document at
Deploying%20SSTP %20Remote%20Access%20Step%20by%20Step%20Guide.doc.
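The SSTP planning points above reduce to a few properties of one certificate in the VPN server's machine store: it must be present with its private key before Routing and Remote Access is installed, carry the Server Authentication usage, chain to a CA the clients trust, and name the host that external clients dial. The script below is an added example, not from the training kit, that reads those properties with the certificate provider and .NET X509 classes; `vpn.contoso.internal` is a constructed host name and `Test-SstpCertificate` is a name chosen for the example.

```powershell
# Added example, not from the training kit: check the SSTP certificate prerequisites
# listed in the text on the prospective VPN server, before installing Routing and
# Remote Access. Run elevated. -ExternalName is the DNS name remote clients will use.

function Test-SstpCertificate {
    param([Parameter(Mandatory = $true)][string]$ExternalName)

    $dnsType       = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
    $sanOid        = '2.5.29.17'           # Subject Alternative Name extension

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Server Authentication EKU: without it SSL/TLS clients reject the server.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = ($null -ne $eku) -and
            ($null -ne ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

        # The subject CN (and any SAN DNS entries) must match the name clients connect to.
        $names = @($cert.GetNameInfo($dnsType, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($san) {
            # Format() yields "DNS Name=a, DNS Name=b"; keep the values after "=".
            $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] })
        }

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey      # RRAS cannot use a cert without its key
            ServerAuthEku = $hasServerAuth
            NameMatches   = ($names -contains $ExternalName)
            ChainTrusted  = $cert.Verify()           # fails if the issuing CA is not trusted here
            Expired       = ($cert.NotAfter -lt (Get-Date))
        }
    } | Where-Object { $_.ServerAuthEku }
}

# Constructed example host name; use the name in the clients' VPN connection properties.
Test-SstpCertificate -ExternalName 'vpn.contoso.internal' |
    Format-Table Subject, HasPrivateKey, NameMatches, ChainTrusted, Expired -AutoSize
```

`ChainTrusted` is evaluated on the server, so a `True` there only shows that the server trusts its own CA; the text's requirement is that the Vista SP1 client trusts it, which for an internal CA means the root must also reach the clients' Trusted Root store (by Group Policy or the CA's own autoenrollment).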


18. Your network consists of an Active Directory domain. The domain controllers run Windows Server 2008 R2. Client computers run Windows 7.

You need to implement Encrypting File System (EFS) for all client computers. You want to achieve this goal while meeting the following requirements:

You must minimize the amount of data that is transferred across the network when a user logs on to or off from a client computer.
Users must be able to access their EFS certificates on any client computers.
If a client computer's disk fails, EFS certificates must be accessible.

What should you do?

A. Enable credential roaming.
B. Enable roaming user profiles.
C. Enable a Data Recovery Agent.
D. Issue smart cards to all users.

Answer: A


Configuring Credential Roaming
Credential roaming allows for the storage of certificates and private keys within Active Directory. For example, a user’s encrypting file system certificate can be stored in Active Directory and provided to the user when she logs on to different computers within the domain. The same EFS certificate will always be used to encrypt files. This means that the user can encrypt files on an NTFS-formatted USB storage device on one computer and then decrypt them on another, because the EFS certificate will be transferred to the second computer’s certificate store during the logon process. Credential roaming also allows for all of a user’s certificates and keys to be removed when he logs off of the computer.

Credential roaming is enabled through the Certificate Services Client policy, located under User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies and shown in Figure 10-4.

Figure 10-4 Credential Roaming Policy

Credential roaming works in the following manner. When a user logs on to a client computer in a domain where the Credential Roaming Policy has been enabled, the certificates in the user’s store on the client computer are compared to certificates stored for the user within Active Directory.

If the certificates in the user’s certificate store are up to date, no further action is taken.

If more recent certificates for the user are stored in Active Directory, these credentials are copied to the client computer.

If more recent certificates are located in the user’s store, the certificates stored in Active Directory are updated.

Credential roaming synchronizes and resolves any conflicts between certificates and private keys from any number of client computers that a user logs on to, as well as certificates and private keys stored within Active Directory. Credential roaming is triggered whenever a private key or certificate in the local certificate store changes, whenever the user locks or unlocks a computer, and whenever Group Policy refreshes. Credential roaming is supported on Windows Vista, Windows Server 2008, Windows XP SP2, and Windows Server 2003.

MORE INFO More on credential roaming
For more information on configuring credential roaming, consult the following TechNet

9b12a1f19a331 033.mspx?mfr=true
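The synchronization the text describes (local store compared with the copy on the user's directory object at logon, lock/unlock and policy refresh) can be confirmed from a client by looking at both sides. The script below is an added example, not from the training kit: it lists the private-key certificates in the logged-on user's personal store and queries the user's Active Directory object through plain ADSI for the attributes credential roaming writes. The attribute names (msPKIRoamingTimeStamp, msPKIAccountCredentials) are given from memory of the feature's schema and should be confirmed in your forest; `Get-CredentialRoamingStatus` is a name chosen for the example.

```powershell
# Added example, not from the training kit: compare the certificates in the logged-on
# user's local store with the credential roaming data on the user's AD object, to
# confirm that roaming is actually synchronizing. The AD attribute names
# (msPKIRoamingTimeStamp, msPKIAccountCredentials) are from memory of the credential
# roaming schema; verify them in your forest before relying on this check.

function Get-CredentialRoamingStatus {
    # Local side: credential roaming roams every user certificate that has a private
    # key, so after a successful sync this set is the same on each computer used.
    $localCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }

    # Directory side: bind to the current user's object with ADSI (no RSAT needed).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
    [void]$searcher.PropertiesToLoad.Add('msPKIRoamingTimeStamp')
    [void]$searcher.PropertiesToLoad.Add('msPKIAccountCredentials')
    $user = $searcher.FindOne()

    $hasRoamingData = $false
    $roamedEntries  = 0
    if ($user) {
        # Both attributes are binary blobs; presence of the timestamp and the number
        # of credential entries are enough to tell whether roaming has ever synced.
        $hasRoamingData = $user.Properties.Contains('mspkiroamingtimestamp')
        if ($user.Properties.Contains('mspkiaccountcredentials')) {
            $roamedEntries = $user.Properties['mspkiaccountcredentials'].Count
        }
    }

    New-Object PSObject -Property @{
        User                = $env:USERNAME
        LocalKeyThumbprints = @($localCerts | ForEach-Object { $_.Thumbprint })
        LocalKeyCount       = @($localCerts).Count
        AdHasRoamingData    = $hasRoamingData
        AdCredentialEntries = $roamedEntries
    }
}

Get-CredentialRoamingStatus | Format-List
```

A user with certificates in the local store but `AdHasRoamingData = False` has never roamed, which usually means the Certificate Services Client policy has not applied to that user; running the check on a second computer after logon should show the same `LocalKeyThumbprints` once roaming works.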



19. You are designing a monitoring solution to log performance for servers that run Windows Server 2008 R2. The monitoring solution must allow members of the Performance Log Users group to create and modify Data Collector Sets. You need to grant members of the Performance Log Users group the necessary

Which User Rights Assignment policy should you configure?

To answer, select the appropriate User Rights Assignment policy in the answer area.





20. Your company has a main office and a branch office. Your network contains a single Active Directory domain. The functional level of the domain is Windows Server 2008 R2. An Active Directory site exists for each office. All servers run Windows Server 2008 R2. You plan to deploy file servers in each office.

You need to design a file sharing strategy to meet the following requirements:

Users in both offices must be able to access the same files.
Users in both offices must use the same Universal Naming Convention (UNC) path to access files.
The design must reduce the amount of bandwidth used to access files.
Users must be able to access files even if a server fails.

What should you include in your design?

A. A standalone DFS namespace that uses replication.
B. A domain-based DFS namespace that uses replication.
C. A multisite failover cluster that contains a server located in the main office and another server located in the branch office.
D. A Network Load Balancing cluster that contains a server located in the main office and another server located in the branch office.

Answer: B


MCITP Self-Paced Training Kit Exam 70-646 Windows Server Administration:

Domain-Based Namespaces
You can create domain-based namespaces on one or more member servers or DCs in the same domain. Metadata for a domain-based namespace is stored by AD DS. Each server must contain an NTFS volume to host the namespace. Multiple namespace servers increase the availability of the namespace and ensure failover protection. A domain-based namespace cannot be a clustered resource in a failover cluster. However, you can locate the namespace on a server that is also a node in a failover cluster provided that you configure the namespace to use only local resources on that server. A domain-based namespace in Windows Server 2008 mode supports access-based enumeration. Windows Server 2008 mode is discussed later in this lesson.

You choose a domain-based namespace if you want to use multiple namespace servers to ensure the availability of the namespace, or if you want to make the name of the namespace server invisible to users. When users do not need to know the UNC path to a namespace folder it is easier to replace the namespace server or migrate the namespace to another server. If, for example, a stand-alone namespace called \\Glasgow\Books needed to be transferred to a server called Brisbane, it would become \\Brisbane\Books. However, if it were a domain-based namespace (assuming Brisbane and Glasgow are both in the Contoso.internal domain), it would be \\Contoso.internal\Books no matter which server hosted it, and it could be transferred from one server to the other without this transfer being apparent to the user, who would continue to use \\Contoso.internal\Books to access
