Microsoft_70-642
www.alldumps.com

TS: Windows Server 2008 Network Infrastructure, Configuring
Number: 70-642
Passing Score: 700
Questions: 230

Sections
1. Configure IPv4 and IPv6 addressing
2. Configure Dynamic Host Configuration Protocol (DHCP)
3. Configure routing
4. Configure Windows Firewall with Advanced Security
5. Gather network data
6. Configure performance monitoring
7. Configure event logs
8. Configure Windows Server Update Services (WSUS) server settings
9. Configure remote access
10. Configure Network Access Protection
11. Configure DirectAccess
12. Configure Network Policy Server (NPS)
13. Configure a Domain Name System (DNS) server
14. Configure DNS zones
15. Configure DNS records
16. Configure DNS replication
17. Configure name resolution for client computers
18. Configure IPSEC
19. Configure a file server
20. Configure Distributed File System (DFS)
21. Configure backup and restore
22. Manage file server resources
23. Configure and monitor print services

Exam A

QUESTION 1
Your network contains 100 servers that run Windows Server 2008 R2. A server named Server1 is deployed on the network. Server1 will be used to collect events from the Security event logs of the other servers on the network. You need to define the Custom Event Delivery Optimization settings on Server1. Which tool should you use?

A. Event Viewer

B. Task Scheduler

C. Wecutil

D. Wevtutil

Answer: C
Section: Configure event logs
Explanation/Reference:
The Custom event delivery option is never used when managing subscriptions created by using the Event Viewer snap-in. The Event Viewer can only create subscriptions with event delivery settings that correspond to the Normal, Minimize Bandwidth or Minimize Latency options. However, you can use Event Viewer to manage a subscription that was created or updated by using a different method, like the wecutil command-line tool. In that case, the Custom option is selected to indicate that the set of delivery settings of the subscription do not correspond to any of those supported by Event Viewer.

Reference: http://technet.microsoft.com/en-us/library/cc749167.aspx

QUESTION 2
Your network contains a server that runs Windows Server 2008 R2. You plan to create a custom script. You need to ensure that each time the script runs, an entry is added to the Application event log. Which tool should you use?

A. Eventcreate

B. Eventvwr

C. Wecutil

D. Wevtutil

Answer: A
Section: Configure event logs
Explanation/Reference:
Eventcreate: Enables an administrator to create a custom event in a specified event log.

Reference: http://technet.microsoft.com/en-us/library/bb490899.aspx

QUESTION 3
Your network contains a server that has the SNMP Service installed. You need to configure the SNMP security settings on the server. Which tool should you use?

A. Local Security Policy

B. Scw

C. Secedit

D. Services console

Answer: D
Section: Gather network data
Explanation/Reference:
To configure SNMP agent information:
1. Click Start, point to Control Panel, point to Administrative Tools, and then click Computer Management.
2. In the console tree, expand Services and Applications, and then click Services.
3. In the right pane, double-click SNMP Service to configure the service (or right-click and select Properties).

Reference: http://support.microsoft.com/kb/324263

QUESTION 4
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the SNMP Service installed. You perform an SNMP query against Server1 and discover that the query returns the incorrect identification information. You need to change the identification information returned by Server1. What should you do?

A. From the properties of the SNMP Service, modify the Agent settings.

B. From the properties of the SNMP Service, modify the General settings.

C. From the properties of the SNMP Trap Service, modify the Logon settings.

D. From the properties of the SNMP Trap Service, modify the General settings.

Answer: A
Section: Gather network data
Explanation/Reference:
The SNMP Agent tab lets you modify the name of the user or administrator and the physical location of the computer or contact.

Reference: http://support.microsoft.com/kb/324263

QUESTION 5
You need to capture the HTTP traffic to and from a server every day between 09:00 and 10:00. What should you do?

A. Create a scheduled task that runs the Netsh tool.

B. Create a scheduled task that runs the Nmcap tool.

C. From Network Monitor, configure the General options.

D. From Network Monitor, configure the Capture options.

Answer: B
Section: Gather network data
Explanation/Reference:
NMCap is a tool that runs from the command line and allows you to set all kinds of options to control when it starts, when it stops, how it stops, what it captures, where it captures, in all kinds of variations. This allows you to script it so that when you want somebody to get a trace, you get exactly what you want.

Reference: http://blogs.technet.com/b/netmon/archive/2006/10/24/nmcap-the-easy-way-to-automate-capturing.aspx

QUESTION 6
Your network contains a single Active Directory domain. All servers run Windows Server 2008 R2. A DHCP server is deployed on the network and configured to provide IPv6 prefixes. You need to ensure that when you monitor network traffic, you see the interface identifiers derived from the Extended Unique Identifier (EUI)-64 address. Which command should you run?

A. netsh.exe interface ipv6 set global addressmaskreply=disabled

B. netsh.exe interface ipv6 set global dhcpmediasense=enabled

C. netsh.exe interface ipv6 set global randomizeidentifiers=disabled

D. netsh.exe interface ipv6 set privacy state=enabled

Answer: C
Section: Gather network data
Explanation/Reference:
The last 64 bits of an IPv6 address are the interface identifier that is unique to the 64-bit prefix of the IPv6 address. The ways in which an interface identifier can be assigned are as follows:

All unicast addresses that use the prefixes 001 through 111 must also use a 64-bit interface identifier that is derived from the Extended Unique Identifier (EUI)-64 address.
A randomly-generated interface identifier that changes over time to provide a level of anonymity.
Assigned during stateful address autoconfiguration.
Manually configured.

Windows, by default, generates random interface IDs for non-temporary autoconfigured IPv6 addresses, including public and link-local addresses. If you want to use the EUI-64 as the interface identifier, you need to prevent Windows from using Random Identifiers by doing the following:
1. Click Start, search for "cmd", right-click it and choose "Run as Administrator". This should launch the command window with elevated privileges.
2. Run the following command:
C:\windows\system32> netsh interface ipv6 set global randomizeidentifiers=disabled

The MAC addresses (in EUI-48 format by default) can be converted into an EUI-64 interface ID by copying the OUI (first three octets in the MAC address), appending the two octets FF-FE, and then copying the organization-specified part. For example, an EUI-48 MAC address of 01:23:45:67:89:AB would be converted into the EUI-64 address of 0123:45FF:FE67:89AB.

References:
http://technet.microsoft.com/en-us/library/cc736439(WS.10).aspx
http://en.wikipedia.org/wiki/Extended_Unique_Identifier
http://www.windowsreference.com/networking/disable-ipv6-random-identifier-in-windows-7-server-2008-vista/

QUESTION 7
Your network contains a server named Server1 that runs Windows Server 2008 R2. Server1 has the Routing and Remote Access service (RRAS) role service installed. You need to view all inbound VPN packets. The solution must minimize the amount of data collected. What should you do?

A. From RRAS, create an inbound packet filter.

B. From Network Monitor, create a capture filter.

C. From the Registry Editor, configure file tracing for RRAS.

D. At the command prompt, run netsh.exe ras set tracing rasauth enabled.

Answer: B
Section: Gather network data
Explanation/Reference:
Microsoft RRAS includes a stateless 5-tuple packet filter, also called Inbound and Outbound packet filters (or static filters). These filters can be applied on any interface: public, private, or per PPP connection. In other words, it can filter packets destined to or originating from the RRAS server as well as packets being forwarded. It allows packets to be filtered based upon source IP address/mask, destination IP address/mask, IP protocol type, source port number (for TCP/UDP), and destination port number (for TCP/UDP).

Reference: http://blogs.technet.com/b/rrasblog/archive/2006/06/14/435839.aspx

QUESTION 8
Your company is designing its public network. The network will use an IPv4 range of 131.107.40.0/22. The network must be configured as shown in the following exhibit. You need to configure subnets for each segment. Which network addresses should you assign?

Exhibit:

A. Segment A: 131.107.40.0/23 Segment B: 131.107.42.0/24 Segment C: 131.107.43.0/25 Segment D: 131.107.43.128/27

B. Segment A: 131.107.40.0/25 Segment B: 131.107.40.128/26 Segment C: 131.107.43.192/27 Segment D: 131.107.43.224/30

C. Segment A: 131.107.40.0/23 Segment B: 131.107.41.0/24 Segment C: 131.107.41.128/25 Segment D: 131.107.43.0/27

D. Segment A: 131.107.40.128/23 Segment B: 131.107.43.0/24 Segment C: 131.107.44.0/25 Segment D: 131.107.44.128/27

Answer: A
Section: Configure IPv4 and IPv6 addressing
Explanation/Reference:
Given the network 131.107.40.0/22, if we consider this from a CIDR value of /24, we have taken 2 network bits and given them to the host bits to get to a /22. This means that we have 2 network bits to play with, which gives us 2^2, or 4 networks. The four '/24' networks that have been folded into 131.107.40.0/22 are:

131.107.40.0/24
131.107.41.0/24
131.107.42.0/24
131.107.43.0/24

Our job is to mix and match those networks to fit the host size requirements listed. A single Class C network has a maximum of 254 hosts available, so the 131.107.40.0/24 network is not big enough to fit the required 280 computers. This means that we need to 'steal' one bit from the network and give it to the host bit. This will 'consume' or 'subsume' the 131.107.41.0/24 network into the 131.107.40.0/23 network. So we can eliminate Answer B, since its first address listed is /25, not the required /23.

The next network we need has 180 computers. This fits in the /24 network size of 254 hosts, but not in half of that network which would only fit 126 hosts, so we need to leave that network at a /24 value. The next 'available' network of those remaining is: 131.107.42.0/24

We don't really need to go any further, since there is only one answer that has the second network listed as 131.107.42.0/24.

QUESTION 9
Your company has an IPv6 network that has 25 segments. You deploy a server on the IPv6 network. You need to ensure that the server can communicate with all segments on the IPv6 network. What should you do?

A. Configure the IPv6 address as fd00::2b0:d0ff:fee9:4143/8.

B. Configure the IPv6 address as fe80::2b0:d0ff:fee9:4143/64.

C. Configure the IPv6 address as ff80::2b0:d0ff:fee9:4143/64.

D. Configure the IPv6 address as 0000::2b0:d0ff:fee9:4143/64.

Answer: A
Section: Configure IPv4 and IPv6 addressing
Explanation/Reference:
IPv6 addresses use different types of prefixes, which are used to determine the address type:

1. Link local address
These are special addresses which will only be valid on a link of an interface. Using this address as destination, the packet would never pass through a router. Similar to APIPA addresses under IPv4. This address type begins with:
fe8x: <- currently the only one in use
fe9x:
feax:
febx:

2. Site local address
These addresses can address multiple sub-nets, but are not routable on the Internet. Similar to private addresses under IPv4. This address type begins with:
fecx: <- most commonly used
fedx:
feex:
fefx:

3. Unique Local IPv6 Unicast Addresses
Because the originally defined site local addresses are not unique, this can lead to major problems if two formerly independent networks are connected later (overlapping of subnets). This and other issues led to a new address type named Unique Local IPv6 Unicast Addresses. This address type begins with:
fcxx:
fdxx: <- currently the only one in use

4. Global address type "(Aggregatable) global unicast"
Today, there is one global address type defined. Similar to public addresses under IPv4. This address type begins with:
2xxx:
3xxx:

5. Multicast addresses
Multicast addresses are used for related services. This address type begins with:
ffxy:

Thus, the answer is the address that starts with fd00, the 'Unique Local IPv6 Unicast Address.'

Incorrect answers:
B. FE80 indicates a Link Local address, which cannot address multiple sub-nets
C. FF80 indicates a Multicast address
D. 0000 is not one of the defined address types listed above

Reference: http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x513.html

QUESTION 10
Your company is designing its network. The network will use an IPv6 prefix of 2001:DB8:BBCC:0000::/53. You need to identify an IPv6 addressing scheme that will support 2000 subnets. Which network mask should you use?

A. /61

B. /62

C. /63

D. /64

Answer: D
Section: Configure IPv4 and IPv6 addressing
Explanation/Reference:
The design of the IPv6 address space differs significantly from IPv4. The primary reason for subnetting in IPv4 is to improve efficiency in the utilization of the relatively small address space available, particularly to enterprises. No such limitations exist in IPv6, as the address space available, even to end-users, is large. The recommended allocation for an IPv6 customer site is an address space with an 80-bit (/48) prefix. This provides 65536 subnets for a site. Despite this recommendation, other common allocations are /56 (72 bits) as well as /64 prefixes for a residential customer network. Of the answers given, only the /64 falls within the recommendations listed above.

Reference: http://en.wikipedia.org/wiki/Subnetwork

QUESTION 11
Your company uses DHCP to lease IPv4 addresses to computers at the main office. A WAN link connects the main office to a branch office. All computers in the branch office are configured with static IP addresses. The branch office does not use DHCP and uses a different subnet. You need to ensure that the portable computers can connect to network resources at the main office and the branch office. How should you configure each portable computer?

A. Use a static IPv4 address in the range used at the branch office.

B. Use an alternate configuration that contains a static IP address in the range used at the main office.

C. Use the address that was assigned by the DHCP server as a static IP address.

D. Use an alternate configuration that contains a static IP address in the range used at the branch office.

Answer: D
Section: Configure IPv4 and IPv6 addressing
Explanation/Reference:
Laptop users often experience problems when moving between networks where DHCP servers aren't consistently used (e.g., moving between an office that uses DHCP to assign IP addresses and a home network that uses static IP addresses). If you configure your computer to use DHCP and no DHCP server is available, the machine will typically use an APIPA address (in the range 169.254.0.1 to 169.254.255.254). The actual IP address will depend on what IP addresses other machines on the local subnet have selected (Windows will perform a limited test to ensure it doesn't use an address already in use). Because the local TCP/IP stack assigns no WINS, DHCP, or gateway information, all IP communication is limited to machines in the local subnet.

Windows lets you create an alternate IP configuration that you can use when your system can't find a DHCP server. This alternate configuration lets you specify an IP address, subnet, gateway, and the other typical network settings.

Reference: http://www.windowsitpro.com/article/tcpip/how-do-i-use-the-windows-xp-alternate-tcp-ip-configuration-.aspx

QUESTION 12
Your company has computers in multiple locations that use IPv4 and IPv6. Each location is protected by a firewall that performs symmetric NAT. You need to allow peer-to-peer communication between all locations. What should you do?

A. Configure dynamic NAT on the firewall.

B. Configure the firewall to allow the use of Teredo.

C. Configure a link local IPv6 address for the internal interface of the firewall.

D. Configure a global IPv6 address for the external interface of the firewall.

Answer: B
Section: Configure Windows Firewall with Advanced Security
Explanation/Reference:
In computer networking, Teredo is a transition technology that allows mutual access between IPv6 hosts and those hosts on the IPv4 Internet which have no direct native connection to an IPv6 network. Compared to other similar protocols, its distinguishing feature is that it is able to perform its function even from behind network address translation (NAT) devices such as home routers.

Reference: http://en.wikipedia.org/wiki/Teredo_tunneling

QUESTION 13
You have a Windows Server 2008 R2 computer that has an IP address of 172.16.45.9/21. The server is configured to use IPv6 addressing. You need to test IPv6 communication to a server that has an IP address of 172.16.40.18/21. What should you do from a command prompt?

A. Type ping 172.16.45.9:::::

B. Type ping ::9.45.16.172

C. Type ping followed by the Link-local address of the server.

D. Type ping followed by the Site-local address of the server.

Answer: C
Section: Configure IPv4 and IPv6 addressing
Explanation/Reference:
The real question here is: are the two computers on the same IPv4 subnet? If they are, they won't have a router between them, and you can use the Link-Local address to communicate between them. If there is a router between them, you will have to use the Site-Local address. However, the Site-Local address is deprecated in favor of the Unique Local address, so that is probably not the correct answer. However, deprecated doesn't mean that it can't be used, so let's test whether the devices are local to one another.

With a CIDR value of /21, the subnet mask is 255.255.248.0. The magic number is 256 - 248 = 8.

This means that the range is 8, so the possible network addresses are: 172.16.0.0, 172.16.8.0, 172.16.16.0, 172.16.24.0, 172.16.32.0, 172.16.40.0, 172.16.48.0...

Both .45. and .40. fall between .40. and .48., so the network addresses are:

172.16.45.9/21 --> Network address is 172.16.40.0

172.16.40.18/21 --> Network address is 172.16.40.0

Thus, they are on the same subnet/segment, and do not have a router between them. You would use the Link-Local address to ping them via IPv6.

Incorrect answers:
A. This would test IPv4 communication, not IPv6
B. The address listed has no meaning in IPv6 (or anywhere, for that matter)
D. The Site-Local address is deprecated, but since there is no router between them you wouldn't use this address anyway

QUESTION 14
Your company has four DNS servers that run Windows Server 2008 R2. Each server has a static IP address. You need to prevent DHCP from assigning the addresses of the DNS servers to DHCP clients. What should you do?

A. Create a new scope for the DNS servers.

B. Create a reservation for the DHCP server.

C. Configure the 005 Name Servers scope option.

D. Configure an exclusion that contains the IP addresses of the four DNS servers.

Answer: D
Section: Configure Dynamic Host Configuration Protocol (DHCP)
Explanation/Reference:
In DHCP, an exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP service offerings. Exclusion ranges assure that any addresses in these ranges are not offered by the server to DHCP clients on your network.

Reference: http://technet.microsoft.com/en-us/library/cc782696(WS.10).aspx

QUESTION 15
You have a DHCP server named Server1 and an application server named Server2. Both servers run Windows Server 2008 R2. The DHCP server contains one scope. You need to ensure that Server2 always receives the same IP address. Server2 must receive its DNS settings and its WINS settings from DHCP. What should you do?

A. Create a multicast scope.

B. Assign a static IP address to Server2.

C. Create an exclusion range in the DHCP scope.

D. Create a DHCP reservation in the DHCP scope.

Answer: D
Section: Configure Dynamic Host Configuration Protocol (DHCP)
Explanation/Reference:
A DHCP reservation is used to create a permanent address lease assignment by the DHCP server. Reservations assure that a specified hardware device on the subnet can always use the same IP address.

Reference: http://technet.microsoft.com/en-us/library/cc782696(WS.10).aspx

QUESTION 16
You have a DHCP server that runs Windows Server 2008 R2. You need to reduce the size of the DHCP database. What should you do?

A. From the DHCP snap-in, reconcile the database.

B. From the folder that contains the DHCP database, run jetpack.exe dhcp.mdb temp.mdb.

C. From the properties of the dhcp.mdb file, enable the File is ready for archiving attribute.

D. From the properties of the dhcp.mdb file, enable the Compress contents to save disk space attribute.

Answer: B
Section: Configure Dynamic Host Configuration Protocol (DHCP)
Explanation/Reference:
Microsoft Windows Server includes a utility, Jetpack.exe, that can be used to compact a Windows Internet Name Service (WINS) or Dynamic Host Configuration Protocol (DHCP) database. Microsoft recommends that you compact the WINS database whenever it approaches 30 MB.

Reference: http://support.microsoft.com/kb/145881

QUESTION 17
You have a DHCP server that runs Windows Server 2008 R2. The DHCP server has two network connections named LAN1 and LAN2. You need to prevent the DHCP server from responding to DHCP client requests on LAN2. The server must continue to respond to non-DHCP client requests on LAN2. What should you do?

A. From the DHCP snap-in, modify the bindings to associate only LAN1 with the DHCP service.

B. From the DHCP snap-in, create a new multicast scope.

C. From the properties of the LAN1 network connection, set the metric value to 1.

D. From the properties of the LAN2 network connection, set the metric value to 1.

Answer: A
Section: Configure Dynamic Host Configuration Protocol (DHCP)
Explanation/Reference:
The DHCP service will respond to any broadcast Discover request that it receives. Since the DHCP process happens before an IP address is assigned to the client, the entire process is done through broadcasts. Thus you cannot limit the DHCP server by restricting IP addresses. The only way to accomplish this is to remove the DHCP binding from the network adapter, which will prevent the DHCP service from seeing the Discover broadcasts occurring on that segment.

QUESTION 18
You have a DHCP server that runs Windows Server 2008 R2. You restore the DHCP database by using a recent backup. You need to prevent DHCP clients from receiving IP addresses that are currently in use on the network. What should you do?

A. Add the DHCP server option 15.

B. Add the DHCP server option 44.

C. Set the Conflict Detection value to 0.

D. Set the Conflict Detection value to 2.

Answer: D
Section: Configure Dynamic Host Configuration Protocol (DHCP)
Explanation/Reference:
Conflict detection can be used by either DHCP servers or clients to determine whether an IP address is already in use on the network before leasing or using the address. By default, the DHCP service does not perform any conflict detection. To enable conflict detection, increase the number of ping attempts that the DHCP service performs for each address before leasing that address to a client. Note that for each additional conflict detection attempt that the DHCP service performs, additional seconds are added to the time needed to negotiate leases for DHCP clients.

Typically, if DHCP server-side conflict detection is used, you should set the number of conflict detection attempts made by the server to use one or two pings at most. This provides the intended benefits of this feature without decreasing DHCP server performance. A Conflict Detection value of 0 would disable the feature.

Reference: http://technet.microsoft.com/en-us/library/cc780311(WS.10).aspx

QUESTION 19
Your network uses IPv4. You install a server that runs Windows Server 2008 R2 at a branch office. The server is configured with two network interfaces. You need to configure routing on the server at the branch office. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Install the Routing and Remote Access Services role service.

B. Run the netsh ras ip set access ALL command.

C. Run the netsh interface ipv4 enable command.

D. Enable the IPv4 Router Routing and Remote Access option.

Answer: AD
Section: Configure routing
Explanation/Reference:
RRAS provides multiprotocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services. RRAS is intended for use by system administrators who are already familiar with routing protocols and services. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable LAN and WAN routing
1. Install the RRAS Role service.
2. Open the RRAS MMC Snap-in.
3. Right-click the server name for which you want to enable routing, and then click Properties. If you are using Server Manager, right-click Routing and Remote Access, and then click Properties.
4. On the General tab, select the IPv4 Router or IPv6 Router check boxes, and then under each one that you enable, do one of the following:
   To enable only LAN routing without support for demand-dial connections, click Local area network (LAN) routing only.
Click OK to save your changes.

Reference: http://technet.microsoft.com/en-us/library/dd458974.aspx

QUESTION 20
Your company has an IPv4 Ethernet network. A router named R1 connects your segment to the Internet. A router named R2 joins your subnet with a segment named Private1. The Private1 segment has a network address of 10.128.4.0/26. Your computer named WKS1 requires access to servers on the Private1 network. The WKS1 computer configuration is as shown in the following table.

WKS1 is unable to connect to the Private1 network by using the current configuration. You need to add a persistent route for the Private1 network to the routing table on WKS1. Which command should you run on WKS1?

A. Route add -p 10.128.4.0/22 10.128.4.1

B. Route add -p 10.128.4.0/26 10.128.64.10

C. Route add -p 10.128.4.0 mask 255.255.255.192 10.128.64.1

D. Route add -p 10.128.64.10 mask 255.255.255.192 10.128.4.0

Answer: B
Section: Configure routing
Explanation/Reference:
Since the workstation has only one network interface set with a default gateway, you need to add a route that tells the local system to route packets for the 10.128.4.0/26 network to a router other than the default gateway. This is done with the command listed in answer B. A route may be added using either the CIDR value of /22, or the 'mask 255.255.255.192.'

Incorrect answers:
A. The second address in the route command must refer to an interface or a router on the same sub-net as the workstation. The workstation IP address is 10.128.64.113/26, so the IP address 10.128.4.1 is not in the same subnet.
C. Since the current default gateway is 10.128.64.1, all packets are already going to this router. This command would have no effect.
D. The route command listed is trying to add a route that is already in the current sub-net, 10.128.64.10. This would not provide a route to the 10.128.4.0/26 network.

Reference: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/route.mspx?mfr=true

QUESTION 21
Your network contains one Active Directory domain. You have a member server that runs Windows Server 2008 R2. You need to immediately disable all incoming connections to the server. What should you do?

A. From the Services snap-in, disable the IP Helper.

B. From the Services snap-in, disable the Netlogon service.

C. From Windows Firewall, enable the Block all connections option on the Public Profile.

D. From Windows Firewall, enable the Block all connections option on the Domain Profile.

Answer: D
Section: Configure Windows Firewall with Advanced Security
Explanation/Reference:
When the firewall is enabled, you can immediately block all incoming (or outgoing) connections using the Windows Firewall control, as shown below. Since the question states that you are working in an Active Directory domain, you would use the Domain Profile vs. the Public Profile.

QUESTION 22
Your network consists of a single Active Directory domain. The domain contains a server named Server1 that runs Windows Server 2008 R2. All client computers run Windows 7. All computers are members of the Active Directory domain. You assign the Secure Server (Require Security) IPsec policy to Server1 by using a Group Policy object (GPO). Users report that they fail to connect to Server1. You need to ensure that users can connect to Server1. All connections to Server1 must be encrypted. What should you do?

A. Restart the IPsec Policy Agent service on Server1.

B. Assign the Client (Respond Only) IPsec policy to Server1.

C. Assign the Server (Request Security) IPsec policy to Server1.

D. Assign the Client (Respond Only) IPsec policy to all client computers.

Answer: D

Section: Configure IPSEC

Explanation/Reference: When you see the words "Client (Respond Only)," "Server (Request Security)," or "Server (Require Security)," you are talking about IPsec. Most questions that say "connections must be encrypted" or "highest level of security" are also talking about IPsec. By setting the client policy to "Client (Respond Only)" you are telling the clients to respond to the server's request for IPsec credentials.

Reference: http://technet.microsoft.com/en-us/library/cc786870(WS.10).aspx

QUESTION 23

Your company uses Active Directory-integrated DNS. Users require access to the Internet. You run a network capture. You notice the DNS server is sending DNS name resolution queries to a server named f.root-servers.net. You need to prevent the DNS server from sending queries to f.root-servers.net. The server must be able to resolve names for Internet hosts. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Enable forwarding to your ISP's DNS servers.

B. Disable the root hints on the DNS server.

C. Disable the netmask ordering option on the DNS server.

D. Configure Reverse Lookup Zones for the IP subnets on the network.

Answer: AB

Section: Configure a Domain Name System (DNS) server

Explanation/Reference: A DNS server must have root hints or forwarders configured. If the Use root hints if no forwarders are available checkbox is cleared, then forwarders must be configured to resolve DNS queries for external zones. If the Use root hints if no forwarders are available checkbox is enabled, then root hints must be configured to permit recursion when forwarders are not responding.

f.root-servers.net is a reference to "root hints," that FQDN being one of the Internet Root DNS servers. If you do not wish your server to use root hints, you must configure it to use a forwarder.

Reference: http://technet.microsoft.com/en-us/library/ff807391(WS.10).aspx

QUESTION 24

Your company has a single Active Directory forest that has six domains. All DNS servers in the forest run Windows Server 2008 R2. You need to ensure that all public DNS queries are channeled through a single-caching-only DNS server. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. Disable the root hints.


B. Enable BIND secondaries.

C. Configure a forwarder to the caching DNS server.

D. Configure a GlobalNames host (A) record for the hostname of the caching DNS server.

Answer: AC

Section: Configure a Domain Name System (DNS) server

Explanation/Reference: A DNS server must have root hints or forwarders configured. If the Use root hints if no forwarders are available checkbox is cleared, then forwarders must be configured to resolve DNS queries for external zones. If the Use root hints if no forwarders are available checkbox is enabled, then root hints must be configured to permit recursion when forwarders are not responding.

If root hints are enabled, DNS queries will be forwarded to the Internet for resolution. To "channel" DNS queries through a single-caching-only DNS server, you must use forwarding. To enable forwarding, you must disable "root hints."

Reference: http://technet.microsoft.com/en-us/library/ff807391(WS.10).aspx

QUESTION 25

Contoso Ltd. has a single Active Directory forest that has five domains. Each domain has two DNS servers. Each DNS server hosts Active Directory-integrated zones for all five domains. All domain controllers run Windows Server 2008 R2. Contoso acquires a company named Tailspin Toys. Tailspin Toys has a single Active Directory forest that contains a single domain. You need to configure the DNS system in the Contoso forest to provide name resolution for resources in both forests. What should you do?

A. Configure client computers in the Contoso forest to use the Tailspin Toys DNS server as the alternate DNS server.

B. Create a new conditional forwarder and store it in Active Directory. Replicate the new conditional forwarder to all DNS servers in the Contoso forest.

C. Create a new application directory partition in the Contoso forest. Enlist the directory partition for all DNS servers.

D. Create a new host (A) record in the GlobalNames folder on one of the DNS servers in the Contoso forest. Configure the host (A) record by using the Tailspin Toys domain name and the IP address of the DNS server in the Tailspin Toys forest.

Answer: B

Section: Configure a Domain Name System (DNS) server

Explanation/Reference: You can use conditional forwarders to route queries between the domains or forests for which you are establishing a forest or domain trust. Conditional forwarders route names to a specified DNS server in the target domain or forest for queries that the conditional forwarders cannot resolve.

Reference: http://technet.microsoft.com/en-us/library/ee307976(WS.10).aspx

QUESTION 26

Your company has a single Active Directory forest that has an Active Directory domain named na.contoso.com. A server named Server1 runs the DNS Server role. You notice stale resource records in the na.contoso.com zone. You have enabled DNS scavenging on Server1. Three weeks later, you notice that the stale resource records remain in na.contoso.com. You need to ensure that the stale resource records are removed from na.contoso.com. What should you do?

A. Stop and restart the DNS Server service on Server1.

B. Enable DNS scavenging on the na.contoso.com zone.

C. Run the dnscmd Server1 /AgeAllRecords command on Server1.

D. Run the dnscmd Server1 /StartScavenging command on Server1.

Answer: B

Section: Configure DNS zones

Explanation/Reference: To enable the aging and scavenging features, perform the following steps to configure the applicable server and its Active Directory–integrated zones:

Enable aging and scavenging at the server. These settings determine the effect of zone-level properties for any Active Directory–integrated zones loaded at the server.

Enable aging and scavenging for selected zones at the DNS server. When zone-specific properties are set for a selected zone, these settings apply only to the applicable zone and its resource records. Unless these zone-level properties are otherwise configured, they inherit their default settings from comparable settings maintained in the DNS server aging/scavenging properties.

Reference: http://technet.microsoft.com/en-us/library/cc755716(WS.10).aspx

QUESTION 27

Your company has two servers that run Windows Server 2008 R2 named Server2 and Server3. Both servers have the DNS Server role installed. Server3 is configured to forward all DNS requests to Server2. You update a DNS record on Server2. You need to ensure that Server3 is able to immediately resolve the updated DNS record. What should you do?

A. Run the dnscmd . /clearcache command on Server3.

B. Run the ipconfig /flushdns command on Server3.

C. Decrease the Time-to-Live (TTL) on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.

D. Increase the Retry Interval value on the Start of Authority (SOA) record of na.contoso.com to 15 minutes.

Answer: A

Section: Configure name resolution for client computers

Explanation/Reference: Dnscmd clearcache

Clears the DNS cache memory of resource records in the specified DNS server.

Syntax: dnscmd [ServerName] /clearcache

Reference: http://technet.microsoft.com/en-us/library/cc756116(WS.10).aspx

QUESTION 28

Your company has a main office and a branch office. The company network has two WINS servers. You have an application that requires NetBIOS name resolution. The WINS servers are configured as shown in the following table.

You discover that the WINS addresses on all client computers in both offices are configured in the following order of use: 10.1.0.23 10.6.0.254

You reconfigure the WINS addresses on all client computers in the branch office in the following order of use: 10.6.0.254 10.1.0.23

After the reconfiguration, users in the branch office are unable to connect to the servers that are located in the main office. You need to restore name resolution in the branch office. What should you do?

A. Configure the burst handling option on DC2.

B. Configure DC1 and DC2 as WINS push/pull replication partners.

C. In the WINS server properties on DC1, increase the Renew interval setting to 1 day.

D. In the WINS server properties on DC2, increase the Renew interval setting to 1 day.

Answer: B

Section: Configure name resolution for client computers

Explanation/Reference: By default, WINS does not perform push replication unless other related settings are also configured on the Push Replication tab in Replication Partners Properties. For example, WINS uses an update count value of 0. This is set using Number of changes in version ID before replication. Push replication only occurs at configured replication intervals, unless other push replication settings are configured as well. To administratively correct a delay like the one indicated in the question, you would configure a push/pull replication partnership between the two servers.

Reference: http://technet.microsoft.com/en-us/library/cc785660(WS.10).aspx

QUESTION 29

Your company has a server named Server1 that runs a Server Core installation of Windows Server 2008 R2, and the DNS Server server role. Server1 has one network interface named Local Area Connection. The static IP address of the network interface is configured as 10.0.0.1. You need to create a DNS zone named local.contoso.com on Server1. Which command should you use?

A. ipconfig /registerdns:local.contoso.com


B. dnscmd Server1 /ZoneAdd local.contoso.com /DSPrimary

C. dnscmd Server1 /ZoneAdd local.contoso.com /Primary /file local.contoso.com.dns

D. netsh interface ipv4 set dnsserver name="local.contoso.com" static 10.0.0.1 primary

Answer: C

Section: Configure DNS zones

Explanation/Reference: Dnscmd zoneadd

Adds a zone to the DNS server.

Syntax: dnscmd [ServerName] /zoneadd ZoneName ZoneType [/dp FQDN| {/domain|/enterprise|/legacy}] /load

Reference: http://technet.microsoft.com/en-us/library/cc756116(WS.10).aspx

QUESTION 30

Your company has a single domain named contoso.com. The contoso.com DNS zone is Active Directory-integrated. Your partner company has a single domain named partner.com. The partner.com DNS zone is Active Directory-integrated. The IP addresses of the DNS servers in the partner domain will change. You need to ensure name resolution for users in contoso.com to resources in partner.com. What should you do?

A. Create a stub zone for partner.com on each DNS server in contoso.com.

B. Configure the Zone Replication Scope for partner.com to replicate to all DNS servers in the forest.

C. Configure an application directory partition in the contoso.com forest. Enlist all DNS servers in the contoso.com forest in the partition.

D. Configure an application directory partition in the partner forest. Enlist all DNS servers in the partner forest in the partition.

Answer: A

Section: Configure DNS zones

Explanation/Reference: When a zone that this Domain Name System (DNS) server hosts is a stub zone, this DNS server is a source only for information about the authoritative name servers for this zone. This DNS server must have network access to the remote DNS server to copy the authoritative name server information about the zone. You can use stub zones to:

Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server that hosts the stub zone will maintain a current list of authoritative DNS servers for the child zone.

Improve name resolution. Stub zones make it possible for a DNS server to perform name resolution using the stub zone's list of name servers, without having to use forwarding or root hints.

Reference: http://technet.microsoft.com/en-us/library/cc816809(WS.10).aspx