Your company recently deployed a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2.
You need to identify the time-to-live (TTL) value for domain referrals to the NETLOGON and SYSVOL shared folders.
Which tool should you use?
- A . Ultrasound
- B . Replmon
- C . Dfsdiag
- D . Frsutil
C
Explanation:
DFSDIAG can check your configuration in five different ways:
– Checking referral responses (DFSDIAG /TestReferral)
– Checking domain controller configuration
– Checking site associations
– Checking namespace server configuration
– Checking individual namespace configuration and integrity
References: https://blogs.technet.microsoft.com/josebda/2009/07/15/five-ways-to-check-your-dfsnamespaces-dfs-n-configuration-with-the-dfsdiag-exe-tool/
HOTSPOT
Your network contains an Active Directory forest named contoso.com that contains a single domain. The forest contains three sites named Site1, Site2, and Site3.
Domain controllers run either Windows Server 2008 R2 or Windows Server 2012 R2.
Each site contains two domain controllers. Site1 and Site2 contain a global catalog server.
You need to create a new site link between Site1 and Site2. The solution must ensure that the site link supports the replication of all the naming contexts.
From which node should you create the site link? To answer, select the appropriate node in the answer area.
Explanation:
Create a Site Link
To create a site link
– Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services. To open Active Directory Sites and Services in Windows Server® 2012, click Start, type dssite.msc.
– In the console tree, right-click the intersite transport protocol that you want the site link to use.
Use the IP intersite transport unless your network has remote sites where network connectivity is intermittent or end-to-end IP connectivity is not available. Simple Mail Transfer Protocol (SMTP) replication has restrictions that do not apply to IP replication.
Reference: Create a Site Link http://technet.microsoft.com/en-us/library/cc731294.aspx
Your network contains two Active Directory forests named contoso.com and adatum.com. Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com.
Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the forest trust.
Several user accounts are migrated from child.adatum.com to adatum.com. Users report that after the migration, they fail to access resources in contoso.com. The users successfully accessed the resources in contoso.com before the accounts were migrated.
You need to ensure that the migrated users can access the resources in contoso.com.
What should you do?
- A . Replace the existing forest trust with an external trust.
- B . Run netdom and specify the /quarantine attribute.
- C . Disable SID filtering on the existing forest trust.
- D . Disable selective authentication on the existing forest trust.
C
Explanation:
Security Considerations for Trusts
Need to gain access to the resources in contoso.com
Disabling SID Filter Quarantining on External Trusts
Although it reduces the security of your forest (and is therefore not recommended), you can disable SID filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:
* Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on the SID history attribute.
Etc.
Incorrect:
Not B. Netdom enables administrators to manage Active Directory domains and trust relationships from the command prompt. /quarantine sets or clears the domain quarantine.
Not D. Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource computers) that reside in the trusting forest.
Reference: Security Considerations for Trusts
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains domain controllers that run either Windows Server 2003, Windows Server 2008 R2, or Windows Server 2012 R2. You plan to implement a new Active Directory forest. The new forest will be used for testing and will be isolated from the production network. In the test network, you deploy a server named Server1 that runs Windows Server 2012 R2. You need to configure Server1 as a new domain controller in a new forest named contoso.test.
The solution must meet the following requirements:
• The functional level of the forest and of the domain must be the same as that of contoso.com.
• Server1 must provide name resolution services for contoso.test.
What should you do? To answer, configure the appropriate options in the answer area.
Explanation:
Set the forest functional level and the domain functional level both to Windows Server 2003.
Also check Domain Name (DNS) server.
Note:
* When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you will never add domain controllers that run Windows Server 2003 to the domain or forest, select the Windows Server 2008 functional level during the deployment process. However, if you might retain or add domain controllers that run Windows Server 2003, select the Windows Server 2003 functional level.
* You can set the domain functional level to a value that is higher than the forest functional level. For example, if the forest functional level is Windows Server 2003, you can set the domain functional level to Windows Server 2003 or higher.
Reference: Understanding Active Directory Domain Services (AD DS) Functional Levels
Your network contains an Active Directory forest named adatum.com. The forest contains a single domain. The domain contains four servers.
The servers are configured as shown in the following table.
You need to update the schema to support a domain controller that will run Windows Server 2012 R2.
On which server should you run adprep.exe?
- A . Server1
- B . DC3
- C . DC2
- D . DC1
B
Explanation:
We must use the Windows Server 2008 R2 Server.
Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012
You can use adprep.exe on domain controllers that run 64-bit versions of Windows Server 2008 or Windows Server 2008 R2 to upgrade to Windows Server 2012. You cannot upgrade domain controllers that run Windows Server 2003 or 32-bit versions of Windows Server 2008. To replace them, install domain controllers that run a later version of Windows Server in the domain, and then remove the domain controllers that run Windows Server 2003.
Reference: Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012, Supported in-place upgrade paths.
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_UpgradePaths
HOTSPOT
Your network contains three Active Directory forests.
The forests are configured as shown in the following table.
A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way forest trust also exists between contoso.com and division2.contoso.com.
You plan to create a one-way forest trust from division1.contoso.com to division2.contoso.com.
You need to ensure that any cross-forest authentication requests are sent to the domain controllers in the appropriate forest after the trust is created.
How should you configure the existing forest trust settings? In the table below, identify which configuration must be performed in each forest. Make only one selection in each column. Each correct selection is worth one point.
Explanation:
There will be a one-way forest trust from division1.contoso.com to division2.contoso.com
Division1 trusts Division2. Division2 must be able to access resources in Division1.
Division1 should not be able to access resources in Division2.
Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2012 R2.
The forest has a two-way realm trust to a Kerberos realm named adatum.com.
You discover that users in adatum.com can only access resources in the root domain of contoso.com.
You need to ensure that the adatum.com users can access the resources in all of the domains in the forest.
What should you do in the forest?
- A . Delete the realm trust and create a forest trust.
- B . Delete the realm trust and create three external trusts.
- C . Modify the incoming realm trust.
- D . Modify the outgoing realm trust.
D
Explanation:
A one-way, outgoing realm trust allows resources in your Windows Server domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm.
You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.
Reference: Create a One-Way, Outgoing, Realm Trust
Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child1.contoso.com. The domains contain three domain controllers.
The domain controllers are configured as shown in the following table.
You need to ensure that the KDC support for claims, compound authentication, and Kerberos armoring setting is enforced in the child1.contoso.com domain.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
- A . Upgrade DC1 to Windows Server 2012 R2.
- B . Upgrade DC11 to Windows Server 2012 R2.
- C . Raise the domain functional level of child1.contoso.com.
- D . Raise the domain functional level of contoso.com.
- E . Raise the forest functional level of contoso.com.
BC
Explanation:
The root domain in the forest must be at Windows Server 2012 level. First upgrade DC1 to this level (A), then raise the contoso.com domain functional level to Windows Server 2012 (D).
* (A) To support resources that use claims-based access control, the principal’s domains will need to be running one of the following:
/ All Windows Server 2012 domain controllers
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows 8 device authentication requests
/ Sufficient Windows Server 2012 domain controllers to handle all the Windows Server 2012 resource protocol transition requests to support non-Windows 8 devices.
Reference: What’s New in Kerberos Authentication
http://technet.microsoft.com/en-us/library/hh831747.aspx
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers.
The domain controllers are configured as shown in the following table.
You configure a user named User1 as a delegated administrator of DC10.
You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails.
What should you do?
- A . Add User1 to the Domain Admins group.
- B . On DC10, modify the User Rights Assignment in Local Policies.
- C . Run repadmin and specify the /prp parameter.
- D . On DC10, run ntdsutil and configure the settings in the Roles context.
- E . Run repadmin and specify /replsingleobject parameter.
- F . On DC1, modify the User Rights Assignment in Default Controllers Group Policy object (GPO).
C
Explanation:
repadmin /prp will allow the password caching of the local administrator to the RODC. This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).
References: RODC Administration https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
Your company has offices in Montreal, New York, and Amsterdam.
The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link.
You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate the Active Directory changes to the domain controllers in the Amsterdam office.
The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the Active Directory changes any time of day.
What should you do?
- A . Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of DEFAULTIPSITELINK.
- B . Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of DEFAULTIPSITELINK.
- C . Create a new site link that contains Montreal and Amsterdam. Remove Amsterdam from DEFAULTIPSITELINK. Modify the schedule of the new site link.
- D . Create a new site link that contains Montreal and Amsterdam. Create a new site link bridge. Modify the schedule of the new site link.
C
Explanation:
We create a new site link between Montreal and Amsterdam and schedule it only between 20:00 and 08:00. To ensure that traffic between Montreal and Amsterdam only occurs at this time, we also remove Amsterdam from the DEFAULTIPSITELINK.
Reference: How Active Directory Replication Topology Works http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as nodes in an NLB cluster named Cluster1. Both servers connect to the same switch.
Cluster1 hosts a secure web application named WebApp1. WebApp1 saves user state information in a central database.
You need to ensure that the connections to WebApp1 are distributed evenly between the nodes. The solution must minimize port flooding.
What should you configure? To answer, configure the appropriate affinity and the appropriate mode for Cluster1 in the answer area.
Explanation:
The Affinity parameter is applicable only for the Multiple hosts filtering mode. With No affinity, NLB does not associate clients with a particular member. Every client request can be load balanced to any member.
References: https://technet.microsoft.com/en-us/library/bb687542.aspx
Your network contains two Web servers named Server1 and Server2. Both servers run Windows Server 2012 R2.
Server1 and Server2 are nodes in a Network Load Balancing (NLB) cluster. The NLB cluster contains an application named App1 that is accessed by using the URL http://app1.contoso.com. You plan to perform maintenance on Server1.
You need to ensure that all new connections to App1 are directed to Server2. The solution must not disconnect the existing connections to Server1.
What should you run?
- A . The Set-NlbCluster cmdlet
- B . The Set-NlbClusterNode cmdlet
- C . The Stop-NlbCluster cmdlet
- D . The Stop-NlbClusterNode cmdlet
- E . The Suspend-NlbClusterNode cmdlet
- F . The nlb.exe suspend command
D
Explanation:
The Stop-NlbClusterNode cmdlet stops a node in an NLB cluster. When you stop the nodes in the cluster, client connections that are already in progress are interrupted. To avoid interrupting active connections, consider using the -Drain parameter, which allows the node to continue servicing active connections but disables all new traffic to that node.
-Drain <SwitchParameter>
Drains existing traffic before stopping the cluster node. If this parameter is omitted, existing traffic will be dropped.
References: Stop-NlbClusterNode
Your network contains two servers named HV1 and HV2. Both servers run Windows Server 2012 R2 and have the Hyper-V server role installed. HV1 hosts 25 virtual machines. The virtual machine configuration files and the virtual hard disks are stored in D:\VM. You shut down all of the virtual machines on HV1. You copy D:\VM to D:\VM on HV2. You need to start all of the virtual machines on HV2. You want to achieve this goal by using the minimum amount of administrative effort.
What should you do?
- A . Run the Import-VMInitialReplication cmdlet.
- B . From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and overwrite the existing files. On HV2, run the Import Virtual Machine wizard.
- C . From HV1, export all virtual machines to D:\VM. Copy D:\VM to D:\VM on HV2 and overwrite the existing files. On HV2, run the New Virtual Machine wizard.
- D . Run the Import-VM cmdlet.
D
Explanation:
Import-VM
Imports a virtual machine from a file.
Example
Imports the virtual machine from its configuration file. The virtual machine is registered in-place, so its files are not copied.
Windows PowerShell
PS C:\> Import-VM -Path 'D:\Test\VirtualMachines\5AE40946-3A98-428E-8C83-081A3C6BD18C.XML'
Reference: Import-VM
HOTSPOT
Your network contains two Hyper-V hosts that are configured as shown in the following table.
You create a virtual machine on Server1 named VM1. You plan to export VM1 from Server1 and import VM1 to Server2.
You need to ensure that you can start the imported copy of VM1 from snapshots.
What should you configure on VM1? To answer, select the appropriate node in the answer area.
Explanation:
Note:
* If the CPUs are from the same manufacturer but not from the same type, you may need to use Processor Compatibility.
(Incorrect) The network adapter is already disconnected.
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains four member servers named Server1, Server2, Server3, and Server4. All servers run Windows Server 2012 R2.
Server1 and Server2 are located in a site named Site1. Server3 and Server4 are located in a site named Site2. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 is configured to use the Node Majority quorum configuration. You need to ensure that Server1 is the only server in Site1 that can vote to maintain quorum.
What should you run from Windows PowerShell? To answer, drag the appropriate commands to the correct location. Each command may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Explanation:
We remove Server2 from the quorum vote by setting its NodeWeight to 0.
NodeWeight settings are used during quorum voting to support disaster recovery and multi-subnet scenarios for AlwaysOn Availability Groups and SQL Server Failover Cluster Instances.
Example (PowerShell)
The following example changes the NodeWeight setting to remove the quorum vote for the “AlwaysOnSrv1” node.
Import-Module FailoverClusters
$node = "AlwaysOnSrv1"
(Get-ClusterNode $node).NodeWeight = 0
Reference: Configure Cluster Quorum NodeWeight Settings
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 contains a cluster disk resource.
A developer creates an application named App1. App1 is NOT a cluster-aware application. App1 runs as a service. App1 stores data on the cluster disk resource.
You need to ensure that App1 runs in Cluster1. The solution must minimize development effort.
Which cmdlet should you run?
- A . Add-ClusterGenericServiceRole
- B . Add-ClusterGenericApplicationRole
- C . Add-ClusterScaleOutFileServerRole
- D . Add-ClusterServerRole
B
Explanation:
Add-ClusterGenericApplicationRole
Configure high availability for an application that was not originally designed to run in a failover cluster.
If you run an application as a Generic Application, the cluster software will start the application, then periodically query the operating system to see whether the application appears to be running. If so, it is presumed to be online, and will not be restarted or failed over.
EXAMPLE 1.
C:\PS> Add-ClusterGenericApplicationRole -CommandLine NewApplication.exe
Name              OwnerNode    State
----              ---------    -----
cluster1GenApp    node2        Online
Description
-----------
This command configures NewApplication.exe as a generic clustered application. A default name will be used for client access and this application requires no storage.
Reference: Add-ClusterGenericApplicationRole
http://technet.microsoft.com/en-us/library/ee460976.aspx
HOTSPOT
Your network contains an Active Directory domain named contoso.com. You have a failover cluster named Cluster1 that contains two nodes named Server1 and Server2. Both servers run Windows Server 2012 R2 and have the Hyper-V server role installed. You plan to create two virtual machines that will run an application named App1. App1 will store data on a virtual hard drive named App1data.vhdx. App1data.vhdx will be shared by both virtual machines.
The network contains the following shared folders:
• An SMB file share named Share1 that is hosted on a Scale-Out File Server.
• An SMB file share named Share2 that is hosted on a standalone file server.
• An NFS share named Share3 that is hosted on a standalone file server.
You need to ensure that both virtual machines can use App1data.vhdx simultaneously.
What should you do? To answer, select the appropriate configurations in the answer area.
Explanation:
* Simultaneous access to vhd can only be done by scale-out file server
* Create your VHDX data files to be shared as fixed-size or dynamically expanding, on the disk where you manually attached the Shared VHDX filter. Old VHD files are not allowed. Differencing disks are not allowed.
Reference: Windows Server 2012 R2 Storage: Step-by-step with Storage Spaces, SMB Scale-Out and Shared VHDX (Virtual)
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and configured.
For all users, you are deploying smart cards for logon. You are using an enrollment agent to enroll the smart card certificates for the users.
You need to configure the Contoso Smartcard Logon certificate template to support the use of the enrollment agent.
Which setting should you modify? To answer, select the appropriate setting in the answer area.
Explanation:
/ In application policy drop-down list select Certificate Request Agent.
/ The Issuance Requirements Tab
* Application policy. This option specifies the application policy that must be included in the signing certificate used to sign the certificate request. It is enabled when Policy type required in signature is set to either Application policy or Both application and issuance policy.
Reference: Administering Certificate Templates
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
The system properties of Server1 are shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 as an enterprise subordinate certification authority (CA).
What should you do first?
- A . Add RAM to the server.
- B . Set the Startup Type of the Certificate Propagation service to Automatic.
- C . Install the Certification Authority Web Enrollment role service.
- D . Join Server1 to the contoso.com domain.
D
Explanation:
Enterprise CAs must be domain members. From the exhibit we see that it is only a Workgroup member.
Note:
A new CA can be the root CA of a new PKI or subordinate to another in an existing PKI. Enterprise subordinate certification authority. An enterprise subordinate CA must get a CA certificate from an enterprise root CA but can then issue certificates to all users and computers in the enterprise. These types of CAs are often used for load balancing of an enterprise root CA.
Reference: Install a Subordinate Certification Authority
Your network contains a perimeter network and an internal network. The internal network contains an Active Directory Federation Services (AD FS) 2.1 infrastructure. The infrastructure uses Active Directory as the attribute store.
You plan to deploy a federation server proxy to a server named Server2 in the perimeter network. You need to identify which value must be included in the certificate that is deployed to Server2.
What should you identify?
- A . The FQDN of the AD FS server
- B . The name of the Federation Service
- C . The name of the Active Directory domain
- D . The public IP address of Server2
B
Explanation:
To add a host (A) record to corporate DNS for a federation server
On a DNS server for the corporate network, open the DNS snap-in.
Your network contains an Active Directory forest named contoso.com. The forest contains two child domains named east.contoso.com and west.contoso.com.
You install an Active Directory Rights Management Services (AD RMS) cluster in each child domain.
You discover that all of the users in the contoso.com forest are directed to the AD RMS cluster in east.contoso.com.
You need to ensure that the users in west.contoso.com are directed to the AD RMS cluster in west.contoso.com and that the users in east.contoso.com are directed to the AD RMS cluster in east.contoso.com.
What should you do?
- A . Modify the Service Connection Point (SCP).
- B . Configure the Group Policy object (GPO) settings of the users in the west.contoso.com domain.
- C . Configure the Group Policy object (GPO) settings of the users in the east.contoso.com domain.
- D . Modify the properties of the AD RMS cluster in west.contoso.com.
B
Explanation:
The users in west.contoso.com are the ones affected: they need to be directed to the AD RMS cluster in west.contoso.com, not the one in east.contoso.com.
Note: It is recommended that you use GPO to deploy AD RMS client settings and that you only deploy settings as needed.
Reference: AD RMS Best Practices Guide
You have a server named Server1 that runs Windows Server 2012 R2. From Server Manager, you install the Active Directory Certificate Services server role on Server1. A domain administrator named Admin1 logs on to Server1.
When Admin1 runs the Certification Authority console, Admin1 receives the following error message.
You need to ensure that when Admin1 opens the Certification Authority console on Server1, the error message does not appear.
What should you do?
- A . Install the Active Directory Certificate Services (AD CS) tools.
- B . Run the regsvr32.exe command.
- C . Modify the PATH system variable.
- D . Configure the Active Directory Certificate Services server role from Server Manager.
- E . Run the Install-AdcsCertificationAuthority cmdlet.
- F . Add Admin1 to the Cert Publishers group.
- G . Add Admin1 to the Enterprise Admins group.
D
Explanation:
The error message is related to missing role configuration.
* Cannot Manage Active Directory Certificate Services
Resolution: configure the two Certification Authority and Certification Authority Web Enrollment Roles:
Active Directory Certificate Services (AD CS) is an Active Directory tool that lets administrators customize services in order to issue and manage public key certificates.
AD CS includes:
CA Web enrollment – connects users to a CA with a Web browser
Certification authorities (CAs) – manages certificate validation and issues certificates
Etc.
Incorrect Answers:
A, E. The CA is installed; it just needs to be configured correctly.
Note: Install-AdcsCertificationAuthority
The Install-AdcsCertificationAuthority cmdlet performs installation and configuration of the AD CS CA role service.
References: Cannot manage Active Directory Certificate Services in Server 2012 Error 0x800070002; Active Directory Certificate Services (AD CS) Definition
http://searchwindowsserver.techtarget.com/definition/Active-Directory-Certificate-Services-AD-CS
Your network contains an Active Directory domain named contoso.com.
A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS).
After the proof of concept was complete, the Active Directory Rights Management Services server role was removed.
You attempt to deploy AD RMS.
During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found.
You need to remove the existing AD RMS SCP.
Which tool should you use?
- A . Active Directory Users and Computers
- B . Authorization Manager
- C . Active Directory Domains and Trusts
- D . Active Directory Sites and Services
- E . Active Directory Rights Management Services
D
Explanation:
AD RMS registers the Service Connection Point (SCP) in Active Directory, and you need to unregister it before you remove the AD RMS server role.
If your AD RMS server is still alive, you can manually remove the SCP as follows:
Reference: How to manually remove or reinstall ADRMS
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012.
You complete the Active Directory Federation Services Configuration Wizard on Server1.
You need to ensure that client devices on the internal network can use Workplace Join.
Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
- A . Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
- B . Edit the multi-factor authentication global authentication policy settings.
- C . Run Enable-AdfsDeviceRegistration.
- D . Run Set-AdfsProxyProperties HttpPort 80.
- E . Edit the primary authentication global authentication policy settings.
CE
Explanation:
C. To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
E. Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a 'known' device and administrators can use this information to drive conditional access and gate access to resources. To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices:
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Reference: Configure a federation server with Device Registration Service.
DRAG DROP
Your network contains an Active Directory domain named contoso.com.
You need to ensure that third-party devices can use Workplace Join to access domain resources on the Internet.
Which four actions should you perform in sequence? To answer, move the appropriate four actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Note:
* Checklist: Deploying a Federation Server Farm includes:
(Box 1) Enroll a Secure Socket Layer (SSL) certificate for AD FS.
(Box 2) Install the AD FS role service.
(Box 3, box 4) Optional step: Configure a federation server with Device Registration Service (DRS).
Box 3: To enable Device Registration Service.
On your federation server, open a Windows PowerShell command window and type:
Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
Box 4: Update the Web Application Proxy configuration
The Device Registration Service will be available through the Web Application Proxy once it is enabled on a federation server. You may need to complete this procedure to update the Web Application Proxy configuration if it was deployed prior to enabling the Device Registration Service.
* Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and sets a certificate on the consumer device that is used to represent the device identity. The DRS is meant to be both internal and external facing. Companies that deploy both DRS and the Web Application Proxy will be able to Workplace Join devices from any internet connected location.
Reference: Deploying a Federation Server Farm.
HOTSPOT
Your company has a primary data center and a disaster recovery data center. The network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is located in the primary data center.
Server1 has an enterprise root certification authority (CA) for contoso.com.
You deploy another server named Server2 to the disaster recovery data center.
You plan to configure Server2 as a secondary certificate revocation list (CRL) distribution point.
You need to configure Server2 as a CRL distribution point (CDP).
Which tab should you use to configure the required CDP entry? To answer, select the appropriate tab in the answer area.
Explanation:
To configure the CDP and AIA extensions on CA1
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as an enterprise certification authority (CA).
You need to ensure that all of the users in the domain are issued a certificate that can be used for the following purposes:
• Email security
• Client authentication
• Encrypting File System (EFS)
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
- A . From a Group Policy, configure the Certificate Services Client Auto-Enrollment settings.
- B . From a Group Policy, configure the Certificate Services Client Certificate Enrollment Policy settings.
- C . Modify the properties of the User certificate template, and then publish the template.
- D . Duplicate the User certificate template, and then publish the template.
- E . From a Group Policy, configure the Automatic Certificate Request Settings settings.
AD
Explanation:
The default user template supports all of the requirements EXCEPT auto enroll as shown below:
However a duplicated template from users has the ability to autoenroll:
The Automatic Certificate Request Settings GPO setting is only available to Computer, not user.
Reference: Manage Certificate Enrollment Policy by Using Group Policy. http://technet.microsoft.com/en-us/library/dd851772.aspx
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server3 that runs Windows Server 2012 R2 and has the DHCP Server role installed.
DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
Scope1, Scope2, and Scope3 are configured to assign the IP addresses of two DNS servers to DHCP clients. The remaining scopes are NOT configured to assign IP addresses of DNS servers to DHCP clients.
You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers to DHCP clients. The solution must minimize administrative effort.
What should you do?
- A . Create a superscope and scope-level policies.
- B . Configure the Scope Options.
- C . Create a superscope and a filter.
- D . Configure the Server Options.
B
Explanation:
Any DHCP scope options can be configured for assignment to DHCP clients, such as DNS server.
References:
Configuring a DHCP Scope. https://technet.microsoft.com/en-us/library/dd759218.aspx
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server role installed. Server1 has a zone named contoso.com.
The zone is configured as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that only Scope1, Scope3, and Scope5 assign the same DNS servers to DHCP clients. The solution must minimize administrative effort.
What should you do?
- A . Create a superscope and scope-level policies.
- B . Configure the Scope Options.
- C . Create a superscope and a filter.
- D . Configure the Server Options.
D
Explanation:
Secure dynamic updates are only supported or configurable for resource records in zones that are stored in Active Directory Domain Services (AD DS).
Note: To modify security for a resource record
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP Server role installed.
An administrator installs the IP Address Management (IPAM) Server feature on a server named Server2. The administrator configures IPAM by using Group Policy based provisioning and starts server discovery. You plan to create Group Policies for IPAM provisioning. You need to identify which Group Policy object (GPO) name prefix must be used for IPAM Group Policies.
What should you do on Server2?
- A . From Server Manager, review the IPAM overview.
- B . Run the ipamgc.exe tool.
- C . From Task Scheduler, review the IPAM tasks.
- D . Run the Get-IpamConfiguration cmdlet.
D
Explanation:
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DHCP Server server role installed.
You need to create an IPv6 scope on Server1. The scope must use an address space that is reserved for private networks. The addresses must be routable.
Which IPv6 scope prefix should you use?
- A . 2001:123:4567:890A::
- B . FE80:123:4567::
- C . FF00:123:4567:890A::
- D . FD00:123:4567::
D
Explanation:
* A unique local address (ULA) is an IPv6 address in the block fc00::/7, defined in RFC 4193. It is the approximate IPv6 counterpart of the IPv4 private address.
The address block fc00::/7 is divided into two /8 groups:
/ The block fc00::/8 has not been defined yet.
/ The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string.
* Prefixes in the fd00::/8 range have similar properties as those of the IPv4 private address ranges:
/ They are not allocated by an address registry and may be used in networks by anyone without outside involvement.
/ They are not guaranteed to be globally unique.
/ Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in the global DNS.
Reference: RFC 4193
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server role installed.
The network contains client computers that run either Linux, Windows 7, or Windows 8.1.
You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
You plan to configure Name Protection on all of the DHCP servers. You need to configure the adatum.com zone to support Name Protection.
Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the solution. Choose two.)
- A . Sign the zone.
- B . Store the zone in Active Directory.
- C . Modify the Security settings of the zone.
- D . Configure Dynamic updates.
- E . Add a DNS key record
BD
Explanation:
Name protection requires secure update to work. Without name protection DNS names may be hijacked.
You can use the following procedures to allow only secure dynamic updates for a zone. Secure dynamic update is supported only for Active Directory integrated zones. If the zone type is configured differently, you must change the zone type and directory-integrate the zone before securing it for Domain Name System (DNS) dynamic updates.
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. All servers run Windows Server 2012 R2. You install the DHCP Server role on both servers.
On Server1, you have the DHCP scope configured as shown in the exhibit. (Click the Exhibit button.)
You need to configure the scope to be load-balanced across Server1 and Server2.
What Windows PowerShell cmdlet should you run on Server1? To answer, select the appropriate options in the answer area.
Explanation:
* Add-DhcpServerv4Failover
The Add-DhcpServerv4Failover cmdlet adds a new IPv4 failover relationship to a Dynamic Host Configuration Protocol (DHCP) server service.
/ -PartnerServer <String>
Specifies the IPv4 address, or host name, of the partner DHCP server service with which the failover relationship is created.
/ -ScopeId <IPAddress[]>
Specifies the scope identifiers, in IPv4 address format, which are to be added to the failover relationship.
* Example:
Reference: Add-DhcpServerv4Failover
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two DHCP servers named Server1 and Server2. Both servers have multiple IPv4 scopes. Server1 and Server2 are used to assign IP addresses for the network IDs of 172.20.0.0/16 and 131.107.0.0/16.
You install the IP Address Management (IPAM) Server feature on a server named IPAM1 and configure IPAM1 to manage Server1 and Server2.
Some users from the 172.20.0.0 network report that they occasionally receive an IP address conflict error message.
You need to identify whether any scopes in the 172.20.0.0 network ID conflict with one another.
What Windows PowerShell cmdlet should you run? To answer, select the appropriate options in the answer area.
Explanation:
Type the following command at a Windows PowerShell prompt and press ENTER:
PS C:\> Get-IpamRange -AddressFamily IPv4 -AddressCategory Private | Where-Object {$_.Overlapping -eq "True"}
The previous command will display any overlapping IP address ranges, if they exist.
Reference: Walkthrough: Demonstrate IPAM in Windows Server 2012 R2.
Your network contains two DNS servers named DNS1 and DNS2 that run Windows Server 2012 R2. DNS1 has a primary zone named contoso.com. DNS2 has a secondary copy of the contoso.com zone. You need to log the zone transfer packets sent between DNS1 and DNS2.
What should you configure?
- A . Monitoring from DNS Manager
- B . Logging from Windows Firewall with Advanced Security
- C . A Data Collector Set (DCS) from Performance Monitor
- D . Debug logging from DNS Manager
D
Explanation:
Debug logging allows you to log the packets sent and received by a DNS server. Debug logging is disabled by default, and because it is resource intensive, you should only activate it temporarily when you need more specific detailed information about server performance.
Reference: Active Directory 2008: DNS Debug Logging Facts.
Your network contains an Active Directory forest named contoso.com.
Users frequently access the website of an external partner company. The URL of the website is http://partners.adatum.com. The partner company informs you that it will perform maintenance on its Web server and that the IP addresses of the Web server will change.
After the change is complete, the users on your internal network report that they fail to access the website.
However, some users who work from home report that they can access the website. You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address immediately.
What should you do?
- A . Run dnscmd and specify the CacheLockingPercent parameter.
- B . Run Set-DnsServerGlobalQueryBlockList.
- C . Run ipconfig and specify the Renew parameter.
- D . Run Set-DnsServerCache.
D
Explanation:
The Set-DnsServerCache cmdlet modifies cache settings for a Domain Name System (DNS) server.
Run Set-DnsServerCache with the -LockingPercent switch.
/ -LockingPercent <UInt32>
Specifies a percentage of the original Time to Live (TTL) value that caching can consume.
Cache locking is configured as a percent value. For example, if the cache locking value is set to 50, the DNS server does not overwrite a cached entry for half of the duration of the TTL. By default, the cache locking percent value is 100. This value means that the DNS server will not overwrite cached entries for the entire duration of the TTL.
Note: A better way would be to clear the DNS cache on the DNS server with either Dnscmd /ClearCache (from command prompt), or Clear-DnsServerCache (from Windows PowerShell).
Reference: Set-DnsServerCache
http://technet.microsoft.com/en-us/library/jj649852.aspx
Incorrect:
Not A. You need to use the /config parameter as well:
You can change this value if you like by using the dnscmd command:
dnscmd /Config /CacheLockingPercent <percent>
You have a server named Server1. You install the IP Address Management (IPAM) Server feature on Server1. You need to provide a user named User1 with the ability to set the access scope of all the DHCP servers that are managed by IPAM. The solution must use the principle of least privilege.
Which user role should you assign to User1?
- A . DNS Record Administrator Role
- B . IPAM DHCP Reservations Administrator Role
- C . IPAM Administrator Role
- D . IPAM DHCP Administrator Role
D
Explanation:
The IPAM DHCP administrator role completely manages DHCP servers.
Reference: What’s New in IPAM
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed. On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM.
On Server1, you open Server Manager as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that you can use IPAM on Server1 to manage DNS on DC1.
What should you do?
- A . Modify the outbound firewall rules on Server1.
- B . Modify the inbound firewall rules on Server1.
- C . Add Server1 to the Remote Management Users group.
- D . Add Server1 to the Event Log Readers group.
D
Explanation:
To access configuration data and server event logs, the IPAM server must be a member of the domain IPAM Users Group (IPAMUG). The IPAM server must also be a member of the Event Log Readers security group.
Note: The computer account of the IPAM server must be a member of the Event Log Readers security group.
Reference: Manually Configure DC and NPS Access Settings. http://technet.microsoft.com/en-us/library/jj878317.aspx http://technet.microsoft.com/en-us/library/jj878313.aspx
You have a server named SCI that runs a Server Core Installation of Windows Server 2012 R2. Shadow copies are enabled on all volumes.
You need to delete a specific shadow copy. The solution must minimize server downtime.
Which tool should you use?
- A . Shadow
- B . Diskshadow
- C . Wbadmin
- D . Diskpart
B
Explanation:
DiskShadow.exe is a tool that exposes the functionality offered by the Volume Shadow Copy Service (VSS). The diskshadow "delete shadows" command deletes shadow copies.
References: Technet, Diskshadow https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
You have 20 servers that run Windows Server 2012 R2.
You need to create a Windows PowerShell script that registers each server in Microsoft Azure Backup and sets an encryption passphrase.
Which two PowerShell cmdlets should you run in the script? (Each correct answer presents part of the solution. Choose two.)
- A . New-OBPolicy
- B . New-OBRetentionPolicy
- C . Add-OBFileSpec
- D . Start-OBRegistration
- E . Set-OBMachineSetting
DE
Explanation:
D. Start-OBRegistration
Registers the current computer with Windows Azure Online Backup using the credentials (username and password) created during enrollment.
E. The Set-OBMachineSetting cmdlet sets an OBMachineSetting object for the server that includes proxy server settings for accessing the internet, network bandwidth throttling settings, and the encryption passphrase that is required to decrypt the files during recovery to another server.
Incorrect Answers:
C. The Add-OBFileSpec cmdlet adds the OBFileSpec object, which specifies the items to include or exclude from a backup, to the backup policy (OBPolicy object). The OBFileSpec object can include or exclude multiple files, folders, or volumes.
References: Start-OBRegistration; Set-OBMachineSetting
https://technet.microsoft.com/en-us/library/hh770398.aspx https://technet.microsoft.com/en-us/library/hh770409.aspx
You have 30 servers that run Windows Server 2012 R2.
All of the servers are backed up daily by using Windows Azure Backup.
You need to perform an immediate backup of all the servers to Windows Azure Backup.
Which Windows PowerShell cmdlets should you run on each server?
- A . Get-OBPolicy | Start-OBBackup
- B . Start-OBRegistration | Start-OBBackup
- C . Get-WBPolicy | Start-WBBackup
- D . Get-WBBackupTarget | Start-WBBackup
A
Explanation:
This example starts a backup job using a policy.
Windows PowerShell
PS C:\> Get-OBPolicy | Start-OBBackup
Incorrect Answers:
B. Registers the current computer to Windows Azure Backup.
C. Not using Azure.
D. Not using Azure.
References: Start-OBBackup https://technet.microsoft.com/en-us/library/hh770406(v=wps.620).aspx
You have a server named Server1 that runs Windows Server 2012 R2 and is used for testing.
A developer at your company creates and installs an unsigned kernel-mode driver on Server1. The developer reports that Server1 will no longer start.
You need to ensure that the developer can test the new driver. The solution must minimize the amount of data loss.
Which Advanced Boot Option should you select?
- A . Disable Driver Signature Enforcement
- B . Disable automatic restart on system failure
- C . Last Known Good Configuration (advanced)
- D . Repair Your Computer
C
Explanation:
You have a server named Server1 that runs Windows Server 2012 R2.
When you install a custom application on Server1 and restart the server, you receive the following error message: "The Boot Configuration Data file is missing some required information.
File: \Boot\BCD
Error code: 0x0000034."
You start Server1 by using Windows RE. You need to ensure that you can start Windows Server 2012 R2 on Server1.
Which tool should you use?
- A . Bootsect
- B . Bootim
- C . Bootrec
- D . Bootcfg
C
Explanation:
* Use the Bootrec.exe tool to troubleshoot a "Bootmgr Is Missing" issue. The /ScanOs option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.
* Error code 0x0000034 while booting.
Resolution:
You have a server named Server1 that runs Windows Server 2012 R2. Server1 is backed up by using Windows Server Backup.
The backup configuration is shown in the exhibit. (Click the Exhibit button.)
You discover that only the last copy of the backup is maintained. You need to ensure that multiple backup copies are maintained.
What should you do?
- A . Modify the backup destination.
- B . Configure the Optimize Backup Performance settings.
- C . Modify the Volume Shadow Copy Service (VSS) settings.
- D . Modify the backup times.
A
Explanation:
The destination in the exhibit shows that a network share is used. If a network share is being used, only the latest copy will be saved.
Reference: Where should I save my backup? http://windows.microsoft.com/en-us/windows7/where-should-i-save-my-backup
Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2012 R2.
All servers have the Hyper-V server role and the Failover Clustering feature installed.
You need to replicate virtual machines from Cluster1 to Cluster2.
Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
- A . From Hyper-V Manager on a node in Cluster2, create three virtual machines.
- B . From Cluster2, add and configure the Hyper-V Replica Broker role.
- C . From Failover Cluster Manager on Cluster1, configure each virtual machine for replication.
- D . From Cluster1, add and configure the Hyper-V Replica Broker role.
- E . From Hyper-V Manager on a node in Cluster2, modify the Hyper-V settings.
BCD
Explanation:
D. You must configure the Hyper-V Replica Broker for cluster1.
E. We must configure the Replica server to receive replication from primary servers:
You have a server named Server1 that runs Windows Server 2012 R2. Each day, Server1 is backed up fully to an external disk. On Server1, the disk that contains the operating system fails. You replace the failed disk. You need to perform a bare-metal recovery of Server1 by using the Windows Recovery Environment (Windows RE).
What should you do?
- A . Run the Start-WBVolumeRecovery cmdlet and specify the -backupset parameter.
- B . Run the Get-WBBareMetalRecovery cmdlet and specify the -policy parameter.
- C . Run the wbadmin.exe start recovery command and specify the -recoverytarget parameter.
- D . Run the wbadmin.exe start sysrecovery command and specify the -backuptarget parameter.
D
Explanation:
Wbadmin start sysrecovery performs a system recovery (bare-metal recovery). This subcommand can be run only from the Windows Recovery Environment.
* -backupTarget
Specifies the storage location that contains the backup or backups that you want to recover. This parameter is useful when the storage location is different from where backups of this computer are usually stored.
References: Wbadmin start sysrecovery https://technet.microsoft.com/en-us/library/cc742118.aspx
You have a virtual machine named VM1 that runs on a host named Host1. You configure VM1 to replicate to another host named Host2. Host2 is located in the same physical location as Host1.
You need to add an additional replica of VM1. The replica will be located in a different physical site.
What should you do?
- A . From VM1 on Host2, click Extend Replication.
- B . On Host1, configure the Hyper-V settings.
- C . From VM1 on Host1, click Extend Replication.
- D . On Host2, configure the Hyper-V settings.
A
Explanation:
Extend Replication through UI:
Before you Extend Replication to third site, you need to establish the replication between a primary server and replica server.
Once that is done, go to replica site and from Hyper-V UI manager select the VM for which you want to extend the replication. Right click on VM and select “Replication->Extend Replication …”. This will open Extend Replication Wizard which is similar to Enable Replication Wizard.
NOTE: You configure a server to receive replication with Hyper-V Manager. In this situation, the replica site is assumed to be the Replica Server. Therefore, you extend replication from VM1 on Host2.
Note 2: With Hyper-V Extend Replication feature in Windows Server 2012 R2, customers can have multiple copies of data to protect them from different outage scenarios. For example, as a customer I might choose to keep my second DR site in the same campus or a few miles away while I want to keep my third copy of data across the continents to give added protection for my workloads. Hyper-V Replica Extend replication exactly addresses this problem by providing one more copy of workload at an extended site apart from replica site.
Reference: Hyper-V Replica: Extend Replication
http://blogs.technet.com/b/virtualization/archive/2013/12/10/hyper-v-replica-extend-replication.aspx
Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
Both servers have the Hyper-V server role installed. Server1 and Server2 are located in different offices. The offices connect to each other by using a high-latency WAN link.
Server1 hosts a virtual machine named VM1.
You need to ensure that you can start VM1 on Server2 if Server1 fails. The solution must minimize hardware costs.
What should you do?
- A . On Server1, install the Multipath I/O (MPIO) feature. Modify the storage location of the VHDs for VM1.
- B . From the Hyper-V Settings of Server2, modify the Replication Configuration settings. Enable replication for VM1.
- C . On Server2, install the Multipath I/O (MPIO) feature. Modify the storage location of the VHDs for VM1.
- D . From the Hyper-V Settings of Server1, modify the Replication Configuration settings. Enable replication for VM1.
D
Explanation:
You first have to enable replication on the Replica server (Server2) by going to the server and modifying the "Replication Configuration" settings under Hyper-V settings. You then go to VM1, which resides on Server1, and run the "Enable Replication" wizard on VM1.
You have a Hyper-V host named Server1 that runs Windows Server 2012 R2. Server1 contains a virtual machine named VM1 that runs Windows Server 2012 R2. You fail to start VM1 and you suspect that the boot files on VM1 are corrupt. On Server1, you attach the virtual hard disk (VHD) of VM1 and you assign the VHD a drive letter of F. You need to repair the corrupt boot files on VM1.
What should you run?
- A . bootrec.exe /rebuildbcd
- B . bootrec.exe /scanos
- C . bcdboot.exe f:\windows /s c:
- D . bcdboot.exe c:\windows /s f:
D
Explanation:
BCDboot enables you to quickly set up a system partition, or to repair the boot environment located on the system partition. The system partition is set up by copying a simple set of Boot Configuration Data (BCD) files to an existing empty partition.
Reference: BCDboot Command-Line Options
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. All servers run Windows Server 2012 R2.
All domain user accounts have the Division attribute automatically populated as part of the user provisioning process. The Support for Dynamic Access Control and Kerberos armoring policy is enabled for the domain.
You need to control access to the file shares on Server1 based on the values in the Division attribute and the Division resource property.
Which three actions should you perform in sequence?
Explanation:
* First create a claim type for the property, then create a reference resource property that points back to the claim. Finally set the classification value on the folder.
* Configure the components and policy
You have a server named LON-DC1 that runs Windows Server 2012 R2.
An iSCSI virtual disk named VirtualiSCSI1.vhd exists on LON-DC1 as shown in the exhibit. (Click the Exhibit button.)
You create a new iSCSI virtual disk named VirtualiSCSI2.vhd by using the existing itgt iSCSI target. VirtualiSCSI1.vhd is removed from LON-DC1. You need to assign VirtualiSCSI2.vhd a logical unit value of 0.
What should you do?
- A . Modify the properties of the itgt iSCSI target.
- B . Modify the properties of the VirtualiSCSI2.vhd iSCSI virtual disk.
- C . Run the Set-VirtualDisk cmdlet and specify the -UniqueId parameter.
- D . Run the iscsicli command and specify the reportluns parameter.
- E . Run the iscsicli command and specify the virtualdisklun parameter.
B
Explanation:
The virtual disk has the option to change the LUN ID; no other option available in the answers appears to allow this change.
Note: Logical unit numbers (LUNs) created on an iSCSI disk storage subsystem are not directly assigned to a server. For iSCSI, LUNs are assigned to logical entities called targets.
HOTSPOT
You have a file server named Server1 that runs Windows Server 2012 R2. You need to ensure that you can use the NFS Share – Advanced option from the New Share Wizard in Server Manager.
Which two role services should you install? To answer, select the appropriate two role services in the answer area.
Explanation:
* File Server Resource Manager role
File Server Resource Manager is a set of features that allow you to manage and classify data that is stored on file servers.
Note: NFS Share – Advanced
This advanced profile offers additional options to configure an NFS file share:
* Set the folder owners for access-denied assistance
* Configure default classification of data in the folder for management and access policies
* Enable quotas
Reference: How to share a folder in Windows Server 2012.
DRAG DROP
Your network contains an Active Directory domain named contoso.com. All file servers in the domain run Windows Server 2012 R2. The computer accounts of the file servers are in an organizational unit (OU) named OU1. A Group Policy object (GPO) named GPO1 is linked to OU1. You plan to modify the NTFS permissions for many folders on the file servers by using central access policies. You need to identify any users who will be denied access to resources that they can currently access once the new permissions are implemented.
In which order should you perform the five actions?
Explanation:
* Configure a central access rule
* Configure a central access policy (CAP) (with help of central access rules)
* Deploy the central access policy (through GPO)
* Modify security settings
* Check the result
Reference: Deploy a Central Access Policy (Demonstration Steps)
http://technet.microsoft.com/en-us/library/hh846167.aspx
Your network contains 20 iSCSI storage appliances that will provide storage for 50 Hyper-V hosts running Windows Server 2012 R2.
You need to configure the storage for the Hyper-V hosts. The solution must minimize administrative effort.
What should you do first?
- A . Install the iSCSI Target Server role service and configure iSCSI targets.
- B . Install the iSNS Server service feature and create a Discovery Domain.
- C . Start the Microsoft iSCSI Initiator Service and configure the iSCSI Initiator Properties.
- D . Install the Multipath I/O (MPIO) feature and configure the MPIO Properties.
B
Explanation:
Windows Server 2012 includes an iSCSI Target role that, along with Failover Clustering, allows it to become a cost-effective and highly-available iSCSI Storage Array.
We can connect from our Hyper-V host to the iSCSI target on the storage array with the following PowerShell command line:
New-IscsiTargetPortal -TargetPortalAddress <IP_Address or FQDN of storage array>
$target = Get-IscsiTarget
Connect-IscsiTarget -NodeAddress $target.NodeAddress
Incorrect:
Not B. Discovery Domains in an iSCSI fabric, like zones in a Fibre Channel fabric, enable you to partition the storage resources in your storage area network (SAN). By creating and managing Discovery Domains, you can control the iSCSI targets that each iSCSI initiator can see and log on to.
Reference: Configure iSCSI Target Server Role on Windows Server 2012
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. All client computers run Windows 8. You need to configure a custom Access Denied message that will be displayed to users when they are denied access to folders or files on Server1.
What should you configure?
- A . A classification property
- B . The File Server Resource Manager Options
- C . A file management task
- D . A file screen template
B
Explanation:
Access-denied assistance can be configured by using the File Server Resource Manager console on the file server.
Note: Access-denied assistance is a new feature in Windows Server 2012, which provides the following ways to troubleshoot issues that are related to access to files and folders:
* Self-assistance. If a user can determine the issue and remediate the problem so that they can get the requested access, the impact to the business is low, and no special exceptions are needed in the central access policy. Access-denied assistance provides an access-denied message that file server administrators can customize with information specific to their organizations. For example, an administrator could set the message so that users can request access from a data owner without involving the file server administrator.
Reference: Scenario: Access-Denied Assistance
DRAG DROP
You have a server that runs Windows Server 2012 R2. You create a new work folder named Share1.
You need to configure Share1 to meet the following requirements:
• Ensure that all synchronized copies of Share1 are encrypted.
• Ensure that clients synchronize to Share1 every 30 minutes.
• Ensure that Share1 inherits the NTFS permissions of the parent folder.
Which cmdlet should you use to achieve each requirement? To answer, drag the appropriate cmdlets to the correct requirements. Each cmdlet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Explanation:
* (box 1) Set-SyncShare
The Set-SyncShare cmdlet modifies the settings for a sync share.
Parameter: -RequireEncryption<Boolean>
Indicates whether the sync server requests that the contents of Work Folders be encrypted on each PC and device that accesses the sync share.
* (box 2) Set-SyncServerSettings
Parameter: -MinimumChangeDetectionMins<UInt32>
Specifies the time, in minutes, before the Sync Share server detects changes on devices and syncs the client and server.
* (box 3): Example: Modify a sync share to enable inherited permissions
This command modifies settings on the share named Share01, and sets KeepParentFolderPermission to enable the share to inherit permissions from the parent folder.
Windows PowerShell
PS C:\> Set-SyncShare Share01 -KeepParentFolderPermission
Reference: Set-SyncShare; Set-SyncServerSettings
HOTSPOT
Your network contains an Active Directory domain named contoso.com. All client computers run Windows 8 Enterprise. You have a remote site that only contains client computers. All of the client computer accounts are located in an organizational unit (OU) named Remote1. A Group Policy object (GPO) named GPO1 is linked to the Remote1 OU. You need to configure BranchCache for the remote site.
Which two settings should you configure in GPO1? To answer, select the two appropriate settings in the answer area.
Explanation:
BranchCache is disabled by default on client computers.
Take the following steps to enable BranchCache on client computers:
You have a server named Server1 that runs Windows Server 2012 R2.
The storage on Server1 is configured as shown in the following table.
You plan to implement Data Deduplication on Server1.
You need to identify on which drives you can enable Data Deduplication.
Which three drives should you identify? (Each correct answer presents part of the solution. Choose three.)
- A . C
- B . D
- C . E
- D . F
- E . G
BDE
Explanation:
Volumes that are candidates for deduplication must conform to the following requirements:
* Must not be a system or boot volume. (not A)
* Can be partitioned as a master boot record (MBR) or a GUID Partition Table (GPT), and must be formatted using the NTFS file system. (not C)
* Can reside on shared storage, such as storage that uses a Fibre Channel or an SAS array, or when an iSCSI SAN and Windows Failover Clustering is fully supported.
* Do not rely on Cluster Shared Volumes (CSVs). You can access data if a deduplication-enabled volume is converted to a CSV, but you cannot continue to process files for deduplication.
* Do not rely on the Microsoft Resilient File System (ReFS).
* Must be exposed to the operating system as non-removable drives. Remotely-mapped drives are not supported.
Ref: Plan to Deploy Data Deduplication
http://technet.microsoft.com/en-us/library/hh831700.aspx
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
You are creating a central access rule named TestFinance that will be used to audit members of the Authenticated Users group for access failure to shared folders in the finance department.
You need to ensure that access requests are unaffected when the rule is published.
What should you do?
- A . Add a User condition to the current permissions entry for the Authenticated Users principal.
- B . Set the Permissions to Use the following permissions as proposed permissions.
- C . Add a Resource condition to the current permissions entry for the Authenticated Users principal.
- D . Set the Permissions to Use following permissions as current permissions.
B
Explanation:
Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them.
Reference: Access Control and Authorization Overview
http://technet.microsoft.com/en-us/library/jj134043.aspx
You create a new virtual disk in a storage pool by using the New Virtual Disk Wizard. You discover that the new virtual disk has a write-back cache of 1 GB.
You need to ensure that the virtual disk has a write-back cache of 5 GB.
What should you do?
- A . Detach the virtual disk, and then run the Resize-VirtualDisk cmdlet.
- B . Detach the virtual disk, and then run the Set-VirtualDisk cmdlet.
- C . Delete the virtual disk, and then run the New-StorageSubSystemVirtualDisk cmdlet.
- D . Delete the virtual disk, and then run the New-VirtualDisk cmdlet.
D
Explanation:
So what about changing the cache size? Well, you can’t modify the cache size, but you can specify it at the time that you create a new virtual hard disk. In order to do so, you have to use Windows PowerShell.
New-VirtualDisk -StoragePoolFriendlyName "<storage pool name>" -FriendlyName "<v
Reference: Using Windows Server 2012’s SSD Write-Back Cache