Official 2014 Latest Microsoft 70-412 Exam Dump Free Download(61-70)!

QUESTION 61
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The forest functional level is Windows 2000. The contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server 2008 R2. The domain functional level is Windows Server 2008. The fabrikam.com domain contains domain controllers that run either Windows 2000 Server or Windows Server 2003. The domain functional level is Windows 2000 native. The contoso.com domain contains a member server named Server1 that runs Windows Server 2012 R2. You need to add Server1 as a new domain controller in the contoso.com domain. What should you do first?

A.    Raise the functional level of the contoso.com domain to Windows Server 2008 R2.
B.    Upgrade the domain controllers that run Windows Server 2008 to Windows Server 2008 R2.
C.    Raise the functional level of the fabrikam.com domain to Windows Server 2003.
D.    Decommission the domain controllers that run Windows 2000.
E.    Raise the forest functional level to Windows Server 2003.

Answer: D
Explanation:
D. Server 2003 is the minimum Domain Functional level for any domain in the forest Windows Server 2012 R2 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 R2 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher.
http://technet.microsoft.com/en-us/library/cc771294.aspx
 clip_image001[24]

QUESTION 62
Your network contains an Active Directory domain named adatum.com. The domain contains four servers. The servers are configured as shown in the following table.
 clip_image002[8]
You plan to deploy an enterprise certification authority (CA) on a server named Server5. Server5 will be used to issue certificates to domain-joined computers and workgroup computers. You need to identify which server you must use as the certificate revocation list (CRL) distribution point for Server5. Which server should you identify?

A.    Server 3
B.    Server 2
C.    Server 4
D.    Server 1

Answer: C
Explanation:
A. We cannot use AD DS because workgroup computers must access CRL distribution point
B. We cannot use File Share because workgroup computers must access CRL distribution point
C. Public facing web server can be used
D. AD DS, Web & File Share only
http://technet.microsoft.com/en-us/library/cc771079.aspx
 clip_image001[26]

QUESTION 63
You have a server named Server1 that has the Active Directory Certificate Services server role installed. Server1 uses a hardware security module (HSM) to protect the private key of Server1. You need to ensure that the Active Directory Certificate Services (AD CS) database, log files, and private key are backed up. You perform regular backups of the HSM module by using a backup utility provided by the HSM manufacturer. What else should you do?

A.    Run the certutil.exe command and specify the -backupkey parameter.
B.    Run the certutil.exe command and specify the -backupdb parameter.
C.    Run the certutil.exe command and specify the -backup parameter.
D.    Run the certutil.exe command and specify the -dump parameter.

Answer: B
Explanation:
A. Backup the Active Directory Certificate Services certificate and private key
B. Backup the Active Directory Certificate Services database
C. Backup Active Directory Certificate Services
D. Dump configuration information or files
http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupKey http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backupDB http://technet.microsoft.com/en-us/library/cc732443.aspx#BKMK_backup http://technet.microsoft.com/library/cc732443.aspx#BKMK_dump
 clip_image001[28]

QUESTION 64
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Federation Services (AD FS) server role installed. Adatum.com is a partner organization. You are helping the administrator of adatum.com set up a federated trust between adatum.com and contoso.com. The administrator of adatum.com asks you to provide a file containing the federation metadata of contoso.com. You need to identify the location of the federation metadata file. Which node in the AD FS console should you select?
To answer, select the appropriate node in the answer area.
 clip_image002[10]
Answer:
 clip_image002[12]

QUESTION 65
Your network contains three Active Directory forests. Each forest contains an Active Directory Rights Management Services (AD RMS) root cluster. All of the users in all of the forests must be able to access protected content from any of the forests. You need to identify the minimum number of AD RMS trusts required. How many trusts should you identify?

A.    2
B.    3
C.    4
D.    6

Answer: D
Explanation:
3 Forests. Bi Direcrional test needed means each forest needs 2 other forests TUD file. 3 x 2 =6 http://technet.microsoft.com/en-us/library/ee221071(v=ws.10).aspx
 clip_image001[30]

QUESTION 66
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA). All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card. A user named User1 resigned and started to work for a competing company. You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not prevent other users from logging on to the domain. Which tool should you use?

A.    Active Directory Sites and Services
B.    Active Directory Administrative Center
C.    Server Manager
D.    Certificate Templates

Answer: B
Explanation:
B. Disable user1 from ADAC
http://technet.microsoft.com/en-us/library/dd861307.aspx

QUESTION 67
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. Server1 hosts 10 virtual machines that run Windows Server 2012 R2. You add a new server named Server2. Server2 has faster hard disk drives, more RAM, and a different processor manufacturer than Server1. You need to move all of the virtual machines from Server1 to Server2. The solution must minimize downtime. What should you do for each virtual machine?

A.    Perform a quick migration.
B.    Perform a storage migration.
C.    Export the virtual machines from Server1 and import the virtual machines to Server2.
D.    Perform a live migration.

Answer: C
Explanation:
C. Other options require same CPU family and cluster
http://technet.microsoft.com/en-us/library/hh848491.aspx
http://technet.microsoft.com/en-us/library/hh848495.aspx
http://technet.microsoft.com/en-us/library/jj628158.aspx
The different processor manufacturer is the key here. Storage, Live, and Quick all require same manufacturer.
 clip_image001[32]
 clip_image001[34]
QUESTION 68
You have a datacenter that contains six servers. Each server has the Hyper-V server role installed and runs Windows Server 2012 R2. The servers are configured as shown in the following table.
 clip_image001[36]
Host4 and Host5 are part of a cluster named Cluster1. Cluster1 hosts a virtual machine named VM1. You need to move VM1 to another Hyper-V host. The solution must minimize the downtime of VM1. To which server and by which method should you move VM1?

A.    To Host3 by using a storage migration
B.    To Host6 by using a storage migration
C.    To Host2 by using a live migration
D.    To Host1 by using a quick migration

Answer: A
Explanation:
A. Host3 is the only option to allow minimum downtime and has same processor manufacturers
B. Live Storage Migration requires same processor manufacturers
C. Live migration requires same same processor manufacturers
D. Quick migration has downtime
NOTE: Exam may have more options but same answer
http://technet.microsoft.com/en-us/library/dd446679(v=ws.10).aspx http://technet.microsoft.com/en-us/library/hh831656.aspx
http://technet.microsoft.com/en-us/library/jj628158.aspx

QUESTION 69
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. Cluster1 hosts an application named App1. You need to ensure that Server2 handles all of the client requests to the cluster for App1. The solution must ensure that if Server2 fails, Server1 becomes the active node for Appl. What should you configure?

A.    Affinity-None
B.    Affinity-Single
C.    The cluster quorum settings
D.    The failover settings
E.    A file server for general use
F.    The Handling priority
G.    The host priority
H.    Live migration
I.    The possible owner
J.    The preferred owner
K.    Quick migration
L.    the Scale-Out File Server

Answer: J
Explanation:
http://blogs.msdn.com/b/clustering/archive/2008/10/14/9000092.aspx
The preferred owner in a 2 server cluster will always be the active node unless it is down.

QUESTION 70
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. You add two additional nodes to Cluster1. You need to ensure that Cluster1 stops running if three nodes fail. What should you configure?

A.    Affinity-None
B.    Affinity-Single
C.    The cluster quorum settings
D.    The failover settings
E.    A file server for general use
F.    The Handling priority
G.    The host priority
H.    Live migration
I.    The possible owner
J.    The preferred owner
K.    Quick migration
L.    the Scale-Out File Server

Answer: C
Explanation:
C. The quorum configuration in a failover cluster determines the number of failures that the cluster can sustain.
http://technet.microsoft.com/en-us/library/cc731739.aspx

clip_image001[38]
Passing Microsoft 70-412 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-412.html

Official 2014 Latest Microsoft 70-412 Exam Dump Free Download(51-60)!

QUESTION 51
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DNS Server server role installed. You need to configure Server1 to resolve queries for single-label DNS names. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.    Run the Set-DNSServerGlobalNameZone cmdlet.
B.    Modify the DNS suffix search list setting.
C.    Modify the Primary DNS Suffix Devolution setting.
D.    Create a zone named ".".
E.    Create a zone named GlobalNames.
F.    Run the Set-DNSServerRootHint cmdlet.

Answer: AE
Explanation:
http://technet.microsoft.com/en-us/library/cc731744.aspx
http://technet.microsoft.com/en-us/library/jj649907(v=wps.620).aspx
clip_image001[4] clip_image001
 

clip_image001[6]

QUESTION 52
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the IP Address Management (IPAM) Server feature installed. Server2 has the DHCP Server server role installed. A user named User1 is a member of the IPAM Users group on Server1. You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2. The solution must minimize the number of permissions assigned to User1. To which group should you add User1?

A.    DHCP Administrators on Server2
B.    IPAM ASM Administrators on Server1
C.    IPAMUG in Active Directory
D.    IPAM MSM Administrators on Server1

Answer: A
Explanation:
The user need rights to change DHCP not IPAM
C. Members of the DHCP Administrators group can view and modify any data at the DHCP server. http://technet.microsoft.com/en-us/library/jj878348.aspx
http://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx

QUESTION 53
You have a server named DC2 that runs Windows Server 2012 R2. DC2 contains a DNS zone named adatum.com. The adatum.com zone is shown in the exhibit. (Click the Exhibit button.)
 clip_image002
You need to configure DNS clients to perform DNSSEC validation for the adatum.com DNS domain.
What should you configure?

A.    The Network Location settings
B.    A Name Resolution Policy
C.    The DNS Client settings
D.    The Network Connection settings

Answer: B
B. The Name Resolution Policy Table (NRPT) is a table that contains rules you can configure to specify DNS settings or special behavior for names or namespaces. The NRPT can be configured using Group Policy or by using the Windows Registry.
C. client component that resolves and caches Domain Name System (DNS) domain names. When the DNS Client service receives a request to resolve a DNS name that it does not contain in its cache, it queries an assigned DNS server for an IP address for the name
D. Network connections make it possible for computers to access resources on the network and the internet
http://technet.microsoft.com/en-us/library/hh831411.aspx#config_client1
 clip_image002[4]

QUESTION 54
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the DHCP Server server role installed. Server2 has the Hyper-V server role installed. Server2 has an IP address of 192.168.10.50. Server1 has a scope named Scope1 for the 192.168.10.0/24 network. You plan to deploy 20 virtual machines on Server2 that will be connected to the external network. The MAC addresses for the virtual machines will begin with 00-15-SD-83-03. You need to configure Server1 to offer the virtual machines IP addresses from 192.168.10.200 to 192.168.10.21g. Physical computers on the network must be offered IP addresses outside this range. You want to achieve this goal by using the minimum amount of administrative effort. What should you do from the DHCP console?

A.    Create reservations.
B.    Create a policy.
C.    Delete Scope1 and create two new scopes.
D.    Configure Allow filters and Deny filters.

Answer: B
Explanation:
A. With client reservations, it is possible to reserve a specific IP address for permanent use by a DHCP client. A new feature in Windows Server 2012 R2 called policy based assignment allows for even greater flexibility.
B. Policy based assignment allows the policy to be scoped to a MAC address and IP range
C.
D. A DHCP server offers its services to the DHCP clients based on the availability of MAC address filtering.
Once the Allow filter is set, all DHCP operations are based on the access controls (allow/deny).
http://blogs.technet.com/b/teamdhcp/archive/2012/08/22/granular-dhcp-serveradministration- using-dhcppolicies-in-windows-server-2012.aspx
http://technet.microsoft.com/en-us/library/hh831538.aspx
http://technet.microsoft.com/en-us/library/ee405265(v=ws.10).aspx

QUESTION 55
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the IP Address Management (IPAM) Server feature installed. You have a support technician named Tech1. Tech1 is a member of the IPAM Administrators group on Server1 and Server2. You need to ensure that Tech 1 can use Server Manager on Server1 to manage IPAM on Server2. To which group on Server2 should you add Tech1.

A.    Remote Management Users
B.    IPAM MSM Administrators
C.    IPAM Administrators
D.    WinRM Remote WM1 Users

Answer: D

QUESTION 56
Your network contains two Active Directory forests named contoso.com and adatum.com. All of the domain controllers in both of the forests run Windows Server 2012 R2. The adatum.com domain contains a file server named Servers. Adatum.com has a one-way forest trust to contoso.com. A contoso.com user name User10 attempts to access a shared folder on Servers and receives the error message shown in the exhibit. (Click the Exhibit button.)
 clip_image001[8]
You verify that the Authenticated Users group has Read permissions to the Data folder. You need to ensure that User10 can read the contents of the Data folder on Server5 in the adatum.com domain.
What should you do?

A.    Grant the Other Organization group Read permissions to the Data folder.
B.    Modify the list of logon workstations of the contoso\User10 user account.
C.    Enable the Netlogon Service (NP-In) firewall rule on Server5.
D.    Modify the permissions on the Server5 computer object in Active Directory.

Answer: D
Explanation:
To resolve the issue, I had to open up AD Users and Computers –> enable Advanced Features –> Select the Computer Object –> Properties –> Security –> Add the Group I want to allow access to the computer (in this case, DomainA\Domain users) and allow "Allowed to Authenticate". Once I did that, everything worked:

QUESTION 57
Your network contains an Active Directory domain named contoso.com. The domain contains two Active Directory sites named Site1 and Site2. You discover that when the account of a user in Site1 is locked out, the user can still log on to the servers in Site2 for up to 15 minutes by using Remote Desktop Services (RDS). You need to reduce the amount of time it takes to synchronize account lockout information across the domain. Which attribute should you modify? To answer, select the appropriate attribute in the answer area.
 clip_image001[10]
Answer:
 clip_image001[12]

QUESTION 58
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003. You have a domain outside the forest named adatum.com. You need to configure an access solution to meet the following requirements:
– Users in adatum.com must be able to access resources in contoso.com.
– Users in adatum.com must be prevented from accessing resources in fabrikam.com.
– Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com.
What should you create?

A.    a one-way external trust from adatum.com to fabrikam.com
B.    a one-way realm trust from fabrikam.com to adatum.com
C.    a one-way realm trust from adatum.com to fabrikam.com
D.    a one-way external trust from fabrikam.com to adatum.com

Answer: A
Explanation:
A. A one-way trust is a unidirectional authentication path that is created between two domains. This means that in a one-way trust between Domain A and Domain B, users in Domain A can access resources in Domain B. However, users in Domain B cannot access resources in Domain A. This would allow adatum.com users access to contoso which is desired.
B. This would allow contoso.com users access to adatum which must be prevented and used for non windows realm to AD.
C. This would allow adatum.com users access to contoso which is desired but realm trust types are used for non windows realm to AD.
D. This would allow adatum users access to contoso which must be prevented and You need to make trust relationship where domain contoso.com trusts adatum.com.
NOTE: On exam the domain names were changed, so understand the question well
http://technet.microsoft.com/en-us/library/cc728024(v=ws.10).aspx
 clip_image001[14]

QUESTION 59
Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists for each office. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
 clip_image001[16]
DC1 hosts an Active Directory-integrated zone for contoso.com. You add the DNS Server server role to DC2. You discover that the contoso.com DNS zone fails to replicate to DC2. You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2. You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication. Which tool should you use?

A.    Active Directory Sites and Services
B.    Ntdsutil
C.    DNS Manager
D.    Active Directory Domains and Trusts

Answer: A
Explanation:
A. To control replication between two sites, you can use the Active Directory Sites and Services snap- in to configure settings on the site link object to which the sites are added. By configuring settings on a site link, you can control when replication occurs between two or more sites, and how often
B. Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). You can use the ntdsutil commands to perform database maintenance of AD DS, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
C. DNS Manager is the tool you’ll use to manage local and remote DNS Servers
D. Active Directory Domains and Trusts is the Microsoft Management Console (MMC) snap-in that you can use to administer domain trusts, domain and forest functional levels, and user principal name (UPN) suffixes.
http://technet.microsoft.com/en-us/library/cc731862.aspx
http://technet.microsoft.com/en-us/library/cc753343(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc722541.aspx
http://technet.microsoft.com/en-us/library/cc770299.aspx
Note: If you see question about AD Replication, First preference is AD sites and services, then
Repadmin and then DNSLINT.

QUESTION 60
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003. The
contoso.com domain contains domain controllers that run either Windows Server 2008 or Windows Server 2008 R2. The functional level of the domain is Windows Server 2008. The fabrikam.com domain contains domain controllers that run either Windows Server 2003 or Windows Server 2008. The functional level of the domain is Windows Server 2003. The contoso.com domain contains a member server named Server1 that runs Windows Server 2012 R2. You install the Active Directory Domain Services server role on Server1. You need to add Server1 as a new domain controller in the contoso.com domain. What should you do?

A.    Run the Active Directory Domain Services Configuration Wizard.
B.    Run adprep.exe /domainprep, and then run dcpromo.exe.
C.    Raise the functional level of the forest, and then run dcprorno.exe.
D.    Modify the Computer Name/Domain Changes properties.

Answer: A
Explanation:
Windows Server 2012 R2 requires a Windows Server 2003 forest functional level. That is, before you can add a domain controller that runs Windows Server 2012 R2 to an existing Active Directory forest, the forest functional level must be Windows Server 2003 or higher.
http://blogs.technet.com/b/askpfeplat/archive/2012/09/03/introducing-the-first-windowsserver- 2012-domaincontroller.aspx
http://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx http://technet.microsoft.com/en-us/library/jj574134.aspx
 clip_image001[18]
 clip_image001[20]

clip_image002[6]

Passing Microsoft 70-412 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-412.html

Official 2014 Latest Microsoft 70-411 Exam Dump Free Download(321-330)!

QUESTION 321
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1 and Server2 are nodes in a Hyper-V cluster named Cluster1. Cluster1 hosts 10 virtual machines. All of the virtual machines run Windows Server 2012 R2 and are members of the domain. You need to ensure that the first time a service named Service1 fails on a virtual machine, the virtual machine is moved to a different node. You configure Service1 to be monitored from Failover Cluster Manager. What should you configure on the virtual machine?

A.    From the Recovery settings of Service1, set the First failure recovery action to Restart the Service.
B.    From the Recovery settings of Service1, set the First failure recovery action to Take No Action.
C.    From the General settings, modify the Startup type.
D.    From the General settings, modify the Service status.

Answer: B

QUESTION 322
Your network contains two servers named Server1 and Server2. Both servers run Windows Server 2012 R2, On Server1, you create a Data Collector Set (DCS) named Data1. You need to export Data1 to Server2. What should you do first?

A.    Right-click Data1 and click Data Manager…
B.    Right-click Data1 and click Save template…
C.    Right-click Data1 and click Properties.
D.    Right-click Data1 and click Export list…

Answer: B
Explanation:
http://technet.microsoft.com/en-us/library/cc766318.aspx

QUESTION 323
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. An organizational unit (OU) named OU1 contains 200 client computers that run Windows 8 Enterprise. A Group Policy object (GPO) named GPO1 is linked to OU1. You make a change to GPO1. You need to force all of the computers in OU1 to refresh their Group Policy settings immediately. The solution must minimize administrative effort. Which tool should you use?

A.    The Set-AdComputercmdlet
B.    Group Policy Object Editor
C.    Active Directory Users and Computers
D.    Group Policy Management Console (GPMC)

Answer: D
Explanation:
In the previous versions of Windows, this was accomplished by having the user run GPUpdate.exe on their computer. Starting with Windows Server 2012 and Windows 8, you can now remotely refresh Group Policy settings for all computers in an OU from one central location through the Group Policy Management Console (GPMC). Or you can use the Invoke-GPUpdate cmdlet to refresh Group Policy for a set of computers, not limited to the OU structure, for example, if the computers are located in the default computers container.
Note: Group Policy Management Console (GPMC) is a scriptable Microsoft Management Console (MMC) snap-in, providing a single administrative tool for managing Group Policy across the enterprise. GPMC is the standard tool for managing Group Policy.
Incorrect:
Not B: Secedit configures and analyzes system security by comparing your current configuration to at least one template.
Reference: Force a Remote Group Policy Refresh (GPUpdate)

QUESTION 324
Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain. You need to create NAP event trace log files on a client computer.
What should you run?

A.    Logman
B.    Tracert
C.    Register-EngineEvent
D.    Register-ObjectEvent

Answer: A

QUESTION 325
Your network contains an Active Directory domain named contoso.com. The domain contains client computers that run either Windows XP, Windows 7, or Windows 8. Network Policy Server (NPS) is deployed to the domain. You plan to create a system health validator (SHV). You need to identify which policy settings can be Applied to all of the computers. Which three policy settings should you identify? (Each correct answer presents part of the solution. Choose three.)

A.    A firewall is enabled for all network connections.
B.    An antispyware application is on.
C.    Automatic updating is enabled.
D.    Antivirus is up to date.
E.    Antispyware is up to date.

Answer: ACD
Explanation:
* System health agent (SHA) is a NAP component.
* System health agent (SHA)
A component that checks the state of the client computer to determine whether the settings monitored by the SHA are up-to-date and configured correctly. For example, the Windows Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is installed, enabled, and updated, whether antispyware software is installed, enabled, and updated, and whether Microsoft Update Services is enabled and the computer has the most recent security updates from Microsoft Update Services. There might also be SHAs (and corresponding system health validators) available from other companies that provide different functionality.

QUESTION 326
Drag and Drop Question
Your network contains an Active Directory forest named contoso.com. The forest contains a Network Policy Server (NPS) server named NPS1 and a VPN server named VPN1. VPN1 forwards all authentication requests to NPS1.
A partner company has an Active Directory forest named adatum.com. The adatum.com forest contains an NPS server named NPS2.
You plan to grant users from adatum.com VPN access to your network.
You need to authenticate the users from adatum.com on VPN1.
What should you create on each NPS server?
To answer, drag the appropriate objects to the correct NPS servers. Each object may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
 clip_image002[46]
Answer:
 clip_image002[48]

QUESTION 327
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains the users shown in the following table.
 clip_image001[114]
You have a Network Policy Server (NPS) server that has the network policies shown in the following table.
 clip_image001[116]
User1, User2, and User3 plan to connect to the network by using a VPN. You need to identify which network policy will apply to each user.
What should you identify?
To answer, select the appropriate policy for each user in the answer area.
 clip_image001[118]
Answer:
 clip_image001[120]

QUESTION 328
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Server1 has the Network Policy Server server role installed. Server2 has the DHCP Server server role installed. Both servers run Windows Server 2012 R2.
You are configuring Network Access Protection (NAP) to use DHCP enforcement.
You configure a DHCP scope as shown in the exhibit. (Click the Exhibit button.)
 clip_image001[122]
You need to ensure that non-compliant NAP clients receive different DHCP options than compliant NAP clients.
What should you configure on each server?
To answer, select the appropriate options for each server in the answer area.
 clip_image001[124]
Answer:
 clip_image001[126]

QUESTION 329
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains a server named Server1 that has the Network Policy Server server role and the Remote Access server role installed. The domain contains a server named Server2 that is configured as a RADIUS server.
Server1 provides VPN access to external users.
You need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server on Server2.
What should you run?

A.    Add-RemoteAccessRadius -ServerNameServer1 -AccountingOnOffMsg Enabled – SharedSecret "Secret" -Purpose Accounting
B.    Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled
C.    Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled – SharedSecret "Secret" -Purpose Accounting
D.    Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled

Answer: C

QUESTION 330
Your network contains four Network Policy Server (NPS) servers named Server1, Server2, Servers, and Server4.
Server1 is configured as a RADIUS proxy that forwards connection requests to a remote RADIUS server group named Group1.
You need to ensure that Server2 and Server3 receive connection requests. Server4 must only receive connection requests if both Server2 and Server3 are unavailable.
How should you configure Group1?

A.    Change the Weight of Server4 to 10.
B.    Change the Weight of Server2 and Server3 to 10.
C.    Change the Priority of Server2 and Server3 to 10.
D.    Change the Priority of Server4 to 10.

Answer: D
Explanation:
During the NPS proxy configuration process, you can create remote RADIUS server groups and then add RADIUS servers to each group. To configure load balancing, you must have more than one RADIUS server per remote RADIUS server group. While adding group members, or after creating a RADIUS server as a group member, you can access the Add RADIUS server dialog box to configure the following items on the Load Balancing tab:
Priority. Priority specifies the order of importance of the RADIUS server to the NPS proxy server. Priority level must be assigned a value that is an integer, such as 1, 2, or 3. The lower the number, the higher priority the NPS proxy gives to the RADIUS server.
For example, if the RADIUS server is assigned the highest priority of 1, the NPS proxy sends connection requests to the RADIUS server first; if servers with priority 1 are not available, NPS then sends connection requests to RADIUS servers with priority 2, and so on. You can assign the same priority to multiple RADIUS servers, and then use the Weight setting to load balance between them.
Weight. NPS uses this Weight setting to determine how many connection requests to send to each group member when the group members have the same priority level. Weight setting must be assigned a value between 1 and 100, and the value represents a percentage of 100 percent. For example, if the remote RADIUS server group contains two members that both have a priority level of 1 and a weight rating of 50, the NPS proxy forwards 50 percent of the connection requests to each RADIUS server.
Advanced settings. These failover settingsprovide a way for NPS to determine whether the remote RADIUS server is unavailable. If NPS determines that a RADIUS server is unavailable, it can start sending connection requests to other group members. With these settings you can configure the number of seconds that the NPS proxy waits for a response from the RADIUS server before it considers the request dropped; the maximum number of dropped requests before the NPS proxy identifies the RADIUS server as unavailable; and the number of seconds that can elapse between requests before the NPS proxy identifies the RADIUS server as unavailable.
The default priority is 1 and can be changed from 1 to 65535. So changing server 2 and 3 to priority 10 is not the way to go.
 clip_image001[128]
http://technet.microsoft.com/en-us/library/dd197433(WS.10).aspx

Passing Microsoft 70-411 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-411.html

Official 2014 Latest Microsoft 70-411 Exam Dump Free Download(311-320)!

QUESTION 311
You have 30 servers that run Windows Server 2012 R2. All of the servers are backed up daily by using Windows Azure Online Backup. You need to perform an immediate backup of all the servers to Windows Azure Online Backup. Which Windows PowerShell cmdlets should you run on each server?

A.    Start-OBRegistration | Start-OBBackup
B.    Get-OBPolicy | Start-OBBackup
C.    Get-WBBackupTarget | Start-WBBackup
D.    Get-WBPolicy | Start-WBBackup

Answer: B
Explanation:
A. starts a backup job using a policy
B. Registers the current computer to Windows Azure Backup.
C. Not using Azure
D. Not using Azure
http://technet.microsoft.com/en-us/library/hh770406(v=wps.620).aspx http://technet.microsoft.com/en-us/library/hh770426.aspx
http://technet.microsoft.com/en-us/library/hh770398.aspx

QUESTION 312
You have 20 servers that run Windows Server 2012 R2. You need to create a Windows PowerShell script that registers each server in Windows Azure Online Backup and sets an encryption passphrase. Which two PowerShell cmdlets should you run in the script? (Each correct answer presents part of the solution. Choose two.)

A.    New-OBPolicy
B.    New-OBRetentionPolicy
C.    Add-OBFileSpec
D.    Start-OBRegistration
E.    Set OBMachineSetting

Answer: DE
Explanation:
D: Start-OBRegistration
Registers the current computer with Windows Azure Online Backup using the credentials (username and password) created during enrollment.
E: The Set-OBMachineSettingcmdlet sets aOBMachineSetting object for the server that includes proxy server settings for accessing the internet, network bandwidth throttling settings, and the encryption passphrase that is required to decrypt the files during recovery to another server. Incorrect:
Not C: TheAdd-OBFileSpeccmdlet adds theOBFileSpecobject, which specifies the items to include or exclude from a backup, to the backup policy (OBPolicyobject). TheOBFileSpecobject can include or exclude multiple files, folders, or volumes.
http://technet.microsoft.com/en-us/library/hh770416(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/hh770425(v=wps.620).aspx
http://technet.microsoft.com/en-us/library/hh770424.aspx
http://technet.microsoft.com/en-us/library/hh770398.aspx
http://technet.microsoft.com/en-us/library/hh770409.aspx

QUESTION 313
Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2008 R2. The domain contains a file server named Server6 that runs Windows Server 2012 R2. Server6 contains a folder named Folder1. Folder1 is shared as Share1. The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)
 clip_image002[44]
The domain contains two global groups named Group1 and Group2. You need to ensure that only users who are members of both Group1 and Group2 are denied access to Folder1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.    Remove the Deny permission for Group1 from Folder1.
B.    Deny Group2 permission to Folder1.
C.    Install a domain controller that runs Windows Server 2012 R2.
D.    Create a conditional expression.
E.    Deny Group2 permission to Share1.
F.    Deny Group1 permission to Share1.

Answer: AD
Explanation:
* Conditional Expressions for Permission Entries Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing a conditional access permission entry. Windows Server 2012 R2 takes advantage of conditional access permission entries by inserting user claims, device claims, and resource properties, into conditional expressions. Windows Server 2012 R2 security evaluates these expressions and allows or denies access based on results of the evaluation. Securing access to resources through claims is known as claims-based access control. Claims-based access control works with traditional access control to provide an additional layer of authorization that is flexible to the varying needs of the enterprise environment. http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamicaccess-control-en-us.aspx

QUESTION 314
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. The File Server Resource Manager role service is installed on Server1. All servers run Windows Server 2012 R2. A Group Policy object (GPO) named GPO1 is linked to the organizational unit (OU) that contains Server1. The following graphic shows the configured settings in GPO1.
 clip_image001[110]
Server1 contains a folder named Folder1. Folder1 is shared as Share1. You attempt to configure access-denied assistance on Server1, but the Enable accessdenied assistance option cannot be selected from File Server Resource Manager. You need to ensure that you can configure access- denied assistance on Server1 manually by using File Server Resource Manager. What should you do?

A.    Set the Customize message for Access Denied errors policy setting to Enabled for GPO1.
B.    Set the Enable access-denied assistance on client for all file types policy setting to Enabled for GPO1.
C.    Set the Customize message for Access Denied errors policy setting to Not Configured for GPO1.
D.    Set the Enable access-denied assistance on client for all file types policy setting to Disabled for GPO1.

Answer: C
Explanation:
Ensure that you can configure access-denied assistance
http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1

QUESTION 315
You have a server named FS1 that runs Windows Server 2012 R2. You install the File and Storage Services server role on FS1. From Windows Explorer, you view the properties of a shared folder named Share1 and you discover that the Classification tab is missing. You need to ensure that you can assign classifications to Share1 from Windows Explorer manually. What should you do?

A.    From Folder Options, clear Use Sharing Wizard (Recommend).
B.    Install the File Server Resource Manager role service.
C.    From Folder Options, select Show hidden files, folders, and drives.
D.    Install the Enhanced Storage feature.

Answer: B

QUESTION 316
Your network contains an Active Directory forest named adatum.com. All servers run Windows Server 2012 R2. The domain contains four servers. The servers are configured as shown in the following table.
 clip_image001[112]
You need to deploy IP Address Management (IPAM) to manage DNS and DHCP. On which server should you install IPAM?

A.    Server1
B.    Server2
C.    Server3
D.    Server4

Answer: D
Explanation:
IPAM can not be installed on a Domain Controller.

QUESTION 317
Your company deploys a new Active Directory forest named contoso.com. The first domain controller in the forest runs Windows Server 2012 R2. The forest contains a domain controller named DC10. On DC10; the disk that contains the SYSVOL folder fails. You replace the failed disk. You stop the Distributed File System (DFS) Replication service. You restore the SYSVOL folder. You need to perform a non-authoritative synchronization of SYSVOL on DC10. Which tool should you use before you start the DFS Replication service on DC10?

A.    Ldp
B.    Ultrasound
C.    dfsmgmt.msc (used to be Dfsgui.msc)
D.    Frsutil

Answer: C
Explanation:
Back to original since the answer changed.
===
http://support.microsoft.com/kb/2218556
===
Original C
Which I’d probably pick if it was "dfsmgmt.msc"

QUESTION 318
Your network contains an Active Directory forest named contoso.com. All servers run Windows Server 2012 R2. You need to create a custom Active Directory Application partition. Which tool should you use?

A.    Netdom
B.    Ntdsutil
C.    Dsmod
D.    Dsamain

Answer: B
Explanation:
* To create or delete an application directory partition Open Command Prompt.
Type:ntdsutil
At the ntdsutil command prompt, type:domain management
At the domain management command prompt, type:connection At the server connections command prompt, type:connect to server ServerName At the server connections command prompt, type:quit
At the domain management command prompt, do one of the following:
* partition management
Manages directory partitions for Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
This is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2.
/ partition management create nc %s1 %s2
Creates the application directory partition with distinguished name %s1, on the Active Directory domain controller or AD LDS instance with full DNS name %s2. If you specify "NULL" for %s2, this command uses the currently connected Active Directory domain controller. Use this command only with AD DS. For AD LDS, use create nc %s1 %s2 %s3.
Note:
* An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition.

QUESTION 319
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. You create an Active Directory snapshot of DC1 each day. You need to view the contents of an Active Directory snapshot from two days ago. What should you do first?

A.    Stop the Active Directory Domain Services (AD DS) service.
B.    Run the ntdsutil.exe command.
C.    Run the dsamain.exe command.
D.    Start the Volume Shadow Copy Service (VSS).

Answer: B
Explanation:
Mounting an Active Directory snapshot Before connecting to the snapshot we need to mount it. By looking at the results of the List All command in step #8 above, identify the snapshot that you wish to mount, and note the number next to it.
In order to mount an Active Directory snapshot follow these steps:
Log on as a member of the Domain Admins group to one of your Windows Server 2008 Domain Controllers.
Open a Command Prompt window by clicking on the CMD shortcut in the Start menu, or by typing CMD and pressing Enter in the Run or Quick Search parts of the Start menu. Note: You must run NTDSUTIL from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
In the CMD window, type the following command:
ntdsutil
In the CMD window, type the following command:
snapshot
To view all available snapshots, in the CMD window, type the following command:
list all The result should look like this:
snapshot: List All
1: 2008/10/25:03:14 {ec53ad62-8312-426f-8ad4-d47768351c9a}
2: C: {15c6f880-cc5c-483b-86cf-8dc2d3449348}
In this example we only have one snapshot available, one from 2008/10/25 at 03:14AM (yes, I write articles at this time…). We’ll mount this one.
In the CMD window, type the following command:
mount 2
The result should look like this:
snapshot: mount 2
Snapshot {15c6f880-cc5c-483b-86cf-8dc2d3449348} mounted as
C:’$SNAP_200810250314_VOLUMEC$’
Next, you can leave the NTDSUTIL running, or you can quit by typing quit 2 times. Note: Like the above command, the mounting process can also be run in one line.
However, note that
NTDSUTIL requires that the "list all" command be run in the same session that you mount the snapshot. So in order to mount the snapshot with a one-liner, you will need to run "list all" first.
ntdsutil snapshot "list all" "mount 2" quit quit
Note: You do not need to quit from the NTDSUTIL command, you can keep it open assuming that you’ll probably want to unmount the snapshot right after working with it.

QUESTION 320
You have a server named Server1 that runs Windows Server 2012 R2. You need to configure Server1 to create an entry in an event log when the processor usage exceeds 60 percent. Which type of data collector should you create?

A.    an event trace data collector
B.    a performance counter data collector
C.    a performance counter alert
D.    a configuration data collector

Answer: C

Passing Microsoft 70-411 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-411.html

Official 2014 Latest Microsoft 70-411 Exam Dump Free Download(301-310)!

QUESTION 301
Your network contains a Hyper-V host named Hyperv1. Hyperv1 runs Windows Server 2012 R2. Hyperv1 hosts four virtual machines named VM1, VM2, VM3, and VM4. All of the virtual machines run Windows Server 2008 R2. You need to view the amount of memory resources and processor resources that VM4 currently uses. Which tool should you use on Hyperv1?

A.    Resource Monitor
B.    Task Manager
C.    Hyper-V Manager
D.    Windows System Resource Manager (WSRM)

Answer: C

QUESTION 302
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. DirectAccess is deployed to the network. Remote users connect to the DirectAccess server by using a variety of network speeds. The remote users report that sometimes their connection is very slow. You need to minimize Group Policy processing across all wireless wide area network (WWAN) connections. Which Group Policy setting should you configure?

A.    Configure Group Policy slow link detection.
B.    Configure wireless policy processing.
C.    Change Group Policy processing to run asynchronously when a slow network connection is detected.
D.    Configure Direct Access connections as a fast network connection.

Answer: A

QUESTION 303
Your network contains a single Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains 400 desktop computers that run Windows 8 and 10 desktop computers that run Windows XP Service Pack 3 (SP3). All new desktop computers that are added to the domain run Windows 8. All of the desktop computers are located in an organizational unit (OU) named OU1. You create a Group Policy object (GPO) named GPO1. GPO1 contains startup script settings. You link GPO1 to OU1. You need to ensure that GPO1 is Applied only to computers that run Windows XP SP3. What should you do?

A.    Modify the Security settings of OU1.
B.    Run the Set-GPInheritancecmdlet and specify the -target parameter.
C.    Create and link a WMI filter to GPO1.
D.    Run the Set-GPLinkcmdlet and specify the -target parameter.

Answer: C

QUESTION 304
Your network contains an Active Directory domain named contoso.com. AH servers run Windows Server 2012 R2. The domain contains a server named Server1. You install the Windows PowerShell Web Access gateway on Server1. You need to provide administrators with the ability to manage the servers in the domain by using the Windows PowerShell Web Access gateway. Which two cmdlets should you run on Server1? (Each correct answer presents part of the solution. Choose two.)

A.    Set-WSManQuickConfig
B.    Set-WSManInstance
C.    Add-PswaAuthorizationRule
D.    Set-BCAuthentication
E.    Install-Pswa Web Application

Answer: CE

QUESTION 305
You have a server named Server1 that runs Windows Server 2012 R2. You promote Server1 to a domain controller. You need to view the service location (SRV) records that Server1 registers in DNS. What should you do on Server1?

A.    Open the Netlogon.dns file.
B.    Open the Srv.sys file.
C.    Run ipconfig /displaydns.
D.    Run Get-DnsServerDiagnostics.

Answer: A

QUESTION 306
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 R2. You create a group Managed Service Account named gservice1. You need to configure a service named Service1 to run as the gservice1 account. How should you configure Service1?

A.    From Windows PowerShell, run Set-Service and specify the -PassThrough parameter.
B.    From a command prompt, run sc.exe and specify the config parameter.
C.    From Windows PowerShell, run Set-Service and specify the -StartupType parameter.
D.    From a command prompt, run sc.exe and specify the privs parameter.

Answer: B
Explanation:
A. General settings only allow you to stop, start and set type/paramaters
B. Set-Service provides a way for you to change the Description, StartupType, or DisplayName of a service
C. Modifies service configuration
D. Sets the response/action on service failure
http://windows.microsoft.com/en-us/windows-vista/using-system-configuration http://technet.microsoft.com/en-us/library/ee176963.aspx
http://technet.microsoft.com/en-us/library/cc990290(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc738230(v=ws.10).aspx

QUESTION 307
You have a server named Data1 that runs a Server Core Installation of Windows Server 2012 R2 Standard. You need to configure Data1 to run a Server Core Installation of Windows Server 2012 R2 Enterprise. You want to achieve this goal by using the minimum amount of administrative effort.
What should you perform?

A.    a clean installation of Windows Server 2012 R2
B.    an upgrade installation of Windows Server 2012 R2
C.    an online servicing by using Dism
D.    an offline servicing by using Dism

Answer: C

QUESTION 308
You perform a Server Core Installation of Windows Server 2012 R2 on a server named Server1. You need to add a graphical user interface (GUI) to Server1. Which tool should you use?

A.    the Add-WindowsPackagecmdlet
B.    the Add-WindowsFeaturecmdlet
C.    the Install-Module cmdlet
D.    the Install-RoleServicecmdlet

Answer: B

QUESTION 309
You have a server named Server1 that runs Windows Server 2012 R2. You plan to create an image of Server1. You need to remove the source files for all server roles that are not installed on Server1.
Which tool should you use?

A.    Ocsetup.exe
B.    Servermanagercmd.exe
C.    Imagex.exe
D.    Dism.exe

Answer: D
Explanation:
servermanagercmd.exe – The ServerManagerCmd.exe command-line tool has been deprecated in WindowsServer 2008 R2.
imagex.exe – ImageX is a command-line tool in Windows Vista that you can use to create and manageWindows image (.wim) files. A .wim file contains one or more volume images, disk volumes that containimages of an installed Windows operating system. dism.exe – Deployment Image Servicing and Management (DISM.exe) is a command-line tool that canbe used to service a Windows?image or to prepare a Windows Preinstallation Environment (WindowsPE) image. It replaces Package Manager (Pkgmgr.exe), PEimg, and Intlcfg that were included inWindows Vista? The functionality that was included in these tools is now consolidated in one tool(DISM.exe), and new functionality has been added to improve the experience for offline servicing. DISMcan Add, remove, and enumerate packages. ocsetup.exe – The Ocsetup.exe tool is used as a wrapper for Package Manager (Pkgmgr.exe) and for WindowsInstaller (Msiexec.exe). Ocsetup.exe is a command-line utility that can be used to perform scripted installs andscripted uninstalls of Windows optional components. The Ocsetup.exe tool replaces the Sysocmgr.exe tool thatWindows XP and Windows Server 2003i use.
 clip_image002[42]
http://technet.microsoft.com/en-us/library/hh824822.aspx http://blogs.technet.com/b/joscon/archive/2010/08/26/adding-features-with-dism.aspx http://technet.microsoft.com/en-us/library/hh831809.aspx
http://technet.microsoft.com/en-us/library/hh825265.aspx

QUESTION 310
You have five servers that run Windows Server 2012 R2. The servers have the Failover Clustering feature installed. You deploy a new cluster named Cluster1. Cluster1 is configured as shown in the following table.
 clip_image001[108]
Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles. Dynamic quorum management is disabled. You plan to perform hardware maintenance on Server3. You need to ensure that if the WAN link between Site1 and Site2 fails while you are performing maintenance on Servers, the cluster resource will remain available in Site1. What should you do?

A.    Add a file share witness in Site1.
B.    Remove the node vote for Server3.
C.    Remove the node vote for Server4 and Server5.
D.    Enable dynamic quorum management.

Answer: C

Passing Microsoft 70-411 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-411.html

Official 2014 Latest Microsoft 70-411 Exam Dump Free Download(291-300)!

QUESTION 291
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. One of the domain controllers is named DC1.
The DNS zone for the contoso.com zone is Active Directory-integrated and has the default settings.
A server named Server1 is a DNS server that runs a UNIX-based operating system.
You plan to use Server1 as a secondary DNS server for the contoso.com zone.
You need to ensure that Server1 can host a secondary copy of the contoso.com zone.
What should you do?

A.    From Windows PowerShell, run the Set-DnsServerPrimaryZone cmdlet and specify the contoso.com
zone as a target.
B.    From DNS Manager, modify the Security settings of DC1
C.    From DNS Manager, modify the replication scope of the contoso.com zone
D.    From DNS Manager, modify the Advanced settings of DC1.

Answer: A
Explanation:
Set-DnsServerPrimaryZone
Changes settings for a DNS primary zone.
Applies To: Windows Server 2012 R2
The Set-DnsServerPrimaryZone cmdlet changes settings for an existing Domain Name System (DNS) primary zone. You can change values that are relevant for either Active Directory-integrated zones or file-backed zones.
Examples of parameters include:
/ -NotifyServers<IPAddress[]>
Specifies an array of IP addresses of secondary DNS servers that the DNS master server notifies of changes to resource records. You need this parameter only if you selected the value NotifyServers for the Notify parameter.
/ -Notify<String>
Specifies how a DNS master server notifies secondary servers of changes to resource records. The acceptable values for this parameter are:
— NoNotify. The zone does not send change notifications to secondary servers. — Notify. The zone sends change notifications to all secondary servers. — NotifyServers. The zone sends change notifications to some secondary servers. If you choose this option, specify the list of secondary servers in the NotifyServers parameter.
Reference: Set-DnsServerPrimaryZone

QUESTION 292
Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain.
You need to create NAP event trace log files on a client computer.
What should you run?

A.    Register-ObjectEvent
B.    Register-EngineEvent
C.    tracert
D.    logman

Answer: D
Explanation:
Register-ObjectEvent: Monitor events generated from .Net Framework Object. Register-EngineEvent: Subscribes to events that are generated by the Windows PowerShell engine and by the New-Event cmdlet.
http://technet.microsoft.com/en-us/library/hh849967.aspx
tracert: Trace IP route
logman: Manages and schedules performance counter and event trace log collections on a local and remote systems.
http://technet.microsoft.com/en-us/library/bb490956.aspx

QUESTION 293
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two servers. The servers are configured as shown in the following table.
 clip_image001[104]
Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an application pool named WebApp1. WebApp1 uses a group Managed Service Account named gMSA1 as its identity.
Domain users connect to Web1 by using either the name Web1.contoso.com or the alias myweb.contoso.com.
You discover the following:
– When the users access Web1 by using Web1.contoso.com, they authenticate by using Kerberos.
– When the users access Web1 by using myweb.contoso.com, they authenticate by using NTLM.
You need to ensure that the users can authenticate by using Kerberos when they connect by using myweb.contoso.com.
What should you do?

A.    Run the Add-ADComputerServiceAccount cmdlet.
B.    Modify the properties of the gMSA1 service account.
C.    Modify the properties of the Web1 website.
D.    Run the Install-ADServiceAccount cmdlet.

Answer: D
Explanation:
* Install-ADServiceAccount
Installs an Active Directory service account on a computer.
* The Install-ADServiceAccount cmdlet installs an existing Active Directory service account on the computer on which the cmdlet is run. This cmdlet verifies that the computer is eligible to host the service account. The cmdlet also makes the required changes locally so that the service account password can be periodically reset by the computer without requiring any user action.
* Managed service accounts and virtual accounts are two new types of accounts introduced
in Windows Server 2008 R2/2012 and Windows 7/8 to enhance the service isolation and manageability of network applications such as Microsoft SQL Server and Internet Information Services (IIS).
* If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but this strategy requires additional administration and complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
Two new types of accounts available in Windows Server 2008 R2 and Windows 7–the managed service account and the virtual account–are designed to provide crucial applications such as SQL Server or IIS with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the SPN and credentials for these accounts.
Reference: Service Accounts Step-by-Step Guide

QUESTION 294
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
 clip_image001[106]
Active Directory Recycle Bin is enabled.
You discover that a support technician accidentally removed 100 users from an Active Directory group named Group1 an hour ago.
You need to restore the membership of Group1.
What should you do?

A.    Apply a virtual machine snapshot to VM1.
B.    Modify the is Deleted attribute of Group1.
C.    Perform tombstone reanimation.
D.    Export and import data by using Dsamain.

Answer: C
Explanation:
Active Directory provides a mechanism for restoring a tombstone back into a normal object. This is effectively an undelete function for deleted objects. The function is a specially formed LDAP modify operation that must include two specific attribute modifications: it must remove the isDeleted attribute (not just set it to FALSE) and it must move the object to another container by changing the object’s distinguishedName. The new distinguishedName typically (but not necessarily) uses the lastKnownParent attribute as the container and keeps the same RDN minus the \0ADEL:<objectGUID> component that Active Directory added when it created the tombstone.
Note:
* When deleting an object, Active Directory will not actually delete that object immediately (in most cases) but rather it will keep it for a period of time as a tombstone object. This means it will remove some of its attributes, add the isDeleted=True attribute, and place the object in the Deleted Object container.
* Tombstone reanimation (which has nothing to do with zombies) provides the only way to recover deleted objects without taking a DC offline, and it’s the only way to recover a deleted object’s identity information, such as its objectGUID and objectSid attributes. It neatly solves the problem of recreating a deleted user or group and having to fix up all the old access control list (ACL) references, which contain the objectSid of the deleted object. Just keep in mind that tombstone reanimation does have its own limitations, which I will discuss, so you’ll still want to keep authoritative restores in your box of tricks.
* Restoring an object in Active Directory Recycle Bin to Restore A Deleted Object
In the management console, go to Tools > Active Directory Administrative Center Click the Deleted Objects folder
Search the list of deleted objects for the object that needs to be restored.
Right-click the selected object and select Restore from the shortcut menu.
Reference: Step-By-Step: Utilizing Active Directory Recycle Bin to Restore A Deleted Object
QUESTION 295
Sometimes its important to remove an RODC from your forest or domain. However, its important that you follow a simple rule whilst removing RODC’s. What is this rule?

A.    All RODC’s must be detached before removing a final writable domain controller
B.    All writable domain controllers must be removed before RODC’s can be detached
C.    Your forest must only consist of RODC’s if you want to remove them
D.    There are no rules for removing RODC’s

Answer: A
Explanation:
After researching this and using logic, we need a writable DC for a RODC to exist,
therefore we have to remove all RODC’s before removing the last writable DC.

QUESTION 296
DNS record types come in many forms, but which record type is being described below? Maps a domain name such as www.google.com to an IP address

A.    A
B.    CNAME
C.    MX
D.    PTR

Answer: A

QUESTION 297
In Windows Server 2012 R2, you can remove the Server Graphical Shell, resulting in the "Minimal Server Interface." This is similar to a Server with a GUI installation except that some features are not installed. Which of the following features is not installed in this scenario?

A.    MMC
B.    Windows Explorer
C.    Control Panel (subset)
D.    Server Manager

Answer: B
Explanation:
When you choose the minimal server interface option Internet Explorer 10, Windows Explorer, the desktop, and the Start screen are not installed. Microsoft Management Console (MMC), Server Manager, and a subset of Control Panel are still present.

QUESTION 298
Which of the following features is available when Windows Server 2012 R2 is installed using the GUI option but without the desktop experience feature installed?

A.    Metro-style Start screen
B.    Built-in help system
C.    All of these
D.    Windows Media Player

Answer: AB
Explanation:
Here is description of Desktop Experience:
http://technet.microsoft.com/en-us/library/cc772567.aspx

QUESTION 299
You are a network administrator of an Active Directory domain named contoso.com. You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the DHCP Server server role and the Network Policy Server role service installed. You enable Network Access Protection (NAP) on all of the DHCP scopes on Server1. You need to create a DHCP policy that willApply to all of the NAP non-compliant DHCP clients. Which criteria should you specify when you create the DHCP policy?

A.    The relay agent information
B.    The client identifier
C.    The vendor class
D.    The user class

Answer: D

QUESTION 300
You have a server named Server1 that runs Windows Server 2012 R2. You create a custom Data Collector Set (DCS) named DCS1. You need to configure Server1 to start DCS1 automatically when the network usage exceeds 70 percent. Which type of data collector should you create?

A.    A configuration data collector
B.    A performance counter data collector
C.    An event trace data collector
D.    A performance counter alert

Answer: D
Passing Microsoft 70-411 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-411.html

Official 2014 Latest Microsoft 70-411 Exam Dump Free Download(281-290)!

QUESTION 281
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server role service installed.
An administrator creates a RADIUS client template named Template1.
You create a RADIUS client named Client1 by using Template1.
You need to modify the shared secret for Client1.
What should you do first?

A.    Clear Select an existing template for Client1
B.    Set the Shared secret setting of Template1 to Manual.
C.    Clear Enable this RADIUS client for Client1.
D.    Configure the Advanced settings of Template1.

Answer: A

QUESTION 282
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. All domain controllers run Windows Server 2012 R2.
The domain contains two domain controllers. The domain controllers are configured as shown in the following table.
 clip_image001[96]
You discover that a support technician accidentally removed 100 users from an Active Directory group named Group1 an hour ago.
You need to restore the membership of Group1.
What should you do?

A.    Apply a virtual machine snapshot to VM1.
B.    Perform an authoritative restore.
C.    Perform a non-authoritative restore.
D.    Perform tombstone reanimation.

Answer: B
Explanation:
Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as being authoritative with respect to their replication partners. For example, you might need to perform an authoritative restore if an administrator inadvertently deletes an organizational unit containing a large number of users. If you restore the server from tape, the normal replication process would not restore the inadvertently deleted organizational unit. Authoritative restore allows you to mark the organizational unit as authoritative and force the replication process to restore it to all of the other domain controllers in the domain.
Incorrect:
Not C: A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore the system state, the domain controller queries its replication partners. The replication partners replicate any changes to the restored domain controller, ensuring that the domain controller has an accurate and updated copy of the Active Directory database.
Reference: Performing an Authoritative Restore

QUESTION 283
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two servers. The servers are configured as shown in the following table.
 clip_image001[98]
Server1 and Server2 host a load-balanced website named Web1. Web1 runs by using an application pool named WebApp1. WebApp1 uses a group Managed Service Account named gMSA1 as its identity.
Domain users connect to Web1 by using either the name Web1.contoso.com or the alias myweb.contoso.com.
You discover the following:
– When the users access Web1 by using Web1.contoso.com, they authenticate by using Kerberos.
– When the users access Web1 by using myweb.contoso.com, they authenticate by using NTLM.
You need to ensure that the users can authenticate by using Kerberos when they connect by using myweb.contoso.com.
What should you do?

A.    Run the Set-ADServiceAccount cmdlet.
B.    Run the New-ADServiceAccount cmdlet.
C.    Modify the properties of the WebApp1 application pool.
D.    Modify the properties of the Web1 website.

Answer: B
Explanation:
Note:
* Managed service accounts and virtual accounts are two new types of accounts introduced in Windows Server 2008 R2/2012 and Windows 7/8 to enhance the service isolation and manageability of network applications such as Microsoft SQL Server and Internet Information Services (IIS).
* The New-ADServiceAccount cmdlet creates a new Active Directory managed service account (MSA).
* If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but this strategy requires additional administration and complexity. In these deployments, service administrators spend a considerable amount of time on maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
Two new types of accounts available in Windows Server 2008 R2 and Windows 7–the managed service account and the virtual account–are designed to provide crucial applications such as SQL Server or IIS with the isolation of their own accounts, while eliminating the need for an administrator to manually administer the SPN and credentials for these accounts.
Reference: Service Accounts Step-by-Step Guide

QUESTION 284
Your network contains an Active Directory domain named contoso.com. Domain controllers run either Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 R2.
You have a Password Settings object (PSOs) named PSO1.
You need to view the settings of PSO1.
Which tool should you use?

A.    Active Directory Administrative Center
B.    Get-ADAccountResultantPasswordReplicationPolicy
C.     Local Security Policy
D.     Get-ADDomainControllerPasswordReplicationPolicy

Answer: A
Explanation:
Up until now, PSOs were created with the ADSI Edit application or PowerShell. Now, we can use the Active Directory Administrative Center.
Note:
* Password Setting Object (PSO) is another name for Fine Grain Password Policies. These PSOs allowed us to set up a different password policy based on security group membership.
* Storing fine-grained password policies
Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema to store fine-grained password policies:
/ Password Settings Container
/ Password Settings
The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.

QUESTION 285
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. Server1 has a share named Share1.
When users without permission to Share1 attempt to access the share, they receive the Access Denied message as shown in the exhibit. (Click the Exhibit button.)
 clip_image002[32]
You deploy a new file server named Server2 that runs Windows Server 2012 R2.
You need to configure Server2 to display the same custom Access Denied message as Server1.
What should you install on Server2?

A.    The Remote Assistance feature
B.    The File Server Resource Manager role service
C.    The Enhanced Storage feature
D.    The Storage Services server role

Answer: B
Explanation:
We need to install the prerequisites for Access-Denied Assistance.
Because Access-Denied Assistance relies up on e-mail notifications, we also need to configure each relevant file server with a Simple Mail Transfer Protocol (SMTP) server address. Let’s do that quickly with Windows PowerShell:
Set-FSRMSetting -SMTPServer mailserver.nuggetlab.com -AdminEmailAddress admingroup@nuggetlab.com -FromEmailAddress admingroup@nuggetlab.com
You can enable Access-Denied Assistance either on a per-server basis or centrally via Group Policy. To my mind, the latter approach is infinitely preferable from an administration standpoint.
Create a new GPO and make sure to target the GPO at your file servers’ Active Directory computer accounts as well as those of your AD client computers. In the Group Policy Object Editor, we are looking for the following path to configure Access-Denied Assistance:
\Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance
 clip_image002[34]
The Customize message for Access Denied errors policy, shown in the screenshot below, enables us to create the actual message box shown to users when they access a shared file to which their user account has no access.
 clip_image002[36]
What’s cool about this policy is that we can "personalize" the e-mail notifications to give us administrators (and, optionally, file owners) the details they need to resolve the permissions issue quickly and easily.
For instance, we can insert pre-defined macros to swap in the full path to the target file, the administrator e-mail address, and so forth. See this example:
Whoops! It looks like you’re having trouble accessing [Original File Path]. Please click Request Assistance to send [Admin Email] a help request e-mail message. Thanks!
You should find that your users prefer these human-readable, informative error messages to the cryptic, non-descript error dialogs they are accustomed to dealing with.
The Enable access-denied assistance on client for all file types policy should be enabled to force client computers to participate in Access-Denied Assistance. Again, you must make sure to target your GPO scope accordingly to "hit" your domain workstations as well as your Windows Server 2012 file servers.
Testing the configuration
This should come as no surprise to you, but Access-Denied Assistance works only with Windows Server 2012 and Windows 8 computers. More specifically, you must enable the Desktop Experience feature on your servers to see Access-Denied Assistance messages on server computers.
When a Windows 8 client computer attempts to open a file to which the user has no access, the custom Access-Denied Assistance message should appear:
 clip_image002[38]
If the user clicks Request Assistance in the Network Access dialog box, they see a secondary message:
 clip_image002[40]
At the end of this process, the administrator(s) will receive an e-mail message that contains the key information they need in order to resolve the access problem:
The user’s Active Directory identity
The full path to the problematic file
A user-generated explanation of the problem
So that’s it, friends! Access-Denied Assistance presents Windows systems administrators with an easy-to-manage method for more efficiently resolving user access problems on shared file system resources. Of course, the key caveat is that your file servers must run Windows Server 2012 and your client devices must run Windows 8, but other than that, this is a great technology that should save admins extra work and end-users extra headaches.
http://4sysops.com/archives/access-denied-assistance-in-windows-server-2012/

QUESTION 286
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
Administrators use client computers that run Windows 8 to perform all management tasks.
A central store is configured on a domain controller named DC1.
You have a custom administrative template file named App1.admx. App1.admx contains application settings for an application named Appl.
From a client computer named Computer1, you create a new Group Policy object (GPO) named GPO1.
You discover that the application settings for App1 fail to appear in GPO1.
You need to ensure that the App1 settings appear in all of the new GPOs that you create.
What should you do?

A.    Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\Policies\PolicyDefinitions\
B.    From the Default Domain Controllers Policy, add App1.admx to the Administrative Templates.
C.    From the Default Domain Policy, add App1.admx to the Administrative Templates
D.    Copy App1.admx to \\Contoso.com\SYSVOL\Contoso.com\StarterGPOs.

Answer: A

QUESTION 287
Your network contains an Active Directory domain named contoso.com. The domain contains client computers that run either Windows XP, Windows 7, or Windows 8.
Network Policy Server (NPS) is deployed to the domain.
You plan to create a system health validator (SHV).
You need to identify which policy settings can be applied to all of the computers.
Which three policy settings should you identify? (Each correct answer presents part of the solution. Choose three.)

A.    A firewall is enabled for all network connections.
B.    An antispyware application is on.
C.    Automatic updating is enabled.
D.    Antivirus is up to date.
E.    Antispyware is up to date.

Answer: ACD
Explanation:
System health agent (SHA) is a NAP component. System health agent (SHA) A component that checks the state of the client computer to determine whether the settings monitored by the SHA are up-to-date and configured correctly. For example, the Windows Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is installed, enabled, and updated, whether antispyware software is installed, enabled, and updated, and whether Microsoft Update Services is enabled and the computer has the most recent security updates from Microsoft Update Services. There might also be SHAs (and corresponding system health validators) available from other companies that provide different functionality.

QUESTION 288
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the Network Policy Server role service installed.
You need to enable trace logging for Network Policy Server (NPS) on Server1.
Which tool should you use?

A.    the Network Policy Server console
B.    the Server Manager console
C.    the tracert.exe command
D.    the netsh.exe command

Answer: D
Explanation:
You can use log files on servers running Network Policy Server (NPS) and NAP client computers to help troubleshoot NAP problems. Log files can provide the detailed information required for troubleshooting complex problems.
You can capture detailed information in log files on servers running NPS by enabling remote access tracing. The Remote Access service does not need to be installed or running to use remote access tracing. When you enable tracing on a server running NPS, several log files are created in %windir%\tracing.
The following log files contain helpful information about NAP:
IASNAP.LOG: Contains detailed information about NAP processes, NPS authentication, and NPS authorization.
IASSAM.LOG: Contains detailed information about user authentication and authorization.
Membership in the local Administrators group, or equivalent, is the minimum required to enable tracing. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups
(http://go.microsoft.com/fwlink/?LinkId=83477).
To create tracing log files on a server running NPS
Open a command line as an administrator.
Type netshras set tr * en.
Reproduce the scenario that you are troubleshooting.
Type netshras set tr * dis.
Close the command prompt window.
http://technet.microsoft.com/en-us/library/dd348461%28v=ws.10%29.aspx

QUESTION 289
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2 and has the DNS Server server role installed.
Server1 is configured to delete automatically the DNS records of client computers that are no longer on the network. A technician confirms that the DNS records are deleted automatically from the contoso.com zone.
You discover that the contoso.com zone has many DNS records for servers that were on the network in the past, but have not connected to the network for a long time.
You need to set the time stamp for all of the DNS records in the contoso.com zone.
What should you do?

A.    From DNS Manager, modify the Advanced settings from the properties of Server1
B.    From Windows PowerShell, run the Set-DnsServerResourceRecordAging cmdlet
C.    From DNS Manager, modify the Zone Aging/Scavenging Properties
D.    From Windows PowerShell, run the Set-DnsServerZoneAging cmdlet.

Answer: D

QUESTION 290
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains three member servers named Server1, Server2, and Server3. All servers run Windows Server 2012 R2 and have the Windows Server Update Services (WSUS) server role installed.
Server1 and Server2 are configured as replica servers that use Server3 as an upstream server. You remove Server3 from the network.
You need to ensure that WSUS on Server2 retrieves updates from Server1.
The solution must ensure that Server1 and Server2 have the latest updates from Microsoft.
Which command should you run on each server? To answer, select the appropriate command to run on each server in the answer area.
 clip_image001[100]
Answer:

clip_image001[102]
Passing Microsoft 70-411 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-411.html

Official 2014 Latest Microsoft 70-412 Exam Dump Free Download(41-50)!

QUESTION 41
Your network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Active Directory Certificate Services server role installed and is configured as a standalone certification authority (CA). You install a second server named Server2. You install the Online Responder role service on Server2. You need to ensure that Server1 can issue an Online Certificate Status Protocol (OCSP) Response Signing certificate to Server2. What should you do?

A.    On Server1, run the certutil.exe command and specify the -setreg parameter.
B.    On Server2, run the certutil.exe command and specify the -policy parameter.
C.    On Server1, configure Security for the OCSP Response Signing certificate template.
D.    On Server2, configure Issuance Requirements for the OCSP Response Signing certificate template.

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/cc732526.aspx
 clip_image001[68]

QUESTION 42
Your network contains an Active Directory domain named adatum.com. The domain contains a server named CA1 that runs Windows Server 2012 R2. CA1 has the Active Directory Certificate Services server role installed and is configured to support key archival and recovery. You need to ensure that a user named User1 can decrypt private keys archived in the Active Directory Certificate Services (AD CS) database. The solution must prevent User1 from retrieving the private keys from the AD CS database. What should you do?

A.    Assign User1 the Issue and Manage Certificates permission to Server1.
B.    Assign User1 the Read permission and the Write permission to all certificate templates.
C.    Provide User1 with access to a Key Recovery Agent certificate and a private key.
D.    Assign User1 the Manage CA permission to Server1.

Answer: C

QUESTION 43
Your network contains an Active Directory domain named contoso.com. The domain contains two sites named Site1 and Site2 and two domain controllers named DC1 and DC2. Both domain controllers are located in Site1. You install an additional domain controller named DC3 in Site1 and you ship DC3 to Site2. A technician connects DC3 to Site2. You discover that users in Site2 are authenticated by all three domain controllers. You need to ensure that the users in Site2 are authenticated by DC1 or DC2 only if DC3 is unavailable. What should you do?

A.    From Network Connections, modify the IP address of DC3.
B.    In Active Directory Sites and Services, modify the Query Policy of DC3.
C.    From Active Directory Sites and Services, move DC3.
D.    In Active Directory Users and Computers, configure the insDS-PrimaryComputer attribute for the
users in Site2.

Answer: C
Explanation:
http://social.technet.microsoft.com/wiki/contents/articles/7573.active-directory-certificateservices- pki-keyarchival-and-anagement.aspx#Protecting_Key_Recovery_Agent_Keys
 clip_image001[70]
QUESTION 44
Your network contains two Active Directory forests named contoso.com and adatum.com. Contoso.com contains one domain. Adatum.com contains a child domain named child.adatum.com. Contoso.com has a one-way forest trust to adatum.com. Selective authentication is enabled on the forest trust. Several user accounts are migrated from child.adatum.com to adatum.com. Users report that after the migration, they fail to access resources in contoso.com. The users successfully accessed the resources in contoso.com before the accounts were migrated. You need to ensure that the migrated users can access the resources in contoso.com. What should you do?

A.    Replace the existing forest trust with an external trust.
B.    Run netdom and specify the /quarantine attribute.
C.    Disable SID filtering on the existing forest trust.
D.    Disable selective authentication on the existing forest trust.

Answer: C
Explanation:
B. Enables administrators to manage Active Directory domains and trust relationships from the command prompT, /quarantine Sets or clears the domain quarantine C. Need to gran access to the resources in contoso.com
D. Selective authentication over a forest trust restricts access to only those users in a trusted forest who have been explicitly given authentication permissions to computer objects (resource
computers) that reside in the trusting forest
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc758152(v=ws.10).aspx
 clip_image001[72]

QUESTION 45
You have four servers that run Windows Server 2012 R2. The servers have the Failover Clustering feature installed. You deploy a new cluster named Cluster1. Cluster1 is configured as shown in the following table.
 clip_image001[74]
Site2 is a disaster recovery site. Server1, Server2, and Server3 are configured as the preferred owners of the cluster roles. Dynamic quorum management is disabled. You plan to perform hardware maintenance on Server3. You need to ensure that if the WAN link between Site1 and Site2 fails while you are performing maintenance on Server3, the cluster resource will remain available in Site1. What should you do?

A.    Enable dynamic quorum management.
B.    Remove the node vote for Server3.
C.    Add a file share witness in Site1.
D.    Remove the node vote for [C1] Server4 and Server5.

Answer: D
Explanation:
http://msdn.microsoft.com/en-us/library/hh270280.aspx#VotingandNonVotingNodes
 clip_image001[76]

QUESTION 46
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server2 that runs Windows Server 2012 R2. You are a member of the local Administrators group on Server2. You install an Active Directory Rights Management Services (AD RMS) root cluster on Server2. You need to ensure that the AD RMS cluster is discoverable automatically by the AD RMS client computers and the users in contoso.com. Which additional configuration settings should you configure?
To answer, select the appropriate tab in the answer area.
 clip_image001[78]
Answer:
 clip_image001[80]

QUESTION 47
You plan to deploy a failover cluster that will contain two nodes that run Windows Server 2012 R2. You need to configure a witness disk for the failover cluster. How should you configure the witness disk? To answer, drag the appropriate configurations to the correct location or locations. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
 clip_image001[82]
Answer:
 clip_image002

QUESTION 48
You have a test server named Server1 that is configured to dual-boot between Windows Server 2008 R2 and Windows Server 2012 R2. You start Server1 and you discover that the boot entry for Windows Server 2008 R2 no longer appears on the boot menu. You start Windows Server 2012 R2 on Server1 and you discover the disk configurations shown in the following table.
 clip_image001[84]
You need to restore the Windows Server 2008 R2 boot entry on Server1. What should you do?

A.    Run bcdedit.exe and specify the /createstore parameter.
B.    Run bootrec.exe and specify the /scanos parameter.
C.    Run bcdboot.exe d:\windows.
D.    Run bootrec.exe and specify the /rebuildbcd parameter.

Answer: D
Explanation:
A. BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores, adding boot menu options, /Createstore Creates a new empty boot configuration data store. The created store is not a system store. B. Bootrec.exe tool to troubleshoot "Bootmgr Is Missing" issue. The /ScanOs option scans all disks for installations that are c mpatible with Windows Vista or Windows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.
C.
D. Bootrec.exe tool to troubleshoot "Bootmgr Is Missing" issue. The /ScanOs option scans all disks for installations that are compatible with Windows Vista or Windows 7. Additionally, this option displays the entries that are currently not in the BCD store. Use this option when there are Windows Vista or Windows 7 installations that the Boot Manager menu does not list.
http://technet.microsoft.com/en-us/library/cc709667(v=ws.10).aspx http://support.microsoft.com/kb/927392/en-us
 clip_image001[86]
QUESTION 49
You have a DHCP server named Server1. Server1 has one network adapter. Server1 is located on a subnet named Subnet1. Server1 has scope named Scope1. Scope1 contains IP addresses for the 192.168.1.0/24 network. Your company is migrating the IP addresses on Subnet1 to use a network ID of 10.10.0.0/16. On Server11 you create a scope named Scope2. Scope2 contains IP addresses for the 10.10.0.0/16 network. You need to ensure that clients on Subnet1 can receive IP addresses from either scope. What should you create on Server1?

A.    A multicast scope
B.    A scope
C.    A superscope
D.    A split-scope

Answer: C
Explanation:
A. Multicasting is the sending of network traffic to a group of endpointsdestination hosts. Only those members in the group of endpoints hosts that are listening for the multicast traffic (the multicast group) process the multicast traffic
B. A scope is an administrative grouping of IP addresses for computers on a subnet that use the Dynamic Host Configuration Protocol (DHCP) service. The administrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients. C. A superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP) servers running Windows Server 2008 that you can create and manage by using the DHCP Microsoft Management Console (MMC) snap-in. By using a superscope, you can group multiple scopes as a single administrative entity.
D.
http://technet.microsoft.com/en-us/library/dd759152.aspx http://technet.microsoft.com/en-us/library/dd759218.aspx http://technet.microsoft.com/en-us/library/dd759168.aspx
 

QUESTION clip_image001[88]50
Your network contains an Active Directory domain named adatum.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. On Dc1, you open DNS Manager as shown in the exhibit. (Click the Exhibit button.)
 clip_image001[90]
You need to change the zone type of the contoso.com zone from an Active Directory-integrated zone to a standard primary zone. What should you do before you change the zone type?

A.    Unsign the zone.
B.    Modify the Zone Signing Key (ZSK).
C.    Modify the Key Signing Key (KSK).
D.    Change the Key Master.

Answer: A
Explanation:
A. Lock icon indicating that it is currently signed with DNSSEC, zone must be unsignes
B. An authentication key that corresponds to a private key used to sign a zone.
C. The KSK is an authentication key that corresponds to a private key used to sign one or more other signing keys for a given zone. Typically, the private key corresponding to a KSK will sign a ZSK, which in turn has a corresponding private key that will sign other zone data.
D.
http://technet.microsoft.com/en-us/library/hh831411.aspx
http://technet.microsoft.com/en-us/library/ee649132(v=ws.10).aspx

clip_image001[92]
Passing Microsoft 70-412 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-412.html

Official 2014 Latest Microsoft 70-412 Exam Dump Free Download(31-40)!

QUESTION 31
Your network contains three Active Directory forests. Each forest contains an Active Directory Rights Management Services (AD RMS) root cluster. All of the users in all of the forests must be able to access protected content from any of the forests. You need to identify the minimum number of AD RMS trusts required. How many trusts should you identify?

A.    2
B.    3
C.    4
D.    6

Answer: D

QUESTION 32
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA). All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card. A user named User1 resigned and started to work for a competing company. You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not prevent other users from logging on to the domain. Which tool should you use?

A.    Active Directory Sites and Services
B.    Active Directory Administrative Center
C.    Server Manager
D.    Certificate Templates

Answer: B

QUESTION 33
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DHCP Server server role installed. DHCP is configured as shown in the exhibit. (Click the Exhibit button.)
 clip_image001[54]
You discover that client computers cannot obtain IPv4 addresses from DC1. You need to ensure that the client computers can obtain IPv4 addresses from DC1. What should you do?

A.    Activate the scope.
B.    Authorize DC1.
C.    Disable the Allow filters.
D.    Disable the Deny filters.

Answer: C
Explanation:
There is no items in the deny List. So it means that client computers MAC addresses is not listed in the allow list. So we have to disable the "Allow Filters" http://technet.microsoft.com/en-us/library/ee956897(v=ws.10).aspx
 clip_image001[56]

QUESTION 34
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 and a domain controller named DC1. All servers run Windows Server 2012 R2. A Group Policy object (GPO) named GPO1 is linked to the domain. Server1 contains a folder named Folder1. Folder1 is shared as Share1. You need to ensure that authenticated users can request assistance when they are denied access to the resources on Server1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.    Assign the Read Attributes NTFS permission on Folder1 to the Authenticated Users group.
B.    Install the File Server Resource Manager role service on Server1.
C.    Configure the Customize message for Access Denied errors policy setting of GPO1.
D.    Enable the Enable access-denied assistance on client for all file types policy setting for GPO1.
E.    Install the File Server Resource Manager role service on DC1.

Answer: BD
Explanation:
http://technet.microsoft.com/en-us/library/hh831402.aspx#BKMK_1

QUESTION 35
Your network contains an Active Directory domain named adatum.com. All domain controllers run Windows Server 2008 R2. The domain contains a file server named Server6 that runs Windows Server 2012 R2. Server6 contains a folder named Folder1. Folder1 is shared as Share1. The NTFS permissions on Folder1 are shown in the exhibit. (Click the Exhibit button.)
 clip_image002[26]
The domain contains two global groups named Group1 and Group2. You need to ensure that only users who are members of both Group1 and Group2 are denied access to Folder1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.    Remove the Deny permission for Group1 from Folder1.
B.    Deny Group2 permission to Folder1.
C.    Install a domain controller that runs Windows Server 2012 R2.
D.    Create a conditional expression.
E.    Deny Group2 permission to Share1.
F.    Deny Group1 permission to Share1.

Answer: CD
Explanation:
* Conditional Expressions for Permission Entries Windows Server 2008 R2 and Windows 7 enhanced Windows security descriptors by introducing a conditional access permission entry. Windows Server 2012 R2 takes advantage of conditional access permission entries by inserting user claims, device claims, and resource properties, into conditional expressions. Windows Server 2012 R2 security evaluates these expressions and allows or denies access based on results of the evaluation. Securing access to resources through claims is known as claims-based access control. Claims-based access control works with traditional access control to provide an additional layer of authorization that is flexible to the varying needs of the enterprise environment.
http://social.technet.microsoft.com/wiki/contents/articles/14269.introducing-dynamicaccess- control-en-us.aspx

QUESTION 36
Your network contains an Active Directory forest. The forest contains a single domain named contoso.com. The forest contains two Active Directory sites named Main and Branch1. The sites connect to each other by using a site link named Main-Branch1. There are no other site links. Each site contains several domain controllers. All domain controllers run Windows Server 2012 R2. Your company plans to open a new branch site named Branch2. The new site will have a WAN link that connects to the Main site only. The site will contain two domain controllers that run Windows Server 2012 R2. You need to create a new site and a new site link for Branch2. The solution must ensure that the domain controllers in Branch2 only replicate to the domain controllers in Branch1 if all of the domain controllers in Main are unavailable. Which three actions should you perform? To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.
 clip_image002[28]
Answer:
 clip_image002[30]

QUESTION 37
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 that runs Windows Server 2012 R2. DC1 has the DNS Server server role installed. The network contains client computers that run either Linux, Windows 7, or Windows 8. You have a standard primary zone named adatum.com as shown in the exhibit. (Click the Exhibit button.)
 clip_image001[58]
You plan to configure Name Protection on all of the DHCP servers. You need to configure the adatum.com zone to support Name Protection. Which two configurations should you perform from DNS Manager? (Each correct answer presents part of the solution. Choose two.)

A.    Sign the zone.
B.    Store the zone in Active Directory.
C.    Modify the Security settings of the zone.
D.    Configure Dynamic updates.

Answer: BD
Explanation:
http://technet.microsoft.com/en-us/library/ee941152(v=ws.10).aspx
 clip_image001[60]

clip_image001[62]

QUESTION 38
Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 and Server2 have the Hyper-V server role installed. Server1 and Server2 are configured as Hyper-V replicas of each other. Server1 hosts a virtual machine named VM1. VM1 is replicated to Server2. You need to verify whether the replica of VM1 on Server2 is functional. The solution must ensure that VM1 remains accessible to clients. What should you do from Hyper-V Manager?

A.    On Server1, execute a Planned Failover.
B.    On Server1, execute a Test Failover.
C.    On Server2, execute a Planned Failover.
D.    On Server2, execute a Test Failover.

Answer: D
Explanation:
A. Server 1 is houses VM1 and it is replicated to Server2 – wrong server to failover and this is not a planned fail over case
B. Wrong server correct failover type
C. Wrong server, wrong failover type
D. Right server and failover type
http://blogs.technet.com/b/virtualization/archive/2012/07/31/types-of-failover-operations-inhyper- v-replica-partii-planned-failover.aspx
http://blogs.technet.com/b/virtualization/archive/2012/07/26/types-of-failover-operations-inhyper- v-replica.aspx

QUESTION 39
You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run Windows Server 2012 R2. You need to force every node in Cluster1 to contact immediately the Windows Server Update Services (WSUS) server on your network for updates. Which tool should you use?

A.    The Add-CauClusterRole cmdlet
B.    The Wuauclt command
C.    The Wusa command
D.    The Invoke-CauScan cmdlet

Answer: D
Explanation:
A. Adds the Cluster-Aware Updating (CAU) clustered role that provides the self-updating functionality to the specified cluster.
B. the wuauclt utility allows you some control over the functioning of the Windows Update Agent C. The Wusa.exe file is in the %windir%\System32 folder. The Windows Update Standalone Installer uses the Windows Update Agent API to install update packages. Update packages have an .msu file name extension. The .msu file name extension is associated with the Windows Update Standalone Installer.
D. Performs a scan of cluster nodes for applicable updates and returns a list of the initial set of updates that would be applied to each node in a specified cluster. http://technet.microsoft.com/en-us/library/hh847235(v=wps.620).aspx http://technet.microsoft.com/en-us/library/cc720477(v=ws.10).aspx http://support.microsoft.com/kb/934307
http://technet.microsoft.com/en-us/library/hh847228(v=wps.620).aspx
 clip_image001[64]

QUESTION 40
Your network contains an Active Directory domain named contoso.com. The network contains a file server named Server1 that runs Windows Server 2012 R2. You are configuring a central access policy for temporary employees. You enable the Department resource property and assign the property a suggested value of Temp. You need to configure a target resource condition for the central access rule that is scoped to resources assigned to Temp only. Which condition should you use?

A.    (Temp.Resource Equals "Department")
B.    (Resource.Temp Equals "Department")
C.    (Resource.Department Equals "Temp")
D.    (Department.Value Equals "Temp")

Answer: C
Explanation:
http://technet.microsoft.com/fr-fr/library/hh846167.aspx

clip_image001[66]
Passing Microsoft 70-412 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-412.html

Official 2014 Latest Microsoft 70-412 Exam Dump Free Download(21-30)!

QUESTION 21
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2 that run Windows Server 2012 R2. Both servers have the Hyper-V server role installed. The network contains an enterprise certification authority (CA). All servers are enrolled automatically for a certificate-based on the Computer certificate template. On Server1, you have a virtual machine named VM1. VM1 is replicated to Server2. You need to encrypt the replication of VM1. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

A.    On Server1, modify the settings of VM1.
B.    On Server2, modify the settings of VM1.
C.    On Server2, modify the Hyper-V Settings.
D.    On Server1, modify the Hyper-V Settings.
E.    On Server1, modify the settings of the virtual switch to which VM1 is connected.
F.    On Server2, modify the settings of the virtual switch to which VM1 is connected.

Answer: AC
Explanation:
Answer is A and C, not A and F. Virtual Switch has nothing to do with this scenario based many sites I’ve visited even TechNet. And added a couple examples with Enterprise CA as well.
C. – Is Server 2, modify settings of Hyper-V=>Replica Server. then all the Encryption Reqs. TCP-443/SSL.

QUESTION 22
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2012 R2. You create a user account named User1 in the domain. You need to ensure that User1 can use Windows Server Backup to back up Server1. The solution must minimize the number of administrative rights assigned to User1. What should you do?

A.    Add User1 to the Backup Operators group.
B.    Add User1 to the Power Users group.
C.    Assign User1 the Backup files and directories user right and the Restore files and directories user right.
D.    Assign User1 the Backup files and directories user right.

Answer: D
Explanation:
Backup Operators have these permissions by default:
 clip_image001[40]
However the question explicitly says we need to minimize administrative rights. Since the requirement is for backing up the data only–no requirement to restore or shutdown–then assigning the "Back up files and directories user right" would be the correct answer.
 clip_image001[42]

QUESTION 23
You have a server named Server1 that runs Windows Server 2012 R2 and is used for testing. A developer at your company creates and installs an unsigned kernel-mode driver on Server1. The developer reports that Server1 will no longer start. You need to ensure that the developer can test the new driver. The solution must minimize the amount of data loss. Which Advanced Boot Option should you select?

A.    Disable Driver Signature Enforcement
B.    Disable automatic restart on system failure
C.    Last Know Good Configuration (advanced)
D.    Repair Your Computer

Answer: A
Explanation:
A. By default, 64-bit versions of Windows Vista and later versions of Windows will load a kernel- mode driver only if the kernel can verify the driver signature. However, this default behavior can be disabled to facilitate early driver development and non-automated testing. B. specifies that Windows automatically restarts your computer when a failure occurs C. Developer would not be able to test the driver as needed D. Removes or repairs critical windows files, Developer would not be able to test the driver as needed and some file loss
http://technet.microsoft.com/en-us/library/jj134246.aspx
http://msdn.microsoft.com/en-us/library/windows/hardware/ff547565(v=vs.85).aspx
 clip_image001[44]

QUESTION 24
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. You add two additional nodes to Cluster1. You need to ensure that Cluster1 stops running if three nodes fail. What should you configure?

A.    Affinity-None
B.    Affinity-Single
C.    The cluster quorum settings
D.    The failover settings
E.    A file server for general use
F.    The Handling priority
G.    The host priority
H.    Live migration
I.    The possible owner
J.    The preferred owner
K.    Quick migration
L.    The Scale-Out File Server

Answer: C

QUESTION 25
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1 and Server2 have the Failover Clustering feature installed. The servers are configured as nodes in a failover cluster named Cluster1. You add two additional nodes in Cluster1. You have a folder named Folder1 on Server1 that hosts application data. Folder1 is a folder target in a Distributed File System (DFS) namespace. You need to provide highly available access to Folder1. The solution must support DFS Replication to Folder1. What should you configure?

A.    Affinity-None
B.    Affinity-Single
C.    The cluster quorum settings
D.    The failover settings
E.    A file server for general use
F.    The Handling priority
G.    The host priority
H.    Live migration
I.    The possible owner
J.    The preferred owner
K.    Quick migration
L.    The Scale-Out File Server

Answer: E

QUESTION 26
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2. Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as nodes in an NLB cluster named Cluster1. Port rules are configured for all clustered applications. You need to ensure that Server2 handles all client requests to the cluster that are NOT covered by a port rule. What should you configure?

A.    Affinity-None
B.    Affinity-Single
C.    The cluster quorum settings
D.    The failover settings
E.    A file server for general use
F.    The Handling priority
G.    The host priority
H.    Live migration
I.    The possible owner
J.    The preferred owner
K.    Quick migration
L.    The Scale-Out File Server

Answer: G
Explanation:
http://technet.microsoft.com/en-us/library/bb742455.aspx
 clip_image001[46]
QUESTION 27
Your network contains an Active Directory domain named contoso.com. A previous administrator implemented a Proof of Concept installation of Active Directory Rights Management Services (AD RMS). After the proof of concept was complete, the Active Directory Rights Management Services server role was removed. You attempt to deploy AD RMS. During the configuration of AD RMS, you receive an error message indicating that an existing AD RMS Service Connection Point (SCP) was found. You need to remove the existing AD RMS SCP. Which tool should you use?

A.    ADSI Edit
B.    Active Directory Users and Computers
C.    Active Directory Domains and Trusts
D.    Active Directory Sites and Services
E.    Services
F.    Authorization Manager
G.    TPM Management
H.    Certification Authority

Answer: AD
Explanation:
http://technet.microsoft.com/en-us/library/jj835767(v=ws.10).aspx
 clip_image001[48]

clip_image001[50]

clip_image001[52]

QUESTION 28
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. The functional level of the forest is Windows Server 2003. You have a domain outside the forest named adatum.com. You need to configure an access solution to meet the following requirements:
– Users in adatum.com must be able to access resources in contoso.com.
– Users in adatum.com must be prevented from accessing resources in fabrikam.com.
– Users in both contoso.com and fabrikam.com must be prevented from accessing resources in adatum.com.
What should you create?

A.    a one-way realm trust from contoso.com to adatum.com
B.    a one-way realm trust from adatum.com to contoso.com
C.    a one-way external trust from contoso.com to adatum.com
D.    a one-way external trust from adatum.com to contoso.com

Answer: C
Explanation:
domain names were changed, so understand the question well
You need to make trust relationship where domain contoso.com trusts adatum.com.
http://technet.microsoft.com/en-us/library/cc728024(v=ws.10).aspx
 clip_image002[24]

QUESTION 29
Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists for each office. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers. DC1 hosts an Active Directory- integrated zone for contoso.com. You add the DNS Server server role to DC2. You discover that the contoso.com DNS zone fails to replicate to DC2. You verify that the domain, schema, and configuration naming contexts replicate from DC1 to DC2. You need to ensure that DC2 replicates the contoso.com zone by using Active Directory replication. Which tool should you use?

A.    Dnscmd
B.    Dnslint
C.    Repadmin
D.    Ntdsutil
E.    DNS Manager
F.    Active Directory Sites and Services
G.    Active Directory Domains and Trusts
H.    Active Directory Users and Computers

Answer: F
Explanation:
http://technet.microsoft.com/en-us/library/cc739941(v=ws.10).aspx
If you see question about AD Replication, First preference is AD sites and services, then Repadmin and then DNSLINT.

QUESTION 30
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains a domain controller named DC1 that is configured as an enterprise root certification authority (CA). All users in the domain are issued a smart card and are required to log on to their domain-joined client computer by using their smart card. A user named User1 resigned and started to work for a competing company. You need to prevent User1 immediately from logging on to any computer in the domain. The solution must not prevent other users from logging on to the domain. Which tool should you use?

A.    Active Directory Administrative Center
B.    Active Directory Sites and Services
C.    Active Directory Users and Computers
D.    the Certification Authority console
E.    the Certificates snap-in
F.    Certificate Templates
G.    Server Manager
H.    the Security Configuration Wizard

Answer: AC
Explanation:
A. ADAC – Active Directory Administrative Center used to manage users/computers C. ADUC – Active Directory Users and Computers used to manage users/Computers.
http://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx http://technet.microsoft.com/en-us/library/aa997340(v=exchg.65).aspx

Passing Microsoft 70-412 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-412.html

Official 2014 Latest Microsoft 70-412 Exam Dump Free Download(11-20)!

QUESTION 11
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1 and a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed. On Dc1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM. On Server1, you open Server Manager as shown in the exhibit. (Click the Exhibit button.)
 clip_image002[12]
You need to ensure that you can use IPAM on Server1 to manage DNS on DC1. What should you do?

A.    Modify the outbound firewall rules on Server1.
B.    Modify the inbound firewall rules on Server1.
C.    Add Server1 to the Remote Management Users group.
D.    Add Server1 to the Event Log Readers group.

Answer: D
Explanation:
Since no exhibit, the guess here is it’s not using the GPO to manage the Event Log Readers group– evidenced by the fact that the firewall was configured manually instead of with the GPO. If the GPO was being used then the IPAM server would be in the Event Log Readers group due to restricted group settings in the GPO as shown below:
 clip_image002[14]
In the above example, the IPAM server is as member of the VDI\IPAMUG group.
http://technet.microsoft.com/en-us/library/jj878313.aspx
 clip_image001[22]

QUESTION 12
Your network contains an Active Directory domain named contoso.com. The domain contains servers named Server1 and Server2 that run Windows Server 2012 R2. Server1 has the IP Address Management (IPAM) Server feature installed. You install the IPAM client on Server2. You open Server Manager on Server2 as shown in the exhibit. (Click the Exhibit button.)
 clip_image002[16]
You need to manage IPAM from Server2. What should you do first?

A.    On Server1, add the Server2 computer account to the IPAM MSM Administrators group.
B.    On Server2, open Computer Management and connect to Server1.
C.    On Server2, add Server1 to Server Manager.
D.    On Server1, add the Server2 computer account to the IPAM ASM Administrators group.

Answer: C
Explanation:
http://technet.microsoft.com/en-us/library/hh831453.aspx
 clip_image002[18]
QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Dc1. DC1 has the DNS Server server role installed. The network has two sites named Site1 and Site2. Site1 uses 10.10.0.0/16 IP addresses and Site2 uses 10.11.0.0/16 IP addresses. All computers use DC1 as their DNS server. The domain contains four servers named Server1, Server2, Server3, and Server4. All of the servers run a service named Service1. DNS host records are configured as shown in the exhibit. (Click the Exhibit button.)
 clip_image001[24]
You discover that computers from the 10.10.1.0/24 network always resolve Service1 to the [P address of Server1. You need to configure DNS on DC1 to distribute computers in Site1 between Server1 and Server2 when the computers attempt to resolve Service1. What should run on DC1?

A.    dnscmd /config /bindsecondaries 1
B.    dnscmd /config /localnetpriority 0
C.    dnscmd /config /localnetprioritynetmask 0x0000ffff
D.    dnscmd /config /roundrobin 0

Answer: C
Explanation:
A. Specifies use of fast transfer format used by legacy Berkeley Internet Name Domain (BIND) servers. 1 enables
B. Disables netmask ordering.
C. You can use the Dnscmd /Config /LocalNetPriorityNetMask 0x0000FFFF command to use class B ( or 16 bit) for netmask ordering for DNS round robin
D. Disables round robin rotation.
http://technet.microsoft.com/en-us/library/cc737355(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc738473(v=ws.10).aspx http://support.microsoft.com/kb/842197
http://technet.microsoft.com/en-us/library/cc779169(v=ws.10).aspx

QUESTION 14
Your network contains an Active Directory domain named contoso.com. The domain contains a main office and a branch office. An Active Directory site exists for each office. The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Both servers have the DHCP Server server role installed. Server1 is located in the main office site. Server2 is located in the branch office site. Server1 provides IPv4 addresses to the client computers in the main office site. Server2 provides IPv4 addresses to the client computers in the branch office site. You need to ensure that if either Server1 or Server2 are offline, the client computers can still obtain IPv4 addresses.
The solution must meet the following requirements:
– The storage location of the DHCP databases must not be a single point of failure.
– Server1 must provide IPv4 addresses to the client computers in the branch office site only if Server2 is offline.
– Server2 must provide IPv4 addresses to the client computers in the main office site only if Server1 is offline.
Which configuration should you use?

A.    load sharing mode failover partners
B.    a failover cluster
C.    hot standby mode failover partners
D.    a Network Load Balancing (NLB) cluster

Answer: C
Explanation:
A. The load sharing mode of operation is best suited to deployments where both servers in a failover relationship are located at the same physical site.
B. Hot standby mode of operation is best suited to deployments where a central office or data center server acts as a standby backup server to a server at a remote site, which is local to the DHCP clients
C. Needs to be a DHCP Failover option
D. Needs to be a DHCP Failover option
http://technet.microsoft.com/en-us/library/hh831385.aspx http://blogs.technet.com/b/teamdhcp/archive/2012/09/03/dhcp-failover-hot-standbymode.aspx
 clip_image001[26]

QUESTION 15
You have a DHCP server named Server1. Server1 has an IP address 192.168.1.2 is located on a subnet that has a network ID of 192.168.1.0/24. On Server1, you create the scopes shown in the following table.
 clip_image001[28]
You need to ensure that Server1 can assign IP addresses from both scopes to the DHCP clients on the local subnet. What should you create on Server1?

A.    A scope
B.    A superscope
C.    A split-scope
D.    A multicast scope

Answer: B
Explanation:
A. A scope is an administrative grouping of IP addresses for computers on a subnet that use the Dynamic Host Configuration Protocol (DHCP) service. The administrator first creates a scope for each physical subnet and then uses the scope to define the parameters used by clients.
B. A superscope is an administrative feature of Dynamic Host Configuration Protocol (DHCP) servers running Windows Server 2008 that you can create and manage by using the DHCP Microsoft Management Console (MMC) snap-in. By using a superscope, you can group multiple scopes as a single administrative entity.
D. Multicasting is the sending of network traffic to a group of endpointsdestination hosts. Only those members in the group of endpoints hosts that are listening for the multicast traffic (the multicast group) process the multicast traffic http://technet.microsoft.com/en-us/library/dd759168.aspx http://technet.microsoft.com/en-us/library/dd759152.aspx
 clip_image001[30]

QUESTION 16
Your network contains servers that run Windows Server 2012 R2. The network contains a large number of iSCSI storage locations and iSCSI clients. You need to deploy a central repository that can discover and list iSCSI resources on the network automatically. Which feature should you deploy?

A.    the Windows Standards-Based Storage Management feature
B.    the iSCSI Target Server role service
C.    the iSCSI Target Storage Provider feature
D.    the iSNS Server service feature

Answer: D
Explanation:
A. Windows Server 2012 R2 enables storage management that is comprehensive and fully scriptable, and administrators can manage it remotely. A WMI-based interface provides a single mechanism through which to manage all storage, including non-Microsoft intelligent storage subsystems and virtualized local storage (known as Storage Spaces). Additionally, management applications can use a single Windows API to manage different storage types by using standards-based protocols such as Storage Management Initiative Specification (SMI-S).
B. Targets are created in order to manage the connections between an iSCSI device and the servers that need to access it. A target defines the portals (IP addresses) that can be used to connect to the iSCSI device, as well as the security settings (if any) that the iSCSI device requires in order to authenticate the servers that are requesting access to its resources. C. iSCSI Target Storage Provider enables applications on a server that is connected to an iSCSI target to perform volume shadow copies of data on iSCSI virtual disks. It also enables you to manage iSCSI virtual disks by using older applications that require a Virtual Disk Service (VDS) hardware provider, such as the Diskraid command.
D. The Internet Storage Name Service (iSNS) protocol is used for interaction between iSNS servers and iSNS clients. iSNS clients are computers, also known as initiators, that are attempting to discover storage devices, also known as targets, on an Ethernet network.
http://technet.microsoft.com/en-us/library/cc726015.aspx
http://technet.microsoft.com/en-us/library/cc772568.aspx
 clip_image001[32]
QUESTION 17
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. All servers run Windows Server 2012 R2. All domain user accounts have the Division attribute automatically populated as part of the user provisioning process. The Support for Dynamic Access Control and Kerberos armoring policy is enabled for the domain. You need to control access to the file shares on Server1 based on the values in the Division attribute and the Division resource property. Which three actions should you perform in sequence?
 clip_image002[20]
Answer:
 clip_image001[34]
Explanation:
First create a claim type for the property, then create a reference resource property that points back to the claim. Finally set the classification value on the folder

QUESTION 18
Your network contains two Active Directory forests named contoso.com and fabrikam.com. The contoso.com forest contains two domains named corp.contoso.com and contoso.com. You establish a two-way forest trust between contoso.com and fabrikam.com. Users from the corp.contoso.com domain report that they cannot log on to client computers in the fabrikam.com domain by using their corp.contoso.com user account. When they try to log on, they receive following error message:
"The computer you are signing into is protected by an authentication firewall. The specified account is not allowed to authenticate to the computer." Corp.contoso.com users can log on successfully to client computers in the contoso.com domain by using their corp.contoso.com user account credentials. You need to allow users from the corp.contoso.com domain to log on to the client computers in the fabrikam.com forest. What should you do?

A.    Configure Windows Firewall with Advanced Security.
B.    Enable SID history.
C.    Configure forest-wide authentication.
D.    Instruct the users to log on by using a user principal name (UPN).

Answer: C
Explanation:
C. The forest-wide authentication setting permits unrestricted access by any users in the trusted forest to all available shared resources in any of the domains in the trusting forest.
http://technet.microsoft.com/en-us/library/cc785875(v=ws.10).aspx
 clip_image001[36]

QUESTION 19
Your network contains two servers named Server1 and Server2 that run Windows Server 2012 R2. Both servers have the Hyper-V server role installed. The servers have the hardware configurations shown in the following table.
 clip_image001[38]
Server1 hosts five virtual machines that run Windows Server 2012 R2. You need to move the virtual machines from Server1 to Server2. The solution must minimize downtime. What should you do for each virtual machine?

A.    Export the virtual machines from Server1 and import the virtual machines to Server2.
B.    Perform a live migration.
C.    Perform a quick migration.
D.    Perform a storage migration.

Answer: A
Explanation:
None of these migration options will work between different Processors ( AMD/Intel). The only option remaining is to export and re-import the VMs

QUESTION 20
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Both servers have the Hyper-V server role installed. You plan to replicate virtual machines between Server1 and Server2. The replication will be encrypted by using Secure Sockets Layer (SSL). You need to request a certificate on Server1 to ensure that the virtual machine replication is encrypted. Which two intended purposes should the certificate for Server1 contain? (Each correct answer presents part of the solution. Choose two.)

A.    Client Authentication
B.    Kernel Mode Code Signing
C.    Server Authentication
D.    IP Security end system
E.    KDC Authentication

Answer: AC
Explanation:
http://blogs.technet.com/b/virtualization/archive/2012/03/13/hyper-v-replica-certificate- requirements.aspx

clip_image002[22]
Passing Microsoft 70-412 Exam successfully in a short time! Just using Braindump2go’s Latest Microsoft 70-411 Dump: http://www.braindump2go.com/70-412.html

Pages: 1 2 ... 420 421 422 423 424 ... 444 445