70-412 Q&A Configuring Advanced Windows Server 2012 Services DEMO Version Copyright (c) 2014 Chinatag LLC. All rights reserved.


Leading the way in IT testing and certification tools, www.chinatag.com


Important Note: Please Read Carefully

For demonstration purposes only, this free version of the Chinatag study guide contains 10 full-length questions selected from our full-version products, which have (on average) more than 200 questions each. This study guide has been carefully written and compiled by Chinatag certification experts. It is designed to help you learn the concepts behind the questions rather than be a strict memorization tool. Repeated readings will increase your comprehension. For promotion purposes, all PDF files are not encrypted. Feel free to distribute copies among your friends and let them know about the Chinatag website.

Study Tips

This product will provide you with questions and answers along with detailed explanations carefully compiled and written by our experts. Try to understand the concepts behind the questions instead of cramming the questions. Go through the entire document at least twice so that you make sure that you are not missing anything.

Latest Version

We are constantly reviewing our products. New material is added and old material is revised. Free updates are available for 90 days after the purchase. You should check the products page on the http://www.chinatag.com website for an update 3-4 days before the scheduled exam date.

Please tell us what you think of our products. We appreciate both positive and critical comments, as your feedback helps us improve future versions. Feedback on specific questions should be sent to [email protected]. Thanks for purchasing our products; we look forward to supplying you with all your certification training needs.

Good studying!

Technical and Support Team
Chinatag LLC.


QUESTION 1

You have a DHCP server named Server1. Server1 has one network adapter. Server1 is located on a subnet named Subnet1. Server1 has a scope named Scope1. Scope1 contains IP addresses for the 192.168.1.0/24 network.

Your company is migrating the IP addresses on Subnet1 to use a network ID of 10.10.0.0/16.

On Server1, you create a scope named Scope2. Scope2 contains IP addresses for the 10.10.0.0/16 network.

You need to ensure that clients on Subnet1 can receive IP addresses from either scope.

What should you create on Server1?

A. A multicast scope

B. A scope

C. A superscope

D. A split-scope

Correct Answer: C

Explanation/Reference:

http://technet.microsoft.com/en-us/library/cc958938.aspx

QUESTION 2

Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1 that runs Windows Server 2012.

On DC1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)

You need to change the zone type of the contoso.com zone from an Active Directory-integrated zone to a standard primary zone.

What should you do before you change the zone type?

A. Unsign the zone.

B. Modify the Zone Signing Key (ZSK).

C. Modify the Key Signing Key (KSK).

D. Change the Key Master.

Correct Answer: A

Explanation/Reference:

Unsigning a Zone

If there are errors in the signing or TA distribution process, or if the zone was signed experimentally and is being reverted, the administrator will need to unsign the zone. This can be done by launching the DNSSEC UI from within the DNS Management console on the key master (or remotely on another server connected to the KM), and selecting the option to Unsign the zone.


http://download.microsoft.com/download/E/0/9/E09647CF-90B7-41A8-82B7-762B5507598F/Understand_and_Troubleshoot_DNSSEC_in_Windows_Server_8_Beta.docx

QUESTION 3

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed. Server2 has the DHCP Server server role installed.

A user named User1 is a member of the IPAM Users group on Server1.

You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2. The solution must minimize the number of permissions assigned to User1.

To which group should you add User1?

A. DHCP Administrators on Server2

B. IPAM ASM Administrators on Server1

C. IPAMUG in Active Directory

D. IPAM MSM Administrators on Server1

Correct Answer: A

Explanation/Reference:

IPAM in Windows Server 2012 is a new built-in framework for discovering, monitoring, auditing, and managing the IP address space used on your network.

IPAM provides a dynamic view of your IP infrastructure, and the view is continually refreshed by periodic tasks that run on the IPAM server. IPAM also enables administrators to perform several configuration actions directly from the IPAM console.

The Universal Security Group IPAMUG is created in your Active Directory domain when you install the IPAM feature. Permissions in DNS and DHCP are keyed to this security group. Make sure the group has been created and that the computer account of your IPAM server is a member of the group.

Problem: You are unable to make configuration changes on a DHCP server or scope.

Solution: Verify that DHCP RPC firewall ports are enabled on the target DHCP server, and that you are signed in with an account that has DHCP Administrators privileges on the target DHCP server.

http://technet.microsoft.com/en-us/library/jj878309.aspx

QUESTION 4

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012. Server1 has the DHCP Server server role installed. Server2 has the Hyper-V server role installed. Server2 has an IP address of 192.168.10.50.

Server1 has a scope named Scope1 for the 192.168.10.0/24 network.

You plan to deploy 20 virtual machines on Server2 that will be connected to the external network. The MAC addresses for the virtual machines will begin with 00-15-5D-83-03.

You need to configure Server1 to offer the virtual machines IP addresses from 192.168.10.200 to 192.168.10.219. Physical computers on the network must be offered IP addresses outside this range. You want to achieve this goal by using the minimum amount of administrative effort.

What should you do from the DHCP console?

A. Create reservations.

B. Create a policy.

C. Delete Scope1 and create two new scopes.

D. Configure Allow filters and Deny filters.

Correct Answer: B


Explanation/Reference:

DHCP policy based assignment

With a DHCP server running Windows Server 2012, administrators can define an address assignment policy at the server level or scope level. A policy contains a set of conditions to evaluate when processing client requests.

The following fields in the DHCP client request are available when defining policies:

- Vendor Class
- User Class
- MAC address
- Client Identifier
- Relay Agent Information

http://technet.microsoft.com/en-us/library/hh831538.aspx#pba_2a
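The scope-level policy from Question 4, expressed with the DhcpServer PowerShell module instead of the DHCP console. This is an added example, not part of the original study guide; the policy name is hypothetical, and the MAC prefix is written as 00155D8303*, reading the question's prefix as the Hyper-V range 00-15-5D.

```powershell
# Added example (not from the study guide). Run on Server1 with the
# DhcpServer module available. Names below are assumptions.
$scope  = '192.168.10.0'      # Scope1 from the question
$policy = 'HyperV-VMs'        # hypothetical policy name

# Condition: the client MAC address starts with the virtual machine prefix.
# The trailing * is a wildcard for the remaining octet.
Add-DhcpServerv4Policy -Name $policy -ScopeId $scope `
    -Condition OR -MacAddress EQ, '00155D8303*' `
    -Description 'Address range for virtual machines on Server2'

# Clients that match the policy are offered .200 to .219 only. Clients that
# match no policy are served from the rest of the scope, outside this range.
Add-DhcpServerv4PolicyIPRange -Name $policy -ScopeId $scope `
    -StartRange 192.168.10.200 -EndRange 192.168.10.219

# Verify the policy, its condition and its range.
Get-DhcpServerv4Policy -ScopeId $scope -Name $policy |
    Format-List Name, Enabled, ProcessingOrder, Condition, MacAddress
Get-DhcpServerv4PolicyIPRange -ScopeId $scope -Name $policy

# After clients renew, list the leases that were assigned by the policy.
# The MAC address is supplied by the client, so review this list rather
# than treating the policy as an access control.
Get-DhcpServerv4Lease -ScopeId $scope |
    Where-Object { $_.PolicyName -eq $policy } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```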

QUESTION 5

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed.

You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2.

You need to ensure that Tech1 can use Server Manager on Server1 to manage IPAM on Server2.

To which group on Server2 should you add Tech1?

A. Remote Management Users

B. IPAM MSM Administrators

C. IPAM Administrators

D. WinRMRemoteWMIUsers

Correct Answer: D

Explanation/Reference:

IPAM is an agentless multi-server, multi-service management feature that leverages standard Windows remote management protocols to manage, monitor and collect data from IP address infrastructure servers. IPAM relies on a host of remote management technologies to provide full functionality. Communication with multiple network elements throughout the enterprise is required for data gathering and configuration management. Depending on the scope of managed elements, this communication may need to traverse multiple security boundaries or domains.

If you are accessing the IPAM server from a remote IPAM client, you must be a member of the WinRMRemoteWMIUsers group on the IPAM server, in addition to being a member of the appropriate local IPAM security group.

http://technet.microsoft.com/en-us/library/jj878312.aspx

http://msdn.microsoft.com/en-us/library/aa384463%28v=vs.85%29.aspx

QUESTION 6

Your network contains two Active Directory forests named contoso.com and adatum.com. All of the domain controllers in both of the forests run Windows Server 2012. The adatum.com domain contains a file server named Server5.

Adatum.com has a one-way forest trust to contoso.com.

A contoso.com user named User10 attempts to access a shared folder on Server5 and receives the error message shown in the exhibit. (Click the Exhibit button.)


You verify that the Authenticated Users group has Read permissions to the Data folder.

You need to ensure that User10 can read the contents of the Data folder on Server5 in the adatum.com domain.

What should you do?

A. Grant the Other Organization group Read permissions to the Data folder.

B. Modify the list of logon workstations of the contoso\User10 user account.

C. Enable the Netlogon Service (NP-In) firewall rule on Server5.

D. Modify the permissions on the Server5 computer object in Active Directory.

Correct Answer: D

Explanation/Reference:

To resolve this, open AD Users and Computers > Advanced Features > select the computer object > Properties > Security > Add group (e.g. trustedDomain\Domain users) > allow "Allowed to Authenticate".


http://technet.microsoft.com/en-us/library/cc816733(v=ws.10).aspx

QUESTION 7

Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists for each office.

All domain controllers run Windows Server 2012. The domain contains two domain controllers.

The domain controllers are configured as shown in the following table.

DC1 hosts an Active Directory-integrated zone for contoso.com.

You add the DNS Server server role to DC2.

You discover that the contoso.com DNS zone fails to replicate to DC2.

You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2.

You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication.

Which tool should you use?

A. Active Directory Sites and Services

B. Ntdsutil

C. DNS Manager

D. Active Directory Domains and Trusts

Correct Answer: A

Explanation/Reference:

To control replication between two sites, you can use the Active Directory Sites and Services snap-in to configure settings on the site link object to which the sites are added. By configuring settings on a site link, you can control when replication occurs between two or more sites, and how often.

NOTE: If you see a question about AD replication, the first preference is AD Sites and Services, then Repadmin, and then DNSLint.

http://technet.microsoft.com/en-us/library/cc816926%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc731862.aspx

QUESTION 8

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003.

The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server 2008 R2. The functional level of the domain is Windows Server 2008.

The fabrikam.com domain contains domain controllers that run either Windows Server 2003 or Windows Server 2008. The functional level of the domain is Windows Server 2003.

The contoso.com domain contains a member server named Server1 that runs Windows Server 2012.

You install the Active Directory Domain Services server role on Server1.

You need to add Server1 as a new domain controller in the contoso.com domain.

What should you do?

A. Run the Active Directory Domain Services Configuration Wizard.

B. Run adprep.exe /domainprep, and then run dcpromo.exe.

C. Raise the functional level of the forest, and then run dcpromo.exe.


D. Modify the Computer Name/Domain Changes properties.

Correct Answer: A

Explanation/Reference:

The Active Directory Domain Services Configuration Wizard

Beginning with Windows Server 2012, the Active Directory Domain Services Configuration Wizard replaces the legacy Active Directory Domain Services Installation Wizard as the user interface (UI) option to specify settings when you install a domain controller. The Active Directory Domain Services Configuration Wizard begins after Add Roles Wizard is finished.

The legacy Active Directory Domain Services Installation Wizard (dcpromo.exe) is deprecated beginning with Windows Server 2012.

Functional level features and requirements

Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain controllers that run Windows 2000 Server are not supported and will block installation of a domain controller that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.

Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers to your forest.

From Windows Server 2008 R2 to Windows Server 2012:

The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any new domain created in the forest will automatically operate at the Windows Server 2012 domain functional level.

The Windows Server 2012 domain functional level does not provide other new features beyond KDC support for claims, compound authentication, and Kerberos armoring. But it ensures that any domain controller in the domain runs Windows Server 2012.

http://technet.microsoft.com/en-us/library/cc771294.aspx

http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels

QUESTION 9

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The forest functional level is Windows 2000.

The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server 2008 R2. The domain functional level is Windows Server 2008.

The fabrikam.com domain contains domain controllers that run either Windows 2000 Server or Windows Server 2003. The domain functional level is Windows 2000 native.

The contoso.com domain contains a member server named Server1 that runs Windows Server 2012.

You need to add Server1 as a new domain controller in the contoso.com domain.

What should you do first?

A. Raise the functional level of the contoso.com domain to Windows Server 2008 R2.

B. Upgrade the domain controllers that run Windows Server 2008 to Windows Server 2008 R2.

C. Raise the functional level of the fabrikam.com domain to Windows Server 2003.

D. Decommission the domain controllers that run Windows 2000.

E. Raise the forest functional level to Windows Server 2003.

Correct Answer: D

Explanation/Reference:

Functional level features and requirements

Windows Server 2012 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher. This means that domain controllers that run Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 can operate in the same forest, but domain controllers that run Windows 2000 Server are not supported and will block installation of a domain controller that runs Windows Server 2012. If the forest contains domain controllers running Windows Server 2003 or later but the forest functional level is still Windows 2000, the installation is also blocked.

Windows 2000 domain controllers must be removed prior to adding Windows Server 2012 domain controllers to your forest.

From Windows Server 2008 R2 to Windows Server 2012:

The Windows Server 2012 forest functional level does not provide any new features, but it ensures that any new domain created in the forest will automatically operate at the Windows Server 2012 domain functional level.

The Windows Server 2012 domain functional level does not provide other new features beyond KDC support for claims, compound authentication, and Kerberos armoring. But it ensures that any domain controller in the domain runs Windows Server 2012.

http://technet.microsoft.com/en-us/library/cc771294.aspx

http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_FunctionalLevels

QUESTION 10

Your network contains an Active Directory domain named adatum.com. The domain contains two domain controllers that run Windows Server 2012. The domain controllers are configured as shown in the following table.

You log on to DC1 by using a user account that is a member of the Domain Admins group, and then you create a new user account named User1.

You need to prepopulate the password for User1 on DC2.

What should you do first?

A. Connect to DC2 from Active Directory Users and Computers.

B. Add DC2 to the Allowed RODC Password Replication Policy group.

C. Add the User1 account to the Allowed RODC Password Replication Policy group.

D. Run Active Directory Users and Computers as a member of the Enterprise Admins group.

Correct Answer: C

Explanation/Reference:

When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

Clearing cached passwords

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, an administrator should reset the password in the hub site.

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx

http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre
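The Password Replication Policy steps from Question 10, followed by an audit of which credentials the RODC currently holds, since cached passwords can only be invalidated by a reset. This is an added example, not part of the original study guide; it assumes DC2 is the RODC and DC1 its writable replication partner (the question's table is not reproduced on the page).

```powershell
# Added example (not from the study guide). Requires the ActiveDirectory
# module. Assumption: DC2 is the RODC, DC1 is the writable partner.
$rodc = 'DC2'
$hub  = 'DC1'
$user = 'User1'

# Step from the answer: allow the account's password to be cached.
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Policy' `
    -Members $user

# Review what the policy allows and denies for this RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# Prepopulate the password on the RODC from the writable partner.
$dn = (Get-ADUser -Identity $user).DistinguishedName
repadmin /rodcpwdrepl $rodc $hub $dn

# Audit: accounts whose passwords are currently stored on the RODC.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
    -Identity $rodc -RevealedAccounts
$revealed | Select-Object Name, ObjectClass, DistinguishedName

# Flag cached accounts that are marked as protected (adminCount = 1).
# These should not be cached on an RODC; resetting the password in the
# hub site is the way to invalidate the stored copy.
$revealed |
    ForEach-Object {
        Get-ADObject -Identity $_.DistinguishedName -Properties adminCount
    } |
    Where-Object { $_.adminCount -eq 1 } |
    Select-Object Name, DistinguishedName
```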
