Microsoft Pro: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 - 70-663 Exam Practice Test

You are the Nutex Corporation's Exchange 2010 administrator. The Chief Information Officer (CIO) is apprehensive about applying upgrades and service packs until they are needed.
What would be reasons to apply SP1 to the Exchange 2010 servers in the organization?
Correct Answer: B,E
Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).
You have an Exchange Server 2010 organization.
Your company's compliance policy states that the following occurs when a user leaves the company:
The user account is disabled The user account and mailbox are deleted after six months All e-mail messages in the mailbox are retained for three years You need to recommend a solution to retain the e-mail messages of users who leave the company.
-The solution must meet the following requirements:
Ensure that a group named Group1 can manage the process
Minimize disk space required to store the mailbox database
What should you recommend?
Correct Answer: D
Your network contains four Active Directory sites. The sites are configured as shown in the following table.

You plan to deploy a new Exchange Server 2010 Service Pack l (SP1) organization named fabrikam.com.
You plan to deploy Mailbox servers to the New York site and the Montreal site.
You need to plan the deployment of Client Access servers to meet the following requirements:
-Support users who use Outlook Web App to access their mailbox from the Internet through Montreal.
-Support users who use Outlook Anywhere to access their mailbox from the Internet through Montreal.
-Minimize the number of Exchange server roles deployed.
Where should you deploy the Client Access servers?
To answer, click on the sites where the client access servers should be.
Hot Area:
Correct Answer:

Explanation: Corrected,,,
I believe that Montreal is the only CAS server as it is the only internet facing site.
===================================================================== Old answer:
You need to recommend changes to the Exchange organization of Contoso. The solution must meet the compliance requirements and the business goals of Contoso. What should you include in the recommendation? (Choose all that apply.)
Case Study Title (Case Study): Contoso Ltd
Company Overview
Contoso, Ltd. is a wholesale travel agency.
Physical Locations
The company has offices in New York and Seattle. Each office has a call center. All IT staff and help desk staff are located in the New York office.
Existing Environment
Contoso has a single domain named contoso.com. An Active Directory site exists for each office. The sites connect to each other by using a high-speed WAN link. The WAN link has an average utilization rate of 90 percent during business hours.
The domain contains three domain controllers. The domain controllers are configured as shown in the following table.

The network has an Exchange Server 2010 Service Pack 1 (SPl) organization that contains four servers. The servers are configured as shown in the following table.

Each mailbox database is 400 GB.
All of the servers have the following hardware configurations:
-64 GB of RAM
-One dual quad-core Intel Xeon processor
-Two l-gigabit per second Ethernet network adapters
-One RAID 10 disk array that has 12 300-GB, 15,000-RPM SAS disks for data
-one RAID 1 disk array that has two 73-GB, 10,000-RPM SAS disks for program files
-One RAID 1 disk array that has two 73-GB, 10,000-RPM SAS disks for the operating system
Requirements
Business Goals
Contoso has the following general requirements that must be considered for all technology deployments:
-Minimize costs whenever possible.
-Minimize administrative effort whenever possible.
-Minimize traffic on the WAN link between the offices.
Planned Changes
Contoso acquires a company named Margie's Travel. Margie's Travel has 3,000 employees.
Margie's Travel has the following email infrastructure:
-A call center, where 200 employees work
-UNIX-based email hosts that users access by using POP3 and SMTP
-Three departments that use the SMTP domains of margiestravel.com, east.margiestravel.com,
-and blueyonderairlinesxam. Users are assigned only one email address that uses the SMTP domain of their department
You plan to deploy a new Exchange Server 2010 SP1 organization to Margie's Travel. The new email infrastructure must meet the following implementation requirements:
-All employees must have access to their mailbox if a single server fails.
-Call center employees must use windows Internet Explorer 8 to access their mailbox.
-The administration of the Margie's Travel Exchange organization must be performed by a dedicated team.
-Call center employees must be prevented from accessing the calendar or journal features of Outlook Web App.
-All employees who do not work in the call center must have access to all of the Outlook web App features.
-All email messages sent to recipients outside of Margie's Travel must have a return address in the [email protected] format.
The new email infrastructure for Margie's Travel must meet the following security requirements:
-Contoso administrators must be prevented from viewing or modifying the settings of the mailboxes of Margie's Travel users.
-All inbound and outbound Internet email to and from the Margie's Travel domains must be routed
through the Hub Transport servers of Contoso.
-All email messages that contain confidential customer information must be encrypted automatically while in transit and the recipients of the messages must be prevented from forwarding them to other users.
Compliance Requirements
Contoso must meet the following compliance requirements:
-Each email message sent by an attorney from the Contoso legal department must be approved by the manager of the legal department.
-Attorneys must be able to classify email messages as "attorney-client privileged".
-All messages classified as "attorney-client privileged" must contain a legal disclaimer automatically.
User Requirements
All users who have a portable computer use Microsoft Outlook 2010 when they work online and offline.
When the users work offline, they must be able to read existing email messages and create new email
messages.
Users who have a large mailbox must minimize the amount of hard disk space used by the mailbox on their
portable computer.
Correct Answer: B,C,F
Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).
A corporate environment includes Exchange Server 2010 SP1 and client computers that run Microsoft
Outlook 2010.
You create a Hierarchical Address Book (HAB).
Organizational groups must be added to the HAB and organized alphabetically.
You need to recommend a solution for adding and alphabetizing the organizational groups.
Which two actions should you recommend? (Each correct answer presents part of the solution. Choose
two.)
Correct Answer: B,D
Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).
Your network contains an internal network and a perimeter network. The perimeter network contains an Exchange Server 2010 Edge Transport server.
You need to recommend a remote management solution for the Edge Transport server that meets the following requirements:
-All management traffic must be encrypted
-The solution must allow remote administration from the internet network
-The solution must support the use of the Exchange Management Console (EMC)
What should you recommend?
Correct Answer: A
Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).
Your network contains a single Active Directory domain named contoso.com.
You plan to deploy a new Exchange Server 2010 Service Pack 1 (SP1) organization. You identify the administrative model for the Exchange organization as shown in the following table.

You need to identity which groups must be assigned to Group1 and Group2 to support the planned
administrative model.
The solution must minimize the number of rights assigned to each group.
Which security groups and role groups should you assign to Group1 and Group2?
To answer, drag the appropriate security groups or role groups to the correct group in the answer area.
Select and Place:
Correct Answer:

Explanation:
I agree with Group 2 answer and with Organization management point of Group 1
-Domain Admins is not right here as it is more than required.
-Account Operator group in the domain is required to be able to create user accounts.
Organization management Admin can do everything :
Administrators who are members of the Organization Management role group have administrative access to the entire Exchange 2010 organization and can perform almost any task against any Exchange 2010 object, with some exceptions, such as the Discovery Management role.
So the only missing or required permission here to perform the required tasks are:
Stop / Restart system or services and system updates. As local administrator group you can do that.
================================
Previous Answer was:
Group 1:
Domain Admins Group in the domain.
Organization Management role group.
Group 2:
Recipient management role group.
Group 1 needs to be able to do the following:
-Restore mailboxes
-Stop and Restart both Servers and Services
-Create mailbox database
-Install Operating System Updates
-Manage Certificates
I don't agree with the need for this group to be a member of the Account Operators group. This is a domain account that allows local logon to domain controllers and they can create user account accounts. Group 1 as I read the question needs to logon to exchange servers and manage the local exchange server. Therefore I think they just need to be members of the Administrative Group on each Exchange Server.
Group 2 needs to be able to do the following:
-create mail - enabled users
-create distribution lists
-delete distribution lists
In order for group 2 to complete their tasks they will need to have recipient management role and the Organization Role
Account Operators is a local group that grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups. They can also log on locally to domain controllers. However, Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights.
The Recipient Management management role group is one of several built-in role groups that make up the Role Based Access Control (RBAC) permissions model in Microsoft Exchange Server 2010. Role groups are assigned one or more management roles that contain the permissions required to perform a given set of tasks. The members of a role group are granted access to the management roles assigned to the role group. For more information about role groups, see Understanding Management Role Groups. Administrators who are members of the Recipient Management role group have administrative access to create or modify Microsoft Exchange Server 2010 recipients within the Exchange 2010 organization.
Help Desk - The Help Desk management role group gives members permissions that are typically required by members of a help desk, such as modifying users' details such as their address and phone number.
Organization Management - The Organization Management role group is synonymous with the Exchange Full Administrator role in Exchange 2003 and the Exchange Organization Administrators role in Exchange 2007. Essentially, membership of this management role group gives the user the ability to perform pretty much any task in Exchange 2010, with the main missing task being the ability to perform mailbox searches; that itself is achieved via the Discovery Management role group.
Domain Admins - This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
The permissions granularity issue was improved in Exchange 2007. The Exchange Full Administrator role found in Exchange 2000 and Exchange 2003 became known as the Exchange Organization Administrators role in Exchange 2007 and still gave administrators full access to all Exchange objects in the entire organization. The Exchange View-Only Administrators role also remained, giving administrators read-only access to the entire Exchange organization.
There were effectively three new additions to the Exchange 2007 roles:
-Exchange Recipient Administrators - Allowed administrators to modify Exchange settings on users, groups, contacts and public folders
-Exchange Public Folder Administrators -Was introduced in Exchange 2007 Service Pack 1 and as its name suggests allowed administrators to manage public folders
-Exchange Server Administrators - Allowed administrators to fully manage a particular Exchange 2007 server as long as they were also a member of the local Administrators group on that server
Although the permissions model in Exchange 2007 was a vast improvement over those models found in earlier versions of Exchange, it still wasn't able to satisfy a lot of the administrative scenarios found in various organizations. Essentially, the roles in Exchange 2007 still offered too much administrative power to administrators in a decentralized Exchange organization and it was therefore difficult to limit the permissions available to certain administrators. Although it was possible to implement a split permissions model in Exchange 2007 by modifying Access Control Lists (ACLs), this was a complex procedure that could sometimes result in errors and issues that were difficult to troubleshoot.
The design of Exchange 2010 has needed to take into account the more demanding and granular permissions requirements of organizations. Exchange 2010 now supports a model where specialist users can be granted specific Exchange permissions required to perform their duties. For example, there may be the scenario where a compliance officer within a company needs to conduct a search across all employees' mailboxes for legal reasons, or perhaps a member of the Human Resources department needs to update user information in Active Directory that is seen on the properties of users' mailboxes. In these example cases, the relevant specialist user should only be given the rights to perform the required task and should not be assigned, for example, additional rights that could allow them to affect the overall configuration of the Exchange environment.
Management Role Groups -In Exchange 2010, Microsoft has made the task of assigning a series of common permissions to administrative and specialist users very easy by providing 11 default management role groups. By placing a user or group into a management role group, the management roles associated with that management role group are assigned accordingly thereby giving the user or group the relevant permissions. The term role holder is used by Microsoft to denote the administrative or specialist user that is added to the management role group. These 11 default management role groups are created during Exchange 2010 setup. Specifically, these management role groups are created when Exchange 2010 setup runs the Active Directory preparation steps that can be performed individually by running the Exchange 2010 setup.com program with the /PrepareAD switch. The management role groups can be seen in the Microsoft Exchange Security Groups Organizational Unit (OU) that is created in the root domain during the Exchange setup process. You can see this OU and the groups within it in Figure 1. Note that of the 16 groups shown in Figure 1, only 11 are management role groups; these are highlighted.

A member of LOCAL\Administrators is a far cry from a BUILTIN\Administrators, and here are the two primary reasons why:
One - BUILTIN\Administrators is not stored locally to a single DC - its membership is in the Active Directory, in the CN=Builtin,DC=domain,DC=com container. The contents of this container are replicated to all domain controllers. Therefore, adding a user to a member of this group on one DC makes them a member of the group on all DCs. (A member server has a local accounts database called a SAM that is not visible to the domain.)
Two - Since BUILTIN\Administrators gives local Administrator permissions to its members - they can do anything on any DC in the domain. Anything. Making themselves a Domain Administrator is a trivial exercise.
A final note of caution: it is now widely recognized that forests are the security boundaries in Active Directory, not domains (regardless of what the original Windows 2000 Server A/D documentation said). Domains are simply administrative boundaries. As a corollary to item two above, once a person is a domain administrator, it is fairly easy to become an enterprise administrator.
A corporate environment includes an on-premise deployment of Exchange Server 2010 SP1 with standalone Edge Transport servers in a perimeter network.
The company plans to move a subset of Exchange users to a cloud-based Exchange Server 2010 SP1 service.
The security team has the following requirements:
-Manage mailbox audit logging for the on-premise and cloud-based Exchange servers.
-Search message tracking logs for all on-premise Exchange servers.
-You need to recommend a solution that meets the requirements.
What should you recommend?
Correct Answer: C
Explanation: Only visible for ExamsLabs members. You can sign-up / login (it's free).