· 3/7/2018 · You complete the Active Directory Federation Services Configuration Wizard on Server1. You need to ensure that client devices on the

https://www.gratisexam.com/

70-412.mcsa.exam.290q

Number: 70-412Passing Score: 800Time Limit: 120 minFile Version: 1


Microsoft 70-412

Configuring Advanced Windows Server 2012 R2 Services

Sections1. Volume A2. Volume B3. Volume C


Exam A

QUESTION 1Your network contains an Active Directory domain named contoso.com.

A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS).

After the proof of concept was complete, the Active Directory Rights Management Services server role was removed.

You attempt to deploy AD RMS.

During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found.

You need to remove the existing AD RMS SCP.

Which tool should you use?

A. Active Directory Users and Computers

B. Authorization Manager

C. Active Directory Domains and Trusts

D. Active Directory Sites and Services

E. Active Directory Rights Management Services

Correct Answer: ESection: Volume AExplanation

Explanation/Reference:Explanation:ADRMS will registered the Service Connection Point (SCP) in Active Directory and you will need to unregister first before you remove the ADRMS server role.

If your ADRMS server is still alive, you can easily manually remove the SCP by below:



Reference: How to manually remove or reinstall ADRMS

QUESTION 2Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active DirectoryFederation Services server role installed.All servers run Windows Server 2012.


You complete the Active Directory Federation Services Configuration Wizard on Server1.

You need to ensure that client devices on the internal network can use Workplace Join.

Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)


A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.

B. Edit the multi-factor authentication global authentication policy settings.

C. Run Enable-AdfsDeviceRegistration.

D. Run Set-AdfsProxyProperties HttpPort 80.

E. Edit the primary authentication global authentication policy settings.

Correct Answer: CESection: Volume AExplanation

Explanation/Reference:Explanation:C. To enable Device Registration ServiceOn your federation server, open a Windows PowerShell command window and type:Enable-AdfsDeviceRegistrationRepeat this step on each federation farm node in your AD FS farm.

E. Enable seamless second factor authenticationSeamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications fromexternal devices that are trying to access them. When a personal device is Workplace Joined, it becomes a `known' device and administrators can use thisinformation to drive conditional access and gate access to resources. To enable seamless second factor authentication, persistent single sign-on (SSO) andconditional access for Workplace Joined devices.In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable DeviceAuthentication, and then click OK.

Reference: Configure a federation server with Device Registration Service.

QUESTION 3


DRAG DROPYour network contains an Active Directory domain named contoso.com.

You need to ensure that third-party devices can use Workplace Join to access domain resources on the Internet.

Which four actions should you perform in sequence?To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:

Section: Volume AExplanation

Explanation/Reference:Note:* Checklist: Deploying a Federation Server Farm include:


(Box 1) Enroll a Secure Socket Layer (SSL) certificate for AD FS.(Box 2) Install the AD FS role service.(Box 3, box 4) Optional step: Configure a federation server with Device Registration Service (DRS).

Box 3: To enable Device Registration Service.On your federation server, open a Windows PowerShell command window and type:Enable-AdfsDeviceRegistrationRepeat this step on each federation farm node in your AD FS farm.

Box 4: Update the Web Application Proxy configurationThe Device Registration Service will be available through the Web Application Proxy once it is enabled on a federation server. You may need to complete thisprocedure to update the Web Application Proxy configuration if it was deployed prior to enabling the Device Registration Service.* Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Role in Windows Server 2012 R2.When a device is Workplace Joined, the DRS provisions a device object in Active Directory and sets a certificate on the consumer device that is used to representthe device identity. The DRS is meant to be both internal and external facing. Companies that deploy both DRS and the Web Application Proxy will be able toWorkplace Join devices from any internet connected location.

Reference: Deploying a Federation Server Farm.

QUESTION 4HOTSPOTYour company has a primary data center and a disaster recovery data center.

The network contains an Active Directory domain named contoso.com. The domain contains a server named that runs Windows Server 2012 R2. Server1 islocated in the primary data center.Server1 has an enterprise root certification authority (CA) for contoso.com.

You deploy another server named Server2 to the disaster recovery data center.

You plan to configure Server2 as a secondary certificate revocation list (CRL) distribution point.

You need to configure Server2 as a CRL distribution point (CDP).

Which tab should you use to configure the required CDP entry? To answer, select the appropriate tab in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:To configure the CDP and AIA extensions on CA1

In Server Manager, click Tools and then click Certification Authority.In the Certification Authority console tree, right-click corp-CA1-CA, and then click Properties.Click the Extensions tab. Ensure that Select extension is set to CRL Distribution Point (CDP), and in the Specify locations from which users can obtain acertificate revocation list (CRL).

Etc.

Reference: Configure the CDP and AIA Extensions on CA1http://technet.microsoft.com/zh-cn/library/jj125369.aspx

QUESTION 5Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA).

You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:Email securityClient authenticationEncrypting File System (EFS)

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A. From a Group Policy, configure the Certificate Services Client Auto-Enrollment settings.

B. From a Group Policy, configure the Certificate Services Client Certificate Enrollment Policy settings.

C. Modify the properties of the User certificate template, and then publish the template.

D. Duplicate the User certificate template, and then publish the template.

E. From a Group Policy, configure the Automatic Certificate Request Settings settings.

Correct Answer: ADSection: Volume AExplanation

Explanation/Reference:Explanation:


The default user template supports all of the requirements EXCEPT auto enroll as shown below:

However a duplicated template from users has the ability to autoenroll:

The Automatic Certificate Request Settings GPO setting is only available to Computer, not user.


Reference: Manage Certificate Enrollment Policy by Using Group Policy.http://technet.microsoft.com/en-us/library/dd851772.aspx

QUESTION 6Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that runs Windows Server 2012 R2 and hasthe DHCP Server server role installed.

DHCP is configured as shown in the exhibit. (Click the Exhibit button.)


You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers to DHCP clients. The solution must minimize administrative effort.

What should you do?

A. Create a superscope and scope-level policies.

B. Configure the Scope Options.

C. Create a superscope and a filter.


D. Configure the Server Options.

Correct Answer: BSection: Volume AExplanation

Explanation/Reference:Explanation:Any DHCP scope options can be configured for assignment to DHCP clients, such as DNS server.

References: Configuring a DHCP Scope.https://technet.microsoft.com/en-us/library/dd759218.aspx

QUESTION 7Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and hasthe DNS Server server role installed.Server1 has a zone named contoso.com. The zone is configured as shown in the exhibit. (Click the Exhibit button.)


You need to assign a user named User1 permission to add and delete records from the contoso.com zone only.

What should you do first?

A. Enable the Advanced view from DNS Manager.

B. Add User1 to the DnsUpdateProxy group.

C. Run the New Delegation Wizard.

D. Configure the zone to be Active Directory-integrated.

Correct Answer: D



Explanation/Reference:Secure dynamic updates are only supported or configurable for resource records in zones that are stored in Active Directory Domain Services (AD DS).

Note: To modify security for a resource recordOpen DNS Manager.In the console tree, click the applicable zone.In the details pane, click the record that you want to view.On the Action menu, click Properties.On the Security tab, modify the list of member users or groups that are allowed to securely update the applicable record and reset their permissions as needed.

Reference: Modify Security for a Resource Record


An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The administrator configures IPAM by using Group Policybased provisioning and starts server discovery.

You plan to create Group Policies for IPAM provisioning.

You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies.

What should you do on Server2?


A. From Server Manager, review the IPAM overview.

B. Run the ipamgc.exe tool.

C. From Task Scheduler, review the IPAM tasks.

D. Run the Get-IpamConfiguration cmdlet.

Correct Answer: D



Explanation/Reference:Example:


You need to create an IPv6 scope on Server1. The scope must use an address space that is reserved for private networks. The addresses must be routable.Which IPV6 scope prefix should you use?

A. 2001:123:4567:890A::

B. FE80:123:4567::

C. FF00:123:4567:890A::

D. FD00:123:4567::

Correct Answer: DSection: Volume AExplanation

Explanation/Reference:Explanation/Reference:A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in RFC 4193. It is the approximate IPv6 counterpart of the IPv4 private address. The address block fc00::/7 is divided into two /8 groups:

The block fc00::/8 has not been defined yet.The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string.

Prefixes in the fd00::/8 range have similar properties as those of the IPv4 private address ranges:

They are not allocated by an address registry and may be used in networks by anyone without outside involvement.They are not guaranteed to be globally unique.Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in the global DNS.

Reference: RFC 4193


QUESTION 10Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.DC1 has the DNS Server server role installed.

The network contains client computers that run either Linux, Windows 7, or Windows 8.1.You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)



You plan to configure Name Protection on all of the DHCP servers.

You need to configure the adatum.com zone to support Name Protection.

Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the solution. Choose two.)

A. Sign the zone.

B. Store the zone in Active Directory.

C. Modify the Security settings of the zone.

D. Configure Dynamic updates.

E. Add a DNS key record

Correct Answer: BDSection: Volume AExplanation

Explanation/Reference:Explanation:Name protection requires secure update to work. Without name protection DNS names may be hijacked.

You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directoryintegratedzones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS)dynamic updates.

1. (B) Convert primary DNS server to Active Directory integrated primary2. (D) Enable secure dynamic updates


Reference: DHCP: Secure DNS updates should be configured if Name Protection is enabled on any IPv4 scope

http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx

QUESTION 11HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. All servers run WindowsServer 2012 R2.


You install the DHCP Server server role on both servers.

On Server1, you have the DHCP scope configured as shown in the exhibit. (Click the Exhibit button.)

You need to configure the scope to be load-balanced across Server1 and Server2.

What Windows PowerShell cmdlet should you run on Server1?To answer, select the appropriate options in the answer area.


Hot Area:

Correct Answer:


Explanation/Reference:Explanation:Add-DhcpServerv4FailoverThe Add-DhcpServerv4Failover cmdlet adds a new IPv4 failover relationship to a Dynamic Host Configuration Protocol (DHCP) server service.


-PartnerServer<String>Specifies the IPv4 address, or host name, of the partner DHCP server service with which the failover relationship is created.

-ScopeId<IPAddress[]>Specifies the scope identifiers, in IPv4 address format, which are to be added to the failover relationship.

Example:


Reference: Add-DhcpServerv4Failover

QUESTION 12HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two DHCP servers named Server1 and Server2. Both servers havemultiple IPv4 scopes.

Server1 and Server2 are used to assign IP addresses for the network IDs of 172.20.0.0/16 and 131.107.0.0/16.

You install the IP Address Management (IPAM) Server feature on a server named IPAM1 and configure IPAM1 to manage Server1 and Server2.

Some users from the 172.20.0.0 network report that they occasionally receive an IP address conflict error message.

You need to identify whether any scopes in the 172.20.0.0 network ID conflict with one another.

What Windows PowerShell cmdlet should you run?To answer, select the appropriate options in the answer area.


Hot Area:

Correct Answer:



Explanation/Reference:Explanation:Type the following command at a Windows PowerShell prompt and press ENTER:

PS C:\> Get-IpamRange –AddressFamily IPv4 –AddressCategory Private|where-object {$_.Overlapping –eq “True”}

The previous command will display any overlapping IP address ranges, if they exist.

Reference: Walkthrough: Demonstrate IPAM in Windows Server 2012 R2.

QUESTION 13


Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server 2012 R2.

DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the contoso.com zone.

You need to log the zone transfer packets sent between DNS1 and DNS2.

What should you configure?


A. Monitoring from DNS Manager

B. Logging from Windows Firewall with Advanced Security

C. A Data Collector Set (DCS) from Performance Monitor

D. Debug logging from DNS Manager


Explanation/Reference:Explanation:Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, youshould only activate it temporarily when you need more specific detailed information about server performance.

Reference: Active Directory 2008: DNS Debug Logging Facts.

QUESTION 14Your network contains an Active Directory forest named contoso.com.

Users frequently access the website of an external partner company. The URL of the website is http://partners.adatum.com.

The partner company informs you that it will perform maintenance on its Web server and that the IP addresses of the Web server will change.

After the change is complete, the users on your internal network report that they fail to access the website. However, some users who work from home report thatthey can access the website.


You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address immediately.

What should you do?

A. Run dnscmd and specify the CacheLockingPercent parameter.

B. Run Set-DnsServerGlobalQueryBlockList.

C. Run ipconfig and specify the Renew parameter.

D. Run Set-DnsServerCache.


Explanation/Reference:Explanation:The Set-DnsServerCache cmdlet modifies cache settings for a DomainName System (DNS) server.

Run Set-DnsServerCache with the -LockingPercent switch.

-LockingPercent<UInt32>Specifies a percentage of the original Time to Live (TTL) value that caching can consume.Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, the DNS server does not overwrite a cached entry for half of theduration of the TTL. By default, the cache locking percent value is 100. This value means that the DNS server will not overwrite cached entries for the entireduration of the TTL.

Note. A better way would be clear the DNS cache on the DNS server with either Dnscmd /ClearCache (from command prompt), or Clear-DnsServerCache (fromWindows PowerShell).

References: https://technet.microsoft.com/en-us/library/jj649852.aspx

Incorrect Answers:A. You need to use the /config parameter as well:You can change this value if you like by using the dnscmd command:

dnscmd /Config /CacheLockingPercent<percent>

QUESTION 15You have a server named Server1.

You install the IP Address Management (IPAM) Server feature on Server1.


You need to provide a user named User1 with the ability to set the access scope of all the DHCP servers that are managed by IPAM. The solution must use theprinciple of least privilege.

Which user role should you assign to User1?

A. DNS Record Administrator Role

B. IPAM DHCP Reservations Administrator Role

C. IPAM Administrator Role

D. IPAM DHCP Administrator Role


Explanation/Reference:Explanation:The IPAM DHCP administrator role completely manages DHCP servers.


Reference: What's New in IPAM

QUESTION 16Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server namedServer1. Server1 has the IP Address Management (IPAM) Server feature installed.

On Dc1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM.

On Server1, you open Server Manager as shown in the exhibit. (Click the Exhibit button.)



You need to ensure that you can use IPAM on Server1 to manage DNS on DC1.

What should you do?

A. Modify the outbound firewall rules on Server1.

B. Modify the inbound firewall rules on Server1.

C. Add Server1 to the Remote Management Users group.

D. Add Server1 to the Event Log Readers group.


Explanation/Reference:Explanation:To access configuration data and server event logs, the IPAM server must be a member of the domain IPAM Users Group (IPAMUG). The IPAM server must alsobe a member of the Event Log Readers security group.

Note: The computer account of the IPAM server must be a member of the Event Log Readers security group.

Reference: Manually Configure DC and NPS Access Settings.http://technet.microsoft.com/en-us/library/jj878317.aspxhttp://technet.microsoft.com/en-us/library/jj878313.aspx

QUESTION 17You have a server named SCI that runs a Server Core Installation of Windows Server 2012 R2. Shadow copies are enabled on all volumes.

You need to delete a specific shadow copy. The solution must minimize server downtime.


A. Shadow

B. Diskshadow

C. Wbadmin

D. Diskpart



Explanation/Reference:Explanation:DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS).The diskshadow command delete shadows deletes shadow copies.

References: Technet, Diskshadowhttps://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow

QUESTION 18You have 20 servers that run Windows Server 2012 R2.

You need to create a Windows PowerShell script that registers each server in Microsoft Azure Backup and sets an encryption passphrase.

Which two PowerShell cmdlets should you run in the script? (Each correct answer presents part of the solution. Choose two.)

A. New-OBPolicy

B. New-OBRetentionPolicy

C. Add-OBFileSpec


D. Start-OBRegistration

E. Set OBMachineSetting

Correct Answer: DESection: Volume AExplanation

Explanation/Reference:Explanation:D. Start-OBRegistrationRegisters the current computer with Windows Azure Online Backup using the credentials (username and password) created during enrollment.E. The Set-OBMachineSetting cmdlet sets a OBMachineSetting object for the server that includes proxy server settings for accessing the internet, networkbandwidth throttling settings, and the encryption passphrase that is required to decrypt the files during recovery to another server.

Incorrect Answers:C. TheAdd-OBFileSpec cmdlet adds the OBFileSpecobject, which specifies the items to include or exclude from a backup, to the backup policy (OBPolicyobject).The OBFileSpecobject can include or exclude multiple files, folders, or volumes. T

References: Start-OBRegistration; Set OBMachineSetting

https://technet.microsoft.com/en-us/library/hh770398.aspxhttps://technet.microsoft.com/en-us/library/hh770409.aspx

QUESTION 19You have 30 servers that run Windows Server 2012 R2.

All of the servers are backed up daily by using Windows Azure Online Backup.

You need to perform an immediate backup of all the servers to Windows Azure Online Backup.

Which Windows PowerShell cmdlets should you run on each server?

A. Get-OBPolicy | StartOBBackup

B. Start-OBRegistration | StartOBBackup

C. Get-WBPolicy | Start-WBBackup

D. Get-WBBackupTarget | Start-WBBackup

Correct Answer: ASection: Volume AExplanation


Explanation/Reference:Explanation:This example starts a backup job using a policy.

Windows PowerShellPS C:\> Get-OBPolicy | Start-OBBackup

Incorrect Answers:B. Registers the current computer to Windows Azure Backup.C. Not using AzureD. Not using Azure

References: Start-OBBackuphttps://technet.microsoft.com/en-us/library/hh770406(v=wps.620).aspx

QUESTION 20You have a server named Server1 that runs Windows Server 2012 R2 and is used for testing.

A developer at your company creates and installs an unsigned kernel-mode driver on Server1. The developer reports that Server1 will no longer start.

You need to ensure that the developer can test the new driver. The solution must minimize the amount of data loss.

Which Advanced Boot Option should you select?

A. Disable Driver Signature Enforcement

B. Disable automatic restart on system failure

C. Last Know Good Configuration (advanced)

D. Repair Your Computer


Explanation/Reference:Explanation:A. By default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel- mode driver only if the kernel can verify the driver signature.However, this default behavior can be disabled to facilitate early driver development and non-automated testing.



Incorrect Answers:B. specifies that Windows automatically restarts your computer when a failure occurs.C. Developer would not be able to test the driver as needed.D. Removes or repairs critical windows files, Developer would not be able to test the driver as needed and some file loss.

References: Installing Windows Server 2012.https://technet.microsoft.com/en-us/library/jj134246.aspxhttp://msdn.microsoft.com/en-us/library/windows/hardware/ff547565(v=vs.85).aspx

QUESTION 21You have a server named Server1 that runs Windows Server 2012 R2.

When you install a custom Application on Server1 and restart the server, you receive the following error message: "The Boot Configuration Data file is missingsome required information.File: \Boot\BCDError code: 0x0000034."

You start Server1 by using Windows RE.

You need to ensure that you can start Windows Server 2012 R2 on Server1.


A. Bootsect

B. Bootim

C. Bootrec

D. Bootcfg

Correct Answer: CSection: Volume AExplanation

Explanation/Reference:Explanation:Bootrec.exe tool to troubleshoot "Bootmgr Is Missing" issue. The /ScanOs option scans all disks for installations that are compatible with Windows Vista orWindows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7installations that the Boot Manager menu does not list.

Error code 0x0000034 while booting.


Resolution:Put the Windows Windows 7 installation disc in the disc drive, and then start the computer.Press any key when the message indicating "Press any key to boot from CD or DVD ...". appears.Select a language, time, currency, and a keyboard or another input method. Then click Next.Click Repair your computer.Click the operating system that you want to repair, and then click Next.In the System Recovery Options dialog box, click Command Prompt.Type Bootrec /RebuildBcd, and then press ENTER.

Incorrect Answers:A. Bootsect.exe updates the master boot code for hard disk partitions to switch between BOOTMGR and NTLDR. You can use this tool to restore the boot sectoron your computer. This tool replaces FixFAT and FixNTFS.D. The bootcfg command is a Microsoft Windows Server 2003 utility that modifies the Boot.ini file.

References: Bootsect Command-Line Optionshttps://technet.microsoft.com/en-us/library/cc749177(v=ws.10).aspx http://support.microsoft.com/kb/927392/en-ushttp://answers.microsoft.com/en-us/windows/forum/windows_7-system/error-code-0x0000034-in- windows-7/4dcb8d38-a206-40ed-bced-55e4a4de9bf2

QUESTION 22You have a server named Server1 that runs Windows Server 2012 R2. Server1 is backed up by using Windows Server Backup. The backup configuration is shownin the exhibit. (Click the Exhibit button.)



You discover that only the last copy of the backup is maintained.

You need to ensure that multiple backup copies are maintained.

What should you do?

A. Modify the backup destination.

B. Configure the Optimize Backup Performance settings.

C. Modify the Volume Shadow Copy Service (VSS) settings.

D. Modify the backup times.


Explanation/Reference:Explanation:The destination in the exhibit shows a network share is used. If a network share is being used only the latest copy will be saved


Reference: Where should I save my backup?http://windows.microsoft.com/en-us/windows7/where-should-i-save-my-backup

QUESTION 23Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that runWindows Server 2012 R2. All servers have the Hyper-V server role and the Failover Clustering feature installed.


You need to replicate virtual machines from Cluster1 to Cluster2.

Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)


A. From Hyper-V Manager on a node in Cluster2, create three virtual machines.

B. From Cluster2, add and configure the Hyper-V Replica Broker role.

C. From Failover Cluster Manager on Cluster1, configure each virtual machine for replication.

D. From Cluster1, add and configure the Hyper-V Replica Broker role.

E. From Hyper-V Manager on a node in Cluster2 modify the Hyper-V settings.

Correct Answer: CDESection: Volume AExplanation

Explanation/Reference:Explanation:D. You must configure the Hyper-V Replica Broker for cluster1.

E. We must configure configure the Replica server to receive replication from primary servers: In Hyper-V Manager, click Hyper-V Settings in the Actions pane. In the Hyper-V Settings dialog, click Replication Configuration. In the Details pane, select Enable this computer as a Replica server.


C. Enable virtual machine replication.Once the hosting server is configured for Replica, you can enable replication for each virtual machine that you want to be replicated.

Reference: Deploy Hyper-V Replicahttps://technet.microsoft.com/en-us/library/jj134207.aspx


Each day, Server1 is backed up fully to an external disk.

On Server1, the disk that contains the operating system fails.

You replace the failed disk.

You need to perform a bare-metal recovery of Server1 by using the Windows Recovery Environment (Windows RE).

What should you do?

A. Run the Start-WBVolumeRecovery cmdlet and specify the -backupset parameter.

B. Run the Get-WBBareMetalRecovery cmdlet and specify the -policy parameter.

C. Run the wbadmin.exe start recovery command and specify the -recoverytarget parameter.

D. Run the wbadmin.exe start sysrecovery command and specify the -backuptarget parameter.


Explanation/Reference:Explanation:Performs a system recovery (bare metal recovery). This subcommand can be run only from the Windows Recovery Environment.

* -backupTargetSpecifies the storage location that contains the backup or backups that you want to recover. This parameter is useful when the storage location is different fromwhere backups of this computer are usually stored.

References: Wbadmin start sysrecoveryhttps://technet.microsoft.com/en-us/library/cc742118.aspx

QUESTION 25


You have a virtual machine named VM1 that runs on a host named Host1.

You configure VM1 to replicate to another host named Host2. Host2 is located in the same physical location as Host1.

You need to add an additional replica of VM1. The replica will be located in a different physical site.

What should you do?

A. From VM1 on Host2, click Extend Replication.

B. On Host1, configure the Hyper-V settings.

C. From VM1 on Host1, click Extend Replication.

D. On Host2, configure the Hyper-V settings.


Explanation/Reference:Explanation:Extend Replication through UI:Before you Extend Replication to third site, you need to establish the replication between a primary server and replica server.Once that is done, go to replica site and from Hyper-V UI manager select the VM for which you want to extend the replication. Right click on VM and select"Replication->Extend Replication ...". This will open Extend Replication Wizard which is similar to Enable Replication Wizard.

NOTE: You configure a server to receive replication with Hyper-V Manager, in this situation the replica site is assumed to be the Replica Server. Therefore youextend replication from VM1 on Host2.

Note 2: With Hyper-V Extend Replication feature in Windows Server 2012 R2, customers can have multiple copies of data to protect them from different outagescenarios. For example, as a customer I might choose to keep my second DR site in the same campus or a few miles away while I want to keep my third copy ofdata across the continents to give added protection for my workloads. Hyper-V Replica Extend replication exactly addresses this problem by providing one morecopy of workload at an extended site apart from replica site.

Reference: Hyper-V Replica: Extend Replicationhttp://blogs.technet.com/b/virtualization/archive/2013/12/10/hyper-v-replica-extend-replication.aspx

QUESTION 26Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2.

Both servers have the Hyper-V server role installed. Server1 and Server2 are located in different offices. The offices connect to each other by using a high-latencyWAN link.


Server1 hosts a virtual machine named VM1.

You need to ensure that you can start VM1 on Server2 if Server1 fails. The solution must minimize hardware costs.

What should you do?

A. . On Server1, install the Multipath I/O (MPIO) feature. Modify the storage location of the VHDs for VM1.

B. From the Hyper-V Settings of Server2, modify the Replication Configuration settings. Enable replication for VM1.

C. On Server2, install the Multipath I/O (MPIO) feature. Modify the storage location of the VHDs for VM1.

D. From the Hyper-V Settings of Server1, modify the Replication Configuration settings. Enable replication for VM1.


Explanation/Reference:Explanation:You first have to enable replication on the Replica server—Server2--by going to the server and modifying the "Replication Configuration" settings under Hyper-Vsettings. You then go to VM1--which presides on Server1-- and run the "Enable Replication" wizard on VM1.


QUESTION 27You have a Hyper-V host named Server1 that runs Windows Server 2012 R2. Server1 contains a virtual machine named VM1 that runs Windows Server 2012 R2.

You fail to start VM1 and you suspect that the boot files on VM1 are corrupt.

On Server1, you attach the virtual hard disk (VHD) of VM1 and you assign the VHD a drive letter of F.


You need to repair the corrupt boot files on VM1.

What should you run?

A. bootrec.exe /rebuildbcd

B. bootrec.exe /scanos

C. bcdboot.exe f:\windows /s c:

D. bcdboot.exe c:\windows /s f:


Explanation/Reference:Explanation:Enables you to quickly set up a system partition, or to repair the boot environment located on the system partition. The system partition is set up by copying a simpleset of Boot Configuration Data (BCD) files to an existing empty partition.


Reference: BCDboot Command-Line Options

QUESTION 28DRAG DROPYour network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. All servers run Windows Server 2012R2.

All domain user accounts have the Division attribute automatically populated as part of the user provisioning process. The Support for Dynamic Access Control andKerberos armoring policy is enabled for the domain.

You need to control access to the file shares on Server1 based on the values in the Division attribute and the Division resource property.


Which three actions should you perform in sequence?

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:First create a claim type for the property, then create a reference resource property that points back to the claim. Finally set the classification value on the folder.

Configure the components and policy1. Create claim types2. Create resource properties

Deploy the central access policy


3. Assign the CAP to the appropriate shared folders on the file server.

Reference: Deploy a Central Access Policy (Demonstration Steps)https://technet.microsoft.com/en-us/library/hh846167.aspx

QUESTION 29You have a server named LON-DC1 that runs Windows Server 2012 R2. An iSCSI virtual disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in theexhibit. (Click the Exhibit button.)

You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt iSCSI target.


VirtualiSCSIl.vhd is removed from LON-DC1.

You need to assign VirtualiSCSI2.vhd a logical unit value of 0.

What should you do?

A. Modify the properties of the itgt ISCSI target.

B. Modify the properties of the VirtualiSCSI2.vhd iSCSI virtual disk.

C. Run the Set-VirtualDisk cmdlet and specify the -UniqueId parameter.

D. Run the iscsicli command and specify the reportluns parameter.


Explanation/Reference:Explanation:The virtual disk has the option to change the lun ID, no other option available in the answers appears to allow this change.

Note: Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not directly assigned to a server. For iSCSI, LUNs are assigned to logicalentities called targets.

QUESTION 30HOTSPOTYou have a file server named Server1 that runs Windows Server 2012 R2.

You need to ensure that you can use the NFS Share - Advanced option from the New Share Wizard in Server Manager.

Which two role services should you install?

To answer, select the appropriate two role services in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:File Server Resource Manager RoleFile Server Resource Manager is a set of features that allow you to manage and classify data that is stored on file servers.

Note: NFS Share – AdvancedThis advanced profile offers additional options to configure a NFS file share.

Set the folder owners for access-denied assistanceConfigure default classification of data in the folder for management and access policiesEnable quotas

Reference: How to share a folder in Windows Server 2012.

QUESTION 31DRAG DROPYour network contains an Active Directory domain named contoso.com. All file servers in the domain run Windows Server 2012 R2.

The computer accounts of the file servers are in an organizational unit (OU) named OU1. A Group Policy object (GPO) named GPO1 is linked to OU1.

You plan to modify the NTFS permissions for many folders on the file servers by using central access policies.

You need to identify any users who will be denied access to resources that they can currently access once the new permissions are implemented.

In which order should you Perform the five actions?

Select and Place:


Correct Answer:



Explanation/Reference:Explanation:* Configure a central access rule* Configure a central access policy (CAP) (with help of central access rules)* Deploy the central access policy (through GPO)* Modify security settings* Check the result


Reference: Deploy a Central Access Policy (Demonstration Steps)http://technet.microsoft.com/en-us/library/hh846167.aspx

QUESTION 32Your network contains 20 iSCSI storage appliances that will provide storage for 50 Hyper-V hosts running Windows Server 2012 R2.

You need to configure the storage for the Hyper-V hosts. The solution must minimize administrative effort.


A. Install the iSCSI Target Server role service and configure iSCSI targets.

B. Install the iSNS Server service feature and create a Discovery Domain.

C. Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties.

D. Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.


Explanation/Reference:Explanation:Windows Server 2012 includes an iSCSI Target role that, along with Failover Clustering, allows it to become a cost-effective and highly-available iSCSI StorageArray.

We can connect from our Hyper-V host to the iSCSI target on the storage array with the following PowerShell command line:

New-IscsiTargetPortal TargetPortalAddress <IP_Address or FQDN of storage array>

$target = Get-IscsiTarget

Connect-IscsiTarget NodeAddress $target.NodeAddress

Incorrect Answers:B. Discovery Domains in an iSCSIfabric, like zones in a Fibre Channel fabric, enable you to partition the storage resources in your storage area network (SAN). Bycreating and managing DiscoveryDomains, you can control the iSCSI targets that each iSCSI initiator can see and log on to.

References: Configure iSCSI Target Server Role on Windows Server 2012

QUESTION 33Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. Allclient computers run Windows 8.


You need to configure a custom Access Denied message that will be displayed to users when they are denied access to folders or files on Server1.



A. A classification property

B. The File Server Resource Manager Options

C. A file management task

D. A file screen template


Explanation/Reference:Explanation:Access-denied assistance can be configured by using the File Server Resource Manager console on the file server.

Note: Access-denied assistance is a new feature in Windows Server 2012, which provides the following ways to troubleshoot issues that are related to access tofiles and folders:

Self-assistance. If a user can determine the issue and remediate the problem so that they can get the requested access, the impact to the business is low, andno special exceptions are needed in the central access policy. Access-denied assistance provides an access-denied message that file server administrators cancustomize with information specific to their organizations. For example, an administrator could set the message so that users can request access from a dataowner without involving the file server administrator.

Reference: Scenario: Access-Denied Assistance

QUESTION 34DRAG DROPYou have a server that runs Windows Server 2012 R2.

You create a new work folder named Share1.

You need to configure Share1 to meet the following requirements:Ensure that all synchronized copies of Share1 are encrypted.


Ensure that clients synchronize to Share1 every 30 minutes.Ensure that Share1 inherits the NTFS permissions of the parent folder.

Which cmdlet should you use to achieve each requirement?

To answer, drag the appropriate cmdlets to the correct requirements. Each cmdlet may be used once, more than once, or not at all. You may need to drag the splitbar between panes or scroll to view content.

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:* (box 1) Set-SyncShare The Set-SyncShare cmdlet modifies the settings for a sync share./ parameter: -RequireEncryption<Boolean>Indicates whether the sync server requests that the contents of Work Folders be encrypted on each PC and device that accesses the sync share.

* (box 2) Set-SyncServerSettingsParameter: -MinimumChangeDetectionMins<UInt32>Specifies the time, in minutes, before the Sync Share server detects changes on devices and syncs the client and server.

* (box 3): Example: Modify a sync share to enable inherited permissionsThis command modifies settings on the share named Share01, and sets KeepParentFolderPermission to enable the share to inherit permissions from the parentfolder.


Windows PowerShellPS C:\> Set-SyncShare Share01 -KeepParentFolderPermission

Reference: Set-SyncShare; Set-SyncServerSettings

QUESTION 35HOTSPOTYour network contains an Active Directory domain named contoso.com. All client computers run Windows 8 Enterprise.

You have a remote site that only contains client computers. All of the client computer accounts are located in an organizational unit (OU) named Remote1. A GroupPolicy object (GPO) named GPO1 is linked to the Remote1 OU.

You need to configure BranchCache for the remote site.

Which two settings should you configure in GPO1?

To answer, select the two appropriate settings in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:BranchCache is disabled by default on client computers. Take the following steps to enable BranchCache on client computers:1. Turn on BranchCache.2. Enable either Distributed Cache mode or Hosted Cache mode.3. Configure the client firewall to enable BranchCache protocols.

Reference: BranchCache Early Adopter’s Guide, Client Configurationhttp://technet.microsoft.com/en-us/library/dd637820(v=ws.10).aspx

QUESTION 36You have a server named Server1 that runs Windows Server 2012 R2. The storage on Server1 is configured as shown in the following table.


You plan to implement Data Deduplication on Server1.

You need to identify on which drives you can enable Data Deduplication.

Which three drives should you identify? (Each correct answer presents part of the solution. Choose three.)

A. C

B. D

C. E

D. F

E. G

Correct Answer: BDESection: Volume AExplanation

Explanation/Reference:Explanation:Volumes that are candidates for deduplication must conform to the following requirements:* Must not be a system or boot volume. (not A)* Can be partitioned as a master boot record (MBR) or a GUID Partition Table (GPT), and must be formatted using the NTFS file system. (not C)* Can reside on shared storage, such as storage that uses a Fibre Channel or an SAS array, or when an iSCSI SAN and Windows Failover Clustering is fullysupported.* Do not rely on Cluster Shared Volumes (CSVs). You can access data if a deduplication-enabled volume is converted to a CSV, but you cannot continue to processfiles for deduplication.* Do not rely on the Microsoft Resilient File System (ReFS).* Must be exposed to the operating system as non-removable drives. Remotely-mapped drives are not supported.


Ref: Plan to Deploy Data Deduplicationhttp://technet.microsoft.com/en-us/library/hh831700.aspx

QUESTION 37Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.

You are creating a central access rule named TestFinance that will be used to audit members of the Authenticated Users group for access failure to shared foldersin the finance department.

You need to ensure that access requests are unaffected when the rule is published.

What should you do?

A. Add a User condition to the current permissions entry for the Authenticated Users principal.

B. Set the Permissions to Use the following permissions as proposed permissions.

C. Add a Resource condition to the current permissions entry for the Authenticated Users principal.

D. Set the Permissions to Use following permissions as current permissions.


Explanation/Reference:Explanation:Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.

Reference: Access Control and Authorization Overviewhttp://technet.microsoft.com/en-us/library/jj134043.aspx

QUESTION 38You create a new virtual disk in a storage pool by using the New Virtual Disk Wizard. You discover that the new virtual disk has a write-back cache of 1 GB.

You need to ensure that the virtual disk has a write-back cache of 5 GB.

What should you do?

A. Detach the virtual disk, and then run the Resize-VirtualDisk cmdlet.

B. Detach the virtual disk, and then run the Set-VirtualDisk cmdlet.

C. Delete the virtual disk, and then run the New-StorageSubSystemVirtualDisk cmdlet.

D. Delete the virtual disk, and then run the New-VirtualDisk cmdlet.



Explanation/Reference:Explanation:So what about changing the cache size? Well, you can't modify the cache size, but you can specify it at the time that you create a new virtual hard disk. In order todo so, you have to use Windows PowerShell.

New-VirtualDisk StoragePoolFriendlyName "<storage pool name>" FriendlyName "<v

Reference: Using Windows Server 2012's SSD Write-Back Cache

QUESTION 39Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers runWindows Server 2012 R2.

Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1.

You configure File Services and DHCP as clustered resources for Cluster1. Server1 is the active node for both clustered resources.

You need to ensure that if two consecutive heartbeat messages are missed between Server1 and Server2, Server2 will begin responding to DHCP requests. Thesolution must ensure that Server1 remains the active node for the File Services clustered resource for up to five missed heartbeat messages.


A. Affinity-None

B. Affinity-Single

C. The cluster quorum settings

D. The failover settings

E. A file server for general use

F. The Handling priority

G. The host priority

H. Live migration

I. The possible owner

J. The preferred owner


K. Quick migration

L. the Scale-Out File Server

Correct Answer: DSection: Volume BExplanation

Explanation/Reference:Explanation:The number of heartbeats that can be missed before failover occurs is known as the heartbeat threshold. Heartbeat threshold is failover clustering setting.

Reference: Tuning Failover Cluster Network Thresholdshttp://technet.microsoft.com/en-us/library/dn265972.aspxhttp://technet.microsoft.com/en-us/library/dd197562(v=ws.10).aspx http://blogs.msdn.com/b/clustering/archive/2012/11/21/10370765.aspx



You add two additional nodes to Cluster1. You need to ensure that Cluster1 stops running if three nodes fail.


A. Affinity-None

B. Affinity-Single






H. Live migration



K. Quick migration



Correct Answer: CSection: Volume BExplanation

Explanation/Reference:Explanation:The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain.

Reference: Understanding Quorum Configurations in a Failover Cluster http://technet.microsoft.com/en-us/library/cc731739.aspx

QUESTION 41Information and details provided in a question App1y only to that question.

Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers runWindows Server 2012 R2. Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as nodes in an NLB clusternamed Cluster1.

Cluster1 hosts a secure web Application named WebApp1. WebApp1 saves user state information locally on each node.

You need to ensure that when users connect to WebApp1, their session state is maintained.


A. Affinity-None

B. Affinity-Single






H. Live migration



K. Quick migration


Correct Answer: B


Section: Volume BExplanation

Explanation/Reference:Explanation:Client AffinityNLB offers three types of client affinity to minimize response time to clients and provide generic support for preserving session state. Each affinity specifies adifferent method for distributing client requests.

Affinity Single: SingleMultiple requests from the same client must access the same member; useful for clusters within an intranet.

This affinity provides the best support for clients that use sessions on an intranet. These clients cannot use No affinity because their sessions could be disrupted.

Incorrect:Not A. Affinity none: Multiple requests from the same client can access any member; useful for clusters that do not store session state information on individualmembers.

Reference: Using NLBhttp://technet.microsoft.com/en-us/library/bb687542.aspx



You add two additional nodes in Cluster1.

You have a folder named Folder1 on Server1 that hosts Application data. Folder1 is a folder target in a Distributed File System (DFS) namespace.

You need to provide highly available access to Folder1. The solution must support DFS Replication to Folder1.


A. Affinity-None

B. Affinity-Single







H. Live migration



K. Quick migration

L. The Scale-Out File Server

Correct Answer: ESection: Volume BExplanation

Explanation/Reference:Explanation:File Server for general use

Note: You can deploy and configure a clustered file server by using either of the following methods:* File Server for general use.


This is the continuation of the clustered file server that has been supported in Windows Server since the introduction of Failover Clustering. This type of clusteredfile server, and therefore all the shares associated with the clustered file server, is online on one node at a time. This is sometimes referred to as active-passive ordual-active. File shares associated with this type of clustered file server are called clustered file shares. This is the recommended file server type when deployinginformation worker scenarios.

* Scale-Out File Server for application dataThis clustered file server feature was introduced in Windows Server 2012, and it lets you store server application data, such as Hyper-V virtual machine files, on fileshares, and obtain a similar level of reliability, availability, manageability, and high performance that you would expect from a storage area network. All file sharesare simultaneously online on all nodes. File shares associated with this type of clustered file server are called scale-out file shares. This is sometimes referred to asactive- active. This is the recommended file server type when deploying either Hyper-V over Server Message Block (SMB) or Microsoft SQL Server over SMB.

Reference: Scale-Out File Server for Application Data Overview

QUESTION 43Your network contains an Active Directory domain named contoso.com. The domain contains three servers named Server1, Server2, and Server3 that runWindows Server 2012 R2. All three servers have the Hyper-V server role installed and the Failover Clustering feature installed.

Server1 and Server2 are nodes in a failover cluster named Cluster1. Several highly available virtual machines run on Cluster1. Cluster1 has the Hyper-V ReplicaBroker role installed. The Hyper-V Replica Broker currently runs on Server1.

Server3 currently has no virtual machines.

You need to configure Cluster1 to be a replica server for Server3 and Server3 to be a replica server for Cluster1.

Which two tools should you use? (Each correct answer presents part of the solution. Choose two.)

A. The Hyper-V Manager console connected to Server3

B. The Failover Cluster Manager console connected to Server3

C. The Hyper-V Manager console connected to Server1.

D. The Failover Cluster Manager console connected to Cluster1

E. The Hyper-V Manager console connected to Server2

Correct Answer: ADSection: Volume BExplanation

Explanation/Reference:Explanation:A. To configure the Replica server [on a server that is not part of a cluster which in this case is Server3]

1. In Hyper-V Manager, click Hyper-V Settings in the Actions pane.2. In the Hyper-V Settings dialog, click Replication Configuration.


3. In the Details pane, select Enable this computer as a Replica server.Etc.

D. To configure a Replica server that is part of a failover cluster.1. In Server Manager, open Failover Cluster Manager.2. In the left pane, connect to the cluster, and while the cluster name is highlighted, click Roles in the Navigate category of the Details pane.3. Right-click the role and choose Replication Settings.4. In the Details pane, select Enable this cluster as a Replica server.

Reference: Deploy Hyper-V Replica , Step 2: Enable Replication http://technet.microsoft.com/en-us/library/jj134240.aspx

QUESTION 44Your network contains an Active Directory domain named contoso.com. The domain contains a file server named File1 that runs a Server Core Installation ofWindows Server 2012 R2.

File1 has a volume named D that contains home folders. File1 creates a shadow copy of volume D twice a day.

You discover that volume D is almost full.

You add a new volume named H to File1.

You need to ensure that the shadow copies of volume D are stored on volume H.

Which command should you run?


A. The Set-Volume cmdlet with the -driveletter parameter

B. The vssadmin.exe create shadow command

C. The Set-Volume cmdlet with the -path parameter

D. The vssadmin.exe add shadowstorage command



Explanation/Reference:Explanation:Add ShadowStorageAdds a shadow copy storage association for a specified volume.

Incorrect Answers:A. Sets or changes the file system label of an existing volume. -DriveLetter Specifies a letter used to identify a drive or volume in the system.

B. Create ShadowCreates a new shadow copy of a specified volume.

C. Sets or changes the file system label of an existing volume -Path Contains valid path information.

References: Vssadmin; Set-Volumehttps://technet.microsoft.com/en-us/library/cc754968(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/hh848673(v=wps.620).aspx

QUESTION 45You have a server named Server1 that runs Windows Server 2012 R2. Server1 has a single volume that is encrypted by using BitLocker Drive Encryption(BitLocker).

BitLocker is configured to save encryption keys to a Trusted Platform Module (TPM). Server1 is configured to perform a daily system image backup.

The motherboard on Server1 is upgraded.

After the upgrade, Windows Server 2012 R2 on Server1 fails to start.

You need to start the operating system on Server1 as soon as possible.

What should you do?

A. Start Server1 from the installation media. Run startrec.exe.

B. Move the disk to a server that has a model of the old motherboard. Start the server from the installation media. Run bcdboot.exe.

C. Move the disk to a server that has a model of the old motherboard. Start the server. Run tpm.msc.

D. Start Server1 from the installation media. Perform a system image recovery.



Explanation/Reference:Explanation:By moving the hard drive to server with that has a model of the old motherboard the system would be able to start. As BitLocker was configured to save encryptionkeys to a Trusted Platform Module (TPM), we can use tpm.msc to access the TPM settings.

Note: After you replaced the motherboard, you need to repopulate the TPM with new information regarding the encryption of the hard disk.We use these commands to repopulate the information in the TPM (without PIN):manage-bde delete -protectors C: -type TPMmanage-bde protectors add C: -tpm

Incorrect Answers:D. After the system image recovery you would still have the new motherboard installed. The problem would return.

References: BitLocker - New motherboard replacement

QUESTION 46Your network contains two servers that run Windows Server 2012 R2 named Server1 and Server2. Both servers have the File Server role service installed.

On Server2, you create a share named Backups.From Windows Server Backup on Server1, you schedule a full backup to run every night. You set the backup destination to \\Server2 \Backups.

After several weeks, you discover that \\Server2\Backups only contains the last backup that completed on Server1.

You need to ensure that multiple backups of Server1 are maintained.

What should you do?

A. Modify the Volume Shadow Copy Service (VSS) settings.

B. Modify the properties of the Windows Store Service (WSService) service.

C. Change the backup destination.

D. Configure the permission of the Backups share.


Explanation/Reference:Explanation/Reference:The destination in the exhibit shows a network share is used. If a network share is being used only the latest copy will be saved.


Reference: Where should I save my backup?http://windows.microsoft.com/en-us/windows7/where-should-i-save-my-backup

QUESTION 47Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 have the Hyper-V server role installed.Server1 and Server2 are configured as Hyper-V replicas of each other.

Server2 hosts a virtual machine named VM5. VM5 is replicated to Server1.


You need to verify whether the replica of VM5 on Server1 is functional. The solution must ensure that VM5 remains accessible to clients.

What should you do from Hyper-V Manager?

A. On Server1, execute a Planned Failover.

B. On Server1, execute a Test Failover.

C. On Server2, execute a Planned Failover.

D. On Server2, execute a Test Failover.

Correct Answer: BSection: Volume BExplanation

Explanation/Reference:Explanation:Test Failover (TFO) is an operation initiated on your replica virtual machine (in this scenario on Server1) which allows you to test the sanity of the virtualizedworkload without interrupting your production workload or ongoing replication.

TFO is performed on the replica virtual machine by right-clicking on the VM and choosing the Test Failover operation (either from the Hyper-V Manager or from theFailover Clustering Manager).

Reference: Types of failover operations in Hyper-V Replica Part I Test Failover.

QUESTION 48HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server2012 R2. The servers have the Hyper-V server role installed.

A certification authority (CA) is available on the network.

A virtual machine named vml.contoso.com is replicated from Server1 to Server2. A virtual machine named vm2.contoso.com is replicated from Server2 to Server1.

You need to configure Hyper-V to encrypt the replication of the virtual machines.

Which common name should you use for the certificates on each server?

To answer, configure the appropriate common name for the certificate on each server in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:Hyper-V Replica Certificate RequirementsIf you want to use HTTPS, then you will need to create certificates for the hosts/clusters in both the primary and secondary sites.

Reference: Use Hyper-V Replica over HTTPS/SSL: Configuring Certificates.

QUESTION 49DRAG DROP


Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.

You plan to install the Active Directory Federation Services server role on Server1 to allow for Workplace Join.

You run nslookup enterprise registration and you receive the following results:

You need to create a certificate request for Server1 to support the Active Directory Federation Services (AD FS) installation.

How should you configure the certificate request?To answer, drag the appropriate names to the correct locations. Each name may be used once, more than once, or not at all. You may need to drag the split barbetween panes or scroll to view content.

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:Obtain a server SSL certificate from either a public certificate authority (CA) or from your organization's PKI subordinate CA that is trusted by a public certificateauthority.

The server SSL certificate must have the following certificate attributes to be used with Workplace Join:

- Subject Name (CN): adfs1.contoso.com - Subject Alternative Name (DNS): adfs1.contoso.com - Subject Alternative Name (DNS): enterpriseregistration.contoso.com

Reference: Why R2? Step-by-Step: Solve BYOD Challenges with Workplace Join in Windows Server 2012 R2 and Windows 8.1

QUESTION 50Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1is an enterprise root certification authority (CA) for contoso.com.

Your user account is assigned the certificate manager role and the auditor role on the contoso.com CA. Your account is a member of the local Administrators groupon Server1.You enable CA role separation on Server1.


You need to ensure that you can manage the certificates on the CA.

What should you do?

A. Remove your user account from the local Administrators group.

B. Assign the CA administrator role to your user account.

C. Assign your user account the Bypass traverse checking user right.

D. Remove your user account from the Manage auditing and security log user right.


Explanation/Reference:Explanation:The separation of CA roles can be enforced using role separation. Once enforced, role separation only allows a user to be assigned a single role. If a user isassigned to more than one role and attempts to perform an operation on the CA, the operation is denied. For this reason, before role separation is enabled, a usershould be assigned only one CA role.

Reference: Role Separation

QUESTION 51Your network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2 that run Windows Server 2012R2. Server1 has the Active Directory Federation Services server role installed. Server2 is a file server.

Your company introduces a Bring Your Own Device (BYOD) policy.

You need to ensure that users can use a personal device to access domain resources by using Single Sign-On (SSO) while they are connected to the internalnetwork.


A. Enable the Device Registration Service in Active Directory.

B. Publish the Device Registration Service by using a Web Application Proxy.

C. Configure Active Directory Federation Services (AD FS) for the Device Registration Service.

D. Create and configure a sync share on Server2.

E. Install the Work Folders role service on Server2.

Correct Answer: ACSection: Volume B


Explanation

Explanation/Reference:Explanation:* Workplace Join leverages a feature included in the Active Directory Federation Services (AD FS) Role in Windows Server 2012 R2, called Device RegistrationService (DRS). DRS provisions a device object in Active Directory when a device is Workplace Joined. Once the device object is in Active Directory, attributes ofthat object can be retrieved and used to provide conditional access to resources and applications. The device identity is represented by a certificate which is set onthe personal device by DRS when the device is Workplace Joined.

* In Windows Server 2012 R2, AD FS and Active Directory Domain Services have been extended to comprehend the most popular mobile devices and provideconditional access to enterprise resources based on user+device combinations and access policies. With these policies in place, you can control access based onusers, devices, locations, and access times.

Reference: BYOD Basics: Enabling the use of Consumer Devices using Active Directory in Windows Server 2012 R2


The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA).

All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card.

A user named User1 resigned and started to work for a competing company.

You need to prevent User1 immediately from logging on to any computer in the domain.

The solution must not prevent other users from logging on to the domain.


A. Active Directory Administrative Center

B. Certificate Templates

C. The Security Configuration Wizard

D. The Certificates snap-in

Correct Answer: ASection: Volume BExplanation



To disable or enable a user account using Active Directory Administrative Center1. To open Active Directory Administrative Center, click Start , click Administrative Tools , and then click Active Directory Administrative Center.2. To open Active Directory Users and Computers in Windows Server 2012, click Start , type dsac.exe.3. In the navigation pane, select the node that contains the user account whose status you want to change.4. In the management list, right-click the user whose status you want to change.5. Depending on the status of the user account, do one of the following:

To disable the user account, click Disable.To enable the user account, click Enable.

References: Disable or Enable a User Accounthttps://www.pcwdld.com/active-directory-users-computers-not-showing-administrative-tools

QUESTION 53DRAG DROPYour network contains two Active Directory forests named contoso.com and adatum.com. All domain controllers run Windows Server 2012 R2.

A federated trust exists between adatum.com and contoso.com. The trust provides adatum.com users with access to contoso.com resources.

You need to configure Active Directory Federation Services (AD FS) claim rules for the federated trust.

The solution must meet the following requirements:In contoso.com, replace an incoming claim type named Group with an outgoing claim type named Role.In adatum.com, allow users to receive their tokens for the relying party by using their Active Directory group membership as the claim type.

The AD FS claim rules must use predefined templates.

Which rule types should you configure on each side of the federated trust?

To answer, drag the appropriate rule types to the correct location or locations. Each rule type may be used once, more than once, or not at all. You may need todrag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:



Explanation/Reference:Explanation:* Acceptance transform rule setA set of claim rules that you use on a particular claims provider trust to specify the incoming claims that will be accepted from the claims provider organization andthe outgoing claims that will be sent to the relying party trust.Used on: Claims provider trusts

* Issuance Authorization Rule SetA set of claim rules that you use on a relying party trust to specify the claims that will be issued to the relying party.Used on: Relying party trusts

Reference: The Role of Claim Ruleshttp://technet.microsoft.com/zh-cn/library/ee913586(v=WS.10).aspx

QUESTION 54You have a datacenter that contains six servers. Each server has the Hyper-V server role installed and runs Windows Server 2012 R2. The servers are configuredas shown in the following table.

Host4 and Host5 are part of a cluster named Cluster1. Cluster1 hosts a virtual machine named VM1.

You need to move VM1 to another Hyper-V host. The solution must minimize the downtime of VM1.

To which server and by which method should you move VM1?

A. To Host3 by using a storage migration

B. To Host6 by using a storage migration


C. To Host2 by using a live migration

D. To Host1 by using a quick migration


Explanation/Reference:Explanation:With Hyper-V live migration, you can move running VMs from one Hyper-V physical host to another without any disruption of service or perceived downtime.

Host3 has an Intel processer, as does Host4 and Host5 in Cluster1, so the migration will work fine.

Incorrect Answers:B, C. The migration of a virtual machine between physical computers is only supported on computers that have the same processor steppings or are from the samevendor. Therefore, you cannot move a virtual machine from a Hyper-V host on an Intel-based server to a Hyper-V Host on an AMD-based server.D. Quick Migration saves, moves and restores VMs, which results in some downtime.

References:https://technet.microsoft.com/en-us/library/ee849855(v=WS.10).aspxhttps://technet.microsoft.com/en-us/library/hh831656.aspxhttp://www.microsoft.com/en-us/download/details.aspx? id=12601

QUESTION 55DRAG DROPYou have two failover clusters named Cluster1 and Cluster2. All of the nodes in both of the clusters run Windows Server 2012 R2.

Cluster1 hosts two virtual machines named VM1 and VM2.

You plan to configure VM1 and VM2 as nodes in a new failover cluster named Cluster3.

You need to configure the witness disk for Cluster3 to be hosted on Cluster2.

Which three actions should you perform in sequence?To answer, move the appropriate three actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:



Explanation/Reference:Note:* Use the Create Clustered File Server WizardWhen you create a Scale-Out File Server Cluster from existing servers, the Create Clustered File ServerWizard does the following:1. Enables the file server role on the computers (box 1) 2. Enables the Scale-Out File Server role on the cluster (box 2)3. Adds the provisioned computers as a Scale-Out File Server cluster under VMM management* VMM provides support for the Microsoft iSCSI Software Target by using an SMI-S provider. Microsoft iSCSI is now fully integrated into Windows Server 2012.* Scale-Out File Server-- As of System Center 2012 R2, VMM can create a Scale-Out File Server and manage its storage.


Reference: How to Create a Scale-Out File Server in VMM

QUESTION 56Your network contains four Active Directory forests. Each forest contains an Active Directory Rights Management Services (AD RMS) root cluster.

All of the users in all of the forests must be able to access protected content from any of the forests.

You need to identify the minimum number of AD RMS trusts required.

How many trusts should you identify?

A. 3

B. 6

C. 12

D. 16


Explanation/Reference:Explanation:The number of AD RMS trusts required to interact between all AD RMS forests can be defined by using the following formula: N*(N-1).Here N=4, so the number of trust is 12 (4*3).

References: AD RMS Prerequisites, Important considerations for installing AD RMS in a multi-forest environment

QUESTION 57HOTSPOTYour network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using theURL http://app1.contoso.com.



You deploy a new server named Server3 that runs Windows Server 2012 R2. The contoso.com DNS zone contains the records shown in the following table.

You need to add Server3 to the NLB cluster.

What command should you run?To answer, select the appropriate options in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:* The Add-NlbClusterNode cmdlet adds a new node to the NLB cluster. Once the new node settings are circulated through all of the NLB cluster node, the newcluster node will be in a running state in the cluster.

* The Get-NlbClusterNode cmdlet retrieves information about a node in the NLB cluster.

* EXAMPLE: This command adds host node2 to the cluster on node1.C:\PS>

Get-NlbCluster node1 | Add-NlbClusterNode -NewNodeName node2 -NewNodeInterface vlan-3


Name State Interface HostID

---- ----- --------- ------

node2 Converged vlan-3 2

Reference: Get-NlbClusterNode; Add-NlbClusterNode

QUESTION 58DRAG DROPYour network contains an Active Directory domain named contoso.com. The domain contains four member servers named Server1, Server2, Server3, and Server4.All servers run Windows Server 2012 R2.

Server1 and Server3 are located in a site named Site1. Server2 and Server4 are located in a site named Site2. The servers are configured as nodes in a failovercluster named Cluster1.

Dynamic quorum management is disabled.

Cluster1 is configured to use the Node Majority quorum configuration.

You need to ensure that users in Site2 can access Cluster1 if the network connection between the two sites becomes unavailable.

What should you run from Windows PowerShell?To answer, drag the appropriate commands to the correct location. Each command may be used once, more than once, or not at all. You may need to drag the splitbar between panes or scroll to view content.

Select and Place:


Correct Answer:


Explanation/Reference:Explanation:NodeWeight settings are used during quorum voting to support disaster recovery and multi-subnet scenarios for AlwaysOn Availability Groups and SQL ServerFailover Cluster Instances.


Example (Powershell)The following example changes the NodeWeight setting to remove the quorum vote for the “AlwaysOnSrv1” node.Import-Module FailoverClusters

$node = “AlwaysOnSrv1”(Get-ClusterNode $node).NodeWeight = 0

Reference: Configure Cluster Quorum NodeWeight Settings.


Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as nodes in an NLB cluster named Cluster1.

Port rules are configured for all clustered Applications.

You need to ensure that Server2 handles all client requests to the cluster that are NOT covered by a port rule.


A. Affinity-None

B. Affinity-Single






H. Live migration



K. Quick migration


Correct Answer: GSection: Volume BExplanation


Explanation/Reference:Explanation:Host PrioritiesEach cluster host is assigned a unique host priority in the range of 1 to 32, where lower numbers denote higher priorities. The host with the highest host priority(lowest numeric value) is called the default host. It handles all client traffic for the virtual IP addresses that is not specifically intended to be load-balanced. Thisensures that server applications not configured for load balancing only receive client traffic on a single host. If the default host fails, the host with the next highestpriority takes over as default host.

Reference: Network Load Balancing Technical Overviewhttp://technet.microsoft.com/en-us/library/bb742455.aspx



Cluster1 hosts an Application named App1.

You need to ensure that Server2 handles all of the client requests to the cluster for App1. The solution must ensure that if Server2 fails, Server1 becomes the activenode for App1.


A. Affinity-None

B. Affinity-Single






H. Live migration



K. Quick migration


Correct Answer: JSection: Volume B


Explanation

Explanation/Reference:Explanation:The preferred owner in a two-server cluster will always be the active node unless it is down.

Reference: Preferred Owners in a Clusterhttp://blogs.msdn.com/b/clustering/archive/2008/10/14/9000092.aspx



You add two additional nodes to Cluster1.You have a folder named Folder1 on Server1 that contains Application data.

You plan to provide continuously available access to Folder1.

You need to ensure that all of the nodes in Cluster1 can actively respond to the client requests for Folder1.


A. Affinity-None

B. Affinity-Single






H. Live migration



K. Quick migration


Correct Answer: LSection: Volume B


Explanation

Explanation/Reference:Explanation:Scale-Out File Server is a feature that is designed to provide scale-out file shares that are continuously available for file-based server application storage. Scale-outfile shares provides the ability to share the same folder from multiple nodes of the same cluster.

Note: You can deploy and configure a clustered file server by using either of the following methods:* Scale-Out File Server for Application data (Scale-Out File Server)* File Server for general use

Scale-Out File Server for Application data (Scale-Out File Server) This clustered file server is introduced in Windows Server 2012 R2 and lets you store serverApplication data, such as Hyper-V virtual machine files, on file shares, and obtain a similar level of reliability, availability, manageability, and high performance thatyou would expect from a storage area network. All file shares are online on all nodes simultaneously. File shares associated with this type of clustered file serverare called scale-out file shares. This is sometimes referred to as active-active.

Reference: Scale-Out File Server for Application Data Overview http://technet.microsoft.com/en-us/library/hh831349.aspx

QUESTION 62DRAG DROP

Your network contains two Active Directory forests named contoso.com and adatum.com. Each forest contains an Active Directory Rights Management Services(AD RMS) root cluster. All servers run Windows Server 2012 R2.

You need to ensure that the rights account certificates issued in adatum.com are accepted by the AD RMS root cluster in contoso.com.

What should you do in each forest?

To answer, drag the appropriate actions to the correct forests. Each action may be used once, more than once, or not at all. You may need to drag the split barbetween panes or scroll to view content.

Select and Place:


Correct Answer:




A trusted user domain, often referred as a TUD, is a trust between AD RMS clusters that instructs a licensing server to accept rights account certificates (thecertificates identifying users) from another AD RMS server in a different Active Directory forest. An AD RMS trust is not the same as an Active Directory trust, but itis similar in that it refers to the ability of one environment to accept identities from another environment as valid subjects.

Illustration:

Reference: Trusted User Domain

QUESTION 63HOTSPOTYour network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

The network has the physical sites and TCP/IP subnets configured as shown in the following table.


You have a web application named App1 that is hosted on six separate Web servers. DNS has the host names and IP addresses registered as shown in thefollowing table.

You discover that when users connect to appl.contoso.com, they are connected frequently to a server that is not on their local subnet.

You need to ensure that when the users connect to appl.contoso.com, they connect to a server on their local subnet. The connections must be distributed acrossthe servers that host appl.contoso.com on their subnet.

Which two settings should you configure?To answer, select the appropriate two settings in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:DNS Round Robin is a mechanism for choosing an IP address from the list returned by a DNS server so that all clients won't get the same IP address every time.Netmask ordering is a mechanism for further optimizing which IP address is used by attempting to determine the closest result.

Reference: DNS Round Robin and Destination IP address selection

QUESTION 64You have a server named Server1 that runs Windows Server 2012 R2. Server1 is located in the perimeter network and has the DNS Server server role installed.

Server1 has a zone named contoso.com.You App1y a security template to Server1.

After you App1y the template, users report that they can no longer resolve names from contoso.com. On Server1, you open DNS Manager as shown in the DNSexhibit. (Click the Exhibit button.)

On Server1, you open Windows Firewall with Advanced Security as shown in the Firewall exhibit.


(Click the Exhibit button.)

You need to ensure that users can resolve contoso.com names.

What should you do?

A. From Windows Firewall with Advanced Security, disable the DNS (TCP, Incoming) rule and the DNS (UDP, Incoming) rule.

B. From DNS Manager, modify the Zone Transfers settings of the contoso.com zone.

C. From DNS Manager, unsign the contoso.com zone.

D. From DNS Manager, modify the Start of Authority (SOA) of the contoso.com zone.

E. From Windows Firewall with Advanced Security, modify the profiles of the DNS (TCP, Incoming) rule and the DNS (UDP, Incoming) rule.

Correct Answer: ESection: Volume BExplanation

Explanation/Reference:


Explanation:To configure Windows Firewall on a managed DNS server

On the Server Manager menu, click Tools and then click Windows Firewall with Advanced Security.Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard will launch.In Rule Type, select Predefined, choose DNS Service from the list, and then click Next.In Predefined Rules, under Rules, select the checkboxes next to the following rules:

- RPC (TCP, Incoming)- DNS (UDP, Incoming)- DNS (TCP, Incoming)- RPC Endpoint Mapper (TCP, Incoming)

Click Next, choose Allow the connection, and then click Finish.Right-click Inbound Rules, and then click New Rule. The New Inbound Rule Wizard will launch.

etc.

Reference: Manually Configure DNS Access Settings

QUESTION 65Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2012 R2.

The domain contains four servers. The servers are configured as shown in the following table.

You need to deploy IP Address Management (IPAM) to manage DNS and DHCP.


On which server should you install IPAM?

A. DC1

B. DC2

C. DC3

D. Server1


Explanation/Reference:Explanation:IPAM cannot be installed on Domain Controllers. All servers, except Server1, have the DC role

References: IP Address Management (IPAM) Overviewhttps://technet.microsoft.com/en-us/library/hh831353.aspx

QUESTION 66Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2.

You install the DHCP Server server role on Server1 and Server2. You install the IP Address Management (IPAM) Server feature on Server1.

You notice that you cannot discover Server1 or Server2 in IPAM.

You need to ensure that you can use IPAM to discover the DHCP infrastructure.


A. On Server2, create an IPv4 scope.

B. On Server1, run the Add-IpamServerInventory cmdlet.

C. On Server2, run the Add-DhcpServerInDc cmdlet

D. On both Server1 and Server2, run the Add-DhcpServerv4Policy cmdlet.

E. On Server1, uninstall the DHCP Server server role.

Correct Answer: BCSection: Volume BExplanation


Explanation/Reference:Explanation:B. The Add-IpamServerInventory cmdlet adds a new infrastructure server to the IP Address Management (IPAM) server inventory. Use the fully qualified domainname (FQDN) of the server to add to the server inventory.C. The Add-DhcpServerInDC cmdlet adds the computer running the DHCP server service to the list of authorized Dynamic Host Configuration Protocol (DHCP)server services in the Active Directory (AD). A DHCP server service running on a domain joined computer needs to be authorized in AD so that it can start leasingIP addresses on the network.

Reference: Add-IpamServerInventory; Add-DhcpServerInDC

QUESTION 67Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and hasthe DHCP Server server role installed. Server1 has an IPv6 scope named Scope1.

You implement an additional DHCP server named Server2 that runs Windows Server 2012 R2.

You need to provide high availability for Scope1. The solution must minimize administrative effort.

What should you do?


A. Install and configure Network Load Balancing (NLB) on Server1 and Server2.

B. Create a scope on Server2.

C. Configure DHCP failover on Server1.

D. Install and configure Failover Clustering on Server1 and Server2.


Explanation/Reference:Explanation:Overview: Configure DHCP failover using the DHCP consoleTo configure DHCP failover using the DHCP console, right-click a DHCP scope or right-click IPv4 and then click Configure Failover.


The Configure Failover wizard guides you through configuring DHCP failover on the selected scope.

Note: The DHCP server failover feature, available in Windows Server 2012 and later, provides the ability to have two DHCP servers provide IP addresses andoption configuration to the same subnet or scope, providing for continuous availability of DHCP service to clients.

Incorrect Answers:A. NLB is not related to DHCP scope availability.

B. DHCP failover requirements include:DHCP Scopes requirement:At least one IPv4 DHCP scope must be configured on the primary DHCP server.The same DHCP scope ID, or an overlapping scope, must not be configured on the failover partner.

D. Failover clustering is possibly, but would not minimize administration.

References: Deploy DHCP Failover

QUESTION 68Your network contains two Active Directory forests named contoso.com and corp.contoso.com.


User1 is a member of the DnsAdmins domain local group in contoso.com.

User1 attempts to create a conditional forwarder to corp.contoso.com but receive an error message shown in the exhibit. (Click the Exhibit button.)


You need to configure bi-directional name resolution between the two forests.


A. Add User1 to the DnsUpdateProxy group.


B. Configure the zone to be Active Directory-integrated.

C. Enable the Advanced view from DNS Manager.

D. Run the New Delegation Wizard.


Explanation/Reference:Explanation:The zone must be Active Directory-integrated.

QUESTION 69Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and isconfigured as a standalone certification authority (CA).

You install a second server named Server2. You install the Online Responder role service on Server2.

You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP) Response Signing certificate to Server2.

What should you run on Server1?

A. The certreq.exe command and specify the -policy parameter

B. The certutil.exe command and specify the -getkey parameter

C. The certutil.exe command and specify the -setreg parameter

D. The certreq.exe command and specify the -retrieve parameter


Explanation/Reference:Explanation:To prepare a computer running Windows Server to issue OCSP Response Signing certificates

On the server hosting the CA, open a command prompt, and type:certutil -v-setreg policy\EnableRequestExtensionList +1.3.6.1.5.5.7.48.1.5Stop and restart the CA. You can do this at a command prompt by running the following commands:

- net stop certsvc- net start certsvc


References: Configure a CA to Support OCSP Respondershttps://technet.microsoft.com/en-us/library/cc732526.aspx

QUESTION 70Your network contains two Active Directory forests named contoso.com and adatum.com. Each forest contains one domain. Contoso.com has a two-way foresttrust to adatum.com. Selective authentication is enabled on the forest trust.

Contoso contains 10 servers that have the File Server role service installed. Users successfully access shared folders on the file servers by using permissionsgranted to the Authenticated Users group.

You migrate the file servers to adatum.com.

Contoso users report that after the migration, they are unable to access shared folders on the file servers.

You need to ensure that the Contoso users can access the shared folders on the file servers.

What should you do?

A. Disable selective authentication on the existing forest trust.

B. Disable SID filtering on the existing forest trust.

C. Run netdom and specify the /quarantine attribute.

D. Replace the existing forest trust with an external trust.


Explanation/Reference:Explanation:Although it is not recommended, you can use this procedure to disable security identifier (SID) filter quarantining for an external trust with the Netdom.exe tool. Youshould consider disabling SID filter quarantining only in the following situations:* Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain(the former domain of the migrated users) based on the sIDHistory attribute.

Etc.

Reference: Disabling SID filter quarantininghttp://technet.microsoft.com/en-us/library/cc794713(v=ws.10).aspx

QUESTION 71Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is


Windows Server 2003.

You have a domain outside the forest named adatum.com.

You need to configure an access solution to meet the following requirements:Users in adatum.com must be able to access resources in contoso.com.Users in adatum.com must be prevented from accessing resources in fabrikam.com.Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com.

What should you create?

A. a one-way realm trust from contoso.com to adatum.com

B. a one-way realm trust from adatum.com to contoso.com

C. a one-way external trust from contoso.com to adatum.com

D. a one-way external trust from adatum.com to contoso.com


Explanation/Reference:Explanation:The contoso domain must trust the adatum domain.

Note: In a One-way: incoming trust, users in your (trusted) domain can be authenticated in the other (trusting) domain. Users in the other domain cannot beauthenticated in your domain.

Incorrect Answers:A, B: Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server domain.D: The resources that are to be shared are in the contoso domain.

References: Trust types

QUESTION 72Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest functional level is Windows Server 2012 R2.You have a domain controller named DC1.

On DC1, you create a new Group Policy object (GPO) named GPO1. You need to verify that GPO1 was replicated to all of the domain controllers.Which tool should you use?

A. Group Policy Management


B. Active Directory Sites and Services

C. DFS Management

D. Active Directory Administrative Center


Explanation/Reference:Explanation:In Windows Server 2012, the Group Policy Management Console (GPMC) was enhanced to provide a report for the overall health state of the Group Policyinfrastructure for a domain, or to scope the health view to a single GPO.

Reference: Check Group Policy Infrastructure Statushttp://technet.microsoft.com/en-us/library/jj134176.aspx

QUESTION 73Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs a Server Core installation ofWindows Server 2012 R2.

You need to deploy a certification authority (CA) to Server1. The CA must support the auto-enrollment of certificates.

Which two cmdlets should you run? (Each correct answer presents part of the solution. Choose two.)

A. Add-CAAuthoritylnformationAccess

B. Install-AdcsCertificationAuthority

C. Add-WindowsFeature

D. Install-AdcsOnlineResponder

E. Install-AdcsWebEnrollment

Correct Answer: BESection: Volume BExplanation

Explanation/Reference:ExplanationB. The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service. It can be used to install a root CA.Example:Install-AdcsCertificationAuthority –CAType StandaloneRootCA –CACommonName "ContosoRootCA" –KeyLength 2048 –HashAlgorithm SHA1–CryptoProviderName "RSA#Microsoft Software Key Storage Provider"


E: The Install-AdcsWebEnrollment cmdlet performs initial installation and configuration of the Certification Authority Web Enrollment role service.

Note: Prior to the availability of Certificate Enrollment Web Services, AD CS required that client computers configured for certificate auto-enrollment be connecteddirectly to the corporate network. Certificate Enrollment Web Services allows organizations to enable AD CS using a perimeter network. This allows users andcomputers outside the corporate network to enroll for certificates.

Certificate Enrollment web service

Reference: Deploying AD CS Using Windows PowerShell

QUESTION 74Your company recently deployed a new Active Directory forest named contoso.com. The forest contains two Active Directory sites named Site1 and Site2. The firstdomain controller in the forest runs Windows Server 2012 R2.

You need to force the replication of the SYSVOL folder from Site1 to Site2.


A. Active Directory Sites and Services

B. DFS Management

C. Repadmin

D. Dfsrdiag



Explanation/Reference:Explanation:In Windows Server 2012 R2, Windows Server 2008 R2, or Windows Server 2008, you can force replication immediately by using DFS Management, as describedin Edit Replication Schedules. You can also force replication by using the Dfsrdiag SyncNow command. You can force polling by using the Dfsrdiag PollADcommand.

Reference: DFS Replication: Frequently Asked Questions (FAQ) http://technet.microsoft.com/en-us/library/cc773238(v=ws.10).aspx#BKMK_072

QUESTION 75Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest contains three Active Directory sites namedSiteA, SiteB, and SiteC. The sites contain four domain controllers. The domain controllers are configured as shown in the following table.

An IP site link exits between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB.

You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the domain controllers in SiteB are unavailable.

What should you do?

A. Create an SMTP site link between SiteB and SiteC.

B. Create additional connection objects for DC3 and DC4.

C. Decrease the cost of the site link between SiteB and SiteC.

D. Create additional connection objects for DC1 and DC2.



Explanation/Reference:Explanation:By decreasing the site link cost between SiteB and SiteC the SiteC users would be authenticated by SiteB rather than by SiteA.

References: https://technet.microsoft.com/en-us/library/dd277430.aspx#XSLTsection126121120120

QUESTION 76Your network contains an Active Directory forest. The forest contains one domain named adatum.com. The domain contains four domain controllers. The domaincontrollers are configured as shown in the following table.

DC2 has all of the domain-wide operations master roles. DC3 has all of the forest-wide operation master roles.

You need to ensure that you can use Password Settings objects (PSOs) in the domain.


A. Uninstall Active Directory from DC1.

B. Change the domain functional level.

C. Transfer the domain-wide operations master roles.

D. Transfer the forest-wide operations master roles.


Explanation/Reference:Explanation:In Windows Server 2008 and later, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and


account lockout policies to different sets of users within a single domain.

Note: In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which isspecified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for differentsets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.

Reference: AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

QUESTION 77You have a server named FS1 that runs Windows Server 2012 R2.

You install the File and Storage Services server role on FS1.

From Windows Explorer, you view the properties of a shared folder named Share1 and you discover that the Classification tab is missing.

You need to ensure that you can assign classifications to Share1 from Windows Explorer manually.

What should you do?

A. From Folder Options, select Show hidden files, folders, and drives.

B. From Folder Options, clear Use Sharing Wizard (Recommend).

C. Install the File Server Resource Manager role service.

D. Install the Enhanced Storage feature.


Explanation/Reference:On the Classification tab of the file properties in Windows Server 2012, File Classification Infrastructure adds the ability to manually classify files. You can alsoclassify folders so that any file added to the classified folder will inherit the classifications of the parent folder. Reference: What's New in File Server ResourceManager in Windows Server

QUESTION 78Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 are configured as shown in the followingtable.


You need to ensure that when new targets are added to Server1, the targets are registered on Server2 automatically.


A. Configure the Discovery settings of the iSCSI initiator.

B. Configure the security settings of the iSCSI target.

C. Run the Set-WmiInstance cmdlet.

D. Run the Set-IscsiServerTarget cmdlet.


Explanation/Reference:Explanation/Reference:Manage iSNS server registrationThe iSNS server registration can be done using the following cmdlets, which manages the WMI objects.To add an iSNS server:Set-WmiInstance -Namespace root\wmi -Class WT_iSNSServer Arguments @{ServerName="ISNSservername"}

Note: The Set-WmiInstance cmdlet creates or updates an instance of an existing WMI class. The created or updated instance is written to the WMI repository.

Reference: iSCSI Target cmdlet referencehttp://blogs.technet.com/b/filecab/archive/2012/06/08/iscsi-target-cmdlet-reference.aspx

QUESTION 79HOTSPOTYou have a file server named Server1 that runs Windows Server 2012 R2.

Server1 contains a file share that must be accessed by only a limited number of users.

You need to ensure that if an unauthorized user attempts to access the file share, a custom access-denied message appears, which contains a link to requestaccess to the share. The message must not appear when the unauthorized user attempts to access other shares.


Which two nodes should you configure in File Server Resource Manager?To answer, select the appropriate two nodes in the answer area.

Hot Area:

Correct Answer:



Explanation/Reference:* Configure access-denied assistanceTo configure access-denied assistance by using File Server Resource Manager1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.2. Right-click File Server Resource Manager (Local), and then click Configure Options.etc.


* To specify a separate access-denied message for a shared folder by using File Server Resource Manager

1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.2. Expand File Server Resource Manager (Local), and then click Classification Management.3. Right-click Classification Properties, and then click Set Folder Management Properties.Etc

Reference: Deploy Access-Denied Assistance (Demonstration Steps)

QUESTION 80HOTSPOTYou have a server named Server1 that runs Windows Server 2012 R2.

You are configuring a storage space on Server1.

You need to ensure that the storage space supports tiered storage.


Which settings should you configure?To answer, select the appropriate options in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:Disk Allocation: Automatic


* When using tiers, you must fixed provisioning.


Reference: Storage Spaces: How to configure Storage Tiers with Windows Server 2012 R2

QUESTION 81HOTSPOTYour company has a main office and a branch office. An Active Directory site exists for each office.

The network contains an Active Directory forest named contoso.com. The contoso.com domain contains three member servers named Server1, Server2, andServer3. All servers run Windows Server 2012 R2.

In the main office, you configure Server1 as a file server that uses BranchCache.

In the branch office, you configure Server2 and Server3 as BranchCache hosted cache servers.


You are creating a Group Policy for the branch office site.

Which two Group Policy settings should you configure?To answer, select the appropriate two settings in the answer area.

Hot Area:

Correct Answer:



Explanation/Reference:To use Group Policy to configure clients for hosted cache modeStep x: In the Turn on BranchCache dialog box, click Enabled, and then click OK.Step x+1: In the Group Policy Management Editor console, ensure that BranchCache is still selected, and then in the details pane double-click Set BranchCacheHosted Cache mode. The Set BranchCache Hosted Cache mode dialog box opens.


Reference: Use Group Policy to configure domain member clients for hosted cache modehttp://technet.microsoft.com/en-us/library/ee649153(v=ws.10).aspx

QUESTION 82HOTSPOTYour company has a main office and a branch office. The main office is located in Detroit. The branch office is located in Seattle.

The network contains an Active Directory domain named adatum.com. Client computers run either Windows 7 Enterprise or Windows 8 Enterprise.

The main office contains 1,000 client computers and 50 servers. The branch office contains 20 client computers.

All computer accounts for the branch office are located in an organizational unit (OU) named SeattleComputers. A Group Policy object (GPO) named GPO1 islinked to the SeattleComputers OU.

You need to configure BranchCache for the branch office.

Hot Area:


Correct Answer:


Explanation/Reference:Explanation:BranchCache is disabled by default on client computers. Take the following steps to enable BranchCache on client computers:

Turn on BranchCache.Enable either Distributed Cache mode or Hosted Cache mode.Configure the client firewall to enable BranchCache protocols.

Distributed Cache modeIf client computers are configured to use Distributed Cache mode, the cached content is distributed among client computers on the branch office network. Noinfrastructure or services are required in the branch office beyond client computers running Windows 7.


Hosted Cache modeIn hosted cache mode, cached content is maintained on a computer running Windows Server 2008 R2 on the branch office network.

Reference: BranchCache Early Adopter’s Guide, Client Configurationhttp://technet.microsoft.com/en-us/library/dd637820(v=ws.10).aspx


You are creating a central access rule named TestFinance that will be used to grant members of the Authenticated users group access to a folder stored on aMicrosoft SharePoint Server 2013 server.

You need to ensure that the permissions are granted when the rule is published.

What should you do?

A. Set the Permissions to Use the following permissions as proposed permissions.

B. Set the Permissions to Use following permissions as current permissions.

C. Add a Resource condition to the current permissions entry for the Authenticated Users principal.

D. Add a User condition to the current permissions entry for the Authenticated Users principal.


Explanation/Reference:Explanation:To create a central access rule (see step 5 below):1. In the left pane of the Active Directory Administrative Center, click Tree View, select Dynamic Access Control, and then click Central Access Rules.2. Right-click Central Access Rules, click New, and then click Central Access Rule.3. In the Name field, type Finance Documents Rule.4. In the Target Resources section, click Edit, and in the Central Access Rule dialog box, click Add a condition. Add the following condition:

[Resource] [Department] [Equals] [Value] [Finance], and then click OK.5. In the Permissions section, select Use following permissions as current permissions, click Edit, and in the Advanced Security Settings for Permissions dialog boxclick Add.

Note (not A): Use the following permissions as proposed permissions option lets you create the policy in staging.6 .In the Permission entry for Permissions dialog box, click Select a principal, type Authenticated Users, and then click OK.

Incorrect Answers:A: Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changingthem.


QUESTION 84HOTSPOT You have a server that runs Windows Server 2012 R2 and has the iSCSI Target Server role service installed.

You run the New-IscsiVirtualDisk cmdlet as shown in the New-IscsiVirtualDisk exhibit. (Click the Exhibit button.)

To answer, complete each statement according to the information presented in the exhibits. Each correct selection is worth one point.

Hot Area:


Correct Answer:




From the exhibit we see that the size is 10737418240 bytes. This is roughly 10 GB.From the exhibit we also see 'Status: Not connected'.

Note: Target: It is an object which allows the iSCSI initiator to make a connection. The Target keeps track of the initiators which are allowed to be connected to it.The Target also keeps track of the iSCSI virtual disks which are associated with it. Once the initiator establishes the connection to the Target, all the iSCSI virtualdisks associated with the Target will be accessible by the initiator.

Reference: Introduction of iSCSI Target in Windows Server 2012http://blogs.technet.com/b/filecab/archive/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012.aspx

QUESTION 85Your network contains an Active Directory domain named contoso.com. The network contains a file server named Server1 that runs Windows Server 2012 R2.


You are configuring a central access policy for temporary employees.

You enable the Department resource property and assign the property a suggested value of Temp.

You need to configure a target resource condition for the central access rule that is scoped to resources assigned to Temp only.

Which condition should you use?

A. (Temp.Resource Equals "Department")

B. (Resource.Temp Equals "Department")

C. (Resource.Department Equals "Temp")

D. (Department.Value Equals "Temp")


Explanation/Reference:Explanation:Example:Targeting: Resource.Department Contains FinanceAccess rule: Allow read User.Country=Resource.Country AND User.department = Resource.Department

Reference: Deploy a Central Access Policy (Demonstration Steps)

QUESTION 86Your network contains an Active Directory domain named contoso.com. The domain contains two sites named Site1 and Site2 and two domain controllers namedDC1 and DC2. Both domain controllers are located in Site1.

You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2.A technician connects DC3 to Site2.

You discover that users in Site2 are authenticated by all three domain controllers.

You need to ensure that the users in Site2 are authenticated by DC1 or DC2 only if DC3 is unavailable.

What should you do?

A. From Network Connections, modify the IP address of DC3.


B. In Active Directory Sites and Services, modify the Query Policy of DC3.

C. From Active Directory Sites and Services, move DC3.

D. In Active Directory Users and Computers, configure the insDS-PrimaryComputer attribute for the users in Site2.


Explanation/Reference:Explanation:DC3 needs to be moved to Site2 in AD DS

Incorrect:Not A. Modifying IP will not affect authenticationNot B. A query policy prevents specific Lightweight Directory Access Protocol (LDAP) operations from adversely impacting the performance of the domain controllerand also makes the domain controller more resilient to denial-of-service attacks.

Reference: Move a domain controller between siteshttp://technet.microsoft.com/en-us/library/cc759326(v=ws.10).aspx

QUESTION 87Your network contains two Active Directory forests named contoso.com and litwareinc.com. A two- way forest trusts exists between the forest. Selectiveauthentication is enabled on the trust.

The contoso.com forest contains a server named Server1.

You need to ensure that users in litwareinc.com can access resources on Server1.

What should you do?

A. Install Active Directory Rights Management Services on a domain controller in contoso.com.

B. Modify the permission on the Server1 computer account.

C. Install Active Directory Rights Management Services on a domain controller in litwareinc.com.

D. Configure SID filtering on the trust.




Explanation:Selective authentication between forestsIf you decide to set selective authentication on an incoming forest trust, you need to manually assign permissions on each computer in the domain as well as theresources to which you want users in the second forest to have access. To do this, set a control access right Allowed to authenticate on the computer object thathosts the resource in Active Directory Users and Computers in the second forest. Then, allow user or group access to the particular resources you want to share.

Reference: Accessing resources across forests

QUESTION 88Your network contains an Active Directory domain named adatum.com. The domain contains two domain controllers that run Windows Server 2012 R2. Thedomain controllers are configured as shown in the following table.

You log on to DC1 by using a user account that is a member of the Domain Admins group, and then you create a new user account named User1.

You need to prepopulate the password for User1 on DC2.


A. Connect to DC2 from Active Directory Users and Computers.

B. Add DC2 to the Allowed RODC Password Replication Policy group.

C. Add the User1 account to the Allowed RODC Password Replication Policy group.

D. Run Active Directory Users and Computers as a member of the Enterprise Admins group.


Explanation/Reference:Explanation:To prepopulate the password cache for an RODC by using Active Directory Users and Computers (see step 1 below).

Administrative credentials: To prepopulate the password cache for an RODC, you must be a member of the Domain Admins group.Click Start, click Administrative Tools, and then click Active Directory Users and Computers.Ensure that Active Directory Users and Computers points to the writable domain controller that is running Windows Server 2008, and then click DomainControllers.


In the details pane, right-click the RODC computer account, and then click Properties. Click the Password Replication Policy tab. Click Advanced. Click Prepopulate Passwords. Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.

Note: You can prepopulate the password cache for an RODC with the passwords of user and computer accounts that you plan to authenticate to it. When youprepopulate the RODC password cache, you trigger the RODC to replicate and cache the passwords for users and computers before the accounts try to log on inthe branch office.

Incorrect Answers:C. You don't need to add User1 to the Allowed RODC Password Replication Policy group. As a first step you should run Active Directory Users and Computers as amember of the Domain/Enterprise Admins group.

References: Password Replication Policy Administrationhttps://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre

QUESTION 89Your network contains an Active Directory forest named contoso.com. The contoso.com domain only contains domain controllers that run Windows Server 2012R2.

The forest contains a child domain named child.contoso.com. The child.contoso.com domain only contains domain controllers that run Windows Server 2008 R2Service Pack 1 (SP1). The child.contoso.com domain contains a member server named Server1 that runs Windows Server 2012 R2.

You have access to four administrative user accounts in the forest. The administrative user accounts are configured as shown in the following table.

You need to ensure that you can add a domain controller that runs Windows Server 2012 R2 to the child.contoso.com domain.

Which account should you use to run adprep.exe?


A. Admin1

B. Admin2

C. Admin3

D. Admin4


Explanation/Reference:Explanation:Adprep.exe performs operations that must be completed on the domain controllers that run in an existing Active Directory environment before you can add adomain controller that runs that version of Windows Server.

Preparing to run adprep /domainprep (see step 2 below).To help ensure that the adprep /domainprep command runs successfully, complete these steps before you run the command on the infrastructure operationsmaster role holder in each domain:

Make sure that the schema updates that adprep /forestprep performs replicated throughout the forest or that they at least replicated to the infrastructure masterfor the domain where you plan to run adprep /domainprep.Make sure that you can log on to the infrastructure master with an account that is a member of the Domain Admins group.Verify that the domain functional level is appropriate.

References: Running Adprep.exehttps://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

QUESTION 90Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server2012 R2. Server1 is a file server that has the Hyper-V server role installed.

Server1 hosts several virtual machines. The virtual machine configuration files are stored on drive D and the VHD files are stored on drive E.

You plan to replace drive E with a larger volume.

You need to ensure that the virtual machines on Server1 remain available while drive E is being replaced.What should you do?

A. Perform a quick migration.

B. Add Server1 and Server2 as nodes in a failover cluster.

C. Perform a live migration.

D. Perform a storage migration.



Explanation/Reference:Explanation:Hyper-V in Windows Server 2012 R2 introduces support for moving virtual machine storage without downtime by making it possible to move the storage while thevirtual machine remains running.

Reference: Virtual Machine Storage Migration Overviewhttp://technet.microsoft.com/en-us/library/hh831656.aspx

QUESTION 91Your network contains two servers named Server1 and Server2 that run Windows Server 2008 R2 Service Pack 1 (SP1). Server1 and Server2 are nodes in afailover cluster named Cluster1. The network contains two servers named Server3 and Server4 that run Windows Server 2012 R2. Server3 and Server4 are nodesin a failover cluster named Cluster2.

You need to move all of the applications and the services from Cluster1 to Cluster2.

What should you do first from Failover Cluster Manager?

A. On a server in Cluster2, configure Cluster-Aware Updating.

B. On a server in Cluster2, click Move Core Cluster Resources, and then click Best Possible Node.

C. On a server in Cluster1, click Move Core Cluster Resources, and then click Best Possible Node.

D. On a server in Cluster2, click Migrate Roles.




Incorrect Answers:A. Cluster Aware Updating can greatly simplify the process of applying operating system patches to Windows Server 2012 or 2012 R2 failover cluster nodes.B. C. Move Core Cluster Resources is used to resources from one node to another within the same cluster.

References:https://technet.microsoft.com/en-us/library/dn530789(v=ws.11).aspx#BKMK_MigrateClusterRoles

QUESTION 92You deploy an Active Directory Federation Services (AD FS) infrastructure. The infrastructure uses Active Directory as the attribute store. All servers run WindowsServer 2012 R2.

Some users report that they fail to authenticate to the AD FS infrastructure.

You discover that only users who run third-party web browsers experience issues.

You need to ensure that all of the users can authenticate to the AD FS infrastructure successfully.


Which Windows PowerShell command should you run?

A. Set-ADFSProperties -ProxyTrustTokenLifetime 1:00:00

B. Set-ADFSProperties -AddProxyAuthenticationRulesNone

C. Set-ADFSProperties -SSOLifetime 1:00:00

D. Set-ADFSProperties -ExtendedProtectionTokenCheck None


Explanation/Reference:Explanation:Certain client browser software, such as Firefox, Chrome, and Safari, do not support the Extended Protection for Authentication capabilities that can be used acrossthe Windows platform to protect against man-in-the-middle attacks. To prevent this type of attack from occurring over secure AD FS communications, AD FS 2.0enforces (by default) that all communications use a channel binding token (CBT) to mitigate against this threat.

Note: Disable the extended Protection for authenticationTo disable the Extended Protection for Authentication feature in AD FS 2.0

On a federation server, login using the Administrator account, open the Windows PowerShell command prompt, and then type the following command:Set-ADFSProperties –ExtendedProtectionTokenCheck None

Repeat this step on each federation server in the farm.

References: Configuring Advanced Options for AD FS 2.0

QUESTION 93HOTSPOTYou have the following Microsoft azure backup policy



Use the drop-down menus to select the answer choice that completes each statement.

Hot Area:

Correct Answer:


Section: Volume CExplanation


QUESTION 94Note: This question is part of series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in theseries. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.

Your network contains one Active Directory forest named contoso.com.

The forest contains two child domains and six domain controllers.


The domain controllers are configured as shown in the following table.

You need to replicate users who haven't authenticated against any domain controllers for the last 7 days.

What should you use?


A. Set-ADSite

B. Set-ADReplicationSite

C. Set-ADDomain

D. Set-ADReplicationSiteLink

E. Set-ADGroup

F. Set-ADForest

G. Netdom

Correct Answer: CSection: Volume CExplanation



https://technet.microsoft.com/en-us/library/ee617212.aspx

QUESTION 95Note: This question is part of series of questions that use the same or similar answer choices. An answer choice may be correct for more than onequestion in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only tothat question.

Your network contains one Active Directory forest named contoso.com.

The forest contains two child domains and six domain controllers.


You need to add an additional UPN Suffix.


A. Set-ADSite


C. Set-ADDomain


E. Set-ADGroup

F. Set-ADForest

G. Netdom


Correct Answer: FSection: Volume CExplanation


https://technet.microsoft.com/en-us/library/dd391925(v=ws.10).aspx

QUESTION 96Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC2 that runs Windows Server 2012.DC2 has the DHCP Server server role installed.

DHCP is configured as shown in the exhibit. (Click the Exhibit button.)


You discover that client computers cannot obtain IPv4 addresses from DC2.

You need to ensure that the client computers can obtain IPv4 addresses from DC2.

What should you do?

A. Enable the Allow filters.

B. Authorize DC2.

C. Disable the Deny filters.


D. Restart the DHCP Server service.

Correct Answer: BSection: Volume CExplanation

Explanation/Reference:Explanation:From the exhibit we see a red marker on the IPv4 server icon. The DHCP server is not authorized.

Authorize DHCP ServerThe final step is to authorize the server.Right-click your FQDN and select Authorize.Refresh the view by right-clicking your FQDN and selecting Refresh.You should now see green checkmark next to IPv4.

Example:


References: Server 2012 DHCP Server Role

QUESTION 97Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1has the Active Directory Rights Management Services server role installed.

The domain contains a domain local group named Group1.

You create a rights policy template named Template1. You assign Group1 the rights to Template1. You need to ensure that all the members of Group1 can useTemplate1.


What should you do?

A. Configure the email address attribute of Group1.

B. Convert the scope of Group1 to global.

C. Convert the scope of Group1 to universal.

D. Configure the email address attribute of all the users who are members of Group1.

Correct Answer: DSection: Volume CExplanation

Explanation/Reference:Explanation/Reference:When a user or group is created in Active Directory, the mail attribute is an optional attribute that can be set to include a primary email address for the user orgroup. For AD RMS to work properly, this attribute must be set because all users must have an email attribute to protect and consume content.

Reference: AD RMS Troubleshooting Guidehttp://social.technet.microsoft.com/wiki/contents/articles/13130.ad-rms-troubleshooting-guide.aspx

QUESTION 98HOTSPOT

Your company has a main office and a branch office. An Active Directory site exists for each office.

The network contains an Active Directory forest named contoso.com. The contoso.com domain contains two member servers named Server1 and Server2. Allservers run Windows Server 2012 R2. Client computers run either Windows 7 or Windows 8.1.


In the branch office, you configure Server2 as a BranchCache hosted cache server.

You are creating a Group Policy for the branch office site.

You need to configure the client computers to use Server2 as a BranchCache hosted cache server.

Which two Group Policy settings should you configure?

To answer, select the appropriate two settings in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:References: https://technet.microsoft.com/en-us/library/ee649153(v=ws.10).aspx

QUESTION 99Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. The File Server Resource Manager roleservice is installed on Server1. All servers run Windows Server 2012 R2.

A Group Policy object (GPO) named GPO1 is linked to the organizational unit (OU) that contains Server1. The following graphic shows the configured settings inGPO1.


Server1 contains a folder named Folder1. Folder1 is shared as Share1.

You attempt to configure access-denied assistance on Server1, but the Enable access-denied assistance option cannot be selected from File Server ResourceManager.

You need to ensure that you can configure access-denied assistance on Server1 manually by using File Server Resource Manager.

Which two actions should you perform?

A. Set the Enable access-denied assistance on client for all file types policy setting to Disabled for GPO1.

B. Set the Customize message for Access Denied errors policy setting to Not Configured for GPO1.

C. Set the Enable access-denied assistance on client for all file types policy setting to Enabled for GPO1.

D. Set the Customize message for Access Denied errors policy setting to Enabled for GPO1.

Correct Answer: CDSection: Volume CExplanation

Explanation/Reference:Explanation:C. To configure access-denied assistance for all file types by using Group Policy

Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.Right-click the appropriate Group Policy, and then click Edit.Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.Right-click Enable access-denied assistance on client for all file types, and then click Edit.


Click Enabled, and then click OK.

D. To configure access-denied assistance by using Group Policy (see step 5)Open Group Policy Management. In Server Manager, click Tools, and then click Group Policy Management.Right-click the appropriate Group Policy, and then click Edit.Click Computer Configuration, click Policies, click Administrative Templates, click System, and then click Access-Denied Assistance.Right-click Customize message for Access Denied errors, and then click Edit.Select the Enabled option.

Etc

Reference: Deploy Access-Denied Assistance (Demonstration Steps) http://technet.microsoft.com/en-us/library/hh831402.aspx

QUESTION 100Your network contains an Active Directory forest named contoso.com. The forest contains four domains. All servers run Windows Server 2012 R2.

Each domain has a user named User1.

You have a file server named Server1 that is used to synchronize user folders by using the Work Folders role service.

Server1 has a work folder named Sync1.

You need to ensure that each user has a separate folder in Sync1.

What should you do?

A. From Windows Explorer, modify the Sharing properties of Sync1.

B. Run the Set-SyncServerSetting cmdlet.

C. From File and Storage Services in Server Manager, modify the properties of Sync1.

D. Run the Set-SyncShare cmdlet.


Explanation/Reference:Explanation:The Set-SyncShare cmdlet modifies the settings for a sync share.

Example: Modify a sync share to add a user groupThis example modifies settings on the share named Share01, and enables the user group named ContosoEngGroup to access the share.


The first command uses the Get-SyncShare cmdlet to retrieve the sync share for Share01, and assigns the results to the variable$Current.The second command uses the Set-SyncShare cmdlet to modify the sync share and add the current user and the ContosoEngGroup to the list of users allowed toaccess the share.

References: Set-SyncSharehttps://technet.microsoft.com/en-US/library/dn296649.aspx

QUESTION 101HOTSPOTYour network contains an Active Directory domain named contoso.com. The relevant servers in the domain are configured as shown in the following table.

You plan to create a shared folder on Server1 named Share1. Share1 must only be accessed by users who are using computers that are joined to the domain.

You need to identify which servers must be upgraded to support the requirements of Share1.


In the table below, identify which computers require an upgrade and which computers do not require an upgrade. Make only one selection in each row. Each correctselection is worth one point.

Hot Area:

Correct Answer:



Explanation/Reference:Explanation: There is new file server functionality in Windows Server 2012. The file server should be upgraded to Windows Server 2012.

QUESTION 102You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.

You attempt to delete a classification property and you receive the error message as shown in the exhibit. (Click the Exhibit button.)


You need to delete the isConfidential classification property.

What should you do?

A. Delete the classification rule that is assigned the isConfidential classification property.

B. Disable the classification rule that is assigned the isConfidential classification property.

C. Set files that have an isConfidential classification property value of Yes to No.

D. Clear the isConfidential classification property value of all files.

Correct Answer: ASection: Volume CExplanation

Explanation/Reference:Explanation:You would have to delete the classification rule in order to delete the classification property.

QUESTION 103Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have theHyper-V server role installed.

You plan to replicate virtual machines between Server1 and Server2. The replication will be encrypted by using Secure Sockets Layer (SSL).

You need to request a certificate on Server1 to ensure that the virtual machine replication is encrypted.

Which two intended purposes should the certificate for Server1 contain? (Each correct answer presents part of the solution. Choose two.)


A. Client Authentication

B. Kernel Mode Code Signing

C. Server Authentication

D. IP Security end system

E. KDC Authentication

Correct Answer: ACSection: Volume CExplanation

Explanation/Reference:Explanation:You need to use certificate-based authentication if you want transmitted data to be encrypted.

Replica Server Certificate Requirements

To enable a server to receive replication traffic, the certificate in the replica server must meet the following conditionsEnhanced Key Usage must support both Client and Server authentication Etc.

Reference: Hyper-V Replica - Prerequisites for certificate based deployments http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate-requirements.aspx

QUESTION 104HOTSPOTYou have a server named Server1 that runs Windows Server 2012 R2. The volumes on Server1 are configured as shown in the following table.

A new corporate policy states that backups must use Windows Azure Online Backup whenever possible.

You need to identify which backup methods you must use to back up Server1. The solution must use Windows Azure Online Backup whenever possible.

Which backup type should you identify for each volume?To answer, select the appropriate backup type for each volume in the answer area.


Hot Area:

Correct Answer:



Explanation/Reference:Explanation:Box 1: Windows Server BackupVolume1 is NTFS and on a fixed disk, but Bitlocker is used.Windows Azure Online Backup cannot backup volume that has Bitlocker.

Box 2: Windows Azure Online Backup Volume2 is NTFS, on a fixed disk, and Bitlocker is not used.


Windows Azure Online Backup can be used.Box 3: Windows Server BackupVolume3 is not on a fixed disk. It is on a USB disk.Additionally bitlocker is used.Windows Azure Online Backup cannot be used.Box 4: Windows Server BackupVolume3 is not on a fixed disk. It is on a USB disk.Windows Azure Online Backup cannot be used.

Note: You can use Microsoft Azure Backup to back up content stored on fixed NTFS volumes. It cannot be used in the following situations:Volume is locked by BitLocker Drive Encryption. If BitLocker is enabled on the volume, the volume must be unlocked before it can be backed up.Drive type is not fixed.Volume is not formatted with NTFS.Volume is read-only.Volume is not currently online.Volume is on a network share.

Reference: Azure Backup Overviewhttps://msdn.microsoft.com/en-us/library/azure/hh831419.aspx

QUESTION 105You have a file server named Server1 that runs a Server Core Installation of Windows Server 2012 R2.

Server1 has a volume named D that contains user data. Server1 has a volume named E that is empty.

Server1 is configured to create a shadow copy of volume D every hour. You need to configure the shadow copies of volume D to be stored on volume E.

What should you run?

A. The Set-Volume cmdlet with the -driveletter parameter

B. The Set-Volume cmdlet with the -path parameter

C. The vssadmin.exe add shadowstorage command

D. The vssadmin.exe create shadow command


Explanation/Reference:Explanation:Add ShadowStorage


Adds a shadow copystorage association for a specified volume.

Incorrect Answers:A: Sets or changes the file system label of an existing volume. -DriveLetter Specifies a letter used to identify a drive or volume in the system.

B: Create Shadow creates a new shadow copy of a specified volume.

C: Sets or changes the file system label of an existing volume -Path Contains valid path information.

References: Vssadmin; Set-Volumehttps://technet.microsoft.com/en-us/library/cc754968(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/hh848673(v=wps.620).aspx


Each day, Server1 is backed up fully to an external disk.

On Server1, the disk that contains the operating system fails.

You replace the failed disk.

You need to perform a bare-metal recovery of Server1 by using the Windows Recovery Environment (Windows RE).


A. The Wbadmin.exe command

B. The Repair-bde.exe command

C. The Get-WBBareMetalRecovery cmdlet

D. The Start-WBVolumeRecovery cmdlet


Explanation/Reference:Explanation:Wbadmin enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.

Wbadmin start sysrecoveryruns a recovery of the full system (at least all the volumes that contain the operating system's state). This subcommand is only available if you are using the


Windows Recovery Environment.

*Wbadmin start sysrecovery -backupTargetSpecifies the storage location that contains the backup or backups that you want to recover. This parameter is useful when the storage location is different fromwhere backups of this computer

Incorrect Answers:B. Accesses encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the driveand salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data.C. Gets the value that indicates whether the ability to perform bare metal recoveries from backups has been added to the backup policy (WBPolicy object).D. Starts a volume recovery operation.

References: Wbadmin start sysrecoveryhttps://technet.microsoft.com/en-us/library/cc742118.aspx

QUESTION 107DRAG DROPYou have a file server named Server1 that runs Windows Server 2012 R2. The folders on Server1 are configured as shown in the following table.

A new corporate policy states that backups must use Windows Azure Online Backup whenever possible.

You need to identify which technology you must use to back up Server1. The solution must use Windows Azure Online Backup whenever possible.

What should you identify?

To answer, drag the appropriate backup type to the correct location or locations. Each backup type may be used once, more than once, or not at all. You may needto drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:


Explanation/Reference:Explanation:* NTFS encrypted


Azure Backup supported* NTFS compressedAzure Backup supported* At this time you cannot backup entire Azure Virtual Machines or perform a system state backup of Azure Virtual Machines using Azure Backup.

Note: * NTFS encrypted + NTFS compressedAzure Backup not supported

Reference: Azure Backup Frequently Asked Questions (FAQ)http://msdn.microsoft.com/en-us/library/azure/jj573031.aspx

QUESTION 108You have five servers that run Windows Server 2012 R2. The servers have the Failover Clustering feature installed. You deploy a new cluster named Cluster1.Cluster1 is configured as shown in the following table.

Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles. Dynamic quorum management is disabled.

You plan to perform hardware maintenance on Server3.

You need to ensure that if the WAN link between Site1 and Site2 fails while you are performing maintenance on Server3, the cluster resource will remain availablein Site1.

What should you do?

A. Add a file share witness in Site1.

B. Enable DrainOnShutdown on Cluster1.

C. Remove the node vote for Server4 and Server5.

D. Remove the node vote for Server3.

Correct Answer: CSection: Volume C


Explanation

Explanation/Reference:Recommended Adjustments to Quorum VotingWhen enabling or disabling a given WSFC (Windows Server Failover Clustering) node's vote, follow these guidelines:

Exclude secondary site (here site2) nodes (here server4 and server5). In general, do not give votes to WSFC nodes that reside at a secondary disaster recoverysite. You do not want nodes in the secondary site to contribute to a decision to take the cluster offline when there is nothing wrong with the primary site.

Reference: WSFC Quorum Modes and Voting Configuration (SQL Server)

QUESTION 109HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains a DNS server named Server1. Server1 is configured to resolvesingle-label names for DNS clients.

You need to view the number of queries for single-label names that are resolved by Server1.

What command should you run?

To answer, select the appropriate options in the answer area.

Hot Area:


Correct Answer:


Explanation/Reference:* The Get-DnsServerStatistics cmdlet retrieves statistics of a Domain Name System (DNS) server. If the ZoneName parameter is specified, this cmdlet getsstatistics for the zones specified by that parameter.

* To help network administrators migrate to DNS for all name resolution, the DNS Server role in Windows Server 2008 (and later) supports a specially named zone,called GlobalNames. By deploying a zone with this name, you can have the static, global records with single-label names, without relying on WINS. These single-label names typically refer to records for important, well-known and widely-used servers—servers that are already assigned static IP addresses and that arecurrently managed by IT-administrators using WINS.

Reference: Get-DnsServerStatistics; Deploying a GlobalNames Zone

QUESTION 110Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1. Server1 has the IP AddressManagement (IPAM) Server feature installed.

A technician performs maintenance on Server1.


After the maintenance is complete, you discover that you cannot connect to the IPAM server on Server1.

You open the Services console as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that you can connect to the IPAM server.

Which service should you start?


A. Windows Process Activation Service

B. Windows Event Collector

C. Windows Internal Database

D. Windows Store Service (WSService)


Explanation/Reference:Explanation:Windows Internal DatabaseWindows Internal Database is a relational data store that can be used only by Windows roles and features.IPAM does not support external databases. Only a Windows Internal Database is supported.IPAM stores 3 years of forensics data (IP address leases, host MAC addresses, user login/logoff information) for 100,000 users in a Windows Internal Database.There is no database purge policy provided, and the administrator must purge data manually as needed.

Incorrect Answers:A. IPAM works even if the Windows Process Activation Service is not running.B. IPAM does not require the Windows Event Collector Service. It needs to be running on the managed DC/DNS/DHCP computers.D. IPAM does not require the Windows Store Service. It provides infrastructure support for Windows Store. This service is started on demand and if disabledapplications bought using Windows Store will not behave correctly.

References: IPAM Deployment Planning

QUESTION 111DRAG DROPYour network contains an Active Directory domain named contoso.com. The domain contains two DHCP servers named DHCP1 and DHCP2 that run WindowsServer 2012 R2.

You install the IP Address Management (IPAM) Server feature on a member server named Server1 and you run the Run Invoke-IpamGpoProvisioning cmdlet.



You need to manage the DHCP servers by using IPAM on Server1.

Which three actions should you perform?To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:





Reference: Checklist: Deploy IPAM Server

QUESTION 112HOTSPOTYour network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.

The domain contains two domain controllers. The domain controllers are configured as shown in the following table.


On DC1, you create an Active Directory-integrated zone named Zone1. You verify that Zone1 replicates to DC2.

You use DNSSEC to sign Zone1.

You discover that the updates to Zone1 fail to replicate to DC2.

You need to ensure that Zone1 replicates to DC2.

What should you configure on DC1?

To answer, select the appropriate tab in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:We most allow and configure zone transfers.

To modify zone transfer settings using the Windows interfaceOpen DNS Manager.Right-click a DNS zone, and then click Properties.On the Zone Transfers tab, do one of the following:

- To disable zone transfers, clear the Allow zone transfers check box. - To allow zone transfers, select the Allow zone transfers check box.

If you allowed zone transfers, do one of the following: - To allow zone transfers to any server, click To any server. - To allow zone transfers only to the DNS servers that are listed on the Name Servers tab, click Only to servers listed on the Name Servers tab. - To allow zone transfers only to specific DNS servers, click Only to the following servers, and then add the IP address of one or more DNS servers.

Reference: Modify Zone Transfer Settings

QUESTION 113Your network contains three servers named Server1, Server2, and Server3. All servers run Windows Server 2012 R2.

You need to ensure that Server1 can provide iSCSI storage for Server2 and Server3.


A. Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.

B. Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties.

C. Install the iSNS Server service feature and create a Discovery Domain.

D. Install the iSCSI Target Server role service and configure iSCSI targets.


Explanation/Reference:Explanation:iSCSI Target Server: The server runs the iSCSI Target. It is also the iSCSI Target role name in Windows Server 2012.


Note: iSCSI: it is an industry standard protocol allow sharing block storage over the Ethernet. The server shares the storage is called iSCSI Target. The server(machine) consumes the storage is called iSCSI initiator. Typically, the iSCSI initiator is an application server. For example, iSCSI Target provides storage to a SQLserver, the SQL server will be the iSCSI initiator in this deployment.

Target: It is an object which allows the iSCSI initiator to make a connection. The Target keeps track of the initiators which are allowed to be connected to it. TheTarget also keeps track of the iSCSI virtual disks which are associated with it. Once the initiator establishes the connection to the Target, all the iSCSI virtual disksassociated with the Target will be accessible by the initiator.

References:https://blogs.technet.microsoft.com/amitd/2014/06/17/configure-windows-2012-r2-as-iscsi-target/

QUESTION 114HOTSPOTYour network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 have the Hyper-V server role installed.

Server1 and Server2 have different processor models from the same manufacturer.

On Server1, you plan to create a virtual machine named VM1. Eventually, VM1 will be exported to Server2.

You need to ensure that when you import VM1 to Server2, you can start VM1 from saved snapshots.

What should you configure on VM1?

To answer, select the appropriate node in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:Use the Processor Compatibility Mode only in cases where VMs will migrate from one Hyper-V-enabled processor type to another within the same vendor processorfamily.

Reference: When to Use Processor Compatibility Mode to Migrate Virtual Machinestechnet.microsoft.com/en-us/magazine/gg299590.aspx

QUESTION 115HOTSPOTYour network contains two application servers that run Windows Server 2012 R2. The application servers have the Network Load Balancing (NLB) feature installed.

You create an NLB cluster that contains the two servers.

You plan to deploy an application named App1 to the nodes in the cluster. App1 uses TCP port 8080 and TCP port 8081.

Clients will connect to App1 by using HTTP and HTTPS via a single reverse proxy. App1 does not use session state information.

You need to configure a port rule for Appl. The solution must ensure that connections to App1 are distributed evenly between the nodes.

Which port rule should you use?To answer, select the appropriate rule in the answer area.

Hot Area:



Correct Answer:





Only the TCP Protocol is neededOnly a Single host is required.

Reference: Create a new Network Load Balancing Port Rule

QUESTION 116HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers runWindows Server 2012 R2.

Server1 and Server2 have the Hyper-V server role installed. The servers are configured as shown in the following table.

You add a third server named Server3 to the network. Server3 has Intel processors.

You need to move VM3 and VM6 to Server3. The solution must minimize downtime on the virtual machines.

Which method should you use to move each virtual machine?

To answer, select the appropriate method for each virtual machine in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:VM3: export/import is the only option due to different processor manufacturersVM6: Live migration can be used as both have Intel CPU'sLive Storage Migration requires same processor manufacturersLive migration requires same processor manufacturers

Incorrect Answers:Quick migration has downtime

Reference: Migrating Virtual Machines and Storage Overviewhttp://technet.microsoft.com/en-us/library/jj628158.aspx

QUESTION 117DRAG DROPYour network contains four servers that run Windows Server 2012 R2.Each server has the Failover Clustering feature installed. Each server has three network adapters installed. An iSCSI SAN is available on the network.


You create a failover cluster named Cluster1. You add the servers to the cluster.

You plan to configure the network settings of each server node as shown in the following table.

You need to configure the network settings for Cluster1.

What should you do?

To answer, drag the appropriate network communication setting to the correct cluster network. Each network communication setting may be used once, more thanonce, or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:Allow cluster network communication for heartbeats.

Note: HeartbeatsThe Cluster service, running on each node of the cluster, keeps track of the current state of the nodes within a cluster and determines when a group and itsresources fail over to an alternate node. This communication takes the form of messages that are sent regularly between each node's Cluster service. Thesemessages are called heartbeats.

Reference: Network communication between nodeshttp://technet.microsoft.com/en-us/library/cc787135(v=WS.10).aspx

QUESTION 118DRAG DROPYou have a server named Server2 that runs Windows Server 2012 R2. You have storage provisioned on Server2 as shown in the exhibit. (Click the Exhibit button.)



You need to configure the storage so that it appears in Windows Explorer as a drive letter on Server1.

Which three actions should you perform in sequence? To answer, move the three appropriate actions from the list of actions to the answer area and arrange themin the correct order.

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:Step 1 (on Server2): Target: It is an object which allows the iSCSI initiator to make a connection. The Target keeps track of the initiators which are allowed to beconnected to it. The Target also keeps track of the iSCSI virtual disks which are associated with it. Once the initiator establishes the connection to the Target, all theiSCSI virtual disks associated with the Target will be accessible by the initiator.


Step 2 (on server 1): Configure iSCSI initiator to logon the Target

Once the iSCSI Virtual disk is created and assigned, it is ready for the initiator to logon.

Note: Typically, the iSCSI initiator and iSCSI Target are on different machines (physical or virtual). You will need to provide the iSCSI Target server IP or host nameto the initiator, and the initiator will be able to do a discovery of the iSCSI Target.

Step 3 (on server1): Create new volume

Once the connection is established, the iSCSI virtual disk will be presented to the initiator as a disk. By default, this disk will be offline. For typical usage, you want tocreate a volume, format the volume and assign with a drive letter so it can be used just like a local hard disk.

Reference: Introduction of iSCSI Target in Windows Server 2012

QUESTION 119You have a server named Server1 that runs Windows Server 2012 R2. You install the File and Storage Services server role on Server1.

From Windows Explorer, you view the properties of a folder named Folder1 and you discover that the Classification tab is missing.

You need to ensure that you can assign classifications to Folder1 from Windows Explorer manually.

What should you do?

A. From Folder Options, clear Hide protected operating system files (Recommended).

B. Install the File Server Resource Manager role service.

C. From Folder Options, select the Always show menus.

D. Install the Share and Storage Management Tools.


Explanation/Reference:Explanation:On the Classification tab of the file properties in Windows Server 2012, File Classification Infra- structure adds the ability to manually classify files. You can alsoclassify folders so that any file added to the classified folder will inherit the classifications of the parent folder.

Reference: What's New in File Server Resource Manager in Windows Server.

QUESTION 120


Your network contains an Active Directory forest named adatum.com. The forest contains an Active Directory Rights Management Services (AD RMS) cluster.

A partner company has an Active Directory forest named litwareinc.com. The partner company does not have AD RMS deployed.You need to ensure that users in litwareinc.com can consume rights-protected content from adatum.com.

Which type of trust policy should you create?

A. At federated trust

B. A trusted user domain

C. A trusted publishing domain

D. Windows Live ID


Explanation/Reference:Explanation:In AD RMS rights can be assigned to users who have a federated trust with Active Directory Federation Services (AD FS). This enables an organization to shareaccess to rights-protected content with another organization without having to establish a separate Active Directory trust or Active Directory Rights ManagementServices (AD RMS) infrastructure.

Reference: AD RMS and AD FS Considerationshttp://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx

QUESTION 121Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1has the Active Directory Certificate Services server role installed and is configured to support key archival and recovery.

You create a new Active Directory group named Group1.

You need to ensure that the members of Group1 can request a Key Recovery Agent certificate.

The solution must minimize the permissions assigned to Group1.

Which two permissions should you assign to Group1? (Each correct answer presents part of the solution. Choose two.)

A. Read

B. Auto enroll

C. Write


D. Enroll

E. Full control

Correct Answer: ADSection: Volume CExplanation

Explanation/Reference:Explanation:See step 6 below.To configure the Key Recovery Agent certificate template

1. Open the Certificate Templates snap-in.2. In the console tree, right-click the Key Recovery Agent certificate template.3. Click Duplicate Template.4. In Template, type a new template display name, and then modify any other optional properties as needed.5. On the Security tab, click Add, type the name of the users you want to issue the key recovery agent certificates to, and then click OK.6. Under Group or user names, select the user names that you just added. Under Permissions, select the Read and Enroll check boxes, and then click OK.

Reference: Identify a Key Recovery Agent

QUESTION 122HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server namedServer1. All servers run Windows Server 2012 R2.

You install the IP Address Management (IPAM) Server feature on Server1.

From the Provision IPAM wizard, you select the Group Policy Based provisioning method and enter a GPO name prefix of IPAM1.

You need to provision IPAM by using Group Policy.

What command should you run on Server1 to complete the process?To answer, select the appropriate options in the answer area.

Hot Area:


Correct Answer:


Explanation/Reference:The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies specified in the Domain parameter for provisioning required access settings on theserver roles managed by the computer running the IP Address Management (IPAM) server.

Reference: Invoke-IpamGpoProvisioning

QUESTION 123You have a server named Server1 that runs a Server Core Installation of Windows Server 2012 R2. Shadow copies are enabled on all volumes.


You need to delete a specific shadow copy. The solution must minimize server downtime.


A. Shadow

B. Vssadmin

C. Wbadmin

D. Diskpart


Explanation/Reference:References:https://technet.microsoft.com/en-us/library/cc754968(v=ws.11).aspx

QUESTION 124You have a server named DNS1 that runs Windows Server 2012 R2.

You discover that the DNS resolution is slow when users try to access the company intranet home page by using the URL http://companyhome.You need to provide single-label name resolution for CompanyHome that is not dependent on the suffix search order.

Which three cmdlets should you run? (Each correct answer presents part of the solution. Choose three.)

A. Add-DnsServerPrimaryZone

B. Add-DnsServerResourceRecordCName

C. Set-DnsServerDsSetting

D. Set-DnsServerGlobalNameZone

E. Set-DnsServerEDns

F. Add-DnsServerDirectory Partition

Correct Answer: ABDSection: Volume CExplanation

Explanation/Reference:Explanation:You can use this task to create a GlobalNames zone to maintain a set of single-label, Domain Name System (DNS) names that Windows Server 2008 DNS servers


can resolve on behalf of DNS clients throughout a single forest in Active Directory Domain Services (AD DS). Deploying a GlobalNames zone in a single forestrequires that you perform the following steps:

(A) Create a zone named GlobalNames that replicates to all domain controllers in the forest.(B) Add an alias (CNAME) record to the zone for each host for which you want to provide single-label name resolution. For example, if you want DNS clients tobe able to access a server whose fully qualified domain name (FQDN) is cweb.itgroup.contoso.com, add an alias (CNAME) resource record that maps the namecweb to cweb.igroup.contoso.com.

Note:A. The Add-DnsServerPrimaryZone cmdlet adds a specified primary zone on a Domain Name System (DNS) server.B. The Add-DnsServerResourceRecordCName cmdlet adds a canonical name (CNAME) resource record to a specified Domain Name System (DNS) zone. ACNAME record allows you to use more than one resource record to refer to a single hostD. The Set-DnsServerGlobalNameZone cmdlet enables or disables single-label Domain Name System (DNS) queries. It also changes configuration settings for aGlobalNames zone. The GlobalNames zone supports short, easy-to-use names instead of fully qualified domain names (FQDNs) without using Windows Internet Name Service (WINS)technology. For instance, DNS can query SarahJonesDesktop instead of SarahJonesDesktop.contoso.com.

Reference: Adding a GlobalNames zone to a foresthttps://technet.microsoft.com/en-us/library/cc816717(v=ws.10).aspx

QUESTION 125You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed.

You need to store the contents of all the DNS queries received by Server1.


A. Logging from Windows Firewall with Advanced Security

B. Debug logging from DNS Manager

C. Data Collector Set (DCS) from Performance Monitor

D. Monitoring from DNS Manager


Explanation/Reference:Explanation:Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, youshould only activate it temporarily when you need more specific detailed information about server performance.

References: Active Directory 2008: DNS Debug Logging Facts...



Windows Server 2012 R2 is installed on volume C.

You need to ensure that Safe Mode with Command Prompt loads the next time Server1 restarts.


A. The Restart-Server cmdlet

B. The Bootcfg command

C. The Restart-Computer cmdlet

D. The Bcdedit command


Explanation/Reference:Explanation:How To Force Windows To Restart in Safe Mode1. Open Advanced Startup Options in Windows 82. Open Command Prompt.3. With Command Prompt open, execute the correct bcdedit command as shown below based on which Safe Mode option you'd like to start:

Safe Mode:bcdedit /set {default} safeboot minimal

http://pcsupport.about.com/od/repair-recovery/a/force-or-stop-safe-mode-windows.htm


Server1 fails.

You identify that the master boot record (MBR) is corrupt.

You need to repair the MBR.



A. Bcdedit

B. Bcdboot

C. Bootrec

D. Fixmbr


Explanation/Reference:Explanation:Repairing an unbootable Windows installation with bootrec.exe If the boot/recovery partition is corrupted or lost, you can modify your Windows OS partition to boot.

Boot from your Windows Vista/7/Server2008/R2/2012 media and choose the "Repair Windows" option.Open the command prompt.Using diskpart, mark your Windows partition as bootable.If your windows partition does not have it, copy the "boot" folder from the installation media.Run the following commands:

>c:>cd boot>attrib bcd -s -h -r>ren c:\boot\bcd bcd.old>bootrec /RebuildBcdReboot and Windows should boot normally. If not, return to the command prompt and run:>bootrec /FixMBR>bootrec /FixBoot

Incorrect Answers:A: BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores,adding boot menu options, and so on. BCDEdit serves essentially the same purpose as Bootcfg.exe on earlier versions of Windows

B: The BCDboot tool is a command-line tool that enables you to manage system partition files

D: Fixmbr is not a tool. Fixmbr is an option when using the bootrec tool.

References: Windows BCD Storehttp://www.itsgotme.com/wiki/Windows_BCD

QUESTION 128


Your network contains three servers named HV1, HV2, and Server1 that run Windows Server 2012 R2. HV1 and HV2 have the Hyper-V server role installed.Server1 is a file server that contains 3 TB of free disk space.

HV1 hosts a virtual machine named VM1. The virtual machine configuration file for VM1 is stored in D:\VM and the virtual hard disk file is stored in E:\VHD.

You plan to replace drive E with a larger volume.

You need to ensure that VM1 remains available from HV1 while drive E is being replaced. You want to achieve this goal by using the minimum amount ofadministrative effort.

What should you do?

A. Perform a live migration to HV2.

B. Add HV1 and HV2 as nodes in a failover cluster. Perform a storage migration to HV2.

C. Add HV1 and HV2 as nodes in a failover cluster. Perform a live migration to HV2.

D. Perform a storage migration to Server1.


Explanation/Reference:Explanation:One of the great new features coming in Windows Server 2012 is Storage Migration for Hyper-V. Storage Migration allows an administrator to relocate the sourcefiles that make up a virtual machine to another location without any downtime.

Storage Migration creates a copy of the file or files at the new location. Once that is finished, Server 2012 does a final replication of changes and then the virtualmachine uses the files in the new location.

Reference: Windows Server 2012 Hyper-V Part 3: Storage Migration

QUESTION 129HOTSPOT

Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2.

Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using thename appl.contoso.com.

The NLB cluster has the port rules configured as shown in the exhibit. (Click the Exhibit button.)



To answer, complete each statement according to the information presented in the exhibit. Each correct selection is worth one point.

Hot Area:

Correct Answer:



Explanation/Reference:Explanation:* Port 80 is in Single mode.* An HTTP session is a sequence of network request-response transactions. An HTTP client initiates a request by establishing a Transmission Control Protocol(TCP) connection to a particular port on a server (typically port 80, occasionally port 8080.

QUESTION 130You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run Windows Server 2012 R2.

You need to force every node in Cluster1 to contact immediately the Windows Server Update Services (WSUS) server on your network for updates.


A. The Add-CauClusterRole cmdlet

B. The Wuauclt command


C. The Wusa command

D. The Invoke-CauScan cmdlet


Explanation/Reference:Explanation:The Add-CauClusterRole cmdlet adds the Cluster-Aware Updating (CAU) clustered role that provides the self-updating functionality to the specified cluster. Whenthe CAU clustered role has been added to a cluster, the failover cluster can update itself on the schedule that is specified by the user, without requiring an externalcomputer to coordinate the cluster updating process.

Incorrect Answers:B. The wuauclt utility allows you some control over the functioning of the Windows Update Agent. It is updated as part of Windows Update.The following are the command line for wuauclt.

Option Description/a /ResetAuthorizationInitiates an asynchronous background search for applicable updates. If Automatic Updates is disabled, this option has no effect./r /ReportNowSends all queued reporting events to the server asynchronously./? /h /helpShows this help information.

D.The Invoke-CauScan cmdlet performs a scan of cluster nodes for applicable updates and returns a list of the initial set of updates that would be applied to eachnode in a specified cluster.

Note: The Invoke-CauRun cmdlet performs a scan of cluster nodes for applicable updates and installs those updates via an Updating Run on the specified cluster.

References: Add-CauClusterRolehttps://technet.microsoft.com/en-us/library/hh847235(v=wps.620).aspx

QUESTION 131HOTSPOTYour network contains an Active Directory domain named contoso.com.

You install the IP Address Management (IPAM) Server feature on a server named Server1 and select Manual as the provisioning method.

The IPAM database is located on a server named SQL1.


You need to configure IPAM to use Group Policy Based provisioning.

What command should you run first?To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:



Explanation/Reference:Explanation: The choice of a provisioning method is permanent for the current installation of IPAM Server. To change the provisioning method, you must uninstalland reinstall IPAM Server.

Reference: Choose an IPAM Provisioning Method

QUESTION 132Your network contains an Active Directory domain named contoso.com. The domain contains an IP Address Management (IPAM) server that uses a WindowsInternal Database.

You install a Microsoft SQL Server 2012 instance on a new server.

You need to migrate the IPAM database to the SQL Server instance.

Which cmdlet should you run?

A. Disable-IpamCapability

B. Set-IpamConfiguration

C. Update-IpamServer


D. Move-IpamDatabase


Explanation/Reference:Explanation:The Move-IpamDatabase cmdlet migrates the IP Address Management (IPAM) database to a Microsoft SQL Server database. You can migrate from WindowsInternal Database (WID) or from a SQL Server database. The cmdlet creates a new IPAM schema and copies all data from the existing IPAM database. After thecmdlet completes copying data, it changes IPAM configuration settings to refer to the new database as the IPAM database.

Reference: Move-IpamDatabase

QUESTION 133Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1has the Active Directory Rights Management Services server role installed.

Your company works with a partner organization that does not have its own Active Directory Rights Management Services (AD RMS) implementation.

You need to create a trust policy for the partner organization.

The solution must meet the following requirements:Grant users in the partner organization access to protected content. Provide users in the partner organization with the ability to create protected content.

Which type of trust policy should you create?


A. A federated trust

B. Windows Live ID

C. A trusted publishing domain

D. A trusted user domain

Correct Answer: A



Explanation/Reference:Explanation:In AD RMS rights can be assigned to users who have a federated trust with Active Directory Federation Services (AD FS). This enables an organization to shareaccess to rights-protected content with another organization without having to establish a separate Active Directory trust or Active Directory Rights ManagementServices (AD RMS) infrastructure.

Incorrect Answers:C. Trusted publishing domains allow one AD RMS server to issue use licenses that correspond with a publishing license issued by another AD RMS server, but inthis scenario the partner organization does not have any Active Directory.D. A trusted user domain, often referred as a TUD, is a trust between AD RMS clusters, but in this scenario the partner organization does not have any ActiveDirectory.

References: AD RMS and AD FS Considerationshttps://technet.microsoft.com/en-us/library/dd772651(v=WS.10).aspx

QUESTION 134Your network contains an Active Directory domain named contoso.com. The domain contains a certification authority (CA).

You suspect that a certificate issued to a Web server is compromised.

You need to minimize the likelihood that users will trust the compromised certificate.


A. Stop the Certificate Propagation service.

B. Modify the validity period of the Web Server certificate template.

C. Run certutil and specify the -revoke parameter.

D. Run certutil and specify the -deny parameter.

E. Publish the certificate revocation list (CRL).

Correct Answer: CESection: Volume CExplanation

Explanation/Reference:First revoke the certificate, then publish the CRL.

QUESTION 135


Your network contains an Active Directory domain named adatum.com. The domain contains a server named CA1 that runs Windows Server 2012 R2. CA1 has theActive Directory Certificate Services server role installed and is configured to support key archival and recovery.

You need to ensure that a user named User1 can decrypt private keys archived in the Active Directory Certificate Services (AD CS) database. The solution mustprevent User1 from retrieving the private keys from the AD CS database.

What should you do?

A. Assign User1 the Issue and Manage Certificates permission to CA1.

B. Assign User1 the Read permission and the Write permission to all certificate templates.

C. Provide User1 with access to a Key Recovery Agent certificate and a private key.

D. Assign User1 the Manage CA permission to CA1.


Explanation/Reference:Explanation:Understanding the Key Recovery Agent RoleKRAs are Information Technology (IT) administrators who can decrypt users' archived private keys. An organization can assign KRAs by issuing KRA certificates todesignated administrators and configure them on the CA. The KRA role is not one of the default roles defined by the Common Criteria specifications but a virtualrole that can provide separation between Certificate Managers and the KRAs. This allows the separation between the Certificate Manager, who can retrieve theencrypted key from the CA database but not decrypt it, and the KRA, who can decrypt private keys but not retrieve them from the CA database.

Reference: Understanding User Key Recovery

QUESTION 136Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.

Server1 is an enterprise root certification authority (CA) for contoso.com.

You need to ensure that the members of a group named Group1 can request code signing certificates. The certificates must be issued automatically to themembers.

Which two actions should you perform? (Each correct answer presents part of the solution.Choose two.)

A. From Certificate Templates, modify the certificate template.

B. From Certification Authority, add a certificate template to be issued.


C. From Certificate Authority, modify the CA properties.

D. From Certificate Templates, duplicate a certificate template.

E. From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.


Explanation/Reference:Explanation/Reference:Best Practices include: Duplicate new templates from existing templates closest in function to the intended template.

New certificate templates are duplicated from existing templates. Many settings are copied from the original template. Because of this, duplicating one template toanother of a totally different type may carry over some unintended settings. When duplicating a template, examine the subject type of the original template andensure that you duplicate one that has a similar function to that of the intended template. Although most settings for certificate templates can be edited once thetemplate is duplicated, the subject type cannot be changed.

Reference: Deploying Certificate Templateshttps://technet.microsoft.com/en-us/library/cc770794%28v=ws.10%29.aspx

QUESTION 137Your network contains an Active Directory domain named adatum.com. The domain contains a file server named FS1 that runs Windows Server 2012 R2 and hasthe File Server Resource Manager role service installed. All client computers run Windows 8.

File classification and Access-Denied Assistance are enabled on FS1.

You need to ensure that if users receive an Access Denied message, they can request assistance by email from the Access Denied dialog box.


A. A file management task

B. A classification property

C. The File Server Resource Manager Options

D. A report task




Explanation:You can configure access-denied assistance individually on each file server by using the File Server Resource Manager console.

Note:To configure access-denied assistance by using File Server Resource Manager1. Open File Server Resource Manager. In Server Manager, click Tools, and then click File Server Resource Manager.2. Right-click File Server Resource Manager (Local), and then click Configure Options.3. Click the Access-Denied Assistance tab.4. Select the Enable access-denied assistance check box.5. In the Display the following message to users who are denied access to a folder or filebox, type a message that users will see when they are denied access to a

file or folder.6. You can add macros to the message that will insert customized text.7. Click Configure email requests, select the Enable users to request assistance check box, and then click OK.8. Click Preview if you want to see how the error message will look to the user.9. Click OK.

References: Deploy Access-Denied Assistance (Demonstration Steps)

QUESTION 138HOTSPOTYour network contains an Active Directory forest.

You implement Dynamic Access Control in the forest.

You have the claim types shown in the Claim Types exhibit. (Click the Exhibit button.)


The properties of a user named User1 are configured as shown in the User1 exhibit. (Click the Exhibit button.)



The output of Whoami /claims for a user named User2 is shown in the Whoami exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise select No. Each correct selection is worth one point.

Hot Area:


Correct Answer:




QUESTION 139DRAG DROPYour network contains an Active Directory forest. The forest contains a single domain named contoso.com.

The forest contains two Active Directory sites named Main and Branch1. The sites connect to each other by using a site link named Main-Branch1. There are noother site links.


Each site contains several domain controllers. All domain controllers run Windows Server 2012 R2. Your company plans to open a new branch site namedBranch2. The new site will have a WAN link that connects to the Main site only. The site will contain two domain controllers that run Windows Server 2012 R2.

You need to create a new site and a new site link for Branch2. The solution must ensure that the domain controllers in Branch2 only replicate to the domaincontrollers in Branch1 if all of the domain controllers in Main are unavailable.

Which three actions should you perform?To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:SO...the first part of this answer is:1. Create a new site object named Branch2*When you create the new site Branch2 you will be prompted to associate it with a site link...right now we only have one site link (Main-Branch1). Hit Finish2. Remove Branch2 site from the Main-Branch1 Site Link*In order to move a site into a new site link, you must first remove them from their previous site link....In this case Branch2 was put in Main-Branch1 when we createthe new site because we didn't have another site link to associate the new site with at the time we created it.3. Create a new site link object named Main-Branch2*When you create the site link object you will be asked to place the appropriate sites in this link...choose Main and Branch 2Because we are using Interstice topology replication, ISTG (similar to KCC with Intrasite) will build a logical transitive connection path between all site links becausesite link bridge is enabled by default and is a Microsoft best practice to leave this default.By default a site link has a default cost of 100 so the Main-Branch1 site cost 100. Since we do not have a site link established from Branch2 - Branch1, ISTG willcreate a logical patch that travels along the Main-Branch2 site link (cost 100) and through Main-Branch1 site link(cost 100) to establish replication connection in the


event the least cost path goes down. Since the logical path =200, Branch2 will only replicate with Branch1 if the site link to the Main Site goes down.

QUESTION 140DRAG DROPYour network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2 that run WindowsServer 2012 R2.

You configure a new failover cluster named Cluster1. Server1 and Server2 are nodes in Cluster1. You need to configure the disk that will be used as a witness diskfor Cluster1.

How should you configure the witness disk?To answer, drag the appropriate configurations to the correct location or locations. Each configuration may be used once, more than once, or not at all. You mayneed to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:



Explanation/Reference:Explanation:Disk witness requirements include:

Basic disk with a single volumeCan be formatted with NTFS or ReFS

Reference: Configure and Manage the Quorum in a Windows Server 2012 Failover Clusterhttp://technet.microsoft.com/en-us/library/jj612870.aspx#BKMK_witness


QUESTION 141DRAG DROPYour network contains an Active Directory domain named contoso.com. The domain contains four member servers named Server1, Server2, Server3, and Server4.Server1 and Server2 run Windows Server 2008 R2.

Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature installed. FailoverClustering is configured to provide highly available virtual machines by using a cluster named Cluster1.Cluster1 hosts 10 virtual machines.

Server3 and Server4 run Windows Server 2012 R2.

You install the Hyper-V server role and the Failover Clustering feature on Server3 and Server4. You create a cluster named Cluster2.

You need to migrate cluster resources from Cluster1 to Cluster2. The solution must minimize downtime on the virtual machines.

Which five actions should you perform?To answer, move the appropriate five actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:


Correct Answer:



Explanation/Reference:Explanation:1. Move Highly Available (Clustered) VMs to Windows Server 2012 with the Cluster Migration Wizard


On the Windows Server 2012 cluster – the target cluster - from the Failover Cluster Manger, select a cluster and then use the More Actions | Migrate Roles… menu to launch the Cluster Migration Wizard:

2. Shutdown all VMs on the source Windows Server 2008 R2 cluster that have been migrated.

3. Unmask the common shared storage (LUNs) so that they are not presented to the Windows Server 2008 R2source cluster4. Mask the common shared storage (LUNs) to the Windows Server 2012 target cluster.5. Start all VMs on the target Windows Server 2012 cluster.

Reference: Best practices for migration of cluster windows 2008 R2 / 2012http://blogs.technet.com/b/hugofe/archive/2012/12/06/best-practices-for-migration-of-cluster-windows-2008-r2-2012-as-melhores-praticas-para-migrar-um-cluster-de-windows-2008-para-windows-2012.aspx

QUESTION 142


DRAG DROPYou have 3 server named Server1 that runs Windows Server 2012 R2.

You are asked to test Windows Azure Online Backup to back up Server1.

You need to back up Server1 by using Windows Azure Online Backup.

Which four actions should you perform in sequence?To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Correct Answer:



Explanation/Reference:Explanation:* Getting started with Windows Azure Online Backup is a simple two-step process:1. Get a free preview Windows Azure Online Backup account (with 300 GB of cloud storage).2. Login to the Windows Azure Online Backup portal and download and install the Windows Azure Online Backup agent for Windows Server 2012 R2 or SystemCenter 2012 SP1 Data Protection Manager. For Windows Server 2012 R2 Essentials, download and install the Windows Azure Online Backup integration module.Once you have installed the agent or integration module you can use the existing user interfaces for registering the server to the service and setting up onlinebackup.* Install the Windows Azure Online Backup agentBefore you can begin to use the online protection service, you must download and install the Windows Azure Online Backup agent on the Data Protection Manager(DPM) server. You can download the Windows Azure Online Backup agent from the Windows Azure Online Backup portal.

To registering for online protection (box 4)After you install the agent on the DPM server, you must register the DPM server for online protection. Click Register Online Protection on the tool ribbon to start the


Windows Azure Backup Registration wizard.

Etc. (finish the steps in the wizard).

Reference: Setting up Windows Azure Online Backup for DPMhttp://technet.microsoft.com/en-us/library/hh831761.aspxhttp://technet.microsoft.com/en-us/library/jj884318.aspx http://technet.microsoft.com/en-us/library/hh831761.aspx#BKMK_installagent

QUESTION 143HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two Active Directory sites named Site1 and Site2.

You discover that when the account of a user in Site1 is locked out, the user can still log on to the servers in Site2 for up to 15 minutes by using Remote DesktopServices (RDS).

You need to reduce the amount of time it takes to synchronize account lockout information across the domain.

Which attribute should you modify?To answer, select the appropriate attribute in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation/Reference:Enabling reciprocal replication between two sites involves modifying the options attribute value on the site link object. With this attribute set on the site link, the KCCcreates the connections across the link with the appropriate setting that is in effect. Use ADSI Edit to enable reciprocal replication.

Reference: Advanced Replication Managementhttp://technet.microsoft.com/en-us/library/cc961787.aspx

QUESTION 144HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1has the Active Directory Federation Services (AD FS) server role installed.

Adatum.com is a partner organization.

You are helping the administrator of adatum.com set up a federated trust between adatum.com and contoso.com. The administrator of adatum.com asks you toprovide a file containing the federation metadata of contoso.com.

You need to identify the location of the federation metadata file. Which node in the AD FS console should you select?To answer, select the appropriate node in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:See figure below.


QUESTION 145HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA).

The domain contains a server named Server1 that runs Windows Server 2012 R2. You install the Active Directory Federation Services server role on Server1.

You plan to configure Server1 as an Active Directory Federation Services (AD FS) server. The Federation Service name will be set to adfs1.contoso.com.

You need to identify which type of certificate template you must use to request a certificate for AD FS.


Hot Area:


Correct Answer:



Explanation/Reference:Explanation:In general installation of ADFS Service is a very straight forward process:

Create Service Account for ADFS 2.0 ServiceCreate Web Server Certificate Template

This step might be optional if you already have a template for Web Server.

Reference: Installing a stand-alone ADFS Servicehttp://blogs.msdn.com/b/alextch/archive/2011/06/27/installing-a-stand-along-adfs-service.aspx

QUESTION 146HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two Active Directory sites named Site1 and Site2.

You need to configure the replication between the sites to occur by using change notification.

Which attribute should you modify?

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:Active Directory Replication Change Notification* Right-click the site link object for the sites for which you want to enable change notification, and then click Properties.

* In the Select a property to view box, select options.

* In the Edit Attribute box, if the Value(s) box shows <not set> , type 1 in the Edit Attribute box.


* Click OK.

Reference: Active Directory Replication: Change Notification & You

QUESTION 147HOTSPOTYour network contains an Active Directory domain named adatum.com. All servers run Windows Server 2012 R2. All domain controllers have the DNS Serverserver role installed.

You have a domain controller named DC1.

On DC1, you create an Active Directory-integrated zone named adatum.com and you sign the zone by using DNSSEC.

You deploy a new read-only domain controller (RODC) named RODC1.

You need to ensure that the contoso.com zone replicates to RODC1.

What should you configure on DC1?To answer, select the appropriate tab in the answer area.


Hot Area:

Correct Answer:





Explanation:For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host thezone.

Reference: Understanding zones and zone transferhttp://technet.microsoft.com/en-us/library/cc781340(v=ws.10).aspx


QUESTION 148HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server2 that runs Windows Server 2012 R2.

You are a member of the local Administrators group on Server2. You install an Active Directory Rights

Management Services (AD RMS) root cluster on Server2.

You need to ensure that the AD RMS cluster is discoverable automatically by the AD RMS client computers and the users in contoso.com.

Which additional configuration settings should you configure? To answer, select the appropriate tab in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:* Active Directory Domain Services (AD DS) service connection point (SCP) automatic service discovery. This is the recommended way to deploy an AD RMSenvironment. In this scenario, an SCP is created in the Active Directory forest where the AD RMS cluster is installed. When the AD RMS client attempts useractivation on the computer, it queries the SCP to find the AD RMS cluster and download the rights account certificate (RAC). With automatic service discovery, noadditional configuration is required on the AD RMS client.

* Cluster - Cluster Properties - SCP Tab

Reference: AD RMS Client Service Discovery; Cluster - Cluster Properties - SCP Tab

http://technet.microsoft.com/en-us/library/cc753538(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/cc755112.aspx

QUESTION 149HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1


has the Active Directory Federation Services server role installed.

You need to make configuration changes to the Windows Token-based Agent role service.

Which tool should you use?To answer, select the appropriate tool in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:To configure the Windows token-based agent

Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.Etc.

Reference: Configure the Windows Token-Based Agenthttps://technet.microsoft.com/en-us/library/cc771128%28v=ws.10%29.aspx

QUESTION 150HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers runWindows Server 2012.

Server1 and Server2 have the Hyper-V server role and the Failover Clustering feature installed.


Server1 and Server2 are members of a cluster named Cluster1. Cluster1 hosts 10 virtual machines.

When you try to migrate a running virtual machine from one server to another, you receive the following error message: "There was an error checking for virtualmachine compatibility on the target node."

You need to ensure that the virtual machines can be migrated from one node to another.

From which node should you perform the configuration?

To answer, select the appropriate node in the answer area.


Hot Area:



Correct Answer:




Explanation/Reference:Explanation:The Migrate to a physical computer with a different processor version setting ensures that the virtual machine uses only the features of the processor that areavailable on all versions of a virtualization- capable processor by the same processor manufacturer. It does not provide compatibility between different processormanufacturers.

Note: To enable processor compatibility mode for a virtual machineClick Start, point to Administrative Tools, and then click Hyper-V Manager.Select the server running Hyper-V and the desired virtual machine.If the virtual machine is running, you must shut down the virtual machine to change the processor compatibility mode setting.In the Action pane, click Settings, and then click Processor.Expand Processor, and click Compatibility.Click Migrate to a physical computer with a different processor, and then click OK.

Reference: Processor Compatibility Mode in Hyper-Vhttps://technet.microsoft.com/en-us/library/dn859550.aspx

QUESTION 151HOTSPOTYour network contains two DHCP servers named Server1 and Server2. Server1 fails.

You discover that DHCP clients can no longer receive IP address leases.

You need to ensure that the DHCP clients receive IP addresses immediately.


What should you configure from the View/Edit Failover Relationship settings? To answer, select the appropriate setting in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:A manual failover will have to occur by clicking on the Change to partner down button (the partner has to actually be unavailable to click this button).

Note: You can manually change the state of a server which is running in communication interrupted to partner down using DHCP MMC or DHCP PowerShell.

In MMC, go to IPv4->Properties, go to Failover tab, select the specific failover relationship and click edit. You will see "Change to partner down" button on the editpage. This button is enabled when the server is running in communication interrupted state.

Reference: DHCP Failover Hot-Standby Modehttp://blogs.technet.com/b/teamdhcp/archive/2012/09/03/dhcp-failover-hot-standby-mode.aspx

QUESTION 152HOTSPOTYour network contains an Active Directory domain named contoso.com. The domain contains the two servers.

The servers are configured as shown in the following table.

ou investigate a report about the potential compromise of a private key for a certificate issued to Server2.

You need to revoke the certificate issued to Server2. The solution must ensure that the revocation can be reverted.

Which reason code should you select?To answer, select the appropriate reason code in the answer area.

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:If you specify "Certificate Hold" as the reason for revoking the certificate, it typically means that you may want to unrevoke the certificate at a future time. Onlycertificates that have been revoked with the reason of "Certificate Hold" can be unrevoked.

Reference: Manage Certificate Revocationhttp://technet.microsoft.com/en-us/library/cc753724(v=WS.10).aspx

QUESTION 153You have two servers named Server1 and Server2 that run Windows Server 2012 R2.You have a Microsoft Azure subscription that has two backup vaults named Vault1 and Vault2.Server1 is backed up to Vault1. The backup of Server1 contains a file named Data.db. Server2 is backed up to Vault2.


You download vault credential files for Vault1 and Vault2.

Server1 experiences a severe hardware failure and will not start.

You need to recover a copy of Data.db to Server2.

What should you do?

A. From the Azure Management Portal, modify the configuration of Vault1. On Server2, run the Recover Data Wizard.

B. From Server2, modify the logon settings for the Microsoft Azure Recovery Services Agent service, and then run the Recover Data Wizard.

C. From Server1, run the Recover Data Wizard, and then click This server. When the wizard completes, copy the files.

D. From the Azure Management Portal, add the certificate of Server2 as a management certificate. On Server2, run the Recover Data Wizard.

E. From Server1, run the Recover Data Wizard, and then click Another server. When the wizard completes, copy the files.



QUESTION 154HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IPAddress Management (IPAM) Server feature installed.

You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2. You need to ensure that Tech1 canuse Server Manager on Server1 to manage IPAM on Server2. To which group on Server2 should you add Tech1? To answer, select the appropriate group in theanswer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:If you are accessing the IPAM server remotely using Server Manager IPAM client RSAT, then you must be a member of the WinRMRemoteWMIUsers group on theIPAM server, in addition to being a member of the appropriate IPAMsecurity group (or local Administrators group).

References: Understand and Troubleshoot IP Address Management (IPAM) in Windows Server "8" Beta.

QUESTION 155Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2 that run WindowsServer 2012 R2. Both servers have the Hyper-V server role installed.The network contains an enterprise certification authority (CA). All servers are enrolled automatically for a certificate-based on the Computer certificate template.

On Server1, you have a virtual machine named VM1. VM1 is replicated to Server2.

You need to encrypt the replication of VM1.


A. On Server1, modify the Hyper-V Settings.

B. On Server2, modify the settings of VM1.

C. On Server2, modify the Hyper-V Settings.

D. On Server1, modify the settings of VM1.

E. On Server1, modify the settings of the virtual switch to which VM1 is connected.

F. On Server2, modify the settings of the virtual switch to which VM1 is connected.

Correct Answer: BCSection: Volume CExplanation

Explanation/Reference:B. Each virtual machine that is to be replicated must be enabled for replication (on the replica server Server2).

C. To configure the Replica server (here Server2)In Hyper-V Manager, click Hyper-V Settings in the Actions pane.In the Hyper-V Settings dialog, click Replication Configuration.In the Details pane, select Enable this computer as a Replica server.


In the Authentication and ports section, select the authentication method. For either authentication method, specify the port to be used (the default ports are80 for Kerberos over HTTP and 443 for certificate-based authentication over HTTPS).If you are using certificate-based authentication, click Select Certificate and provide the request certificate information.

Etc

Reference: Deploy Hyper-V Replica Step 2: Enable Replication

QUESTION 156Your company has a main office and a branch office.

The main office contains a file server named Server1. Server1 has the BranchCache for Network Files role service installed. The branch office contains a servernamed Server2. Server2 is configured as a BranchCache hosted cache server.

You need to preload the data from the file shares on Server1 to the cache on Server2.

What should you run first?

A. Publish-BCFileContent

B. Add- BCDataCacheExtension

C. Set-BCCache

D. Export-BCCachePackage


Explanation/Reference:See step 2 below.

To prehash content and preload the content on hosted cache servers1. Log on to the file or Web server that contains the data that you wish to preload, and identify the folders and files that you wish to load on one or more remote

hosted cache servers.2. Run Windows PowerShell as an Administrator. For each folder and file, run either the Publish-BCFileContent command or the Publish-BCWebContent

command, depending on the type of content server, to trigger hash generation and to add data to a data package.3. After all the data has been added to the data package, export it by using the Export- BCCachePackage command to produce a data package file.4. Move the data package file to the remote hosted cache servers by using your choice of file transfer technology. FTP, SMB, HTTP, DVD and portable hard disks

are all viable transports.5. Import the data package file on the remote hosted cache servers by using the Import- BCCachePackage command.

Reference: Prehashing and Preloading Content on Hosted Cache Servers (Optional)



Windows Server 2012 R2 is installed on volume C.

You need to ensure that Safe Mode with Networking loads the next time Server1 restarts.


A. The Msconfig command

B. The Bootcfg command

C. The Restart-Computer cmdlet

D. The Restart-Server cmdlet


Explanation/Reference:Explanation:Use system config (Msconfig) to configure boot options.


Reference: System Configuration aka MSCONFIG.

QUESTION 158HOTSPOTYour network contains three application servers that run Windows Server 2012 R2. The application servers have the Network Load Balancing (NLB) featureinstalled.

You create an NLB cluster that contains the three servers.

You plan to deploy an application named App1 to the nodes in the cluster. App1 uses TCP port 8080 and TCP port 8081.

Clients will connect to App1 by using HTTP and HTTPS. When clients connect to App1 by using HTTPS, session state information will be retained locally by thecluster node that responds to the client request.

You need to configure a port rule for Appl.


Which port rule should you use?To answer, select the appropriate rule in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:* Filtering Mode: Multiple hostsThe Multiple hosts parameter specifies that multiple hosts in the cluster will handle network traffic for the associated port rule. This filtering mode provides scaledperformance and fault tolerance by distributing the network load among multiple hosts. You can specify that the load be equally distributed among the hosts or thateach host will handle a specified load weight.

* AffinitySelect Affinity Single or Network to ensure that all network traffic from a particular client is directed to the same host.


You modify the properties of a system driver and you restart Server1.

You discover that Server1 continuously restarts without starting Windows Server 2012 R2.

You need to start Windows Server 2012 R2 on Server1 in the least amount of time. The solution must minimize the amount of data loss.

Which Advanced Boot Option should you select?

A. Repair Your Computer

B. Last Known Good Configuration (advanced)

C. Disable Driver Signature Enforcement

D. Disable automatic restart on system failure


Explanation/Reference:Explanation:Try using Last Known Good Configuration if you can't start Windows, but it started correctly the last time you turned on the computer.

Reference: Using Last Known Good Configuration


QUESTION 160Your network contains one Active Directory forest named contoso.com. The forest contains two child domains and six domain controllers. The domain controllersare configured as shown in the following table.

For the contoso.com domain, a company policy states that administrators must be able to retrieve a list of all the users who have not logged on to the network in thelast seven days from any domain controller.

You need to ensure that the users' last logon information from the last seven days is replicated to all of the domain controllers.


A. Set-ADSite


C. Set-ADDomain


E. Set-ADGroup

F. Set-ADForest

G. Netdom



Explanation/Reference:Explanation:The Set-ADDomain LastLogonReplicationInterval parameter specifies the time, in days, within which the last logon time of an account must be replicated across alldomain controllers in the domain. This parameter sets the LastLogonReplicationInterval property for a domain. The LDAP display name (ldapDisplayName) for thisproperty is msDS-LogonTimeSyncInterval. The last logon replication interval must beat least one day. Setting the last logon replication interval to a low value cansignificantly increase domain-wide replication.

Incorrect Answers:A: Set-ADSite is a Microsoft Exchange 2013 command. Use the Set-AdSite cmdlet to configure the Exchange settings of Active Directory sites.E: The Set-ADGroup cmdlet modifies the properties of an Active Directory group.F: The Set-ADForest cmdlet modifies the properties of an Active Directory forest.

Reference: Technet, Set-ADDomainhttps://technet.microsoft.com/en-us/library/ee617212.aspx


You need to enable universal group membership caching for the Europe office and Asia office sites.


A. Set-ADSite



C. Set-ADDomain


E. Set-ADGroup

F. Set-ADForest

G. Netdom


Explanation/Reference:The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site that is being used for replication.

Parameter: -UniversalGroupCachingEnabled<Boolean>Indicates whether the cmdlet enables universal group caching. If this parameter is true, it indicates this site caches universal groups, which are those groupscached on global catalog (GC) servers. It can be useful in sites with no GC servers available locally.

Reference: Technet, Set-ADReplicationSite


You create a trust between contoso.com and a domain in another forest at a partner company.


You need to prevent the sales.contoso.com and the manufacturing.contoso.com names from being used in authentication requests across the forest trust.


A. Set-ADSite


C. Set-ADDomain


E. Set-ADGroup

F. Set-ADForest

G. Netdom

Correct Answer: GSection: Volume CExplanation

Explanation/Reference:The Netdom trust command establishes, verifies, or resets a trust relationship between domains.Parameters include /RemoveTLNEX:Removes the specified top level name exclusion (DNS Name Suffix) from the forest trust info from the specified trust. Valid only for a forest transitive non-Windowsrealm trust and can only be performed on the root domain for a forest.

Reference: Netdom trusthttps://technet.microsoft.com/sv-se/library/Cc835085(v=WS.10).aspx


A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS) on a server named Server1.

After the proof of concept was complete, the Active Directory Rights Management Services server role was removed.

You attempt to deploy AD RMS.

During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found.

You need to ensure that clients will only attempt to establish connections to the new AD RMS deployment.

Which should you do?


A. From DNS, remove the records for Server1.

B. From DNS, increase the priority of the DNS records for the new deployment of AD RMS.

C. From Active Directory, remove the computer object for Server1.

D. From Active Directory, remove the SCP.


Explanation/Reference:The Active Directory Rights Management Services (AD RMS) Service Connection Point (SCP) is an object in Active Directory that holds the web address of the ADRMS certification cluster. AD RMS- enabled applications use the SCP to discover the AD RMS service; it is the first connection point for users to discover the ADRMS web services.

Only one SCP can exist in your Active Directory forest. If you try to install AD RMS and an SCP already exists in your forest from a previous AD RMS installationthat was not properly deprovisioned, the new SCP will not install properly. It must be removed before you can establish the new SCP.

Reference: The AD RMS Service Connection Pointhttp://social.technet.microsoft.com/wiki/contents/articles/710.the-ad-rms-service-connection- point.aspx

QUESTION 164Your network contains one Active Directory domain named contoso.com. The domain contains an IP Address Management (IPAM) server named Server1. Server1manages several DHCP and DNS servers.

From Server Manager on Server1, you create a custom role for IPAM.

You need to assign the role to a group named IP_Admins.

What should you do?

A. From Windows PowerShell, run the Add-Member cmdlet.

B. From Server Manager, create an access policy.

C. From Windows PowerShell, run the Set-IpamConfiguration cmdlet.

D. From Server Manager, create an access scope.



Explanation/Reference:A role is a collection of IPAM operations. You can associate a role with a user or group in Windows using an access policy. Several built-in roles are provided, butyou can also create customized roles to meet your business requirements.

Reference: Manage IPAM, Access Controlhttps://technet.microsoft.com/en-us/library/dn741281.aspx


You have a trust from contoso.com to another forest named fabrikam.com.

You plan to migrate users from contoso.com to fabrikam.com.

You need to ensure that the users who migrated to fabrikam.com can continue to access shared resources in contoso.com. The solution must not requireadministrators to modify permissions to shared resources.


A. Set-ADSite


C. Set-ADDomain



E. Set-ADGroup

F. Set-ADForest

G. Netdom

Correct Answer: GSection: Volume CExplanation

Explanation/Reference:The Netdom move command moves a workstation or member server to a new domain. The act of moving a computer to a new domain creates an account for thecomputer on the domain, if it does not already exist.

Reference: Technet, Netdom movehttps://technet.microsoft.com/en-us/library/cc788127.aspx


You need to ensure that all Active Directory changes are replicated to all of the domain controllers in the forest within 30 minutes.




A. Set-ADSite


C. Set-ADDomain


E. Set-ADGroup

F. Set-ADForest

G. Netdom


Explanation/Reference:Explanation:The Set-ADReplicationSite cmdlet is used to set the properties for an Active Directory site that is being used for replication. Sites are used in Active Directory toeither enable clients to discover network resources (published shares, domain controllers) close to the physical location of a client computer or to reduce networktraffic over wide area network (WAN) links. Sites can also be used to optimize replication between domain controllers.

The parameter -ReplicationSchedule<ActiveDirectorySchedule> specifies the default replication schedule for connections within this site (intra-site replication).

Incorrect Answers:A: Set-ADSite is a Microsoft Exchange 2013 command. Use the Set-AdSite cmdlet to configure the Exchange settings of Active Directory sites.

D: The Set-ADReplicationSiteLink cmdlet sets properties on an Active Directory site link. A site link connects two or more sites. Replication site links reflect theadministrative policy for how sites interconnect and the methods used to transfer replication traffic. You must connect sites with site links so that domain controllersat each site can replicate Active Directory changes.

F: The Set-ADForest cmdlet modifies the properties of an Active Directory forest. Replication cannot be configured with this command.

Reference: Technet, Set-ADReplicationSitehttps://technet.microsoft.com/en-us/library/hh852305(v=wps.630).aspx

QUESTION 167


HOTSPOT

Your network contains one Active Directory domain.

The domain contains an enterprise certification authority (CA).

You need to ensure that members of a group named Group1 can issue certificates for the User certificate template only.

Which two tabs should you use to perform the configuration? To answer, select the appropriate tabs in the answer area.

Hot Area:



Correct Answer:




Explanation/Reference:Explanation:To configure certificate manager restrictions for a CA

Open the Certification Authority snap-in, and right-click the name of the CA.Click Properties, and then click the Security tab.Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allowcheck box, and then click Apply.Click the Certificate Managers tab.Click Restrict certificate managers, and verify that the name of the group or user is displayed.Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this stepuntil you have selected all certificate templates that you want to allow this certificate manager to manage.Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, orgroup, and click Deny.When you are finished configuring certificate manager restrictions, click OK or Apply.

References: Restrict Certificate Managershttps://technet.microsoft.com/en-us/library/cc753372.aspx

QUESTION 168Your network contains one Active Directory domain named contoso.com. The domain contains three users named User1, User2, and User3.

You need to ensure that the users can log on to the domain by using the user principal names (UPNs) shown in the following table.


A. the Set-ADDomain cmdlet

B. the Add-DNSServerSecondaryZone cmdlet


C. the Setspn command

D. the Set-ADUser cmdlet


Explanation/Reference:Explanation:The Set-ADUser cmdlet modifies the properties of an Active Directory user. You can modify commonly used property values by using the cmdlet parameters.Parameters include: UserPrincipalNameEach user account has a user principal name (UPN) in the format <user>@<DNS-domain-name>. A UPN is a friendly name assigned by an administrator that isshorter than the LDAP distinguished name used by the system and easier to remember. The UPN is independent of the user object's DN, so a user object can bemoved or renamed without affecting the user logon name. When logging on using a UPN, users no longer have to choose a domain from a list on the logon dialogbox.

Incorrect Answers:A: The Set-ADDomain cmdlet modifies the properties of an Active Directory domain. You can modify commonly used property values by using the cmdletparameters.

B: The Add-DnsServerSecondaryZone cmdlet adds a specified secondary zone on a Domain Name System (DNS) server.

C: Setspn reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. You use SPNs to locate atarget principal name for running a service. You can use setspn to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs.

Reference: Technet, Set-ADUserhttps://technet.microsoft.com/en-us/library/ee617215.aspx

QUESTION 169HOTSPOTYour network contains one Active Directory forest named contoso.com and one Active Directory forest named adatum.com. Each forest contains a single domain.

You have the domain controllers configured as shown in the following table.


You perform the following three actions:

Create a user named User1 on DC3.Create a file named File1.txt in the SYSVOL folder on DC1.Create a Group Policy object (GPO) named GPO1 on DC1 and link GPO1 to Site2.

You need to identify on which domain controller or controllers each object is stored.

What should you identify? To answer, select the appropriate options in the answer area.

Hot Area:

Correct Answer:



Explanation/Reference:Explanation: * SYSVOL is simply a folder which resides on each and every domain controller within the domain. It contains the domains public files that need to be accessed byclients and kept synchronised between domain controllers.Here File1.text will be stored on both domain controllers in contoso.com (DC1 and DC2).

* User1 will be stored on both domain controllers in adatum.com (DC3 and DC4), and on the global catalog server in contoso.com (DC1).

* The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a fullcopy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. Global catalog servers respond toglobal catalog queries.

GPO1 will be stored on the global catalog servers in the forest (Dc1 and DC3)

Reference: Understanding the Global Cataloghttps://technet.microsoft.com/en-us/library/cc730749.aspx

QUESTION 170HOTSPOTYour network contains one Active Directory forest named contoso.com. The forest contains the domain controllers configured as shown in the following table.


You perform the following actions:

Create a file named File1.txt in the SYSVOL folder on DC1.Create a user named User1 on DC4.

You need to identify on which domain controller or controllers a copy of each object is stored.

What should you identify? To answer, select the appropriate options in the answer area.

Hot Area:


Correct Answer:




A Microsoft Azure Backup of Server1 is created automatically every day.

You need to view the items that are included in the backup.


A. Get-OBPolicyState

B. Get-OBJob

C. Get-OBPolicy

D. Get-WBSummary

E. Get-WBFileSpec

F. Get-WBPolicy

G. WBJob



Explanation/Reference:Explanation:The Get-OBPolicy cmdlet gets the current backup policy that is set for the server, including the details about scheduling backups, files included in the backup, andretention policy.

Incorrect Answers:A: The Get-OBPolicyState cmdlet gets the Policy State of the current backup policy. The state can be either Valid or Paused.B: The Get-OBJob cmdlet gets a list of operations from a server as OBJob objects.D: The Get-WBSummary cmdlet gets the history of the backup operations performed. Information returned includes when the next backup is scheduled for, detailsfor the last backup, and details of the last successful backup. You can use this cmdlet to monitor the backups and the backup schedule on the computer.

Reference: Technet, Get-OBPolicyhttps://technet.microsoft.com/en-us/library/hh770406(v=wps.630).aspx

QUESTION 172Your network contains one Active Directory domain. The domain contains two Hyper-V hosts named Host1 and Host2 that run Windows Server 2012 R2.

Host1 contains a virtual machine named VM1.

You plan to move VM1 to Host2.

You need to generate a report that lists any configuration issues on Host2 that will prevent VM1 from being moved successfully.

Which cmdlet should you use?

A. Move-VM

B. Test-VHD

C. Debug-VM

D. Compare-VM


Explanation/Reference:Explanation:The Compare-VM cmdlet compares a virtual machine and a virtual machine host for compatibility, returning a compatibility report. This is useful when trying to


import or migrate a virtual machine that is incompatible with the target Hyper-V server.

Incorrect Answers:A: The Move-VM cmdlet moves a virtual machine to a new Hyper-V host.The parameter -CompatibilityReport<VMCompatibilityReport> specifies a compatibility report which includes any adjustments required for the move. This reportmust first be generated by the Compare-VM command.

B: The Test-VHD cmdlet tests a virtual hard disk, not a virtual machine which is what we are handling here, for any problems that would make it unusable.

Reference: Technet, Compare-VMhttps://technet.microsoft.com/en-us/library/hh848612(v=wps.630).aspx

QUESTION 173Your network contains an Active Directory domain named adatum.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2.

All client computers run Windows 7.

You need to ensure that user settings are saved to \\Server1\Users\.

What should you do?

A. From the properties of each user account, configure the User profile settings.

B. From a Group Policy object (GPO), configure the Folder Redirection settings.

C. From the properties of each user account, configure the Home folder settings.

D. From a Group Policy object (GPO), configure the Drive Maps preferences.


Explanation/Reference:Explanation:User settings and user files are typically stored in the local user profile, under the Users folder. The files in local user profiles can be accessed only from the currentcomputer, which makes it difficult for users who use more than one computer to work with their data and synchronize settings between multiple computers. Twotechnologies exist to address this problem: Roaming Profiles and Folder Redirection.Folder Redirection lets administrators redirect the path of a folder to a new location. The location can be a folder on the local computer or a directory on a networkfile share. Users can work with documents on a server as if the documents were based on a local drive. The documents in the folder are available to the user fromany computer on the network. Folder Redirection is located under Windows Settings in the console tree when you edit domain-based Group Policy by using theGroup Policy Management Console (GPMC).


References: https://technet.microsoft.com/en-us/library/cc732275.aspx

QUESTION 174Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2008, Windows Server 2008 R2, orWindows Server 2012 R2.

You have a Password Settings object (PSOs) named PSO1.

You need to view the settings of PSO1.


A. Active Directory Administrative Center

B. Get-ADAccountResultantPasswordReplication Policy

C. Group Policy Management

D. Get-ADDomainControllerPasswordReplication Policy


Explanation/Reference:Explanation:To implement Fine-Grained Passwords you have to deploy a Windows Server 2012 Domain Controller, with the domain functional level set at Windows Server 2008or above. You can now accomplish this task in ADAC (Active Directory Administrative Center).Editing or viewing a policy is as simple as expanding the AD tree and selecting the correct policy within the Password Settings container. Right-click Properties; ordouble-click opens the policy for editing.

References: Guest Post: How to use Fine-Grained Passwords in Windows Server 2012 http://blogs.technet.com/b/uktechnet/archive/2012/08/28/guest-post-how-to-use-fine-grained-passwords-in-windows-server-2012.aspx

QUESTION 175You have an enterprise certification authority (CA) named CA1.

You configure a recovery agent for CA1.

On CA1, you create a new certificate template named CertTemplate1, and then you configure CA1 to allow certificates to be requested based on CertTemplate1.

You need to ensure that new certificates issued based on CertTemplate1 can be recovered.

What should you do?


A. From the Certificate Templates console, modify the Issuance Requirements settings of CertTemplate1.

B. From the Certification Authority console, modify the enrollment agents of CA1.

C. From the Certificate Templates console, modify the Request Handling settings of CertTemplate1.

D. From the Certification Authority console, modify the certificate managers of CA1.


Explanation/Reference:Explanation:The key archival process takes place when a certificate is issued. Therefore, a certificate template must be modified to archive keys before any certificates areissued based on this template.See step 7 below.To configure a certificate template for key archival and recovery

Open the Certificate Templates snap-in.In the details pane, right-click the certificate template that you want to change, and then click Duplicate Template.In the Duplicate Template dialog box, click Windows Server 2003 Enterprise unless all of your certification authorities (CAs) and client computers are runningWindows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.In Template, type a new template display name, and then modify any other optional properties as needed.On the Security tab, click Add, type the name of the users or groups you want to issue the certificates to, and then click OK.Under Group or user names, select the user or group names that you just added. Under Permissions, select the Read and Enroll check boxes, and if youwant to automatically issue the certificate, also select the Autoenroll check box.On the Request Handling tab, select the Archive subject's encryption private key check box.If users already have EFS certificates that are not configured for key archival and recovery, click the Superseded Templates tab, click Add, and then click thename of the template that you want to replace.Click OK.

Reference: Configure a Certificate Template for Key Archival https://technet.microsoft.com/en-us/library/cc753826.aspx

QUESTION 176You have a server named Server1.

A Microsoft Azure Backup of Server1 is created automatically every day.

You rename Server1 to Server2.

You discover that backups are no longer created in Azure.


You need to back up the server to Azure.

What should you do?

A. From the Azure Management Portal, modify the configuration of backup vault.

B. On Server2, run the Add-WBBackupTarget cmdlet.

C. On Server2, run the Start-OBRegistration cmdlet.

D. From the Azure Management Portal, upload the Server2 certificate as a management certificate.


Explanation/Reference:Explanation:The Start-OBRegistration cmdlet registers the server with using the vault credentials downloaded during enrollment.What happens if I rename a Windows server that is backing up data to Azure?Any currently configured backups will be stopped. You will need to reregister the server with the backup vault and it will be considered a new server by RecoveryServices, so the first backup operation that occurs after registration will be a full backup of all of the data included in the backup instead of just the changes sincethe last backup occurred. However, if you need to perform a recovery operation you can recover the data that has been backed up using Recover from anotherserver recovery option. For more information, see Rename a server.

References:https://azure.microsoft.com/sv-se/documentation/articles/backup-azure-backup-faq/https://technet.microsoft.com/en-us/library/hh770398(v=wps.630).aspx

QUESTION 177You need to verify whether a DNS response from a DNS server is signed by DNSSEC.What should you run?

A. nslookup.exe

B. dnscmd.exe

C. Resolve-DNSName

D. Get-NetIPAddress



Explanation/Reference:Explanation:The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet is functionally similar to the nslookup tool which allows users to query fornames. The Resolve-DnsName cmdlet was introduced in Windows Server 2012and Windows 8 and can be used to display DNS queries that include DNSSECdata.Parameters include:

-DnssecOkSets the DNSSEC OK bit for this query.

-DnssecCdSets the DNSSEC checking-disabled bit for this query

Example: In the following example, the DO=1 flag is set by adding the dnssecok parameter.PS C:\> resolve-dnsname -name finance.secure.contoso.com -type A -server dns1.contoso.com -dnssecok

Incorrect Answers:A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The nslookuptool uses an internal DNS client that is not DNSSEC-aware.

References:https://technet.microsoft.com/library/jj590781.aspxhttps://technet.microsoft.com/en-us/library/jj200221.aspx#validation

QUESTION 178You have a DNS server named Server1 that runs Windows Server 2012 R2.

You need to disable recursion on Server1.

What are three possible ways to achieve the goal? Each correct answer presents a complete solution.

A. From DNS Manager, modify the Advanced properties of Server1.

B. Create a forward lookup zone named GlobalNames.

C. From DNS Manager, modify the Forwarders properties of server1.

D. Create a reverse lookup zone named 0.in-addr.arpa.

E. Create a forward lookup zone named ".".

F. Run dns.cmd.exe and specify the /config parameter.

Correct Answer: AEFSection: Volume CExplanation



A: To disable recursion on the DNS server using the Windows interfaceOpen DNS Manager.In the console tree, right-click the applicable DNS server, then click Properties.Click the Advanced tab.In Server options, select the Disable recursion check box, and then click OK.

E: Disable recursion on DNS servers that do not respond to DNS clients directly and that are not configured with forwarders. A DNS server requires recursion only ifit responds to recursive queries from DNS clients or if it is configured with a forwarder. DNS servers use iterative queries to communicate with each other.The DNS server has root DNS servers in its configuration so it returns the root DNS server details each time it is queried for a non existent domain name. Toprevent this we need to create a forward lookup zone with the name "."

F: To disable recursion on the DNS server using a command lineOpen a command prompt.Type the following command, and then press ENTER:

dnscmd <ServerName> /Config /NoRecursion {1|0}

Reference: Disable Recursion on the DNS Serverhttps://technet.microsoft.com/en-us/library/cc771738.aspx Reference: Setting up an authoritative DNS in Windows Server 2008 http://websistent.com/authoritative-dns-in-windows-server-2008/

QUESTION 179You have a DHCP server named Server1 that runs Windows Server 2012 R2. You need to configure Server1 as a stateless DHCPv6 server.Which cmdlet should you run?

A. Add-DHCPServerv6Scope

B. Add-DHCPServerv6OptionDefinition

C. Set-DHCPServerv6Class

D. Set-DHCPServerv6OptionValue




Explanation/Reference:Explanation:The parameters Parent Domain and IPv6 DNSServer, which the installation wizard asked for during the DHCP server role installation if you chose “enable statelessmode,” can be added manually to the Server Options node in the DHCP management console.The Set-DhcpServerv6OptionValue cmdlet sets anIPv6 option value at the server, scope, or reservation level.

References: The difference between stateless and stateful mode of a Windows Server 2008 R2 DHCPv6 serverhttps://4sysops.com/archives/the-difference-between-stateless-and-stateful-mode-of-a-windowsserver-2008-r2-dhcpv6-server/

QUESTION 180You have a DHCP server named Server1 that runs Windows Server 2012 R2.

Server1 has two scopes named Production and Development. Currently, all DHCP clients register their host name in a DNS zone named contoso.com.

You need to ensure that only the clients that obtain an IP address from the Development scope, register their host name in a DNS zone named dev.contoso.com.

What should you do?

A. Run the Set-DHCPServerv4Binding cmdlet.

B. Modify the Advanced settings of the Development scope.

C. Modify the Advanced settings of the DHCP server.

D. Create a DHCP policy for the Development scope.


Explanation/Reference:Explanation:DHCP policies can be defined server wide or for a specific scope. Any DNS registration behavior of the DHCP server which can be configured server wide or on aper scope basis – for example, turn on/off the DNS registration (and deregistration) or DNS name protection – can be configured on a per policy basis.

References: DHCP Policies in Windows Server 2012http://blogs.technet.com/b/teamdhcp/archive/2012/08/22/granular-dhcp-server-administration-using-dhcp-policies-in-windows-server-2012.aspx

QUESTION 181Your network contains one Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server2012 R2.

You perform daily backups of the data on Server1 to Microsoft Azure.


You need to restore the data from the 1st backup of Server1 to Server2.


A. On Server2, install the Azure Backup Agent.

B. From the Azure Management Portal, modify the configuration of the backup vault.

C. In the domain, add Server2 to the Backup Operators group.

D. On Server2, install the windows Server Backup feature.


Explanation/Reference:References: https://azure.microsoft.com/en-us/documentation/articles/backup-azure-restore-windowsserver/#recover-to-an-alternate-machine

QUESTION 182DRAG DROPYour network contains one Active Directory domain. The domain contains two Hyper-V hosts named Host1 and Host2 that run Windows Server 2012 R2. Host1contains a virtual machine named DC5. DC5 is a domain controller that runs Windows Server 2012 R2.

You configure Active Directory to support domain controller cloning for DC5, and then you shut down DC5.

You need to create a clone of DC5 on Host2.

What should you run on each Hyper-V host? To answer, drag the appropriate commands or cmdlets to the correct Hyper-V hosts. Each command or cmdlet maybe used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:


Correct Answer:


Explanation/Reference:Explanation:Use import and export feature, when you want to create a new virtual machine with the same configuration of an existing machine in Hyper-V.


The Export-VM cmdlet exports a virtual machine to disk.The Import-VM cmdlet imports a virtual machine from a file.

References: Overview of exporting and importing a virtual machinehttps://technet.microsoft.com/en-us/library/hh831535.aspx

QUESTION 183Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2008 R2.

You plan to test Windows Server 2012 R2 by using native-boot virtual hard disks (VHDs).

You have a Windows image file named file1.wim.

You need to add an image of a volume to file1.wim.

What should you do?

A. Run imagex.exe and specify the /append parameter.

B. Run imagex.exe and specify the /export parameter.

C. Run dism.exe and specify the /image parameter.

D. Run dism.exe and specify the /append-image parameter.


Explanation/Reference:Explanation: Append a Volume Image to an Existing Image Using DISM

The Deployment Image Servicing and Management (DISM) tool is a command-line tool that enables the creation of Windows® image (.wim) files for deployment ina manufacturing or corporate IT environment. The /Append-Image option appends a volume image to an existing. wim file allowing you to store many customizedWindows images in a fraction of the space. When you combine two or more Windows image files into a single .wim, any files that are duplicated between theimages are only stored once.

Incorrect Answers:A, B: ImageX has been flagged by Microsoft as a deprecated utility, and has been replaced with DISM

References:https://technet.microsoft.com/en-us/library/hh824916.aspx


QUESTION 184You have a group Managed Service Account named Service01. Three servers named Server01, Server02, and Server03 currently use the Service01 serviceaccount.

You plan to decommission Server01.

You need to remove the cached password of the Service01 service account from Server01. The solution must ensure that Server02 and Server03 continue to useService01.


A. Set-ADServiceAccount

B. Reset-ADServiceAccountPassword

C. Remove-ADServiceAccount

D. Uninstall-ADServiceAccount


Explanation/Reference:Explanation:We reset the password for the service.The Reset-ADServiceAccountPassword cmdlet resets the service account password for the local computer. This cmdlet needs to be run on the computer where theservice account is installed.

Incorrect Answers:A: The Set-ADServiceAccount cmdlet cannot modify the password of the service.

References: Reset-ADServiceAccountPasswordhttps://technet.microsoft.com/en-us/library/ee617201.aspx

QUESTION 185Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2012R2. All client computers run Windows 8.1.

The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on Hyper-Vhost that runs Windows Server 2012 R2.

You need to identify which domain controller must be online when cloning a domain controller.



A. Get-ADGroupMember

B. Get-ADDomainControllerPasswordReplicationPolicy

C. Get-ADDomainControllerPasswordReplicationPolicyUsage

D. Get-ADDomain

E. Get-ADOptionalFeature


Explanation/Reference:Explanation:A prerequisite to clone a domain controller is that an existing Windows Server 2012 DC that hosts the PDC emulator role is online.The output of the Get-ADDomain command includes a line indicating which domain controller acts as a PDC emulator.For example: PDCEmulator: Fabrikam-DC1.Fabrikam.com

Incorrect Answers:A: The Get-ADGroupMember cmdlet gets the members of an Active Directory group.Members can be users, groups, and computers.

E: The Get-ADOptionalFeature cmdlet gets an optional feature or performs a search to retrieve multiple optional features from an Active Directory.

References:http://blogs.technet.com/b/canitpro/archive/2013/06/12/step-by-step-domain-controller- cloning.aspxhttps://technet.microsoft.com/en-us/library/ee617224.aspx

QUESTION 186Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2012R2. All client computers run Windows 8.1.The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.You need to identify whether deleted objects can be recovered from the Active Directory Recycle Bin.Which cmdlet should you use?




D. Get-ADDomain



Correct Answer: ESection: Volume CExplanation

Explanation/Reference:Explanation:The Get-ADOptionalFeature cmdlet gets an optional feature or performs a search to retrieve multiple optional features from an Active Directory.Example: Get a specified optional featureThis command gets the optional feature with the name Recycle Bin Feature.Windows PowerShellPS C:\> Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

References: Get-ADOptionalFeaturehttps://technet.microsoft.com/en-us/library/hh852212(v=wps.630).aspx


The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.

You need to identify which domain controllers are authorized to be cloned by using virtual domain controller cloning.





D. Get-ADDomain





If you want to be able to clone a Domain Controller, then authorize the original source Domain Controller to be used as the source for cloning by adding its computerobject into the new "Cloneable Domain Controllers" Active Directory group.The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers.We use the Get-ADGroupMember cmdlet to retrieve the members of the "Cloneable Domain Controllers" Active Directory group.

References:http://blogs.technet.com/b/keithmayer/archive/2012/08/06/safely-cloning-an-active-directory- domain-controller-with-windows-server-2012-step-by-step-ws2012-hyperv-itpro-vmware.aspx

QUESTION 188HOTSPOT

Your network contains a DNS server named Server1. Server1 hosts a DNS zone for contoso.com.

You need to ensure that DNS clients cache records from contoso.com for a maximum for one hour.

Which value should you modify in the Start of Authority (SOA) record?

To answer, select the appropriate setting in the answer area.

Hot Area:

Correct Answer:



Explanation/Reference:Explanation: Minimum TTL - The minimum time-to-live value applies to all resource records in the zone file. This value is supplied in query responses to inform other servershow long they should keep the data in cache. The default value is 3,600.

Reference: The Structure of a DNS SOA Recordhttps://support.microsoft.com/en-us/kb/163971

QUESTION 189HOTSPOT

Your network contains one Active Directory domain named contoso.com. The domain contains 10 file servers that run Windows Server 2012 R2.You plan to enable BitLocker Drive Encryption (BitLocker) for the for the operating system drives of the file servers.You need to configure BitLocker policies for the file servers to meet the following requirements:

Ensure that all of the servers use a startup PIN for operating system drives encrypted with BitLocker.Ensure that the BitLocker recovery key and recovery password are stored in Active Directory.

Which two Group Policy settings should you configure? To answer, select the appropriate settings in the answer area.


Hot Area:

Correct Answer:



Explanation/Reference:Explanation: * Choice 1: Require additional authentication at startupThis policy setting is used to control which unlock options are available for operating system drives.


You can set this option to Require startup PIN with TPMChoice 2: Choose how BitLocker-protected operating system drives can be recoveredThis policy setting is used to configure recovery methods for operating system drives.In Save BitLocker recovery information to Active Directory Domain Services, choose which BitLocker recovery information to store in Active Directory DomainServices (AD DS) for operating system drives. If you select Store recovery password and key packages, the BitLocker recovery password and the key package arestored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select Store recovery password only, only therecovery password is stored in AD DS.

Reference: BitLocker Group Policy Settingshttps://technet.microsoft.com/en-us/library/jj679890.aspx#BKMK_unlockpol1



You need to identify which security principals are authorized to have their password cached on RODC01.





D. Get-ADDomain


Explanation/Reference:Explanation:The Get-ADDomainControllerPasswordReplicationPolicy gets the users, computers, service accounts and groups that are members of the applied list or denied listfor a read-only domain controller's (RODC) password replication policy. To get the members of the applied list, specify the AppliedList parameter. To get themembers of the denied list, specify the DeniedList parameter.

Example: Get from an RODC domain controller password replication policy the allowed accounts showing the name and object class of each:Get-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" -Allowed | ft Name,ObjectClass

Reference: Get-ADDomainControllerPasswordReplicationPolicy


https://technet.microsoft.com/en-us/library/ee617207.aspx



You need to identify which user accounts were authenticated by RODC1.





D. Get-ADDomain


Explanation/Reference:Explanation:The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer accounts that are authenticated by a read-only domain controller (RODC)or that have passwords that are stored on that RODC. The list of accounts that are stored on a RODC is known as the revealed list.

Reference: Get-ADDomainControllerPasswordReplicationPolicyUsage https://technet.microsoft.com/en-us/library/ee617194.aspx

QUESTION 192Your network contains two Active Directory forests named contoso.com and adatum.com. All domain controllers run Windows Server 2012 R2.

The adatum.com domain contains a Group Policy object (GPO) named GPO1. An administrator from adatum.com backs up GPO1 to a USB flash drive.

You have a domain controller named dc1.contoso.com. You insert the USB flash drive in dc1.contoso.com.

You need to identify the domain-specific reference in GPO1.

What should you do?


A. From the Migration Table Editor, click Populate from Backup.

B. From Group Policy Management, run the Group Policy Modeling Wizard.

C. From Group Policy Management, run the Group Policy results Wizard.

D. From the Migration Table Editor, click Populate from GPO.


Explanation/Reference:Explanation:You can auto-populate a migration table by scanning one or more GPOs or backups to extract all references to security principals and UNC paths, and then enterthese items into the table as source name entries. This capability is provided by the Populate from GPO and Populate from Backup options.

Reference: The migration table editorhttps://technet.microsoft.com/sv-se/library/Cc779961(v=WS.10).aspx

QUESTION 193You have a DNS server that runs Windows Server 2012 R2. The server hosts the zone for contoso.com and is accessible from the Internet.You need to create a DNS record for the Sender Policy Framework (SPF) to list the hosts that are authorized to send email for contoso.com.Which type of record should you create?

A. mail exchanger (MX)

B. resource record signature (RRSIG)

C. text (TXT)

D. name server (NS)


Explanation/Reference:Explanation:To configure SPF records in the Windows Server DNS, follow these steps:

Click Start, point to All Programs, point to Administrative Tools, and then click DNS.In the left pane, expand the DNS server object, and then expand Forward Lookup Zones.Right-click the domain folder to which you want to add the SPF record, and then click Other New Records.In the Select a resource record type list, click Text (TXT), and then click Create Record.If you add a record for the parent domain, leave the Record name box blank. If you do not add a record for the parent domain, type the single part name of thedomain in the Record name box.


In the Text box, type v=spf1 mx -all.Click OK, and then click Done.

Reference: How to configure Sender of Policy Framework records in the Windows Server 2003 Domain Name Systemhttps://support.microsoft.com/en-us/kb/912716

QUESTION 194You have two Windows Server Update Services (WSUS) servers named Server01 and Server02. Server01 synchronizes from Microsoft Update. Server02synchronizes updates from Server01. Both servers are members of the same Active Directory domain.

You configure Server01 to require SSL for all WSUS metadata by using a certificate issued by an enterprise root certification authority (CA).

You need to ensure that Server02 synchronizes updates from Server01.



A. From a command prompt, run wsusutil.exe configuresslproxy server02 443.

B. From a command prompt, run wsusutil.exe configuressl server01.

C. From a command prompt, run wsusutil.exe configuresslproxy server01 443.

D. From the Update Services console, modify the Update Source and Proxy Server options.


Explanation/Reference:Explanation:We configure server02 to use server01 as a proxy for the updates through the wsusutil.exe configuresslproxy <ssl_proxy_ip_or_name> <port>Server01 is the ssl_proxy and the port is 443 (the sll port).

References: A work-around when using different proxies for HTTP and SSL in WSUS 3.0 SP1http://blogs.technet.com/b/craigf/archive/2009/05/04/a-work-around-when-using-different- proxies-for-http-and-ssl-in-wsus-3-0-sp1.aspx

QUESTION 195


HOTSPOTYou need to configure Server1 to meet the following requirements:

Ensure that old files in folder named Folder1 are archived automatically to a folder named Archive1.Ensure that JPG files can always be saved to a local computer, even when a file screen exists.

Which two nodes should you configure?

Hot Area:


Correct Answer:



Explanation/Reference:Explanation:Node 1: File expiration tasks are used to automatically move all files that match certain criteria to a specified expiration directory, where an administrator can then


back those files up and delete them.To create a file expiration task

Click the File Management Tasks node.Right-click File Management Tasks, and then click Create File Management Task (or click Create File Management Task in the Actionspane). Thisopens the Create File Management Task dialog box.In the Exception path text box, type or select the path that the exception will apply to. The exception will apply to the selected folder and all of its subfolders.

Etc.

Node 2: Occasionally, you need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you need to allow your traininggroup to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception.You assign file groups to determine which file types will be allowed in the file screen exception.To create a file screen exception

InFile Screening Management, click the File Screens node.Right-click File Screens, and click Create File Screen Exception (or select Create File Screen Exception from the Actions pane). This opens the Create File Screen Exception dialog box.

EtcNote: On the File Screening Management node of the File Server Resource Manager MMC snap-in, you can perform the following tasks:

Create file screens to control the types of files that users can save, and generate notifications when users attempt to save unauthorized files.Define file screening templates that can be applied to new volumes or folders and that can be used across an organization.Create file screening exceptions that extend the flexibility of the file screening rules.

Reference: Create a File Expiration Taskhttps://technet.microsoft.com/en-us/library/dd759233.aspx

QUESTION 196You have two Hyper-V hosts named Host1 and Host2 that run Windows Server 2012 R2. Host1 hosts a virtual machine named VM1 that is replicated to Host2.VM1 hosts an internal web application.

You need to test the failover of VM1 to Host2. The solution must ensure that clients continue to connect to VM1 on Host1.


A. Start-VMFailover

B. Export-VM

C. Move-VM

D. Test-VMReplicationConnection

E. Compare-VM

Correct Answer: A



Explanation/Reference:Explanation:Start-VMFailover -AsTestCreates a test virtual machine using the chosen recovery point. You can use a test virtual machine to validate a Replica virtual machine. To stop a test failover, usethe Stop-VMFailover cmdlet.

The Start-VMFailover cmdlet can be used for the following tasks:-- Fail over a Replica virtual machine to a chosen recovery point. -- Start a planned failover on a primary virtual machine. -- Create a test virtual machine on a Replica virtual machine.

Reference: Start-VMFailoverhttps://technet.microsoft.com/en-us/library/jj136051(v=wps.630).aspx

QUESTION 197You have two servers named Server1 and Server2 that run Windows Server 2012 R2.

You have a Microsoft Azure subscription that has two backup vaults named Vault1 and Vault2.

Server1 is backed up to Vault1. The backup of Server1 contains a file named Data.db. Server2 is backed up to Vault2.

You need to recover a copy of Data.db to Server2.

What should you do?

A. From the Azure Management Portal, modify the policies of Vault1. On Server2, run the Recover Data Wizard.

B. From Server2, modify the logon settings for the Microsoft Azure Recovery Services Agent service, and then run the Recover Data Wizard.

C. From the Azure Management Portal, allow the re-registration of Server1. On Server2, modify the Microsoft Azure Backup properties, and then run the RecoverData Wizard.

D. From Server2, copy the Vault1 credentials and the passphrase. Run the Recover data Wizard.


Explanation/Reference:Explanation:We need the Vault1 credentials to be able to access the data in Vault1.


We need the passphrase of Server1 to access the backup that was made on Server1.

References: Microsoft Azure - Cloud Backup and Recoveryhttp://blogs.technet.com/b/rmurphy/archive/2014/12/02/microsoft-azure-backup.aspx


You suspect that some protected system files are corrupt.

You need to verify the protected system files on Server1 and replace files that have incorrect versions.


A. Sfc

B. Repair-volume

C. Repair-FileIntegrity

D. Fsutil


Explanation/Reference:Explanation:Sfc scans and verifies the integrity of all protected system files and replaces incorrect versions with correct versions.

Examples:To verify the kernel32.dll file, type:sfc /verifyfile=c:\windows\system32\kernel32.dllTo setup offline repair of the kernel32.dll file with an offline boot directory set to d: and offline windows directory set to d:\windows, type:sfc /scanfile=d:\windows\system32\kernel32.dll /offbootdir=d:\ /offwindir=d:\windows

References: Technet, sfchttps://technet.microsoft.com/en-us/library/ff950779.aspx

QUESTION 199HOTSPOTYour network contains 25 Web servers that run Windows Server 2012 R2.

You need to configure auditing policies that meet the following requirements:


Generate an event each time a new process is created.Generate an event each time a user attempts to access a file share.

Which two auditing policies should you configure?

To answer, select the appropriate two auditing policies in the answer area.

Hot Area:

Correct Answer:



Explanation/Reference:Explanation:* Audit object accessDetermines whether to audit the event of a user accessing an object (for example, file, folder, registry key, printer, and so forth) which has its own system accesscontrol list (SACL) specified.* Audit process tracking


This security setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirectobject access.

Reference: https://technet.microsoft.com/en-us/library/cc976403.aspxReference: https://technet.microsoft.com/sv-se/library/Cc775520(v=WS.10).aspx

QUESTION 200HOTSPOT

You discover that when users connect to app1.contoso.com, they are connected frequently to a server that is not on their local subnet.

You need to ensure that when the users connect to app1.contoso.com, they connect to a server on their local subnet. The connections must be distributed acrossthe servers that host app1.contoso.com on their subnet.

Which options should you select?

Hot Area:


Correct Answer:


Section: Volume C


Explanation


QUESTION 201Your network contains two Active Directory forests named contoso.com and adatum.com.A two- way forest trust exists between the forests.

The contoso.com forest contains an enterprise certification authority (CA) named Server1.

You implement cross-forest certificate enrollment between the contoso.com forest and the adatum.com forest. On Server1, you create a new certificate templatenamed Template1.

You need to ensure that users in the adatum.com forest can request certificates that are based on Template1.


A. DumpADO.ps1

B. Repadmin

C. Add-CATemplate

D. Certutil

E. PKISync.ps1


Explanation/Reference:Explanation:PKISync.ps1 copies objects in the source forest to the target forest


Incorrect Answers:B: Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

C: Adds a certificate template to the CA.

D: Use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components,and verify certificates, key pairs, and certificate chains.

References:https://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx#BKMK_Consolidatinghttps://technet.microsoft.com/en-us/library/cc770963(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/hh848372.aspxhttps://technet.microsoft.com/library/cc732443.aspxhttps://technet.microsoft.com/en-us/library/ff961506(v=ws.10).aspx


Server1 has the Windows Deployment Services server role installed.

You back up Server1 each day by using Windows Server Backup.

The disk array on Server1 fails.


You replace the disk array.

You need to restore Server1 as quickly as possible.

What should you do?

A. Start Server1 from the WindowsServer 2012 R2 installation media.

B. Start Server1and press F8.

C. Start Server1 and press Shift+F8.

D. Start Server1 by using the PXE.


Explanation/Reference:Explanation:A. Recovery of the OS uses the Windows Setup Disc

References:https://technet.microsoft.com/en-us/library/cc753920.aspxhttp://www.windowsnetworking.com/articles_tutorials/Restoring-Windows-Server-BareMetal.html

QUESTION 203DRAG DROPYou have a file server named Server1 that runs Windows Server 2012 R2.

The folders on Server1 are configured as shown in the following table.

A new corporate policy states that backups must use Microsoft Online Backup whenever possible.You need to identify which technology you must use to back up Server1.


The solution must use Microsoft Online Backup whenever.

What should you identify? To answer, drag the appropriate backup type to the correct location or locations. Each backup type may be used once, more than once,or not at all. You may need to drag the split bar between panes or scroll to view content.

Select and Place:

Correct Answer:





QUESTION 204You have a DNS server named Server1 that runs Windows Server 2012 R2.

Server1 has a signed zone for contoso.com.

You need to configure DNS clients to perform DNSSEC validation for the contoso.com DNS domain.


A. The Network Connection settings

B. A Name Resolution Policy

C. The Network Location settings

D. The DNS Client settings



B. Ina DNSSEC deployment, validation of DNS queries by client computers is enabled through configuration of IPSEC & NRPT


http://technet.microsoft.com/en-us/library/ee649182(v=ws.10).aspxhttp://technet.microsoft.com/en-us/library/ee649136(v=ws.10).aspx


The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.

On DC1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)


You need to change the replication scope of the contoso.com zone.What should you do before you change the replication scope?

A. Modify the Zone Transfers settings.

B. Add DC1 to the Name Servers list.

C. Add your user account to the Security settings ofthe zone.

D. Unsign the zone.

Correct Answer: DSection: Volume C


Explanation


Lock icon signifies that the Zone has been signed. Changes to the zone are blocked when signed

References:http://www.microsoft.com/en-us/download/dlx/ThankYou.aspx?id=29018


The domain contains servers named Server1 and Server2 that run Windows Server 2012 R2.

Server1 has the IP Address Management (IPAM) Server feature installed.

You install the IPAM client on Server2.

You open Server Manager on Server2 as shown in the exhibit. (Click the Exhibit button.)


You need to manage IPAM from Server2.


A. On Server1, add the Server2 computer account to the IPAMMSM Administrators group.

B. On Server2,open Computer Management and connect to Server1.

C. On Server2, add Server1 to Server Manager.

D. On Server1, add the Server2 computer account to the IPAM ASM Administrators group.





QUESTION 207Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Dc1. DC1 has the DNS Server server roleinstalled.The network has two sites named Site1 and Site2. Site1 uses 10.10.0.0/16 IP addresses and Site2 uses 10.11.0.0/16 IP addresses. All computers use DC1 as theirDNS server.The domain contains four servers named Server1, Server2, Server3, and Server4.

All of the servers run a service named Service1.

DNS host records are configured as shown in the exhibit. (Click the Exhibit button.)


You discover that computers from the 10.10.1.0/24 network always resolve Service1 to the IP address of Server1.

You need to configure DNS on DC1 to distribute computers in Site1 between Server1 and Server2 when the computers attempt to resolve Service1.

What should run on DC1?

A. dnscmd /config /bindsecondaries 1

B. dnscmd /config /localnetpriority 0


C. dnscmd /config /localnetprioritynetmask 0x0000ffff

D. dnscmd /config /roundrobin 0


Explanation/Reference:Explanation:You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF command to use class B (or 16 bit) for netmask ordering for DNS round robin

Incorrect Answers:A: Specifies use of fast transfer format used by legacy Berkeley Internet Name Domain (BIND) servers. 1enablesB: Disables netmask ordering.D: Disables round robin rotation.

References:https://technet.microsoft.com/en-us/library/cc737355(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/cc738473(v=ws.10).aspxhttp://support.microsoft.com/kb/842197https://technet.microsoft.com/en-us/library/cc779169(v=ws.10).aspx

QUESTION 208Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists foreach office. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2.

Both servers have the DHCP Server server role installed.

Server1 is located in the main office site. Server2 is located in the branch office site.

Server1 provides IPv4 addresses to the client computers in the main office site.

Server2 provides IPv4 addresses to the client computers in the branch office site.

You need to ensure that if either Server1 or Server2 are offline, the client computers can still obtain IPv4 addresses.

The solution must meet the following requirements:- The storage location of the DHCP databases must not be a single point of failure.- Server1 must provide IPv4 addresses to the client computers in the branch office site only if Server2 is offline.- Server2 must provide IPv4 addresses to the client computers in the main office site only if Server1 is offline.

Which configuration should you use?


A. load sharing mode failover partners

B. a failover cluster

C. hot standby mode failover partners

D. a Network Load Balancing (NLB)cluster


Explanation/Reference:Explanation:Needs to be a DHCP Failover option

Incorrect Answers:A: The load sharing mode of operation is best suited to deployments where both servers in a failover relationship are located at the same physical site.B: Hot standby mode of operation is best suited to deployments where a central office or data center server acts as a standby backup server to a server at a remotesite, which is local to theDHCP clientsD: Needs to be a DHCP Failover option

References:https://technet.microsoft.com/en-us/library/hh831385.aspxhttp://blogs.technet.com/b/teamdhcp/archive/2012/09/03/dhcp-failover-hot-standbymode.aspx

QUESTION 209You have a DHCP server named Server1. Server1 has an IP address 192.168.1.2 is located on a subnet that has a network ID of 192.168.1.0/24.


On Server1, you create the scopes shown in the following table.

You need to ensure that Server1 can assign IP addresses from both scopes to the DHCP clients on the local subnet.

What should you create on Server1?


A. A scope

B. A superscope

C. A split-scope

D. A multicast scope


Explanation/Reference:Explanation:A superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP) servers running Windows Server 2008 that you can create and manageby using the DHCP Microsoft Management Console (MMC) snap-in.By using a superscope, you can group multiple scopes as a single administrative entity.


Incorrect Answers:A: A scope is an administrative grouping of IP addresses for computers on a subnet that use the Dynamic Host Configuration Protocol (DHCP) service. Theadministrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients.

D: Multicasting is the sending of network traffic to a group of endpoints destination hosts. Only those members in the group of endpoints hosts that are listening forthe multicast traffic (the multicast group) process the multicast traffic

References:https://technet.microsoft.com/en-us/library/dd759168.aspxhttps://technet.microsoft.com/en-us/library/dd759152.aspx

QUESTION 210Your network contains servers that run Windows Server 2012 R2.

The network contains a large number of iSCSI storage locations and iSCSI clients.

You need to deploy a central repository that can discover and list iSCSI resources on the network automatically.

Which feature should you deploy?

A. the Windows Standards-Based Storage Management feature

B. the iSCSI Target Server role service

C. the iSCSI Target Storage Provider feature


D. the iSNS Server service feature


Explanation/Reference:Explanation:D. The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS clients. iSNS clients are computers, also known asinitiators, that are attempting to discover storage devices, also known as targets, on an Ethernet network.


Incorrect Answers:A: Windows Server 2012 R2 enables storage management that is comprehensive and fully scriptable, and administrators can manage it remotely. A WMI-basedinterface provides a single mechanism through which to manage all storage, including non-Microsoft intelligent storage subsystems and virtualized local storage(known as Storage Spaces). Additionally, management applications can use a single Windows API to manage different storage types by using standards-basedprotocols such as Storage Management Initiative Specification (SMI-S).


B: Targets are created in order to manage the connections between an iSCSI device and the servers that need to access it. A target defines the portals (IPaddresses) that can be used to connect to the iSCSI device, as well as the security settings (if any) that the iSCSI device requires in order to authenticate theservers that are requesting access to its resources.

C: iSCSI Target Storage Provider enables applications on a server that is connected to an iSCSI target to perform volume shadow copies of data on iSCSI virtualdisks. It also enables you to manage iSCSI virtual disks by using older applications that require a Virtual Disk Service (VDS) hardware provider, such as theDiskraid command.

References:https://technet.microsoft.com/en-us/library/cc726015.aspxhttps://technet.microsoft.com/en-us/library/cc772568.aspx

QUESTION 211Your network contains two Active Directory forests named contoso.com and fabrikam.com.

The contoso.com forest contains two domains named corp.contoso.com and contoso.com.

You establish a two-way forest trust between contoso.com and fabrikam.com. Users from the corp.contoso.com domain report that they cannot log on to clientcomputers in the fabrikam.com domain by using their corp.contoso.com user account.

When they try to log on, they receive following error message:

"The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer."

Corp.contoso.com users can log on successfully to client computers in the contoso.com domain by using their corp.contoso.com user account credentials.

You need to allow users from the corp.contoso.com domain to log on to the client computers in the fabrikam.com forest.

What should you do?

A. Configure Windows Firewall with Advanced Security.

B. Enable SID history.

C. Configure forest-wide authentication.

D. Instruct the users to log on by using a user principal name (UPN).




The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the domains in thetrusting forest.http://technet.microsoft.com/en-us/library/cc785875(v=ws.10).aspx

QUESTION 212Your network contains two servers named Server1 and Server2 that run Windows Server 2012

R2. Both servers have the Hyper-V server role installed.

The servers have the hardware configurations shown in the following table.


Server1 hosts five virtual machines that run Windows Server 2012 R2.

You need to move the virtual machines from Server1 to Server2.

The solution must minimize downtime.

What should you do for each virtual machine?

A. Export the virtual machines from Server1 and import the virtual machines to Server2.

B. Perform a live migration.

C. Perform a quick migration.

D. Perform a storage migration.



None of these migration options will work between different Processors ( AMD/Intel).The only optionremaining is to export and re-import the VMs


QUESTION 213Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists foreach office.

All domain controllers run Windows Server 2012 R2.

The domain contains two domain controllers.

DC1 hosts an Active Directory- integrated zone for contoso.com.

You add the DNS Server server role to DC2.

You discover that the contoso.com DNS zone fails to replicate to DC2.

You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.

You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.


A. Dnscmd

B. Dnslint

C. Repadmin

D. Ntdsutil

E. DNS Manager

F. Active Directory Sites and Services

G. Active Directory Domains and Trusts

H. Active Directory Users and Computers

Correct Answer: FSection: Volume CExplanation

Explanation/Reference:Explanation:If you see questions about AD Replication, first preference is AD sites and services, then Repadmin and then DNSLINT.

References:https://technet.microsoft.com/en-us/library/cc739941(v=ws.10).aspx


QUESTION 214Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 and a domain controller named DC1. Allservers run Windows Server 2012 R2. A Group Policy object (GPO) named GPO1 is linked to the domain.

Server1 contains a folder named Folder1. Folder1 is shared as Share1.

You need to ensure that authenticated users can request assistance when they are denied access to the resources on Server1.

Which two actions should you perform? (Each correct answer presents part of the solution. (Choose two.)

A. Assignthe Read Attributes NTFS permission on Folder1 to the Authenticated Users group.

B. Install the File Server Resource Manager role service on Server1.

C. Configure the Customize message for Access Denied errors policy setting of GPO1.

D. Enable the Enableaccess-denied assistance on client for all file types policy setting for GPO1.

E. Install the File Server Resource Manager role service on DC1.

Correct Answer: BDSection: Volume CExplanation


http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1

QUESTION 215Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2008 R2. The domain contains a file servernamed Server6 that runs Windows Server 2012 R2. Server6 contains a folder named Folder1. Folder1 is shared as Share1.The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)


The domain contains two global groups named Group1 and Group2.

You need to ensure that only users who are members of both Group1 and Group2 are denied access to Folder1.


Which two actions should you perform? (Each correct answer presents part of the solution. (Choose two.)

A. Remove the Deny permission for Group1 from Folder1.

B. Deny Group2 permission to Folder1.

C. Install a domain controller that runs Windows Server 2012 R2.

D. Create a conditional expression.

E. Deny Group2 permission to Share1.

F. Deny Group1 permission to Share1.

Correct Answer: CDSection: Volume CExplanation


* Conditional Expressions for Permission Entries Windows Server 2008 R2 and Windows 7enhanced Windows security descriptors by introducing a conditionalaccess permissionentry.Windows Server 2012 R2 takes advantage of conditional access permission entries by inserting user claims, device claims, and resource properties, intoconditional expressions. Windows Server 2012 R2 security evaluates these expressions and allows ordenies access based on results of the evaluation. Securingaccess to resources through claims is known as claims-based access control.Claims-based access control works with traditional access control to provide an additional layer of authorization that is flexible to the varying needs of the enterpriseenvironment.References:http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamicaccess-control-en-us.aspx

QUESTION 216Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 have the Hyper-V server role installed.

Server1 and Server2 are configured as Hyper-V replicas of each other.

Server1 hosts a virtual machine named VM1. VM1 is replicated to Server2.

You need to verify whether the replica of VM1 on Server2 is functional.

The solution must ensure that VM1 remains accessible to clients.

What should you do from Hyper-V Manager?


A. On Server1, execute a Planned Failover.

B. On Server1, execute a Test Failover.

C. On Server2, execute a Planned Failover.

D. On Server2,execute a Test Failover.




References:http://blogs.technet.com/b/virtualization/archive/2012/07/26/types-of-failover-operations-in-hyper-v-replica.aspx

QUESTION 217You have a test server named Server1 that is configured to dual-boot between Windows Server 2008 R2 and Windows Server 2012 R2.

You start Server1 and you discover that the boot entry for Windows Server 2008 R2 no longer appears on the boot menu.


You start Windows Server 2012 R2 on Server1 and you discover the disk configurations shown in the following table.

You need to restore the Windows Server 2008 R2 boot entry on Server1.

What should you do?

A. Run bcdedit.exe and specify the /createstore parameter.

B. Run bootrec.exe and specify the /scanos parameter.

C. Run bcdboot.exe d:\windows.

D. Run bootrec.exe and specify the /rebuildbcd parameter.


Explanation/Reference:Explanation:Bootrec.exe tool to troubleshoot "Bootmgr Is Missing" issue. The /ScanOs option scans all disks for installations that are compatible with Windows Vista orWindows 7.Additionally, this option displays the entries that are currently not in the BCD store.Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.


Incorrect Answers:A: BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores,adding boot menu options, /Createstore Creates a new empty boot configuration data store.The created store is not a system store.

B: Bootrec.exe tool to troubleshoot "Bootmgr Is Missing" issue. The /ScanOs option scans all disks for installations that are compatible with Windows Vista orWindows 7.Additionally, this option displays the entries that are currently not in the BCD store.Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.

References:https://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspxhttp://support.microsoft.com/kb/927392/en-us

QUESTION 218You have a DHCP server named Server1.

Server1 has one network adapter. Server1 is located on a subnet named Subnet1.

Server1 has scope named Scope1. Scope1 contains IP addresses for the 192.168.1.0/24 network.

Your company is migrating the IP addresses on Subnet1 to use a network ID of 10.10.0.0/16.

On Server1 you create a scope named Scope2.

Scope2 contains IP addresses for the 10.10.0.0/16 network.


You need to ensure that clients on Subnet1 can receive IP addresses from either scope.

What should you create on Server1?

A. A multicast scope

B. A scope

C. A superscope

D. A split-scope


Explanation/Reference:Explanation:A superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP) servers running Windows Server 2008 that you can create and manageby using the DHCP Microsoft Management Console (MMC) snap-in.By using a superscope, you can group multiple scopes as a single administrative entity.

Incorrect Answers:A: Multicasting is the sending of network traffic to a group of endpoints destination hosts. Only those members in the group of endpoints hosts that are listening forthe multicast traffic (the multicast group) process the multicast trafficB: A scope is an administrative grouping of IP addresses for computers on a subnet that use the Dynamic Host Configuration Protocol (DHCP) service. Theadministrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients.


References:https://technet.microsoft.com/en-us/library/dd759152.aspxhttps://technet.microsoft.com/en-us/library/dd759218.aspxhttps://technet.microsoft.com/en-us/library/dd759168.aspx

QUESTION 219Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2.On Dc1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)

You need to change the zone type of the contoso.com zone from an Active Directory-integrated zone to a standard primary zone.

What should you do before you change the zone type?

A. Unsign the zone.

B. Modify the Zone Signing Key (ZSK).

C. Modify the Key Signing Key (KSK).

D. Change the Key Master.



Explanation/Reference:Explanation:A. Lock icon indicating that it is currently signed with DNSSEC, zone must be unsigned.


Incorrect Answers:B. An authentication key that corresponds to a private key used to sign a zone.C. The KSK is an authentication key that corresponds to a private key used to sign one or more other signing keys for a given zone.Typically, the private key corresponding to a KSK will sign a ZSK, which in turn has a corresponding private key that will sign other zone data.

References:https://technet.microsoft.com/en-us/library/hh831411.aspxhttps://technet.microsoft.com/en-us/library/ee649132(v=ws.10).aspx

QUESTION 220Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server2012 R2. Server1 has the IP Address Management (IPAM) Server feature installed. Server2 has the DHCP Server server role installed. A user named User1 is amember of the IPAM Users group on Server1.

You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2.

The solution must minimize the number of permissions assigned to User1.

To which group should you add User1?

A. DHCP Administrators on Server2

B. IPAM ASM Administrators on Server1

C. IPAMUG in Active Directory

D. IPAM MSM Administrators on Server1



The user need rights to change DHCP not IPAMC. Members ofthe DHCP Administrators group can view and modify any data at the DHCP server.

References:https://technet.microsoft.com/en-us/library/jj878348.aspxhttps://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx

QUESTION 221You have a server named DC2 that runs Windows Server 2012 R2. DC2 contains a DNS zone named adatum.com. The adatum.com zone is shown in the exhibit.


(Click the Exhibit button.)

You need to configure DNS clients to perform DNSSEC validation for the adatum.com DNS domain.What should you configure?

A. The Network Location settings

B. A Name Resolution Policy

C. The DNS Client settings

D. The Network Connection settings



Explanation/Reference:Explanation:The NameResolutionPolicy Table (NRPT) is a table that contains rules you can configure to specify DNS settings or special behavior for names or namespaces.The NRPT can be configured using Group Policy or by using the Windows Registry.

Incorrect Answers:


C: Client component that resolves and caches Domain Name System (DNS) domain names. When the DNS Client service receives a request to resolve a DNSname that it does not contain in its cache, it queries an assigned DNS server for an IP address for the nameD: Network connections make it possible for computers to access resources on the network and the internet

References:https://technet.microsoft.com/en-us/library/hh831411.aspx#config_client1


The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the DHCP Server server role installed.

Server2 has the Hyper-V server role installed. Server2 has an IP address of 192.168.10.50. Server1 has a scope named Scope1 for the 192.168.10.0/24 network.

You plan to deploy 20 virtual machines on Server2 that will be connected to the external network.

The MAC addresses for the virtual machines will begin with 00-15-SD-83-03.

You need to configure Server1 to offer the virtual machines IP addresses from 192.168.10.200 to 192.168.10.219.

Physical computers on the network must be offered IP addresses outside this range.

You want to achieve this goal by using the minimum amount of administrative effort.

What should you do from the DHCP console?

A. Create reservations.

B. Create a policy.

C. Delete Scope1 and create two new scopes.

D. Configure Allow filters and Deny filters.


Explanation/Reference:Explanation:Policy based assignment allows the policy to be scoped to a MAC address and IP range

Incorrect Answers:A. With client reservations, it is possible to reserve a specific IP address for permanent use by a DHCP client. A new feature in Windows Server 2012 R2 called


policy based assignment allows for even greater flexibility.

D. A DHCP server offers its services to the DHCP clients based on the availability of MAC address filtering.Once the Allow filter is set, all DHCP operations are based on the access controls (allow/deny).

References:http://blogs.technet.com/b/teamdhcp/archive/2012/08/22/granular-dhcp-serveradministration-using-dhcppolicies-in-windows-server-2012.aspxhttps://technet.microsoft.com/en-us/library/hh831538.aspxhttps://technet.microsoft.com/en-us/library/ee405265(v=ws.10).aspx

QUESTION 223HOTSPOT

Your network contains one Active Directory forest named adatum.com. The forest contains a single domain.

The site topology for the forest is shown in the exhibit. (Click the Exhibit button.)

Each site contains one domain controller.

You need to ensure that replication between Site2 and Site4 occurs in 15 minutes or less.

What command should you run? To answer, select the appropriate options in the answer area.

Hot Area:


Correct Answer:


Explanation/Reference:References:https://technet.microsoft.com/en-us/library/hh852320(v=wps.630).aspxhttps://technet.microsoft.com/en-us/library/cc753764(v=ws.10).aspx


QUESTION 224HOTSPOT

Your network contains one active directory domain.

The domain contains the servers configured as shown in the following table:

Server1 has the zones shown in the following table:

Server3 has the following output:

Use the drop-down list to select the answer choice that completes each assignment.

Hot Area:


Correct Answer:




QUESTION 225Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest isWindows Server 2003.


The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server 2008 R2. The functional level of the domain isWindows Server 2008.

The fabrikam.com domain contains domain controllers that run either Windows Server 2003 or Windows Server 2008. The functional level of the domain isWindows Server 2003.

The contoso.com domain contains a member server named Server1 that runs Windows Server 2012 R2. You install the Active Directory Domain Services serverrole on Server1.

You need to add Server1 as a new domain controller in the contoso.com domain.

What should you do?


A. Run the Active Directory Domain Services Configuration Wizard.

B. Run adprep.exe /domainprep, and then run dcpromo.exe.

C. Raise the functional level of the forest, and then run dcprorno.exe.

D. Modify the Computer Name/Domain Changes properties.


Explanation/Reference:Explanation:Windows Server2012 R2 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012R2 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher.



References:http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windowsserver-2012-domaincontroller.aspxhttps://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/jj574134.aspx

QUESTION 226Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com.

The forest functional level is Windows 2000.

The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server 2008 R2.


The domain functional level is Windows Server 2008.

The fabrikam.com domain contains domain controllers that run either Windows 2000 Server or Windows Server 2003.

The domain functional level is Windows 2000 native.

The contoso.com domain contains a member server named Server1 that runs Windows Server 2012 R2.

You need to add Server1 as a new domain controller in the contoso.com domain.


A. Raise the functional level of the contoso.com domainto Windows Server 2008 R2.

B. Upgrade the domain controllers that run Windows Server 2008 to Windows Server 2008 R2.

C. Raise the functional level of the fabrikam.com domain to Windows Server 2003.

D. Decommission the domain controllers that run Windows 2000.

E. Raise the forest functional level to Windows Server 2003.


Explanation/Reference:Explanation:Server 2003 is the minimum Domain Functional level for any domain in the forest Windows Server2012 R2 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 R2 to an existingActive Directory forest, the forest functional level must be Windows Server 2003 or higher.


References:https://technet.microsoft.com/en-us/library/cc771294.aspx

QUESTION 227Your network contains an Active Directory domain named adatum.com.

The domain contains four servers. The servers are configured as shown in the following table.


You plan to deploy an enterprise certification authority (CA) on a server named Server5. Server5 will be used to issue certificates to domain-joined computers andworkgroup computers.

You need to identify which server you must use as the certificate revocation list (CRL) distribution point for Server5.

Which server should you identify?

A. Server 3

B. Server 2

C. Server 4

D. Server 1


Explanation/Reference:Explanation:We cannot use AD DS because workgroup computers must access CRL distribution point


Incorrect Answers:B: We cannot use FileShare because workgroup computers must access CRL distribution pointC: Public facing web server can be usedD: AD DS, Web & File Share only

References:https://technet.microsoft.com/en-us/library/cc771079.aspx

QUESTION 228You have a server named Server1 that has the Active Directory Certificate Services server role installed. Server1 uses a hardware security module (HSM) to protectthe private key of Server1.

You need to ensure that the Active Directory Certificate Services (AD CS) database, log files, and private key are backed up.

You perform regular backups of the HSM module by using a backup utility provided by the HSM manufacturer.

What else should you do?

A. Run the certutil.execommand and specify the -backupkey parameter.

B. Run the certutil.exe command and specify the -backupdb parameter.

C. Run the certutil.exe command and specify the -backup parameter.

D. Run the certutil.exe command and specify the -dump parameter.


Explanation/Reference:Explanation:Backup the Active Directory Certificate Services database


Incorrect Answers:A: Backup the Active Directory Certificate Services certificate and private keyC: Backup Active Directory Certificate ServicesD: Dump configuration information or files

References:https://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupKeyhttps://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupDBhttps://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backuphttps://technet.microsoft.com/library/cc732443.aspx#BKMK_dump

QUESTION 229HOTSPOT

Your network contains an Active Directory domain named adatum.com. All servers run Windows Server 2012 R2. All domain controllers have the DNS Serverserver role installed.

You have a domain controller named DC1. On DC1, you create an Active Directory-integrated zone named adatum.com and you sign the zone by using DNSSEC.

You deploy a new read-only domain controller (RODC) named R0DC1.

You need to ensure that the contoso.com zone replicates to R0DC1.

What should you configure on DC1? To answer, select the appropriate tab in the answer area.

Hot Area:


Correct Answer:





For additional servers to host a zone, zone transfers are required to replicate and synchronize all copies of the zone used at each server configured to host thezone.

References:https://technet.microsoft.com/en-us/library/cc781340(v=ws.10).aspx


QUESTION 230Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest contains three Active Directory sites namedSiteA, SiteB, and SiteC.

The sites contain four domain controllers.


An IP site link exits between each site.

You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB.

You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the domain controllers in SiteB are unavailable.

What should you do?

A. Create a site link bridge.

B. Create additional connection objects for DC3 and DC4.

C. Create additional connection objects for DC1 and DC2.

D. Increase the cost of the site link between SiteA and SiteC.




References: https://technet.microsoft.com/en-us/library/dd277430.aspx#XSLTsection126121120120

QUESTION 231You have a server named File1 that runs Windows Server 2012 R2. File1 has the File Server role service installed.

You plan to back up all shared folders by using Windows Azure Online Backup.

You download and install the Windows Azure Online Backup Service Agent on File1.

You need to ensure that you use Windows Server Backup to back up data to Windows Azure Online Backup.

What should you do?

A. From Computer Management, add the File1 computer account to the Backup Operators group.

B. From the Services console, modify the Log On settings ofthe Windows Azure Online BackupService Agent.

C. From Windows Server Backup, run the Register Server Wizard.

D. From a command prompt, run wbadmin.exe enable backup.

Correct Answer: CSection: Volume C


Explanation




References:http://blogs.technet.com/b/windowsserver/archive/2012/03/28/microsoft-online-backupservice.aspx

QUESTION 232Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists foreach office. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers.


DC1 hosts an Active Directory-integrated zone for contoso.com.






A. Ntdsutil

B. Repadmin

C. Dnslint

D. Active Directory Domains and Trusts

Correct Answer: BSection: Volume C


Explanation

Explanation/Reference:Explanation:If you see questions about AD Replication, First preference is AD sites and services, then Repadmin and then DNSLINT.

QUESTION 233You have a file server named FS1 that runs Windows Server 8.

Data Deduplication is enabled on FS1.You need to configure Data Deduplication to run at a normal priority from 20:00 to 06:00 daily.


A. File and Storage Services in Server Manager

B. The Data Deduplication process in Task Manager

C. Disk Management in Computer Management

D. The properties of drive C


Explanation/Reference:Explanation:In Windows Server 2012 R2, deduplication can be enabled locally or remotely by using Windows PowerShell or Server Manager.



QUESTION 234HOTSPOTYour company has a main office and a branch office. An Active Directory site exists for each office. The network contains an Active Directory forest namedcontoso.com.

The contoso.com domain contains three member servers named Server1, Server2, and Server3.All servers run Windows Server 2012 R2.



In the branch office, you configure Server2 and Server3 as BranchCache hosted cache servers.

You are creating a Group Policy for the branch office site. In the branch office, you need to configure the client computers that run Windows B to use Server2 andServer3 as BranchCache.

Hot Area:

Correct Answer:




References:https://technet.microsoft.com/en-us/library/ee649153(v=ws.10).aspx


http://blogs.technet.com/b/wsnetdoc/archive/2012/06/01/highlighting-branchcache-hosted-cache-mode-in-windows-server-2012.aspx

QUESTION 235Your network contains two Active Directory forests named contoso.com and fabrikam.com.

A two- way forest trust exists between the forests.

The contoso.com forest contains an enterprise certification authority (CA) named CAl.

You implement cross-forest certificate enrollment between the contoso.com forest and the fabrikam.com forest. On CA1, you create a new certificate templatenamed Template1.

You need to ensure that users in the fabrikam.com forest can request certificates that are based on Template1.


A. Sync-ADObject

B. Pkiview.msc

C. CertificateServices.ps1

D. Certutil

E. PKISync.ps1


Explanation/Reference:Explanation:E. PKISync.ps1 copies objects in the source forest to the target forest


Incorrect Answers:A: Replicates a single object between any two domain controllers that have partitions in common.B: Monitoring and troubleshooting the health of all certification authorities (CAs) in a public key infrastructure (PKI) are essential administrative tasks facilitated bythe Enterprise PKI snap-in.D: use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components,and verify certificates, key pairs, and certificate chains.

References:https://technet.microsoft.com/en-us/library/hh852296.aspxhttps://technet.microsoft.com/en-us/library/cc732261(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/ff955845(v=ws.10).aspx



The domain contains a main office and a branch office.

An Active Directory site exists for each office.

All domain controllers run Windows Server 2012 R2.

The domain contains two domain controllers.


DC1 hosts an Active Directory-integrated zone for contoso.com.






A. Dnslint

B. A DNS Manager

C. Active Directory Users and Computers

D. Dnscmd

Correct Answer: A



Explanation/Reference:Explanation:Note: If you see questions about AD Replication, first preference is AD sites and services, then Repadmin and then DNSLINT.


Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.

You have a Password Settings object (PSOs) named PSO1.

You need to view the settings of PSO1.


A. Get-ADDomainControllerPasswordReplicationPolicy

B. Get-ADDefaultDomainPasswordPolicy

C. Server Manager

D. Get-ADFineGrainedPasswordPolicy


Explanation/Reference:Explanation:D. Gets one or more Active Directory fine grained password policies.

Incorrect Answers:A: Gets the members of the allowed list or denied list of a read-only domain controller's password replication policyB: Gets the default password policy for an Active Directory domain.C: PSO's managed from AD AC or PowerShell Only

References:https://technet.microsoft.com/en-us/library/ee617207.aspxhttps://technet.microsoft.com/en-us/library/ee617244.aspxhttps://technet.microsoft.com/en-us/library/ee617231.aspx


QUESTION 238Your network contains two Active Directory forests named contoso.com and adatum.com.

Both forests contain multiple domains. All domain controllers run Windows Server 2012 R2.

Contoso.com has a one-way forest trust to adatum.com. A domain named paris.eu.contoso.com hosts several legacy applications that use NTLM authentication.Users in a domain named london.europe.adatum.com report that it takes a long time to be authenticated when they attempt to access the legacy applicationshosted in paris.eu.contoso.com.

You need to reduce how long it takes for the london.europe.adatum.com users to be authenticated in paris.eu.contoso.com.

What should you do?

A. Create a shortcut trust.

B. Create an external trust between the forest root domains.

C. Disable SID filtering on the existing trust.

D. Create an external trust.


Explanation/Reference:Explanation:Shortcut trusts are one-way or two-way, transitive trusts that can be used when administrators need to optimize the authentication process. Authentication requestsmust first travel a trust path between domain trees, and in a complex forest this can take time, which can be reduced with shortcut trusts.


Incorrect Answers:B: Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a foresttrust.C: Filters users or SIDs from one domainD: Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate forest that is not joined by a foresttrust

References:https://technet.microsoft.com/en-us/library/cc737939(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/cc775736(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx

QUESTION 239You have a file server named Server1 that runs Windows Server 2012 R2.

Data Deduplication is enabled on drive D of Server1.


You need to exclude D:\Folder1 from Data Deduplication.


A. Disk Management in Computer Management

B. File and Storage Services in Server Manager

C. the classification rules in File Server Resource Manager (FSRM)

D. the properties of D:\Folder1


Explanation/Reference:Explanation:Data deduplication exclusion on a Volume are set from File & Storage Services, Server Manager or PowerShell



QUESTION 240You manage an environment that has many servers.

The servers run Windows Server 2012 R2 and use iSCSI storage.

Administrators report that it is difficult to locate available iSCSI resources on the network.

You need to ensure that the administrators can locate iSCSI resources on the network by using a central repository.

Which feature should you deploy?



A. The iSCSI Target Server role service

B. The iSNS Server service feature

C. The Windows Standards-Based Storage Management feature

D. The iSCSI Target Storage Provider feature


Explanation/Reference:Explanation:Incorrect Answers:A: iSNS facilitates automated discovery, management, and configuration of iSCSI and Fibre Channel devices (using iFCP gateways) on a TCP/IP network.C: Windows Server 2012 R2 enables storage management that is comprehensive and fully scriptable, and administrators can manage it remotelyD: iSCSI Target Server enables you to network boot multiple computers from a single operating system image that is stored in a centralized location

References:https://technet.microsoft.com/en-us/library/cc772568.aspxhttps://technet.microsoft.com/en-us/library/hh831751.aspxhttps://technet.microsoft.com/en-us/library/dn305893.aspx


The network contains a file server named Server1 that runs Windows Server 2012 R2.

You create a folder named Folder1.

You share Folder1 as Share1. The NTFS permissions on Folder1 are shown in the Folder1 exhibit. (Click the Exhibit button.)


The Everyone group has the Full control Share permission to Folder1.

You configure a central access policy as shown in the Central Access Policy exhibit. (Click the Exhibit button.)


Members of the IT group report that they cannot modify the files in Folder1.

You need to ensure that the IT group members can modify the files in Folder1.

The solution must use central access policies to control the permissions.

Which two actions should you perform? (Each correct answer presents part of the solution.

(Choose two.)


A. On the Classification tab of Folder1, set the classification to Information Technology.

B. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group.

C. On Share1, assign the Change Share permission to the IT group.

D. On the Security tab of Folder1, remove the permission entry for the IT group.

E. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group.

Correct Answer: AESection: Volume CExplanation

Explanation/Reference:Explanation:Central access policies for files enable organizations to centrally deploy and manage authorization policies that include conditional expressions that use usergroups, user claims, device claims, and resource properties.(Claims are assertions about the attributes of the object with which they are associated).For example, to access high-business-impact (HBI) data, a user must be a full-time employee, obtain access from a managed device, and log on with a smart card.These policies are defined and hosted in Active Directory Domain Services (AD DS).





QUESTION 242You have a server named File1 that runs Windows Server 2012 R2.

File1 has the File Server role service installed.

You plan to back up all shared folders by using Microsoft Online Backup.

You download and install the Microsoft Online Backup Service Agent on File1.

You need to ensure that you use Windows Server Backup to back up data to Microsoft Online Backup.

What should you do?

A. From Computer Management, add the File1 computer account to the Backup Operators group.

B. From Windows Server Backup, run the Register Server Wizard.

C. From acommand prompt, run wbadmin.exe enable backup.

D. From the Services console, modify the Log On settings of the Microsoft Online Backup Service Agent.


Explanation/Reference:Explanation:To register a server for use with Windows Azure Backup you must run the register server wizard

Incorrect Answers:A: Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.



You are creating a custom Windows Recovery Environment (Windows RE) image.


You need to ensure that when a server starts from the custom Windows RE image, a drive is mapped automatically to a network share.

What should you modify in the image?

A. startnet.cmd

B. Xsl-mApp1ngs.xml

C. Win.ini

D. smb.types.ps1xml



The best way to define what to start is using starnet.cmd

http://technet.microsoft.com/en-us/library/cc766521(v=ws.10).aspx

QUESTION 244You have a file server named Server1 that runs a Server Core Installation of Windows Server 2012 R2.

You need to ensure that users can access previous versions of files that are shared on Server1 by using the Previous Versions tab.



A. Diskpart

B. Wbadmin

C. Vssadmin

D. Storrept


Explanation/Reference:Explanation:The storrept command is installed with File Server Resource Manager and includes subcommands for creating and managing storage reports and storage reporttasks, as well as for configuring general administrative options for File Server Resource Manager.

Incorrect Answers:A: Enables you to back up and restore your operating system, volumes, files, folders, and applications from a command prompt.B: DiskPart is a text-mode command interpreter that enables you to manage objects (disks, partitions, volumes, or virtual hard disks) by using scripts or direct inputfrom a command prompt.D: Displays current volume shadow copy backups and all installed shadow copy writers and providers. To view the command syntax for any of the commands in thefollowing table, click the command name.

References:


https://technet.microsoft.com/en-us/library/cc754015(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/cc770877(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/cc753567(v=ws.10).aspxhttps://technet.microsoft.com/en-us/library/cc754968.aspx

QUESTION 245You have a server named Server 1 that runs Windows Server 2012 R2. Server1 has five network adapters. Three of the network adapters are connected to anetwork named LAN1.

The two other network adapters are connectedto a network named LAN2.

You create a network adapter team named Team1 from two of the adapters connected to LAN1.

You create a network adapter team named Team2 from the two adapters connected to LAN2.

A company policy states that all server IP addresses must be assigned by using a reserved address in DHCP.

You need to identify how many DHCP reservations you must create for Server1.

How many reservations should you identify?

A. 2

B. 3

C. 5

D. 7


Explanation/Reference:Explanation:3 adapter on LAN 12 adapters on LAN 22 adapterson LAN 1 used in ateam, so that's 3 - 2 leaving 1.2 adapaters on LAN 2 used in a team, so that's 2 - 2 leaving 0.1 team on LAN 1 + 1 team on LAN 2 + remaining adapter on LAN 1 = 3.



The domain contains a server named Server1 that runs Windows Server 2012 R2.

Server1 has the IP Address Management (IPAM) Server feature installed.

IPAM is configured currently for Group Policy-based provisioning.

You need to change the IPAM provisioning method on Server1.

What should you do?

A. Run the ipamgc.exe command.

B. Run the Set-IPAMConfiguration cmdlet.

C. Reinstall the IP Address Management (IPAM) Server feature.

D. Delete IPAM Group Policy objects (GPOs) from the domain.



You cannot change the provisioning method after completing the initial setup.


QUESTION 247You are employee as a network administrator at abc.com. ABC.com has an active directory domain named ABC.com All servers on the abc.com network haveWindows Server 2012 R2 installed and all workstations have windows 8 enterprise installed. ABC.com has established a remote Active directory site that only hostworkstations. The Computer accounts for these workstations have been placed in an organizational unit (OU), named ABCAD Remote, which has a group policyobject (GPO) associated with it.

You are in the process of configuration Branchcahce for the remote Active directory site.

You have Already turned Branchcache on.

Which of the following actions should you take next_?

A. You Should consider having the set Branchcache HostedServer Cache mode setting configured.

B. You Should consider having the set Branchcache Hostedclient Cache mode setting configured

C. You Should consider having the set Branchcache distributed cache mode setting configured

D. You should consider having the set BranchCache disabled cache mode settings configured




QUESTION 248You are employed as a network administrator at ABC.com. ABC.com has an active directory domain named ABC.com. ALL servers on the ABC.com network haveWindows Server 2012 R2.

ABC.com has a server, named server 1, which runs the windows deployment services server role.

You make use of windows server backup to back up server 1. Subsequent to a disk array on server1 becoming corrupt, you swap the disk array with new hardware.

You now need to recover server1 in the shortest time conceivable.

Which of the following actions should you take?

A. you should considermaking use of the Windows Server 2012 R2 installation media to start server1

B. you should consider restoring server1 from a snapshot backup

C. you should consider restoring server 1 from an incremental backup

D. you should consider restoring server 1 froma differential backup



QUESTION 249You are employed as a senior network administrator at ABC.com. ABC.com has an active directory domain named ABC.com. All servers on the abc.com networkwindows server2012 installed.

You are currently running a training exercise for junior network administrators.

You are discussing the PKISync.ps1 tool.

Which of the following is true with regards to The PKISync.ps1?

A. it adds a certificate template to the CA


B. it assists administrators in diagnosing replication problems between windows domain controllers

C. it is used to display information about the digital certificates that are installed on a direct Access client, Direct Access server, or intranet resource

D. it copies objects in the source forest to the target forest.



QUESTION 250You are employed as a network administrator ABC.com.

ABC.com has an active directory domain named ABC.com.

All servers on the ABC.com network have Windows Server 2012 R2 installed.

ABC.com has a server named server1 which is configured as a DHCP server.You have created a superscope on server1.

Which of the following describes reason for creating a superscope?(choose all that apply.)

A. To support DHCP clients on a singlephysical network segment where multiple logical ip networks are used.

B. To allow for the sending of network traffic to a group of endpoints destination hosts.

C. To support remote DHCP clients located on the far side of DHCP and BOOTP relay agents.

D. Toprovide fault tolerance.



http://technet.microsoft.com/en-us/library/cc757614(v=ws.10).aspx

QUESTION 251You are employed as a network administrator at ABC.com. ABC.com has an active directory domain named ABC.com all servers including domain controllers onthe ABC.com network have Windows Server 2012 R2 installed. ABC.com has its headquarters in London and an office in Paris.


The London Office has a domain controller named server1, which is configured as a writeable domain controller that servers as a Global catalog server and a DNSserver.

Server1 is configured to host an Active Directory-integrated zone for ABC.com

The Paris office has a Read-Only domain controller (RODC) named server2 which servers as a Global catalog server. After installing the DNS server role onserver2, you want to make sure that the ABC.com zone is replicated to server2 via active directory replication.

Which of the following actions should you take?

A. You should consider making use of Active Directory Sites and Services to Configured replication

B. You should consider making use of replmon.exe to configure replication.

C. You should consider making use of repadmin.exe to configure replication

D. You should consider making use of Active DirectorySchema To configure replication



QUESTION 252You are employed as a network administrator at ABC.com.

ABC.com has an Active Directory domain named.

ABC.com all servers on the ABC.com network have Windows Server 2012 R2.

You are running a training exercise for junior network administrators.

You are currently discussing DHCP failover architecture.

You have informed the trainees that DHCP servers can be deployed as fail over partners in either hot standby mode or load sharing mode.

Which of the following is TRUE with regards to hot standby mode? (Choose all that apply)

A. It is when two servers function in a fail over relationship where an active server is responsible for leasing IP address and configuration datato all clientsin ascope or subnet


B. It when two servers in a fail over relationship server IP addresses and options to clients on a given subnet at the same time

C. It is best suited to deployments where a data center server acts as a standby backup server to a serverat a remote site

D. It is best suited deployments where both servers in a fail over relationship are located at the same physical site



http://blogs.technet.com/b/teamdhcp/archive/2012/09/03/dhcp-failover-hot-standby-mode.aspx

QUESTION 253You are employed as a network administrator at ABC.com Abc.com has an Active directory domain named ABC.com all servers on the ABC.com network haveWindows Server 2012 R2.

The ABC.com domain has two Active Directory sites configured.

You want to make use of change notification configure replication between these Active Directory Sites.

You have opened DEFAULTIPSITELINK Properties to configure the necessary attribute.Which of the following is the attribute that needs to be configured?

A. The revision attribute

B. The Options attribute

C. The schedule attribute

D. The proxyAddresses attribute



QUESTION 254Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains twoorganizational units (OUs) named OU1 and OU2 in the root of the domain. Two Group Policy objects (GPOs) named GPO1 and GPO2 are created. GPO1 is linkedto OU1. GPO2 is linked to OU2.


OU1 contains a client computer named Computer1. OU2 contains a user named User1.

You need to ensure that the GPOs Applied to Computer1areApplied to User1 when User1 logs on.


A. Item-level targeting

B. Block Inheritance

C. GPO links

D. The Enforced setting




The domain contains client computers that run either Windows XP, Windows 7, or Windows 8.

Network Policy Server (NPS) is deployed to the domain.

You plan to create a system health validator (SHV).

You need to identify which policy settings can be Applied to all of the computers.

Which three policy settings should you identify? (Each correct answer presents part of the solution.

Choose three.)

A. A firewall is enabled for all network connections.

B. An antispyware application is on.

C. Automatic updating is enabled.

D. Antivirus is up to date.

E. Antispyware is up to date.


Correct Answer: ACDSection: Volume CExplanation


* System health agent (SHA) is a NAP component.* System health agent (SHA)A component that checks the state of the client computer to determinewhether the settings monitored by the SHA are up-to-date and configured correctly.For example, the Windows Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is installed, enabled, and updated, whetherantispyware software is installed, enabled, and updated, and whether Microsoft Update Services is enabled and the computer has the most recent security updatesfrom Microsoft Update Services.There might also be SHAs (and corresponding system health validators) available from other companies that provide different functionality.

QUESTION 256Your network contains a Hyper-V host named Server1 that hosts 20 virtual machines.

You need to view the amount of memory resources and processor resources each virtual machine uses currently.

Which tool should you use on Server1?

A. Hyper-V Manager

B. Windows System Resource Manager (WSRM)

C. Task Manager

D. Resource Monitor



You get it from the Hyper-V Manager



You create a Data Collector Set (DCS) named DCS1.

You need to configure DCS1 to log data to D:\logs.

What should you do?

A. Right-click DCS1 and click Data Manager...

B. Right-click DCS1 and click SaveTemplate...

C. Right-click DCS1 and click Properties.

D. Right-click DCS1 and click Export list...



It is under the Directory tab from the DCS properties.

http://technet.microsoft.com/en-us/library/cc749267.aspx



All servers run Windows Server 2012 R2. The domain contains a server named Server1.

You open Review Options in the Active Directory Domain Services Configuration Wizard, and then you click View script.

You need to ensure that you can use the script to promote Server1 to a domain controller.

Which file extension should you use to save the script?

A. .xml

B. .ps1

C. .bat

D. .cmd



The View Script button is used toview the corresponding PowerShell script The PowerShellscript extension is .ps1, The Answer could logically be either a .cmd fileor a .bat file.According to http://www.fileinfo.com/:PAL - Settings file created by Corel Painter or Palette of colors usedby Dr. Halo bitmap images BAT - DOS batch file used toexecute commands with the WindowsCommand Prompt (cmd.exe); contains a series of line commands that typically might be entered at the DOS command prompt; most commonly used to startprograms and run maintenance utilities within Windows.XML - XML (Extensible Markup Language) data file that uses tags to define objects and object attributes; formatted much like an .HTML document, but usescustom tags to define objects and the data within each object; can be thought of as a text-based database.CMD - Batch file that contains a series of commands executed in order; introduced with Windows NT, but can be run by DOS or Windows NT systems; similar to a.BAT file, but is run by CMD.EXE instead of COMMAND.COM.



QUESTION 259Your network contains an Active Directory domain named adatum.com.

You have a standard primary zone named adatum.com.

You need to provide a user named User1 the ability to modify records in the zone. Other users must be prevented from modifying records in the zone.


A. Run the Zone Signing Wizard for the zone.

B. From the properties of the zone, change the zone type.

C. Run the new Delegation Wizard for the zone.

D. From the properties of the zone, modify theStart Of Authority (SOA) record.




All domain controllers run Windows Server 2012. One of the domain controllers is named DC1.

The DNS zone for the contoso.com zone is Active Directory-integrated and has the default settings.

A server named Server1 is a DNS server that runs a UNIX-based operating system.

You plan to use Server1 as a secondary DNS server for the contoso.com zone.

You need to ensure that Server1 can host a secondary copy of the contoso.com zone.

Whatshould you do?

A. From Windows PowerShell, run the Set-DnsServerForwarder cmdlet and specify the contoso.com zone as a target.

B. From Windows PowerShell, run the Set-DnsServerSetting cmdlet and specify DC1 as a target.

C. From Windows PowerShell, run theSet-DnsServerPrimaryZone cmdlet and specify the contoso.com zone as a target.

D. From DNS Manager, modify the Advanced settings of DC1.




C. The Set-DnsServerSecondaryZone cmdletchanges settings for an existing secondary zone on aDomain Name System (DNS) server.http://technet.microsoft.com/en-us/library/jj649920(v=wps.620).aspx


The domain contains a member server named Server1. Server1 runs Windows Server 2012 R2 and has the Hyper-V server role installed. Server1 hosts 10 virtualmachines.

A virtual machine named VM1 runs Windows Server 2012 R2 and hosts a processor-intensive Application named App1. Users report that App1 responds moreslowly than expected.

You need to monitor the processor usage on VM1 to identify whether changes must be made to the hardware settings of VM1.

Which performance object should you monitor on Server1?


A. Hyper-V Hypervisor Logical Processor

B. Processor

C. Hyper-V Hypervisor Root Virtual Processor

D. Process

E. Hyper-V Hypervisor Virtual Processor





All user accounts reside in an organizational unit (OU) named OU1.

You create a Group Policy object (GPO) named GPO1.

You link GPO1 to OU1.

You configure the Group Policy preference of GPO1 to add a shortcut named Link1 to the desktop of each user.

You discover that when a user deletes Link1, the shortcut is removed permanently from the desktop.

You need to ensure that if a user deletes Link1, the shortcut is added to the desktop again.

What should you do?

A. Modify the Link1 shortcut preference of GPO1.

B. Enable loopback processing in GPO1.

C. Enforce GPO1.

D. Modify the Security Filtering settings of GPO1.



QUESTION 263Your network contains an Active Directory forest named contoso.com.

The forest contains two sites named Main and Branch.

The Main site contains 400 desktop computers and the Branch site contains 150 desktop computers. All of the desktop computers run Windows 8.

In Main, the network contains a member server named Server1 that runs Windows Server 2012.


You install the Windows Server Update Services server role on Server1.

You need to ensure that Windows updates obtained from Windows Server Update Services (WSUS) are the same for the computers in each site.

You want to achieve this goal by using the minimum amount of administrative effort.

What should you do?

A. From the Update Services console, create computer groups.

B. From the Update Services console, configure the Computers options.

C. From the Group Policy Management console, configure the Windows Update settings.

D. From the Group Policy Management console, configure the Windows Anytime Upgrade settings.

E. From the Update Services console, configure the Synchronization Schedule options.



Create one computer group for Main site and another group for Branch site.You can deploy Windows updates by computer group.


The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA).

All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card.

A user named User1 resigned and started to work for a competing company.

You need to prevent User1 immediately from logging on to any computer in the domain.

The solution must not prevent other users from logging on to the domain.



A. Active Directory Users and Computers

B. Active Directory Sites and Services

C. The Certificates snap-in

D. Server Manager


Explanation/Reference:Explanation:Disabling or enabling a user accountTo open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users andComputers.To open Active Directory Users and Computers in Windows Server 2012, click Start, type dsa.msc.In the console tree, click Users.In the details pane, right-click the user.Depending on the status of the account, do one of the following:To disable the account, click Disable Account.To enable the account, click Enable Account.

References: https://www.pcwdld.com/active-directory-users-computers-not-showing-administrative-tools

QUESTION 265Which security groups must a user account be a member of to modify the AD RMS SCP?(Choose two answers. Each answer forms part of a complete solution.)

A. Domain Admins

B. AD RMS Enterprise Administrators

C. Enterprise Admins

D. Cryptographic Operators.



QUESTION 266


Which of the following would you configure if you wanted to block computers running Windows 7 and earlier operating systems from consuming AD RMS-protectedcontent?

A. Trusted publishing domain

B. Trusted user domain

C. Exclusion policies

D. Super Users



QUESTION 267Which of the following must you back up or have a copy of to be able to ensure that you can restore an AD RMS cluster in the event that a single server hosting allAD RMS components suffers complete data loss? (Choose three answers.)

A. Cluster key password

B. Trusted publishing domain

C. Trusted user domain

D. AD RMS databases

Correct Answer: ABDSection: Volume CExplanation


QUESTION 268You want to enable key archiving on a CA.

You need to issue a certificate from a specific template to the user who will recover private keys.

Which certificate template will you use as the basis for this certificate?

A. Kerberos authentication


B. Code signing

C. OCSP response signing

D. Key recovery agent



QUESTION 269Which group policy item should you configure to enable automatic reenrollment of certificates?

A. Certificate Path Validation Settings

B. Certificate Services Client - Certificate Enrollment Policy

C. Certificate Services Client - Auto-Enrollment

D. Trusted Root Certification Authorities



QUESTION 270You need to ensure that clients will check at least every 30 minutes as to whether a certificate has been revoked. Which of the following should you configure toaccomplish this goal?

A. Key recovery agent

B. CRL publication interval

C. Delta CRL publication interval

D. Certificate templates.




QUESTION 271Which of the following revocation statuses can you change to alter the status of a certificate from revoked to valid?

A. Certificate Hold

B. CA Compromise

C. Key Compromise

D. Change Of Affiliation



QUESTION 272Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a hierarchy that could issue signing certificates to other CAs and whichwould be taken offline if not issuing, renewing, or revoking signing certificates?

A. Enterprise root

B. Enterprise subordinate

C. Standalone root

D. Standalone subordinate



QUESTION 273Which of the following CA types must be deployed on domain-joined computers?

A. Enterprise root

B. Enterprise subordinate


C. Standalone root

D. Standalone subordinate

Correct Answer: ABSection: Volume CExplanation


QUESTION 274Which permission should you assign on a CA to a group of users that you want to be able to respond to certificate requests but you do not want to provide themwith the ability to change CA security settings?

A. Read

B. Issue And Manage Certificates

C. Manage CA

D. Request Certificates



QUESTION 275Which permission should you assign on a CA to a group of users that you want to allow to alter the list of recovery agents?

A. Read

B. Issue And Manage Certificates

C. Manage CA

D. Request Certificates.




Explanation:

QUESTION 276You are configuring AD FS. Which server should you deploy on your organization's perimeter network?

A. Web application proxy

B. Relying-party server

C. Federation server

D. Claims-provider server



QUESTION 277The Wingtip Toys forest hosts a web application that users in the Tailspin Toys forest need to access. You are the system administrator at Tailspin Toys. A singlefederation server is present in each forest and you are configuring a federated trust.

Which of the following statements are true about the deployment solution? (Choose all that apply.)

A. The AD FS server in the Wingtip Toys forest will function as the claims-provider server.

B. The AD FS server in the Wingtip Toys forest willfunction as the relying-party server.

C. You need to configure a relying-party trust on the AD FS server in the Tailspin Toys forest.

D. You need to configure a claims-provider trust on the AD FS server in the Tailspin Toys forest.



QUESTION 278The Wingtip Toys forest hosts a web application that users in the Tailspin Toys forest need to access. You are the system administrator at Wingtip Toys. A singlefederation server is present in each forest and you are configuring a federated trust.Which of the following statements are true about the deployment solution? (Choose all that apply.)


A. The AD FS server in the Tailspin Toys forest will function as the claims-provider server.

B. The AD FS server in the Tailspin Toysforest will function as the relying-party server.

C. Configure a relying-party trust on the Wingtip Toys AD FS server.

D. Configure a claims-provider trust on the Wingtip Toys AD FS server.



QUESTION 279Which of the following authentication types must you enable to support Workplace Join?

A. Forms

B. Windows

C. Certificate

D. Device



QUESTION 280Which of the following is the minimum domain functional level required before you can promote a member server running Windows Server 2012 R2 so that itfunctions as a domain controller?

A. Windows Server 2003

B. Windows Server 2008

C. Windows Server 2008 R2

D. Windows Server 2012

Correct Answer: ASection: Volume C


Explanation


QUESTION 281You are considering adding a child domain to the dandenong.melbourne.victoria.australia.contoso.com domain tree.

Which of the following represents the maximum length in characters, including periods, of an Active Directory domain name?

A. 64 characters

B. 128 characters

C. 256 characters

D. 512 characters



QUESTION 282You are about to promote a server running the Windows Server 2012 R2 operating system to domain controller. The domain is currently running at the WindowsServer 2008 domain functional level. Your account is a member of the Domain Admins group.Which additional groups should your account be a member of to ensure that the environment is appropriately configured for this domain controller running WindowsServer 2012 R2? (Choose two. Each answer forms part of a complete solution.)

A. Schema Admins

B. Enterprise Admins

C. Account Operators

D. Server Operators

Correct Answer: ABSection: Volume CExplanation



QUESTION 283The root domain of the Adatum forest is Adatum.local. The contoso.com domain tree is part of the Adatum forest. Don has an account in the australia.contoso.comdomain and is signing on to a computer that is a member of the computers.adatum.local domain.No additional UPNs have been configured. Which UPN suffix will Don use to sign on to this computer?

A. @adatum.com

B. @adatum.local

C. @computers.adatum.local

D. @australia.contoso.com



QUESTION 284You have configured a forest trust relationship between the Adatum forest and the Contoso forest. You want to ensure that users from the Contoso forest canauthenticate only when needing to access resources in the Adatum forest using the [email protected] UPN rather than any other UPN that isavailable for them.

Which of the following should you use to accomplish this goal?

A. SID filtering

B. Name suffix routing

C. Shortcut trust

D. External trust



QUESTION 285There are 42 domains in the tailspintoys.com forest. Users in the Melbourne.victoria.australia.tailspintoys.com find the process of authenticating to resources in the Copenhagen.


denmark.europe.tailspintoys.com domain to be much too slow.

Which of the following steps can you take to speed up authentication between these domains?

A. Create a forest trust.

B. Createan external trust.

C. Create a shortcut trust.


D. Configure name suffix routing.



QUESTION 286Your organization is deploying a second Active Directory forest because a substantial number of users need to access a resource that requires significant changesto the Active Directory schema, which are not compatible with your current forest's schema.You want users in your forest to be able to access any resource in any domain in the new forest.

Which of the following should you do to accomplish this goal?

A. Configure a forest trust.

B. Configure an external trust.






Explanation:

QUESTION 287You want to configure a security relationship by which users in the Melbourne domain of the Adatum.com forest are able to access resources in the Sydney domainof the Contoso forest.Users do not require access to resources in any other domains in either forest.

Which of the following should you configure to accomplish this goal?

A. Configure a forest trust.

B. Configure an external trust.





QUESTION 288At present, the subnet 192.168.15.0/24 is associated with the Brisbane site.

You want to instead associate this subnet with the Melbourne site.

Which of the following steps can you take to resolve this problem?

A. Use the Active Directory Sites And Services console to edit the properties of the 192.168.15.0/24 subnet.

B. Use the Active Directory Sites And Services console to edit the properties of the Melbourne site.

C. Use the Active Directory Sites And Services console to edit the properties of the Brisbane site.

D. Use the Active Directory Domains And Trusts console to edit the properties of the 192.168.15.0/24 subnet.




QUESTION 289HOTSPOTYour network contains one Active Directory forest named contoso.com.The forest contains a single domain.The domain contains the domain controllers is configured as shown in the following table.

The forest contains a member server named Server1.

Server1 has an IP address of 172.16.10.66.The forest has the following Active Directory subnet configuration.


Use the drop down menus to select the answer choice that complete each statement.

Hot Area:


Correct Answer:



Explanation/Reference:S1 -172.16.10.66/26, /26 = 63 IP address, Site 2 is located in this subnet.You be automatically redirected on DC2 on your IP addressing.

QUESTION 290You have a server named Server1 that runs Windows Server 2012 R2 and uses Windows Server Backup.


You need to identify whether the backups performed on Server1 support bare metal recovery.


A. Get-OBMachineSetting

B. GetWBVSSBackupOption

C. Get-WBPolicy

D. Get-OBPolicy



Get-OBMachineSetting is for AzureBackup, question asks about Windows BackupGetWBVSSBackupOption cmdlet doesn’t existGet-WBPolicy is for Windows BackupGet-OBPolicy is for Azure Backup, question asksWindows Backup

https://technet.microsoft.com/en-us/library/Ee706650.aspx
